Snowflake


Countries that heavily censor internet access usually have a non-democratic and oppressive government, and thus very likely no free press (see currently Iran or Russia, for example). Sometimes the only way to receive or post information about what is actually happening in those countries is to circumvent the censorship with VPNs or tools like “Snowflake”.

Snowflake, developed by the Tor Project, helps by in effect disguising the internet traffic, which makes it very hard to block: blocking it would basically mean blocking large parts of the internet and not just dedicated IPs. As long as the internet in general is still working, chances are that it’s possible to reach sites which would otherwise be blocked by the government. To get past censorship using Snowflake you can use Tor Browser (desktop and Android versions), Onion Browser (iOS) or Orbot (Android + iOS).

For this to work, volunteers need to run a Snowflake proxy, which is actually quite easy. You can install an extension for Firefox or Chrome, which will of course only work as long as you keep your browser running.

Another way would be to run a standalone proxy on a dedicated server. If you can afford it, this is probably the best way. I had a VPS still available and thus used it to host the Snowflake proxy. The installation is pretty easy: you can install via Docker, Ansible or from source. You’ll find links to instructions here. As I have some experience with Ansible I thought I’d use this way of installing Snowflake, but learning something new is more fun, so I went for Docker (it is actually the first time I’m interacting with Docker).

Install Docker (for Ubuntu)

First get your server up and running, harden it as well as possible and then install Docker from their repositories. I’m using Ubuntu as the operating system, but you’ll find instructions for Debian or RPM-based distros as well here. To have a current version it’s advisable to use the Docker repositories and not the packages which come with your distro. (See original instructions here.)

Install some prerequisites first (if not already installed - usually curl is missing):

$ apt install ca-certificates curl gnupg lsb-release

Next add the repository for your Ubuntu release:

$ curl -fsSL https://download.docker.com/linux/ubuntu/gpg | gpg --dearmor -o /usr/share/keyrings/docker.gpg
$ echo \
  "deb [arch=$(dpkg --print-architecture) signed-by=/usr/share/keyrings/docker.gpg] https://download.docker.com/linux/ubuntu \
  $(lsb_release -cs) stable" | tee /etc/apt/sources.list.d/docker.list > /dev/null
$ apt update

…and install Docker:

$ apt install docker-ce docker-ce-cli containerd.io docker-compose-plugin

Install Snowflake container

Now you’re ready to actually install Snowflake’s Docker image following the instructions for Docker given here. You need to create a small docker-compose configuration file. As I’m new to Docker I’m not sure if this file will be required in the future, but I think it’s only for the initial creation of the Docker image. Anyway, create a YAML file called “docker-compose.yml” with the following content:

version: "3.8"

services:
    snowflake-proxy:
        network_mode: host
        image: thetorproject/snowflake-proxy:latest
        container_name: snowflake-proxy
        restart: unless-stopped
        entrypoint: [ "/bin/proxy", "-verbose"]

You can omit the last line completely, but then you will not see any logs. From the directory where you created the file, run:

$ docker compose up -d snowflake-proxy

According to this post you might also want to open UDP ports 32768-60999. For ufw:

$ ufw allow 32768:60999/udp
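
A quick way to confirm that the ufw rule really spans the UDP ports the host hands out, as an added example (not from the original post or the Snowflake project). It assumes the proxy takes its UDP ports from the kernel's ephemeral range, for which 32768-60999 is the Linux default; `udp_range_allowed`, `check_host` and `SAMPLE_UFW` are hypothetical names, and the sample `ufw status` text is constructed.

```shell
#!/bin/sh
# Constructed sample of plain `ufw status` output (not captured from a real host).
SAMPLE_UFW='Status: active

To                         Action      From
--                         ------      ----
22/tcp                     ALLOW       Anywhere
32768:60999/udp            ALLOW       Anywhere'

# udp_range_allowed LOW HIGH UFW_TEXT
# Succeeds when a single IPv4 ALLOW rule for UDP spans LOW..HIGH.
# "(v6)" rules are skipped because their action sits in the third column.
udp_range_allowed() {
    printf '%s\n' "$3" | awk -v lo="$1" -v hi="$2" '
        $2 == "ALLOW" && $1 ~ /^[0-9]+:[0-9]+\/udp$/ {
            split($1, p, "[:/]")          # p[1]=first port, p[2]=last port
            if (p[1] + 0 <= lo + 0 && p[2] + 0 >= hi + 0) ok = 1
        }
        END { exit !ok }'
}

# check_host: compare the kernel's current ephemeral range with the live
# ufw rules. Needs root for `ufw status`; not called automatically.
check_host() {
    read -r eph_lo eph_hi < /proc/sys/net/ipv4/ip_local_port_range
    if udp_range_allowed "$eph_lo" "$eph_hi" "$(ufw status)"; then
        echo "ufw allows UDP $eph_lo-$eph_hi"
    else
        echo "UDP $eph_lo-$eph_hi is not fully covered by a ufw ALLOW rule" >&2
        return 1
    fi
}
```

Source the file and call `check_host` as root on the server; a failure means the ephemeral range was changed via sysctl or the rule is narrower than the range.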

To list running docker containers:

$ docker container ls

This will also give you the container ID of Snowflake. You can see logs from this container by:

$ docker logs -f --details <ID>

“-f” will follow the log and you should see that Snowflake is working. Not sure if it’s a good idea to keep it logging all the time. In case you’d like to deactivate logging, stop the container, remove “entrypoint: [ "/bin/proxy", "-verbose"]” from “docker-compose.yml” and run the docker compose command again. You can still see that it’s working by checking netstat -tulpn, as you will observe quite a few connections to the proxy process.

Anyway, if you have the resources it might be a good idea to have a look at Snowflake and maybe get a proxy running.