IPv6 Tor Bridges: Configuration for Dual-Stack Operations

IPv6 blocking is less common than IPv4 blocking in many filtered networks because IPv6 infrastructure is newer and censorship systems have not been fully updated to block it. Some networks provide better IPv6 connectivity than IPv4 (enterprise networks with IPv6 transit but limited IPv4 NAT). Tor bridges can advertise both IPv4 and IPv6 addresses, allowing clients to choose whichever is more accessible. As IPv6 adoption grows globally, IPv6-only bridges may become viable for reaching users in fully IPv6 networks. For bridge operators with VPS providers that include IPv6 allocation (most modern providers), enabling IPv6 on the bridge has no additional cost and increases utility for users.

Enable IPv6 on your bridge in torrc: ORPort [IPv6_ADDRESS]:9001 IPv6Only (for Tor's ORPort over IPv6), ServerTransportListenAddr obfs4 [::]:443 (for obfs4 on IPv6). If your server has both IPv4 and IPv6, configure both: ORPort 0.0.0.0:9001 and ORPort [::]:9001 (allows both). For the bridge line to be distributed, Tor automatically announces both addresses if both are configured. Verify your server's IPv6 address: ip addr show | grep inet6. Ensure your firewall allows IPv6 connections: ip6tables -A INPUT -p tcp --dport 443 -j ACCEPT (for obfs4 on port 443). ufw supports IPv6 automatically if IPV6=yes in /etc/default/ufw.

Test that IPv6 is reachable on your bridge: from an external server, nc -zv [your-ipv6] 443 should succeed. Use test-ipv6.com from a browser on the bridge server to verify IPv6 internet connectivity. Tor's logs will show connections arriving on IPv6 when it is working. The Tor metrics portal (metrics.torproject.org/rs.html) shows whether your bridge's IPv6 address is being distributed. Alternatively, configure a test Tor client to use your bridge and monitor which address it connects to via Tor's verbose logs (Log info) on the client side. Fix common issues: IPv6 not assigned to interface (provider must enable IPv6), ip6tables blocking connections (check rules), Tor not configured to listen on IPv6.

IPv6-only bridges (no IPv4 address configured for Tor) are a niche but useful strategy for environments where IPv4 blocking is comprehensive but IPv6 is not monitored as closely. Configuration: ORPort [ipv6]:9001 IPv6Only, ServerTransportListenAddr obfs4 [::]:443. The bridge line contains only the IPv6 address. Tor clients must have IPv6 connectivity to use an IPv6-only bridge (ClientUseIPv6 1 in client's torrc, or Tor Browser enables IPv6 automatically on systems with IPv6 connectivity). IPv6 penetration globally: approximately 40% of internet users have IPv6 connectivity as of 2026, limiting the audience for IPv6-only bridges. Dual-stack (both IPv4 and IPv6) is preferred for maximum reach.

IPv6 requires separate firewall rules from IPv4. Do not assume iptables rules apply to IPv6 (use ip6tables or unified nftables). Basic ip6tables configuration for a bridge: ip6tables -F; ip6tables -P INPUT DROP; ip6tables -P FORWARD DROP; ip6tables -P OUTPUT ACCEPT; ip6tables -A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT; ip6tables -A INPUT -p ipv6-icmp -j ACCEPT (ICMPv6 needed for IPv6 to function); ip6tables -A INPUT -p tcp --dport $SSH_PORT -j ACCEPT; ip6tables -A INPUT -p tcp --dport 443 -j ACCEPT. Save ip6tables rules for persistence (ip6tables-save > /etc/iptables/rules.v6) and restore on boot (iptables-restore < /etc/iptables/rules.v6). ufw handles both IPv4 and IPv6 in a unified command-line interface.