Remote returned status code 400

NAT is not the topic here :slight_smile:

There is an issue (“Remote returned status code 400”) if the value specified for -ephemeral-ports-range is too small for the value specified for -capacity.

As suggested above, it would be good if this is pointed out when the proxy is started.

From now on I use

ephemeral-ports-range = ceil(capacity * 2.5)


These replies ask more questions. Are the docs I quote actually correct? I can only go with what I read. I checked the Go source for Snowflake and see no mention of TURN. Maybe I can’t read the code but just the comments.

This thread may also explain why I have so many connections under 1 minute.

So where is this TURN server? I’m guessing it’s not used.

Wikipedia states “The Allocate request asks the TURN server to allocate some of its resources for the client so that it may contact a peer. If allocation is possible, the server allocates an address for the client to use as a relay, and sends the client an “Allocation Successful” response, which contains an “allocated relayed transport address” located at the TURN server.” Can we believe what we read on Wikipedia?

To me “allocated relayed transport address” means the IP:port of the TURN server in which case there would be traffic between me and the server but tcpdump actually shows traffic between me and the client somewhere in the world. I would have to put a sniffer between the modem and router and monitor to be sure. I can but really don’t want to just to see if I am correct.

I will leave the proxy up. Some stats: For September I used about 6 times more bandwidth than I have ever used in all the years (15+) with this ISP. I use -capacity 20 but have never seen more than 8 clients at a time.

I am also ending this discussion. The problem is solved. The rest is all opinion, including mine.

NAT blocks off all incoming connections that are not forwarded to somewhere internally.
Since Snowflake seems not to use TURN (I didn’t verify this) your proxy gets fewer clients than it could with forwarded ports.
So you can help fewer people with your proxy than you potentially could.

Doesn’t it seem logical to you? :wink:

The distinction between restricted and unrestricted NAT exists not without a reason.

I completely understand the logic about opened UDP ports. I am really behind 2 routers.

Exactly one year ago my ISP converted me (for free) to fibre, upped the speed to 10/30 Mbps, and made my plan unlimited but sent me a new modem and Nokia router and not the best one (lots of options I need missing like static LAN IP assignments). So my original router is connected to that.

I’ve seen instructions to connect my router (or try to) to their system (VLAN stuff). It does not feel broken now and since it is not broken why fix it.

My plan was not to be a superpower in censorship circumvention but to be a part without fuss. There it is.

I have not verified if I get more than 8 clients but anytime I check it is not more. Maybe I could analyze my logs or develop a script to monitor it.

Remember that the primary purpose of this 24/7 machine is community computing. Snowflake is just a plus.

Guess I lied about ending this discussion but felt I should give an explanation about my motives.
