Topic: HOWTO:Run a transparent TOR proxy ("Anonymizing Middlebox") on Openwrt
HOWTO: Transparent TOR proxy
Using Openwrt as tansparent proxy to the TOR-network.
This project has been on my mind since a long time.
I wanted to set up a free hotspot and share me broadband-connection, but I wanted to do it in a secure manner. I just want to avoid the police knocking on my door because someone did something "bad" using my hotspot. The best way I could come up with, was routing the traffic of the hotspot trough the tor-network http://www.torproject.org/.
This has two advantages:
Traffic is routed encryted trough the tor-network and reaches the net through an tor-exitnode, and there is no way to tell that the packets came from my hotspot.
A client connected to my hotspot doesn't know anything about my networkstructure, my real ip, etc. so it provides more privacy for me.
I use a transparent proxy setup because I want to use a simple setup, especially for the user. A new client gets an IP-Address through DHCP, and can use the net. No need for any additional setup.
So that's why I'm doing it, but I guess there are lots of other situations where a transparent tor proxy can be usefull.
info about Tor: http://www.torproject.org/
info about the transparent proxy feature of Tor: https://trac.torproject.org/projects/tor/wiki/TheOnionRouter/TransparentProxy I set up an "Anonymizing Middlebox"
I used a wgt634u with a recent backfire-svn checkout (r24007) it's a broadcom chip and I run a linux-2.6 kernel. I guess the stable backfire-release and any other architekture should work too but your router should have at least 32MB RAM (my tor-daemon needs about 13MB RAM) and enough Flash (8MB are enough).
I use only the wifi ("ath0") interface with own firewall-zone "tor" and restricted the access to the dhcp-server and tor-proxy only. But it will work with "br-lan" as well.
You need to install the tor-package (available in the official openwrt-package-repository) and you need iptables-mod-nat and iptables-mod-nat-extra for the iptable-rules in /etc/firewall.user
so here are the relevant sections of my config files:
config interface tor option ifname "ath0" option proto static option ipaddr 192.168.2.1 option netmask 255.255.255.0
config dhcp tor option interface tor option start 100 option stop 150 option leasetime 12h
config zone option name tor option input REJECT option output ACCEPT option forward REJECT option syn_flood 1 option conntrack 1 #this setting is mandatory #open the port of the DHCP-Server, so that the clients get an ip config rule option src tor option proto udp option dest_port 67 option target ACCEPT #TOR transparent-proxy-port (set in /etc/tor/torrc) config rule option src tor option proto tcp option dest_port 9040 option target ACCEPT #TOR DNS-proxy-port (set in /etc/tor/torrc) config rule option src tor option proto udp option dest_port 9053 option target ACCEPT
iptables -t nat -A PREROUTING -i ath0 -p udp --dport 53 -j REDIRECT --to-ports 9053 #redirects all DNS-requests on the interface ath0 to the tor-daemon-dns-proxy-port iptables -t nat -A PREROUTING -i ath0 -p tcp --syn -j REDIRECT --to-ports 9040 #redirects all tcp-requests on the interface ath0 to the tor-daemon-transparent-proxy-port
VirtualAddrNetwork 10.192.0.0/10 AutomapHostsOnResolve 1 TransPort 9040 TransListenAddress 192.168.2.1 DNSPort 9053 DNSListenAddress 192.168.2.1
config wifi-device wifi0 option type atheros option channel auto # REMOVE THIS LINE TO ENABLE WIFI: # option disabled 1 config wifi-iface option device wifi0 option network tor option mode ap option ssid 'Hotspot' option encryption none
So clients can connect to the SSID "Hotspot" get an ip, and can surf the web, ALL tcp-connections are redirected through the tor-network, not only http.
Other connections (including connections to local resources) are rejected.
So everything is working so far.
The next thing I want to achieve is running a open captive portal an this device so that I can give the users some information. About Tor, Openwrt and about why I'm running this hotspot.
I took a look at nodogsquash but its firewall-rules doesn't seem to work with the redirections for the transparent proxy.
So any feedback on the HOWTO, or ideas about setting up a captive portal in this case, are appreciated!