Replacing meek: Snowflake

Goodbye sweet meek :sleepy:

It would make sense for upstream to sunset it when there’s a proper snowflake package available.

Snowflake is in Debian: snowflake - Debian Package Tracker

I do not know the situation with backport: Make a deb of snowflake (proxy and client) and get into Debian (#19409) · Issues · The Tor Project / Anti-censorship / Pluggable Transports / Snowflake · GitLab

Russia has started censoring Tor. torproject org is blocked, obfs4 and meek are blocked. Snowflake is blocked with DPI rules, the block has been bypassed for now.

2 Likes

I made a post on Use Snowflake in Whonix to Bypass Tor censorship

Below are the three non-trivial tasks required to integrate snowflake into Whonix. I unfortunately do not have enough time to implement all of them.

  1. Find an acceptable way to get the snowflake binary into Whonix-gateway. Some options are:
  • Transferring the binary from whonix-workstation to whonix-gateway can be hacky. It is also not always secure because whonix-workstation is not always trusted.
  • Shipping TBB in whonix-gateway results in a bigger Whonix-gateway image. Users may accidentally/mistakenly use TBB in whonix-gateway, which completely defeats the purpose of Whonix.
  • Enable Debian unstable repo to install snowflake: snowflake - Debian Package Tracker. This is not ideal and can probably be very messy.
  • Shipping the snowflake binary from the Whonix repo requires packaging and costs extra maintenance for Whonix developers.
  • Letting users themselves download TBB in Whonix-gateway creates a chicken-and-egg problem: users in censored areas need snowflake to connect to the Tor network to download TBB in the first place.

I personally prefer shipping TBB in whonix-gateway; this way we can always get the latest pluggable transports shipped by TBB. We may consider using a script to rm core components of the TBB to prevent users from using TBB in whonix-gateway by accident or by mistake.

  2. Find an acceptable way to allow resolving -front domains in whonix-gateway; or find an acceptable way to modify /etc/hosts.

  3. Modify tor-control-panel/anon-connection-wizard to provide the snowflake option. And keep an eye on upstream torrc changes and sync any changes to tor-control-panel/anon-connection-wizard.

2 Likes

Tails ticket on the same issue with some ideas thrown around including using the python packaged versions of transports. Not much progress beyond what we have in the same area:

1 Like

Nowadays btw also available from Debian -- Details of package snowflake-client in bookworm. Making it easier to install.

sudo apt install snowflake-client
3 Likes
1 Like

The snowflake config as provided by upstream (Tor Browser) changes over time. Using Tor Browser with snowflake today results in:

/home/user/.tb/tor-browser/Browser/TorBrowser/Data/Tor/torrc

# This file was generated by Tor; if you edit it, comments will not be preserved
# The old torrc file was renamed to torrc.orig.1, and Tor will ignore it

Bridge snowflake 192.0.2.4:80 8838024498816A039FCBBAB14E6F40A0843051FA fingerprint=8838024498816A039FCBBAB14E6F40A0843051FA url=https://snowflake-broker.torproject.net.global.prod.fastly.net/ front=cdn.sstatic.net ice=stun:stun.l.google.com:19302,stun:stun.antisip.com:3478,stun:stun.bluesip.net:3478,stun:stun.dus.net:3478,stun:stun.epygi.com:3478,stun:stun.sonetel.net:3478,stun:stun.uls.co.za:3478,stun:stun.voipgate.com:3478,stun:stun.voys.nl:3478 utls-imitate=hellorandomizedalpn
Bridge snowflake 192.0.2.3:80 2B280B23E1107BB62ABFC40DDCC8824814F80A72 fingerprint=2B280B23E1107BB62ABFC40DDCC8824814F80A72 url=https://snowflake-broker.torproject.net.global.prod.fastly.net/ front=cdn.sstatic.net ice=stun:stun.l.google.com:19302,stun:stun.antisip.com:3478,stun:stun.bluesip.net:3478,stun:stun.dus.net:3478,stun:stun.epygi.com:3478,stun:stun.sonetel.com:3478,stun:stun.uls.co.za:3478,stun:stun.voipgate.com:3478,stun:stun.voys.nl:3478 utls-imitate=hellorandomizedalpn
ClientOnionAuthDir /home/user/.tb/tor-browser/Browser/TorBrowser/Data/Tor/onion-auth
DataDirectory /home/user/.tb/tor-browser/Browser/TorBrowser/Data/Tor
GeoIPFile /home/user/.tb/tor-browser/Browser/TorBrowser/Data/Tor/geoip
GeoIPv6File /home/user/.tb/tor-browser/Browser/TorBrowser/Data/Tor/geoip6
UseBridges 1

/home/user/.tb/tor-browser/Browser/TorBrowser/Data/Tor/torrc-defaults

# torrc-defaults for Tor Browser
#
# DO NOT EDIT THIS FILE
#
# This file is distributed with Tor Browser and SHOULD NOT be modified (it
# may be overwritten during the next Tor Browser update). To customize your
# Tor configuration, shut down Tor Browser and edit the torrc file.
#
# If non-zero, try to write to disk less frequently than we would otherwise.
AvoidDiskWrites 1
# Where to send logging messages.  Format is minSeverity[-maxSeverity]
# (stderr|stdout|syslog|file FILENAME).
Log notice stdout
CookieAuthentication 1
DormantCanceledByStartup 1
## lyrebird configuration
ClientTransportPlugin meek_lite,obfs2,obfs3,obfs4,scramblesuit exec ./TorBrowser/Tor/PluggableTransports/lyrebird

## snowflake configuration
ClientTransportPlugin snowflake exec ./TorBrowser/Tor/PluggableTransports/snowflake-client

@iry Wishlist: can you please add the snowflake option in anon-connection-wizard?

2 Likes
1 Like
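An added example, not part of the thread and not Whonix or Tor Project code: it parses the `Bridge snowflake` lines from the torrc quoted above, lists the hostnames that snowflake-client has to resolve through the gateway's system DNS (the front domain and the STUN servers), and reports where the bridge lines disagree. The function names are hypothetical; the two bridge lines are copied from the post.

```python
from urllib.parse import urlsplit

# The two Bridge lines from the torrc quoted above, plus surrounding options.
TORRC = """\
# This file was generated by Tor; if you edit it, comments will not be preserved
Bridge snowflake 192.0.2.4:80 8838024498816A039FCBBAB14E6F40A0843051FA fingerprint=8838024498816A039FCBBAB14E6F40A0843051FA url=https://snowflake-broker.torproject.net.global.prod.fastly.net/ front=cdn.sstatic.net ice=stun:stun.l.google.com:19302,stun:stun.antisip.com:3478,stun:stun.bluesip.net:3478,stun:stun.dus.net:3478,stun:stun.epygi.com:3478,stun:stun.sonetel.net:3478,stun:stun.uls.co.za:3478,stun:stun.voipgate.com:3478,stun:stun.voys.nl:3478 utls-imitate=hellorandomizedalpn
Bridge snowflake 192.0.2.3:80 2B280B23E1107BB62ABFC40DDCC8824814F80A72 fingerprint=2B280B23E1107BB62ABFC40DDCC8824814F80A72 url=https://snowflake-broker.torproject.net.global.prod.fastly.net/ front=cdn.sstatic.net ice=stun:stun.l.google.com:19302,stun:stun.antisip.com:3478,stun:stun.bluesip.net:3478,stun:stun.dus.net:3478,stun:stun.epygi.com:3478,stun:stun.sonetel.com:3478,stun:stun.uls.co.za:3478,stun:stun.voipgate.com:3478,stun:stun.voys.nl:3478 utls-imitate=hellorandomizedalpn
UseBridges 1
"""

def parse_snowflake_bridges(torrc_text):
    """Return one dict per 'Bridge snowflake' line: addr, fingerprint, args."""
    bridges = []
    for line in torrc_text.splitlines():
        parts = line.split()
        if len(parts) < 3 or parts[0].lower() != "bridge" or parts[1] != "snowflake":
            continue
        rest = parts[3:]
        # The bare fingerprint is optional in tor's Bridge syntax.
        fingerprint = rest.pop(0) if rest and "=" not in rest[0] else None
        args = dict(p.split("=", 1) for p in rest if "=" in p)
        bridges.append({"addr": parts[2], "fingerprint": fingerprint, "args": args})
    return bridges

def ice_hosts(bridge):
    """Hostnames of the STUN servers ('stun:host[:port]'; no IPv6 literals)."""
    servers = bridge["args"].get("ice", "").split(",")
    return {s.split(":")[1] for s in servers if s.startswith("stun:")}

def dns_names(bridge):
    """Names snowflake-client resolves itself, outside Tor."""
    args = bridge["args"]
    # With front= set, the TLS connection goes to the front domain and the broker
    # name travels only in the HTTP Host header, so only the front is looked up.
    rendezvous = args.get("front") or urlsplit(args.get("url", "")).hostname
    return ice_hosts(bridge) | ({rendezvous} if rendezvous else set())

def ice_drift(bridges):
    """Per bridge, the STUN hosts that the other bridge lines do not share."""
    sets = [ice_hosts(b) for b in bridges]
    common = set.intersection(*sets) if sets else set()
    return [sorted(s - common) for s in sets]

if __name__ == "__main__":
    found = parse_snowflake_bridges(TORRC)
    for b in found:
        print(b["addr"], sorted(dns_names(b)))
    print("differences:", ice_drift(found))
```

Run against a newer Tor Browser torrc, the same functions show which names a gateway's DNS or /etc/hosts setup must cover after upstream changes the bridge lines.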

Both anon-connection-wizard (ACW) and tor-control-panel (TCP) now have snowflake support.

This is now in the Whonix 17 testers repository.

3 Likes

Qubes specific issue:

  • prerequisite knowledge: Whonix-Gateway System DNS - Whonix
  • Tor configuration can be handled by ACW / TCP, but DNS configuration cannot.
  • Since /etc/resolv.conf is in the root image, it is non-persistent. ACW / TCP does enable Whonix-Gateway system DNS in /etc/resolv.conf. This should work fine in Non-Qubes-Whonix. But in Qubes-Whonix this will be reverted after reboot of sys-whonix.
  • Qubes-Whonix users will therefore still need to follow the documentation Configure (Private) (Obfuscated) Tor Bridges chapter Setup Snowflake in Whonix wiki step DNS resolving in Whonix-Gateway. Documentation will be updated accordingly once updated ACW / TCP are migrated to the stable repository.
2 Likes

Amazing @Patrick! Glad to see this as it will simplify my life when I upgrade to the stable release of Qubes 4.2. :sweat_smile:

This is now in the Whonix 17 stable repository.