Tor Transparent Proxy with OpenWRT
From Leo's Notes
Last edited on 2 July 2020, at 05:13.
This page will go over the steps required to set up OpenWRT as a transparent Tor proxy.
Setup
Install OpenWRT. Ensure that the WAN and LAN networks are set up appropriately. The LAN segment should have DHCP forced with IPv6 disabled.
The /etc/config/dhcp for LAN:
config dhcp 'lan'
option interface 'lan'
option start '100'
option limit '150'
option leasetime '12h'
option dhcpv6 'server'
option ra 'server'
option ra_management '1'
option force '1'
To stop LAN segment traffic from being forwarded out (to prevent accidental leaking of traffic), block it with the firewall config.
/etc/config/firewall should have:
config zone
option name 'lan'
option network 'lan'
option input 'ACCEPT'
option output 'ACCEPT'
option forward 'REJECT'
config rule
option dest 'wan'
option src 'lan'
option name 'Drop All from Lan to Wan'
option target 'REJECT'
list proto 'all'
Install and configure Tor:
# opkg update
# opkg install tor
## listen on 5353 for dns, 9040 for socks
# TorListenIP=`uci get network.lan2.ipaddr`
# cat <<EOF > /etc/tor/torrc
# tor runs as 'tor' already by init.d script, so this is not necessary
# User tor
# DataDirectory /var/lib/tor/data
Log notice file /var/log/tor/notices.log
# Use any unverified nodes for middle, rendezvous
AllowUnverifiedNodes middle,rendezvous
# Map onion addresses to a virtual IP
VirtualAddrNetworkIPv4 10.192.0.0/11
AutomapHostsSuffixes .onion,.exit
AutomapHostsOnResolve 1
# Listen on 9050 (socks), 9040 (transparent proxy), 5353 (dns)
SocksPort $TorListenIP:9050
TransPort $TorListenIP:9040
DNSPort $TorListenIP:5353
# Control port can also be enabled:
ControlPort 127.0.0.1:9051
HashedControlPassword `/usr/sbin/tor --quiet --hash-password password 2>/dev/null`
# Not an exit node
ExitPolicy reject *:*
EOF
# chown -R tor:tor /etc/tor
Add the following /etc/firewall.user rules:
# create new chain in /etc/firewall.user
iptables -t nat -X tor_client_dnat
iptables -t nat -N tor_client_dnat
iptables -t nat -A prerouting_lan_rule -j tor_client_dnat
iptables -t nat -A tor_client_dnat -m mac --mac-source 00:50:56:C0:00:08 -j ACCEPT
# or iptables -t nat -A tor_client_dnat -s 192.168.35.200 -j RETURN
# When you add a new client, you do so by mac address
iptables -t nat -A tor_client_dnat -p tcp -m mac --mac-source 00:0C:29:42:9D:45 --syn -j DNAT --to-destination 192.168.35.10:9040
iptables -t nat -A tor_client_dnat -p udp -m mac --mac-source 00:0C:29:42:9D:45 --dport 53 -j DNAT --to-destination 192.168.35.10:5353
iptables -t nat -A tor_client_dnat -p tcp --syn -j DNAT --to-destination 192.168.35.10:9040
iptables -t nat -A tor_client_dnat -p udp --dport 53 -j DNAT --to-destination 192.168.35.10:5353