Tor client
Introduction
- This how-to describes the method for setting up Tor client on OpenWrt.
- Tor is limited to DNS and TCP traffic, use VPN to protect all traffic.
- Follow Tor extras for automated setup and additional tuning.
Goals
- Provide anonymous communication with onion routing.
- Access the dark net and Tor hidden services.
- Encrypt your internet connection to enforce security and privacy.
- Prevent traffic leaks and spoofing on the client side.
- Bypass regional restrictions using public relay providers.
- Escape client side content filters and internet censorship.
Command-line instructions
1. Tor client
Install the required packages. Configure Tor client.
# Install packages opkg update opkg install tor # Configure Tor client cat << EOF > /etc/tor/custom AutomapHostsOnResolve 1 AutomapHostsSuffixes . VirtualAddrNetworkIPv4 172.16.0.0/12 VirtualAddrNetworkIPv6 [fc00::]/8 DNSPort 0.0.0.0:9053 DNSPort [::]:9053 TransPort 0.0.0.0:9040 TransPort [::]:9040 EOF cat << EOF >> /etc/sysupgrade.conf /etc/tor EOF uci del_list tor.conf.tail_include="/etc/tor/custom" uci add_list tor.conf.tail_include="/etc/tor/custom" uci commit tor service tor restart
Disable IPv6 GUA prefix and announce IPv6 default route.
2. DNS over Tor
Configure firewall to intercept DNS traffic.
# Intercept DNS traffic uci -q del firewall.dns_int uci set firewall.dns_int="redirect" uci set firewall.dns_int.name="Intercept-DNS" uci set firewall.dns_int.family="any" uci set firewall.dns_int.proto="tcp udp" uci set firewall.dns_int.src="lan" uci set firewall.dns_int.src_dport="53" uci set firewall.dns_int.target="DNAT" uci commit firewall service firewall restart
Redirect DNS traffic to Tor and prevent DNS leaks.
# Enable DNS over Tor service dnsmasq stop uci set dhcp.@dnsmasq[0].noresolv="1" uci set dhcp.@dnsmasq[0].rebind_protection="0" uci -q delete dhcp.@dnsmasq[0].server uci add_list dhcp.@dnsmasq[0].server="127.0.0.1#9053" uci add_list dhcp.@dnsmasq[0].server="::1#9053" uci commit dhcp service dnsmasq start
3. Firewall
Configure firewall to intercept LAN traffic. Disable LAN to WAN forwarding to prevent traffic leaks.
# Intercept TCP traffic cat << "EOF" > /etc/nftables.d/tor.sh TOR_CHAIN="dstnat_$(uci -q get firewall.tcp_int.src)" TOR_RULE="$(nft -a list chain inet fw4 ${TOR_CHAIN} \ | sed -n -e "/Intercept-TCP/p")" nft replace rule inet fw4 ${TOR_CHAIN} \ handle ${TOR_RULE##* } \ fib daddr type != { local, broadcast } ${TOR_RULE} EOF uci -q delete firewall.tor_nft uci set firewall.tor_nft="include" uci set firewall.tor_nft.path="/etc/nftables.d/tor.sh" uci -q delete firewall.tcp_int uci set firewall.tcp_int="redirect" uci set firewall.tcp_int.name="Intercept-TCP" uci set firewall.tcp_int.src="lan" uci set firewall.tcp_int.src_dport="0-65535" uci set firewall.tcp_int.dest_port="9040" uci set firewall.tcp_int.proto="tcp" uci set firewall.tcp_int.family="any" uci set firewall.tcp_int.target="DNAT" # Disable LAN to WAN forwarding uci -q delete firewall.@forwarding[0] uci commit firewall service firewall restart
Testing
Verify that you are using Tor.
Check your IP and DNS provider.
Troubleshooting
Collect and analyze the following information.
# Restart services service log restart; service firewall restart; service tor restart # Log and status logread -e Tor; netstat -l -n -p | grep -e tor # Runtime configuration pgrep -f -a tor nft list ruleset # Persistent configuration uci show firewall; uci show tor; grep -v -r -e "^#" -e "^$" /etc/tor