Tor routing only for special urls

Hello,
I am using a FritzBox 4020 with OpenWrt behind a FritzBox 6490 router.
I installed the Tor add-on, which is working, as I want to stay a bit more anonymous on some websites.
I wonder if there is any chance of routing only these URLs via the Tor network and, for speed reasons, the rest via the "normal" connection?
regards
J

Tor: client + selective routing


@vgaetera: thank you for those links.
I installed the packages and did the configuration as in the links, but for some reason the selected URLs are not routed via the Tor network.
The website shows the same IP as when I am not using Tor.

The method based on DNS and IP sets requires you to take care of 2 main issues.

Also, note that each site can include multiple different domains and you need to list them all.

Thanks for the instructions.
I did all that but still no luck. I requested "whatismyipaddress.com" to be routed via the Tor network, but it still returns my normal IP address.
Is there any chance to check my configuration?
regards
J

I modified the how-to to prevent non-TCP traffic leaks, e.g. ICMP, UDP, etc.

Flush DNS cache on the LAN clients and check these domains:

It works for me.
If you still have issues, then collect the diagnostics:

# Restart the services
/etc/init.d/log restart; /etc/init.d/firewall restart; \
/etc/init.d/dnsmasq restart; /etc/init.d/tor restart
 
# Log and status
logread -e dnsmasq; netstat -l -n -p | grep -e dnsmasq
logread -e Tor; netstat -l -n -p | grep -e tor
 
# Runtime configuration
pgrep -f -a dnsmasq; pgrep -f -a tor
ip address show; ip route show; ip rule show; iptables-save
ip -6 address show; ip -6 route show; ip -6 rule show; ip6tables-save
ipset list
 
# Persistent configuration
uci show firewall; uci show dhcp; grep -v -e "^#" -e "^$" /etc/tor/torrc

You can post the output to pastebin.com to make verification easier.

Thank you again for the information (and your patience :) )
I did these modifications, but still the same issue.
I collected the diagnostics:


Wow, that is a lot of info.
Can you see where I am going wrong?

You are missing the rule to intercept TCP:

# Disable LAN to WAN forwarding
uci rename firewall.@forwarding[0]="lan_wan"
uci set firewall.lan_wan.enabled="0"

# Intercept TCP traffic
uci -q delete firewall.tcp_int
uci set firewall.tcp_int="redirect"
uci set firewall.tcp_int.name="Intercept-TCP"
uci set firewall.tcp_int.src="lan"
uci set firewall.tcp_int.ipset="tor dest"
uci set firewall.tcp_int.dest_port="9040"
uci set firewall.tcp_int.proto="tcp"
uci set firewall.tcp_int.extra="--syn"
uci set firewall.tcp_int.target="DNAT"
uci commit firewall
/etc/init.d/firewall restart

# Restart dnsmasq to refill IP sets
/etc/init.d/dnsmasq restart

In my humble opinion, you are playing with fire...

Anything but a fully hardened machine is a leak risk. If you are worried about your security, you should never trust a mechanism like this.

For example, a malicious TOR-enabled website could easily redirect you to another TOR-disabled website and compromise your identity.


There's a use case when you don't need to hide yourself specifically, but need to bypass regional restrictions on the client/ISP side.


Yeah, now it works!
@vgaetera: thank you for your great help.
@eduperez: thank you for that information; I will keep that in mind, but I have to do it this way, as I cannot slow down my device to Tor speed for all communication.
I have one last problem. Every first time I request a URL, the system cannot find the server. If I repeat the request, the webpage is shown correctly. Could the double NAT of the two routers be the reason for that?
regards
J


Try using DNS over Tor only for the domains you want to route to Tor:

# Selective DNS over Tor
uci -q delete dhcp.@dnsmasq[0].noresolv
uci -q delete dhcp.@dnsmasq[0].server
uci add_list dhcp.@dnsmasq[0].server="/example.com/127.0.0.1#9053"
uci add_list dhcp.@dnsmasq[0].server="/example.net/127.0.0.1#9053"
uci commit dhcp
/etc/init.d/dnsmasq restart
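As an added example (not code from the thread or the OpenWrt wiki), the following POSIX shell checks an offline dump of `uci show firewall; uci show dhcp` for the three pieces the posts above depend on: the disabled lan-to-wan forwarding, the Intercept-TCP redirect that was missing earlier, and the per-domain dnsmasq entries for the selective DNS over Tor. The dump is constructed, and the `dhcp.@dnsmasq[0].ipset` option name is an assumption taken from the wiki how-to.

```shell
# Added example (not from the thread or the OpenWrt wiki): offline checks over a
# "uci show firewall; uci show dhcp" dump for the pieces this setup relies on.
# The dump is constructed; the dnsmasq "ipset" option is assumed per the wiki how-to.
SAMPLE_UCI=$(cat <<'EOF'
firewall.lan_wan=forwarding
firewall.lan_wan.src='lan'
firewall.lan_wan.dest='wan'
firewall.lan_wan.enabled='0'
firewall.tcp_int=redirect
firewall.tcp_int.src='lan'
firewall.tcp_int.ipset='tor dest'
firewall.tcp_int.dest_port='9040'
firewall.tcp_int.proto='tcp'
firewall.tcp_int.target='DNAT'
dhcp.@dnsmasq[0].ipset='/whatismyipaddress.com/tor'
dhcp.@dnsmasq[0].server='/whatismyipaddress.com/127.0.0.1#9053'
EOF
)
# has_opt DUMP SECTION "option='value'": exact-line match of one uci option.
has_opt() { printf '%s\n' "$1" | grep -q -x -F "$2.$3"; }
# sections DUMP TYPE: names of all firewall sections of that type, one per line.
sections() { printf '%s\n' "$1" | sed -n "s/^\(firewall\.[^.=]*\)=$2\$/\1/p"; }

# Print the name of a redirect that DNATs LAN TCP for "tor dest" to port 9040
# (the rule that was missing above); exit 1 when no such redirect exists.
find_tcp_intercept() {
  for sec in $(sections "$1" redirect); do
    if has_opt "$1" "$sec" "src='lan'" && has_opt "$1" "$sec" "proto='tcp'" &&
       has_opt "$1" "$sec" "ipset='tor dest'" && has_opt "$1" "$sec" "dest_port='9040'" &&
       has_opt "$1" "$sec" "target='DNAT'"; then
      echo "$sec"; return 0
    fi
  done
  return 1
}
# Exit 0 only if every lan->wan forwarding section is disabled; an enabled one
# lets traffic that the redirect does not catch leave outside Tor.
lan_wan_forwarding_disabled() {
  for sec in $(sections "$1" forwarding); do
    if has_opt "$1" "$sec" "src='lan'" && has_opt "$1" "$sec" "dest='wan'"; then
      has_opt "$1" "$sec" "enabled='0'" || return 1
    fi
  done
  return 0
}
# Exit 0 when DOMAIN both feeds the "tor" IP set and resolves via Tor's DNSPort.
domain_torified() {
  printf '%s\n' "$1" | grep '^dhcp\.@dnsmasq\[0\]\.ipset=' | grep -q -F "'/$2/tor'" &&
  printf '%s\n' "$1" | grep '^dhcp\.@dnsmasq\[0\]\.server=' | grep -q -F "'/$2/127.0.0.1#9053'"
}
```

On a real router, replace `SAMPLE_UCI` with `$(uci show firewall; uci show dhcp)` and run the three functions against it; a domain that fails `domain_torified` is resolved or routed outside Tor.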

This error happens for both Tor and non-Tor domains.

That is because you are using DNS over Tor for everything.
You need to use DNS over Tor selectively, or not use it at all.

Hm, after that modification all URLs are routed via Tor.

Post your current configuration:

uci show firewall; uci show dhcp

This is my current config:


regards
j

Looks fine.
Check from your client:

ping openwrt.org
Ping wird ausgeführt für openwrt.org [139.59.209.225] mit 32 Bytes Daten:
Antwort von 139.59.209.225: Bytes=32 Zeit=15ms TTL=53
Antwort von 139.59.209.225: Bytes=32 Zeit=14ms TTL=53
Antwort von 139.59.209.225: Bytes=32 Zeit=13ms TTL=53
Antwort von 139.59.209.225: Bytes=32 Zeit=13ms TTL=53

Ping-Statistik für 139.59.209.225:
    Pakete: Gesendet = 4, Empfangen = 4, Verloren = 0
    (0% Verlust),
Ca. Zeitangaben in Millisek.:
    Minimum = 13ms, Maximum = 15ms, Mittelwert = 13ms

What makes you think so?

According to your configs, Tor routing should be limited to the specific IP sets:

ipset list