Differences

docs:guide-user:services:tor:client [2021/03/06 07:01] – [2. Firewall] update vgaetera
docs:guide-user:services:tor:client [2023/10/14 13:39] – [Introduction] vgaetera
Line 1: Line 1:
 ====== Tor client ====== ====== Tor client ======
-{{section>meta:infobox:howto_links#cli_skills&noheader&nofooter&noeditbutton}}+{{section>meta:infobox:howto_links#basic_skills&noheader&nofooter&noeditbutton}}
  
 ===== Introduction ===== ===== Introduction =====
   * This how-to describes the method for setting up [[wp>Tor_(anonymity_network)|Tor]] client on OpenWrt.   * This how-to describes the method for setting up [[wp>Tor_(anonymity_network)|Tor]] client on OpenWrt.
-  * It makes your router provide access to the dark net for LAN clients. 
   * Tor is limited to DNS and TCP traffic, use [[docs:guide-user:services:vpn:start|VPN]] to protect all traffic.   * Tor is limited to DNS and TCP traffic, use [[docs:guide-user:services:vpn:start|VPN]] to protect all traffic.
-  * Follow [[docs:guide-user:services:tor:extras|Tor extras]] for additional tuning.+  * Follow [[docs:guide-user:services:tor:extras|Tor extras]] for automated setup and additional tuning.
  
 ===== Goals ===== ===== Goals =====
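Review bot: The infobox include on the first changed line is downgraded from `howto_links#cli_skills` to `howto_links#basic_skills`, while the same revision renames the section to `===== Command-line instructions =====` and every step remains a shell snippet run on the router; keep `cli_skills` (or say in the edit summary why basic skills are enough) so the page does not tell readers they need less than it asks of them.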
Line 12: Line 11:
     * Access the dark net and Tor hidden services.     * Access the dark net and Tor hidden services.
   * Encrypt your internet connection to enforce security and privacy.   * Encrypt your internet connection to enforce security and privacy.
-    * Prevent data leak and traffic spoofing on the client side.+    * Prevent traffic leaks and spoofing on the client side.
   * Bypass regional restrictions using public relay providers.   * Bypass regional restrictions using public relay providers.
     * Escape client side content filters and internet censorship.     * Escape client side content filters and internet censorship.
  
-===== Instructions =====+===== Command-line instructions =====
 ==== 1. Tor client ==== ==== 1. Tor client ====
-Install and configure Tor client.+Install the required packages. 
 +Configure Tor client.
  
 <code bash> <code bash>
 # Install packages # Install packages
 opkg update opkg update
-opkg install tor ipset+opkg install tor
  
 # Configure Tor client # Configure Tor client
-cat << EOF > /etc/tor/main+cat << EOF > /etc/tor/custom
 AutomapHostsOnResolve 1 AutomapHostsOnResolve 1
 +AutomapHostsSuffixes .
 VirtualAddrNetworkIPv4 172.16.0.0/12 VirtualAddrNetworkIPv4 172.16.0.0/12
-VirtualAddrNetworkIPv6 fc00::/7+VirtualAddrNetworkIPv6 [fc00::]/8
 DNSPort 0.0.0.0:9053 DNSPort 0.0.0.0:9053
 DNSPort [::]:9053 DNSPort [::]:9053
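Review bot: The new `AutomapHostsSuffixes .` line in the `/etc/tor/custom` heredoc makes Tor answer every name resolved through `DNSPort` with an address from the virtual ranges, so a LAN client receives a 172.16.0.0/12 or fc00::/8 answer instead of the real one; the Tor client prose (or a comment in the heredoc) should state that this is deliberate leak prevention, because it also means that UDP and any client that bypasses the TCP redirect cannot reach the real host at all. Narrowing `VirtualAddrNetworkIPv6` from `fc00::/7` to `[fc00::]/8` is a good fix: it keeps the virtual range out of the fd00::/8 ULA space that LANs actually use, which the old /7 overlapped.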
Line 36: Line 37:
 EOF EOF
 cat << EOF >> /etc/sysupgrade.conf cat << EOF >> /etc/sysupgrade.conf
-/etc/tor/main+/etc/tor
 EOF EOF
-uci del_list tor.conf.tail_include="/etc/tor/main+uci del_list tor.conf.tail_include="/etc/tor/custom
-uci add_list tor.conf.tail_include="/etc/tor/main"+uci add_list tor.conf.tail_include="/etc/tor/custom"
 uci commit tor uci commit tor
-/etc/init.d/tor restart+service tor restart
 </code> </code>
 +
 +Prefer [[docs:guide-user:network:ipv6:ipv6_extras#using_ipv6_by_default|IPv6 by default]] or announce [[docs:guide-user:network:ipv6:ipv6_extras#announcing_ipv6_default_route|IPv6 default route]] if necessary.
  
 ==== 2. Firewall ==== ==== 2. Firewall ====
-Configure IP sets for non-Tor destinations. 
 Configure firewall to intercept LAN traffic. Configure firewall to intercept LAN traffic.
-Disable LAN to WAN forwarding to avoid traffic leak.+Disable LAN to WAN forwarding to prevent traffic leaks.
  
 <code bash> <code bash>
-# Fetch LAN subnet 
-. /lib/functions/network.sh 
-network_flush_cache 
-network_get_subnet NET_SUB lan 
-network_get_subnet6 NET_SUB6 lan 
- 
-# Configure IP sets 
-uci -q delete firewall.notor 
-uci set firewall.notor="ipset" 
-uci set firewall.notor.name="notor" 
-uci set firewall.notor.family="ipv4" 
-uci set firewall.notor.storage="hash" 
-uci set firewall.notor.match="net" 
-uci add_list firewall.notor.entry="${NET_SUB}" 
-uci -q delete firewall.notor6 
-uci set firewall.notor6="ipset" 
-uci set firewall.notor6.name="notor6" 
-uci set firewall.notor6.family="ipv6" 
-uci set firewall.notor6.storage="hash" 
-uci set firewall.notor6.match="net" 
-uci add_list firewall.notor6.entry="fe80::/10" 
-uci add_list firewall.notor6.entry="${NET_SUB6}" 
- 
 # Intercept TCP traffic # Intercept TCP traffic
 +cat << "EOF" > /etc/nftables.d/tor.sh
 +TOR_CHAIN="dstnat_$(uci -q get firewall.tcp_int.src)"
 +TOR_RULE="$(nft -a list chain inet fw4 ${TOR_CHAIN} \
 +| sed -n -e "/Intercept-TCP/p")"
 +nft replace rule inet fw4 ${TOR_CHAIN} \
 +handle ${TOR_RULE##* } \
 +fib daddr type != { local, broadcast } ${TOR_RULE}
 +EOF
 +uci -q delete firewall.tor_nft
 +uci set firewall.tor_nft="include"
 +uci set firewall.tor_nft.path="/etc/nftables.d/tor.sh"
 uci -q delete firewall.tcp_int uci -q delete firewall.tcp_int
 uci set firewall.tcp_int="redirect" uci set firewall.tcp_int="redirect"
 uci set firewall.tcp_int.name="Intercept-TCP" uci set firewall.tcp_int.name="Intercept-TCP"
 uci set firewall.tcp_int.src="lan" uci set firewall.tcp_int.src="lan"
 +uci set firewall.tcp_int.src_dport="0-65535"
 uci set firewall.tcp_int.dest_port="9040" uci set firewall.tcp_int.dest_port="9040"
-uci set firewall.tcp_int.ipset="!notor dest" 
 uci set firewall.tcp_int.proto="tcp" uci set firewall.tcp_int.proto="tcp"
-uci set firewall.tcp_int.extra="--syn"+uci set firewall.tcp_int.family="any"
 uci set firewall.tcp_int.target="DNAT" uci set firewall.tcp_int.target="DNAT"
  
 # Disable LAN to WAN forwarding # Disable LAN to WAN forwarding
-uci rename firewall.@forwarding[0]="lan_wan" +uci -q delete firewall.@forwarding[0]
-uci set firewall.lan_wan.enabled="0"+
 uci commit firewall uci commit firewall
-/etc/init.d/firewall restart+service firewall restart
 </code> </code>
  
 ==== 3. DNS over Tor ==== ==== 3. DNS over Tor ====
-{{section>docs:guide-user:firewall:fw3_configurations:intercept_dns#firewall&noheader&nofooter&noeditbutton}}+{{section>docs:guide-user:firewall:fw3_configurations:intercept_dns#command-line_instructions&noheader&nofooter&noeditbutton}}
  
-Redirect DNS traffic to Tor.+Redirect DNS traffic to Tor and prevent DNS leaks.
  
 <code bash> <code bash>
 # Enable DNS over Tor # Enable DNS over Tor
 +service dnsmasq stop
 +uci set dhcp.@dnsmasq[0].boguspriv="0"
 +uci set dhcp.@dnsmasq[0].rebind_protection="0"
 +uci set dhcp.@dnsmasq[0].noresolv="1"
 uci -q delete dhcp.@dnsmasq[0].server uci -q delete dhcp.@dnsmasq[0].server
 uci add_list dhcp.@dnsmasq[0].server="127.0.0.1#9053" uci add_list dhcp.@dnsmasq[0].server="127.0.0.1#9053"
 uci add_list dhcp.@dnsmasq[0].server="::1#9053" uci add_list dhcp.@dnsmasq[0].server="::1#9053"
- 
-# Allow resolving for Tor-specific domains 
-uci set dhcp.@dnsmasq[0].boguspriv="0" 
-uci -q delete dhcp.@dnsmasq[0].rebind_domain 
-uci add_list dhcp.@dnsmasq[0].rebind_domain="/exit/" 
-uci add_list dhcp.@dnsmasq[0].rebind_domain="/onion/" 
- 
-# Enforce DNS over Tor for LAN clients 
-uci set dhcp.@dnsmasq[0].noresolv="1" 
 uci commit dhcp uci commit dhcp
-/etc/init.d/dnsmasq restart+service dnsmasq start
 </code> </code>
- 
-==== 4. NAT6 ==== 
-{{section>docs:guide-user:firewall:fw3_configurations:intercept_dns#nat6&noheader&nofooter&noeditbutton}} 
  
 ===== Testing ===== ===== Testing =====
 Verify that you are using Tor. Verify that you are using Tor.
-  * [[https://check.torproject.org/]] +  * [[https://check.torproject.org/|check.torproject.org]] 
-Check your client public IP addresses+ 
-  * [[https://ipleak.net/]] +Check your IP and DNS provider
-Make sure there is no DNS leak on the client side. +  * [[https://ipleak.net/|ipleak.net]] 
-  * [[https://dnsleaktest.com/]]+  * [[https://www.dnsleaktest.com/|dnsleaktest.com]]
  
 ===== Troubleshooting ===== ===== Troubleshooting =====
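Review bot: The `uci -q delete firewall.@forwarding[0]` line under `# Disable LAN to WAN forwarding` removes whichever forwarding section happens to be first in /etc/config/firewall; on a device where another forwarding (a guest zone, for instance) was added before lan→wan, it deletes the wrong one and leaves lan→wan forwarding in place, so LAN traffic that is not caught by the TCP redirect still leaves via WAN. The old `uci rename firewall.@forwarding[0]="lan_wan"` made the same assumption, but a rename is reversible and a delete is not; select the section by its `src=lan` and `dest=wan` values rather than by index. Two smaller points: `uci set dhcp.@dnsmasq[0].rebind_protection="0"` now turns off dnsmasq rebind protection for all names, where the old revision kept it and only exempted `/exit/` and `/onion/`; this is needed because automapped answers fall inside 172.16.0.0/12 and would otherwise be dropped, but the `# Enable DNS over Tor` comment should say so. And the `uci del_list tor.conf.tail_include="/etc/tor/custom` line has no closing quote on either side; if that is not a rendering artefact, the shell joins it with the following `add_list` line and neither command does what is intended.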
Line 130: Line 111:
 <code bash> <code bash>
 # Restart services # Restart services
-/etc/init.d/log restart; /etc/init.d/firewall restart; /etc/init.d/tor restart+service log restart; service firewall restart; service tor restart
  
 # Log and status # Log and status
Line 137: Line 118:
 # Runtime configuration # Runtime configuration
 pgrep -f -a tor pgrep -f -a tor
-iptables-save; ip6tables-save+nft list ruleset
  
 # Persistent configuration # Persistent configuration
  • Last modified: 2023/10/18 07:17
  • by vgaetera