Tor client

Introduction

  • This guide describes how to configure OpenWrt to run a Tor client.
  • It makes your router provide access to the dark net for LAN clients.
  • Tor only carries DNS and TCP traffic; use a VPN if you need to protect all traffic.

Goals

  • Provide anonymous communication via onion routing.
    • Access the dark net and Tor hidden services.
  • Encrypt your internet connection to enforce security and privacy.
    • Prevent data leaks and traffic spoofing on the client side.
  • Bypass regional restrictions using public relay providers.
    • Escape client side content filters and internet censorship.

Instructions

1. Tor client

Install and configure the Tor client.

# Install packages
opkg update
opkg install tor
 
# Configure Tor client
sed -i -e "
/^AutomapHostsOnResolve/s/^/#/
\$a AutomapHostsOnResolve 1
/^VirtualAddrNetwork/s/^/#/
\$a VirtualAddrNetworkIPv4 172.16.0.0/12
\$a VirtualAddrNetworkIPv6 fc00::/7
/^DNSPort/s/^/#/
\$a DNSPort 0.0.0.0:9053
\$a DNSPort [::]:9053
/^TransPort/s/^/#/
\$a TransPort 0.0.0.0:9040
\$a TransPort [::]:9040
" /etc/tor/torrc
service tor restart

2. Firewall

Configure the firewall to intercept DNS and TCP traffic from the LAN.

# Intercept DNS and TCP traffic
uci -q delete firewall.tordns
uci set firewall.tordns="redirect"
uci set firewall.tordns.name="Intercept-DNS"
uci set firewall.tordns.src="lan"
uci set firewall.tordns.src_dport="53"
uci set firewall.tordns.dest_port="9053"
uci set firewall.tordns.family="ipv4"
uci set firewall.tordns.proto="udp"
uci set firewall.tordns.target="DNAT"
uci -q delete firewall.tortrans
uci set firewall.tortrans="redirect"
uci set firewall.tortrans.name="Intercept-TCP"
uci set firewall.tortrans.src="lan"
uci set firewall.tortrans.src_dport="!22"
uci set firewall.tortrans.dest_port="9040"
uci set firewall.tortrans.family="ipv4"
uci set firewall.tortrans.proto="tcp"
uci set firewall.tortrans.extra="--syn"
uci set firewall.tortrans.target="DNAT"
uci commit firewall
service firewall restart

3. NAT6

If using dual-stack mode, enable NAT6 so that IPv6 traffic is intercepted as well.

# Enable NAT6
opkg update
opkg install kmod-ipt-nat6
cat << EOF > /etc/firewall.nat6
iptables-save --table="nat" \
| sed -e "/\s[DS]NAT\s/d;/\sMASQUERADE$/d" \
| ip6tables-restore --table="nat"
EOF
uci -q delete firewall.nat6
uci set firewall.nat6="include"
uci set firewall.nat6.path="/etc/firewall.nat6"
uci set firewall.nat6.reload="1"
uci commit firewall
service firewall restart
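The following script is an added example and is not part of the wiki page or of OpenWrt. It applies the same sed filter that the NAT6 include above uses to a constructed nat-table dump shaped like fw3 output, so you can see which rules actually reach ip6tables, and it checks that both interception rules from the firewall step are present. The rule text, chain names and addresses are constructed, not captured from a router.

```sh
#!/bin/sh
# Added example (not from the wiki page). The nat table below is CONSTRUCTED
# to resemble fw3 iptables-save output; it was not captured from a real router.
SAMPLE_NAT='*nat
:PREROUTING ACCEPT [0:0]
:zone_lan_prerouting - [0:0]
:zone_wan_prerouting - [0:0]
:zone_wan_postrouting - [0:0]
-A PREROUTING -i br-lan -j zone_lan_prerouting
-A zone_lan_prerouting -p udp -m udp --dport 53 -m comment --comment "!fw3: Intercept-DNS" -j REDIRECT --to-ports 9053
-A zone_lan_prerouting -p tcp -m tcp ! --dport 22 --tcp-flags FIN,SYN,RST,ACK SYN -m comment --comment "!fw3: Intercept-TCP" -j REDIRECT --to-ports 9040
-A zone_wan_prerouting -p tcp -m tcp --dport 8080 -m comment --comment "!fw3: web" -j DNAT --to-destination 192.168.1.10:80
-A zone_wan_postrouting -m comment --comment "!fw3" -j MASQUERADE
COMMIT'

# Same expression as /etc/firewall.nat6: drop SNAT/DNAT rules (they carry
# IPv4 addresses ip6tables cannot load) and MASQUERADE; keep the rest.
nat6_filter() {
    sed -e '/\s[DS]NAT\s/d;/\sMASQUERADE$/d'
}

# Number of "-A" rules that survive the filter and are handed to ip6tables.
surviving_rule_count() {
    printf '%s\n' "$SAMPLE_NAT" | nat6_filter | grep -c '^-A'
}

# Rules still carrying an IPv4 literal after filtering; must be 0 or
# ip6tables-restore will reject the table.
ipv4_leftovers() {
    printf '%s\n' "$SAMPLE_NAT" | nat6_filter \
        | grep -c -E '([0-9]{1,3}\.){3}[0-9]{1,3}' || true
}

# True when both Tor interception rules exist in the lan prerouting chain:
# UDP/53 -> 9053 (DNSPort) and TCP -> 9040 (TransPort).
tor_intercept_ok() {
    printf '%s\n' "$SAMPLE_NAT" \
        | grep -q -- '-A zone_lan_prerouting -p udp .*--dport 53 .*-j REDIRECT --to-ports 9053' &&
    printf '%s\n' "$SAMPLE_NAT" \
        | grep -q -- '-A zone_lan_prerouting -p tcp .*-j REDIRECT --to-ports 9040'
}

printf 'rules forwarded to ip6tables: %s\n' "$(surviving_rule_count)"
printf 'rules with IPv4 literals left: %s\n' "$(ipv4_leftovers)"
if tor_intercept_ok; then echo "DNS and TCP interception rules present"; fi
```

On a real router replace SAMPLE_NAT with the output of `iptables-save --table="nat"` to check the live rule set.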

Testing

Verify that you are using Tor.

Check your client's public IP addresses.

Make sure there is no DNS leak on the client side.

Troubleshooting

Collect and analyze the following information.

# Restart the services
service log restart; service tor restart
 
# Log and status
logread -e Tor; netstat -l -n -p | grep -e tor
 
# Runtime configuration
pgrep -f -a tor
ip addr show; ip route show; ip rule show; iptables-save
ip -6 addr show; ip -6 route show; ip -6 rule show; ip6tables-save
 
# Persistent configuration
grep -v -e "^#" -e "^$" /etc/tor/torrc

docs/guide-user/services/tor/client.txt · Last modified: 2019/04/28 02:36 by vgaetera