How to setup tor to only run on vlan?

I want only devices connected on a ssid to run. I had been trying to follow this tutorial Tor over Wifi only, first setting up the guest network, and then setting up tor, and it's not working, it still uses my direct connection

I am not sure of what I am doing wrong. Additionally, my custom tor configuration is shown below, I made some modifications to prevent it from affecting the entire network (but, last I checked, using the original configuration also didn't work)

# Configure Tor client
rm 
cat << EOF > /etc/tor/custom
AutomapHostsOnResolve 1
AutomapHostsSuffixes .
VirtualAddrNetworkIPv4 192.168.2.0/24
DNSPort 192.168.2.1:9053
TransPort 192.168.2.1:9040
EOF
cat << EOF >> /etc/sysupgrade.conf
/etc/tor/custom
EOF
uci del_list tor.conf.tail_include="/etc/tor/custom"
uci add_list tor.conf.tail_include="/etc/tor/custom"
uci commit tor
/etc/init.d/tor restart

diagnostics https://pastebin.com/S4KKzV2U
My guest wifi does have internet connection, I don't know if these diagnostics are helpful

using this command has no effect

logread -e Tor; netstat -l -n -p | grep -e tor

Persistent configuration

root@OpenWrt:~# uci show firewall; uci show tor; grep -v -r -e "^#" -e "^$" /etc/tor
firewall.@defaults[0]=defaults
firewall.@defaults[0].syn_flood='1'
firewall.@defaults[0].input='ACCEPT'
firewall.@defaults[0].output='ACCEPT'
firewall.@defaults[0].forward='REJECT'
firewall.@zone[0]=zone
firewall.@zone[0].name='lan'
firewall.@zone[0].input='ACCEPT'
firewall.@zone[0].output='ACCEPT'
firewall.@zone[0].forward='ACCEPT'
firewall.@zone[0].network='lan'
firewall.@zone[1]=zone
firewall.@zone[1].name='wan'
firewall.@zone[1].input='REJECT'
firewall.@zone[1].output='ACCEPT'
firewall.@zone[1].forward='REJECT'
firewall.@zone[1].masq='1'
firewall.@zone[1].mtu_fix='1'
firewall.@zone[1].network='wan' 'wan6' 'wwan'
firewall.@forwarding[0]=forwarding
firewall.@forwarding[0].src='lan'
firewall.@forwarding[0].dest='wan'
firewall.@rule[0]=rule
firewall.@rule[0].name='Allow-DHCP-Renew'
firewall.@rule[0].src='wan'
firewall.@rule[0].proto='udp'
firewall.@rule[0].dest_port='68'
firewall.@rule[0].target='ACCEPT'
firewall.@rule[0].family='ipv4'
firewall.@rule[1]=rule
firewall.@rule[1].name='Allow-Ping'
firewall.@rule[1].src='wan'
firewall.@rule[1].proto='icmp'
firewall.@rule[1].icmp_type='echo-request'
firewall.@rule[1].family='ipv4'
firewall.@rule[1].target='ACCEPT'
firewall.@rule[2]=rule
firewall.@rule[2].name='Allow-IGMP'
firewall.@rule[2].src='wan'
firewall.@rule[2].proto='igmp'
firewall.@rule[2].family='ipv4'
firewall.@rule[2].target='ACCEPT'
firewall.@rule[3]=rule
firewall.@rule[3].name='Allow-DHCPv6'
firewall.@rule[3].src='wan'
firewall.@rule[3].proto='udp'
firewall.@rule[3].src_ip='fc00::/6'
firewall.@rule[3].dest_ip='fc00::/6'
firewall.@rule[3].dest_port='546'
firewall.@rule[3].family='ipv6'
firewall.@rule[3].target='ACCEPT'
firewall.@rule[4]=rule
firewall.@rule[4].name='Allow-MLD'
firewall.@rule[4].src='wan'
firewall.@rule[4].proto='icmp'
firewall.@rule[4].src_ip='fe80::/10'
firewall.@rule[4].icmp_type='130/0' '131/0' '132/0' '143/0'
firewall.@rule[4].family='ipv6'
firewall.@rule[4].target='ACCEPT'
firewall.@rule[5]=rule
firewall.@rule[5].name='Allow-ICMPv6-Input'
firewall.@rule[5].src='wan'
firewall.@rule[5].proto='icmp'
firewall.@rule[5].icmp_type='echo-request' 'echo-reply' 'destination-unreachable' 'packet-too-big' 'time-exceeded' 'bad-header' 'unknown-header-type' 'router-solicitation' 'neighbour-solicitation' 'router-advertisement' 'neighbour-advertisement'
firewall.@rule[5].limit='1000/sec'
firewall.@rule[5].family='ipv6'
firewall.@rule[5].target='ACCEPT'
firewall.@rule[6]=rule
firewall.@rule[6].name='Allow-ICMPv6-Forward'
firewall.@rule[6].src='wan'
firewall.@rule[6].dest='*'
firewall.@rule[6].proto='icmp'
firewall.@rule[6].icmp_type='echo-request' 'echo-reply' 'destination-unreachable' 'packet-too-big' 'time-exceeded' 'bad-header' 'unknown-header-type'
firewall.@rule[6].limit='1000/sec'
firewall.@rule[6].family='ipv6'
firewall.@rule[6].target='ACCEPT'
firewall.@rule[7]=rule
firewall.@rule[7].name='Allow-IPSec-ESP'
firewall.@rule[7].src='wan'
firewall.@rule[7].dest='lan'
firewall.@rule[7].proto='esp'
firewall.@rule[7].target='ACCEPT'
firewall.@rule[8]=rule
firewall.@rule[8].name='Allow-ISAKMP'
firewall.@rule[8].src='wan'
firewall.@rule[8].dest='lan'
firewall.@rule[8].dest_port='500'
firewall.@rule[8].proto='udp'
firewall.@rule[8].target='ACCEPT'
firewall.@rule[9]=rule
firewall.@rule[9].name='Support-UDP-Traceroute'
firewall.@rule[9].src='wan'
firewall.@rule[9].dest_port='33434:33689'
firewall.@rule[9].proto='udp'
firewall.@rule[9].family='ipv4'
firewall.@rule[9].target='REJECT'
firewall.@rule[9].enabled='false'
firewall.@include[0]=include
firewall.@include[0].path='/etc/firewall.user'
firewall.@redirect[0]=redirect
firewall.@redirect[0].target='DNAT'
firewall.@redirect[0].name='Force Pihole'
firewall.@redirect[0].src='wan'
firewall.@redirect[0].src_dport='53'
firewall.nat6=include
firewall.nat6.path='/etc/firewall.nat6'
firewall.nat6.reload='1'
firewall.doh=ipset
firewall.doh.name='doh'
firewall.doh.family='ipv4'
firewall.doh.storage='hash'
firewall.doh.match='ip'
firewall.doh.entry='redacted'
firewall.doh6=ipset
firewall.doh6.name='doh6'
firewall.doh6.family='ipv6'
firewall.doh6.storage='hash'
firewall.doh6.match='ip'
firewall.doh6.entry='redacted'
firewall.doh_fwd=rule
firewall.doh_fwd.name='Deny-DoH'
firewall.doh_fwd.src='lan'
firewall.doh_fwd.dest='wan'
firewall.doh_fwd.dest_port='443'
firewall.doh_fwd.proto='tcp udp'
firewall.doh_fwd.family='ipv4'
firewall.doh_fwd.ipset='doh dest'
firewall.doh_fwd.target='REJECT'
firewall.doh6_fwd=rule
firewall.doh6_fwd.name='Deny-DoH'
firewall.doh6_fwd.src='lan'
firewall.doh6_fwd.dest='wan'
firewall.doh6_fwd.dest_port='443'
firewall.doh6_fwd.proto='tcp udp'
firewall.doh6_fwd.family='ipv6'
firewall.doh6_fwd.ipset='doh6 dest'
firewall.doh6_fwd.target='REJECT'
firewall.dot_fwd=rule
firewall.dot_fwd.name='Deny-DoT'
firewall.dot_fwd.src='lan'
firewall.dot_fwd.dest='wan'
firewall.dot_fwd.dest_port='853'
firewall.dot_fwd.proto='tcp udp'
firewall.dot_fwd.target='REJECT'
firewall.dns_masq=nat
firewall.dns_masq.name='Masquerade-DNS'
firewall.dns_masq.src='lan'
firewall.dns_masq.dest_ip='192.168.1.96'
firewall.dns_masq.dest_port='53'
firewall.dns_masq.proto='tcp udp'
firewall.dns_masq.target='MASQUERADE'
firewall.guest=zone
firewall.guest.name='guest'
firewall.guest.network='guest'
firewall.guest.input='REJECT'
firewall.guest.output='ACCEPT'
firewall.guest.forward='REJECT'
firewall.guest_wan=forwarding
firewall.guest_wan.src='guest'
firewall.guest_wan.dest='wan'
firewall.guest_dns=rule
firewall.guest_dns.name='Allow-DNS-Guest'
firewall.guest_dns.src='guest'
firewall.guest_dns.dest_port='53'
firewall.guest_dns.proto='tcp udp'
firewall.guest_dns.target='ACCEPT'
firewall.guest_dhcp=rule
firewall.guest_dhcp.name='Allow-DHCP-Guest'
firewall.guest_dhcp.src='guest'
firewall.guest_dhcp.dest_port='67'
firewall.guest_dhcp.proto='udp'
firewall.guest_dhcp.family='ipv4'
firewall.guest_dhcp.target='ACCEPT'
tor.conf=tor
tor.conf.default='/etc/tor/torrc'
tor.conf.generated='/tmp/torrc'
tor.conf.tail_include='/etc/tor/custom'
/etc/tor/custom:AutomapHostsOnResolve 1
/etc/tor/custom:AutomapHostsSuffixes .
/etc/tor/custom:VirtualAddrNetworkIPv4 192.168.2.0/24
/etc/tor/custom:VirtualAddrNetworkIPv6 fdb2::/7
/etc/tor/custom:DNSPort 192.168.2.1:9053
/etc/tor/custom:TransPort 192.168.2.1:9040
/etc/tor/torrc:Log notice syslog
/etc/tor/torrc:DataDirectory /var/lib/tor
/etc/tor/torrc:User tor

Additionally, running /etc/init.d/tor restart gives the message

"chown: unknown user/group tor:tor
chown: unknown user/group tor:tor"

1 Like

You are missing the firewall rules to intercept/redirect traffic to Tor.
Those need to be modified for the guest network.

The Tor user/group is supposed be created upon the package installation.
Reinstalling the Tor package should fix the issue.

1 Like

I could had swore I implemented the firewall rules. I tried to do it again, by using the following commands, and I lost internet connection

# Fetch LAN subnet
. /lib/functions/network.sh
network_flush_cache
network_get_subnet NET_SUB lan
network_get_subnet6 NET_SUB6 lan
 
# Configure IP sets
uci -q delete firewall.tor
uci set firewall.tor="ipset"
uci set firewall.tor.name="tor"
uci set firewall.tor.family="ipv4"
uci set firewall.tor.storage="hash"
uci set firewall.tor.match="net"
uci add_list firewall.tor.entry="192.168.2.0/24 nomatch"
uci add_list firewall.tor.entry="192.168.2.0/24"
 
# Intercept TCP traffic
uci -q delete firewall.tcp_int
uci set firewall.tcp_int="redirect"
uci set firewall.tcp_int.name="Intercept-TCP"
uci set firewall.tcp_int.src="lan"
uci set firewall.tcp_int.dest_port="9040"
uci set firewall.tcp_int.proto="tcp"
uci set firewall.tcp_int.extra="--syn"
uci set firewall.tcp_int.ipset="tor dest"
uci set firewall.tcp_int.target="DNAT"
 
# Disable LAN to WAN forwarding
uci rename firewall.@forwarding[0]="lan_wan"
uci set firewall.lan_wan.enabled="0"
uci commit firewall
/etc/init.d/firewall restart

below is the output of the command

Warning: Section @redirect[0] (Force Pihole) does not specify a protocol, assuming TCP+UDP
 * Flushing IPv4 filter table
 * Flushing IPv4 nat table
 * Flushing IPv4 mangle table
 * Flushing IPv6 filter table
 * Flushing IPv6 nat table
 * Flushing IPv6 mangle table
 * Deleting ipset doh
 * Deleting ipset doh6
 * Flushing conntrack table ...
 * Creating ipset doh
 * Creating ipset tor
 * Populating IPv4 filter table
   * Rule 'Allow-DHCP-Renew'
   * Rule 'Allow-Ping'
   * Rule 'Allow-IGMP'
   * Rule 'Allow-IPSec-ESP'
   * Rule 'Allow-ISAKMP'
   * Rule 'Deny-DoH'
   * Rule 'Deny-DoT'
   * Rule 'Allow-DNS-Guest'
   * Rule 'Allow-DHCP-Guest'
   * Redirect 'Force Pihole'
   * Redirect 'Intercept-TCP'
     ! Skipping due to missing ipset 'tor'
   * Forward 'guest' -> 'wan'
   * Zone 'lan'
   * Zone 'wan'
   * Zone 'guest'
 * Populating IPv4 nat table
   * Redirect 'Force Pihole'
   * Redirect 'Intercept-TCP'
     ! Skipping due to missing ipset 'tor'
   * NAT 'Masquerade-DNS'
   * Zone 'lan'
   * Zone 'wan'
   * Zone 'guest'
 * Populating IPv4 mangle table
   * Zone 'lan'
   * Zone 'wan'
   * Zone 'guest'
 * Creating ipset doh6
 * Populating IPv6 filter table
   * Rule 'Allow-DHCPv6'
   * Rule 'Allow-MLD'
   * Rule 'Allow-ICMPv6-Input'
   * Rule 'Allow-ICMPv6-Forward'
   * Rule 'Allow-IPSec-ESP'
   * Rule 'Allow-ISAKMP'
   * Rule 'Deny-DoH'
   * Rule 'Deny-DoT'
   * Rule 'Allow-DNS-Guest'
   * Forward 'guest' -> 'wan'
   * Zone 'lan'
   * Zone 'wan'
   * Zone 'guest'
 * Populating IPv6 nat table
Warning: fw3_ipt_rule_append(): Can't find target 'prerouting_lan_rule'
Warning: fw3_ipt_rule_append(): Can't find target 'postrouting_lan_rule'
Warning: fw3_ipt_rule_append(): Can't find target 'prerouting_wan_rule'
Warning: fw3_ipt_rule_append(): Can't find target 'postrouting_wan_rule'
Warning: fw3_ipt_rule_append(): Can't find target 'prerouting_guest_rule'
Warning: fw3_ipt_rule_append(): Can't find target 'postrouting_guest_rule'
Warning: fw3_ipt_rule_append(): Can't find target 'prerouting_rule'
Warning: fw3_ipt_rule_append(): Can't find target 'postrouting_rule'
   * Zone 'lan'
   * Zone 'wan'
   * Zone 'guest'
 * Populating IPv6 mangle table
   * Zone 'lan'
   * Zone 'wan'
   * Zone 'guest'
 * Set tcp_ecn to off
 * Set tcp_syncookies to on
 * Set tcp_window_scaling to on
 * Running script '/etc/firewall.user'
 * Running script '/etc/firewall.nat6'

the rules weren't implemented

# Install packages
opkg update
opkg install ipset

# Fetch guest subnet
. /lib/functions/network.sh
network_flush_cache
network_get_subnet NET_SUB guest
network_get_subnet6 NET_SUB6 guest
 
# Configure IP sets
uci -q delete firewall.tor
uci set firewall.tor="ipset"
uci set firewall.tor.name="tor"
uci set firewall.tor.family="ipv4"
uci set firewall.tor.storage="hash"
uci set firewall.tor.match="net"
uci add_list firewall.tor.entry="127.0.0.0/8 nomatch"
uci add_list firewall.tor.entry="${NET_SUB} nomatch"
uci add_list firewall.tor.entry="0.0.0.0/1"
uci add_list firewall.tor.entry="128.0.0.0/1"
uci -q delete firewall.tor6
uci set firewall.tor6="ipset"
uci set firewall.tor6.name="tor6"
uci set firewall.tor6.family="ipv6"
uci set firewall.tor6.storage="hash"
uci set firewall.tor6.match="net"
uci add_list firewall.tor6.entry="::1/128 nomatch"
uci add_list firewall.tor6.entry="fe80::/10 nomatch"
uci add_list firewall.tor6.entry="${NET_SUB6} nomatch"
uci add_list firewall.tor6.entry="::/1"
uci add_list firewall.tor6.entry="8000::/1"
 
# Intercept TCP traffic
uci -q delete firewall.tcp_int
uci set firewall.tcp_int="redirect"
uci set firewall.tcp_int.name="Intercept-TCP"
uci set firewall.tcp_int.src="guest"
uci set firewall.tcp_int.dest_port="9040"
uci set firewall.tcp_int.proto="tcp"
uci set firewall.tcp_int.extra="--syn"
uci set firewall.tcp_int.ipset="tor dest"
uci set firewall.tcp_int.target="DNAT"
 
# Enable LAN to WAN forwarding
uci set firewall.lan_wan.enabled="1"

# Disable guest to WAN forwarding
uci set firewall.guest_wan.enabled="0"
uci commit firewall
/etc/init.d/firewall restart
2 Likes

aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaah

I see now. Okay I'll do that then

After executing the code, guest is unable to get internet connection

pinging 8.8.8.8 gives "Reply from 192.168.2.1: Destination port unreachable."

It should have something to do with the tcp intercept traffic rule. I have internet when I disable it, but it says I am not connected to tor. This rule is important but I don't know how to make it work

1 Like

Yep, we are supposed to intercept the guest's traffic and redirect it to Tor.
Post the updated diagnostics to pastebin.com to proceed with troubleshooting.

here's the pastebin https://pastebin.com/76Abuvsy

Something to take in mind is that I have pihole as my dns and I use masquerading among other things to prevent my network from bypassing pihole (the public ip address of my pihole is from a vpn, it's chosen at random as well with a script I made)

1 Like

Enable the intercepting rule:

uci set firewall.tcp_int.enabled="1"
uci commit firewall
/etc/init.d/firewall restart

Then check from the guest client: https://1.1.1.1/
And check from OpenWrt:

iptables-save -c | grep -e Intercept-TCP; ipset list tor; \
ip6tables-save -c | grep -e Intercept-TCP; ipset list tor6; \
pgrep -f -a tor; netstat -l -n -p | grep -e tor

My bad, forgot to enable it before taking the logs

Pinging 1.1.1.1 when connected to guest gives "transmit failed. General failure." error

Logs on openwrt

iptables-save -c | grep -e Intercept-TCP; ipset list tor; \
> ip6tables-save -c | grep -e Intercept-TCP; ipset list tor6; \
> pgrep -f -a tor; netstat -l -n -p | grep -e tor
[0:0] -A zone_guest_prerouting -p tcp -m set --match-set tor dst -m tcp --tcp-flags FIN,SYN,RST,ACK SYN -m comment --comment "!fw3: Intercept-TCP" -j REDIRECT --to-ports 9040
Name: tor
Type: hash:net
Revision: 6
Header: family inet hashsize 1024 maxelem 65536
Size in memory: 588
References: 1
Number of entries: 4
Members:
192.168.2.0/24 nomatch
128.0.0.0/1
127.0.0.0/8 nomatch
0.0.0.0/1
[0:0] -A zone_guest_prerouting -p tcp -m set --match-set tor6 dst -m tcp --tcp-flags FIN,SYN,RST,ACK SYN -m comment --comment "!fw3: Intercept-TCP" -j REDIRECT --to-ports 9040
Name: tor6
Type: hash:net
Revision: 6
Header: family inet6 hashsize 1024 maxelem 65536
Size in memory: 1560
References: 1
Number of entries: 4
Members:
::/1
::1 nomatch
8000::/1
fe80::/10 nomatch

"pgrep -f -a tor; netstat -l -n -p | grep -e tor" still shows nothing. Even after successfully running /etc/init.d/tor restart

1 Like

Tor doesn't support ICMP, so forget about ping.
You need to check by HTTP/HTTPS from the guest clients.
But all of that is pointless until you make the service run properly.

/etc/init.d/log restart; \
/etc/init.d/tor restart; \
sleep 20; logread -e Tor

I ran the command and nothing happened

I ran logread -e tor (without the other commands) and got

Sun Sep 12 01:52:42 2021 daemon.info procd: Instance tor::instance1 s in a crash loop 6 crashes, 0 seconds since last crash

If useful, I am using an archer c7 v2. Below is my ram

1 Like

Virtual subnets must not overlap with the real ones:

sed -i -e "
/^VirtualAddrNetwork/d
2a VirtualAddrNetworkIPv4 172.16.0.0/12
2a VirtualAddrNetworkIPv6 fc00::/7
" /etc/tor/custom
/etc/init.d/tor restart
1 Like

Great, it's working now, it's even using my pihole dns (just like I wanted). I had also followed the guide to set it up as a proxy, doing it this way makes it easier to make websites go through a direct connection instead of tor, it's more accessible and more device-based, and I can always connect to the tor wifi for a more effective solution

It's even assigning a different tor ip address to each device, both as a proxy and also in the wifi hotspot, excellent.

Thank you for your help here

Note: For future readers, do follow the instructions from the wiki. My mistake was actually that I didn't follow instructions, and made changes that I thought were necessary to make it work on a vlan (instead of the entire network). For help setting tor only on one vlan, read the wiki AND the answer I marked as a solution.

2 Likes

This topic was automatically closed 10 days after the last reply. New replies are no longer allowed.