Serving TOR on an internal LAN

The purpose of this article is to set up a VLAN with DHCP that is presented to my AP and broadcast on an SSID called TOR. All client traffic on this VLAN is redirected through TOR, so that browsing the internet from there is safe. I have my AP connected to eth3 and I have chosen VLAN 90 for this purpose.

All these instructions are based on my setup from the edgerouter-security series.


We first create an interface for the TOR traffic and attach the PROTECT_IN firewall ruleset so clients on it cannot reach the other internal networks:

set interfaces ethernet eth3 vif 90 address
set interfaces ethernet eth3 vif 90 description WIFI_TOR
set interfaces ethernet eth3 vif 90 firewall in name PROTECT_IN

And of course we provide DHCP for our TOR-lan:

set service dhcp-server shared-network-name Tor-Subnet subnet default-router
set service dhcp-server shared-network-name Tor-Subnet subnet dns-server
set service dhcp-server shared-network-name Tor-Subnet subnet start stop

Now we put this script in “/config/scripts/post-config.d/iptables-tor” and make it executable with “chmod 755”:

#!/bin/bash
# Settings a user normally changes (the three lines below):
TOR_IF=eth3.90                      # the VLAN interface created above (eth3 vif 90)
TOR_LISTEN_IP=192.0.2.1             # PLACEHOLDER: the address you gave eth3.90 above
BLOCK_UDP=0                         # 1 = blackhole all non-DNS UDP coming from the TOR VLAN

# Defaults that normally need no change:
TORCONFDIR=/etc/tor
TORBIN=/usr/bin/tor                 # where the Debian tor package installs the binary
TOR_LISTEN_TCP_PORT=9999            # TransPort: redirected TCP connections land here
TOR_LISTEN_DNS_PORT=8888            # DNSPort: redirected DNS queries land here
TOR_VIRTUAL_NETWORK=10.192.0.0/10   # range Tor maps .onion names into (value from the Tor manual)
UDP_BLACK_HOLE_PORT=22222           # arbitrary port nothing listens on; UDP sent here is dropped

echo "Making sure config file $TORCONFDIR/torrc is ready for serving as a TOR gateway..."
mkdir -p $TORCONFDIR
echo VirtualAddrNetwork $TOR_VIRTUAL_NETWORK > $TORCONFDIR/torrc
echo AutomapHostsOnResolve 1 >> $TORCONFDIR/torrc
# Newer Tor releases dropped the *ListenAddress options; there you write "TransPort ip:port" and "DNSPort ip:port" instead.
echo TransPort $TOR_LISTEN_TCP_PORT >> $TORCONFDIR/torrc
echo TransListenAddress $TOR_LISTEN_IP >> $TORCONFDIR/torrc
echo DNSPort $TOR_LISTEN_DNS_PORT >> $TORCONFDIR/torrc   # without DNSPort Tor opens no DNS listener at all
echo DNSListenAddress $TOR_LISTEN_IP >> $TORCONFDIR/torrc

echo "Checking if TOR is installed..."
if [ -f $TORBIN ]; then
  echo "Nice, it is. Doing nothing."
else
  echo "TOR is not installed, installing it."
  apt-get update
  apt-get -y install tor
fi

echo "Checking if iptable rules are already there..."
# -C only tests whether the rule exists: exit status 0 means it is already present.
iptables -t nat -C PREROUTING -i $TOR_IF -p udp --dport 53 -j REDIRECT --to-ports $TOR_LISTEN_DNS_PORT 2>/dev/null
if (( $? )); then
  echo "Rules not there. Applying iptables rules."
  iptables -t nat -A PREROUTING -i $TOR_IF -p tcp --syn -j REDIRECT --to-ports $TOR_LISTEN_TCP_PORT
  iptables -t nat -A PREROUTING -i $TOR_IF -p udp --dport 53 -j REDIRECT --to-ports $TOR_LISTEN_DNS_PORT
  if (( $BLOCK_UDP )); then
    echo "We are going to blackhole all udp traffic because we are told to."
    # Appended after the DNS rule on purpose: iptables matches in order, so port 53 is still answered.
    iptables -t nat -A PREROUTING -i $TOR_IF -p udp -j REDIRECT --to-ports $UDP_BLACK_HOLE_PORT
  fi
else
  echo "Rules are there. Doing nothing."
fi

This script is loaded on boot and survives firmware upgrades. Normal users only need to change the three settings at the top to adapt it to their setup. The script does the following:

  1. Creates a config file in /etc/tor/torrc. This file tells the TOR service to act as a gateway: it routes all DNS queries coming in on port 8888 to the TOR network, and all TCP connections coming in on port 9999 to the TOR network.
  2. Checks if the TOR package is installed. If it is not, it is installed.
  3. Checks if the correct iptables rules are in place. If not, they are created. Two rules are created: the first sends all DNS queries coming in on the TOR LAN interface to the TOR gateway listener on port 8888, and the second sends all TCP traffic coming in on the TOR LAN interface to the TOR gateway listener on port 9999.
  4. If BLOCK_UDP is set to 1, a third iptables rule is created that blackholes all other UDP traffic coming in on the TOR LAN interface.

This script runs when the EdgeRouter boots, but if you don't want to reboot your EdgeRouter now, you can simply run the script manually.

Now it's time to join our new VLAN via the AP and do the final test to confirm that traffic is routed correctly:


The TOR gateway can only transport TCP. This means that UDP packets travel through your EdgeRouter outside TOR, which might expose vital information about you. One way to deal with this is to modify the firewall-in ruleset. The lazy way is to change "BLOCK_UDP=0" to "BLOCK_UDP=1".

This blackholes all UDP traffic except DNS, because the TOR listener does not listen on this arbitrary port (UDP_BLACK_HOLE_PORT).
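To see whether the rules the script installs, and the UDP blackhole just described, actually ended up in the nat table, here is an added audit script (not part of the original article). It reads `iptables-save -t nat` output from stdin and reports four outcomes: everything covered, the UDP leak described above, a missing redirect rule, or a catch-all UDP rule that sits before the DNS rule and would therefore blackhole DNS as well. The interface name eth3.90 and the ports 9999/8888 are assumptions taken from this article; the sample dumps at the bottom are constructed, not captured from a router.

```shell
#!/bin/sh
# Audit the nat PREROUTING chain of an EdgeRouter used as a Tor gateway.
# Run on the router:   sudo iptables-save -t nat | ./tor_nat_audit.sh eth3.90 9999 8888
# or without arguments to run it against the constructed samples below.

# audit_tor_nat IFACE TCP_PORT DNS_PORT   (iptables-save text on stdin)
# Prints one verdict line and returns:
#   0 OK            TCP and DNS redirected, remaining UDP blackholed
#   1 UDP-LEAK      TCP and DNS redirected, other UDP still leaves outside Tor
#   2 MISSING       a required redirect rule is absent (clients are not torified)
#   3 DNS-SHADOWED  catch-all UDP rule precedes the DNS rule, so DNS is blackholed too
audit_tor_nat() {
    iface=$1; tcp_port=$2; dns_port=$3
    # Keep only PREROUTING rules for our interface, numbered by chain position.
    rules=$(grep -n -- '^-A PREROUTING ' | grep -F -- " -i $iface " || true)
    # iptables-save writes "--syn" as "--tcp-flags FIN,SYN,RST,ACK SYN".
    tcp_pos=$(printf '%s\n' "$rules" | grep -E -- "-p tcp .*--tcp-flags FIN,SYN,RST,ACK SYN .*-j REDIRECT --to-ports $tcp_port"'$' | head -n 1 | cut -d: -f1)
    dns_pos=$(printf '%s\n' "$rules" | grep -E -- "-p udp .*--dport 53 .*-j REDIRECT --to-ports $dns_port"'$' | head -n 1 | cut -d: -f1)
    # The blackhole rule has no port match at all: "-p udp -j REDIRECT --to-ports N".
    udp_pos=$(printf '%s\n' "$rules" | grep -E -- '-p udp -j REDIRECT --to-ports [0-9]+$' | head -n 1 | cut -d: -f1)

    if [ -z "$tcp_pos" ] || [ -z "$dns_pos" ]; then
        echo "MISSING: need TCP --syn redirect to $tcp_port and udp/53 redirect to $dns_port on $iface"
        return 2
    fi
    if [ -z "$udp_pos" ]; then
        echo "UDP-LEAK: non-DNS UDP from $iface leaves the router outside Tor (set BLOCK_UDP=1)"
        return 1
    fi
    if [ "$udp_pos" -lt "$dns_pos" ]; then
        echo "DNS-SHADOWED: catch-all UDP rule at position $udp_pos precedes the DNS rule at $dns_pos"
        return 3
    fi
    echo "OK: TCP, DNS and remaining UDP from $iface all handled"
    return 0
}

# Constructed sample dumps in iptables-save format (not from a real router).
SAMPLE_FULL='*nat
:PREROUTING ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
-A PREROUTING -i eth3.90 -p tcp -m tcp --tcp-flags FIN,SYN,RST,ACK SYN -j REDIRECT --to-ports 9999
-A PREROUTING -i eth3.90 -p udp -m udp --dport 53 -j REDIRECT --to-ports 8888
-A PREROUTING -i eth3.90 -p udp -j REDIRECT --to-ports 22222
-A POSTROUTING -o eth0 -j MASQUERADE
COMMIT'
SAMPLE_LEAK='*nat
-A PREROUTING -i eth3.90 -p tcp -m tcp --tcp-flags FIN,SYN,RST,ACK SYN -j REDIRECT --to-ports 9999
-A PREROUTING -i eth3.90 -p udp -m udp --dport 53 -j REDIRECT --to-ports 8888
-A POSTROUTING -o eth0 -j MASQUERADE
COMMIT'
SAMPLE_SHADOW='*nat
-A PREROUTING -i eth3.90 -p udp -j REDIRECT --to-ports 22222
-A PREROUTING -i eth3.90 -p tcp -m tcp --tcp-flags FIN,SYN,RST,ACK SYN -j REDIRECT --to-ports 9999
-A PREROUTING -i eth3.90 -p udp -m udp --dport 53 -j REDIRECT --to-ports 8888
COMMIT'
SAMPLE_NONE='*nat
-A POSTROUTING -o eth0 -j MASQUERADE
COMMIT'

if [ $# -ge 3 ]; then
    audit_tor_nat "$@"
else
    for dump in "$SAMPLE_FULL" "$SAMPLE_LEAK" "$SAMPLE_SHADOW" "$SAMPLE_NONE"; do
        printf '%s\n' "$dump" | audit_tor_nat eth3.90 9999 8888 || true
    done
fi
```

The ordering check matters because the post-config script appends the blackhole rule after the DNS rule; if someone later re-adds rules by hand in the other order, DNS from the TOR VLAN silently stops working while the check in the script (which only looks for the DNS rule) still reports "Rules are there".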


These instructions were based on this article:

3 thoughts to “Serving TOR on an internal LAN”

  1. Hi.
    It was a very interesting article.
    Is there a log to look in to see that everything works?

    Friendly greetings

    1. Hi Johan,

      The best thing to do is to check that the iptables rules are correct. You do that with this command:
      iptables -t nat -L PREROUTING -v

      You can also try restarting tor, to see if it has any errors:
      service tor restart

      Maybe look in the tor log:
      tail /var/log/tor/log

      Best regards,

  2. Wow, great article! Could you also cover the use of unbound for DNS over TLS on the EdgeRouter?
    The EdgeRouter still uses dnsmasq, which does not support DNS encryption yet, and in this day and age that is a missing security feature!
