OpenWRT Tor transparent proxy+bridge
This document gives instructions for setting up, on the OpenWRT platform, a wireless network whose clients are transparently tunneled through Tor. Optionally, the same router can also be configured as a public Tor bridge.
Status of Tor on OpenWRT
Tor is generally well maintained on OpenWRT and relies on community support. For detailed OpenWRT installation and configuration notes, please see OpenWRT_setup_notes.
Hardware requirements
Minimum hardware requirements are:
- 64 MiB RAM (32 MiB is too little: Tor runs out of memory and crashes)
- 32 MiB flash (if your router has less, use a USB stick for storage)
- A reasonably fast CPU (for example, a 700 MHz Atheros CPU is enough to route about 10 Mbps over Tor, but no more)
Buffalo WZR-HP-G300NH
This tutorial targets the Buffalo WZR-HP-G300NH hardware (US / UK / DE variants; see the OpenWRT wiki page for the device), which runs OpenWRT. See the open tickets referenced from the status section above for the current state of support.
Note that the CPU is expected to limit you to roughly 6 Mbps over Tor on this device (still to be measured).
TP-LINK TL-WR1043ND
The TP-LINK TL-WR1043ND is also a good candidate: it has a more powerful CPU than the Buffalo and is a lot cheaper (~60€). Note that only hardware revisions v2.x and v3.x meet the hardware requirements for Tor. Because of the small flash, you must use a USB key for storage.
Re-flashing the stock operating system to something reproducible
At the moment, we're using a stock OpenWRT build (Backfire 10.03.1-rc4) as our router base OS. In the future, we will build our own images, and that build information will be added to this page when it is relevant. The default operating system for the target hardware is either a modified version of DD-WRT (Buffalo) or the stock TP-LINK firmware. For various reasons, we want to reflash the OS to a stock OpenWRT.
Flashing Buffalo with OpenWRT
You have two « easy » options to install OpenWRT on the Buffalo, both described in the OpenWRT wiki, plus a harder fallback:
- using SSH on the stock firmware (modified DD-WRT)
- the alternate method via a vanilla DD-WRT image (see next section)
- the TFTP method (a bit harder)
Alternate buffalo flash method
If SSH cannot be enabled for any reason on the factory DD-WRT, flash the OpenWRT image by first loading a vanilla DD-WRT image.
1. Obtain shell access on the router using a vanilla DD-WRT
Download DD-WRT by typing wzr-hp-g300nh in the search box of the DD-WRT download site and fetching the "Special File for initial flashing." The filename should be something like buffalo_to_ddwrt_webflash-MULTI.bin. Now flash DD-WRT onto the router from the stock web interface and wait for it to boot. Note that this takes a little while, at least a minute. The DIAG LED will be lit, then it will blink, and when it is no longer lit the router is ready for action.
Go to the DD-WRT web interface by browsing to http://192.168.1.1/ (standard user: root, empty password) and enable Telnet management this way: Administration (Tab) -> Management (Tab) -> Remote Access (Group) -> Telnet. Telnet into the router using the same credentials as for the web interface. Since this is a root shell with an empty password over cleartext telnet, do it only over a directly attached ethernet cable on an isolated network, with the router's WAN port unplugged.
Congratulations, you have a shell. Now on to OpenWRT.
2. Once you have a remote shell on the router
Once you have a remote shell and are able to issue commands as root, this is the way to reflash your router (the image is written to the linux partition and -r reboots the router when the write completes):
cd /tmp
wget http://downloads.openwrt.org/backfire/10.03.1-rc4/ar71xx/openwrt-ar71xx-wzr-hp-g300nh-jffs2-sysupgrade.bin
mtd -r write openwrt-ar71xx-wzr-hp-g300nh-jffs2-sysupgrade.bin linux
Flashing TPLINK TL-WR1043ND with OpenWRT
The procedure is detailed in the OpenWRT wiki (it works well with OpenWrt Barrier Breaker 14.07).
Get ready to set up OpenWRT
After flashing your router, it automatically reboots into a fresh OpenWRT that listens on 192.168.1.1 with a password-less telnet root shell. Connect via ethernet (you might have to manually set your interface address to something like 192.168.1.2) to one of the Buffalo's four LAN ports, keeping the WAN port disconnected until a root password is set, and log in via telnet:
telnet 192.168.1.1
and set a new root password:
root@OpenWrt:~# passwd
Changing password for root
New password:
Retype password:
Password for root changed by root
After setting a password, telnet is shut down and an SSH server is started on the router. So log out, log back in via SSH as root, and only then connect the router's WAN port to your home DHCP router for the rest of the setup process.
Update and install packages
Update the package list:
opkg update
Before OpenWRT 11 you had to install the NAT iptables modules yourself (the REDIRECT target used below depends on them). From OpenWRT 11 on they are included, so on OpenWRT 11 or later you can leave out this step:
opkg install iptables-mod-nat iptables-mod-nat-extra
Install Tor:
opkg install tor
The following packages should already be installed; if they are not, install the wireless driver and AP support packages:
opkg update
opkg install kmod-ath9k
opkg install wpad-mini
Configuration
Now reconfigure the wireless network:
cat << 'EOF' > /etc/config/wireless
#
# XXX TODO: We want to ensure the wireless AP has a static MAC
# This will ensure that no GeoIP database of MAC addresses can locate a client
# leaking MAC data.
#
config wifi-device radio0
option type mac80211
option channel 11
option phy phy0
option hwmode 11ng
option htmode HT20
list ht_capab SHORT-GI-40
list ht_capab DSSS_CCK-40
# UNCOMMENT THE NEXT LINE TO KEEP THE RADIO OFF (wifi is enabled as shipped here):
# option disabled 1
config wifi-iface
option device radio0
option network transtor
option mode ap
option ssid 'Transparent Tor'
option encryption none
# see http://outflux.net/geoloc/?mac=00-88-88-88-00-2A+ for the location info associated with this mac addr
option macaddr 00:88:88:88:00:2A
EOF
Configure Tor for transparent proxying (the bridge part is added in the next step). TransPort and DNSPort are bound to 192.168.2.1, the address given to the transtor interface below, so that interface must be up before Tor starts or the bind fails:
cat << 'EOF' > /etc/tor/torrc
# This is a configuration for a Tor bridge on the WAN interface
# and it also runs with a transport to allow for transparent proxying
# on a specific wireless interface.
#
User tor
RunAsDaemon 1
PidFile /var/run/tor.pid
DataDirectory /var/lib/tor
# This is for our transparent network
VirtualAddrNetwork 10.192.0.0/10
AutomapHostsOnResolve 1
TransPort 192.168.2.1:9040
DNSPort 192.168.2.1:9053
# GeoIP for stats
# DO NOT UNCOMMENT THIS LINE UNTIL GEOIP SUPPORT IS CONFIRMED
# GeoIPFile /etc/tor/geoip
EOF
Add the following only if you want to, and can, host a public Tor bridge (optional). It needs TCP port 443 reachable from the Internet on the WAN side:
cat << 'EOF' >> /etc/tor/torrc
# This is our bridge for the world to use
Nickname OpenWRTTorBridge
SocksPort 0
ORPort 443
BridgeRelay 1
ExitPolicy reject *:*
# This is where we rate limit the bridge to something reasonable
RelayBandwidthRate 100 KBytes
RelayBandwidthBurst 200 KBytes
EOF
Add new network interface for Tor wireless network:
cat << 'EOF' >> /etc/config/network
config interface transtor
option ifname "wlan0"
option proto static
option ipaddr 192.168.2.1
option netmask 255.255.255.0
EOF
Update the DHCP config to ensure that DHCP is provided for wireless clients on the transparent Tor wifi network:
cat << 'EOF' >> /etc/config/dhcp
config 'dhcp' 'transtor'
option 'interface' 'transtor'
option 'start' '23'
option 'limit' '250'
option 'leasetime' '12h'
EOF
Update the master firewall config. Rules with a src but no dest match traffic addressed to the router itself (INPUT), which is what we want here: the transparent clients only ever talk to Tor on the router, and forwarding from the transtor zone stays rejected:
cat << 'EOF' >> /etc/config/firewall
#Allow Tor Bridge incoming for censored users
config rule
option src wan
option proto tcp
option dest_port 443
option target ACCEPT
config zone
option name transtor
# no 'network' option: the zone binds the interface of the same name (transtor)
option input REJECT
option output ACCEPT
option forward REJECT
option syn_flood 1
# conntrack is mandatory: the REDIRECT target below relies on NAT state
option conntrack 1
# Allow Transparent clients the ability to DHCP an address.
# This rule has no dest, so it matches the router's INPUT chain only;
# with forward REJECT on the zone, UDP port 67 is never forwarded to the net.
config rule
option src transtor
option proto udp
option dest_port 67
option target ACCEPT
# Tor transparent-proxy-port (set in /etc/tor/torrc)
config rule
option src transtor
option proto tcp
option dest_port 9040
option target ACCEPT
# Tor DNS-proxy-port (set in /etc/tor/torrc)
config rule
option src transtor
option proto udp
option dest_port 9053
option target ACCEPT
EOF
Update the user-supplied iptables rules. The interface name must match the ifname of the transtor interface, and the target ports must match DNSPort and TransPort in /etc/tor/torrc, otherwise client traffic is redirected to a closed port:
cat << 'EOF' >> /etc/firewall.user
# Redirection rules for Transparent Tor
iptables -t nat -A PREROUTING -i wlan0 -p udp --dport 53 -j REDIRECT --to-ports 9053
iptables -t nat -A PREROUTING -i wlan0 -p tcp --syn -j REDIRECT --to-ports 9040
EOF
Re-detect the wireless:
wifi
Reload the network:
/etc/init.d/network reload
Restart the firewall:
/etc/init.d/firewall reload
Enable Tor at boot and start it:
/etc/init.d/tor enable
/etc/init.d/tor start
Now your router should be a Tor bridge with port 443 open to the world on the WAN port. It will also advertise a wireless network with the SSID "Transparent Tor", and any client joining that network will be given an RFC1918 address with all of its TCP and DNS traffic routed through Tor. Any traffic that is unsupported (non-DNS UDP, ICMP, etc.) will be rejected by the router. Note that this hides the client's IP address but not application-level identifiers, so it is no substitute for Tor Browser. If this router is behind a NAT, the required ports will not currently be opened automatically, because the current OpenWRT project does not build Tor with tor-fw-helper.
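The three files written above must agree with each other: the ports Tor opens with TransPort and DNSPort in /etc/tor/torrc, the REDIRECT targets in /etc/firewall.user, and the ACCEPT rules in /etc/config/firewall. The following POSIX sh helpers, an added example that is not part of the original page nor of the Tor or OpenWRT projects, derive the two iptables rules and the two UCI accept stanzas from torrc and check an existing firewall.user against it. The interface name, zone name and file paths are parameters, and the torrc used in the demo is a constructed sample mirroring the page's configuration.

```shell
#!/bin/sh
# Added example: keep /etc/firewall.user and /etc/config/firewall consistent
# with the TransPort/DNSPort lines of /etc/tor/torrc.
# Assumptions: torrc uses "TransPort [addr:]port" / "DNSPort [addr:]port";
# interface, zone and file names are passed in by the caller.

# torrc_port KEY TORRC: print the port of the first uncommented "KEY [addr:]port" line.
torrc_port() {
    awk -v key="$1" '$1 == key { sub(/^.*:/, "", $2); print $2; exit }' "$2"
}

# gen_redirect_rules IFACE TORRC: print the nat PREROUTING rules for firewall.user.
# Fails (status 1) when torrc does not define both ports.
gen_redirect_rules() {
    iface=$1
    dns=$(torrc_port DNSPort "$2")
    trans=$(torrc_port TransPort "$2")
    if [ -z "$dns" ] || [ -z "$trans" ]; then
        echo "error: $2 must set both DNSPort and TransPort" >&2
        return 1
    fi
    printf '%s\n' \
        "iptables -t nat -A PREROUTING -i $iface -p udp --dport 53 -j REDIRECT --to-ports $dns" \
        "iptables -t nat -A PREROUTING -i $iface -p tcp --syn -j REDIRECT --to-ports $trans"
}

# gen_uci_accept_rules ZONE TORRC: print the /etc/config/firewall stanzas that let
# redirected packets reach Tor on the router (after REDIRECT they hit INPUT).
gen_uci_accept_rules() {
    zone=$1
    dns=$(torrc_port DNSPort "$2")
    trans=$(torrc_port TransPort "$2")
    [ -n "$dns" ] && [ -n "$trans" ] || return 1
    printf '%s\n' \
        "config rule" "	option src $zone" "	option proto tcp" \
        "	option dest_port $trans" "	option target ACCEPT" \
        "config rule" "	option src $zone" "	option proto udp" \
        "	option dest_port $dns" "	option target ACCEPT"
}

# check_redirect_rules IFACE TORRC FIREWALL_USER: status 0 only if every rule that
# gen_redirect_rules derives from TORRC appears verbatim in FIREWALL_USER.
check_redirect_rules() {
    rules=$(gen_redirect_rules "$1" "$2") || return 1
    fw=$3
    printf '%s\n' "$rules" | while IFS= read -r rule; do
        grep -qxF -- "$rule" "$fw" || { echo "missing in $fw: $rule" >&2; exit 1; }
    done
}

# Stand-alone demo on a constructed torrc (not the router's real files).
demo() {
    tmp=$(mktemp -d)
    printf '%s\n' 'User tor' '# TransPort 127.0.0.1:1' \
        'TransPort 192.168.2.1:9040' 'DNSPort 192.168.2.1:9053' > "$tmp/torrc"
    gen_redirect_rules wlan0 "$tmp/torrc" > "$tmp/firewall.user"
    cat "$tmp/firewall.user"
    gen_uci_accept_rules transtor "$tmp/torrc"
    check_redirect_rules wlan0 "$tmp/torrc" "$tmp/firewall.user" \
        && echo "firewall.user matches torrc"
    rm -rf "$tmp"
}
demo
```

On the router, point the functions at the real files (for example `check_redirect_rules wlan0 /etc/tor/torrc /etc/firewall.user`) after every change to torrc; a non-zero status means a client would be redirected to a port Tor is not listening on.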
Disk Space Problems
If Tor crashes because it runs out of disk space (flash being so small), add the following to /etc/tor/torrc; it also reduces wear on the flash:
AvoidDiskWrites 1