No access to LuCI after setting up Tor Client

Hello,

I followed this tutorial (apart from the third point with NAT6) to set up Tor Client on my Asus RT-AC51U with the current release (18.06.5) of OpenWRT:
https://openwrt.org/docs/guide-user/services/tor/client
The Tor Client works fine, but after some random time (it may vary, sometimes after seconds, but certainly after a reboot) I can't access the still-open web interface, while access via SSH keeps working fine.
Maybe the Port Forwarding named "Intercept-TCP" is responsible for this behavior, because when I disable it via SSH for testing purposes and restart the firewall, I regain access to LuCI:

uci set firewall.tcp_int="redirect"
uci set firewall.tcp_int.name="Intercept-TCP"
uci set firewall.tcp_int.src="lan"
uci set firewall.tcp_int.dest_port="9040"
uci set firewall.tcp_int.family="ipv4"
uci set firewall.tcp_int.proto="tcp"
uci set firewall.tcp_int.extra="--syn"
uci set firewall.tcp_int.target="DNAT"

Apart from setting a password, changing the LAN IP and restricting SSH access to the LAN interface, I did not change the OpenWrt default configuration.

Is this behavior intended or is it possible to use LuCI after setting up Tor Client?

Greetings
BigJohn

Tor is quite memory-hungry; are you sure you are not running out of memory?


Yes, it intercepts specific TCP traffic and redirects it to Tor. So there is a tip in the manual: Set up uHTTPd to listen on alternative ports if required. You should configure e.g. port 8080 and redirect it before (see the src_dport option). In your section there is no src_dport option, so ALL TCP TRAFFIC is redirected to Tor. You should create a rule with the src_dport option and redirect it to the same port.

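To show why the missing src_dport swallows LuCI and what the suggested exemption does, here is an added example (not from this thread or the OpenWrt wiki) that models fw3's first-match walk over the redirect sections. Rule dicts mirror the uci options above; 192.168.1.1 is the OpenWrt default LAN address, 203.0.113.10 is a constructed external host, and the src_dip option (fw3's match on the original destination address) is an addition beyond the thread so that only connections really aimed at the router are exempted.

```python
# Minimal model of how fw3 walks the "redirect" sections for a new TCP
# connection from the LAN: the first matching section wins. A redirect
# without src_dport matches every destination port, which is why the
# Intercept-TCP rule above also catches connections to the router itself.
ROUTER_LAN_IP = "192.168.1.1"          # OpenWrt default LAN address
EXTERNAL_IP = "203.0.113.10"           # constructed example host (TEST-NET-3)

# The poster's interceptor: no src_dport, so it matches all LAN TCP traffic.
INTERCEPT_TCP = {"name": "Intercept-TCP", "src": "lan", "proto": "tcp",
                 "dest_port": 9040, "target": "DNAT"}

# Exemption from the reply: LuCI moved to 8080 and redirected to the same
# port ahead of Intercept-TCP. src_dip is added here (assumption, not from
# the thread) so traffic to external hosts on 8080 still goes to Tor.
LUCI_LOCAL = {"name": "LuCI-Local", "src": "lan", "proto": "tcp",
              "src_dport": 8080, "src_dip": ROUTER_LAN_IP,
              "dest_port": 8080, "target": "DNAT"}


def matches(rule, zone, proto, dst_ip, dst_port):
    """True if a new connection from `zone` hits this redirect section."""
    if rule.get("src") != zone or rule.get("proto") not in (proto, "tcpudp"):
        return False
    if "src_dport" in rule and rule["src_dport"] != dst_port:
        return False
    if "src_dip" in rule and rule["src_dip"] != dst_ip:
        return False
    return True


def resolve(rules, zone, proto, dst_ip, dst_port):
    """Return (rule name, local port) of the first matching redirect, or
    (None, dst_port) if nothing matched. Without dest_ip, fw3 emits a
    REDIRECT to the router's own port, which is what dest_port models."""
    for rule in rules:
        if matches(rule, zone, proto, dst_ip, dst_port):
            return rule["name"], rule["dest_port"]
    return None, dst_port


def luci_reachable(rules, luci_port):
    """Does a LAN client's connection to the router's LuCI port still land
    on that port instead of being swallowed by the Tor interceptor?"""
    _, port = resolve(rules, "lan", "tcp", ROUTER_LAN_IP, luci_port)
    return port == luci_port


if __name__ == "__main__":
    broken = [INTERCEPT_TCP]              # original ruleset from the thread
    fixed = [LUCI_LOCAL, INTERCEPT_TCP]   # exemption must come first
    print("LuCI on 80, interceptor only:", luci_reachable(broken, 80))   # False
    print("LuCI on 8080 with exemption: ", luci_reachable(fixed, 8080))  # True
    print(resolve(fixed, "lan", "tcp", EXTERNAL_IP, 8080))  # ('Intercept-TCP', 9040)
```

Rule order matters on the real device too: the exemption section has to precede Intercept-TCP in /etc/config/firewall, since fw3 installs the prerouting DNAT rules in file order.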

Thank you very much, LuCI is working again on port 8080. :smiley:
So it was no low memory problem.

What still bothers me is the following tutorial statement:

Tor is limited to DNS and TCP traffic, use VPN to protect all traffic.

I don't have a use case for other traffic than DNS and TCP, but does this mean that for example UDP connections are transparently passed through my router?
Or does this mean that all connections which are not routed through Tor are reliably blocked with this setup (which I would prefer)?

Tor is a SOCKS proxy; in the current implementation it doesn't support UDP: https://www.whonix.org/wiki/Transporting_UDP_Tunnels_over_Tor A proxy is commonly used for TCP, where connection tracking is executed. Removing the lan-wan forwarding rule blocks any connection outside the tunnel. You should use a VPN to redirect ALL traffic into the tunnel (you can also see my OpenVPN guide).


Hello ulmwind,

thank you for your support. In the Tor tutorial there are already some uci commands affecting forwarding:

# Disable LAN to WAN forwarding
uci rename firewall.@forwarding[0]="lan_wan"
uci set firewall.lan_wan.enabled="0"
uci commit firewall
/etc/init.d/firewall restart

If I understand correctly, these commands refer to the only forwarding rule [0] in default configuration, which is renamed to "lan_wan" and set to disabled (written to /etc/config/firewall). But the "lan => wan" record under "Zone => Forwardings" looks unchanged in LuCI and I don't see an option to change or even check its status. So I removed the whole record in the dropdown next to "Allow forward to destination zones" and also set the dropdown in the "Forward" column to "reject". Afterwards I can see "lan => REJECT" under "Zone => Forwardings". I hope this is sufficient for preventing leaks?

While I understand the intercepting Port Forwardings, I would consider it more comprehensible to use a third (intermediate) "tor" interface with classic forwarding from lan to tor (the tor interface does masquerading) and tor to lan, as shown in several VPN tutorials. This way the lan interface and LuCI could be used in a normal way. Is there a reason for the different setups?

Greetings
BigJohn
