Tor wifi: cannot connect to anything, not even the router


#1

I am trying to setup a special wifi network just for the “internet of junk” devices. As a special treatment all traffic to the internet should be routed through tor. To do that I followed Failing to Redirect all Traffic over TOR - the response by @Twinkie. It is a really nice and comprehensive guide… except that it does not work for me :confused:

I have setup the addresses in torrc so that I could test it from the ‘lan’ main network as well:

TransPort 0.0.0.0:9040
DNSPort 0.0.0.0:9053
SocksPort 0.0.0.0:9050

setting up socks proxy in firefox inside the main ‘lan’ network redirects the traffic successfully. The tor DNS server also works from the ‘lan’ zone:

dig @192.168.0.1 -p 9053 seznam.cz

; <<>> DiG 9.11.2 <<>> @192.168.0.1 -p 9053 seznam.cz
; (1 server found)
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 19614
;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 0

;; QUESTION SECTION:
;seznam.cz.			IN	A

;; ANSWER SECTION:
seznam.cz.		3600	IN	A	77.75.77.39

;; Query time: 386 msec
;; SERVER: 192.168.0.1#9053(192.168.0.1)
;; WHEN: Sun Feb 10 01:58:01 CET 2019
;; MSG SIZE  rcvd: 43

→ Tor is running I assume.

But it does not work when I am connected to the wifi.
These are my current firewall rules (as the above mentioned forum post did not work for me, I deviated from it since):
/etc/config/firewall

config zone
	option enabled '1'
	option name 'tor_turris'
	list network 'tor_turris'
	option input 'REJECT'
	option forward 'REJECT'
	option output 'ACCEPT'
	option syn_flood '1'
	option conntrack '1'

config rule 'tor_dhcp_request'
	option name 'TOR-allow-DHPC-request'
	option src 'tor_turris'
	option proto 'udp'
	option dest_port '67'
	option target 'ACCEPT'

config rule 'tor_transparent_proxy'
	option name 'TOR-allow-trasparent-proxy'
	option src 'tor_turris'
	option proto 'tcp'
	option dest_port '9040'
	option target 'ACCEPT'

config rule 'tor_DNS_proxy'
	option name 'TOR-allow-DNS-proxy'
	option src 'tor_turris'
	option proto 'udp'
	option dest_port '9053'
	option target 'ACCEPT'

and /etc/firewall.user (which probably has duplicate entries now. parts are taken from https://doc.turris.cz/doc/cs/howto/tor )

iptables -t nat -A PREROUTING -i tor_turris_0 -p udp --dport 53 -j REDIRECT --to-ports 9053
iptables        -A INPUT      -p tcp --dport 9040     -j ACCEPT
iptables -t nat -A PREROUTING -i tor_turris_0 -p tcp --syn -j REDIRECT --to-ports 9040
iptables -t nat -A PREROUTING -p tcp -d 10.192.0.0/10 -j REDIRECT --to-port 9040
iptables -t nat -A OUTPUT     -p tcp -d 10.192.0.0/10 -j REDIRECT --to-port 9040

When connected to the dedicated wifi inside newly created ‘tor_turris’ zone, no web page loads and I cannot get any DNS record.

# dig seznam.cz

; <<>> DiG 9.10.0 <<>> seznam.cz
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: SERVFAIL, id: 29923
;; flags: qr rd ad; QUERY: 0, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 0
;; WARNING: recursion requested but not available

;; Query time: 5238 msec
;; SERVER: 127.0.0.1#53(127.0.0.1)
;; WHEN: Sun Feb 10 01:54:59 CET 2019
;; MSG SIZE  rcvd: 12

What more I cannot even ping the router - is that normal? It seems there might be something else blocking the wifi clients entirely. Can you please help me troubleshoot this?


#2

Of course it does not work the way you set it up. As tor package updated, directives in /etc/torr rc changed. I had similar situation when left old directives in old version of torrc with new package version.

This means, that tor will listen on all interfaces of your router, eg. your wan,lan, any interface

TransPort 0.0.0.0:9040
DNSPort 0.0.0.0:9053
SocksPort 0.0.0.0:9050

In order to work you have to set it up on another IP address eg. like:

TransPort 192.168.250.0:9040
DNSPort 192.168.250.0:9053

So then you will have dedicated interface-IP just for tor separate from your normal network lan and wan and then you can setup some redirect of part of traffc eg. wifi.

I had updated guide and check also if you have RunAsDaemon 1 in torrc

Then you can see if tor is up and running in /var/log/tor.log that is a good start to debug.
My config works after those adjustments with new tor package also.

You dont have add firewall.user from howto as it is duplicated.
Just make sure to open section firewall section in luci and click save so it translate config from /etc/config to real config and make it effective.


#3
Log notice syslog
DataDirectory /var/lib/tor
User tor
Log notice file /var/log/tor/notices.log
VirtualAddrNetwork 10.192.0.0/10
AutomapHostsOnResolve 1
TransPort 192.168.170.1:9040
DNSPort 192.168.170.1:9053
SocksPort 192.168.0.1:9050
RunAsDaemon 1

Great! This torrc + your /etc/config/firewall rules (instead of the iptables commands) made it work!
BTW why do these not work?
TransPort 0.0.0.0:9040
DNSPort 0.0.0.0:9053
You say this should listen on ALL interfaces why does it not listen on 192.168.170.1? I used 0.0.0.0 to test it would work - only to get it running first.

There is only one thing, I cannot access any .onion address. The DNS works apparently, as it maps an .onion address into the 10.192.0.0/10 range:

; <<>> DiG 9.10.0 <<>> facebookcorewwwi.onion
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 38028
;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 0

;; QUESTION SECTION:
;facebookcorewwwi.onion.		IN	A

;; ANSWER SECTION:
facebookcorewwwi.onion.	60	IN	A	10.199.54.244

;; Query time: 31 msec
;; SERVER: 127.0.0.1#53(127.0.0.1)
;; WHEN: Sun Feb 10 14:41:03 CET 2019
;; MSG SIZE  rcvd: 56

So I am guessing the missing piece is a rule that would make 10.192.0.0/10 ip space accessible?


#4

There has to be some other directives to torrc added to enable onion, extended guide here :


#5

I’ll try that, thank you!