Snowflake on OpenWRT as standalone proxy

My router is powerful enough that it can run a Snowflake proxy.

At least the router itself does run 24/7 and it's low-powered compared to a dedicated machine.

The setup should be, from what I know (looking here for info):

opening the ports in the FW (/etc/config/firewall), such as:

# incoming UDP from wan to the router itself (no 'dest'), so match the local
# destination port range, not the remote source port
config rule
	option name 'Snowflake'
	option src 'wan'
	option dest_port 'min-max'
	list proto 'udp'
	option target 'ACCEPT'

and starting the Snowflake as:

procd_set_param command "$PROG" -capacity 5 -ephemeral-ports-range min:max

in init.d should do the trick, right?

(Maybe adding -verbose for a few hours to see some details.)

Is there a good default for the port min:max range?
(Apart from the info that it should be 2x as wide as the number of clients.)

What's also bothering me is the process of avoiding any VPN that may be deployed on the router itself.

Because the traffic should go through the ISP. There is no point, nor is it in any way beneficial (possibly a lot of connections, and also the lag a VPN adds).

How to do that?
Does anyone have some config tips for OpenWRT that could facilitate such a setup?

Thank you in advance.


I use 3.5x. It is now really 4x because I went from -capacity 12 to -capacity 9 and never made the change. In a previous post someone mentioned 2.5x just to be safe. I guess in case destroying a used port is not yet complete while the exact 2 ports are trying to be re-used for a new connection.

I started at 65534 and went backwards. I avoided using the last port, 65535, just because. So for you, at 2x, this would be 65525-65534.

I use -ephemeral-ports-range "65497:65534" -capacity 9 -unsafe-logging -verbose and I keep stats.

> What's also bothering me is the process of avoiding any VPN that may be deployed on the router itself.

Don't understand this. Do you mean someone compromising your system? Hmmm, probably not wanting to have to use a VPN on your router.

With -verbose and -unsafe-logging you will see exactly which IP is connecting and all kinds of other stuff.

Have no tips for OpenWRT since I have only tried that one many years ago.

Good luck.

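As an added example (not from any poster in this thread), a POSIX shell helper that sizes the ephemeral range the way the question and the reply above describe: N clients times a per-client multiplier (2x, 2.5x, 3.5x), counting down from 65534 and skipping 65535. It then prints the matching OpenWrt UCI firewall rule and the procd command line. The function names, the `$PROG` variable from the question and the use of `awk` and `uci` are assumptions.

```shell
#!/bin/sh
# Added example, not from the thread: derive a Snowflake UDP port range from
# -capacity and a ports-per-client multiplier, then emit the OpenWrt config.

# Print "min:max" for CAPACITY clients at MULT ports each, ending at TOP.
snowflake_port_range() {
    capacity=$1; mult=${2:-2}; top=${3:-65534}
    # round a fractional width (e.g. 9 x 3.5 = 31.5) up, never down
    width=$(awk -v c="$capacity" -v m="$mult" \
        'BEGIN { w = c * m; if (w != int(w)) w = int(w) + 1; print w }')
    min=$((top - width + 1))
    # refuse ranges that would reach into the privileged ports
    [ "$min" -gt 1024 ] || { echo "range too wide for top=$top" >&2; return 1; }
    echo "$min:$top"
}

# UCI commands for /etc/config/firewall: UDP from wan to the router itself.
# No 'dest' option means the input chain, so the local port is dest_port.
snowflake_uci_rule() {
    range=$1
    min=${range%%:*}; max=${range##*:}
    cat <<EOF
uci add firewall rule
uci set firewall.@rule[-1].name='Snowflake'
uci set firewall.@rule[-1].src='wan'
uci add_list firewall.@rule[-1].proto='udp'
uci set firewall.@rule[-1].dest_port='${min}-${max}'
uci set firewall.@rule[-1].target='ACCEPT'
uci commit firewall
EOF
}

# procd line for /etc/init.d/snowflake; -unsafe-logging is left out because,
# as the reply notes, it records the connecting client IPs in the log.
snowflake_cmd() {
    echo "procd_set_param command \"\$PROG\" -capacity $1 -ephemeral-ports-range $2 -verbose"
}

# usage: ./snowflake-range.sh CAPACITY [MULT]
if [ -n "${1:-}" ]; then
    range=$(snowflake_port_range "$1" "${2:-2}") || exit 1
    snowflake_uci_rule "$range"
    snowflake_cmd "$1" "$range"
fi
```

For the question's `-capacity 5` at 2x this yields 65525:65534, the same range the reply computed by hand.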

I don’t think it matters much. I’d just pick a range above 1024, maybe it doesn’t even have to be in the ephemeral ports range (above 32768).
