WebRTC DataChannel Tunneling - Snowflake

WebRTC DataChannel Tunneling - Snowflake --- ## 專案簡介 - 目的 - 幫助受到網路審查的人規避網路限制 - 因為 Tor relay (guard, middle, and exit) 的列表有公開，若防火牆取得這份列表就很容易依據 IP 來封鎖連線，使受限制者無法連上 Tor entry guards 來進入 Tor 網路 - 解法: 透過第三方來連線到 Tor 網路上，稱做 Pluggable Transport - 其中一種 Pluggable Transport: **Snowflake**，把流量透過 WebRTC DataChannel 導出去，讓流量看起來就像在做語音視訊通話 - 網站 - [Snowflake ❄️](https://snowflake.torproject.org/) - GitLab Repo: [The Tor Project / Anti-censorship / Pluggable Transports / Snowflake · GitLab](https://gitlab.torproject.org/tpo/anti-censorship/pluggable-transports/snowflake) ## 使用方法 ### Client - 在 Tor Browser 設定裡：連線 -> 橋接器 -> 選擇內建橋接... -> Snowflake -> 連接 ![image](https://hackmd.io/_uploads/rkF1fergA.png) ![image](https://hackmd.io/_uploads/H1RIobreR.png) - Log: :::spoiler ``` 2024-04-11 05:20:18.481 [NOTICE] Opening Socks listener on 127.0.0.1:9150 2024-04-11 05:20:18.481 [NOTICE] Opened Socks listener connection (ready) on 127.0.0.1:9150 2024-04-11 05:20:19.546 [NOTICE] Bootstrapped 1% (conn_pt): Connecting to pluggable transport 2024-04-11 05:20:19.561 [NOTICE] Bootstrapped 2% (conn_done_pt): Connected to pluggable transport 2024-04-11 05:20:19.582 [NOTICE] Bootstrapped 10% (conn_done): Connected to a relay 2024-04-11 05:20:20.297 [NOTICE] Managed proxy "TorBrowser\Tor\PluggableTransports\snowflake-client.exe": offer created 2024-04-11 05:20:21.356 [NOTICE] Managed proxy "TorBrowser\Tor\PluggableTransports\snowflake-client.exe": broker rendezvous peer received 2024-04-11 05:20:22.311 [NOTICE] Managed proxy "TorBrowser\Tor\PluggableTransports\snowflake-client.exe": connected 2024-04-11 05:20:22.783 [NOTICE] Bootstrapped 14% (handshake): Handshaking with a relay 2024-04-11 05:20:23.037 [NOTICE] Bootstrapped 15% (handshake_done): Handshake with a relay done 2024-04-11 05:20:23.038 [NOTICE] Bootstrapped 75% (enough_dirinfo): Loaded enough directory info to build circuits 2024-04-11 05:20:23.040 [NOTICE] Bootstrapped 95% (circuit_create): Establishing a Tor circuit 2024-04-11 05:20:23.986 [NOTICE] Bootstrapped 100% (done): Done 2024-04-11 05:20:24.888 [NOTICE] Managed proxy "TorBrowser\Tor\PluggableTransports\snowflake-client.exe": offer created 2024-04-11 05:20:25.334 [NOTICE] Managed proxy "TorBrowser\Tor\PluggableTransports\snowflake-client.exe": broker rendezvous peer received 2024-04-11 05:20:28.161 [NOTICE] Managed proxy "TorBrowser\Tor\PluggableTransports\snowflake-client.exe": connected 2024-04-11 05:20:29.396 [NOTICE] new bridge descriptor 'flakey4' (fresh): $2B280B23E1107BB62ABFC40DDCC8824814F80A72~flakey4 [1zOHpg+FxqQfi/6jDLtCpHHqBTH8gjYmCKXkus1D5Ko] at 192.0.2.3 2024-04-11 06:04:29.362 [NOTICE] new bridge descriptor 'crusty2' (fresh): $8838024498816A039FCBBAB14E6F40A0843051FA~crusty2 [tO9nYvNCAdAh9lPoEEv2pZ9BJq+YzmPAMY6pxoFrLuk] at 192.0.2.4 2024-04-11 06:09:13.052 [NOTICE] No circuits are opened. Relaxed timeout for circuit 268 (a Measuring circuit timeout 3-hop circuit in state doing handshakes with channel state open) to 60000ms. However, it appears the circuit has timed out anyway. 2024-04-11 06:10:00.539 [NOTICE] Failed to find node for hop #1 of our path. Discarding this circuit. 2024-04-11 06:10:00.539 [NOTICE] Our circuit 0 (id: 281) died due to an invalid selected path, purpose Unlinked conflux circuit. This may be a torrc configuration issue, or a bug. 2024-04-11 06:10:02.431 [NOTICE] Managed proxy "TorBrowser\Tor\PluggableTransports\snowflake-client.exe": offer created 2024-04-11 06:10:05.440 [NOTICE] Managed proxy "TorBrowser\Tor\PluggableTransports\snowflake-client.exe": broker rendezvous peer received 2024-04-11 06:10:13.465 [NOTICE] Managed proxy "TorBrowser\Tor\PluggableTransports\snowflake-client.exe": connected 2024-04-11 06:11:04.599 [NOTICE] Failed to find node for hop #1 of our path. Discarding this circuit. 2024-04-11 06:11:10.411 [NOTICE] Managed proxy "TorBrowser\Tor\PluggableTransports\snowflake-client.exe": offer created 2024-04-11 06:11:13.594 [NOTICE] Managed proxy "TorBrowser\Tor\PluggableTransports\snowflake-client.exe": broker rendezvous peer received 2024-04-11 06:11:21.431 [NOTICE] Managed proxy "TorBrowser\Tor\PluggableTransports\snowflake-client.exe": connected 2024-04-11 07:01:03.863 [NOTICE] Managed proxy "TorBrowser\Tor\PluggableTransports\snowflake-client.exe": trying a new proxy: no messages received, closing stale connection 2024-04-11 07:01:12.613 [NOTICE] Managed proxy "TorBrowser\Tor\PluggableTransports\snowflake-client.exe": offer created 2024-04-11 07:01:18.332 [NOTICE] Managed proxy "TorBrowser\Tor\PluggableTransports\snowflake-client.exe": broker failure Unexpected error, no answer. 2024-04-11 07:01:21.714 [NOTICE] Managed proxy "TorBrowser\Tor\PluggableTransports\snowflake-client.exe": offer created 2024-04-11 07:01:22.720 [NOTICE] Managed proxy "TorBrowser\Tor\PluggableTransports\snowflake-client.exe": broker rendezvous peer received 2024-04-11 07:01:25.753 [NOTICE] Managed proxy "TorBrowser\Tor\PluggableTransports\snowflake-client.exe": connected ``` ::: ### Proxy - 以下 3 種方法任選 1 種: - 在 [Firefox](https://addons.mozilla.org/en-US/firefox/addon/torproject-snowflake/) 或 [Chrome](https://chrome.google.com/webstore/detail/snowflake/mafpmfcccpbjnhfhjnllmmalhifmlcie) 上安裝 Snowflake 擴充元件 ![image](https://hackmd.io/_uploads/B1VXulHlR.png) - 任何有 WebRTC 的瀏覽器到 https://snowflake.torproject.org/embed - Standalone: 下載/自行編譯執行檔來執行 https://community.torproject.org/relay/setup/snowflake/standalone/ ### Server 1. Build snowflake-server from source ```bash $ git clone https://git.torproject.org/pluggable-transports/snowflake.git $ cd snowflake/server $ CGO_ENABLED=0 GOOS=linux GOARCH=amd64 go build ``` 2. 安裝 Tor (這台同時也是個 Tor relay) 3. 編輯 Tor 設定 `/etc/tor/torrc` ::: spoiler ``` SocksPort 0 ORPort 9001 Nickname exampleTorRelay BridgeRelay 1 ServerTransportPlugin snowflake exec /usr/local/bin/snowflake-server --acme-hostnames snowflake.example.com --acme-email email@example.com --log /var/log/tor/snowflake-server.log ServerTransportListenAddr snowflake [::]:443 ExtORPort auto ContactInfo <email@example.com> BridgeDistribution https ``` ::: 4. 重新開啟 Tor :::info 參考 [Snowflake Bridge Installation Guide · Wiki · The Tor Project / Anti-censorship / Team · GitLab](https://gitlab.torproject.org/tpo/anti-censorship/team/-/wikis/Survival-Guides/Snowflake-Bridge-Installation-Guide) ::: ### Third Party Developers - [doc/using-the-snowflake-library.md · main · The Tor Project / Anti-censorship / Pluggable Transports / Snowflake · GitLab](https://gitlab.torproject.org/tpo/anti-censorship/pluggable-transports/snowflake/-/blob/main/doc/using-the-snowflake-library.md) - 有一些如何使用他們的 library 的一些小提示 ## 原理 ![image alt](https://gitlab.torproject.org/tpo/anti-censorship/pluggable-transports/snowflake/-/wikis/uploads/8716c3ba1226bd90009268a777ed2ccb/snowflake-diagram.png) 1. 防火牆內 client 用 Tor Browser，把選項調成要用 snowflake bridge 2. 牆外志工開一個 snowflake proxy，用 polling 方式跟 broker 溝通，看有沒有 client 想跟他連 3. client 的 Tor Browser 會跟 snowflake-client 開一個 SOCKS proxy 來溝通 (都在 local 環境裡) 4. client 的 snowflake-client.exe 會去 broker (作為一個 Rendezvous 集會點)索取一個可以用的 snowflake proxy 5. client 透過 broker 傳送 SDP，來跟 snowflake proxy 開始做 WebRTC offer/answer 6. client 跟 proxy 成功建立 WebRTC 連線之後用 WebRTC DataChannel 溝通 7. proxy 用 WebSocket 跟 snowflake server 溝通 8. snowflake server 透過 SOCKS 跟 Tor relay 溝通 (locally 同台主機) 9. snowflake client -> snowflake proxy -> snowflake server (Tor relay) 10. client 成功連上 Tor 網路 :::info 參考 [Technical Overview · Wiki · The Tor Project / Anti-censorship / Pluggable Transports / Snowflake · GitLab](https://gitlab.torproject.org/tpo/anti-censorship/pluggable-transports/snowflake/-/wikis/Technical%20Overview) ::: ## 目前遭遇到的困難 - 沒有 Public IPv4 的話，我的 snowflake server (bridge) 不會被 relay 給分發出去 - 目前還不接受 IPv6 only 的 bridge - 不是 exit node 的話，就不會把流量直接到公開網站上，不太會被告 - 但還是有點風險：有人說被 port scan 頻率增加 - 沒有被分發出去，就沒有人來用我的 proxy server，無法觀察到運作情形 - 如何把 snowflake proxy 用在傳自己 application 要的資料上，還要再研究