Skip to content

Changes

Page history
Raw import from Trac using Trac markup language. authored by Alexander Hansen Færøy's avatar Alexander Hansen Færøy
Hide whitespace changes
Inline Side-by-side
doc/Torouter/OpenWRT_setup_notes.md 0 → 100644
View page @ 53a16e3a
=== Warning: This page is severly outdated, please fix it up ===
[[TOC]]
The following are notes for varying methods of setup and modifications to the Torrouter installation on a [https://www.amazon.co.uk/Buffalo-AirStation-HighPower-Internet-Connections/dp/B0028ACYEK/ref=sr_1_1?ie=UTF8&qid=1291972032&sr=8-1 Buffalo WZR-HP-G300NH (UK)]. This setup differs in that we will use an existing wireless network as our upstream internet provider. The following diagram describes the network topology (network SSID's in grey):
[[Image(https://chart.googleapis.com/chart?cht=gv&chl=graph{bgcolor=transparent;BuffaloWifiRouter[shape=box3d];Internet[shape=ellipse%2Ccolor=%22grey%22%2Cfontcolor=%22gray%22%2Cstyle=dashed];node[shape=box%2Cstyle=filled%2Ccolor=lightgrey];OpenWrt--BuffaloWifiRouter[fontsize=10.0%2Clabel=%22192.168.1.0/24%22%2Cheadport=w]--Upstream--Internet[color=%22gray%22];BuffaloWifiRouter--Upstream[fontsize=10.0%2Clabel=%22address via DHCP%22]--Internet;TransparentTor--BuffaloWifiRouter[fontsize=10.0%2Clabel=%2210.192.0.0/10%22%2Cheadport=e];})]]
"Upstream" should be changed to the SSID of an existing wireless network. The "OpenWrt" network address range (192.168.1.0/10) and "Transparent Tor" network address range (10.192.0.0/10) are set with the assumption that they do not conflict with the "Upstream" network address.
== Installating the OpenWRT image ==
To copy the openwrt image use SSH:
1. Enable a user/password for the factory DD-WRT image
1. Enable SSH via the "Services" / "Services" menu. Save, Apply and then reboot the router.
1. Copy the image: scp openwrt-ar71xx-wzr-hp-g300nh-jffs2-sysupgrade.bin <user>@192.168.11.1:/tmp/.
1. Install the image:
1. ssh <user>@192.168.11.1
1. # cd /tmp
1. # mtd -r write openwrt-ar71xx-wzr-hp-g300nh-jffs2-sysupgrade.bin firmware
1. or use "[http://wiki.openwrt.org/doc/howto/generic.sysupgrade sysupgrade] -v openwrt-ar71xx-wzr-hp-g300nh-jffs2-sysupgrade.bin"
Wait for the device to reboot itself.
== Setup upstream wifi for internet connectivity ==
1. From http://192.168.1.1 go to the "Administration" / "Network" / "Radio0" page.
1. Click the "Enable" wireless checkbox.
1. Setup the first Interface to be a new wireless network that users connect to as they would any other network. Define the ESSID (example: "'''!OpenWrt'''") and password.
1. Add a new Interface to be used to connect to an upstream wireless provider for the routers internet access. Set the ESSID to that of the upstream wireless (example: "'''Upstream'''"). Define the "Mode" as "Client" and the "Network" as "wan".
Important:
* By default the "wan" network interface is set to use DHCP. It is important that the IP provided or used for this interface is on a different network than the "lan" interface, which is 192.168.1.0/24 by default. In our case the upstream wireless network was set to use 192.168.2.0/24.
* The order of the interfaces appears to be important and the upstream connection should always be last.
Test that the connection is working by attaching to the OpenWrt wireless network and connecting to the internet.
== Setup the transtor network interface ==
1. From the "Network" / "Interfaces" page put "transtor" in the text box and click "Add entry"
1. In the interface page change the "Interface" to custom and give it the name "wlan0"
1. Under "Create / Assign firewall-zone" select "transtor"
1. Set the the "Protocol" as static set the IP information as follows:[[BR]]
|| Zone || IPv4-Address || IPv4-Netmask ||
|| transtor || 10.192.0.1 || 255.192.0.0 ||
1. Click "Save & Apply"
(might need to add mac addr definition?)
Setup dhcp for interface:
1. From the "Network" / "Dhcp" page click "Add entry" with the following values:[[BR]]
|| Interface || Start || Limit || Lease time ||
|| transtor || 10 || 100 || 12h ||
1. Click "Save & Apply"
== Setup "transtor" firewall zone rules ==
1. From the "Network" / "Firewall" / "Zones" page
1. Set the "transtor" zone to Incoming=Reject, Outgoing=Accept, Forward=Reject. Leave MASQ and MSS Clamping unchecked.
1. Click "Save & Apply"
1. From the console you will need to add the " conntrack '1' " option to the transtor zone as this option is not supported in the GUI:
{{{
config 'zone'
option 'name' 'transtor'
option 'input' 'REJECT'
option 'output' 'ACCEPT'
option 'forward' 'REJECT'
option 'conntrack' '1'
}}}
=== Setup port rules: ===
1. From the "Network" / "Firewall" / "Traffic Control" page click "Add Entry"
1. Add entries with values matching each of the following. For each entry you will need to add the "Protocol" field::[[BR]]
|| Source || Destination || Protocol || Source Port || Destination Port || Action ||
|| wan || Device || tcp || || 443 || Accept ||
|| transtor || Device || udp || || 67 || Accept ||
|| transtor || Device || tcp || || 9040 || Accept ||
|| transtor || Device || udp || || 9053 || Accept ||
1. Click "Save & Apply"
=== Setup traffic redirection: ===
1. From the console (no GUI support) telnet to the router and execute:[[BR]]
{{{
opkg install iptables-mod-nat iptables-mod-nat-extra
}}}
{{{
cat << 'EOF' >> /etc/firewall.user
# Redirection rules for Transparent Tor
iptables -t nat -A PREROUTING -i wlan0 -p udp --dport 53 -j REDIRECT --to-ports 9053
iptables -t nat -A PREROUTING -i wlan0 -p tcp --syn -j REDIRECT --to-ports 9040
EOF
}}}
Note: the 9053 port should match the DNSPort from torrc and 9040 the TransPort from torrc.
== Setup Tor ==
1. From the "System" / "Software" page click the "Update package lists" link
1. In the "Download and install package" enter "tor" and press "OK"
1. From the "Services" / "Initscripts" enable the tor service
At this point tor must be configured manually from the console.
1. telnet to the router
1. edit /etc/tor/torrc values to match:[[BR]]
{{{
User tor
RunAsDaemon 1
PidFile /var/run/tor.pid
DataDirectory /var/lib/tor
# This is our bridge for the world to use
Nickname OpenWRTTorBridge
SocksPort 0
ORPort 443
BridgeRelay 1
Exitpolicy reject *:*
# This is for our transparent network
VirtualAddrNetwork 10.192.0.0/10
AutomapHostsOnResolve 1
TransPort 9040
TransListenAddress 10.192.0.1
DNSPort 9053
DNSListenAddress 10.192.0.1
# This is where we rate limit the bridge to something reasonable
RelayBandwidthRate 100 KBytes
RelayBandwidthBurst 200 KBytes
# GeoIP for stats
# DO NOT UNCOMMENT THIS LINE UNTIL GEOIP SUPPORT IS CONFIRMED
# GeoIPFile /etc/tor/geoip
# Logging:
# Log notice file /var/log/tor/notices.log
# Log debug file /var/log/tor/debug.log
}}}
Change the **ListenAddress to the address of the "OpenWrt"/lan interface
1. restart tor: # /etc/init.d/tor restart
1. depending on your version of tor you might need to edit the tor start script to handle late nameserver configuration (see below)
=== Unable to parse '/etc/resolv.conf' error ===
For some network setups the namserver is not given until the upstream network is read and some older versions of tor do not handle this gracefully and will fail to start. Modify /etc/init.d/tor and place loop that delays the start of tor until the nameserver has been configured.
{{{
sed -i -e 's/$BIN $OPTIONS/while [ -z `grep "nameserver" \/etc\/resolv.conf` ] ; do sleep 10; done;\n\t$BIN $OPTIONS/' /etc/init.d/tor
}}}
== Setup "Transparent Tor" access point ==
1. From [http://192.168.1.1/ http://192.168.1.1] go to the "Administration" / "Network" / "Radio0" page.
1. Add a new Interface with the following values:[[BR]]
|| ESSID || Network || Mode || Encryption ||
|| Transparent Tor || transtor || Access Point || No Encryption ||
1. Click "Save & Apply"
== Miscellaneous Options ==
=== Remote control with Vidalia ===
This is not recommended. The Control connection of Tor is not encrypted and opening it over unprotected wifi is not advised. However, to set this up we must:
1. Setup tor Control Port, Addr and Hash password
1. Setup wireless router firewall rule to pass through Control port and to NOT forward this connection through tor
1. Setup Vidalia client
==== Setup tor ====
1. Generate HashedControlPassword (example):[[BR]]# tor --hash-password examplepassword[[BR]]!16:6300B3DF2CDBCAD6605794581971326F4A03437A7502490A133B96966F
1. Add /etc/tor/rc:[[BR]]
{{{
ControlPort 9051
ControlListenAddress 10.192.0.1
HashedControlPassword 16:6300B3DF2CDBCAD6605794581971326F4A03437A7502490A133B96966F
}}}
1. Restart tor:[[BR]]# /etc/init.d/tor restart
==== Setup wireless router firewall ====
1. Add to /etc/config/firewall:[[BR]]
{{{
config 'rule'
option 'src' 'transtor'
option 'proto' 'tcp'
option 'dest_port' '9051'
option 'target' 'ACCEPT'
}}}
1. Change /etc/firewall.user to:[[BR]]
{{{
# Redirection rules for Transparent Tor
iptables -t nat -A PREROUTING -i wlan1 -p udp --dport 53 -j REDIRECT --to-ports 9053
# iptables -t nat -A PREROUTING -i wlan1 -p tcp --syn -j REDIRECT --to-ports 9040
# So that we can setup local control port
iptables -t nat -A PREROUTING -i wlan1 -p tcp ! -d 10.192.0.1 --syn -j REDIRECT --to-ports 9040
}}}
1. Restart firewall:[[BR]]# /etc/init.d/firewall restart
==== Setup Vidalia client ====
1. In the settings change the tor binary location to be nothing (or you might need to add a random binary such as cmd.exe or /Applications/Utilities/Terminal.app/Contents/MacOS/Terminal)
1. Change the Control Port and Address to 10.192.0.1 and 9051
1. Restart Vidalia
=== Change Transparent Tor to password protected ===
Does not seem to work. When enabling encryption on the Transparent Tor AP both the OpenWrt and Transparent Tor AP's fail to initialize. Perhaps the Buffalo router cannot handle more than two encrypted channels (The Upstream AP and OpenWrt AP)
=== Hardware assisted Software 'brick prevention ===
It would be 'neat' to use the reset button to reinstall and reconfigure the router to a base image.
This would allow most non-technical (and technical) from having to open up their devices.
This feature 'mostly' works on ddwrt and there is a /sys gpio entry on openwrt - so hopefully this won't be hard to implement.
It should also be noted that some device (the A0 A2) revision (it seems) cannot simply be tftp booted to 'unbrick' them.
(this may be a quirk in the uboot settings for the specific hardware I have though).
=== Building a custom Image ===
{{{XXX: FIX THIS UP WITH ACTUAL VALID COMPLETE CONFIGS ETC.}}}
As per http://wiki.openwrt.org/doc/howto/build
{{{
mkdir OpenWrt/
cd OpenWrt/
svn co svn://svn.openwrt.org/openwrt/branches/backfire
#for packages
cd backfire_10.03
./scripts/feeds update -a
./scripts/feeds install -a
make menuconfig
# the configuration should have at least the following selected
CONFIG_TARGET_ar71xx=y
CONFIG_TARGET_ar71xx_WZRHPG300NH=y
CONFIG_TARGET_BOARD="ar71xx"
...
CONFIG_LINUX_2_6_32=y
CONFIG_DEFAULT_base-files=y
CONFIG_DEFAULT_busybox=y
CONFIG_DEFAULT_dnsmasq=y
CONFIG_DEFAULT_dropbear=y
CONFIG_DEFAULT_kmod-ath9k=y
CONFIG_DEFAULT_mtd=y
CONFIG_DEFAULT_opkg=y
...
CONFIG_DEFAULT_wpad-mini=y
...
CONFIG_PACKAGE_tor=y
}}}
== The following 'files' directory could be put into some kind of version control. (along with a working .config) ==
Then you can put the pre-configured network settings into the image like this:
{{{
mkdir -p files/etc/config/
mkdir -p files/etc/tor
cat << 'EOF' >> files/etc/config/network
config interface lan
option ifname eth0
option proto static
option ipaddr 192.168.1.1
option netmask 255.255.255.0
option defaultroute 0
option peerdns 0
option type bridge
config interface transtor
option ifname "wlan0"
option proto static
option ipaddr 192.168.2.1
option netmask 255.255.255.0
EOF
cat << 'EOF' > files/etc/config/wireless
#
# XXX TODO: We want to ensure the wireless AP has a static MAC
# This will ensure that no GeoIP database of MAC addresses can locate a client
# leaking MAC data.
#
config wifi-device radio0
option type mac80211
option channel 11
option phy phy0
option hwmode 11ng
option htmode HT20
list ht_capab SHORT-GI-40
list ht_capab DSSS_CCK-40
# REMOVE THIS LINE TO ENABLE WIFI:
# option disabled 1
config wifi-iface
option device radio0
option network transtor
option mode ap
option ssid 'Transparent Tor'
option encryption none
option macaddr 00:88:88:88:00:2A # see http://outflux.net/geoloc/?mac=00-88-88-88-00-2A+ for the location info associated with this mac addr
EOF
cat << 'EOF' >> files/etc/config/dhcp
config 'dhcp' 'transtor'
option 'interface' 'transtor'
option 'start' '23'
option 'limit' '250'
option 'leasetime' '12h'
EOF
}}}
Tor configuration:
{{{
cat << 'EOF' > files/etc/tor/torrc
# This is a configuration for a Tor bridge on the WAN interface
# and it also runs with a transport to allow for transparent proxying
# on a specific wireless interface.
#
User tor
RunAsDaemon 1
PidFile /var/run/tor.pid
DataDirectory /var/lib/tor
# This is our bridge for the world to use
Nickname OpenWRTTorBridge
SocksPort 0
ORPort 443
BridgeRelay 1
Exitpolicy reject *:*
# This is for our transparent network
VirtualAddrNetwork 10.192.0.0/10
AutomapHostsOnResolve 1
TransPort 9040
TransListenAddress 192.168.2.1
DNSPort 9053
DNSListenAddress 192.168.2.1
# This is where we rate limit the bridge to something reasonable
RelayBandwidthRate 100 KBytes
RelayBandwidthBurst 200 KBytes
# GeoIP for stats
# DO NOT UNCOMMENT THIS LINE UNTIL GEOIP SUPPORT IS CONFIRMED
# GeoIPFile /etc/tor/geoip
EOF
}}}
Firewall:
{{{
cat << 'EOF' >> files/etc/config/firewall
#Allow Tor Bridge incoming for censored users
config rule
option src wan
option proto tcp
option dest_port 443
option target ACCEPT
config zone
option name transtor
option input REJECT
option output ACCEPT
option forward REJECT
option syn_flood 1
option conntrack 1 #this setting is mandatory
# Allow Transparent clients the ability to DHCP an address
# XXX TODO: Audit this to ensure it doesn't leak UDP port 67 to the net!
config rule
option src transtor
option proto udp
option dest_port 67
option target ACCEPT
# Tor transparent-proxy-port (set in /etc/tor/torrc)
config rule
option src transtor
option proto tcp
option dest_port 9040
option target ACCEPT
# Tor DNS-proxy-port (set in /etc/tor/torrc)
config rule
option src transtor
option proto udp
option dest_port 9053
option target ACCEPT
EOF
cat << 'EOF' >> files/etc/firewall.user
# Redirection rules for Transparent Tor
iptables -t nat -A PREROUTING -i wlan0 -p udp --dport 53 -j REDIRECT --to-ports 9053
iptables -t nat -A PREROUTING -i wlan0 -p tcp --dport ! 53 --syn -j REDIRECT --to-ports 9040
EOF
}}}
Then enter:
{{{
make
}}}
After '''make''' finishes images can be found in the '''bin/''' folder.