Running Tor's Snowflake Proxy in Docker
Wednesday, September 28 2022 · Reading time: 2 minutes · 275 words

Due to Iran's internet blocking I stumbled over Tor's Snowflake proxy, a pluggable transport based on WebRTC. Snowflake proxies work similarly to Tor's bridge and relay system. The standalone proxy this post is about is written in Go. Snowflake proxies are not published, which makes them harder to block. User traffic towards the internet never exits at the proxy; the last hop is always a Tor exit node. This makes it easy for people to help without having to deal with abuse reports or worse.
For easy hosting an official Docker image is available.
Links:
- Official project website: https://snowflake.torproject.org/
- Official Docker Compose file: https://gitlab.torproject.org/tpo/anti-censorship/docker-snowflake-proxy/raw/main/docker-compose.yml
- Code Repo: https://gitlab.torproject.org/tpo/anti-censorship/pluggable-transports/snowflake
- Metrics: https://metrics.torproject.org/userstats-bridge-transport.html?transport=snowflake
I run the following docker compose file on my VPS and at home:

```yaml
version: "3.8"
services:
  snowflake-proxy:
    image: thetorproject/snowflake-proxy:latest
    network_mode: host
    container_name: snowflake-proxy
    pull_policy: always
    restart: unless-stopped
    command: ["-verbose", "-unsafe-logging", "-summary-interval", "1m"]
```
My version differs slightly from the official one. I've added a `command` entry enabling logs (the default is absolute silence, which is pretty annoying) with summaries every minute, and a `pull_policy` to automatically pull the image on restart.
I've made some observations over the last couple of days:
- If your NAT type is shown as `restricted`, don't worry! You are still able to relay traffic perfectly fine. Let the hole punching algorithm do its work. There is no need to forward a metric shit ton of ports!
- Messages like `Timed out waiting for client to open data channel` are not a problem with your NAT! A client may have gotten/chosen a better offer from another proxy.
- Unlike regular relays or bridges there are no stored keys and I've not seen a reputation system of any kind.
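As an added example (not from this post or the Snowflake project), here is a small Python parser for the proxy's verbose log output that totals the per-interval summaries and, following the observations above, treats a restricted NAT type and client time-outs as benign rather than as faults. The exact log wording matched by the patterns and the sample lines are assumptions constructed for this example; compare them against your own `docker logs snowflake-proxy` output.

```python
import re
from dataclasses import dataclass
from typing import Iterable, Optional
# Line shapes modelled on what the proxy logs with -verbose/-summary-interval;
# the exact wording is an assumption for this example, check your own logs.
SUMMARY_RE = re.compile(
    r"there were (?P<conns>\d+) connections?\. Traffic Relayed"
    r" ↓ (?P<down>[\d.]+ [KMG]?B), ↑ (?P<up>[\d.]+ [KMG]?B)"
)
NAT_RE = re.compile(r"NAT type: (?P<nat>\w+)")
TIMEOUT_MSG = "Timed out waiting for client to open data channel"
UNITS = {"B": 1, "KB": 10**3, "MB": 10**6, "GB": 10**9}

def to_bytes(size: str) -> int:
    # Convert a "1.5 MB" style size to bytes (decimal units).
    num, unit = size.split()
    return int(float(num) * UNITS[unit])

@dataclass
class ProxyStats:
    nat_type: Optional[str] = None
    connections: int = 0
    bytes_down: int = 0
    bytes_up: int = 0
    client_timeouts: int = 0  # benign: the client took another proxy's offer

def parse_logs(lines: Iterable[str]) -> ProxyStats:
    """Aggregate summary lines, NAT type and client time-outs from proxy logs."""
    stats = ProxyStats()
    for line in lines:
        if m := SUMMARY_RE.search(line):
            stats.connections += int(m["conns"])
            stats.bytes_down += to_bytes(m["down"])
            stats.bytes_up += to_bytes(m["up"])
        elif m := NAT_RE.search(line):
            stats.nat_type = m["nat"]
        elif TIMEOUT_MSG in line:
            stats.client_timeouts += 1
    return stats

def health(stats: ProxyStats) -> str:
    """'relaying' once any client traffic flowed, else 'idle'; a restricted NAT
    or client time-outs on their own are never treated as a fault."""
    return "relaying" if stats.connections > 0 else "idle"

# Constructed sample of what `docker logs snowflake-proxy` might show.
SAMPLE_LOGS = [
    "2022/09/28 10:00:00 NAT type: restricted",
    "2022/09/28 10:00:20 Timed out waiting for client to open data channel.",
    "2022/09/28 10:01:00 In the last 1m0s, there were 2 connections. Traffic Relayed ↓ 512 KB, ↑ 128 KB.",
    "2022/09/28 10:02:00 In the last 1m0s, there were 1 connection. Traffic Relayed ↓ 1.5 MB, ↑ 300 KB.",
]
```

Feed it real lines with `docker logs snowflake-proxy | python3 -c 'import sys, proxystats; print(proxystats.health(proxystats.parse_logs(sys.stdin)))'` after saving the block as `proxystats.py` (file name assumed).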