Failing to Redirect all Traffic over TOR

My goal is to have an open guest (WiFi) network which routes any traffic automatically over TOR. In order to do so I followed TOR’s guide for OpenWRT with the subtle change that my WiFi card also hosts a second network and without adding a public bridge. In summary, it explains how to set up an isolated guest network whereby all traffic is routed via iptables to the running tor service.

Unfortunately, after having completed the guide and connected myself to the new WiFi network, my PC had to self-assign an IP address. So instead of using the iptables rules for the routing I added redirect rules directly to my firewall config as found in this post on the OpenWRT forum.

Now, connecting to my new WiFi network works fine but I still have no internet connection. The tor service itself is running and works:

# curl --socks5 192.168.10.1:9050 --socks5-hostname 192.168.10.1:9050 -s https://check.torproject.org/ | cat | grep -m 1 Congratulations | xargs
Congratulations. This browser is configured to use Tor. 

Also its DNS resolver seems to work fine:

# dig @192.168.10.1 -p 9053 google.com
; <<>> DiG 9.9.8-P4 <<>> @192.168.10.1 -p 9053 google.com
...

Which leaves a broken redirect as the possible cause for the missing internet connection. This is where I would like to seek help, as I have only limited knowledge about it. Here are the relevant active firewall rules:

config zone
	option name 'tor'
	option input 'REJECT'
	option output 'ACCEPT'
	option forward 'REJECT'
	option syn_flood '1'
	option conntrack '1'

config rule
	option enabled '1'
	option target 'ACCEPT'
	option proto 'tcp udp'
	option dest_port '67-68'
	option name 'TOR DHCP'
	option src 'tor'

config rule
	option enabled '1'
	option target 'ACCEPT'
	option proto 'tcp'
	option dest_port '9040'
	option name 'TOR Transparent Proxy'
	option src 'tor'

config rule
	option enabled '1'
	option target 'ACCEPT'
	option proto 'tcp'
	option dest_port '9053'
	option name 'TOR DNS Proxy'
	option src 'tor'

config rule
	option enabled '1'
	option target 'DROP'
	option src 'tor'
	option dest 'lan'
	option proto 'all'
	option name 'Deny Tor LAN Access'

config redirect
	option enabled '1'
	option name 'Redirect Tor Traffic'
	option src 'tor'
	option src_dip '!192.168.1.0/24'
	option dest_port '9040'
	option proto 'tcp'
	option target 'DNAT'
	option reflection '0'

config redirect
	option enabled '1'
	option name 'Redirect Tor DNS'
	option src 'tor'
	option src_dport '53'
	option dest_port '9053'
	option proto 'udp'
	option target 'DNAT'
	option reflection '0'

Any ideas what I am doing wrong? Thanks in advance!

Well, I actually achieved exactly that, but you have to modify a few more config files on Turris to make it work.

/etc/config/wireless - we will add a second SSID dedicated to TOR; I did that for both the 5GHz and 2.4GHz wifi interfaces

config wifi-iface 'tor_iface_0'
	option disabled '0'
	option device 'radio0'
	option mode 'ap'
	option ssid '5TGHZTOR'
	option encryption 'psk2+tkip+aes'
	option key 'TORWIFIpassword'
	option ifname 'tor_turris_0'
	option network 'tor_turris'
	option isolate '1'

config wifi-iface 'tor_iface_1'
	option disabled '0'
	option device 'radio1'
	option mode 'ap'
	option ssid '2GHZTOR'
	option encryption 'psk2+tkip+aes'
	option key 'TORwifipassword'
	option ifname 'tor_turris_1'
	option network 'tor_turris'
	option isolate '1'

/etc/config/network - we have to create a dedicated network for TOR

config interface 'tor_turris'
	option enabled '1'
	option type 'bridge'
	option proto 'static'
	option ipaddr '192.168.250.1'
	option netmask '255.255.255.0'
	# both TOR SSIDs (2.4GHz and 5GHz) are bridged into this one network
	option ifname 'tor_turris_0 tor_turris_1'

/etc/config/firewall - now we have to modify the firewall rules to route all traffic to the TOR network

config zone 'tor_turris'
	option enabled '1'
	option name 'tor_turris'
	option input 'REJECT'
	option forward 'REJECT'
	option output 'ACCEPT'
	option syn_flood '1'
	option conntrack '1'
	list network 'tor_turris'

config rule 'tor_dhcp_request'
	option name 'Allow-TOR-DHCP-Request'
	option src 'tor_turris'
	option proto 'udp'
	option dest_port '67'
	option target 'ACCEPT'

config rule 'tor_transparent_proxy'
	option name 'Allow-TOR-Transparent-Proxy'
	option src 'tor_turris'
	option proto 'tcp'
	option dest_port '9040'
	option target 'ACCEPT'

config rule 'tor_DNS_proxy'
	option name 'Allow-TOR-DNS-Proxy'
	option src 'tor_turris'
	option proto 'udp'
	option dest_port '9053'
	option target 'ACCEPT'

config redirect
	option name 'TOR-DNS-Redirect'
	option src 'tor_turris'
	option src_dport '53'
	option dest_port '9053'
	option proto 'udp'
	option target 'DNAT'
	option reflection '0'

config redirect
	option name 'TOR-Traffic-Redirect'
	option src 'tor_turris'
	option src_dip '!192.168.1.0/24'
	option dest_port '9040'
	option proto 'tcp'
	option target 'DNAT'
	option reflection '0'

config rule 'deny_TOR_LAN_ACCESS'
	option name 'Deny-TOR-LAN-Access'
	option src 'tor_turris'
	option dest 'lan'
	option proto 'all'
	option target 'DROP'

/etc/config/dhcp - set up DHCP to give a separate IP range to TOR clients on the TOR WIFI

config dhcp 'tor_turris'
	option interface 'tor_turris'
	option start '200'
	option limit '50'
	option leasetime '1h'
	option ignore '0'
	list dhcp_option '6,192.168.250.1'

The last thing is to install tor and modify /etc/tor/torrc accordingly:

RunAsDaemon 1
User tor
VirtualAddrNetwork 10.192.0.0/10
AutomapHostsOnResolve 1
TransPort 192.168.250.1:9040
DNSPort 192.168.250.1:9053

and make it work and come online:

/etc/init.d/network reload
/etc/init.d/tor start
/etc/init.d/tor enable
/etc/init.d/firewall reload
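A check worth running on any transparent-Tor firewall config like the two posted above, added here as an example and not taken from either post: for every fw3 `config redirect` that sends traffic to a port on the router itself, confirm that the source zone's input policy or an enabled `config rule` actually ACCEPTs that port for the same protocol. A DNAT redirect only rewrites the destination; the rewritten packet still has to pass the zone's INPUT chain, so a REJECT zone with an accept rule for the wrong protocol silently kills it. The script runs over a trimmed copy of the question's fragment, where the 9053 accept rule is tcp while the DNS redirect is udp, and then over the same fragment with that rule changed to udp as in the answer's Allow-TOR-DNS-Proxy rule. Assumptions: the sample configs are shortened copies of what was posted, and a zone with no explicit `input` option is treated as REJECT (fw3's usual default), which is labelled in the code.

```python
"""Check fw3 'config redirect' entries against the source zone's input policy:
a DNAT redirect to a router-local port is dead if the zone's input is REJECT
or DROP and no rule ACCEPTs that port for that protocol from that zone."""
import shlex


def parse_uci(text):
    """Parse UCI text into dicts with 'type', 'name', 'options' and 'lists'."""
    sections, cur = [], None
    for raw in text.splitlines():
        w = shlex.split(raw, comments=True)
        if not w:
            continue
        if w[0] == "config":
            cur = {"type": w[1], "name": w[2] if len(w) > 2 else None,
                   "options": {}, "lists": {}}
            sections.append(cur)
        elif cur is not None and w[0] == "option":
            cur["options"][w[1]] = w[2] if len(w) > 2 else ""
        elif cur is not None and w[0] == "list":
            cur["lists"].setdefault(w[1], []).append(w[2])
    return sections


def protos(value):
    """fw3 rules default to tcp+udp; 'all' covers both for this check."""
    value = (value or "tcp udp").lower()
    return {"tcp", "udp"} if value in ("all", "tcpudp") else set(value.split())


def covers(rule, zone, proto, port):
    """True if an input rule (src zone, no dest zone) ACCEPTs proto/port."""
    o = rule["options"]
    if (o.get("src") != zone or "dest" in o or o.get("target") != "ACCEPT"
            or "dest_port" not in o or proto not in protos(o.get("proto"))):
        return False
    lo, _, hi = o["dest_port"].partition("-")
    return int(lo) <= port <= int(hi or lo)


def check_redirects(text):
    """One finding per router-local DNAT redirect whose target port is not
    admitted from its source zone; an empty list means all are covered."""
    secs = parse_uci(text)
    on = lambda s: s["options"].get("enabled", "1") != "0"
    zones = {s["options"].get("name"): s["options"] for s in secs if s["type"] == "zone"}
    rules = [s for s in secs if s["type"] == "rule" and on(s)]
    findings = []
    for rd in (s for s in secs if s["type"] == "redirect" and on(s)):
        o = rd["options"]
        if o.get("target", "DNAT") != "DNAT" or "dest_ip" in o:
            continue  # only redirects to the router itself are of interest
        zone, port = o.get("src"), int(o["dest_port"])
        # Assumption: a zone without an explicit input option inherits REJECT.
        policy = zones.get(zone, {}).get("input", "REJECT")
        if policy == "ACCEPT":
            continue
        for proto in sorted(protos(o.get("proto"))):
            if not any(covers(r, zone, proto, port) for r in rules):
                findings.append(f"{o.get('name', '(unnamed)')}: {proto}/{port} is "
                                f"redirected from zone '{zone}', but zone input is "
                                f"{policy} and no ACCEPT rule opens {proto}/{port}")
    return findings


# Trimmed copy of the question's firewall fragment (tor zone, proxy/DNS rules, redirects).
QUESTION_FW = """
config zone
    option name 'tor'
    option input 'REJECT'
config rule
    option target 'ACCEPT'
    option proto 'tcp'
    option dest_port '9040'
    option src 'tor'
config rule
    option target 'ACCEPT'
    option proto 'tcp'
    option dest_port '9053'
    option src 'tor'
config redirect
    option name 'Redirect Tor Traffic'
    option src 'tor'
    option src_dip '!192.168.1.0/24'
    option dest_port '9040'
    option proto 'tcp'
    option target 'DNAT'
config redirect
    option name 'Redirect Tor DNS'
    option src 'tor'
    option src_dport '53'
    option dest_port '9053'
    option proto 'udp'
    option target 'DNAT'
"""

# Same fragment with the 9053 accept rule on udp, as in the answer's Allow-TOR-DNS-Proxy rule.
FIXED_FW = QUESTION_FW.replace("option proto 'tcp'\n    option dest_port '9053'",
                               "option proto 'udp'\n    option dest_port '9053'")
```

Calling `check_redirects(QUESTION_FW)` returns a single finding for `Redirect Tor DNS` (udp/9053 redirected, only tcp/9053 accepted, zone input REJECT), while `check_redirects(FIXED_FW)` returns an empty list. To use it on a live router, feed it the output of `cat /etc/config/firewall`; it deliberately ignores redirects with a `dest_ip` (port forwards to other hosts), since those are governed by the forward chain rather than input.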