wiki:doc/Torouter/OpenWRT_setup_notes

The following are notes for varying methods of setup and modifications to the Torouter installation on a Buffalo WZR-HP-G300NH (UK). This setup differs in that we will use an existing wireless network as our upstream internet provider. The following diagram describes the network topology (network SSIDs in grey):

(network topology diagram; original image: https://chart.googleapis.com/chart)

"Upstream" should be changed to the SSID of an existing wireless network. The "OpenWrt" network address range (192.168.1.0/10) and "Transparent Tor" network address range (10.192.0.0/10) are set with the assumption that they do not conflict with the "Upstream" network address.

Installing the OpenWRT image

To copy the OpenWrt image, use SSH:

  1. Enable a user/password for the factory DD-WRT image
  2. Enable SSH via the "Services" / "Services" menu. Save, Apply and then reboot the router.
  3. Copy the image: scp openwrt-ar71xx-wzr-hp-g300nh-jffs2-sysupgrade.bin <user>@192.168.11.1:/tmp/.
  4. Install the image:
    1. ssh <user>@192.168.11.1
    2. # cd /tmp
    3. # mtd -r write openwrt-ar71xx-wzr-hp-g300nh-jffs2-sysupgrade.bin firmware
      1. or use "sysupgrade -v openwrt-ar71xx-wzr-hp-g300nh-jffs2-sysupgrade.bin"

Wait for the device to reboot itself.

Setup upstream wifi for internet connectivity

  1. From http://192.168.1.1 go to the "Administration" / "Network" / "Radio0" page.
  2. Click the "Enable" wireless checkbox.
  3. Setup the first Interface to be a new wireless network that users connect to as they would any other network. Define the ESSID (example: "OpenWrt") and password.
  4. Add a new Interface to be used to connect to an upstream wireless provider for the router's internet access. Set the ESSID to that of the upstream wireless (example: "Upstream"). Define the "Mode" as "Client" and the "Network" as "wan".

Important:

  • By default the "wan" network interface is set to use DHCP. It is important that the IP provided or used for this interface is on a different network than the "lan" interface, which is 192.168.1.0/24 by default. In our case the upstream wireless network was set to use 192.168.2.0/24.
  • The order of the interfaces appears to be important and the upstream connection should always be last.

Test that the connection is working by attaching to the OpenWrt wireless network and connecting to the internet.

Setup the transtor network interface

  1. From the "Network" / "Interfaces" page put "transtor" in the text box and click "Add entry"
  2. In the interface page change the "Interface" to custom and give it the name "wlan0"
  3. Under "Create / Assign firewall-zone" select "transtor"
  4. Set the "Protocol" to static and set the IP information as follows:
     Zone      IPv4-Address  IPv4-Netmask
     transtor  10.192.0.1    255.192.0.0
  5. Click "Save & Apply"

(might need to add mac addr definition?)

Setup dhcp for interface:

  1. From the "Network" / "Dhcp" page click "Add entry" with the following values:
     Interface  Start  Limit  Lease time
     transtor   10     100    12h
  2. Click "Save & Apply"

Setup "transtor" firewall zone rules

  1. From the "Network" / "Firewall" / "Zones" page
  2. Set the "transtor" zone to Incoming=Reject, Outgoing=Accept, Forward=Reject. Leave MASQ and MSS Clamping unchecked.
  3. Click "Save & Apply"
  4. From the console you will need to add the " conntrack '1' " option to the transtor zone as this option is not supported in the GUI:
    config 'zone'
    	option 'name' 'transtor'
    	option 'input' 'REJECT'
    	option 'output' 'ACCEPT'
    	option 'forward' 'REJECT'
    	option 'conntrack' '1'
    

Setup port rules:

  1. From the "Network" / "Firewall" / "Traffic Control" page click "Add Entry"
  2. Add entries with values matching each of the following. For each entry you will need to add the "Protocol" field:
     Source    Destination  Protocol  Source Port  Destination Port  Action
     wan       Device       tcp                    443               Accept
     transtor  Device       udp                    67                Accept
     transtor  Device       tcp                    9040              Accept
     transtor  Device       udp                    9053              Accept
  3. Click "Save & Apply"

Setup traffic redirection:

  1. From the console (no GUI support) telnet to the router and execute:
    opkg install iptables-mod-nat iptables-mod-nat-extra

    cat << 'EOF' >> /etc/firewall.user

    # Redirection rules for Transparent Tor
    iptables -t nat -A PREROUTING -i wlan0 -p udp --dport 53 -j REDIRECT --to-ports 9053
    iptables -t nat -A PREROUTING -i wlan0 -p tcp --syn -j REDIRECT --to-ports 9040

    EOF

    Note: the 9053 port should match the DNSPort from torrc and 9040 the TransPort from torrc.
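The note above is the one thing that silently breaks transparent proxying when it drifts: if the REDIRECT targets in /etc/firewall.user and the DNSPort/TransPort lines in torrc disagree, client traffic is redirected to a port nothing listens on. As an added example (not from the wiki page or the Torouter project), the following POSIX shell script reads both files and reports any mismatch. The torrc and firewall.user it writes to a temporary directory are constructed for the demonstration, and the function names torrc_value, redirect_port and check_redirect_ports are chosen here.

```shell
#!/bin/sh
# Added example: verify that the REDIRECT target ports in firewall.user
# match DNSPort / TransPort in torrc. Not part of the original wiki page.

# torrc_value FILE KEY: print the value of the first "KEY value" line.
torrc_value() {
    awk -v key="$2" '$1 == key { print $2; exit }' "$1"
}

# redirect_port FILE PROTO: print the --to-ports target of the first
# uncommented REDIRECT rule for PROTO (udp or tcp) in a firewall.user file.
redirect_port() {
    grep -v '^[[:space:]]*#' "$1" | grep -- "-p $2 " | grep -- '-j REDIRECT' \
        | sed -n 's/.*--to-ports \([0-9][0-9]*\).*/\1/p' | head -n 1
}

# check_redirect_ports TORRC FIREWALL_USER: return 0 when the udp rule points
# at DNSPort and the tcp rule at TransPort, 1 otherwise (mismatches printed).
check_redirect_ports() {
    rc=0
    dns_tor=$(torrc_value "$1" DNSPort)
    dns_fw=$(redirect_port "$2" udp)
    trans_tor=$(torrc_value "$1" TransPort)
    trans_fw=$(redirect_port "$2" tcp)
    if [ -z "$dns_tor" ] || [ "$dns_tor" != "$dns_fw" ]; then
        echo "DNS redirect mismatch: torrc DNSPort='$dns_tor', udp REDIRECT --to-ports='$dns_fw'"
        rc=1
    fi
    if [ -z "$trans_tor" ] || [ "$trans_tor" != "$trans_fw" ]; then
        echo "TCP redirect mismatch: torrc TransPort='$trans_tor', tcp REDIRECT --to-ports='$trans_fw'"
        rc=1
    fi
    return $rc
}

# Constructed sample files for the demonstration (not the router's real files).
demo_dir=$(mktemp -d)
cat > "$demo_dir/torrc" <<'EOF'
TransPort 9040
TransListenAddress 10.192.0.1
DNSPort 9053
DNSListenAddress 10.192.0.1
EOF
cat > "$demo_dir/firewall.user" <<'EOF'
# Redirection rules for Transparent Tor
iptables -t nat -A PREROUTING -i wlan0 -p udp --dport 53 -j REDIRECT --to-ports 9053
iptables -t nat -A PREROUTING -i wlan0 -p tcp --syn -j REDIRECT --to-ports 9040
EOF
# A deliberately mismatched copy: the DNS rule points at the wrong port.
sed 's/--to-ports 9053/--to-ports 9153/' "$demo_dir/firewall.user" > "$demo_dir/firewall.user.bad"

check_redirect_ports "$demo_dir/torrc" "$demo_dir/firewall.user" && echo "ports consistent"
check_redirect_ports "$demo_dir/torrc" "$demo_dir/firewall.user.bad" || echo "mismatch detected as expected"
```

On the router itself the two paths would be /etc/tor/torrc and /etc/firewall.user; running the check after every edit of either file, and before restarting the firewall, catches the drift before any client notices.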

Setup Tor

  1. From the "System" / "Software" page click the "Update package lists" link
  2. In the "Download and install package" enter "tor" and press "OK"
  3. From the "Services" / "Initscripts" enable the tor service

At this point tor must be configured manually from the console.

  1. telnet to the router
  2. edit /etc/tor/torrc values to match:
    User tor
    RunAsDaemon 1
    PidFile /var/run/tor.pid
    DataDirectory /var/lib/tor
    
    # This is our bridge for the world to use
    Nickname OpenWRTTorBridge
    SocksPort 0
    ORPort 443
    BridgeRelay 1
    Exitpolicy reject *:*
    
    # This is for our transparent network
    VirtualAddrNetwork 10.192.0.0/10
    AutomapHostsOnResolve 1
    TransPort 9040
    TransListenAddress 10.192.0.1
    DNSPort 9053
    DNSListenAddress 10.192.0.1
    
    # This is where we rate limit the bridge to something reasonable
    RelayBandwidthRate 100 KBytes
    RelayBandwidthBurst 200 KBytes
    
    # GeoIP for stats       
    # DO NOT UNCOMMENT THIS LINE UNTIL GEOIP SUPPORT IS CONFIRMED  
    # GeoIPFile /etc/tor/geoip
    # Logging:
    # Log notice file /var/log/tor/notices.log
    # Log debug file /var/log/tor/debug.log
    
    
    Change the ListenAddress to the address of the "OpenWrt"/lan interface
  3. restart tor: # /etc/init.d/tor restart
  4. depending on your version of tor you might need to edit the tor start script to handle late nameserver configuration (see below)

Unable to parse '/etc/resolv.conf' error

For some network setups the nameserver is not provided until the upstream network is ready, and some older versions of tor do not handle this gracefully and will fail to start. Modify /etc/init.d/tor and place a loop that delays the start of tor until the nameserver has been configured.

sed -i -e 's/$BIN $OPTIONS/while ! grep -q "nameserver" \/etc\/resolv.conf ; do sleep 10; done;\n\t$BIN $OPTIONS/' /etc/init.d/tor

(grep -q exits non-zero while no nameserver line is present, so the inserted loop polls every 10 seconds and only then runs the original "$BIN $OPTIONS" start line.)
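The one-liner loops forever if the upstream link never comes up, which stalls the rest of the init sequence. As an added example (not from the wiki page or the Torouter project), here is a bounded version of the same wait, written as two shell functions that can be pasted into /etc/init.d/tor ahead of the start line. The names has_nameserver and wait_for_nameserver, the poll interval and the retry limit are chosen here; the sample resolv.conf files are constructed for the demonstration.

```shell
#!/bin/sh
# Added example (not from the original wiki page): a bounded version of the
# "wait until resolv.conf has a nameserver" loop spliced into /etc/init.d/tor.
# Function names and the poll/retry parameters are chosen here for illustration.

# has_nameserver FILE: succeed when FILE has an uncommented "nameserver <addr>"
# line; a commented-out entry does not count.
has_nameserver() {
    grep -q '^[[:space:]]*nameserver[[:space:]][[:space:]]*[^[:space:]]' "$1" 2>/dev/null
}

# wait_for_nameserver FILE [INTERVAL_SECONDS] [MAX_CHECKS]
# Polls FILE until has_nameserver succeeds. Unlike the unbounded loop on the
# page it gives up after MAX_CHECKS, so a dead upstream link cannot block the
# rest of the boot forever; the caller decides what to do on failure.
wait_for_nameserver() {
    file="$1"
    interval="${2:-10}"
    max_checks="${3:-30}"
    checks=0
    while ! has_nameserver "$file"; do
        checks=$((checks + 1))
        if [ "$checks" -ge "$max_checks" ]; then
            echo "no nameserver in $file after $checks checks" >&2
            return 1
        fi
        sleep "$interval"
    done
    return 0
}

# Constructed sample resolv.conf files for the demonstration (192.0.2.0/24 is
# the documentation range, not a real resolver).
demo_dir=$(mktemp -d)
printf 'search lan\nnameserver 192.0.2.1\n' > "$demo_dir/resolv.ready"
printf '# nameserver 192.0.2.1\n' > "$demo_dir/resolv.pending"

wait_for_nameserver "$demo_dir/resolv.ready" 0 3 && echo "resolver present, tor may start"
wait_for_nameserver "$demo_dir/resolv.pending" 0 3 || echo "gave up waiting (expected for the pending sample)"
```

To wire it into the init script, paste the two functions above the start line and replace "$BIN $OPTIONS" with "wait_for_nameserver /etc/resolv.conf && $BIN $OPTIONS"; with the default parameters that waits at most 30 checks of 10 seconds before giving up instead of hanging indefinitely.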

Setup "Transparent Tor" access point

  1. From http://192.168.1.1 go to the "Administration" / "Network" / "Radio0" page.
  2. Add a new Interface with the following values:
     ESSID            Network   Mode          Encryption
     Transparent Tor  transtor  Access Point  No Encryption
  3. Click "Save & Apply"

Miscellaneous Options

Remote control with Vidalia

This is not recommended. The Control connection of Tor is not encrypted and opening it over unprotected wifi is not advised. However, to set this up we must:

  1. Setup tor Control Port, Addr and Hash password
  2. Setup wireless router firewall rule to pass through Control port and to NOT forward this connection through tor
  3. Setup Vidalia client

Setup tor

  1. Generate HashedControlPassword (example):
    # tor --hash-password examplepassword
    !16:6300B3DF2CDBCAD6605794581971326F4A03437A7502490A133B96966F
  2. Add to /etc/tor/torrc:
    ControlPort 9051
    ControlListenAddress 10.192.0.1
    HashedControlPassword 16:6300B3DF2CDBCAD6605794581971326F4A03437A7502490A133B96966F

  3. Restart tor:
    # /etc/init.d/tor restart

Setup wireless router firewall

  1. Add to /etc/config/firewall:
    config 'rule'              
            option 'src' 'transtor'
            option 'proto' 'tcp'    
            option 'dest_port' '9051'
            option 'target' 'ACCEPT'
    
  2. Change /etc/firewall.user to:
    # Redirection rules for Transparent Tor
    iptables -t nat -A PREROUTING -i wlan1 -p udp --dport 53 -j REDIRECT --to-ports 9053
    # iptables -t nat -A PREROUTING -i wlan1 -p tcp --syn -j REDIRECT --to-ports 9040
    # So that we can setup local control port
    iptables -t nat -A PREROUTING -i wlan1 -p tcp ! -d 10.192.0.1 --syn -j REDIRECT --to-ports 9040
    
  3. Restart firewall:
    # /etc/init.d/firewall restart

Setup Vidalia client

  1. In the settings change the tor binary location to be nothing (or you might need to add a random binary such as cmd.exe or /Applications/Utilities/Terminal.app/Contents/MacOS/Terminal)
  2. Change the Control Port and Address to 10.192.0.1 and 9051
  3. Restart Vidalia

Change Transparent Tor to password protected

Does not seem to work. When enabling encryption on the Transparent Tor AP, both the OpenWrt and Transparent Tor APs fail to initialize. Perhaps the Buffalo router cannot handle more than two encrypted channels (the Upstream AP and OpenWrt AP).

Hardware-assisted software 'brick' prevention

It would be 'neat' to use the reset button to reinstall and reconfigure the router to a base image. This would save most non-technical (and technical) users from having to open up their devices. This feature 'mostly' works on ddwrt and there is a /sys gpio entry on openwrt, so hopefully this won't be hard to implement.

It should also be noted that some device revisions (the A0 and A2, it seems) cannot simply be tftp booted to 'unbrick' them (this may be a quirk in the uboot settings for the specific hardware I have, though).

Building a custom Image

XXX: FIX THIS UP WITH ACTUAL VALID COMPLETE CONFIGS ETC.

As per http://wiki.openwrt.org/doc/howto/build

mkdir OpenWrt/
cd OpenWrt/
# check out into backfire_10.03 so the cd below matches the directory name
svn co svn://svn.openwrt.org/openwrt/branches/backfire backfire_10.03
#for packages
cd backfire_10.03
./scripts/feeds update -a
./scripts/feeds install -a
make menuconfig
# the configuration should have at least the following selected 
CONFIG_TARGET_ar71xx=y
CONFIG_TARGET_ar71xx_WZRHPG300NH=y
CONFIG_TARGET_BOARD="ar71xx"
...
CONFIG_LINUX_2_6_32=y
CONFIG_DEFAULT_base-files=y
CONFIG_DEFAULT_busybox=y
CONFIG_DEFAULT_dnsmasq=y
CONFIG_DEFAULT_dropbear=y
CONFIG_DEFAULT_kmod-ath9k=y
CONFIG_DEFAULT_mtd=y
CONFIG_DEFAULT_opkg=y
...
CONFIG_DEFAULT_wpad-mini=y
...
CONFIG_PACKAGE_tor=y

The following 'files' directory could be put into some kind of version control. (along with a working .config)

Then you can put the pre-configured network settings into the image like this:

mkdir -p files/etc/config/
mkdir -p files/etc/tor

cat << 'EOF' >> files/etc/config/network

config interface lan
	option ifname eth0
	option proto static
	option ipaddr 192.168.1.1
	option netmask 255.255.255.0
	option defaultroute 0
	option peerdns 0
	option type bridge

config interface transtor
        option ifname   "wlan0"
        option proto    static
        option ipaddr 192.168.2.1
        option netmask 255.255.255.0

EOF

cat << 'EOF' > files/etc/config/wireless

#
# XXX TODO: We want to ensure the wireless AP has a static MAC
# This will ensure that no GeoIP database of MAC addresses can locate a client
# leaking MAC data.
#
config wifi-device  radio0
    option type     mac80211
    option channel  11
    option phy phy0
    option hwmode   11ng
    option htmode   HT20
    list ht_capab   SHORT-GI-40
    list ht_capab   DSSS_CCK-40
    # REMOVE THIS LINE TO ENABLE WIFI:
    # option disabled 1

config wifi-iface
    option device    radio0
    option network   transtor
    option mode    ap
    option ssid    'Transparent Tor'
    option encryption none
    # see http://outflux.net/geoloc/?mac=00-88-88-88-00-2A+ for the location info associated with this mac addr
    # (comment kept on its own line so the option value parses cleanly)
    option macaddr 00:88:88:88:00:2A

EOF

cat << 'EOF' >> files/etc/config/dhcp

config 'dhcp' 'transtor'
    option 'interface' 'transtor'
    option 'start' '23'
    option 'limit' '250'
    option 'leasetime' '12h'
EOF


Tor configuration:

cat << 'EOF' > files/etc/tor/torrc
# This is a configuration for a Tor bridge on the WAN interface
# and it also runs with a transport to allow for transparent proxying
# on a specific wireless interface.
#
User tor
RunAsDaemon 1
PidFile /var/run/tor.pid
DataDirectory /var/lib/tor

# This is our bridge for the world to use
Nickname OpenWRTTorBridge
SocksPort 0
ORPort 443
BridgeRelay 1
Exitpolicy reject *:*

# This is for our transparent network
VirtualAddrNetwork 10.192.0.0/10
AutomapHostsOnResolve 1
TransPort 9040
TransListenAddress 192.168.2.1
DNSPort 9053
DNSListenAddress 192.168.2.1

# This is where we rate limit the bridge to something reasonable
RelayBandwidthRate 100 KBytes
RelayBandwidthBurst 200 KBytes

# GeoIP for stats       
# DO NOT UNCOMMENT THIS LINE UNTIL GEOIP SUPPORT IS CONFIRMED  
# GeoIPFile /etc/tor/geoip
EOF

Firewall:

cat << 'EOF' >> files/etc/config/firewall

#Allow Tor Bridge incoming for censored users
config rule
        option src wan
        option proto tcp
        option dest_port 443
        option target ACCEPT

config zone
        option name     transtor
        option input    REJECT
        option output   ACCEPT
        option forward  REJECT
        option syn_flood 1
        # this setting is mandatory (comment kept on its own line so the option parses cleanly)
        option conntrack 1

# Allow Transparent clients the ability to DHCP an address
# XXX TODO: Audit this to ensure it doesn't leak UDP port 67 to the net!
config rule
        option src              transtor
        option proto            udp
        option dest_port        67
        option target           ACCEPT
# Tor transparent-proxy-port (set in /etc/tor/torrc)
config rule
        option src              transtor
        option proto            tcp
        option dest_port        9040
        option target           ACCEPT
# Tor DNS-proxy-port (set in /etc/tor/torrc)
config rule
        option src              transtor
        option proto            udp
        option dest_port        9053
        option target           ACCEPT
EOF

cat << 'EOF' >> files/etc/firewall.user

# Redirection rules for Transparent Tor
iptables -t nat -A PREROUTING -i wlan0 -p udp --dport 53 -j REDIRECT --to-ports 9053
iptables -t nat -A PREROUTING -i wlan0 -p tcp ! --dport 53 --syn -j REDIRECT --to-ports 9040

EOF

Then enter:

make

After make finishes images can be found in the bin/ folder.

Last modified on Jun 17, 2012 11:19:32 PM