Martin Kepplinger:
I try to configure OpenWRT in a way that it will only allow outgoing connections if it is Tor. Basically it is the opposite of "blacklisting exit relays on servers": "whitelisting (guard) relays for clients". It should *not* run Tor itself.
I actually implemented this while running Tor on the router. This provides easy retrieval and validation of the consensus.
Before we go further, I think it's worthwhile to put a serious disclaimer: such a setup will only prevent accidental leaks and will not prevent targeted attacks. A determined attacker will be able to run a relay long enough and with sufficient bandwidth to become a Guard. It will then be trivial for them to recognize non-Tor packets coming at one of its ports.
I need to clean up my notes and turn them into a proper article for the upcoming Tor Labs. Meanwhile, here's what I have written down already:
--- 8< ---
### First steps
1. Create a new Wi-Fi interface, mode Access Point.
2. Add Wi-Fi interface to new network named “filtered”.
3. Configure “filtered” to use a static address, and have a DHCP server.
4. Add “filtered” interface to new firewall zone named “filtered”.
5. Create a rule to allow input for DHCP (UDP port 67).
### Install tools
Get Tor!
```
# opkg install tor
```
Is tor connected?
```
# ls -l /var/lib/tor/cached-microdesc-consensus
```
Get `ipset`:
```
# opkg install ipset
```
### /usr/sbin/refresh-tor-guard-set
Content:
```sh
#!/bin/sh
while true; do
    ipset -q create tor-guards hash:ip,port
    ipset -q create tor-guards-new hash:ip,port
    # "r" lines of the microdesc consensus are:
    #   r <nickname> <identity> <date> <time> <IP> <ORPort> <DirPort>
    # The flags of that relay follow on the next "s" line; the flag is
    # matched as a whole word so "Guard"/"Authority" is not confused with
    # any other token.
    awk '
        /^r / { cmd = "ipset -q add tor-guards-new " $6 "," $7 "\n";
                cmd = cmd "ipset -q add tor-guards-new " $6 "," $8 }
        /^s / { if ($0 ~ / (Guard|Authority)( |$)/) { print cmd } }
    ' /var/lib/tor/cached-microdesc-consensus | sh
    ipset swap tor-guards-new tor-guards
    ipset destroy tor-guards-new
    sleep 3600
done
```
Needs to be set executable:
```
# chmod +x /usr/sbin/refresh-tor-guard-set
```
### /etc/init.d/refresh-tor-guard-set
Content:
```sh
#!/bin/sh /etc/rc.common
START=50
STOP=50
USE_PROCD=1

start_service() {
    procd_open_instance
    procd_set_param respawn ${respawn_threshold:-3600} ${respawn_timeout:-5} ${respawn_retry:-5}
    procd_set_param stderr 1  # forward stderr of the command to logd
    procd_set_param command /usr/sbin/refresh-tor-guard-set
    procd_close_instance
}
```
Needs to be set executable:
```
# chmod +x /etc/init.d/refresh-tor-guard-set
```
Enable:
```
# /etc/init.d/refresh-tor-guard-set enable
# /etc/init.d/refresh-tor-guard-set start
```
### Extra firewall rule
```
config ipset
    option name tor-guards
    option external tor-guards
    option family ipv4
    option storage hash
    list match 'dest_ip'
    list match 'dest_port'

config rule
    option name Allow-Tor-Traffic-on-filtered
    option src filtered
    option dest wan
    option family ipv4
    option proto tcp
    option ipset tor-guards
    option target ACCEPT
```
--- >8 ---
I think I made a few adjustments to the above scripts after more tests since I took the above notes.
Hope that helps,
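The consensus-parsing step of the refresh loop above, as an added example that is not part of the original post: a standalone shell script that can be run on a workstation without ipset, so the set of addresses the firewall would whitelist can be reviewed before it is loaded on the router. The function and file names (`guard_endpoints`, `ipset_commands`, `guard-endpoints.sh`) are hypothetical, the consensus sample is constructed (RFC 5737 addresses, made-up identities), and the script deliberately skips a DirPort of 0, which the notes' one-liner would pass to ipset as `ip,0`.

```sh
#!/bin/sh
# Added example, not part of the original post: an offline, testable version of
# the consensus-parsing step used by the refresh loop. It reads a microdesc
# consensus on stdin and prints one "IP,port" line for the ORPort (and non-zero
# DirPort) of every relay carrying the Guard or Authority flag. On the router
# the input would be /var/lib/tor/cached-microdesc-consensus; a constructed
# sample is embedded here so the script runs anywhere.

guard_endpoints() {
    # In a microdesc consensus an "r" line has the shape
    #   r <nickname> <identity> <date> <time> <IP> <ORPort> <DirPort>
    # so $6 is the address, $7 the ORPort and $8 the DirPort. The relay's
    # flags follow on the next "s" line. Flags are matched as whole words so
    # that a flag merely containing the text "Guard" would not qualify.
    awk '
        /^r / { ip = $6; orport = $7; dirport = $8 }
        /^s / {
            if ($0 ~ / (Guard|Authority)( |$)/) {
                print ip "," orport
                # a DirPort of 0 means "no DirPort"; skip it rather than add ip,0
                if (dirport != 0) print ip "," dirport
            }
        }
    '
}

ipset_commands() {
    # Turns the "IP,port" lines into the commands the refresh loop feeds to sh.
    # Printing them instead of running them lets the output be reviewed first.
    guard_endpoints | sed 's/^/ipset -q add tor-guards-new /'
}

# Constructed sample consensus (addresses from RFC 5737 documentation ranges,
# identities made up). alpha is a Guard with a DirPort, beta is an Exit only,
# gamma is an Authority without a DirPort.
SAMPLE_CONSENSUS='network-status-version 3 microdesc
vote-status consensus
r alpha AAAAAAAAAAAAAAAAAAAAAAAAAAA 2024-01-01 00:00:00 192.0.2.10 9001 9030
s Fast Guard HSDir Running Stable V2Dir Valid
w Bandwidth=5000
r beta BBBBBBBBBBBBBBBBBBBBBBBBBBB 2024-01-01 00:00:00 198.51.100.20 443 0
s Exit Fast Running Stable Valid
w Bandwidth=2000
r gamma CCCCCCCCCCCCCCCCCCCCCCCCCCC 2024-01-01 00:00:00 203.0.113.30 9001 0
s Authority Fast Running Stable V2Dir Valid
w Bandwidth=100'

# Usage: ./guard-endpoints.sh            (prints the entries for the sample)
#        ./guard-endpoints.sh /var/lib/tor/cached-microdesc-consensus
if [ -n "${1:-}" ]; then
    ipset_commands < "$1"
else
    printf '%s\n' "$SAMPLE_CONSENSUS" | ipset_commands
fi
```

Run against the sample, the script emits three `ipset -q add tor-guards-new` lines: alpha's ORPort and DirPort and gamma's ORPort; beta never appears because it carries neither flag. Diffing this output between two consensus versions is a cheap way to see how much the whitelist churns per hour, which is also a hint of how often a stale set could block a legitimate Tor connection before the next refresh.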