Snowflake standalone proxy: NAT behaviour

I had some issues installing a standalone snowflake last night.

First, Debian comes with docker-compose 1.25, which didn’t support v3.8 in the yml file, so I had to change that to 3.7 for it to work.

Then, I wasn’t really sure how to tell the proxy was working, and I couldn’t find any docs for it.
Eventually I managed to look at the container logs, and see some traffic (similar to the last entry you provided above).

However, someone in the Tor Relay Operators Matrix room suggested I run a NAT behaviour scanner, and that told me:

NAT filtering behavior: address and port dependent

…which is not the best kind of NAT to be behind? The limit of my knowledge has been reached until I have time for more research.

(I tried to edit my previous message but it has to be approved first)

In addition, all my log lines look like this:

{"log":"2022/09/26 23:43:44 In the last 1h0m0s, there were 6 connections. Traffic Relayed ↑ 95 MB, ↓ 36 MB.\n","stream":"stderr","time":"2022-09-26T23:43:44.189852918Z"}

Does anyone know why it says ‘stream:stderr’? Is that normal?

Hello,

Which tool are you using for NAT-behaviour scanning?
This tool is the one recommended by the Tor Project:

And it gives you both a response for “NAT-mapping” and “NAT-filtering”.
What you are looking for is to get:

  • address-independent mapping, and
  • address-independent filtering or address-dependent filtering

so it seems you are fine.

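How a scanner arrives at a verdict like "NAT filtering behavior: address and port dependent", and what Snowflake then does with it, as an added example (this is not code from the Snowflake project or from the scanner recommended above): the scanner runs the RFC 5780 filtering tests against a STUN server that has a second IP address, treats a missing reply as "the NAT filtered it", and Snowflake collapses the three possible verdicts into the restricted/unrestricted split described in the replies. The STUN server and client addresses (198.51.100.2, 203.0.113.7), the simulated NAT and the `exchange` callback are constructed so it runs offline; against a real server, `exchange` would be a UDP send followed by a receive with a timeout.

```python
"""RFC 5780 NAT filtering test plus Snowflake's restricted/unrestricted split.
Added example for this thread, not code from the Snowflake project or the scanner.
The STUN server, the client's mapped address and the NAT are simulated (constructed)."""
import os
import socket
import struct

MAGIC_COOKIE = 0x2112A442
COOKIE_BYTES = MAGIC_COOKIE.to_bytes(4, "big")
BINDING_REQUEST, BINDING_SUCCESS = 0x0001, 0x0101
ATTR_CHANGE_REQUEST, ATTR_XOR_MAPPED_ADDRESS, ATTR_OTHER_ADDRESS = 0x0003, 0x0020, 0x802C
CHANGE_IP, CHANGE_PORT = 0x04, 0x02

def xor_ip(addr4):
    """XOR-MAPPED-ADDRESS hides the address behind the magic cookie; XOR is its own inverse."""
    return bytes(a ^ b for a, b in zip(addr4, COOKIE_BYTES))

def binding_request(change_ip=False, change_port=False):
    """Binding Request; CHANGE-REQUEST asks the server to reply from its alternate IP/port."""
    flags = (CHANGE_IP if change_ip else 0) | (CHANGE_PORT if change_port else 0)
    attrs = struct.pack("!HHI", ATTR_CHANGE_REQUEST, 4, flags) if flags else b""
    return struct.pack("!HHI", BINDING_REQUEST, len(attrs), MAGIC_COOKIE) + os.urandom(12) + attrs

def build_response(txid, mapped, other):
    """Success response with XOR-MAPPED-ADDRESS (client as seen) and OTHER-ADDRESS (IPv4)."""
    attrs = struct.pack("!HHxBH4s", ATTR_XOR_MAPPED_ADDRESS, 8, 1,
                        mapped[1] ^ (MAGIC_COOKIE >> 16), xor_ip(socket.inet_aton(mapped[0])))
    attrs += struct.pack("!HHxBH4s", ATTR_OTHER_ADDRESS, 8, 1, other[1], socket.inet_aton(other[0]))
    return struct.pack("!HHI", BINDING_SUCCESS, len(attrs), MAGIC_COOKIE) + txid + attrs

def parse_response(data, txid):
    """Return {'mapped': (ip, port), 'other': (ip, port) or None}; raise if the
    datagram is not a success response to our own transaction."""
    msg_type, length, cookie = struct.unpack("!HHI", data[:8])
    if msg_type != BINDING_SUCCESS or cookie != MAGIC_COOKIE or data[8:20] != txid:
        raise ValueError("not a Binding Success Response for this transaction")
    body, pos, out = data[20:20 + length], 0, {"mapped": None, "other": None}
    while pos + 4 <= len(body):
        atype, alen = struct.unpack("!HH", body[pos:pos + 4])
        value = body[pos + 4:pos + 4 + alen]
        pos += 4 + (alen + 3) // 4 * 4          # attribute values are padded to 32 bits
        if alen < 8 or value[1] != 1:           # skip non-address and non-IPv4 attributes
            continue
        port, addr = struct.unpack("!H4s", value[2:8])
        if atype == ATTR_XOR_MAPPED_ADDRESS:
            out["mapped"] = (socket.inet_ntoa(xor_ip(addr)), port ^ (MAGIC_COOKIE >> 16))
        elif atype == ATTR_OTHER_ADDRESS:
            out["other"] = (socket.inet_ntoa(addr), port)
    return out

def filtering_behaviour(exchange):
    """RFC 5780 section 4.4 driven through exchange(request) -> reply bytes or None
    (a UDP socket with a timeout in practice). No reply means the NAT filtered it."""
    def ask(**changes):
        req = binding_request(**changes)
        reply = exchange(req)
        try:
            return parse_response(reply, req[8:20]) if reply else None
        except (ValueError, struct.error):
            return None
    test1 = ask()
    if not test1 or not test1["other"]:
        raise RuntimeError("no reply or no OTHER-ADDRESS: not an RFC 5780-capable server")
    if ask(change_ip=True, change_port=True):   # test II: reply from the other IP and port
        verdict = "endpoint independent"
    elif ask(change_port=True):                 # test III: same IP, other port
        verdict = "address dependent"
    else:
        verdict = "address and port dependent"
    return test1["mapped"], verdict

def snowflake_nat_class(filtering):
    """Split from the wiki page linked in the thread: only endpoint-independent is 'unrestricted'."""
    return "unrestricted" if filtering == "endpoint independent" else "restricted"

def proxy_can_serve(proxy_class, client_class):
    """Rule as described in the thread: restricted proxies only go to unrestricted clients."""
    return proxy_class == "unrestricted" or client_class == "unrestricted"

def simulated_nat(nat_filtering):
    """Constructed STUN server (alternate 198.51.100.2:3479) behind a NAT of the given
    filtering behaviour; replies the NAT would drop are returned as None."""
    def exchange(request):
        flags = struct.unpack("!I", request[24:28])[0] if len(request) >= 28 else 0
        ip_changed, port_changed = bool(flags & CHANGE_IP), bool(flags & CHANGE_PORT)
        if nat_filtering == "address dependent" and ip_changed:
            return None
        if nat_filtering == "address and port dependent" and (ip_changed or port_changed):
            return None
        return build_response(request[8:20], ("203.0.113.7", 51234), ("198.51.100.2", 3479))
    return exchange

if __name__ == "__main__":
    for kind in ("endpoint independent", "address dependent", "address and port dependent"):
        mapped, verdict = filtering_behaviour(simulated_nat(kind))
        print(f"{mapped[0]}:{mapped[1]}  NAT filtering behavior: {verdict} -> {snowflake_nat_class(verdict)}")
```

Two practical consequences fall out of the code: an ordinary single-IP STUN server cannot answer tests II and III, which is why the function refuses to guess when no OTHER-ADDRESS comes back, and the mapping test (RFC 5780 section 4.3, sending to the alternate address and comparing the returned mapping) is left out because the restricted/unrestricted split modelled here looks only at filtering.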

However, someone in the Tor Relay Operators Matrix room suggested I run a NAT behaviour scanner, and that told me:

NAT filtering behavior: address and port dependent

…which is not the best kind of NAT to be behind? The limit of my knowledge has been reached until I have time for more research.

We have an explanation of why NATs are relevant in the Snowflake wiki: NAT matching · Wiki · The Tor Project / Anti-censorship / Pluggable Transports / Snowflake · GitLab

You have what’s called a “port-restricted cone” NAT, which won’t be compatible with every client NAT, so we try to only hand out your proxy to clients with compatible NATs. It also happens that your type of NAT is very common, so you might see less usage than someone with a different type of NAT. This doesn’t mean there is anything wrong with your proxy, it’s still very useful! And it looks like you’ve gotten 6 connections in an hour which is quite a lot.

In addition, all my log lines look like this:

{"log":"2022/09/26 23:43:44 In the last 1h0m0s, there were 6 connections. Traffic Relayed ↑ 95 MB, ↓ 36 MB.\n","stream":"stderr","time":"2022-09-26T23:43:44.189852918Z"}

Does anyone know why it says ‘stream:stderr’? Is that normal?

This is normal, it’s just how docker displays their logs, nothing to worry about 🙂

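Added example for reading those records (not Snowflake's own code): each line is one record of Docker's json-file logging driver, the proxy's own message sits in the `log` field, and `stream` and `time` are Docker's wrapper, so a small parser can unwrap the records, pull the hourly numbers out, and answer "is it working?" without eyeballing the log. The three records and the 1000-based unit table are constructed assumptions made for the example.

```python
"""Summarise the hourly status lines of a standalone Snowflake proxy as stored by
Docker's json-file logging driver. Added example, not Snowflake's code; the three
records are constructed after the line quoted in the thread and the 1000-based
unit table is an assumption about how the proxy rounds traffic figures."""
import json
import re

# Constructed sample: two quiet hours followed by the hour quoted in the thread.
SAMPLE_JSON_LOG = r"""
{"log":"2022/09/26 21:43:44 In the last 1h0m0s, there were 0 connections. Traffic Relayed ↑ 0 B, ↓ 0 B.\n","stream":"stderr","time":"2022-09-26T21:43:44.101322140Z"}
{"log":"2022/09/26 22:43:44 In the last 1h0m0s, there were 2 connections. Traffic Relayed ↑ 12 MB, ↓ 3 MB.\n","stream":"stderr","time":"2022-09-26T22:43:44.150911204Z"}
{"log":"2022/09/26 23:43:44 In the last 1h0m0s, there were 6 connections. Traffic Relayed ↑ 95 MB, ↓ 36 MB.\n","stream":"stderr","time":"2022-09-26T23:43:44.189852918Z"}
"""

STATUS_RE = re.compile(
    r"In the last (?P<window>\S+), there were (?P<conns>\d+) connections?\. "
    r"Traffic Relayed ↑ (?P<up>\d+) (?P<up_unit>[KMG]?B), ↓ (?P<down>\d+) (?P<down_unit>[KMG]?B)\."
)
UNIT_BYTES = {"B": 1, "KB": 1000, "MB": 1000 ** 2, "GB": 1000 ** 3}   # assumed decimal units


def docker_records(text):
    """Unwrap json-file records: the proxy's own line is the 'log' field; 'stream' and
    'time' are Docker's wrapper (Go's log package writes to stderr, hence 'stderr')."""
    for line in text.splitlines():
        if line.strip():
            rec = json.loads(line)
            yield rec["time"], rec["stream"], rec["log"].rstrip("\n")


def summarise(text):
    """Totals over every status line found, plus the last one for a quick glance."""
    totals = {"status_lines": 0, "connections": 0, "up_bytes": 0, "down_bytes": 0,
              "other_lines": 0, "last_status": None}
    for when, stream, msg in docker_records(text):
        m = STATUS_RE.search(msg)
        if not m:
            totals["other_lines"] += 1       # e.g. startup messages
            continue
        totals["status_lines"] += 1
        totals["connections"] += int(m["conns"])
        totals["up_bytes"] += int(m["up"]) * UNIT_BYTES[m["up_unit"]]
        totals["down_bytes"] += int(m["down"]) * UNIT_BYTES[m["down_unit"]]
        totals["last_status"] = (when, stream, int(m["conns"]))
    return totals


def looks_alive(totals, min_status_lines=2):
    """'Working' here means the proxy keeps reporting and has relayed at least one
    connection; a steady run of '0 connections' is reachable but unused."""
    return totals["status_lines"] >= min_status_lines and totals["connections"] > 0


if __name__ == "__main__":
    t = summarise(SAMPLE_JSON_LOG)
    print(f"{t['status_lines']} hourly reports, {t['connections']} connections, "
          f"{t['up_bytes'] / 1e6:.0f} MB up / {t['down_bytes'] / 1e6:.0f} MB down, "
          f"alive={looks_alive(t)}")
```

`docker logs <container>` prints only the unwrapped `log` field; the raw JSON records above are what the default json-file driver writes to the container's `*-json.log` file under /var/lib/docker/containers/, which is where a cron job or monitoring script would read them from.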

Thank you so much @cecylia for all the explanations, this is really helpful!

At the same time, I am learning… so following your pointers, I read the page you linked to, and found that if I disable the firewall completely, on one of my snowflake proxies, I get both NAT mapping and NAT filtering to show ‘endpoint independent’ - which is, I believe the best situation to be in?

So, if I understand it correctly, NAT filtering actually means is there any filtering of traffic going on - right?

Is it recommended to try and have as many ‘endpoint independent’ snowflakes as possible (i.e. is this the rarest type currently available), and would these be matched to any and all types of NAT from the Tor users’ side, or should I run some more NAT-restricted ones too?


Hi there,

Just to add to this; I’ve had a snowflake proxy running for five weeks. It was seeing some traffic, but not a lot. This would be a typical scenario:

After poking around the forum and seeing a lot of proxies with a lot of traffic, I tried to open udp ports 32768-60999 in the firewall per some discussions on this forum, and ever since the traffic jumped dramatically.

I’m very new to this, so if this is a bad idea, feel free to let me know.

Regards,

Emil

Best to follow the advice of @cecylia below.


On Sep 28, 2022, at 3:47 AM, mre via Tor Project Forum notifications@torproject1.discoursemail.com wrote:


Hi there,

Just to add to this; I’ve had a snowflake proxy running for five weeks. It was seeing some traffic, but not a lot. This would be a typical scenario:

After poking around the forum and seeing a lot of proxies with a lot of traffic, I tried to open udp ports 32768-60999 in the firewall per some discussions on this forum, and ever since the traffic jumped dramatically.

I’m very new to this, so if this is a bad idea, feel free to let me know.

Regards,

Emil



Please don’t turn off your firewall. I would only recommend messing with your router’s firewall and NAT settings if you are experienced with this and aware of the security implications. We can still use proxies behind firewalls and NATs, and are reaching out to people to run unrestricted proxies on datacentre servers.

After poking around the forum and seeing a lot of proxies with a lot of traffic, I tried to open udp ports 32768-60999 in the firewall per some discussions on this forum, and ever since the traffic jumped dramatically.
I’m very new to this, so if this is a bad idea, feel free to let me know.

Again, I wouldn’t recommend messing with this unless you have some experience with it. Firewalls exist for a reason and we can still use proxies in NAT’d and firewalled networks.


Sorry, I should probably have mentioned my full setup first before everything else.

My snowflakes are running on VPSs that are on various providers’ data centers, all with public IPs.
The only firewall for each VPS is ufw (I don’t know much about iptables yet so I try to steer clear of it for now!), which is on the VPS itself.

Being a VPS with a public IP is why I was a bit perplexed as to why there would be any NAT filtering at all. It makes sense in my head full of limited knowledge why ‘NAT Filtering’ could be a way of saying “any kind of filtering”, such as closed ports by a firewall. This was then corroborated when NAT Filtering changed to ‘endpoint independent’ as soon as I allowed all incoming traffic with ufw.

I know it’s ‘bad’ to have all ports open, but is there another way to have an unrestricted snowflake proxy on a VPS?


It might be a complete coincidence that the increase in traffic happened at the same time with you opening the port.
The reason for saying this is that I also witnessed a huge increase in traffic (double the traffic) that started yesterday evening and I have not made any changes to the snowflake proxy setup.

Best