A few questions about the standalone snowflake proxy

Hello, have a few questions about the standalone snowflake proxy.

  1. The machine I’m trying to run the standalone snowflake proxy on is behind a router that allows port forwarding but otherwise functions as a restrictive NAT. The proxy’s log has “NAT Type : restricted” at the beginning and periodically times out (“Timed out waiting for client to open data channel”).

Could the timeouts be because of the restricted NAT? Is it possible to forward some port(s) to workaround this and to avoid the timeouts?

  2. Is it not advisable to share the same public IP address with an obfs4 bridge? I’ve read that all ports on the same IP could get blocked by firewalls such as the GFW, which means that both the bridge and the proxy will be blocked if either is detected by the GFW.

  3. The [Snowflake Technical Overview] link on What is Snowflake? | Tor Project | Support seems broken?

Could the timeouts be because of the restricted NAT?

The timeout is normal. Snowflake proxies contact the broker asking for clients; if no client is around asking for a proxy, it will time out and contact the broker again. This is how webrtc works.

Is it possible to forward some port(s) to workaround this and to avoid the timeouts?

No, the webrtc connection uses unpredictable port numbers. You cannot open them ahead of time.

Is it not advisable to share the same public IP address with an obfs4 bridge? I’ve read that all ports on the same IP could get blocked by firewalls such as the GFW, which means that both the bridge and the proxy will be blocked if either is detected by the GFW.

Yes, it is better not to share the same IP; as you say, the censors might block everything once they find a bridge.

The [Snowflake Technical Overview] link on What is Snowflake? | Tor Project | Support seems broken?

You are right, it looks like the TLS cert of keroserene.net is expired. I’ll see if we can find who can fix that.

For now, you can see the website archived on archive.org:
serene - Snowflake Technical Overview

5 Likes

A post was split to a new topic: Running the Snowflake add on without a VPN and living in a country with a “stricked” internet law, I have any danger that authorities might come after me?

Thank you!

Figured out that if I forward all UDP packets for the whole ephemeral range (the default is 32768 to 60999 on most Linux boxes) on the router, the NAT type becomes unrestricted and the proxy starts to get SDP offers at a much faster rate.

Still have some questions about the iptables settings; will start a new topic for it.

1 Like
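To tie the two findings in this thread together (the idle timeouts being normal, and the restricted NAT being fixed by forwarding the UDP ephemeral range), here is a small log-triage script. It is an added example written for this thread, not code from the Snowflake project: it scans standalone proxy log lines for the “NAT Type : restricted” and “Timed out waiting for client to open data channel” messages quoted above, reads the host’s ephemeral port range from /proc/sys/net/ipv4/ip_local_port_range, and reports whether forwarding is worth doing. The “SDP offer” pattern and the sample log lines are constructed for the example and are only assumptions about the proxy’s wording.

```python
"""Triage a standalone Snowflake proxy log: NAT type, offer/timeout counts, forwarding hint.

Added example for the forum thread; not part of the Snowflake proxy itself.
"""
import re
from collections import Counter
from pathlib import Path

# The NAT and timeout messages are the ones quoted in the thread; the SDP-offer
# pattern is an assumption about the proxy's wording, not copied from its source.
NAT_RE = re.compile(r"NAT Type\s*:\s*(\w+)")
TIMEOUT_RE = re.compile(r"Timed out waiting for client to open data channel")
OFFER_RE = re.compile(r"sdp offer", re.IGNORECASE)


def summarise(lines):
    """Return the last reported NAT type plus counts of SDP offers and data-channel timeouts."""
    nat_type = "unknown"
    counts = Counter()
    for line in lines:
        match = NAT_RE.search(line)
        if match:
            nat_type = match.group(1).lower()
        if TIMEOUT_RE.search(line):
            counts["timeouts"] += 1
        if OFFER_RE.search(line):
            counts["offers"] += 1
    return {"nat_type": nat_type, "offers": counts["offers"], "timeouts": counts["timeouts"]}


def ephemeral_range(path="/proc/sys/net/ipv4/ip_local_port_range", default=(32768, 60999)):
    """Read the kernel's ephemeral port range; fall back to the common Linux default."""
    try:
        low, high = Path(path).read_text().split()
        return int(low), int(high)
    except (OSError, ValueError):
        return default


def advice(summary, port_range):
    """Turn the summary into a one-line recommendation for the proxy operator."""
    low, high = port_range
    if summary["nat_type"] == "restricted":
        # Forwarding the whole range exposes every UDP listener on this host in
        # that range to the internet, so keep the proxy on a host that runs little else.
        return f"restricted NAT: forward UDP {low}-{high} on the router to this host"
    return "unrestricted NAT: nothing to forward; idle timeouts while waiting for clients are normal"


# Constructed sample log, shaped after the messages quoted in the thread.
SAMPLE_LOG = [
    "2024/01/01 10:00:00 NAT Type : restricted",
    "2024/01/01 10:00:05 Timed out waiting for client to open data channel",
    "2024/01/01 10:01:10 Timed out waiting for client to open data channel",
    "2024/01/01 10:02:15 Received SDP offer from broker",
    "2024/01/01 10:03:20 Timed out waiting for client to open data channel",
]

if __name__ == "__main__":
    result = summarise(SAMPLE_LOG)
    print(result)
    print(advice(result, ephemeral_range()))
```

Run it against a real log with `summarise(open("proxy.log"))`; a high timeout count with a healthy number of offers is the idle pattern the reply above describes, while a restricted NAT type with almost no offers is the case where forwarding the UDP range helps.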

Nice solution, I’m happy to see it works :slight_smile: