19807409 Posted February 14, 2017

Requirements

openwrt (or any openwrt based firmware like LEDE openwrt)
tor
libevent2-openssl
libevent2
libminiupnpc
libnatpmp
tor-geoip (optional)
tor-fw-helper (optional)

Description

In this guide I will install and create tor on my openwrt router. My wireless is isolated. You can change these settings as you wish, just take care that nobody from outside can reach your LANs. At the end of this post is a script doing everything for you; you only need to adapt the script to your settings.

For this guide, my router's LAN IP is 192.168.1.3.

This setup works for those who use only proxy/socks products, VPN products, or a mix of them. It gives a very high grade of anonymity if all of this runs inside some VPN, like TorGuard's, which works perfectly!

What we will have at the end of this setup

- tor socks5 server on the router's LAN IP:9050 (in this example 192.168.1.3:9050) (you can set your system, browser or anything else to use this socks5, which then always goes over tor)
- Simple usage by joining the WLAN (no need to set up anything on any device)
- A specific LAN port set to always go through Tor (especially useful for those who use C-Lines for Card Sharing)
- Isolated wireless network (which is secured and can't communicate with LAN devices)
- Traffic is sent through TorGuard's proxy/socks5 (all of tor's traffic is sent through a socks or https proxy; TorGuard proxy port: 6060, TorGuard socks5 ports: 1080/1085/1090)
  - In this guide we set only .onion and .exit URLs to go over tor; all other pages go over TorGuard's socks/proxy used by tor.
  - We also restrict usage to ports 80 and 443 for the case that you need to hide from your ISP/VPN provider (TorGuard does not block).
  - If you are not using a VPN, then you hide the traffic from your ISP by using socks, and from your socks provider by using only ports 80/443.
  - Even if this setup is highly secure, consider using obfsproxy in addition, which I will not cover in this guide.
  - The socks5/proxy also acts as a fallback if your VPN stops working.

This setup works if you are connected to a VPN (like TorGuard and openvpn; my router is currently in TorGuard's VPN).

Installation of required packages

opkg update
opkg install libevent2-openssl libevent2 libminiupnpc libnatpmp tor tor-fw-helper tor-geoip

Create Tor interface with static IP 172.x.x.x

# Creating Tor interface (/etc/config/network)
uci add network interface
uci rename network.@interface[-1]=tor
uci set network.@interface[-1].proto=static
uci set network.@interface[-1].ipaddr=172.16.1.1
uci set network.@interface[-1].netmask=255.255.255.0
uci commit network

Create DHCP server for tor interface

# Configuring DHCP server for Tor interface (/etc/config/dhcp)
uci add dhcp dhcp
uci rename dhcp.@dhcp[-1]=tor
uci set dhcp.@dhcp[-1].interface=tor
uci set dhcp.@dhcp[-1].start=100
uci set dhcp.@dhcp[-1].limit=150
uci set dhcp.@dhcp[-1].leasetime=12h
uci commit dhcp

Create 5 GHz and 2,4 GHz isolated wireless interfaces

# Creating new isolated Wireless interface for Tor (/etc/config/wireless)
# please check which radio is which device.
# TP-Link Archer C7: radio0: 2,4Ghz radio1: 5,0Ghz
# TP-Link RE450: radio0: 5Ghz radio1: 2,4Ghz
uci add wireless wifi-iface
uci set wireless.@wifi-iface[-1]=wifi-iface
uci set wireless.@wifi-iface[-1].device=radio0
uci set wireless.@wifi-iface[-1].network=tor
uci set wireless.@wifi-iface[-1].mode=ap
uci set wireless.@wifi-iface[-1].ssid='ಠ_ಠ'
uci set wireless.@wifi-iface[-1].encryption=psk2
uci set wireless.@wifi-iface[-1].key='CHANGETHISPASSWORD'
uci set wireless.@wifi-iface[-1].isolate=1
uci set wireless.@wifi-iface[-1].macaddr='00:88:88:88:00:2A'
uci set wireless.@wifi-iface[-1].disabled=0
uci commit wireless

uci add wireless wifi-iface
uci set wireless.@wifi-iface[-1]=wifi-iface
uci set wireless.@wifi-iface[-1].device=radio1
uci set wireless.@wifi-iface[-1].network=tor
uci set wireless.@wifi-iface[-1].mode=ap
uci set wireless.@wifi-iface[-1].ssid='ಠ_ಠ'
uci set wireless.@wifi-iface[-1].encryption=psk2
uci set wireless.@wifi-iface[-1].key='CHANGETHISPASSWORD'
uci set wireless.@wifi-iface[-1].isolate=1
uci set wireless.@wifi-iface[-1].macaddr='00:88:88:88:00:2B'
uci set wireless.@wifi-iface[-1].disabled=0
uci commit wireless

Add firewall zone and configure firewall for tor

# Configuring Firewall (/etc/config/firewall)
uci add firewall zone
uci set firewall.@zone[-1].name=tor
uci set firewall.@zone[-1].input=REJECT
uci set firewall.@zone[-1].output=ACCEPT
uci set firewall.@zone[-1].forward=REJECT
uci set firewall.@zone[-1].conntrack=1
uci set firewall.@zone[-1].network=tor
uci set firewall.@zone[-1].mask=1

uci add firewall rule
uci set firewall.@rule[-1].target=ACCEPT
uci set firewall.@rule[-1].src=tor
uci set firewall.@rule[-1].proto=udp
uci set firewall.@rule[-1].dest_port=67
uci set firewall.@rule[-1].name='Allow Tor DHCP Requests'

uci add firewall rule
uci set firewall.@rule[-1].target=ACCEPT
uci set firewall.@rule[-1].src=tor
uci set firewall.@rule[-1].proto=tcp
uci set firewall.@rule[-1].dest_port=9040
uci set firewall.@rule[-1].name='Allow Tor Transparent Proxy'

uci add firewall rule
uci set firewall.@rule[-1].target=ACCEPT
uci set firewall.@rule[-1].src=tor
uci set firewall.@rule[-1].proto=tcp
uci set firewall.@rule[-1].dest_port=9053
uci set firewall.@rule[-1].name='Allow Tor DNS Proxy'

uci add firewall redirect
uci set firewall.@redirect[-1].name='Redirect Tor Traffic'
uci set firewall.@redirect[-1].src=tor
uci set firewall.@redirect[-1].src_dip='!192.168.1.0/24'
uci set firewall.@redirect[-1].dest_port=9040
uci set firewall.@redirect[-1].proto=tcp
uci set firewall.@redirect[-1].target=DNAT
uci set firewall.@redirect[-1].reflection=0

uci add firewall redirect
uci set firewall.@redirect[-1].name='Redirect Tor DNS'
uci set firewall.@redirect[-1].src=tor
uci set firewall.@redirect[-1].src_dport=53
uci set firewall.@redirect[-1].dest_port=9053
uci set firewall.@redirect[-1].proto=udp
uci set firewall.@redirect[-1].target=DNAT
uci set firewall.@redirect[-1].reflection=0

uci add firewall rule
uci set firewall.@rule[-1]=rule
uci set firewall.@rule[-1].name='Deny Tor LAN Access'
uci set firewall.@rule[-1].src=tor
uci set firewall.@rule[-1].dest=lan
uci set firewall.@rule[-1].proto=all
uci set firewall.@rule[-1].target=DROP
uci commit firewall

Configure tor with TorGuard services

# Configuring Tor (/etc/tor/torrc)
echo "VirtualAddrNetwork 10.192.0.0/10" >> /etc/tor/torrc
echo "AutomapHostsSuffixes .onion,.exit" >> /etc/tor/torrc
echo "AutomapHostsOnResolve 1" >> /etc/tor/torrc
# address:port form binds the listeners to the Tor interface on old and current
# tor alike (the separate TransListenAddress/DNSListenAddress options are
# obsolete in current tor releases)
echo "TransPort 172.16.1.1:9040" >> /etc/tor/torrc
echo "DNSPort 172.16.1.1:9053" >> /etc/tor/torrc
echo "SocksPort 9050" >> /etc/tor/torrc
echo "SocksPort 192.168.1.3:9050" >> /etc/tor/torrc
echo "SocksPolicy accept 192.168.1.0/24" >> /etc/tor/torrc
echo "SocksPolicy accept 172.16.1.0/24" >> /etc/tor/torrc
echo "SocksPolicy accept 127.0.0.1" >> /etc/tor/torrc
echo "SocksPolicy reject *" >> /etc/tor/torrc
echo "EntryNodes {de},{nl}" >> /etc/tor/torrc
echo "ExitNodes {nl},{de}" >> /etc/tor/torrc
echo "ExcludeNodes {be},{pl},{ca},{za},{vn},{uz},{ua},{tw},{tr},{th},{sk},{sg},{se},{sd},{sa},{ru},{ro},{pt},{ph},{pa},{nz},{np},{no},{my},{mx},{md},{lv},{lu},{kr},{jp},{it},{ir},{il},{ie},{id},{hr},{hk},{gr},{gi},{gb},{fi},{es},{ee},{dk},{cz},{cy},{cr},{co},{cn},{cl},{ci},{ch},{by},{br},{bg},{au},{at},{ar},{aq},{ao},{ae},{fr},{us}" >> /etc/tor/torrc
echo "ExcludeExitNodes {be},{pl},{ca},{za},{vn},{uz},{ua},{tw},{tr},{th},{sk},{sg},{se},{sd},{sa},{ru},{ro},{pt},{ph},{pa},{nz},{np},{no},{my},{mx},{md},{lv},{lu},{kr},{jp},{it},{ir},{il},{ie},{id},{hr},{hk},{gr},{gi},{gb},{fi},{es},{ee},{dk},{cz},{cy},{cr},{co},{cn},{cl},{ci},{ch},{by},{br},{bg},{au},{at},{ar},{aq},{ao},{ae},{fr},{us}" >> /etc/tor/torrc
echo "GeoIPFile /etc/tor/geoip" >> /etc/tor/torrc
echo "GeoIPv6File /etc/tor/geoip6" >> /etc/tor/torrc
echo "HiddenServiceStatistics 0" >> /etc/tor/torrc
echo "#HTTPSProxy nl.torguardvpnaccess.com:6060" >> /etc/tor/torrc
echo "#HTTPSProxyAuthenticator YOURTORGUARDUSERNAME:YOURTORGUARDPASSWORD" >> /etc/tor/torrc
echo "Socks5Proxy nl.torguardvpnaccess.com:1080" >> /etc/tor/torrc
echo "Socks5ProxyUsername YOURTORGUARDUSERNAME" >> /etc/tor/torrc
echo "Socks5ProxyPassword YOURTORGUARDPASSWORD" >> /etc/tor/torrc
# only ports 80/443 are reachable; everything else is rejected (one line each is enough)
echo "ReachableAddresses *:80,*:443" >> /etc/tor/torrc
echo "ReachableAddresses reject *:*" >> /etc/tor/torrc
echo "StrictNodes 1" >> /etc/tor/torrc
echo "UseBridges 0" >> /etc/tor/torrc
/etc/init.d/tor enable

Download geoip and geoipv6

# Download file to specific location
# wget <file.ext> -O /path/to/folder/file.ext
# INFO: make sure /etc/tor folder exists
# Download GeoIP (IPv4)
wget https://raw.githubusercontent.com/torproject/tor/master/src/config/geoip -O /etc/tor/geoip
# Download GeoIP (IPv6)
wget https://raw.githubusercontent.com/torproject/tor/master/src/config/geoip6 -O /etc/tor/geoip6

Reboot your router.

Script installing tor requirements, creating interface, configuring firewall

Please change these lines according to your settings:

Set here your router's LAN IP (in most cases it is 192.168.1.1 and the subnet is 192.168.1.0/24). Here you set the socks port to listen on 192.168.1.3:

echo "SocksPort 192.168.1.3:9050" >> /etc/tor/torrc

Here you set which clients should be accepted in addition to the 172.x.x.x subnet:

echo "SocksPolicy accept 192.168.1.0/24" >> /etc/tor/torrc

Change your TorGuard credentials. I use here the Socks5 Netherlands server. If you want to use the https proxy, unmark it by deleting the # sign and remove the socks5 entries.

echo "#HTTPSProxy nl.torguardvpnaccess.com:6060" >> /etc/tor/torrc
echo "#HTTPSProxyAuthenticator YOURTORGUARDUSERNAME:YOURTORGUARDPASSWORD" >> /etc/tor/torrc
echo "Socks5Proxy nl.torguardvpnaccess.com:1080" >> /etc/tor/torrc
echo "Socks5ProxyUsername YOURTORGUARDUSERNAME" >> /etc/tor/torrc
echo "Socks5ProxyPassword YOURTORGUARDPASSWORD" >> /etc/tor/torrc

Tor Network Settings. Set your tor interface static IP:

uci set network.@interface[-1].ipaddr=172.16.1.1

Please replace all 172.x.x.x in torrc according to your setting if you change these values.
Change your Entry/Exit nodes (I've set here German and Netherlands nodes only; best is if you set the country of the socks/proxy server which you use):

echo "EntryNodes {de},{nl}" >> /etc/tor/torrc
echo "ExitNodes {nl},{de}" >> /etc/tor/torrc
echo "ExcludeNodes {be},{pl},{ca},{za},{vn},{uz},{ua},{tw},{tr},{th},{sk},{sg},{se},{sd},{sa},{ru},{ro},{pt},{ph},{pa},{nz},{np},{no},{my},{mx},{md},{lv},{lu},{kr},{jp},{it},{ir},{il},{ie},{id},{hr},{hk},{gr},{gi},{gb},{fi},{es},{ee},{dk},{cz},{cy},{cr},{co},{cn},{cl},{ci},{ch},{by},{br},{bg},{au},{at},{ar},{aq},{ao},{ae},{fr},{us}" >> /etc/tor/torrc
echo "ExcludeExitNodes {be},{pl},{ca},{za},{vn},{uz},{ua},{tw},{tr},{th},{sk},{sg},{se},{sd},{sa},{ru},{ro},{pt},{ph},{pa},{nz},{np},{no},{my},{mx},{md},{lv},{lu},{kr},{jp},{it},{ir},{il},{ie},{id},{hr},{hk},{gr},{gi},{gb},{fi},{es},{ee},{dk},{cz},{cy},{cr},{co},{cn},{cl},{ci},{ch},{by},{br},{bg},{au},{at},{ar},{aq},{ao},{ae},{fr},{us}" >> /etc/tor/torrc

For other settings, please read up on Tor's documentation.

Install Script (please check all settings before running this script)

opkg update; opkg install libevent2-openssl libevent2 libminiupnpc libnatpmp tor tor-geoip
if [ -f /etc/init.d/tor ]; then
  # Creating Tor interface (/etc/config/network)
  uci add network interface
  uci rename network.@interface[-1]=tor
  uci set network.@interface[-1].proto=static
  uci set network.@interface[-1].ipaddr=172.16.1.1
  uci set network.@interface[-1].netmask=255.255.255.0
  uci commit network

  # Configuring DHCP server for Tor interface (/etc/config/dhcp)
  uci add dhcp dhcp
  uci rename dhcp.@dhcp[-1]=tor
  uci set dhcp.@dhcp[-1].interface=tor
  uci set dhcp.@dhcp[-1].start=100
  uci set dhcp.@dhcp[-1].limit=150
  uci set dhcp.@dhcp[-1].leasetime=12h
  uci commit dhcp

  # Creating new isolated Wireless interface for Tor (/etc/config/wireless)
  # please check which radio is which device.
  # TP-Link Archer C7: radio0: 2,4Ghz radio1: 5,0Ghz
  # TP-Link RE450: radio0: 5Ghz radio1: 2,4Ghz
  uci add wireless wifi-iface
  uci set wireless.@wifi-iface[-1]=wifi-iface
  uci set wireless.@wifi-iface[-1].device=radio0
  uci set wireless.@wifi-iface[-1].network=tor
  uci set wireless.@wifi-iface[-1].mode=ap
  uci set wireless.@wifi-iface[-1].ssid='ಠ_ಠ'
  uci set wireless.@wifi-iface[-1].encryption=psk2
  uci set wireless.@wifi-iface[-1].key='CHANGETHISPASSWORD'
  uci set wireless.@wifi-iface[-1].isolate=1
  uci set wireless.@wifi-iface[-1].macaddr='00:88:88:88:00:2A'
  uci set wireless.@wifi-iface[-1].disabled=0
  uci commit wireless

  uci add wireless wifi-iface
  uci set wireless.@wifi-iface[-1]=wifi-iface
  uci set wireless.@wifi-iface[-1].device=radio1
  uci set wireless.@wifi-iface[-1].network=tor
  uci set wireless.@wifi-iface[-1].mode=ap
  uci set wireless.@wifi-iface[-1].ssid='ಠ_ಠ'
  uci set wireless.@wifi-iface[-1].encryption=psk2
  uci set wireless.@wifi-iface[-1].key='CHANGETHISPASSWORD'
  uci set wireless.@wifi-iface[-1].isolate=1
  uci set wireless.@wifi-iface[-1].macaddr='00:88:88:88:00:2B'
  uci set wireless.@wifi-iface[-1].disabled=0
  uci commit wireless

  # Configuring Firewall (/etc/config/firewall)
  uci add firewall zone
  uci set firewall.@zone[-1].name=tor
  uci set firewall.@zone[-1].input=REJECT
  uci set firewall.@zone[-1].output=ACCEPT
  uci set firewall.@zone[-1].forward=REJECT
  uci set firewall.@zone[-1].conntrack=1
  uci set firewall.@zone[-1].network=tor
  uci set firewall.@zone[-1].mask=1

  uci add firewall rule
  uci set firewall.@rule[-1].target=ACCEPT
  uci set firewall.@rule[-1].src=tor
  uci set firewall.@rule[-1].proto=udp
  uci set firewall.@rule[-1].dest_port=67
  uci set firewall.@rule[-1].name='Allow Tor DHCP Requests'

  uci add firewall rule
  uci set firewall.@rule[-1].target=ACCEPT
  uci set firewall.@rule[-1].src=tor
  uci set firewall.@rule[-1].proto=tcp
  uci set firewall.@rule[-1].dest_port=9040
  uci set firewall.@rule[-1].name='Allow Tor Transparent Proxy'

  uci add firewall rule
  uci set firewall.@rule[-1].target=ACCEPT
  uci set firewall.@rule[-1].src=tor
  uci set firewall.@rule[-1].proto=tcp
  uci set firewall.@rule[-1].dest_port=9053
  uci set firewall.@rule[-1].name='Allow Tor DNS Proxy'

  uci add firewall redirect
  uci set firewall.@redirect[-1].name='Redirect Tor Traffic'
  uci set firewall.@redirect[-1].src=tor
  uci set firewall.@redirect[-1].src_dip='!192.168.1.0/24'
  uci set firewall.@redirect[-1].dest_port=9040
  uci set firewall.@redirect[-1].proto=tcp
  uci set firewall.@redirect[-1].target=DNAT
  uci set firewall.@redirect[-1].reflection=0

  uci add firewall redirect
  uci set firewall.@redirect[-1].name='Redirect Tor DNS'
  uci set firewall.@redirect[-1].src=tor
  uci set firewall.@redirect[-1].src_dport=53
  uci set firewall.@redirect[-1].dest_port=9053
  uci set firewall.@redirect[-1].proto=udp
  uci set firewall.@redirect[-1].target=DNAT
  uci set firewall.@redirect[-1].reflection=0

  uci add firewall rule
  uci set firewall.@rule[-1]=rule
  uci set firewall.@rule[-1].name='Deny Tor LAN Access'
  uci set firewall.@rule[-1].src=tor
  uci set firewall.@rule[-1].dest=lan
  uci set firewall.@rule[-1].proto=all
  uci set firewall.@rule[-1].target=DROP
  uci commit firewall

  # Configuring Tor (/etc/tor/torrc)
  echo "VirtualAddrNetwork 10.192.0.0/10" >> /etc/tor/torrc
  echo "AutomapHostsSuffixes .onion,.exit" >> /etc/tor/torrc
  echo "AutomapHostsOnResolve 1" >> /etc/tor/torrc
  # address:port form works on old and current tor; the separate
  # TransListenAddress/DNSListenAddress options are obsolete in current releases
  echo "TransPort 172.16.1.1:9040" >> /etc/tor/torrc
  echo "DNSPort 172.16.1.1:9053" >> /etc/tor/torrc
  echo "SocksPort 9050" >> /etc/tor/torrc
  echo "SocksPort 192.168.1.3:9050" >> /etc/tor/torrc
  echo "SocksPolicy accept 192.168.1.0/24" >> /etc/tor/torrc
  echo "SocksPolicy accept 172.16.1.0/24" >> /etc/tor/torrc
  echo "SocksPolicy accept 127.0.0.1" >> /etc/tor/torrc
  echo "SocksPolicy reject *" >> /etc/tor/torrc
  echo "EntryNodes {de},{nl}" >> /etc/tor/torrc
  echo "ExitNodes {nl},{de}" >> /etc/tor/torrc
  echo "ExcludeNodes {be},{pl},{ca},{za},{vn},{uz},{ua},{tw},{tr},{th},{sk},{sg},{se},{sd},{sa},{ru},{ro},{pt},{ph},{pa},{nz},{np},{no},{my},{mx},{md},{lv},{lu},{kr},{jp},{it},{ir},{il},{ie},{id},{hr},{hk},{gr},{gi},{gb},{fi},{es},{ee},{dk},{cz},{cy},{cr},{co},{cn},{cl},{ci},{ch},{by},{br},{bg},{au},{at},{ar},{aq},{ao},{ae},{fr},{us}" >> /etc/tor/torrc
  echo "ExcludeExitNodes {be},{pl},{ca},{za},{vn},{uz},{ua},{tw},{tr},{th},{sk},{sg},{se},{sd},{sa},{ru},{ro},{pt},{ph},{pa},{nz},{np},{no},{my},{mx},{md},{lv},{lu},{kr},{jp},{it},{ir},{il},{ie},{id},{hr},{hk},{gr},{gi},{gb},{fi},{es},{ee},{dk},{cz},{cy},{cr},{co},{cn},{cl},{ci},{ch},{by},{br},{bg},{au},{at},{ar},{aq},{ao},{ae},{fr},{us}" >> /etc/tor/torrc
  echo "GeoIPFile /etc/tor/geoip" >> /etc/tor/torrc
  echo "GeoIPv6File /etc/tor/geoip6" >> /etc/tor/torrc
  echo "HiddenServiceStatistics 0" >> /etc/tor/torrc
  echo "#HTTPSProxy nl.torguardvpnaccess.com:6060" >> /etc/tor/torrc
  echo "#HTTPSProxyAuthenticator YOURTORGUARDUSERNAME:YOURTORGUARDPASSWORD" >> /etc/tor/torrc
  echo "Socks5Proxy nl.torguardvpnaccess.com:1080" >> /etc/tor/torrc
  echo "Socks5ProxyUsername YOURTORGUARDUSERNAME" >> /etc/tor/torrc
  echo "Socks5ProxyPassword YOURTORGUARDPASSWORD" >> /etc/tor/torrc
  # only ports 80/443 are reachable; everything else is rejected
  echo "ReachableAddresses *:80,*:443" >> /etc/tor/torrc
  echo "ReachableAddresses reject *:*" >> /etc/tor/torrc
  echo "StrictNodes 1" >> /etc/tor/torrc
  echo "UseBridges 0" >> /etc/tor/torrc
  /etc/init.d/tor enable

  # Download file to specific location
  # wget <file.ext> -O /path/to/folder/file.ext
  # INFO: make sure /etc/tor folder exists
  # Download GeoIP (IPv4)
  wget https://raw.githubusercontent.com/torproject/tor/master/src/config/geoip -O /etc/tor/geoip
  # Download GeoIP (IPv6)
  wget https://raw.githubusercontent.com/torproject/tor/master/src/config/geoip6 -O /etc/tor/geoip6
fi

If you are connected to TorGuard's VPN and everything runs over the VPN, then tor might be inactive if it starts before openvpn during boot, because openvpn changes routes and tor needs to be restarted. In this case you can edit openvpn's start scripts or tor's start scripts, or simply add these commands under System->Startup, section "Local Startup":

# Put your custom commands here that should be executed once
# the system init finished. By default this file does nothing.
sleep 10
/etc/init.d/tor reload
/etc/init.d/tor restart
exit 0

How to get geoip and geoipv6 files

Method 1 - download directly from your router (geoip is ~3,5MB, geoip6 ~1,7MB)

Download directly to your box.

# Download file to specific location
# wget <file.ext> -O /path/to/folder/file.ext
# INFO: make sure /etc/tor folder exists
# Download GeoIP (IPv4)
wget https://raw.githubusercontent.com/torproject/tor/master/src/config/geoip -O /etc/tor/geoip
# Download GeoIP (IPv6)
wget https://raw.githubusercontent.com/torproject/tor/master/src/config/geoip6 -O /etc/tor/geoip6

Method 2 - use files provided by TorBrowser

The easiest way is to install TorBrowser and use the files it ships. The geoip files are located in: TorBrowserInstallDir/Browser/TorBrowser/Data/Tor

For Windows users mostly in: C:\Users\YourUsername\Desktop\Tor Browser\Browser\TorBrowser\Data\Tor

Upload geoip and geoip6 to your router.

Method 3 - download the latest DB and convert it

For this method you need to install python on your openwrt. Run these commands directly on the box. For python you need USB storage as it takes a lot of space; do not install python on openwrt if you do not run the system from USB.
Download the latest GeoLite2-Country.mmdb.gz

# Download latest GeoIP to temp folder
wget -N http://geolite.maxmind.com/download/geoip/database/GeoLite2-Country.mmdb.gz -O /tmp/GeoLite2-Country.mmdb.gz

Download the python script for converting mmdb

# Download convert script (the raw file, not the GitHub "blob" HTML page)
wget https://raw.githubusercontent.com/torproject/tor/master/src/config/mmdb-convert.py -O /etc/tor/mmdb-convert.py

Extract and convert mmdb

# Extract GeoLite2-Country.mmdb
gunzip /tmp/GeoLite2-Country.mmdb.gz
# Convert GeoLite2-Country.mmdb to geoip
python /etc/tor/mmdb-convert.py /tmp/GeoLite2-Country.mmdb > output

TorGuard works blazing fast with the Tor network (!!!TORGUARD TEAM IS AMAZING, THANKS FOR GREAT SERVICES!!!)

That's it, enjoy the tor network.