Differences

This shows you the differences between two versions of the page.

docs:guide-user:services:tor:client [2023/01/12 09:48] – [2. Firewall] optimize code vgaeteradocs:guide-user:services:tor:client [2023/10/14 13:39] – [Introduction] vgaetera
Line 1: Line 1:
 ====== Tor client ====== ====== Tor client ======
-{{section>meta:infobox:howto_links#cli_skills&noheader&nofooter&noeditbutton}}+{{section>meta:infobox:howto_links#basic_skills&noheader&nofooter&noeditbutton}}
  
 ===== Introduction ===== ===== Introduction =====
   * This how-to describes the method for setting up [[wp>Tor_(anonymity_network)|Tor]] client on OpenWrt.   * This how-to describes the method for setting up [[wp>Tor_(anonymity_network)|Tor]] client on OpenWrt.
   * Tor is limited to DNS and TCP traffic, use [[docs:guide-user:services:vpn:start|VPN]] to protect all traffic.   * Tor is limited to DNS and TCP traffic, use [[docs:guide-user:services:vpn:start|VPN]] to protect all traffic.
-  * Follow [[docs:guide-user:services:tor:extras|Tor extras]] for additional tuning.+  * Follow [[docs:guide-user:services:tor:extras|Tor extras]] for automated setup and additional tuning.
  
 ===== Goals ===== ===== Goals =====
Line 11: Line 11:
     * Access the dark net and Tor hidden services.     * Access the dark net and Tor hidden services.
   * Encrypt your internet connection to enforce security and privacy.   * Encrypt your internet connection to enforce security and privacy.
-    * Prevent data leak and traffic spoofing on the client side.+    * Prevent traffic leaks and spoofing on the client side.
   * Bypass regional restrictions using public relay providers.   * Bypass regional restrictions using public relay providers.
     * Escape client side content filters and internet censorship.     * Escape client side content filters and internet censorship.
Line 42: Line 42:
 uci add_list tor.conf.tail_include="/etc/tor/custom" uci add_list tor.conf.tail_include="/etc/tor/custom"
 uci commit tor uci commit tor
-/etc/init.d/tor restart+service tor restart
 </code> </code>
  
-Enable [[docs:guide-user:network:ipv6:ipv6_extras#using_ipv6_by_default|IPv6 by default]] and announce the [[docs:guide-user:network:ipv6:ipv6_extras#announcing_default_ipv6_route|default IPv6 route]] if necessary.+Prefer [[docs:guide-user:network:ipv6:ipv6_extras#using_ipv6_by_default|IPv6 by default]] or announce [[docs:guide-user:network:ipv6:ipv6_extras#announcing_ipv6_default_route|IPv6 default route]] if necessary.
  
 ==== 2. Firewall ==== ==== 2. Firewall ====
 Configure firewall to intercept LAN traffic. Configure firewall to intercept LAN traffic.
-Disable LAN to WAN forwarding to avoid traffic leak.+Disable LAN to WAN forwarding to prevent traffic leaks.
  
 <code bash> <code bash>
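Review bot: the IPv6 link anchor changes from `announcing_default_ipv6_route` to `announcing_ipv6_default_route`, which only works if the heading on the ipv6_extras page was renamed the same way; please confirm the target anchor exists, otherwise the link silently lands at the top of that page. The `/etc/init.d/tor restart` to `service tor restart` swap is fine for an interactive shell, but on older releases `service` is only a shell function defined in /etc/profile, so readers who paste these lines into a script or cron job may need the `/etc/init.d/...` form there.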
Line 55: Line 55:
 cat << "EOF" > /etc/nftables.d/tor.sh cat << "EOF" > /etc/nftables.d/tor.sh
 TOR_CHAIN="dstnat_$(uci -q get firewall.tcp_int.src)" TOR_CHAIN="dstnat_$(uci -q get firewall.tcp_int.src)"
-nft list chain inet fw4 ${TOR_CHAIN} \ +TOR_RULE="$(nft -a list chain inet fw4 ${TOR_CHAIN} \ 
-| sed -e "/Intercept-TCP/+| sed -n -e "/Intercept-TCP/p")" 
-s/^/fib daddr type != { local, broadcast }+nft replace rule inet fw4 ${TOR_CHAIN} \ 
-1i flush chain inet fw4 ${TOR_CHAIN}" \ +handle ${TOR_RULE##* } 
-| nft -f -+fib daddr type != { local, broadcast } ${TOR_RULE}
 EOF EOF
 uci -q delete firewall.tor_nft uci -q delete firewall.tor_nft
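Review bot: the new `nft replace rule ... handle ${TOR_RULE##* }` has no guard for an empty or multi-line `TOR_RULE`. `sed -n -e "/Intercept-TCP/p"` prints every rule whose comment matches, so if the chain ever carries two such rules the replace body is two rules joined by a newline, `${TOR_RULE##* }` picks the handle of the last one, and nft rejects the command; if it matches nothing, the command fails the same way. In both cases the `fib daddr type != { local, broadcast }` exclusion is never applied and LAN traffic addressed to the router itself keeps being redirected into Tor's TransPort, which is the failure this script exists to prevent. Suggest `| sed -n -e "/Intercept-TCP/{p;q}")"` to take only the first match and a `[ -n "${TOR_RULE}" ] || exit 1` before the replace. The trailing `# handle N` that `nft -a` appends to the rule text is harmless because nft treats `#` as a comment, but a one-line comment in the script saying so would spare the next reader the same check. Replacing the single rule in place is an improvement over the previous flush-and-reload of the whole `dstnat_*` chain, which rewrote every other rule fw4 had generated there.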
Line 77: Line 77:
 uci -q delete firewall.@forwarding[0] uci -q delete firewall.@forwarding[0]
 uci commit firewall uci commit firewall
-/etc/init.d/firewall restart+service firewall restart
 </code> </code>
  
 ==== 3. DNS over Tor ==== ==== 3. DNS over Tor ====
 {{section>docs:guide-user:firewall:fw3_configurations:intercept_dns#command-line_instructions&noheader&nofooter&noeditbutton}} {{section>docs:guide-user:firewall:fw3_configurations:intercept_dns#command-line_instructions&noheader&nofooter&noeditbutton}}
-{{section>docs:guide-user:firewall:fw3_configurations:intercept_dns#ipv6_dns&noheader&nofooter&noeditbutton}} 
  
-Redirect DNS traffic to Tor.+Redirect DNS traffic to Tor and prevent DNS leaks.
  
 <code bash> <code bash>
 # Enable DNS over Tor # Enable DNS over Tor
-/etc/init.d/dnsmasq stop+service dnsmasq stop
 uci set dhcp.@dnsmasq[0].boguspriv="0" uci set dhcp.@dnsmasq[0].boguspriv="0"
 uci set dhcp.@dnsmasq[0].rebind_protection="0" uci set dhcp.@dnsmasq[0].rebind_protection="0"
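Review bot: `rebind_protection="0"` and `boguspriv="0"` are set without a word on why, and the hunk wording "prevent DNS leaks" makes it easy to mistake them for hardening. Disabling rebind protection removes dnsmasq's defence against private-range answers from upstream for every name, and disabling boguspriv forwards reverse lookups of private ranges upstream; both are defensible here only because the sole upstream is Tor's local DNSPort (the `::1#9053` server entry in the next hunk), so please state that and warn readers not to leave them at 0 if they later add a public resolver. Also, the `ipv6_dns` include is dropped while the IPv6 upstream stays; if that section carried the IPv6 DNS interception rules, IPv6 clients can now bypass dnsmasq and the "prevent DNS leaks" claim no longer holds for them, so confirm the remaining `command-line_instructions` include covers both address families.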
Line 96: Line 95:
 uci add_list dhcp.@dnsmasq[0].server="::1#9053" uci add_list dhcp.@dnsmasq[0].server="::1#9053"
 uci commit dhcp uci commit dhcp
-/etc/init.d/dnsmasq start+service dnsmasq start
 </code> </code>
  
 ===== Testing ===== ===== Testing =====
 Verify that you are using Tor. Verify that you are using Tor.
-  * [[https://check.torproject.org/]] +  * [[https://check.torproject.org/|check.torproject.org]] 
-Check your client public IP addresses+ 
-  * [[https://ipleak.net/]] +Check your IP and DNS provider
-Make sure there is no DNS leak on the client side. +  * [[https://ipleak.net/|ipleak.net]] 
-  * [[https://dnsleaktest.com/]]+  * [[https://www.dnsleaktest.com/|dnsleaktest.com]]
  
 ===== Troubleshooting ===== ===== Troubleshooting =====
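Review bot: "Check your IP and DNS provider" does not say what a passing result looks like; spell out that both the public address and every DNS server listed must belong to Tor exit relays, since check.torproject.org only exercises the HTTP path and a non-Tor resolver showing up on ipleak.net or dnsleaktest.com is exactly the leak the DNS section is meant to prevent. The `::1#9053` server entry also presumes Tor has a DNSPort listening on ::1 as well as 127.0.0.1; if only the IPv4 port is configured, dnsmasq will keep retrying a dead upstream, so the Tor configuration step should show the matching listener or the entry should be dropped.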
Line 112: Line 111:
 <code bash> <code bash>
 # Restart services # Restart services
-/etc/init.d/log restart; /etc/init.d/firewall restart; /etc/init.d/tor restart+service log restart; service firewall restart; service tor restart
  
 # Log and status # Log and status
  • Last modified: 2023/10/18 07:17
  • by vgaetera