This is an old revision of the document!


Tor client

  • This how-to describes the method for setting up a Tor client on OpenWrt.
  • It makes your router provide access to the dark net for LAN clients.
  • Tor is limited to DNS and TCP traffic; use a VPN to protect all traffic.
  • Follow Tor extras for additional tuning.
  • Provide anonymous communication with onion routing.
    • Access the dark net and Tor hidden services.
  • Encrypt your internet connection to enforce security and privacy.
    • Prevent data leaks and traffic spoofing on the client side.
  • Bypass regional restrictions using public relay providers.
    • Escape client-side content filters and internet censorship.

Install and configure the Tor client.

# Install packages
opkg update
opkg install tor
 
# Configure Tor client
sed -i -e "
/^AutomapHostsOnResolve/s/^/#/
\$a AutomapHostsOnResolve 1
/^VirtualAddrNetwork/s/^/#/
\$a VirtualAddrNetworkIPv4 172.16.0.0/12
\$a VirtualAddrNetworkIPv6 fc00::/7
/^DNSPort/s/^/#/
\$a DNSPort 0.0.0.0:9053
\$a DNSPort [::]:9053
/^TransPort/s/^/#/
\$a TransPort 0.0.0.0:9040
\$a TransPort [::]:9040
" /etc/tor/torrc
/etc/init.d/tor restart

Set up uHTTPd to listen on alternative ports if required; the HTTP and HTTPS intercept rules below match ports 8080 and 8443. Configure the firewall to intercept LAN traffic. Disable LAN to WAN forwarding to avoid traffic leaks.

# Intercept SSH, HTTP and HTTPS traffic
uci -q delete firewall.ssh_int
uci set firewall.ssh_int="redirect"
uci set firewall.ssh_int.name="Intercept-SSH"
uci set firewall.ssh_int.src="lan"
uci set firewall.ssh_int.src_dport="22"
uci set firewall.ssh_int.proto="tcp"
uci set firewall.ssh_int.target="DNAT"
uci -q delete firewall.http_int
uci set firewall.http_int="redirect"
uci set firewall.http_int.name="Intercept-HTTP"
uci set firewall.http_int.src="lan"
uci set firewall.http_int.src_dport="8080"
uci set firewall.http_int.proto="tcp"
uci set firewall.http_int.target="DNAT"
uci -q delete firewall.https_int
uci set firewall.https_int="redirect"
uci set firewall.https_int.name="Intercept-HTTPS"
uci set firewall.https_int.src="lan"
uci set firewall.https_int.src_dport="8443"
uci set firewall.https_int.proto="tcp"
uci set firewall.https_int.target="DNAT"
 
# Intercept DNS and TCP traffic
uci -q delete firewall.dns_int
uci set firewall.dns_int="redirect"
uci set firewall.dns_int.name="Intercept-DNS"
uci set firewall.dns_int.src="lan"
uci set firewall.dns_int.src_dport="53"
uci set firewall.dns_int.dest_port="9053"
uci set firewall.dns_int.proto="udp"
uci set firewall.dns_int.target="DNAT"
uci -q delete firewall.tcp_int
uci set firewall.tcp_int="redirect"
uci set firewall.tcp_int.name="Intercept-TCP"
uci set firewall.tcp_int.src="lan"
uci set firewall.tcp_int.dest_port="9040"
uci set firewall.tcp_int.proto="tcp"
uci set firewall.tcp_int.extra="--syn"
uci set firewall.tcp_int.target="DNAT"
 
# Disable LAN to WAN forwarding
uci rename firewall.@forwarding[0]="lan_wan"
uci set firewall.lan_wan.enabled="0"
uci commit firewall
/etc/init.d/firewall restart

Verify that you are using Tor.

Check your client's public IP addresses.

Make sure there is no DNS leak on the client side.

Collect and analyze the following information.

# Restart the services
/etc/init.d/log restart; /etc/init.d/firewall restart; /etc/init.d/dnsmasq restart; /etc/init.d/tor restart
 
# Log and status
logread -e Tor; netstat -l -n -p | grep -e tor
logread -e dnsmasq; netstat -l -n -p | grep -e dnsmasq
 
# Runtime configuration
pgrep -f -a dnsmasq; pgrep -f -a tor
ip address show; ip route show; ip rule show; iptables-save
ip -6 address show; ip -6 route show; ip -6 rule show; ip6tables-save
ipset list
 
# Persistent configuration
uci show firewall; uci show dhcp
grep -v -e "^#" -e "^$" /etc/tor/torrc
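
The persistent configuration collected above can also be checked mechanically. The following shell function is an added example, not part of the original how-to: it verifies that the active torrc lines and a saved `uci show firewall` dump still carry the settings applied on this page. The function names, sample files and output format are assumptions made for illustration.

```shell
#!/bin/sh
# Added example, not from the wiki page. audit_tor_gateway TORRC FWDUMP
# checks the settings this how-to applies. FWDUMP is a file holding the
# output of `uci show firewall`. Returns the number of failed checks.
audit_tor_gateway() {
    a_torrc=$1; a_fw=$2; a_fails=0
    # Effective torrc lines: drop comments and blanks, normalise whitespace
    a_active=$(awk '!/^[[:space:]]*#/ && NF { $1 = $1; print }' "$a_torrc")
    for a_want in "AutomapHostsOnResolve 1" \
                  "DNSPort 0.0.0.0:9053" "TransPort 0.0.0.0:9040"; do
        if printf '%s\n' "$a_active" | grep -q -x -F -e "$a_want"; then
            echo "ok    torrc: $a_want"
        else
            echo "FAIL  torrc: no active '$a_want'"; a_fails=$((a_fails + 1))
        fi
    done
    # uci show prints option values single-quoted
    for a_want in "firewall.dns_int.dest_port='9053'" \
                  "firewall.tcp_int.dest_port='9040'" \
                  "firewall.lan_wan.enabled='0'"; do
        if grep -q -x -F -e "$a_want" "$a_fw"; then
            echo "ok    firewall: $a_want"
        else
            echo "FAIL  firewall: missing $a_want"; a_fails=$((a_fails + 1))
        fi
    done
    return "$a_fails"
}

# Constructed sample inputs (not captured from a real router)
write_samples() {
    cat > "$1/torrc" <<'EOF'
#DNSPort 127.0.0.1:9053
AutomapHostsOnResolve 1
DNSPort   0.0.0.0:9053
TransPort 0.0.0.0:9040
EOF
    cat > "$1/fw_good" <<'EOF'
firewall.dns_int.dest_port='9053'
firewall.tcp_int.dest_port='9040'
firewall.lan_wan=forwarding
firewall.lan_wan.enabled='0'
EOF
    # Same dump without the 'enabled' option: LAN to WAN forwarding is still on
    grep -v -F -e "enabled" "$1/fw_good" > "$1/fw_leak"
}
```

On the router, save the dump with `uci show firewall > /tmp/fw.txt` and call `audit_tor_gateway /etc/tor/torrc /tmp/fw.txt`; a non-zero return value means at least one setting from this page is missing, for example LAN to WAN forwarding left enabled.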
  • Last modified: 2020/08/27 10:25
  • by vgaetera