Tor extras

This article relies on the following:

Introduction

  • This how-to describes the most common Tor tuning scenarios adapted for OpenWrt.
  • Follow Tor client for client setup.
  • Follow Random generator to overcome low entropy issues.

Extras

References

Exit nodes

Exclude dubious exit nodes by their country code. 

# Install packages
opkg update
opkg install tor-geoip
 
# Exclude exit nodes
cat << EOF >> /etc/tor/custom
ExcludeExitNodes {??}, {by}, {kz}, {ru}, {ua}
EOF
/etc/init.d/tor restart

Onion services

Allow remote access to the router with Tor onion services. Beware of security issues. 

# Enable Tor onion service
cat << EOF >> /etc/tor/custom
HiddenServiceDir /var/lib/tor/hidden_service
HiddenServicePort 22 127.0.0.1:22
EOF
/etc/init.d/tor restart
 
# Fetch onion service hostname
cat /var/lib/tor/hidden_service/hostname

Enable authorization for improved security. See details for v3 key generation. Also see forum post.

Socks proxy

Enable Tor socks proxy. 

# Enable Tor socks proxy
cat << EOF >> /etc/tor/custom
SOCKSPort 0.0.0.0:9050
SOCKSPort [::]:9050
EOF
/etc/init.d/tor restart

Selective routing

Route only specific domains to Tor network. Configure IP sets for Tor destinations. Allow forwarding for non-Tor destinations. Selectively resolve domains with DNS over Tor. 

# Install packages
opkg update
opkg install ipset
 
# Configure IP sets
uci set firewall.tcp_int.ipset="tor dest"
uci -q delete firewall.tor
uci set firewall.tor="ipset"
uci set firewall.tor.name="tor"
uci set firewall.tor.family="ipv4"
uci set firewall.tor.storage="hash"
uci set firewall.tor.match="net"
uci add_list firewall.tor.entry="172.16.0.0/12"
uci -q delete firewall.tor6
uci set firewall.tor6="ipset"
uci set firewall.tor6.name="tor6"
uci set firewall.tor6.family="ipv6"
uci set firewall.tor6.storage="hash"
uci set firewall.tor6.match="net"
uci add_list firewall.tor6.entry="fc00::/7"
 
# Allow forwarding for non-Tor destinations
uci -q delete firewall.lan_fwd
uci set firewall.lan_fwd="rule"
uci set firewall.lan_fwd.name="Allow-NonTor-Forward"
uci set firewall.lan_fwd.src="lan"
uci set firewall.lan_fwd.dest="wan"
uci set firewall.lan_fwd.proto="all"
uci set firewall.lan_fwd.family="ipv4"
uci set firewall.lan_fwd.ipset="!tor dest"
uci set firewall.lan_fwd.target="ACCEPT"
uci -q delete firewall.lan6_fwd
uci set firewall.lan6_fwd="rule"
uci set firewall.lan6_fwd.name="Allow-NonTor-Forward"
uci set firewall.lan6_fwd.src="lan"
uci set firewall.lan6_fwd.dest="wan"
uci set firewall.lan6_fwd.proto="all"
uci set firewall.lan6_fwd.family="ipv6"
uci set firewall.lan6_fwd.ipset="!tor6 dest"
uci set firewall.lan6_fwd.target="ACCEPT"
uci commit firewall
/etc/init.d/firewall restart
 
# Configure Tor-routed domains
uci -q delete dhcp.@dnsmasq[0].noresolv
uci -q delete dhcp.@dnsmasq[0].server
uci add_list dhcp.@dnsmasq[0].server="/onion/127.0.0.1#9053"
uci add_list dhcp.@dnsmasq[0].server="/example.com/127.0.0.1#9053"
uci add_list dhcp.@dnsmasq[0].server="/example.net/127.0.0.1#9053"
uci commit dhcp
/etc/init.d/dnsmasq restart

Automated

Automated Tor client installation. 

URL="https://openwrt.org/_export/code/docs/guide-user/services/tor"
alias uclient-fetch="uclient-fetch --no-check-certificate"
cat << EOF > tor-client.sh
$(uclient-fetch -O - "${URL}/client?codeblock=0")
$(uclient-fetch -O - "${URL}/client?codeblock=1")
$(uclient-fetch -O - "${URL}/client?codeblock=2")
$(uclient-fetch -O - "${URL}/client?codeblock=3")
$(uclient-fetch -O - "${URL}/client?codeblock=4")
EOF
sh tor-client.sh
This website uses cookies. By using the website, you agree with storing cookies on your computer. Also you acknowledge that you have read and understand our Privacy Policy. If you do not agree leave the website.More information about cookies
  • Last modified: 2021/10/06 16:10
  • by vgaetera