=== Warning: This page is severely outdated, please fix it up ===
[[TOC]]
The following are notes on various methods of setting up and modifying the Torrouter installation on a [https://www.amazon.co.uk/Buffalo-AirStation-HighPower-Internet-Connections/dp/B0028ACYEK/ref=sr_1_1?ie=UTF8&qid=1291972032&sr=8-1 Buffalo WZR-HP-G300NH (UK)]. This setup differs in that we use an existing wireless network as our upstream internet provider. The following diagram describes the network topology (network SSIDs in grey):
[[Image(https://chart.googleapis.com/chart?cht=gv&chl=graph{bgcolor=transparent;BuffaloWifiRouter[shape=box3d];Internet[shape=ellipse%2Ccolor=%22grey%22%2Cfontcolor=%22gray%22%2Cstyle=dashed];node[shape=box%2Cstyle=filled%2Ccolor=lightgrey];OpenWrt--BuffaloWifiRouter[fontsize=10.0%2Clabel=%22192.168.1.0/24%22%2Cheadport=w]--Upstream--Internet[color=%22gray%22];BuffaloWifiRouter--Upstream[fontsize=10.0%2Clabel=%22address via DHCP%22]--Internet;TransparentTor--BuffaloWifiRouter[fontsize=10.0%2Clabel=%2210.192.0.0/10%22%2Cheadport=e];})]]
"Upstream" should be changed to the SSID of an existing wireless network. The "OpenWrt" network address range (192.168.1.0/10) and "Transparent Tor" network address range (10.192.0.0/10) are set with the assumption that they do not conflict with the "Upstream" network address.
== Installing the OpenWRT image ==
To copy the OpenWrt image, use SSH:
1. Enable a user/password for the factory DD-WRT image.
1. Enable SSH via the "Services" / "Services" menu. Save, Apply and then reboot the router.
1. Copy the image: {{{scp openwrt-ar71xx-wzr-hp-g300nh-jffs2-sysupgrade.bin <user>@192.168.11.1:/tmp/.}}}
1. or use [http://wiki.openwrt.org/doc/howto/generic.sysupgrade sysupgrade]: {{{sysupgrade -v openwrt-ar71xx-wzr-hp-g300nh-jffs2-sysupgrade.bin}}}
Wait for the device to reboot itself.
== Set up upstream wifi for internet connectivity ==
1. From http://192.168.1.1 go to the "Administration" / "Network" / "Radio0" page.
1. Click the "Enable" wireless checkbox.
1. Set up the first Interface as a new wireless network that users connect to as they would any other network. Define the ESSID (example: "'''!OpenWrt'''") and password.
1. Add a new Interface to be used to connect to an upstream wireless provider for the router's internet access. Set the ESSID to that of the upstream wireless (example: "'''Upstream'''"). Define the "Mode" as "Client" and the "Network" as "wan".
Important:
* By default the "wan" network interface is set to use DHCP. It is important that the IP provided or used for this interface is on a different network than the "lan" interface, which is 192.168.1.0/24 by default. In our case the upstream wireless network was set to use 192.168.2.0/24.
* The order of the interfaces appears to be important and the upstream connection should always be last.
Test that the connection is working by attaching to the OpenWrt wireless network and connecting to the internet.
== Set up the transtor network interface ==
1. From the "Network" / "Interfaces" page put "transtor" in the text box and click "Add entry"
1. In the interface page change the "Interface" to custom and give it the name "wlan0"
1. Under "Create / Assign firewall-zone" select "transtor"
1. Set the "Protocol" to static and fill in the IP information as follows:[[BR]]
|| Zone || IPv4-Address || IPv4-Netmask ||
|| transtor || 10.192.0.1 || 255.192.0.0 ||
1. Click "Save & Apply"
(might need to add mac addr definition?)
Set up DHCP for the interface:
1. From the "Network" / "Dhcp" page click "Add entry" with the following values:[[BR]]
|| Interface || Start || Limit || Lease time ||
|| transtor || 10 || 100 || 12h ||
1. Click "Save & Apply"
== Set up "transtor" firewall zone rules ==
1. From the "Network" / "Firewall" / "Zones" page
1. Set the "transtor" zone to Incoming=Reject, Outgoing=Accept, Forward=Reject. Leave MASQ and MSS Clamping unchecked.
1. Click "Save & Apply"
1. From the console you will need to add the {{{option 'conntrack' '1'}}} line to the transtor zone, as this option is not supported in the GUI. The resulting zone in /etc/config/firewall should look like:
{{{
config 'zone'
	option 'name' 'transtor'
	option 'input' 'REJECT'
	option 'output' 'ACCEPT'
	option 'forward' 'REJECT'
	option 'conntrack' '1'
}}}
=== Set up port rules ===
1. From the "Network" / "Firewall" / "Traffic Control" page click "Add Entry"
1. Add entries with values matching each of the following. For each entry you will also need to fill in the "Protocol" field:[[BR]]
|| Source || Destination || Protocol || Source Port || Destination Port || Action ||
Note: the 9053 port should match the DNSPort in torrc, and 9040 the TransPort in torrc.
== Set up Tor ==
1. From the "System" / "Software" page click the "Update package lists" link
1. In the "Download and install package" box enter "tor" and press "OK"
1. From the "Services" / "Initscripts" page enable the tor service
At this point tor must be configured manually from the console.
1. Telnet to the router
1. Edit /etc/tor/torrc so that its values match:[[BR]]
{{{
User tor
RunAsDaemon 1
PidFile /var/run/tor.pid
DataDirectory /var/lib/tor
# This is our bridge for the world to use
Nickname OpenWRTTorBridge
SocksPort 0
ORPort 443
BridgeRelay 1
Exitpolicy reject *:*
# This is for our transparent network
VirtualAddrNetwork 10.192.0.0/10
AutomapHostsOnResolve 1
TransPort 9040
TransListenAddress 10.192.0.1
DNSPort 9053
DNSListenAddress 10.192.0.1
# This is where we rate limit the bridge to something reasonable
RelayBandwidthRate 100 KBytes
RelayBandwidthBurst 200 KBytes
# GeoIP for stats
# DO NOT UNCOMMENT THIS LINE UNTIL GEOIP SUPPORT IS CONFIRMED
# GeoIPFile /etc/tor/geoip
# Logging:
# Log notice file /var/log/tor/notices.log
# Log debug file /var/log/tor/debug.log
}}}
Change the {{{*ListenAddress}}} options to the address of the "OpenWrt"/lan interface.
1. Restart tor: {{{# /etc/init.d/tor restart}}}
1. Depending on your version of tor you might need to edit the tor start script to handle late nameserver configuration (see below)
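Because a single port typo in the "Traffic Control" entries silently sends client DNS or TCP past Tor, the following added check (not part of the original page, and not a Tor or OpenWrt tool) cross-checks a copy of /etc/tor/torrc against a copy of /etc/config/firewall pulled from the router, run from a workstation with Python. The redirect stanzas in the sample firewall text are my assumption of how the LuCI "Traffic Control" entries look in UCI form; the zone options mirror the ones given on this page.

```python
# Constructed sample inputs modelled on this page's setup, not copied from a router.
TORRC = """\
TransPort 9040
DNSPort 9053
"""
FIREWALL = """\
config zone
    option name 'transtor'
    option forward 'REJECT'
    option conntrack '1'
config redirect
    option src 'transtor'
    option proto 'udp'
    option src_dport '53'
    option dest_port '9053'
config redirect
    option src 'transtor'
    option proto 'tcp'
    option dest_port '9040'
"""

def parse_torrc(text):
    """Lower-cased torrc keys -> values, with comments and blank lines dropped."""
    pairs = (l.split('#', 1)[0].strip().partition(' ') for l in text.splitlines())
    return {k.lower(): v.strip() for k, _, v in pairs if k}

def parse_uci(text):
    """[(section_type, {option: value}), ...] parsed from UCI config syntax."""
    sections = []
    for parts in (line.split(None, 2) for line in text.splitlines()):
        if parts[:1] == ['config']:
            sections.append((parts[1], {}))
        elif parts[:1] == ['option'] and len(parts) == 3 and sections:
            sections[-1][1][parts[1]] = parts[2].strip("'\"")
    return sections

def check(torrc_text, fw_text, zone='transtor'):
    """Return a list of problems; an empty list means torrc and firewall agree."""
    tor, uci, problems = parse_torrc(torrc_text), parse_uci(fw_text), []
    z = next((o for t, o in uci if t == 'zone' and o.get('name') == zone), {})
    if z.get('forward', '').upper() != 'REJECT':
        problems.append('zone %s must exist with forward REJECT, or clients bypass Tor' % zone)
    if z.get('conntrack') != '1':
        problems.append("zone %s needs option conntrack '1' for the redirects" % zone)
    for t, o in uci:
        if t == 'redirect' and o.get('src') == zone:
            # UDP/53 must land on DNSPort; every other redirect must land on TransPort.
            want = tor.get('dnsport') if o.get('src_dport') == '53' else tor.get('transport')
            if o.get('dest_port') != want:
                problems.append('%s redirect to %s should target %s' % (o.get('proto'), o.get('dest_port'), want))
    return problems
```

Call {{{check(open('torrc').read(), open('firewall').read())}}} on the two copied files; any non-empty result is a configuration to fix before putting clients on the "Transparent Tor" network.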
=== Unable to parse '/etc/resolv.conf' error ===
For some network setups the nameserver is not provided until the upstream network is ready, and some older versions of tor do not handle this gracefully and will fail to start. Modify /etc/init.d/tor and place a loop in front of the tor command that delays its start until a nameserver has been configured:
{{{
# Insert a wait loop before the line that launches tor, so the daemon only
# starts once /etc/resolv.conf carries a nameserver entry
sed -i -e 's|$BIN $OPTIONS|until grep -q "nameserver" /etc/resolv.conf; do sleep 10; done\n\t$BIN $OPTIONS|' /etc/init.d/tor
}}}
== Set up "Transparent Tor" access point ==
1. From [http://192.168.1.1/ http://192.168.1.1] go to the "Administration" / "Network" / "Radio0" page.
1. Add a new Interface with the following values:[[BR]]
|| ESSID || Network || Mode || Encryption ||
|| Transparent Tor || transtor || Access Point || No Encryption ||
1. Click "Save & Apply"
== Miscellaneous Options ==
=== Remote control with Vidalia ===
This is not recommended: the Tor control connection is not encrypted, and opening it over unprotected wifi is not advised. However, to set this up you must:
1. Set up the tor Control Port, Address and Hashed password
1. Set up a wireless router firewall rule to pass the Control port through and to NOT forward this connection through tor
1. Set up the Vidalia client
==== Set up tor ====
1. Generate HashedControlPassword (example):[[BR]]# tor --hash-password examplepassword[[BR]]!16:6300B3DF2CDBCAD6605794581971326F4A03437A7502490A133B96966F
1. In Vidalia's settings, change the tor binary location to be empty (or you might need to point it at an unrelated binary such as cmd.exe or /Applications/Utilities/Terminal.app/Contents/MacOS/Terminal)
1. Change the Control Address and Port to 10.192.0.1 and 9051
1. Restart Vidalia
=== Change Transparent Tor to password protected ===
Does not seem to work. When enabling encryption on the Transparent Tor AP, both the OpenWrt and Transparent Tor APs fail to initialize. Perhaps the Buffalo router cannot handle more than two encrypted channels (the Upstream AP and the OpenWrt AP).