Tor extras This article relies on the following: Accessing OpenWrt CLI Managing configurations Managing packages Managing services Introduction This how-to describes the most common Tor tuning scenarios adapted for OpenWrt. Follow Tor client for the client setup first: the snippets below build on the Tor and firewall configuration from that page (in particular the Tor DNSPort on 127.0.0.1#9053 and the dns_int, tcp_int and ssh_int firewall rules that are referenced but not defined here). Follow Random generator to overcome low entropy issues, which otherwise stall Tor's key generation on embedded hardware. Extras References Tor documentation Tor community documentation Onion services Allow remote access to the router with Tor onion services. Beware of security issues: an onion service exposes the router's SSH port to anyone who learns the onion address, so use key-based SSH authentication with password logins disabled, and consider Tor client authorization (client keys under the HiddenServiceDir, see the Tor documentation) so that only holders of an authorized client key can connect at all. Tor creates the HiddenServiceDir and its private keys itself; do not loosen their permissions, and treat that directory as a secret when backing it up. # Configure Tor onion service cat << EOF > /etc/tor/onion HiddenServiceDir /var/lib/tor/hidden_service HiddenServicePort 22 127.0.0.1:22 EOF uci del_list tor.conf.tail_include="/etc/tor/onion" uci add_list tor.conf.tail_include="/etc/tor/onion" uci commit tor /etc/init.d/tor restart # Fetch onion service hostname cat /var/lib/tor/hidden_service/hostname SSH over Tor Allow SSH over Tor by intercepting only SSH traffic whose destination is the router itself: the ssh_int redirect rule is narrowed with src_dip to the LAN address, so SSH sessions from LAN clients to other hosts are no longer diverted into Tor. # Intercept SSH traffic NET_ADDR="$(uci get network.lan.ipaddr)" uci set firewall.ssh_int.src_dip="${NET_ADDR}" uci commit firewall /etc/init.d/firewall restart Selective routing Implement selective routing to route only specific domains through the Tor network while all other traffic keeps using the regular WAN path. Install the packages and configure IP sets for Tor-routed domains. Intercept DNS queries with Dnsmasq. Intercept TCP traffic whose destination matches the IP sets. Forward traffic for domains not matching the IP sets directly to WAN. Configure the domains whose addresses should be stored in the IP sets. Use selective DNS over Tor for exactly those domains to prevent DNS leaks. Note that only TCP is intercepted (Tor carries TCP only); whether UDP or ICMP to a Tor-routed destination is dropped or leaks via WAN depends on the zone forwarding policy inherited from the Tor client page, so verify that it is rejected.
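# Install packages.
# NOTE(review): removing dnsmasq stops the router's only local resolver, so an
# opkg install that still has to download anything afterwards can fail on name
# resolution. Fetch everything that needs the network first, then swap the
# packages and install dnsmasq-full from the local cache.
opkg update
opkg install ipset
cd /tmp/ || exit 1
opkg download dnsmasq-full
opkg remove dnsmasq
opkg install dnsmasq-full --cache /tmp/

# Configure IP sets that hold the resolved addresses of Tor-routed domains:
# one IPv4 set and one IPv6 set, both populated by Dnsmasq further below.
uci -q delete firewall.tor
uci set firewall.tor="ipset"
uci set firewall.tor.name="tor"
uci set firewall.tor.family="ipv4"
uci set firewall.tor.storage="hash"
uci set firewall.tor.match="ip"
uci -q delete firewall.tor6
uci set firewall.tor6="ipset"
uci set firewall.tor6.name="tor6"
uci set firewall.tor6.family="ipv6"
uci set firewall.tor6.storage="hash"
uci set firewall.tor6.match="ip"

# Intercept DNS and TCP traffic.
# dns_int and tcp_int are presumably the redirect rules created on the Tor
# client page; they must already exist. DNS interception is widened to TCP and
# UDP on every port, TCP interception is narrowed to destinations in the set.
uci -q delete firewall.dns_int.dest_port
uci set firewall.dns_int.proto="tcp udp"
uci set firewall.tcp_int.ipset="tor dest"

# Forward non-Tor domains straight to WAN.
# Destinations present in the sets never match these rules; they are caught by
# tcp_int before forwarding. Anything else not covered here falls through to the
# lan->wan zone policy, which is expected to reject it (verify on your setup).
uci -q delete firewall.lan_fwd
uci set firewall.lan_fwd="rule"
uci set firewall.lan_fwd.name="Allow-NonTor-Forward"
uci set firewall.lan_fwd.src="lan"
uci set firewall.lan_fwd.dest="wan"
uci set firewall.lan_fwd.ipset="!tor dest"
uci set firewall.lan_fwd.family="ipv4"
uci set firewall.lan_fwd.proto="all"
uci set firewall.lan_fwd.target="ACCEPT"
uci -q delete firewall.lan6_fwd
uci set firewall.lan6_fwd="rule"
uci set firewall.lan6_fwd.name="Allow-NonTor-Forward"
uci set firewall.lan6_fwd.src="lan"
uci set firewall.lan6_fwd.dest="wan"
uci set firewall.lan6_fwd.ipset="!tor6 dest"
uci set firewall.lan6_fwd.family="ipv6"
uci set firewall.lan6_fwd.proto="all"
uci set firewall.lan6_fwd.target="ACCEPT"
uci commit firewall
/etc/init.d/firewall restart

# Allow Tor-specific answers despite DNS rebind protection.
# Tor's DNSPort answers .onion/.exit lookups with virtual addresses (by default
# from a loopback range) that Dnsmasq's rebind protection would reject.
# Whitelist only those domains rather than switching the protection off for
# every LAN client, which would re-open DNS rebinding attacks on the whole LAN.
uci set dhcp.@dnsmasq[0].rebind_protection="1"
uci -q delete dhcp.@dnsmasq[0].rebind_domain
uci add_list dhcp.@dnsmasq[0].rebind_domain="onion"
uci add_list dhcp.@dnsmasq[0].rebind_domain="exit"

# Configure Tor-routed domains: every address Dnsmasq resolves for these names
# (and their subdomains) is added to the tor/tor6 sets. Replace the example
# entries with the domains you actually want routed through Tor.
uci -q delete dhcp.@dnsmasq[0].ipset
uci add_list dhcp.@dnsmasq[0].ipset="/exit/tor,tor6"
uci add_list dhcp.@dnsmasq[0].ipset="/onion/tor,tor6"
uci add_list dhcp.@dnsmasq[0].ipset="/example.com/tor,tor6"
uci add_list dhcp.@dnsmasq[0].ipset="/example.net/tor,tor6"

# Enable selective DNS over Tor.
# The same domains are resolved through Tor's DNSPort (127.0.0.1#9053, set up
# on the Tor client page) so their lookups never leave via the WAN resolver.
# Keep this list in sync with the ipset list above: a domain in only one of
# them either leaks its DNS query or never lands in the IP set.
uci -q delete dhcp.@dnsmasq[0].server
uci add_list dhcp.@dnsmasq[0].server="/exit/127.0.0.1#9053"
uci add_list dhcp.@dnsmasq[0].server="/onion/127.0.0.1#9053"
uci add_list dhcp.@dnsmasq[0].server="/example.com/127.0.0.1#9053"
uci add_list dhcp.@dnsmasq[0].server="/example.net/127.0.0.1#9053"
uci commit dhcp
/etc/init.d/dnsmasq restart

# See also: DNS-based firewall with IP sets
# Last modified: 2020/11/25 07:23 by vgaetera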