# OpenWRT Tor transparent proxy+bridge

This document gives some instructions on how to set up, on the OpenWRT platform, a wireless network whose clients get tunneled transparently through Tor. Optionally, a public [Tor bridge](https://www.torproject.org/docs/bridges.html.en) can be configured.

### Status of Tor on OpenWRT

Tor is generally well maintained on OpenWRT and relies on community support. For detailed OpenWRT install and configuration notes, please see [OpenWRT_setup_notes](./doc/Torouter/OpenWRT_setup_notes).

### Hardware requirements

Minimum hardware requirements are:

* 64 MiB RAM (32 MiB is too low: tor crashes because of that)
* 32 MiB flash (you may want to [use a USB stick](http://wiki.openwrt.org/doc/howto/extroot) if you don't have that much flash on your router)
* A fast processor (e.g. an Atheros 700 MHz CPU is enough to route 10 Mbps over Tor, no more)

#### Buffalo WZR-HP-G300NH

This tutorial targets the Buffalo WZR-HP-G300NH ([US](http://www.amazon.com/dp/B0028ACYEK) / [UK](http://www.amazon.co.uk/dp/B0028ACYEK) / [DE](http://www.amazon.de/dp/B0028ACYEK) / [OpenWRT wiki](http://wiki.openwrt.org/toh/buffalo/wzr-hp-g300h)) hardware. See the open tickets in the Status section below for the current state. This runs OpenWRT.

Note that the CPU should prevent you from running more than ~6 Mbps over tor (to be tested).

### TP-LINK TL-WR1043ND

[TP-LINK TL-WR1043ND](http://wiki.openwrt.org/toh/tp-link/tl-wr1043nd) is also a good candidate, with a more powerful CPU than the Buffalo and a lot cheaper (~60€). Note that only v2.x and v3.x of that hardware match the hardware requirements for tor. Due to the small flash you _must_ [use a USB key for storage](http://wiki.openwrt.org/doc/howto/extroot).

## Re-flashing the stock operating system to something reproducible

At the moment, we're using a stock OpenWRT (backfire 10.03.1-rc4) build as our router base OS. In the future we will build our own images, and that build information will be added to this page when it is relevant. The default operating system for the target hardware platform is either a modified version of DD-WRT (Buffalo) or stock TP-LINK firmware. For various reasons, we want to reflash the OS to a stock OpenWRT.

### Flashing Buffalo with OpenWRT

You have mainly two "easy" options, both described in the OpenWRT wiki, to install OpenWRT on your router:

* [using ssh on the stock firmware](http://wiki.openwrt.org/toh/buffalo/wzr-hp-g300h#migrate_from_dd-wrt_to_openwrt) (modified DD-WRT)
* Alternatively, you can use the alternate method (see next section)
* Still, you can [use the TFTP](http://wiki.openwrt.org/toh/buffalo/wzr-hp-g300h#oem_installation_using_the_tftp_method) method (a bit harder)

#### Alternate buffalo flash method

If SSH cannot be enabled for any reason on the factory DD-WRT, flash the new OpenWRT image by first loading a vanilla DD-WRT image.

##### 1. Obtain shell access on the router using a vanilla DD-WRT

Download DD-WRT [from here](http://dd-wrt.com/site/support/router-database) by typing _wzr-hp-g300nh_ in the search box and downloading the "Special File for initial flashing". The filename should be something like _buffalo_to_ddwrt_webflash-MULTI.bin_. Now flash DD-WRT onto the router from the stock web interface and wait for it to boot. Note that this takes a little while, at least a minute. The DIAG LED will be lit, then it will blink, and when it is no longer lit the router is ready for action.

Go to the DD-WRT web interface by browsing to http://192.168.1.1/ (standard user: root, empty password) and enable Telnet management this way: Administration (Tab) -> Management (Tab) -> Remote Access (Group) -> Telnet. Telnet into the router using the same credentials as for the web interface.

Congratulations, you have a shell. Now on to OpenWRT.

##### 2. Once you have a remote shell on the router

Once you have a remote shell and are able to issue commands as root, this is the way to reflash your router:

```
# /tmp is RAM-backed, so the image does not need free flash space
cd /tmp
wget http://downloads.openwrt.org/backfire/10.03.1-rc4/ar71xx/openwrt-ar71xx-wzr-hp-g300nh-jffs2-sysupgrade.bin
# write the image to the "linux" partition and reboot when done (-r)
mtd -r write openwrt-ar71xx-wzr-hp-g300nh-jffs2-sysupgrade.bin linux
```

### Flashing TPLINK TL-WR1043ND with OpenWRT

The procedure is [detailed in the OpenWRT wiki](http://wiki.openwrt.org/toh/tp-link/tl-wr1043nd#installation) (works well with OpenWrt BarrierBreaker 14.07).

## Get ready to set up OpenWRT

After flashing your router, it automatically reboots into a mint OpenWRT that listens on 192.168.1.1 with a password-less telnet root shell. Connect via ethernet (you might have to manually set your interface address to something like 192.168.1.2) to one of the Buffalo's four LAN ports, log in via telnet:

```
telnet 192.168.1.1
```

and set a new root password:

```
root@OpenWrt:~# passwd
Changing password for root
New password:
Retype password:
Password for root changed by root
```

After setting a password, telnet shuts down and an SSH server starts on the router. So log out, log back in via SSH as root, and connect the router's WAN port to your home DHCP router for the rest of the setup process.

## Update and install packages

Update the package list:

```
opkg update
```

Before OpenWRT 11 you had to install the proper iptables packages. Now they are included, so if you are on OpenWRT 11 you can leave out this step:

```
opkg install iptables-mod-nat iptables-mod-nat-extra
```

Install Tor:

```
opkg install tor
```

These packages should already be installed, but if they are not, install the wireless driver and AP support packages:

```
opkg update
opkg install kmod-ath9k
opkg install wpad-mini
```

## Configuration

Now reconfigure the wireless network:

```
cat << 'EOF' > /etc/config/wireless

#
...
	option macaddr 00:88:88:88:00:2A # see http://outflux.net/geoloc/?mac=00-88-88-88-00-2A+ for the location info associated with this mac addr

EOF
```

Configure Tor as a bridge:

```
cat << 'EOF' > /etc/tor/torrc
# This is a configuration for a Tor bridge on the WAN interface
# and it also runs with a transport to allow for transparent proxying
...
DNSPort 192.168.2.1:9053
# DO NOT UNCOMMENT THIS LINE UNTIL GEOIP SUPPORT IS CONFIRMED
# GeoIPFile /etc/tor/geoip
EOF
```

Add the following only if you want/can host a public [tor bridge](https://www.torproject.org/docs/bridges.html.en) (optional).

```
cat << 'EOF' >> /etc/tor/torrc

# This is our bridge for the world to use
...
RelayBandwidthRate 100 KBytes
RelayBandwidthBurst 200 KBytes

EOF
```

Add a new network interface for the Tor wireless network:

```
cat << 'EOF' >> /etc/config/network

config interface transtor
...
	option netmask 255.255.255.0

EOF
```

Update the DHCP config to ensure that DHCP is provided for wireless clients on the transparent Tor wifi network:

```
cat << 'EOF' >> /etc/config/dhcp

config 'dhcp' 'transtor'
...
	option 'limit' '250'
	option 'leasetime' '12h'
EOF
```

Update the master firewall config:

```
cat << 'EOF' >> /etc/config/firewall

#Allow Tor Bridge incoming for censored users
...
config rule
	option dest_port 9053
	option target ACCEPT
EOF
```

Update the user supplied iptables rules:

```
cat << 'EOF' >> /etc/firewall.user

# Redirection rules for Transparent Tor
...
iptables -t nat -A PREROUTING -i wlan0 -p udp --dport 53 -j REDIRECT --to-ports
iptables -t nat -A PREROUTING -i wlan0 -p tcp --syn -j REDIRECT --to-ports 9040

EOF
```

Re-detect the wireless:

```
wifi
```

Reload the network:

```
/etc/init.d/network reload
```

Restart the firewall:

```
/etc/init.d/firewall reload
```

Start Tor:

```
/etc/init.d/tor start
```

Now your router should be a Tor bridge with port 443 open to the world on the WAN port. It will also advertise a wireless network with the SSID "Transparent Tor", and any client joining that network will be given an RFC1918 address with all of their traffic routed through Tor. Any traffic that is unsupported (non-DNS UDP, ICMP, etc.) will be rejected by the router. If this router is behind a NAT, we will not currently open the required ports, as the current OpenWRT project does not build with tor-fw-helper.
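The whole setup stands or falls on the two PREROUTING redirects in /etc/firewall.user: if the DNS redirect is missing, wireless clients resolve names straight out of the WAN, and a rule inserted ahead of the redirects exempts matching flows from Tor. The following POSIX sh check is added here (it is not part of the original page or of the Torouter project) and parses `iptables-save -t nat` output for those rules; it assumes the DNS redirect targets port 9053, the DNSPort from the torrc above, and all rule dumps in it are constructed samples, not captures from a device.

```shell
#!/bin/sh
# Checks that the two transparent-Tor redirects from /etc/firewall.user are in
# the running nat table. On the router: check_transtor_nat "$(iptables-save -t nat)"
# Port 9053 for DNS is assumed from the DNSPort line in the torrc above.

# Constructed `iptables-save -t nat` output for a correctly configured router
# (iptables-save expands --syn into the equivalent --tcp-flags match).
SAMPLE_GOOD='*nat
:PREROUTING ACCEPT [0:0]
-A PREROUTING -i wlan0 -p udp -m udp --dport 53 -j REDIRECT --to-ports 9053
-A PREROUTING -i wlan0 -p tcp -m tcp --tcp-flags FIN,SYN,RST,ACK SYN -j REDIRECT --to-ports 9040
COMMIT'

# Constructed sample with the DNS redirect missing: clients would resolve
# names straight out of the WAN, bypassing Tor (a DNS leak).
SAMPLE_DNS_LEAK='*nat
-A PREROUTING -i wlan0 -p tcp -m tcp --tcp-flags FIN,SYN,RST,ACK SYN -j REDIRECT --to-ports 9040
COMMIT'

# Constructed sample where an extra rule placed before the redirects exempts
# port 22 from them, so those flows would leave the router outside Tor.
SAMPLE_BYPASS='*nat
-A PREROUTING -i wlan0 -p tcp -m tcp --dport 22 -j RETURN
-A PREROUTING -i wlan0 -p udp -m udp --dport 53 -j REDIRECT --to-ports 9053
-A PREROUTING -i wlan0 -p tcp -m tcp --tcp-flags FIN,SYN,RST,ACK SYN -j REDIRECT --to-ports 9040
COMMIT'

# has_redirect RULES IFACE PROTO MATCH PORT: succeeds when a PREROUTING rule
# for IFACE/PROTO containing MATCH redirects to PORT (plain grep, busybox-safe).
has_redirect() {
    printf '%s\n' "$1" | grep -- '^-A PREROUTING ' | grep -- "-i $2 " \
        | grep -- "-p $3 " | grep -- "$4" | grep -q -- "-j REDIRECT --to-ports $5\$"
}

# check_transtor_nat RULES: prints "ok" when both redirects exist, otherwise
# prints which ones are missing and returns 1 (usable from cron after reloads).
check_transtor_nat() {
    missing=""
    has_redirect "$1" wlan0 tcp SYN 9040 || missing="$missing tcp->9040"
    has_redirect "$1" wlan0 udp "--dport 53 " 9053 || missing="$missing dns->9053"
    if [ -z "$missing" ]; then echo ok; return 0; fi
    echo "missing:$missing"
    return 1
}

# count_other_wlan0_prerouting RULES: number of wlan0 PREROUTING rules that are
# not one of the two expected redirects; anything above 0 deserves review.
count_other_wlan0_prerouting() {
    printf '%s\n' "$1" | grep -- '^-A PREROUTING -i wlan0 ' \
        | grep -v -- '-j REDIRECT --to-ports 9040$' | grep -vc -- '-j REDIRECT --to-ports 9053$'
}
```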

## Disk Space Problems

If you run into problems where tor crashes due to the lack of disk space (flash being so small), add the following to /etc/tor/torrc:

```
AvoidDiskWrites 1
```