Docker standalone snowflake stuck on "proxy starting"

I have set up Docker in Fedora and the standalone snowflake on it. When I check the snowflake’s status, it just says “proxy starting, NAT type: restricted.” I have a few questions:

  1. How come my proxy doesn’t start?
  2. The network layout is modem > ISP router > hardware firewall > personal router. Would changing my personal router or firewall’s NAT to unrestricted suffice or does the router above it (the ISP router) need to have the NAT unrestricted?
  3. What would be the easiest way to set the NAT to unrestricted? And should I do it on the firewall or personal router?

It may be a logging problem. Try waiting for 1 hour and see if there are additional messages in the log.

For unrestricted mode, your computer should be able to accept incoming connections.
It means you need either a public IP (there should be no NATs at all), or your NAT(s) should be configured to forward (map) some ports to your computer. In the case of port mapping, additional command line options will need to be passed to snowflake (I have not tried it myself, but it should be explained in the documentation somewhere).

You mentioned you wish to become NAT unrestricted. The other members said the snowflake proxy does work with restricted NAT, and it does work, no problem, but you will only have a small number of connected clients. But if you still want to pursue it, then go for it. If you have time, may I suggest you check out my post.

Especially the part with the NAT behaviour discovery using STUN

https://forum.torproject.org/t/standalone-snowflake-nat-type-problem/16246/6

Hope this helps and just reply back if you’re still stuck… let’s make that snowflake BURN! :smiley:

How do you know it doesn’t start? Just based on the log messages? It’s the expected output. Your proxy is working. If you want more messages, pass in -verbose.

The latter. All routers in the way need to have an unrestricted NAT.

The easiest way is to set up port forwarding. See "How to set up standalone snowflake behind restrictive NAT? - #2 by WofWca". About the firewall: I’m not sure.

Thanks for sharing, I got the standalone snowflake up and running but in my search for unrestricted NAT I read that my ISP implements carrier-grade NAT and doesn’t offer opt out to residential customers. Wouldn’t this prevent me from setting up unrestricted NAT?

The command docker logs -f snowflake-proxy -v returned the error unknown shorthand flag: 'v' in -v See 'docker logs --help'.

What if my ISP enforces carrier-grade NAT and doesn’t allow opting out, would I still have a way of having unrestricted NAT? If so, how much additional security risk would it be to implement this method of unrestricted NAT?

Depends on the NAT type.

-verbose is a Snowflake CLI argument, not a Docker argument.

Not much of a risk IMO. As you can see, Snowflake expects that NAT is unrestricted, so having unrestricted NAT is normal.

Yes, Carrier Grade NAT will restrict you, but the snowflake proxy will still work.
