On Tuesday, December 13, 2022, 07:35:23 PM MST, David Fifield <david@bamsoftware.com> wrote:

On Tue, Dec 13, 2022 at 07:29:45PM +0000, Gary C. New via tor-relays wrote:
>> On Tuesday, December 13, 2022, 10:11:41 AM PST, David Fifield
>> <david@bamsoftware.com> wrote:
>>
>> Am I correct in assuming extor-static-cookie is only useful within the context
>> of bridging connections between snowflake-server and tor (not as a pluggable
>> transport similar to obfs4proxy)?

> That's correct. extor-static-cookie is a workaround for a technical
> problem with tor's Extended ORPort. It serves a narrow and specialized
> purpose. It happens to use the normal pluggable transports machinery,
> but it is not a circumvention transport on its own. It's strictly for
> interprocess communication and is not exposed to the Internet. You don't
> need it to run a Snowflake proxy.

Created a Makefile for extor-static-cookie for OpenWRT and Entware:

https://forum.openwrt.org/t/extor-static-cookie-makefile/145694

> I am not sure what your plans are with running multiple obfs4proxy, but
> if you just want multiple obfs4 listeners, with different keys, running
> on different ports on the same host, you don't need a load balancer,
> extor-static-cookie, or any of that. Just run multiple instances of tor,
> each with its corresponding instance of obfs4proxy. The separate
> instances don't need any coordination or communication.

The goal of running multiple obfs4proxy listeners is to offer numerous, unique
bridges distributed across several servers maximizing resources and availability.

> You could, in principle, use the same load-balanced setup with
> obfs4proxy, but I expect that a normal bridge will not get enough users
> to justify it. It only makes sense when the tor process hits 100% CPU
> and becomes a bottleneck, which for the Snowflake bridge only started
> to happen at around 6,000 simultaneous users.

Hmm... If normal bridges will not see enough users to justify the deployment
of numerous, unique bridges distributed over several servers--this may be a
deciding factor. I don't have enough experience with normal bridges to know.

>> What about a connection flow of haproxy/nginx => (snowflake-server =>
>> extor-static-cookie => tor) on separate servers?

> You have the order wrong (it's snowflake-server → haproxy →
> extor-static-cookie → tor), but yes, you could divide the chain at any
> of the arrows and run things on different hosts. You could also run half
> the extor-static-cookie + tor on one host and half on another, etc.

I've installed and started configuring snowflake-server and have some questions
after reading the README:

https://gitlab.torproject.org/tpo/anti-censorship/pluggable-transports/snowflake/-/tree/main/server

1. How are Snowflake Bridges advertised? Will they compromise a Normal Bridge
running on the same public addresses?

2. I already have a DNS Let's Encrypt process in place for certificates and port 80
(HTTP) is already in use by another daemon on my server. Is there an alternative method
to provide snowflake-server with the required certificates?

3. I'm using an init.d (not systemd) operating system. Do you have any init.d examples
for snowflake-server?

In short, I'm trying to get a sense of whether it makes sense to run a Snowflake Bridge
and a Normal Bridge on the same public addresses.

Thanks, again, for your assistance.

Respectfully,


Gary
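The "multiple obfs4 listeners on one host" setup described above (one tor instance per obfs4proxy, no shared state) is easy to get subtly wrong by reusing a DataDirectory or a port between instances. The script below is an added example, not code from the thread or from the Tor Project: it generates N independent torrc files, one per bridge, each with its own DataDirectory, ORPort and obfs4 listener port. `ExtORPort auto` makes each tor pick its own loopback Extended ORPort and write that instance's own auth cookie under its DataDirectory (tor hands the address and cookie path to obfs4proxy through the TOR_PT_EXTENDED_SERVER_PORT and TOR_PT_AUTH_COOKIE_FILE environment variables), which is exactly why separate instances need no coordination, and also why a single load balancer in front of several tor instances would need something like extor-static-cookie instead. The obfs4proxy path, base directory, port ranges and ContactInfo are hypothetical placeholders.

```shell
#!/bin/sh
# Added example: generate N independent tor + obfs4proxy bridge configs on one host.
# Each instance gets its own DataDirectory, ORPort and obfs4 port, so the instances
# share nothing. Values below are hypothetical; adjust to your host.
OBFS4PROXY=${OBFS4PROXY:-/usr/bin/obfs4proxy}     # assumed path to obfs4proxy

# gen_torrc INDEX OUTDIR ORPORT OBFS4PORT
# Writes OUTDIR/torrc-INDEX and prints its path.
gen_torrc() {
    idx=$1; outdir=$2; orport=$3; ptport=$4
    datadir="$outdir/instance-$idx"
    mkdir -p "$datadir"
    cat > "$outdir/torrc-$idx" <<EOF
# tor instance $idx: an independent obfs4 bridge (generated, hypothetical values)
Nickname bridge$idx
BridgeRelay 1
PublishServerDescriptor bridge
DataDirectory $datadir
ORPort $orport
ServerTransportPlugin obfs4 exec $OBFS4PROXY
ServerTransportListenAddr obfs4 0.0.0.0:$ptport
# 'auto': this tor picks a loopback Extended ORPort and writes its own cookie
# into $datadir; obfs4proxy learns both through the PT environment variables.
ExtORPort auto
ContactInfo bridge-operator@example.invalid
Log notice file $datadir/notices.log
EOF
    echo "$outdir/torrc-$idx"
}

# gen_bridges N OUTDIR ORPORT_BASE OBFS4PORT_BASE
# Instance i listens on ORPORT_BASE+i-1 and OBFS4PORT_BASE+i-1.
gen_bridges() {
    n=$1; outdir=$2; orbase=$3; ptbase=$4
    i=1
    while [ "$i" -le "$n" ]; do
        gen_torrc "$i" "$outdir" $((orbase + i - 1)) $((ptbase + i - 1))
        i=$((i + 1))
    done
}

# check_ports_unique OUTDIR
# Practitioner's sanity check: no ORPort or obfs4 port is used by two instances.
# Returns 0 when all ports are distinct, 1 otherwise.
check_ports_unique() {
    dups=$(grep -h -E '^(ORPort|ServerTransportListenAddr obfs4) ' "$1"/torrc-* \
           | awk '{print $NF}' | sed 's/.*://' | sort | uniq -d)
    [ -z "$dups" ]
}

# Stand-alone usage: sh gen-bridges.sh 3 /etc/tor/bridges [orport_base] [obfs4port_base]
# then start each with: tor -f /etc/tor/bridges/torrc-1 (and -2, -3, ...).
if [ "$#" -ge 2 ]; then
    gen_bridges "$1" "$2" "${3:-7001}" "${4:-10001}"
    check_ports_unique "$2" || { echo "port collision in $2" >&2; exit 1; }
fi
```

Each generated file is started with its own `tor -f torrc-N`; because nothing is shared, you can later move some of the torrc files (with their DataDirectory) to another host without reconfiguring the rest, which matches the "divide the chain at any of the arrows" point above.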