In case Snowflake rendezvous gets blocked

This observation agrees with OONI measurements I looked at in May 2022. Besides blackberry and altar, also stun.stunprotocol.org was not reachable.

https://lists.torproject.org/pipermail/anti-censorship-team/2022-May/000237.html

In summary, 3 of the pool of 12 STUN servers are inaccessible in Russia. One of them is blocked by censorship in Russia, and the other two look like geoblocking of Russian clients by the STUN service.

stun.voip.blackberry.com and the IP address 178.239.90.248 are on the unified register of blocked sites, the entry dated 2017-04-28.

stun.stunprotocol.org is not on the unified register as far as I can tell, nor are its IP addresses 18.191.223.12 and 2600:1f16:8c5:101::108. … the domain resolves incorrectly only in Russia and Ukraine:

stun.altar.com.pl is not on the unified register, nor is its IP address 176.119.42.11. Its failures only start on 2022-03-09. Its domain usually resolves correctly, but in Russia the actual STUN phase usually results in a timeout.

By the way, in recent versions of Tor Browser this is easier to do. You can do it just by entering a custom bridge address in the normal about:preferences#connection interface:

snowflake 192.0.2.3:80 2B280B23E1107BB62ABFC40DDCC8824814F80A72 fingerprint=2B280B23E1107BB62ABFC40DDCC8824814F80A72 url=https://snowflake-broker.torproject.net/ ampcache=https://cdn.ampproject.org/ front=cdn.ampproject.org ice=stun:stun.voip.blackberry.com:3478,stun:stun.altar.com.pl:3478,stun:stun.antisip.com:3478,stun:stun.bluesip.net:3478,stun:stun.dus.net:3478,stun:stun.epygi.com:3478,stun:stun.sonetel.com:3478,stun:stun.sonetel.net:3478,stun:stun.stunprotocol.org:3478,stun:stun.uls.co.za:3478,stun:stun.voipgate.com:3478,stun:stun.voys.nl:3478

This currently only works in desktop Tor Browser. Orbot for mobile does not support custom snowflake bridge lines, as of version 16.6.1-RC-3 at least.

Today, @Shelikhoo merged a change to stop sending Hello Verify Request. This may overcome Snowflake blocking by DTLS fingerprint in some ISPs in Russia.

It is not present in any release yet, but you can test it manually. You need commit 10fd00068528fd6309bbb49f9dd0fea38f1ac5ef or later. The expected output is Bootstrapped 100% (done).

$ git clone https://gitlab.torproject.org/tpo/anti-censorship/pluggable-transports/snowflake.git
$ cd snowflake/client
$ go build
$ tor -f torrc

There may still be a problem with the standalone (non-browser) proxies, as the Hello Verify Request mitigation hasn’t been applied to them yet.

RE: It is not present in any release yet
I intend to release a new version and get the patch into Tor Browser in the immediate future.

RE: There may still be a problem with the standalone (non-browser) proxies
It would take some time to get all the standalone proxies to update (as evident in the case of distributed snowflake server support). But since the majority of the proxies are browser-based, and the snowflake client would retry automatically, it should connect eventually.

The Hello Verify Request change is released in Tor Browser 12.0.3. It may make Snowflake work in Russia, if it was not working before for you.

It's just that the maintainers themselves suggested this in the manuals.

Thanks, by the way, for the pointer to static bridge configs.
After googling, I found this config

And 1 of the two bridges started working.

Sorry about that. The snowflake-client README is outdated in that regard. It’s still documenting an older, deprecated way to set configuration options. The example torrc file is a better representative. I opened an issue to update the README:

Thank you for making the manuals and the example torrc more human-friendly!

A bit off-topic: did I understand correctly that for each bridge you still have to write out connection parameters like

url=https://snowflake-broker.torproject.net.global.prod.fastly.net/ front=foursquare.com ice=stun:stun.l.google.com:19302,stun:stun.antisip.com:3478,stun:stun.bluesip.net:3478,stun:stun.dus.net:3478,stun:stun.epygi.com:3478,stun:stun.sonetel.com:3478,stun:stun.uls.co.za:3478,stun:stun.voipgate.com:3478,stun:stun.voys.nl:3478 utls-imitate=hellorandomizedalpn

Or can this already be moved into (some?) common part of the config?

There are two ways to specify most settings: as a command-line argument in the ClientTransportPlugin line and as a key=value parameter in the Bridge line. The key=value SOCKS parameters are the preferred form, but the command-line options still work. The command-line options will be global (not specific to a single Bridge line). If the same option is given on the command line and in a Bridge line, the Bridge line setting wins.

So yes, you can move one or more settings out of the Bridge line and into the ClientTransportPlugin line. For example, you can change

ClientTransportPlugin snowflake exec ./client
Bridge snowflake 192.0.2.3:80 2B280B23E1107BB62ABFC40DDCC8824814F80A72 fingerprint=2B280B23E1107BB62ABFC40DDCC8824814F80A72 url=https://snowflake-broker.torproject.net.global.prod.fastly.net/ front=foursquare.com fronts=foursquare.com,github.githubassets.com ice=stun:stun.l.google.com:19302 utls-imitate=hellorandomizedalpn
Bridge snowflake 192.0.2.4:80 8838024498816A039FCBBAB14E6F40A0843051FA fingerprint=8838024498816A039FCBBAB14E6F40A0843051FA url=https://snowflake-broker.torproject.net.global.prod.fastly.net/ front=foursquare.com fronts=foursquare.com,github.githubassets.com ice=stun:stun.l.google.com:19302 utls-imitate=hellorandomizedalpn

to

ClientTransportPlugin snowflake exec ./client -ice=stun:stun.l.google.com:19302
Bridge snowflake 192.0.2.3:80 2B280B23E1107BB62ABFC40DDCC8824814F80A72 fingerprint=2B280B23E1107BB62ABFC40DDCC8824814F80A72 url=https://snowflake-broker.torproject.net.global.prod.fastly.net/ front=foursquare.com fronts=foursquare.com,github.githubassets.com utls-imitate=hellorandomizedalpn
Bridge snowflake 192.0.2.4:80 8838024498816A039FCBBAB14E6F40A0843051FA fingerprint=8838024498816A039FCBBAB14E6F40A0843051FA url=https://snowflake-broker.torproject.net.global.prod.fastly.net/ front=foursquare.com fronts=foursquare.com,github.githubassets.com utls-imitate=hellorandomizedalpn
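
Added example, not part of the original posts and not code from the Snowflake project: a small Python checker that reads a torrc and reports the settings each snowflake Bridge line actually ends up with under the precedence rule described above. It assumes that a command-line flag `-name=value` corresponds to the Bridge-line key `name` (as with `-ice` and `ice=` in the thread) and handles only that flag form; the sample torrc is constructed from the lines above, with a per-bridge `ice=` override added on the second bridge.

```python
def plugin_flags(args):
    """Parse -name=value arguments (the only flag form this sketch handles)."""
    flags = {}
    for arg in args:
        name, sep, value = arg.lstrip("-").partition("=")
        if arg.startswith("-") and sep:
            flags[name] = value
    return flags


def effective_settings(torrc_text, transport="snowflake"):
    """Map each Bridge address to its settings after applying precedence."""
    global_flags, bridges = {}, []
    for raw in torrc_text.splitlines():
        words = raw.split()
        if not words or words[0].startswith("#"):
            continue
        keyword = words[0].lower()  # torrc option names are case-insensitive
        if keyword == "clienttransportplugin" and len(words) >= 4:
            # ClientTransportPlugin <transports> exec <path> [flags...]
            if transport in words[1].split(",") and words[2] == "exec":
                global_flags = plugin_flags(words[4:])
        elif keyword == "bridge" and len(words) >= 3 and words[1] == transport:
            # Bridge <transport> <addr> [fingerprint] [key=value ...]
            params = dict(w.split("=", 1) for w in words[3:] if "=" in w)
            bridges.append((words[2], params))
    # Bridge-line key=value parameters win over global command-line flags.
    return {addr: {**global_flags, **params} for addr, params in bridges}


# Constructed sample: global -ice flag, second bridge overrides it.
SAMPLE_TORRC = """\
ClientTransportPlugin snowflake exec ./client -ice=stun:stun.l.google.com:19302
Bridge snowflake 192.0.2.3:80 2B280B23E1107BB62ABFC40DDCC8824814F80A72 fingerprint=2B280B23E1107BB62ABFC40DDCC8824814F80A72 front=foursquare.com utls-imitate=hellorandomizedalpn
Bridge snowflake 192.0.2.4:80 8838024498816A039FCBBAB14E6F40A0843051FA fingerprint=8838024498816A039FCBBAB14E6F40A0843051FA front=foursquare.com ice=stun:stun.antisip.com:3478
"""

if __name__ == "__main__":
    for addr, settings in effective_settings(SAMPLE_TORRC).items():
        print(addr, "ice =", settings.get("ice"))
```

Running it over a real torrc before starting tor shows at a glance which STUN servers each bridge will use, which matters when some of the pool is unreachable from the client's network.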