How to use Snowflake on OpenWrt?

Hi all,

I already posted this in the OpenWrt forum, but then I thought that this is maybe the correct place to ask this.

I am trying to set up Tor with Snowflake as a bridge to circumvent censorship and followed this guide to set up Tor. But this generates these warnings I would like to fix:

[warn] You specified a public address '0.0.0.0:9053' for DNSPort. Other people on the Internet might find your computer and use it as an open proxy. Please don't allow this unless you have a good reason.
[warn] You specified a public address '[::]:9053' for DNSPort. Other people on the Internet might find your computer and use it as an open proxy. Please don't allow this unless you have a good reason.
[warn] You specified a public address '0.0.0.0:9040' for TransPort. Other people on the Internet might find your computer and use it as an open proxy. Please don't allow this unless you have a good reason.
[warn] You specified a public address '[::]:9040' for TransPort. Other people on the Internet might find your computer and use it as an open proxy. Please don't allow this unless you have a good reason.

I already tried the local addresses [::1] and 127.0.0.1, but this stops the internet connection.

Regarding Snowflake:

I was not able to find any documentation about configuring the snowflake-client on OpenWrt, so I followed the official documentation and added these lines to the custom torrc so it looked like this:

AutomapHostsOnResolve 1
AutomapHostsSuffixes .
VirtualAddrNetworkIPv4 172.16.0.0/12
VirtualAddrNetworkIPv6 [fc00::]/8
DNSPort 0.0.0.0:9053
DNSPort [::]:9053
TransPort 0.0.0.0:9040
TransPort [::]:9040

UseBridges 1
ClientTransportPlugin snowflake exec /usr/bin/snowflake-client -log /var/log/tor/snowflake.log
Bridge snowflake 192.0.2.3:80 2B280B23E1107BB62ABFC40DDCC8824814F80A72 fingerprint=2B280B23E1107BB62ABFC40DDCC8824814F80A72 url=https://1098762253.rsc.cdn77.org/ fronts=www.cdn77.com,www.phpmyadmin.net ice=stun:stun.l.google.com:19302,stun:stun.antisip.com:3478,stun:stun.bluesip.net:3478,stun:stun.dus.net:3478,stun:stun.epygi.com:3478,stun:stun.sonetel.com:3478,stun:stun.uls.co.za:3478,stun:stun.voipgate.com:3478,stun:stun.voys.nl:3478 utls-imitate=hellorandomizedalpn
Bridge snowflake 192.0.2.4:80 8838024498816A039FCBBAB14E6F40A0843051FA fingerprint=8838024498816A039FCBBAB14E6F40A0843051FA url=https://1098762253.rsc.cdn77.org/ fronts=www.cdn77.com,www.phpmyadmin.net ice=stun:stun.l.google.com:19302,stun:stun.antisip.com:3478,stun:stun.bluesip.net:3478,stun:stun.dus.net:3478,stun:stun.epygi.com:3478,stun:stun.sonetel.net:3478,stun:stun.uls.co.za:3478,stun:stun.voipgate.com:3478,stun:stun.voys.nl:3478 utls-imitate=hellorandomizedalpn
SocksPort auto

But I get errors like this:
Warning: NAT checking failed for server at <URL:PORT>: Error completing roundtrip map test: write udp4 [scrubbed]->[scrubbed]: sendto: network is unreachable

My guess is that this is due to the DNS over Tor setting combined with Tor using Snowflake as a Bridge which is making DNS requests. Is that true and how can this be done correctly?

I would appreciate any help, because I’m currently stuck at this point.

I would recommend trying to disable LAN traffic and DNS interception first and see if the client manages to connect to Tor. After that, gradually add interception.

Thank you for the response.
Tor without Snowflake worked after I followed the OpenWrt guide, including DNS.

The errors came when adding the Snowflake part.

I understand. My point is to make it work with Snowflake, but without LAN traffic interception.

I got that a while later :sweat_smile:
And that was actually a great idea. I removed everything and started from scratch and got a working Snowflake connection with this torrc.

SOCKSPort 9050
SOCKSPort 192.168.1.1:9100
SOCKSPolicy accept 192.168.1.0/24
SOCKSPolicy reject *
Log notice stderr

DataDirectory /var/lib/tor

User tor

ClientTransportPlugin snowflake exec /usr/bin/snowflake-client -log /var/log/tor/snowflake.log

Bridge snowflake 192.0.2.3:80 2B280B23E1107BB62ABFC40DDCC8824814F80A72 fingerprint=2B280B23E1107BB62ABFC40DDCC8824814F80A72 url=https://1098762253.rsc.cdn77.org/ fronts=www.cdn77.com,www.phpmyadmin.net ice=stun:stun.l.google.com:19302,stun:stun.antisip.com:3478,stun:stun.bluesip.net:3478,stun:stun.dus.net:3478,stun:stun.epygi.com:3478,stun:stun.sonetel.com:3478,stun:stun.uls.co.za:3478,stun:stun.voipgate.com:3478,stun:stun.voys.nl:3478 utls-imitate=hellorandomizedalpn
Bridge snowflake 192.0.2.4:80 8838024498816A039FCBBAB14E6F40A0843051FA fingerprint=8838024498816A039FCBBAB14E6F40A0843051FA url=https://1098762253.rsc.cdn77.org/ fronts=www.cdn77.com,www.phpmyadmin.net ice=stun:stun.l.google.com:19302,stun:stun.antisip.com:3478,stun:stun.bluesip.net:3478,stun:stun.dus.net:3478,stun:stun.epygi.com:3478,stun:stun.sonetel.net:3478,stun:stun.uls.co.za:3478,stun:stun.voipgate.com:3478,stun:stun.voys.nl:3478 utls-imitate=hellorandomizedalpn

UseBridges 1

I am now working on reversing the process to get back to the point where I can intercept TCP and redirect it to the SOCKS port and, if that works, also DNS.

Do you have any ideas or tips on how to do this best? :slight_smile:


To me it appears more like “now I need to add things that are missing” rather than “reverse” it. But I’m not that deep into these lower-level network things anyway, sorry.
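As an added example (not from this thread, the OpenWrt guide, or the Tor project), here is a small POSIX shell script covering the two open points in the thread: why Tor prints the "public address" warnings for the 0.0.0.0 and [::] binds, and how the TCP and DNS interception can be put back without them. It audits a torrc for listener directives bound to a wildcard or public address (the condition Tor warns about: such a port is reachable from the WAN side and turns the router into an open proxy), emits a torrc fragment that binds TransPort and DNSPort to the router's LAN address instead (an RFC 1918 address, which Tor treats as internal, so the warning goes away while LAN clients can still reach the port; a 127.0.0.1 bind also silences the warning, but packets redirected from the LAN cannot reach it, which is consistent with the "stops the internet connection" symptom), and generates an nftables ruleset that redirects LAN clients' DNS and TCP into those ports and drops the rest so nothing leaks around Tor. The ports 9040/9053, the 192.168.1.1 address and the Automap lines come from the torrc snippets in the thread; the interface name br-lan, the 192.168.1.0/24 network, the table and chain names, and the helper names `classify_addr`, `audit_torrc`, `torrc_fragment` and `nft_ruleset` are the script's own assumptions.

```sh
#!/bin/sh
# Added example, not from the thread or the OpenWrt/Tor documentation.
# Assumptions (override via environment): LAN bridge br-lan, router LAN
# address 192.168.1.1/24, Tor TransPort 9040 and DNSPort 9053 on that address.
LAN_IF="${LAN_IF:-br-lan}"
LAN_IP="${LAN_IP:-192.168.1.1}"
LAN_NET="${LAN_NET:-192.168.1.0/24}"
TRANS_PORT="${TRANS_PORT:-9040}"
DNS_PORT="${DNS_PORT:-9053}"

# Classify a listener address the way Tor's "public address" warning does:
# loopback and RFC 1918 / ULA / link-local addresses are internal; a wildcard
# or public address exposes the port to the WAN (open proxy risk).
classify_addr() {
  case "$1" in
    127.*|::1|localhost) echo loopback ;;
    0.0.0.0|::) echo wildcard ;;
    10.*|192.168.*|172.1[6-9].*|172.2[0-9].*|172.3[01].*|fc*|fd*|fe80:*) echo private ;;
    *) echo public ;;
  esac
}

# Read a torrc on stdin and print "<directive> <value> <class>" for every
# listener line, so the binds behind the warnings stand out.
audit_torrc() {
  while read -r key value rest; do
    case "$key" in
      DNSPort|TransPort|SocksPort|SOCKSPort|HTTPTunnelPort) ;;
      *) continue ;;                                 # comments, blanks, other options
    esac
    case "$value" in
      auto) echo "$key $value loopback"; continue ;;
      *[!0-9]*) ;;                                   # contains an address part
      *) echo "$key $value loopback"; continue ;;    # bare port: Tor binds 127.0.0.1
    esac
    addr="${value%:*}"                               # strip the port
    addr=$(printf '%s' "$addr" | tr -d '[]')         # strip IPv6 brackets
    echo "$key $value $(classify_addr "$addr")"
  done
}

# torrc fragment: listeners on the LAN address only. Tor treats 192.168.x.x as
# internal (no warning), LAN clients can reach it, and the nftables redirect
# below delivers to exactly this address. AutomapHostsOnResolve and
# VirtualAddrNetworkIPv4 are copied from the thread's original torrc.
torrc_fragment() {
  cat <<EOF
AutomapHostsOnResolve 1
VirtualAddrNetworkIPv4 172.16.0.0/12
TransPort ${LAN_IP}:${TRANS_PORT}
DNSPort ${LAN_IP}:${DNS_PORT}
EOF
}

# nftables ruleset (load with: nft -f <file>, or adapt into the OpenWrt
# firewall configuration). Traffic to the LAN itself (LuCI, ssh, the Tor
# listeners) is left alone; DNS and all other TCP from LAN clients are
# redirected to the router's own address on the Tor ports; whatever is still
# forwarded afterwards (other UDP, ICMP) cannot be carried by Tor and is
# dropped so it does not leak around the tunnel. Redirected packets go to the
# router's input path, not forward, so the drop does not affect them. Tor's
# own traffic, including snowflake-client's UDP to the STUN servers from the
# Bridge lines, is locally generated and never passes prerouting or forward.
nft_ruleset() {
  cat <<EOF
table ip tor_redirect {
  chain prerouting {
    type nat hook prerouting priority dstnat; policy accept;
    iifname "$LAN_IF" ip daddr { $LAN_NET, 127.0.0.0/8 } return
    iifname "$LAN_IF" udp dport 53 redirect to :$DNS_PORT
    iifname "$LAN_IF" tcp dport 53 redirect to :$DNS_PORT
    iifname "$LAN_IF" meta l4proto tcp redirect to :$TRANS_PORT
  }
  chain forward {
    type filter hook forward priority filter; policy accept;
    iifname "$LAN_IF" drop
  }
}
EOF
}

# Usage: sh tor-redirect.sh audit < /etc/tor/torrc
#        sh tor-redirect.sh torrc   (fragment to append to the custom torrc)
#        sh tor-redirect.sh nft     (ruleset for nft -f)
case "${1:-}" in
  audit) audit_torrc ;;
  torrc) torrc_fragment ;;
  nft)   nft_ruleset ;;
esac
```

Run the `audit` mode against the thread's first torrc and the four TransPort/DNSPort lines come back as `wildcard`, which is exactly the set Tor warned about; the SOCKSPort lines of the working torrc come back as `loopback` and `private`. The forward-drop rule is deliberate: a transparent Tor router that only redirects TCP and DNS but still forwards other UDP quietly bypasses Tor for that traffic, so dropping it is the safer default while the interception is being rebuilt step by step.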