Tor client

  • This how-to describes how to set up a Tor client on OpenWrt.
  • It makes your router provide access to the dark net for LAN clients.
  • Tor is limited to DNS and TCP traffic; use a VPN to protect all traffic.
  • Follow Tor extras for additional tuning.
  • Provide anonymous communication with onion routing.
    • Access the dark net and Tor hidden services.
  • Encrypt your internet connection to enforce security and privacy.
    • Prevent data leaks and traffic spoofing on the client side.
  • Bypass regional restrictions using public relay providers.
    • Escape client side content filters and internet censorship.

Install and configure the Tor client.

# Install packages
opkg update
opkg install tor
# Configure Tor client
cat << EOF > /etc/tor/main
AutomapHostsOnResolve 1
VirtualAddrNetworkIPv6 fc00::/7
DNSPort [::]:9053
TransPort [::]:9040
EOF
uci del_list tor.conf.tail_include="/etc/tor/main"
uci add_list tor.conf.tail_include="/etc/tor/main"
uci commit tor
/etc/init.d/tor restart

Set up uHTTPd to listen on alternative ports if required. Configure the firewall to intercept LAN traffic. Disable LAN to WAN forwarding to avoid traffic leaks.

# Intercept SSH, HTTP and HTTPS traffic
uci -q delete firewall.ssh_int
uci set firewall.ssh_int="redirect"
uci set firewall.ssh_int.name="Intercept-SSH"
uci set firewall.ssh_int.src="lan"
uci set firewall.ssh_int.src_dport="22"
uci set firewall.ssh_int.proto="tcp"
uci set firewall.ssh_int.target="DNAT"
uci -q delete firewall.http_int
uci set firewall.http_int="redirect"
uci set firewall.http_int.name="Intercept-HTTP"
uci set firewall.http_int.src="lan"
uci set firewall.http_int.src_dport="8080"
uci set firewall.http_int.proto="tcp"
uci set firewall.http_int.target="DNAT"
uci -q delete firewall.https_int
uci set firewall.https_int="redirect"
uci set firewall.https_int.name="Intercept-HTTPS"
uci set firewall.https_int.src="lan"
uci set firewall.https_int.src_dport="8443"
uci set firewall.https_int.proto="tcp"
uci set firewall.https_int.target="DNAT"
# Intercept DNS and TCP traffic
uci -q delete firewall.dns_int
uci set firewall.dns_int="redirect"
uci set firewall.dns_int.name="Intercept-DNS"
uci set firewall.dns_int.src="lan"
uci set firewall.dns_int.src_dport="53"
uci set firewall.dns_int.dest_port="9053"
uci set firewall.dns_int.proto="udp"
uci set firewall.dns_int.target="DNAT"
uci -q delete firewall.tcp_int
uci set firewall.tcp_int="redirect"
uci set firewall.tcp_int.name="Intercept-TCP"
uci set firewall.tcp_int.src="lan"
uci set firewall.tcp_int.dest_port="9040"
uci set firewall.tcp_int.proto="tcp"
uci set firewall.tcp_int.extra="--syn"
uci set firewall.tcp_int.target="DNAT"
# Disable LAN to WAN forwarding
uci rename firewall.@forwarding[0]="lan_wan"
uci set firewall.lan_wan.enabled="0"
uci commit firewall
/etc/init.d/firewall restart

Enable NAT6 to process IPv6 traffic when using dual-stack mode.

# Enable NAT6
opkg update
opkg install kmod-ipt-nat6
cat << "EOF" > /etc/firewall.nat6
iptables-save -t nat \
| sed -e "/\s[DS]NAT\s/d;/\sMASQUERADE$/d;/\s--match-set\s\S*/s//\06/" \
| ip6tables-restore -T nat
EOF
uci -q delete firewall.nat6
uci set firewall.nat6="include"
uci set firewall.nat6.path="/etc/firewall.nat6"
uci set firewall.nat6.reload="1"
uci commit firewall
/etc/init.d/firewall restart

Verify that you are using Tor.

Check your client public IP addresses.

Make sure there is no DNS leak on the client side.

Collect and analyze the following information.

# Restart services
/etc/init.d/log restart; /etc/init.d/firewall restart; /etc/init.d/tor restart
# Log and status
logread -e Tor; netstat -l -n -p | grep -e tor
# Runtime configuration
pgrep -f -a tor
iptables-save; ip6tables-save
# Persistent configuration
uci show firewall; uci show tor; grep -v -r -e "^#" -e "^$" /etc/tor
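
One way to analyze the collected `uci show firewall` output, as an added example that is not part of the original how-to: it checks that the DNS and TCP intercepts point at the DNSPort and TransPort configured above, and that the renamed `lan_wan` section really is the LAN to WAN forwarding and is disabled. The function names (`opt`, `expect`, `audit_tor_fw`, `sample_cfg`) and the sample input are constructed for illustration.

```sh
# Added example (not from the original how-to): audit `uci show firewall`.
# opt CFG KEY: print the value of firewall.KEY found in CFG, quotes stripped
opt() {
    printf '%s\n' "$1" | sed -n "s/^firewall\.$2=//p" | tr -d "'" | head -n 1
}

# expect CFG KEY WANT MESSAGE: print MESSAGE and set rc=1 on a mismatch
expect() {
    [ "$(opt "$1" "$2")" = "$3" ] && return 0
    echo "FAIL: $4 (firewall.$2 should be '$3')"
    rc=1
}

# audit_tor_fw: read `uci show firewall` on stdin; return 0 only when both
# intercepts are in place and LAN to WAN forwarding is off.
audit_tor_fw() {
    cfg=$(cat); rc=0
    expect "$cfg" dns_int           redirect "DNS intercept missing"
    expect "$cfg" dns_int.proto     udp      "DNS intercept is not UDP"
    expect "$cfg" dns_int.src_dport 53       "DNS intercept does not match port 53"
    expect "$cfg" dns_int.dest_port 9053     "DNS not redirected to the DNSPort"
    expect "$cfg" tcp_int           redirect "TCP intercept missing"
    expect "$cfg" tcp_int.dest_port 9040     "TCP not redirected to the TransPort"
    # A src_dport here would narrow the catch-all to selected ports
    expect "$cfg" tcp_int.src_dport ""       "TCP intercept is limited to some ports"
    # The how-to renames @forwarding[0]; confirm that section is lan -> wan
    expect "$cfg" lan_wan.src       lan      "lan_wan does not start at lan"
    expect "$cfg" lan_wan.dest      wan      "lan_wan does not end at wan"
    expect "$cfg" lan_wan.enabled   0        "LAN to WAN forwarding is enabled"
    return "$rc"
}

# Constructed sample of `uci show firewall` output, not captured from a device
sample_cfg() {
    cat << 'EOF'
firewall.dns_int=redirect
firewall.dns_int.src_dport='53'
firewall.dns_int.dest_port='9053'
firewall.dns_int.proto='udp'
firewall.tcp_int=redirect
firewall.tcp_int.dest_port='9040'
firewall.lan_wan=forwarding
firewall.lan_wan.src='lan'
firewall.lan_wan.dest='wan'
firewall.lan_wan.enabled='0'
EOF
}

sample_cfg | audit_tor_fw && echo "OK: intercepts present, LAN to WAN off"
```

On the router, run `uci show firewall | audit_tor_fw` after restarting the firewall.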
  • Last modified: 2020/12/15 23:20
  • by vgaetera