Problems setting up webtunnel bridge

From the debug log:
Sep 05 23:55:10.000 [warn] The IPv4 ORPort address does not match the descriptor address <my-public-ip>. If you have a static public IPv4 address, use 'Address <IPv4>' and 'OutboundBindAddress <IPv4>'. If you are behind a NAT, use two ORPort lines: 'ORPort <PublicPort> NoListen' and 'ORPort <InternalPort> NoAdvertise'.

Also from the torrc:
ServerTransportListenAddr webtunnel

netstat -tleepn

does not show port open

Instructions used:


You can ignore this log message if you added these lines:

AssumeReachable 1

See this ticket:

Have you tried to connect to your own bridge and see if it works?

1 Like

does not work to connect - the only open ports are:

tcp        0      0*               LISTEN      0          17171      865/tor             
tcp        0      0*               LISTEN      0          17170      865/tor
From notices.log

Sep 05 23:55:04.787 [notice] Opened OR listener connection (ready) on
Sep 05 23:55:04.787 [notice] Opening Extended OR listener on
Sep 05 23:55:04.787 [notice] Extended OR listener listening on port 45503.
Sep 05 23:55:04.787 [notice] Opened Extended OR listener connection (ready) on
1 Like

Do you have nginx running with the snippet below?

Can you enable the nginx logs temporarily and see if there are any relevant info?

    location = /$PATH {
        proxy_http_version 1.1;

        ### Set WebSocket headers ###
        proxy_set_header Upgrade $http_upgrade;
        proxy_set_header Connection "upgrade";

        ### Set Proxy headers ###
        proxy_set_header        Accept-Encoding   "";
        proxy_set_header        Host            $host;
        proxy_set_header        X-Real-IP       $remote_addr;
        proxy_set_header        X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header        X-Forwarded-Proto $scheme;
        add_header              Front-End-Https   on;

        proxy_redirect     off;
        access_log  off;
        error_log off;

Yes, nginx is running as supposted but gives “502 Bad Gateway | nginx/1.22.1” which is clear, because there is no port on open

in tor debug log (grep webtunnel):

Sep 06 04:23:38.000 [info] process_exec(): Starting new process: /usr/local/bin/webtunnel
Sep 06 04:23:38.000 [info] launch_managed_proxy(): Managed proxy at '/usr/local/bin/webtunnel' has spawned with PID '1286'.
Sep 06 04:23:38.000 [info] Managed proxy "/usr/local/bin/webtunnel" changed state: Infant -> Launched

ps aux |grep 1286:
debian-+ 1286 0.0 0.0 0 0 ? Z 04:23 0:00 [tor] <defunct>

1 Like

@arma on IRC pointed out that:“if you’re using the tor deb to run your webtunnel, you need to edit tor’s apparmor file to let it launch your webtunnel.”

If you run dmesg, you’ll see some lines like this:

apparmor="DENIED" operation="exec" profile="system_tor" name="/usr/local/bin/webtunnel" pid=385006 comm="tor" requested_mask="x" denied_mask="x" fsuid=107 ouid=0

Here is a quick fix:

  1. Edit the system_tor profile

$ sudo nano /etc/apparmor.d/system_tor

  1. Find the section where file permissions are defined and add an entry allowing tor to execute webtunnel binary ( /usr/local/bin/webtunnel). It might look something like this:
/usr/local/bin/webtunnel ix,
  1. Reload AppArmor profile
sudo apparmor_parser -r /etc/apparmor.d/system_tor

Let us know if that solves the issue, and I’ll update the guide.


That was the clue :slight_smile:

Works now!

Thank you @gus & @arma

Section in /etc/apparmor.d/system_tor

  # During startup, tor (as root) tries to open various things such as
  # directories via check_private_dir().  Let it.
/usr/local/bin/webtunnel ix,

This topic was automatically closed 24 hours after the last reply. New replies are no longer allowed.