├── LICENSE ├── README.md └── OpenWrt-TorRouter.sh /LICENSE: -------------------------------------------------------------------------------- 1 | MIT License 2 | 3 | Copyright (c) 2022 Sagar Khandve 4 | 5 | Permission is hereby granted, free of charge, to any person obtaining a copy 6 | of this software and associated documentation files (the "Software"), to deal 7 | in the Software without restriction, including without limitation the rights 8 | to use, copy, modify, merge, publish, distribute, sublicense, and/or sell 9 | copies of the Software, and to permit persons to whom the Software is 10 | furnished to do so, subject to the following conditions: 11 | 12 | The above copyright notice and this permission notice shall be included in all 13 | copies or substantial portions of the Software. 14 | 15 | THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR 16 | IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, 17 | FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE 18 | AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER 19 | LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, 20 | OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE 21 | SOFTWARE. 22 | -------------------------------------------------------------------------------- /README.md: -------------------------------------------------------------------------------- 1 | #### OpenWrt - Tor Router provides anonymous communication with onion routing. 2 | 1. Connect to the OpenWrt router using an ssh connection. 3 | ```shell 4 | ssh root@192.168.1.1 5 | ``` 6 | 2. Clone this repository, `cd` into it and execute the script. 7 | ```shell 8 | git clone https://github.com/sagarkhandve/OpenWrt-TorRouter.git 9 | cd OpenWrt-TorRouter/ 10 | chmod +x OpenWrt-TorRouter.sh 11 | sh OpenWrt-TorRouter.sh 12 | ``` 13 | 3. Verify that you are using Tor. 
14 | ```shell 15 | https://check.torproject.org/ 16 | ``` 17 | 4. Check your client public IP addresses. 18 | ```shell 19 | https://ipleak.net/ 20 | ``` 21 | 5. Make sure there is no DNS leak on the client side. 22 | ```shell 23 | https://dnsleaktest.com/ 24 | ``` 25 | ### Troubleshooting. 26 | 1. Restart services. 27 | ```shell 28 | /etc/init.d/log restart; /etc/init.d/firewall restart; /etc/init.d/tor restart 29 | ``` 30 | 2. Log and status. 31 | ```shell 32 | logread -e Tor; netstat -l -n -p | grep -e tor 33 | ``` 34 | 3. Runtime configuration. 35 | ```shell 36 | pgrep -f -a tor 37 | iptables-save -c; ip6tables-save -c; ipset list 38 | ``` 39 | 4. Persistent configuration. 40 | ```shell 41 | uci show firewall; uci show tor; grep -v -r -e "^#" -e "^$" /etc/tor 42 | ``` 43 | ## 44 | [![License](https://img.shields.io/badge/LICENSE-MIT-blue?style=flat-square&logo)](#license "Go to license section") 45 | -------------------------------------------------------------------------------- /OpenWrt-TorRouter.sh: -------------------------------------------------------------------------------- 1 | #!/bin/bash 2 | 3 | #Author : Sagar Khandve 4 | #Email : i.sagarkhandve@gmail.com 5 | 6 | # Install packages 7 | opkg update 8 | opkg install tor iptables-mod-extra 9 | 10 | # Configure Tor client 11 | cat << EOF > /etc/tor/custom 12 | AutomapHostsOnResolve 1 13 | AutomapHostsSuffixes . 14 | VirtualAddrNetworkIPv4 172.16.0.0/12 15 | VirtualAddrNetworkIPv6 fc00::/7 16 | DNSPort 0.0.0.0:9053 17 | DNSPort [::]:9053 18 | TransPort 0.0.0.0:9040 19 | TransPort [::]:9040 20 | EOF 21 | cat << EOF >> /etc/sysupgrade.conf 22 | /etc/tor/custom 23 | EOF 24 | uci del_list tor.conf.tail_include="/etc/tor/custom" 25 | uci add_list tor.conf.tail_include="/etc/tor/custom" 26 | uci commit tor 27 | /etc/init.d/tor restart 28 | 29 | #Configure firewall to intercept LAN traffic. Disable LAN to WAN forwarding to avoid traffic leak. 
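# ---------------------------------------------------------------------------
# Firewall: intercept LAN traffic and close the clear-net path.
#
# New TCP connections and all plain DNS queries from the lan zone are DNATed
# to the local Tor TransPort (9040) / DNSPort (9053) configured above, and
# LAN->WAN forwarding is disabled so nothing can bypass the redirect.
# The README runs this with `sh` (busybox ash on OpenWrt), so everything
# below stays POSIX-sh: no bash-only syntax.
# ---------------------------------------------------------------------------

# Print a message on stderr and stop; used where continuing would leave the
# router half-configured.
die() {
  printf '%s\n' "$*" >&2
  exit 1
}

# Intercept TCP traffic.
# Only the SYN of a new connection needs redirecting; traffic addressed to
# the router itself (LOCAL) or to broadcast is deliberately left alone.
uci -q delete firewall.tcp_int
uci set firewall.tcp_int="redirect"
uci set firewall.tcp_int.name="Intercept-TCP"
uci set firewall.tcp_int.src="lan"
uci set firewall.tcp_int.dest_port="9040"
uci set firewall.tcp_int.proto="tcp"
uci set firewall.tcp_int.extra="--syn -m addrtype ! --dst-type LOCAL,BROADCAST"
uci set firewall.tcp_int.target="DNAT"

# Disable LAN to WAN forwarding.
# Renaming @forwarding[0] blindly assumes the first forwarding section is
# lan->wan; on a router with several sections (e.g. a guest zone listed
# first) that disables the wrong one and leaves a clear-net path open.
# Walk the sections and act on the one that really goes lan -> wan.
i=0
lan_wan_found=0
while uci -q get "firewall.@forwarding[$i]" >/dev/null 2>&1; do
  if [ "$(uci -q get "firewall.@forwarding[$i].src")" = "lan" ] &&
     [ "$(uci -q get "firewall.@forwarding[$i].dest")" = "wan" ]; then
    uci rename "firewall.@forwarding[$i]=lan_wan"
    uci set firewall.lan_wan.enabled="0"
    lan_wan_found=1
    break
  fi
  i=$((i + 1))
done
# No lan->wan forwarding means the zones already cannot talk; only warn.
[ "$lan_wan_found" -eq 1 ] ||
  printf '%s\n' "warning: no lan->wan forwarding section found; nothing was disabled" >&2
uci commit firewall
/etc/init.d/firewall restart

# DNS over Tor: configure firewall to intercept DNS traffic.
# Every LAN query to port 53 (TCP and UDP) is redirected to the router's own
# dnsmasq, which forwards to Tor below. Only plain port-53 DNS is caught here;
# DoT/DoH clients travel through the TCP intercept above instead.
uci -q delete firewall.dns_int
uci set firewall.dns_int="redirect"
uci set firewall.dns_int.name="Intercept-DNS"
uci set firewall.dns_int.src="lan"
uci set firewall.dns_int.src_dport="53"
uci set firewall.dns_int.proto="tcp udp"
uci set firewall.dns_int.target="DNAT"
uci commit firewall
/etc/init.d/firewall restart

# Redirect DNS traffic to Tor.
# noresolv=1 drops the WAN/ISP resolvers so no query leaves in the clear;
# the only upstreams are Tor's DNSPort on 127.0.0.1 / ::1.
# rebind_protection=0 and boguspriv=0 are needed because Tor's
# AutomapHostsOnResolve answers .onion lookups with addresses from the
# private ranges set in /etc/tor/custom (172.16.0.0/12, fc00::/7), which
# dnsmasq would otherwise discard as a rebind attempt. Trade-off: LAN
# clients lose dnsmasq's DNS-rebinding protection.
/etc/init.d/dnsmasq stop
uci set dhcp.@dnsmasq[0].boguspriv="0"
uci set dhcp.@dnsmasq[0].rebind_protection="0"
uci set dhcp.@dnsmasq[0].noresolv="1"
uci -q delete dhcp.@dnsmasq[0].server
uci add_list dhcp.@dnsmasq[0].server="127.0.0.1#9053"
uci add_list dhcp.@dnsmasq[0].server="::1#9053"
uci commit dhcp
/etc/init.d/dnsmasq start

# ---------------------------------------------------------------------------
# NAT6: process IPv6 traffic when using dual-stack mode.
#
# The include below copies the IPv4 nat table into ip6tables so IPv6 LAN
# traffic is intercepted the same way. This relies on the iptables-based
# firewall (fw3); NOTE(review): fw4/nftables releases need a different
# include mechanism — confirm before running on such a build.
# ---------------------------------------------------------------------------
opkg update
# Without the kernel module the include fails on every firewall reload, so
# do not install it if the package is missing.
opkg install kmod-ipt-nat6 || die "opkg install kmod-ipt-nat6 failed; NAT6 not configured"

# Enable NAT6.
# Quoted delimiter: the sed script is written to disk verbatim, unexpanded.
cat << "EOF" > /etc/firewall.nat6
iptables-save -t nat \
| sed -e "
/\sMASQUERADE$/d
/\s[DS]NAT\s/d
/\s--match-set\s\S*/s//\06/
/,BROADCAST\s/s// /" \
| ip6tables-restore -T nat
EOF
# Keep the include across sysupgrade; append only once so re-runs do not
# pile up duplicate entries.
grep -qxF '/etc/firewall.nat6' /etc/sysupgrade.conf 2>/dev/null ||
  printf '%s\n' '/etc/firewall.nat6' >> /etc/sysupgrade.conf
uci -q delete firewall.nat6
uci set firewall.nat6="include"
uci set firewall.nat6.path="/etc/firewall.nat6"
uci set firewall.nat6.reload="1"
uci commit firewall
/etc/init.d/firewall restart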