Tor extras

• This how-to describes the most common Tor tuning scenarios adapted for OpenWrt.
• Follow Tor client for client setup.
• Follow Random generator to overcome low entropy issues.

• Tor documentation
• Tor community documentation

Allow remote access to the router with Tor onion services. Beware of security issues.

# Configure Tor onion service
cat << EOF > /etc/tor/onion
HiddenServiceDir /var/lib/tor/hidden_service
HiddenServicePort 22 127.0.0.1:22
EOF
uci del_list tor.conf.tail_include="/etc/tor/onion"
uci add_list tor.conf.tail_include="/etc/tor/onion"
uci commit tor
/etc/init.d/tor restart
 
# Fetch onion service hostname
cat /var/lib/tor/hidden_service/hostname

Allow SSH over Tor by intercepting only SSH traffic which destination is the router.

# Intercept SSH traffic
NET_ADDR="$(uci get network.lan.ipaddr)"
uci set firewall.ssh_int.src_dip="${NET_ADDR}"
uci commit firewall
/etc/init.d/firewall restart

Implement selective routing to route only specific domains to Tor network. Install the packages and configure IP sets for Tor-routed domains. Intercept DNS queries with Dnsmasq. Intercept TCP traffic which destination matches the IP sets. Forward domains not matching the IP sets. Configure the domains which addresses should be stored in the IP sets. Utilize selective DNS over Tor to prevent DNS leak.

# Install packages
opkg update
opkg remove dnsmasq
opkg install dnsmasq-full ipset
 
# Configure IP sets
uci -q delete firewall.tor
uci set firewall.tor="ipset"
uci set firewall.tor.name="tor"
uci set firewall.tor.family="ipv4"
uci set firewall.tor.storage="hash"
uci set firewall.tor.match="ip"
uci -q delete firewall.tor6
uci set firewall.tor6="ipset"
uci set firewall.tor6.name="tor6"
uci set firewall.tor6.family="ipv6"
uci set firewall.tor6.storage="hash"
uci set firewall.tor6.match="ip"
 
# Intercept DNS and TCP traffic
uci -q delete firewall.dns_int.dest_port
uci set firewall.dns_int.proto="tcp udp"
uci set firewall.tcp_int.ipset="tor dest"
 
# Forward non-Tor domains
uci -q delete firewall.lan_fwd
uci set firewall.lan_fwd="rule"
uci set firewall.lan_fwd.name="Allow-NonTor-Forward"
uci set firewall.lan_fwd.src="lan"
uci set firewall.lan_fwd.dest="wan"
uci set firewall.lan_fwd.ipset="!tor dest"
uci set firewall.lan_fwd.family="ipv4"
uci set firewall.lan_fwd.proto="all"
uci set firewall.lan_fwd.target="ACCEPT"
uci -q delete firewall.lan6_fwd
uci set firewall.lan6_fwd="rule"
uci set firewall.lan6_fwd.name="Allow-NonTor-Forward"
uci set firewall.lan6_fwd.src="lan"
uci set firewall.lan6_fwd.dest="wan"
uci set firewall.lan6_fwd.ipset="!tor6 dest"
uci set firewall.lan6_fwd.family="ipv6"
uci set firewall.lan6_fwd.proto="all"
uci set firewall.lan6_fwd.target="ACCEPT"
uci commit firewall
/etc/init.d/firewall restart
 
# Allow routing for Tor-specific domains
uci set dhcp.@dnsmasq[0].rebind_protection="0"
 
# Configure Tor-routed domains
uci -q delete dhcp.@dnsmasq[0].ipset
uci add_list dhcp.@dnsmasq[0].ipset="/exit/tor,tor6"
uci add_list dhcp.@dnsmasq[0].ipset="/onion/tor,tor6"
uci add_list dhcp.@dnsmasq[0].ipset="/example.com/tor,tor6"
uci add_list dhcp.@dnsmasq[0].ipset="/example.net/tor,tor6"
 
# Enable selective DNS over Tor
uci -q delete dhcp.@dnsmasq[0].server
uci add_list dhcp.@dnsmasq[0].server="/exit/127.0.0.1#9053"
uci add_list dhcp.@dnsmasq[0].server="/onion/127.0.0.1#9053"
uci add_list dhcp.@dnsmasq[0].server="/example.com/127.0.0.1#9053"
uci add_list dhcp.@dnsmasq[0].server="/example.net/127.0.0.1#9053"
uci commit dhcp
/etc/init.d/dnsmasq restart

See also: DNS-based firewall with IP sets