en:howto:tor [2019/05/20 16:16] (current)
ljelinek created
====== TCP LAN/Wifi transparent routing via Tor ======

Tor is a popular anonymization proxy which routes TCP connections over several nodes before they reach the desired target. There are //hidden services// with names ending in ''.onion'' which are available only via Tor.

Tor is commonly used from a local host where it runs as a SOCKS5 proxy. This guide shows a setup where every client connected from the LAN or the Turris router WiFi has all of its TCP connections routed via Tor.

<WRAP center tip 80%>
This guide is intended for advanced users. It substantially modifies transport routing in Turris and may lead to network malfunction if handled carelessly. Routing via Tor may have a higher error rate, which may manifest e.g. as temporary DNS resolution failures.
</WRAP>

===== Introduction to the Tor anonymization network =====

Tor is an anonymization network which uses a special routing method called [[https://cs.wikipedia.org/wiki/Tor_%28software%29 | onion routing]]. Each node uses its own decryption key to remove one "layer of the onion" and forwards the packet to the next node, but it does not know where the final destination of the packet is (revealed only after "peeling all layers of the onion"). To get familiar with Tor, a good start is to install the [[http://www.root.cz/clanky/tor-browser-anonymni-fork-firefoxu/ | Tor Browser Bundle]], which is the Firefox web browser specially modified to use Tor by default.

To ensure anonymity, it is essential to understand that "stream crossing" must be avoided. If you use the same browser with Tor and without it, the ISP and web servers can identify you using cookies. The same applies to DNS as well. You can't use a common DNS resolver, because although the data travels through Tor, the DNS queries disclose where you connect to. The guide below routes DNS via Tor, but you have to take care of the secure use of browsers and other applications on your own. The Tor Project has a relatively detailed [[https://www.torproject.org/docs/faq.html.en | page with answers for various uses of Tor]].

One of the protocols for which Tor is not recommended is BitTorrent, because [[https://blog.torproject.org/blog/bittorrent-over-tor-isnt-good-idea |BitTorrent discloses your real IP address inside the protocol itself]] (the protocol needs it to work properly).

You will find that browsing via Tor is slower (especially the latency is much worse) than a "standard" broadband Internet connection. Your packets may travel around the Earth twice before they reach the destination. The network is operated by volunteers and it's better to avoid big transfers (GBs and more).

As noted above, routing the whole home LAN traffic via Tor would be inappropriate. It is possible to separate a part of the network (e.g. the WiFi or a specific router port) for routing via Tor, which is described in the last part of the guide.

===== Important notice =====

Transparent routing via Tor has the following limitations:

  * DNS can resolve only A and PTR records (which suffices for simple browsing)
  * DNS runs only over UDP
  * UDP traffic out of the LAN is completely blocked
  * internal programs in Turris still communicate over the "standard Internet", only the LAN/Wifi communication is routed via Tor
  * disabling IPv6 is strongly recommended
  * it is assumed that the internal interface has the original address 192.168.1.1 (you can change it in the settings below)

<WRAP center important 80%>
LAN communication routing over Tor is experimental and by itself does not ensure anonymity on the network. For example, a browser in a mobile phone doesn't know that it communicates over Tor and uses the same cookies as usual. Similarly, many protocols may disclose the real IP address. For these reasons it is better to use the [[https://www.torproject.org/projects/torbrowser.html.en | Tor Browser Bundle]].
</WRAP>

===== Tor installation =====

The installation is done in the Foris interface. In the "Updater" section, check "Tor" and press "Save". But this operation only installs the Tor packages. The next step is done from the command line, e.g. via SSH.

Edit the ''/etc/tor/torrc'' file so that it looks like this:

<file>
User tor
DataDirectory /var/lib/tor
Log notice file /var/log/tor/notices.log

# .onion names resolved through DNSPort get a placeholder address from this range
VirtualAddrNetwork 10.192.0.0/10
AutomapHostsOnResolve 1
# transparent proxy and DNS listeners on the LAN address; the ports must match the firewall rules
TransPort 192.168.1.1:9040
DNSPort 192.168.1.1:9053
</file>

Tor should be started now and set to start automatically:

  /etc/init.d/tor start
  /etc/init.d/tor enable


===== Redirecting LAN traffic using iptables =====

Redirection settings are done by adding the following lines into the ''/etc/firewall.user'' file:

<file>
# Turris version (sets DISTRIB_CODENAME)
. /etc/openwrt_release

# Tor's TransPort and DNSPort (must match /etc/tor/torrc)
_trans_port=9040
_dns_port=9053

# internal interface
_int_if=br-lan

# destinations which are never sent through Tor (the router itself and private networks)
_non_tor="127.0.0.0/8 10.0.0.0/8 172.16.0.0/12 192.168.0.0/16"

# external interface
if [ "$DISTRIB_CODENAME" = "omnia" ]; then
    _ext_if=eth1
else
    _ext_if=eth2
fi

# allow direct LAN access for destinations in $_non_tor
for _lan in $_non_tor; do
    iptables -t nat -A PREROUTING -i $_int_if -d $_lan -j RETURN
done

# DNSPort runs only on UDP
iptables -t nat -A PREROUTING -i $_int_if -p udp --dport 53 -j REDIRECT --to-ports $_dns_port
# transparent routing through Tor's TransPort (new TCP connections only)
iptables -t nat -A PREROUTING -i $_int_if -p tcp --syn -j REDIRECT --to-ports $_trans_port
# prevent any other UDP traffic from leaving the LAN around Tor
iptables -I FORWARD -i $_int_if -p udp -o $_ext_if -j DROP
</file>

Finally, run the command which applies the new firewall rules:

  fw3 restart

Now all IPv4 TCP traffic from the LAN and WiFi, including the special ''.onion'' pseudo-domain, is redirected to Tor.
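A consistency check worth running after editing either file (an added example script, not part of this guide): iptables REDIRECT delivers the LAN traffic to the address of the incoming interface, so Tor's TransPort and DNSPort must listen on exactly that address and on the ports the firewall rules use, otherwise clients see refused connections or silent DNS failures. The script assumes the ''TransPort addr:port'' and ''DNSPort addr:port'' syntax shown above and compares a torrc file with values given as arguments.

```shell
#!/bin/sh
# Added example (not part of the Turris guide): verify that the listeners in
# torrc match the address and ports the firewall.user rules redirect to.
# REDIRECT rewrites the destination to the incoming interface's address
# (192.168.1.1 in this guide), so Tor must bind exactly there.
# Assumption: "TransPort addr:port" / "DNSPort addr:port" syntax; a bare
# "TransPort 9040" means Tor binds to 127.0.0.1 (Tor's default).

# Print "addr port" for the first torrc line whose keyword is $2.
torrc_listener() {  # $1 = torrc path, $2 = TransPort or DNSPort
    awk -v k="$2" '$1 == k {
        n = split($2, a, ":")
        if (n == 2) print a[1], a[2]; else print "127.0.0.1", a[1]
        exit
    }' "$1"
}

# Return 0 when torrc agrees with the firewall values, 1 (with reasons) otherwise.
check_tor_redirect() {  # $1 = torrc, $2 = LAN address, $3 = TransPort, $4 = DNSPort
    rc=0
    for spec in "TransPort $3" "DNSPort $4"; do
        key=${spec%% *}
        want=${spec#* }
        line=$(torrc_listener "$1" "$key")
        if [ -z "$line" ]; then
            echo "$key: not configured in $1"; rc=1; continue
        fi
        addr=${line% *}
        port=${line#* }
        if [ "$port" != "$want" ]; then
            echo "$key: torrc listens on port $port, firewall redirects to $want"; rc=1
        fi
        if [ "$addr" != "$2" ]; then
            echo "$key: bound to $addr, but REDIRECT delivers traffic to $2"; rc=1
        fi
    done
    return $rc
}

# Dry run on a constructed torrc with the values from this guide.
tmp=$(mktemp)
cat > "$tmp" <<'EOF'
VirtualAddrNetwork 10.192.0.0/10
AutomapHostsOnResolve 1
TransPort 192.168.1.1:9040
DNSPort 192.168.1.1:9053
EOF
check_tor_redirect "$tmp" 192.168.1.1 9040 9053 && echo "torrc and firewall.user agree"
rm -f "$tmp"
```

On the router, call ''check_tor_redirect /etc/tor/torrc 192.168.1.1 9040 9053'' with the address and ports you actually configured; a non-zero exit status lists each mismatch.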

===== Disabling IPv6 =====

Because IPv6 traffic is not redirected, it is recommended to disable it. This is accomplished by:

  sysctl -w net.ipv6.conf.all.disable_ipv6=1
  sysctl -w net.ipv6.conf.default.disable_ipv6=1

Furthermore, these lines, which keep IPv6 disabled after a reboot, should be added to ''/etc/sysctl.conf'':

<file>
net.ipv6.conf.all.disable_ipv6=1
net.ipv6.conf.default.disable_ipv6=1
</file>

===== Restoring "normal" LAN routing =====

Remove the lines which were added to ''/etc/firewall.user''. Then restart the firewall:

  fw3 restart

IPv6 can be re-activated by removing the lines added to ''/etc/sysctl.conf''. The router can then be restarted.

===== Routing only a part of the LAN/WiFi =====

The iptables rules can be modified to route only a part of the connections from the LAN or the WiFi. If you want to change ''_int_if'' to a specific interface such as ''eth0'', ''eth1'' or ''wlan0'' inside the iptables script, it is necessary to remove the given interface from the ''br-lan'' bridge first. This is accomplished by editing ''/etc/config/network'' for the LAN or ''/etc/config/wireless'' for the WiFi. After editing, apply the new configuration by executing ''/etc/init.d/network restart''.

As long as the interfaces are in the bridge, iptables sees the connections as originating from ''br-lan''. You will probably want to set an address for the "debridged" interface and add its settings to the DHCP configuration (''/etc/config/dhcp'').

The guide describing how to detach an interface from the bridge to a separate network (VLAN) is in the [[:cs:howto:advanced_vlan_settings|Advanced VLAN settings]] article. Remember to also update the IP addresses in ''/etc/tor/torrc'' so that Tor listens on the newly detached interface.