Serving TOR on an internal LAN

The purpose of this article is to set up a VLAN with DHCP that is presented to my AP and broadcast on an SSID called TOR. The VLAN will serve DHCP. All client traffic on this VLAN will be redirected through TOR, making it safe to surf the internet from there. I have my AP connected to eth3 and I have chosen to use VLAN 90 for this purpose.

All these instructions are based on my setup in the edgerouter-security series.

How?

We first create an interface for the TOR traffic and protect it from reaching other internal networks:

set interfaces ethernet eth3 vif 90 address 192.168.90.1/24
set interfaces ethernet eth3 vif 90 description WIFI_TOR
set interfaces ethernet eth3 vif 90 firewall in name PROTECT_IN

And of course we provide DHCP for our TOR-lan:

set service dhcp-server shared-network-name Tor-Subnet subnet 192.168.90.1/24 default-router 192.168.90.1
set service dhcp-server shared-network-name Tor-Subnet subnet 192.168.90.1/24 dns-server 192.168.90.1
set service dhcp-server shared-network-name Tor-Subnet subnet 192.168.90.1/24 start 192.168.90.10 stop 192.168.90.100

Now we put this script in “/config/scripts/post-config.d/iptables-tor” and make it executable with “chmod 755”:

#!/bin/bash
# Post-config hook: lives in /config/scripts/post-config.d/ so EdgeOS runs it
# on every boot. Only the first three settings need to be changed.
TOR_LISTEN_IP=192.168.90.1   # router address on the TOR VLAN
TOR_IF=eth3.90               # VLAN interface behind the TOR SSID
BLOCK_UDP=0                  # 1 = blackhole all non-DNS UDP from the TOR VLAN

TOR_LISTEN_DNS_PORT=8888
TOR_LISTEN_TCP_PORT=9999
TOR_VIRTUAL_NETWORK=10.192.0.0/10
TORBIN=/usr/bin/tor
TORCONFDIR=/etc/tor
UDP_BLACK_HOLE_PORT=7777     # nothing listens here, so UDP redirected to it is dropped

# torrc is rewritten on every boot, so the gateway config survives firmware upgrades.
echo "Making sure config file $TORCONFDIR/torrc is ready for serving as a TOR gateway..."
mkdir -p "$TORCONFDIR"
echo "VirtualAddrNetwork $TOR_VIRTUAL_NETWORK" > "$TORCONFDIR/torrc"
echo "AutomapHostsOnResolve 1" >> "$TORCONFDIR/torrc"
echo "TransPort $TOR_LISTEN_TCP_PORT" >> "$TORCONFDIR/torrc"
echo "TransListenAddress $TOR_LISTEN_IP" >> "$TORCONFDIR/torrc"
echo "DNSPort $TOR_LISTEN_DNS_PORT" >> "$TORCONFDIR/torrc"
echo "DNSListenAddress $TOR_LISTEN_IP" >> "$TORCONFDIR/torrc"
# Note: newer Tor releases removed the *ListenAddress options; there the
# equivalent is "TransPort $TOR_LISTEN_IP:$TOR_LISTEN_TCP_PORT" and
# "DNSPort $TOR_LISTEN_IP:$TOR_LISTEN_DNS_PORT".

echo "Checking if TOR is installed..."
if [ -f "$TORBIN" ]; then
  echo "Nice, it is. Doing nothing."
else
  echo "TOR is not installed, installing it."
  apt-get update
  apt-get -y install tor
fi

# -C only tests whether the rule exists (exit 0 = present), so a reboot or a
# manual re-run never appends duplicate rules.
echo "Checking if iptable rules are already there..."
if ! iptables -t nat -C PREROUTING -i "$TOR_IF" -p udp --dport 53 -j REDIRECT --to-ports "$TOR_LISTEN_DNS_PORT" 2>/dev/null; then
  echo "Rules not there. Applying iptables rules."
  # Every new TCP connection (SYN) from the TOR VLAN goes to Tor's TransPort.
  iptables -t nat -A PREROUTING -i "$TOR_IF" -p tcp --syn -j REDIRECT --to-ports "$TOR_LISTEN_TCP_PORT"
  # DNS from the TOR VLAN is answered by Tor's DNSPort, never by the clearnet resolver.
  iptables -t nat -A PREROUTING -i "$TOR_IF" -p udp --dport 53 -j REDIRECT --to-ports "$TOR_LISTEN_DNS_PORT"
  if (( BLOCK_UDP )); then
    echo "We are going to blackhole all udp traffic because we are told to."
    # Appended after the DNS rule, so port 53 still reaches Tor; all other UDP lands on a closed port.
    iptables -t nat -A PREROUTING -i "$TOR_IF" -p udp -j REDIRECT --to-ports "$UDP_BLACK_HOLE_PORT"
  fi
else
  echo "Rules are there. Doing nothing."
fi

This script will be loaded on boot and it will survive firmware upgrades. Normal users only need to change the first three settings (TOR_LISTEN_IP, TOR_IF and BLOCK_UDP) to customize it to their needs. The script does the following:

  1. Creates a config file in /etc/tor/torrc. This file tells the TOR service to act as a gateway. It will tell TOR to route all DNS traffic coming in on port 8888 to the TOR network. It will also tell TOR to route all TCP connections coming in on port 9999 to the TOR network.
  2. Checks if the TOR package is installed. If it’s not, then it will be installed.
  3. Checks if the correct iptables rules are in place. If not, they will be created. Two rules will be created. The first makes sure that all DNS queries coming in on the TOR-lan-interface will be sent to the TOR gateway listener on port 8888. The second sends all TCP traffic coming in on the TOR-lan-interface to the TOR gateway listener on port 9999.
  4. If BLOCK_UDP is set to 1, an iptables rule will be created that blackholes all UDP traffic coming in on the TOR-lan-interface by redirecting it to UDP_BLACK_HOLE_PORT, where nothing listens.

This script runs when the EdgeRouter boots, but if you don’t want to reboot your EdgeRouter now, you can just run the script manually.

Now it’s time to join our new VLAN via the AP and do the final test to confirm that traffic is routed correctly: https://check.torproject.org

Extra

The TOR gateway is only able to transport TCP. This means that UDP packets will travel through your EdgeRouter outside of TOR and might thereby expose vital information about you. One way to deal with this is to modify the firewall-in ruleset. The lazy way is to change “BLOCK_UDP=0” to “BLOCK_UDP=1”.

This will blackhole all other UDP traffic (DNS on port 53 is already caught by the earlier rule), because the TOR listener doesn’t listen on this arbitrary port (UDP_BLACK_HOLE_PORT).
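As an added example (not part of the original post), here is a small audit function that reads the output of “iptables -t nat -S PREROUTING”, confirms the two redirect rules from step 3 are present, and flags the UDP leak described above. The variable names and ports mirror the script; the two rule listings embedded in it are constructed samples.

```shell
#!/bin/sh
# Audit helper for the TOR VLAN nat rules (added example, not the original script).
TOR_IF=eth3.90
TOR_LISTEN_DNS_PORT=8888
TOR_LISTEN_TCP_PORT=9999
UDP_BLACK_HOLE_PORT=7777

# Constructed sample of `iptables -t nat -S PREROUTING` after a run with BLOCK_UDP=0.
RULES_LEAKY='-P PREROUTING ACCEPT
-A PREROUTING -i eth3.90 -p tcp -m tcp --tcp-flags FIN,SYN,RST,ACK SYN -j REDIRECT --to-ports 9999
-A PREROUTING -i eth3.90 -p udp -m udp --dport 53 -j REDIRECT --to-ports 8888'

# Same listing after re-running the script with BLOCK_UDP=1 (constructed).
RULES_BLOCKED="$RULES_LEAKY
-A PREROUTING -i eth3.90 -p udp -j REDIRECT --to-ports 7777"

# has_rule LISTING REGEX: succeeds if one rule line matches REGEX
has_rule() { printf '%s\n' "$1" | grep -Eq -- "$2"; }

# audit_tor_nat LISTING: prints one line per check and returns the number of
# failed checks, i.e. the number of ways traffic from $TOR_IF bypasses Tor.
# On the router itself: audit_tor_nat "$(iptables -t nat -S PREROUTING)"
audit_tor_nat() {
  findings=0
  if has_rule "$1" "^-A PREROUTING -i $TOR_IF -p tcp .*SYN -j REDIRECT --to-ports $TOR_LISTEN_TCP_PORT\$"; then
    echo "ok:   new TCP connections on $TOR_IF go to TransPort $TOR_LISTEN_TCP_PORT"
  else
    echo "FAIL: no TCP redirect on $TOR_IF; TCP leaves the router directly"
    findings=$((findings + 1))
  fi
  if has_rule "$1" "^-A PREROUTING -i $TOR_IF -p udp -m udp --dport 53 -j REDIRECT --to-ports $TOR_LISTEN_DNS_PORT\$"; then
    echo "ok:   DNS on $TOR_IF goes to DNSPort $TOR_LISTEN_DNS_PORT"
  else
    echo "FAIL: no DNS redirect on $TOR_IF; resolver queries leak to the clearnet"
    findings=$((findings + 1))
  fi
  if has_rule "$1" "^-A PREROUTING -i $TOR_IF -p udp -j REDIRECT --to-ports $UDP_BLACK_HOLE_PORT\$"; then
    echo "ok:   other UDP on $TOR_IF is blackholed on port $UDP_BLACK_HOLE_PORT"
  else
    echo "WARN: non-DNS UDP on $TOR_IF is not redirected; Tor carries TCP only, so it leaves outside Tor"
    findings=$((findings + 1))
  fi
  return $findings
}

audit_tor_nat "$RULES_LEAKY"; echo "findings: $?"
```

The exit status of audit_tor_nat is the number of findings, so it can be used directly in a cron job or a post-upgrade check.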


These instructions were based on this article: https://www.caseyc.net/home/2014/06/08/tor-wireless-network/

2 thoughts on “Serving TOR on an internal LAN”

    1. Hi Johan,

      The best thing to do is to check if the iptable is correct. You do it with this command:
      iptables -t nat -L PREROUTING -v

      You can also try restarting tor, to see if it has any errors:
      service tor restart

      Maybe look in the tor log:
      tail /var/log/tor/log

      Best regards,
      Alex
