Schrödinger's bridge

Hi,

I’ve been running a webtunnel bridge on a VPS since yesterday, and it’s dead and alive at the same time!

I can connect using a Tor browser and browse the internet, download stuff, etc.

The Tor browser’s circuit shows the correct webtunnel IP as the first hop, and I can monitor the traffic on the bridge in real time with nyx on the server.

At the same time I got this info from bridges.torproject.org:

Bridge <fingerprint> advertises:

* webtunnel: dysfunctional
Error: timed out waiting for bridge descriptor
Last tested: 2026-03-28 15:11:34.316622948 +0000 UTC (3h58m36.100329952s ago)

and from metrics.torproject.org:

Downtime: 2 hours 39 minutes and 13 seconds

and “running flag” not set.

These are the last lines of the VPS journal:
Mar 28 16:59:23 vps Tor[305910]: Bootstrapped 100% (done): Done
Mar 28 17:01:51 vps Tor[305910]: New control connection opened.
Mar 28 17:02:18 vps Tor[305910]: Self-testing indicates your ORPort <IP>:9001 is reachable from the outside. Excellent. Publishing server descriptor.
Mar 28 17:08:40 vps Tor[305910]: All current guards excluded by path restriction type 2; using an additional guard.
Mar 28 17:15:23 vps Tor[305910]: Your network connection speed appears to have changed. Resetting timeout to 60000ms after 18 timeouts and 148 buildtimes.
Mar 28 19:53:24 vps Tor[305910]: No circuits are opened. Relaxed timeout for circuit 314 (a Testing circuit 3-hop circuit in state doing handshakes with channel state open) to 60000ms. However, it appears the circuit has timed out anyway.
Mar 28 20:07:09 vps Tor[305910]: New control connection opened.

Please help me understand.

I’m pretty sure it’s VPS related, because the hosting provider is providing variable bandwidth.

It depends on how much bandwidth they give you. If you yourself are able to connect to the bridge just fine and send traffic, then it might not be the bandwidth.

Maybe it’s the port? WebTunnel bridges are usually hosted on port 443.

Thx for answering!

The ORPort setting is not critical because it’s used only locally for bridges. I changed it from a fixed port to the recommended 127.0.0.1:auto setting.

The remote access is indeed coming in via port 443, and this is running properly.

Solved!

It’s a known issue and therefore expected for webtunnel bridges:

On https://community.torproject.org/relay/setup/webtunnel/source/ we tell the bridge operator to set ORPort to 127.0.0.1 and set AssumeReachable. This is so their ORPort isn’t reachable from the outside world. But at present it will result in two surprises for bridge operators:

  • They will get “The IPv4 ORPort address 127.0.0.1 does not match the descriptor address <redacted: IP of the relay server>” scary log messages, which make them think something is wrong with their configuration

  • In Tor Metrics, the bridge is shown in “Red” status, as being “down” for a couple of hours. That’s because they don’t have the Running flag from the bridge authority.

source: webtunnel-from-source instructions close your ORPort without explaining that your bridge will seem down (#329) · Issues · The Tor Project / Web / community · GitLab

2 Likes
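As an added example (not part of the thread and not Tor Project tooling): a small torrc check that tells the expected "down" report from the last post apart from a configuration that deviates from the webtunnel guide. The sample configurations, the plugin path, the 203.0.113.10 address and the verdict names are constructed for illustration.

```python
import ipaddress

def parse_torrc(text):
    """Map lower-cased option names to their list of values (comments dropped)."""
    opts = {}
    for raw in text.splitlines():
        parts = raw.split("#", 1)[0].split(None, 1)
        if parts:
            value = parts[1].strip() if len(parts) > 1 else ""
            opts.setdefault(parts[0].lower(), []).append(value)
    return opts

def loopback_only(orport_values):
    """True when every ORPort line binds to a loopback address."""
    for value in orport_values:
        addr = value.split()[0] if value else ""
        host = addr.rsplit(":", 1)[0].strip("[]") if ":" in addr else ""
        try:
            if not ipaddress.ip_address(host).is_loopback:
                return False
        except ValueError:  # bare port or hostname: not provably loopback
            return False
    return bool(orport_values)

def triage(torrc_text):
    """Classify a bridge torrc against the setup described in the thread."""
    opts = parse_torrc(torrc_text)
    plugins = opts.get("servertransportplugin", [])
    if not any(v.split()[:1] == ["webtunnel"] for v in plugins):
        return "not-webtunnel"
    if not loopback_only(opts.get("orport", [])):
        return "orport-exposed"           # ORPort may be reachable from outside
    if opts.get("assumereachable", ["0"])[-1] != "1":
        return "assumereachable-missing"  # the guide sets this with a local ORPort
    # ORPort is closed to the bridge authority, so a missing Running flag and
    # a "dysfunctional" test result are expected while clients still connect.
    return "expected-false-down"

# Constructed sample configurations (not taken from the thread).
GUIDE_STYLE = """BridgeRelay 1
ORPort 127.0.0.1:auto
AssumeReachable 1
ServerTransportPlugin webtunnel exec /usr/local/bin/webtunnel  # placeholder path
"""
FIXED_PORT = GUIDE_STYLE.replace("127.0.0.1:auto", "203.0.113.10:9001")

if __name__ == "__main__":
    print(triage(GUIDE_STYLE), triage(FIXED_PORT))
```

A verdict of `expected-false-down` only says the status pages are unreliable for this setup; whether the bridge actually works still has to be confirmed by connecting through it, as the original poster did.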
