Tor client

Introduction

  • This how-to describes how to set up a Tor client on OpenWrt.
  • It makes your router provide access to the dark net for LAN clients.
  • Tor is limited to DNS and TCP traffic; use a VPN to protect all traffic.

Goals

  • Provide anonymous communication with onion routing.
    • Access the dark net and Tor hidden services.
  • Encrypt your internet connection to enforce security and privacy.
    • Prevent data leaks and traffic spoofing on the client side.
  • Bypass regional restrictions using public relay providers.
    • Escape client side content filters and internet censorship.

Instructions

1. Tor client

Install and configure the Tor client.

# Install packages
opkg update
opkg install tor
 
# Configure Tor client
sed -i -e "
/^AutomapHostsOnResolve/s/^/#/
\$a AutomapHostsOnResolve 1
/^VirtualAddrNetwork/s/^/#/
\$a VirtualAddrNetworkIPv4 172.16.0.0/12
\$a VirtualAddrNetworkIPv6 fc00::/7
/^DNSPort/s/^/#/
\$a DNSPort 0.0.0.0:9053
\$a DNSPort [::]:9053
/^TransPort/s/^/#/
\$a TransPort 0.0.0.0:9040
\$a TransPort [::]:9040
" /etc/tor/torrc
/etc/init.d/tor restart

2. Firewall

Set up uHTTPd to listen on alternative ports if required. Configure the firewall to intercept LAN traffic. Disable LAN to WAN forwarding to avoid traffic leaks.

# Intercept SSH, HTTP and HTTPS traffic
uci -q delete firewall.ssh_int
uci set firewall.ssh_int="redirect"
uci set firewall.ssh_int.name="Intercept-SSH"
uci set firewall.ssh_int.src="lan"
uci set firewall.ssh_int.src_dport="22"
uci set firewall.ssh_int.family="ipv4"
uci set firewall.ssh_int.proto="tcp"
uci set firewall.ssh_int.target="DNAT"
uci -q delete firewall.http_int
uci set firewall.http_int="redirect"
uci set firewall.http_int.name="Intercept-HTTP"
uci set firewall.http_int.src="lan"
uci set firewall.http_int.src_dport="8080"
uci set firewall.http_int.family="ipv4"
uci set firewall.http_int.proto="tcp"
uci set firewall.http_int.target="DNAT"
uci -q delete firewall.https_int
uci set firewall.https_int="redirect"
uci set firewall.https_int.name="Intercept-HTTPS"
uci set firewall.https_int.src="lan"
uci set firewall.https_int.src_dport="8443"
uci set firewall.https_int.family="ipv4"
uci set firewall.https_int.proto="tcp"
uci set firewall.https_int.target="DNAT"
 
# Intercept DNS and TCP traffic
uci -q delete firewall.dns_int
uci set firewall.dns_int="redirect"
uci set firewall.dns_int.name="Intercept-DNS"
uci set firewall.dns_int.src="lan"
uci set firewall.dns_int.src_dport="53"
uci set firewall.dns_int.dest_port="9053"
uci set firewall.dns_int.family="ipv4"
uci set firewall.dns_int.proto="udp"
uci set firewall.dns_int.target="DNAT"
uci -q delete firewall.tcp_int
uci set firewall.tcp_int="redirect"
uci set firewall.tcp_int.name="Intercept-TCP"
uci set firewall.tcp_int.src="lan"
uci set firewall.tcp_int.dest_port="9040"
uci set firewall.tcp_int.family="ipv4"
uci set firewall.tcp_int.proto="tcp"
uci set firewall.tcp_int.extra="--syn"
uci set firewall.tcp_int.target="DNAT"
 
# Disable LAN to WAN forwarding
uci rename firewall.@forwarding[0]="lan_wan"
uci set firewall.lan_wan.enabled="0"
uci commit firewall
/etc/init.d/firewall restart

3. NAT6

Enable NAT6 to process IPv6 traffic when using dual-stack mode.

# Enable NAT6
opkg update
opkg install kmod-ipt-nat6
cat << EOF > /etc/firewall.nat6
iptables-save -t nat \
| sed -e "/\s[DS]NAT\s/d;/\sMASQUERADE$/d" \
| ip6tables-restore -T nat
EOF
uci -q delete firewall.nat6
uci set firewall.nat6="include"
uci set firewall.nat6.path="/etc/firewall.nat6"
uci set firewall.nat6.reload="1"
uci commit firewall
/etc/init.d/firewall restart

Testing

Verify that you are using Tor.

Check your client public IP addresses.

Make sure there is no DNS leak on the client side.
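
A static audit of the two configuration files this how-to changes, as an added example that is not part of the original wiki page: it confirms that Tor listens where the firewall redirects point and that LAN to WAN forwarding is disabled. The function names and sample data are constructed for illustration; on a router, pass /etc/tor/torrc and a file holding the output of `uci show firewall`.

```shell
# Added example: static audit of the files this how-to edits (constructed data).

# Print active (uncommented) values of torrc directive $2 in file $1.
torrc_values() {
    awk -v d="$2" '$1 == d { print $2 }' "$1"
}

# Return 0 if torrc ($1) has the listeners the firewall redirects target.
check_torrc() {
    rc=0
    for want in DNSPort:9053 TransPort:9040; do
        torrc_values "$1" "${want%%:*}" | grep -Eq "(^|:)${want##*:}\$" \
            || { echo "FAIL: no active ${want%%:*} on port ${want##*:}"; rc=1; }
    done
    [ "$(torrc_values "$1" AutomapHostsOnResolve | tail -n 1)" = 1 ] \
        || { echo "FAIL: AutomapHostsOnResolve is not 1"; rc=1; }
    return "$rc"
}

# Return 0 if saved `uci show firewall` output ($1) intercepts DNS and TCP
# and has LAN to WAN forwarding disabled.
check_firewall() {
    rc=0
    for want in "firewall.dns_int.dest_port='9053'" \
                "firewall.tcp_int.dest_port='9040'" \
                "firewall.lan_wan.enabled='0'"; do
        grep -qxF "$want" "$1" || { echo "FAIL: missing $want"; rc=1; }
    done
    return "$rc"
}

# Constructed samples: a torrc as the sed script leaves it, and a firewall
# dump where forwarding was never disabled (the leak case).
SAMPLE=$(mktemp -d)
cat > "$SAMPLE/torrc" << 'EOF'
#DNSPort 5353
AutomapHostsOnResolve 1
DNSPort 0.0.0.0:9053
DNSPort [::]:9053
TransPort 0.0.0.0:9040
TransPort [::]:9040
EOF
cat > "$SAMPLE/firewall" << 'EOF'
firewall.dns_int.dest_port='9053'
firewall.tcp_int.dest_port='9040'
firewall.lan_wan.enabled='1'
EOF
check_torrc "$SAMPLE/torrc" && echo "torrc OK"
check_firewall "$SAMPLE/firewall" || echo "firewall would leak"
```

A passing audit only shows the configuration is in place; the client-side checks above are still needed to confirm that traffic actually leaves through Tor.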

Troubleshooting

Collect and analyze the following information.

# Restart the services
/etc/init.d/log restart; /etc/init.d/tor restart
 
# Log and status
logread -e Tor; netstat -l -n -p | grep -e tor
 
# Runtime configuration
pgrep -f -a tor
ip address show; ip route show; ip rule show; iptables-save
ip -6 address show; ip -6 route show; ip -6 rule show; ip6tables-save
 
# Persistent configuration
grep -v -e "^#" -e "^$" /etc/tor/torrc
docs/guide-user/services/tor/client.txt · Last modified: 2019/09/18 13:47 by vgaetera