Censorship circumvention software like Snowflake, but faster thanks to not using Tor.
Acts as a TCP or UDP tunnel
between the user (client) and
the server,
much like ssh -L.
This, in turn, allows the client to access any blocked TCP / UDP service, such as a SOCKS proxy or your favorite (but blocked) VPN service provider.
Snowflake is developed by The Tor Project. As of 2024, it can only be used to access the Tor network.
A Snowflake client is embedded into Tor Browser and Orbot. Orbot provides VPN-like functionality by tunneling traffic through Tor, optionally accessing Tor through bridges, such as Snowflake.
(An altered figure from
the Snowflake paper
(which you should check out (it's not that hard to read)))
But, as you might imagine,
making your traffic bounce off of 1 + 3 relays
(extra 1 is a Snowflake proxy) before it reaches the destination
could be quite slow.
If you're only looking to browse Instagram or YouTube
or whatever else is blocked for you,
and you
don't care
about anonymity that Tor provides, you'd want Snowflake to connect directly
(or at least more directly)
to where you want to go, and not through a huge chain of relays.
Luckily, as it turns out, Tor is not inherent in Snowflake. And this is where our project comes in!
Pretty much like Snowflake.
In fact you can argue that this project is just Snowflake,
but with adjusted arguments.
The source code is mostly boilerplate.
Not yet.
Update 2025-01-16: It will get much faster soon!
See the "unreliable mode" MR comments.
As much as I hate to admit it, this project is, well, not actually faster
than regular Snowflake with Tor.
Yep. As of 2025-01, after a bunch of tests, mainly with a SOCKS server
(see ./examples/socks-server),
I have not been able to achieve
a sustained download speeds greater than 8 Mbit / s.
Latency, however is actually lower due fewer hops,
but it's still not suitable for, say, gaming.
So, even with Tor, Snowflake itself seems to be the bottleneck.
But all is not lost! The Tor Project team is working on performance improvements. One such improvement is "Use unreliable and unordered WebRTC data channels", which gives highest hopes.
For reference, here are some other performance-related issues, which also include performance measurements:
- Tune reliable protocol parameters for Snowflake
- Multiplex - one client splits traffic across multiple proxies
The real power of a Snowflake network comes from
the numerosity of its proxies.
Ideally we'd want one huge Snowflake network
(which the original one from The Tor Project is)
where proxies are happy to pass client's traffic
wherever the client wishes,
without making the proxy operator install
an extra browser extension or a Docker container per each
server that they want to let clients get unrestricted access to.
But, as was said, by default the proxies can only forward traffic to
just a few set-in-stone Tor relays.
In order to change that and
let proxies connect to arbitrary addresses,
we need to make a lot of hardening changes
to the proxy's code such that they cannot be abused,
e.g. for DDoS,
access to the proxy operator's private network,
or distribution of illegal content.
And I am trying to do just that with
my recent MRs.
Yes, you can help this project help others circumvent censorship.
However, remember:
- This project is still work-in-progress. But we'll continue improving things, so I guess you could just launch the proxy and forget about it: it should update itself automatically, if you use the command below.
- It might not be safe to run a proxy on a personal machine and+or network.
Do I think it's safe? Yes, it looks pretty safe to me. But, AFAIK, nobody else has assessed the security of my changes.
If you want to proceed:
-
Run
curl -O https://gitlab.torproject.org/WofWca/snowflake/-/raw/for-snowflake-generalized/docker-compose-proxy.yml \ && docker compose -f docker-compose-proxy.yml up --detach
Again, the proxy code is based on the original Snowflake code, so you could also find Tor Project's instructions and Tor Project Forum useful.
My dream is: Snowflake clients can access any service they want with the help of Snowflake proxies, without having to route the traffic through the (not the fastest) Tor network, and the Snowflake proxies don't have to worry about being abused, and that all VPN providers have a Snowflake server running, ready to accept clients for whom their service is blocked.
Snowflake is a fascinating concept and I think it has a lot of potential.
Also see <./examples>
This guide will walk you through setting up an entire Snowflake network,
with all 4 of its components.
However, as a regular user, or a service provider,
you'll only need to set up one:
users will need to set up the client,
and service providers will need to set up the server.
You're supposed to be using the broker and the proxies that other people
already set up publicly.
Let's make a setup that will work in the same way as
ssh -L localhost:2080:example.com:80 my-server-1.my-domain.com -NThat is, if you connect with TCP to localhost:2080 on your local machine,
the connection will be performed to example.com:80 from
my-server-1.my-domain.com.
A Snowflake network consists of components of 4 types. In production, each component usually runs on a different machine, but for testing purposes you can run all of them locally.
It is not possible to use the already set up Snowflake broker maintained by The Tor Project because as of 2024 it refuses clients who ask to connect to servers other than the ones maintained by The Tor Project.
This might change in the future. Keep an eye on this issue.
-
Download the original Snowflake code.
git clone https://gitlab.torproject.org/tpo/anti-censorship/pluggable-transports/snowflake.git
-
_
cd snowflake/broker -
Create a list of available Snowflake servers. Replace
wss://my-server-1.my-domain.com:7901with the URL that your Snowflake server (not the broker!) is gonna listen on. We're gonna set up the said server in the next steps.echo '{"displayName":"my", "webSocketAddress":"wss://my-server-1.my-domain.com:7901", "fingerprint":"AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA"}' > bridgeListMy.txt
This step might become unnecessary after this MR is merged.
-
Run the broker. Follow the original instructions to set up TLS ecnryption.
Or you can run it
⚠️ without encryption. Again, replacemy-server-1.my-domain.comwith the hostname of your Snowflake server, andlocalhost:4444with the address that you want the broker to listen on.go run . \ -disable-geoip \ -disable-tls \ -addr=localhost:4444 \ -allowed-relay-pattern='^my-server-1.my-domain.com$' \ -bridge-list-path=bridgeListMy.txt
-
Download the original Snowflake code.
git clone https://gitlab.torproject.org/tpo/anti-censorship/pluggable-transports/snowflake.git
-
_
cd snowflake/proxy -
Run the proxy.
Replace
http://localhost:4444with the URL of your broker, and^my-server-1.my-domain.com$with the same pattern that you set for the broker (i.e. your server's hostname).
Omitkeep-local-addressesin production.go run . \ -broker='http://localhost:4444' \ -verbose \ -allowed-relay-hostname-pattern='^my-server-1.my-domain.com$' \ -allow-non-tls-relay \ -keep-local-addresses
-
Download this project's code.
git clone https://github.com/WofWca/snowflake-generalized.git
-
_
cd snowflake-generalized/server -
Run the server.
Replace
example.com:80with the desired destination. In practice you'd want it to be a SOCKS / VPN / Tor server running on the same machine as the server. Also replacelocalhost:7901with:7901if you want the server to be publicly reachable.⚠️ Remove-disable-tlsand addacme-hostnames=...to enable encryption.go run . \ -destination-address='example.com:80' \ -listen-address='localhost:7901' \ -disable-tls
-
Download this project's code.
https://github.com/WofWca/snowflake-generalized.git
-
_
cd snowflake-generalized/client -
Run the client!
Again, replace
broker-urlwith the URL of the broker from a previous step and (optionally)server-idwith the one that you used inbridgeListMy.txt.
Omitkeep-local-addressesin production.go run . \ -listen-address='localhost:2080' \ -broker-url='http://localhost:4444' \ -server-id='AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA' \ -keep-local-addresses
Now open up the browser and go to http://localhost:2080. If you see a dummy 404 page, then it worked!
Now feel free to replace example.com:80 with a real service of your choosing.
- Snowflake. Well, this project is based on Snowflake.
- Snowstorm. A WIP project by the original Snowflake author. Seems very similar to this project in spirit. Claims to be optimized for high speed and low latency.
- Lantern's Unbounded (source code). Also very similar. Development started after Snowflake has been released, so it hopefully avoids unfortunate design decisions of Snowflake, for example it's already using WebTransport, as opposed to WebSocket used by Snowflake. WebTransport should be faster.
- Ceno Browser. Similar because peer-to-peer, but seems to be webpage-oriented, i.e. it fetches cached versions from peers using BitTorrent. But there is a lot more to it, so better check their manual.
- MassBrowser. The difference is that proxies act as exit nodes and not just middle nodes like in Snowflake and in this project, so it's not as safe to run a proxy. And the project seems a bit abandoned as of 2025-01.
- SpotProxy. Doesn't seem super similar, but there is a similarity in the fact that proxies are ephemeral, and there is explicit support for switching between them.
Please let me know if you know other similar projects!
Thanks to The Tor Project for making the Snowflake library easy to use!