Anonymous transparent proxy through Tor on OpenWRT/LEDE

In some public places we want to connect to the Internet without someone watching us. It can be local provider, hotel personnel or something else. With Tor, we can build small machine acting as transparent proxy for simple services as browsing, emails, chatting. In my case, I will use WRAP board with two WiFi cards and OpenWRT/LEDE operating system inside.

There is only one prerequisite: connection hidden to the „first mile of internet“. No dark web, no hacking, … Only privacy.

Limitations: no UDP, limited access to some services. If you don’t know, how Tor works, please study.

About WRAP board, OpenWRT/LEDE and also Tor project you can read at my pages:
Building OpenWRT
OpenWRT at Mikrotik Routerboard 512
Rescue of the PC Engines WRAP 2C
PC Engines WRAP 2 memory upgrade
Hidden Services for Tor

Technical details


  • PC Engines WRAP board with two WiFi cards, one 100 Mbps Ethernet RJ-45 connector and one serial port (RS-232).
  • Two compatible WiFi cards (mini PCI) – Atheros.

You can also use any other piece of hardware, which has similar properties.


  • Operating system: OpenWRT/LEDE (or any other GNU/Linux) with iptables, odhcpd, dropbear, hostapd, wpa_supplicant, udhcpc, dnsmasq.
  • Tor project service.

Final configuration

Black box with WiFi connection to the internet (WAN) over second WiFi card (wlan1). First WiFi card (wlan0) and Ethernet port (eth0) are bridged as br-lan and are used for client access. So it’s possible also to connect a local computer through the Ethernet port.

How it works

Simply, data packets from clients are redirected to Tor, encapsulated, encrypted and transferred over network.


First use on the site:

  1. System boots;
  2. auto start wlan0 and eth0;
  3. auto start DHCP server on br-lan interface (bridge – eth0 and wlan0); now it is possible to connect via WiFi or Ethernet, but there is no internet access;
  4. the client use ssh client to access the box as root;
  5. client configure internet access through wlan1 and reboot the box;
  6. done.

Now, we can use our black box for private surfing.



At first, please set password for root account.

It’s necessary to configure system parameters. The Tor service needs precise time, so, the first thing is – configuration of NTP servers:


Network parameters specifies mainly network type and IP address:

Our clients will have IP addresses from range – delivered by DHCP.

For internet access we can define own static configuration or dynamic over DHCP. This information we have from our provider.

DHCP server

Here we configure assigning of IP addresses to our clients (lan):


Defines access to our box. The wifi-iface for radio0 defines client access (lan), wifi-iface for radio1 defines access to the internet (wan).


Now, we have to redirect data flow through Tor, except SSH. We need SSH for configuring of our box for the first time and later maintenance. But the SSH can be a problem, if we want use it for configuring another computers in the internet. In this case, you can simply modify the appropriate configuration.


This is crucial configuration for Tor service:

All parameters you can found on Tor project pages.

At the end of the file is configuration of hidden service. If you can use it (if not, please ignore), uncomment these lines and create appropriate directories:

After Tor restart, we can found file /etc/tor/hidden_service/ssh/hostname with hostname of the hidden service.

Last words

Now, we have configured Tor transparent proxy on our back box. But this isn’t VPN, our privacy can be compromised on the other side of Tor network.

Leave a Reply