Using Briar GTK at a distance

Until a proper Briar mailbox is available, you can hack your own always-on Briar node with devices like the Raspberry Pi. The official binary provided by The Briar Project only works on Linux x86 devices so far, but at the end of the article you can find a Git patch to build your own binary that runs everywhere.

Note: You can seriously lower the security of your Briar communications when following this guide. Only do this if you know what you’re doing!

Download the briar-headless linux-x86 binary and check that its fingerprint matches e.g. the one used in Briar GTK’s flatpak:

wget https://briarproject.org/jar/briar-headless-1.2.12.jar -O briar-headless.jar
# sha512sum -c prints "briar-headless.jar: OK" only if the hash matches
echo "8b0f5081b96094a3b563c26739034448c0b42d68c4ebf23ab7fe854ec47c5b720fdddced2852e2e0291a6c34bde6bfcfae41aefcec3c044898845052b5cc9bd8  briar-headless.jar" | sha512sum -c -

Make sure to always use the latest available version!

Start the server as described in the docs:

java -jar briar-headless.jar

This will ask you for your password (and a username on the first start). To start it in the background, exit the current process (Ctrl+C) and use nohup, replacing password with your Briar password:

(echo -e "password\n" | nohup java -jar briar-headless.jar) &

You need to wait a bit after this for Briar to start up the server.

If you want to kill the process:

ps -aux | grep briar-headless
kill <id>

Allow tunneling in the server's SSH daemon config (/etc/ssh/sshd_config):

AllowTcpForwarding yes
PermitTunnel yes

Don’t forget to restart SSH with sudo systemctl restart sshd.

Copy the authentication token to your local device (note that there must not be a newline at the end of the file):

cat ~/.briar/auth_token
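
The step above needs a token file without a trailing newline. As an added example (not part of the original post), these shell functions store a token read from stdin without line endings and with owner-only permissions; the function names and the local destination path are assumptions.

```shell
#!/bin/sh
# Added example, not from the original post: store a Briar auth token so
# the file has no trailing newline and only its owner can read it.

# store_token DEST: read the token from stdin and write it to DEST.
store_token() {
    dest=$1
    # Drop every CR/LF so a token piped from `cat` or pasted from a
    # terminal does not end in a newline.
    token=$(tr -d '\r\n')
    # Refuse an empty token or one containing blanks (e.g. a bad paste).
    case $token in
        ''|*[[:space:]]*) echo "store_token: bad token" >&2; return 1 ;;
    esac
    (
        umask 077    # new directory is 0700, new file is 0600
        mkdir -p "$(dirname "$dest")" && printf '%s' "$token" > "$dest"
    ) || return 1
    chmod 600 "$dest"    # tighten a file that already existed
}

# token_is_clean FILE: succeed only if FILE is non-empty, does not end in
# a newline, and grants nothing to group or others.
token_is_clean() {
    [ -s "$1" ] || return 1
    [ "$(tail -c 1 "$1" | wc -l)" -eq 0 ] || return 1
    case $(ls -ld "$1" | cut -c1-10) in
        ????------) return 0 ;;
        *) return 1 ;;
    esac
}

# Usage with the post's placeholder host; the local destination path is
# an assumption:
#   ssh user@server 'cat ~/.briar/auth_token' | store_token "$HOME/.briar/auth_token"
```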

You can also upload your local Briar account to the server. However, it’s really important that you then delete the Briar account on your local computer to prevent certain kinds of attacks!

rsync -r ~/.briar user@server:/home/user/
rm -r ~/.briar

From your local computer, create an SSH tunnel to the server:

ssh -L localhost:7000:localhost:7000 user@server

When starting Briar GTK, you should now be able to log in using a random password (since we already logged in on the server).

To get Briar running on ARM devices like the Raspberry Pi, you need to patch briar-headless with briar-ship-no-tor-binary.patch. This will disable Briar’s own Tor binary, allowing you to use your own:

Users can provide their own binary in ~/.briar/tor:

sudo apt install tor tor-geoipdb obfs4proxy
# make sure the target directory exists before copying
mkdir -p ~/.briar/tor
cp /usr/bin/tor         ~/.briar/tor/tor
cp /usr/bin/obfs4proxy  ~/.briar/tor/obfs4proxy
cp /usr/share/tor/geoip ~/.briar/tor/geoip

The file ~/.briar/tor/torrc should contain:

ControlPort 59051
CookieAuthentication 1
DisableNetwork 1
RunAsDaemon 1
SafeSocks 1
SocksPort 59050

You can apply this patch with:

git am < briar-ship-no-tor-binary.patch

Based on briar/briar-gtk#49 and “get briar-headless working on librem5_devkit” by fphemeral.

All content in this blog post got released under a CC0 1.0 Universal Public Domain Dedication. Feel free to share it with your peers!