[tor-talk] tor setup on wt3020h with openwrt problem

Oğuz Yarımtepe oguzyarimtepe at gmail.com
Sun Dec 28 20:13:39 UTC 2014


Hi,

I installed OpenWrt on a WT3020H router and plugged its LAN port into my wireless
modem. I assumed that after installing Tor and setting up the config files I
would be able to surf through Tor, but not even DNS resolution works when I
connect to the OpenWrt SSID.
What am I doing wrong?

Below are the config files:

http://pastebin.com/b6dMDJyt

Or can read here:

==> config/dhcp <==

# dnsmasq is the DNS forwarder and DHCP server for every interface, including
# the Tor-client network 'transtor' (section at the bottom).  Upstream lookups
# go to the resolvers listed in resolvfile, i.e. the ones handed out on WAN.
# NOTE(review): nothing in the firewall config shown redirects UDP/53 from
# 'transtor' to Tor's DNSPort (9053), so any client lookup that does reach
# dnsmasq would be resolved over the WAN in the clear rather than through Tor.
# rebind_protection is on, which is the right setting for a Tor client network.
config dnsmasq
    option domainneeded '1'
    option boguspriv '1'
    option filterwin2k '0'
    option localise_queries '1'
    option rebind_protection '1'
    option rebind_localhost '1'
    option local '/lan/'
    option domain 'lan'
    option expandhosts '1'
    option nonegcache '0'
    option authoritative '1'
    option readethers '1'
    option leasefile '/tmp/dhcp.leases'
    option resolvfile '/tmp/resolv.conf.auto'

config dhcp 'lan'
    option interface 'lan'
    option start '100'
    option limit '150'
    option leasetime '12h'
    option dhcpv6 'server'
    option ra 'server'

config dhcp 'wan'
    option interface 'wan'
    option ignore '1'

config odhcpd 'odhcpd'
    option maindhcp '0'
    option leasefile '/tmp/hosts/odhcpd'
    option leasetrigger '/usr/sbin/odhcpd-update'

# added manually
# DHCP pool for the Tor-client WLAN (192.168.2.100-249, see config/network).
# Clients are handed the router (192.168.2.1) as resolver, so DNS for this
# network only goes through Tor if port 53 is redirected to 9053 elsewhere.
config dhcp 'transtor'
    option start '100'
    option leasetime '12h'
    option limit '150'
    option interface 'transtor'

==> config/dropbear <==

# NOTE(review): there are two 'config dropbear' sections and both use Port 22;
# only one can bind the port, the other is redundant -- keep a single section.
# Root login with a password is enabled (RootPasswordAuth 'on') and no
# 'option Interface' limits where dropbear listens, so SSH appears to be
# offered on every interface, including the open 'OnionWRT' WLAN (see
# config/wireless) whose traffic hits the firewall defaults 'input ACCEPT'
# because the transtor zone is not bound to a network.  Recommended:
# key-based auth only (PasswordAuth 'off', RootPasswordAuth 'off') and
# 'option Interface lan' so the service is reachable from the wired LAN only.
config dropbear
    option PasswordAuth 'on'
    option Port '22'

config dropbear
    option Port '22'
    option PasswordAuth 'on'
    option RootPasswordAuth 'on'
    option GatewayPorts 'off'


==> config/firewall <==
# Default policies.  NOTE(review): these apply to traffic on interfaces that
# are not a member of any zone.  The 'transtor' zone defined further down has
# no 'list network' entry, so as configured wlan0 is such an interface: its
# clients get 'input ACCEPT' (router services such as SSH, LuCI, dnsmasq are
# all reachable from the open WLAN) and 'forward REJECT' (no Tor-bypassing
# path to WAN, which is the one thing that happens to be right).
config defaults
    option syn_flood    1
    option input        ACCEPT
    option output        ACCEPT
    option forward        REJECT
# Uncomment this line to disable ipv6 rules
#    option disable_ipv6    1

# Wired LAN: trusted, full access to the router and forwarded to WAN below.
config zone
    option name        lan
    list   network        'lan'
    option input        ACCEPT
    option output        ACCEPT
    option forward        ACCEPT

# Upstream side (the wireless modem).  Inbound is rejected except for the
# explicit rules below; note the unnamed wan -> tcp/443 ACCEPT further down.
config zone
    option name        wan
    list   network        'wan'
    list   network        'wan6'
    option input        REJECT
    option output        ACCEPT
    option forward        REJECT
    option masq        1
    option mtu_fix        1

# Only the wired LAN is forwarded to WAN directly (clearnet).  There is
# intentionally no transtor -> wan forwarding; transtor traffic must be
# redirected into Tor on the router itself.
config forwarding
    option src        lan
    option dest        wan

# We need to accept udp packets on port 68,
# see https://dev.openwrt.org/ticket/4108
config rule
    option name        Allow-DHCP-Renew
    option src        wan
    option proto        udp
    option dest_port    68
    option target        ACCEPT
    option family        ipv4

# Allow IPv4 ping
config rule
    option name        Allow-Ping
    option src        wan
    option proto        icmp
    option icmp_type    echo-request
    option family        ipv4
    option target        ACCEPT

# Allow DHCPv6 replies
# see https://dev.openwrt.org/ticket/10381
config rule
    option name        Allow-DHCPv6
    option src        wan
    option proto        udp
    option src_ip        fe80::/10
    option src_port        547
    option dest_ip        fe80::/10
    option dest_port    546
    option family        ipv6
    option target        ACCEPT

# Allow essential incoming IPv6 ICMP traffic
config rule
    option name        Allow-ICMPv6-Input
    option src        wan
    option proto    icmp
    list icmp_type        echo-request
    list icmp_type        echo-reply
    list icmp_type        destination-unreachable
    list icmp_type        packet-too-big
    list icmp_type        time-exceeded
    list icmp_type        bad-header
    list icmp_type        unknown-header-type
    list icmp_type        router-solicitation
    list icmp_type        neighbour-solicitation
    list icmp_type        router-advertisement
    list icmp_type        neighbour-advertisement
    option limit        1000/sec
    option family        ipv6
    option target        ACCEPT

# Allow essential forwarded IPv6 ICMP traffic
config rule
    option name        Allow-ICMPv6-Forward
    option src        wan
    option dest        *
    option proto        icmp
    list icmp_type        echo-request
    list icmp_type        echo-reply
    list icmp_type        destination-unreachable
    list icmp_type        packet-too-big
    list icmp_type        time-exceeded
    list icmp_type        bad-header
    list icmp_type        unknown-header-type
    option limit        1000/sec
    option family        ipv6
    option target        ACCEPT

# include a file with users custom iptables rules
# NOTE(review): /etc/firewall.user is not part of this listing.  If the
# transparent-proxy REDIRECT rules (wlan0 udp/53 -> 9053, wlan0 tcp -> 9040)
# live anywhere, it would be here -- they are absent from the UCI sections.
config include
    option path /etc/firewall.user


### EXAMPLE CONFIG SECTIONS
# do not allow a specific ip to access wan
#config rule
#    option src        lan
#    option src_ip    192.168.45.2
#    option dest        wan
#    option proto    tcp
#    option target    REJECT

# block a specific mac on wan
#config rule
#    option dest        wan
#    option src_mac    00:11:22:33:44:66
#    option target    REJECT

# block incoming ICMP traffic on a zone
#config rule
#    option src        lan
#    option proto    ICMP
#    option target    DROP

# port redirect port coming in on wan to lan
#config redirect
#    option src            wan
#    option src_dport    80
#    option dest            lan
#    option dest_ip        192.168.16.235
#    option dest_port    80
#    option proto        tcp

# port redirect of remapped ssh port (22001) on wan
#config redirect
#    option src        wan
#    option src_dport    22001
#    option dest        lan
#    option dest_port    22
#    option proto        tcp

# allow IPsec/ESP and ISAKMP passthrough
#config rule
#    option src        wan
#    option dest        lan
#    option protocol        esp
#    option target        ACCEPT

#config rule
#    option src        wan
#    option dest        lan
#    option src_port        500
#    option dest_port    500
#    option proto        udp
#    option target        ACCEPT

### FULL CONFIG SECTIONS
#config rule
#    option src        lan
#    option src_ip    192.168.45.2
#    option src_mac    00:11:22:33:44:55
#    option src_port    80
#    option dest        wan
#    option dest_ip    194.25.2.129
#    option dest_port    120
#    option proto    tcp
#    option target    REJECT

#config redirect
#    option src        lan
#    option src_ip    192.168.45.2
#    option src_mac    00:11:22:33:44:55
#    option src_port        1024
#    option src_dport    80
#    option dest_ip    194.25.2.129
#    option dest_port    120
#    option proto    tcp

#added manually
#config zone
#    option name 'tor'
##    option input 'ACCEPT'
#    option forward 'REJECT'
#    option output 'ACCEPT'
#    option network 'tor'

#Allow Tor Bridge incoming for censored users
# NOTE(review): this rule has no name and opens tcp/443 on WAN to the router
# itself.  uhttpd (config/uhttpd) also listens on 0.0.0.0:443, so unless a Tor
# ORPort is actually bound to 443 first, this exposes the LuCI admin UI to
# the upstream network.  Drop it unless the bridge is really configured, and
# give it a name, e.g. 'option name Allow-Tor-Bridge'.
config rule
        option src wan
        option proto tcp
        option dest_port 443
        option target ACCEPT

# Zone for the Tor-client WLAN.
# NOTE(review): this zone is not bound to any interface -- compare the lan and
# wan zones, which carry 'list network ...'.  Without
#     list network 'transtor'
# the three 'src transtor' rules below never match and wlan0 traffic falls
# back to the 'config defaults' policy instead (input ACCEPT).  This is the
# first thing to fix.
# NOTE(review): even with the zone bound, there is no 'config redirect' in
# this file that sends client traffic into Tor.  Something like
#     config redirect
#         option name     'Tor-DNS'
#         option src      transtor
#         option proto    udp
#         option src_dport 53
#         option dest_port 9053
#         option target   DNAT
# (no dest_ip -> redirected to the router itself) plus a matching tcp
# redirect to 9040 for the remaining ports, excluding traffic addressed to
# 192.168.2.1, is needed; verify against the TransPort/DNSPort bind addresses
# in /etc/tor/torrc, which are not shown here.
config zone
        option name     transtor
        option input    REJECT
        option output   ACCEPT
        option forward  REJECT
        option syn_flood 1
        option conntrack 1 #this setting is mandatory

# Allow Transparent clients the ability to DHCP an address
# XXX TODO: Audit this to ensure it doesn't leak UDP port 67 to the net!
# NOTE(review): the rule has no 'dest', so it applies to traffic addressed to
# the router (input), not to forwarded traffic; with the zone's
# 'forward REJECT' nothing on udp/67 is forwarded to WAN.
config rule
    option name         'Allow-Tor-DHCP'
        option src              transtor
        option proto            udp
        option dest_port        67
        option target           ACCEPT
# Tor transparent-proxy-port (set in /etc/tor/torrc)
config rule
    option name         'Allow-Tor-Transparent'
        option src              transtor
        option proto            tcp
        option dest_port        9040
        option target           ACCEPT
# Tor DNS-proxy-port (set in /etc/tor/torrc)
config rule
    option name         'Allow-Tor-DNS'
        option src              transtor
        option proto            udp
        option dest_port        9053
        option target           ACCEPT

==> config/luci <==

# LuCI web UI settings.  Nothing here limits which interfaces the UI is
# served on; that is decided by config/uhttpd (listens on 0.0.0.0 there).
config core 'main'
    option lang 'auto'
    option mediaurlbase '/luci-static/openwrt.org'
    option resourcebase '/luci-static/resources'

# Files preserved across sysupgrade.  /etc/dropbear/ (host keys) and
# /etc/passwd are kept, so an SSH host key or root hash set now survives.
config extern 'flash_keep'
    option uci '/etc/config/'
    option dropbear '/etc/dropbear/'
    option openvpn '/etc/openvpn/'
    option passwd '/etc/passwd'
    option opkg '/etc/opkg.conf'
    option firewall '/etc/firewall.user'
    option uploads '/lib/uci/upload/'

config internal 'languages'
    option en 'English'

# Session store in /tmp (RAM); sessions expire after one hour.
config internal 'sauth'
    option sessionpath '/tmp/luci-sessions'
    option sessiontime '3600'

config internal 'ccache'
    option enable '1'

config internal 'themes'
    option Bootstrap '/luci-static/bootstrap'


==> config/network <==

config interface 'loopback'
    option ifname 'lo'
    option proto 'static'
    option ipaddr '127.0.0.1'
    option netmask '255.0.0.0'

config globals 'globals'
    option ula_prefix 'fd80:0fb3:b4e3::/48'

# Wired LAN (switch VLAN 1), 192.168.1.1/24, firewall zone 'lan'.
config interface 'lan'
    option ifname 'eth0.1'
    option force_link '1'
    option macaddr '20:28:18:a0:a8:fe'
    option type 'bridge'
    option proto 'static'
    option ipaddr '192.168.1.1'
    option netmask '255.255.255.0'
    option ip6assign '60'
    # added manually
    # option conntrack '1'
    # option delegate '0'
    # option dns '192.168.1.1'
  ## option defaultroute 0
    ## option peerdns 0

# Upstream (switch VLAN 2, port 0) towards the wireless modem, address via
# DHCP.  The resolvers it supplies end up in /tmp/resolv.conf.auto for dnsmasq.
config interface 'wan'
    option ifname 'eth0.2'
    option force_link '1'
    option macaddr '20:28:18:a0:a8:ff'
    option proto 'dhcp'

config interface 'wan6'
    option ifname 'eth0.2'
    option proto 'dhcpv6'

config switch
    option name 'switch0'
    option reset '1'
    option enable_vlan '1'

config switch_vlan
    option device 'switch0'
    option vlan '1'
    option ports '1 2 3 4 6t'

config switch_vlan
    option device 'switch0'
    option vlan '2'
    option ports '0 6t'

# added manually
# Tor-client network on the WLAN radio, 192.168.2.1/24.  The wifi-iface in
# config/wireless attaches to this interface by name.
# NOTE(review): no firewall zone lists 'transtor' as a member network (the
# 'transtor' zone in config/firewall has no 'list network' line), so traffic
# from wlan0 is handled by the firewall defaults rather than that zone.
config interface transtor
        option ifname   "wlan0"
        option proto    static
        option ipaddr 192.168.2.1
        option netmask 255.255.255.0

==> config/system <==

config system
    option hostname 'OpenWrt'
    option timezone 'UTC'

# Time sync over plain NTP to the OpenWrt pool.  Tor needs a roughly correct
# clock to build circuits, and this is the only time source configured, so
# keep it enabled; enable_server '0' means the router does not serve NTP.
config timeserver 'ntp'
    list server '0.openwrt.pool.ntp.org'
    list server '1.openwrt.pool.ntp.org'
    list server '2.openwrt.pool.ntp.org'
    list server '3.openwrt.pool.ntp.org'
    option enabled '1'
    option enable_server '0'

config led 'led_power'
    option name 'power'
    option sysfs 'nexx:blue:power'
    option default '0'


==> config/ucitrack <==
# ucitrack: maps each UCI config to the init script(s) to restart on commit.
# Unchanged stock file; nothing here is Tor- or security-relevant.
config network
    option init network
    list affects dhcp
    list affects radvd

config wireless
    list affects network

config firewall
    option init firewall
    list affects luci-splash
    list affects qos
    list affects miniupnpd

config olsr
    option init olsrd

config dhcp
    option init dnsmasq

config dropbear
    option init dropbear

config httpd
    option init httpd

config fstab
    option init fstab

config qos
    option init qos

config system
    option init led
    list affects luci_statistics

config luci_splash
    option init luci_splash

config upnpd
    option init miniupnpd

config ntpclient
    option init ntpclient

config samba
    option init samba

config tinyproxy
    option init tinyproxy

config 6relayd
    option init 6relayd

==> config/uhttpd <==

# LuCI web server.
# NOTE(review): it listens on all addresses (0.0.0.0 / [::]) on 80 and 443.
# Combined with the unnamed 'wan -> tcp/443 ACCEPT' rule in config/firewall
# and the 'input ACCEPT' default that the unzoned wlan0 falls under, the admin
# UI is reachable from the upstream network on 443 (rfc1918_filter only
# rejects private-source requests to a public server address, which may not
# apply here) and from the open WLAN on plain HTTP.  Prefer binding to the
# wired LAN only, e.g. 'list listen_http 192.168.1.1:80' and
# 'list listen_https 192.168.1.1:443'.
config uhttpd 'main'
    list listen_http '0.0.0.0:80'
    list listen_http '[::]:80'
    list listen_https '0.0.0.0:443'
    list listen_https '[::]:443'
    option home '/www'
    option rfc1918_filter '1'
    option max_requests '3'
    option max_connections '100'
    option cert '/etc/uhttpd.crt'
    option key '/etc/uhttpd.key'
    option cgi_prefix '/cgi-bin'
    option script_timeout '60'
    option network_timeout '30'
    option http_keepalive '20'
    option tcp_keepalive '1'
    option ubus_prefix '/ubus'

# Self-signed certificate parameters used to generate /etc/uhttpd.crt.
# NOTE(review): 1024-bit RSA is below current minimums; use 'option bits 2048'
# and regenerate the key.
config cert 'px5g'
    option days '730'
    option bits '1024'
    option country 'DE'
    option state 'Berlin'
    option location 'Berlin'
    option commonname 'OpenWrt'


==> config/wireless <==

config wifi-device 'radio0'
    option type 'mac80211'
    option channel '11'
    option hwmode 'HT20'
    option path '10180000.wmac'
    option htmode 'HT20'

# Open access point 'OnionWRT' attached to the 'transtor' interface.
# NOTE(review): 'encryption none' is a deliberate choice for a public Tor
# hotspot, but it means anyone in range is on 192.168.2.0/24 with the router
# services exposed by the firewall defaults (see config/firewall, dropbear,
# uhttpd).  Consider 'option isolate 1' so clients cannot reach each other,
# and make sure the transtor zone is actually bound before going live.
config wifi-iface
    option device 'radio0'
    option network 'transtor'
    option mode 'ap'
    option encryption 'none'
    option ssid 'OnionWRT'


==> config/wireless.bak <==
# Backup of the stock wireless config (not active).
# NOTE(review): if this file is ever restored, the open 'OpenWrt' AP lands on
# the 'lan' network, whose firewall zone forwards to WAN in the clear -- an
# unauthenticated, non-Tor uplink.  Delete it once the Tor setup is stable.
config wifi-device  radio0
    option type     mac80211
    option channel  11
    option hwmode    11g
    option path    '10180000.wmac'
    option htmode    HT20

config wifi-iface
    option device   radio0
    option network  lan
    option mode     ap
    option ssid     OpenWrt
    option encryption none

I installed Tor and it is running; I can see that ports 9040 and 9053 are being
listened on. I would be glad if anyone with experience of such an OpenWrt setup could help.



-- 
Oğuz Yarımtepe
http://about.me/oguzy

