[tor-relays] snowflake vs bridges (vs node)
Fran
fatal at mailbox.org
Mon Feb 7 18:50:34 UTC 2022
Thanks meskio, this helped a lot to clarify things.
So I thought of trying to run a bridge and a snowflake proxy on one VM
with individual IP addressing in v4 and v6 for each by adding secondary
addresses to the WAN interface. But after compiling the go binary I
fail to find out how to tell snowflake which IP to bind to/use.
For the bridge this can be achieved with:
    Address <IPv4>
    Address <IPv6>
    OutboundBindAddress <IPv4>
    OutboundBindAddress <IPv6>
(and maybe to be safe also set OutboundBindAddressPT,
OutboundBindAddressExit and OutboundBindAddressOR)
But for snowflake I'm missing the options:
    Usage of ./proxy:
      -broker string
            broker URL (default "https://snowflake-broker.torproject.net/")
      -capacity uint
            maximum concurrent clients
      -keep-local-addresses
            keep local LAN address ICE candidates
      -log string
            log filename
      -nat-retest-interval duration
            the time interval in second before NAT type is retested, 0s
            disables retest. Valid time units are "s", "m", "h". (default 24h0m0s)
      -relay string
            websocket relay URL (default "wss://snowflake.bamsoftware.com/")
      -stun string
            broker URL (default "stun:stun.stunprotocol.org:3478")
      -summary-interval duration
            the time interval to output summary, 0s disables retest. Valid
            time units are "s", "m", "h". (default 1h0m0s)
      -unsafe-logging
            prevent logs from being scrubbed
      -verbose
            increase log verbosity
Could be solved with VRFs/namespaces but would involve bridging,
veths...too snowflaky for me (same goes for containers).
So I guess I'll just keep the bridges and make them relays one day.
Thanks to all who helped!
best
fran
On 2/7/22 11:12, meskio wrote
> Yes, there are many differences. snowflake does make the traffic look like
> webrtc (like a video conference) and obfs4 makes the traffic look like random
> noise. Also the clients use different mechanisms to discover the relays.
>
> If you run both in the same IP address and the censor has a way to discover one
> but not the other both of them will be blocked at once. So you are making it
> easier for the censor to discover them and block them. That is why we don't want
> people to run both in the same IP address.