Tor extras

• This how-to describes the most common Tor tuning scenarios adapted for OpenWrt.
• Follow Tor client for client setup and Tor hidden service for Onion service setup.
• Follow Random generator to overcome low entropy issues.

• Tor manual
• Tor community documentation
• Tor frequently asked questions

Circumvent ISP restrictions with bridges.

# Install packages
opkg update
opkg install obfs4proxy
 
# Configure bridges
cat << EOF >> /etc/tor/custom
UseBridges 1
ClientTransportPlugin obfs4 exec /usr/bin/obfs4proxy
Bridge obfs4 154.35.22.10:443 8FB9F4319E89E5C6223052AA525A192AFBC85D55 \
cert=GGGS1TX4R81m3r0HBl79wKy1OtPPNR2CZUIrHjkRg65Vc2VR8fOyo64f9kmT1UAFG7j0HQ iat-mode=0
Bridge obfs4 154.35.22.12:80 00DC6C4FA49A65BD1472993CF6730D54F11E0DBB \
cert=N86E9hKXXXVz6G7w2z8wFfhIDztDAzZ/3poxVePHEYjbKDWzjkRDccFMAnhK75fc65pYSg iat-mode=0
EOF
/etc/init.d/tor restart

Exclude dubious exit nodes by their country code.

# Install packages
opkg update
opkg install tor-geoip
 
# Exclude exit nodes
cat << EOF >> /etc/tor/custom
ExcludeExitNodes {??}, {by}, {kz}, {ru}, {ua}
EOF
/etc/init.d/tor restart

Enable Tor socks proxy.

# Enable Tor socks proxy
cat << EOF >> /etc/tor/custom
SOCKSPort 0.0.0.0:9050
SOCKSPort [::]:9050
EOF
/etc/init.d/tor restart

Route only specific domains to Tor network. Configure IP sets for Tor destinations. Allow forwarding for non-Tor destinations. Selectively resolve domains with DNS over Tor. Beware of privacy issues as a Tor destination can track you by including non-Tor resources.

# Configure IP sets
for IPV in 4 6
do
uci -q delete firewall.tor${IPV%4}
uci set firewall.tor${IPV%4}="ipset"
uci set firewall.tor${IPV%4}.name="tor${IPV%4}"
uci set firewall.tor${IPV%4}.family="ipv${IPV}"
uci set firewall.tor${IPV%4}.match="net"
done
uci add_list firewall.tor.entry="172.16.0.0/12"
uci add_list firewall.tor6.entry="fc00::/8"
uci set firewall.tcp_int.ipset="tor dest"
 
# Allow forwarding for non-Tor destinations
for IPV in 4 6
do
uci -q delete firewall.lan${IPV%4}_fwd
uci set firewall.lan${IPV%4}_fwd="rule"
uci set firewall.lan${IPV%4}_fwd.name="Allow-NonTor-Forward"
uci set firewall.lan${IPV%4}_fwd.src="lan"
uci set firewall.lan${IPV%4}_fwd.dest="wan"
uci set firewall.lan${IPV%4}_fwd.proto="all"
uci set firewall.lan${IPV%4}_fwd.family="ipv${IPV}"
uci set firewall.lan${IPV%4}_fwd.ipset="!tor${IPV%4} dest"
uci set firewall.lan${IPV%4}_fwd.target="ACCEPT"
done
uci commit firewall
/etc/init.d/firewall restart
 
# Configure Tor-routed domains
uci -q delete dhcp.@dnsmasq[0].noresolv
uci -q delete dhcp.@dnsmasq[0].server
uci add_list dhcp.@dnsmasq[0].server="/onion/127.0.0.1#9053"
uci add_list dhcp.@dnsmasq[0].server="/example.com/127.0.0.1#9053"
uci add_list dhcp.@dnsmasq[0].server="/example.net/127.0.0.1#9053"
uci commit dhcp
/etc/init.d/dnsmasq restart

Some devices have hardware crypto accelerator chips. Enabling Tor to use a hardware accelerator offloads CPU pressure. Because Tor uses the openssl library acceleration must also be enabled by openssl, which can be done by following these instructions. Then hardware acceleration must be enabled in Tor. In the Tor notice log after the above setup, you should notice multiple lines like Default OpenSSL engine for 3DES-CBC is /dev/crypto engine [devcrypto].

# Enable Tor hardware acceleration
cat << EOF >> /etc/tor/custom
HardwareAccel 1
EOF
/etc/init.d/tor restart