Route through TOR for VLAN/Interface

I've read the instructions here https://openwrt.org/docs/guide-user/services/tor/client but don't really understand them. I was wondering if there was a way (through LuCI) of having traffic from a specific interface route through the TOR network. I have TOR set up and it listens on 127.0.0.1 port 9050, and I have a VLAN set up with its own WiFi & DHCP. Right now the VLAN routes through LAN, but obviously I want this routed through the SOCKS proxy.

No, because the redirect rule requires some additional parameters that are not available in LuCI.

  1. Make Tor listen on all interfaces.
  2. Use the suggested commands from the firewall section of the guide, but first adapt them to your needs by adjusting the source zone and destination port.
cat << "EOF" > /etc/nftables.d/tor.sh
TOR_CHAIN="dstnat_$(uci -q get firewall.tcp_int.src)"
TOR_RULE="$(nft -a list chain inet fw4 ${TOR_CHAIN} \
| sed -n -e "/Intercept-TCP/p")"
nft replace rule inet fw4 ${TOR_CHAIN} \
handle ${TOR_RULE##* } \
fib daddr type != { local, broadcast } ${TOR_RULE}
EOF
uci -q delete firewall.tor_nft
uci set firewall.tor_nft="include"
uci set firewall.tor_nft.path="/etc/nftables.d/tor.sh"
uci -q delete firewall.tcp_int
uci set firewall.tcp_int="redirect"
uci set firewall.tcp_int.name="Intercept-TCP"
uci set firewall.tcp_int.src="lan" # Correct zone here
uci set firewall.tcp_int.src_dport="0-65535"
uci set firewall.tcp_int.dest_port="9040" # Correct port (9050 according to your post)
uci set firewall.tcp_int.proto="tcp"
uci set firewall.tcp_int.family="any"
uci set firewall.tcp_int.target="DNAT"
uci commit firewall
fw4 restart
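As an added example (not code from the forum answer or the OpenWrt wiki), the following POSIX shell script shows what the tor.sh include above actually does with the output of `nft -a list chain`: it picks the rule line carrying the `Intercept-TCP` comment, takes the trailing handle number with `${RULE##* }`, and rebuilds the `nft replace rule` command with the `fib daddr type != { local, broadcast }` match in front, so traffic to the router's own addresses (LuCI, DNS, DHCP) and to broadcasts is never pushed into Tor. It runs on a constructed sample of the chain listing (the zone name `guest`, the counters and the handle number 23 are made up), so it needs neither nftables nor uci. It also adds a pre-install check a defender would want before committing the firewall config: the rule must exist, must end in a numeric handle, and must redirect to the port Tor really listens on for transparent proxying. Tor only accepts DNAT'ed raw TCP on a `TransPort` (9040 in the guide), not on its `SocksPort` (9050), so pointing `dest_port` at the SOCKS port silently breaks all TCP on that zone.

```sh
#!/bin/sh
# Added example, not part of the forum answer or the OpenWrt wiki.
# Everything below works on a constructed sample so it runs offline.

# Constructed sample of `nft -a list chain inet fw4 dstnat_guest` output,
# in the shape fw4 renders a redirect named "Intercept-TCP" (handle number invented).
SAMPLE_CHAIN_LISTING='table inet fw4 {
	chain dstnat_guest {
		meta nfproto ipv4 tcp dport 0-65535 counter packets 0 bytes 0 redirect to :9040 comment "!fw4: Intercept-TCP" # handle 23
	}
}'

# Select the rule line carrying the Intercept-TCP comment, as the sed in tor.sh does;
# leading whitespace is trimmed here only to keep the built command readable.
tor_select_rule() {
    printf '%s\n' "$1" | sed -n -e '/Intercept-TCP/{s/^[[:space:]]*//;p;}'
}

# The trailing handle number: ${rule##* } drops everything up to the last space.
tor_rule_handle() {
    rule="$1"
    printf '%s\n' "${rule##* }"
}

# Build the command tor.sh runs: the rule replaces itself, prefixed with a fib match
# that exempts destinations that are local to the router or broadcast addresses.
# The "# handle N" tail of the listing is a comment to nft, so it is harmless.
tor_build_replace_cmd() {
    chain="$1"
    rule="$2"
    handle="$(tor_rule_handle "$rule")"
    printf 'nft replace rule inet fw4 %s handle %s fib daddr type != { local, broadcast } %s\n' \
        "$chain" "$handle" "$rule"
}

# Pre-install check: rule present, numeric handle, and redirect target equal to the
# port Tor listens on as TransPort (9050 is the SocksPort and cannot take DNAT'ed TCP).
tor_check_rule() {
    rule="$1"
    expected_port="$2"
    [ -n "$rule" ] || { echo "no Intercept-TCP rule found in chain listing"; return 1; }
    handle="$(tor_rule_handle "$rule")"
    case "$handle" in
        ''|*[!0-9]*) echo "rule does not end in a numeric handle: '$handle'"; return 1 ;;
    esac
    case "$rule" in
        *"redirect to :$expected_port "*) return 0 ;;
        *) echo "rule does not redirect to TransPort $expected_port"; return 1 ;;
    esac
}

# Demo on the constructed listing: validate, then show the nft command tor.sh would run.
RULE="$(tor_select_rule "$SAMPLE_CHAIN_LISTING")"
tor_check_rule "$RULE" 9040 && tor_build_replace_cmd dstnat_guest "$RULE"
```

On a real router the listing comes from `nft -a list chain inet fw4 "dstnat_$(uci -q get firewall.tcp_int.src)"`, and the expected port is whatever `TransPort` is set to in /etc/tor/torrc; run `tor_check_rule` against that before `uci commit firewall`, because `fw4 restart` will happily install a rule that redirects to a port Tor is not listening on.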

Nice work, @vgaetera !

3 Likes