Tor client

  • This how-to describes the method for setting up Tor client on OpenWrt.
  • Tor is limited to DNS and TCP traffic, use VPN to protect all traffic.
  • Follow Tor extras for additional tuning.
  • Provide anonymous communication with onion routing.
    • Access the dark net and Tor hidden services.
  • Encrypt your internet connection to enforce security and privacy.
    • Prevent data leak and traffic spoofing on the client side.
  • Bypass regional restrictions using public relay providers.
    • Escape client side content filters and internet censorship.

Install and configure Tor client. Enable IPv6 by default and announce the default IPv6 route if required.

# Install packages
opkg update
opkg install tor ipset
# Configure Tor client
cat << EOF > /etc/tor/custom
AutomapHostsOnResolve 1
AutomapHostsSuffixes .
VirtualAddrNetworkIPv6 fc00::/7
DNSPort [::]:9053
TransPort [::]:9040
cat << EOF >> /etc/sysupgrade.conf
uci del_list tor.conf.tail_include="/etc/tor/custom"
uci add_list tor.conf.tail_include="/etc/tor/custom"
uci commit tor
/etc/init.d/tor restart

Set up IP sets for Tor destinations. Configure firewall to intercept LAN traffic. Disable LAN to WAN forwarding to avoid traffic leak.

# Fetch LAN subnet
. /lib/functions/
network_get_subnet NET_SUB lan
network_get_subnet6 NET_SUB6 lan
# Configure IP sets
uci -q delete firewall.tor
uci set firewall.tor="ipset"
uci set"tor"
uci set"ipv4"
uci set"hash"
uci set firewall.tor.match="net"
uci add_list firewall.tor.entry=" nomatch"
uci add_list firewall.tor.entry="${NET_SUB} nomatch"
uci add_list firewall.tor.entry=""
uci add_list firewall.tor.entry=""
uci -q delete firewall.tor6
uci set firewall.tor6="ipset"
uci set"tor6"
uci set"ipv6"
uci set"hash"
uci set firewall.tor6.match="net"
uci add_list firewall.tor6.entry="::1/128 nomatch"
uci add_list firewall.tor6.entry="fe80::/10 nomatch"
uci add_list firewall.tor6.entry="${NET_SUB6} nomatch"
uci add_list firewall.tor6.entry="::/1"
uci add_list firewall.tor6.entry="8000::/1"
# Intercept TCP traffic
uci -q delete firewall.tcp_int
uci set firewall.tcp_int="redirect"
uci set"Intercept-TCP"
uci set firewall.tcp_int.src="lan"
uci set firewall.tcp_int.dest_port="9040"
uci set firewall.tcp_int.proto="tcp"
uci set firewall.tcp_int.extra="--syn"
uci set firewall.tcp_int.ipset="tor dest"
uci set"DNAT"
# Disable LAN to WAN forwarding
uci rename firewall.@forwarding[0]="lan_wan"
uci set firewall.lan_wan.enabled="0"
uci commit firewall
/etc/init.d/firewall restart

Configure firewall to intercept DNS traffic.

# Intercept DNS traffic
uci -q delete firewall.dns_int
uci set firewall.dns_int="redirect"
uci set"Intercept-DNS"
uci set firewall.dns_int.src="lan"
uci set firewall.dns_int.src_dport="53"
uci set firewall.dns_int.proto="tcp udp"
uci set"DNAT"
uci commit firewall
/etc/init.d/firewall restart

Redirect DNS traffic to Tor.

# Enable DNS over Tor
/etc/init.d/dnsmasq stop
uci set dhcp.@dnsmasq[0].boguspriv="0"
uci set dhcp.@dnsmasq[0].rebind_protection="0"
uci set dhcp.@dnsmasq[0].noresolv="1"
uci -q delete dhcp.@dnsmasq[0].server
uci add_list dhcp.@dnsmasq[0].server=""
uci add_list dhcp.@dnsmasq[0].server="::1#9053"
uci commit dhcp
/etc/init.d/dnsmasq start

Enable NAT6 to process IPv6 traffic when using dual-stack mode.

# Install packages
opkg update
opkg install kmod-ipt-nat6
# Enable NAT6
cat << "EOF" > /etc/firewall.nat6
iptables-save -t nat \
| sed -e "/\s[DS]NAT\s/d;/\sMASQUERADE$/d;/\s--match-set\s\S*/s//\06/" \
| ip6tables-restore -T nat
cat << "EOF" >> /etc/sysupgrade.conf
uci -q delete firewall.nat6
uci set firewall.nat6="include"
uci set firewall.nat6.path="/etc/firewall.nat6"
uci set firewall.nat6.reload="1"
uci commit firewall
/etc/init.d/firewall restart

Verify that you are using Tor.

Check your client public IP addresses.

Make sure there is no DNS leak on the client side.

Collect and analyze the following information.

# Restart services
/etc/init.d/log restart; /etc/init.d/firewall restart; /etc/init.d/tor restart
# Log and status
logread -e Tor; netstat -l -n -p | grep -e tor
# Runtime configuration
pgrep -f -a tor
iptables-save; ip6tables-save
# Persistent configuration
uci show firewall; uci show tor; grep -v -r -e "^#" -e "^$" /etc/tor
This website uses cookies. By using the website, you agree with storing cookies on your computer. Also you acknowledge that you have read and understand our Privacy Policy. If you do not agree leave the website.More information about cookies
  • Last modified: 2021/05/06 08:45
  • by vgaetera