Used interfaces by Snowflake proxy

If you use a docker-compose.yml with network_mode: host and something like command: [ "-ephemeral-ports-range", "30000:30010" ], why does

netstat -tulpen | grep proxy

also lists the Snowflake proxy on the Docker (172.17.0.1) and WireGuard (I have it installed) interface, in addition to eth0 - and that for every single configured port (30000, 30001, …)? Is this correct behavior?

Note: my Docker image contains snowflake-proxy 2.9.2 (2bbd4d06)

I believe so. If you want to change that, you can try the outbound-address parameter.

See relevant issue:

Unfortunately, this parameter does not change anything. Even with -outbound-address set to the local IPv4 of eth0 the process uses/connects to the Docker and WireGuard interface. Strange, or at least unusual, behavior. :thinking:

With this parameter, if I have two internet providers, I can start 2 proxies, one/ISP?

I believe it’s the opposite: -outbound-address is supposed to make the proxy use just one address. In your case you need to omit the parameter.

Hmm yeah the fix is kind of just a hack IMO.

I guess SetInterfaceFilter really is the way to go

Update: I made an issue:

Though I suspect this is not gonna be a high-priority one since the connections on other interfaces should not be happening since the Snowflake proxy never passes them to the client as ICE candidates. Not much to worry about.

1 Like

Just tried this:

removed network_mode: host in docker-compose.yml and replaced it with

ports:
    - "192.168.2.100:33000-33010:33000-33010/udp"

192.168.2.100 is the local IPv4 of the eth0 interface.

After starting the container there is the output

NAT type: unrestricted
In the last 5m0s, there were 4 completed connections.

The command

netstat -tulpen | grep proxy

shows

udp ... 192.168.2.100:33000     0.0.0.0:* ... docker-proxy
udp ... 192.168.2.100:33001     0.0.0.0:* ... docker-proxy
...
udp ... 192.168.2.100:33009     0.0.0.0:* ... docker-proxy
udp ... 192.168.2.100:33010     0.0.0.0:* ... docker-proxy

So, it seems to work: there are client connections to the unrestricted proxy and the process is only connected to eth0, not to the Docker and WireGuard interfaces anymore.

What I don’t know is whether the above configuration has a negative impact on clients connecting via IPv6 (udp6).

1 Like
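
A repeatable version of the netstat check from the last post, as an added example that is not part of the thread: it reads lines in `netstat -tulpen` layout and lists every address other than the expected one on which a given program holds a UDP socket. The program name `proxy`, the WireGuard address 10.0.0.1, and all PIDs and inode numbers in the sample lines are constructed for illustration.

```shell
#!/bin/sh
# Added example, not from the thread. Sample lines below are constructed.

# unexpected_binds PROGRAM ALLOWED_IP   (netstat -tulpen lines on stdin)
# Prints each local address other than ALLOWED_IP that PROGRAM is bound to
# over UDP, once per address. Exit status is 1 if any were found, else 0.
unexpected_binds() {
    awk -v prog="$1" -v allowed="$2" '
        $1 ~ /^udp/ {                       # udp and udp6 rows only
            n = split($NF, p, "/")          # last field is "PID/Program name"
            if (p[n] != prog) next
            addr = $4                       # local address is field 4
            sub(/:[0-9]+$/, "", addr)       # drop the trailing :port
            if (addr != allowed && !(addr in seen)) {
                seen[addr] = 1
                print addr
                bad = 1
            }
        }
        END { exit bad + 0 }
    '
}

# Constructed sample: host networking, sockets on eth0, Docker and WireGuard.
sample_host_mode() {
cat <<'EOF'
udp 0 0 192.168.2.100:30000 0.0.0.0:* 0 41001 2210/proxy
udp 0 0 172.17.0.1:30000 0.0.0.0:* 0 41002 2210/proxy
udp 0 0 10.0.0.1:30000 0.0.0.0:* 0 41003 2210/proxy
udp 0 0 172.17.0.1:30001 0.0.0.0:* 0 41004 2210/proxy
EOF
}

# Constructed sample: ports published on the eth0 address only.
sample_published() {
cat <<'EOF'
udp 0 0 192.168.2.100:33000 0.0.0.0:* 0 52001 3120/docker-proxy
udp 0 0 192.168.2.100:33001 0.0.0.0:* 0 52002 3131/docker-proxy
EOF
}

if ! sample_host_mode | unexpected_binds proxy 192.168.2.100; then
    echo "host mode: sockets on interfaces other than eth0"
fi
if sample_published | unexpected_binds docker-proxy 192.168.2.100; then
    echo "published ports: bound to eth0 only"
fi
```

On a live host, pipe the real output in instead of a sample: `netstat -tulpen | unexpected_binds docker-proxy 192.168.2.100`, run as root so the PID/Program column is populated.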