Topic: HOWTO:Run a transparent TOR proxy ("Anonymizing Middlebox") on Openwrt

HOWTO: Transparent TOR proxy

Using OpenWrt as a transparent proxy to the Tor network.


This project has been on my mind for a long time.
I wanted to set up a free hotspot and share my broadband connection, but I wanted to do it in a secure manner. I just want to avoid the police knocking on my door because someone did something "bad" using my hotspot. The best way I could come up with was routing the traffic of the hotspot through the Tor network (http://www.torproject.org/).
This has two advantages:
Traffic is routed encrypted through the Tor network and reaches the net through a Tor exit node, and there is no way to tell that the packets came from my hotspot.
A client connected to my hotspot doesn't know anything about my network structure, my real IP, etc., so it provides more privacy for me.

I use a transparent proxy setup because I want a simple setup, especially for the user. A new client gets an IP address through DHCP and can use the net. No need for any additional setup.
So that's why I'm doing it, but I guess there are lots of other situations where a transparent Tor proxy can be useful.
Info about Tor: http://www.torproject.org/
Info about the transparent proxy feature of Tor: https://trac.torproject.org/projects/tor/wiki/TheOnionRouter/TransparentProxy
I set up an "Anonymizing Middlebox".

Setup:
I used a WGT634U with a recent Backfire SVN checkout (r24007). It's a Broadcom chip and I run a Linux 2.6 kernel. I guess the stable Backfire release and any other architecture should work too, but your router should have at least 32MB RAM (my tor daemon needs about 13MB RAM) and enough flash (8MB is enough).
I use only the wifi ("ath0") interface with its own firewall zone "tor" and restricted access to the DHCP server and the Tor proxy only. But it will work with "br-lan" as well.

You need to install the tor package (available in the official OpenWrt package repository), and you need iptables-mod-nat and iptables-mod-nat-extra for the iptables rules in /etc/firewall.user.

So here are the relevant sections of my config files:

/etc/config/network:

config interface tor
        option ifname   "ath0"
        option proto    static
        option ipaddr   192.168.2.1
        option netmask  255.255.255.0

/etc/config/dhcp:

config dhcp tor
    option interface    tor
    option start        100
    # pool size, i.e. addresses 192.168.2.100-150; "stop" is not a dnsmasq option in OpenWrt, "limit" is
    option limit        51
    option leasetime    12h

/etc/config/firewall:

config zone
        option name     tor
        option input    REJECT
        option output   ACCEPT
        option forward  REJECT
        option syn_flood 1
        # this setting is mandatory (comment kept on its own line so the UCI parser does not see it)
        option conntrack 1

# open the port of the DHCP server, so that the clients get an IP
config rule
        option src              tor
        option proto            udp
        option dest_port        67
        option target           ACCEPT
# Tor transparent-proxy port (set in /etc/tor/torrc)
config rule
        option src              tor
        option proto            tcp
        option dest_port        9040
        option target           ACCEPT
# Tor DNS-proxy port (set in /etc/tor/torrc)
config rule
        option src              tor
        option proto            udp
        option dest_port        9053
        option target           ACCEPT

/etc/firewall.user:

iptables -t nat -A PREROUTING -i ath0 -p udp --dport 53 -j REDIRECT --to-ports 9053 #redirects all DNS-requests on the interface ath0 to the tor-daemon-dns-proxy-port
iptables -t nat -A PREROUTING -i ath0 -p tcp --syn -j REDIRECT --to-ports 9040 #redirects all tcp-requests on the interface ath0 to the tor-daemon-transparent-proxy-port

/etc/tor/torrc:

VirtualAddrNetwork 10.192.0.0/10
AutomapHostsOnResolve 1
TransPort 9040
TransListenAddress 192.168.2.1
DNSPort 9053
DNSListenAddress 192.168.2.1

/etc/config/wireless:

config wifi-device  wifi0
    option type     atheros
    option channel  auto

    # REMOVE THIS LINE TO ENABLE WIFI:
#    option disabled 1

config wifi-iface
    option device    wifi0
    option network    tor
    option mode    ap
    option ssid    'Hotspot'
    option encryption none

So clients can connect to the SSID "Hotspot", get an IP, and surf the web. ALL TCP connections are redirected through the Tor network, not only HTTP.
Other connections (including connections to local resources) are rejected.


So everything is working so far.
The next thing I want to achieve is running an open captive portal on this device so that I can give the users some information about Tor, OpenWrt and about why I'm running this hotspot.
I took a look at nodogsplash, but its firewall rules don't seem to work with the redirections for the transparent proxy.

So any feedback on the HOWTO, or ideas about setting up a captive portal in this case, are appreciated!

Re: HOWTO:Run a transparent TOR proxy ("Anonymizing Middlebox") on Openwrt

Hi,

I did it exactly that way using the BARRIER BREAKER image. Unfortunately, it is not working. I can't connect to the Tor wifi. It takes a lot of time, and at the end it has limited connectivity and no connection works.

My setup:

Client ----> OpenWRT Router ----> ADSL Router

Can you help me with what could be wrong, or at least what steps I should take to debug? I'm quite a noob in Linux.

Greetings!

Re: HOWTO:Run a transparent TOR proxy ("Anonymizing Middlebox") on Openwrt

Now there is a detailed guidance of how to make a tor router: http://www.gl-inet.com/w/?p=492&lang=en

needforhelp wrote:

Hi,

I did it exactly that way using the BARRIER BREAKER image. Unfortunately, it is not working. I can't connect to the Tor wifi. It takes a lot of time, and at the end it has limited connectivity and no connection works.

My setup:

Client ----> OpenWRT Router ----> ADSL Router

Can you help me with what could be wrong, or at least what steps I should take to debug? I'm quite a noob in Linux.

Greetings!

4 (edited by stangri 2015-11-24 21:26:12)

Re: HOWTO:Run a transparent TOR proxy ("Anonymizing Middlebox") on Openwrt

Since the OP's guide is outdated and the article linked above is 404, below is what I do in my uci-defaults script to set up Tor access on a dedicated and isolated WLAN (OpenWrt-Tor). This assumes you have the tor package installed; if you do not, first run "opkg update && opkg install tor".

#!/bin/sh
# uci-defaults script: only configure the hotspot if the tor package is installed
if [ -f /etc/init.d/tor ]; then
    # dedicated interface for the hotspot, separate from lan
    uci add network interface
    uci rename network.@interface[-1]=tor
    uci set network.@interface[-1].proto=static
    uci set network.@interface[-1].ipaddr=192.168.2.1
    uci set network.@interface[-1].netmask=255.255.255.0
    uci commit network

    uci add dhcp dhcp
    uci rename dhcp.@dhcp[-1]=tor
    uci set dhcp.@dhcp[-1].interface=tor
    uci set dhcp.@dhcp[-1].start=100
    uci set dhcp.@dhcp[-1].limit=150
    uci set dhcp.@dhcp[-1].leasetime=12h
    uci commit dhcp

    # AP on the tor network; isolate=1 keeps hotspot clients from talking to each other
    uci add wireless wifi-iface
    uci set wireless.@wifi-iface[-1]=wifi-iface
    uci set wireless.@wifi-iface[-1].device=radio0
    uci set wireless.@wifi-iface[-1].network=tor
    uci set wireless.@wifi-iface[-1].mode=ap
    uci set wireless.@wifi-iface[-1].ssid='OpenWrt-Tor'
    uci set wireless.@wifi-iface[-1].encryption=psk2
    uci set wireless.@wifi-iface[-1].key=changeme
    uci set wireless.@wifi-iface[-1].isolate=1
    uci set wireless.@wifi-iface[-1].macaddr='00:88:88:88:00:2A'
    uci set wireless.@wifi-iface[-1].disabled=0
    uci commit wireless

    # zone "tor": nothing reaches the router or another zone unless a rule below allows it
    uci add firewall zone
    uci set firewall.@zone[-1].name=tor
    uci set firewall.@zone[-1].input=REJECT
    uci set firewall.@zone[-1].output=ACCEPT
    uci set firewall.@zone[-1].forward=REJECT
    uci set firewall.@zone[-1].conntrack=1   # required for the redirects below
    uci set firewall.@zone[-1].network=tor

    uci add firewall rule
    uci set firewall.@rule[-1].target=ACCEPT
    uci set firewall.@rule[-1].src=tor
    uci set firewall.@rule[-1].proto=udp
    uci set firewall.@rule[-1].dest_port=67
    uci set firewall.@rule[-1].name='Allow Tor DHCP Requests'

    uci add firewall rule
    uci set firewall.@rule[-1].target=ACCEPT
    uci set firewall.@rule[-1].src=tor
    uci set firewall.@rule[-1].proto=tcp
    uci set firewall.@rule[-1].dest_port=9040
    uci set firewall.@rule[-1].name='Allow Tor Transparent Proxy'

    uci add firewall rule
    uci set firewall.@rule[-1].target=ACCEPT
    uci set firewall.@rule[-1].src=tor
    uci set firewall.@rule[-1].proto=udp     # Tor's DNSPort is UDP, matching the DNS redirect below (was tcp)
    uci set firewall.@rule[-1].dest_port=9053
    uci set firewall.@rule[-1].name='Allow Tor DNS Proxy'

    # every TCP connection from the hotspot, except those aimed at the lan subnet, goes to Tor's TransPort
    uci add firewall redirect
    uci set firewall.@redirect[-1].name='Redirect Tor Traffic'
    uci set firewall.@redirect[-1].src=tor
    uci set firewall.@redirect[-1].src_dip='!192.168.1.0/24'
    uci set firewall.@redirect[-1].dest_port=9040
    uci set firewall.@redirect[-1].proto=tcp
    uci set firewall.@redirect[-1].target=DNAT
    uci set firewall.@redirect[-1].reflection=0

    # every DNS query from the hotspot goes to Tor's DNSPort
    uci add firewall redirect
    uci set firewall.@redirect[-1].name='Redirect Tor DNS'
    uci set firewall.@redirect[-1].src=tor
    uci set firewall.@redirect[-1].src_dport=53
    uci set firewall.@redirect[-1].dest_port=9053
    uci set firewall.@redirect[-1].proto=udp
    uci set firewall.@redirect[-1].target=DNAT
    uci set firewall.@redirect[-1].reflection=0

    # whatever is not redirected must never reach the lan
    uci add firewall rule
    uci set firewall.@rule[-1]=rule
    uci set firewall.@rule[-1].name='Deny Tor LAN Access'
    uci set firewall.@rule[-1].src=tor
    uci set firewall.@rule[-1].dest=lan
    uci set firewall.@rule[-1].proto=all
    uci set firewall.@rule[-1].target=DROP

    uci commit firewall

    # Tor listeners on the hotspot address (same values as in the OP's torrc)
    echo "VirtualAddrNetwork 10.192.0.0/10" >> /etc/tor/torrc
    echo "AutomapHostsOnResolve 1" >> /etc/tor/torrc
    echo "TransPort 9040" >> /etc/tor/torrc
    echo "TransListenAddress 192.168.2.1" >> /etc/tor/torrc
    echo "DNSPort 9053" >> /etc/tor/torrc
    echo "DNSListenAddress 192.168.2.1" >> /etc/tor/torrc

    /etc/init.d/tor enable
fi

Thanks to @arokh for his uci-defaults script as I was struggling to get the DNS and transparent traffic redirects working without it.
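An added audit script, not from any of the posts above, that reads a /etc/config/firewall in the format the OP posted (which is also what stangri's uci commands write after "uci commit firewall") and checks the isolation properties both setups rely on: the tor zone rejects input and forward, has conntrack 1, no ACCEPT rule gives the zone a dest zone, and the only router listeners open to hotspot clients are DHCP (67/udp), TransPort (9040/tcp) and DNSPort (9053/udp). The sample config is constructed, and parse_uci is a minimal reader that ignores lists and comments.

```python
import re
# Constructed sample in the HOWTO's /etc/config/firewall format (not copied from a live router).
SAMPLE_FIREWALL = """
config zone
    option name tor
    option input REJECT
    option forward REJECT
    option conntrack 1
config rule
    option src tor
    option proto udp
    option dest_port 67
    option target ACCEPT
config rule
    option src tor
    option proto tcp
    option dest_port 9040
    option target ACCEPT
config rule
    option src tor
    option proto udp
    option dest_port 9053
    option target ACCEPT
"""
# The only router listeners the hotspot may reach: DHCP, Tor's TransPort and Tor's DNSPort.
EXPECTED_OPEN = {("udp", "67"), ("tcp", "9040"), ("udp", "9053")}

def parse_uci(text):
    """Minimal UCI reader: list of (section_type, {option: value}); comments and lists ignored."""
    sections = []
    for line in text.splitlines():
        line = line.strip()
        if m := re.match(r"config\s+(\S+)", line):
            sections.append((m.group(1), {}))
        elif (m := re.match(r"option\s+(\S+)\s+(.+)", line)) and sections:
            sections[-1][1][m.group(1)] = m.group(2).strip("'\"")
    return sections

def audit_tor_zone(text, zone="tor"):
    """Return findings; an empty list means the hotspot zone is isolated as the HOWTO intends."""
    sections = parse_uci(text)
    z = next((o for t, o in sections if t == "zone" and o.get("name") == zone), {})
    # input/forward REJECT keep clients off the router and other zones; conntrack 1 is needed by REDIRECT
    findings = [f"zone {zone}: {k} must be {v}" for k, v in (("input", "REJECT"), ("forward", "REJECT"), ("conntrack", "1")) if z.get(k) != v]
    rules = [o for t, o in sections if t == "rule" and o.get("src") == zone and o.get("target") == "ACCEPT"]
    # A rule with a dest zone lets clients past the middlebox; the others open router listeners.
    findings += [f"rule lets {zone} reach zone {o['dest']}" for o in rules if "dest" in o]
    opened = {(o.get("proto", "tcpudp"), o.get("dest_port", "any")) for o in rules if "dest" not in o}
    findings += [f"unexpected listener reachable from {zone}: {p}/{d}" for p, d in sorted(opened - EXPECTED_OPEN)]
    findings += [f"missing ACCEPT for {p}/{d} from {zone}" for p, d in sorted(EXPECTED_OPEN - opened)]
    return findings
```

Run it against a copy of the router's /etc/config/firewall (e.g. `audit_tor_zone(open("firewall").read())`); any line it returns is a hole in the hotspot's isolation.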

Re: HOWTO:Run a transparent TOR proxy ("Anonymizing Middlebox") on Openwrt

FYI, you can use the Dnsmasq DNS forwarding option to redirect all DNS queries through Tor DNS. Just add the following to your dhcp config:

# noresolv and server belong to the dnsmasq section, not to a per-interface dhcp section;
# server is a list, so use add_list. Tor must listen on the address given here
# (DNSListenAddress 127.0.0.1 in torrc, or use 192.168.2.1#9053 with the torrc from the posts above).
uci set dhcp.@dnsmasq[0].noresolv=1
uci add_list dhcp.@dnsmasq[0].server='127.0.0.1#9053'
uci commit dhcp && /etc/init.d/dnsmasq restart