Functional Snowflake Proxy in sys-whonix Tor Control Panel Fix [Full Guide]

Please use the updated and summarized version of this guide [Quick Start Guide] at the link below as this guide is outdated, for reference purposes only, and contains an unnecessary command in step 1 which has been made redundant by the newer QubesOS anon-gw-anonymizer script.

For some context to this guide, shown below is my previous guide on fixing snowflake in Qubes-Whonix from earlier through Tor User Config and the UseBridges 1 function. For today’s guide, we will fix the builtin Tor Control Panel’s broken snowflake option, and free up the Tor User Config in the process. I prefer this method over my last method shown in the post below. If you know what’s coming and would like to skip to the installation, scroll down to the part in caps and bold that says TLDR; SKIP TO THIS POINT FOR THE INSTALLATION OF SNOWFLAKE PROXY INTO QUBES-WHONIX TOR CONTROL PANEL, OR SKIP TO THE END WHERE A USER HAS SUMMARIZED THE GUIDE INTO EASY TO FOLLOW COMMANDS

In my last guide in the link above, I showed how to get snowflake proxy working in Qubes-Whonix (sys-whonix), by replacing the default (outdated?) bridges found in the whonix (qubes-whonix) snowflake documentation and by bypassing qubes-whonix’s Tor Control Panel using Tor User Config, on top of configuring DNS settings specific to qubes-whonix. This guide will show you how to get the snowflake proxy in sys-whonix’s Tor Control Panel working using the same principle, and independent of the Tor User Config, if you find that to be useful. (It feels nice to click snowflake and have it not stop at 10%, you know, having it work the way it is supposed to work), and it frees up your Tor User Config. I apologize if this is trivial/detrimental to security/or otherwise a waste of anyone’s time.

This procedure was first tested in the sys-whonix VM as root, do it in the whonix-gateway-17 template for persistence.

This guide assumes that the user has already configured sys-whonix’s DNS using sudoedit /etc/resolv.conf.whonix (in the whonix-gateway-17 template) and setting the output of qubesdb-read /qubes-netvm-primary-dns as nameserver near the bottom of the file by uncommenting it and changing the ip. It also assumes the user has copied and installed snowflake-client by copying it from the whonix-workstation-17 template to the whonix-gateway-17 template in /usr/bin, and making the file executable (the default gateway-17 client is broken but the workstation-17 client works). The commands to do all of this are below.
TLDR; SKIP TO THIS POINT FOR THE INSTALLATION OF SNOWFLAKE PROXY INTO QUBES-WHONIX TOR CONTROL PANEL, A SATISFIED USER SUMMARIZED ALL OF THE COMMANDS AND I PLACED IT AT THE BOTTOM OF THIS POST

1) In whonix-gateway-17 template terminal: sudoedit /etc/resolv.conf.whonix

a window will pop up to edit

uncomment “nameserver 10.0.2.3” and replace the ip with output of qubesdb-read /qubes-netvm-primary-dns from a running sys-whonix terminal(mine was 10.139.1.1 as it says in the qubes docs)
save the file, close the window and navigate to the whonix-workstation-17 template terminal to copy the snowflake-client to the whonix-gateway-17 template

#copy snowflake binary to gateway template from workstation template
2) In whonix-workstation-17 template terminal:
qvm-copy-to-vm whonix-gateway-17 /var/cache/tb-binary/.tb/tor-browser/Browser/TorBrowser/Tor/PluggableTransports/snowflake-client

In whonix-gateway-17 template terminal: sudo cp ~/QubesIncoming/whonix-workstation-17/snowflake-client /usr/bin/snowflake-client

The next command(s), there are two that seem to do the same thing, and I’m not sure which one works because I don’t quite know the difference between them, but one of them works for sure, and doing them both works fine (if someone could tell me which one to remove from this guide that’d be great), they are: UPDATE: Please see below UPDATE comment in bold text.

sudo chmod og+rx /usr/bin/snowflake-client

and/or

UPDATE: adrelanos@whonix dot org told me that the below command is probably not necessary and has explained why when I asked in my Whonix thread below:

sudo install ~/QubesIncoming/whonix-workstation-17/snowflake-client --owner debian-tor --target-directory /usr/bin ← Command probably not necessary according to adrelanos@whonix dot org.

You now have the correct snowflake-client in your template ready for use.

Choose from the following Options to continue; A for testing, or B for persistent template install, to proceed.

Option A: In dom0:(for testing) qvm-run --user root sys-whonix xterm
In sys-whonix xterm:(for testing) skip Option B and execute commands below for testing

Option B: In whonix-gateway-17 template terminal:(For Template Install) execute commands below for template install

sudo nano /usr/share/anon-connection-wizard/bridges_default

Replace the outdated snowflake bridges in the file to these newer ones from the tor project found at this link, I suggest the CDN77 bridges(option 2):

CTRL+O then CTRL+ENTER (to save file)
CTRL+X (to exit file)

Shut down whonix-gateway-17 template

Start/Restart sys-whonix

Find and launch your Tor Control Panel under Main Qubes Menu > Services > sys-whonix > Tor Control Panel

Click Stop Tor

Click Configure

Select snowflake as your bridge type

Click Restart Tor

It should look like this.

Snowflake should connect fine. This has also been tested in the whonix-gateway-17 template for persistence and it works great! :).

EDIT: A user in my comments section was glad to find my guide and made a summarized version of it that is easy to follow! That’s what this is all about. I hope it helps others!

1) whonix-gateway-17 template terminal:

sudo nano /etc/resolv.conf.whonix

Replace “nameserver 10.0.2.3” with “nameserver 10.139.1.1(or the output of ip qubesdb-read /qubes-netvm-primary-dns run in a sys-whonix terminal, which should be 10.139.1.1, but if it is different, then use that output ip)”

Save & exit

2) whonix-workstation-17 template terminal:

qvm-copy-to-vm whonix-gateway-17 /var/cache/tb-binary/.tb/tor-browser/Browser/TorBrowser/Tor/PluggableTransports/snowflake-client

3) whonix-gateway-17 template terminal:

sudo cp ~/QubesIncoming/whonix-workstation-17/snowflake-client /usr/bin/snowflake-client

sudo chmod og+rx /usr/bin/snowflake-client

sudo install ~/QubesIncoming/whonix-workstation-17/snowflake-client --owner debian-tor --target-directory /usr/bin ← command probably not necessary according to Whonix dev

sudo nano /usr/share/anon-connection-wizard/bridges_default

Replace snowflake Bridges with:

"Bridge snowflake 192.0.2.3:80 2B280B23E1107BB62ABFC40DDCC8824814F80A72 fingerprint=2B280B23E1107BB62ABFC40DDCC8824814F80A72 url=https://1098762253.rsc.cdn77.org/ fronts=docs.plesk.com,www.phpmyadmin.net ice=stun:stun.l.google.com:19302,stun:stun.antisip.com:3478,stun:stun.bluesip.net:3478,stun:stun.dus.net:3478,stun:stun.epygi.com:3478,stun:stun.sonetel.com:3478,stun:stun.uls.co.za:3478,stun:stun.voipgate.com:3478,stun:stun.voys.nl:3478 utls-imitate=hellorandomizedalpn", "Bridge snowflake 192.0.2.4:80 8838024498816A039FCBBAB14E6F40A0843051FA fingerprint=8838024498816A039FCBBAB14E6F40A0843051FA url=https://1098762253.rsc.cdn77.org/ fronts=docs.plesk.com,www.phpmyadmin.net ice=stun:stun.l.google.com:19302,stun:stun.antisip.com:3478,stun:stun.bluesip.net:3478,stun:stun.dus.net:3478,stun:stun.epygi.com:3478,stun:stun.sonetel.net:3478,stun:stun.uls.co.za:3478,stun:stun.voipgate.com:3478,stun:stun.voys.nl:3478 utls-imitate=hellorandomizedalpn"

Save & exit

5) Shutdown whonix-gateway-17 template

6) Restart sys-whonix

7) Start Tor Control Panel

Click Stop Tor

Click Configure

Select Bridges type: snowflake

Click Restart Tor

Enjoy Snowflake on Qubes-Whonix working the way it’s supposed to be! :slight_smile:


Here is a screenshot after installing in the template and rebooting with an empty Tor User Config to show that it works. :slight_smile:


What can we do with it?

It gives you the ability to use snowflake proxy through Tor Control Panel in sys-whonix. It used to get stuck at 10% when trying to use the snowflake option due to outdated bridge lines. I’ve never been able to use that option in whonix/qubes-whonix until this method(it is a whonix specific issue but I posted it here because of sys-whonix).

I feel that this is the way it should work and be used but I could be wrong. Maybe whonix devs left the snowflake option dysfunctional for a reason, but they had non functioning bridges in the /usr/share/anon-connection-wizard/bridges_default file, so I feel I’ve done the right thing. I couldn’t find a guide anywhere else that worked, so I made my own and used bits from all of them.

There are paid Services for Residential Proxies, is this a similar but free option to get a non vpn residential ip? Just trying to understand snowflake…

From the tor project:

"Snowflake is a system that allows people from all over the world to access censored websites and applications. Similar to how VPNs assist users in getting around Internet censorship, Snowflake helps you avoid being noticed by Internet censors by making your Internet activity appear as though you’re using the Internet for a regular video or voice call.

There are numerous tools available, such as Snowflake, that “transform” Internet activity, each using a different technique. Some redirect Internet traffic to appear to be coming from popular cloud providers like Microsoft Azure and Amazon Web Services. Others scramble Internet traffic in order to make it appear completely random.

It therefore becomes costly for censors to consider blocking such circumvention tools since it would require blocking large parts of the Internet in order to achieve the initial targeted goal.

Unlike VPNs, you do not need to install a separate application to connect to a Snowflake proxy and bypass censorship. It is usually a circumvention feature embedded within existing apps. Currently Snowflake is available inside tor browser on Desktop and Android, Onion Browser on iOS, and Orbot on Android and iOS. If you have downloaded and installed any of these apps, and they are censored in your country, you can bypass the censorship by activating Snowflake through the apps’ settings page.

Did you know that Snowflake proxies are operated entirely by volunteers? In other words, a user gets matched with a random Snowflake volunteer proxy, which is run by a volunteer like you! So, if you want to help people bypass censorship, consider installing and running a Snowflake proxy. The only prerequisite is that the Internet in your country is not heavily censored already.

You can join thousands of volunteers from around the world who have a Snowflake proxy installed and running. There is no need to worry about which websites people are accessing through your Snowflake proxy. Their visible browsing IP address will match their Tor exit node, not yours."

Does not work for me, followed the procedure but when clicking accept after selecting snowflake in Tor Control Panel, the panel closes and when opening again snowflake is not set…

My bad, you have to add a “,” between the bridges in “bridges_default”…

Now it seems to work :slight_smile:


Try getting snowflake to work through Tor User Config before doing this. I can’t tell you what step is wrong because those are just all my steps.

Just forgot a “,” between the bridges I added to “bridges_default” :wink:
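The missing comma reported above can be caught before Tor is restarted. The following is an added example, not part of the original thread and not anon-connection-wizard code: it assumes the bridge entries form a JSON-style list of quoted strings, as the pasted lines suggest, and checks the fields those lines carry. The function names are hypothetical and the sample entries are constructed placeholders, not real bridges.

```python
import json
import re

# Constructed sample entries (placeholder fingerprints and hosts, not real bridges).
_OPTS = ("url=https://broker.example/ fronts=a.example,b.example "
         "ice=stun:stun.example:3478 utls-imitate=hellorandomizedalpn")
ENTRY_A = f'"Bridge snowflake 192.0.2.3:80 {"A" * 40} fingerprint={"A" * 40} {_OPTS}"'
ENTRY_B = f'"Bridge snowflake 192.0.2.4:80 {"B" * 40} fingerprint={"B" * 40} {_OPTS}"'


def parse_entries(snippet):
    """Parse pasted entries as a JSON array of strings (assumed file syntax)."""
    try:
        entries = json.loads("[" + snippet + "]")
    except json.JSONDecodeError as exc:  # e.g. a comma missing between entries
        raise ValueError(f"entry list is malformed: {exc.msg} (offset {exc.pos - 1})") from exc
    if not all(isinstance(e, str) for e in entries):
        raise ValueError("every entry must be a quoted string")
    return entries


def check_bridge(line):
    """Return a list of problems found in one snowflake bridge line."""
    words = line.split()
    if words[:1] == ["Bridge"]:  # optional torrc-style keyword
        words = words[1:]
    if len(words) < 3 or words[0] != "snowflake":
        return ["expected 'snowflake <ip:port> <fingerprint> ...'"]
    _, addr, fp, *opts = words
    kv = dict(o.split("=", 1) for o in opts if "=" in o)
    problems = []
    if not re.fullmatch(r"\d{1,3}(\.\d{1,3}){3}:\d{1,5}", addr):
        problems.append(f"bad address {addr!r}")
    if not re.fullmatch(r"[0-9A-Fa-f]{40}", fp):
        problems.append("fingerprint is not 40 hex characters")
    if kv.get("fingerprint", fp).upper() != fp.upper():
        problems.append("fingerprint= differs from the positional fingerprint")
    if not kv.get("url", "").startswith("https://"):
        problems.append("url= missing or not https")
    for server in filter(None, kv.get("ice", "").split(",")):
        if not re.fullmatch(r"stun:[A-Za-z0-9.-]+:\d{1,5}", server):
            problems.append(f"malformed ICE server {server!r}")
    return problems


def validate(snippet):
    """Map each entry index to its list of problems (empty list means clean)."""
    return {i: check_bridge(e) for i, e in enumerate(parse_entries(snippet))}
```

Calling validate() on the text pasted between the snowflake brackets raises ValueError when a comma is missing and otherwise returns the per-entry problems.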

Yay, this makes me happy! as long as I have helped even just 1 person then I’m satisfied :slight_smile: .


Wondering, why this isn’t already fixed?

The Whonix dev(s) have not fixed it for years. So over the years people have figured out solutions like this one. I don’t understand why, I kind of want to post this on their forum but I don’t want to upset them or something lol. Maybe I can get someone from here to give them a nudge. I’m sure a gajillion people have contacted them with the same question. Forums all over the place are full of people not being able to use snowflake in Whonix. lol.

Just saw I missed the step looking up the dns and simply set it to “10.139.1.1” like in your case… I guess if it works, then this is fine?

yeah that’s fine, i think that command will bring up the same number in all if not most sys-whonix VMs.

Thank you very much! If I may ask another question… Is the assumption correct that Snowflake will help me open Websites which won’t open with just using TOR so basically hiding that I’m using TOR from the Website I’m surfing? And when I have a paid SOCKS5 Proxy I can also enter it in the Tor Control Panel instead?

I believe you could select the ‘none’ option for bridges and just set proxy type option in Tor Control Panel to SOCKS5, then it will open up a field to fill in your proxy information. is that what you mean?

and yes, snowflake uses WebRTC to hide you from guard nodes and disguise your traffic as a Skype or VoIP call. China’s GFW has a way to block it with DPI I think (probably some crazy AI stuff).

Yeah, this is what I meant… I remember using Proxy over TOR was a bit harder when I experimented with Tails cause you had to use ProxyChains… Glad I found your guide cause it answered me the Proxy question too :smiley:

I’m liking Qubes OS more from day to day!


that makes me even more happy! I have a feeling this guide will explode. I have used pretty much every reasonable linux distro including my own Arch respin that was redistributable as an ISO. Once I tried Qubes, I’m not sure I can go back to normal operating systems again.

Just made a simplified writeup for me (the persistent variant):

1) whonix-gateway-17 terminal:

sudo nano /etc/resolv.conf.whonix
Replace "nameserver 10.0.2.3" with "nameserver 10.139.1.1"
Save & exit

2) whonix-workstation-17 terminal:

qvm-copy-to-vm whonix-gateway-17 /var/cache/tb-binary/.tb/tor-browser/Browser/TorBrowser/Tor/PluggableTransports/snowflake-client

3) whonix-gateway-17 terminal:

sudo cp ~/QubesIncoming/whonix-workstation-17/snowflake-client /usr/bin/snowflake-client
sudo chmod og+rx /usr/bin/snowflake-client
sudo install ~/QubesIncoming/whonix-workstation-17/snowflake-client --owner debian-tor --target-directory /usr/bin
sudo nano /usr/share/anon-connection-wizard/bridges_default

Replace snowflake Bridges with:

"Bridge snowflake 192.0.2.3:80 2B280B23E1107BB62ABFC40DDCC8824814F80A72 fingerprint=2B280B23E1107BB62ABFC40DDCC8824814F80A72 url=https://1098762253.rsc.cdn77.org/ fronts=docs.plesk.com,www.phpmyadmin.net ice=stun:stun.l.google.com:19302,stun:stun.antisip.com:3478,stun:stun.bluesip.net:3478,stun:stun.dus.net:3478,stun:stun.epygi.com:3478,stun:stun.sonetel.com:3478,stun:stun.uls.co.za:3478,stun:stun.voipgate.com:3478,stun:stun.voys.nl:3478 utls-imitate=hellorandomizedalpn",
"Bridge snowflake 192.0.2.4:80 8838024498816A039FCBBAB14E6F40A0843051FA fingerprint=8838024498816A039FCBBAB14E6F40A0843051FA url=https://1098762253.rsc.cdn77.org/ fronts=docs.plesk.com,www.phpmyadmin.net ice=stun:stun.l.google.com:19302,stun:stun.antisip.com:3478,stun:stun.bluesip.net:3478,stun:stun.dus.net:3478,stun:stun.epygi.com:3478,stun:stun.sonetel.net:3478,stun:stun.uls.co.za:3478,stun:stun.voipgate.com:3478,stun:stun.voys.nl:3478 utls-imitate=hellorandomizedalpn"

Save & exit
Shutdown whonix-gateway-17

5) Restart sys-whonix

6) Start Tor Control Panel
Stop Tor
Configure
Bridges type: snowflake
Accept
Restart Tor

Thanks, I’m going to save that!
