Status of Tor on OpenWRT

Tor is generally well maintained on OpenWRT and it relies on community support. For detailed OpenWRT install and configuation, please see OpenWRT_setup_notes


We investigated the (Buffalo WZR-HP-G300NH (US) / Buffalo WZR-HP-G300NH (UK) / Buffalo WZR-HP-G300NH (DE) / OpenWRT wiki) hardware. See the open tickets in the Status section below for current state. This runs OpenWRT.

Re-flashing the stock operating system to something reproducible

At the moment, we're using a stock OpenWRT (backfire 10.03.1-rc4) build as our router base OS. In the future, we will build our own images and that build information will be added to this page when it is relevant. The default operating system for the target hardware platform is a modified version of DD-WRT--for various reasons, we want to reflash the OS to a stock OpenWRT.

Reflash Method 1

It's possible to use the factory DD-WRT image to load the firmware, if you can enable SSH:

Setup a (root) password for the factory DD-WRT image

Enable SSH via the Services -> Services page. Save, Apply and then reboot the router.

Download the OpenWRT image here and copy it over:

scp openwrt-ar71xx-wzr-hp-g300nh-jffs2-sysupgrade.bin root@

Install the image:

ssh root@ 
cd /tmp 
mtd -r write openwrt-ar71xx-wzr-hp-g300nh-jffs2-sysupgrade.bin linux

Wait for the device to reboot itself. Note that this takes a little while, at least a minute. The DIAG LED will be lit, then it will blink, and when it's not lit the router is ready for action.

Reflash Method 2

If SSH cannot be enabled for any reason on the factory DD-WRT, FLASH the new OpenWRT image by first loading a vanilla DD-WRT image.

1. Obtain shell access on the router using a vanilla DD-WRT

Download DD-WRT from here by typing wzr-hp-g300nh in the search box and downloading the "Special File for initial flashing." The filename should be something like buffalo_to_ddwrt_webflash-MULTI.bin. Now, flash DD-WRT on to the router from the stock web interface, and wait for it to boot. Note that this takes a little while, at least a minute. The DIAG LED will be lit, then it will blink, and when it's not lit the router is ready for action.

Go to the DD-WRT web interface by browsing to (standard user: root, pw empty) and enable Telnet management this way: Administration (Tab) -> Management (Tab) -> Remote Access (Group) -> Telnet. Telnet into the router using the same credentials as for the web interface.

Congratulations, you have a shell. Now on to OpenWRT.

2. Once you have a remote shell on the router

Once you have a remote shell and are able to issue commands as root, this is the way to reflash your router:

  cd /tmp
  mtd -r write openwrt-ar71xx-wzr-hp-g300nh-jffs2-sysupgrade.bin linux

Once you have reflashed the router, we'll move on to installing packages and finally to configuring it to meet our desired functionality. Please ensure that you set a password on the router after it has finished rebooting.

If the reflashing doesn't easily work - it may be worth reading about the Japanese variant of this router.

Get ready to set up OpenWRT

After flashing with the mtr command, the router automatically reboots into a mint OpenWRT that listens on with a password-less telnet root shell. Connect via ethernet (you might have to manually set your interface address to something like to one of the Buffalo's four LAN ports,

log in via telnet:


and set a new root password:

root@OpenWrt:~# passwd
Changing password for root
New password:
Retype password:
Password for root changed by root

After setting a password, telnet shuts down and an SSH server starts on the router. So log out, log back via SSH as root, and connect the router's WAN port to your home DHCP router for the rest of the setup process.

Update and install packages

Update the package list:

  opkg update

Before OpenWRT 11 you had to install the proper iptables packages. Now they are included, so if you are on OpenWRT 11 you can leave out this step:

  opkg install iptables-mod-nat iptables-mod-nat-extra

Install Tor:

  opkg install tor

These packages should be installed but if they're not - install wireless driver and AP support packages:

  opkg update
  opkg install kmod-ath9k
  opkg install wpad-mini


Now reconfigure the wireless network:

cat << 'EOF' > /etc/config/wireless

# XXX TODO: We want to ensure the wireless AP has a static MAC
# This will ensure that no GeoIP database of MAC addresses can locate a client
# leaking MAC data.
config wifi-device  radio0
    option type     mac80211
    option channel  11
    option phy phy0
    option hwmode   11ng
    option htmode   HT20
    list ht_capab   SHORT-GI-40
    list ht_capab   DSSS_CCK-40
    # option disabled 1

config wifi-iface
    option device    radio0
    option network   transtor
    option mode    ap
    option ssid    'Transparent Tor'
    option encryption none
    option macaddr 00:88:88:88:00:2A # see for the location info associated with this mac addr


Configure Tor as a bridge:

cat << 'EOF' > /etc/tor/torrc
# This is a configuration for a Tor bridge on the WAN interface
# and it also runs with a transport to allow for transparent proxying
# on a specific wireless interface.
User tor
RunAsDaemon 1
PidFile /var/run/
DataDirectory /var/lib/tor

# This is our bridge for the world to use
Nickname OpenWRTTorBridge
SocksPort 0
ORPort 443
BridgeRelay 1
Exitpolicy reject *:*

# This is for our transparent network
AutomapHostsOnResolve 1
TransPort 9040
DNSPort 9053

# This is where we rate limit the bridge to something reasonable
RelayBandwidthRate 100 KBytes
RelayBandwidthBurst 200 KBytes

# GeoIP for stats       
# GeoIPFile /etc/tor/geoip

Add new network interface for Tor wireless network:

cat << 'EOF' >> /etc/config/network

config interface transtor
        option ifname   "wlan0"
        option proto    static
        option ipaddr
        option netmask


Update the DHCP config to ensure that DHCP is provided for wireless clients on the transparent Tor wifi network:

cat << 'EOF' >> /etc/config/dhcp

config 'dhcp' 'transtor'
    option 'interface' 'transtor'
    option 'start' '23'
    option 'limit' '250'
    option 'leasetime' '12h'

Update the master firewall config:

cat << 'EOF' >> /etc/config/firewall

#Allow Tor Bridge incoming for censored users
config rule
        option src wan
        option proto tcp
        option dest_port 443
        option target ACCEPT

config zone
        option name     transtor
        option input    REJECT
        option output   ACCEPT
        option forward  REJECT
        option syn_flood 1
        option conntrack 1 #this setting is mandatory

# Allow Transparent clients the ability to DHCP an address
# XXX TODO: Audit this to ensure it doesn't leak UDP port 67 to the net!
config rule
        option src              transtor
        option proto            udp
        option dest_port        67
        option target           ACCEPT
# Tor transparent-proxy-port (set in /etc/tor/torrc)
config rule
        option src              transtor
        option proto            tcp
        option dest_port        9040
        option target           ACCEPT
# Tor DNS-proxy-port (set in /etc/tor/torrc)
config rule
        option src              transtor
        option proto            udp
        option dest_port        9053
        option target           ACCEPT

Update the user supplied iptables rules:

cat << 'EOF' >> /etc/firewall.user

# Redirection rules for Transparent Tor
iptables -t nat -A PREROUTING -i wlan0 -p udp --dport 53 -j REDIRECT --to-ports 9053
iptables -t nat -A PREROUTING -i wlan0 -p tcp --dport ! 53 --syn -j REDIRECT --to-ports 9040


Re-detect the wireless:


Reload the network:

/etc/init.d/network reload

Restart the firewall:

  /etc/init.d/firewall reload

Start Tor:

  /etc/init.d/tor start

Now your router should be a Tor bridge with port 443 open to the world on the WAN port. It will also advertise a wireless network with the SSID "Transparent Tor" and any client joining that network will be given an RFC1918 address with all of their traffic being routed through Tor. Any traffic that is unsupported (non-DNS UDP, ICMP, etc) will be rejected by the router. If this router is behind a NAT, we will not currently open the required ports as the current OpenWRT project does not build with tor-fw-helper.

Disk Space Problems

If you run into problems where tor crashes due to the lack of disk space (flash being so small) add the following into /etc/tor/torrc:

  AvoidDiskWrites 1
Last modified 8 months ago Last modified on Oct 4, 2014 7:24:14 AM