Tor Transparent Proxy On A GL - Inet Router

This document provides instructions for configuring a GL.iNet router to act as a transparent Tor proxy. Key steps include:

1. Flashing the router with OpenWrt and installing Tor
2. Configuring the router interfaces, DHCP, wireless access point, and firewall rules
3. Editing the Tor configuration file to enable transparent proxying and configure ports
4. Adding scripts to redirect traffic to the Tor proxy on boot

Devices that connect to the wireless network will have their internet traffic automatically routed over the Tor network without any additional configuration.

Uploaded by

dennis
Tor transparent proxy on a GL.iNet router

The assumption in the story is that the user is using the same computer with the Tor proxy as he/she uses
day-to-day. Do not do this. The device you use with a Tor router should be used ONLY on the Tor proxy.

https://rednerd.com/2014/10/16/tor-transparent-proxy-on-a-gl-inet-router/ 1/7
We’re going to configure the router like so:

“wan” will be configured with dhcp. Plug this into a place where you can get internet.
“lan” will be used for management and configuration only. I picked 192.168.8.0/24 for this.
“wlan0” will be the wifi access point where the devices you want to use with Tor will connect.

1. Get a router from the Internet. I ordered from this seller: http://www.dx.com/p/gl-inet-6416a-micro-usb-powered-smart-router-w-16m-rom-white-335418 (Fun fact: it shipped from The Netherlands). Make sure you get a model 6416A.

2. Flash it with OpenWrt 14.07

https://downloads.openwrt.org/barrier_breaker/14.07/ar71xx/generic/openwrt-ar71xx-generic-gl-inet-v1-squashfs-factory.bin

More information here: http://wiki.openwrt.org/toh/gl-inet/gl-inet

3. Install Tor

root@OpenWrt:~# opkg update
Downloading http://downloads.openwrt.org/barrier_breaker/14.07/ar71xx/generic/packages/bas
[...]
root@OpenWrt:~# opkg install tor-alpha tor-alpha-fw-helper tor-alpha-geoip
[...]
root@OpenWrt:~# /etc/init.d/tor enable

There will probably be a few dependencies installed also.

4. Edit /etc/config/network

config interface 'loopback'
    option ifname 'lo'
    option proto 'static'
    option ipaddr '127.0.0.1'
    option netmask '255.0.0.0'

config interface 'lan'
    option ifname 'eth1'
    option type 'bridge'
    option _orig_ifname 'eth1 radio0.network1'
    option _orig_bridge 'true'
    option proto 'static'
    option ipaddr '192.168.8.1'
    option netmask '255.255.255.0'
    option disable_ipv6 '1'

config interface 'wan'
    option ifname 'eth0'
    option proto 'dhcp'
    option hostname 'tablet;)'
    option disable_ipv6 '1'

config interface 'tor'
    option proto 'static'
    option ipaddr '172.16.1.1'
    option netmask '255.255.255.0'
    option disable_ipv6 '1'

5. Edit /etc/config/dhcp.

Add the following to the bottom:

config dhcp tor
    option interface tor
    option start 100
    option limit 150
    option leasetime 1h

6. Edit /etc/config/wireless

config wifi-device 'radio0'
    option type 'mac80211'
    option path 'platform/ar933x_wmac'
    list ht_capab 'SHORT-GI-20'
    list ht_capab 'SHORT-GI-40'
    list ht_capab 'RX-STBC1'
    list ht_capab 'DSSS_CCK-40'
    option txpower '20'
    option country 'CN'
    option channel 'auto'
    option hwmode '11ng'
    option htmode 'HT20'
    option AMPDULim '50000'

config wifi-iface
    option device 'radio0'
    option network 'tor'
    option mode 'ap'
    option encryption 'psk-mixed'
    option wds '1'
    option uapsd '1'
    option ssid 'default'
    option key 'somepassword'
    option disabled '0'

7. Edit /etc/config/firewall

config defaults
    option syn_flood '1'
    option input 'ACCEPT'
    option output 'ACCEPT'
    option forward 'REJECT'

config zone
    option name 'lan'
    list network 'lan'
    option input 'ACCEPT'
    option output 'ACCEPT'
    option forward 'ACCEPT'

config zone
    option name 'wan'
    list network 'wan'
    list network 'wan6'
    option input 'REJECT'
    option output 'ACCEPT'
    option forward 'REJECT'
    option masq '1'
    option mtu_fix '1'

config zone
    option name 'tor'
    option network 'tor'
    option input 'REJECT'
    option output 'ACCEPT'
    option forward 'REJECT'
    option conntrack '1'

config rule
    option name 'Allow-Tor-DHCP'
    option src 'tor'
    option proto 'udp'
    option dest_port '67'
    option target 'ACCEPT'
    option family 'ipv4'

config rule
    option name 'Allow-Tor-DNS'
    option src 'tor'
    option proto 'udp'
    option dest_port '9053'
    option target 'ACCEPT'
    option family 'ipv4'

config rule
    option name 'Allow-Tor-Transparent'
    option src 'tor'
    option proto 'tcp'
    option dest_port '9040'
    option target 'ACCEPT'
    option family 'ipv4'

config rule
    option name 'Allow-Tor-SOCKS'
    option src 'tor'
    option proto 'tcp'
    option dest_port '9050'
    option target 'ACCEPT'
    option family 'ipv4'

config rule
    option name 'Allow-DHCP-Renew'
    option src 'wan'
    option proto 'udp'
    option dest_port '68'
    option target 'ACCEPT'
    option family 'ipv4'

config rule
    option name 'Allow-Ping'
    option src 'wan'
    option proto 'icmp'
    option icmp_type 'echo-request'
    option family 'ipv4'
    option target 'ACCEPT'

config forwarding
    option src 'lan'
    option dest 'wan'

config include
    option path '/etc/firewall.user'

8. Edit /etc/firewall.user

enable_transparent_tor() {
    iptables -t nat -A PREROUTING -i wlan0 -p udp --dport 53 -j REDIRECT --to-ports 9053
    iptables -t nat -A PREROUTING -i wlan0 -p tcp --syn -j REDIRECT --to-ports 9040
}
enable_transparent_tor

9. Edit /etc/tor/torrc

Add the following lines to the bottom

AllowUnverifiedNodes middle,rendezvous
AutomapHostsOnResolve 1
SocksPort 9050
SocksBindAddress 172.16.1.1:9050
VirtualAddrNetwork 10.192.0.0/10
TransPort 9040
TransListenAddress 172.16.1.1
DNSPort 9053
DNSListenAddress 172.16.1.1

10. Edit /etc/init.d/tor

I needed to add a sleep to the init script so Tor would start on boot.

[...]
sleep 60
service_start /usr/sbin/tor --PidFile /var/run/tor.pid
[...]

11. Harden it up a bit. There is probably a lot that could be done here. For example, it’s a good idea to turn off IP forwarding. In /etc/sysctl.conf:

net.ipv4.ip_forward=0
[...]
net.ipv6.conf.default.forwarding=0
net.ipv6.conf.all.forwarding=0

12. Boot it up, connect to the wifi AP and check if you’re using Tor.
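
A consistency check for the steps above, added here as an example and not part of the original post: it cross-checks the step 8 REDIRECT rules against the step 9 torrc ports, because a mismatch sends client traffic to a port where Tor is not listening. The function names and the sample input are constructed for illustration, and it assumes the rule text comes from `iptables-save -t nat`.

```sh
#!/bin/sh
# Added example: confirm the NAT redirects (step 8) land on Tor's listeners (step 9).
# On the router: audit "$(cat /etc/tor/torrc)" "$(iptables-save -t nat)"

# torrc_port TORRC_TEXT OPTION -> port set for OPTION (last occurrence wins;
# the address:port form is accepted too)
torrc_port() {
    printf '%s\n' "$1" |
        awk -v opt="$2" '$1 == opt { n = split($2, a, ":"); p = a[n] } END { print p }'
}

# redirect_port NAT_TEXT PROTO MATCH -> --to-ports of the first wlan0 PREROUTING
# REDIRECT rule for PROTO whose text also contains MATCH
redirect_port() {
    printf '%s\n' "$1" | grep -e '-A PREROUTING -i wlan0' | grep -e "-p $2 " |
        grep -e "$3" | sed -n 's/.*-j REDIRECT --to-ports \([0-9][0-9]*\).*/\1/p' |
        head -n 1
}

# audit TORRC_TEXT NAT_TEXT -> returns 0 if both redirects match, 1 otherwise
audit() {
    rc=0
    trans=$(torrc_port "$1" TransPort)
    dns=$(torrc_port "$1" DNSPort)
    tcp_to=$(redirect_port "$2" tcp '-j REDIRECT')
    udp_to=$(redirect_port "$2" udp '--dport 53 ')
    if [ -z "$trans" ] || [ "$tcp_to" != "$trans" ]; then
        echo "TCP redirect '$tcp_to' does not match TransPort '$trans'"; rc=1
    fi
    if [ -z "$dns" ] || [ "$udp_to" != "$dns" ]; then
        echo "DNS redirect '$udp_to' does not match DNSPort '$dns'"; rc=1
    fi
    return "$rc"
}

# Constructed sample input using the values from steps 8 and 9.
SAMPLE_TORRC='TransPort 9040
TransListenAddress 172.16.1.1
DNSPort 9053
DNSListenAddress 172.16.1.1'
SAMPLE_NAT='*nat
-A PREROUTING -i wlan0 -p udp -m udp --dport 53 -j REDIRECT --to-ports 9053
-A PREROUTING -i wlan0 -p tcp -m tcp --tcp-flags FIN,SYN,RST,ACK SYN -j REDIRECT --to-ports 9040
COMMIT'

audit "$SAMPLE_TORRC" "$SAMPLE_NAT" && echo "redirects match torrc"
```
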
