The purpose of this article is to set up a VLAN with DHCP that is presented to my AP and broadcasted on a SSID called TOR. The VLAN will serve DHCP. All the clients traffic on this VLAN will be redirected through TOR and making it safe to surf the internet from there. I have my AP connected to eth3 and I have chosen to use VLAN 90 for this purpose.
All these instructions are based on my setup in edgerouter-security series.
How?
We first create an interface for the TOR traffic and protect it from reaching other internal networks:
set interfaces ethernet eth3 vif 90 address 192.168.90.1/24 set interfaces ethernet eth3 vif 90 description WIFI_TOR set interfaces ethernet eth3 vif 90 firewall in name PROTECT_IN
And of course we provide DHCP for our TOR-lan:
set service dhcp-server shared-network-name Tor-Subnet subnet 192.168.90.1/24 default-router 192.168.90.1 set service dhcp-server shared-network-name Tor-Subnet subnet 192.168.90.1/24 dns-server 192.168.90.1 set service dhcp-server shared-network-name Tor-Subnet subnet 192.168.90.1/24 start 192.168.90.10 stop 192.168.90.100
Now we put this script in “/config/scripts/post-config.d/iptables-tor” and make it executable with “chmod 755”:
#!/bin/bash TOR_LISTEN_IP=192.168.90.1 TOR_IF=eth3.90 BLOCK_UDP=0 TOR_LISTEN_DNS_PORT=8888 TOR_LISTEN_TCP_PORT=9999 TOR_VIRTUAL_NETWORK=10.192.0.0/10 TORBIN=/usr/bin/tor TORCONFDIR=/etc/tor UDP_BLACK_HOLE_PORT=7777 echo "Making sure config file $TORCONFDIR/torrc is ready for serving as a TOR gateway..." mkdir -p $TORCONFDIR echo VirtualAddrNetwork $TOR_VIRTUAL_NETWORK > $TORCONFDIR/torrc echo AutomapHostsOnResolve 1 >> $TORCONFDIR/torrc echo TransPort $TOR_LISTEN_TCP_PORT >> $TORCONFDIR/torrc echo TransListenAddress $TOR_LISTEN_IP >> $TORCONFDIR/torrc echo DNSPort $TOR_LISTEN_DNS_PORT >> $TORCONFDIR/torrc echo DNSListenAddress $TOR_LISTEN_IP >> $TORCONFDIR/torrc echo "Checking if TOR is installed..." if [ -f $TORBIN ]; then echo "Nice, it is. Doing nothing." else echo "TOR is not installed, installing it." apt-get update apt-get -y install tor fi echo "Checking if iptable rules are already there..." iptables -t nat -C PREROUTING -i $TOR_IF -p udp --dport 53 -j REDIRECT --to-ports $TOR_LISTEN_DNS_PORT 2>/dev/null if (( $? )); then echo "Rules not there. Applying iptables rules." iptables -t nat -A PREROUTING -i $TOR_IF -p tcp --syn -j REDIRECT --to-ports $TOR_LISTEN_TCP_PORT iptables -t nat -A PREROUTING -i $TOR_IF -p udp --dport 53 -j REDIRECT --to-ports $TOR_LISTEN_DNS_PORT if (( $BLOCK_UDP )); then echo "Were are going to blackhole all udp traffic because we are told to." iptables -t nat -A PREROUTING -i $TOR_IF -p udp -j REDIRECT --to-ports $UDP_BLACK_HOLE_PORT fi else echo "Rules are there. Doing nothing." fi
This script will be loaded on boot and it will survive firmware upgrades. Normal users only need to change the first 3 lines to customize it to their needs. The script does the following:
- Creates a config file in /etc/tor/torrc. This file tells the TOR service to act as a gateway. It will tell TOR to route all DNS traffic comming in on port 8888 to the TOR network. It will also tell TOR to route all TCP queries coming in port 9999 to the TOR network
- Checks if the TOR package is installed. If it’s not, then it will be installed
- Checks if the correct iptables rules are in place. If not they will be created. Two rules will be created. The first makes sure that all DNS queries coming in on the TOR-lan-interface will be sent to the TOR gateway listener on port 8888. The second sends all TCP traffic coming in on the TOR-lan-interface to the TOR gateway listener on port 9999.
- If UDP_BLACK_HOLE_PORT is set to 1, an iptable rule will be created that blackholes all UDP traffic coming in on the TOR-lan-interface.
This script runs when the Edgerouter boots, but if you don’t want to reboot your edgerouter now, you can just run the script manually.
Now its time to join our new VLAN via the AP – and do the final test if traffic is routed correctly: https://check.torproject.org
Extra
The TOR gateway is only able to transport TCP. This means that UDP packets will travel through your Edgerouter and thereby it might expose vital information about you. One way to deal with this is modifying the firewall-in ruleset. The lazy way is to change “BLOCK_UDP=0” to “BLOCK_UDP=1”
This will blackhole all udp-traffic, because the TOR listener doesn’t listen on this arbitrary port (UDP_BLACK_HOLE_PORT).
Hi.
It was a very interesting article.
Is there a log to look in to see that everything works.
friendly hälsninga
Johan
Hi Johan,
The best thing to do is to check if the iptable is correct. You do it with this command:
iptables -t nat -L PREROUTING -v
You can also try restarting tor, to see if it has any errors:
service tor restart
Maybe look in the tor log:
tail /var/log/tor/log
Best regards,
Alex
WoW great article ! Could you also cover the use of unbound for dns overs tls for the EdgeRouter ?
The EdgeRouter still use dnsmasq that do not support dns encryption yet and in these days and ages it’s a lack of security feature !
Thanks