Monthly Archives: October 2014

Tor transparent proxy on a GL.iNet router

Here’s how you can make a PORTAL-like device using the very trendy GL.iNet router. There is nothing new in this post; it’s all based on work done by folks like The Grugq and Dan Staples: https://disman.tl/2014/09/13/transparent-tor-gateway-on-openwrt.html

April 2015 update:

Ars Technica recently published a story about how using a transparent Tor proxy is “EPICFAIL.” http://arstechnica.com/security/2015/04/op-ed-why-the-entire-premise-of-tor-enabled-routers-is-ridiculous/

The assumption in the story is that the user is using the same computer with the Tor proxy as he/she uses day-to-day. Do not do this. The device you use with a Tor router should be used ONLY on the Tor proxy.

We’re going to configure the router like so:

  • “wan” will be configured with dhcp. Plug this into a place where you can get internet.
  • “lan” will be used for management and configuration only. I picked 192.168.8.0/24 for this.
  • “wlan0” will be the wifi access point where the devices you want to use with Tor will connect.

1. Get a router from the Internet. I ordered from this seller: http://www.dx.com/p/gl-inet-6416a-micro-usb-powered-smart-router-w-16m-rom-white-335418 (Fun fact: it shipped from The Netherlands). Make sure you get a model 6416A.

2. Flash it with OpenWrt 14.07

https://downloads.openwrt.org/barrier_breaker/14.07/ar71xx/generic/openwrt-ar71xx-generic-gl-inet-v1-squashfs-factory.bin

More information here:  http://wiki.openwrt.org/toh/gl-inet/gl-inet

3. Install Tor

root@OpenWrt:~# opkg update
Downloading http://downloads.openwrt.org/barrier_breaker/14.07/ar71xx/generic/packages/base/Packages.gz.
[...]
root@OpenWrt:~# opkg install tor-alpha tor-alpha-fw-helper tor-alpha-geoip
[...]
root@OpenWrt:~# /etc/init.d/tor enable

There will probably be a few dependencies installed also.

4. Edit /etc/config/network

config interface 'loopback'
        option ifname 'lo'
        option proto 'static'
        option ipaddr '127.0.0.1'
        option netmask '255.0.0.0'

config interface 'lan'
        option ifname 'eth1'
        option type 'bridge'
        option _orig_ifname 'eth1 radio0.network1'
        option _orig_bridge 'true'
        option proto 'static'
        option ipaddr '192.168.8.1'
        option netmask '255.255.255.0'
        option disable_ipv6 '1'

config interface 'wan'
        option ifname 'eth0'
        option proto 'dhcp'
        option hostname 'tablet;)'
        option disable_ipv6 '1'

config interface 'tor'
        option proto 'static'
        option ipaddr '172.16.1.1'
        option netmask '255.255.255.0'
        option disable_ipv6 '1'

5. Edit /etc/config/dhcp.

Add the following to the bottom:

config dhcp tor
        option interface    tor
        option start        100
        option limit        150
        option leasetime    1h

6. Edit /etc/config/wireless

config wifi-device 'radio0'
        option type 'mac80211'
        option path 'platform/ar933x_wmac'
        list ht_capab 'SHORT-GI-20'
        list ht_capab 'SHORT-GI-40'
        list ht_capab 'RX-STBC1'
        list ht_capab 'DSSS_CCK-40'
        option txpower '20'
        option country 'CN'
        option channel 'auto'
        option hwmode '11ng'
        option htmode 'HT20'
        option AMPDULim '50000'

config wifi-iface
        option device 'radio0'
        option network 'tor'
        option mode 'ap'
        option encryption 'psk-mixed'
        option wds '1'
        option uapsd '1'
        option ssid 'default'
        option key 'somepassword'
        option disabled '0'

7. Edit /etc/config/firewall

config defaults
        option syn_flood '1'
        option input 'ACCEPT'
        option output 'ACCEPT'
        option forward 'REJECT'

config zone
        option name 'lan'
        list network 'lan'
        option input 'ACCEPT'
        option output 'ACCEPT'
        option forward 'ACCEPT'

config zone
        option name 'wan'
        list network 'wan'
        list network 'wan6'
        option input 'REJECT'
        option output 'ACCEPT'
        option forward 'REJECT'
        option masq '1'
        option mtu_fix '1'

config zone
        option name 'tor'
        option network 'tor'
        option input 'REJECT'
        option output 'ACCEPT'
        option forward 'REJECT'
        option conntrack '1'

config rule
        option name 'Allow-Tor-DHCP'
        option src 'tor'
        option proto 'udp'
        option dest_port '67'
        option target 'ACCEPT'
        option family 'ipv4'

config rule
        option name 'Allow-Tor-DNS'
        option src 'tor'
        option proto 'udp'
        option dest_port '9053'
        option target 'ACCEPT'
        option family 'ipv4'

config rule
        option name 'Allow-Tor-Transparent'
        option src 'tor'
        option proto 'tcp'
        option dest_port '9040'
        option target 'ACCEPT'
        option family 'ipv4'

config rule
        option name 'Allow-Tor-SOCKS'
        option src 'tor'
        option proto 'tcp'
        option dest_port '9050'
        option target 'ACCEPT'
        option family 'ipv4'

config rule
        option name 'Allow-DHCP-Renew'
        option src 'wan'
        option proto 'udp'
        option dest_port '68'
        option target 'ACCEPT'
        option family 'ipv4'

config rule
        option name 'Allow-Ping'
        option src 'wan'
        option proto 'icmp'
        option icmp_type 'echo-request'
        option family 'ipv4'
        option target 'ACCEPT'

config forwarding
        option src 'lan'
        option dest 'wan'

config include
        option path '/etc/firewall.user'

8. Edit /etc/firewall.user

# Loaded by the "config include" entry at the end of /etc/config/firewall.
enable_transparent_tor() {
  # DNS queries from the wifi clients go to Tor's DNSPort (9053, see step 9).
  iptables -t nat -A PREROUTING -i wlan0 -p udp --dport 53 -j REDIRECT --to-ports 9053
  # Every new TCP connection from the wifi clients goes to Tor's TransPort (9040).
  iptables -t nat -A PREROUTING -i wlan0 -p tcp --syn -j REDIRECT --to-ports 9040
}
enable_transparent_tor

9. Edit /etc/tor/torrc

Add the following lines to the bottom

AllowUnverifiedNodes middle,rendezvous
AutomapHostsOnResolve 1
SocksPort 9050
SocksBindAddress 172.16.1.1:9050
VirtualAddrNetwork 10.192.0.0/10
TransPort 9040
TransListenAddress 172.16.1.1
DNSPort 9053
DNSListenAddress 172.16.1.1

10. Edit /etc/init.d/tor

I needed to add a sleep to the init script so Tor would start on boot.

        [...]
        sleep 60
        service_start /usr/sbin/tor --PidFile /var/run/tor.pid
        [...]

11. Harden it up a bit. There is probably a lot that could be done here. For example, it’s a good idea to turn off IP forwarding, so that any client traffic the redirect rules in /etc/firewall.user don’t catch is dropped instead of being routed out of wan unprotected. In /etc/sysctl.conf:

net.ipv4.ip_forward=0
[...]
net.ipv6.conf.default.forwarding=0
net.ipv6.conf.all.forwarding=0

12. Boot it up, connect to the wifi AP and check if you’re using Tor.

https://check.torproject.org/
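Once the router is up you can go a step beyond the check.torproject.org test and verify on the box itself that the three things the configuration above relies on still hold: all client DNS and TCP is redirected into Tor, kernel forwarding is off, and Tor listens only on the Tor interface. The script below is an added example and not part of the original post; it assumes the interface name wlan0, the Tor interface address 172.16.1.1 and the ports from the torrc above, and the SAMPLE_* strings are constructed stand-ins for the iptables and netstat output you would feed it on the router.

```shell
#!/bin/sh
# Added example, not code from the original post: a few audit functions for the
# router built in the steps above. Each check takes the text it inspects as its
# first argument, so on the router itself you would run, for instance:
#   check_nat_redirects "$(iptables -t nat -S PREROUTING)"
#   check_no_forwarding "$(sysctl -n net.ipv4.ip_forward)"
#   check_tor_listeners "$(netstat -ln)"
# The SAMPLE_* strings below are constructed to resemble that output; they were
# not captured from a real device.

TOR_IP="172.16.1.1"   # Tor interface address from step 4
WIFI_IF="wlan0"       # interface the Tor clients arrive on (step 8)

# Pass when both REDIRECT rules from /etc/firewall.user exist for $WIFI_IF.
# "iptables -S" prints "--syn" as "--tcp-flags FIN,SYN,RST,ACK SYN", so match on "SYN ".
check_nat_redirects() {
  printf '%s\n' "$1" | grep -q -- "-i $WIFI_IF -p udp .*--dport 53 .*-j REDIRECT --to-ports 9053" || return 1
  printf '%s\n' "$1" | grep -q -- "-i $WIFI_IF -p tcp .*SYN .*-j REDIRECT --to-ports 9040" || return 1
  return 0
}

# Pass when kernel forwarding is off (step 11): a client packet that the REDIRECT
# rules miss must then be dropped instead of being routed out of wan in the clear.
check_no_forwarding() {
  [ "$1" = "0" ]
}

# Pass when TransPort, SocksPort and DNSPort listen on $TOR_IP (step 9) and none
# of them is also bound to 0.0.0.0, which would offer them on every interface.
check_tor_listeners() {
  for port in 9040 9050 9053; do
    printf '%s\n' "$1" | grep -q "$TOR_IP:$port" || return 1
    printf '%s\n' "$1" | grep -q "0\.0\.0\.0:$port" && return 1
  done
  return 0
}

# Run all three checks; the return value is the number of failed checks.
audit() {
  failures=0
  check_nat_redirects "$1" && echo "nat redirects: ok" || { echo "nat redirects: FAIL"; failures=$((failures + 1)); }
  check_no_forwarding "$2" && echo "ip_forward:    ok" || { echo "ip_forward:    FAIL"; failures=$((failures + 1)); }
  check_tor_listeners "$3" && echo "tor listeners: ok" || { echo "tor listeners: FAIL"; failures=$((failures + 1)); }
  return $failures
}

# Constructed sample of "iptables -t nat -S PREROUTING" after step 8.
SAMPLE_NAT='-P PREROUTING ACCEPT
-A PREROUTING -i wlan0 -p udp -m udp --dport 53 -j REDIRECT --to-ports 9053
-A PREROUTING -i wlan0 -p tcp -m tcp --tcp-flags FIN,SYN,RST,ACK SYN -j REDIRECT --to-ports 9040'

# Constructed sample of "netstat -ln" with the torrc from step 9.
SAMPLE_LISTEN='Proto Recv-Q Send-Q Local Address           Foreign Address         State
tcp        0      0 172.16.1.1:9040         0.0.0.0:*               LISTEN
tcp        0      0 172.16.1.1:9050         0.0.0.0:*               LISTEN
tcp        0      0 192.168.8.1:22          0.0.0.0:*               LISTEN
udp        0      0 172.16.1.1:9053         0.0.0.0:*
udp        0      0 0.0.0.0:67              0.0.0.0:*'

# Same sample, but as it would look if SocksPort were (hypothetically) bound to
# 0.0.0.0 instead of the Tor interface.
SAMPLE_LISTEN_EXPOSED="$(printf '%s\n' "$SAMPLE_LISTEN" | sed 's/172.16.1.1:9050/0.0.0.0:9050/')"

echo "== router as configured in the post =="
audit "$SAMPLE_NAT" "0" "$SAMPLE_LISTEN" || echo "$? check(s) failed"
echo "== same router with SocksPort on 0.0.0.0 and ip_forward=1 =="
audit "$SAMPLE_NAT" "1" "$SAMPLE_LISTEN_EXPOSED" || echo "$? check(s) failed"
```

Copy it to the router and swap the sample strings for the live commands named in the header comment; a non-zero return from audit means one of the three invariants no longer holds, which is worth knowing before you trust the box with anything.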