How to set up Tor to only run on a VLAN?

I want Tor to run only for devices connected to one SSID. I had been trying to follow this tutorial, Tor over Wifi only, first setting up the guest network and then setting up Tor, and it's not working: it still uses my direct connection.

I am not sure what I am doing wrong. Additionally, my custom Tor configuration is shown below; I made some modifications to prevent it from affecting the entire network (but, last I checked, using the original configuration also didn't work).

# Configure Tor client
rm 
cat << EOF > /etc/tor/custom
AutomapHostsOnResolve 1
AutomapHostsSuffixes .
VirtualAddrNetworkIPv4 192.168.2.0/24
DNSPort 192.168.2.1:9053
TransPort 192.168.2.1:9040
EOF
cat << EOF >> /etc/sysupgrade.conf
/etc/tor/custom
EOF
uci del_list tor.conf.tail_include="/etc/tor/custom"
uci add_list tor.conf.tail_include="/etc/tor/custom"
uci commit tor
/etc/init.d/tor restart

Diagnostics: https://pastebin.com/S4KKzV2U
My guest wifi does have internet connection, I don't know if these diagnostics are helpful

Using this command has no effect:

logread -e Tor; netstat -l -n -p | grep -e tor

Persistent configuration

root@OpenWrt:~# uci show firewall; uci show tor; grep -v -r -e "^#" -e "^$" /etc/tor
firewall.@defaults[0]=defaults
firewall.@defaults[0].syn_flood='1'
firewall.@defaults[0].input='ACCEPT'
firewall.@defaults[0].output='ACCEPT'
firewall.@defaults[0].forward='REJECT'
firewall.@zone[0]=zone
firewall.@zone[0].name='lan'
firewall.@zone[0].input='ACCEPT'
firewall.@zone[0].output='ACCEPT'
firewall.@zone[0].forward='ACCEPT'
firewall.@zone[0].network='lan'
firewall.@zone[1]=zone
firewall.@zone[1].name='wan'
firewall.@zone[1].input='REJECT'
firewall.@zone[1].output='ACCEPT'
firewall.@zone[1].forward='REJECT'
firewall.@zone[1].masq='1'
firewall.@zone[1].mtu_fix='1'
firewall.@zone[1].network='wan' 'wan6' 'wwan'
firewall.@forwarding[0]=forwarding
firewall.@forwarding[0].src='lan'
firewall.@forwarding[0].dest='wan'
firewall.@rule[0]=rule
firewall.@rule[0].name='Allow-DHCP-Renew'
firewall.@rule[0].src='wan'
firewall.@rule[0].proto='udp'
firewall.@rule[0].dest_port='68'
firewall.@rule[0].target='ACCEPT'
firewall.@rule[0].family='ipv4'
firewall.@rule[1]=rule
firewall.@rule[1].name='Allow-Ping'
firewall.@rule[1].src='wan'
firewall.@rule[1].proto='icmp'
firewall.@rule[1].icmp_type='echo-request'
firewall.@rule[1].family='ipv4'
firewall.@rule[1].target='ACCEPT'
firewall.@rule[2]=rule
firewall.@rule[2].name='Allow-IGMP'
firewall.@rule[2].src='wan'
firewall.@rule[2].proto='igmp'
firewall.@rule[2].family='ipv4'
firewall.@rule[2].target='ACCEPT'
firewall.@rule[3]=rule
firewall.@rule[3].name='Allow-DHCPv6'
firewall.@rule[3].src='wan'
firewall.@rule[3].proto='udp'
firewall.@rule[3].src_ip='fc00::/6'
firewall.@rule[3].dest_ip='fc00::/6'
firewall.@rule[3].dest_port='546'
firewall.@rule[3].family='ipv6'
firewall.@rule[3].target='ACCEPT'
firewall.@rule[4]=rule
firewall.@rule[4].name='Allow-MLD'
firewall.@rule[4].src='wan'
firewall.@rule[4].proto='icmp'
firewall.@rule[4].src_ip='fe80::/10'
firewall.@rule[4].icmp_type='130/0' '131/0' '132/0' '143/0'
firewall.@rule[4].family='ipv6'
firewall.@rule[4].target='ACCEPT'
firewall.@rule[5]=rule
firewall.@rule[5].name='Allow-ICMPv6-Input'
firewall.@rule[5].src='wan'
firewall.@rule[5].proto='icmp'
firewall.@rule[5].icmp_type='echo-request' 'echo-reply' 'destination-unreachable' 'packet-too-big' 'time-exceeded' 'bad-header' 'unknown-header-type' 'router-solicitation' 'neighbour-solicitation' 'router-advertisement' 'neighbour-advertisement'
firewall.@rule[5].limit='1000/sec'
firewall.@rule[5].family='ipv6'
firewall.@rule[5].target='ACCEPT'
firewall.@rule[6]=rule
firewall.@rule[6].name='Allow-ICMPv6-Forward'
firewall.@rule[6].src='wan'
firewall.@rule[6].dest='*'
firewall.@rule[6].proto='icmp'
firewall.@rule[6].icmp_type='echo-request' 'echo-reply' 'destination-unreachable' 'packet-too-big' 'time-exceeded' 'bad-header' 'unknown-header-type'
firewall.@rule[6].limit='1000/sec'
firewall.@rule[6].family='ipv6'
firewall.@rule[6].target='ACCEPT'
firewall.@rule[7]=rule
firewall.@rule[7].name='Allow-IPSec-ESP'
firewall.@rule[7].src='wan'
firewall.@rule[7].dest='lan'
firewall.@rule[7].proto='esp'
firewall.@rule[7].target='ACCEPT'
firewall.@rule[8]=rule
firewall.@rule[8].name='Allow-ISAKMP'
firewall.@rule[8].src='wan'
firewall.@rule[8].dest='lan'
firewall.@rule[8].dest_port='500'
firewall.@rule[8].proto='udp'
firewall.@rule[8].target='ACCEPT'
firewall.@rule[9]=rule
firewall.@rule[9].name='Support-UDP-Traceroute'
firewall.@rule[9].src='wan'
firewall.@rule[9].dest_port='33434:33689'
firewall.@rule[9].proto='udp'
firewall.@rule[9].family='ipv4'
firewall.@rule[9].target='REJECT'
firewall.@rule[9].enabled='false'
firewall.@include[0]=include
firewall.@include[0].path='/etc/firewall.user'
firewall.@redirect[0]=redirect
firewall.@redirect[0].target='DNAT'
firewall.@redirect[0].name='Force Pihole'
firewall.@redirect[0].src='wan'
firewall.@redirect[0].src_dport='53'
firewall.nat6=include
firewall.nat6.path='/etc/firewall.nat6'
firewall.nat6.reload='1'
firewall.doh=ipset
firewall.doh.name='doh'
firewall.doh.family='ipv4'
firewall.doh.storage='hash'
firewall.doh.match='ip'
firewall.doh.entry='redacted'
firewall.doh6=ipset
firewall.doh6.name='doh6'
firewall.doh6.family='ipv6'
firewall.doh6.storage='hash'
firewall.doh6.match='ip'
firewall.doh6.entry='redacted'
firewall.doh_fwd=rule
firewall.doh_fwd.name='Deny-DoH'
firewall.doh_fwd.src='lan'
firewall.doh_fwd.dest='wan'
firewall.doh_fwd.dest_port='443'
firewall.doh_fwd.proto='tcp udp'
firewall.doh_fwd.family='ipv4'
firewall.doh_fwd.ipset='doh dest'
firewall.doh_fwd.target='REJECT'
firewall.doh6_fwd=rule
firewall.doh6_fwd.name='Deny-DoH'
firewall.doh6_fwd.src='lan'
firewall.doh6_fwd.dest='wan'
firewall.doh6_fwd.dest_port='443'
firewall.doh6_fwd.proto='tcp udp'
firewall.doh6_fwd.family='ipv6'
firewall.doh6_fwd.ipset='doh6 dest'
firewall.doh6_fwd.target='REJECT'
firewall.dot_fwd=rule
firewall.dot_fwd.name='Deny-DoT'
firewall.dot_fwd.src='lan'
firewall.dot_fwd.dest='wan'
firewall.dot_fwd.dest_port='853'
firewall.dot_fwd.proto='tcp udp'
firewall.dot_fwd.target='REJECT'
firewall.dns_masq=nat
firewall.dns_masq.name='Masquerade-DNS'
firewall.dns_masq.src='lan'
firewall.dns_masq.dest_ip='192.168.1.96'
firewall.dns_masq.dest_port='53'
firewall.dns_masq.proto='tcp udp'
firewall.dns_masq.target='MASQUERADE'
firewall.guest=zone
firewall.guest.name='guest'
firewall.guest.network='guest'
firewall.guest.input='REJECT'
firewall.guest.output='ACCEPT'
firewall.guest.forward='REJECT'
firewall.guest_wan=forwarding
firewall.guest_wan.src='guest'
firewall.guest_wan.dest='wan'
firewall.guest_dns=rule
firewall.guest_dns.name='Allow-DNS-Guest'
firewall.guest_dns.src='guest'
firewall.guest_dns.dest_port='53'
firewall.guest_dns.proto='tcp udp'
firewall.guest_dns.target='ACCEPT'
firewall.guest_dhcp=rule
firewall.guest_dhcp.name='Allow-DHCP-Guest'
firewall.guest_dhcp.src='guest'
firewall.guest_dhcp.dest_port='67'
firewall.guest_dhcp.proto='udp'
firewall.guest_dhcp.family='ipv4'
firewall.guest_dhcp.target='ACCEPT'
tor.conf=tor
tor.conf.default='/etc/tor/torrc'
tor.conf.generated='/tmp/torrc'
tor.conf.tail_include='/etc/tor/custom'
/etc/tor/custom:AutomapHostsOnResolve 1
/etc/tor/custom:AutomapHostsSuffixes .
/etc/tor/custom:VirtualAddrNetworkIPv4 192.168.2.0/24
/etc/tor/custom:VirtualAddrNetworkIPv6 fdb2::/7
/etc/tor/custom:DNSPort 192.168.2.1:9053
/etc/tor/custom:TransPort 192.168.2.1:9040
/etc/tor/torrc:Log notice syslog
/etc/tor/torrc:DataDirectory /var/lib/tor
/etc/tor/torrc:User tor

Additionally, running /etc/init.d/tor restart gives the message:

"chown: unknown user/group tor:tor
chown: unknown user/group tor:tor"

1 Like

You are missing the firewall rules to intercept/redirect traffic to Tor.
Those need to be modified for the guest network.

The Tor user/group is supposed to be created upon the package installation.
Reinstalling the Tor package should fix the issue.

1 Like

I could have sworn I had implemented the firewall rules. I tried to do it again, using the following commands, and I lost my internet connection:

# Fetch LAN subnet
. /lib/functions/network.sh
network_flush_cache
network_get_subnet NET_SUB lan
network_get_subnet6 NET_SUB6 lan
 
# Configure IP sets
uci -q delete firewall.tor
uci set firewall.tor="ipset"
uci set firewall.tor.name="tor"
uci set firewall.tor.family="ipv4"
uci set firewall.tor.storage="hash"
uci set firewall.tor.match="net"
uci add_list firewall.tor.entry="192.168.2.0/24 nomatch"
uci add_list firewall.tor.entry="192.168.2.0/24"
 
# Intercept TCP traffic
uci -q delete firewall.tcp_int
uci set firewall.tcp_int="redirect"
uci set firewall.tcp_int.name="Intercept-TCP"
uci set firewall.tcp_int.src="lan"
uci set firewall.tcp_int.dest_port="9040"
uci set firewall.tcp_int.proto="tcp"
uci set firewall.tcp_int.extra="--syn"
uci set firewall.tcp_int.ipset="tor dest"
uci set firewall.tcp_int.target="DNAT"
 
# Disable LAN to WAN forwarding
uci rename firewall.@forwarding[0]="lan_wan"
uci set firewall.lan_wan.enabled="0"
uci commit firewall
/etc/init.d/firewall restart

Below is the output of the command:

Warning: Section @redirect[0] (Force Pihole) does not specify a protocol, assuming TCP+UDP
 * Flushing IPv4 filter table
 * Flushing IPv4 nat table
 * Flushing IPv4 mangle table
 * Flushing IPv6 filter table
 * Flushing IPv6 nat table
 * Flushing IPv6 mangle table
 * Deleting ipset doh
 * Deleting ipset doh6
 * Flushing conntrack table ...
 * Creating ipset doh
 * Creating ipset tor
 * Populating IPv4 filter table
   * Rule 'Allow-DHCP-Renew'
   * Rule 'Allow-Ping'
   * Rule 'Allow-IGMP'
   * Rule 'Allow-IPSec-ESP'
   * Rule 'Allow-ISAKMP'
   * Rule 'Deny-DoH'
   * Rule 'Deny-DoT'
   * Rule 'Allow-DNS-Guest'
   * Rule 'Allow-DHCP-Guest'
   * Redirect 'Force Pihole'
   * Redirect 'Intercept-TCP'
     ! Skipping due to missing ipset 'tor'
   * Forward 'guest' -> 'wan'
   * Zone 'lan'
   * Zone 'wan'
   * Zone 'guest'
 * Populating IPv4 nat table
   * Redirect 'Force Pihole'
   * Redirect 'Intercept-TCP'
     ! Skipping due to missing ipset 'tor'
   * NAT 'Masquerade-DNS'
   * Zone 'lan'
   * Zone 'wan'
   * Zone 'guest'
 * Populating IPv4 mangle table
   * Zone 'lan'
   * Zone 'wan'
   * Zone 'guest'
 * Creating ipset doh6
 * Populating IPv6 filter table
   * Rule 'Allow-DHCPv6'
   * Rule 'Allow-MLD'
   * Rule 'Allow-ICMPv6-Input'
   * Rule 'Allow-ICMPv6-Forward'
   * Rule 'Allow-IPSec-ESP'
   * Rule 'Allow-ISAKMP'
   * Rule 'Deny-DoH'
   * Rule 'Deny-DoT'
   * Rule 'Allow-DNS-Guest'
   * Forward 'guest' -> 'wan'
   * Zone 'lan'
   * Zone 'wan'
   * Zone 'guest'
 * Populating IPv6 nat table
Warning: fw3_ipt_rule_append(): Can't find target 'prerouting_lan_rule'
Warning: fw3_ipt_rule_append(): Can't find target 'postrouting_lan_rule'
Warning: fw3_ipt_rule_append(): Can't find target 'prerouting_wan_rule'
Warning: fw3_ipt_rule_append(): Can't find target 'postrouting_wan_rule'
Warning: fw3_ipt_rule_append(): Can't find target 'prerouting_guest_rule'
Warning: fw3_ipt_rule_append(): Can't find target 'postrouting_guest_rule'
Warning: fw3_ipt_rule_append(): Can't find target 'prerouting_rule'
Warning: fw3_ipt_rule_append(): Can't find target 'postrouting_rule'
   * Zone 'lan'
   * Zone 'wan'
   * Zone 'guest'
 * Populating IPv6 mangle table
   * Zone 'lan'
   * Zone 'wan'
   * Zone 'guest'
 * Set tcp_ecn to off
 * Set tcp_syncookies to on
 * Set tcp_window_scaling to on
 * Running script '/etc/firewall.user'
 * Running script '/etc/firewall.nat6'

The rules weren't implemented.

# Fetch the guest subnets (IPv4 and IPv6) and build the intercept rules/sets for both
. /lib/functions/network.sh
network_flush_cache
for IPV in 4 6
do
# ${IPV%4} expands to "" for IPv4 and "6" for IPv6, matching the section name suffixes
NET_SUB=""
eval network_get_subnet${IPV%4} NET_SUB guest
# Redirect TCP SYNs from the guest zone to Tor's TransPort when the destination is in the tor/tor6 set
uci -q delete firewall.tcp_int${IPV%4}
uci set firewall.tcp_int${IPV%4}="redirect"
uci set firewall.tcp_int${IPV%4}.name="Intercept-TCP"
uci set firewall.tcp_int${IPV%4}.src="guest"
uci set firewall.tcp_int${IPV%4}.dest_port="9040"
uci set firewall.tcp_int${IPV%4}.proto="tcp"
uci set firewall.tcp_int${IPV%4}.ipset="tor${IPV%4} dest"
uci set firewall.tcp_int${IPV%4}.family="ipv${IPV}"
uci set firewall.tcp_int${IPV%4}.target="DNAT"
# Destination set: the guest subnet itself is excluded with a nomatch entry
uci -q delete firewall.tor${IPV%4}
uci set firewall.tor${IPV%4}="ipset"
uci set firewall.tor${IPV%4}.name="tor${IPV%4}"
uci set firewall.tor${IPV%4}.family="ipv${IPV}"
uci set firewall.tor${IPV%4}.match="net"
# Add the nomatch entry to the set of the matching family (tor or tor6), and only if the subnet exists
[ -n "${NET_SUB}" ] && uci add_list firewall.tor${IPV%4}.entry="${NET_SUB} nomatch"
done
# Exclude loopback/link-local, then cover the whole address space in two halves
uci add_list firewall.tor.entry="127.0.0.0/8 nomatch"
uci add_list firewall.tor.entry="0.0.0.0/1"
uci add_list firewall.tor.entry="128.0.0.0/1"
uci add_list firewall.tor6.entry="::1/128 nomatch"
uci add_list firewall.tor6.entry="fe80::/10 nomatch"
uci add_list firewall.tor6.entry="::/1"
uci add_list firewall.tor6.entry="8000::/1"
# Restore LAN->WAN forwarding; the guest zone must not reach WAN directly any more
uci set firewall.lan_wan.enabled="1"
uci set firewall.guest_wan.enabled="0"
uci commit firewall
/etc/init.d/firewall restart
2 Likes
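To see what the tor ipset built by the script above will actually do, here is a small emulation of the kernel's matching rule (an added example for this thread, not code from the thread or from OpenWrt). ipset hash:net picks the longest matching prefix for a destination; if that entry carries nomatch, the destination is treated as not in the set, which is how the guest subnet and loopback are carved out of the 0.0.0.0/1 + 128.0.0.0/1 "everything" pair. The set members and the sample destinations are constructed to mirror a 192.168.2.0/24 guest subnet; IPv4 only.

```shell
#!/bin/sh
# Added example (not from the thread or from OpenWrt): predict which guest
# destinations the "Intercept-TCP" redirect would send to TransPort 9040 by
# emulating ipset hash:net longest-prefix matching with nomatch exceptions.

# Dotted-quad -> integer, e.g. 192.168.2.1 -> 3232236033.
ip2int() {
    oldifs=$IFS; IFS=.; set -- $1; IFS=$oldifs
    echo $(( ($1 << 24) | ($2 << 16) | ($3 << 8) | $4 ))
}

# Netmask (as an integer) for a prefix length 0..32.
prefix_mask() {
    echo $(( (4294967295 << (32 - $1)) & 4294967295 ))
}

# in_cidr IP CIDR: exit 0 if IP lies inside CIDR.
in_cidr() {
    m=$(prefix_mask "${2#*/}")
    [ $(( $(ip2int "$1") & m )) -eq $(( $(ip2int "${2%/*}") & m )) ]
}

# Constructed set members, one per line, "<cidr> [nomatch]": the four entries
# the script above produces when the guest subnet is 192.168.2.0/24.
TOR_SET='192.168.2.0/24 nomatch
127.0.0.0/8 nomatch
0.0.0.0/1
128.0.0.0/1'

# intercepted DST: exit 0 if DST matches the set (a TCP SYN to it would be
# redirected to Tor), 1 if its longest match is a nomatch entry or no entry.
intercepted() {
    best_len=-1; best_flag=''
    while read -r cidr flag; do
        [ -n "$cidr" ] || continue
        len=${cidr#*/}
        if in_cidr "$1" "$cidr" && [ "$len" -gt "$best_len" ]; then
            best_len=$len; best_flag=$flag
        fi
    done <<EOF
$TOR_SET
EOF
    [ "$best_len" -ge 0 ] && [ "$best_flag" != nomatch ]
}

# Demo over a few constructed destinations.
for dst in 8.8.8.8 192.168.2.50 127.0.0.1 192.168.1.96; do
    if intercepted "$dst"; then
        echo "$dst -> redirected to Tor"
    else
        echo "$dst -> not intercepted"
    fi
done
```

Note that the script only adds the guest subnet as a nomatch entry, so a destination on the main LAN such as 192.168.1.96 still matches the set; whether guest clients can reach the LAN at all is decided separately by the guest zone's forward policy.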

aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaah

I see now. Okay, I'll do that then.

After executing the code, guest is unable to get internet connection

pinging 8.8.8.8 gives "Reply from 192.168.2.1: Destination port unreachable."

It should have something to do with the TCP intercept rule. I have internet when I disable it, but then it says I am not connected to Tor. This rule is important, but I don't know how to make it work.

1 Like

Yep, we are supposed to intercept the guest's traffic and redirect it to Tor.
Post the updated diagnostics to pastebin.com to proceed with troubleshooting.

Here's the pastebin: https://pastebin.com/76Abuvsy

Something to keep in mind is that I have Pi-hole as my DNS, and I use masquerading, among other things, to prevent my network from bypassing Pi-hole (the public IP address of my Pi-hole comes from a VPN; it's also chosen at random by a script I made).

1 Like

Enable the intercepting rule:

uci set firewall.tcp_int.enabled="1"
uci commit firewall
/etc/init.d/firewall restart

Then check from the guest client: https://1.1.1.1/
And check from OpenWrt:

iptables-save -c | grep -e Intercept-TCP; ipset list tor; \
ip6tables-save -c | grep -e Intercept-TCP; ipset list tor6; \
pgrep -f -a tor; netstat -l -n -p | grep -e tor

My bad, I forgot to enable it before taking the logs.

Pinging 1.1.1.1 when connected to guest gives a "transmit failed. General failure." error.

Logs on OpenWrt:

iptables-save -c | grep -e Intercept-TCP; ipset list tor; \
> ip6tables-save -c | grep -e Intercept-TCP; ipset list tor6; \
> pgrep -f -a tor; netstat -l -n -p | grep -e tor
[0:0] -A zone_guest_prerouting -p tcp -m set --match-set tor dst -m tcp --tcp-flags FIN,SYN,RST,ACK SYN -m comment --comment "!fw3: Intercept-TCP" -j REDIRECT --to-ports 9040
Name: tor
Type: hash:net
Revision: 6
Header: family inet hashsize 1024 maxelem 65536
Size in memory: 588
References: 1
Number of entries: 4
Members:
192.168.2.0/24 nomatch
128.0.0.0/1
127.0.0.0/8 nomatch
0.0.0.0/1
[0:0] -A zone_guest_prerouting -p tcp -m set --match-set tor6 dst -m tcp --tcp-flags FIN,SYN,RST,ACK SYN -m comment --comment "!fw3: Intercept-TCP" -j REDIRECT --to-ports 9040
Name: tor6
Type: hash:net
Revision: 6
Header: family inet6 hashsize 1024 maxelem 65536
Size in memory: 1560
References: 1
Number of entries: 4
Members:
::/1
::1 nomatch
8000::/1
fe80::/10 nomatch

"pgrep -f -a tor; netstat -l -n -p | grep -e tor" still shows nothing, even after successfully running /etc/init.d/tor restart.

1 Like

Tor doesn't support ICMP, so forget about ping.
You need to check by HTTP/HTTPS from the guest clients.
But all of that is pointless until you make the service run properly.

/etc/init.d/log restart; \
/etc/init.d/tor restart; \
sleep 20; logread -e Tor

I ran the command and nothing happened.

I ran logread -e tor (without the other commands) and got:

Sun Sep 12 01:52:42 2021 daemon.info procd: Instance tor::instance1 s in a crash loop 6 crashes, 0 seconds since last crash

If useful, I am using an Archer C7 v2. Below is my RAM:

1 Like

Virtual subnets must not overlap with the real ones:

sed -i -e "
/^VirtualAddrNetwork/d
2a VirtualAddrNetworkIPv4 172.16.0.0/12
2a VirtualAddrNetworkIPv6 fc00::/7
" /etc/tor/custom
/etc/init.d/tor restart
1 Like
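The fix above is the whole thread in one line: Tor answers automapped DNS lookups with addresses drawn from VirtualAddrNetworkIPv4, so that range must not collide with a subnet the router actually serves. Below is a pre-flight check you can run over a custom file before restarting Tor (an added example, not code from the thread, from OpenWrt or from the Tor project). It parses torrc-style text, checks the virtual range against a list of real subnets, and also confirms that TransPort/DNSPort are bound to an address inside one of those subnets. The two config texts (the thread's original and corrected custom file) and the subnet list are constructed for the example; IPv4 only.

```shell
#!/bin/sh
# Added example (not from the thread, OpenWrt or Tor): sanity-check a torrc
# fragment so VirtualAddrNetworkIPv4 cannot overlap a real subnet and the
# TransPort/DNSPort listeners face a real (guest) subnet.

# Dotted-quad -> integer.
ip2int() {
    oldifs=$IFS; IFS=.; set -- $1; IFS=$oldifs
    echo $(( ($1 << 24) | ($2 << 16) | ($3 << 8) | $4 ))
}

# Netmask (as an integer) for a prefix length 0..32.
prefix_mask() {
    echo $(( (4294967295 << (32 - $1)) & 4294967295 ))
}

# cidr_overlap A B: exit 0 if the two blocks share at least one address,
# i.e. both networks agree under the shorter of the two prefix masks.
cidr_overlap() {
    len=${1#*/}
    if [ "${2#*/}" -lt "$len" ]; then len=${2#*/}; fi
    m=$(prefix_mask "$len")
    [ $(( $(ip2int "${1%/*}") & m )) -eq $(( $(ip2int "${2%/*}") & m )) ]
}

# in_cidr IP CIDR: exit 0 if IP lies inside CIDR.
in_cidr() {
    m=$(prefix_mask "${2#*/}")
    [ $(( $(ip2int "$1") & m )) -eq $(( $(ip2int "${2%/*}") & m )) ]
}

# torrc_value CONFIG KEY: print KEY's value from torrc-style text; the last
# occurrence wins, which is what the sed fix above relies on after deleting
# the old VirtualAddrNetwork lines.
torrc_value() {
    v=''
    while read -r key val _; do
        if [ "$key" = "$2" ]; then v=$val; fi
    done <<EOF
$1
EOF
    printf '%s\n' "$v"
}

# check_tor_custom CONFIG "SUBNET ...": exit 0 only if VirtualAddrNetworkIPv4
# is clear of every real subnet and TransPort/DNSPort bind inside one of them.
check_tor_custom() {
    vnet=$(torrc_value "$1" VirtualAddrNetworkIPv4)
    [ -n "$vnet" ] || { echo "VirtualAddrNetworkIPv4 not set"; return 1; }
    for real in $2; do
        if cidr_overlap "$vnet" "$real"; then
            echo "VirtualAddrNetworkIPv4 $vnet overlaps real subnet $real"
            return 1
        fi
    done
    for opt in TransPort DNSPort; do
        addr=$(torrc_value "$1" "$opt"); addr=${addr%:*}
        case $addr in
            *.*.*.*) ;;
            *) echo "$opt has no IPv4 bind address"; return 1 ;;
        esac
        ok=1
        for real in $2; do
            if in_cidr "$addr" "$real"; then ok=0; fi
        done
        if [ "$ok" -ne 0 ]; then
            echo "$opt address $addr is not inside any real subnet"
            return 1
        fi
    done
    echo "ok: $vnet is clear of [$2]; listeners bound inside a real subnet"
}

# Constructed: the thread's original custom file and the corrected one.
BROKEN_CUSTOM='AutomapHostsOnResolve 1
AutomapHostsSuffixes .
VirtualAddrNetworkIPv4 192.168.2.0/24
DNSPort 192.168.2.1:9053
TransPort 192.168.2.1:9040'
FIXED_CUSTOM='AutomapHostsOnResolve 1
AutomapHostsSuffixes .
VirtualAddrNetworkIPv4 172.16.0.0/12
DNSPort 192.168.2.1:9053
TransPort 192.168.2.1:9040'
# Constructed: the router's real subnets (lan and guest).
REAL_SUBNETS='192.168.1.0/24 192.168.2.0/24'

check_tor_custom "$BROKEN_CUSTOM" "$REAL_SUBNETS" || true
check_tor_custom "$FIXED_CUSTOM" "$REAL_SUBNETS"
```

On a live router the subnet list would come from network_get_subnet for each interface, as the thread's scripts already do; the check is deliberately kept to the IPv4 range because that is the one the original configuration got wrong.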

Great, it's working now, and it's even using my Pi-hole DNS (just like I wanted). I had also followed the guide to set it up as a proxy; doing it this way makes it easier to have websites go through a direct connection instead of Tor, it's more accessible and more device-based, and I can always connect to the Tor Wi-Fi for a more effective solution.

It's even assigning a different Tor IP address to each device, both as a proxy and in the Wi-Fi hotspot. Excellent.

Thank you for your help here.

Note: For future readers, do follow the instructions from the wiki. My mistake was actually that I didn't follow the instructions and made changes that I thought were necessary to make it work on a VLAN (instead of the entire network). For help setting up Tor on only one VLAN, read the wiki AND the answer I marked as the solution.

2 Likes
