How to Use Tor Transparently and Also Bridged to an Interface

Hi

I'm thinking of setting up a Tor client on my router. The instructions seem simple enough to follow. However, rather than setting up a dedicated AP, physical LAN port or VLAN, I'd rather allow clients to connect through a proxy on the router and forward it to the interface that Tor is listening on. Is this possible?

Many thanks

Will

Yes, it's possible. The Wiki describes exactly how to do that using iptables to send the packets into Tor's transparent proxy.

You can also set up a much simpler SOCKS5-compatible proxy and simply poring devices and browsers toward it.


I don't think I've explained myself. I want to set up a proxy server on OpenWrt which will forward to Tor's proxy.

Client > Proxy Server > Tor > Internet

I hope that makes sense?

It does make sense; and I answered you already. Although my config is:

Client > Tor > Internet

(FYI, Tor has a proxy server built-in.)

I added these lines to the Tor config:

AutomapHostsOnResolve 1
SocksPort 0.0.0.0:9050

For the transparent proxy config, you use the TransPort 0.0.0.0:9040 noted here:

https://openwrt.org/docs/guide-user/services/tor/client

Okay. With the proxy built into Tor itself, could a client simply enter the proxy details on their browser/device and connect straight through it without the need for a separate interface?

Yes. And you can even have the Tor client acting both as a transparent bridge (for dedicated APs/networks) and as an HTTP/SOCKS5 proxy on a normal network (for clients which choose to use it) simultaneously, if you desire.


I meant "simply pointing devices and browsers toward it." Yes, you can use the Tor proxy like any normal proxy server.



Thank you both for your replies.

I plan to use the transparent proxy within browsers the majority of the time, but I will be bridging it across to a network/AP at a later date, for example Tor as a VPN as detailed here > https://openwrt.org/docs/guide-user/services/tor/create-tor-openvpn

In that case, you'll probably find my setup interesting. I have two dedicated virtual APs which transparently bridge to Tor (one is public, unencrypted and bandwidth-limited, the other is private). Additionally, I have a WireGuard endpoint which also bridges directly to Tor (allowing me to connect my laptop or phone to Tor from anywhere).

EDIT: Don't use OpenVPN for that, it's both overkill and dog-slow. WireGuard is where it's at, these days. :sunglasses:


I would be interested in how you bridge WireGuard and Tor.


Does WireGuard have cross-platform support for clients, such as an official app?

To be honest, someone did mention in one of my posts that I should make the switch to WireGuard because it's so much easier to configure.

Linux, iOS, Android, macOS, Windows, and some others as well, yes.

https://www.wireguard.com/install/


There are clients for iOS, Android and macOS, at least. And WireGuard native kernel support will be mainlined on Linux 5.6, due in a couple of months.


Let's assume you already have a WireGuard endpoint up and running. I created a dedicated firewall zone for it…

config zone
	option name 'wgt'
	list network 'wgt'
	option input 'REJECT'
	option forward 'REJECT'
	option output 'ACCEPT'

… then I have Tor bridge set up to listen on the localhost, port 1080 (I don't like to listen on the wildcard address for security reasons and/or sheer paranoia), and the Tor DNS port directly on the WireGuard interface address, like this (on /etc/tor/torrc)…

DNSPort 192.168.68.9:53 IsolateClientProtocol IsolateDestPort IsolateDestAddr
TransPort 127.0.0.1:1080 IsolateClientProtocol IsolateDestPort IsolateDestAddr

… and told the kernel not to consider the local net (127.0.0.0/8) martian when routing on the WireGuard interface (with /etc/sysctl.conf)…

net.ipv4.conf.wgt.route_localnet = 1

… and finally I added the necessary firewall rules to /etc/firewall.user, like this…

iptables -t nat -A prerouting_wgt_rule -p tcp -m tcp --syn -j DNAT --to 127.0.0.1:1080
iptables -t nat -A prerouting_wgt_rule -p udp -m udp -m multiport --dports 53,123 ! -d 192.168.68.9/32 -j REDIRECT
iptables -t filter -A input_wgt_rule -p udp -m udp -m multiport --dports 53,123 -j ACCEPT

Since I run a local NTP server too, I do both DNS and NTP hijacking, as you can see on the second NAT rule. And that's basically it. :slightly_smiling_face:

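A way to check that the WireGuard-to-Tor bridge above actually catches everything it should, as an added example that is not from the thread or from OpenWrt: it audits an `iptables-save -t nat` dump for the `prerouting_wgt_rule` chain. The zone name `wgt`, TransPort `127.0.0.1:1080` and DNSPort `192.168.68.9:53` are the poster's values; the two dumps are constructed, one matching the post and one showing a DNAT restricted to port 80, which would let other TCP traffic reach the Internet outside Tor.

```shell
#!/bin/sh
# Added example (not the poster's or OpenWrt's code): audit a nat table dump for the
# WireGuard-to-Tor bridge. Values below are taken from the forum post.
TRANS=127.0.0.1:1080
DNS_IP=192.168.68.9

# Constructed `iptables-save -t nat` output for the setup described in the post
# (chain names are the ones fw3 creates for a zone called "wgt").
GOOD_NAT='-A zone_wgt_prerouting -j prerouting_wgt_rule
-A prerouting_wgt_rule -p tcp -m tcp --syn -j DNAT --to-destination 127.0.0.1:1080
-A prerouting_wgt_rule ! -d 192.168.68.9/32 -p udp -m udp -m multiport --dports 53,123 -j REDIRECT'

# Constructed dump of a common mistake: only port 80 is sent to Tor, and no DNS rule,
# so HTTPS and DNS from WireGuard clients would leave the router unproxied.
LEAKY_NAT='-A zone_wgt_prerouting -j prerouting_wgt_rule
-A prerouting_wgt_rule -p tcp -m tcp --dport 80 -j DNAT --to-destination 127.0.0.1:1080'

# 0 when every TCP SYN entering the wgt zone is DNATed to TransPort, i.e. the DNAT
# rule carries no --dport or -d restriction; 1 otherwise.
tcp_fully_redirected() {
    printf '%s\n' "$1" | grep -- '-A prerouting_wgt_rule' | grep -- '-p tcp' \
        | grep -v -e '--dport' -e ' -d ' | grep -q -- "-j DNAT --to-destination $TRANS"
}

# 0 when UDP/53 from the zone is REDIRECTed to Tor's DNSPort; 1 otherwise.
dns_redirected() {
    printf '%s\n' "$1" | grep -- '-A prerouting_wgt_rule' | grep -- '-p udp' \
        | grep -e '--dports 53' -e '--dport 53' | grep -q -- '-j REDIRECT'
}

# 0 when a `sysctl -a` style dump shows route_localnet enabled on wgt (needed for
# the DNAT to 127.0.0.1 to be routed at all).
localnet_enabled() {
    printf '%s\n' "$1" | grep -q '^net\.ipv4\.conf\.wgt\.route_localnet *= *1$'
}

# Print one line per check; the return value is the number of failed checks.
audit_wgt() {
    fails=0
    tcp_fully_redirected "$1" && echo "ok: all TCP SYNs -> Tor TransPort $TRANS" \
        || { echo "LEAK: some TCP from wgt is not sent to Tor"; fails=$((fails + 1)); }
    dns_redirected "$1" && echo "ok: UDP/53 -> Tor DNSPort on $DNS_IP" \
        || { echo "LEAK: DNS from wgt is not redirected"; fails=$((fails + 1)); }
    return $fails
}

audit_wgt "$GOOD_NAT"
audit_wgt "$LEAKY_NAT" || true
```

On a live router, feed it `iptables-save -t nat` and `sysctl net.ipv4.conf.wgt.route_localnet` instead of the constructed strings. Anything the rules do not match (other UDP, ICMP) is refused by the zone's `forward REJECT` policy from the post, so it cannot leave outside Tor either.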

I don't have WireGuard installed yet as I can't install any more packages to my overlay. My router is in need of re-compiling and had some errors. I then need some down time to flash without disturbing the rest of the home. However, I will definitely give this a try and get back to you. I really appreciate you making this mini guide :slight_smile: :+1:

I better start reading up on iptables, as I usually work with pretty GUIs.
