[Warning] on Fresh Webtunnel Bridge on OpenBSD

Hi Friends,

I am trying to set up a webtunnel bridge on OpenBSD 7.5 for the first time. After working through the instructions, I finally start the tor daemon and get this error:

Tor[2517]: The IPv4 ORPort address does not match the descriptor address [redacted-ip]. If you have a static public IPv4 address, use 'Address <IPv4>' and 'OutboundBindAddress <IPv4>'. If you are behind a NAT, use two ORPort lines: 'ORPort <PublicPort> NoListen' and 'ORPort <InternalPort> NoAdvertise'.

But the bridge seems to work. I tried connecting to it using the template bridge line from https://community.torproject.org/relay/setup/webtunnel/source/, replacing the fingerprint and URL, but leaving the IP how it is, although I don’t understand why it is in a private address space (pardon my ignorance please). I can connect to the bridge and surf the web!


  • It shows up on Relay Search, correctly indicating the webtunnel protocol, but with distribution mechanism ‘none’, and it says offline even though it is not.
  • Running Nyx shows 2 outbound connections, 8 circuits. Seems low.
  • Heartbeat message reads Heartbeat: Tor's uptime is 6:00 hours, with 6 circuits open. I've sent 8.10 MB and received 14.91 MB. I've received 5 connections on IPv4 and 0 on IPv6. I've made 2 connections with IPv4 and 0 with IPv6. Seems strange that it hasn’t made more connections.

Is this normal behavior for a webtunnel bridge?

Other info:

  • OpenBSD 7.5 amd64 on a VPS; nginx-1.24.0; tor-; compiled webtunnel from source with go-1.22.1.
  • Static IPv4 address. Running pf firewall with rules passing incoming traffic only on ports {80, 443} and a non-standard SSH port. Using anti-spoofing rules including quick dropping martian addresses on WAN interface.
  • torrc is as follows. It includes rules for rate limiting and Nyx control:
AssumeReachable 1                                                                                                                                                                                       
BridgeRelay 1                                                                                                                                                                                           
ControlPort 9051                                                                                                                                                                                        
CookieAuthentication 1                                                                                                                                                                                  
CookieAuthFile /var/tor/control_auth_cookie                                                                                                                                                             
CookieAuthFileGroupReadable 1                                                                                                                                                                           
DataDirectory /var/tor                                                                                                                                                                                  
DataDirectoryGroupReadable 1                                                                                                                                                                            
DisableDebuggerAttachment 0                                                                                                                                                                             
ExtORPort auto                                                                                                                                                                                          
Log notice syslog                                                                                                                                                                                       
RelayBandwidthBurst 3145728                                                                                                                                                                             
RelayBandwidthRate 2306867                                                                                                                                                                              
RunAsDaemon 1                                                                                                                                                                                           
ServerTransportListenAddr webtunnel                                                                                                                                                     
ServerTransportOptions webtunnel url=https://[redacted-url]/[redacted-24-digit-random-string]                                                                                                                       
ServerTransportPlugin webtunnel exec /usr/local/bin/webtunnel                                                                                                                                           
SocksPort 0                                                                                                                                                                                             
User _tor

Thanks in advance for any help or insights can you give.





Thanks for running a bridge!

The warn you get is expected. As a bridge, client won’t use the ORPort, so it’s better to keep it unreachable, so that it isn’t discovered by a port-scan. This also has the effect that Serge (the bridge authority) can’t make sure the bridge works properly, as Serge only tests the ORPort. This makes you appear offline on metrics.tpo.
You can check what other tools think of your bridge by going to https://bridges.torproject.org/status?id=<hashed fingerprint> If it says something along the lines of webtunnel: functional, it means your bridge works.

but with distribution mechanism ‘none’

if your relay is brand new, it’s normal to be that way for a few hours. If it’s stays, there is probably a problem somewhere.

Running Nyx shows 2 outbound connections, 8 circuits. Seems low.

the circuits are the ones you bridge makes, so you can ignore that. 2 outbound connections is low indeed, but coherent with not being distributed yet (or being distributed, but since so little time that nobody uses your bridge just yet).


Hey Trinity,

Thanks for getting back to me! I used the link you mentioned and it shows webtunnel: functional. But I went ahead and changed BridgeDistribution auto to BridgeDistribution https in torrc. I guess I will just be patient and see what happens.

Thanks again :slight_smile:

1 Like