Command-line Tor stopped working. Requesting new bridges doesn't help

Support Censorship Circumvention
1

I use command-line Tor to circumvate government censorship (it’s Russia), with Safari on Mac. My torrc file is quite simple:

UseBridges 1
ClientTransportPlugin obfs4 exec /opt/homebrew/bin/obfs4proxy
Bridge obfs4 ...
Bridge obfs4 ...

The bridges are obtained using Gmail and sometimes Telegram.

Until recenly, it worked fine. The connection took 10-15 seconds. Sometimes bridges stopped working, but I simply requested new.

Few days ago, for some reason, it stopped working. When I try to connect, I see this:

[notice] Tor 0.4.8.13 running on Darwin with Libevent 2.1.12-stable, OpenSSL 3.4.0, Zlib 1.2.12, Liblzma N/A, Libzstd N/A and Unknown N/A as libc.
[notice] Tor can't help you if you use it wrong! Learn how to be safe at https://support.torproject.org/faq/staying-anonymous/
[notice] Read configuration file "/opt/homebrew/etc/tor/torrc".
[notice] Opening Socks listener on 127.0.0.1:9050
[notice] Opened Socks listener connection (ready) on 127.0.0.1:9050
[warn] Cannot find maximum file descriptor, assuming: 256
[notice] Parsing GEOIP IPv4 file /opt/homebrew/Cellar/tor/0.4.8.13/share/tor/geoip.
[notice] Parsing GEOIP IPv6 file /opt/homebrew/Cellar/tor/0.4.8.13/share/tor/geoip6.
[notice] Bootstrapped 0% (starting): Starting
[notice] Starting with guard context "bridges"
[notice] Delaying directory fetches: No running bridges

And then:
`

[notice] Application request when we haven't used client functionality lately. Optimistically trying known bridges again.
[notice] Application request when we haven't used client functionality lately. Optimistically trying known bridges again.
[notice] Application request when we haven't used client functionality lately. Optimistically trying known bridges again.
[notice] Bootstrapped 1% (conn_pt): Connecting to pluggable transport
[notice] Bootstrapped 2% (conn_done_pt): Connected to pluggable transport

or sometimes:

[notice] Bridge 'SKIPPED' has both an IPv4 and an IPv6 address.  Will prefer using its IPv4 address (SKIPPED) based on the configured Bridge address.
[notice] new bridge descriptor 'SKIPPED' (cached): SKIPPED
[notice] Bridge 'Sr2Bridge3209' has both an IPv4 and an IPv6 address.  Will prefer using its IPv4 address (SKIPPED) based on the configured Bridge address.
[notice] Bridge 'SKIPPED' has both an IPv4 and an IPv6 address.  Will prefer using its IPv4 address (SKIPPED) based on the configured Bridge address.
[notice] new bridge descriptor 'SKIPPED' (cached): SKIPPED
[notice] Bridge 'Sr2Bridge3209' has both an IPv4 and an IPv6 address.  Will prefer using its IPv4 address (SKIPPED) based on the configured Bridge address.

And then:

Jan 27 04:17:56.000 [notice] Bootstrapped 1% (conn_pt): Connecting to pluggable transport
Jan 27 04:17:56.000 [notice] Bootstrapped 2% (conn_done_pt): Connected to pluggable transport

Then I have to wait for about 30 seconds and then I see this:

[warn] Proxy Client: unable to connect OR connection (handshaking (proxy)) with SKIPPED ("general SOCKS server failure")
[warn] Proxy Client: unable to connect OR connection (handshaking (proxy)) with SKIPPED ("general SOCKS server failure")
[notice] Delaying directory fetches: No running bridges

Could anybody explain what exactly happened and how to fix it?

1 Like
2

Hi!
What type of internet connection do you use? Mobile or residential?
Have you tried webtunnel bridges?

3

What type of internet connection do you use? Mobile or residential?

I use my laptop at home, it is wirelessly connected to a Wi-Fi router.

Have you tried webtunnel bridges?

Not yet. How can obtain them? When I receive a mail from Tor bridges service, it doesn’t seem to mention webtunner:

get bridges            (Request default Tor bridges.)
get ipv6               (Request IPv6 bridges.)
get transport obfs4    (Request obfs4 obfuscated bridges.)
get vanilla            (Request unobfuscated Tor bridges.)
4

The requirements for deploying a WebTunnel bridge are:

  1. A static IPv4 (preferably);
  2. The ability to expose TCP ports to the Internet (make sure that NAT doesn’t get in the way);
  3. A self-hosted website, including a configurable web server (such as NGINX or Apache) and a domain under your control;
  4. A valid TLS certificate.

The 3rd step will be a lot of hassle for me. Maybe there are easier solutions?

1 Like
5

No need to deploy bridges, you can get them form our website:

If it is not reachable, please contact us on our support channels @TorProjectSupportBot or frontdesk@torproject.org

1 Like
6

Thanks. So my torrc now like:

UseBridges 1
Bridge webtunnel ...
Bridge webtunne l...

I tried it, but there was an error:

[warn] Can’t use bridge at [scrubbed]: there is no configured transport called “webtunnel”.

Then I did a small research and according to this thread, after UseBrdiges 1 I need to add

#ClientTransportPlugin meek_lite,obfs4,scramblesuit,webtunnel exec <path to the lyrebird binary>

  • First question: Am I correct?
  • Second question: According to the mentioned thread, the lyrebird binary in Tor Browser is located in Browser/TorBrowser/Tor/PluggableTransports/. But I don’t have Tor browser installed. I checked /opt/homebrew/bin and there is no lyrebird file there. Then I tried brew install lyrebird, but brew responded that there is no such package wich such a name availabe. Do I need it install Tor browser then?
7

First question: Am I correct?

yes!

Second question:

Transports are included in the Tor Expert Bundle: Tor Project | Download Tor

1 Like
8

I installed Tor browser and updated torrc. My new torrc:

UseBridges 1
ClientTransportPlugin meek_lite,obfs4,scramblesuit,webtunnel exec "/Applications/Tor Browser.app/Contents/MacOS/Tor/PluggableTransports/lyrebird"
Bridge webtunnel ...
Bridge webtunnel ...

When I try to connect, there are the following messages:

[notice] Bootstrapped 0% (starting): Starting
[notice] Starting with guard context "bridges"
[notice] Delaying directory fetches: No running bridges

What does it mean? What should I do next?

9

Can you please check if the path to the lyrebird file is correct? It looks like you use Tor Browser but you mentioned you didn’t have one.

This path

/Applications/Tor Browser.app/Contents/MacOS/Tor/PluggableTransports/lyrebird"

should lead to the lyrebird file on your PC

10

Yes, I installed Tor browser, and the lyrebird file is there.

Once I tried to open it Finder, it first showed me a security window with text like “We don’t trust this file so you cannot open it”. But then I opened it using Control-click and now each time I open it in Finder in regular way, it opens successfully:

Screenshot 2025-01-27 at 9.56.34 PM
Screenshot 2025-01-27 at 9.56.34 PM1456×470 107 KB

12

It’s worth to add that Tor blocked in Russia.

Also, [there is a mention here on the forum[(Call for Testers: WebTunnel, a new way to bypass censorship with Tor Browser - #8 by ValdikSS), that many WebTunnel bridges are hosted on Cloudflare. Cloidflare is aslo blocked in Russia.

13

can you please share your torrc file conent?

14

Please see the latest update about censorship Russia and WebTunnel: Tor in Russia: A call for more WebTunnel bridges | The Tor Project

1 Like
15

(Edit: At the moment I posted this, I hadn’t yet read the article @gus pointed out.)

Here it is:

UseBridges 1
ClientTransportPlugin meek_lite,obfs4,scramblesuit,webtunnel exec "/Applications/Tor Browser.app/Contents/MacOS/Tor/PluggableTransports/lyrebird"

Bridge webtunnel [2001:db8:2ce3:75bd:2da:f69f:d97a:7874]:443 CFB5DD5A5CC4AAB0435C1C5B27D46C0E2AB54C6E url=https:// ver=0.0.1
Bridge webtunnel [2001:db8:2b58:9764:2fcf:67a0:1d1d:b622]:443 9255D4ADB05B7F8792E49779E4DF382BF7B2BE01 url=https:// ver=0.0.1

I asked ChatGPT why it doesn’t work and it suggested to enable SOCKS proxy at port 1080. I tried it, but it didn’t help.

I also asked ChatGPT which is better to bybass censorship in Russia, obfs4 or webtunnel, and it replied obfs is more reliable:

WebTunnel:

Pros:

  • Works as a VPN tunnel, which encrypts all traffic.
  • Uses HTTPS tunneling, making it harder to detect and block.
  • Can be combined with Tor for better anonymity.
  • Often faster than obfs4 due to direct proxy connections.

Cons:

  • Depends on WebTunnel’s servers, which might be blocked in Russia.
  • Not as stealthy as obfs4 against advanced Deep Packet Inspection (DPI).
  • If WebTunnel servers are slow or overloaded, Tor may not work properly.

obfs4:

Pros:

  • Designed specifically to bypass DPI censorship.
  • More decentralized—anyone can run a bridge, making blocking harder.
  • More resistant to detection than VPNs or simple proxies.

Cons:

  • Slower than WebTunnel since it routes through Tor’s obfuscation layer.
  • Bridges can get blocked, requiring frequent updates.

I don’t know why obfs4 didn’t work for me for several days. Now it works again, here is current torrc:

UseBridges 1
ClientTransportPlugin obfs4 exec /opt/homebrew/bin/obfs4proxy

Bridge obfs4 ...
Bridge obfs4 ...

If ChatGPT’s answer is correct, then, given that (1) WebTunnel Depends on WebTunnel’s servers, which might be blocked in Russia and (2) not as stealthy as obfs4 against advanced Deep Packet Inspection (DPI), I don’t really understand why it was suggested to try it in the first place. Seems to be we tried a completely wrong direction, isn’t it?

16

Hello, thanks. I did read it. But are the following WebTunnel cons described by ChatGPT correct?

  • Depends on WebTunnel’s servers, which might be blocked in Russia.
  • Not as stealthy as obfs4 against advanced Deep Packet Inspection (DPI).

Or this is wrong? And if this is wrong, what might be a reason that WebTunnel doesn’t work for me? Maybe there are not enough WebTunnel bridges yet? But there are at least 125 of them (according to your Dec-11 comment), so it seems it should work somehow… Whereas what I see is simply this:

[notice] Bootstrapped 0% (starting): Starting
[notice] Starting with guard context "bridges"
[notice] Delaying directory fetches: No running bridges
17

ChatGPT is not a good resource to troubleshoot censorship circumvention tools. Sometimes it provides completely non-sense answers like the stuff you just pasted, for example:“it suggested to enable SOCKS proxy at port 1080”.

Well, this is true for the majority of anti-censorship tech.

1 Like
18

And what about the second point?

WebTunnel is not as stealthy as obfs4 against advanced Deep Packet Inspection (DPI).

And the most important part of my question. What might be a reason, in your opinion, that WebTunnel didn’t work for me? Do you (or maybe other people here) have information about whether WebTunnel really works in Russia currently?

19

The linked blog post focus on how certain mobile ISPs in Russia are blocking obfs4… You can find more about it here: [Russia] Investigate obsf4 blocking by protocol in mobile 4G in some ISPs (#40050) · Issues · The Tor Project / Anti-censorship / censorship-analysis · GitLab.

I believe WebTunnel didn’t work for you for other reasons. Please try another one.

Yes, users in Russia are reporting that works.

1 Like
20

Is my WebTunnel torrc that I posted above correct?

UseBridges 1
ClientTransportPlugin meek_lite,obfs4,scramblesuit,webtunnel exec "/Applications/Tor Browser.app/Contents/MacOS/Tor/PluggableTransports/lyrebird"

Bridge webtunnel [2001:db8:2ce3:75bd:2da:f69f:d97a:7874]:443 CFB5DD5A5CC4AAB0435C1C5B27D46C0E2AB54C6E url=https:// ver=0.0.1
Bridge webtunnel [2001:db8:2b58:9764:2fcf:67a0:1d1d:b622]:443 9255D4ADB05B7F8792E49779E4DF382BF7B2BE01 url=https:// ver=0.0.1

What might be a reason that it doesn’t work? Maybe I should enable/disable a proxy, use specific port, somehow adjust lyrebird executable ownership/permissions …?

21

Let’s follow up via the Tor Project Telegram support channel.

1 Like