Opened 8 years ago

Closed 7 years ago

#2370 closed enhancement (invalid)

Torouter basic Web UI for OpenWRT

Reported by: cyphunk
Owned by: ioerror
Priority: Medium
Milestone:
Component: Archived/Torouter
Version:
Severity:
Keywords: openwrt, torouter
Cc: ioerror
Actual Points:
Parent ID:
Points:
Reviewer:
Sponsor:

Description

Started building a Torouter GUI for OpenWRT. See attached source files and screenshot. This is just the first step in integrating with the OpenWRT config schema (/etc/config/*). 

The UI should use common OpenWRT practices such as depending on /etc/config/torouter so that the UI model and uci configuration model are seamless. The UI will also need to edit the /etc/firewall.user and /etc/config/firewall sections relevant to torouter.

To modify the /etc/tor/torrc the init script /etc/init.d/torouter is used. This script uses /etc/config/torouter values to determine defined interface and firewall zone. At the moment it only modifies /etc/firewall.user. This should be extended to integrate with /etc/config/firewall as well. OR, maybe we leave the firewall rules to some installation script?

Attachments (4)

torouter_ui.tar (20.0 KB) - added by cyphunk 8 years ago.
The OpenWRT UI files and scripts to integrate torrc, firewall cfg's
torouter_openwrt_ui.png (159.2 KB) - added by cyphunk 8 years ago.
Torouter OpenWRT UI Screenshot
torgui_openwrt.tgz (106.6 KB) - added by fermenthor 8 years ago.
Tor LuCI package for OpenWRT buildroot
tor_openwrt.tgz (4.6 KB) - added by fermenthor 8 years ago.
Tor package for OpenWRT buildroot

Change History (17)

Changed 8 years ago by cyphunk

Attachment: torouter_ui.tar added

The OpenWRT UI files and scripts to integrate torrc, firewall cfg's

Changed 8 years ago by cyphunk

Attachment: torouter_openwrt_ui.png added

Torouter OpenWRT UI Screenshot

comment:1 Changed 8 years ago by cyphunk

contents of .tar:

./etc/config/torouter
./etc/init.d/torouter
./usr/lib/lua/luci/controller/admin/torouter.lua
./usr/lib/lua/luci/model/cbi/admin_torouter/torouter.lua

comment:2 Changed 8 years ago by ioerror

How do you think we should modify the Tor packages?

Perhaps we want to add this UI to them as a patch?

comment:3 in reply to:  2 Changed 8 years ago by cyphunk

Patch sounds fine. Full firewall rule setup/integration needs to be completed in the UI before this. Maybe I can do this in the next week.

comment:4 Changed 8 years ago by phobos

Summary: Torouter basic Web UI → Torouter basic Web UI for OpenWRT

comment:5 Changed 8 years ago by fermenthor

I've made quite a few changes. The project is split into two packages for OpenWRT buildroot (because not everybody runs LuCI, but they can be easily merged by putting the files together and making a small change to Makefile):

  1. tor_openwrt.tgz - this is simply making Tor work correctly on OpenWRT and use its features like uci configuration instead of its own torrc. The main differences between this and cyphunk's original submission are:
  • Makefile to use in buildroot;
  • Tor configuration specifies which zones to use for the proxy (instead of a single interface);
  • No torrc is created when Tor starts - all options are passed on command line (maybe Tor should be patched to use /etc/config/tor as its config file?);
  • /etc/init.d/tor calls the configuration script, so everything is restarted correctly;
  • /etc/firewall.user is not used - instead, both firewall and tor call /etc/tor/firewall.sh on their restarts;
  • secret_id_key is stored in persistent /etc/tor/var/ .
  2. torgui_openwrt.tgz - a collection of pages for LuCI
  • "Basic" specifies the proxied zone and turns the relay/bridge on/off;
  • "Exceptions" specifies which traffic not to proxy;
  • "Torrc" has the same options as the original Tor configuration file - all these options will be passed to the process as-is (easily extended by editing torrc.lua);
  • Tor Status page shows the current circuits, network status, bandwidth and flags for each connected country if the bridge is on;
  • Save & Apply button does restart Tor.

comment:6 in reply to:  5 ; Changed 8 years ago by ioerror

Replying to fermenthor:

I've made quite a few changes. The project is split into two packages for OpenWRT buildroot (because not everybody runs LuCI, but they can be easily merged by putting the files together and making a small change to Makefile):

  1. tor_openwrt.tgz - this is simply making Tor work correctly on OpenWRT and use its features like uci configuration instead of its own torrc. The main differences between this and cyphunk's original submission are:
  • Makefile to use in buildroot;

OK.

  • Tor configuration specifies which zones to use for the proxy (instead of a single interface);

In Tor? Or in OpenWRT's firewalling setup?

  • No torrc is created when Tor starts - all options are passed on command line (maybe Tor should be patched to use /etc/config/tor as its config file?);

Tor can simply be passed the config file as a startup option with '-f /etc/config/tor'

  • /etc/init.d/tor calls the configuration script, so everything is restarted correctly;
  • /etc/firewall.user is not used - instead, both firewall and tor call /etc/tor/firewall.sh on their restarts;

What are the practical differences here? Why not integrate the changes into the main /etc/firewall.user file?

  • secret_id_key is stored in persistent /etc/tor/var/ .

That's a good idea.

  2. torgui_openwrt.tgz - a collection of pages for LuCI
  • "Basic" specifies the proxied zone and turns the relay/bridge on/off;
  • "Exceptions" specifies which traffic not to proxy;
  • "Torrc" has the same options as the original Tor configuration file - all these options will be passed to the process as-is (easily extended by editing torrc.lua);
  • Tor Status page shows the current circuits, network status, bandwidth and flags for each connected country if the bridge is on;
  • Save & Apply button does restart Tor.

Nice.

Do you want to integrate this into the tor-alpha package on OpenWRT and upload it as a patch? We can simply make the new tor-alpha package depend on LuCI if we want...

comment:7 in reply to:  6 Changed 8 years ago by fermenthor

Replying to ioerror:

  • Tor configuration specifies which zones to use for the proxy (instead of a single interface);

In Tor? Or in OpenWRT's firewalling setup?

In /etc/config/tor - toroptions.sh creates TransListenAddress parameters for all interfaces in the specified zone; firewall.sh creates iptables entries for these zones (which is very easy since firewall operates on zones). And I do think that all iptables related options would be handled by the firewall process, but I had a few problems with it. I'll look at it more.

  • No torrc is created when Tor starts - all options are passed on command line (maybe Tor should be patched to use /etc/config/tor as its config file?);

Tor can simply be passed the config file as a startup option with '-f /etc/config/tor'

Yes, but /etc/config/tor is in the uci format to make it compatible with the rest of the configuration system. So by patching tor, I mean make it read options from that kind of a file instead of using wrappers (toroptions.sh).

  • /etc/firewall.user is not used - instead, both firewall and tor call /etc/tor/firewall.sh on their restarts;

What are the practical differences here? Why not integrate the changes into the main /etc/firewall.user file?

Originally, I did have it in firewall.user but decided to use a separate file because, if there are more processes trying to modify contents of firewall.user, it would be a mess. My solution simply drops a static script and uses the uci interface to tell the firewall to run it.

Do you want to integrate this into the tor-alpha package on OpenWRT and upload it as a patch? We can simply make the new tor-alpha package depend on LuCI if we want...

Yes, we should check it in under the alpha package. Did you decide that we should not have a separate torgui package? In that case, there's no reason to depend on LuCI. It will work just fine without the UI and be configurable by command line uci tools like the rest of the system (though it will just install a few unnecessary lua files).

Note that I used the country flag icons from Vidalia - I wonder if it requires a special copyright notice.

comment:8 Changed 8 years ago by soma

Hi,
this looks like an interesting development so far. Many users of our freifunk communities were asking for an easy setup of tor (most ask for transparent proxy). I have to admit I didn't look at the files yet, but some suggestions right now:

  • put the advanced firewall rules (thinking of policy routing) for tor in /etc/firewall.tor and include that file via /etc/config/firewall. Simple rules (like opening ports and stuff) should directly go to /etc/config/firewall.
  • imo it would be good to split these packages:
      • make tor package on openwrt run with a config from /etc/config/tor. Using an init-script for that sounds good to me. Patches for that should go to openwrt directly
      • make an optional package luci-app-tor which will let the user do the settings in the gui. When finished, send it to the luci-devs to be included in the official luci repo

I will test the package soon and then probably be back with more suggestions.

comment:9 Changed 8 years ago by soma

Guys, very nice work. It worked out of the box. And my setup is a bit more complicated than the default. Found a bug (#2765) while playing with it, but it's unrelated to your packages. I don't have many suggestions right now, maybe those:

  • log output should be configurable and per default be "warning syslog"
  • restart of the services at applying in the webinterface doesn't work for me
  • use tabs for the tor config in basics (especially if you plan to add more expert options). For a really nice example have a look at the olsr admin pages or dnsmasq page.

Changed 8 years ago by fermenthor

Attachment: torgui_openwrt.tgz added

Tor LuCI package for OpenWRT buildroot

comment:10 Changed 8 years ago by fermenthor

Replying to soma:

  • put the advanced firewall rules (thinking of policy routing) for tor in /etc/firewall.tor and include that file via /etc/config/firewall. Simple rules (like opening ports and stuff) should directly go to /etc/config/firewall.

That is how it works except the script is /etc/tor/firewall.sh and all tor rules are in there - otherwise we need to specify certain options twice (ex. firewall: allow OR port, tor: bind OR port) which might be okay.

  • imo it would be good to split these packages:
      • make tor package on openwrt run with a config from /etc/config/tor. Using an init-script for that sounds good to me. Patches for that should go to openwrt directly
      • make an optional package luci-app-tor which will let the user do the settings in the gui. When finished, send it to the luci-devs to be included in the official luci repo

That's how other applications are set up so I agree this would be consistent.

Replying to soma:

Found a bug (#2765) while playing with it, but it's unrelated to your packages.

Frankly, I did not pay attention to aliases. I've fixed this by binding the DNS port only on the primary IP of the interface instead of 0.0.0.0. This makes the address translation work correctly.

  • log output should be configurable and per default be "warning syslog"

Added to the luci torrc page. All you have to do for a new option is to add an entry in torrc.lua. Someone with a lot of time on their hands should add all the possible tor options.

  • restart of the services at applying in the webinterface doesn't work for me

Works here. Do you have a correct tor entry in /etc/config/ucitrack ? It should have been added by postinst.

  • use tabs for the tor config in basics (especially if you plan to add more expert options). For a really nice example have a look at the olsr admin pages or dnsmasq page.

This will definitely be useful when we add all possible tor options to the torrc page and split it into client|relay|dir|etc

I've updated the files today.
Thanks for testing!
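
The zone handling described in comment:7 (listener options per interface, firewall entries per zone) together with the primary-IP binding from comment:10 can be sketched as below. This is an added example, not code from the attached packages: the function names, port numbers and the "iface ip" input format are assumptions, and the iptables commands are printed rather than executed.

```shell
#!/bin/sh
# Added example, not taken from the ticket's attachments. Port numbers, the
# "iface ip" input format and all function names are assumptions.
TRANS_PORT=9040   # assumed TransPort
DNS_PORT=9053     # assumed DNSPort

# Values come from a web form and end up on a command line, so accept only
# plain interface names and dotted-quad IPv4 addresses.
valid_iface() { case "$1" in ''|-*|*[!A-Za-z0-9_.-]*) return 1;; esac; }
valid_ipv4() {
    case "$1" in ''|*[!0-9.]*|*..*|.*|*.) return 1;; esac
    old_ifs=$IFS; IFS=.; set -- $1; IFS=$old_ifs
    [ $# -eq 4 ] || return 1
    for o in "$@"; do [ ${#o} -le 3 ] && [ "$o" -le 255 ] || return 1; done
}

# stdin: one "iface primary_ip" line per interface of the proxied zone.
# stdout: tor options binding the listeners to each primary address, not 0.0.0.0.
tor_listen_args() {
    args="--TransPort $TRANS_PORT --DNSPort $DNS_PORT"
    while read -r iface ip; do
        valid_iface "$iface" && valid_ipv4 "$ip" || continue
        args="$args --TransListenAddress $ip:$TRANS_PORT"
        args="$args --DNSListenAddress $ip:$DNS_PORT"
    done
    printf '%s\n' "$args"
}

# stdout: iptables commands, printed rather than executed (dry run).
fw_rules() {
    while read -r iface ip; do
        valid_iface "$iface" && valid_ipv4 "$ip" || continue
        pre="iptables -t nat -A PREROUTING -i $iface"
        echo "$pre -p udp --dport 53 -j REDIRECT --to-ports $DNS_PORT"
        echo "$pre -d $ip -j RETURN"   # keep the router's own services reachable
        echo "$pre -p tcp --syn -j REDIRECT --to-ports $TRANS_PORT"
    done
}

# Constructed sample zone; the last two lines are malformed and get dropped.
SAMPLE='br-lan 192.168.1.1
wlan0 10.0.0.1
bad;name 192.168.2.1
wlan1 10.0.0.999'
printf '%s\n' "$SAMPLE" | tor_listen_args
printf '%s\n' "$SAMPLE" | fw_rules
```

Redirecting UDP port 53 alongside TCP matters here: a transparent proxy that forwards only TCP leaves client DNS lookups outside Tor.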

Changed 8 years ago by fermenthor

Attachment: tor_openwrt.tgz added

Tor package for OpenWRT buildroot

comment:11 Changed 8 years ago by fermenthor

I've updated the tor file to build with 0.2.2.25-alpha and not to include the geoip file since it has its own package.

comment:12 in reply to:  11 Changed 7 years ago by ioerror

Replying to fermenthor:

I've updated the tor file to build with 0.2.2.25-alpha and not to include the geoip file since it has its own package.

Awesome - is there any way that we can merge this into the actual package in svn?

comment:13 Changed 7 years ago by ioerror

Resolution: invalid
Status: new → closed

It looks like we're not going to progress further on this - someone should take the code from this ticket and use it for OpenWRT.