Hi Martin,

> I try to configure OpenWRT in a way that it will only allow outgoing connections if it is Tor. Basically it is the opposite of "blacklisting exit relays on servers": "whitelisting (guard) relays for clients". It should *not* run Tor itself.

Maybe corridor would work for you: https://github.com/rustybird/corridor
You could point it at a Tor control port somewhere in your network if running tor on OpenWRT (just to fetch the networkstatus consensus documents every 1-2 hours) is impossible.

> What did *not* work was starting Torbrowser. That's a hard requirement, and before debugging it through I ask: Am I missing something when I just allow outgoing connections to
> - Guard,
> - Authority,

But the authority IP addresses hardcoded in the Tor client source code differ from the authority IP addresses published in the networkstatus consensus...
https://github.com/rustybird/corridor/commit/a56d751df399ab1c54f64b0d4dc59f7...

> - and HSDir flagged relays (do I *need* them? that's a different question probably)

AFAICT, regular clients only make connections to authorities and guards.
Rusty
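
The allowlist discussed in this message can be derived from a networkstatus consensus by reading its `r` (router) and `s` (flags) lines. The following is an added example, not part of the original e-mail and not corridor's code; the sample consensus is constructed, and the function names and the ipset name `tor_allow` are hypothetical.

```python
import ipaddress

# Constructed sample in the "r"/"s" line layout of a networkstatus consensus.
# Nicknames, digests and addresses (RFC 5737 ranges) are made up. relayC uses
# the shorter microdesc-style "r" line; "broken" carries an invalid address.
SAMPLE_CONSENSUS = """\
r relayA AAAAAAAAAAAAAAAAAAAAAAAAAAA BBBBBBBBBBBBBBBBBBBBBBBBBBB 2024-01-01 00:00:00 192.0.2.10 9001 0
s Fast Guard Running Stable Valid
r relayB CCCCCCCCCCCCCCCCCCCCCCCCCCC DDDDDDDDDDDDDDDDDDDDDDDDDDD 2024-01-01 00:00:00 198.51.100.7 443 80
s Exit Fast Running Valid
r dirauthX EEEEEEEEEEEEEEEEEEEEEEEEEEE FFFFFFFFFFFFFFFFFFFFFFFFFFF 2024-01-01 00:00:00 203.0.113.5 9101 9131
s Authority Running Valid
r relayC GGGGGGGGGGGGGGGGGGGGGGGGGGG 2024-01-01 00:00:00 192.0.2.77 9001 0
s Guard HSDir Running Valid
r broken HHHHHHHHHHHHHHHHHHHHHHHHHHH 2024-01-01 00:00:00 not-an-ip 9001 0
s Guard Running Valid
"""

def allowed_endpoints(consensus_text, wanted=frozenset({"Guard", "Authority"}), extra=()):
    """Return sorted (ip, orport) pairs of relays carrying any wanted flag.

    extra: additional (ip, port) pairs, e.g. the authority addresses hardcoded
    in the Tor client, which the e-mail notes differ from the consensus ones.
    """
    allowed = set(extra)
    current = None  # endpoint from the most recent valid "r" line
    for line in consensus_text.splitlines():
        parts = line.split()
        if not parts:
            continue
        if parts[0] == "r":
            current = None
            if len(parts) < 8:
                continue
            try:
                # Address, ORPort, DirPort are the last three fields in both
                # the full and the microdesc-flavoured "r" line.
                ip, port = ipaddress.IPv4Address(parts[-3]), int(parts[-2])
            except ValueError:
                continue  # malformed entry: never allowlist it
            if 0 < port < 65536:
                current = (str(ip), port)
        elif parts[0] == "s" and current:
            if wanted & set(parts[1:]):
                allowed.add(current)
            current = None
    return sorted(allowed)

def ipset_restore_lines(endpoints, set_name="tor_allow"):
    """Render endpoints as `ipset restore` input for a hash:ip,port set."""
    return [f"add {set_name} {ip},tcp:{port}" for ip, port in endpoints]
```

Because relays gain and lose flags with each new consensus, the set has to be rebuilt on every refresh rather than only appended to.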