TOR forwarding vs. keeping ssh accessible

I'm trying to set up TOR as a default route for all attached (LAN side) computers.

I'm following
https://openwrt.org/docs/guide-user/services/tor/client
but I'm running into a few issues.

I've set up everything up to step 3 in the above manual. TOR works and DNS resolves are going via TOR.

Problem: I also loose all ssh connections, when logging in again, the box can't be reached via ssh anymore. I tried do counter that by adding a firewall rule in /etc/config/firewall

config rule
	option name 'allow-ssh'
	option src 'lan'
	option src_dip '192.168.1.1'
	option src_dport '22'
	option proto 'tcp'
	option target 'ACCEPT'

before the redirect-rule in Step 3, but this does not change anything.

What's going wrong here?

I did all commands step by step, so I can check where it fails. I did not use the uci command lines, but edited the rules in the appropriate files directly (/etc/config/firewall and /etc/config/dhcp), to make sure things are transparent.
I noticed that in Step 3, uci -q get firewall.tcp_int.src comes up empty.
What should this report back? A config string set by the TOR process? Unfortunately the docu is unclear on what this should return and why.

Just redo everything from the beginning. And record all commands, from vague description there is no telling why YOU did not create tcp_int entries.

Seems to work now. I re-did everything exactly as on the page, and then analyzed the /etc/config/firewall file afterwards to re-trace what really happened. Apparently I had missed to give the header name 'tcp_int' to the redirect rule.

Can someone explain why the rather abstract solution using /etc/nftables.d/tor.sh was chosen? Is it because this rule has to be re-generated afresh after tor has started, or something like that?

1 Like

@vgaetera may know.