Tor Transparent Proxy with OpenWRT

From Leo's Notes
Last edited on 2 July 2020, at 05:13.

This page will go over the steps required to set up OpenWRT as a transparent Tor proxy.


Install OpenWRT. Ensure that the WAN and LAN networks are set up appropriately. The LAN segment should have DHCP forced with IPv6 disabled.

The /etc/config/dhcp for LAN:

config dhcp 'lan'
        option interface 'lan'
        option start '100'
        option limit '150'
        option leasetime '12h'
        option dhcpv6 'server'
        option ra 'server'
        option ra_management '1'
        option force '1'

To stop LAN segment traffic from being forwarded out (to prevent accidental leaking of traffic), block it with the firewall config.

/etc/config/firewall should have:

config zone
        option name 'lan'
        option network 'lan'
        option input 'ACCEPT'
        option output 'ACCEPT'
        option forward 'REJECT'

config rule
        option dest 'wan'
        option src 'lan'
        option name 'Drop All from Lan to Wan'
        option target 'REJECT'
        list proto 'all'

Install and configure Tor:

# opkg update
# opkg install tor

## listen on 5353 for dns, 9040 for socks
# TorListenIP=`uci get network.lan2.ipaddr`

# cat <<EOF > /etc/tor/torrc
# tor runs as 'tor' already by init.d script, so this is not necessary
# User tor

# DataDirectory /var/lib/tor/data
Log notice file /var/log/tor/notices.log

# Use any unverified nodes for middle, rendezvous
AllowUnverifiedNodes middle,rendezvous

# Map onion addresses to a virtual IP
AutomapHostsSuffixes .onion,.exit
AutomapHostsOnResolve 1

# Listen on 9050 (socks), 9040 (transparent proxy), 5353 (dns)
SocksPort   $TorListenIP:9050
TransPort   $TorListenIP:9040
DNSPort     $TorListenIP:5353

# Control port can also be enabled:
HashedControlPassword `/usr/sbin/tor --quiet --hash-password password 2>/dev/null`

# Not an exit node
ExitPolicy reject *:*


# chown -R tor:tor /etc/tor

Add the following /etc/firewall.user rules:

# create new chain in /etc/firewall.user
iptables -t nat -X tor_client_dnat
iptables -t nat -N tor_client_dnat
iptables -t nat -A prerouting_lan_rule  -j tor_client_dnat

iptables -t nat -A tor_client_dnat -m mac --mac-source 00:50:56:C0:00:08 -j ACCEPT
# or iptables -t nat -A tor_client_dnat -s -j RETURN

# When you add a new client, you do so by mac address
iptables -t nat -A tor_client_dnat -p tcp -m mac --mac-source  00:0C:29:42:9D:45  --syn -j DNAT --to-destination
iptables -t nat -A tor_client_dnat -p udp -m mac --mac-source  00:0C:29:42:9D:45  --dport 53 -j DNAT --to-destination

iptables -t nat -A tor_client_dnat -p tcp  --syn -j DNAT --to-destination
iptables -t nat -A tor_client_dnat -p udp  --dport 53 -j DNAT --to-destination