Bridge Mode Endpoints
Multi-hop bridge connections for enhanced privacy and censorship bypass, routing traffic through entry and exit VPN servers.
Overview
Bridge mode (multi-hop) routes VPN traffic through two servers: an entry server (bridge) and an exit server. The client connects to the entry server, which forwards traffic to the exit server. This provides an additional layer of privacy (the exit server only sees the entry server's IP, not the client's) and helps bypass censorship by using an entry server in a less restricted location.
How Bridge Mode Works
- The client connects to the entry server (bridge server) using any supported protocol.
- The entry server establishes a server-to-server tunnel to the exit server.
- All client traffic is relayed: Client -> Entry Server -> Exit Server -> Internet.
- The exit server sees the entry server's IP, not the client's real IP.
- Neither server alone has both the client's identity and their destination traffic.
When to Use Bridge Mode
Bridge mode is recommended by SmartConnect when direct connections to exit servers are unreliable due to IP blocking or censorship. It is especially effective when the entry server is in a region with unrestricted internet access.
Connect (Establish Bridge)
Establishes a bridge (multi-hop) connection through the entry server to the specified exit server. The entry server negotiates the exit tunnel and returns connection details for all supported protocols on the exit server.
/bridge/connectEstablish a multi-hop bridge connection through this entry server to an exit server
Request Parameters
| Parameter | Type | Required | Description |
|---|---|---|---|
exit_server_id | string | Required | The target exit server identifier. Obtained from the OrbNET Servers API. |
protocol | string | Required | VPN protocol to use for the bridge tunnel: "wireguard", "vless", or "orbconnect". |
mimicry | string | Optional | Traffic mimicry profile for the entry-to-exit tunnel: "teams", "google", "none", etc. Defaults to "none". |
user_uuid | string | Required | The user's unique identifier for session tracking. |
wireguard_public_key | string | Optional | Client's WireGuard public key. Required when protocol is "wireguard". |
Code Examples
curl -X POST https://198.51.100.1:8443/bridge/connect \
-H "Authorization: Bearer DEVICE_TOKEN" \
-H "Content-Type: application/json" \
-d '{
"exit_server_id": "srv_us_ny_02",
"protocol": "vless",
"mimicry": "teams",
"user_uuid": "usr_abc123"
}'Response
{
"session_id": "brg_sess_xyz789",
"bridge_server_id": "srv_eu_de_01",
"exit_server_id": "srv_us_ny_02",
"protocol": "vless",
"status": "connected",
"exit_server_wireguard": {
"serverPublicKey": "xTIBA5rboUvnH4htodjb6e697QjLERt1NAB4mZqp8Dg=",
"endpoint": "203.0.113.50:51820",
"assignedIP": "10.8.0.42/32"
},
"exit_server_vless": {
"vlessUuid": "a1b2c3d4-e5f6-7890-abcd-ef1234567890",
"serverEndpoint": "203.0.113.50",
"serverPort": 8443,
"realityPublicKey": "LS0tLS1CRUdJTi...",
"realitySNI": "www.microsoft.com"
},
"exit_server_orbconnect": {
"serverAddr": "203.0.113.50",
"serverPort": 443,
"dtlsPort": 443,
"password": "session_password_xyz"
}
}{
"success": false,
"error": {
"code": "UNAUTHORIZED",
"message": "Invalid or expired device token"
}
}{
"success": false,
"error": {
"code": "EXIT_SERVER_UNREACHABLE",
"message": "Unable to establish tunnel to exit server srv_us_ny_02"
}
}Response Fields
| Field | Type | Description |
|---|---|---|
session_id | string | Unique bridge session identifier for status queries and disconnect |
bridge_server_id | string | Entry (bridge) server identifier |
exit_server_id | string | Exit server identifier |
protocol | string | Protocol used for the bridge tunnel |
status | string | Session status: connected, connecting, failed |
exit_server_wireguard | object | WireGuard connection details on the exit server (if available) |
exit_server_vless | object | VLESS connection details on the exit server (if available) |
exit_server_orbconnect | object | OrbConnect connection details on the exit server (if available) |
Multi-Protocol Response
The bridge connect response includes connection details for all available protocols on the exit server, regardless of which protocol was selected for the bridge tunnel itself. This allows the client to use different protocols for the client-to-bridge and bridge-to-exit segments.
Get Bridge Session Status
Returns the current status of a bridge session, including traffic statistics and connection health.
/bridge/statusGet the current status of a bridge session
Query Parameters
| Parameter | Type | Required | Description |
|---|---|---|---|
session_id | string | Optional | The bridge session ID returned from /bridge/connect. Either session_id or user_id is required. |
user_id | string | Optional | The user UUID to look up their active bridge session. Either session_id or user_id is required. |
Code Examples
# Query by session ID
curl -X GET "https://198.51.100.1:8443/bridge/status?session_id=brg_sess_xyz789" \
-H "Authorization: Bearer DEVICE_TOKEN"
# Query by user ID
curl -X GET "https://198.51.100.1:8443/bridge/status?user_id=usr_abc123" \
-H "Authorization: Bearer DEVICE_TOKEN"Response
{
"session_id": "brg_sess_xyz789",
"user_id": "usr_abc123",
"protocol": "vless",
"bridge_server_id": "srv_eu_de_01",
"exit_server_id": "srv_us_ny_02",
"status": "connected",
"created_at": "2026-02-08T14:00:00Z",
"last_activity": "2026-02-08T14:32:15Z",
"bytes_sent": 15728640,
"bytes_received": 52428800
}{
"success": false,
"error": {
"code": "SESSION_NOT_FOUND",
"message": "No active bridge session found for the specified ID"
}
}Response Fields
| Field | Type | Description |
|---|---|---|
session_id | string | Bridge session identifier |
user_id | string | User UUID |
protocol | string | Protocol used for the bridge tunnel |
bridge_server_id | string | Entry (bridge) server identifier |
exit_server_id | string | Exit server identifier |
status | string | Session status: connected, disconnecting, disconnected |
created_at | string | ISO 8601 timestamp of session creation |
last_activity | string | ISO 8601 timestamp of last traffic through the bridge |
bytes_sent | integer | Total bytes sent through the bridge (client to exit) |
bytes_received | integer | Total bytes received through the bridge (exit to client) |
Disconnect Bridge
Terminates an active bridge session and closes both the client-to-entry and entry-to-exit tunnels.
/bridge/disconnectDisconnect an active bridge session and close all associated tunnels
Request Parameters
| Parameter | Type | Required | Description |
|---|---|---|---|
session_id | string | Optional | The bridge session ID to disconnect. Either session_id or user_id is required. |
user_id | string | Optional | Disconnect all bridge sessions for this user UUID. Either session_id or user_id is required. |
Code Examples
# Disconnect by session ID
curl -X POST https://198.51.100.1:8443/bridge/disconnect \
-H "Authorization: Bearer DEVICE_TOKEN" \
-H "Content-Type: application/json" \
-d '{"session_id": "brg_sess_xyz789"}'
# Disconnect all sessions for a user
curl -X POST https://198.51.100.1:8443/bridge/disconnect \
-H "Authorization: Bearer DEVICE_TOKEN" \
-H "Content-Type: application/json" \
-d '{"user_id": "usr_abc123"}'Response
{
"success": true,
"message": "Bridge session disconnected"
}Bridge Service Health
Returns the health status of the bridge service, including active session count and average relay latency. This is a public endpoint for monitoring.
/bridge/healthGet the health status of the bridge relay service
Public Endpoint
The bridge health endpoint requires no authentication. It is designed for monitoring systems and load balancers to assess bridge service availability.
Code Examples
curl -X GET https://198.51.100.1:8443/bridge/healthResponse
{
"status": "healthy",
"enabled": true,
"active_sessions": 47,
"total_sessions": 12834,
"active_tunnels": 94,
"avg_latency_ms": 23.4,
"uptime": "72h15m42s"
}Response Fields
| Field | Type | Description |
|---|---|---|
status | string | Bridge service health: healthy, degraded, or unhealthy |
enabled | boolean | Whether bridge mode is enabled on this server |
active_sessions | integer | Number of currently active bridge sessions |
total_sessions | integer | Total bridge sessions since last restart |
active_tunnels | integer | Number of active entry-to-exit tunnels (typically 2x active_sessions) |
avg_latency_ms | number | Average relay latency in milliseconds |
uptime | string | Bridge service uptime since last restart |
Bridge Latency
Bridge mode adds relay latency because traffic must traverse an additional server hop. The avg_latency_ms field indicates the current relay overhead. For latency-sensitive applications, consider using direct connections when possible and reserve bridge mode for censored environments where direct connections are unreliable.
Related Endpoints
- Smart Connect -- Bridge recommendations based on network analysis
- WireGuard -- WireGuard tunnel management (supports bridge via
exitServerId) - VLESS -- VLESS protocol endpoints (supports bridge relay)
- OrbConnect -- OrbConnect tunnel management (includes
/orbconnect/bridge-tunnel) - Protocol Mimicry -- Traffic disguise for bridge tunnels
- Health & Monitoring -- Server health and protocol status