Previous revision: docs:guide-user:services:tor:client [2020/08/27 10:23] – [Troubleshooting] vgaetera
Current revision: docs:guide-user:services:tor:client [2023/10/18 07:17] (current) – intercept DNS before TCP as it can use 53/TCP vgaetera
Line 1: Line 1:
 ====== Tor client ====== ====== Tor client ======
-{{section>meta:infobox:howto_links#cli_skills&noheader&nofooter&noeditbutton}}+{{section>meta:infobox:howto_links#basic_skills&noheader&nofooter&noeditbutton}}
  
 ===== Introduction ===== ===== Introduction =====
   * This how-to describes the method for setting up [[wp>Tor_(anonymity_network)|Tor]] client on OpenWrt.   * This how-to describes the method for setting up [[wp>Tor_(anonymity_network)|Tor]] client on OpenWrt.
-  * It makes your router provide access to the dark net for LAN clients. 
   * Tor is limited to DNS and TCP traffic, use [[docs:guide-user:services:vpn:start|VPN]] to protect all traffic.   * Tor is limited to DNS and TCP traffic, use [[docs:guide-user:services:vpn:start|VPN]] to protect all traffic.
-  * Follow [[docs:guide-user:services:tor:extra|Tor extras]] for additional tuning.+  * Follow [[docs:guide-user:services:tor:extras|Tor extras]] for automated setup and additional tuning.
  
 ===== Goals ===== ===== Goals =====
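Review bot: the infobox anchor moves from `cli_skills` to `basic_skills` while the procedure further down is renamed "Command-line instructions" and still consists entirely of uci commands and shell heredocs; unless `basic_skills` is simply the new name of the same anchor in `meta:infobox:howto_links`, this lowers the stated prerequisite for a page that remains CLI-only, so keep the CLI skills reference or confirm the anchor rename. The link correction from `tor:extra` to `tor:extras` is right, and dropping the "dark net" bullet from the introduction is fine since the same goal is still listed under Goals.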
Line 12: Line 11:
     * Access the dark net and Tor hidden services.     * Access the dark net and Tor hidden services.
   * Encrypt your internet connection to enforce security and privacy.   * Encrypt your internet connection to enforce security and privacy.
-    * Prevent data leak and traffic spoofing on the client side.+    * Prevent traffic leaks and spoofing on the client side.
   * Bypass regional restrictions using public relay providers.   * Bypass regional restrictions using public relay providers.
     * Escape client side content filters and internet censorship.     * Escape client side content filters and internet censorship.
  
-===== Instructions =====+===== Command-line instructions =====
 ==== 1. Tor client ==== ==== 1. Tor client ====
-Install and configure Tor client.+Install the required packages. 
 +Configure Tor client.
  
 <code bash> <code bash>
Line 26: Line 26:
  
 # Configure Tor client # Configure Tor client
-sed -i -e " +cat << EOF > /etc/tor/custom 
-/^AutomapHostsOnResolve/s/^/#+AutomapHostsOnResolve 1 
-\$a AutomapHostsOnResolve 1 +AutomapHostsSuffixes . 
-/^VirtualAddrNetwork/s/^/#/ +VirtualAddrNetworkIPv4 172.16.0.0/12 
-\$a VirtualAddrNetworkIPv4 172.16.0.0/12 +VirtualAddrNetworkIPv6 [fc00::]/8 
-\$a VirtualAddrNetworkIPv6 fc00::/7 +DNSPort 0.0.0.0:9053 
-/^DNSPort/s/^/#/ +DNSPort [::]:9053 
-\$a DNSPort 0.0.0.0:9053 +TransPort 0.0.0.0:9040 
-\$a DNSPort [::]:9053 +TransPort [::]:9040 
-/^TransPort/s/^/#/ +EOF 
-\$a TransPort 0.0.0.0:9040 +cat << EOF >> /etc/sysupgrade.conf 
-\$a TransPort [::]:9040 +/etc/tor 
-" /etc/tor/torrc +EOF 
-/etc/init.d/tor restart+uci del_list tor.conf.tail_include="/etc/tor/custom" 
 +uci add_list tor.conf.tail_include="/etc/tor/custom" 
 +uci commit tor 
 +service tor restart
 </code> </code>
  
-==== 2. Firewall ==== +Disable [[docs:guide-user:network:ipv6:ipv6_extras#disabling_gua_prefix|IPv6 GUA prefix]] and announce [[docs:guide-user:network:ipv6:ipv6_extras#announcing_ipv6_default_route|IPv6 default route]]. 
-Set up uHTTPd to listen on [[docs:guide-user:luci:luci.essentials#alternative_ports|alternative ports]] if required. + 
-Configure firewall to intercept LAN traffic. +==== 2. DNS over Tor ==== 
-Disable LAN to WAN forwarding to avoid traffic leak.+{{section>docs:guide-user:firewall:fw3_configurations:intercept_dns#command-line_instructions&noheader&nofooter&noeditbutton}} 
 + 
 +Redirect DNS traffic to Tor and prevent DNS leaks.
  
 <code bash> <code bash>
-Intercept SSH, HTTP and HTTPS traffic +Enable DNS over Tor 
-uci -q delete firewall.ssh_int +service dnsmasq stop 
-uci set firewall.ssh_int="redirect" +uci set dhcp.@dnsmasq[0].noresolv="1
-uci set firewall.ssh_int.name="Intercept-SSH+uci set dhcp.@dnsmasq[0].rebind_protection="0
-uci set firewall.ssh_int.src="lan" +uci -q delete dhcp.@dnsmasq[0].server 
-uci set firewall.ssh_int.src_dport="22" +uci add_list dhcp.@dnsmasq[0].server="127.0.0.1#9053
-uci set firewall.ssh_int.proto="tcp" +uci add_list dhcp.@dnsmasq[0].server="::1#9053
-uci set firewall.ssh_int.target="DNAT+uci commit dhcp 
-uci -q delete firewall.http_int +service dnsmasq start 
-uci set firewall.http_int="redirect" +</code>
-uci set firewall.http_int.name="Intercept-HTTP" +
-uci set firewall.http_int.src="lan" +
-uci set firewall.http_int.src_dport="8080+
-uci set firewall.http_int.proto="tcp+
-uci set firewall.http_int.target="DNAT" +
-uci -q delete firewall.https_int +
-uci set firewall.https_int="redirect" +
-uci set firewall.https_int.name="Intercept-HTTPS" +
-uci set firewall.https_int.src="lan" +
-uci set firewall.https_int.src_dport="8443" +
-uci set firewall.https_int.proto="tcp" +
-uci set firewall.https_int.target="DNAT"+
  
-# Intercept DNS and TCP traffic +==== 3. Firewall ==== 
-uci -q delete firewall.dns_int +Configure firewall to intercept LAN traffic. 
-uci set firewall.dns_int="redirect" +Disable LAN to WAN forwarding to prevent traffic leaks. 
-uci set firewall.dns_int.name="Intercept-DNS+ 
-uci set firewall.dns_int.src="lan" +<code bash> 
-uci set firewall.dns_int.src_dport="53" +# Intercept TCP traffic 
-uci set firewall.dns_int.dest_port="9053+cat << "EOF" > /etc/nftables.d/tor.sh 
-uci set firewall.dns_int.proto="udp" +TOR_CHAIN="dstnat_$(uci -q get firewall.tcp_int.src)" 
-uci set firewall.dns_int.target="DNAT"+TOR_RULE="$(nft -a list chain inet fw4 ${TOR_CHAIN} \ 
 +| sed -n -e "/Intercept-TCP/p")
 +nft replace rule inet fw4 ${TOR_CHAIN} \ 
 +handle ${TOR_RULE##* } \ 
 +fib daddr type !{ local, broadcast } ${TOR_RULE} 
 +EOF 
 +uci -q delete firewall.tor_nft 
 +uci set firewall.tor_nft="include
 +uci set firewall.tor_nft.path="/etc/nftables.d/tor.sh"
 uci -q delete firewall.tcp_int uci -q delete firewall.tcp_int
 uci set firewall.tcp_int="redirect" uci set firewall.tcp_int="redirect"
 uci set firewall.tcp_int.name="Intercept-TCP" uci set firewall.tcp_int.name="Intercept-TCP"
 uci set firewall.tcp_int.src="lan" uci set firewall.tcp_int.src="lan"
 +uci set firewall.tcp_int.src_dport="0-65535"
 uci set firewall.tcp_int.dest_port="9040" uci set firewall.tcp_int.dest_port="9040"
 uci set firewall.tcp_int.proto="tcp" uci set firewall.tcp_int.proto="tcp"
-uci set firewall.tcp_int.extra="--syn"+uci set firewall.tcp_int.family="any"
 uci set firewall.tcp_int.target="DNAT" uci set firewall.tcp_int.target="DNAT"
  
 # Disable LAN to WAN forwarding # Disable LAN to WAN forwarding
-uci rename firewall.@forwarding[0]="lan_wan" +uci -q delete firewall.@forwarding[0]
-uci set firewall.lan_wan.enabled="0"+
 uci commit firewall uci commit firewall
-/etc/init.d/firewall restart+service firewall restart
 </code> </code>
- 
-==== 3. NAT6 ==== 
-{{section>docs:guide-user:services:dns:intercept#nat6&noheader&nofooter&noeditbutton}} 
  
 ===== Testing ===== ===== Testing =====
 Verify that you are using Tor. Verify that you are using Tor.
-  * [[https://check.torproject.org/]] +  * [[https://check.torproject.org/|check.torproject.org]] 
-Check your client public IP addresses+ 
-  * [[https://ipleak.net/]] +Check your IP and DNS provider
-Make sure there is no DNS leak on the client side. +  * [[https://ipleak.net/|ipleak.net]] 
-  * [[https://dnsleaktest.com/]]+  * [[https://www.dnsleaktest.com/|dnsleaktest.com]]
  
 ===== Troubleshooting ===== ===== Troubleshooting =====
Line 111: Line 109:
  
 <code bash> <code bash>
-# Restart the services +# Restart services 
-/etc/init.d/log restart; /etc/init.d/firewall restart; /etc/init.d/dnsmasq restart; /etc/init.d/tor restart+service log restart; service firewall restart; service tor restart
  
 # Log and status # Log and status
 logread -e Tor; netstat -l -n -p | grep -e tor logread -e Tor; netstat -l -n -p | grep -e tor
-logread -e dnsmasq; netstat -l -n -p | grep -e dnsmasq 
  
 # Runtime configuration # Runtime configuration
 pgrep -f -a tor pgrep -f -a tor
-ip address show; ip route show; ip rule show; iptables-save +nft list ruleset
-ip -6 address show; ip -6 route show; ip -6 rule show; ip6tables-save +
-ipset list+
  
 # Persistent configuration # Persistent configuration
-uci show firewall; uci show dhcp +uci show firewall; uci show tor; grep -v -r -e "^#" -e "^$" /etc/tor
-grep -v -e "^#" -e "^$" /etc/tor/torrc+
 </code> </code>
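Review bot: the `/etc/nftables.d/tor.sh` include in section 3 assumes that `sed -n -e "/Intercept-TCP/p"` matches exactly one rule in `dstnat_<zone>`; with `firewall.tcp_int.family="any"` fw4 can emit separate IPv4 and IPv6 rules that both carry the `Intercept-TCP` comment, in which case `TOR_RULE` holds two lines, `${TOR_RULE##* }` extracts only the last handle and the single `nft replace rule` receives the text of both rules. Check `nft -a list chain inet fw4 dstnat_lan` after `service firewall restart` and, if two rules appear, loop over the matching handles instead. The `fib daddr type !{ local, broadcast }` prefix itself is the right fix: it keeps connections to the router's own services out of the TransPort redirect, which is what allows the old SSH/HTTP/HTTPS alternative-port workaround to be removed. Two more points in the same section: `uci -q delete firewall.@forwarding[0]` removes whichever forwarding section happens to be first rather than the lan-to-wan one specifically, so select it by `src`/`dest` (the previous revision at least named the section before disabling it), and the `include` section gives no `type`, so it relies on fw4 inferring a script include from the `.sh` extension; an explicit `type` makes that unambiguous. In section 2, `rebind_protection="0"` is unavoidable because `AutomapHostsSuffixes .` makes Tor answer every lookup with an address from `VirtualAddrNetworkIPv4`/`IPv6`, which dnsmasq would otherwise discard as a rebind, but it also removes the router's DNS-rebinding defence for every LAN client and that trade-off deserves one sentence in the text. The change of `VirtualAddrNetworkIPv6` to `[fc00::]/8` is correct (Tor requires the brackets for this option) and, by narrowing from `fc00::/7`, keeps the virtual range clear of the `fd00::/8` ULA prefix that OpenWrt assigns to the LAN, which is why the old NAT6 section could go. Finally, the Troubleshooting block still relies on `netstat`, which is no longer installed by default; `ss -l -n -p` would serve the same purpose alongside the new `nft list ruleset`.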
  
  • Last modified: 2023/10/18 07:17
  • by vgaetera