Tor proxy on OpenWRT

The best way to use the Tor network is to browse with the official Tor Browser. However, if you have a specific need to connect to Tor without the official browser, you can set up a SOCKS5 or HTTP proxy.

Introduction

No, I am not going to tell you what Tor is. That is not why you came to my blog. I could not care less about what you want to do on Tor. However, I know that the common purpose is clear: you want to use Tor for anonymity. This is especially so after the US Congress, at the end of March 2017, gave ISPs the green light to sell users’ web browsing history.

Why you should be using Tor Browser

Before you proceed, I need to convince you that you really should be using the official Tor Browser to access the Tor network rather than a proxy with a regular web browser. Hiding your actual IP address does little for privacy if your browser is leaking its fingerprint. The main purpose of using Tor Browser is to look like every other user so that you cannot be uniquely identified. If you have read that and still insist on using a proxy, read on.

How to set up Tor proxy on OpenWRT

Ensure clock on OpenWRT is in sync

Verify that the system clock on your OpenWRT device is synchronised.

Install OpenWRT packages

SSH into your OpenWRT and execute the following to install necessary packages:

opkg update
opkg install tor

Edit /etc/tor/torrc and add the following line:

User tor

Enable SOCKS5 proxy over Tor

Edit /etc/tor/torrc:

Uncomment this line if you want to allow incoming connections only from within the router:

SOCKSPort 9050 # Default: Bind to localhost:9050 for local connections.

Uncomment this line as well if you want to allow incoming connections from the LAN. Change the binding address to your router’s LAN IP:

SOCKSPort 192.168.0.1:9100 # Bind to this address:port too.

Set up accept/reject rules. For example, if your router IP is 192.168.0.1, set the accept rule to 192.168.0.0/24:

SOCKSPolicy accept 127.0.0.1/32
SOCKSPolicy accept 192.168.0.0/24
SOCKSPolicy reject *

End of edits.

To test this, we need to restart Tor and use curl to verify that we really are connected to Tor:

/etc/init.d/tor restart
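# Wait a few seconds for Tor to establish a circuit.
# --socks5-hostname hands the hostname to Tor for resolution; plain --socks5 resolves it locally, outside Tor.
curl --socks5-hostname 127.0.0.1:9050 -s https://check.torproject.org/ | grep -m 1 Congratulations | xargs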

The output should be:

Congratulations. This browser is configured to use Tor.

Note: If you are testing against some other SSL websites, PolarSSL issues may show up. The SOCKS5 proxy works fine, but you need to connect from another machine with newer SSL libraries instead.
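
The SOCKSPort and SOCKSPolicy settings above can be checked with a short script before restarting Tor. This is an added example, not part of the original post: the helper names audit_torrc and sample_torrc and the sample configuration are constructed for illustration, and the check relies on Tor accepting any address that no SOCKSPolicy entry matches.

```shell
#!/bin/sh
# Added example (not from the original post): audit SOCKS exposure in a torrc.
# audit_torrc is a hypothetical helper; it reads a torrc on stdin, prints one
# line per finding and returns 0 when clean, 1 otherwise.
audit_torrc() {
    awk '
    { sub(/#.*/, "") }          # drop comments, so commented-out options are ignored
    NF == 0 { next }
    tolower($1) == "socksport" {
        addr = $2
        if (addr ~ /^(0\.0\.0\.0|\[::\]):/) {
            print "FAIL: SOCKSPort " addr " listens on every interface"; bad = 1
        }
        # A bare port binds to localhost; unix: sockets are not network listeners.
        if (addr ~ /:/ && addr !~ /^(127\.|localhost:|\[::1\]:|unix:)/) exposed = 1
    }
    tolower($1) == "sockspolicy" {
        rules = $0; sub(/^[ \t]*[^ \t]+[ \t]+/, "", rules)
        n = split(rules, r, ",")            # entries may also be comma-separated
        for (i = 1; i <= n; i++) {
            split(r[i], f, " ")
            # The first matching entry wins, so only the first catch-all counts.
            if (f[2] ~ /^\*(:\*)?$/ && verdict == "") verdict = tolower(f[1])
        }
    }
    END {
        # Tor accepts any address that no SOCKSPolicy entry matches.
        if (exposed && verdict != "reject") {
            print "FAIL: non-loopback SOCKSPort without a catch-all SOCKSPolicy reject *"; bad = 1
        }
        exit bad + 0
    }'
}

# Constructed sample: the configuration built in the steps above.
sample_torrc() {
    cat <<'EOF'
User tor
SOCKSPort 9050 # Default: Bind to localhost:9050 for local connections.
SOCKSPort 192.168.0.1:9100 # Bind to this address:port too.
SOCKSPolicy accept 127.0.0.1/32
SOCKSPolicy accept 192.168.0.0/24
SOCKSPolicy reject *
EOF
}

if sample_torrc | audit_torrc; then
    echo "OK: SOCKS listeners and policy match the intended exposure"
fi
```

On the router, the same function can be run as audit_torrc < /etc/tor/torrc.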

Enable DNS proxy over Tor

Edit /etc/tor/torrc. Add the following line:

DNSPort 9053

To test this, we need to restart Tor and use nslookup/dig to verify:

/etc/init.d/tor restart
# Wait a few seconds for Tor to establish a circuit.
nslookup welcome.opendns.com localhost:9053

The output should be:

Server:    127.0.0.1
Address 1: 127.0.0.1 localhost

Name:      welcome.opendns.com
Address 1: 67.215.92.219

Enable HTTP proxy over Tor

Polipo is a small and fast HTTP proxy, which makes it ideal for routers. It is capable of proxying via SOCKS5.

opkg install polipo

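Edit /etc/config/polipo. Add the following lines into config 'polipo' 'general'. Be sure to change the LAN subnet to the correct one. Because proxyAddress '0.0.0.0' makes Polipo listen on every interface, the allowedClients entries are what limit access to the router itself and the LAN: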

list 'allowedClients' '127.0.0.1'
list 'allowedClients' '192.168.0.0/24'
option 'socksParentProxy' 'localhost:9050'
option 'socksProxyType' 'socks5'
option 'proxyAddress' '0.0.0.0'

To test this, we need to restart Polipo and use curl to verify:

/etc/init.d/polipo restart
curl --proxy 127.0.0.1:8123 -s https://check.torproject.org/ | grep -m 1 Congratulations | xargs

The output should of course be:

Congratulations. This browser is configured to use Tor.