Tor extras

  • This how-to describes the most common Tor tuning scenarios adapted for OpenWrt.
  • Follow Tor client for client setup.
  • Follow Random generator to overcome low entropy issues.

Exclude dubious exit nodes by their country code.

# Install packages
opkg update
opkg install tor-geoip
 
# Exclude exit nodes
cat << EOF >> /etc/tor/custom
ExcludeExitNodes {??}, {by}, {kz}, {ru}, {ua}
EOF
/etc/init.d/tor restart

Allow remote access to the router through a Tor onion service. Be aware of the security implications.

# Enable Tor onion service
cat << EOF >> /etc/tor/custom
HiddenServiceDir /var/lib/tor/hidden_service
HiddenServicePort 22 127.0.0.1:22
EOF
/etc/init.d/tor restart
 
# Fetch onion service hostname
cat /var/lib/tor/hidden_service/hostname

Enable the Tor SOCKS proxy.

# Enable Tor socks proxy
cat << EOF >> /etc/tor/custom
SOCKSPort 0.0.0.0:9050
SOCKSPort [::]:9050
EOF
/etc/init.d/tor restart

Route only specific domains through the Tor network. Install the packages and set up IP sets for Tor destinations. Allow forwarding to non-Tor destinations. Configure the domains whose resolved addresses should be stored in the IP sets. Use DNS over Tor selectively for those domains.

# Install packages
opkg update
opkg remove dnsmasq
opkg install dnsmasq-full
 
# Configure IP sets
uci add_list firewall.tor.entry="172.16.0.0/12"
uci del_list firewall.tor.entry="0.0.0.0/1"
uci del_list firewall.tor.entry="128.0.0.0/1"
uci add_list firewall.tor6.entry="fc00::/7"
uci del_list firewall.tor6.entry="::/1"
uci del_list firewall.tor6.entry="8000::/1"
 
# Allow non-Tor destinations forwarding
uci -q delete firewall.lan_fwd
uci set firewall.lan_fwd="rule"
uci set firewall.lan_fwd.name="Allow-NonTor-Forward"
uci set firewall.lan_fwd.src="lan"
uci set firewall.lan_fwd.dest="wan"
uci set firewall.lan_fwd.proto="all"
uci set firewall.lan_fwd.family="ipv4"
uci set firewall.lan_fwd.ipset="!tor dest"
uci set firewall.lan_fwd.target="ACCEPT"
uci -q delete firewall.lan6_fwd
uci set firewall.lan6_fwd="rule"
uci set firewall.lan6_fwd.name="Allow-NonTor-Forward"
uci set firewall.lan6_fwd.src="lan"
uci set firewall.lan6_fwd.dest="wan"
uci set firewall.lan6_fwd.proto="all"
uci set firewall.lan6_fwd.family="ipv6"
uci set firewall.lan6_fwd.ipset="!tor6 dest"
uci set firewall.lan6_fwd.target="ACCEPT"
uci commit firewall
/etc/init.d/firewall restart
 
# Revert to default system resolvers
uci -q delete dhcp.@dnsmasq[0].noresolv
 
# Configure Tor-routed domains
uci -q delete dhcp.@dnsmasq[0].ipset
uci add_list dhcp.@dnsmasq[0].ipset="/onion/tor,tor6"
uci add_list dhcp.@dnsmasq[0].ipset="/example.com/tor,tor6"
uci add_list dhcp.@dnsmasq[0].ipset="/example.net/tor,tor6"
 
# Enable selective DNS over Tor
uci -q delete dhcp.@dnsmasq[0].server
uci add_list dhcp.@dnsmasq[0].server="/onion/127.0.0.1#9053"
uci add_list dhcp.@dnsmasq[0].server="/example.com/127.0.0.1#9053"
uci add_list dhcp.@dnsmasq[0].server="/example.net/127.0.0.1#9053"
uci commit dhcp
/etc/init.d/dnsmasq restart
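The three add_list pairs above are one instance of a general pattern: every Tor-routed domain needs both an ipset entry and a server entry in the dnsmasq section. The following script is an added example and not part of this wiki page; it generates those uci commands for any list of domains and rejects names that would break the dnsmasq "/domain/..." syntax (a slash or a space inside a name silently changes the meaning of the entry). The set names tor,tor6 and the DNSPort 127.0.0.1#9053 are taken from the how-to; the function names are the example's own.

```sh
#!/bin/sh
# Added example (not part of the OpenWrt wiki page): generate the dnsmasq
# "ipset" and "server" entries for a list of Tor-routed domains.
# Assumes the IP sets "tor"/"tor6" and the Tor DNSPort 127.0.0.1#9053
# configured by the Tor client how-to.

TOR_DNS="127.0.0.1#9053"   # Tor DNSPort as configured by the Tor client how-to
TOR_SETS="tor,tor6"        # IP set names from the firewall configuration above

# valid_domain NAME -> exit 0 if NAME is a syntactically valid DNS name that is
# safe to embed in a dnsmasq "/name/..." entry (labels of letters, digits and
# hyphens only, no leading/trailing hyphen, no slashes or whitespace)
valid_domain() {
    printf '%s\n' "$1" | grep -Eq \
        '^([a-zA-Z0-9]([a-zA-Z0-9-]{0,61}[a-zA-Z0-9])?\.)*[a-zA-Z0-9]([a-zA-Z0-9-]{0,61}[a-zA-Z0-9])?$'
}

# tor_domain_uci DOMAIN... -> print the uci commands that route DOMAIN... via
# Tor (ipset entry plus DNS-over-Tor server entry per domain); invalid names
# are reported on stderr and skipped, and the exit status is 1 if any were skipped
tor_domain_uci() {
    rc=0
    for d in "$@"; do
        if valid_domain "$d"; then
            printf 'uci add_list dhcp.@dnsmasq[0].ipset="/%s/%s"\n' "$d" "$TOR_SETS"
            printf 'uci add_list dhcp.@dnsmasq[0].server="/%s/%s"\n' "$d" "$TOR_DNS"
        else
            printf 'skipping invalid domain: %s\n' "$d" >&2
            rc=1
        fi
    done
    return $rc
}
```

Review the generated commands first (tor_domain_uci onion example.com example.net), then apply them with `| sh`, followed by uci commit dhcp and /etc/init.d/dnsmasq restart as in the snippet above. Because the function refuses to emit anything for a malformed name, a typo in the domain list shows up as an error instead of a dnsmasq entry that matches nothing.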

See also: DNS-based firewall with IP sets

Automated Tor client installation.

opkg update
opkg install libustream-mbedtls
URL="https://openwrt.org/_export/code/docs/guide-user/services/tor"
cat << EOF > tor-client.sh
$(uclient-fetch -O - "${URL}/client?codeblock=0")
$(uclient-fetch -O - "${URL}/client?codeblock=1")
$(uclient-fetch -O - "${URL}/client?codeblock=2")
$(uclient-fetch -O - "${URL}/client?codeblock=3")
$(uclient-fetch -O - "${URL}/client?codeblock=4")
EOF
sh tor-client.sh
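The snippet above pipes whatever the wiki serves straight into sh. As an added example, not part of this page, the following functions run the fetched tor-client.sh only when its SHA-256 matches a digest recorded after the script was reviewed once; a changed page then produces a refusal instead of an unreviewed install. The wiki does not publish such a digest, so the value is one the operator records, and the function names are the example's own.

```sh
#!/bin/sh
# Added example (not part of the OpenWrt wiki page): execute a fetched installer
# only if its SHA-256 digest matches a value recorded after reviewing it.
# Assumes tor-client.sh was fetched as in the snippet above (without the final
# "sh tor-client.sh") and its digest was noted by the operator; no digest is
# published by the wiki, so the expected value is always a locally recorded one.

# sha256_of FILE -> print the hex SHA-256 digest of FILE (empty if unreadable)
sha256_of() {
    [ -r "$1" ] || return 1
    sha256sum "$1" | cut -d' ' -f1
}

# verify_script FILE EXPECTED_SHA256 -> exit 0 only if FILE's digest matches
verify_script() {
    actual="$(sha256_of "$1")" || return 1
    [ -n "$actual" ] && [ "$actual" = "$2" ]
}

# run_verified FILE EXPECTED_SHA256 -> run FILE with sh only after verification;
# refuses (exit 1) and reports on stderr when the digest does not match
run_verified() {
    if verify_script "$1" "$2"; then
        sh "$1"
    else
        printf 'refusing to run %s: SHA-256 digest mismatch\n' "$1" >&2
        return 1
    fi
}
```

Record the digest once on a machine where the script was read (sha256_of tor-client.sh), then use run_verified tor-client.sh "<recorded digest>" on each router. A mismatch means the fetched code differs from what was reviewed, which is the cue to read the new version rather than to override the check.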
  • Last modified: 2021/04/03 23:17
  • by vgaetera