Category Archives: rand

Tor transparent proxy on a GL.iNet router

Here’s how you can make a PORTAL-like device using the very trendy GL.iNet router. There is nothing new in this post; it’s all based on work done by folks like The Grugq and Dan Staples: https://disman.tl/2014/09/13/transparent-tor-gateway-on-openwrt.html

April 2015 update:

Ars Technica recently published an op-ed arguing that the whole premise of Tor-enabled routers is “EPICFAIL.” http://arstechnica.com/security/2015/04/op-ed-why-the-entire-premise-of-tor-enabled-routers-is-ridiculous/

The assumption in the story is that the user sits behind the Tor router with the same computer he or she uses day-to-day, so everything that identifies that machine (logged-in accounts, cookies, browser fingerprint) goes out through Tor as well. Do not do this. The device you use with a Tor router should be used ONLY on the Tor proxy. The router only moves TCP connections and DNS lookups into Tor; it cannot fix what the applications on the client give away.

We’re going to configure the router like so:

  • “wan” will be configured with dhcp. Plug this into a place where you can get internet.
  • “lan” will be used for management and configuration only. I picked 192.168.8.0/24 for this.
  • “wlan0” will be the wifi access point where the devices you want to use with Tor will connect.

1. Get a router from the Internet. I ordered from this seller: http://www.dx.com/p/gl-inet-6416a-micro-usb-powered-smart-router-w-16m-rom-white-335418 (Fun fact: it shipped from The Netherlands). Make sure you get a model 6416A.

2. Flash it with OpenWrt 14.07

https://downloads.openwrt.org/barrier_breaker/14.07/ar71xx/generic/openwrt-ar71xx-generic-gl-inet-v1-squashfs-factory.bin

More information here:  http://wiki.openwrt.org/toh/gl-inet/gl-inet

3. Install Tor

root@OpenWrt:~# opkg update
Downloading http://downloads.openwrt.org/barrier_breaker/14.07/ar71xx/generic/packages/base/Packages.gz.
[...]
root@OpenWrt:~# opkg install tor-alpha tor-alpha-fw-helper tor-alpha-geoip
[...]
root@OpenWrt:~# /etc/init.d/tor enable

There will probably be a few dependencies installed also.

4. Edit /etc/config/network. The 'tor' interface deliberately has no ifname: the access point in step 6 attaches wlan0 to it. The wan hostname is sent to whatever upstream DHCP server you plug into, so keep it bland.

config interface 'loopback'
        option ifname 'lo'
        option proto 'static'
        option ipaddr '127.0.0.1'
        option netmask '255.0.0.0'

config interface 'lan'
        option ifname 'eth1'
        option type 'bridge'
        option _orig_ifname 'eth1 radio0.network1'
        option _orig_bridge 'true'
        option proto 'static'
        option ipaddr '192.168.8.1'
        option netmask '255.255.255.0'
        option disable_ipv6 '1'

config interface 'wan'
        option ifname 'eth0'
        option proto 'dhcp'
        option hostname 'tablet;)'
        option disable_ipv6 '1'

config interface 'tor'
        option proto 'static'
        option ipaddr '172.16.1.1'
        option netmask '255.255.255.0'
        option disable_ipv6 '1'

5. Edit /etc/config/dhcp.

Add the following to the bottom:

config dhcp tor
        option interface    tor
        option start        100
        option limit        150
        option leasetime    1h

6. Edit /etc/config/wireless. The ssid and key below are placeholders; pick your own.

config wifi-device 'radio0'
        option type 'mac80211'
        option path 'platform/ar933x_wmac'
        list ht_capab 'SHORT-GI-20'
        list ht_capab 'SHORT-GI-40'
        list ht_capab 'RX-STBC1'
        list ht_capab 'DSSS_CCK-40'
        option txpower '20'
        option country 'CN'
        option channel 'auto'
        option hwmode '11ng'
        option htmode 'HT20'
        option AMPDULim '50000'

config wifi-iface
        option device 'radio0'
        option network 'tor'
        option mode 'ap'
        option encryption 'psk-mixed'
        option wds '1'
        option uapsd '1'
        option ssid 'default'
        option key 'somepassword'
        option disabled '0'

7. Edit /etc/config/firewall. The 'tor' zone rejects input and forwarding by default and has no forwarding to wan, so the only things a client can reach on the router are DHCP and Tor's own listeners (the DNSPort, TransPort and SocksPort configured in step 9). Anything the redirect rules in step 8 do not catch is rejected rather than routed, which is the fail-closed behaviour you want.

config defaults
        option syn_flood '1'
        option input 'ACCEPT'
        option output 'ACCEPT'
        option forward 'REJECT'
                               
config zone
        option name 'lan'
        list network 'lan'
        option input 'ACCEPT'
        option output 'ACCEPT'
        option forward 'ACCEPT'
                               
config zone
        option name 'wan'
        list network 'wan'
        list network 'wan6'
        option input 'REJECT'
        option output 'ACCEPT'
        option forward 'REJECT'
        option masq '1'        
        option mtu_fix '1'
                          
config zone
        option name 'tor'
        option network 'tor'
        option input 'REJECT'
        option output 'ACCEPT'
        option forward 'REJECT'
        option conntrack '1'   
                            

config rule
        option name 'Allow-Tor-DHCP'
        option src 'tor'            
        option proto 'udp'
        option dest_port '67'
        option target 'ACCEPT'
        option family 'ipv4'  

config rule                         
        option name 'Allow-Tor-DNS' 
        option src 'tor'            
        option proto 'udp'          
        option dest_port '9053'     
        option target 'ACCEPT'      
        option family 'ipv4'        
                                           
config rule                                
        option name 'Allow-Tor-Transparent'
        option src 'tor'                   
        option proto 'tcp'                 
        option dest_port '9040'            
        option target 'ACCEPT'             
        option family 'ipv4'               
                                           
config rule                                
        option name 'Allow-Tor-SOCKS'      
        option src 'tor'                   
        option proto 'tcp'                 
        option dest_port '9050'            
        option target 'ACCEPT'             
        option family 'ipv4'               
                                           
                                           
config rule                                
        option name 'Allow-DHCP-Renew'     
        option src 'wan'                   
        option proto 'udp'                 
        option dest_port '68'              
        option target 'ACCEPT'             
        option family 'ipv4'               
                                           
config rule                                
        option name 'Allow-Ping'           
        option src 'wan'                   
        option proto 'icmp'                
        option icmp_type 'echo-request'    
        option family 'ipv4'               
        option target 'ACCEPT'

config forwarding                          
        option src 'lan'                   
        option dest 'wan'                  
                                           
config include                             
        option path '/etc/firewall.user'        

8. Edit /etc/firewall.user. These two nat rules send DNS (udp/53) from the wifi clients to Tor's DNSPort and every new TCP connection to Tor's TransPort. Other UDP and ICMP are not redirected, so the zone policy from step 7 rejects them instead of leaking them around Tor.

enable_transparent_tor() {
  iptables -t nat -A PREROUTING -i wlan0 -p udp --dport 53 -j REDIRECT --to-ports 9053
  iptables -t nat -A PREROUTING -i wlan0 -p tcp --syn -j REDIRECT --to-ports 9040
}
enable_transparent_tor

9. Edit /etc/tor/torrc

Add the following lines to the bottom. AllowUnverifiedNodes, which turns up in older guides, is obsolete and Tor ignores it, so it is left out. The SocksListenAddress/TransListenAddress/DNSListenAddress options (and the even older SocksBindAddress spelling) are deprecated aliases; the address:port form below means the same thing. Bind every listener to the tor interface address only, never 0.0.0.0, or the lan and wan sides get a Tor proxy too. AutomapHostsOnResolve and VirtualAddrNetwork are what make .onion names work through the DNSPort: Tor answers the lookup with a placeholder address out of 10.192.0.0/10, and a connection to that address arriving on the TransPort is mapped back to the onion service. The port numbers must match the firewall rules in steps 7 and 8.

AutomapHostsOnResolve 1
VirtualAddrNetwork 10.192.0.0/10
SocksPort 172.16.1.1:9050
TransPort 172.16.1.1:9040
DNSPort 172.16.1.1:9053

10. Edit /etc/init.d/tor

Tor would not come up reliably on boot (presumably it starts before the wan link is usable), so I added a sleep to the init script. Note also that the GL.iNet has no battery-backed clock and Tor will not bootstrap if the system time is badly off, so if it still refuses to connect after a reboot, check date before anything else.

        [...]
        sleep 60
        service_start /usr/sbin/tor --PidFile /var/run/tor.pid
        [...]

11. Harden it up a bit. There is a lot more that could be done here, but one cheap step is to turn off IP forwarding in the kernel. Tor's TransPort is a userspace proxy, so the redirected client traffic never needs kernel forwarding; with forwarding off, a mistaken forwarding rule cannot route a client straight out to wan. (The lan-to-wan forwarding from step 7 stops working too, which is fine for a management-only lan.) In /etc/sysctl.conf:

net.ipv4.ip_forward=0
[...]
net.ipv6.conf.default.forwarding=0
net.ipv6.conf.all.forwarding=0

12. Boot it up, connect to the wifi AP and check that you’re using Tor. While you are at it, confirm on the router that sysctl net.ipv4.ip_forward reports 0, and from the client try something the setup should block, such as ping to an Internet host: if it answers, something is getting around Tor.

https://check.torproject.org/
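check.torproject.org only proves that one TCP connection went through Tor. The properties the build above actually relies on (Tor bound to the tor interface only, a tor zone that rejects input and forwarding, no forwarding or extra ACCEPT rule out of that zone, and the two REDIRECT rules pointing at the right ports) are worth checking mechanically before trusting the box. The script below is an added example, not code from the original post, OpenWrt or Tor: run it on the management (lan) side against copies of /etc/config/firewall, /etc/firewall.user and /etc/tor/torrc. It parses the UCI and torrc syntax (both the address:port form and the legacy *ListenAddress form) and returns a list of findings. TOR_IP, WIFI_IF and the sample configs at the bottom, a copy of the tor-relevant parts of steps 7 to 9 plus a deliberately weakened variant, are assumptions constructed for the example.

```python
"""Offline audit of the transparent-Tor router config.  Added example, not code
from the original post, OpenWrt or Tor: run it on the management host against
copies of /etc/config/firewall, /etc/firewall.user and /etc/tor/torrc.  It
reports anything that would let a client on the 'tor' network reach the WAN
other than through Tor's own listeners.  TOR_IP, WIFI_IF and the sample
configs at the bottom are assumptions constructed to mirror the post."""
import re

TOR_IP = "172.16.1.1"   # assumption: the 'tor' interface address Tor must bind to
WIFI_IF = "wlan0"       # assumption: interface the REDIRECT rules match on

def parse_uci(text):
    """UCI 'config <type> [name]' / 'option k v' / 'list k v' -> [(type, name, opts)]."""
    sections = []
    for raw in text.splitlines():
        tok = [t.strip("'\"") for t in re.findall(r"'[^']*'|\"[^\"]*\"|\S+", raw.split("#", 1)[0])]
        if tok and tok[0] == "config":
            sections.append((tok[1], tok[2] if len(tok) > 2 else None, {}))
        elif tok and tok[0] == "option" and sections:
            sections[-1][2][tok[1]] = tok[2] if len(tok) > 2 else ""
        elif tok and tok[0] == "list" and sections:
            sections[-1][2].setdefault(tok[1], []).append(tok[2])
    return sections

def networks(opts):  # 'option network' is a space-separated string, 'list network' a list
    v = opts.get("network", [])
    return v.split() if isinstance(v, str) else v

def parse_torrc(text):
    """'Key value' per line; keys may repeat -> {lowercased key: [values]}."""
    conf = {}
    for line in (l.split("#", 1)[0].strip() for l in text.splitlines()):
        if line:
            key, _, val = line.partition(" ")
            conf.setdefault(key.lower(), []).append(val.strip())
    return conf

def listener(conf, name):
    """(addr, port) of e.g. TransPort, from 'TransPort addr:port' or legacy 'TransPort port' + 'TransListenAddress addr'."""
    vals = conf.get(f"{name}port".lower())
    if not vals:
        return None
    if ":" in vals[0]:
        addr, port = vals[0].rsplit(":", 1)
    else:  # bare port: Tor binds 127.0.0.1 unless a legacy *ListenAddress says otherwise
        addr, port = conf.get(f"{name}listenaddress".lower(), ["127.0.0.1"])[0].split(":")[0], vals[0]
    return addr, int(port)

def audit(firewall_text, firewall_user_text, torrc_text):
    """Return a list of findings; an empty list means the config is fail-closed as intended."""
    findings, fw, tor = [], parse_uci(firewall_text), parse_torrc(torrc_text)
    ports = {n: listener(tor, n) for n in ("Trans", "DNS", "Socks")}
    for name, l in ports.items():
        if l is None and name != "Socks":          # SOCKS is optional, Trans and DNS are not
            findings.append(f"torrc: {name}Port not set")
        elif l and l[0] != TOR_IP:                 # 0.0.0.0 would expose Tor to lan and wan too
            findings.append(f"torrc: {name}Port listens on {l[0]}, expected {TOR_IP}")
    if tor.get("automaphostsonresolve", ["0"])[0] != "1" or "virtualaddrnetwork" not in tor:
        findings.append("torrc: .onion names need AutomapHostsOnResolve 1 and VirtualAddrNetwork")
    zones = [o for t, _, o in fw if t == "zone" and "tor" in networks(o)]
    if not zones:
        findings.append("firewall: no zone contains network 'tor'")
    allowed = {("udp", "67")} | {(p, str(l[1])) for p, l in
               (("udp", ports["DNS"]), ("tcp", ports["Trans"]), ("tcp", ports["Socks"])) if l}
    for z in zones:
        for pol in ("input", "forward"):            # default-deny towards the router and the WAN
            if z.get(pol) != "REJECT":
                findings.append(f"firewall: zone {z.get('name')} {pol}={z.get(pol)!r}, expected REJECT")
        for t, _, o in fw:
            if t == "forwarding" and o.get("src") == z.get("name"):
                findings.append(f"firewall: forwarding {o['src']}->{o.get('dest')} bypasses Tor")
            if t == "rule" and o.get("src") == z.get("name") and o.get("target") == "ACCEPT":
                if o.get("dest") or (o.get("proto"), o.get("dest_port")) not in allowed:
                    findings.append(f"firewall: rule {o.get('name')!r} opens more than DHCP and Tor")
    for proto, match, l in (("udp", "--dport 53", ports["DNS"]), ("tcp", "--syn", ports["Trans"])):
        port = l[1] if l else None
        pat = rf"-t nat -A PREROUTING -i {WIFI_IF} -p {proto} {match} -j REDIRECT --to-ports {port}\b"
        if port is None or not re.search(pat, firewall_user_text):
            findings.append(f"firewall.user: no REDIRECT of {proto} {match} from {WIFI_IF} to {port}")
    return findings

def _rule(name, proto, port):  # builds one UCI rule for the constructed sample below
    return (f"config rule\n option name '{name}'\n option src 'tor'\n option proto '{proto}'\n"
            f" option dest_port '{port}'\n option target 'ACCEPT'\n")

FIREWALL = ("config zone\n option name 'tor'\n option network 'tor'\n option input 'REJECT'\n"   # constructed sample
            " option output 'ACCEPT'\n option forward 'REJECT'\n"
            + _rule("Allow-Tor-DHCP", "udp", 67) + _rule("Allow-Tor-DNS", "udp", 9053)
            + _rule("Allow-Tor-Transparent", "tcp", 9040) + _rule("Allow-Tor-SOCKS", "tcp", 9050)
            + "config forwarding\n option src 'lan'\n option dest 'wan'\n")
FIREWALL_USER = ("iptables -t nat -A PREROUTING -i wlan0 -p udp --dport 53 -j REDIRECT --to-ports 9053\n"
                 "iptables -t nat -A PREROUTING -i wlan0 -p tcp --syn -j REDIRECT --to-ports 9040\n")
TORRC = ("AutomapHostsOnResolve 1\nVirtualAddrNetwork 10.192.0.0/10\n"
         "SocksPort 172.16.1.1:9050\nTransPort 172.16.1.1:9040\nDNSPort 172.16.1.1:9053\n")
WEAK_TORRC = TORRC.replace("172.16.1.1:9040", "0.0.0.0:9040")   # mistake 1: TransPort on every interface
WEAK_FIREWALL = FIREWALL + "config forwarding\n option src 'tor'\n option dest 'wan'\n"  # mistake 2: a way around Tor

if __name__ == "__main__":
    print("post config:", audit(FIREWALL, FIREWALL_USER, TORRC) or "OK, fail-closed")
    print("weakened:   ", audit(WEAK_FIREWALL, FIREWALL_USER, WEAK_TORRC))
```

On a real box, feed it the three files fetched over the lan side (for example with scp) instead of the embedded samples. The audit is deliberately static: it tells you the configuration is fail-closed, not that the running kernel matches it, so still do the ping and ip_forward checks from step 12 after a reboot.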

Mac Mini 1,1 A1176 upgrade (Silverlight sucks)

In 2006, I bought an Intel-based Mac Mini. It had 512MB of RAM, a 1.67GHz Core Duo (T2300) and an 80GB 5400 rpm drive, blah blah blah. Over the years I put in 2GB of RAM, then an SSD. Lately, one of its main functions has been playing Netflix, and it struggled with anything over about 480p. I put in a 2.0GHz Core 2 Duo (T7200) and it still struggles with 480p! This 7-year-old machine can play 20Mb/s 1080p H.264 with VLC or “1080p” HTML5 off YouTube, but not 480p Netflix. Yay Silverlight!

Response to Privacy, Moglen, @ioerror, #rp12

I stumbled across a blog post by Dmytri Kleiner from May of 2012 criticizing a recent speech given by Eben Moglen. You can find the criticism here. For the most part, I agree with the criticism and the conclusion. It’s discouraging and almost ominous.

Practically, it’s becoming increasingly difficult to opt out without some consequence. It’s also difficult, as Moxie Marlinspike says, to “reduce the scope” of your choice to use these platforms.

ASIX AX88772 USB ethernet adapter performance

I’ve always been skeptical of USB ethernet adapters. An old 10Mb adapter I have in my junk box can barely do 1Mb. I have in my hands a D-Link DUB-E100 adapter. It’s supposed to be able to do 100Mb. I was really expecting to expose the sham that is 100Mbit USB Ethernet adapters. Fortunately, I was very wrong and this device works perfectly. There was no appreciable increase in CPU usage in any scenario. Using mpstat, the %irq column essentially stayed at zero for all tests while using the D-Link.


$ lsusb | grep D-Link
Bus 001 Device 016: ID 2001:3c05 D-Link Corp. [hex] DUB-E100 Fast Ethernet [asix]
$ dmesg | grep eth2
[22867.448692] eth2: register 'asix' at usb-0000:00:1d.7-4, ASIX AX88772 USB 2.0 Ethernet


The funniest antijoke ever

A gorilla walks into a bar and asks the bartender for a drink. The bartender finds this very peculiar and realizes he is dreaming. He then wakes up and tells his wife about the ridiculous dream he just had. His wife just ignores him, he rolls over and starts to sob because he knows his marriage is in shambles.

Intel Atom based motherboards. Why bother?

I recently built a small computer because I wanted to make my own wireless AP and I needed more horsepower than the old WRT54GL could provide. I put together a new system using an Intel D510MO motherboard/cpu combo. Then I started doing the math about what this little system cost me. Here is how it works out.

  • Intel D510MO – $80
  • Minibox M350 – $60
  • Pico PSU – $60
  • 1GB RAM – $30
  • 160GB HD – $60
  • Decent minipci-e wireless card – $40
  • Odds and ends – $20

The total here is about $350. What I ended up with is a cute little underpowered PC that, according to my Kill-A-Watt, draws “only” 19W at idle. Compare this to a Dell Mini 10, which hardware-wise is very similar but includes a built-in UPS (battery), keyboard and monitor for about the same price. I could have saved about $50 if I had just used a cheap case instead of the minibox/picopsu combo, but then it would have been ugly.