Tor Bridge Redundancy: Automatic Failover Configuration

Tor supports multiple Bridge lines in torrc, automatically trying them in order if earlier ones fail. Add multiple bridges of the same or different transport types: Bridge obfs4 address1:port fingerprint... / Bridge obfs4 address2:port fingerprint... / Bridge snowflake. When the first bridge is unreachable, Tor tries subsequent ones. The optimal strategy mixes bridge types so that if all bridges of one type are blocked simultaneously, alternative types remain available. A typical redundant configuration includes: 2-3 obfs4 bridges as primary, 1-2 Snowflake entries as fallback. This provides resilience against both individual bridge blocking and transport-type-wide blocking.

Tor does not randomly select among multiple bridges - it tries them in the order listed in torrc. When the first bridge connects successfully, Tor uses it. If the first bridge fails (timeout or connection refused), Tor moves to the next bridge. Tor retains a memory of which bridges have been unreachable and adjusts future attempts accordingly. The ClientBootstrapConsensusAuthorityDownloadInitialDelay setting affects how long Tor waits before considering a bridge failed. For latency-sensitive configurations, placing the best-performing bridge first ensures optimal performance when all bridges are available.

Before deploying bridge configuration in a critical environment, test each bridge: attempt Tor connection using each bridge individually, measure connection success rate and latency, verify the bridge is not on local network blocklists. Testing should be done from the target network environment (the censored country or network), not from a development environment, because bridge availability is network-specific. OONI tests can verify bridge reachability from specific locations. Maintain a tested set of bridges and refresh them every 1-3 months.

For production environments using Tor (hidden service operators, organizational deployments), monitoring bridge status is important. The Tor control port provides circuit status information including which bridge is being used and connection success rates. Prometheus tor_exporter exposes bridge status metrics. Alert when: the primary bridge has been replaced by a fallback (primary may be blocked), circuit establishment failure rate rises (indicating bridge issues), or all bridges fail (service inaccessible). For hidden services depending on bridges, configure paging-level alerts for complete Tor connectivity failures.

Bridges have lifespans - they are discovered and blocked by censors over time. A bridge rotation schedule prevents dependency on stale bridges. Automated rotation: script periodic bridge requests from BridgeDB, compare against current configuration, and add new bridges while removing confirmed-blocked ones. Manual rotation: review bridges monthly, test each against current censorship state, replace blocked bridges. Private bridges operated by your organization need regular replacement as they age or are discovered. Coordinate bridge rotation with dependent users to avoid disruption. Distribute new bridges through the same secure channels as initial distribution.