Replacing meek: Snowflake

Using snowflake is now documented. Unfortunately for advanced users only.


Advanced users only, because:

The difficult part is getting snowflake-client into Whonix-Gateway ™. This is why this is for advanced users only. The binary snowflake-client can be found for example in /var/cache/tb-binary/.tb/tor-browser/Browser/TorBrowser/Tor/PluggableTransports/snowflake-client in Whonix-Workstation ™ [10] or in the Tor Browser download for Linux from torproject.org. Once extracted it is in the tor-browser folder in sub folder ./Browser/TorBrowser/Tor/PluggableTransports/snowflake-client . Once snowflake-client is somewhere in Whonix-Gateway ™, it needs to be copied to /usr/bin/snowflake-client.

Thanks a lot Patrick for that entry! Unfortunately that’s not working currently since it’s lacking certain steps and there’s an another bug going on (if a workaround is known please let us know since it’s the only blocker to using snowflake):

sudo chmod +rx /usr/bin/snowflake-client 

is needed otherwise one gets a permission denied when tor tries to launch snowflake.

One also needs to add this line:

/usr/bin/snowflake-client ix,

to /etc/apparmor.d/abstractions/tor and then reload apparmor using sudo service apparmor restart

(thanks to David Fifield for posting these instructions on
https:// trac. torproject. org/projects/tor/ticket/24203 )

Yet after all this snowflake doesn’t start and the reason is found when running /usr/bin/snowflake-client -h:

/usr/bin/snowflake-client: /usr/lib/x86_64-linux-gnu/libstdc++.so.6: version `CXXABI_1.3.11' not found (required by /usr/bin/snowflake-client)

How can I fix this issue? Which package would need updating?

1 Like

Apparently this should be fixed in the next Tor Browser alpha, https://trac.torproject.org/projects/tor/ticket/31380

In the meantime I will try another snowflake-client from an earlier version and see how it goes.

PS: Another important thing, when connecting to Tor through snowflake fails then Tor immediately switches to a direct connection to the Tor network, this is potentially dangerous in many environments. Does anyone know how to avoid this?

1 Like

I tested on Qubes-Whonix only but should be same in Non-Qubes-Whonix.

Outdated version of Whonix / security-misc where we had umask changes.

should be already. But depending on how the file was transferred in Whonix-Gateway this may be required indeed.

Already there. See footnote.


Do you have file /usr/lib/x86_64-linux-gnu/libstdc++.so.6 on your system?

dpkg -S /usr/lib/x86_64-linux-gnu/libstdc++.so.6

libstdc++6:amd64: /usr/lib/x86_64-linux-gnu/libstdc++.so.6


sudo apt install libstdc++6

I don’t think it’s possible to not have that package installed.

I used Tor Browser version 9.0a6 to extract snowflake-client. That might make a difference too.

Yes it’s a brand new sys-whonix from Qubes,

libstdc++6 is already the newest version (6.3.0-18+deb9u1).


libstdc++6 is already the newest version (8.3.0-6).

Are you sure you have Whonix 15 (Debian buster based)? And not Whonix 14 (Debian stretch based) (deprecated)? For me:

cat /etc/whonix_version


Are you sure?

If yes, please reproduce on Debian (buster) and then report to The Tor Project https://trac.torproject.org.

Thanks again for all of the valuable help, so it seems I only have Whonix 14, I just upgraded to 15.

Yes, since I didn’t put UseBridges 1 in 50_user.conf, please add it to the wiki as well. Now snowflake works!!!

Last question: Whenever I restart sys-whonix the /usr/bin/snowflake-client gets deleted, so should I make thse changes to the whonix gateway template??

1 Like


Hi everyone! I’m the “i0k0rw” in the thread above (had to make a new account since I lost the password of that one lol)

Unfortunately snowflake stopped working after 11-06-2020 (after Whonix updates?). I still don’t know what the issue is but I followed all the steps on installing snowflake (from the latest Tor Browser alpha) and it’s not working. /usr/bin/snowflake-client is able to load up, however when I see on nyx all I find is:

[NOTICE] New control connection opened.
[NOTICE] Bootstrapped 2% (conn_done_pt): Connected to pluggable transport
[NOTICE] Bootstrapped 1% (conn_pt): Connecting to pluggable transport
[NOTICE] Tor opening log file.

I’d appreciate any help.

Edit: Precision: snowflake is working fine with the Tor Browser alpha on a debian-9 Qubes VM.

Since July 6, Tor browser has included Snowflake as a pre-packaged proxy option.

I love Snowflake, and I use it often to connect to the Tor network. I see that the Wiki describes how to add Snowflake to Whonix.

However, now that Snowflake is included in Tor Browser by default, I hope that Whonix Anon Connection Wizard will soon include Snowflake by default too. Is there any chance of this happening soon?

Snowflake is in Debian, almost

1 Like

Contribution always welcome.

Do you know f it’s in backports?

Not at time of writing.


Meek removal eweiibe6tdjsdprb4px6rqrzzcsi22m4koia44kc5pcjr7nec2rlxyad.onion/tpo/anti-censorship/team/-/issues/33

1 Like

Goodbye sweet meek :sleepy:

It would make sense for upstream to sunset it when there’s a proper snowflake package available

Snowflake is in Debian: tracker.debian.org/pkg/snowflake

I do not know the situation with backport: gitlab.torproject.org/tpo/anti-censorship/pluggable-transports/snowflake/-/issues/19409#note_2761402

Russia has started censoring Tor. torproject org is blocked, obfs4 and meek are blocked. Snowflake is blocked with DPI rules, the block has been bypassed for now.


I made a post on Use Snowflake in Whonix to Bypass Tor censorship

Below are the three non-trivial tasks required to integrate snowflake into Whonix. I unfortunately do not have enough time to implement all of them.

  1. Find an acceptable way to get snowflake binary into Whonix-gateway. Some options are:
  • Transferring binary from whonix-workstation to whonix-gateway can be hacky. It is also not always secure because whonix-workstation is not always be trusted.
  • Shipping TBB in whonix-gateway results in a bigger Whonix-gateway image. Users may accidentally/mistakenly use TBB in whonix-gateway, which completely defeats the purpose of Whonix.
  • Enable Debian unstable repo to install snowflake: snowflake - Debian Package Tracker This is not ideal and can probably be very messy.
  • Shipping snowflake binary from Whonix repo requires packaging and cost extra maintenance for Whonix developers.
  • Letting user themselves download TBB in Whonix-gatway creates a chicken-egg problem: users in censored area needs snowflake to connect to the Tor network to download TBB in the first place.

I personally prefer shipping TBB in whonix-gateway, this way we can always get the latest pluggable transports shipped by TBB. We may consider using script to rm core components of the TBB to prevent users from using TBB in whonix-gateway by accident or by mistake.

  1. Find an acceptable way to allow resolving -front domains in whonix-gateway; or find an acceptable way to modify /etc/hosts.

  2. Modify tor-control-pannel/anon-connection-wizard to provide the snowflake option. And keep an eye on upstream torrc changes and sync any changes to tor-control-pannel/anon-connection-wizard.

[Imprint] [Privacy Policy] [Cookie Policy] [Terms of Use] [E-Sign Consent] [DMCA] [Contributors] [Investors] [Priority Support] [Professional Support]