Tor routing only for special urls

johnnym · August 21, 2020, 11:00pm

Hello,
I am using a fritzbox 4020 with openwrt behind a fritzbox 6490 router.
I installed tor addon which is working as I want to stay a bit more anonymous on some websites.
I wonder, if there is any chance of routing only these urls via tor network and due to speed reasons the rest via "normal" connection ?
regards
J

vgaetera · August 22, 2020, 3:07am

Tor: client + selective routing

johnnym · August 26, 2020, 1:10pm

@vgaetera: thank you for those links.
I installed the packages and did the configuration as in the links, but for some reasons the selected urls are not routed via tor network.
The website shows the same IP as I have not using tor.

vgaetera · August 26, 2020, 1:48pm

The method based on DNS and IP sets requires you to take care of 2 main issues.

Also, note that each site can include multiple different domains and you need to list them all.

johnnym · August 26, 2020, 11:45pm

thanx for the instructions.
I did all that but still no luck. I requested "whatismyipaddress.com" to be routed via tor network, but it still return my normal IP address.
Is there any chance to check my configuration ?
regards
J

vgaetera · August 27, 2020, 10:30am

I modified the how-to to prevent non-TCP traffic leaks, e.g. ICMP, UDP, etc.

Flush DNS cache on the LAN clients and check these domains:

It works for me.
If you still have issues, then collect the diagnostics:

# Restart the services
/etc/init.d/log restart; /etc/init.d/firewall restart; \
/etc/init.d/dnsmasq restart; /etc/init.d/tor restart
 
# Log and status
logread -e dnsmasq; netstat -l -n -p | grep -e dnsmasq
logread -e Tor; netstat -l -n -p | grep -e tor
 
# Runtime configuration
pgrep -f -a dnsmasq; pgrep -f -a tor
ip address show; ip route show; ip rule show; iptables-save
ip -6 address show; ip -6 route show; ip -6 rule show; ip6tables-save
ipset list
 
# Persistent configuration
uci show firewall; uci show dhcp; grep -v -e "^#" -e "^$" /etc/tor/torrc

You can post the output to pastebin.com to make verification easier.

johnnym · August 27, 2020, 11:31am

thank you again for the information (and your patience )
I did these modifications, but still the same issue.
I collected the diagnostics

wow - that is a lot of info.
Can you see, where I am doing wrong ?

vgaetera · August 27, 2020, 1:06pm

You are missing the rule to intercept TCP:

# Disable LAN to WAN forwarding
uci rename firewall.@forwarding[0]="lan_wan"
uci set firewall.lan_wan.enabled="0"

# Intercept TCP traffic
uci -q delete firewall.tcp_int
uci set firewall.tcp_int="redirect"
uci set firewall.tcp_int.name="Intercept-TCP"
uci set firewall.tcp_int.src="lan"
uci set firewall.tcp_int.ipset="tor dest"
uci set firewall.tcp_int.dest_port="9040"
uci set firewall.tcp_int.proto="tcp"
uci set firewall.tcp_int.extra="--syn"
uci set firewall.tcp_int.target="DNAT"
uci commit firewall
/etc/init.d/firewall restart

# Restart dnsmasq to refill IP sets
/etc/init.d/dnsmasq restart

eduperez · August 27, 2020, 2:11pm

In my humble opinion, you are playing with fire...

Anything but a fully gardened machine is a leak risk. If you are worried about your security, you should never thrust a mechanism like this.

For example, a malicious TOR-enabled website could easily redirect you to another TOR-disabled website, and compromise your identity.

vgaetera · August 27, 2020, 2:24pm

There's a use case, when you don't need to hide yourself specifically, but need to bypass regional restrictions on the client/ISP side.

johnnym · August 31, 2020, 12:10am

yeah - now it works !
@vgaetera : thank you for your great help
@eduperez : thank you for that information, I will keep that in mind, but have to do it that way, as I can not slow down my device to tor speed for all communication.
I have one last problem. Every first time, I request an url the system can not find the server. If I repeat the request, the webpage is shown correctly. May a double nating of the two routers be the reason for that ?
regards
J

vgaetera · August 31, 2020, 1:26am

Try using DNS over Tor only for the domains you want to route to Tor:

# Selective DNS over Tor
uci -q delete dhcp.@dnsmasq[0].noresolv
uci -q delete dhcp.@dnsmasq[0].server
uci add_list dhcp.@dnsmasq[0].server="/example.com/127.0.0.1#9053"
uci add_list dhcp.@dnsmasq[0].server="/example.net/127.0.0.1#9053"
uci commit dhcp
/etc/init.d/dnsmasq restart

johnnym · August 31, 2020, 1:09pm

this error happens for both - Tor and non Tor domains.

vgaetera · August 31, 2020, 1:15pm

That is because you are using DNS over Tor for everything.
You need to use DNS over Tor selectively, or not use at all.

johnnym · August 31, 2020, 4:09pm

hm, after that modofication all urls are routed via tor.

vgaetera · August 31, 2020, 4:11pm

Post your current configuration:

uci show firewall; uci show dhcp

johnnym · August 31, 2020, 4:23pm

this is my current conf

regards
j

vgaetera · August 31, 2020, 4:39pm

Looks fine.
Check from your client:

ping example.org

johnnym · August 31, 2020, 7:28pm

Ping wird ausgeführt für openwrt.org [139.59.209.225] mit 32 Bytes Daten:
Antwort von 139.59.209.225: Bytes=32 Zeit=15ms TTL=53
Antwort von 139.59.209.225: Bytes=32 Zeit=14ms TTL=53
Antwort von 139.59.209.225: Bytes=32 Zeit=13ms TTL=53
Antwort von 139.59.209.225: Bytes=32 Zeit=13ms TTL=53

Ping-Statistik für 139.59.209.225:
    Pakete: Gesendet = 4, Empfangen = 4, Verloren = 0
    (0% Verlust),
Ca. Zeitangaben in Millisek.:
    Minimum = 13ms, Maximum = 15ms, Mittelwert = 13ms

vgaetera · August 31, 2020, 7:35pm

What makes you think so?

According to your configs, Tor routing should be limited to the specific IP sets:

ipset list