| docs:guide-user:services:tor:client [2020/08/27 10:37] – [Troubleshooting] code optimized vgaetera | docs:guide-user:services:tor:client [2023/10/14 13:39] – [Introduction] vgaetera | ||
|---|---|---|---|
| Line 1: | Line 1: | ||
| ====== Tor client ====== | ====== Tor client ====== | ||
| - | {{section> | + | {{section> |
| ===== Introduction ===== | ===== Introduction ===== | ||
| * This how-to describes the method for setting up [[wp> | * This how-to describes the method for setting up [[wp> | ||
| - | * It makes your router provide access to the dark net for LAN clients. | ||
| * Tor is limited to DNS and TCP traffic, use [[docs: | * Tor is limited to DNS and TCP traffic, use [[docs: | ||
| - | * Follow [[docs: | + | * Follow [[docs: |
| ===== Goals ===== | ===== Goals ===== | ||
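Review bot: dropping the bullet "It makes your router provide access to the dark net for LAN clients." leaves the Introduction without any statement of the deployment model, namely that Tor runs on the router and LAN clients are redirected transparently with no Tor software of their own, so a reader cannot tell from this section whether the guide is a per-client or a gateway setup. Suggest keeping a one-line scope statement here, and, since the remaining bullet says Tor carries only DNS and TCP, saying in the same place what happens to the rest of the LAN traffic (the Firewall step disables LAN to WAN forwarding, so it is dropped rather than sent in the clear).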
| Line 12: | Line 11: | ||
| * Access the dark net and Tor hidden services. | * Access the dark net and Tor hidden services. | ||
| * Encrypt your internet connection to enforce security and privacy. | * Encrypt your internet connection to enforce security and privacy. | ||
| - | * Prevent | + | * Prevent traffic |
| * Bypass regional restrictions using public relay providers. | * Bypass regional restrictions using public relay providers. | ||
| * Escape client side content filters and internet censorship. | * Escape client side content filters and internet censorship. | ||
| - | ===== Instructions | + | ===== Command-line instructions |
| ==== 1. Tor client ==== | ==== 1. Tor client ==== | ||
| - | Install | + | Install |
| + | Configure | ||
| <code bash> | <code bash> | ||
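Review bot: the reworded goal "Prevent traffic ..." and the unchanged "Encrypt your internet connection to enforce security and privacy" promise more than the setup delivers, because the Introduction states that Tor is limited to DNS and TCP traffic; UDP and other protocols from the LAN are neither carried nor encrypted, they are blocked by the firewall step. Suggest qualifying both bullets with "for DNS and TCP" so readers do not treat the gateway as a full-tunnel VPN, and pointing the remaining cases at the alternative the Introduction already links.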
| Line 26: | Line 26: | ||
| # Configure Tor client | # Configure Tor client | ||
| - | sed -i -e " | + | cat << EOF > /etc/tor/custom |
| - | /^AutomapHostsOnResolve/s/^/#/ | + | AutomapHostsOnResolve 1 |
| - | \$a AutomapHostsOnResolve 1 | + | AutomapHostsSuffixes . |
| - | / | + | VirtualAddrNetworkIPv4 172.16.0.0/ |
| - | \$a VirtualAddrNetworkIPv4 172.16.0.0/ | + | VirtualAddrNetworkIPv6 |
| - | \$a VirtualAddrNetworkIPv6 fc00::/7 | + | DNSPort 0.0.0.0: |
| - | / | + | DNSPort [::]:9053 |
| - | \$a DNSPort 0.0.0.0: | + | TransPort 0.0.0.0: |
| - | \$a DNSPort [::]:9053 | + | TransPort [::]:9040 |
| - | / | + | EOF |
| - | \$a TransPort 0.0.0.0: | + | cat << EOF >> / |
| - | \$a TransPort [::]:9040 | + | /etc/tor |
| - | " /etc/tor/torrc | + | EOF |
| - | /etc/init.d/tor restart | + | uci del_list tor.conf.tail_include="/ |
| + | uci add_list tor.conf.tail_include=" | ||
| + | uci commit tor | ||
| + | service | ||
| </ | </ | ||
| + | |||
| + | Prefer [[docs: | ||
| ==== 2. Firewall ==== | ==== 2. Firewall ==== | ||
| - | Set up uHTTPd to listen on [[docs: | ||
| Configure firewall to intercept LAN traffic. | Configure firewall to intercept LAN traffic. | ||
| - | Disable LAN to WAN forwarding to avoid traffic | + | Disable LAN to WAN forwarding to prevent |
| <code bash> | <code bash> | ||
| - | # Intercept | + | # Intercept |
| - | uci -q delete firewall.ssh_int | + | cat << |
| - | uci set firewall.ssh_int="redirect" | + | TOR_CHAIN="dstnat_$(uci -q get firewall.tcp_int.src)" |
| - | uci set firewall.ssh_int.name=" | + | TOR_RULE="$(nft -a list chain inet fw4 ${TOR_CHAIN} \ |
| - | uci set firewall.ssh_int.src="lan" | + | | sed -n -e "/Intercept-TCP/p")" |
| - | uci set firewall.ssh_int.src_dport=" | + | nft replace rule inet fw4 ${TOR_CHAIN} \ |
| - | uci set firewall.ssh_int.proto=" | + | handle ${TOR_RULE## |
| - | uci set firewall.ssh_int.target=" | + | fib daddr type != { local, broadcast } ${TOR_RULE} |
| - | uci -q delete | + | EOF |
| - | uci set firewall.http_int=" | + | uci -q delete firewall.tor_nft |
| - | uci set firewall.http_int.name="Intercept-HTTP" | + | uci set firewall.tor_nft="include" |
| - | uci set firewall.http_int.src=" | + | uci set firewall.tor_nft.path="/ |
| - | uci set firewall.http_int.src_dport=" | + | |
| - | uci set firewall.http_int.proto=" | + | |
| - | uci set firewall.http_int.target=" | + | |
| - | uci -q delete firewall.https_int | + | |
| - | uci set firewall.https_int=" | + | |
| - | uci set firewall.https_int.name=" | + | |
| - | uci set firewall.https_int.src="lan" | + | |
| - | uci set firewall.https_int.src_dport=" | + | |
| - | uci set firewall.https_int.proto=" | + | |
| - | uci set firewall.https_int.target=" | + | |
| - | + | ||
| - | # Intercept DNS and TCP traffic | + | |
| - | uci -q delete firewall.dns_int | + | |
| - | uci set firewall.dns_int="redirect" | + | |
| - | uci set firewall.dns_int.name="Intercept-DNS" | + | |
| - | uci set firewall.dns_int.src=" | + | |
| - | uci set firewall.dns_int.src_dport=" | + | |
| - | uci set firewall.dns_int.dest_port=" | + | |
| - | uci set firewall.dns_int.proto=" | + | |
| - | uci set firewall.dns_int.target=" | + | |
| uci -q delete firewall.tcp_int | uci -q delete firewall.tcp_int | ||
| uci set firewall.tcp_int=" | uci set firewall.tcp_int=" | ||
| uci set firewall.tcp_int.name=" | uci set firewall.tcp_int.name=" | ||
| uci set firewall.tcp_int.src=" | uci set firewall.tcp_int.src=" | ||
| + | uci set firewall.tcp_int.src_dport=" | ||
| uci set firewall.tcp_int.dest_port=" | uci set firewall.tcp_int.dest_port=" | ||
| uci set firewall.tcp_int.proto=" | uci set firewall.tcp_int.proto=" | ||
| - | uci set firewall.tcp_int.extra="--syn" | + | uci set firewall.tcp_int.family="any" |
| uci set firewall.tcp_int.target=" | uci set firewall.tcp_int.target=" | ||
| # Disable LAN to WAN forwarding | # Disable LAN to WAN forwarding | ||
| - | uci rename | + | uci -q delete |
| - | uci set firewall.lan_wan.enabled=" | + | |
| uci commit firewall | uci commit firewall | ||
| - | / | + | service |
| </ | </ | ||
| - | ==== 3. NAT6 ==== | + | ==== 3. DNS over Tor ==== |
| - | {{section> | + | {{section> |
| + | |||
| + | Redirect DNS traffic to Tor and prevent DNS leaks. | ||
| + | |||
| + | <code bash> | ||
| + | # Enable DNS over Tor | ||
| + | service dnsmasq stop | ||
| + | uci set dhcp.@dnsmasq[0].boguspriv=" | ||
| + | uci set dhcp.@dnsmasq[0].rebind_protection=" | ||
| + | uci set dhcp.@dnsmasq[0].noresolv=" | ||
| + | uci -q delete dhcp.@dnsmasq[0].server | ||
| + | uci add_list dhcp.@dnsmasq[0].server=" | ||
| + | uci add_list dhcp.@dnsmasq[0].server=":: | ||
| + | uci commit dhcp | ||
| + | service dnsmasq start | ||
| + | </ | ||
| ===== Testing ===== | ===== Testing ===== | ||
| Verify that you are using Tor. | Verify that you are using Tor. | ||
| - | * [[https:// | + | * [[https:// |
| - | Check your client public | + | |
| - | * [[https:// | + | Check your IP and DNS provider. |
| - | Make sure there is no DNS leak on the client side. | + | * [[https:// |
| - | * [[https:// | + | * [[https://www.dnsleaktest.com/ |
| ===== Troubleshooting ===== | ===== Troubleshooting ===== | ||
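Review bot: the nft include script in step 2 has no guard for the case where the `sed -n -e "/Intercept-TCP/p"` match returns nothing: `TOR_RULE` depends on `firewall.tcp_int.name` staying exactly that and on the fw4 chain already being populated when the include runs, and if either does not hold the `nft replace rule ... handle` line runs with an empty handle, fails, and the `fib daddr type != { local, broadcast }` exclusion is never applied, so LAN traffic to the router's own addresses is sent to TransPort as well. Suggest testing `[ -n "${TOR_RULE}" ]` before the replace and exiting non-zero otherwise, so the failure is visible in the firewall output instead of only as broken access to the router. One sentence in the text would also help on exposure: `DNSPort 0.0.0.0:...`, `DNSPort [::]:9053`, `TransPort 0.0.0.0:...` and `TransPort [::]:9040` bind on all addresses, and the redirect now has `family="any"`, so these ports are reachable from any zone whose input policy accepts them, not only lan; either bind them to the LAN addresses or state that the wan zone's input policy must stay at reject.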
| Line 111: | Line 110: | ||
| <code bash> | <code bash> | ||
| - | # Restart | + | # Restart services |
| - | / | + | service |
| # Log and status | # Log and status | ||
| - | logread -e dnsmasq; netstat -l -n -p | grep -e dnsmasq | ||
| logread -e Tor; netstat -l -n -p | grep -e tor | logread -e Tor; netstat -l -n -p | grep -e tor | ||
| # Runtime configuration | # Runtime configuration | ||
| - | pgrep -f -a dnsmasq; | + | pgrep -f -a tor |
| - | ip address show; ip route show; ip rule show; iptables-save | + | nft list ruleset |
| - | ip -6 address show; ip -6 route show; ip -6 rule show; ip6tables-save | + | |
| - | ipset list | + | |
| # Persistent configuration | # Persistent configuration | ||
| - | uci show firewall; uci show dhcp; grep -v -e " | + | uci show firewall; uci show tor; grep -v -r -e " |
| </ | </ | ||
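Review bot: with DNS now resolved by dnsmasq forwarding to Tor's DNSPort (step 3 of this same revision sets `noresolv` and the `dhcp.@dnsmasq[0].server` entries), removing `service dnsmasq restart`, `logread -e dnsmasq`, the dnsmasq `netstat` check and `uci show dhcp` from Troubleshooting takes away exactly the checks a DNS leak or a non-resolving client would need. Suggest keeping the dnsmasq lines alongside the Tor ones: restart both services, log and listening sockets for both, and `uci show dhcp` in the persistent configuration line next to `uci show firewall; uci show tor`.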