[tor-relays] snowflake vs bridges (vs node)

Fran fatal at mailbox.org
Mon Feb 7 18:50:34 UTC 2022

Thanks meskio, this helped a lot to clarify things.

So I thought of trying to run a bridge and a snowflakeproxy on one VM 
with individual IP addressing in v4 and v6 for each by adding secondary 
addresses to the WAN interface. But after compiling the Go binary I 
fail to find out how to tell snowflake which IP to bind to/use.

For the bridge this can be achieved with:

Address  <IPv4>
Address  <IPv6>
OutboundBindAddress <IPv4>
OutboundBindAddress <IPv6>

(and maybe to be safe also set OutboundBindAddressPT, 
OutboundBindAddressExit and OutboundBindAddressOR)

But for snowflake I'm missing the options:

Usage of ./proxy:
   -broker string
     	broker URL (default "https://snowflake-broker.torproject.net/")
   -capacity uint
     	maximum concurrent clients
     	keep local LAN address ICE candidates
   -log string
     	log filename
   -nat-retest-interval duration
     	the time interval in second before NAT type is retested, 0s 
disables retest. Valid time units are "s", "m", "h".  (default 24h0m0s)
   -relay string
     	websocket relay URL (default "wss://snowflake.bamsoftware.com/")
   -stun string
     	broker URL (default "stun:stun.stunprotocol.org:3478")
   -summary-interval duration
     	the time interval to output summary, 0s disables retest. Valid 
time units are "s", "m", "h".  (default 1h0m0s)
     	prevent logs from being scrubbed
     	increase log verbosity

Could be solved with VRFs/namespaces but would involve bridging, 
veths...too snowflaky for me (same goes for containers).

So I guess I'll just keep the bridges and make them relays one day.

Thanks to all who helped!


On 2/7/22 11:12, meskio wrote
> Yes, there are many differences. snowflake does make the traffic look like
> webrtc (like a video conference) and obfs4 makes the traffic look like random
> noise. Also the clients use different mechanisms to discover the relays.
> If you run both in the same IP address and the censor has a way to discover one
> but not the other both of them will be blocked at once. So you are making it
> easier for the censor to discover them and block them. That is why we don't want
> people to run both in the same IP address.
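
A check for the setup discussed in this message, added here as an example (not code from the poster or the Tor Project): it verifies that a torrc pins the bridge to one IPv4 and one IPv6 address with matching OutboundBindAddress lines, and that none of them is an address the snowflake proxy uses. The function names are hypothetical, the addresses are constructed from documentation ranges, and the proxy's addresses are assumed to be supplied by the operator.

```python
import ipaddress

BIND_OPTS = {"outboundbindaddress", "outboundbindaddressor",
             "outboundbindaddressexit", "outboundbindaddresspt"}

# Constructed sample torrc; addresses come from documentation ranges.
SAMPLE_TORRC = """
Address 192.0.2.10
Address 2001:db8::10
OutboundBindAddress 192.0.2.10
OutboundBindAddress 2001:db8::10   # one line per address family
"""

def parse_ip(value):
    """Return an ip_address for an IP literal (brackets allowed), else None."""
    try:
        return ipaddress.ip_address(value.strip("[]"))
    except ValueError:
        return None

def check_bridge_binding(torrc_text, snowflake_ips):
    """Return a list of problems; an empty list means the bridge is pinned."""
    address, binds, problems = {}, [], []
    for raw in torrc_text.splitlines():
        parts = raw.split("#", 1)[0].split()   # drop comments, split option/value
        if len(parts) < 2:
            continue
        opt, ip = parts[0].lower(), parse_ip(parts[1])
        if opt != "address" and opt not in BIND_OPTS:
            continue
        if ip is None:                         # hostnames are flagged by this checker
            problems.append(f"{parts[0]} {parts[1]}: not an IP literal")
        elif opt == "address":
            address[ip.version] = ip
        else:
            binds.append((opt, ip))
    for version in (4, 6):
        if version not in address:
            problems.append(f"no Address line for IPv{version}")
        elif ("outboundbindaddress", address[version]) not in binds:
            problems.append(f"no OutboundBindAddress for {address[version]}")
    for opt, ip in binds:                      # every bind must equal the Address
        if ip != address.get(ip.version):
            problems.append(f"{opt} {ip} differs from Address")
    shared = {parse_ip(s) for s in snowflake_ips} & set(address.values())
    problems += [f"{ip} is shared with the snowflake proxy" for ip in sorted(shared, key=str)]
    return problems

if __name__ == "__main__":
    print(check_bridge_binding(SAMPLE_TORRC, ["192.0.2.11", "2001:db8::11"]))
```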
