Topic: HOWTO:Run a transparent TOR proxy ("Anonymizing Middlebox") on Openwrt

HOWTO: Transparent TOR proxy

Using Openwrt as tansparent proxy to the TOR-network.


This project has been on my mind since a long time.
I wanted to set up a free hotspot and share me broadband-connection, but I wanted to do it in a secure manner. I just want to avoid the police knocking on my door because someone did something "bad" using my hotspot. The best way I could come up with, was routing the traffic of the hotspot trough the tor-network http://www.torproject.org/.
This has two advantages:
Traffic is routed encryted trough the tor-network and reaches the net through an tor-exitnode, and there is no way to tell that the packets came from my hotspot.
A client connected to my hotspot doesn't know anything about my networkstructure, my real ip, etc. so it provides more privacy for me.

I use a transparent proxy setup because I want to use a simple setup, especially for the user. A new client gets an IP-Address through DHCP, and can use the net. No need for any additional setup. 
So that's why I'm doing it, but I guess there are lots of other situations where a transparent tor proxy can be usefull. 
info about Tor:  http://www.torproject.org/
info about the transparent proxy feature of Tor: https://trac.torproject.org/projects/tor/wiki/TheOnionRouter/TransparentProxy I set up an "Anonymizing Middlebox"

Setup:
I used a wgt634u with a recent backfire-svn checkout (r24007) it's a broadcom chip and I run a linux-2.6 kernel. I guess the stable backfire-release and any other architekture should work too but your router should have at least 32MB RAM (my tor-daemon needs about 13MB RAM) and enough Flash (8MB are enough).
I use only the wifi ("ath0") interface with own firewall-zone "tor" and restricted the access to the dhcp-server and tor-proxy only. But it will work with "br-lan" as well.

You need to install the tor-package (available in the official openwrt-package-repository) and you need iptables-mod-nat and iptables-mod-nat-extra for the iptable-rules in /etc/firewall.user

so here are the relevant sections of my config files:

/etc/conf/network:

config interface tor
        option ifname   "ath0"
        option proto    static
        option ipaddr   192.168.2.1
        option netmask  255.255.255.0

/etc/config/dhcp:

config dhcp tor
    option interface    tor
    option start     100
    option stop    150
    option leasetime    12h

/etc/config/firewall:

config zone
        option name     tor
        option input    REJECT
        option output   ACCEPT
        option forward  REJECT
        option syn_flood 1
        option conntrack 1 #this setting is mandatory

#open the port of the DHCP-Server, so that the clients get an ip
config rule                                
        option src              tor        
        option proto            udp        
        option dest_port        67         
        option target           ACCEPT     
#TOR transparent-proxy-port (set in /etc/tor/torrc)                                           
config rule                                
        option src              tor        
        option proto            tcp        
        option dest_port        9040       
        option target           ACCEPT     
#TOR DNS-proxy-port (set in /etc/tor/torrc)                                            
config rule                                
        option src              tor        
        option proto            udp        
        option dest_port        9053       
        option target           ACCEPT

/etc/firewall.user:

iptables -t nat -A PREROUTING -i ath0 -p udp --dport 53 -j REDIRECT --to-ports 9053 #redirects all DNS-requests on the interface ath0 to the tor-daemon-dns-proxy-port
iptables -t nat -A PREROUTING -i ath0 -p tcp --syn -j REDIRECT --to-ports 9040 #redirects all tcp-requests on the interface ath0 to the tor-daemon-transparent-proxy-port

/etc/tor/torrc:

VirtualAddrNetwork 10.192.0.0/10             
AutomapHostsOnResolve 1                                              
TransPort 9040                                                          
TransListenAddress 192.168.2.1                                          
DNSPort 9053                                                              
DNSListenAddress 192.168.2.1

/etc/conf/wireless:

config wifi-device  wifi0
    option type     atheros
    option channel  auto

    # REMOVE THIS LINE TO ENABLE WIFI:
#    option disabled 1

config wifi-iface
    option device    wifi0
    option network    tor
    option mode    ap
    option ssid    'Hotspot'
    option encryption none

So clients can connect to the SSID "Hotspot" get an ip, and can surf the web, ALL tcp-connections are redirected through the tor-network, not only http.
Other connections (including connections to local resources) are rejected.       


So everything is working so far.
The next thing I want to achieve is running a open captive portal an this device so that I can give the users some information. About Tor, Openwrt and about why I'm running this hotspot.
I took a look at nodogsquash but its firewall-rules doesn't seem to work with the redirections for the transparent proxy.

So any feedback on the HOWTO, or ideas about setting up a captive portal in this case, are appreciated!

Re: HOWTO:Run a transparent TOR proxy ("Anonymizing Middlebox") on Openwrt

Hi,

i did it excatly in that way using the BARRIER BREAKER image. Unfortunatelly, it is not working. I can't connect to the tor wifi. It takes a lot of time, and at the end it has limited connectivity and no connection works.

My setup:

Client ----> OpenWRT Router ----> ADSL Router

Can u help me, what could be wrong or at least what steps i should do to debug. I'm quite a noob in linux.

Greetings!