Re: funneling a wireless net's outbound connections through tor

     Once again, the Internet has patched around a failure, and information
resumes its flow.  Thank you, tup!
     On Tue, 2 Oct 2007 03:54:56 +0000 tup <tup.tuple@xxxxxxxxxxxxxx> wrote:
>On 9/28/07, Scott Bennett <bennett@xxxxxxxxxx> wrote:
>>      I'm trying to set up a free wireless service for those of my neighbors
>> within range of a little wireless router I have.  To keep things safe for
>> me and at least somewhat safer for them, I want to route all the outbound
>> connections from that router through tor using pf under FreeBSD 6.2-STABLE
>> (i386).  In order to keep such traffic distinguishable from my own local
>> traffic, I intend to route it to tor on a second loopback interface (lo1).
>> I've looked at instructions for doing something like this at
>>         http://wiki.noreply.org/noreply/TheOnionRouter/TransparentProxy
>The second loopback interface is simply a kludge I found that allows
>pf to apply rdr rules to locally-originated traffic. You don't need it if
>you're only trying to redirect others' traffic; see section 3.2 in that
>wiki page.

     Yeah, that much I had gotten.  I only wanted it on a separate interface,
so that I could see traffic volume for the wireless router at a glance with
systat(1).  If it went via lo0, I would have no way to distinguish the wireless
traffic volume from all other loopback traffic.
>>      dns-proxy-tor apparently uses the MAPADDRESS command via the tor
>> control port, so it is also necessary to specify a VirtualAddrNetwork in
>> torrc for dns-proxy-tor's use, so those instructions include an example of
>> VirtualAddrNetwork.
>>      However, I had been hoping to use DNSPort in torrc instead of running
>> dns-proxy-tor.  Am I correct in thinking that I will not need to specify a
>> VirtualAddrNetwork?
>You'll still want to set VirtualAddrNetwork to an unused, private
>address space so that .onion and .exit names will resolve to routable
>addresses when you specify 'AutomapHostsOnResolve 1'.

     Ah.  Another undocumented command for use in torrc.  Thanks for the info!
>>      A second question for someone who uses or has used pf under FreeBSD
>> or OpenBSD involves the use of rdr commands to redirect the TCP connections
>> from the interface connected to the wireless router's "WAN" port.  If the
>> rdr changes the TCP or UDP packets' destination addresses to lo1's address
>> (, how does tor know what the original destination is supposed
>> to be?  I didn't find anything in the tor documentation or elsewhere to
>> explain this.
>This is a platform-specific implementation detail, which explains why
>it's not documented. What happens is that the route-to rule routes
>traffic to lo1, where the rdr rule actually rewrites the destination
>address and port to The original destination is kept
>around in the connection state table, so it can be looked up by Tor
>with the right ioctl(2) command on /dev/pf; see pf(4).

     *Oh*.  Okay.  That makes it much clearer.  Thank you once more.
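     For anyone following the thread later, here is the setup the two of us are describing (plain rdr on the wireless-facing interface for the neighbors' traffic, the lo1 accounting variant, and the torrc options tup named) written out as an added example; it is not from the wiki page or from either post, and the interface names, subnets and port numbers are assumptions.

```conf
# --- /etc/pf.conf (interface names, subnets and ports are assumed) ---
wifi_if   = "fxp1"            # NIC cabled to the wireless router's "WAN" port
wifi_net  = "192.168.2.0/24"  # subnet the wireless router hands out
tor_trans = "9040"            # Tor TransPort (see torrc below)
tor_dns   = "5353"            # Tor DNSPort

# Neighbors' DNS and TCP are redirected to Tor on loopback.  pf keeps the
# original destination in its state table; Tor reads it back through the
# NAT lookup ioctl(2) on /dev/pf (pf(4)), which is why the rewrite loses
# nothing.  "rdr pass" also passes the packet, so the block rule below
# does not apply to it.
rdr pass on $wifi_if inet proto udp from $wifi_net to any port 53 \
    -> 127.0.0.1 port $tor_dns
rdr pass on $wifi_if inet proto tcp from $wifi_net to any \
    -> 127.0.0.1 port $tor_trans

# Everything else arriving from the wireless side is dropped, so other UDP,
# ICMP and anything aimed at the wired LAN cannot bypass Tor.
block in on $wifi_if all

# Variant for per-interface accounting with systat(1): bounce the TCP
# through lo1 first and do the rdr there instead of on $wifi_if.
# pass in quick on $wifi_if route-to lo1 inet proto tcp from $wifi_net to any
# rdr pass on lo1 inet proto tcp from $wifi_net to any -> 127.0.0.1 port $tor_trans

# --- torrc ---
TransPort 9040
TransListenAddress 127.0.0.1
DNSPort 5353
DNSListenAddress 127.0.0.1
# Unused private range that .onion and .exit names resolve into when automapped
VirtualAddrNetwork 10.192.0.0/10
AutomapHostsOnResolve 1
```

Tor has to be able to open /dev/pf to perform the lookup, so the device's permissions must allow that for the user Tor runs as.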

