
Tor Client with Selective Address Routing

This page describes a Tor client setup in which only the domain names listed in an ipset are routed through Tor. If you want to route all traffic through the Tor network, see the Tor Client page instead.

Summary

A Tor client router sends all traffic through the Tor network, but that causes some problems: you have to log in again every time you return to a page, or pass a captcha confirmation. With this method you add the domain names that you want to go through the Tor network, and everything else keeps working over the normal network.

For this you need a router with 8 MB of flash or more. Otherwise you will need extroot on your router.

Instructions

1. Install packages

opkg update && opkg install kmod-ipt-ipset ipset && opkg remove dnsmasq && opkg install dnsmasq-full && opkg install tor && cd /etc/config/ && mv dhcp-opkg dhcp

The last two commands replace the standard dnsmasq DHCP config file with the new one, since opkg does not replace it when installing dnsmasq-full.

2. Prerouting ssh connection

Once we finish this, we will no longer be able to reach the router unless we let internal requests reach it; it would become inaccessible over both LuCI and SSH. Before we lock ourselves out, run this command in a terminal:

echo "iptables -t nat -I prerouting_lan_rule -d 192.168.1.1 -j ACCEPT" >> /etc/firewall.user

3. Tor base setup

Run this command in a terminal:

sed -i -e "
/^AutomapHostsOnResolve/s/^/#/
\$a AutomapHostsOnResolve 1
/^VirtualAddrNetwork/s/^/#/
\$a VirtualAddrNetworkIPv4 172.16.0.0/12
\$a VirtualAddrNetworkIPv6 fc00::/7
/^DNSPort/s/^/#/
\$a DNSPort 0.0.0.0:9053
\$a DNSPort [::]:9053
/^TransPort/s/^/#/
\$a TransPort 0.0.0.0:9040
\$a TransPort [::]:9040
" /etc/tor/torrc
/etc/init.d/tor restart

4. Adding ipset to dnsmasq config

If you don't or can't use terminal editors, get yourself an SCP client program, because you need to add the ipset line as the last line of the dnsmasq config block:

config dnsmasq
	option domainneeded	1
	option boguspriv	1
	option filterwin2k	0  # enable for dial on demand
	option localise_queries	1
	option rebind_protection 1  # disable if upstream must serve RFC1918 addresses
	option rebind_localhost 1  # enable for RBL checking and similar services
	#list rebind_domain example.lan  # whitelist RFC1918 responses for domains
	option local	'/lan/'
	option domain	'lan'
	option expandhosts	1
	option nonegcache	0
	option authoritative	1
	option readethers	1
	option leasefile	'/tmp/dhcp.leases'
	option resolvfile	'/tmp/resolv.conf.auto'
	#list server		'/mycompany.local/1.2.3.4'
	option nonwildcard	1 # bind to & keep track of interfaces
	#list interface		br-lan
	#list notinterface	lo
	#list bogusnxdomain     '64.94.110.11'
	option localservice	1  # disable to allow DNS requests from non-local subnets
	list ipset '/blockedpage.com/blockedaddress.net/..../lastaddress.org/routetotor'

This last line lists the domains we send to the Tor network. You can add as many addresses as you want. The last part (routetotor) is the name of the ipset, which we will need in the other steps. You can use any name you want; just don't forget to replace it in the other configs as well.

5. Intercept DNS,HTTP/HTTPs requests

Add the lines below at the end of the /etc/config/firewall config file.

config ipset
	option enabled '1'
	option name 'routetotor'
	option match 'ip'
	option storage 'hash'

config redirect 'dns_int'
	option name 'Intercept-DNS'
	option src 'lan'
	option src_dport '53'
	option dest_port '9053'
	option family 'ipv4'
	option proto 'udp'
	option target 'DNAT'

config redirect
	option src 'lan'
	option name 'TorHTTP'
	option dest 'wan'
	option target 'DNAT'
	option ipset 'routetotor dest'
	list proto 'tcp'
	list proto 'udp'
	option src_dport '80'
	option dest_port '9040'

config redirect
	option src 'lan'
	option name 'TorHTTPs'
	option dest 'wan'
	option target 'DNAT'
	option ipset 'routetotor dest'
	list proto 'tcp'
	list proto 'udp'
	option src_dport '443'
	option dest_port '9040'

Restart the firewall to see whether any errors are reported, then reboot the router. That's it, you are done.
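Steps 4 and 5 can also be applied with uci instead of editing the files by hand. The script below is an added example and is not part of the wiki page or of OpenWrt itself; it assumes the ipset name routetotor and the Tor ports 9053/9040 used above, and the section names dns_int, tor_http and tor_https are chosen here. The uci commands are only printed unless APPLY=1 is set, so the result can be reviewed before it touches the router.

```shell
#!/bin/sh
# Added example, not from the OpenWrt wiki page: apply steps 4 and 5 with uci
# instead of editing the config files by hand. Assumes the ipset name
# "routetotor" and the Tor ports 9053/9040 used on the page. The uci commands
# are only printed unless APPLY=1 is set, so they can be reviewed first.

# make_ipset_entry NAME DOMAIN...  ->  "/dom1/dom2/NAME" (dnsmasq ipset syntax)
make_ipset_entry() {
    ips_name="$1"; shift
    entry=""
    for d in "$@"; do
        entry="$entry/$d"
    done
    printf '%s/%s\n' "$entry" "$ips_name"
}

# run CMD...: print the command; execute it only when APPLY=1
run() {
    printf '%s\n' "$*"
    if [ "${APPLY:-0}" = "1" ]; then "$@"; fi
}

# tor_redirect SECTION LABEL PORT SETNAME: one DNAT-to-TransPort section per
# port, matching only destinations that dnsmasq has put into the ipset
tor_redirect() {
    sec="$1" label="$2" port="$3" setname="$4"
    run uci set "firewall.$sec=redirect"
    run uci set "firewall.$sec.name=$label"
    run uci set "firewall.$sec.src=lan"
    run uci set "firewall.$sec.dest=wan"
    run uci set "firewall.$sec.target=DNAT"
    run uci set "firewall.$sec.src_dport=$port"
    run uci set "firewall.$sec.dest_port=9040"
    run uci set "firewall.$sec.ipset=$setname dest"
    run uci add_list "firewall.$sec.proto=tcp"
    run uci add_list "firewall.$sec.proto=udp"
}

# configure_tor_domains SETNAME DOMAIN...: dnsmasq ipset line + fw3 sections
configure_tor_domains() {
    setname="$1"; shift
    # step 4: dnsmasq adds the resolved addresses of these domains to the set
    run uci add_list "dhcp.@dnsmasq[0].ipset=$(make_ipset_entry "$setname" "$@")"
    # step 5: the set itself
    run uci set "firewall.$setname=ipset"
    run uci set "firewall.$setname.enabled=1"
    run uci set "firewall.$setname.name=$setname"
    run uci set "firewall.$setname.match=ip"
    run uci set "firewall.$setname.storage=hash"
    # step 5: DNS interception to Tor's DNSPort
    run uci set "firewall.dns_int=redirect"
    run uci set "firewall.dns_int.name=Intercept-DNS"
    run uci set "firewall.dns_int.src=lan"
    run uci set "firewall.dns_int.src_dport=53"
    run uci set "firewall.dns_int.dest_port=9053"
    run uci set "firewall.dns_int.family=ipv4"
    run uci set "firewall.dns_int.proto=udp"
    run uci set "firewall.dns_int.target=DNAT"
    # step 5: HTTP and HTTPS to the TransPort, only for ipset members
    tor_redirect tor_http TorHTTP 80 "$setname"
    tor_redirect tor_https TorHTTPs 443 "$setname"
    run uci commit dhcp
    run uci commit firewall
}

# Print the commands for two domains; APPLY=1 would run them on the router.
configure_tor_domains routetotor blockedpage.com blockedaddress.net
```

Run it once without APPLY to read the generated commands, then with APPLY=1 followed by /etc/init.d/dnsmasq restart and /etc/init.d/firewall restart. Re-running it with the same domains re-adds the ipset list entry, so delete the old entry first if you change the domain list.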

Control

Check that your new setup is working. First open an address you added to the ipset (e.g. blockedpage.com), then run this command over SSH:

iptables-save -c | grep 9040

You should see something like this:

[0:0] -A zone_lan_prerouting -p tcp -m tcp --dport 80 -m set --match-set routetotor dst -m comment --comment "!fw3: TorHTTP" -j REDIRECT --to-ports 9040
[0:0] -A zone_lan_prerouting -p udp -m udp --dport 80 -m set --match-set routetotor dst -m comment --comment "!fw3: TorHTTP" -j REDIRECT --to-ports 9040
[1:52] -A zone_lan_prerouting -p tcp -m tcp --dport 443 -m set --match-set routetotor dst -m comment --comment "!fw3: TorHTTPs" -j REDIRECT --to-ports 9040
[0:0] -A zone_lan_prerouting -p udp -m udp --dport 443 -m set --match-set routetotor dst -m comment --comment "!fw3: TorHTTPs" -j REDIRECT --to-ports 9040

If you only see 0:0 counters, like below, then your browser may be configured to use a proxy server. Disable it and try again. If there is still nothing, go to Troubleshooting.

iptables-save -c | grep 9040
[0:0] -A zone_lan_prerouting -p tcp -m tcp --dport 80 -m set --match-set routetotor dst -m comment --comment "!fw3: TorHTTP" -j REDIRECT --to-ports 9040
[0:0] -A zone_lan_prerouting -p udp -m udp --dport 80 -m set --match-set routetotor dst -m comment --comment "!fw3: TorHTTP" -j REDIRECT --to-ports 9040
[0:0] -A zone_lan_prerouting -p tcp -m tcp --dport 443 -m set --match-set routetotor dst -m comment --comment "!fw3: TorHTTPs" -j REDIRECT --to-ports 9040
[0:0] -A zone_lan_prerouting -p udp -m udp --dport 443 -m set --match-set routetotor dst -m comment --comment "!fw3: TorHTTPs" -j REDIRECT --to-ports 9040
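The check above can be scripted so it does not depend on reading the counters by eye. The following is an added example, not code from the wiki page or from OpenWrt: it parses the [packets:bytes] counters that iptables-save -c prints, sums the packets of every rule that matches the routetotor set and redirects to port 9040, and reports whether any traffic has actually been redirected. The two sample rule listings are constructed here in the shape of the output shown above; the set name and port are the page's.

```shell
#!/bin/sh
# Added example, not from the OpenWrt wiki page: count the packets that the
# TorHTTP/TorHTTPs redirect rules from the Control section have matched by
# parsing the "iptables-save -c" counters. Assumes the ipset is named
# routetotor and the TransPort is 9040, as on the page.

# tor_redirect_packets < iptables-save-output
# Sums the packet counter ("[packets:bytes]", first field) of every rule that
# matches the routetotor set and redirects to port 9040; prints the total.
tor_redirect_packets() {
    awk '
        /--match-set routetotor dst/ && /--to-ports 9040/ {
            c = substr($1, 2, length($1) - 2)   # strip the [ ] brackets
            split(c, p, ":")                    # p[1] = packets, p[2] = bytes
            total += p[1]
        }
        END { print total + 0 }
    '
}

# check_tor_routing < iptables-save-output
# Returns 0 when at least one packet hit the redirect rules, 1 otherwise.
check_tor_routing() {
    n=$(tor_redirect_packets)
    if [ "$n" -gt 0 ]; then
        echo "OK: $n packets redirected to Tor TransPort 9040"
        return 0
    fi
    echo "NO TRAFFIC: no packets hit the routetotor redirect rules (browser proxy? ipset empty?)"
    return 1
}

# Constructed samples in the shape of the page's output (counters made up here).
SAMPLE_HIT='[0:0] -A zone_lan_prerouting -p tcp -m tcp --dport 80 -m set --match-set routetotor dst -m comment --comment "!fw3: TorHTTP" -j REDIRECT --to-ports 9040
[1:52] -A zone_lan_prerouting -p tcp -m tcp --dport 443 -m set --match-set routetotor dst -m comment --comment "!fw3: TorHTTPs" -j REDIRECT --to-ports 9040
[0:0] -A zone_lan_prerouting -p udp -m udp --dport 443 -m set --match-set routetotor dst -m comment --comment "!fw3: TorHTTPs" -j REDIRECT --to-ports 9040'

SAMPLE_MISS='[0:0] -A zone_lan_prerouting -p tcp -m tcp --dport 80 -m set --match-set routetotor dst -m comment --comment "!fw3: TorHTTP" -j REDIRECT --to-ports 9040
[0:0] -A zone_lan_prerouting -p tcp -m tcp --dport 443 -m set --match-set routetotor dst -m comment --comment "!fw3: TorHTTPs" -j REDIRECT --to-ports 9040'

# Offline self-check on the constructed samples. On the router use:
#   iptables-save -c | grep 9040 | check_tor_routing
printf '%s\n' "$SAMPLE_HIT" | check_tor_routing
printf '%s\n' "$SAMPLE_MISS" | check_tor_routing || true
```

Because the counters are cumulative, run it once before and once after opening one of the listed domains; only a difference between the two runs proves that the new page load went through the redirect.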

Troubleshooting

Warning: This step is ONLY for troubleshooting. Since we did not block LAN-to-WAN forwarding, this is not secure against leaks, and it sends all TCP traffic to Tor. Instead of using this permanently, use the Tor router setup for better security.

Intercept TCP requests

Run these commands in a terminal:

uci -q delete firewall.tcp_int
uci set firewall.tcp_int="redirect"
uci set firewall.tcp_int.name="Intercept-TCP"
uci set firewall.tcp_int.src="lan"
uci set firewall.tcp_int.dest_port="9040"
uci set firewall.tcp_int.family="ipv4"
uci set firewall.tcp_int.proto="tcp"
uci set firewall.tcp_int.extra="--syn"
uci set firewall.tcp_int.target="DNAT"
uci commit firewall
/etc/init.d/firewall restart

and check again whether the TCP rule sees any traffic:

iptables-save -c | grep 9040
[2:104] -A zone_lan_prerouting -p tcp -m set --match-set routetotor dst -m tcp --tcp-flags FIN,SYN,RST,ACK SYN -m comment --comment "!fw3: Intercept-TCP" -j REDIRECT --to-ports 9040

You can also check by opening YouTube and looking at the logo: if the logo shows a different country from yours, Tor is working but something else is not. Ask around on the forum :)

docs/guide-user/services/tor/selective_client.txt · Last modified: 2020/05/19 18:05 by dnecro