OpenVPN via TOR on OpenWrt

TFro · June 21, 2024, 12:17pm

Hello guys, I would like to access a remote OpenVPN server via the TOR network
(I do know the pros and cons and the implications of doing so).
I.e.: I would like to run an OpenVPN client on my OpenWrt router, and all traffic coming in from the internal side (wlan or lan) should go via the OpenVPN tunnel, including DNS lookups. But the connection from my OpenVPN client to the remote OpenVPN server endpoint should not be directly, but via the TOR network.
TOR is described on the OpenWrt pages, and OpenVPN client, but not both combined.
I searched a bit, and this sounds exactly like what I am trying to do: VPN over TOR using OpenWRT - #15 by 0xfreebit
But I was not able to get things running based on that information, lots of info seems to be missing.
Can someone provide me some info on how to get this up and running?
Best, Tom

kukulo · June 21, 2024, 6:03pm

in openvpn.conf client add socks-proxy 127.0.0.1:9050
and that should be it

....Somewhere in that post....

Tor should be running as a socks proxy on 127.0.0.1:9050.

TFro · June 23, 2024, 6:48am

Indeed I did exactly that.
But I'm also running into the same problem as the guy in that post.
As soon as the VPN comes up, it seems it is loosing connection to the socks port:

daemon.notice openvpn(client)[2656]: TCP/UDP: Preserving recently used remote address: [AF_INET]192.168.1.1:9050
daemon.notice openvpn(client)[2656]: Attempting to establish TCP connection with [AF_INET]192.168.1.1:9050 [nonblock]
daemon.notice openvpn(client)[2656]: TCP connection established with [AF_INET]192.168.1.1:9050
daemon.err openvpn(client)[2656]: recv_socks_reply: TCP port read timeout expired: Operation in progress (errno=115)
daemon.notice openvpn(client)[2656]: SIGUSR1[soft,init_instance] received, process restarting

Also tried socks IP 127.0.0.1 but this did not chance anything.

lleachii · June 23, 2024, 6:56am

The Whonix link explains how to setup OpenVPN via Tor.

TFro · June 24, 2024, 7:28am

I've seen these pages, but they don't explain how to do the setup on Openwrt. I understand how this works in principle, but I can't get it running on openwrt.

My setup so far:
I followed the TOR setup here
https://openwrt.org/docs/guide-user/services/tor/client
then I setup OpenVPN like described here
https://openwrt.org/docs/guide-user/services/vpn/openvpn/client
In addition, I did the steps "Support OpenVPN" and "Route LAN to VPN" from here:
https://openwrt.org/docs/guide-user/network/routing/pbr_app

After that, I run into the problem as described in my first message.

Also, when doing a "service pbr restart", I see messages like these:

Creating TOR redirects [✗]
pbr.cfg066ff5.name is unset and defaults to string Untitled
pbr.cfg066ff5.enabled is unset and defaults to bool 1
pbr.cfg066ff5.interface=tun validates as or("ignore", "tor", uci("network", "@interface")) with false
pbr.cfg066ff5.proto is unset and defaults to or(string) (null)
pbr.cfg066ff5.chain is unset and defaults to or("", "forward", "input", "output", "prerouting", "postrouting", "FORWARD", "INPUT", "OUTPUT", "PREROUTING", "POSTROUTING") prerouting
pbr.cfg066ff5.src_addr=192.168.1.0/24 validates as list(neg(or(host,network,macaddr,string))) with true
pbr.cfg066ff5.src_port is unset and defaults to list(neg(or(portrange,string))) (null)
pbr.cfg066ff5.dest_addr is unset and defaults to list(neg(or(host,network,string))) (null)
pbr.cfg066ff5.dest_port is unset and defaults to list(neg(or(portrange,string))) (null)
Routing 'Untitled' via  [✗]

This seems to indicate that something goes wrong with the routing setup.

Best, Tom

TFro · July 2, 2024, 5:51am

Does no one have any suggestions or experiences how to fix this? I'm still stuck.

lleachii · July 2, 2024, 7:38am

I don't use PBR (I make manual routes and rules).

Can you post yoir PBR config so we can see it?

TFro · July 2, 2024, 6:54pm

If you have a good solution without PBR, that is just as fine - I'm not set on using PBR. Grateful for whatever works.

My PBR config at the moment in /etc/config/pbr:

config pbr 'config'
	option enabled '1'
	option verbosity '2'
	option strict_enforcement '1'
	option resolver_set 'none'
	option ipv6_enabled '0'
	list ignored_interface 'vpnserver'
	list ignored_interface 'wgserver'
	option boot_timeout '30'
	option rule_create_option 'add'
	option procd_reload_delay '1'
	option webui_show_ignore_target '0'
	list webui_supported_protocol 'all'
	list webui_supported_protocol 'tcp'
	list webui_supported_protocol 'udp'
	list webui_supported_protocol 'tcp udp'
	list webui_supported_protocol 'icmp'
	list supported_interface 'tun*'

config policy
	option src_addr '192.168.1.0/24'
	option interface 'vpn'

The /etc/config/firewall seems standard, except for the following additions:

config redirect 'tcp_int'
	option name 'Intercept-TCP'
	option src 'lan'
	option src_dport '0-65535'
	option dest_port '9040'
	option proto 'tcp'
	option family 'any'
	option target 'DNAT'

config include 'pbr'
	option fw4_compatible '1'
	option type 'script'
	option path '/usr/share/pbr/pbr.firewall.include'

and /etc/tor/custom:

AutomapHostsOnResolve 1
AutomapHostsSuffixes .
VirtualAddrNetworkIPv4 172.16.0.0/12
VirtualAddrNetworkIPv6 [fc00::]/8
DNSPort 0.0.0.0:9053
DNSPort [::]:9053
TransPort 0.0.0.0:9040
TransPort [::]:9040
SocksPort 192.168.1.1:9050

To /etc/openvpn/client.conf I've added

dev tun
proto tcp
socks-proxy 192.168.1.1 9050

TFro · July 13, 2024, 7:49am

Does anyone have any hints or suggestions, or even a working config? With or without PBR. Still stuck here unfortunately.

TFro · August 25, 2024, 5:22pm

I'm still stuck here. Has noone ever succeeded in doing this?
I know it should work in theory, but it doesn't.