Suggestion: Add OpenWrt instructions to the Standalone Snowflake proxy community page

The community Standalone Snowflake proxy page currently has instructions for running a standalone snowflake proxy on various systems. Based on my recent experience with setting one up on my home router running OpenWrt, I think it may be useful to add instructions for OpenWrt too. Here is my thinking:

  • OpenWrt can run on a large number of modern routers and is designed to replace the OEM firmware
  • I’ve seen here at least one case of someone running a standalone snowflake proxy on their router
  • The OpenWrt forum has a number of questions from users asking how to do this
  • The setup cost on an existing router is nil - compared to, say, running the proxy on a dedicated server
  • A router is up pretty much 24/7 and proxied traffic is routed without touching the rest of the LAN
  • My own (albeit short) experience suggests the hardware & other requirements are no challenge
  • Most of the setup is possible through the router’s web GUI interface (OpenWrt’s default is called LuCI)

On that final point I thought I’d share my present setup:

I recently decided to upgrade my old router and wanted an OpenWrt-compatible replacement. I eventually chose OpenWrt’s own hardware; the OpenWrt One. This model has 1GB RAM and many home routers have less than this, but see below re memory requirements.

My router acts as a gateway router - i.e. it is connected directly to my modem and my WAN settings contain my ISP’s PPPoE credentials. Another contributor here describes running a standalone snowflake proxy on a machine behind an OpenWrt router. My post here concerns running the proxy on the gateway router itself.

Installing the snowflake-proxy package can be done via the web GUI. The firewall rules in order to attain the desired “unrestricted” NAT can also be set up via the web GUI. No port forwarding is required, as the device itself hosts the proxy. The program is started and set to start at reboot automatically.

The only part which requires some command line skills is adding the required parameters to the snowflake-proxy command in its ‘init’ script (located at /etc/init.d/snowflake-proxy). I have the -ephemeral-ports-range set to the maximum recommended range; 32768:60999 to match the ports I opened in the firewall.

Memory requirements were my biggest worry, as I’d read many opinions here on limiting the number of connections (via the -capacity flag) so as not to exceed available RAM. I experimented with a few figures and my proxy currently runs in default ‘unlimited’ mode. AFAICT the number of concurrent connections is peaking so far in the low 20’s. Memory usage so far is surprisingly manageable; less than 40 MB (RSS) and my router shows overall memory usage of only 22% (I don’t have any other additional software running on it).

The level of hourly traffic I’m seeing right now looks like this, so the proxy seems to be useful. If we were to project these kinds of figures 24/7 it gives a pretty high monthly usage number, but I’ll need to look at a few 24hr periods to get a better view on whether this may be an issue with my ISP.

traffic

In summary, though it is very early days, my experience of running a standalone snowflake proxy on my OpenWrt home router has been excellent. I am sure many more people would be willing to do the same and adding OpenWrt-specific setup instructions on the community page would, I think, be very useful. I’d be happy to help with this, if needed.

2 Likes

The only thing I can add to this post is about that connection count. By what method did you get to this number?
Not by this line in your logs I hope.
2026/02/24 05:18:10 In the last 1h0m0s, there were 34 completed successful connections. Traffic Relayed ↓ 15141 KB (4.21 KB/s), ↑ 3987 KB (1.11 KB/s).
I would not put faith in that. I use -capacity 12 so how can it say 34. Of those 34 connections, many have connected and disconnected within that hour. As a matter of fact my analysis shows many connections last less than 30-40 seconds. Those would be part of the 34. Censorship is responsible for that I guess.

There are also many of these which don’t even make the count. Censorship is also responsible for that too I guess.
2026/02/24 05:19:08 Timed out waiting for client to open data channel

I get the concurrent connections by counting the TCP connections to relays 01.snowflake and 02.snowflake
This command shows the TCP and UDP connections to these 2 relays
netstat -t4u4wanp | grep -i 'proxy'

This command counts the number of TCP connections which is your count.
netstat -t4u4wanp | grep -i 'proxy' | grep -i -E -c '141.212.118.18|193.187.88.42'

I assume netstat is available on OpenWrt. I only tried it once or twice so I don’t remember.

What I read here is that you only need 2.5 ports per connection. I use 3 as I don’t like to multiply by halves.
So if you need to reduce the -capacity parameter this is a good rule of thumb.

Hi @BobbyB, I’m actually grateful to you as I use a modified version of that script - I just added the IPv6 addresses of the 2 broker servers, as I’m seeing IPv6 connections from those addresses to my proxy too.

$ host snowflake-01.torproject.net
snowflake-01.torproject.net has address 193.187.88.42
snowflake-01.torproject.net has IPv6 address 2a0c:dd40:1:b::42

$ host snowflake-02.torproject.net
snowflake-02.torproject.net has address 141.212.118.18
snowflake-02.torproject.net has IPv6 address 2607:f018:600:8:be30:5bff:fef1:c6fa
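
Added example (not part of any post in this thread): a shell function that counts concurrent relay connections the way the netstat command above does, extended to the IPv6 addresses from the host output and matching each address exactly instead of as a regex substring. The function names and the sample netstat lines are constructed for illustration.

```shell
#!/bin/sh
# Added example, not code from the thread.
# Relay addresses exactly as quoted in the posts above (IPv4 and IPv6).
RELAYS='141.212.118.18 193.187.88.42 2a0c:dd40:1:b::42 2607:f018:600:8:be30:5bff:fef1:c6fa'

# count_relay_conns: read netstat lines on stdin and print how many
# ESTABLISHED TCP sockets, owned by a process whose name contains "proxy",
# have one of the relay addresses as the remote end.
count_relay_conns() {
    awk -v relays="$RELAYS" '
        BEGIN { n = split(relays, r, " "); for (i = 1; i <= n; i++) want[r[i]] = 1 }
        $1 ~ /^tcp/ && $6 == "ESTABLISHED" && $7 ~ /proxy/ {
            host = $5
            sub(/:[0-9]+$/, "", host)   # drop the trailing :port (also works for IPv6)
            if (host in want) c++       # exact match, so 141.212.118.180 is not counted
        }
        END { print c + 0 }
    '
}

# Constructed sample input (documentation addresses for the local side and
# for unrelated peers). Columns: proto recv-q send-q local foreign state pid/program
sample_netstat() {
    cat <<'EOF'
tcp   0 0 203.0.113.7:44122 141.212.118.18:443 ESTABLISHED 2345/snowflake-proxy
tcp   0 0 203.0.113.7:44190 193.187.88.42:443 ESTABLISHED 2345/snowflake-proxy
tcp   0 0 203.0.113.7:44200 193.187.88.42:443 TIME_WAIT -
tcp   0 0 2001:db8::7:51514 2a0c:dd40:1:b::42:443 ESTABLISHED 2345/snowflake-proxy
tcp   0 0 203.0.113.7:22 198.51.100.9:50022 ESTABLISHED 901/dropbear
udp   0 0 203.0.113.7:40112 198.51.100.77:51820 2345/snowflake-proxy
EOF
}

# Two IPv4 relay sockets plus one IPv6 relay socket are counted; the TIME_WAIT,
# SSH and UDP lines are ignored.
sample_netstat | count_relay_conns
```

On a router, pipe real netstat output into count_relay_conns in place of the sample.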

OK! So how many connections then.

I don’t have IPv6 so I never think of that.

Right now 4 IPv4 & 6 IPv6. I think the low 20’s figure I saw could have been due to my sampling being Sunday mid-morning Iran/China time. Maybe.

As OpenWrt stable release 25.12.0 dropped today I thought I’d add to this post instructions on how to install a standalone Snowflake proxy on a router running this release. Caveat: This worked for my setup and cannot of course be guaranteed to work for any other.

The following assumes a router acting as a gateway - i.e. directly connected to a modem with your ISP’s credentials stored in the WAN interface settings (Network/Interfaces/wan in the web GUI):

First install the “snowflake-proxy” package either from the OpenWrt router’s command line (apk add snowflake-proxy) or from the LuCI web GUI (System/Software):

If you are happy running your standalone Snowflake proxy behind a restricted NAT (see the setup guide) that’s it! The proxy is started and enabled to start on reboot automatically.

To get your standalone Snowflake proxy detected as “unrestricted” NAT type you need to do 2 things:

  1. use the -ephemeral-ports-range command flag and pass the desired (UDP) port range
  2. add OpenWrt firewall rules to open the same range of ports in your router’s WAN interface

To modify the command Snowflake proxy uses at (re)start you’ll need to edit its ‘init’ script file which you’ll find at /etc/init.d/snowflake-proxy. This is the relevant line in the file installed by the package. For example, if you wish to allow Snowflake proxy to communicate on the full ephemeral port range available on Linux you would add the following: -ephemeral-ports-range 32768:60999. You may wish to add other flags too, for example the -capacity and/or -metrics flags. The full range of available flags and their usage can be seen by typing snowflake-proxy -help.

If you are not comfortable using a command line editor to edit files, various OpenWrt text editors are available, for example the luci-app-filemanager package.

To open ports in the OpenWrt firewall navigate to Network/Firewall in the web GUI, click on the “Traffic Rules” tab and click the “Add” button to add a new one. Opening the UDP port range used in the above example in the router’s “wan” interface would look like this. Note the destination is the router device itself, no port forwarding is required:

Once the new firewall rule is saved you should restart the proxy with /etc/init.d/snowflake-proxy restart. In the logs (logread | grep snowflake) you should see the line “NAT type: unrestricted”.

Optional: If you want to monitor the proxy’s metrics with the -metrics flag and see country-level detail on the connections made, you’ll need to install the OpenWrt tor-geoip package and restart the proxy. Note this will start and enable a tor daemon on your router. You don’t need tor running to run a standalone Snowflake proxy and it can be stopped/disabled with /etc/init.d/tor stop && /etc/init.d/tor disable.

In any case you’ll want to monitor your router’s overall memory usage as the proxy runs.

Happy proxying everyone!
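
Added example (not part of any post in this thread): a shell function that condenses snowflake-proxy log output into the last reported NAT type, the completed (not concurrent) connection total, data-channel timeouts and a 30-day traffic projection, using the log line formats quoted earlier in the thread. It assumes each summary line covers one hour ("In the last 1h0m0s") and that traffic is reported in KB; the function names and every sample line other than the two quoted in the thread are constructed.

```shell
#!/bin/sh
# Added example, not code from the thread.
# summarize_proxy_log: read snowflake-proxy log lines on stdin and print
#   nat=<last NAT type> hours=<summary lines> conns=<completed connections>
#   timeouts=<data channel timeouts> kb=<down+up KB> gb30=<30-day projection>
# Fields are located by keyword, so a syslog prefix added by logread does not matter.
summarize_proxy_log() {
    awk '
        /NAT type:/ {
            for (i = 1; i < NF; i++) if ($i == "type:") nat = $(i + 1)
        }
        /Timed out waiting for client to open data channel/ { timeouts++ }
        /completed successful connections/ {
            hours++                                   # assumption: one summary per hour
            for (i = 2; i <= NF; i++) {
                if ($i == "were") conns += $(i + 1)   # "there were 34 completed ..."
                if ($i == "KB")   kb += $(i - 1)      # both the down and the up figure
            }
        }
        END {
            # Average KB per hour, projected to 30 days, in units of 1048576 KB.
            gb30 = hours ? (kb / hours) * 24 * 30 / 1048576 : 0
            printf "nat=%s hours=%d conns=%d timeouts=%d kb=%d gb30=%.1f\n",
                   (nat == "" ? "unknown" : nat), hours, conns, timeouts, kb, gb30
        }
    '
}

# Sample input: the 05:18:10 and 05:19:08 lines are quoted from the thread,
# the other two are constructed in the same format.
sample_log() {
    cat <<'EOF'
2026/02/24 04:18:09 NAT type: unrestricted
2026/02/24 05:18:10 In the last 1h0m0s, there were 34 completed successful connections. Traffic Relayed ↓ 15141 KB (4.21 KB/s), ↑ 3987 KB (1.11 KB/s).
2026/02/24 05:19:08 Timed out waiting for client to open data channel
2026/02/24 06:18:10 In the last 1h0m0s, there were 52 completed successful connections. Traffic Relayed ↓ 20480 KB (5.69 KB/s), ↑ 6144 KB (1.71 KB/s).
EOF
}

sample_log | summarize_proxy_log
```

On the router the input would be the output of logread | grep snowflake in place of the sample.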

Just a FYI:
Every time you stop/start the proxy you knock everyone off.

I’m assuming you do not use verbose logs. Lots of info there.