Add NAT/firewall setup instructions for Snowflake
https://gitlab.torproject.org/tpo/web/community/-/tree/main/content/relay/setup/snowflake
Need to add instructions for how to set up the machine for it to have an "unrestricted NAT".
Typical firewall settings appear to result in a "restricted NAT", even if the machine has a dedicated IP (no NAT) (see this forum post, for example), while an unrestricted one is more desirable. (Although I might be wrong, since the metrics say that there are ~2000 unrestricted proxies?) We already have instructions for regular Tor relays, but WebRTC (ICE) is a different kind of beast.
Need to consider both the NATed (say, behind a router), and the dedicated IP cases.
In case there's no NAT, simply allowing all incoming connections to the entire allowed port range should solve the problem, allowing the use of host ICE candidates, but it compromises security, because another app may get assigned an ephemeral port from that range. So I thought maybe there is a way to disable filtering for the Snowflake process specifically. Or maybe use a non-ephemeral port range so that other apps can't randomly get a port from that range (but this may affect censorship-resistance). Or maybe there is a way to have one dedicated port for Snowflake (is SetICEUDPMux it?) which can be opened up, with fallback to ephemeral ports in case the client's censor blocks that one.
There may be better mechanisms that I'm just not aware of since I'm not that good at networking (in both meanings of the word XD).
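As an added example, not from the Snowflake project or from this issue, the script below shows the dedicated-IP, non-ephemeral-range option worked through: it reads the kernel's ephemeral port range, checks that a candidate range for Snowflake's ICE sockets does not overlap it (so no unrelated app can be handed one of the opened ports), and prints the firewall rule that admits new inbound UDP flows to that range. The chain name `inet filter input`, the constructed range 30000-30099 and the proxy's `-ephemeral-ports-range` flag are assumptions; check the host's actual firewall layout and `proxy -help` before using them.

```shell
#!/bin/sh
# Added example (not Snowflake project code): choose a dedicated UDP port
# range for a Snowflake proxy on a host with a public IP, make sure it lies
# outside the kernel's ephemeral range, and emit the matching firewall rule.

# Kernel ephemeral range on Linux as "LOW HIGH". Falls back to the common
# Linux default when the sysctl file is not readable (non-Linux host).
ephemeral_range() {
    if [ -r /proc/sys/net/ipv4/ip_local_port_range ]; then
        cat /proc/sys/net/ipv4/ip_local_port_range
    else
        echo "32768 60999"
    fi
}

# Succeeds when [LO,HI] and [ELO,EHI] share at least one port.
range_overlaps() {
    [ "$1" -le "$4" ] && [ "$2" -ge "$3" ]
}

# Validate a candidate Snowflake range LO HI against ephemeral range ELO EHI.
# Fails (with a reason on stderr) if the range is unusable.
check_snowflake_range() {
    lo=$1; hi=$2; elo=$3; ehi=$4
    if [ "$lo" -lt 1024 ] || [ "$hi" -gt 65535 ] || [ "$lo" -gt "$hi" ]; then
        echo "range $lo-$hi is not a valid unprivileged port range" >&2
        return 1
    fi
    if range_overlaps "$lo" "$hi" "$elo" "$ehi"; then
        echo "range $lo-$hi overlaps ephemeral range $elo-$ehi; another app could bind a port in it" >&2
        return 1
    fi
    return 0
}

# nftables rule admitting new inbound UDP flows to the range, so that host ICE
# candidates are reachable. Chain "inet filter input" is an assumption.
snowflake_nft_rule() {
    echo "nft add rule inet filter input udp dport $1-$2 ct state new accept comment \"snowflake-ice\""
}

# Equivalent rule for hosts still managed with iptables.
snowflake_iptables_rule() {
    echo "iptables -A INPUT -p udp --dport $1:$2 -m conntrack --ctstate NEW -m comment --comment snowflake-ice -j ACCEPT"
}

main() {
    lo=${1:-30000}; hi=${2:-30099}      # constructed example range (100 ports)
    set -- $(ephemeral_range)           # $1=ELO $2=EHI
    if check_snowflake_range "$lo" "$hi" "$1" "$2"; then
        snowflake_nft_rule "$lo" "$hi"
        snowflake_iptables_rule "$lo" "$hi"
        echo "# then restrict the proxy's ICE sockets to this range, e.g."
        echo "# proxy -ephemeral-ports-range $lo:$hi   (flag name assumed; confirm with proxy -help)"
    fi
}

main "$@"
```

Keeping the range below the kernel's ephemeral range is what makes the opened ports safe to expose: sockets bound without an explicit port are allocated from `ip_local_port_range`, so nothing else on the host lands in the Snowflake range by accident. Running with only this one range open is the "dedicated ports" variant of the setup; the fallback-to-ephemeral idea from the issue would need a second, wider rule and reintroduces the overlap the check above rejects.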
Related: