Opened 3 months ago

#23257 new defect

Snowflake doesn't connect on the CalVisitor network

Reported by: dcf Owned by:
Priority: Medium Milestone:
Component: Obfuscation/Snowflake Version:
Severity: Normal Keywords:
Cc: Actual Points:
Parent ID: Points:
Reviewer: Sponsor:

Description

Snowflake doesn't work on one of the wireless networks at UC Berkeley. It sends an offer and receives an answer, but then hangs here:

2017/08/16 13:56:38 ---- Handler: snowflake assigned ----
2017/08/16 13:56:38 Buffered 203 bytes --> WebRTC
2017/08/16 13:56:43 Traffic Bytes (in|out): 0 | 203 -- (0 OnMessages, 1 Sends)

I initially suspected that it had something to do with the network not assigning a public IPv4 address, only a public IPv6 address. I moved our existing proxy-go instances to a host with an IPv6 address, and that didn't help.

Here's the part of the log where client gathers its candidates. Notice the IPv6 address 2607:f140:6000:2:c53e:4d3e:19d5:d94c and the IPv4 address 10.105.136.190.

2017/08/16 13:55:58 WebRTC: DataChannel created.
2017/08/16 13:55:58 candidate:1109156821 1 udp 2122262783 2607:f140:6000:2:c53e:4d3e:19d5:d94c 56748 typ host generation 0 ufrag 3h4p network-id 2 network-cost 50
2017/08/16 13:55:58 candidate:2027054270 1 udp 2122194687 10.105.136.190 61395 typ host generation 0 ufrag 3h4p network-id 1 network-cost 50
2017/08/16 13:55:58 candidate:211787557 1 tcp 1518283007 2607:f140:6000:2:c53e:4d3e:19d5:d94c 49259 typ host tcptype passive generation 0 ufrag 3h4p network-id 2 network-cost 50
2017/08/16 13:55:58 candidate:911317070 1 tcp 1518214911 10.105.136.190 49260 typ host tcptype passive generation 0 ufrag 3h4p network-id 1 network-cost 50
2017/08/16 13:55:59 SOCKS accepted:  {0.0.3.0:1  map[]}

Here's an abridged form of the answer. Notice how the candidates (a=candidate:) include both IPv6 2a00:c6c0:0:151:4:8f94:69f5:7c01 and IPv4 37.218.242.151. However, the connection address (c=) is the IPv4 address.

o=- 5000276783403536546 2 IN IP4 127.0.0.1
m=application 41242 DTLS/SCTP 5000
c=IN IP4 37.218.242.151
a=candidate:836092752 1 udp 2122262783 2a00:c6c0:0:151:4:8f94:69f5:7c01 40571 typ host generation 0 network-id 1 network-cost 50
a=candidate:404726760 1 udp 2122194687 37.218.242.151 41242 typ host generation 0 network-id 2 network-cost 50
a=candidate:2136358816 1 tcp 1518283007 2a00:c6c0:0:151:4:8f94:69f5:7c01 39103 typ host tcptype passive generation 0 network-id 1 network-cost 50
a=candidate:1453088536 1 tcp 1518214911 37.218.242.151 49703 typ host tcptype passive generation 0 network-id 2 network-cost 50

Is this one of those weird NAT cases where a TURN server is needed? Is that why it's not working? The CalVisitor does block some applications like IMAP.

I tested this with Tor Browser 7.5a4 for mac.

Child Tickets

Change History (0)

Note: See TracTickets for help on using tickets.