I'm thinking of setting up a Tor client on my router. The instructions seem simple enough to follow. However, rather than setting up a dedicated AP, physical LAN port or VLAN, I'd rather allow clients to connect through a proxy on the router and forward it to the interface that Tor is listening on. Is this possible?
Okay. With the proxy built into Tor itself, could a client simply enter the proxy details on their browser/device and connect straight through it without the need for a separate interface?
Yes. And you can even have the Tor client acting both as a transparent bridge (for dedicated APs/networks) and as an HTTP/SOCKS5 proxy on a normal network (for clients which choose to use it) simultaneously, if you desire.
In that case, you'll probably find my setup interesting. I have two dedicated virtual APs which transparently bridge to Tor (one is public, unencrypted and bandwidth-limited, the other is private). Additionally, I have a WireGuard endpoint which also bridges directly to Tor (allowing me to connect my laptop or phone to Tor from anywhere).
EDIT: Don't use OpenVPN for that, it's both overkill and dog-slow. WireGuard is where it's at, these days.
Let's assume you already have a WireGuard endpoint up and running. I created a dedicated firewall zone for it…
config zone
    option name 'wgt'
    list network 'wgt'
    option input 'REJECT'
    option forward 'REJECT'
    option output 'ACCEPT'
… then I have the Tor bridge set up to listen on localhost, port 1080 (I don't like to listen on the wildcard address for security reasons and/or sheer paranoia), and the Tor DNS port directly on the WireGuard interface address, like this (in /etc/tor/torrc)…
DNSPort 192.168.68.9:53 IsolateClientProtocol IsolateDestPort IsolateDestAddr
TransPort 127.0.0.1:1080 IsolateClientProtocol IsolateDestPort IsolateDestAddr
… and told the kernel not to consider the local net (127.0.0.0/8) martian when routing on the WireGuard interface (with /etc/sysctl.conf)…
net.ipv4.conf.wgt.route_localnet = 1
… and finally I added the necessary firewall rules to /etc/firewall.user, like this…
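Worked example, added here and not the poster's own /etc/firewall.user rules (those are not reproduced in the thread): one way to wire the pieces above together with iptables. It assumes the interface name wgt, the 127.0.0.1:1080 TransPort and the 192.168.68.9:53 DNSPort from the posts above, and the fw3/iptables firewall that a firewall.user file implies.

```shell
#!/bin/sh
# Added example, not the poster's own /etc/firewall.user: iptables rules that push
# a WireGuard zone's traffic into Tor. Values assumed from the thread: interface
# "wgt", TransPort on 127.0.0.1:1080, DNSPort on 192.168.68.9:53, and the
# iptables-based OpenWrt firewall (fw3) that a firewall.user file implies.

WG_IF="${WG_IF:-wgt}"
TRANS_ADDR="${TRANS_ADDR:-127.0.0.1}"
TRANS_PORT="${TRANS_PORT:-1080}"
DNS_ADDR="${DNS_ADDR:-192.168.68.9}"

# Emit the rules, one command per line, prefixed with the binary name in $1.
# Every rule uses -I, so a line emitted later ends up *earlier* in its chain.
tor_redirect_rules() {
    ipt="$1"
    # New TCP connections: DNAT to the TransPort on loopback. REDIRECT would
    # target the wg interface's own address rather than 127.0.0.1, which is why
    # DNAT plus net.ipv4.conf.$WG_IF.route_localnet=1 is needed.
    echo "$ipt -t nat -I PREROUTING -i $WG_IF -p tcp --syn -j DNAT --to-destination $TRANS_ADDR:$TRANS_PORT"
    echo "$ipt -I INPUT -i $WG_IF -d $TRANS_ADDR -p tcp --dport $TRANS_PORT -j ACCEPT"
    # DNS: whatever resolver the client configured, port 53 is answered by Tor's
    # DNSPort, so lookups go through the circuit instead of leaking to the ISP.
    # Emitted last so these sit above the TCP catch-all in PREROUTING.
    for proto in udp tcp; do
        echo "$ipt -t nat -I PREROUTING -i $WG_IF -p $proto --dport 53 -j DNAT --to-destination $DNS_ADDR:53"
        echo "$ipt -I INPUT -i $WG_IF -d $DNS_ADDR -p $proto --dport 53 -j ACCEPT"
    done
    # Anything else from the zone (other UDP, ICMP) has no Tor path; the zone's
    # input/forward REJECT policy from the config above already drops it.
}

# DNAT to 127.0.0.1 from another interface is silently discarded as a martian
# unless route_localnet is on, so refuse to apply rules that would not work.
route_localnet_ok() {
    [ "$(sysctl -n "net.ipv4.conf.$WG_IF.route_localnet" 2>/dev/null)" = "1" ]
}

case "${1:-}" in
    --apply)
        route_localnet_ok || { echo "route_localnet is off on $WG_IF" >&2; exit 1; }
        tor_redirect_rules iptables | sh -e ;;
    *)  tor_redirect_rules iptables ;;   # dry run: just print the rules
esac
```

Run it without arguments to review the generated rules; `--apply` feeds them to iptables only after the route_localnet check passes.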
I don't have WireGuard installed yet, as I can't install any more packages to my overlay. My router is in need of re-compiling and had some errors. I then need some downtime to flash without disturbing the rest of the home. However, I will definitely give this a try and get back to you. I really appreciate you making this mini guide.
I'd better start reading up on iptables, as I usually work with pretty GUIs.