Privoxy and Tor

The DNS is fine; the pastebin I copied in an earlier reply is the current setup I have.
I'm pretty sure what I tried with the redirect traffic is where things also went wrong. I kept breaking more than I fixed, so I gave up, posted here for help and restored the previous (these) settings.

Edit: After some more fiddling today I finally got it working. Thanks again to all those who chimed in.
Edit2: OK, it didn't work; the iPad was being stupid and I thought I finally had it. Help still welcome, lol.


Hi HellsAngel79,

I've been running Tor & Privoxy for years on OpenWrt.
You should NOT use DNS when using Tor :wink:
All clients need proxy adjustments, or no internet is available.
Or do you only want Tor active on WLAN? Normally you should run Tor on the whole LAN side (lan & wlan).
My clients only get IP, subnet & gateway. NO DNS!
Client requests first go through Privoxy, then through Tor to the internet.

Privoxy settings:
Forwarding Socks 5t:
/ 192.168.100.1:9050 .
(Space after the last dot! This is the clients' Socks 5t redirect ip:port.)

Firewall, Custom Rules active (last 2 rules):

# Redirection rules for Transparent Tor
# -i must name the actual LAN network device (on OpenWrt the LAN bridge is usually br-lan)
iptables -t nat -A PREROUTING -i lan -p udp --dport 53 -j REDIRECT --to-port 9053
iptables -t nat -A PREROUTING -i lan -p tcp --syn -j REDIRECT --to-port 9040

DG.

You can intercept DNS traffic with the firewall and redirect it to Dnsmasq.
Then filter ads with Adblock and forward the requests to Tor.


Thank you for the replies. The reason I use DNS is for Adblock; Tor makes it useless, and the way I have that working now is with dnscrypt, so anonymity is still fine while Adblock does its thing.
I've tried / 192.168.100.1:9050 . as well; it doesn't work, at least for me. The slight success I've had is from messing around with port forwarding. I want it to be transparent, no messing around in browsers. With that, http sites did work, i.e. neverssl.com, but https, basically everything else, fails and I don't know why.

I'm not quite sure why dnscrypt and Adblock work with the settings I've got, but as far as I can tell and test with a site here and there, it does, so I'm just going to leave that alone as it seems to work.

Edit: I have tried the commands provided, but they error out.
root@OpenWrt:~# iptables -t nat -A PREROUTING -i lan -p udp .dport 53 -j REDIRECT .to-port 9053
Bad argument `.dport'
Try `iptables -h' or 'iptables --help' for more information.
root@OpenWrt:~# iptables -t nat -A PREROUTING -i lan -p tcp .syn -j REDIRECT .to-port 9040
Bad argument `.syn'
Try `iptables -h' or 'iptables --help' for more information.
Edit2: OK, I see it translated the - to . but replacing that still errors. I'm not familiar at all with commands, so not sure why that is.
iptables -t nat -A PREROUTING -i lan -p udp -dport 53 -j REDIRECT -to-port 9053

Edit3: Tried putting it in Firewall > Custom Rules, turned the router off and back on, disabled all the other port forwarding rules I had before, and it doesn't work at all. Looked in the system and kernel log to see if the 2 custom rules would show up there; they don't. I'm not sure whether this is normal or not.

HellsAngel79,

The commands should indeed be written in web-GUI / Firewall settings / Custom rules, maybe with a double dash '--' (not a dot):

The first line:

should be - with your own router's IP, of course - in Privoxy's settings, as below:

And for Tor usage I also use a virtual network interface, with no device attached (and whatever IP).
Within /etc/config/network:

config interface 'tor'
        option proto 'static'
        option ipaddr '101.13.54.121'
        option netmask '255.255.255.0'
        option delegate '0'

The torrc file also needs some adjustments before everything works fine.
It has a rather good explanation of how to configure/use it.

Oops, that's not good; hopefully you have them backed up.
Maybe my screen example above helps.

DG.

Thanks for the insight. I did see the forum translated another - to a weird longer stripe, so I went ahead and replaced them; the result is still the same, nothing works. I have the right IP in Privoxy. I don't wanna mess with the "config interface" stuff, as I bet that would break everything; that's why I posted the config I have running, as it's an odd one. I'll take a look at that torrc file. I thought that would be fine, as wifi+tor just works fine; it's just when I add Privoxy into it that nothing works, or only http sites, which barely exist.

Also in Privoxy I seem to get a socks5t-forward error: 503 negotiation got aborted by the server.
I do have this in the file for Tor: SOCKSPolicy accept 192.168.0.0/16. The router IP is 192.168.0.198.

HellsAngel79,

From my virtual OpenWrt Tor network, the torrc file has been adjusted:

SOCKSPort 192.168.3.1:9050                 # Default: Bind to localhost:9050 for local connections.
VirtualAddrNetwork 10.193.54.0/16          # The virtual Tor ip on OpenWrt
AutomapHostsSuffixes .onion,.exit
AutomapHostsOnResolve 1
TransPort 9040
DNSPort 9053

Privoxy log (start):

2021-02-26 10:53:38.041 7fa9a49b9d68 Info: Privoxy version 3.0.28
2021-02-26 10:53:38.041 7fa9a49b9d68 Info: Program name: /usr/sbin/privoxy
2021-02-26 10:53:38.041 7fa9a49b9d68 Info: Loading filter file: /etc/privoxy/default.filter
2021-02-26 10:53:38.042 7fa9a49b9d68 Info: Loading actions file: /etc/privoxy/match-all.action
2021-02-26 10:53:38.042 7fa9a49b9d68 Info: Loading actions file: /etc/privoxy/default.action
2021-02-26 10:53:38.044 7fa9a49b9d68 Info: Listening on port 8118 on IP address 192.168.3.1
...

/var/log/notices (Tor log):

# cat /var/log/tor/notices.log
Feb 26 10:51:27.000 [notice] Tor 0.4.5.6 opening new log file.
Feb 26 10:51:27.235 [notice] We compiled with OpenSSL 1010109f: OpenSSL 1.1.1i  8 Dec 2020 and we are running with OpenSSL 1010109f: 1.1.1i. These two versions should be binary compatible.
Feb 26 10:51:27.246 [notice] Tor 0.4.5.6 running on Linux with Libevent 2.1.11-stable, OpenSSL 1.1.1i, Zlib 1.2.11, Liblzma N/A, Libzstd N/A and Unknown N/A as libc.
Feb 26 10:51:27.246 [notice] Tor can't help you if you use it wrong! Learn how to be safe at https://www.torproject.org/download/download#warning
Feb 26 10:51:27.246 [notice] Read configuration file "/tmp/torrc".
Feb 26 10:51:27.247 [notice] Processing configuration path "/etc/tor/torrc" at recursion level 1.
Feb 26 10:51:27.247 [notice] Including configuration file "/etc/tor/torrc".
Feb 26 10:51:27.249 [notice] You configured a non-loopback address '192.168.3.1:9050' for SocksPort. This allows everybody on your local network to use your machine as a proxy. Make sure this is what you wanted.
Feb 26 10:51:27.249 [notice] Opening Socks listener on 192.168.3.1:9050
Feb 26 10:51:27.249 [notice] Opened Socks listener connection (ready) on 192.168.3.1:9050
Feb 26 10:51:27.249 [notice] Opening DNS listener on 127.0.0.1:9053
Feb 26 10:51:27.249 [notice] Opened DNS listener connection (ready) on 127.0.0.1:9053
Feb 26 10:51:27.249 [notice] Opening Transparent pf/netfilter listener on 127.0.0.1:9040
Feb 26 10:51:27.249 [notice] Opened Transparent pf/netfilter listener connection (ready) on 127.0.0.1:9040
Feb 26 10:51:27.000 [notice] Parsing GEOIP IPv4 file /usr/share/tor/geoip.
Feb 26 10:51:27.000 [notice] Parsing GEOIP IPv6 file /usr/share/tor/geoip6.
Feb 26 10:51:27.000 [notice] Bootstrapped 0% (starting): Starting
Feb 26 10:51:27.000 [notice] Starting with guard context "default"
Feb 26 10:51:28.000 [notice] Bootstrapped 5% (conn): Connecting to a relay
Feb 26 10:51:29.000 [notice] Bootstrapped 10% (conn_done): Connected to a relay
Feb 26 10:51:29.000 [notice] Bootstrapped 14% (handshake): Handshaking with a relay
...
Feb 26 10:51:52.000 [notice] Bootstrapped 95% (circuit_create): Establishing a Tor circuit
Feb 26 10:51:52.000 [notice] Bootstrapped 100% (done): Done

Configuring the interface is just 'Add new interface' in the GUI with only an IP address (for Tor), no device attached. This should not interfere with existing interfaces.

Also the Firewall Zone settings should have the Tor interface (accept accept reject).

This has worked for me for more than 5 years, even after updates of Privoxy, OpenWrt and Tor.

DG.

OK, that helped immensely. I don't have the Tor log in /var/log/notices or anywhere there.
I somehow keep getting refused by Tor; I just tried to set it up as a proxy in Firefox, but the connection is refused.
A log file would be helpful, I bet. I ran a full FTP search (I don't know commands, let alone Linux); "notices" does not exist. So I have no idea why it's refusing when I have 2 SOCKSPorts specified. This is on a FRITZ!Box 4040; I'm not sure this matters, but I'd almost blame Tor here.
Any ideas are still welcome as to what I can try, but I think all is covered now; it just refuses when it shouldn't.

Normally Tor writes its log to syslog.
It's in the torrc file; set the log to /var/log/notices.log:

## Send all messages of level 'notice' or higher to /var/log/tor/notices.log
Log notice file /var/log/tor/notices.log
## Send every possible message to /var/log/tor/debug.log
#Log debug file /var/log/tor/debug.log
## Use the system log instead of Tor's logfiles
#Log notice syslog
## To send all messages to stderr:
#Log debug stderr

Btw, I've got OpenWrt with Privoxy & Tor also running on a Fritz!Box 4040 :wink:
And on a ZyXEL P-2812HNU-F1 and on virtual machines...

DG.

Ah OK, so I can't blame the Fritz then, lol. I've tried top and ps; I don't see Tor running, not sure if this is normal.
I also don't know a better way to filter for Tor as a running process, to see whether it's running or not.

https://openwrt.org/docs/guide-user/services/tor/client#troubleshooting


Thanks a lot for that.
I think it's not running, which is weird.
When I do logread -e Tor; netstat -l -n -p | grep -e tor, nothing shows.
pgrep -f -a tor also shows nothing.

grep -v -r -e "^#" -e "^$" /etc/tor

That shows this:
/etc/tor/torrc:Log notice syslog
/etc/tor/torrc:DataDirectory /var/lib/tor
/etc/tor/torrc:User tor
/etc/tor/main:AutomapHostsOnResolve 1
/etc/tor/main:VirtualAddrNetworkIPv4 172.16.0.0/12
/etc/tor/main:VirtualAddrNetworkIPv6 fc00::/7
/etc/tor/main:DNSPort 0.0.0.0:9053
/etc/tor/main:DNSPort [::]:9053
/etc/tor/main:TransPort 0.0.0.0:9040
/etc/tor/main:TransPort [::]:9040
/etc/tor/main:SOCKSPort 192.168.2.1:9050
/etc/tor/main:SOCKSPort 192.168.0.198:9050
Also, I'm a bit new to OpenWrt; I see the browser/LuCI GUI has a Processes tab, and Tor is running there.

OK, rebooted just to be sure and confirmed Tor is running under the Processes tab in the GUI, and it is.
It just keeps denying any connections.

sed -i -e "
/^SOCKSPort/s/^/#/
\$a SOCKSPort 0.0.0.0:9050
\$a SOCKSPort [::]:9050
" /etc/tor/main
/etc/init.d/tor restart

OK, did that; some progress. Firefox confirms Tor is at least accepting connections and showing pages, so Tor isn't the issue. So the only other thing that has to be the problem now is the firewall port forwards: http sites work, but anything https does not. Thanks again for all the help, it is much appreciated.

To my understanding this should be transparent (like the wifi-over-Tor setup the forum helped me with) and forward everything, http and https, to Privoxy, and Privoxy finally throws it to Tor, but somehow it's only http that works.

Edit2: OK, if I use Firefox with Privoxy as a proxy it refuses, so it may just be Privoxy, not the port forwardings I have. This is what I have as listen:

This looks fine to me, but I'm doubting everything now. If I use that address as a proxy it gets refused; if I use Tor alone as a SOCKS5 proxy it works, so Tor isn't the problem.


So if I use Firefox and set Privoxy as the proxy I get connection refused; nothing shows in the Privoxy log either. Not sure what happened, but this seems like it should have worked; devices showed up in the logs before.
Edit3: OK, restarted Privoxy and the above now works: Firefox using Privoxy as proxy finally works, at least.
Hopefully I can get the rest working too, as it should. Thanks again for all the help; I'll keep this updated.

Edit4: OK, so as it stands now the problem has to be the port forwarding. I've got Privoxy and Tor working, as confirmed by using a browser, but now, trying to get it to work transparently, the devices don't show up in the Privoxy log and there's no internet. So if anyone knows what I need to put in port forwarding so all traffic transparently moves to Privoxy, that would solve this problem, I bet.


I think I finally found why it's not working; I found this on the Privoxy page: "Note that intercepting encrypted connections (HTTPS) isn't supported."
Thanks again for all the help given, much appreciated. If there is a way around this I'd like to know and try it, but I don't think it's possible with what I want; maybe I'm wrong.

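Given the conclusion above (Privoxy cannot intercept HTTPS), the transparent part has to send client traffic straight to Tor's TransPort/DNSPort and leave Privoxy as an explicit HTTP proxy for browsers pointed at it. Below is an added example of that, not code from this thread nor from the OpenWrt, Tor or Privoxy projects. It restates the two custom rules posted earlier with the double dashes iptables actually needs, adds the exclusions and leak stops a practitioner would want, and includes a check for the other failure mode visible in the thread's logs: REDIRECT delivers packets to the address of the incoming interface, so a TransPort or DNSPort bound only to 127.0.0.1 never receives them. The LAN device br-lan, the subnet 192.168.1.0/24 and the ports 9040/9053 on 0.0.0.0 are assumptions taken from OpenWrt defaults and from the /etc/tor/main output posted above; adjust them to your router.

```shell
#!/bin/sh
# Added example, not code from the thread or from OpenWrt/Tor/Privoxy:
# transparent-Tor redirection for an OpenWrt router of the fw3/iptables
# era, written as shell functions so the rules can be inspected and the
# Tor listeners checked before anything is applied.
# Assumptions (edit for your router): LAN bridge device br-lan, LAN subnet
# 192.168.1.0/24, Tor TransPort 9040 and DNSPort 9053 bound to 0.0.0.0.
# Traffic goes to Tor directly, not through Privoxy, because Privoxy
# cannot intercept HTTPS.

LAN_IF="${LAN_IF:-br-lan}"
LAN_NET="${LAN_NET:-192.168.1.0/24}"
TRANS_PORT="${TRANS_PORT:-9040}"
DNS_PORT="${DNS_PORT:-9053}"

# Print the rules, one per line, in the order they must be applied. Double
# dashes are mandatory: the forum software turned "--dport" into an en-dash,
# which is exactly what iptables rejects with "Bad argument".
#  - DNS is redirected before the LAN exclusion, so queries sent to the
#    router itself (the DHCP default) also go to Tor, not to the clearnet.
#  - The LAN_NET and loopback RETURNs keep LuCI, SSH and printers out of Tor.
#  - The FORWARD REJECTs are the leak stop: everything Tor can carry has
#    already been redirected to the router itself (INPUT path), so whatever
#    still reaches FORWARD (non-DNS UDP such as QUIC, ICMP, all of IPv6)
#    would otherwise leave via the WAN unprotected.
# The -C/-N guards make the list safe to re-run.
tor_nat_rules() {
    cat <<EOF
iptables -t nat -N TOR_CLIENTS 2>/dev/null || iptables -t nat -F TOR_CLIENTS
iptables -t nat -A TOR_CLIENTS -p udp --dport 53 -j REDIRECT --to-ports $DNS_PORT
iptables -t nat -A TOR_CLIENTS -d $LAN_NET -j RETURN
iptables -t nat -A TOR_CLIENTS -d 127.0.0.0/8 -j RETURN
iptables -t nat -A TOR_CLIENTS -p tcp --syn -j REDIRECT --to-ports $TRANS_PORT
iptables -t nat -C PREROUTING -i $LAN_IF -j TOR_CLIENTS 2>/dev/null || iptables -t nat -A PREROUTING -i $LAN_IF -j TOR_CLIENTS
iptables -C FORWARD -i $LAN_IF -j REJECT 2>/dev/null || iptables -I FORWARD -i $LAN_IF -j REJECT
ip6tables -C FORWARD -i $LAN_IF -j REJECT 2>/dev/null || ip6tables -I FORWARD -i $LAN_IF -j REJECT
EOF
}

# Read "netstat -ln" output on stdin and succeed only if PORT has a listener
# on a non-loopback address. REDIRECT rewrites the destination to the primary
# address of the incoming interface, so a port bound only to 127.0.0.1 (as in
# the Tor log quoted earlier in the thread) never sees the redirected packets.
listener_reachable() {
    port="$1"
    found=1
    while read -r proto recvq sendq laddr rest; do
        case "$laddr" in
            127.0.0.1:"$port"|::1:"$port") ;;   # loopback only: not reachable from LAN
            *:"$port") found=0 ;;               # 0.0.0.0, :: or a LAN address
        esac
    done
    return $found
}

# Constructed sample of "netstat -ln" output for offline checking (not a real
# capture): TransPort bound to loopback only, DNSPort and SOCKSPort reachable.
SAMPLE_NETSTAT='tcp        0      0 127.0.0.1:9040          0.0.0.0:*               LISTEN
tcp        0      0 192.168.1.1:9050        0.0.0.0:*               LISTEN
udp        0      0 0.0.0.0:9053            0.0.0.0:*'

# Usage on the router:  sh tor-redirect.sh check   (verify listeners first)
#                       sh tor-redirect.sh apply   (then install the rules)
case "${1:-}" in
    check)
        netstat -ln | listener_reachable "$TRANS_PORT" || echo "TransPort $TRANS_PORT not reachable from LAN"
        netstat -ln | listener_reachable "$DNS_PORT"   || echo "DNSPort $DNS_PORT not reachable from LAN"
        ;;
    apply)
        tor_nat_rules | sh -e
        ;;
esac
```

Run the check first, then apply; to keep the rules across reboots, paste the output of tor_nat_rules into Firewall > Custom Rules. The lan zone's input policy must accept ports 9040 and 9053 (the OpenWrt default is ACCEPT). If dnsmasq/Adblock should stay in the DNS path instead, drop the UDP 53 rule and point dnsmasq at Tor with server=127.0.0.1#9053 plus noresolv, so that the names it does not block are still resolved through Tor rather than over the clearnet.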

Oh nice, I hope it gets added. I was wondering for a few days now why I had some successes every now and then, but when I did it was just http traffic. I still have Privoxy and the settings set to go but disabled; I'll wait, maybe in the future I can give it a shot when they add your patch.
Would it be possible for you to post your package so I can install it? I'm guessing it might be a long shot due to probably different CPU architectures.

What is the correct ./configure with flags to compile Privoxy with support for HTTPS inspection?
It's not working for me so far.