Hello,
I recently started running an unrestricted standalone snowflake proxy and I was wondering, what is the lowest possible port range I can give it without having to give it all ports in the DMZ?
When I started mine someone suggested about 2.5 ports per connection. Don’t remember why.
I use 3 since it is easier to multiply. I have -capacity 12 so I opened 36.
I assume you also mean unlimited in connections so I guess all of 32768 to 60999.
I doubt you will get enough connections to fill all those ports.
I do get 12 but hardly get past 7. I don’t have the biggest fastest connection so maybe that is part of the problem.
The way to find the number of connections in real time is something like this:
netstat -t4u4wanp | grep -i 'proxy' | grep -i -E -c '141.212.118.18|193.187.88.42'
It will just spit out a number. I only have IPv4, so if you have IPv6 you may have to modify it.
Edited later:
I seem to now remember why the 2.5.
After receiving a client offer from the broker the proxy answers with 2 candidate UDP ports the client can try like this:
a=candidate:1488169829 2 udp 1694498815 nn.nn.nn.nn 60916 typ srflx raddr 0.0.0.0 rport 60916 ufrag NwHVqlhIANVUUPea
a=candidate:1488169829 1 udp 1694498815 nn.nn.nn.nn 60933 typ srflx raddr 0.0.0.0 rport 60933 ufrag NwHVqlhIANVUUPea
I presume the .5 port is just breathing room while unused ports are released by the system and are ready to be used again by the proxy.
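As an added example (not code from the thread or from the snowflake project), here is a small Python parser for the a=candidate lines quoted above; it flags any advertised UDP port that falls outside the range you actually forward in the DMZ, and sizes the range from -capacity using the 2.5-ports-per-connection rule. The third candidate (port 61234) and the forwarding ranges are constructed for illustration.

```python
import math
import re

# Linux default ephemeral range quoted in the thread (net.ipv4.ip_local_port_range).
EPHEMERAL_RANGE = (32768, 60999)

# RFC 5245 candidate attribute: foundation, component-id, transport, priority,
# connection-address, port, "typ" cand-type, then name/value extension pairs.
CANDIDATE_RE = re.compile(
    r"^a=candidate:(?P<foundation>\S+) (?P<component>\d+) (?P<transport>\S+) "
    r"(?P<priority>\d+) (?P<address>\S+) (?P<port>\d+) typ (?P<ctype>\S+)(?P<ext>.*)$"
)

# The two srflx candidates quoted in the post above (address masked by the poster)
# plus one constructed candidate whose port lies outside the ephemeral range.
SAMPLE_CANDIDATES = [
    "a=candidate:1488169829 2 udp 1694498815 nn.nn.nn.nn 60916 typ srflx raddr 0.0.0.0 rport 60916 ufrag NwHVqlhIANVUUPea",
    "a=candidate:1488169829 1 udp 1694498815 nn.nn.nn.nn 60933 typ srflx raddr 0.0.0.0 rport 60933 ufrag NwHVqlhIANVUUPea",
    "a=candidate:1488169829 1 udp 1694498815 nn.nn.nn.nn 61234 typ srflx raddr 0.0.0.0 rport 61234 ufrag NwHVqlhIANVUUPea",
]

def parse_candidate(line):
    """Return the fixed candidate fields plus an 'ext' dict of the trailing name/value pairs."""
    m = CANDIDATE_RE.match(line.strip())
    if not m:
        raise ValueError(f"not an ICE candidate line: {line!r}")
    tokens = m.group("ext").split()  # e.g. raddr 0.0.0.0 rport 60916 ufrag ...
    return {
        "foundation": m.group("foundation"),
        "component": int(m.group("component")),
        "transport": m.group("transport").lower(),
        "priority": int(m.group("priority")),
        "address": m.group("address"),
        "port": int(m.group("port")),
        "type": m.group("ctype"),
        "ext": dict(zip(tokens[0::2], tokens[1::2])),
    }

def unreachable_ports(lines, forwarded=EPHEMERAL_RANGE):
    """UDP ports the proxy advertises that the DMZ/forwarding rule does not cover."""
    lo, hi = forwarded
    cands = [parse_candidate(l) for l in lines]
    return sorted(c["port"] for c in cands if c["transport"] == "udp" and not lo <= c["port"] <= hi)

def ports_to_forward(capacity, ports_per_connection=2.5):
    """Ports to forward for a given -capacity, rounded up (12 at 2.5 each gives 30)."""
    return math.ceil(capacity * ports_per_connection)
```

If unreachable_ports returns anything for candidates your proxy actually sends, clients will be offered a port your firewall drops, which is one reason a proxy sits below its -capacity.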
To make the traffic less suspicious one should not limit the port range.
However, the lowest possible port range would be 1 (or ~2?), as long as you set -capacity to 1.
The “2-3 per client” discussion originated here I believe:
I seem to remember another. When that discussion was taking place I was still running restricted and none of that seemed important so 2.5 would not have clicked. A little later I was convinced to go unrestricted (late Nov 2024) because they were more needed (I think). But anyway the message is the same.
I am more curious about “To make the traffic less suspicious one should not limit the port range”.
Are you saying they (the censors) track UDP connections to outside IPs trying to find a pattern? I would think a whole UDP conversation to an outside IP sounds suspicious. So I’ll triple what I now use.
Yes, I would say that it looks suspicious that a WebRTC connection for a particular IP keeps using the same few ports instead of the full ephemeral range.
I am, however, not aware of whether censors are actually doing this. Some use AI, so maybe it is feasible.
But if it’s too much hassle to open the full range, personally I think it’s fine to keep just a few.
Wow, these guys are aggressive.
OK then, I’ll schedule a restart of the proxy, give it 400 more, and up it to -capacity 14. We’ll see if it makes it to 14. It spends most of its time at 7 connections by a huge margin. Have no idea why that is such a sweet spot. It must indicate that there is NO lack of available connections in this whole proxy system otherwise it should be at near the max all the time.
Now using proxy v2.13.1