Planning for my proxy as Unrestricted

I’m planning this move which I said I could not do. Are there tips and tricks I should know of?

Like, is there a ratio of -capacity to ephemeral ports to open? I read this here somewhere.
Like, any preferred range of ports to use? High end or middle?

Of course it is all dependent on me replacing the ISP supplied router with my own which can do port forwarding. This part is tested.

The reason for this change is because my stats show a very VERY large number of connections less than 30 seconds. This says the connection did not work properly.
And an average of 70/day Timed out waiting for client to open data channel.

I’m assuming unrestricted will resolve these.

1 Like

Here’s my experience and rule:

With 2 STUN servers (proxy default): ephemeral-ports-range = capacity * 3
With 1 STUN server: ephemeral-ports-range = capacity * 2

As ports I use dynamic ports in the range of 49152-65535.

Here are some related threads / posts:

My router has replaced the ISP router.

I restarted the proxy with small -capacity and *3 ports for the port range but it still comes up restricted.

 2024/11/22 20:12:40 NAT Type measurement: unknown -> restricted
 2024/11/22 20:12:40 NAT type: restricted

I know the UDP forwarding works. I see it in my router logs and I see it in the snowflake logs. Does it matter that the external port 65518 does not make it to the same respective port (65534) to the proxy?

a=candidate:1123660450 1 udp 2130706431 192.168.n.n 65534 typ host
a=candidate:1123660450 2 udp 2130706431 192.168.n.n 65534 typ host
a=candidate:479339942 1 udp 1694498815 n.n.n.n 65518 typ srflx raddr 0.0.0.0 rport 65518
a=candidate:479339942 2 udp 1694498815 n.n.n.n 65518 typ srflx raddr 0.0.0.0 rport 65518
a=end-of-candidates

Meaning you set -ephemeral-ports-range?

If the target/local ports of your forwarding are 50000 to 50030 you have to set
-ephemeral-ports-range 50000:50030.

Is there maybe a firewall on your proxy device?

Did you set it up this way? Are you sure you are not behind CG-NAT, i.e. are you sure that you have a dedicated IP?

SOLVED!

After an analysis of logs and everything else I slapped my forehead in a D’oh! moment.
Yes! My firewall in Ubuntu. When I read your response (@tobrop) I thought “He came to the same conclusion.” I was too concentrated on my router change.

Even though it is obvious, there is no mention of this in any instruction I followed (Tor Project_Compile Snowflake proxy from the source). It reminds you of the "nohup" in the startup command, which allows the program to run in the background even after the terminal is closed; it reminds you to output to an optional logfile; it reminds you to make a cron job to allow the proxy to start after a reboot; it reminds you to open ports in the router and use -ephemeral-ports-range.

sudo ufw allow 65500:65534/udp did it.

In no time after the proxy restart I already had 8 clients which I never saw before.

@WofWca: I am not behind CG-NAT, but I do not have a static public IP, so after a power failure or just a brown-out or blip, the modem and router reboot and I get a new DHCP IP. The machine is on a UPS but not the modem/router.

TKS all.

3 Likes
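Putting the rule of thumb posted above, the -ephemeral-ports-range value and the ufw fix together, as an added shell example that is not from any poster in this thread. It assumes the proxy's port range is placed at the top of the dynamic range 49152-65535 and uses the "NAT type: restricted" log line from the thread as a constructed sample:

```shell
#!/bin/sh
# Added example (not from the thread): size the Snowflake proxy port range
# from -capacity and the STUN server count, then emit the matching
# -ephemeral-ports-range value and ufw rule, and check that the router's
# forwarding target ports line up with that range.

DYN_LOW=49152    # start of the dynamic/private port range
DYN_HIGH=65535   # end of the dynamic/private port range

# ports_needed CAPACITY STUN_COUNT -> ports to reserve (rule of thumb above:
# capacity*3 with 2 STUN servers, capacity*2 with 1)
ports_needed() {
    if [ "$2" -ge 2 ]; then factor=3; else factor=2; fi
    echo $(( $1 * factor ))
}

# port_range CAPACITY STUN_COUNT -> "LOW:HIGH" ending at DYN_HIGH;
# fails when the capacity needs more ports than the dynamic range holds
port_range() {
    n=$(ports_needed "$1" "$2")
    low=$(( DYN_HIGH - n + 1 ))
    if [ "$low" -lt "$DYN_LOW" ]; then
        echo "capacity $1 needs $n ports, more than the dynamic range" >&2
        return 1
    fi
    echo "$low:$DYN_HIGH"
}

# ufw_rule RANGE -> the host firewall command that fixed the thread's case
ufw_rule() {
    echo "ufw allow $1/udp"
}

# forwarding_matches RANGE FWD_LOW FWD_HIGH -> success only when the router's
# forwarding target ports equal the proxy's ephemeral range exactly
forwarding_matches() {
    [ "${1%%:*}" -eq "$2" ] && [ "${1##*:}" -eq "$3" ]
}

# Constructed sample of proxy startup log text (same lines quoted above)
SAMPLE_LOG='2024/11/22 20:12:40 NAT Type measurement: unknown -> restricted
2024/11/22 20:12:40 NAT type: restricted'

# nat_is_restricted LOGTEXT -> success when the proxy still reports restricted
nat_is_restricted() {
    printf '%s\n' "$1" | grep -q 'NAT type: restricted'
}

# Usage: sh snowflake-ports.sh CAPACITY [STUN_COUNT]
if [ -n "${1:-}" ]; then
    range=$(port_range "$1" "${2:-2}") || exit 1
    echo "snowflake flags: -capacity $1 -ephemeral-ports-range $range"
    ufw_rule "$range"
fi
```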

If the modem reboots, I suggest restarting the snowflake process because the state will go again to unknown=restricted. At least this happens to my machines. If the modem gets a new IP, the user count drops to 5-10 from 80-120.

Welcome in the club of unrestricted proxy operators :grin:

2 Likes

Had not thought of it so I will keep my eye out for this. The modem and router are too far from the UPS to plug into it.

I have started out small (-capacity 8) and will monitor my outbound bandwidth in order to adjust. I only have 10 Mbps to give.

This project was a good marriage of a CPU bound machine (100% 24/7) to a mostly I/O bound process.

Before unrestricted I hardly ever saw 7 concurrent clients connected whereas now I hardly see less than 7. It would probably be more if (when) I increased capacity.

1 Like
