This documentation applies only Turris OS 3.x that is no longer present in newly sold routers. The new documentation is located at https://docs.turris.cz/.
Tor is a popular anonymization proxy which routes TCP connections over several nodes before they reach the desired target. There are also hidden services, with names ending in .onion, which are available only via Tor.
Tor is commonly used from a local host, where it runs as a SOCKS5 proxy. This guide shows a setup where every client connected from the LAN or the Turris router WiFi has all of its TCP connections routed via Tor.
This guide is intended for advanced users. It substantially modifies how traffic is routed in Turris and may lead to network malfunction if handled carelessly. Routing via Tor may have a higher error rate, which may manifest itself e.g. as temporary DNS resolution failures.
Tor is an anonymization network which uses a special routing method called onion routing. Each node uses its own decryption key to remove one “layer of the onion” and to send the packet to the next node, but it doesn't know where the packet's final destination is (that is known only after “peeling all layers of the onion”). To become familiar with Tor, it is best to install the Tor Browser Bundle, which is the Firefox web browser specially modified to use Tor by default.
To ensure anonymity, it is essential to understand that “stream crossing” must be avoided. If you use the same browser with Tor and without it, the ISP and web servers can identify you using cookies. The same applies to DNS: you can't use a common DNS resolver because, although the data travel through Tor, the DNS queries disclose where you connect to. The guide below routes DNS via Tor, but the secure use of browsers and other applications remains your own responsibility. The Tor Project has a relatively detailed page with answers for various uses of Tor.
One protocol for which Tor is not recommended is BitTorrent, because BitTorrent discloses your real IP address inside the protocol itself (this is necessary for it to work properly).
You will find that browsing via Tor is slower (especially the latency is much worse) than a “standard” broadband Internet connection: your packets may travel around the Earth twice before they reach the destination. The network is operated by volunteers, and it is better to avoid big transfers (gigabytes and more).
As noted above, routing the whole home LAN traffic via Tor would be inappropriate. It is possible to separate part of the network (e.g. WiFi or a specific router port) for routing via Tor; this is described in the last part of the guide.
Transparent routing via Tor has the following limitations:
Routing LAN communication over Tor is experimental and does not by itself ensure anonymity on the network. For example, a browser on a mobile phone doesn't know that it communicates over Tor and uses the same cookies as usual. Similarly, many protocols may disclose the real IP address. For these reasons it is better to use the Tor Browser Bundle.
The installation is done in the Foris interface: in the “Updater” section, check “Tor” and press “Save”. This operation only installs the Tor packages; the remaining steps are done on the command line, e.g. via SSH.
Edit the /etc/tor/torrc file so that it looks like this:

User tor
DataDirectory /var/lib/tor
Log notice file /var/log/tor/notices.log
VirtualAddrNetwork 10.192.0.0/10
AutomapHostsOnResolve 1
TransPort 192.168.1.1:9040
DNSPort 192.168.1.1:9053
Tor should now be started and set to start automatically:

/etc/init.d/tor start
/etc/init.d/tor enable
The redirection is set up by adding the following lines to the /etc/firewall.user file (the comparison uses the POSIX “=” operator and “.” instead of “source”, which is what busybox's /bin/sh expects):

# Turris version
. /etc/openwrt_release
# Tor's TransPort
_trans_port=9040
# internal interface (all LAN and WiFi clients are in this bridge)
_int_if=br-lan
# networks that must never be redirected into Tor
_non_tor="127.0.0.0/8 10.0.0.0/8 172.16.0.0/12 192.168.0.0/16"
# external interface (differs between Turris Omnia and Turris 1.x)
if [ "$DISTRIB_CODENAME" = "omnia" ]; then
    _ext_if=eth1
else
    _ext_if=eth2
fi
# allow LAN access for hosts in $_non_tor
for _lan in $_non_tor; do
    iptables -t nat -A PREROUTING -i $_int_if -d $_lan -j RETURN
done
# DNSPort runs only on UDP
iptables -t nat -A PREROUTING -i $_int_if -p udp --dport 53 -j REDIRECT --to-ports 9053
# transparent routing through Tor's TransPort
iptables -t nat -A PREROUTING -i $_int_if -p tcp --syn -j REDIRECT --to-ports $_trans_port
# prevent UDP traffic from being forwarded (it cannot go through Tor and would leak)
iptables -I FORWARD -i $_int_if -p udp -o $_ext_if -j DROP
Finally we run a command which applies the new firewall rules:
fw3 restart
Now all IPv4 TCP traffic from the LAN and WiFi, including the special .onion pseudo-domain, is redirected to Tor.
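To confirm that the redirection really works, run the following check from a client on the Tor-routed LAN segment. It is an added example, not a script from the Turris documentation; it assumes the router address 192.168.1.1 and the VirtualAddrNetwork 10.192.0.0/10 from the torrc above, and that https://check.torproject.org/api/ip answers with JSON of the form {"IsTor":true,"IP":"..."}. The function names and the placeholder .onion name are our own.

```shell
#!/bin/sh
# Added example (not from the Turris documentation): verify from a LAN client that
# TCP leaves through a Tor exit and that .onion names resolved by the router land in
# Tor's VirtualAddrNetwork. Assumed: router 192.168.1.1, VirtualAddrNetwork
# 10.192.0.0/10, and the check.torproject.org JSON format {"IsTor":...,"IP":"..."}.

# Return 0 when the dotted IPv4 address in $1 lies in 10.192.0.0/10, i.e. first
# octet 10 and second octet 192..255. With AutomapHostsOnResolve, Tor's DNSPort
# answers a .onion query with an address from this range; anything else means the
# query did not reach Tor's DNSPort.
in_virtual_net() {
    _o1=${1%%.*}
    _rest=${1#*.}
    _o2=${_rest%%.*}
    case "$_o1" in 10) ;; *) return 1 ;; esac
    [ "$_o2" -ge 192 ] 2>/dev/null && [ "$_o2" -le 255 ]
}

# Print "true" or "false" from the IsTor field of the check.torproject.org JSON in $1.
is_tor_response() {
    printf '%s\n' "$1" | sed -n 's/.*"IsTor"[[:space:]]*:[[:space:]]*\([a-z]*\).*/\1/p'
}

# Print the IP field of the same JSON (the Tor exit address when IsTor is true).
ip_from_response() {
    printf '%s\n' "$1" | sed -n 's/.*"IP"[[:space:]]*:[[:space:]]*"\([0-9.]*\)".*/\1/p'
}

# Live check; needs curl and nslookup on the client. $1 is the router address.
tor_check() {
    router=${1:-192.168.1.1}
    status=0
    # 1. TCP path: is the connection to check.torproject.org seen coming from a Tor exit?
    if resp=$(curl -s --max-time 60 https://check.torproject.org/api/ip); then
        if [ "$(is_tor_response "$resp")" = true ]; then
            echo "OK: TCP exits via Tor (exit IP $(ip_from_response "$resp"))"
        else
            echo "FAIL: TCP is NOT routed through Tor (seen as $(ip_from_response "$resp"))"
            status=1
        fi
    else
        echo "WARN: check.torproject.org unreachable (Tor circuits can be slow; retry)"
        status=1
    fi
    # 2. DNS path: a .onion name resolved via the router must map into 10.192.0.0/10.
    #    The name below is a constructed placeholder; Tor versions that validate
    #    .onion syntax need a real v3 address here instead.
    mapped=0
    for a in $(nslookup placeholder-example.onion "$router" 2>/dev/null | awk '/^Address/ {print $NF}'); do
        if in_virtual_net "$a"; then mapped=1; fi
    done
    if [ "$mapped" -eq 1 ]; then
        echo "OK: .onion names resolve into VirtualAddrNetwork via $router"
    else
        echo "FAIL: DNS via $router does not map .onion names (DNS not going through Tor?)"
        status=1
    fi
    return $status
}

# The live check runs only when requested, so the file can be sourced safely:
#   RUN_TOR_CHECK=1 sh tor_check.sh [router]
if [ "${RUN_TOR_CHECK:-0}" = 1 ]; then
    tor_check "$1"
fi
```

The second check is the more telling one: a client whose DNS still goes to a normal resolver gets NXDOMAIN for the .onion name, which is exactly the leak described above (the query itself reveals where you are connecting), so a missing virtual address is a failure even when the TCP check passes.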
Because IPv6 traffic is not redirected, it is recommended to disable it:

sysctl -w net.ipv6.conf.all.disable_ipv6=1
sysctl -w net.ipv6.conf.default.disable_ipv6=1

Furthermore, the following lines, which keep IPv6 disabled after a reboot, should be added to /etc/sysctl.conf:

net.ipv6.conf.all.disable_ipv6=1
net.ipv6.conf.default.disable_ipv6=1
To revert the setup, remove the lines which were added to /etc/firewall.user earlier, then restart the firewall:

fw3 restart

IPv6 can be re-activated by removing the lines added to /etc/sysctl.conf. The router may also be restarted afterwards.
The iptables rules can be modified to route only part of the connections from the LAN or the WiFi. If you want to change _int_if in the iptables script to a specific interface such as eth0, eth1 or wlan0, it is necessary to remove the given interface from the br-lan bridge first. This is done by editing /etc/config/network for the LAN or /etc/config/wireless for the WiFi. After editing, apply the new configuration by executing /etc/init.d/network restart.
As long as the interfaces are in the bridge, iptables sees the connections as originating from br-lan. You will probably also want to set an address for the “debridged” interface and add its settings to the DHCP configuration (/etc/config/dhcp).
The guide describing how to detach an interface from the bridge into a separate network (VLAN) is in the Advanced VLAN settings article. Remember to also update the IP addresses in /etc/tor/torrc so that Tor listens on the newly detached interface.
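The script in /etc/firewall.user above and the per-interface variant described in this section differ only in the interface and, for a detached interface, in the address Tor must listen on. The following added example (ours, not part of the Turris documentation) generalises the firewall script into a function that prints the iptables commands for any interface, and adds the check this section asks for: that TransPort and DNSPort in torrc are bound to the address of that interface, since REDIRECT hands packets to the address of the interface they arrived on and Tor must be listening there. Nothing is applied directly; the printed commands are reviewed and then piped into sh. Function and variable names are our own.

```shell
#!/bin/sh
# Added example, not from the Turris documentation: parameterised version of the
# /etc/firewall.user rules plus a consistency check against /etc/tor/torrc.

# Networks that must never be redirected into Tor (loopback + RFC 1918), as in the
# original script.
NON_TOR="127.0.0.0/8 10.0.0.0/8 172.16.0.0/12 192.168.0.0/16"

# gen_tor_rules INT_IF EXT_IF [TRANS_PORT] [DNS_PORT]
# Print the nat/filter rules that redirect INT_IF's TCP and DNS traffic into Tor and
# block other UDP from leaving via EXT_IF. Ports default to 9040/9053 as in torrc.
gen_tor_rules() {
    int_if=$1; ext_if=$2; trans_port=${3:-9040}; dns_port=${4:-9053}
    if [ -z "$int_if" ] || [ -z "$ext_if" ]; then
        echo "usage: gen_tor_rules INT_IF EXT_IF [TRANS_PORT] [DNS_PORT]" >&2
        return 2
    fi
    for lan in $NON_TOR; do
        printf 'iptables -t nat -A PREROUTING -i %s -d %s -j RETURN\n' "$int_if" "$lan"
    done
    printf 'iptables -t nat -A PREROUTING -i %s -p udp --dport 53 -j REDIRECT --to-ports %s\n' "$int_if" "$dns_port"
    printf 'iptables -t nat -A PREROUTING -i %s -p tcp --syn -j REDIRECT --to-ports %s\n' "$int_if" "$trans_port"
    printf 'iptables -I FORWARD -i %s -p udp -o %s -j DROP\n' "$int_if" "$ext_if"
}

# check_torrc_listen TORRC ADDR [TRANS_PORT] [DNS_PORT]
# Return 0 if TORRC binds TransPort and DNSPort to ADDR with the given ports.
# A torrc still bound to 192.168.1.1 while the rules redirect a detached interface
# at another address leaves every redirected connection refused.
check_torrc_listen() {
    torrc=$1; addr=$2; trans_port=${3:-9040}; dns_port=${4:-9053}
    esc=$(printf '%s' "$addr" | sed 's/\./\\./g')   # literal dots in the regex
    if ! grep -Eq "^[[:space:]]*TransPort[[:space:]]+$esc:$trans_port([[:space:]]|\$)" "$torrc"; then
        echo "TransPort is not bound to $addr:$trans_port in $torrc" >&2
        return 1
    fi
    if ! grep -Eq "^[[:space:]]*DNSPort[[:space:]]+$esc:$dns_port([[:space:]]|\$)" "$torrc"; then
        echo "DNSPort is not bound to $addr:$dns_port in $torrc" >&2
        return 1
    fi
}

# Usage on a Turris Omnia (external interface eth1) for a wlan0 detached from
# br-lan and given the constructed address 192.168.2.1:
#   check_torrc_listen /etc/tor/torrc 192.168.2.1 && gen_tor_rules wlan0 eth1 | sh
```

Running the check before piping the rules into sh means a forgotten torrc update stops the whole procedure instead of silently black-holing the segment's traffic.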