Tor inside crunchy outer Wireguard shell

Hello fellow netizens!

Everyone who is everyone knows that GL-Inet devices are the solution for ready-made, small, well supported privacy/security friendly devices. I love them, they solve the problems they set out to solve very well!!

But. There is one use-case that is not solved. I believe GL-Inet has not set out to solve it, yet.

Let’s imagine a young man named Bobby…

Little Bobby’s ISP will accept that some users use VPN. They will NOT accept that some users use Tor or other privacy networks. They easily see Bobby’s Muddy connect to Tor, using basic DPI, and come give him a spanking. Poor Bobby.

Bobby is no dummy. He learns he can use the Tor network inside of a VPN (Wireguard or OpenVPN) tunnel. No more spanking for Bobby, until his ISP upgrades to much more sophisticated DPI!!

He has this idea, but can’t seem to do this with GL-Inet using the latest firmware GUI. He has tried to use the policy routing, but couldn’t see any way to do it.

Maybe he can figure it out by manually fiddling policy routing in the OS, but the GUI would be nicer. For dummies, and stays set. Same configuration for everyone.

For now, he has two physical routers, the Wireguard router connects to his ISP. The Tor router connects to the Wireguard router. He connects his laptop wireless NIC to the Tor router. It gives him the effect he wants. But he can’t carry it easily and he looks like a real doofus carrying two Muddy around :joy:

It can be done without GL-Inet official enhancements in some easy and some hard ways. But, we need easy ways, that work for everyone, without a lot of expertise or a lot of commands. That would be best.

This is not a new concept, and it has been mentioned before. One example (mentions Tor inside VPN, and Tor bridge - similar but two different topics)

This thread has some objectives:

  1. Attract GL-Inet product managers & developers. Maybe they can provide advice for workarounds or even offer a roadmap
  2. Attract users with the superior DIY workaround. What, exactly, is required and best? Is it ip route rules? Is it reordering or additional nft rules?
  3. Attract users who think it’s a dumb idea, try to convince everyone that Bobby doesn’t know what he needs. Attract users who will say “Yes, I want this feature too!”

Please no comments like “go buy another device” or “go use plain OpenWRT without GL-Inet addons”. No comments like “this is easy” (but don’t share the detailed solution).

Thanks GL-Inet community!

Hi

We currently do not have plans to officially support Tor over VPN, but you can try the following workaround:

  1. SSH into the router and edit the following two files:

     • Add the following line to /etc/init.d/tor:
       procd_set_param group explict_vpn

     • Remove "User root" from /etc/tor/torrc.

  2. Enable Tor. It should now operate over the VPN connection.

  3. Please note that DNS does not appear to work correctly in this configuration. You will need to manually specify a DNS server or encrypted DNS on your LAN devices.
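The two file edits in the reply above, written up as an added example so they can be applied and checked idempotently (this is not GL-Inet's own code, and it is not from the poster). The functions work on whatever file paths you pass them, so you can run them on copies first and diff against the originals before touching /etc/init.d/tor and /etc/tor/torrc on the router. Assumptions not stated in the reply: the init script follows the usual OpenWrt procd layout (procd_open_instance … procd_close_instance inside start_service), and the group line belongs inside that block, just before procd_close_instance. The group name is copied exactly as the reply gives it.

```sh
#!/bin/sh
# Added example, not GL-Inet's code: apply the workaround from the reply
# above to the given files, keeping a .bak copy of each file it rewrites.

TOR_GROUP="explict_vpn"   # group name exactly as given in the reply (assumed correct as written)

# add_procd_group FILE
# Insert "procd_set_param group $TOR_GROUP" before the first procd_close_instance
# line unless an equivalent line is already there (so re-running is harmless).
# Prints "added", "present" or "no-instance" so a caller can check the outcome.
add_procd_group() {
    f="$1"
    if grep -q "^[[:space:]]*procd_set_param group ${TOR_GROUP}" "$f"; then
        echo present; return 0
    fi
    if ! grep -q "^[[:space:]]*procd_close_instance" "$f"; then
        echo no-instance; return 1   # assumption about procd layout does not hold
    fi
    cp "$f" "$f.bak"
    # awk reuses the indentation of procd_close_instance for the inserted line
    awk -v grp="$TOR_GROUP" '
        !inserted && /^[[:space:]]*procd_close_instance/ {
            match($0, /^[[:space:]]*/)
            printf "%sprocd_set_param group %s\n", substr($0, 1, RLENGTH), grp
            inserted = 1
        }
        { print }
    ' "$f.bak" > "$f"
    echo added
}

# strip_torrc_user FILE
# Remove every "User root" directive from a torrc. Prints the number of lines removed.
strip_torrc_user() {
    f="$1"
    before=$(wc -l < "$f")
    cp "$f" "$f.bak"
    grep -v "^[[:space:]]*User[[:space:]][[:space:]]*root[[:space:]]*$" "$f.bak" > "$f" || true
    after=$(wc -l < "$f")
    echo $((before - after))
}

# verify_edits INIT_FILE TORRC_FILE
# Succeeds only when the group line is present and no "User root" line remains.
verify_edits() {
    grep -q "^[[:space:]]*procd_set_param group ${TOR_GROUP}" "$1" &&
    ! grep -q "^[[:space:]]*User[[:space:]][[:space:]]*root" "$2"
}

# demo: run the functions against constructed sample files in a temp dir
# (sample content is made up here to show the behaviour; it is not the router's real files).
demo() {
    d=$(mktemp -d)
    printf 'start_service() {\n\tprocd_open_instance\n\tprocd_set_param command /usr/sbin/tor\n\tprocd_close_instance\n}\n' > "$d/tor"
    printf 'User root\nSocksPort 9050\n' > "$d/torrc"
    echo "init script: $(add_procd_group "$d/tor")"
    echo "torrc lines removed: $(strip_torrc_user "$d/torrc")"
    verify_edits "$d/tor" "$d/torrc" && echo "both edits verified in $d"
}

[ "${1:-}" = "demo" ] && demo
```

Run it with `sh script.sh demo` to see the edits applied to the constructed samples; on a router, call `add_procd_group /etc/init.d/tor` and `strip_torrc_user /etc/tor/torrc`, then `verify_edits` with the same paths before restarting Tor. After the restart, `grep Gid /proc/$(pidof tor)/status` against the entry for that group in /etc/group is the quick way to confirm Tor actually came up under the new group; the DNS caveat in step 3 still applies and is not addressed by this script.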