I want only devices connected on a ssid to run. I had been trying to follow this tutorial Tor over Wifi only, first setting up the guest network, and then setting up tor, and it's not working, it still uses my direct connection
I am not sure of what I am doing wrong. Additionally, my custom tor configuration is shown below, I made some modifications to prevent it from affecting the entire network (but, last I checked, using the original configuration also didn't work)
I could had swore I implemented the firewall rules. I tried to do it again, by using the following commands, and I lost internet connection
# Fetch LAN subnet
. /lib/functions/network.sh
network_flush_cache
network_get_subnet NET_SUB lan
network_get_subnet6 NET_SUB6 lan
# Configure IP sets
uci -q delete firewall.tor
uci set firewall.tor="ipset"
uci set firewall.tor.name="tor"
uci set firewall.tor.family="ipv4"
uci set firewall.tor.storage="hash"
uci set firewall.tor.match="net"
uci add_list firewall.tor.entry="192.168.2.0/24 nomatch"
uci add_list firewall.tor.entry="192.168.2.0/24"
# Intercept TCP traffic
uci -q delete firewall.tcp_int
uci set firewall.tcp_int="redirect"
uci set firewall.tcp_int.name="Intercept-TCP"
uci set firewall.tcp_int.src="lan"
uci set firewall.tcp_int.dest_port="9040"
uci set firewall.tcp_int.proto="tcp"
uci set firewall.tcp_int.extra="--syn"
uci set firewall.tcp_int.ipset="tor dest"
uci set firewall.tcp_int.target="DNAT"
# Disable LAN to WAN forwarding
uci rename firewall.@forwarding[0]="lan_wan"
uci set firewall.lan_wan.enabled="0"
uci commit firewall
/etc/init.d/firewall restart
below is the output of the command
Warning: Section @redirect[0] (Force Pihole) does not specify a protocol, assuming TCP+UDP
* Flushing IPv4 filter table
* Flushing IPv4 nat table
* Flushing IPv4 mangle table
* Flushing IPv6 filter table
* Flushing IPv6 nat table
* Flushing IPv6 mangle table
* Deleting ipset doh
* Deleting ipset doh6
* Flushing conntrack table ...
* Creating ipset doh
* Creating ipset tor
* Populating IPv4 filter table
* Rule 'Allow-DHCP-Renew'
* Rule 'Allow-Ping'
* Rule 'Allow-IGMP'
* Rule 'Allow-IPSec-ESP'
* Rule 'Allow-ISAKMP'
* Rule 'Deny-DoH'
* Rule 'Deny-DoT'
* Rule 'Allow-DNS-Guest'
* Rule 'Allow-DHCP-Guest'
* Redirect 'Force Pihole'
* Redirect 'Intercept-TCP'
! Skipping due to missing ipset 'tor'
* Forward 'guest' -> 'wan'
* Zone 'lan'
* Zone 'wan'
* Zone 'guest'
* Populating IPv4 nat table
* Redirect 'Force Pihole'
* Redirect 'Intercept-TCP'
! Skipping due to missing ipset 'tor'
* NAT 'Masquerade-DNS'
* Zone 'lan'
* Zone 'wan'
* Zone 'guest'
* Populating IPv4 mangle table
* Zone 'lan'
* Zone 'wan'
* Zone 'guest'
* Creating ipset doh6
* Populating IPv6 filter table
* Rule 'Allow-DHCPv6'
* Rule 'Allow-MLD'
* Rule 'Allow-ICMPv6-Input'
* Rule 'Allow-ICMPv6-Forward'
* Rule 'Allow-IPSec-ESP'
* Rule 'Allow-ISAKMP'
* Rule 'Deny-DoH'
* Rule 'Deny-DoT'
* Rule 'Allow-DNS-Guest'
* Forward 'guest' -> 'wan'
* Zone 'lan'
* Zone 'wan'
* Zone 'guest'
* Populating IPv6 nat table
Warning: fw3_ipt_rule_append(): Can't find target 'prerouting_lan_rule'
Warning: fw3_ipt_rule_append(): Can't find target 'postrouting_lan_rule'
Warning: fw3_ipt_rule_append(): Can't find target 'prerouting_wan_rule'
Warning: fw3_ipt_rule_append(): Can't find target 'postrouting_wan_rule'
Warning: fw3_ipt_rule_append(): Can't find target 'prerouting_guest_rule'
Warning: fw3_ipt_rule_append(): Can't find target 'postrouting_guest_rule'
Warning: fw3_ipt_rule_append(): Can't find target 'prerouting_rule'
Warning: fw3_ipt_rule_append(): Can't find target 'postrouting_rule'
* Zone 'lan'
* Zone 'wan'
* Zone 'guest'
* Populating IPv6 mangle table
* Zone 'lan'
* Zone 'wan'
* Zone 'guest'
* Set tcp_ecn to off
* Set tcp_syncookies to on
* Set tcp_window_scaling to on
* Running script '/etc/firewall.user'
* Running script '/etc/firewall.nat6'
After executing the code, guest is unable to get internet connection
pinging 8.8.8.8 gives "Reply from 192.168.2.1: Destination port unreachable."
It should have something to do with the tcp intercept traffic rule. I have internet when I disable it, but it says I am not connected to tor. This rule is important but I don't know how to make it work
Yep, we are supposed to intercept the guest's traffic and redirect it to Tor.
Post the updated diagnostics to pastebin.com to proceed with troubleshooting.
Something to take in mind is that I have pihole as my dns and I use masquerading among other things to prevent my network from bypassing pihole (the public ip address of my pihole is from a vpn, it's chosen at random as well with a script I made)
Tor doesn't support ICMP, so forget about ping.
You need to check by HTTP/HTTPS from the guest clients.
But all of that is pointless until you make the service run properly.
Great, it's working now, it's even using my pihole dns (just like I wanted). I had also followed the guide to set it up as a proxy, doing it this way makes it easier to make websites go through a direct connection instead of tor, it's more accessible and more device-based, and I can always connect to the tor wifi for a more effective solution
It's even assigning a different tor ip address to each device, both as a proxy and also in the wifi hotspot, excellent.
Thank you for your help here
Note: For future readers, do follow the instructions from the wiki. My mistake was actually that I didn't follow instructions, and made changes that I thought were necessary to make it work on a vlan (instead of the entire network). For help setting tor only on one vlan, read the wiki AND the answer I marked as a solution.