[tor-dev] How to build a Router that will only allow Tor users

Rusty Bird rustybird at openmailbox.org
Tue Mar 15 18:07:50 UTC 2016


Hi Martin,

> I try to configure OpenWRT in a way that it will only allow outgoing
> connections if it is Tor. Basically it is the opposite of "blacklisting
> exit relays on servers": "whitelisting (guard) relays for clients". It
> should *not* run Tor itself.

Maybe corridor would work for you: https://github.com/rustybird/corridor

You could point it at a Tor control port somewhere in your network if
running tor on OpenWRT (just to fetch the networkstatus consensus
documents every 1-2 hours) is impossible.

> What did *not* work, was starting Torbrowser. That's a hard requirement,
> and before bebugging it through I ask: Do I miss something when I just
> allow outgoing connections to
> 
>  * Guard,
>  * Authority,

But the authority IP addresses hardcoded in the Tor client source code
differ from the authority IP addresses published in the networkstatus
consensus...

https://github.com/rustybird/corridor/commit/a56d751df399ab1c54f64b0d4dc59f732dc0adc3

>  * and HSDir flagged relays (do I *need* them? that's a different
> question probably)

AFAICT, regular clients only make connections to authorities and guards.

Rusty

-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 931 bytes
Desc: OpenPGP digital signature
URL: <http://lists.torproject.org/pipermail/tor-dev/attachments/20160315/c1204b90/attachment-0001.sig>


More information about the tor-dev mailing list