IPv6 Dual-Stack Configuration for Tor Bridges and Relays

IPv6 ORPorts allow Tor clients that have IPv6 connectivity to reach your bridge directly without IPv4. In censored regions where specific IPv4 ranges are blocked, the same bridge's IPv6 address may not yet be on blocklists, providing an additional path for users. IPv6 addresses are allocated in much larger blocks than IPv4 and blocklisting an entire IPv6 /48 is too broad for censors to apply without collateral damage, making IPv6 bridge addresses longer-lived in some environments.

From the network health perspective, the Tor Project explicitly values IPv6 participation and the directory authorities give credit for advertising IPv6 ORPorts in consensus weight calculations. Bridges and relays with functional IPv6 ORPorts have a competitive advantage in reaching consensus weight thresholds compared to IPv4-only peers with otherwise identical configurations.

The technical requirement is simply that your VPS has a routable IPv6 address, which AnubizHost provides on all plans. The OS configuration and torrc changes are minimal. There is essentially no downside to enabling IPv6 on a relay that already has IPv4 support.

Verify IPv6 is available on your VPS with ip addr show and look for a global unicast address (starts with 2 or 3, not fe80). If no IPv6 address is shown, request one through the hosting control panel or open a support ticket. AnubizHost assigns IPv6 automatically on all plans.

Test IPv6 connectivity outbound: ping6 -c 4 2001:4860:4860::8888 (Google's IPv6 DNS). If this succeeds, the VPS has functional IPv6 routing. If it fails, check the default IPv6 route with ip -6 route show default. A missing default route can often be fixed by adding: ip -6 route add default via YOUR_GATEWAY dev eth0

Make the IPv6 route persistent by adding it to /etc/network/interfaces or the NetworkManager configuration depending on your OS configuration. For Debian 12 with /etc/network/interfaces, add:

iface eth0 inet6 static
    address YOUR_IPv6_ADDRESS/64
    gateway YOUR_IPv6_GATEWAY

Add IPv6 ORPort and transport configuration to torrc alongside the existing IPv4 configuration:

# IPv4 configuration
ORPort 9001
ServerTransportListenAddr obfs4 0.0.0.0:443

# IPv6 configuration
ORPort [2001:db8::1]:9001 IPv6Only
ServerTransportListenAddr obfs4 [::]:443 IPv6Only

Replace 2001:db8::1 with your actual IPv6 address. The IPv6Only flag tells Tor to listen on this ORPort only for IPv6 connections, avoiding conflicts with the IPv4 ORPort. The ServerTransportListenAddr for IPv6 uses the :: notation to bind to all IPv6 interfaces.

After restarting tor, verify that both ORPorts appear in the relay descriptor. Use: echo "GETINFO desc/current-version" | nc 127.0.0.1 9051 to retrieve the descriptor and search for ORPort lines. The descriptor should show both the IPv4 and IPv6 ORPort entries with different listening addresses.

UFW manages IPv4 and IPv6 rules independently. Add IPv6-specific rules to allow the ORPort and obfs4 transport port on IPv6:

ufw allow in on eth0 to any port 9001 proto tcp
ufw allow in on eth0 to any port 443 proto tcp

UFW applies these rules to both IPv4 and IPv6 by default when IPv6 is enabled in /etc/default/ufw. Verify with ufw status verbose and look for the IPv6 column showing ALLOW. If the rules show only IPv4, edit /etc/default/ufw and set IPV6=yes, then reload UFW.

Test IPv6 connectivity to your bridge from an external IPv6 host: nc -6 -zv YOUR_IPv6_ADDRESS 443. A successful connection confirms the firewall is open and the obfs4 transport is listening on IPv6. If this fails but IPv4 works, the firewall configuration or kernel routing needs investigation.