Tor client
Introduction
- This how-to describes how to set up a Tor client on OpenWrt.
- It makes your router provide access to the dark net for LAN clients.
- Tor only handles DNS and TCP traffic; use a VPN if you need to protect all traffic.
- Follow Tor extras for additional tuning.
Goals
- Provide anonymous communication with onion routing.
- Access the dark net and Tor hidden services.
- Encrypt your internet connection to improve security and privacy.
- Prevent data leaks and traffic spoofing on the client side.
- Bypass regional restrictions using public relay providers.
- Escape client side content filters and internet censorship.
Instructions
1. Tor client
Install and configure the Tor client.
# Install packages
opkg update
opkg install tor

# Configure Tor client
# Comment out any existing directives, then append the transparent proxy
# settings: DNS on port 9053 and TCP on port 9040, bound to all addresses
sed -i -e "
/^AutomapHostsOnResolve/s/^/#/
\$a AutomapHostsOnResolve 1
/^VirtualAddrNetwork/s/^/#/
\$a VirtualAddrNetworkIPv4 172.16.0.0/12
\$a VirtualAddrNetworkIPv6 fc00::/7
/^DNSPort/s/^/#/
\$a DNSPort 0.0.0.0:9053
\$a DNSPort [::]:9053
/^TransPort/s/^/#/
\$a TransPort 0.0.0.0:9040
\$a TransPort [::]:9040
" /etc/tor/torrc
/etc/init.d/tor restart
2. Firewall
Set up uHTTPd to listen on alternative ports if required. Configure the firewall to intercept LAN traffic. Disable LAN to WAN forwarding to avoid traffic leaks.
# Intercept SSH, HTTP and HTTPS traffic
# These redirects keep LAN connections to the router's own SSH and uHTTPd
# ports local, so the TCP intercept below does not catch them
uci -q delete firewall.ssh_int
uci set firewall.ssh_int="redirect"
uci set firewall.ssh_int.name="Intercept-SSH"
uci set firewall.ssh_int.src="lan"
uci set firewall.ssh_int.src_dport="22"
uci set firewall.ssh_int.proto="tcp"
uci set firewall.ssh_int.target="DNAT"
uci -q delete firewall.http_int
uci set firewall.http_int="redirect"
uci set firewall.http_int.name="Intercept-HTTP"
uci set firewall.http_int.src="lan"
uci set firewall.http_int.src_dport="8080"
uci set firewall.http_int.proto="tcp"
uci set firewall.http_int.target="DNAT"
uci -q delete firewall.https_int
uci set firewall.https_int="redirect"
uci set firewall.https_int.name="Intercept-HTTPS"
uci set firewall.https_int.src="lan"
uci set firewall.https_int.src_dport="8443"
uci set firewall.https_int.proto="tcp"
uci set firewall.https_int.target="DNAT"

# Intercept DNS and TCP traffic
# LAN DNS queries go to Tor's DNSPort (9053), new TCP connections (SYN only)
# to Tor's TransPort (9040)
uci -q delete firewall.dns_int
uci set firewall.dns_int="redirect"
uci set firewall.dns_int.name="Intercept-DNS"
uci set firewall.dns_int.src="lan"
uci set firewall.dns_int.src_dport="53"
uci set firewall.dns_int.dest_port="9053"
uci set firewall.dns_int.proto="udp"
uci set firewall.dns_int.target="DNAT"
uci -q delete firewall.tcp_int
uci set firewall.tcp_int="redirect"
uci set firewall.tcp_int.name="Intercept-TCP"
uci set firewall.tcp_int.src="lan"
uci set firewall.tcp_int.dest_port="9040"
uci set firewall.tcp_int.proto="tcp"
uci set firewall.tcp_int.extra="--syn"
uci set firewall.tcp_int.target="DNAT"

# Disable LAN to WAN forwarding
# Without this, traffic Tor does not handle (UDP, ICMP) would leave the WAN directly
uci rename firewall.@forwarding[0]="lan_wan"
uci set firewall.lan_wan.enabled="0"
uci commit firewall
/etc/init.d/firewall restart
3. NAT6
Testing
Verify that you are using Tor.
Check your client public IP addresses.
Make sure there is no DNS leak on the client side.
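Before running the leak tests above, it is worth confirming that the torrc from step 1 actually carries the directives the step 2 firewall redirects rely on. The following script is an added example, not part of this wiki page: it checks a torrc for every uncommented "Directive Value" pair the sed script appends, using a constructed sample torrc when no file path is given.

```sh
#!/bin/sh
# Added example, not from the OpenWrt wiki: verify that a torrc contains every
# directive the step 1 sed script appends, so the step 2 redirects to ports
# 9053 and 9040 do not send LAN traffic to ports Tor is not listening on.
EXPECTED='AutomapHostsOnResolve 1
VirtualAddrNetworkIPv4 172.16.0.0/12
VirtualAddrNetworkIPv6 fc00::/7
DNSPort 0.0.0.0:9053
DNSPort [::]:9053
TransPort 0.0.0.0:9040
TransPort [::]:9040'
# Constructed sample torrc resembling /etc/tor/torrc after the sed edits.
SAMPLE_TORRC='#AutomapHostsOnResolve 1
AutomapHostsOnResolve 1
VirtualAddrNetworkIPv4 172.16.0.0/12
VirtualAddrNetworkIPv6 fc00::/7
DNSPort 0.0.0.0:9053
DNSPort [::]:9053
TransPort 0.0.0.0:9040
TransPort [::]:9040'

# torrc_has FILE DIRECTIVE VALUE: true when an uncommented "DIRECTIVE VALUE"
# line exists; exact field comparison sidesteps regex issues with "[::]:9053".
torrc_has() {
    awk -v d="$2" -v v="$3" '
        /^[[:space:]]*#/ { next }
        $1 == d && $2 == v { found = 1 }
        END { exit found ? 0 : 1 }' "$1"
}

# torrc_check FILE: report each missing directive on stderr; non-zero if any.
torrc_check() {
    missing=0
    while read -r directive value; do
        torrc_has "$1" "$directive" "$value" && continue
        echo "missing: $directive $value" >&2
        missing=1
    done <<EOF
$EXPECTED
EOF
    return $missing
}

# check_sample: run torrc_check against the constructed sample; returns 0.
check_sample() {
    tmp=$(mktemp) || return 1
    printf '%s\n' "$SAMPLE_TORRC" > "$tmp"
    torrc_check "$tmp"; status=$?
    rm -f "$tmp"; return $status
}
# Pass a torrc path to check a real file; with no argument, check the sample.
if [ $# -gt 0 ]; then torrc_check "$1"; else check_sample && echo "torrc OK"; fi
```

On the router, run it as `sh check-torrc.sh /etc/tor/torrc` (file name is an assumption); any "missing:" line means the sed script did not apply cleanly.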
Troubleshooting
Collect and analyze the following information.
# Restart the services
/etc/init.d/log restart; /etc/init.d/firewall restart; /etc/init.d/dnsmasq restart; /etc/init.d/tor restart

# Log and status
logread -e Tor; netstat -l -n -p | grep -e tor
logread -e dnsmasq; netstat -l -n -p | grep -e dnsmasq

# Runtime configuration
pgrep -f -a dnsmasq; pgrep -f -a tor
ip address show; ip route show; ip rule show; iptables-save
ip -6 address show; ip -6 route show; ip -6 rule show; ip6tables-save
ipset list

# Persistent configuration
uci show firewall; uci show dhcp
grep -v -e "^#" -e "^$" /etc/tor/torrc