TOR + 3.0.x


#1

Is there an easy way to bring TOR into the nice new 3.0 software train?


#2

There isn't a plan to add TOR in v3.0, but you can set it up yourself.

Install Tor ipk

opkg update
opkg install tor tor-geoip

Tor Configuration

Clear the existing torrc file with echo '' > /etc/tor/torrc and copy and paste the configuration below into /etc/tor/torrc.

## Run in the background and log to syslog
RunAsDaemon 1
## Obsolete option; recent Tor releases ignore it with a warning, so it is commented out here
#AllowUnverifiedNodes middle,rendezvous
Log notice syslog
## Only run as a client, never a relay or exit (boolean options need an explicit 0 or 1)
ClientOnly 1
PidFile /var/run/tor.pid
DataDirectory /var/lib/tor
User tor
## SOCKS: loopback for the router itself, plus the LAN address for clients
SocksPort 9050
SocksPort 192.168.1.1:9050
## Map .onion/.exit names onto the virtual range so the transparent proxy can carry them
AutomapHostsSuffixes .onion,.exit
AutomapHostsOnResolve 1
VirtualAddrNetworkIPv4 10.192.0.0/10
## Transparent TCP proxy and DNS resolver, the targets of the REDIRECT rules in firewall.user
TransPort 192.168.1.1:9040
DNSPort 192.168.1.1:9053
## Control port on loopback only; no authentication is configured here, so keep it unreachable from the LAN
ControlPort 9051

Firewall Configuration

Append these lines to /etc/config/firewall.

config zone 'tor'
    option name 'tor'
    option network 'lan'
    option input 'REJECT'
    option output 'ACCEPT'
    option forward 'REJECT'
    option conntrack '1'
config rule
    option name 'Allow-Tor-DHCP'
    option src 'tor'
    option proto 'udp'
    option dest_port '67'
    option target 'ACCEPT'
    option family 'ipv4'

config rule
    option name 'Allow-Tor-DNS'
    option src 'tor'
    option proto 'udp'
    option dest_port '9053'
    option target 'ACCEPT'
    option family 'ipv4'

config rule
    option name 'Allow-Tor-Transparent'
    option src 'tor'
    option proto 'tcp'
    option dest_port '9040'
    option target 'ACCEPT'
    option family 'ipv4'

config rule
    option name 'Allow-Tor-SOCKS'
    option src 'tor'
    option proto 'tcp'
    option dest_port '9050'
    option target 'ACCEPT'
    option family 'ipv4'

Append these lines to /etc/firewall.user.

enable_transparent_tor() {

	ifname=br-lan

	# Allow direct access to the Tor daemon
	iptables -t nat -A PREROUTING -i $ifname -p tcp --dport 9050 -j ACCEPT

	# provide transparent routing for TCP and DNS
	iptables -t nat -A PREROUTING -i $ifname -p udp --dport 53 -j REDIRECT --to-ports 9053
	iptables -t nat -A PREROUTING -i $ifname -p tcp --syn -j REDIRECT --to-ports 9040
}

enable_transparent_tor

Start Tor

We have to edit the Tor init script, /etc/init.d/tor, so that Tor starts successfully at every boot. Add these lines before procd_open_instance.

lan_ip=$(uci get network.lan.ipaddr)
[ -n "$lan_ip" ] && sed -i "s/192.168\..*\..*:/$lan_ip:/g" /etc/tor/torrc

All done. Let's start Tor.

/etc/init.d/tor restart

Verify tor

Visit http://check.torproject.org/ to see if you are on the Tor network. Please note: when you are using Tor, the router's UI is not accessible either. But you can SSH to the router.


#3

Many thanks!!!

Two more questions:

  • Would this config block all traffic if TOR is not coming up?
  • If I did a FW upgrade, do I need to make the changes again?

#4

Yup, it is.

Making the changes again is recommended. /etc/firewall.user will be overridden by our firmware.


#5

I just gave this a try on a USB150, and after a long wait, it did work for a short while. However, after about 15 minutes of it working, it stopped. Restarting has not helped. I'm unable to get back into the GUI. I don't think this is a good substitute for having TOR baked into the firmware. I certainly hope you put it back in. Until then, I won't be buying any more GL.INET routers.


#6

Using the AR750 testing image 3.022, I got Tor working by commenting out firewall.user and setting the Firefox browser to use the SOCKS5 proxy 192.168.19.1:9050 on the LAN (my default LAN is not 192.168.8.1).
How do you set up Tor on the v3 guest network?
In /etc/init.d/tor I changed

lan_ip=$(uci get network.lan.ipaddr)

to

lan_ip=$(uci get network.guest.ipaddr)

and in /etc/config/firewall I set the tor zone's "lan" to "guest":

config zone 'tor'
	option name 'tor'
	option network 'guest'
	option input 'REJECT'
	option output 'ACCEPT'
	option forward 'REJECT'
	option conntrack '1'

The proxy server is refusing connections at 192.168.9.1:9050 in Firefox on the guest settings.
The browser works fine from the LAN when set and configured to the LAN 192.168.19.1:9050.
Note:
DNS Rebinding Attack Protection enabled
Override DNS Settings for All Clients enabled
DNS over TLS from Cloudflare enabled
Firefox is set to use DNS through the SOCKS proxy

Any ideas?
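The init-script step in #2 rewrites the listen addresses in /etc/tor/torrc with a sed that only matches 192.168.x.y addresses, and #6 asks how to point the same setup at the guest network instead of lan. The script below is an added example, not code from the forum post, GL.iNet or the Tor project: it does the same rewrite for any IPv4 address, takes the network name (lan or guest) as a parameter, and lists which listeners end up bound to the router address so the firewall rules can be checked against them. The function names are the example's own; router_network_ip and router_network_device assume the OpenWrt uci and ifstatus tools and do nothing elsewhere, and the sample torrc is constructed inline rather than read from a live router.

```shell
#!/bin/sh
# Added example (not from the forum post or GL.iNet): keep the bind addresses in a
# torrc in step with the router's own address for a chosen network ("lan" or
# "guest"). Plain POSIX sh plus sed/grep; the uci/ifstatus helpers are assumed to
# exist only on OpenWrt-based firmware and fail quietly elsewhere.

# Print the IPv4 address of an OpenWrt network section, e.g. router_network_ip guest.
router_network_ip() {
    command -v uci >/dev/null 2>&1 || return 1
    uci -q get "network.$1.ipaddr"
}

# Print the Linux interface behind a network section (the name to use in place of
# the post's hard-coded ifname=br-lan when the rules are meant for another network).
# Assumption: ifstatus prints JSON with an "l3_device" key, as on OpenWrt.
router_network_device() {
    command -v ifstatus >/dev/null 2>&1 || return 1
    ifstatus "$1" | sed -n 's/.*"l3_device": *"\([^"]*\)".*/\1/p' | head -n 1
}

# Return 0 if $1 is a dotted-quad IPv4 address (shape check only).
is_ipv4() {
    printf '%s\n' "$1" | grep -Eq '^([0-9]{1,3}\.){3}[0-9]{1,3}$'
}

# torrc_set_bind_addr FILE IP: rewrite the address part of every
# SocksPort/TransPort/DNSPort line that carries one. Lines without an address
# (e.g. "SocksPort 9050", which Tor binds to loopback) are left untouched, so the
# router keeps its local SOCKS listener whatever the LAN address is.
torrc_set_bind_addr() {
    file=$1
    ip=$2
    is_ipv4 "$ip" || { echo "torrc_set_bind_addr: not an IPv4 address: '$ip'" >&2; return 1; }
    tmp="$file.tmp.$$"
    sed -E "s/^((SocksPort|TransPort|DNSPort)[[:space:]]+)([0-9]{1,3}\.){3}[0-9]{1,3}:/\1$ip:/" \
        "$file" > "$tmp" && mv "$tmp" "$file"
}

# torrc_listeners FILE: print "Option addr:port" for every listener bound to a
# specific address, i.e. the ports the firewall zone must accept from clients.
torrc_listeners() {
    sed -nE 's/^(SocksPort|TransPort|DNSPort)[[:space:]]+(([0-9]{1,3}\.){3}[0-9]{1,3}:[0-9]+).*/\1 \2/p' "$1"
}

# Constructed sample torrc for the stand-alone demo, mirroring the listeners in
# the post's configuration (not read from a live /etc/tor/torrc).
write_demo_torrc() {
    cat > "$1" <<'EOF'
RunAsDaemon 1
Log notice syslog
ClientOnly 1
SocksPort 9050
SocksPort 192.168.1.1:9050
TransPort 192.168.1.1:9040
DNSPort 192.168.1.1:9053
ControlPort 9051
EOF
}

# apply_for_network NET [TORRC]: the piece that would replace the post's two-line
# sed in /etc/init.d/tor; NET is lan or guest. Only meaningful on the router.
apply_for_network() {
    net=${1:-lan}
    torrc=${2:-/etc/tor/torrc}
    ip=$(router_network_ip "$net") || { echo "no address for network '$net'" >&2; return 1; }
    torrc_set_bind_addr "$torrc" "$ip"
}

# Demo (only when invoked as "sh script.sh demo"): rewrite a temporary copy for a
# 192.168.9.1 guest address and list the resulting listeners.
if [ "${1:-}" = demo ]; then
    f=$(mktemp)
    write_demo_torrc "$f"
    torrc_set_bind_addr "$f" 192.168.9.1
    torrc_listeners "$f"
    rm -f "$f"
fi
```

Two things the example makes visible that the post's sed does not: a router whose LAN is on 10.x or 172.16.x leaves the original `s/192.168\..*\..*:/.../` with nothing to match, so Tor keeps listening on 192.168.1.1 and clients get connection refused; and moving the setup to another network means changing more than the torrc address, since the iptables rules in firewall.user are tied to `ifname=br-lan` and the tor zone's `option network` must name the same network the rules are written for. router_network_device prints the interface to substitute for br-lan on OpenWrt; everything else in the block runs on any POSIX shell.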