TOR + 3.0.x

Is there an easy way to bring TOR into the nice new 3.0 software train?

There isn’t a plan to add TOR on v3.0, but you can set it up by yourself.

Install Tor ipk

opkg update
opkg install tor tor-geoip

Tor Configuration

Clear the existing torrc file via echo '' > /etc/tor/torrc and copy and paste the configuration below into /etc/tor/torrc.

RunAsDaemon 1
AllowUnverifiedNodes middle,rendezvous
Log notice syslog
## Only run as a client, never a relay or exit
ClientOnly 1
PidFile /var/run/tor.pid
DataDirectory /var/lib/tor
User tor
SocksPort 9050
SocksPort 192.168.1.1:9050
AutomapHostsSuffixes .onion,.exit
AutomapHostsOnResolve 1
VirtualAddrNetworkIPv4 10.192.0.0/10
TransPort 192.168.1.1:9040
DNSPort 192.168.1.1:9053
ControlPort 9051

Firewall Configuration

Append those lines to /etc/config/firewall.

config zone 'tor'
    option name 'tor'
    option network 'lan'
    option input 'REJECT'
    option output 'ACCEPT'
    option forward 'REJECT'
    option conntrack '1'
	
config rule
    option name 'Allow-Tor-DHCP'
    option src 'tor'
    option proto 'udp'
    option dest_port '67'
    option target 'ACCEPT'
    option family 'ipv4'

config rule
    option name 'Allow-Tor-DNS'
    option src 'tor'
    option proto 'udp'
    option dest_port '9053'
    option target 'ACCEPT'
    option family 'ipv4'

config rule
    option name 'Allow-Tor-Transparent'
    option src 'tor'
    option proto 'tcp'
    option dest_port '9040'
    option target 'ACCEPT'
    option family 'ipv4'

config rule
    option name 'Allow-Tor-SOCKS'
    option src 'tor'
    option proto 'tcp'
    option dest_port '9050'
    option target 'ACCEPT'
    option family 'ipv4'

Append those lines to /etc/firewall.user.

enable_transparent_tor() {

	ifname=br-lan

	# Allow direct access to the Tor daemon
	iptables -t nat -A PREROUTING -i $ifname -p tcp --dport 9050 -j ACCEPT

	# provide transparent routing for TCP and DNS
	iptables -t nat -A PREROUTING -i $ifname -p udp --dport 53 -j REDIRECT --to-ports 9053
	iptables -t nat -A PREROUTING -i $ifname -p tcp --syn -j REDIRECT --to-ports 9040
}

enable_transparent_tor

Start Tor

We have to edit Tor init script, /etc/init.d/tor to successfully start tor at every boot. Add those lines before procd_open_instance.

lan_ip=$(uci get network.lan.ipaddr)
[ -n "$lan_ip" ] && sed -i "s/192\.168\.[0-9]*\.[0-9]*:/$lan_ip:/g" /etc/tor/torrc

All things done. Let’s start tor.

/etc/init.d/tor restart

Verify tor

Visit http://check.torproject.org/ to see if you are in Tor network. Please note, when you are using tor, the router’s UI is not accessible as well. But you can ssh to the router.

3 Likes
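A consistency check for the setup in the post above, as an added example that is not part of the original post or of GL.iNet's firmware: it confirms that the TransPort and DNSPort listeners in torrc sit on the LAN address and that the REDIRECT rules in /etc/firewall.user point at the same ports. The function names and the script name check.sh are made up for illustration.

```shell
#!/bin/sh
# Added example (not from the thread): checks that torrc listeners, the
# REDIRECT rules in firewall.user and the LAN IP agree with each other.

# Port of torrc option $2 bound to LAN address $3 (e.g. "TransPort 192.168.1.1:9040").
torrc_port() {
    awk -v opt="$2" -v ip="$3" '
        $1 == opt && index($2, ip ":") == 1 { sub(/^.*:/, "", $2); print $2; exit }
    ' "$1"
}

# --to-ports value of the first uncommented REDIRECT rule for protocol $2.
redirect_port() {
    awk -v proto="$2" '
        /^[[:space:]]*#/ { next }
        /-j REDIRECT/ {
            p = ""; to = ""
            for (i = 1; i < NF; i++) {
                if ($i == "-p") p = $(i + 1)
                if ($i == "--to-ports") to = $(i + 1)
            }
            if (p == proto) { print to; exit }
        }
    ' "$1"
}

# Usage: check_tor_setup TORRC FIREWALL_USER LAN_IP; returns 0 when consistent.
check_tor_setup() {
    torrc=$1; fw=$2; lan_ip=$3; rc=0
    for pair in TransPort:tcp DNSPort:udp; do
        opt=${pair%%:*}; proto=${pair##*:}
        want=$(torrc_port "$torrc" "$opt" "$lan_ip")
        have=$(redirect_port "$fw" "$proto")
        if [ -z "$want" ]; then
            echo "FAIL: no $opt listener on $lan_ip in $torrc"; rc=1
        elif [ "$want" != "$have" ]; then
            echo "FAIL: $proto REDIRECT targets '${have:-none}', $opt is on $want"; rc=1
        else
            echo "ok: $proto REDIRECT -> $opt $lan_ip:$want"
        fi
    done
    return $rc
}

# Run directly on the router, e.g.:
#   sh check.sh /etc/tor/torrc /etc/firewall.user "$(uci get network.lan.ipaddr)"
if [ $# -eq 3 ]; then check_tor_setup "$@"; fi
```

A FAIL after changing the LAN address means torrc still carries the old IP, which is the case the sed line in /etc/init.d/tor is meant to handle.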

Many thanks!!!

Two more questions:

  • Would this config block all traffic if TOR is not coming up?
  • If I did a FW upgrade, do I need to make the changes again?

Yup, it is.

Making change again is recommended. /etc/firewall.user will be overridden by our firmware.

I just gave this a try on a USB150, and after a long wait, it did work for a short while. However, after about 15 minutes of it working, it stopped. Restarting has not helped. I’m unable to get back into the GUI. I don’t think this is a good substitute for having TOR baked in to the firmware. I certainly hope you put it back in. Until then, I won’t be buying any more GL.INET routers.

How to make this work with the button on the router like with old firmwares?

Does DNS go through Tor with this configuration?

Is this for router when router is at 192.168.1.1? If I set LAN to 10.0.0.1 then I must change config like this?

This setup works with version 3.0.27 and below; if you are running 3.1 you do not have to do these steps… although… I put tor on its own virtual wireless rather than an enabled vpn for the lan using a modified version of this setup and then disable tor service. run my own modified config file from here and modify /usr/bin/tor_switch and use the 3.1 interface for feedback and enabling and adding country out.

and to answer your question, if on 3.027 or below, the added lines to /etc/init.d/tor are there so it detects your lan ip and updates /etc/tor/torrc with what would be assumed as 10.x.x.x settings automatically

Okay thank you. I have more questions

Question is, what exactly means “you do not have to do these steps” because I have firmwares 3.1 but when I click little button, nothing is change and traffic doesn’t nothings different.

Other questions after this maybe.

this post began in nov of 2018

today is 2020 and tor is now integrated into ver 3.1 this thread is about how to add tor to glinet routers pre ver3.1

i answered your question first now answer this one, “what version are you using, 3.1 or below?”

so if you stated above that you have 3.1, you should, politely speaking, probably stop posting questions on this thread specific to version 3.1