I am trying to run the Standalone Snowflake Proxy on an Ubuntu VPS using Docker. The container starts fine using this:
sudo docker run thetorproject/snowflake-proxy:latest
But now the container log says NAT type: restricted.
In this post I read that “if I forward all udp packets for the whole ephemeral range (default is 32768 to 60999 for most Linux boxes) on the router, NAT type becomes unrestricted”. This sounds similar to this line from the Snowflake proxy docker-compose.yml:
Would this help in making the NAT unrestricted? How exactly would this be done using Docker? Is this somehow related to the firewall settings of the VPS?
Edit: After running the proxy container for ~15 minutes I see logs like this:
I’m not a big networking expert, but it looks to me that there is no NAT in your setup. The VPS has a dedicated IP, right? The Docker image is set up with network_mode: host, which shouldn’t put it behind a NAT.
So yeah, maybe it’s the firewall. You don’t have address mapping, but filtering may still be in place.
Here’s another thread where people say that messing with the firewall made their “NAT” unrestricted:
And here’s another post where the author says they were updating the firewall rules.
And here @meskio recommends opening up the ephemeral ports range. This tool may help diagnose.
I don’t think so. It just tells the proxy from which range of ports it can select ports to use for ICE.
The logs show traffic for individual clients, not the max available bandwidth.
I’ve found the solution. When running the docker command without using docker-compose (as I did), the --net=host flag should be used. Running the container like this makes the NAT unrestricted:
sudo docker run --net=host thetorproject/snowflake-proxy:latest
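
An added example, not part of the thread or of the Snowflake project's code: a Python check that reads `docker inspect` output and reports whether a proxy container uses host networking or sits on a Docker network with or without published UDP ports. The container names and the JSON sample are constructed for illustration.

```python
import json

# Constructed, trimmed `docker inspect` output (not taken from the thread).
SAMPLE_INSPECT = """
[
  {"Name": "/snowflake-bridge",
   "HostConfig": {"NetworkMode": "bridge", "PortBindings": {}}},
  {"Name": "/snowflake-published",
   "HostConfig": {"NetworkMode": "bridge",
                  "PortBindings": {"40000/udp": [{"HostIp": "", "HostPort": "40000"}],
                                   "8080/tcp": [{"HostIp": "", "HostPort": "8080"}]}}},
  {"Name": "/snowflake-host",
   "HostConfig": {"NetworkMode": "host", "PortBindings": {}}}
]
"""

def check_container(entry):
    """Summarise the settings that decide whether Docker's own address
    translation sits between the proxy and the VPS's public address."""
    host_cfg = entry.get("HostConfig") or {}
    mode = host_cfg.get("NetworkMode") or "default"
    bindings = host_cfg.get("PortBindings") or {}
    # Keys look like "40000/udp"; only UDP matters for the proxy's ICE traffic.
    udp_ports = sorted(int(k.split("/")[0]) for k in bindings
                       if k.endswith("/udp"))
    if mode == "host":
        verdict = "host network: no Docker NAT in the path"
    elif udp_ports:
        verdict = "not host network, %d published UDP port(s)" % len(udp_ports)
    else:
        verdict = "not host network, no UDP published: unsolicited inbound UDP cannot reach it"
    return {"name": entry.get("Name", "?").lstrip("/"), "mode": mode,
            "host_networking": mode == "host", "udp_ports": udp_ports,
            "verdict": verdict}

def check_all(inspect_json):
    # `docker inspect` prints a JSON array, one object per container.
    return [check_container(e) for e in json.loads(inspect_json)]

if __name__ == "__main__":
    for r in check_all(SAMPLE_INSPECT):
        print("%-22s mode=%-8s %s" % (r["name"], r["mode"], r["verdict"]))
```

To run it against a real container, pass the text printed by `docker inspect <container>` to `check_all` instead of the sample.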