Differences
| docs:guide-user:services:tor:client [2020/08/27 10:23] – [Troubleshooting] vgaetera | docs:guide-user:services:tor:client [2023/10/18 07:17] (current) – intercept DNS before TCP as it can use 53/TCP vgaetera | ||
|---|---|---|---|
| Line 1: | Line 1: | ||
| ====== Tor client ====== | ====== Tor client ====== | ||
| - | {{section> | + | {{section> |
| ===== Introduction ===== | ===== Introduction ===== | ||
| * This how-to describes the method for setting up [[wp> | * This how-to describes the method for setting up [[wp> | ||
| - | * It makes your router provide access to the dark net for LAN clients. | ||
| * Tor is limited to DNS and TCP traffic, use [[docs: | * Tor is limited to DNS and TCP traffic, use [[docs: | ||
| - | * Follow [[docs: | + | * Follow [[docs: |
| ===== Goals ===== | ===== Goals ===== | ||
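Review bot: dropping the bullet "It makes your router provide access to the dark net for LAN clients." leaves the Introduction without any statement that this setup is router-wide; after the firewall step every LAN host's DNS and TCP traffic is redirected into Tor and direct LAN to WAN forwarding is disabled. Suggest keeping a one-line scope statement here, e.g. "All LAN clients are transparently routed through Tor", so readers know the impact before they run the firewall commands.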
| Line 12: | Line 11: | ||
| * Access the dark net and Tor hidden services. | * Access the dark net and Tor hidden services. | ||
| * Encrypt your internet connection to enforce security and privacy. | * Encrypt your internet connection to enforce security and privacy. | ||
| - | * Prevent | + | * Prevent traffic |
| * Bypass regional restrictions using public relay providers. | * Bypass regional restrictions using public relay providers. | ||
| * Escape client side content filters and internet censorship. | * Escape client side content filters and internet censorship. | ||
| - | ===== Instructions | + | ===== Command-line instructions |
| ==== 1. Tor client ==== | ==== 1. Tor client ==== | ||
| - | Install | + | Install |
| + | Configure | ||
| <code bash> | <code bash> | ||
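Review bot: the goal "Encrypt your internet connection to enforce security and privacy." overstates what Tor provides; Tor encrypts traffic only between the client and the exit relay, and connections to clearnet destinations leave the exit in whatever form the application sent them, so plain HTTP remains readable by the exit operator. Suggest "Encrypt your connection up to the Tor exit relay and hide your origin address from the destination".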
| Line 26: | Line 26: | ||
| # Configure Tor client | # Configure Tor client | ||
| - | sed -i -e " | + | cat << EOF > /etc/tor/custom |
| - | /^AutomapHostsOnResolve/s/^/#/ | + | AutomapHostsOnResolve 1 |
| - | \$a AutomapHostsOnResolve 1 | + | AutomapHostsSuffixes . |
| - | / | + | VirtualAddrNetworkIPv4 172.16.0.0/ |
| - | \$a VirtualAddrNetworkIPv4 172.16.0.0/ | + | VirtualAddrNetworkIPv6 |
| - | \$a VirtualAddrNetworkIPv6 fc00::/7 | + | DNSPort 0.0.0.0: |
| - | / | + | DNSPort [::]:9053 |
| - | \$a DNSPort 0.0.0.0: | + | TransPort 0.0.0.0: |
| - | \$a DNSPort [::]:9053 | + | TransPort [::]:9040 |
| - | / | + | EOF |
| - | \$a TransPort 0.0.0.0: | + | cat << EOF >> / |
| - | \$a TransPort [::]:9040 | + | /etc/tor |
| - | " /etc/tor/torrc | + | EOF |
| - | /etc/init.d/tor restart | + | uci del_list tor.conf.tail_include="/ |
| + | uci add_list tor.conf.tail_include=" | ||
| + | uci commit tor | ||
| + | service | ||
| </ | </ | ||
| - | ==== 2. Firewall | + | Disable [[docs: |
| - | Set up uHTTPd to listen on [[docs: | + | |
| - | Configure firewall to intercept LAN traffic. | + | ==== 2. DNS over Tor ==== |
| - | Disable LAN to WAN forwarding to avoid traffic leak. | + | {{section> |
| + | |||
| + | Redirect DNS traffic | ||
| <code bash> | <code bash> | ||
| - | # Intercept SSH, HTTP and HTTPS traffic | + | # Enable DNS over Tor |
| - | uci -q delete firewall.ssh_int | + | service dnsmasq stop |
| - | uci set firewall.ssh_int=" | + | uci set dhcp.@dnsmasq[0].noresolv="1" |
| - | uci set firewall.ssh_int.name="Intercept-SSH" | + | uci set dhcp.@dnsmasq[0].rebind_protection="0" |
| - | uci set firewall.ssh_int.src="lan" | + | uci -q delete |
| - | uci set firewall.ssh_int.src_dport=" | + | uci add_list dhcp.@dnsmasq[0].server="127.0.0.1#9053" |
| - | uci set firewall.ssh_int.proto=" | + | uci add_list dhcp.@dnsmasq[0].server="::1#9053" |
| - | uci set firewall.ssh_int.target=" | + | uci commit dhcp |
| - | uci -q delete | + | service dnsmasq start |
| - | uci set firewall.http_int=" | + | </ |
| - | uci set firewall.http_int.name="Intercept-HTTP" | + | |
| - | uci set firewall.http_int.src=" | + | |
| - | uci set firewall.http_int.src_dport=" | + | |
| - | uci set firewall.http_int.proto="tcp" | + | |
| - | uci set firewall.http_int.target=" | + | |
| - | uci -q delete firewall.https_int | + | |
| - | uci set firewall.https_int=" | + | |
| - | uci set firewall.https_int.name=" | + | |
| - | uci set firewall.https_int.src=" | + | |
| - | uci set firewall.https_int.src_dport=" | + | |
| - | uci set firewall.https_int.proto=" | + | |
| - | uci set firewall.https_int.target=" | + | |
| - | # Intercept | + | ==== 3. Firewall ==== |
| - | uci -q delete firewall.dns_int | + | Configure firewall to intercept LAN traffic. |
| - | uci set firewall.dns_int="redirect" | + | Disable LAN to WAN forwarding to prevent traffic leaks. |
| - | uci set firewall.dns_int.name=" | + | |
| - | uci set firewall.dns_int.src=" | + | <code bash> |
| - | uci set firewall.dns_int.src_dport=" | + | # Intercept TCP traffic |
| - | uci set firewall.dns_int.dest_port="9053" | + | cat << " |
| - | uci set firewall.dns_int.proto="udp" | + | TOR_CHAIN="dstnat_$(uci -q get firewall.tcp_int.src)" |
| - | uci set firewall.dns_int.target=" | + | TOR_RULE="$(nft -a list chain inet fw4 ${TOR_CHAIN} \ |
| + | | sed -n -e "/Intercept-TCP/ | ||
| + | nft replace rule inet fw4 ${TOR_CHAIN} \ | ||
| + | handle ${TOR_RULE## | ||
| + | fib daddr type != { local, broadcast } ${TOR_RULE} | ||
| + | EOF | ||
| + | uci -q delete | ||
| + | uci set firewall.tor_nft="include" | ||
| + | uci set firewall.tor_nft.path="/ | ||
| uci -q delete firewall.tcp_int | uci -q delete firewall.tcp_int | ||
| uci set firewall.tcp_int=" | uci set firewall.tcp_int=" | ||
| uci set firewall.tcp_int.name=" | uci set firewall.tcp_int.name=" | ||
| uci set firewall.tcp_int.src=" | uci set firewall.tcp_int.src=" | ||
| + | uci set firewall.tcp_int.src_dport=" | ||
| uci set firewall.tcp_int.dest_port=" | uci set firewall.tcp_int.dest_port=" | ||
| uci set firewall.tcp_int.proto=" | uci set firewall.tcp_int.proto=" | ||
| - | uci set firewall.tcp_int.extra="--syn" | + | uci set firewall.tcp_int.family="any" |
| uci set firewall.tcp_int.target=" | uci set firewall.tcp_int.target=" | ||
| # Disable LAN to WAN forwarding | # Disable LAN to WAN forwarding | ||
| - | uci rename | + | uci -q delete |
| - | uci set firewall.lan_wan.enabled=" | + | |
| uci commit firewall | uci commit firewall | ||
| - | / | + | service |
| </ | </ | ||
| - | |||
| - | ==== 3. NAT6 ==== | ||
| - | {{section> | ||
| ===== Testing ===== | ===== Testing ===== | ||
| Verify that you are using Tor. | Verify that you are using Tor. | ||
| - | * [[https:// | + | * [[https:// |
| - | Check your client public | + | |
| - | * [[https:// | + | Check your IP and DNS provider. |
| - | Make sure there is no DNS leak on the client side. | + | * [[https:// |
| - | * [[https:// | + | * [[https://www.dnsleaktest.com/ |
| ===== Troubleshooting ===== | ===== Troubleshooting ===== | ||
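Review bot: the nft include in the "Intercept TCP traffic" block finds the rule handle with `sed -n -e "/Intercept-TCP/...`, a literal that must match whatever `uci set firewall.tcp_int.name=...` sets; if the two drift apart, `${TOR_RULE}` is empty, `nft replace rule inet fw4 ${TOR_CHAIN} handle ...` fails or replaces nothing, and the `fib daddr type != { local, broadcast }` exclusion that keeps router-bound traffic out of Tor is silently absent. Suggest a guard such as `[ -n "${TOR_RULE}" ] || exit 1` inside the heredoc, and deriving the match string from `uci -q get firewall.tcp_int.name` the same way the chain name is derived from `firewall.tcp_int.src`. Two further points in this hunk: the `DNSPort 0.0.0.0:...`, `DNSPort [::]:9053`, `TransPort 0.0.0.0:...` and `TransPort [::]:9040` lines bind on every interface and rely solely on the WAN zone's default input policy to stay unreachable from the internet, so either bind to the LAN addresses only or state that reliance in the text; and `uci set dhcp.@dnsmasq[0].rebind_protection="0"` is needed because `AutomapHostsSuffixes .` makes every name resolve to a private address from the VirtualAddrNetworkIPv4 range, which dnsmasq would otherwise discard as a rebind answer, but the text should say so rather than leave it as an unexplained weakening of dnsmasq.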
| Line 111: | Line 109: | ||
| <code bash> | <code bash> | ||
| - | # Restart | + | # Restart services |
| - | / | + | service |
| # Log and status | # Log and status | ||
| logread -e Tor; netstat -l -n -p | grep -e tor | logread -e Tor; netstat -l -n -p | grep -e tor | ||
| - | logread -e dnsmasq; netstat -l -n -p | grep -e dnsmasq | ||
| # Runtime configuration | # Runtime configuration | ||
| pgrep -f -a tor | pgrep -f -a tor | ||
| - | ip address show; ip route show; ip rule show; iptables-save | + | nft list ruleset |
| - | ip -6 address show; ip -6 route show; ip -6 rule show; ip6tables-save | + | |
| - | ipset list | + | |
| # Persistent configuration | # Persistent configuration | ||
| - | uci show firewall; uci show dhcp | + | uci show firewall; uci show tor; grep -v -r -e " |
| - | grep -v -e " | + | |
| </ | </ | ||
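Review bot: the removed line `logread -e dnsmasq; netstat -l -n -p | grep -e dnsmasq` was the one check that shows whether dnsmasq is actually forwarding to `127.0.0.1#9053` as the new "DNS over Tor" step requires, and a misconfigured dnsmasq is exactly how DNS leaks past Tor; suggest keeping it alongside `logread -e Tor`. For the same reason `uci show dhcp`, dropped from the "Persistent configuration" line, should stay next to `uci show firewall; uci show tor`, since the dhcp config now carries the `noresolv`, `rebind_protection` and `server` settings that the DNS step changes.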