Use Snowflake in Whonix to Bypass Tor censorship

Snowflake is a new pluggable transport available in Tor Browser to defeat internet censorship. In this post, we introduce how to use it in Whonix.

We use Qubes-Whonix as an example, and assume we have two template VMs: whonix-ws-16 and whonix-gw-16; and one whonix-gateway VM sys-whonix. The general idea is the same for other platforms that run Whonix.

Get snowflake-client binary

Since Whonix-gateway does not ship a Tor Browser Bundle by default, we get snowflake-client binary by transferring it from Whonix-workstation. In particular, there are two steps:

  1. First, execute the following command in whonix-ws-16 to copy the snowflake-client binary to whonix-gw-16:
qvm-copy-to-vm whonix-gw-16 ~/.tb/tor-browser/Browser/TorBrowser/Tor/PluggableTransports/snowflake-client

Note that this action is okay from a security point of view, because both Whonix-gateway and Whonix-workstation templates are trusted.

  2. Second, put the snowflake-client binary into /usr/bin in whonix-gw-16:
sudo install ~/QubesIncoming/whonix-ws-16/snowflake-client --owner debian-tor --group debian-tor --target-directory /usr/bin

Configure Tor to use snowflake

We need to tell Tor to use snowflake. In particular, we append the following three lines to the user torrc in whonix-gw-16 with sudo nano /usr/local/etc/torrc.d/50_user.conf:

UseBridges 1
ClientTransportPlugin snowflake exec /usr/bin/snowflake-client -url https://snowflake-broker.torproject.net.global.prod.fastly.net/ -front cdn.sstatic.net -ice stun:stun.l.google.com:19302,stun:stun.voip.blackberry.com:3478,stun:stun.altar.com.pl:3478,stun:stun.antisip.com:3478,stun:stun.bluesip.net:3478,stun:stun.dus.net:3478,stun:stun.epygi.com:3478,stun:stun.sonetel.com:3478,stun:stun.sonetel.net:3478,stun:stun.stunprotocol.org:3478,stun:stun.uls.co.za:3478,stun:stun.voipgate.com:3478,stun:stun.voys.nl:3478
Bridge snowflake 192.0.2.3:1

Don’t get intimidated by the three lines above. The lines UseBridges 1 and Bridge snowflake 192.0.2.3:1 never change, and we can obtain an up-to-date second line by looking at the latest torrc shipped with the Tor Browser Bundle. In particular, we can get the second line by executing the following command in whonix-ws-16:

grep "ClientTransportPlugin snowflake" ~/.tb/tor-browser/Browser/TorBrowser/Data/Tor/torrc-defaults
ClientTransportPlugin snowflake exec ./TorBrowser/Tor/PluggableTransports/snowflake-client -url https://snowflake-broker.torproject.net.global.prod.fastly.net/ -front cdn.sstatic.net -ice stun:stun.l.google.com:19302,stun:stun.voip.blackberry.com:3478,stun:stun.altar.com.pl:3478,stun:stun.antisip.com:3478,stun:stun.bluesip.net:3478,stun:stun.dus.net:3478,stun:stun.epygi.com:3478,stun:stun.sonetel.com:3478,stun:stun.sonetel.net:3478,stun:stun.stunprotocol.org:3478,stun:stun.uls.co.za:3478,stun:stun.voipgate.com:3478,stun:stun.voys.nl:3478

Workaround DNS resolving in Whonix-gateway

Snowflake-client needs to resolve the -front domain to an IP address in order to reach the server; however, this DNS resolution fails with the default Whonix gateway DNS configuration.

We thus work around it by resolving the domain manually and putting it into /etc/hosts in whonix-gw-16. In the example above, we have -front cdn.sstatic.net, so we resolve the domain cdn.sstatic.net manually on a machine that allows DNS resolution:

dig +short cdn.sstatic.net
151.101.193.69

Now, we append the following lines to the /etc/hosts in whonix-gw-16 with sudo nano /etc/hosts:

151.101.193.69 cdn.sstatic.net

Restart Tor

Finally, we shut down the template VM whonix-gw-16 and start the Whonix-gateway VM sys-whonix.

In sys-whonix, we restart Tor with:

sudo service tor@default restart

Make sure Tor is using snowflake

To check whether Tor is indeed using snowflake, we use nyx or onioncircuits. We are connecting to the Tor network through snowflake if:

  1. In nyx, the guard node is a local address, like 192.168.0.1;
  2. or in onioncircuits, the guard node IP is Unknown.

Other usages

Use AMP cache rendezvous for Snowflake

wkrp stated in a recent post:

by default in Tor Browser, Snowflake does rendezvous using a domain-fronted HTTPS request. Now there is an alternative (backup) to domain fronting rendezvous: AMP cache rendezvous. If one rendezvous method is blocked, there is a chance the other will work.

In short, two steps are required to use AMP cache rendezvous:

  1. First, replace the second line in /usr/local/etc/torrc.d/50_user.conf with:
ClientTransportPlugin snowflake exec /usr/bin/snowflake-client -url https://snowflake-broker.torproject.net/ -ampcache https://cdn.ampproject.org/ -front www.google.com -ice stun:stun.l.google.com:19302,stun:stun.voip.blackberry.com:3478,stun:stun.altar.com.pl:3478,stun:stun.antisip.com:3478,stun:stun.bluesip.net:3478,stun:stun.dus.net:3478,stun:stun.epygi.com:3478,stun:stun.sonetel.com:3478,stun:stun.sonetel.net:3478,stun:stun.stunprotocol.org:3478,stun:stun.uls.co.za:3478,stun:stun.voipgate.com:3478,stun:stun.voys.nl:3478
  2. Second, note that the -front is now www.google.com, so we have to put the IP address of www.google.com into /etc/hosts:

We still resolve the IP manually with dig +short www.google.com and get 142.251.46.164.

We then append the following line with sudo nano /etc/hosts:

142.251.32.36 www.google.com

Enable and view Snowflake log

We can enable the snowflake log for debugging purposes by appending -log snowflake.log -log-to-state-dir to the ClientTransportPlugin snowflake... line in /usr/local/etc/torrc.d/50_user.conf. The complete line looks like this:

ClientTransportPlugin snowflake exec /usr/bin/snowflake-client -url https://snowflake-broker.torproject.net.global.prod.fastly.net/ -front cdn.sstatic.net -ice stun:stun.l.google.com:19302,stun:stun.voip.blackberry.com:3478,stun:stun.altar.com.pl:3478,stun:stun.antisip.com:3478,stun:stun.bluesip.net:3478,stun:stun.dus.net:3478,stun:stun.epygi.com:3478,stun:stun.sonetel.com:3478,stun:stun.sonetel.net:3478,stun:stun.stunprotocol.org:3478,stun:stun.uls.co.za:3478,stun:stun.voipgate.com:3478,stun:stun.voys.nl:3478 -log snowflake.log -log-to-state-dir

We can view the snowflake log with sudo less /var/lib/tor/pt_state/snowflake.log.

Note that we can always find the Tor DataDirectory with the following command:

anon-verify -v | grep DataDirectory
DataDirectory /var/lib/tor
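As an added example (not code from the post or from Whonix), the following POSIX shell script automates the steps above: it takes the ClientTransportPlugin line from a torrc-defaults file, rewrites the binary path to /usr/bin/snowflake-client, emits the three torrc lines, extracts the -front domain, and checks that the domain is pinned in a hosts file before Tor is restarted. Function names and the sample files are assumptions of this example.

```shell
#!/bin/sh
# Added example, not code from the post: derive the three Whonix-Gateway torrc lines
# from the ClientTransportPlugin line shipped in Tor Browser's torrc-defaults, then
# extract the -front domain and check that it is pinned in /etc/hosts before Tor is
# restarted. Function names are this example's own; file paths are passed in.

# Print the torrc lines, with the Tor Browser relative binary path rewritten to
# /usr/bin/snowflake-client as the post installs it.
snowflake_torrc_from_defaults() {
    pt_line=$(grep '^ClientTransportPlugin snowflake' "$1" | head -n 1)
    [ -n "$pt_line" ] || return 1
    pt_line=$(printf '%s\n' "$pt_line" |
        sed 's#exec \./TorBrowser/Tor/PluggableTransports/snowflake-client#exec /usr/bin/snowflake-client#')
    printf 'UseBridges 1\n%s\nBridge snowflake 192.0.2.3:1\n' "$pt_line"
}

# Extract the domain given to -front on a ClientTransportPlugin line.
snowflake_front_domain() {
    printf '%s\n' "$1" | sed -n 's/.* -front \([^ ]*\).*/\1/p'
}

# Succeed only if the hosts file has a non-comment entry for the -front domain
# (the manual DNS workaround the post describes).
snowflake_front_pinned() {
    hosts_file=$1
    esc=$(printf '%s' "$2" | sed 's/\./\\./g')
    grep -Eq "^[^#[:space:]]+[[:space:]]+$esc([[:space:]]|\$)" "$hosts_file"
}

# Stand-alone demo on constructed sample files (not real Tor Browser or gateway files).
demo_defaults=$(mktemp) && demo_hosts=$(mktemp)
cat > "$demo_defaults" <<'EOF'
# constructed torrc-defaults excerpt
ClientTransportPlugin snowflake exec ./TorBrowser/Tor/PluggableTransports/snowflake-client -url https://broker.example/ -front front.example -ice stun:stun.example:3478
EOF
printf '127.0.0.1 localhost\n198.51.100.7 front.example\n' > "$demo_hosts"
torrc=$(snowflake_torrc_from_defaults "$demo_defaults")
printf '%s\n' "$torrc"
front=$(snowflake_front_domain "$(printf '%s\n' "$torrc" | sed -n 2p)")
if snowflake_front_pinned "$demo_hosts" "$front"; then
    echo "-front $front is pinned in hosts file"
else
    echo "-front $front is NOT pinned; add it to /etc/hosts before restarting Tor"
fi
rm -f "$demo_defaults" "$demo_hosts"
```

On a real gateway the same functions can be pointed at the copied torrc-defaults and /etc/hosts, and the printed torrc lines appended to /usr/local/etc/torrc.d/50_user.conf as the post describes.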

Development discussion on integrating snowflake into Whonix:


Could you please check what needs modification under https://www.whonix.org/wiki/Bridges#Snowflake?

--owner debian-tor --group debian-tor shouldn’t be used. No need.

The command already used in the above link to the documentation for copying and setting executable permission should already be perfect.


Thank you for pointing me to the Wiki section! I wasn’t aware of it.

I have made the corresponding changes to the Wiki section. It now has the up-to-date instructions to use snowflake.


We remove the unnecessary fingerprint 2B280B23E1107BB62ABFC40DDCC8824814F80A72 because Tor will find it automatically.

This is likely not a good idea.

These instructions probably broke:

And the instructions are too complex.

I’ll replace these instructions with ones where Whonix-Gateway System DNS - Whonix over clearnet gets enabled.

Old version is not lost. It is still available here in the wiki history and easy to restore: Configure (Private) (Obfuscated) Tor Bridges

So if anyone is interested, these could be presented as alternative instructions (using a tab controller).