Hotspot with NDS and TOR

I want my router to offer an open WiFi with NDS and route all traffic through Tor.

What I got working so far:

  • Have an open WiFi and all traffic routed through Tor

Where I'm stuck:

  • NDS

Here are the WiFi <-> Tor related config sections:


config dhcp 'tor'
	option interface 'tor'
	option start '50'
	option limit '250'
	option leasetime '12h'
	option force '1'


config interface 'tor'
	option proto   'static'
	option ipaddr  ''
	option netmask ''


config wifi-iface 'tor_radio0'
	option device 'radio0'
	option network 'tor'
	option mode 'ap'
	option encryption 'none'
	option macaddr '00:88:88:88:00:2A'
	option ssid 'Tor'
	option isolate '1'


config zone
	option name 'tor'
	option network 'tor'
	option input 'REJECT'
	option output 'ACCEPT'
	option forward 'REJECT'

config rule
	option name 'transtor-dhcp'
	option src 'tor'
	option proto 'udp'
	option dest_port '67'
	option target 'ACCEPT'


iptables -t nat -A PREROUTING -i wlan0-1 -p udp --dport 53 -j REDIRECT --to-ports 9053
iptables -t nat -A PREROUTING -i wlan0-1 -p tcp --syn -j REDIRECT --to-ports 9040


User tor
RunAsDaemon 1
PidFile /var/run/
DataDirectory /var/lib/tor
AutomapHostsOnResolve 1

This is what I have done on

  option gatewayinterface 'tor'

However, if I connect to my "Tor" network it really pushes everything through Tor and even skips the NDS... So it works too well, but not how I want it...
I think I need one more line in my /etc/firewall.user - can somebody help me out with that?

OK, after fiddling around a bit it finally seems to work :)
The following changes/settings are needed:

  option gatewayinterface 'wlan0-1' #belongs to the wifi-iface tor_radio0
  list users_to_router 'allow udp port 53' #DNS
  list users_to_router 'allow udp port 67' #DHCP
  list users_to_router 'allow tcp port 9040' #Tor transparent proxy port (target of the tcp REDIRECT)
  list users_to_router 'allow udp port 9053' #Tor-DNS-Proxy
  list users_to_router 'allow tcp port 2050' #The Captive Portal

With this you can now easily give people public Internet access while preserving privacy "out of the box".
This "Tor" AP now runs on my TP-Link TL-WR1043N/ND v2 beside my wifi-iface 'default_radio0' ;)
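
An added example, not part of the original post: a shell check that the two fixes in the follow-up hold together, i.e. the REDIRECT rules sit on the same device as `gatewayinterface` and every redirect target port has a matching `users_to_router` allow rule. The function names and the embedded sample text are constructed for illustration from the settings quoted above.

```sh
#!/bin/sh
# Added example (not from the original post). Inputs are constructed from the
# settings quoted above; on a router, read the real files instead.
FIREWALL_USER='iptables -t nat -A PREROUTING -i wlan0-1 -p udp --dport 53 -j REDIRECT --to-ports 9053
iptables -t nat -A PREROUTING -i wlan0-1 -p tcp --syn -j REDIRECT --to-ports 9040'
NDS_CONFIG="  option gatewayinterface 'wlan0-1'
  list users_to_router 'allow udp port 53'
  list users_to_router 'allow udp port 67'
  list users_to_router 'allow tcp port 9040'
  list users_to_router 'allow udp port 9053'
  list users_to_router 'allow tcp port 2050'"

# Print "device proto port" for every REDIRECT rule in the firewall text ($1).
redirect_targets() {
	printf '%s\n' "$1" | awk '/-j REDIRECT/ {
		dev = ""; proto = ""; port = ""
		for (i = 1; i < NF; i++) {
			if ($i == "-i") dev = $(i + 1)
			if ($i == "-p") proto = $(i + 1)
			if ($i == "--to-ports") port = $(i + 1)
		}
		if (port != "") print dev, proto, port
	}'
}

# Print "proto port" for every users_to_router allow rule in the NDS text ($1).
allowed_to_router() {
	printf '%s\n' "$1" |
		sed -n "s/.*list users_to_router 'allow \([a-z]*\) port \([0-9]*\)'.*/\1 \2/p"
}

# Print the gatewayinterface value from the NDS text ($1).
gateway_device() {
	printf '%s\n' "$1" | sed -n "s/.*option gatewayinterface '\([^']*\)'.*/\1/p"
}

# audit FIREWALL_TEXT NDS_TEXT: print one finding per line, nothing if consistent.
audit() {
	gw=$(gateway_device "$2")
	allowed=$(allowed_to_router "$2")
	redirect_targets "$1" | while read -r dev proto port; do
		if [ "$dev" != "$gw" ]; then
			echo "iface-mismatch: redirect on $dev, NDS on $gw"
		elif ! printf '%s\n' "$allowed" | grep -qx "$proto $port"; then
			echo "not-allowed: $proto $port"
		fi
	done
}
audit "$FIREWALL_USER" "$NDS_CONFIG"
```

With the final settings from the post the audit prints nothing; with `gatewayinterface 'tor'` it reports an interface mismatch for both redirect rules.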