Martin Kepplinger:
> I try to configure OpenWRT in a way that it will only allow outgoing
> connections if it is Tor. Basically it is the opposite of "blacklisting
> exit relays on servers": "whitelisting (guard) relays for clients". It
> should *not* run Tor itself.

I actually implemented this while running Tor on the router. This provides easy retrieval and validation of the consensus.

Before we go further, I think it's worthwhile to put a serious disclaimer: such a setup will only prevent accidental leaks and will not prevent targeted attacks. A determined attacker will be able to run a relay long enough and with sufficient bandwidth to become a Guard. It will then be trivial for them to recognize non-Tor packets coming at one of its ports.

I need to clean up my notes and turn them into a proper article for the upcoming Tor Labs. Meanwhile, here's what I have written down already:

--- 8< ---

### First steps

1. Create a new Wi-Fi interface, mode Access Point.
2. Add Wi-Fi interface to new network named "filtered".
3. Configure "filtered" to use a static address, and have a DHCP server.
4. Add "filtered" interface to new firewall zone named "filtered".
5. Create a rule to allow input for DHCP (UDP port 67).

### Install tools

Get Tor!

    # opkg install tor

Is tor connected?

    # ls -l /var/lib/tor/cached-microdesc-consensus

Get `ipset`:

    # opkg install ipset

### /usr/sbin/refresh-tor-guard-set

Content:

```sh
#!/bin/sh
# Rebuild the tor-guards ipset once an hour from the consensus that the
# router's own Tor keeps up to date.  Entries go into a scratch set which
# is then swapped in atomically, so the firewall never sees an empty set.
while true; do
    ipset -q create tor-guards hash:ip,port
    ipset -q create tor-guards-new hash:ip,port
    # Microdesc consensus "r" lines: r nick identity date time ip orport dirport.
    # Remember the relay's endpoints, then emit them only if the "s" line that
    # follows carries the Guard or Authority flag.
    awk '
        /^r / {
            cmd = "ipset -q add tor-guards-new " $6 "," $7
            # DirPort 0 means "no DirPort"; do not add a useless ip,0 entry
            if ($8 + 0 > 0) cmd = cmd "\nipset -q add tor-guards-new " $6 "," $8
        }
        /^s / {
            # Plain ERE flag match (space before, space or end of line after);
            # the GNU-only \< \> word anchors are not supported by every awk
            if ($0 ~ / (Guard|Authority)( |$)/) { print cmd }
        }
    ' /var/lib/tor/cached-microdesc-consensus | sh
    ipset swap tor-guards-new tor-guards
    ipset destroy tor-guards-new
    sleep 3600
done
```

Needs to be set executable:

    # chmod +x /usr/sbin/refresh-tor-guard-set

### /etc/init.d/refresh-tor-guard-set

Content:

```sh
#!/bin/sh /etc/rc.common

START=50
STOP=50
USE_PROCD=1

start_service() {
    procd_open_instance
    # restart the loop if it dies: threshold, timeout and retry count
    procd_set_param respawn ${respawn_threshold:-3600} ${respawn_timeout:-5} ${respawn_retry:-5}
    procd_set_param stderr 1 # forward stderr to the log
    procd_set_param command /usr/sbin/refresh-tor-guard-set
    procd_close_instance
}
```

Needs to be set executable:

    # chmod +x /etc/init.d/refresh-tor-guard-set

Enable:

    # /etc/init.d/refresh-tor-guard-set enable
    # /etc/init.d/refresh-tor-guard-set start

### Extra firewall rule

```
config ipset
	option name tor-guards
	option external tor-guards
	option family ipv4
	option storage hash
	list match 'dest_ip'
	list match 'dest_port'

config rule
	option name Allow-Tor-Traffic-on-filtered
	option src filtered
	option dest wan
	option family ipv4
	option proto tcp
	option ipset tor-guards
	option target ACCEPT
```

--- >8 ---

I think I made a few adjustments to the above scripts after more tests since I took the above notes.

Hope that helps,
-- 
Lunar <lunar@xxxxxxxxxxxxxx>
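The consensus-to-ipset step above is the part worth checking before it goes near a firewall, since a wrong field index or a flag regex that matches nothing silently yields an empty whitelist and a router that blocks everything. The script below is an added example, not Lunar's code or anything from the Tor project: it parses the same microdesc consensus "r"/"s" line pairs but emits an `ipset restore` batch on stdout instead of calling `ipset` directly, so it can be run and inspected offline. The consensus fragment it ships with is constructed (192.0.2.0/24 documentation addresses, placeholder identities), and the function names `guard_endpoints` and `ipset_batch` are this example's own.

```sh
#!/bin/sh
# Added example (not Lunar's script): build the guard ipset batch from a
# microdesc consensus without touching ipset, so it can be checked offline.

# Constructed sample consensus fragment.  192.0.2.0/24 is documentation
# address space and the identities are placeholders: none are real relays.
SAMPLE_CONSENSUS='r alpha AAAAAAAAAAAAAAAAAAAAAAAAAAA 2024-01-01 00:00:00 192.0.2.10 9001 9030
m AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
s Fast Guard HSDir Running Stable V2Dir Valid
r bravo BBBBBBBBBBBBBBBBBBBBBBBBBBB 2024-01-01 00:00:00 192.0.2.20 443 0
m BBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBB
s Exit Fast Running Valid
r charlie CCCCCCCCCCCCCCCCCCCCCCCCCCC 2024-01-01 00:00:00 192.0.2.30 9101 80
m CCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCC
s Authority Fast Running Stable V2Dir Valid
r delta DDDDDDDDDDDDDDDDDDDDDDDDDDD 2024-01-01 00:00:00 192.0.2.40 9001 0
m DDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDD
s Fast Guard Running Valid'

# guard_endpoints FILE
# Print one "ip,port" per line for every relay carrying the Guard or Authority
# flag: its ORPort, plus its DirPort when that is not 0.  Microdesc consensus
# "r" lines read: r nick identity date time ip orport dirport, so the address
# is $6, the ORPort $7 and the DirPort $8; the flags follow on the "s" line.
guard_endpoints() {
    awk '
        /^r / { ip = $6; orport = $7; dirport = $8; pending = 1 }
        /^s / {
            # Plain ERE word match: a space before, a space or end of line
            # after, so "Guard" cannot match inside some other token.
            if (pending && $0 ~ / (Guard|Authority)( |$)/) {
                print ip "," orport
                if (dirport + 0 > 0) print ip "," dirport
            }
            pending = 0
        }
    ' "$1"
}

# ipset_batch FILE SETNAME
# Emit an "ipset restore" batch: fill SETNAME-new, then swap it in atomically
# so the firewall never sees an empty set while the list is rebuilt.  The
# flush clears a leftover scratch set from an interrupted earlier run.  Feed
# the output to "ipset -exist restore" so an already existing live set does
# not abort the batch.
ipset_batch() {
    file=$1
    name=$2
    printf 'create %s hash:ip,port\n' "$name"
    printf 'create %s-new hash:ip,port\n' "$name"
    printf 'flush %s-new\n' "$name"
    guard_endpoints "$file" | awk -v set="$name-new" '{ print "add " set " " $0 }'
    printf 'swap %s-new %s\n' "$name" "$name"
    printf 'destroy %s-new\n' "$name"
}

# With a path argument, use a real consensus file; otherwise run on the sample.
if [ -n "$1" ]; then
    ipset_batch "$1" tor-guards
else
    tmp=$(mktemp)
    printf '%s\n' "$SAMPLE_CONSENSUS" > "$tmp"
    ipset_batch "$tmp" tor-guards
    rm -f "$tmp"
fi
```

On the sample, only alpha, charlie and delta make it into the set: bravo is an Exit without the Guard flag and is dropped, and the two relays with DirPort 0 contribute their ORPort only. Running it against the router's own `/var/lib/tor/cached-microdesc-consensus` and eyeballing the `add` count before piping into `ipset -exist restore` is a cheap way to catch a consensus that Tor has not finished fetching yet.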
_______________________________________________
tor-dev mailing list
tor-dev@xxxxxxxxxxxxxxxxxxxx
https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-dev