├── README.md
├── onionwrt
│   └── install-tor.sh
└── openwrt-1505
    ├── openwrt-15.05-ramips-mt7620-wt3020-8M-squashfs-factory.bin
    └── openwrt-15.05-ramips-mt7620-wt3020-8M-squashfs-sysupgrade.bin

/README.md:
--------------------------------------------------------------------------------
# tor-router-nexx-wt3020
Make a cheap Tor router for $10

## Configuring your Tor router on a Nexx WT3020

My default configuration after installation:

* ESSID=`OnionWRT`
* WPA2=`t0rmenta`
* IP_LAN=`192.168.10.1`
* CREDENTIALS_LUCI_WEB=`root:t0rmenta`


## LuCI & OpenWrt & kernel versioning

* Hostname: `OpenWrt`
* Model: `Nexx WT3020`
* Firmware Version: `OpenWrt Chaos Calmer 15.05 / LuCI (git-15.248.30277-3836b45)`
* Kernel Version: `3.18.20`


## Installation

```sh
$ ssh root@192.168.10.1
root@192.168.10.1's password: t0rmenta


BusyBox v1.23.2 (2015-07-25 03:03:02 CEST) built-in shell (ash)

  _______                     ________        __
 |       |.-----.-----.-----.|  |  |  |.----.|  |_
 |   -   ||  _  |  -__|     ||  |  |  ||   _||   _|
 |_______||   __|_____|__|__||________||__| |____|
          |__| W I R E L E S S   F R E E D O M
 -----------------------------------------------------
 CHAOS CALMER (15.05, r46767)
 -----------------------------------------------------
  * 1 1/2 oz Gin            Shake with a glassful
  * 1/4 oz Triple Sec       of broken ice and pour
  * 3/4 oz Lime Juice       unstrained into a goblet.
  * 1 1/2 oz Orange Juice
  * 1 tsp. Grenadine Syrup
 -----------------------------------------------------

root@OpenWrt:~# wget -qO - https://github.com/enovella/tor-router-nexx-wt3020/blob/master/onionwrt/install-tor.sh | sh
Installing tor (0.2.5.12-1) to root...
Downloading http://downloads.openwrt.org/chaos_calmer/15.05/ramips/mt7620/packages/packages/tor_0.2.5.12-1_ramips_24kec.ipk.
Installing libevent2 (2.0.22-1) to root...
Downloading http://downloads.openwrt.org/chaos_calmer/15.05/ramips/mt7620/packages/base/libevent2_2.0.22-1_ramips_24kec.ipk.
Installing libopenssl (1.0.2g-1) to root...
Downloading http://downloads.openwrt.org/chaos_calmer/15.05/ramips/mt7620/packages/base/libopenssl_1.0.2g-1_ramips_24kec.ipk.
Installing zlib (1.2.8-1) to root...
Downloading http://downloads.openwrt.org/chaos_calmer/15.05/ramips/mt7620/packages/base/zlib_1.2.8-1_ramips_24kec.ipk.
Installing libpthread (0.9.33.2-1) to root...
Downloading http://downloads.openwrt.org/chaos_calmer/15.05/ramips/mt7620/packages/base/libpthread_0.9.33.2-1_ramips_24kec.ipk.
Installing librt (0.9.33.2-1) to root...
Downloading http://downloads.openwrt.org/chaos_calmer/15.05/ramips/mt7620/packages/base/librt_0.9.33.2-1_ramips_24kec.ipk.
Configuring libpthread.
Configuring libevent2.
Configuring librt.
Configuring zlib.
Configuring libopenssl.
Configuring tor.
```

After installation:

```sh
$ ssh root@192.168.10.1
root@192.168.10.1's password: t0rmenta


BusyBox v1.23.2 (2015-07-25 03:03:02 CEST) built-in shell (ash)

  _______                     ________        __
 |       |.-----.-----.-----.|  |  |  |.----.|  |_
 |   -   ||  _  |  -__|     ||  |  |  ||   _||   _|
 |_______||   __|_____|__|__||________||__| |____|
          |__| W I R E L E S S   F R E E D O M
 -----------------------------------------------------
 CHAOS CALMER (15.05, r46767)
 -----------------------------------------------------
  * 1 1/2 oz Gin            Shake with a glassful
  * 1/4 oz Triple Sec       of broken ice and pour
  * 3/4 oz Lime Juice       unstrained into a goblet.
  * 1 1/2 oz Orange Juice
  * 1 tsp. Grenadine Syrup
 -----------------------------------------------------
root@OpenWrt:~# ifconfig
br-lan    Link encap:Ethernet  HWaddr 20:28:18:XX:XX:XX
          inet addr:192.168.10.1  Bcast:192.168.10.255  Mask:255.255.255.0
          inet6 addr: fd3d:fc2c:67d1::1/60 Scope:Global
          inet6 addr: fe80::2228:18ff:fea1:d47e/64 Scope:Link
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
          RX packets:22290 errors:0 dropped:0 overruns:0 frame:0
          TX packets:22915 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:0
          RX bytes:2218856 (2.1 MiB)  TX bytes:30314062 (28.9 MiB)

eth0      Link encap:Ethernet  HWaddr 20:28:18:XX:XX:XX
          inet6 addr: fe80::2228:18ff:fea1:d47e/64 Scope:Link
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
          RX packets:33217 errors:0 dropped:0 overruns:0 frame:0
          TX packets:14049 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:1000
          RX bytes:36908369 (35.1 MiB)  TX bytes:4827571 (4.6 MiB)
          Interrupt:5

eth0.1    Link encap:Ethernet  HWaddr 20:28:18:XX:XX:XX
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
          RX packets:0 errors:0 dropped:0 overruns:0 frame:0
          TX packets:406 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:0
          RX bytes:0 (0.0 B)  TX bytes:32668 (31.9 KiB)

eth0.2    Link encap:Ethernet  HWaddr 20:28:18:XX:XX:XX
          inet addr:192.168.1.101  Bcast:192.168.1.255  Mask:255.255.255.0
          inet6 addr: fe80::2228:18ff:fea1:d47f/64 Scope:Link
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
          RX packets:32941 errors:0 dropped:0 overruns:0 frame:0
          TX packets:13295 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:0
          RX bytes:36294465 (34.6 MiB)  TX bytes:4709824 (4.4 MiB)

lo        Link encap:Local Loopback
          inet addr:127.0.0.1  Mask:255.0.0.0
          inet6 addr: ::1/128 Scope:Host
          UP LOOPBACK RUNNING  MTU:65536  Metric:1
          RX packets:355 errors:0 dropped:0 overruns:0 frame:0
          TX packets:355 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:0
          RX bytes:32670 (31.9 KiB)  TX bytes:32670 (31.9 KiB)

wlan0     Link encap:Ethernet  HWaddr 20:28:18:XX:XX:XX
          inet6 addr: fe80::2228:18ff:fea1:d47e/64 Scope:Link
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
          RX packets:22451 errors:0 dropped:0 overruns:0 frame:0
          TX packets:30284 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:1000
          RX bytes:2553318 (2.4 MiB)  TX bytes:31425402 (29.9 MiB)

root@OpenWrt:~# route
Kernel IP routing table
Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
default         192.168.1.1     0.0.0.0         UG    0      0        0 eth0.2
192.168.1.0     *               255.255.255.0   U     0      0        0 eth0.2
192.168.1.1     *               255.255.255.255 UH    0      0        0 eth0.2
192.168.10.0    *               255.255.255.0   U     0      0        0 br-lan

root@OpenWrt:~# netstat -putan
Active Internet connections (servers and established)
Proto Recv-Q Send-Q Local Address           Foreign Address         State       PID/Program name
tcp        0      0 192.168.10.1:9040       0.0.0.0:*               LISTEN      844/tor
tcp        0      0 0.0.0.0:80              0.0.0.0:*               LISTEN      858/uhttpd
tcp        0      0 0.0.0.0:53              0.0.0.0:*               LISTEN      1083/dnsmasq
tcp        0      0 0.0.0.0:22              0.0.0.0:*               LISTEN      802/dropbear
tcp        0      0 127.0.0.1:9050          0.0.0.0:*               LISTEN      844/tor
tcp        0      0 192.168.1.101:32809     45.76.138.70:443        ESTABLISHED 844/tor
tcp        0    746 192.168.10.1:80         192.168.10.118:38217    ESTABLISHED 858/uhttpd
tcp        0      1 192.168.10.1:9040       192.168.10.198:38514    FIN_WAIT1   -
tcp        0      0 192.168.10.1:9040       192.168.10.198:38566    ESTABLISHED 844/tor
tcp        0      0 192.168.10.1:9040       192.168.10.118:37705    ESTABLISHED 844/tor
tcp        0      0 192.168.10.1:9040       192.168.10.118:47263    ESTABLISHED 844/tor
tcp        0      0 192.168.10.1:9040       192.168.10.118:54239    ESTABLISHED 844/tor
tcp        0      0 192.168.10.1:9040       192.168.10.198:48133    ESTABLISHED 844/tor
tcp        0      0 192.168.10.1:9040       192.168.10.198:49601    ESTABLISHED 844/tor
tcp        0      0 192.168.10.1:9040       192.168.10.198:41065    ESTABLISHED 844/tor
tcp        0      0 192.168.10.1:9040       192.168.10.118:54242    ESTABLISHED 844/tor
tcp        0      0 192.168.10.1:9040       192.168.10.198:48413    ESTABLISHED 844/tor
tcp        0    288 192.168.10.1:22         192.168.10.118:59063    ESTABLISHED 2209/dropbear
tcp        0      0 192.168.10.1:9040       192.168.10.118:43619    ESTABLISHED 844/tor
tcp        0      0 192.168.10.1:9040       192.168.10.198:48954    ESTABLISHED 844/tor
tcp        0      0 192.168.10.1:9040       192.168.10.198:48947    ESTABLISHED 844/tor
tcp        0      0 192.168.10.1:9040       192.168.10.118:43595    ESTABLISHED 844/tor
tcp        0      0 192.168.10.1:80         192.168.10.118:38264    TIME_WAIT   -
tcp        0      0 192.168.10.1:9040       192.168.10.198:38564    ESTABLISHED 844/tor
tcp        0      0 192.168.1.101:58004     148.251.190.229:9010    ESTABLISHED 844/tor
tcp        0      0 :::80                   :::*                    LISTEN      858/uhttpd
tcp        0      0 :::53                   :::*                    LISTEN      1083/dnsmasq
tcp        0      0 :::22                   :::*                    LISTEN      802/dropbear
udp        0      0 0.0.0.0:53              0.0.0.0:*                           1083/dnsmasq
udp        0      0 0.0.0.0:67              0.0.0.0:*                           1083/dnsmasq
udp        0      0 192.168.10.1:9053       0.0.0.0:*                           844/tor
udp        0      0 :::546                  :::*                                931/odhcp6c
udp        0      0 :::547                  :::*                                772/odhcpd
udp        0      0 :::53                   :::*                                1083/dnsmasq
root@OpenWrt:~#
```

Enjoy!
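Two things a practitioner would want to check after following the transcript above. First, the `wget` line fetches the script from a `github.com/.../blob/` URL, which serves GitHub's HTML file view rather than the script itself; the raw file is served from `raw.githubusercontent.com` (the host the firmware links in this repository use), and fetching it to a file you can read before running it is the safer habit. Second, the `netstat -putan` output is where you confirm that Tor's sockets ended up where `install-tor.sh` puts them: the TransPort and DNSPort on the LAN address only, the SocksPort on loopback only, and nothing bound to `0.0.0.0` or to the WAN address. The script below is an added example, not code from this repository: the function names are my own, and the `netstat` samples are constructed from the format shown above (the second one deliberately shows a bad configuration). Listeners of uhttpd, dnsmasq and dropbear on `0.0.0.0` are not Tor's and are not flagged; whether they are reachable from the WAN side is decided by the firewall zones, which this check does not inspect.

```shell
#!/bin/sh
# Post-install listener check for the OnionWRT transparent proxy (added example).
# Parses the `netstat -putan` format printed by BusyBox on OpenWrt 15.05.

# Constructed sample, modelled on the netstat output in the README.
SAMPLE_NETSTAT='tcp        0      0 192.168.10.1:9040       0.0.0.0:*               LISTEN      844/tor
tcp        0      0 0.0.0.0:80              0.0.0.0:*               LISTEN      858/uhttpd
tcp        0      0 0.0.0.0:53              0.0.0.0:*               LISTEN      1083/dnsmasq
tcp        0      0 0.0.0.0:22              0.0.0.0:*               LISTEN      802/dropbear
tcp        0      0 127.0.0.1:9050          0.0.0.0:*               LISTEN      844/tor
tcp        0      0 192.168.1.101:32809     45.76.138.70:443        ESTABLISHED 844/tor
tcp        0      0 192.168.10.1:9040       192.168.10.118:37705    ESTABLISHED 844/tor
udp        0      0 0.0.0.0:53              0.0.0.0:*                           1083/dnsmasq
udp        0      0 192.168.10.1:9053       0.0.0.0:*                           844/tor'

# Constructed counter-example: SocksPort and DNSPort bound on every interface.
SAMPLE_NETSTAT_BAD='tcp        0      0 192.168.10.1:9040       0.0.0.0:*               LISTEN      844/tor
tcp        0      0 0.0.0.0:9050            0.0.0.0:*               LISTEN      844/tor
udp        0      0 0.0.0.0:9053            0.0.0.0:*                           844/tor'

# Print "proto local_address" for every Tor socket that accepts traffic:
# tcp sockets in LISTEN state and every bound udp socket.
tor_sockets() {
    printf '%s\n' "$1" | awk '$NF ~ "/tor$" && ($1 == "udp" || $6 == "LISTEN") { print $1, $4 }'
}

# Print Tor sockets bound to a wildcard address (IPv4 or IPv6) or to the WAN address.
exposed_tor_sockets() {
    tor_sockets "$2" | awk -v wan="$1" '
        { split($2, a, ":"); host = a[1] }
        host == "0.0.0.0" || host == wan || $2 ~ /^:::/ { print }'
}

# Return 0 when the listeners match the install script's torrc:
#   tcp LAN_IP:9040 (TransPort), udp LAN_IP:9053 (DNSPort), tcp 127.0.0.1:9050 (SocksPort)
# and no Tor socket faces the WAN or every interface. Problems are printed to stdout.
check_tor_listeners() {
    lan_ip=$1; wan_ip=$2; netstat_out=$3; rc=0
    socks=$(tor_sockets "$netstat_out")
    for want in "tcp ${lan_ip}:9040" "udp ${lan_ip}:9053" "tcp 127.0.0.1:9050"; do
        printf '%s\n' "$socks" | grep -qxF "$want" || { echo "missing listener: $want"; rc=1; }
    done
    exposed=$(exposed_tor_sockets "$wan_ip" "$netstat_out")
    [ -z "$exposed" ] || { echo "Tor socket reachable beyond the LAN:"; echo "$exposed"; rc=1; }
    return $rc
}

# On the router: check_tor_listeners "$(uci get network.lan.ipaddr)" "<wan ip>" "$(netstat -putan)"
check_tor_listeners 192.168.10.1 192.168.1.101 "$SAMPLE_NETSTAT" && echo "listeners OK"
```

Run against the constructed good sample the check passes; against the bad sample it reports the two missing LAN-only listeners and the two wildcard-bound sockets and returns 1, which makes it usable as a gate in a post-install script.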
--------------------------------------------------------------------------------
/onionwrt/install-tor.sh:
--------------------------------------------------------------------------------
#!/bin/sh
############################################################################################
#                                   Configure OnionWRT                                     #
# Reused from:                                                                             #
#   1) http://onionwrt.us.to/install                                                       #
#   2) https://byteseclabs.com/some-work-mostly-fun/2016/11/14/make-a-cheap-tor-anonymizer #
############################################################################################

LAN_IP=$(uci get network.lan.ipaddr)
# Refresh the package lists; discard both stdout and stderr
# (the original "2>&1 >/dev/null" ordering only silenced stdout)
opkg update >/dev/null 2>&1

# Install Tor. Match the package name exactly: a bare "grep -q tor" is satisfied
# by any installed package whose name merely contains that substring.
( opkg list-installed | grep -q '^tor ' ) || opkg install tor
( opkg list-installed | grep -q '^tor ' ) || { echo "Error: Tor is not installed."; exit 1; }

# Configure Tor
# Create user and group for the daemon (uid/gid 52, no login shell)
( grep -q '^tor:' /etc/passwd ) || echo "tor:*:52:52:tor:/var/run/tor:/bin/false" >> /etc/passwd
( grep -q '^tor:' /etc/shadow ) || echo "tor:*:0:0:99999:7:::" >> /etc/shadow
( grep -q '^tor:' /etc/group )  || echo "tor:x:52:" >> /etc/group

# House keeping: stop any running instance and start from a clean state
killall -9 tor 2>/dev/null
rm -rf /etc/tor
rm -rf /var/lib/tor
rm -f /var/run/tor.pid

# Create Tor configuration
mkdir -p /etc/tor

cat > /etc/tor/torrc << EOF
# Tor configuration auto-generated by onionwrt script
User tor
RunAsDaemon 1
PidFile /var/run/tor.pid
DataDirectory /var/lib/tor
VirtualAddrNetwork 10.192.0.0/10
AutomapHostsSuffixes .onion,.exit
AutomapHostsOnResolve 1
TransPort 9040
TransListenAddress 127.0.0.1
TransListenAddress ${LAN_IP}
DNSPort 9053
DNSListenAddress 127.0.0.1
# 0.0.0.0:5300 binds on every interface, the WAN side included; whether it is
# reachable from upstream depends on the firewall's wan zone input policy
DNSListenAddress 0.0.0.0:5300
DNSListenAddress ${LAN_IP}
# ControlPort binds to 127.0.0.1 by default; no authentication is configured here
ControlPort 9051

EOF

mkdir -p /var/lib/tor
chown tor /var/lib/tor
mkdir -p /var/run
touch /var/run/tor.pid
chown tor /var/run/tor.pid

# Configure transparent proxy. Lines tagged "# DNT" are ours: drop the ones left
# by a previous run before appending, so re-running does not duplicate rules.
sed -i -e '/# DNT/d' /etc/firewall.user

# The heredoc is unquoted, so the $(uci ...) and ipcalc.sh expansions are
# evaluated now and the resulting literal addresses land in firewall.user.
cat >> /etc/firewall.user << EOF
iptables -t nat -A PREROUTING -i br-lan -s $(uci get network.lan.ipaddr)/$(ipcalc.sh $(uci get network.lan.ipaddr) $(uci get network.lan.netmask)|grep PREFIX|cut -d "=" -f 2) -d $(uci get network.lan.ipaddr) -j RETURN # DNT
iptables -t nat -A PREROUTING -i br-lan -p udp --dport 53 -j REDIRECT --to-ports 9053 # DNT
iptables -t nat -A PREROUTING -i br-lan -p tcp --syn -j REDIRECT --to-ports 9040 # DNT
# Drop ICMP # DNT
iptables -A INPUT -p icmp --icmp-type 8 -j DROP # DNT
# security rules from https://lists.torproject.org/pipermail/tor-talk/2014-March/032507.html # DNT
iptables -A OUTPUT -m conntrack --ctstate INVALID -j DROP # DNT
iptables -A OUTPUT -m state --state INVALID -j DROP # DNT
# security rules to prevent kernel leaks from link above # DNT
iptables -A OUTPUT ! -o lo ! -d 127.0.0.1 ! -s 127.0.0.1 -p tcp -m tcp --tcp-flags ACK,FIN ACK,FIN -j DROP # DNT
iptables -A OUTPUT ! -o lo ! -d 127.0.0.1 ! -s 127.0.0.1 -p tcp -m tcp --tcp-flags ACK,RST ACK,RST -j DROP # DNT
# disable chrome and firefox udp leaks # DNT
iptables -t nat -A PREROUTING -p udp -m multiport --dport 3478,19302 -j REDIRECT --to-ports 9999 # DNT
iptables -t nat -A PREROUTING -p udp -m multiport --sport 3478,19302 -j REDIRECT --to-ports 9999 # DNT

EOF

# Configure WiFi. SSID and KEY may be overridden from the environment.
[ -z "$SSID" ] && SSID=OnionWRT
[ -z "$KEY" ] && KEY=t0rmenta

# Check key: a WPA2 passphrase is 8 to 63 characters long
if [ ! -z "$KEY" ]
then
    [ $(printf '%s' "$KEY" | wc -c) -lt 8 ] && { echo "KEY is too short."; exit 1; }
    [ $(printf '%s' "$KEY" | wc -c) -gt 63 ] && { echo "KEY is too long."; exit 1; }
    ( opkg list-installed | grep -q wpad-mini ) || opkg install wpad-mini
fi

mv /etc/config/wireless /etc/config/wireless.bak
wifi detect | grep -v disabled | grep -v REMOVE > /etc/config/wireless

# Configure all "lan" wifis.
for radio in $(uci show wireless | grep lan | cut -d "." -f 2)
do
    uci set wireless.${radio}.ssid=${SSID}
    # psk2 selects WPA2-PSK, as the README advertises; plain "psk" would configure WPA1
    [ ! -z "$KEY" ] && { uci set wireless.${radio}.encryption=psk2; uci set wireless.${radio}.key=${KEY}; } || uci set wireless.${radio}.encryption=none
done

uci commit

# WiFi up
wifi
/etc/init.d/tor enable
/etc/init.d/tor start
/etc/init.d/firewall stop
/etc/init.d/firewall start
--------------------------------------------------------------------------------
/openwrt-1505/openwrt-15.05-ramips-mt7620-wt3020-8M-squashfs-factory.bin:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/enovella/tor-router-nexx-wt3020/a1c4e729378792f9f5e6b6252b066ae187d0338c/openwrt-1505/openwrt-15.05-ramips-mt7620-wt3020-8M-squashfs-factory.bin
--------------------------------------------------------------------------------
/openwrt-1505/openwrt-15.05-ramips-mt7620-wt3020-8M-squashfs-sysupgrade.bin:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/enovella/tor-router-nexx-wt3020/a1c4e729378792f9f5e6b6252b066ae187d0338c/openwrt-1505/openwrt-15.05-ramips-mt7620-wt3020-8M-squashfs-sysupgrade.bin
--------------------------------------------------------------------------------
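The WiFi step of `install-tor.sh` has two weak spots: the passphrase check only looks at length, and the section selection (`uci show wireless | grep lan | cut -d . -f 2`) picks every line containing the substring `lan`, so an SSID such as `uplan-guest` on a client (`sta`) interface attached to `wan` would also be rewritten. The script below is an added example and not part of the repository: the function names are mine, and the `uci show wireless` dump is constructed in the OpenWrt 15.05 style. It validates the passphrase against the WPA2-PSK rules (8 to 63 printable ASCII characters), selects only `wifi-iface` sections whose `network` option is `lan`, and prints the `uci` commands instead of running them, so the change can be reviewed before it touches the router.

```shell
#!/bin/sh
# Safer WiFi configuration step for install-tor.sh (added example).
# Selects lan-attached wifi-iface sections by their "network" option and
# validates the WPA2 passphrase before emitting uci commands.

# Constructed `uci show wireless` dump; the second interface is a client on
# the wan network whose SSID happens to contain "lan" and must be left alone.
SAMPLE_UCI='wireless.radio0=wifi-device
wireless.radio0.type=mac80211
wireless.radio0.channel=11
wireless.radio0.hwmode=11g
wireless.radio0.htmode=HT20
wireless.@wifi-iface[0]=wifi-iface
wireless.@wifi-iface[0].device=radio0
wireless.@wifi-iface[0].network=lan
wireless.@wifi-iface[0].mode=ap
wireless.@wifi-iface[0].ssid=OpenWrt
wireless.@wifi-iface[0].encryption=none
wireless.@wifi-iface[1]=wifi-iface
wireless.@wifi-iface[1].device=radio0
wireless.@wifi-iface[1].network=wan
wireless.@wifi-iface[1].mode=sta
wireless.@wifi-iface[1].ssid=uplan-guest
wireless.@wifi-iface[1].encryption=psk2'

# A WPA2-PSK passphrase must be 8 to 63 printable ASCII characters.
valid_wpa_psk() {
    len=$(printf '%s' "$1" | wc -c | tr -d ' ')
    [ "$len" -ge 8 ] && [ "$len" -le 63 ] || return 1
    # reject any byte outside the printable range space..tilde
    printf '%s' "$1" | LC_ALL=C grep -q '[^ -~]' && return 1
    return 0
}

# Print the section names (e.g. @wifi-iface[0]) whose "network" option is lan.
# Quotes are stripped so dumps from newer uci versions ('lan') parse as well.
lan_wifi_sections() {
    printf '%s\n' "$1" | sed "s/'//g" |
        awk -F'[.=]' '$3 == "network" && $4 == "lan" { print $2 }'
}

# Emit the uci commands that put the SSID and a WPA2-PSK on every lan-attached AP.
render_wifi_config() {
    ssid=$1; key=$2; dump=$3
    valid_wpa_psk "$key" || { echo "invalid passphrase: need 8-63 printable ASCII characters" >&2; return 1; }
    for sec in $(lan_wifi_sections "$dump"); do
        printf "uci set wireless.%s.ssid='%s'\n" "$sec" "$ssid"
        # psk2 selects WPA2-PSK; plain psk would configure WPA1
        printf "uci set wireless.%s.encryption='psk2'\n" "$sec"
        printf "uci set wireless.%s.key='%s'\n" "$sec" "$key"
    done
    echo "uci commit wireless"
}

# On the router:  render_wifi_config "$SSID" "$KEY" "$(uci show wireless)" | sh && wifi
render_wifi_config OnionWRT t0rmenta "$SAMPLE_UCI"
```

With the constructed dump only `@wifi-iface[0]` is touched; the `sta` interface keeps its own SSID and key. SSIDs or keys containing a single quote would need additional escaping before the output is fed to `sh`.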
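The NAT block that `install-tor.sh` appends to `/etc/firewall.user` depends on rule order: the `RETURN` exemption for traffic from the LAN subnet to the router's own address must come before the catch-all `--syn -j REDIRECT --to-ports 9040`, otherwise connections to LuCI (port 80) and dropbear (port 22) on the router would themselves be diverted into Tor's TransPort. The script computes the subnet prefix for that exemption with `ipcalc.sh`. The script below is an added example, not code from the repository: its function names are mine, and the two `firewall.user` fragments are constructed (one in the correct order, one reversed). It shows the same netmask-to-prefix conversion in pure shell arithmetic and a check that can be run over an existing `firewall.user` before the firewall is restarted.

```shell
#!/bin/sh
# Review helper for the transparent-proxy NAT rules (added example).

# Convert a dotted netmask to a prefix length (255.255.255.0 -> 24) by counting
# set bits; assumes a well-formed contiguous mask, as ipcalc.sh does.
netmask_to_prefix() {
    prefix=0
    oldifs=$IFS; IFS=.
    set -- $1
    IFS=$oldifs
    for octet in "$@"; do
        while [ "$octet" -gt 0 ]; do
            prefix=$((prefix + (octet & 1)))
            octet=$((octet >> 1))
        done
    done
    echo "$prefix"
}

# Constructed firewall.user fragments in the shape install-tor.sh produces.
SAMPLE_RULES_OK='iptables -t nat -A PREROUTING -i br-lan -s 192.168.10.1/24 -d 192.168.10.1 -j RETURN # DNT
iptables -t nat -A PREROUTING -i br-lan -p udp --dport 53 -j REDIRECT --to-ports 9053 # DNT
iptables -t nat -A PREROUTING -i br-lan -p tcp --syn -j REDIRECT --to-ports 9040 # DNT'

SAMPLE_RULES_WRONG='iptables -t nat -A PREROUTING -i br-lan -p tcp --syn -j REDIRECT --to-ports 9040 # DNT
iptables -t nat -A PREROUTING -i br-lan -s 192.168.10.1/24 -d 192.168.10.1 -j RETURN # DNT'

# Return 0 if RULES contains the RETURN exemption for IP and it precedes the
# TCP catch-all REDIRECT to 9040; print the reason and return 1 otherwise.
nat_order_ok() {
    ip=$1; rules=$2
    ret_line=$(printf '%s\n' "$rules" | grep -nF -- "-d ${ip} -j RETURN" | head -n 1 | cut -d: -f1)
    red_line=$(printf '%s\n' "$rules" | grep -nF -- "--syn -j REDIRECT --to-ports 9040" | head -n 1 | cut -d: -f1)
    [ -n "$ret_line" ] || { echo "no RETURN exemption for ${ip}"; return 1; }
    [ -n "$red_line" ] || { echo "no TCP redirect to port 9040"; return 1; }
    [ "$ret_line" -lt "$red_line" ] || { echo "RETURN (line $ret_line) comes after REDIRECT (line $red_line)"; return 1; }
    return 0
}

# On the router:
#   nat_order_ok "$(uci get network.lan.ipaddr)" "$(cat /etc/firewall.user)"
#   netmask_to_prefix "$(uci get network.lan.netmask)"
echo "LAN prefix for 255.255.255.0: /$(netmask_to_prefix 255.255.255.0)"
nat_order_ok 192.168.10.1 "$SAMPLE_RULES_OK" && echo "rule order OK"
nat_order_ok 192.168.10.1 "$SAMPLE_RULES_WRONG" || echo "reversed sample rejected, as expected"
```

Because `install-tor.sh` deletes its own `# DNT` lines and re-appends them in order, a fresh run always passes this check; it is the hand-edited `firewall.user` after a later change that is worth running it against.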