Goodbye sweet meek
It would make sense for upstream to sunset it when there’s a proper snowflake package available
Snowflake is in Debian: snowflake - Debian Package Tracker
I do not know the situation with backport: Make a deb of snowflake (proxy and client) and get into Debian (#19409) · Issues · The Tor Project / Anti-censorship / Pluggable Transports / Snowflake · GitLab
Russia has started censoring Tor. torproject org is blocked, obfs4 and meek are blocked. Snowflake is blocked with DPI rules; the block has been bypassed for now.
I made a post on Use Snowflake in Whonix to Bypass Tor censorship
Below are the three non-trivial tasks required to integrate snowflake into Whonix. I unfortunately do not have enough time to implement all of them.
- Find an acceptable way to get the snowflake binary into Whonix-Gateway. Some options are:
  - Transferring the binary from Whonix-Workstation to Whonix-Gateway can be hacky. It is also not always secure, because Whonix-Workstation is not always trusted.
  - Shipping TBB in Whonix-Gateway results in a bigger Whonix-Gateway image. Users may accidentally/mistakenly use TBB in Whonix-Gateway, which completely defeats the purpose of Whonix.
  - Enabling the Debian unstable repo to install snowflake: snowflake - Debian Package Tracker. This is not ideal and can probably be very messy.
  - Shipping the snowflake binary from the Whonix repo requires packaging and costs extra maintenance for Whonix developers.
  - Letting users themselves download TBB in Whonix-Gateway creates a chicken-and-egg problem: users in censored areas need snowflake to connect to the Tor network to download TBB in the first place.
  I personally prefer shipping TBB in Whonix-Gateway; this way we can always get the latest pluggable transports shipped by TBB. We may consider using a script to rm core components of the TBB to prevent users from using TBB in Whonix-Gateway by accident or by mistake.
- Find an acceptable way to allow resolving front domains in Whonix-Gateway; or find an acceptable way to modify
- Modify tor-control-panel/anon-connection-wizard to provide the snowflake option. And keep an eye on upstream torrc changes and sync any changes to tor-control-panel/anon-connection-wizard.
Tails ticket on the same issue with some ideas thrown around including using the python packaged versions of transports. Not much progress beyond what we have in the same area:
Nowadays, btw, it is also available from Debian: Details of package snowflake-client in bookworm. This makes it easier to install.
sudo apt install snowflake-client
The snowflake config as provided by upstream (Tor Browser) changes over time. Using Tor Browser with snowflake today results in:
# This file was generated by Tor; if you edit it, comments will not be preserved
# The old torrc file was renamed to torrc.orig.1, and Tor will ignore it
Bridge snowflake 192.0.2.4:80 8838024498816A039FCBBAB14E6F40A0843051FA fingerprint=8838024498816A039FCBBAB14E6F40A0843051FA url=https://snowflake-broker.torproject.net.global.prod.fastly.net/ front=cdn.sstatic.net ice=stun:stun.l.google.com:19302,stun:stun.antisip.com:3478,stun:stun.bluesip.net:3478,stun:stun.dus.net:3478,stun:stun.epygi.com:3478,stun:stun.sonetel.net:3478,stun:stun.uls.co.za:3478,stun:stun.voipgate.com:3478,stun:stun.voys.nl:3478 utls-imitate=hellorandomizedalpn
Bridge snowflake 192.0.2.3:80 2B280B23E1107BB62ABFC40DDCC8824814F80A72 fingerprint=2B280B23E1107BB62ABFC40DDCC8824814F80A72 url=https://snowflake-broker.torproject.net.global.prod.fastly.net/ front=cdn.sstatic.net ice=stun:stun.l.google.com:19302,stun:stun.antisip.com:3478,stun:stun.bluesip.net:3478,stun:stun.dus.net:3478,stun:stun.epygi.com:3478,stun:stun.sonetel.com:3478,stun:stun.uls.co.za:3478,stun:stun.voipgate.com:3478,stun:stun.voys.nl:3478 utls-imitate=hellorandomizedalpn
# torrc-defaults for Tor Browser
# DO NOT EDIT THIS FILE
# This file is distributed with Tor Browser and SHOULD NOT be modified (it
# may be overwritten during the next Tor Browser update). To customize your
# Tor configuration, shut down Tor Browser and edit the torrc file.
# If non-zero, try to write to disk less frequently than we would otherwise.
# Where to send logging messages. Format is minSeverity[-maxSeverity]
# (stderr|stdout|syslog|file FILENAME).
Log notice stdout
## lyrebird configuration
ClientTransportPlugin meek_lite,obfs2,obfs3,obfs4,scramblesuit exec ./TorBrowser/Tor/PluggableTransports/lyrebird
## snowflake configuration
ClientTransportPlugin snowflake exec ./TorBrowser/Tor/PluggableTransports/snowflake-client
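Because the upstream Bridge lines change over time (the "keep an eye on upstream torrc changes and sync" task raised earlier in the thread), here is an added example of the check a gateway integrator would want. It is not code from Whonix, Tor Browser, anon-connection-wizard or tor-control-panel. It parses the two Bridge lines quoted in the post above (used as sample input), validates the fields an operator would care about (fingerprint format, positional fingerprint agreeing with the fingerprint= parameter, https broker URL, well-formed stun: ICE servers), reports what differs between a local copy and an upstream copy, and renders a torrc fragment that points the transport at the Debian package's binary. Assumptions not stated in the thread: the Debian snowflake-client package installs its binary as /usr/bin/snowflake-client, and the fragment is written to a torrc drop-in of the operator's choosing.

```python
"""Parse, validate, diff and re-render Tor Browser 'Bridge snowflake' lines.

Added example for this thread, not project code. Assumed (not from the thread):
the Debian snowflake-client package puts its binary at /usr/bin/snowflake-client.
"""
import re
from dataclasses import dataclass, field

# Sample input: the two Bridge lines copied from the Tor Browser torrc quoted above.
UPSTREAM_TORRC = """\
# This file was generated by Tor; if you edit it, comments will not be preserved
Bridge snowflake 192.0.2.4:80 8838024498816A039FCBBAB14E6F40A0843051FA fingerprint=8838024498816A039FCBBAB14E6F40A0843051FA url=https://snowflake-broker.torproject.net.global.prod.fastly.net/ front=cdn.sstatic.net ice=stun:stun.l.google.com:19302,stun:stun.antisip.com:3478,stun:stun.bluesip.net:3478,stun:stun.dus.net:3478,stun:stun.epygi.com:3478,stun:stun.sonetel.net:3478,stun:stun.uls.co.za:3478,stun:stun.voipgate.com:3478,stun:stun.voys.nl:3478 utls-imitate=hellorandomizedalpn
Bridge snowflake 192.0.2.3:80 2B280B23E1107BB62ABFC40DDCC8824814F80A72 fingerprint=2B280B23E1107BB62ABFC40DDCC8824814F80A72 url=https://snowflake-broker.torproject.net.global.prod.fastly.net/ front=cdn.sstatic.net ice=stun:stun.l.google.com:19302,stun:stun.antisip.com:3478,stun:stun.bluesip.net:3478,stun:stun.dus.net:3478,stun:stun.epygi.com:3478,stun:stun.sonetel.com:3478,stun:stun.uls.co.za:3478,stun:stun.voipgate.com:3478,stun:stun.voys.nl:3478 utls-imitate=hellorandomizedalpn
"""

SNOWFLAKE_CLIENT = "/usr/bin/snowflake-client"  # assumed path of the Debian package's binary

_FPR = re.compile(r"^[0-9A-F]{40}$")            # Tor relay/bridge identity fingerprint
_HOSTPORT = re.compile(r"^[A-Za-z0-9.-]+:\d{1,5}$")


@dataclass
class SnowflakeBridge:
    addr: str                      # placeholder addr:port (snowflake ignores it)
    fingerprint: str               # uppercase 40-hex-digit identity
    params: dict = field(default_factory=dict)  # key=value transport parameters, in order

    @property
    def ice(self) -> list[str]:
        return [s for s in self.params.get("ice", "").split(",") if s]


def parse_bridge_line(line: str) -> SnowflakeBridge:
    """Parse one 'Bridge snowflake ...' line; raise ValueError on anything suspicious."""
    tokens = line.split()
    if len(tokens) < 4 or tokens[0] != "Bridge" or tokens[1] != "snowflake":
        raise ValueError(f"not a snowflake Bridge line: {line[:40]!r}")
    addr, fpr = tokens[2], tokens[3].upper()
    if not _HOSTPORT.match(addr):
        raise ValueError(f"bad bridge address {addr!r}")
    if not _FPR.match(fpr):
        raise ValueError(f"bad fingerprint {fpr!r}")
    params: dict = {}
    for tok in tokens[4:]:
        key, sep, value = tok.partition("=")
        if not sep or not key:
            raise ValueError(f"malformed parameter {tok!r}")
        params[key] = value
    # Tor Browser repeats the identity as fingerprint=; the two copies must agree.
    if params.get("fingerprint", fpr).upper() != fpr:
        raise ValueError("fingerprint= parameter disagrees with positional fingerprint")
    if not params.get("url", "").startswith("https://"):
        raise ValueError("broker url must be https (it is domain-fronted)")
    for server in params.get("ice", "").split(","):
        if server and not (server.startswith("stun:") and _HOSTPORT.match(server[5:])):
            raise ValueError(f"bad ICE server {server!r}")
    return SnowflakeBridge(addr, fpr, params)


def is_valid_bridge_line(line: str) -> bool:
    try:
        parse_bridge_line(line)
        return True
    except ValueError:
        return False


def parse_torrc(text: str) -> dict[str, SnowflakeBridge]:
    """Collect snowflake Bridge lines from torrc text, keyed by fingerprint."""
    bridges: dict[str, SnowflakeBridge] = {}
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("Bridge "):
            b = parse_bridge_line(line)
            bridges[b.fingerprint] = b
    return bridges


def diff_bridges(local: dict, upstream: dict) -> dict[str, str]:
    """Describe what changed upstream relative to the gateway's copy, per fingerprint."""
    changes: dict[str, str] = {}
    for fpr in sorted(set(local) | set(upstream)):
        if fpr not in upstream:
            changes[fpr] = "removed upstream"
        elif fpr not in local:
            changes[fpr] = "new upstream"
        else:
            keys = set(local[fpr].params) | set(upstream[fpr].params)
            changed = sorted(k for k in keys
                             if local[fpr].params.get(k) != upstream[fpr].params.get(k))
            if local[fpr].addr != upstream[fpr].addr:
                changed.insert(0, "addr")
            if changed:
                changes[fpr] = "changed: " + ",".join(changed)
    return changes


def render_torrc(bridges: dict, client_path: str = SNOWFLAKE_CLIENT) -> str:
    """Render a torrc fragment using the system snowflake-client instead of TBB's copy."""
    lines = ["UseBridges 1", f"ClientTransportPlugin snowflake exec {client_path}"]
    for fpr in sorted(bridges):
        b = bridges[fpr]
        kv = " ".join(f"{k}={v}" for k, v in b.params.items())
        lines.append(f"Bridge snowflake {b.addr} {fpr} {kv}")
    return "\n".join(lines) + "\n"


if __name__ == "__main__":
    current = parse_torrc(UPSTREAM_TORRC)
    print(render_torrc(current))
```

The diff is keyed by fingerprint rather than by line text so that a reordered ICE list or a changed front= domain shows up as a named parameter change, which is the signal that the ACW / TCP defaults need a resync.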
@iry Wishlist: can you please add the snowflake option in anon-connection-wizard?
Both anon-connection-wizard (ACW) and tor-control-panel (TCP) now have snowflake support.
This is now in the Whonix 17 testers repository.
Qubes specific issue:
- prerequisite knowledge: Whonix-Gateway System DNS - Whonix
- Tor configuration can be handled by ACW / TCP but DNS configuration not.
- /etc/resolv.conf is in the root image; it is non-persistent. ACW / TCP does enable Whonix-Gateway system DNS in /etc/resolv.conf. This should work fine in Non-Qubes-Whonix. But in Qubes-Whonix this will be reverted after reboot of
- Qubes-Whonix users will therefore still need to follow the documentation Configure (Private) (Obfuscated) Tor Bridges chapter Setup Snowflake in Whonix wiki step DNS resolving in Whonix-Gateway. Documentation will be updated accordingly once updated ACW / TCP are migrated to the stable repository.
Amazing @Patrick! Glad to see this as it will simplify my life when I upgrade to the stable release of Qubes 4.2.
This is now in the Whonix 17 stable repository.