Fix: anon-connection-wizard validation logic for WebTunnel bridges (regex/parsing error)

Jimmy67 · May 23, 2026, 7:59pm

Title: [Bug/Patch] anon-connection-wizard: Allow WebTunnel bridge strings in validation

Hey team,

Running into a UX blocker on Whonix 17.x where anon-connection-wizard rejects perfectly valid WebTunnel bridge strings during manual configuration.

Context: I’m currently dealing with an ISP that uses active DPI to fingerprint and drop obfs4 handshakes, so WebTunnel is essentially my only viable transport for bootstrapping. If I manually edit /etc/tor/torrc, the WebTunnel connection works flawlessly and stays stable. However, the GUI wizard rejects the string outright.

The Issue: Looking at the source, the validation logic in anon-connection-wizard.py only whitelists obfs4 and meek_lite. It chokes as soon as it sees the webtunnel prefix (and likely the url= parameter).

Here’s a quick diff to add WebTunnel to the allowed prefixes. I’ve tested this locally and it allows the wizard to parse the string and bootstrap correctly.

Diff

--- a/usr/libexec/python3-whonix/anon-connection-wizard.py
+++ b/usr/libexec/python3-whonix/anon-connection-wizard.py
@@ -xxx,x +xxx,x @@
- if not bridge_string.startswith(('obfs4 ', 'meek_lite ')):
+ if not bridge_string.startswith(('obfs4 ', 'meek_lite ', 'webtunnel ')):

Repro Steps:

Open ACW → Configure → “Provide a bridge I know.”
Paste a standard WebTunnel string: webtunnel 192.0.2.1:443 <FINGERPRINT> url=https://example.com/path
Hit Next → Fails with the generic “Invalid Bridge String” dialog.

Let me know if you want me to open a formal Merge Request for this over on the GitLab instance, or if you prefer to just cherry-pick the logic straight from here.

arraybolt3 · May 24, 2026, 2:01am

Whonix 17 is end-of-life on all platforms except Qubes R4.2. See:

Does the issue occur on Whonix 18?

We use GitHub (Whonix · GitHub), not GitLab. A pull request on GitHub would be welcome though.

Moderation comment:

This post has some hallmarks of possibly being AI-generated. Please see:

Jimmy67 · May 24, 2026, 5:27am

Yeah, fair catch. I used Gemini to format the markdown and fix grammar, but the reverse-engineering, network testing behind my ISP’s CGNAT, and the Python fix are 100% my own work tested locally on my gateway. I’ll flag any formatting tools in the future.

Just a heads up, this is my first time posting on the Whonix forums or contributing to open source. I just ran into this WebTunnel bug in the wizard and wanted to help get it patched.

Regarding the version: I need to correct myself. I just checked my VirtualBox manager and I am actually running build 18.1.6.4. So I can confirm this bug does occur on Whonix 18.

My bad on the GitLab mention. Let me check the master branch on your GitHub repo for anon-connection-wizard. If the regex in anon-connection-wizard.py is still missing the webtunnel prefix there, I’ll fork it and submit a proper PR this weekend.

Also next time I will use AI in any manner i will report it.

Jimmy67 · May 24, 2026, 5:41am

Hey arraybolt3, one quick clarification on my end. While I dug into the anon-connection-wizard.py source and found the regex missing the webtunnel prefix, I actually haven’t manually edited my /etc/tor/torrc file yet to force the connection.

Before I go modifying core system files on the Gateway to test the WebTunnel bridge, I wanted to report the wizard bug first to make sure I wasn’t going to break AppArmor or anything else.

If you guys want me to test the manual torrc workaround this weekend to confirm WebTunnel plays nice with the rest of the Whonix 18 architecture, just let me know.

Jimmy67 · May 24, 2026, 5:50am

“Quick update: I went to test the manual workaround and realized webtunnel-client isn’t actually shipped in /usr/bin on Whonix 18. So my regex fix for the GUI is putting the cart before the horse! I guess this turns my bug report into a feature request: Are there plans to package the WebTunnel binary into the default Gateway image soon so users behind heavy DPI can use it?”

Patrick · May 24, 2026, 9:50am

Existing feature request:
Adding webtunel bridges to whonix

Jimmy67 · May 25, 2026, 5:25am

Hi Patrick,

Got it. The “undocumented” stuff is a total blocker for security audits. I’m seeing the same friction on my end trying to bypass DPI—feels like a dead end without a proper spec.

If we want to stop manually patching the anon-connection-wizard every time Tor adds a new bridge, maybe we should push some of this upstream to Lyrebird? (Especially since the transition from obfs4proxy to Lyrebird is still causing some packaging lag).

It’d be way easier if Lyrebird just had a --list-transports flag so the GUI could dynamically pick up what’s installed. Right now it’s too tightly coupled with the Tor Browser bundle. We definitely need a real integrator spec for CLI/env vars so we can actually jail the thing in the Gateway without it being a mystery box.

Also, is anyone actually pushing to get Lyrebird into the Debian Trixie (Stable) repos? That seems like the biggest long-term fix for the bundling mess.

I’m down to do some documentation research or testing if it helps move this along. Better than just waiting for a bridge that’s 2 years out.

Patrick · May 25, 2026, 6:21pm

Undocumented in this refers to:

That would be awesome but I don’t know how such as spec could look like.

Indeed, TPO (Tor Project) seems to focus on TBB. I see no indication that this would change, but feel free to contribute upstream to TPO.

Not to my awareness.

Yes.

Jimmy67 · May 30, 2026, 9:02am

Point taken on the documentation policy. I read through the “Unsupported Features” wiki page, and I completely agree—it’s a dead end for security audits without a proper specification. I’ll gladly take you up on the “Become a Contributor” option.

To bridge this gap without putting the maintenance burden on the Whonix team, the fix needs to happen upstream at TPO.

Just a quick update on the packaging front: Lyrebird v0.8.1 has officially landed in Debian Sid (unstable) and Forky (testing). So the long-term bundling mess is already resolving itself natively without needing manual tarball pulls.

Regarding the integrator spec, the main friction point seems to be jailing the transport safely. Whonix needs to know the exact strict AppArmor profiles and torrc parameters to isolate it. If we can get TPO to add a --capabilities flag that outputs a machine-readable spec, the anon-connection-wizard could parse it dynamically.

Here is a rough draft of what I am thinking of proposing to the TPO Anti-Censorship team:

```json
{
  "version": "0.8.1",
  "supported_transports": ["obfs4", "webtunnel", "snowflake", "meek"],
  "binary_path": "/usr/bin/lyrebird",
  "env_vars_required": [
    "TOR_PT_MANAGED_TRANSPORT_VER", 
    "TOR_PT_STATE_LOCATION",
    "TOR_PT_CLIENT_TRANSPORTS"
  ],
  "apparmor_needs": {
    "network": ["tcp"],
    "rw_paths": ["$TOR_PT_STATE_LOCATION"]
  }
}

If Lyrebird provides this, Whonix doesn’t have to guess how to sandbox it. The UI toggles automatically, and the security model remains intact without hard-coding everything per release.

I am going to draft an issue on the TPO GitLab to request this discovery flag for integrators. I’ll drop the issue link here once it’s up so the Whonix team can track it if interested.

Thanks for pointing me in the right direction!

Jimmy67 · May 30, 2026, 9:39am

Quick update: I’m currently waiting for account approval on the Tor Project Forum to post the proposal there (ran into some 500 errors on the GitLab portal). Once I’m approved and the post is live, I’ll drop the link here so we can track the upstream discussion.

Patrick · May 30, 2026, 5:01pm

Was this post AI generated?

Yes.

Indeed.

Super helpful.

How’s that supposed to work? I don’t know what the suggestion to The Tor Project (TPO) would be.

TPO’s primary project seems to be TBB (Tor Browser Bundle). It’s supposed to be extracted in the user’s $HOME folder and run from there.

Add --capabilities where specifically?

I am not sure that’s the main issue. Does TPO even ship AppArmor profiles for either Tor Browser or Lyrebird?

If there was a “something” that would output --capabilities, yeah, that would be useful.

I am not sure if the transport lines such as Bridge meek_lite are so difficult and fit into a --capabilities framework. These Bridge something lines are quite simple.

The primary issue is software sources and stable maintenance. There needs a mechanism to easily, securely get stable versions of (Tor and) pluggable transports. As per:

Whonix sources most of it’s software packages from packages.debian.org. Then these can be installed simply using proverbial apt install pkg-name. Debian does a good job of keeping these packages stable and functional within a release. (Stability is a related project goal. [1])

C-Tor is available from deb.torproject.org. [2]

(Arti [3] is not yet last time I checked.)

Pluggable transports such as Lyrebird are available neither from deb.torproject.org nor from packages.debian.org for the release suite Whonix is currently based on at the time of writing (Debian trixie).

So what could be contributed upstream in TPO and/or Debian is pluggable transports packages as Debian packages for trixie. (Debian is long term, unless backports or fasttrack. TPO in theory more short term.)

What could be contributed at Whonix maybe is: make TBB usable as "system Tor", so latest pluggable transports and the tor-launcher graphical user interface can be used in Whonix (as a secondary, non-default mechanism as this might be less stable).

[1]

[2]

[3] Keep an eye on Arti (Tor)

Jimmy67 · June 2, 2026, 8:05am

"Fair point on the packaging front—I was looking at this as a feature-parity issue for downstream integrators, but I see your perspective that fixing the packaging lifecycle (Debian/TPO) is the more robust root-cause solution.

Regarding the --capabilities flag, I can see why that’s being viewed as an unnecessary layer if proper packaging solves the source/stability issue. I’ll refocus my efforts on tracking the packaging side for Lyrebird in the Debian repos. Thanks for the clarification on how you’re handling the TPO/Whonix ecosystem dependencies."

Jimmy67 · June 2, 2026, 8:09am

“To answer your question: I wrote the technical logic myself. I used AI only to clean up the grammar and formatting because I wanted to make sure the proposal was clear. I’m definitely not trying to automate this discussion—just trying to contribute.”

Jimmy67 · June 2, 2026, 8:43am

That makes sense. Allright,I see it now that solving this at the packaging and distribution layer is a far more sustainable and easy(way less of a headache)solution than trying to bridge it with downstream feature flags.

Since you mentioned this packaging effort is the primary focus, I’d love to follow that work. Is there a specific tracker, mailing list, or area where the Lyrebird/Debian packaging efforts are discussed, or should I just keep an eye on the TPO issue tracker? I’d like to follow along as that resolves. > Also, if you see any fundamental design flaws or anti-patterns in the logic I proposed, I’d appreciate a quick pointer. I’m trying to improve my approach to these integration problems, so any critique on the design would be a huge help.

Patrick · June 2, 2026, 9:40am

TPO issue tracker.

Similar ticket and website for different pluggable transport:

Jimmy67 · June 3, 2026, 7:40am

Thank you for the reference links, Patrick. Looking through that Snowflake ticket makes the upstream tracking workflow and the maintenance constraints a lot clearer.

I agree that handling this at the software sourcing and distribution layer is the right approach.

Just as a quick update: Cecylia from the Tor Project reviewed the proposal on their forum, found it well-motivated, and is opening an official GitLab issue in the lyrebird repo so the team can look at the design details and complexity trade-offs upstream.

My main goal was just to highlight this integration bottleneck so the core devs could address it. I’m glad to leave it in their hands to figure out the best way forward, and I’ll keep an eye on the TPO tracker to see how it develops. Thanks again for the guidance!

Patrick · June 3, 2026, 2:09pm

For reference:

Doesn’t make sense.

Whatever AI you’re using, it’s not figuring out this issue and wasting developer time.

Jimmy67 · June 4, 2026, 6:10am

I hand typed the Go logic and JSON capabilities and everything else. I had an LLM make the forum post text friendly, but that tripped your ai slop detector.

I spent 3 days of my time on this. no ai helped me scour through the wiki and forums and code and github and gitlab. I read through your links and suggestions and pages myself. I admit I may not be the perfect programmer, but I am a human being, not a robot or an LLM. Even if my logic is flawed, that dosent make me a prompt engineer who just copy pastes whatever the ai pops out.

Just a first rough try. The big problem is the integration gap. Cecylia has already looked at the logic, confirmed the bottleneck and is creating an official GitLab issue in Lyrebird to investigate it further.My goal was to just give a implementation that i thought would work,it was just a draft not the final product or anything.My initial idea was to just inform you about the lack of support for webtunnel in the anon wizard and to provide a very rough implementation which others will refine and improve to be production ready. I frankly dont care if upstream uses a single line of my exact code. I just needed them to see the actual friction downstream projects are dealing with.

We’ve reached our goal so feel free to close this thread on the downstream end.

Patrick · June 4, 2026, 10:00am

Just a bug wrangler comment without technical review.

Seems like this slipped out of the context window.

Patrick · June 5, 2026, 11:08am

https://gitlab.torproject.org/tpo/anti-censorship/pluggable-transports/lyrebird/-/work_items/40036