User Tools

Site Tools


TCP LAN/Wifi transparent routing via Tor

Tor is a popular anonymization proxy which allows to route TCP connections over several nodes before they reach the desired target. There are hidden services with names ending by .onion which are available only via Tor.

Tor is commonly used from a local host where it runs as a SOCKS5 proxy. This guide shows the setup where each client connected from the LAN or the Turris router WiFi has all TCP connection routed via Tor.

This guide is intended for advanced users. It essentially modifies transport routing in Turris and may lead to network malfunction if managed unwarily. Routing via Tor may have higher error rate which may be manifested e.g. by temporary DNS resolution failures.

Introduction to the Tor anonymization network

Tor is an anonymization network which uses a special routing method called onion routing. Each node can use its own decrypting key to remove one “layer of the onion” and to send a packet to the next node but don't know where the final packet destination is (after “scaling all layers of the onion”). For making familiar with Tor, it is suitable to install Tor Browser Bundle which is the Firefox Web Browser specially modified to use Tor by default.

To ensure anonymity, it is essential to figure out that “stream crossing” mus be avoided. If you use the same browser with Tor and without it the ISP and web servers can identify you using cookies. The same applies for DNS as well. You can't use a common DNS because although the data walk through Tor the DNS queries disclose where you connect to. The guide bellow routes DNS via Tor but you need to beware secure using of browsers and other application on you own. The TorProject has a relatively detailed page with answers for various uses of Tor.

One of the protocols where Tor is not recommended to use is BitTorrent because BitTorrent discloses your real IP address inside the protocol itself (it is necessary to work properly).

You can find out that browsing via Tor is slower (especially the latency is much worser) than a “standard” broadband Internet connection. Your packet may run around the Earth twice before they reach the destination. The network is operated by volunteers and it's better to avoid big transfers (GBs and more).

As noted above, routing the whole home LAN traffic via Tor would be unappropriate. It is possible to separate some part of the network (e.g. WiFi or a specific router port) for routing via Tor which is described in the last part of the guide.

Important notice

Transparent routing via tor has the following limitations:

  • DNS can resolve only A and PTR records (which suffices for simple browsing)
  • DNS runs only over UDP
  • UDP traffice out of the LAN is completely blocked
  • internal programs in Turris still communicate over the “standard Internet”, only the LAN/Wifi communication is routed via Tor
  • disabling IPv6 is strongly recommended
  • it is supposed that the internal interface has the original address 192.168.1.1 (you can change it in the settings bellow)

LAN communication routing over Tor is experimental and it doesn't itself ensure anonymity on the network. For example, a browser in a mobile phone doesn't know that it communicate over Tor and use the same cookies as usually. Similarly, many protocols may disclose the real IP address. Due to these reasons it is better to use Tor Browser Bundle.

Tor installation

The installation is done in the Foris interface. In the “Updater” section, check “Tor” and press “Save”. But this operation only installs the Tor packages. The next step is to use a command line, e.g. via SSH.

Edit the /etc/tor/torrc file to accomplish this appearance:

User tor
DataDirectory /var/lib/tor
Log notice file /var/log/tor/notices.log

VirtualAddrNetwork 10.192.0.0/10
AutomapHostsOnResolve 1
TransPort 192.168.1.1:9040
DNSPort 192.168.1.1:9053

Tor should be started now and be set to start automatically:

/etc/init.d/tor start
/etc/init.d/tor enable

Redirecting LAN traffic using iptables

Redirection settings are done by adding the following lines into the /etc/firewall.user file:

# Turris version
source /etc/openwrt_release

# Tor's TransPort
_trans_port=9040

# internal interface
_int_if=br-lan

_non_tor="127.0.0.0/8 10.0.0.0/8 172.16.0.0/12 192.168.0.0/16"

# external interface
if [ "$DISTRIB_CODENAME" == "omnia" ]; then
	_ext_if=eth1
else
	_ext_if=eth2
fi

#allow lan access for hosts in $_non_tor
for _lan in $_non_tor; do
        iptables -t nat -A PREROUTING -i $_int_if -d $_lan -j RETURN
done

#DNSPort runs only on UDP
iptables -t nat -A PREROUTING -i $_int_if -p udp --dport 53 -j REDIRECT --to-ports 9053
#Transparent routing through Tor's TransPort
iptables -t nat -A PREROUTING -i $_int_if -p tcp --syn -j REDIRECT --to-ports $_trans_port
#Prevent UDP traffic from being forwarded
iptables -I FORWARD -i $_int_if -p udp -o $_ext_if -j DROP

Finally we run a command which applies the new firewall rules:

fw3 restart

Now, all IPv4 TCP traffic from LAN and WiFi including the special .onion pseudo-domain is redirected to Tor.

Disabling IPv6

Due to the fact that IPv6 traffic is not redirected it it recommended to disable it. It is accomplished by:

sysctl -w net.ipv6.conf.all.disable_ipv6=1
sysctl -w net.ipv6.conf.default.disable_ipv6=1

Furthermore these lines which disable IPv6 after reboot should be added to/etc/sysctl.conf:

net.ipv6.conf.all.disable_ipv6=1
net.ipv6.conf.default.disable_ipv6=1

Restoring "normal" LAN routing

Remove the lines from the /etc/firewall.user which were added before. Then restart the firewall:

fw3 restart

IPv6 can be re-activated by removing the lines added to /etc/sysctl.conf. The router can be eventually restarted.

Routing only a part of the LAN/WiFi

The iptables can be modified to route only a part of connections from the LAN or the WiFi. If you want to change _int_if to some of specific interfaces such as eth0, eth1 or wlan0 inside the iptables script it it necessary to remove the given interface from the br-lan bridge first. It is accomplished by editting /etc/config/network for the LAN or /etc/config/wireless for the WiFi. After editting, apply the new configuration by executing /etc/init.d/network restart.

As long as the interfaces are in the bridge, iptables can see the connections as to be originated in br-lan. You probably want to set an address of the “debridged” interface and to add its setting to the DHCP (/etc/config/dhcp).

The guide describing how to detach an interface from the bridge to a separate network (VLAN) is in the Advanced VLAN settings article. Remember to also update IP addresses in /etc/tor/torrc to listen on the newly detached interface.