I am trying to set up a special wifi network just for the “internet of junk” devices. As a special treatment, all traffic to the internet should be routed through Tor. To do that I followed Failing to Redirect all Traffic over TOR - the response by @Twinkie. It is a really nice and comprehensive guide… except that it does not work for me.
I have set up the addresses in torrc so that I could test it from the main ‘lan’ network as well:
TransPort 0.0.0.0:9040
DNSPort 0.0.0.0:9053
SocksPort 0.0.0.0:9050
Setting up the SOCKS proxy in Firefox inside the main ‘lan’ network redirects the traffic successfully. The Tor DNS server also works from the ‘lan’ zone:
dig @192.168.0.1 -p 9053 seznam.cz
; <<>> DiG 9.11.2 <<>> @192.168.0.1 -p 9053 seznam.cz
; (1 server found)
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 19614
;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 0
;; QUESTION SECTION:
;seznam.cz. IN A
;; ANSWER SECTION:
seznam.cz. 3600 IN A 77.75.77.39
;; Query time: 386 msec
;; SERVER: 192.168.0.1#9053(192.168.0.1)
;; WHEN: Sun Feb 10 01:58:01 CET 2019
;; MSG SIZE rcvd: 43
→ Tor is running I assume.
But it does not work when I am connected to the wifi.
These are my current firewall rules (as the above-mentioned forum post did not work for me, I have since deviated from it):
/etc/config/firewall
config zone
	option enabled '1'
	option name 'tor_turris'
	list network 'tor_turris'
	option input 'REJECT'
	option forward 'REJECT'
	option output 'ACCEPT'
	option syn_flood '1'
	option conntrack '1'

config rule 'tor_dhcp_request'
	option name 'TOR-allow-DHCP-request'
	option src 'tor_turris'
	option proto 'udp'
	option dest_port '67'
	option target 'ACCEPT'

config rule 'tor_transparent_proxy'
	option name 'TOR-allow-transparent-proxy'
	option src 'tor_turris'
	option proto 'tcp'
	option dest_port '9040'
	option target 'ACCEPT'

config rule 'tor_DNS_proxy'
	option name 'TOR-allow-DNS-proxy'
	option src 'tor_turris'
	option proto 'udp'
	option dest_port '9053'
	option target 'ACCEPT'
and /etc/firewall.user (which probably has duplicate entries now; parts are taken from https://doc.turris.cz/doc/cs/howto/tor ):
iptables -t nat -A PREROUTING -i tor_turris_0 -p udp --dport 53 -j REDIRECT --to-ports 9053
iptables -A INPUT -p tcp --dport 9040 -j ACCEPT
iptables -t nat -A PREROUTING -i tor_turris_0 -p tcp --syn -j REDIRECT --to-ports 9040
iptables -t nat -A PREROUTING -p tcp -d 10.192.0.0/10 -j REDIRECT --to-port 9040
iptables -t nat -A OUTPUT -p tcp -d 10.192.0.0/10 -j REDIRECT --to-port 9040
When connected to the dedicated wifi inside the newly created ‘tor_turris’ zone, no web page loads and I cannot get any DNS record.
# dig seznam.cz
; <<>> DiG 9.10.0 <<>> seznam.cz
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: SERVFAIL, id: 29923
;; flags: qr rd ad; QUERY: 0, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 0
;; WARNING: recursion requested but not available
;; Query time: 5238 msec
;; SERVER: 127.0.0.1#53(127.0.0.1)
;; WHEN: Sun Feb 10 01:54:59 CET 2019
;; MSG SIZE rcvd: 12
What's more, I cannot even ping the router - is that normal? It seems there might be something else blocking the wifi clients entirely. Can you please help me troubleshoot this?
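For reference, here is a complete rule set for an isolated transparent-Tor SSID on an fw3 (iptables) OpenWrt/Turris router, written as an added example; it is not code from the post above or from the Turris howto. It looks up the SSID's kernel interface with OpenWrt's ifstatus and jsonfilter instead of hard-coding a name, accepts DHCP and ICMP from that interface so clients can get a lease and ping the gateway, accepts the redirected sockets on the Tor ports, and redirects plain DNS and every new TCP connection to Tor. The rules go into fw3's user chains (input_rule, nat/prerouting_rule), which fw3 jumps to before its own zone chains, so they are evaluated ahead of the zone's input=REJECT policy. The network name tor_turris and the ports 9040/9053 come from the post; the function names, the IPT variable and the sample ss lines in the check are assumptions of this example.

```shell
#!/bin/sh
# Added example (not from the post or the Turris howto): transparent-Tor rules for
# an isolated SSID on an fw3/iptables OpenWrt router. Set IPT=echo to dry-run.
IPT="${IPT:-iptables}"

# Kernel interface behind a UCI network (e.g. wlan0-1 or br-tor_turris), looked up
# with OpenWrt's ifstatus + jsonfilter rather than guessed from the network name.
zone_ifname() {
    ifstatus "$1" | jsonfilter -e '@.l3_device'
}

# Emit the rules for ingress interface $1 with Tor TransPort $2 and DNSPort $3.
# Everything from the SSID that is not matched here still hits the zone's
# input=REJECT / forward=REJECT policy, including UDP other than DNS (Tor cannot
# carry it anyway).
tor_zone_rules() {
    ifc="$1"; trans="${2:-9040}"; dns="${3:-9053}"
    # Clients must reach the router itself for DHCP and for ping
    $IPT -A input_rule -i "$ifc" -p udp --dport 67 -j ACCEPT
    $IPT -A input_rule -i "$ifc" -p icmp -j ACCEPT
    # Redirected connections terminate on the router, i.e. they pass through INPUT
    $IPT -A input_rule -i "$ifc" -p tcp --dport "$trans" -j ACCEPT
    $IPT -A input_rule -i "$ifc" -p udp --dport "$dns" -j ACCEPT
    # Plain DNS -> Tor DNSPort; every new TCP connection -> Tor TransPort
    $IPT -t nat -A prerouting_rule -i "$ifc" -p udp --dport 53 -j REDIRECT --to-ports "$dns"
    $IPT -t nat -A prerouting_rule -i "$ifc" -p tcp --syn -j REDIRECT --to-ports "$trans"
}

# Check that Tor really listens on a non-loopback address for port $1.
# Reads `ss -lntu` output on stdin; a 127.0.0.1-only binding is unreachable
# from the SSID even when every firewall rule is right.
tor_port_reachable() {
    grep -E "[^ ]+:$1([[:space:]]|\$)" | grep -qv '127\.0\.0\.1:'
}

# On the router: sh thisscript.sh apply   (or paste the calls into /etc/firewall.user)
if [ "${1:-}" = "apply" ]; then
    ifc="$(zone_ifname tor_turris)"
    tor_zone_rules "$ifc" 9040 9053
    for p in 9040 9053; do
        ss -lntu | tor_port_reachable "$p" || echo "warning: Tor is not bound on 0.0.0.0:$p" >&2
    done
fi
```

After applying, `iptables -t nat -L prerouting_rule -v -n` shows per-rule packet counters; if they stay at zero while a wifi client runs `dig @<router ip> seznam.cz`, the packets are arriving on a different interface than the one the rules name. Note that a client-side `dig` whose SERVER line reads 127.0.0.1#53 is talking to the client's own stub resolver, so query the router's address explicitly when testing.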