I had to rebuild a bridge relay with a new OS in order to get the new tor version. I kept the keys so that didn’t change in the new one, but it took some support tickets to get it up again. I’m running it as a moat distribution type, which it was before. However, I seem to have lost everyone (I had an average of 2,000 connections a day) but a few.
This relay was up for 3-4 years. I have another in the same position: unupgradable FreeBSD (something they can’t fix in the pkg update system), and 1500 avg daily connections. Up for 3.4 years now also. I’ve hated not to continue as I feel a loyalty to those who have set this up for themselves, but it looks as though I’ve pulled the rug out from under them anyway.
But here’s the larger question:
Have both these bridges been most likely “found out” by now and I should retire them and start with new IPs? How long should a bridge last? I have a couple more in Latvia that are also 3 years old now with 500 and 1000 avg. connections, so all 4 of these are “in use”.
Hey @torix, that’s a great question. If you have an average of 1500 daily connections, it seems your bridge is very useful, and rotating the IP address might not help more users. You can check your bridge’s country stats in this file: /var/lib/tor/stats/bridge-stats or on *BSD: /var/db/tor/stats/bridge-stats.
If you find that most users are coming from countries that block Tor (Russia, Iran…), I’d say that rotating the IP will frustrate a lot of users more than it will help.
Maybe you could allocate a new bridge and monitor when the IP is blocked in China, then it? Usually when the GFW detects a bridge, it blocks the IP address (and not just IP:Port). You can use this site to test your bridge’s reachability: https://www.itdog.cn/ping/.
Gus, I don’t have any /var/lib(db)/tor/stats directory in my bridges. Is this part of the monitoring additions that you can install on your relay? I tried adding them twice, following the instructions, but the relays fell over and wouldn’t come back up until I took it out of the configuration. Are we talking about the same thing?
So what I have is a homebrew system - avg of the day’s connection taken every 5 min. with a cron job, and then the number of users taken from the tor log every 6 hours. So I have no idea where these connections come from; I’ve never wanted to screw up anonymity, and I’m never sure what can be correlated with something that I know nothing about.
I’d love to know how to set it up to tell me what countries connections are coming from.
–Torix
P.S. The all-Chinese ping site is a little intimidating, but I assume that red means blocked, and Taiwan’s yellow means partly blocked?
On Debian based systems, you need to install the package tor-geoipdb and it will generate bridge stats every day in that directory. You do not need to edit your torrc to have these stats.
On FreeBSD, if you installed tor using pkg, I believe you may have ‘tor-geoipdb’ too:
Gus, thanks very much for your helpful reply - I made a 2 line bash script that gives me the top 10 and % for these 2 geoip files - works like a charm on my bridges.
I also think the link to the set of probing tools to be gold; I knew almost none of them. I wonder if that link might be helpful in the post-install docs somewhere.
Small list of useful public services which could ping and execute TCP/HTTP requests using different set of probes: check-host.net Show IP information from DB-IP, MaxMind, IPGeolocation.io, IP2Location, IPInfo.io databases ICMP Ping TCP port…
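An added example, not part of the thread and not the script torix mentions: a shell function that reads the bridge-stats file discussed above and prints the top countries with their share of users. The names `top_countries` and `sample_stats` are hypothetical, the sample data is constructed, and the code assumes the file carries a `bridge-ips` line of comma-separated `cc=count` pairs.

```shell
#!/bin/sh
# Added example: summarise the "bridge-ips" line of a Tor bridge-stats file.

# sample_stats: constructed sample in the bridge-stats layout (not real data).
sample_stats() {
    cat <<'EOF'
bridge-stats-end 2024-01-01 00:00:00 (86400 s)
bridge-ips ru=128,ir=64,de=32,us=24,??=8
bridge-ip-versions v4=240,v6=16
EOF
}

# top_countries FILE [N]: print the N (default 10) largest entries of the
# last "bridge-ips" line as "country count percent-of-all-users".
top_countries() {
    file=$1
    n=${2:-10}
    [ -r "$file" ] || { echo "cannot read $file" >&2; return 1; }
    awk '$1 == "bridge-ips" { line = $2 } END { print line }' "$file" |
        tr ',' '\n' |
        awk -F= '
            # Accept only well-formed cc=count pairs; skip anything else.
            NF == 2 && $2 ~ /^[0-9]+$/ { cc[++m] = $1; cnt[m] = $2; total += $2 }
            END {
                # No users recorded (m or total is 0): nothing is printed.
                for (i = 1; total > 0 && i <= m; i++)
                    printf "%s %d %.1f\n", cc[i], cnt[i], 100 * cnt[i] / total
            }' |
        sort -k2,2nr -k1,1 |
        head -n "$n"
}

# Usage: sh script.sh /var/lib/tor/stats/bridge-stats [N]
if [ "$#" -gt 0 ]; then
    top_countries "$@"
fi
```

Tor rounds the per-country counts up to a multiple of 8 before writing them, so the percentages are approximate, and the stats file is normally readable only by root or the tor user.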