Since July 6, Tor Browser has included Snowflake as a pre-packaged proxy option.
I love Snowflake, and I use it often to connect to the Tor network. I see that the Wiki describes how to add Snowflake to Whonix.
However, now that Snowflake is included in Tor Browser by default, I hope that the Whonix Anon Connection Wizard will soon include Snowflake by default too. Is there any chance of this happening soon?
Russia has started censoring Tor. torproject.org is blocked; obfs4 and meek are blocked. Snowflake is blocked with DPI rules; the block has been bypassed for now.
Below are the three non-trivial tasks required to integrate snowflake into Whonix. I unfortunately do not have enough time to implement all of them.
1. Find an acceptable way to get the snowflake binary into Whonix-Gateway. Some options are:
   - Transferring the binary from Whonix-Workstation to Whonix-Gateway can be hacky. It is also not always secure, because Whonix-Workstation is not always trusted.
   - Shipping TBB in Whonix-Gateway results in a bigger Whonix-Gateway image. Users may accidentally/mistakenly use TBB in Whonix-Gateway, which completely defeats the purpose of Whonix.
   - Shipping the snowflake binary from the Whonix repo requires packaging and costs extra maintenance for Whonix developers.
   - Letting users download TBB themselves in Whonix-Gateway creates a chicken-and-egg problem: users in censored areas need snowflake to connect to the Tor network to download TBB in the first place.
   I personally prefer shipping TBB in Whonix-Gateway; this way we can always get the latest pluggable transports shipped by TBB. We may consider using a script to rm core components of the TBB to prevent users from using TBB in Whonix-Gateway by accident or by mistake.
2. Find an acceptable way to allow resolving front domains in Whonix-Gateway; or find an acceptable way to modify /etc/hosts.
3. Modify tor-control-panel/anon-connection-wizard to provide the snowflake option, and keep an eye on upstream torrc changes and sync any changes to tor-control-panel/anon-connection-wizard.
Tails ticket on the same issue, with some ideas thrown around, including using the Python-packaged versions of transports. Not much progress beyond what we have in the same area:
# This file was generated by Tor; if you edit it, comments will not be preserved
# The old torrc file was renamed to torrc.orig.1, and Tor will ignore it
Bridge snowflake 192.0.2.4:80 8838024498816A039FCBBAB14E6F40A0843051FA fingerprint=8838024498816A039FCBBAB14E6F40A0843051FA url=https://snowflake-broker.torproject.net.global.prod.fastly.net/ front=cdn.sstatic.net ice=stun:stun.l.google.com:19302,stun:stun.antisip.com:3478,stun:stun.bluesip.net:3478,stun:stun.dus.net:3478,stun:stun.epygi.com:3478,stun:stun.sonetel.net:3478,stun:stun.uls.co.za:3478,stun:stun.voipgate.com:3478,stun:stun.voys.nl:3478 utls-imitate=hellorandomizedalpn
Bridge snowflake 192.0.2.3:80 2B280B23E1107BB62ABFC40DDCC8824814F80A72 fingerprint=2B280B23E1107BB62ABFC40DDCC8824814F80A72 url=https://snowflake-broker.torproject.net.global.prod.fastly.net/ front=cdn.sstatic.net ice=stun:stun.l.google.com:19302,stun:stun.antisip.com:3478,stun:stun.bluesip.net:3478,stun:stun.dus.net:3478,stun:stun.epygi.com:3478,stun:stun.sonetel.com:3478,stun:stun.uls.co.za:3478,stun:stun.voipgate.com:3478,stun:stun.voys.nl:3478 utls-imitate=hellorandomizedalpn
ClientOnionAuthDir /home/user/.tb/tor-browser/Browser/TorBrowser/Data/Tor/onion-auth
DataDirectory /home/user/.tb/tor-browser/Browser/TorBrowser/Data/Tor
GeoIPFile /home/user/.tb/tor-browser/Browser/TorBrowser/Data/Tor/geoip
GeoIPv6File /home/user/.tb/tor-browser/Browser/TorBrowser/Data/Tor/geoip6
UseBridges 1
# torrc-defaults for Tor Browser
#
# DO NOT EDIT THIS FILE
#
# This file is distributed with Tor Browser and SHOULD NOT be modified (it
# may be overwritten during the next Tor Browser update). To customize your
# Tor configuration, shut down Tor Browser and edit the torrc file.
#
# If non-zero, try to write to disk less frequently than we would otherwise.
AvoidDiskWrites 1
# Where to send logging messages. Format is minSeverity[-maxSeverity]
# (stderr|stdout|syslog|file FILENAME).
Log notice stdout
CookieAuthentication 1
DormantCanceledByStartup 1
## lyrebird configuration
ClientTransportPlugin meek_lite,obfs2,obfs3,obfs4,scramblesuit exec ./TorBrowser/Tor/PluggableTransports/lyrebird
## snowflake configuration
ClientTransportPlugin snowflake exec ./TorBrowser/Tor/PluggableTransports/snowflake-client
Tor configuration can be handled by ACW / TCP, but DNS configuration cannot.
Since /etc/resolv.conf is in the root image, it is non-persistent. ACW / TCP does enable Whonix-Gateway system DNS in /etc/resolv.conf. This should work fine in Non-Qubes-Whonix, but in Qubes-Whonix this will be reverted after a reboot of sys-whonix.
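A check for the front-domain / DNS task in the developer's list above and for the resolv.conf problem in this post, as an added example that is not Whonix's, ACW's or the thread's own code: it parses a Tor Browser torrc, pulls out the front= and url= hosts that the snowflake client on Whonix-Gateway must be able to resolve, and reports whether each has a static /etc/hosts mapping, which is the only thing that survives a sys-whonix reboot if system DNS is not persistent. The torrc excerpt and hosts file are constructed inline with placeholder fingerprints and addresses, and the function names are my own, not ACW's.

```shell
#!/bin/sh
# Added example (not Whonix / anon-connection-wizard code).
# Extracts the hostnames a snowflake client needs to resolve from a torrc and
# checks whether each one has a static mapping in a hosts file.

# Print each Bridge snowflake line's front= value, one per line, de-duplicated.
snowflake_fronts() {
    awk '$1 == "Bridge" && $2 == "snowflake" {
        for (i = 4; i <= NF; i++)
            if ($i ~ /^front=/) { sub(/^front=/, "", $i); print $i }
    }' "$1" | sort -u
}

# Print the host part of each url= value (the broker the client must reach).
snowflake_broker_hosts() {
    awk '$1 == "Bridge" && $2 == "snowflake" {
        for (i = 4; i <= NF; i++)
            if ($i ~ /^url=/) {
                sub(/^url=https?:\/\//, "", $i); sub(/\/.*$/, "", $i); print $i
            }
    }' "$1" | sort -u
}

# Exit 0 if the torrc registers a snowflake ClientTransportPlugin, 1 otherwise.
snowflake_transport_configured() {
    awk '$1 == "ClientTransportPlugin" && $2 == "snowflake" { found = 1 }
         END { exit (found ? 0 : 1) }' "$1"
}

# Exit 0 if NAME has a (non-comment) mapping in the given hosts file, 1 otherwise.
# Whonix-Gateway has no persistent system DNS, so a front domain that is neither
# mapped here nor resolvable means the snowflake client cannot reach the broker.
hosts_has_entry() {
    awk -v name="$2" '$1 !~ /^#/ { for (i = 2; i <= NF; i++) if ($i == name) found = 1 }
         END { exit (found ? 0 : 1) }' "$1"
}

# Report which names the gateway must resolve and whether each is mapped.
snowflake_resolve_report() {
    torrc="$1"; hosts="$2"
    if snowflake_transport_configured "$torrc"; then
        echo "ok: ClientTransportPlugin snowflake present"
    else
        echo "missing: no ClientTransportPlugin snowflake line"
    fi
    for name in $(snowflake_fronts "$torrc") $(snowflake_broker_hosts "$torrc"); do
        if hosts_has_entry "$hosts" "$name"; then
            echo "mapped: $name"
        else
            echo "unresolved: $name (needs a resolver or an /etc/hosts entry)"
        fi
    done
}

# Constructed sample inputs: same shape as the Bridge lines in this thread, but
# with all-zero/all-one placeholder fingerprints and example.* hosts.
SAMPLE_TORRC=$(mktemp)
SAMPLE_HOSTS=$(mktemp)
cat > "$SAMPLE_TORRC" <<'EOF'
UseBridges 1
Bridge snowflake 192.0.2.4:80 0000000000000000000000000000000000000000 fingerprint=0000000000000000000000000000000000000000 url=https://broker.example.net/ front=cdn.example.org ice=stun:stun.example.com:19302 utls-imitate=hellorandomizedalpn
Bridge snowflake 192.0.2.3:80 1111111111111111111111111111111111111111 fingerprint=1111111111111111111111111111111111111111 url=https://broker.example.net/ front=cdn.example.org ice=stun:stun.example.com:19302 utls-imitate=hellorandomizedalpn
ClientTransportPlugin snowflake exec ./TorBrowser/Tor/PluggableTransports/snowflake-client
EOF
cat > "$SAMPLE_HOSTS" <<'EOF'
127.0.0.1 localhost
# front domain mapped by hand (constructed placeholder address)
203.0.113.10 cdn.example.org
EOF

snowflake_resolve_report "$SAMPLE_TORRC" "$SAMPLE_HOSTS"
```

On a real gateway you would point the two arguments at the torrc ACW / TCP writes and at /etc/hosts; only the front domain needs a static mapping, since the broker URL is reached through the front (domain fronting), so an "unresolved" line for the broker host alone is expected, while an unresolved front domain means the snowflake transport will fail after the next sys-whonix reboot reverts resolv.conf.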