Differences
This shows you the differences between two versions of the page.
| docs:guide-user:services:tor:client [2020/10/03 23:10] – [Introduction] add link to RNG setup vgaetera | docs:guide-user:services:tor:client [2023/10/14 13:39] – [Introduction] vgaetera | ||
|---|---|---|---|
| Line 1: | Line 1: | ||
| ====== Tor client ====== | ====== Tor client ====== | ||
| - | {{section> | + | {{section> |
| ===== Introduction ===== | ===== Introduction ===== | ||
| * This how-to describes the method for setting up [[wp> | * This how-to describes the method for setting up [[wp> | ||
| - | * It makes your router provide access to the dark net for LAN clients. | ||
| * Tor is limited to DNS and TCP traffic, use [[docs: | * Tor is limited to DNS and TCP traffic, use [[docs: | ||
| - | * Follow [[docs: | + | * Follow [[docs: |
| - | * Follow [[docs: | + | |
| ===== Goals ===== | ===== Goals ===== | ||
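Review bot: dropping the bullet "It makes your router provide access to the dark net for LAN clients." (the `-` row in this Introduction hunk) removes the only statement of scope, namely that this is a transparent proxy applied to every LAN client rather than an opt-in SOCKS proxy; keep a one-line scope statement in the right-hand column, because the firewall section redirects all LAN TCP traffic and the DNS section sends all LAN name resolution through Tor, and a reader who expects a per-application proxy will be surprised by that. Also check that collapsing the two "Follow [[docs:" bullets into one did not lose the RNG setup link that the 2020 revision added (the link targets are cut off in this view), since generating Tor keys on an embedded router with a weak entropy source is a real concern for this guide.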
| Line 13: | Line 11: | ||
| * Access the dark net and Tor hidden services. | * Access the dark net and Tor hidden services. | ||
| * Encrypt your internet connection to enforce security and privacy. | * Encrypt your internet connection to enforce security and privacy. | ||
| - | * Prevent | + | * Prevent traffic |
| * Bypass regional restrictions using public relay providers. | * Bypass regional restrictions using public relay providers. | ||
| * Escape client side content filters and internet censorship. | * Escape client side content filters and internet censorship. | ||
| - | ===== Instructions | + | ===== Command-line instructions |
| ==== 1. Tor client ==== | ==== 1. Tor client ==== | ||
| - | Install | + | Install |
| + | Configure | ||
| <code bash> | <code bash> | ||
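Review bot: the unchanged goal "Encrypt your internet connection to enforce security and privacy." in this Goals hunk overstates what a transparent Tor client provides and should be narrowed to something like "Hide your traffic from the local network and your ISP"; Tor encrypts only as far as the exit relay, so any plaintext protocol leaves the exit unencrypted and can be read or modified by the exit operator. The rename to "Command-line instructions" and the split of step 1 into "Install" and "Configure" read well; the new "Prevent traffic" bullet is cut off in this view, so its wording could not be checked.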
| Line 27: | Line 26: | ||
| # Configure Tor client | # Configure Tor client | ||
| - | cat << EOF > /etc/tor/main | + | cat << EOF > /etc/tor/custom |
| AutomapHostsOnResolve 1 | AutomapHostsOnResolve 1 | ||
| + | AutomapHostsSuffixes . | ||
| VirtualAddrNetworkIPv4 172.16.0.0/ | VirtualAddrNetworkIPv4 172.16.0.0/ | ||
| - | VirtualAddrNetworkIPv6 fc00::/7 | + | VirtualAddrNetworkIPv6 |
| DNSPort 0.0.0.0: | DNSPort 0.0.0.0: | ||
| DNSPort [::]:9053 | DNSPort [::]:9053 | ||
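Review bot: the added `AutomapHostsSuffixes .` line deserves a comment in the config, because it makes Tor answer every name resolved through DNSPort with a virtual address, not only `.onion` and `.exit` names, which is what keeps the router from resolving clearnet names itself; an unfamiliar reader will otherwise delete it as a typo. Moving `VirtualAddrNetworkIPv6` off `fc00::/7` is correct, since that prefix covers `fd00::/8` and therefore any ULA prefix OpenWrt assigns to the LAN, so virtual addresses could have collided with real LAN hosts; the replacement value is cut off here and should be a prefix not otherwise in use. `DNSPort 0.0.0.0:` and `DNSPort [::]:9053` bind on every interface, WAN included, so the firewall section has to reject these ports in the WAN zone's input policy; binding DNSPort to the LAN address (or to loopback plus the LAN interface) would be the safer default and would not depend on the firewall.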
| Line 36: | Line 36: | ||
| TransPort [::]:9040 | TransPort [::]:9040 | ||
| EOF | EOF | ||
| - | uci del_list tor.conf.tail_include="/ | + | cat << EOF >> / |
| - | uci add_list tor.conf.tail_include="/ | + | /etc/tor |
| + | EOF | ||
| + | uci del_list tor.conf.tail_include="/ | ||
| + | uci add_list tor.conf.tail_include="/ | ||
| uci commit tor | uci commit tor | ||
| - | / | + | service |
| </ | </ | ||
| + | |||
| + | Prefer [[docs: | ||
| ==== 2. Firewall ==== | ==== 2. Firewall ==== | ||
| - | Set up uHTTPd to listen on [[docs: | ||
| Configure firewall to intercept LAN traffic. | Configure firewall to intercept LAN traffic. | ||
| - | Disable LAN to WAN forwarding to avoid traffic | + | Disable LAN to WAN forwarding to prevent |
| <code bash> | <code bash> | ||
| - | # Intercept | + | # Intercept |
| - | uci -q delete firewall.ssh_int | + | cat << |
| - | uci set firewall.ssh_int="redirect" | + | TOR_CHAIN="dstnat_$(uci -q get firewall.tcp_int.src)" |
| - | uci set firewall.ssh_int.name=" | + | TOR_RULE="$(nft -a list chain inet fw4 ${TOR_CHAIN} \ |
| - | uci set firewall.ssh_int.src="lan" | + | | sed -n -e "/Intercept-TCP/p")" |
| - | uci set firewall.ssh_int.src_dport=" | + | nft replace rule inet fw4 ${TOR_CHAIN} \ |
| - | uci set firewall.ssh_int.proto=" | + | handle ${TOR_RULE## |
| - | uci set firewall.ssh_int.target=" | + | fib daddr type != { local, broadcast } ${TOR_RULE} |
| - | uci -q delete | + | EOF |
| - | uci set firewall.http_int=" | + | uci -q delete firewall.tor_nft |
| - | uci set firewall.http_int.name="Intercept-HTTP" | + | uci set firewall.tor_nft="include" |
| - | uci set firewall.http_int.src=" | + | uci set firewall.tor_nft.path="/ |
| - | uci set firewall.http_int.src_dport=" | + | |
| - | uci set firewall.http_int.proto=" | + | |
| - | uci set firewall.http_int.target=" | + | |
| - | uci -q delete firewall.https_int | + | |
| - | uci set firewall.https_int=" | + | |
| - | uci set firewall.https_int.name=" | + | |
| - | uci set firewall.https_int.src="lan" | + | |
| - | uci set firewall.https_int.src_dport=" | + | |
| - | uci set firewall.https_int.proto=" | + | |
| - | uci set firewall.https_int.target=" | + | |
| - | + | ||
| - | # Intercept DNS and TCP traffic | + | |
| - | uci -q delete firewall.dns_int | + | |
| - | uci set firewall.dns_int="redirect" | + | |
| - | uci set firewall.dns_int.name="Intercept-DNS" | + | |
| - | uci set firewall.dns_int.src=" | + | |
| - | uci set firewall.dns_int.src_dport=" | + | |
| - | uci set firewall.dns_int.dest_port=" | + | |
| - | uci set firewall.dns_int.proto=" | + | |
| - | uci set firewall.dns_int.target=" | + | |
| uci -q delete firewall.tcp_int | uci -q delete firewall.tcp_int | ||
| uci set firewall.tcp_int=" | uci set firewall.tcp_int=" | ||
| uci set firewall.tcp_int.name=" | uci set firewall.tcp_int.name=" | ||
| uci set firewall.tcp_int.src=" | uci set firewall.tcp_int.src=" | ||
| + | uci set firewall.tcp_int.src_dport=" | ||
| uci set firewall.tcp_int.dest_port=" | uci set firewall.tcp_int.dest_port=" | ||
| uci set firewall.tcp_int.proto=" | uci set firewall.tcp_int.proto=" | ||
| - | uci set firewall.tcp_int.extra="--syn" | + | uci set firewall.tcp_int.family="any" |
| uci set firewall.tcp_int.target=" | uci set firewall.tcp_int.target=" | ||
| # Disable LAN to WAN forwarding | # Disable LAN to WAN forwarding | ||
| - | uci rename | + | uci -q delete |
| - | uci set firewall.lan_wan.enabled=" | + | |
| uci commit firewall | uci commit firewall | ||
| - | / | + | service |
| </ | </ | ||
| - | ==== 3. NAT6 ==== | + | ==== 3. DNS over Tor ==== |
| - | {{section> | + | {{section> |
| + | |||
| + | Redirect DNS traffic to Tor and prevent DNS leaks. | ||
| + | |||
| + | <code bash> | ||
| + | # Enable DNS over Tor | ||
| + | service dnsmasq stop | ||
| + | uci set dhcp.@dnsmasq[0].boguspriv=" | ||
| + | uci set dhcp.@dnsmasq[0].rebind_protection=" | ||
| + | uci set dhcp.@dnsmasq[0].noresolv=" | ||
| + | uci -q delete dhcp.@dnsmasq[0].server | ||
| + | uci add_list dhcp.@dnsmasq[0].server=" | ||
| + | uci add_list dhcp.@dnsmasq[0].server=":: | ||
| + | uci commit dhcp | ||
| + | service dnsmasq start | ||
| + | </ | ||
| ===== Testing ===== | ===== Testing ===== | ||
| Verify that you are using Tor. | Verify that you are using Tor. | ||
| - | * [[https:// | + | * [[https:// |
| - | Check your client public | + | |
| - | * [[https:// | + | Check your IP and DNS provider. |
| - | Make sure there is no DNS leak on the client side. | + | * [[https:// |
| - | * [[https:// | + | * [[https://www.dnsleaktest.com/ |
| ===== Troubleshooting ===== | ===== Troubleshooting ===== | ||
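Review bot: the `firewall.tor_nft` include in the firewall block is a shell script (it runs `nft -a list chain inet fw4 ${TOR_CHAIN}`, pipes through `sed`, and calls `nft replace rule ... handle`), but only `uci set firewall.tor_nft="include"` and a `path` line are visible, so check that the include is explicitly marked as a script include (fw4 has a `type` option for includes and skips script includes it does not consider fw4-compatible); if fw4 does not run it, the `fib daddr type != { local, broadcast }` exemption never lands and every connection to the router's own addresses (SSH, LuCI) is redirected to TransPort, which locks the admin out and is exactly what the removed Intercept-SSH, Intercept-HTTP and Intercept-HTTPS rules used to prevent. The script also finds the rule by matching the `Intercept-TCP` comment taken from `tcp_int.name`, so renaming the rule breaks it silently, and if the chain ever holds more than one matching rule the `${TOR_RULE##...}` handle extraction picks the wrong one; asserting exactly one match before calling `nft replace` would make that failure loud. Replacing three fixed port exemptions with the `fib` match is the right generalisation, since it exempts every router-local and broadcast address instead of three ports, and dropping `--syn` in favour of `family="any"` is fine because the dstnat chain only sees the first packet of a connection anyway. Removing the old `Intercept-DNS` redirect changes behaviour for LAN clients with a hard-coded resolver: their UDP/53 queries are no longer redirected to DNSPort and, with the LAN-to-WAN forwarding section now deleted (`uci -q delete` rather than `enabled="0"`), they are dropped instead of leaked, which is safe but looks like a DNS outage, so either keep a UDP/53 redirect to port 9053 or say so in the text. In the new "DNS over Tor" section, `rebind_protection` and `boguspriv` both need to be off (the values are cut off here): Tor answers with addresses from `VirtualAddrNetworkIPv4 172.16.0.0/...`, which dnsmasq's rebind protection would discard as a DNS rebinding attack, and `boguspriv` would stop reverse lookups of those virtual addresses from reaching Tor; `noresolv` as shown is correct, since it stops dnsmasq falling back to the WAN-supplied resolvers and leaking queries, and the `server` entries (also cut off) must point at the DNSPort on port 9053.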
| Line 112: | Line 111: | ||
| <code bash> | <code bash> | ||
| # Restart services | # Restart services | ||
| - | / | + | service |
| # Log and status | # Log and status | ||
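Review bot: the "Restart services" line in this hunk (the `service` command, cut off here) should now restart dnsmasq as well as tor and the firewall, because the new "DNS over Tor" section makes dnsmasq part of the data path; otherwise a reader who edits the dhcp config and re-runs the troubleshooting steps keeps a stale resolver and sees a leak-test failure that neither the tor log nor the firewall state explains.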
| Line 119: | Line 118: | ||
| # Runtime configuration | # Runtime configuration | ||
| pgrep -f -a tor | pgrep -f -a tor | ||
| - | iptables-save; | + | nft list ruleset |
| # Persistent configuration | # Persistent configuration | ||
| - | uci show firewall; uci show tor; grep -v -e " | + | uci show firewall; uci show tor; grep -v -r -e " |
| </ | </ | ||
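Review bot: `nft list ruleset` in place of `iptables-save` is the right replacement for fw4, but since the firewall block now rewrites a rule in place by handle, the status check should also show handles, i.e. `nft -a list chain inet fw4` followed by the `dstnat_` chain for the `tcp_int` source zone, so the reader can confirm that the `fib daddr type != { local, broadcast }` match is actually present on the Intercept-TCP rule rather than assume the include ran; the `grep -v -r -e "` change is cut off here and could not be checked.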