On Fri, Dec 16, 2022 at 04:27:06AM +0000, Gary C. New via tor-relays wrote:
On Tuesday, December 13, 2022, 07:35:23 PM MST, David Fifield david@bamsoftware.com wrote:
On Tue, Dec 13, 2022 at 07:29:45PM +0000, Gary C. New via tor-relays wrote:
On Tuesday, December 13, 2022, 10:11:41 AM PST, David Fifield david@bamsoftware.com wrote:
Am I correct in assuming extor-static-cookie is only useful within the context of bridging connections between snowflake-server and tor (not as a pluggable transport similar to obfs4proxy)?
That's correct. extor-static-cookie is a workaround for a technical problem with tor's Extended ORPort. It serves a narrow and specialized purpose. It happens to use the normal pluggable transports machinery, but it is not a circumvention transport on its own. It's strictly for interprocess communication and is not exposed to the Internet. You don't need it to run a Snowflake proxy.
Created a Makefile for extor-static-cookie for OpenWRT and Entware:
https://forum.openwrt.org/t/extor-static-cookie-makefile/145694
I appreciate the enthusiasm, but I should reiterate: there is no reason to ever use this tool on OpenWRT. Packaging it is a mistake. If you think you need it, you misunderstand what it is for.
I am not sure what your plans are with running multiple obfs4proxy, but if you just want multiple obfs4 listeners, with different keys, running on different ports on the same host, you don't need a load balancer, extor-static-cookie, or any of that. Just run multiple instances of tor, each with its corresponding instance of obfs4proxy. The separate instances don't need any coordination or communication.
The goal of running multiple obfs4proxy listeners is to offer numerous, unique bridges distributed across several servers maximizing resources and availability.
If the purpose is running on several different servers, you don't need a load balancer and you don't need extor-static-cookie. Those tools are meant for running *one* instance of a pluggable transport on *one* server. If you want to distribute bridges over multiple servers, just run one instance each of tor and obfs4proxy on multiple servers, in the normal way. You don't need anything fancy.
You could, in principle, use the same load-balanced setup with obfs4proxy, but I expect that a normal bridge will not get enough users to justify it. It only makes sense when the tor process hits 100% CPU and becomes a bottleneck, which for the Snowflake bridge only started to happen at around 6,000 simultaneous users.
Hmm... If normal bridges will not see enough users to justify the deployment of numerous, unique bridges distributed over several servers, this may be a deciding factor. I don't have enough experience with normal bridges to know.
Some pluggable transports, like obfs4, need there to be many bridges, because they are vulnerable to being blocked by IP address. Each individual bridge does not get much traffic, because there are so many of them. With obfs4, it's not about load, it's about address diversity. Just run multiple independent bridges if you want to increase your contribution.
Snowflake is unlike obfs4 in that it does not depend on there being multiple bridges for its blocking resistance. Snowflake gets its address diversity at a different layer: the Snowflake proxies. There are many proxies, but there only needs to be one bridge. However, that one bridge, because it receives the concentrated traffic of many users, needs special scaling techniques.
What about a connection flow of haproxy/nginx => (snowflake-server => extor-static-cookie => tor) on separate servers?
You have the order wrong (it's snowflake-server → haproxy → extor-static-cookie → tor), but yes, you could divide the chain at any of the arrows and run things on different hosts. You could also run half the extor-static-cookie + tor on one host and half on another, etc.
I've installed and started configuring snowflake-server and have some questions after reading the README:
In short, I'm trying to get a sense of whether it makes sense to run a Snowflake Bridge and Normal Bridge on the same public addresses?
There is no reason at all to run a Snowflake bridge. No user will ever connect to it, because Snowflake bridges are not distributed through BridgeDB like obfs4 bridges are; they are shipped in configuration files with Tor Browser or Orbot. There is no need for volunteers to run Snowflake bridges, and no benefit to them doing so. If you want to help, run a Snowflake proxy.
There is no reason for a volunteer bridge operator to run snowflake-server or extor-static-cookie, ever. Packaging them for OpenWRT can only cause confusion. You do not need these programs.