Differences
| docs:guide-user:services:tor:client [2021/05/01 16:16] – [1. Tor client] update vgaetera | docs:guide-user:services:tor:client [2023/10/14 13:39] – [Introduction] vgaetera | ||
|---|---|---|---|
| Line 1: | Line 1: | ||
| ====== Tor client ====== | ====== Tor client ====== | ||
| - | {{section> | + | {{section> |
| ===== Introduction ===== | ===== Introduction ===== | ||
| * This how-to describes the method for setting up [[wp> | * This how-to describes the method for setting up [[wp> | ||
| * Tor is limited to DNS and TCP traffic, use [[docs: | * Tor is limited to DNS and TCP traffic, use [[docs: | ||
| - | * Follow [[docs: | + | * Follow [[docs: |
| ===== Goals ===== | ===== Goals ===== | ||
| Line 11: | Line 11: | ||
| * Access the dark net and Tor hidden services. | * Access the dark net and Tor hidden services. | ||
| * Encrypt your internet connection to enforce security and privacy. | * Encrypt your internet connection to enforce security and privacy. | ||
| - | * Prevent | + | * Prevent traffic |
| * Bypass regional restrictions using public relay providers. | * Bypass regional restrictions using public relay providers. | ||
| * Escape client side content filters and internet censorship. | * Escape client side content filters and internet censorship. | ||
| - | ===== Command-line | + | ===== Command-line |
| ==== 1. Tor client ==== | ==== 1. Tor client ==== | ||
| - | Install | + | Install the required |
| - | Enable [[docs: | + | Configure Tor client. |
| <code bash> | <code bash> | ||
| # Install packages | # Install packages | ||
| opkg update | opkg update | ||
| - | opkg install tor ipset | + | opkg install tor |
| # Configure Tor client | # Configure Tor client | ||
| cat << EOF > / | cat << EOF > / | ||
| AutomapHostsOnResolve 1 | AutomapHostsOnResolve 1 | ||
| + | AutomapHostsSuffixes . | ||
| VirtualAddrNetworkIPv4 172.16.0.0/ | VirtualAddrNetworkIPv4 172.16.0.0/ | ||
| - | VirtualAddrNetworkIPv6 fc00::/7 | + | VirtualAddrNetworkIPv6 |
| DNSPort 0.0.0.0: | DNSPort 0.0.0.0: | ||
| DNSPort [::]:9053 | DNSPort [::]:9053 | ||
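Review bot: `AutomapHostsSuffixes .`, added beside `AutomapHostsOnResolve 1`, makes Tor answer every name resolved through its DNSPort with a synthetic address from VirtualAddrNetworkIPv4/IPv6, not only `.onion` and `.exit` names; that is what allows the firewall step to intercept all LAN TCP without the old destination IP sets (hence `opkg install tor` without `ipset`), and the prose above the block should state it, because a reader who keeps a per-domain rebind whitelist for Tor names will have ordinary names fail to resolve. The new value replacing `VirtualAddrNetworkIPv6 fc00::/7` is cut off in this rendering; the change itself is justified (fc00::/7 is the whole ULA block and collides with any fd00::/8 prefix assigned to LAN), so make sure the replacement range cannot overlap an address actually in use. Also note that `DNSPort 0.0.0.0:` and `DNSPort [::]:9053` bind on every interface and rely on the WAN input policy to stay unreachable from outside.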
| Line 36: | Line 37: | ||
| EOF | EOF | ||
| cat << EOF >> / | cat << EOF >> / | ||
| - | /etc/tor/custom | + | /etc/tor |
| EOF | EOF | ||
| uci del_list tor.conf.tail_include="/ | uci del_list tor.conf.tail_include="/ | ||
| uci add_list tor.conf.tail_include="/ | uci add_list tor.conf.tail_include="/ | ||
| uci commit tor | uci commit tor | ||
| - | / | + | service |
| </ | </ | ||
| + | |||
| + | Prefer [[docs: | ||
| ==== 2. Firewall ==== | ==== 2. Firewall ==== | ||
| - | Set up IP sets for Tor destinations. | ||
| Configure firewall to intercept LAN traffic. | Configure firewall to intercept LAN traffic. | ||
| - | Disable LAN to WAN forwarding to avoid traffic | + | Disable LAN to WAN forwarding to prevent |
| <code bash> | <code bash> | ||
| - | # Fetch LAN subnet | ||
| - | . / | ||
| - | network_flush_cache | ||
| - | network_get_subnet NET_SUB lan | ||
| - | network_get_subnet6 NET_SUB6 lan | ||
| - | |||
| - | # Configure IP sets | ||
| - | uci -q delete firewall.tor | ||
| - | uci set firewall.tor=" | ||
| - | uci set firewall.tor.name=" | ||
| - | uci set firewall.tor.family=" | ||
| - | uci set firewall.tor.storage=" | ||
| - | uci set firewall.tor.match=" | ||
| - | uci add_list firewall.tor.entry=" | ||
| - | uci add_list firewall.tor.entry=" | ||
| - | uci add_list firewall.tor.entry=" | ||
| - | uci add_list firewall.tor.entry=" | ||
| - | uci -q delete firewall.tor6 | ||
| - | uci set firewall.tor6=" | ||
| - | uci set firewall.tor6.name=" | ||
| - | uci set firewall.tor6.family=" | ||
| - | uci set firewall.tor6.storage=" | ||
| - | uci set firewall.tor6.match=" | ||
| - | uci add_list firewall.tor6.entry=":: | ||
| - | uci add_list firewall.tor6.entry=" | ||
| - | uci add_list firewall.tor6.entry=" | ||
| - | uci add_list firewall.tor6.entry="::/ | ||
| - | uci add_list firewall.tor6.entry=" | ||
| - | |||
| # Intercept TCP traffic | # Intercept TCP traffic | ||
| + | cat << " | ||
| + | TOR_CHAIN=" | ||
| + | TOR_RULE=" | ||
| + | | sed -n -e "/ | ||
| + | nft replace rule inet fw4 ${TOR_CHAIN} \ | ||
| + | handle ${TOR_RULE## | ||
| + | fib daddr type != { local, broadcast } ${TOR_RULE} | ||
| + | EOF | ||
| + | uci -q delete firewall.tor_nft | ||
| + | uci set firewall.tor_nft=" | ||
| + | uci set firewall.tor_nft.path="/ | ||
| uci -q delete firewall.tcp_int | uci -q delete firewall.tcp_int | ||
| uci set firewall.tcp_int=" | uci set firewall.tcp_int=" | ||
| uci set firewall.tcp_int.name=" | uci set firewall.tcp_int.name=" | ||
| uci set firewall.tcp_int.src=" | uci set firewall.tcp_int.src=" | ||
| + | uci set firewall.tcp_int.src_dport=" | ||
| uci set firewall.tcp_int.dest_port=" | uci set firewall.tcp_int.dest_port=" | ||
| uci set firewall.tcp_int.proto=" | uci set firewall.tcp_int.proto=" | ||
| - | uci set firewall.tcp_int.extra="--syn" | + | uci set firewall.tcp_int.family="any" |
| - | uci set firewall.tcp_int.ipset=" | + | |
| uci set firewall.tcp_int.target=" | uci set firewall.tcp_int.target=" | ||
| # Disable LAN to WAN forwarding | # Disable LAN to WAN forwarding | ||
| - | uci rename | + | uci -q delete |
| - | uci set firewall.lan_wan.enabled=" | + | |
| uci commit firewall | uci commit firewall | ||
| - | / | + | service |
| </ | </ | ||
| ==== 3. DNS over Tor ==== | ==== 3. DNS over Tor ==== | ||
| - | {{section> | + | {{section> |
| - | Redirect DNS traffic to Tor. | + | Redirect DNS traffic to Tor and prevent DNS leaks. |
| <code bash> | <code bash> | ||
| # Enable DNS over Tor | # Enable DNS over Tor | ||
| + | service dnsmasq stop | ||
| + | uci set dhcp.@dnsmasq[0].boguspriv=" | ||
| + | uci set dhcp.@dnsmasq[0].rebind_protection=" | ||
| + | uci set dhcp.@dnsmasq[0].noresolv=" | ||
| uci -q delete dhcp.@dnsmasq[0].server | uci -q delete dhcp.@dnsmasq[0].server | ||
| uci add_list dhcp.@dnsmasq[0].server=" | uci add_list dhcp.@dnsmasq[0].server=" | ||
| uci add_list dhcp.@dnsmasq[0].server=":: | uci add_list dhcp.@dnsmasq[0].server=":: | ||
| - | |||
| - | # Allow resolving for Tor-specific domains | ||
| - | uci set dhcp.@dnsmasq[0].boguspriv=" | ||
| - | uci -q delete dhcp.@dnsmasq[0].rebind_domain | ||
| - | uci add_list dhcp.@dnsmasq[0].rebind_domain="/ | ||
| - | |||
| - | # Enforce DNS over Tor for LAN clients | ||
| - | / | ||
| - | uci set dhcp.@dnsmasq[0].noresolv=" | ||
| uci commit dhcp | uci commit dhcp | ||
| - | / | + | service |
| </ | </ | ||
| - | |||
| - | ==== 4. NAT6 ==== | ||
| - | {{section> | ||
| ===== Testing ===== | ===== Testing ===== | ||
| Verify that you are using Tor. | Verify that you are using Tor. | ||
| - | * [[https:// | + | * [[https:// |
| - | Check your client public | + | |
| - | * [[https:// | + | Check your IP and DNS provider. |
| - | Make sure there is no DNS leak on the client side. | + | * [[https:// |
| - | * [[https:// | + | * [[https://www.dnsleaktest.com/ |
| ===== Troubleshooting ===== | ===== Troubleshooting ===== | ||
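Review bot: the new nft include (`TOR_CHAIN`/`TOR_RULE` ... `nft replace rule inet fw4 ... fib daddr type != { local, broadcast }`) rewrites the generated `tcp_int` redirect so connections addressed to the router's own addresses are not sent to Tor; that guard is necessary (without it LAN access to SSH, LuCI and dnsmasq on the router is redirected as well), but it depends on locating the fw4 rule with `sed -n -e` and on the handle taken from `${TOR_RULE##...}`, so when the generated rule text does not match, the `nft replace` fails and the original unguarded redirect stays loaded. Have the script check that `TOR_RULE` is non-empty before calling `nft replace`, and point the reader at `nft list ruleset` to confirm the `fib daddr type` rule is present. On the DNS step: `boguspriv`, `rebind_protection` and `noresolv` are now set globally (values cut off here) in place of the removed `rebind_domain` whitelist for Tor-specific domains; if rebind protection is being switched off, say why (with `AutomapHostsSuffixes .` every answer from Tor's DNSPort is a private virtual address) and that this is acceptable only because `noresolv` together with the two `server` entries makes dnsmasq forward exclusively to Tor.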
| Line 136: | Line 111: | ||
| <code bash> | <code bash> | ||
| # Restart services | # Restart services | ||
| - | / | + | service |
| # Log and status | # Log and status | ||
| Line 143: | Line 118: | ||
| # Runtime configuration | # Runtime configuration | ||
| pgrep -f -a tor | pgrep -f -a tor | ||
| - | iptables-save; | + | nft list ruleset |
| # Persistent configuration | # Persistent configuration | ||