## Summary

- Add Snowflake proxy as a native systemd service on ringtail (NixOS)
- Uses `pkgs.snowflake` from nixpkgs (v2.11.0)
- Hardened systemd unit with DynamicUser, ProtectSystem=strict, 512MB memory limit
- Prometheus metrics enabled on localhost:9999

## What is Snowflake?

A Tor pluggable transport that helps censored users reach the Tor network via WebRTC. **This is NOT a Tor exit node** — traffic exits through Tor exit nodes operated by others. The proxy operator cannot see traffic content (double-encrypted) and destination servers never see the proxy's IP.

## Changes

- `nixos/ringtail/configuration.nix` — new systemd service definition
- `docs/reference/services/snowflake-proxy.md` — service reference card
- `docs/reference/infrastructure/ringtail.md` — updated systemd services section
- `service-versions.yaml` — added entry (type: nixos)

## Deploy plan

After review, deploy via `mise run provision-ringtail`. Service starts automatically.

## Test plan

- [ ] `mise run provision-ringtail` succeeds
- [ ] `ssh ringtail 'systemctl status snowflake-proxy'` shows active
- [ ] `ssh ringtail 'journalctl -u snowflake-proxy --no-pager -n 20'` shows broker connections
- [ ] `ssh ringtail 'curl -s localhost:9999/metrics'` returns Prometheus metrics

Reviewed-on: #311
74 lines
2.4 KiB
Markdown
---
title: Snowflake Proxy
modified: 2026-03-24
tags:
- service
- privacy
- anti-censorship
---

# Snowflake Proxy

Tor Snowflake proxy that helps censored users reach the Tor network. Runs as a native systemd service on [[ringtail]].

## Quick Reference

| Property | Value |
|----------|-------|
| **Host** | ringtail |
| **Type** | NixOS systemd service |
| **Package** | `pkgs.snowflake` (nixpkgs) |
| **Binary** | `proxy` |
| **Upstream** | https://snowflake.torproject.org/ |
| **Source** | https://gitlab.torproject.org/tpo/anti-censorship/pluggable-transports/snowflake |
| **Metrics** | `localhost:9999/metrics` (Prometheus) |

## Architecture

Snowflake is a pluggable transport for Tor that uses WebRTC to provide short-lived proxies. The proxy:

1. Polls the Tor broker for censored clients needing a bridge
2. Establishes a WebRTC connection with the client
3. Forwards the encrypted traffic to a Tor bridge (relay)

**This proxy is NOT a Tor exit node.** Traffic exits through Tor exit nodes operated by others. The proxy operator cannot see traffic content (double-encrypted: WebRTC DTLS + Tor onion routing) and destination servers never see the proxy's IP.

```
Censored user ──[WebRTC/DTLS]──▶ THIS PROXY ──[encrypted]──▶ Tor bridge ──▶ Tor network ──▶ Exit node
```

## Configuration

The service runs with default settings — no special configuration needed. Key defaults:

| Setting | Value |
|---------|-------|
| **Broker** | `https://snowflake-broker.torproject.net/` |
| **Relay** | `wss://snowflake.torproject.net/` |
| **STUN** | Google + BlackBerry STUN servers |
| **Capacity** | Unlimited concurrent clients |
| **Summary interval** | 1 hour |
| **Metrics port** | 9999 (Prometheus format) |

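The following is an added example of what a hardened NixOS unit for this service can look like. It is written for this reference card and is not ringtail's actual `configuration.nix`: it spells out the defaults from the table above explicitly and applies the DynamicUser, ProtectSystem=strict and 512 MB memory limit that the change summary describes, plus a few further sandboxing options that are commonly safe for a Go network daemon. The proxy flag names (`-broker`, `-relay`, `-capacity`, `-summary-interval`, `-metrics`, `-metrics-port`) are assumed from the upstream proxy's command line and should be checked against `proxy -help` for the packaged version before use.

```nix
# Added example, not the real ringtail configuration.nix. Flag names after
# the binary are assumed from upstream; verify with `proxy -help`.
{ config, pkgs, ... }:

{
  systemd.services.snowflake-proxy = {
    description = "Tor Snowflake proxy (WebRTC pluggable transport)";
    after = [ "network-online.target" ];
    wants = [ "network-online.target" ];
    wantedBy = [ "multi-user.target" ];

    serviceConfig = {
      # Explicit defaults matching the reference card; with no flags at all
      # the proxy would use the same values.
      ExecStart = ''
        ${pkgs.snowflake}/bin/proxy \
          -broker https://snowflake-broker.torproject.net/ \
          -relay wss://snowflake.torproject.net/ \
          -capacity 0 \
          -summary-interval 1h \
          -metrics \
          -metrics-port 9999
      '';
      Restart = "always";
      RestartSec = "10s";

      # Ephemeral unprivileged user, read-only view of the system, no
      # access to home directories or real /tmp and /dev.
      DynamicUser = true;
      ProtectSystem = "strict";
      ProtectHome = true;
      PrivateTmp = true;
      PrivateDevices = true;
      NoNewPrivileges = true;
      CapabilityBoundingSet = "";

      # Kernel-facing attack surface the proxy never needs.
      ProtectKernelTunables = true;
      ProtectKernelModules = true;
      ProtectKernelLogs = true;
      ProtectControlGroups = true;
      ProtectClock = true;
      ProtectHostname = true;
      RestrictNamespaces = true;
      RestrictRealtime = true;
      RestrictSUIDSGID = true;
      LockPersonality = true;
      SystemCallArchitectures = "native";
      SystemCallFilter = [ "@system-service" "~@privileged" ];

      # WebRTC needs UDP/TCP to the public Internet and nothing else
      # (no unix or netlink sockets).
      RestrictAddressFamilies = [ "AF_INET" "AF_INET6" ];

      # Well above the ~100 MB the proxy normally needs, so a runaway
      # process is killed by the cgroup rather than starving the host.
      MemoryMax = "512M";
    };
  };
}
```

Because `DynamicUser` gives the unit no persistent state directory, the proxy keeps nothing on disk; its only writable paths are the private `/tmp`. The metrics listener binds to localhost by default, so nothing is exposed beyond the host without a deliberate `-metrics-address` change. After deploying, `systemd-analyze security snowflake-proxy` on the host gives a quick read of which hardening options are in effect.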
## Resource Usage

Based on community reports, a Snowflake proxy typically uses:

- **Bandwidth:** ~5-10 GB/day (varies with client demand)
- **Memory:** Under 100 MB
- **CPU:** Negligible

## Legal Considerations

Running a Snowflake proxy carries very low legal risk in the US:

- Traffic does not exit from the proxy's IP (exit nodes are elsewhere)
- Content is not visible to the proxy operator (end-to-end encrypted)
- No known legal cases against Snowflake proxy operators worldwide
- EFF and Tor Project both classify this as minimal-risk activity
- US intermediary protections (Section 230, ECPA) apply

## Related

- [[ringtail]] - Host machine
- [[architecture]] - Overall system design