Snowflake Tor Proxy Setup: Help Censored Users Access the Internet
Snowflake is a censorship circumvention system that disguises Tor traffic as WebRTC video calls - a traffic pattern that is difficult to block without disrupting legitimate video conferencing. Anyone can run a Snowflake proxy: from a browser extension that uses your home internet connection as a proxy (no setup required), to a standalone Go binary on a server, to a high-capacity deployment on a VPS. Snowflake has become one of the most effective censorship circumvention tools for users in China, Iran, and Russia because WebRTC is difficult to block without collateral damage. This guide covers all three Snowflake proxy deployment options.
The simplest way to run a Snowflake proxy: install the Snowflake extension for Firefox or Chrome. Firefox: visit Mozilla Add-ons and search 'Snowflake', or go to snowflake.torproject.org. Chrome: Chrome Web Store, 'Snowflake'. After installation, enable the proxy by clicking the extension icon and toggling it on. The extension runs a WebRTC-based proxy in your browser when it is open, using your internet connection to relay traffic for Tor users in censored countries. Resource usage: approximately 10-50 KB/s of bandwidth per active user connection, minimal CPU. The extension pauses when your browser is closed. For users who leave their browser open regularly, this is the easiest contribution with no server required.
Standalone Snowflake Proxy Binary
The standalone Snowflake proxy runs as a background process without requiring a browser. Install Go (go.dev/dl) or use the pre-built binary from the Tor Project. Build from source: git clone https://gitlab.torproject.org/tpo/anti-censorship/pluggable-transports/snowflake.git, cd snowflake/proxy, go build. Run: ./proxy -summary-interval 1m (logs a summary of connections every minute). The standalone proxy uses WebRTC directly without a browser. Run as a systemd service for continuous operation: create /etc/systemd/system/snowflake-proxy.service with ExecStart=/opt/snowflake/proxy and Restart=always. Enable: systemctl enable --now snowflake-proxy. The standalone proxy on a server handles more connections than a browser extension due to always-on availability and no browser overhead.
High-Capacity Snowflake Proxy on a VPS
A VPS provides always-on, high-bandwidth Snowflake proxy operation. Recommended VPS configuration: 1-2 vCPUs, 1 GB RAM, 1 Gbps network, unlimited or high bandwidth allowance. Install the standalone proxy (as above) on Ubuntu or Debian. Configure ulimits for many concurrent connections: add to /etc/security/limits.conf: * soft nofile 65536, * hard nofile 65536. Edit the proxy startup to set the capacity flag: ./proxy -capacity 100 (limits to 100 concurrent Snowflake users). Without -capacity, the proxy accepts as many users as bandwidth allows. Monitor proxy activity: ./proxy -summary-interval 1m logs connections and bytes transferred each minute. A 1 Gbps server can handle hundreds of simultaneous Snowflake connections, supporting thousands of user sessions per day.
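A hardened form of the systemd unit described above, as an added example that is not from this guide's author or the Tor Project. It assumes the binary path /opt/snowflake/proxy and the 100-client cap used in this guide, and it sets the file-descriptor limit in the unit itself, because /etc/security/limits.conf is applied by pam_limits to login sessions and does not reach services started by systemd.

```ini
# /etc/systemd/system/snowflake-proxy.service
# Added example. Assumptions: binary at /opt/snowflake/proxy and a cap of
# 100 clients (both taken from this guide); the sandboxing directives are
# this example's choices, not a Tor Project recommendation.

[Unit]
Description=Snowflake standalone proxy
After=network-online.target
Wants=network-online.target

[Service]
ExecStart=/opt/snowflake/proxy -capacity 100
Restart=always
RestartSec=5

# Per-service open-file limit. limits.conf is not consulted for units,
# so the 65536 value from the guide is set here instead.
LimitNOFILE=65536

# The proxy binds no privileged port and keeps no state on disk, so it
# can run as a transient unprivileged user with no capabilities.
DynamicUser=yes
NoNewPrivileges=yes
CapabilityBoundingSet=
AmbientCapabilities=

# Filesystem: read-only view of the system, no access to home
# directories, private /tmp and a minimal /dev.
ProtectSystem=strict
ProtectHome=yes
PrivateTmp=yes
PrivateDevices=yes

# Kernel surface the relay has no reason to touch.
ProtectKernelTunables=yes
ProtectKernelModules=yes
ProtectControlGroups=yes
RestrictNamespaces=yes
LockPersonality=yes
SystemCallArchitectures=native

# IP sockets for WebRTC and the bridge connection, netlink for
# interface enumeration, unix sockets for local name-service lookups.
RestrictAddressFamilies=AF_INET AF_INET6 AF_NETLINK AF_UNIX

[Install]
WantedBy=multi-user.target
```

After systemctl daemon-reload and a restart, the "Max open files" row in /proc/<pid>/limits for the proxy process shows whether the limit took effect, and systemd-analyze security snowflake-proxy reports the remaining exposure of the unit.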
How Snowflake Works Technically
Snowflake uses WebRTC's data channel feature to create peer-to-peer connections between Tor users and Snowflake proxies. The Snowflake broker (run by the Tor Project) matches users with available proxies. Users initiate WebRTC offers via the broker (using a WebSocket connection to the broker, which is itself hosted on Tor Project infrastructure). Proxies receive offers through the broker and respond with WebRTC answers. After the WebRTC handshake, a direct DTLS-encrypted data channel is established between user and proxy. The proxy forwards this traffic to the Snowflake bridge server at the Tor Project (bridge.snowflake.torproject.net). From the perspective of the user's ISP, the connection looks like WebRTC traffic to a proxy IP address - the same pattern as Zoom or Google Meet connections.
Privacy Considerations for Proxy Operators
Running a Snowflake proxy relays encrypted Tor traffic. What the proxy sees: WebRTC data channel traffic (encrypted DTLS), source IP of the Tor user (from WebRTC DTLS handshake), and bandwidth usage. What the proxy does not see: the content of Tor traffic (encrypted end-to-end), which .onion or clearnet sites the user accesses. The proxy operator's IP address is visible to the Tor user's ISP (they connect to the proxy) and to the Snowflake broker. Your ISP can see you are running a Snowflake proxy (WebRTC connections from many IP addresses). Legal considerations: you are relaying encrypted traffic - the legal analysis is similar to running a Tor relay. In most democracies, running a Snowflake proxy is legal. Review your ISP's terms of service for server/relay operation policies.