Prerequisites

  • Qubes OS R4.1 or later with Whonix Gateway (GW) and Workstation (WS) installed (Whonix 16 or later).

Step 1: Relocating the Binary

Qubes OS, by default, ships a broken version of the snowflake client
in the bundled Whonix templates. Setting a bridge type in the Tor
Control Panel only changes the “torrc” configuration file that controls
the connection. To fix the snowflake option, we have to bypass it
entirely: we will not be using the “Bridge Type: snowflake” option, and
will instead modify the “None” Tor configuration to connect to snowflake
proxies. To get a working snowflake client, do the following:

  • Go to the blue Qubes Start Menu and select ‘Template: whonix-ws-XX’ where XX is your version, then select Xfce Terminal.
  • Go to the start menu again and open ‘Template: whonix-gw-XX’, then select Xfce Terminal.
  • On the whonix-ws template, type the following command to copy the snowflake binary to your whonix-gw template.

qvm-copy-to-vm whonix-gw-XX /var/cache/tb-binary/.tb/tor-browser/Browser/TorBrowser/Tor/PluggableTransports/snowflake-client

Replace ‘whonix-gw-XX’ with the title of the VM. A popup will appear where you can select whonix-gw-XX as the destination VM.

Step 2: Prepare the Client

  • Once copied, switch over to your ‘whonix-gw-XX’
    terminal. We will now need to copy the snowflake client to the user
    binary folder and give it permissions to be read and executed:

sudo cp /home/user/QubesIncoming/whonix-ws-XX/snowflake-client /usr/bin/snowflake-client
sudo chmod og+rx /usr/bin/snowflake-client

Be sure to replace whonix-ws-XX with the name of your
workstation template VM. Now we have a working snowflake client on the
whonix gateway template! We just have to configure Tor to utilize it. You may safely shut down the whonix-ws-XX template VM.

Step 3: Configure Tor to use Snowflake

On the whonix-gw-XX terminal, we need to edit Tor’s default configuration to use snowflake proxies. Open the following file:

sudo nano /usr/local/etc/torrc.d/50_user.conf

Inside this file, add the following lines:

UseBridges 1
ClientTransportPlugin snowflake exec /usr/bin/snowflake-client -url https://snowflake-broker.torproject.net.global.prod.fastly.net/ -front cdn.sstatic.net -ice stun:stun.l.google.com:19302,stun:stun.voip.blackberry.com:3478,stun:stun.altar.com.pl:3478,stun:stun.antisip.com:3478,stun:stun.bluesip.net:3478,stun:stun.dus.net:3478,stun:stun.epygi.com:3478,stun:stun.sonetel.com:3478,stun:stun.sonetel.net:3478,stun:stun.stunprotocol.org:3478,stun:stun.uls.co.za:3478,stun:stun.voipgate.com:3478,stun:stun.voys.nl:3478
Bridge snowflake 192.0.2.3:1

The above content also needs to be added to sys-whonix > Tor User
Config. Save this file and continue.

The ClientTransportPlugin configuration setting tells Tor to use a
custom bridge transport called “snowflake”, which is executed through
the “/usr/bin/snowflake-client” binary that we moved earlier. In order
for snowflakes to work, they need a broker to tell your client which
proxies to connect to: this is set with the -url flag. The -front flag
tells the snowflake client which domain to use for “domain fronting”.
The Whonix wiki uses cdn.sstatic.net by default, but you can find others
online.
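The three directives only work together, so a quick lint of the drop-in catches the usual mistakes before Tor is restarted. This is an added example, not part of the original guide or of Whonix; the function name, the stand-in binary and the `.example` hosts are constructed for illustration.

```shell
#!/bin/sh
# Added example: lint a torrc drop-in for the snowflake settings from Step 3.
# check_snowflake_conf FILE returns 0 when the three directives are consistent.
check_snowflake_conf() {
    conf=$1 rc=0
    grep -Eq '^[[:space:]]*UseBridges[[:space:]]+1[[:space:]]*$' "$conf" ||
        { echo "FAIL: UseBridges 1 is not set"; rc=1; }
    grep -Eq '^[[:space:]]*Bridge[[:space:]]+snowflake[[:space:]]' "$conf" ||
        { echo "FAIL: no Bridge line names the snowflake transport"; rc=1; }
    line=$(grep -E '^[[:space:]]*ClientTransportPlugin[[:space:]]+snowflake[[:space:]]+exec[[:space:]]+/' "$conf" | tail -n 1)
    [ -n "$line" ] || { echo "FAIL: no ClientTransportPlugin snowflake exec /path line"; return 1; }
    set -f; set -- $line; set +f           # split into words, no globbing
    bin=$4; shift 4
    url='' front='' ice=''
    while [ $# -ge 2 ]; do                 # collect the client flags the guide uses
        case $1 in
            -url)   url=$2;   shift ;;
            -front) front=$2; shift ;;
            -ice)   ice=$2;   shift ;;
        esac
        shift
    done
    [ -x "$bin" ] || { echo "FAIL: $bin is missing or not executable"; rc=1; }
    case $url in https://*) ;; *) echo "FAIL: -url is not an https:// URL"; rc=1 ;; esac
    [ -n "$front" ] || { echo "FAIL: -front is empty"; rc=1; }
    oldifs=$IFS; IFS=,; set -f; set -- $ice; set +f; IFS=$oldifs
    [ $# -gt 0 ] || { echo "FAIL: -ice lists no STUN servers"; rc=1; }
    for s in "$@"; do
        case $s in stun:*:*) ;; *) echo "FAIL: bad -ice entry: $s"; rc=1 ;; esac
    done
    [ "$rc" -eq 0 ] && echo "OK: $bin via front $front"
    return "$rc"
}
# Constructed sample input: a stand-in binary and two drop-in files.
demo=$(mktemp -d)
printf '#!/bin/sh\n' > "$demo/snowflake-client" && chmod +x "$demo/snowflake-client"
cat > "$demo/good.conf" <<EOF
UseBridges 1
ClientTransportPlugin snowflake exec $demo/snowflake-client -url https://broker.example/ -front front.example -ice stun:stun1.example:3478,stun:stun2.example:3478
Bridge snowflake 192.0.2.3:1
EOF
# Same file with UseBridges removed and one ICE entry that is not a STUN URI.
sed -e '/^UseBridges/d' -e 's/stun:stun2/turn:stun2/' "$demo/good.conf" > "$demo/bad.conf"
check_snowflake_conf "$demo/good.conf"
check_snowflake_conf "$demo/bad.conf" || echo "bad.conf rejected"
```

On the gateway template, point it at /usr/local/etc/torrc.d/50_user.conf after saving the file.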

Step 4: Fixing the DNS

In order for fronting to work properly, the DNS in your Whonix Gateway
has to be modified. To get the IP for fronting, open any VM terminal
connected to the internet and run the following command:

dig +short cdn.sstatic.net

The output should be 1-30 IP addresses; always take the last IP in the
chain. As of right now, it sits at 151.101.193.69, and this is what we
will use. To set up the DNS record, open your hosts file with sudo
privileges:

sudo nano /etc/hosts

Use the IP you got from the previous dig command and add it to the bottom of your hosts file:

...

151.101.193.69 cdn.sstatic.net

Save and exit. You can now safely shut down whonix-gw-XX.
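Because the hosts entry freezes an address that was only correct when dig was run, it is worth re-checking the pin whenever snowflake stops connecting. This added example is not from the original guide; the function names and the resolver answers are constructed, and only the hosts entry is the one used above.

```shell
#!/bin/sh
# Added example: detect a stale /etc/hosts pin for the front domain (Step 4).
# pinned_ips HOSTS NAME prints every address the hosts file maps NAME to.
pinned_ips() {
    awk -v name="$2" '
        { sub(/#.*/, "") }                       # drop comments
        { for (f = 2; f <= NF; f++) if (tolower($f) == tolower(name)) print $1 }
    ' "$1"
}
# check_pin HOSTS NAME RESOLVED, where RESOLVED is the output of "dig +short NAME".
# Returns 0 when every pinned address is still served, 1 when stale, 2 when unpinned.
check_pin() {
    pins=$(pinned_ips "$1" "$2")
    [ -n "$pins" ] || { echo "NOPIN: $2 is not in $1"; return 2; }
    for ip in $pins; do
        # dig +short prints one record per line (CNAMEs included): match whole lines.
        printf '%s\n' "$3" | grep -Fxq "$ip" ||
            { echo "STALE: $ip is no longer returned for $2"; return 1; }
    done
    echo "CURRENT: $2 -> $pins"
}
# Constructed sample data: the hosts entry from this guide and two resolver answers.
hosts_demo=$(mktemp)
printf '%s\n' '127.0.0.1 localhost' '# front domain pin' \
    '151.101.193.69 cdn.sstatic.net' > "$hosts_demo"
fresh='192.0.2.10
151.101.193.69'
rotated='198.51.100.10
198.51.100.11'
check_pin "$hosts_demo" cdn.sstatic.net "$fresh"
check_pin "$hosts_demo" cdn.sstatic.net "$rotated" || echo "re-run dig and update the pin"
```

In real use the third argument is the fresh `dig +short cdn.sstatic.net` output from a networked VM, compared against the hosts file in the gateway template.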

Step 5: Restart Tor and Verify

After shutting down, go to your Qube Manager and shut down / restart sys-whonix.
sys-whonix uses whonix-gw-XX as a template VM and will pick up the changes
that we made once restarted. Open the Tor Control Panel from the grey
lock icon at the top right and click “Restart Tor” (ensuring your bridges
are set to “none”). Make sure it has connected 100%, then switch to the
Logs tab and view the Tor log. Ensure the following lines are present
(you may have to scroll up):

[notice] Managed proxy "/usr/bin/snowflake-client": offer created
[notice] Managed proxy "/usr/bin/snowflake-client": broker rendezvous peer received
[notice] Managed proxy "/usr/bin/snowflake-client": connected

If these lines are present, then congratulations! You’ve successfully
connected to Tor via a snowflake bridge/proxy! I hope this guide was
informative. Please let me know if you have any questions, and I will
try to answer all that I can! If you have anything to add or any
corrections to make, please comment and keep users informed.
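Scrolling the log by eye is easy to get wrong, so the check can be scripted against a saved copy of the Tor log. This is an added example, not part of the original guide; the function name and the timestamped sample lines are constructed, using the message format quoted above.

```shell
#!/bin/sh
# Added example: confirm the three snowflake milestones from Step 5 appear,
# in order, in a saved copy of the Tor log.
# snowflake_stage LOGFILE [BINARY] prints the result and returns 0 only when
# all three stages were seen in sequence for that managed proxy.
snowflake_stage() {
    awk -v bin="${2:-/usr/bin/snowflake-client}" '
        BEGIN {
            n = split("offer created|broker rendezvous peer received|connected", want, "|")
            i = 1
            tag = "Managed proxy \"" bin "\": "
        }
        {
            p = index($0, tag)
            if (p == 0 || i > n) next
            msg = substr($0, p + length(tag))
            # Prefix match, so trailing detail after the message is tolerated.
            if (index(msg, want[i]) == 1) i++
        }
        END {
            if (i > n) { print "OK: all " n " stages seen"; exit 0 }
            print "STALLED: never saw \"" want[i] "\""
            exit 1
        }' "$1"
}
# Constructed sample logs in the line format quoted in Step 5.
logs=$(mktemp -d)
cat > "$logs/good.log" <<'EOF'
Jan 01 00:00:01.000 [notice] Bootstrapped 0% (starting): Starting
Jan 01 00:00:02.000 [notice] Managed proxy "/usr/bin/snowflake-client": offer created
Jan 01 00:00:04.000 [notice] Managed proxy "/usr/bin/snowflake-client": broker rendezvous peer received
Jan 01 00:00:06.000 [notice] Managed proxy "/usr/bin/snowflake-client": connected
EOF
# Same log cut off after the offer: no broker reply was logged.
head -n 2 "$logs/good.log" > "$logs/stalled.log"
snowflake_stage "$logs/good.log"
snowflake_stage "$logs/stalled.log" || echo "stalled.log did not reach a proxy"
```

A stall before the broker stage points at the -url, -front or hosts settings from Steps 3 and 4, since that is the path the client uses to reach the broker.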

Troubleshooting

This simple process can be somewhat intimidating, especially when
viewing the confusing Whonix Wiki guide. I’ve tried to explain in a
little more detail what is happening with each step, but there is too
much information for one post. I urge you to take an afternoon and read
through the interesting documentation topics at
whonix.org/wiki/Documentation – Have a super day and stay vigilant!

Steve Dark
