Anonymous transparent proxy through Tor on OpenWRT/LEDE

In some public places we want to use the Internet without someone watching us, be it the local provider, hotel personnel or somebody else. With Tor we can build a small machine that acts as a transparent proxy for simple services such as browsing, e-mail and chat. In my case I use a WRAP board with two WiFi cards running the OpenWRT/LEDE operating system.

There is only one aim: to hide the connection from the "first mile" of the Internet. No dark web, no hacking, … only privacy.

Limitations: no UDP and limited access to some services. If you don't know how Tor works, please study it first.

You can read about the WRAP board, OpenWRT/LEDE and the Tor project on my other pages:
Building OpenWRT
OpenWRT at Mikrotik Routerboard 512
Rescue of the PC Engines WRAP 2C
PC Engines WRAP 2 memory upgrade
Hidden Services for Tor

Technical details

Hardware

  • PC Engines WRAP board with two WiFi cards, one 100 Mbps Ethernet RJ-45 connector and one serial port (RS-232).
  • Two compatible WiFi cards (mini PCI) – Atheros.

You can also use any other piece of hardware, which has similar properties.

Software

  • Operating system: OpenWRT/LEDE (or any other GNU/Linux) with iptables, odhcpd, dropbear, hostapd, wpa_supplicant, udhcpc, dnsmasq.
  • Tor project service.

Final configuration

The black box connects to the Internet (WAN) over the second WiFi card (wlan1). The first WiFi card (wlan0) and the Ethernet port (eth0) are bridged as br-lan and used for client access, so a local computer can also be connected through the Ethernet port.

How it works

Put simply, data packets from clients are redirected to Tor, encapsulated, encrypted and sent over the network.

First use on the site:

  1. The system boots;
  2. wlan0 and eth0 start automatically;
  3. the DHCP server starts automatically on the br-lan interface (bridge of eth0 and wlan0); it is now possible to connect via WiFi or Ethernet, but there is no Internet access yet;
  4. the user logs in to the box as root with an SSH client;
  5. the user configures Internet access through wlan1 and reboots the box;
  6. done.

Now we can use our black box for private surfing.

Configuration

System

First of all, set a password for the root account.

Next, the system parameters have to be configured. The Tor service needs accurate time, so the first thing is the configuration of NTP servers:

config system
        option hostname anongw-my
        option timezone 'CET-1CEST,M3.5.0,M10.5.0/3'
        option zonename 'Europe/Prague'
        option conloglevel '8'
        option cronloglevel '8'
        option log_size '64'

config timeserver ntp
        list server     pool.ntp.org
        list server     129.6.15.28
        list server     24.56.178.140
        list server     81.168.77.149
        list server     192.12.19.20
        list server     131.215.239.14
        option enabled 1
        option enable_server 1

config rngd
        option enabled '0'
        option device '/dev/urandom'

Network

The network parameters specify mainly the network type and IP addresses:

config interface 'loopback'
        option ifname 'lo'
        option proto 'static'
        option ipaddr '127.0.0.1'
        option netmask '255.0.0.0'

config globals 'globals'
#       option ula_prefix 'fdc2:0405:e04e::/48'

config interface 'lan'
        option type 'bridge'
        option proto 'static'
        option ifname eth0
        option ipaddr '192.168.164.1'
        option netmask '255.255.255.0'
#       option ip6assign '64'
        option ipv6 '0'

config interface 'wan'
        option proto 'dhcp'
#       option proto 'static'
        option ifname wlan1
        option ipaddr '192.168.1.10'
        option gateway '192.168.1.1'
        option netmask '255.255.255.0'
        option dns '8.8.8.8 193.29.206.206'
        option ipv6 '0'

Our clients get IP addresses from the range 192.168.164.0/24, assigned by DHCP.

For Internet access we can define our own static configuration or use DHCP. This information comes from our provider.

DHCP server

Here we configure the assignment of IP addresses to our clients (lan):

config dnsmasq
        option domainneeded '1'
        option boguspriv '1'
        option filterwin2k '0'
        option localise_queries '1'
        option rebind_protection '1'
        option rebind_localhost '1'
        option local '/lan/'
        option domain 'lan'
        option expandhosts '1'
        option nonegcache '0'
        option authoritative '1'
        option readethers '1'
        option leasefile '/tmp/dhcp.leases'
        option resolvfile '/tmp/resolv.conf.auto'
        option localservice '1'
        option port 0
        option server '//8.8.8.8'

config dhcp 'lan'
        option interface 'lan'
        option start '100'
        option limit '150'
        option leasetime '12h'

config dhcp 'wan'
        option interface 'wan'
        option ignore '1'

config odhcpd 'odhcpd'
        option maindhcp '0'
        option leasefile '/tmp/hosts/odhcpd'
        option leasetrigger '/usr/sbin/odhcpd-update'

Wireless

This defines access to our box. The wifi-iface for radio0 provides client access (lan); the wifi-iface for radio1 provides access to the Internet (wan).

config wifi-device  radio0
        option type     mac80211
        option channel  8
        option hwmode   11g
        option path     'pci0000:00/0000:00:0d.0'
        option htmode
        option txpower '23'
        option country 'CZ'
#       option noscan '1'
        option disabled 0

config wifi-iface
        option device   radio0
        option network  lan
        option mode     ap
        option ssid     mynetwork
        option encryption 'psk2'
        option key 'p4s5w0rd'
        option macaddr '00:3d:b3:92:3b:da'

config wifi-device  radio1
        option type     mac80211
        option channel  auto
        option hwmode   11g
        option path     'pci0000:00/0000:00:11.0'
        option htmode
        option disabled 0

config wifi-iface
        option device   radio1
        option network  wan
        option mode     sta
        option encryption psk2
        option ssid hotel
        option key h8mcjsc
        option macaddr '00:4b:b3:93:f2:f4'

Firewall

Now we have to redirect the data flow through Tor, except SSH. We need SSH to configure the box for the first time and for later maintenance. But this exception can be a problem if we also want to use SSH from a client to configure other computers on the Internet; in that case, simply modify the appropriate rule.

iptables -F
iptables -t nat -F

iptables -t nat -A PREROUTING -i br-lan -p udp --dport 53 -j REDIRECT --to-ports 53
iptables -t nat -A PREROUTING -i br-lan -p tcp --syn \! --dport 22 -j REDIRECT --to-ports 9040

iptables -A OUTPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -A OUTPUT -o wlan1 -m owner --uid-owner 52 -j ACCEPT

iptables -A OUTPUT -o wlan1 -j ACCEPT

iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -A INPUT -i wlan1 -j DROP

Tor

This is the crucial configuration for the Tor service:

VirtualAddrNetworkIPv4 10.192.0.0/10
AutomapHostsOnResolve 1
AutomapHostsSuffixes .onion,.exit

TransPort 9040
TransListenAddress 0.0.0.0
DNSPort 53
DNSListenAddress 0.0.0.0

User tor

Log notice syslog
DataDirectory /var/run/tor

#HiddenServiceDir /etc/tor/hidden_service/ssh
#HiddenServicePort 8022 127.0.0.1:22

All parameters are described on the Tor project pages.
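As an added illustration (not part of the original article) of how the PREROUTING rules in the Firewall section and the Automap settings in torrc fit together, the following Python model classifies client packets the way the two REDIRECT rules do and imitates the .onion address mapping. The Packet class, the resolver and its sequential address assignment are constructed for this example; the port numbers, virtual network and suffixes are the ones from the article.

```python
import ipaddress
from dataclasses import dataclass
from typing import Optional

# Values taken from the article's iptables rules and torrc.
TRANS_PORT, DNS_PORT, SSH_PORT = 9040, 53, 22
VIRTUAL_NET = ipaddress.ip_network("10.192.0.0/10")   # VirtualAddrNetworkIPv4
AUTOMAP_SUFFIXES = (".onion", ".exit")               # AutomapHostsSuffixes


@dataclass
class Packet:
    in_iface: str
    proto: str                  # "tcp", "udp" or "icmp"
    dport: Optional[int] = None
    syn: bool = False           # first packet of a TCP connection


def prerouting(pkt: Packet) -> str:
    """Where the two nat PREROUTING rules send a packet arriving from clients.
    -i br-lan -p udp --dport 53          -> REDIRECT --to-ports 53   (Tor DNSPort)
    -i br-lan -p tcp --syn ! --dport 22  -> REDIRECT --to-ports 9040 (Tor TransPort)
    """
    if pkt.in_iface != "br-lan":
        return "untouched"
    if pkt.proto == "udp" and pkt.dport == DNS_PORT:
        return f"redirect:{DNS_PORT}"
    if pkt.proto == "tcp" and pkt.syn and pkt.dport != SSH_PORT:
        return f"redirect:{TRANS_PORT}"
    # SSH to the box, other UDP and ICMP are not sent into Tor at all.
    return "untouched"


class AutomapResolver:
    """Constructed stand-in for AutomapHostsOnResolve on the DNSPort side."""

    def __init__(self) -> None:
        self._by_name: dict = {}
        self._free = VIRTUAL_NET.hosts()   # real Tor picks at random; sequential here

    def resolve(self, name: str) -> Optional[ipaddress.IPv4Address]:
        if not name.endswith(AUTOMAP_SUFFIXES):
            return None   # ordinary name: resolved through the circuit, not modelled
        if name not in self._by_name:
            self._by_name[name] = next(self._free)
        return self._by_name[name]

    def lookup(self, addr: ipaddress.IPv4Address) -> Optional[str]:
        """TransPort side: map a virtual destination back to the automapped name."""
        return next((n for n, a in self._by_name.items() if a == addr), None)
```

A client's SYN to the placeholder address handed out by resolve() is itself redirected to 9040, where Tor uses lookup() to recover the name, so .onion services work without any special client configuration.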

At the end of the file is the configuration of a hidden service. If you want to use it (otherwise ignore it), uncomment these lines and create the appropriate directory:

root@anongw-my:/# mkdir -m 0700 -p /etc/tor/hidden_service/ssh
root@anongw-my:/# chown -R tor:tor /etc/tor/hidden_service/ssh

After a Tor restart, the file /etc/tor/hidden_service/ssh/hostname contains the hostname of the hidden service.

Last words

Now we have a Tor transparent proxy configured on our black box. But this isn't a VPN: our privacy can still be compromised on the other side of the Tor network.
