OpenWrt on Tor with External VPN

Installing and Using OpenWrt Network and Wireless Configuration
1

I'm looking to use OpenWRT with Tor, but attached to a different router that already has a regular OpenVPN setup.

Internet -> OpenVPN Router -> OpenWRT with Tor -> PC

When OpenWRT is setup like this, does it need it's own DHCP for Tor?
Would it be an Access Point or it's own Gateway?

3

So I got it working as a regular router behind the regular VPN.
Then following the OpenWRT documentation entered these commands below and now can't SSH in or get to web browser GUI:

root@OpenWrt:~# cat << EOF > /etc/tor/custom
AutomapHostsOnResolve 1
AutomapHostsSuffixes .
VirtualAddrNetworkIPv4 172.16.0.0/12
VirtualAddrNetworkIPv6 fc00::/7
DNSPort 0.0.0.0:9053
DNSPort [::]:9053
TransPort 0.0.0.0:9040
TransPort [::]:9040
EOF
root@OpenWrt:~# cat << EOF >> /etc/sysupgrade.conf
/etc/tor
EOF
root@OpenWrt:~# uci del_list tor.conf.tail_include="/etc/tor/custom"
root@OpenWrt:~# uci add_list tor.conf.tail_include="/etc/tor/custom"
root@OpenWrt:~# uci commit tor
root@OpenWrt:~# /etc/init.d/tor restart
root@OpenWrt:~# uci -q delete firewall.tcp_int
root@OpenWrt:~# uci set firewall.tcp_int="redirect"
root@OpenWrt:~# uci set firewall.tcp_int.name="Intercept-TCP"
root@OpenWrt:~# uci set firewall.tcp_int.src="lan"
root@OpenWrt:~# uci set firewall.tcp_int.dest_port="9040"
root@OpenWrt:~# uci set firewall.tcp_int.proto="tcp"
root@OpenWrt:~# uci set firewall.tcp_int.extra="--syn -m addrtype ! --dst-type L
OCAL,BROADCAST"
root@OpenWrt:~# uci set firewall.tcp_int.target="DNAT"
root@OpenWrt:~# uci -q delete firewall.@forwarding[0]
root@OpenWrt:~# uci commit firewall
root@OpenWrt:~# /etc/init.d/firewall restart
Warning: Unable to locate ipset utility, disabling ipset support
 * Flushing IPv4 filter table
 * Flushing IPv4 nat table
 * Flushing IPv4 mangle table
 * Flushing IPv6 filter table
 * Flushing IPv6 mangle table
 * Flushing conntrack table ...
 * Populating IPv4 filter table
   * Rule 'Allow-DHCP-Renew'
   * Rule 'Allow-Ping'
   * Rule 'Allow-IGMP'
   * Rule 'Allow-IPSec-ESP'
   * Rule 'Allow-ISAKMP'
   * Redirect 'Intercept-TCP'
   * Zone 'lan'
   * Zone 'wan'
 * Populating IPv4 nat table
   * Redirect 'Intercept-TCP'
Warning: fw3_ipt_rule_append(): Can't find match 'addrtype'
   * Zone 'lan'
   * Zone 'wan'
 * Populating IPv4 mangle table
   * Zone 'lan'
   * Zone 'wan'
 * Populating IPv6 filter table
   * Rule 'Allow-DHCPv6'
   * Rule 'Allow-MLD'
   * Rule 'Allow-ICMPv6-Input'
   * Rule 'Allow-ICMPv6-Forward'
   * Rule 'Allow-IPSec-ESP'
   * Rule 'Allow-ISAKMP'
   * Zone 'lan'
   * Zone 'wan'
 * Populating IPv6 mangle table
   * Zone 'lan'
   * Zone 'wan'
 * Set tcp_ecn to off
 * Set tcp_syncookies to on
 * Set tcp_window_scaling to on
 * Running script '/etc/firewall.user'
root@OpenWrt:~# uci -q delete firewall.dns_int
root@OpenWrt:~# uci set firewall.dns_int="redirect"
root@OpenWrt:~# uci set firewall.dns_int.name="Intercept-DNS"
root@OpenWrt:~# uci set firewall.dns_int.src="lan"
root@OpenWrt:~# uci set firewall.dns_int.src_dport="53"
root@OpenWrt:~# uci set firewall.dns_int.proto="tcp udp"
root@OpenWrt:~# uci set firewall.dns_int.target="DNAT"
root@OpenWrt:~# uci commit firewall
root@OpenWrt:~# /etc/init.d/firewall restart
Warning: Unable to locate ipset utility, disabling ipset support
 * Flushing IPv4 filter table
 * Flushing IPv4 nat table
 * Flushing IPv4 mangle table
 * Flushing IPv6 filter table
 * Flushing IPv6 mangle table
 * Flushing conntrack table ...
 * Populating IPv4 filter table
   * Rule 'Allow-DHCP-Renew'
   * Rule 'Allow-Ping'
   * Rule 'Allow-IGMP'
   * Rule 'Allow-IPSec-ESP'
   * Rule 'Allow-ISAKMP'
   * Redirect 'Intercept-TCP'
   * Redirect 'Intercept-DNS'
   * Zone 'lan'
   * Zone 'wan'
 * Populating IPv4 nat table
   * Redirect 'Intercept-TCP'
Warning: fw3_ipt_rule_append(): Can't find match 'addrtype'
   * Redirect 'Intercept-DNS'
   * Zone 'lan'
   * Zone 'wan'
 * Populating IPv4 mangle table
   * Zone 'lan'
   * Zone 'wan'
 * Populating IPv6 filter table
   * Rule 'Allow-DHCPv6'
   * Rule 'Allow-MLD'
   * Rule 'Allow-ICMPv6-Input'
   * Rule 'Allow-ICMPv6-Forward'
   * Rule 'Allow-IPSec-ESP'
   * Rule 'Allow-ISAKMP'
   * Zone 'lan'
   * Zone 'wan'
 * Populating IPv6 mangle table
   * Zone 'lan'
   * Zone 'wan'
 * Set tcp_ecn to off
 * Set tcp_syncookies to on
 * Set tcp_window_scaling to on
 * Running script '/etc/firewall.user'
root@OpenWrt:~# /etc/init.d/dnsmasq stop
root@OpenWrt:~# uci set dhcp.@dnsmasq[0].boguspriv="0"
root@OpenWrt:~# uci set dhcp.@dnsmasq[0].rebind_protection="0"
root@OpenWrt:~# uci set dhcp.@dnsmasq[0].noresolv="1"
root@OpenWrt:~# uci -q delete dhcp.@dnsmasq[0].server
root@OpenWrt:~# uci add_list dhcp.@dnsmasq[0].server="127.0.0.1#9053"
root@OpenWrt:~# uci add_list dhcp.@dnsmasq[0].server="::1#9053"
root@OpenWrt:~# uci commit dhcp
root@OpenWrt:~# /etc/init.d/dnsmasq start
udhcpc: started, v1.33.2
udhcpc: sending discover
udhcpc: no lease, failing
root@OpenWrt:~# /etc/init.d/dnsmasq start
root@OpenWrt:~# reboot