TOR forwarding vs. keeping ssh accessible

berferd · June 13, 2024, 1:01pm

I'm trying to set up TOR as a default route for all attached (LAN side) computers.

I'm following
https://openwrt.org/docs/guide-user/services/tor/client
but I'm running into a few issues.

I've set up everything up to step 3 in the above manual. TOR works and DNS resolves are going via TOR.

Problem: I also loose all ssh connections, when logging in again, the box can't be reached via ssh anymore. I tried do counter that by adding a firewall rule in /etc/config/firewall

config rule
	option name 'allow-ssh'
	option src 'lan'
	option src_dip '192.168.1.1'
	option src_dport '22'
	option proto 'tcp'
	option target 'ACCEPT'

before the redirect-rule in Step 3, but this does not change anything.

What's going wrong here?

I did all commands step by step, so I can check where it fails. I did not use the uci command lines, but edited the rules in the appropriate files directly (/etc/config/firewall and /etc/config/dhcp), to make sure things are transparent.
I noticed that in Step 3, uci -q get firewall.tcp_int.src comes up empty.
What should this report back? A config string set by the TOR process? Unfortunately the docu is unclear on what this should return and why.

brada4 · June 13, 2024, 1:13pm

Just redo everything from the beginning. And record all commands, from vague description there is no telling why YOU did not create tcp_int entries.

berferd · June 13, 2024, 2:41pm

Seems to work now. I re-did everything exactly as on the page, and then analyzed the /etc/config/firewall file afterwards to re-trace what really happened. Apparently I had missed to give the header name 'tcp_int' to the redirect rule.

Can someone explain why the rather abstract solution using /etc/nftables.d/tor.sh was chosen? Is it because this rule has to be re-generated afresh after tor has started, or something like that?

brada4 · June 13, 2024, 2:48pm

@vgaetera may know.

vgaetera · February 28, 2025, 7:17am

The current implementation works for any LAN IP address and will continue to work even if the user later changes the address of the router.

This became more complicated with the transition to fw4 due to the lack of support for extra arguments.

system · March 10, 2025, 7:17am

This topic was automatically closed 10 days after the last reply. New replies are no longer allowed.