VPN over TOR using OpenWRT

Hello all,

I'm new to OpenWRT and i"m looking for a guide to install VPN over TOR.
There is an excellent guide to install TOR client which I successfully used.
But now I need to add VPN over TOR. How can I do this?

Make additional guest network with restricted access via tor tproxy

1 Like

What does "VPN over TOR" mean, exactly? Do you want to make all the traffic flow through TOR? Do you want to stablish a VPN connection with some TOR node?

1 Like

I want the same setup as in Whonix. Whonix has two virtual boxes, gateway and workstation. Workstation traffik goes through the gateway and the gateway torrifies all the TCP traffik. Then I run VPN client in the workstation. Thus, VPN tunnel is created over TOR.

The official manuals allow me to create TOR over VPN easily: first I run VPN client, setting it up by UI: https://openwrt.org/docs/guide-user/services/vpn/openvpn/client-luci , then I intercept all traffik by TOR: https://openwrt.org/docs/guide-user/services/tor/client

I need the reverse.

  1. Install and configure TOR in the OpenWrt router; that TOR node includes a SOCKS server, that pipes all the traffic through TOR.
  2. If your VPN client supports to use a SOCKS proxy, just point it to the TOR node.
  3. If your VPN client supports to use an HTTPS proxy, configure tinyproxy on the router, using the TOR node as an upstream proxy, then configure the VPN client to use tinyproxy.
  4. If you intercept all traffic, as suggested in the TOR Client guide, then traffic from the VPN client will also go through the TOR node.

VPN client installs a route to send all trafikk to tun0. Will not your suggested solution create a loop? VPN client uses tor server which is intercepted by vpn itself?


well can't give you full instructions but this is what you should try:
-run TOR as [OpenWrt Wiki] Tor client

  • in step 1 add SocksPort
  • step 2 is optional
  • DON'T setup step 3 ( firewall to intercept LAN traffic)
  • in openvpn.conf client add socks-proxy
    and that should be it :slight_smile:

Do let us know how it went

Can you elaborate, please?

But you mentioned the VPN client will run on a workstation, not the router... Anyway, this is normal behavior for a VPN, it is not related to the fact that you are using TOR; the kernel will choose the most specific route for each connection, precisely to avoid this kind of loops

1 Like

No, I want to create the same functionality on a single OpenWRT router as I already have with two virtual boxes of Whonix.

I think running openvpn client through tor proxy which does not intercept all the traffik and excluding tor proxy from routing imposed by vpn client in the routing system.

tproxy intercepts all, you likely do not understand 2-box meaning in whonex, no, it is not possible to recreate whonix without virtualisation support.

Sorry, but I can't follow you here...

This setup works, for example.


The only difference i want to achieve is instead of entry node IP i want to use IP of the locally running Tor server.

Currently, when I use policy based routing to allow traffik from TOR server (which i run on to gateway ( before tun0 is created (gateway_network), I get an error from VPN:

2024-06-05 04:36:52 us=483709 TCP/UDP: Preserving recently used remote address: [AF_INET]
2024-06-05 04:36:52 us=483740 Socket Buffers: R=[131072->131072] S=[16384->16384]
2024-06-05 04:36:52 us=483749 Attempting to establish TCP connection with [AF_INET] [nonblock]
2024-06-05 04:36:52 us=483851 TCP connection established with [AF_INET]
2024-06-05 04:36:57 us=488698 recv_socks_reply: TCP port read timeout expired: Operation now in progress (errno=115)
2024-06-05 04:36:57 us=488761 TCP/UDP: Closing socket
2024-06-05 04:36:57 us=488808 SIGUSR1[soft,init_instance] received, process restarting
2024-06-05 04:36:57 us=488818 Restart pause, 5 second(s)

Hope I'll find out why....

The tables I use:

ip route show table custom_table
default via dev enp0s3

and the rules are

ip rule
0:	from all lookup local
32765:	from lookup custom_table
32766:	from all lookup main
32767:	from all lookup default

Please post output of

ubus call system board

I succeeded. TOR server should be set to bind to

ControlPort 9051
CookieAuthentication 1
CookieAuthFile /var/run/tor/control.authcookie

That's all. Otherwise, because it runs before openvpn, it opens circuits on and openvpn screws them inspite we defined routing for The circuits already existed on