[HOME] [DOWNLOAD] [DOCS] [NEWS] [SUPPORT] [TIPS] [ISSUES] [CONTRIBUTE] [DONATE]

Use Snowflake in Whonix to Bypass Tor censorship

Snowflake is a new pluggable transport available in Tor Browser to defeat internet censorship. In this post, we introduce how to use it in Whonix.

We use Qubes-Whonix as an example, and assume we have two template VMs: whonix-ws-16 and whonix-gw-16; and one whonix-gateway VM sys-whonix. The general idea is the same for other platforms that run Whonix.

Get snowflake-client binary

Since Whonix-gateway does not ship a Tor Browser Bundle by default, we get snowflake-client binary by transferring it from Whonix-workstation. In particular, there are two steps:

  1. First, execute the following command in whonix-ws-16 to copy the snowflake-client binary to whonix-gw-16:
qvm-copy-to-vm whonix-gw-16 ~/.tb/tor-browser/Browser/TorBrowser/Tor/PluggableTransports/snowflake-client

Note that it is okay from a security point of view for this action, because both Whonix-gateway and Whonix-workstation templates are trusted.

  1. Second, put the snowflake-client binary to /usr/bin in whonix-gw-16:
sudo install ~/QubesIncoming/whonix-ws-16/snowflake-client --owner debian-tor --group debian-tor --target-directory /usr/bin

Configure Tor to use snowflake

We need to tell Tor to use snowflake. In particular, we append the following three lines to the user torrc in whonix-gw-16 with sudo nano /usr/local/etc/torrc.d/50_user.conf:

UseBridges 1
ClientTransportPlugin snowflake exec /usr/bin/snowflake-client -url https://snowflake-broker.torproject.net.global.prod.fastly.net/ -front cdn.sstatic.net -ice stun:stun.l.google.com:19302,stun:stun.voip.blackberry.com:3478,stun:stun.altar.com.pl:3478,stun:stun.antisip.com:3478,stun:stun.bluesip.net:3478,stun:stun.dus.net:3478,stun:stun.epygi.com:3478,stun:stun.sonetel.com:3478,stun:stun.sonetel.net:3478,stun:stun.stunprotocol.org:3478,stun:stun.uls.co.za:3478,stun:stun.voipgate.com:3478,stun:stun.voys.nl:3478
Bridge snowflake 192.0.2.3:1

Don’t get intimidated by the three lines above. The UseBridges 1 and Bridge snowflake 192.0.2.3:1 never change. And we can obtain an up-to-date second line by looking at the latest torrc shipped with Tor Browser Bunbdle. In particular, we can get the second line by executing the following command in whonix-ws-16:

grep "ClientTransportPlugin snowflake" ~/.tb/tor-browser/Browser/TorBrowser/Data/Tor/torrc-defaults
ClientTransportPlugin snowflake exec ./TorBrowser/Tor/PluggableTransports/snowflake-client -url https://snowflake-broker.torproject.net.global.prod.fastly.net/ -front cdn.sstatic.net -ice stun:stun.l.google.com:19302,stun:stun.voip.blackberry.com:3478,stun:stun.altar.com.pl:3478,stun:stun.antisip.com:3478,stun:stun.bluesip.net:3478,stun:stun.dus.net:3478,stun:stun.epygi.com:3478,stun:stun.sonetel.com:3478,stun:stun.sonetel.net:3478,stun:stun.stunprotocol.org:3478,stun:stun.uls.co.za:3478,stun:stun.voipgate.com:3478,stun:stun.voys.nl:3478

Workaround DNS resolving in Whonix-gateway

Snowflake-client needs to resolve the -front domain to IP, in order to the server; however, this DNS resolving will fail with the default Whonix gateway DNS configuration.

We thus workaround it by resolving the domain manually and then put it into /etc/hosts in whonix-gw-16. In the example above, we have -front cdn.sstatic.net. We thus resolve the domain cdn.sstatic.net manually in a machine that allows DNS resolving by:

dig +short cdn.sstatic.net
151.101.193.69

Now, we append the following lines to the /etc/hosts in whonix-gw-16 with sudo nano /etc/hosts:

151.101.193.69 cdn.sstatic.net

Restart Tor

Finally, we shutdown the template VM whonix-gw-16 and start Whonix-gateway VM sys-whonix.

In sys-whonix, we restart the Tor with:

sudo service tor@default restart

Make sure Tor is using snowflake

To check if Tor is indeed using snowflake, we use nyx or onioncircuits. We are connecting to the Tor network through snowflake if:

  1. In nyx, the guard node is a local address, like 192.168.0.1;
  2. or in onioncircuits, the guard node IP is Unknown.

Other usages

Use AMP cache rendezvous for Snowflake

wkrp stated in a recent post:

by default in Tor Browser, Snowflake does rendezvous using a domain-fronted HTTPS request. Now there is an alternative (backup) to domain fronting rendezvous: AMP cache rendezvous. If one rendezvous method is blocked, there is a chance the other will work.

In short, two steps are required to use AMP cache rendezvous:

  1. First, replace the second line in /usr/local/etc/torrc.d/50_user.conf with:
ClientTransportPlugin snowflake exec /usr/bin/snowflake-client -url https://snowflake-broker.torproject.net/ -ampcache https://cdn.ampproject.org/ -front www.google.com -ice stun:stun.l.google.com:19302,stun:stun.voip.blackberry.com:3478,stun:stun.altar.com.pl:3478,stun:stun.antisip.com:3478,stun:stun.bluesip.net:3478,stun:stun.dus.net:3478,stun:stun.epygi.com:3478,stun:stun.sonetel.com:3478,stun:stun.sonetel.net:3478,stun:stun.stunprotocol.org:3478,stun:stun.uls.co.za:3478,stun:stun.voipgate.com:3478,stun:stun.voys.nl:3478
  1. Second, note that the -front is now www.google.com. So we have to put the IP address of www.google.com to /etc/hosts:

Still we resolve the IP manually with dig +short www.google.com and get 142.251.46.164.

We then append the following line with sudo nano /etc/hosts:

142.251.32.36 www.google.com

Enable and view Snowflake log

We can enable the snowflake log for bebugging purposes by appending -log snowflake.log -log-to-state-dir to the ClientTransportPlugin snowflake... line in /usr/local/etc/torrc.d/50_user.conf. The complete line looks like this:

ClientTransportPlugin snowflake exec /usr/bin/snowflake-client -url https://snowflake-broker.torproject.net.global.prod.fastly.net/ -front cdn.sstatic.net -ice stun:stun.l.google.com:19302,stun:stun.voip.blackberry.com:3478,stun:stun.altar.com.pl:3478,stun:stun.antisip.com:3478,stun:stun.bluesip.net:3478,stun:stun.dus.net:3478,stun:stun.epygi.com:3478,stun:stun.sonetel.com:3478,stun:stun.sonetel.net:3478,stun:stun.stunprotocol.org:3478,stun:stun.uls.co.za:3478,stun:stun.voipgate.com:3478,stun:stun.voys.nl:3478 -log snowflake.log -log-to-state-dir

We can view the snowflake log with sudo less /var/lib/tor/pt_state/snowflake.log.

Note that we can always find the Tor DataDirectory with the following command:

anon-verify -v | grep DataDirectory
DataDirectory /var/lib/tor
1 Like

Development discussion on intergrating snowflake into Whonix:

1 Like

Could you please check what needs modification under https://www.whonix.org/wiki/Bridges#Snowflake?

--owner debian-tor --group debian-tor shouldn’t be used. No need.

The command already used in above link to documentation for copy and executable permission should be already perfect.

1 Like

Thank you for pointing me to the Wiki section! I wasn’t aware of it.

I have made the corresponding changes to the Wiki section. It now has the up-to-date instructions to use snowflake.

1 Like
[Imprint] [Privacy Policy] [Cookie Policy] [Terms of Use] [E-Sign Consent] [DMCA] [Contributors] [Investors] [Priority Support] [Professional Support]