Errors setting up Tor client on TD-W8986

I'm following this guide from the OpenWrt documentation on setting up Tor client.

Let me first add that after updating packages, I had to run the following for at least some of the commands to work:

opkg install tor nftables ipset
mkdir /etc/nftables.d
mkdir /dev/stdin

At the moment (because there may be more errors waiting for me for the other sections), I'm getting errors with section 2 on Firewall:

root@OpenWrt:~# /etc/init.d/firewall restart
Warning: Section @zone[1] (wan) cannot resolve device of network 'wan'
Warning: Section @zone[1] (wan) cannot resolve device of network 'wan6'
Warning: Section @zone[1] (wan) has no device, network, subnet or extra options
 * Flushing IPv4 filter table
 * Flushing IPv4 nat table
 * Flushing IPv4 mangle table
 * Flushing IPv6 filter table
 * Flushing IPv6 mangle table
 * Flushing conntrack table ...
 * Populating IPv4 filter table
   * Rule 'Allow-DHCP-Renew'
   * Rule 'Allow-Ping'
   * Rule 'Allow-IGMP'
   * Rule 'Allow-IPSec-ESP'
   * Rule 'Allow-ISAKMP'
   * Redirect 'Intercept-TCP'
   * Zone 'lan'
   * Zone 'wan'
 * Populating IPv4 nat table
   * Redirect 'Intercept-TCP'
   * Zone 'lan'
   * Zone 'wan'
 * Populating IPv4 mangle table
   * Zone 'lan'
   * Zone 'wan'
 * Populating IPv6 filter table
   * Rule 'Allow-DHCPv6'
   * Rule 'Allow-MLD'
   * Rule 'Allow-ICMPv6-Input'
   * Rule 'Allow-ICMPv6-Forward'
   * Rule 'Allow-IPSec-ESP'
   * Rule 'Allow-ISAKMP'
   * Zone 'lan'
   * Zone 'wan'
 * Populating IPv6 mangle table
   * Zone 'lan'
   * Zone 'wan'
 * Set tcp_ecn to off
 * Set tcp_syncookies to on
 * Set tcp_window_scaling to on
 * Running script '/etc/firewall.user'
 * Running script '/etc/nftables.d/tor.sh'
input in flex scanner failed
Error: No such file or directory
list chain inet fw4 dstnat_lan
                ^^^
   ! Failed with exit code 2

So fw4 is firewall4. The problem is, I can't install it on my system - it doesn't show up. This suggests the version of OpenWrt I have is too old, and thus firewall4 did not exist yet. And if I've read this table correctly, there is no update path for my particular router.

I tried swapping fw4 with fw3 in /etc/nftables.d/tor.sh, but got the same exact error (highlighting fw3 instead, of course).

What is the output of:

ubus call system board
root@OpenWrt:~# ubus call system board
{
	"kernel": "4.14.275",
	"hostname": "OpenWrt",
	"system": "bcm63xx/F@ST2704N (0x6318/0xB0)",
	"model": "Sagem F@ST2704N",
	"board_name": "fast2704n",
	"release": {
		"distribution": "OpenWrt",
		"version": "19.07.10",
		"revision": "r11427-9ce6aa9d8d",
		"target": "brcm63xx/generic",
		"description": "OpenWrt 19.07.10 r11427-9ce6aa9d8d"
	}
}

This doesn't seem to match the model you mentioned in the title.
But nonetheless, this is an 8/32 device. It cannot run a more recent version of OpenWrt due to the limited RAM. Firewall4 is not available for 19.07 (which, btw, is EOL and unsupported now).
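
Added example, not part of any post in this thread: a preflight check that reads `ubus call system board` output and reports whether the nft rules from the guide have a `table inet fw4` to attach to. The function names are hypothetical, the sample JSON is trimmed from the output above, and the cut-off assumes firewall4 is the default from OpenWrt 22.03 onwards.

```shell
#!/bin/sh
# Added example: pick the firewall backend before running nft rules for Tor.

# Constructed sample: trimmed `ubus call system board` output from the thread.
SAMPLE_BOARD='{
	"kernel": "4.14.275",
	"release": {
		"distribution": "OpenWrt",
		"version": "19.07.10",
		"revision": "r11427-9ce6aa9d8d"
	}
}'

# Read ubus JSON on stdin, print the release "version" string.
board_version() {
	sed -n 's/^[[:space:]]*"version":[[:space:]]*"\([^"]*\)".*/\1/p' | head -n 1
}

# Map a release version to its default backend (assumes fw4 from 22.03 on).
fw_backend_for_release() {
	case "$1" in
		[0-9]*.[0-9]*) ;;
		*) echo unknown; return 0 ;;      # "Bleeding Edge", "SNAPSHOT", ...
	esac
	major=${1%%.*}; rest=${1#*.}; minor=${rest%%[!0-9]*}
	case "$major" in *[!0-9]*) echo unknown; return 0 ;; esac
	[ -n "$minor" ] || { echo unknown; return 0; }
	minor=${minor#0}; minor=${minor:-0}   # "07" -> 7, avoids octal surprises
	if [ "$major" -gt 22 ] || { [ "$major" -eq 22 ] && [ "$minor" -ge 3 ]; }; then
		echo fw4
	else
		echo fw3
	fi
}

# Live probe for builds whose version string is not a release number.
have_fw4_table() {
	command -v nft >/dev/null 2>&1 && nft list table inet fw4 >/dev/null 2>&1
}

# Succeeds only if "table inet fw4" should exist for the guide's tor.sh to use.
tor_nft_preflight() {
	ver=$(board_version)
	backend=$(fw_backend_for_release "$ver")
	if [ "$backend" = unknown ] && have_fw4_table; then backend=fw4; fi
	echo "release=${ver:-?} backend=$backend"
	[ "$backend" = fw4 ]
}

printf '%s\n' "$SAMPLE_BOARD" | tor_nft_preflight || echo "skip nft rules; use fw3/iptables"
```

On a router, pipe the live output in with `ubus call system board | tor_nft_preflight` before enabling `/etc/nftables.d/tor.sh`.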

Oh wow.... The only explanation I can think of is the image file provided in the table is wrong/faulty. Because I indeed have the TD-W8986. And the RAM for that is 64MB (both v3 and v5 are 64MB).

I'm going to have to look around...

Edit: There is! I will try again and come back!

This is probably not from the official OpenWrt project since you are downloading it from another site.

I got it from here from the official website:

You can download openwrt-brcm63xx-generic-TD-W8968-squashfs-cfe.bin. It was built from a trunk snapshot (r50019) and includes LuCI packages.

This is what that same command now produces:

root@OpenWrt:~# ubus call system board
{
	"kernel": "4.4.14",
	"hostname": "OpenWrt",
	"system": "bcm63xx\/TD-W8968 (0x6318\/0xB0)",
	"model": "TP-Link TD-W8968",
	"release": {
		"distribution": "OpenWrt",
		"version": "Bleeding Edge",
		"revision": "50019",
		"codename": "designated_driver",
		"target": "brcm63xx\/generic",
		"description": "OpenWrt Designated Driver 50019"
	}
}

That is a fork from a crazy ancient version of OpenWrt.

This is a listing for the w8960n, but you're saying you have the w8968.

TP-Link TD-W8960N v5 / TP-Link TD-W8968 v3

Judging by the title, they appear to be more or less the same.

As I look at the variants here, it does indeed look like those two units are similar (and the w8968 v3 firmware link is for the fast2704n, as we had found in the beginning).

But regardless, it doesn't appear that you can get beyond 19.07.10 anyway, so I think all of this is moot.

I had a feeling you'd say that :sweat_smile:. A shame I can't use Tor on this.

There's only one other guide on Tor for OpenWrt - on the Tor GitLab. I tried this to see if this would lead to something different.

The second to last command produces these errors:

root@OpenWrt:~#   /etc/init.d/firewall reload
Warning: Unable to locate ipset utility, disabling ipset support
Warning: Option @zone[2].syn_flood is unknown
Warning: Section @zone[2] (transtor) has no device, network, subnet or extra options
 * Clearing IPv4 filter table
 * Clearing IPv4 nat table
 * Clearing IPv4 mangle table
 * Clearing IPv4 raw table
 * Populating IPv4 filter table
   * Zone 'lan'
   * Zone 'wan'
   * Zone 'transtor'
Warning: fw3_ipt_rule_append(): Can't find target 'input_transtor_rule'
Warning: fw3_ipt_rule_append(): Can't find target 'output_transtor_rule'
Warning: fw3_ipt_rule_append(): Can't find target 'forwarding_transtor_rule'
   * Rule 'Allow-DHCP-Renew'
   * Rule 'Allow-Ping'
   * Rule 'Allow-IGMP'
   * Rule #7
   * Rule #8
   * Rule #9
   * Rule #10
   * Rule #11
   * Rule #12
   * Forward 'lan' -> 'wan'
 * Populating IPv4 nat table
   * Zone 'lan'
   * Zone 'wan'
   * Zone 'transtor'
Warning: fw3_ipt_rule_append(): Can't find target 'prerouting_transtor_rule'
Warning: fw3_ipt_rule_append(): Can't find target 'postrouting_transtor_rule'
 * Populating IPv4 mangle table
   * Zone 'lan'
   * Zone 'wan'
   * Zone 'transtor'
 * Populating IPv4 raw table
   * Zone 'lan'
   * Zone 'wan'
   * Zone 'transtor'
 * Clearing IPv6 filter table
 * Clearing IPv6 mangle table
 * Clearing IPv6 raw table
 * Populating IPv6 filter table
   * Zone 'lan'
   * Zone 'wan'
   * Zone 'transtor'
Warning: fw3_ipt_rule_append(): Can't find target 'input_transtor_rule'
Warning: fw3_ipt_rule_append(): Can't find target 'output_transtor_rule'
Warning: fw3_ipt_rule_append(): Can't find target 'forwarding_transtor_rule'
   * Rule 'Allow-DHCPv6'
   * Rule 'Allow-MLD'
   * Rule 'Allow-ICMPv6-Input'
   * Rule 'Allow-ICMPv6-Forward'
   * Rule #7
   * Rule #8
   * Rule #9
   * Rule #10
   * Rule #11
   * Rule #12
   * Forward 'lan' -> 'wan'
 * Populating IPv6 mangle table
   * Zone 'lan'
   * Zone 'wan'
   * Zone 'transtor'
 * Populating IPv6 raw table
   * Zone 'lan'
   * Zone 'wan'
   * Zone 'transtor'
 * Set tcp_ecn to off
 * Set tcp_syncookies to on
 * Set tcp_window_scaling to on

The AP doesn't show up either, as evidenced by this:

Probably still won't work, but what are your thoughts?

I've never used Tor, so I cannot comment. But if you can do stuff with FW3, you should be able to do it.