Snowflake standalone proxy in Docker: How to make NAT unrestricted?

I am trying to run the Standalone Snowflake Proxy on an Ubuntu VPS using Docker. The container starts fine using this:

sudo docker run thetorproject/snowflake-proxy:latest

But now the container log says NAT type: restricted.

In this post I read that “if I forward all udp packets for the whole ephemeral range (default is 32768 to 60999 for most Linux boxes) on the router, NAT type becomes unrestricted”. This sounds similar to this line from the Snowflake proxy docker-compose.yml:

#command: [ "-ephemeral-ports-range", "30000:60000" ]

Would this help in making the NAT unrestricted? How exactly would this be done using Docker? Is this somehow related to the firewall settings of the VPS?

Edit: After running the proxy container for ~15 minutes I see logs like this:

2023/01/11 20:47:39 Traffic throughput (up|down): 20 KB|9 KB -- (44 OnMessages, 31 Sends, over 26 seconds)
...
2023/01/11 20:51:01 Traffic throughput (up|down): 955 KB|102 KB -- (212 OnMessages, 1012 Sends, over 510 seconds)

Is this better than what I can contribute to the Tor network using the browser plugin?

I’m not a big networking expert, but it looks to me that there is no NAT in your setup. The VPS has a dedicated IP, right? The Docker image is set up with network_mode: host, which shouldn’t put it behind a NAT.
So yeah, maybe it’s the firewall. You don’t have address mapping, but filtering may still be in place.
Here’s another thread where people say that messing with the firewall made their “NAT” unrestricted:

And here’s another post where the author says they were updating the firewall rules.
And here @meskio recommends opening up the ephemeral ports range.
This tool may help diagnose.

I don’t think so. It just tells the proxy from which range of ports it can select ports to use for ICE.

The logs show traffic for individual clients, not the max available bandwidth.


I’ve found the solution. When running the docker command without using docker-compose (as I did), the --net=host flag should be used. Running the container like this makes the NAT unrestricted:

sudo docker run --net=host thetorproject/snowflake-proxy:latest

From the log:

2023/01/12 18:11:30 NAT type: unrestricted
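As an added check (not code from this thread or from the Snowflake project), a small POSIX shell script that inspects a running proxy container for the two things the thread settled on: whether it uses host networking, and which NAT type its log reports. The container name snowflake-proxy is an assumption (the docker run line above gives none); the parsing helpers take plain text so they can be tried without Docker.

```shell
#!/bin/sh
# Added example: check a snowflake-proxy container for host networking
# and for the NAT type it logs. Assumed container name: snowflake-proxy.

# Print the most recent NAT type found in a block of proxy log text.
nat_type_from_log() {
    # Lines look like "2023/01/12 18:11:30 NAT type: unrestricted".
    printf '%s\n' "$1" | sed -n 's/.*NAT type: *\([a-z]*\).*/\1/p' | tail -n 1
}

# Print the kernel's ephemeral port range as "low:high", the same
# format snowflake-proxy's -ephemeral-ports-range flag takes.
ephemeral_range() {
    # The file holds two numbers, e.g. "32768<TAB>60999".
    awk '{ print $1 ":" $2 }' "${1:-/proc/sys/net/ipv4/ip_local_port_range}"
}

# Succeed when the NetworkMode reported by docker inspect is "host".
is_host_network() {
    [ "$1" = "host" ]
}

# Live check against a running container (needs Docker on the host).
check_proxy() {
    name="${1:-snowflake-proxy}"
    mode=$(docker inspect --format '{{.HostConfig.NetworkMode}}' "$name") || return 2
    nat=$(nat_type_from_log "$(docker logs "$name" 2>&1)")
    if is_host_network "$mode"; then
        echo "network mode: host (ok)"
    else
        echo "network mode: $mode; the thread's fix is: docker run --net=host thetorproject/snowflake-proxy:latest"
    fi
    echo "NAT type from log: ${nat:-not reported yet}"
    if [ "$nat" = "restricted" ]; then
        echo "already on host networking? then check that inbound UDP $(ephemeral_range) is allowed by the VPS firewall"
    fi
}

# Run the live check only when asked, so the helpers can be sourced.
if [ -n "${RUN_PROXY_CHECK:-}" ]; then
    check_proxy "$@"
fi
```

Run it with RUN_PROXY_CHECK=1 and the container name as the first argument.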
