Wireguard AND tor simultaneously

Technical Support for Routers VPN, DNS, Leaks
1

Is it possible without manual changes to have a wireguard VPN client as the egress, and then have tor within wireguard? I know this is a technical possibility but I mean specifically with MV1000a or other glinet products with tor and WireGuard suppory

From what I can tell, the UI can’t do this, they’re mutually exclusive

For those in countries where authorities track those using tor, this is an important feature, because it’s easy to fingerprint tor

Wireguard can also be fingerprinted, but generally tor traffic is considered to be an indicator that a user is a threat. Tor is also more rare, so regimes are able to focus on it more easily (I do not have metrics but I would guess in all countries (with strict monitoring or with freedom) have a ratio higher than 100 wireguard users for every single tor user. It’s safer to be “just a more wireeguard user” than “the few tor users”

Thank you!!!

Edit: many alternatives exist but they require additional architecture. For example, a wireguard server in an area outside of the country which uses tor. It’s an added hop and cost and management headaches

2

Okay right off the bat the word that worries me most is regime(s). If you’re that deep in hostile territory & they monitor as you describe I’d really implore against leaving traces of Tor configuration on an unencrypted (data at rest, ie: conf files, logs on the GL device) that’d be easily accessible to anyone w/ a JTAG/GPIO reader. They’d have some bit of hardware like that to read the flash storage, even if overwritten w/ one pass, no doubt.

I take no responsibility for your actions or outcome but I’d put WG on the GL device, ensuring all traffic defaults to WG (via a ‘VPN Polilcy’), the Internet Kill Switch feature, then use Tails OS when you need to do what you need to do. If nothing else if was good enough for Snowden then I think it deserves serious consideration.

Make sure your VPN provider has a solid reputation of non-logging & openly gives the results of third-party auditing to that effect (eg: Mullvad, IVPN).

Note the Burme (MV1000) uses firmware v. 3.216. Capabilities have improved since that release. I would consider upgrading to a v. 4.2.1 device like the Slate Plus (A1300), Beryl AX (MT3000) or Slate AX (ATX1800) if possible.

Consider a BusKill dead-man’s switch.

Side note: for secure IM over Tor on mobiles, check out SimpleX Chat. Use it over Wi-Fi w/ your WG-enabled Burme… but test, test, test regardless of what direction you go.

3

(To edit, I wrote this, not from any help, I think you can understand?)

Good thank you. It is all very good and sound technically I think for many cases. But am looking for ways, only care for “wire”, not to be deniable and stop visitors (too late)

If an authority or person “comes” it’s not like a police in usa, where it is encrypted, no way to “prove” any things, a judge says the rules are ok for you, now we leave, have a nice night :slight_smile: . And not FBI in use where army full with forensic experts will come to see the hardware and software. More like traffic officer than FBI lol (so it lucky)

Other things, idea for this is to try hard avoiding any “visit”, not protecting with many cost the next steps

After, say this to be clear: many netizens are using vpn here, it is not strictly a crime here. No authority will come only to see why is there vpn. This is what is best, to be sure only vpn is noticed

To make big preparations as you say, can be dangerous. Maybe better to show “no spy here, dear”. If seeing advanced and sophisticated measures for hiding, is much worse assumed for this. Spying, or an organizer of problems. It is very big difference for that and is better with simple glinet router bought from internet, simply (unless you really are spy! But then Run!)

wonderful ideas you offered are good for some, very interesting to study one day but here, with money (not much) and no big thing to hide, just want to have a new layer inside the other. The “threat model” not same one like this here and there

Thank you! But I hope there is way to make this privacy all in a plain old little router, not special laptop, not dead man’s switch and encryption and those others (but cool)

In primary, deniable is very good sometimes in some ways. not something to do in this case, there become new dangers with that, I like stay simple

Hope this help! But seem that answer is no, mv1000 is not for the task

4

Fair enough. To more directly answer your question about ‘Tor-over-WG’: these GL devices run OpenWrt Linux underneath. Firmware version 4.2.1-release4 supports Tor, VPNs by WG or OpenVPN using OpenWrt 21.02, soon to be 22.x. The Tor option is in Beta status.

2023-07-05 15_05_57-GL.iNet Admin Panel - Chromium
2023-07-05 15_05_57-GL.iNet Admin Panel - Chromium972×333 92.6 KB

2023-07-05 14_07_35-GL.iNet Admin Panel - Chromium
2023-07-05 14_07_35-GL.iNet Admin Panel - Chromium822×398 21.5 KB

It could be. Burme (MV1000) uses firmware 3.216 (check to ensure it is the version number being used). That is based on OpenWrt 19.07.

I don’t think this is the right forum for such a unique but understandable scenario. To get ‘Tor-over-WG’ I’d think you’d have to ask on OpenWrt’s forums for help to set up such an advanced configuration.

5

yes it seems requiring custom solution, openwrt community maybe have ideas, :+1:

Other post by gl-inet describe as “very complicated”, experiences for me point to simpler maybe clever ways. theory, is not hard. Bring up wg, set for route 0/0, remove. Then transparent proxying and relation iptables rules by gl-inet. Maybe when completing there will be a patch diff of 25 lines. no, seem too simple…

the linux network namespace maybe can do a nice path of this, another path from policy routing with several tables. Maybe superior solution or maybe not harmony with gl-inet

Making me think…

Great way for keep the tor inside the wg, so many ways. Big worry is from the network scripts interrupt with “special” new change and cause full leak… No, you are in the right way suggest reading all from openwrt and gl-inet scripts, is probably only path

wait for a return, I will post failed and suceeds solutions :slight_smile:

:pray:

1 Like
6

Yeah; this is custom work to be sure.

Just a heads up: OpenWrt is about to change over from iptables (21.02 & earlier) to nftables . That’s probably going to severely impact what kind of firewall chains are required when you ask for help.

Be sure to specify what version of OpenWrt you’re running & don’t be afraid to SSH into the device. You’re most likely going to need to. The default IP for GL devices is 192.168.8.1.

(Also backup as you go. It’ll be easier than resetting, starting over fr scratch if it becomes all too messy. See HOW-TO.)