My OpenWrt Tor configuration
Rob van der Hoeven, Thu Apr 21 2016
In my previous article I shared my thoughts on running Tor on the router. I described an ideal Tor router configuration and argued that having Tor on the router benefits both security and usability.
This article is about that ideal Tor router configuration. How did I configure my router, and why did I choose the configuration? The interesting part is that it really is “just configuration”. No programming involved. Even more interesting, it's easy too!
The router
All the configuration is for a GL-AR150 portable router. It is a very cheap router ($25 on Amazon) for which the manufacturer provides special Tor firmware that you can install after you have bought the device. To be honest, when I bought the device I did not expect much of it. It just seemed too cheap to be more than a toy. Boy was I wrong - after playing with it for some time I realized that it is the most powerful router I have ever owned.
So, what are the specs? (more details here)
Chip: Atheros 9331 SoC at 400 MHz
OS: OpenWrt Chaos Calmer 15.05
RAM: 64 MB
ROM: 16 MB
USB: 1 × USB 2.0
Ethernet: 2 × 100 Mbps
Wireless: 802.11b/g/n (150 Mbps)
In the default configuration one of the Ethernet ports (eth0) must be connected to the Internet modem (WAN). The second Ethernet port (eth1) and the wireless interface are used for the LAN. Because I was interested in the Tor firmware I have not played much with the factory configuration.
Original Tor configuration
After installing the manufacturer's Tor firmware the router has the following configuration:
Wired:
eth0 - Configured as WAN interface
eth1 - Transparently routes all LAN traffic through the Tor network
Wireless:
SSID OpenWrt - Acts as a normal LAN wifi interface (no Tor routing)
SSID tor - Transparently routes all LAN traffic through the Tor network
To avoid repeating myself I will discuss the details of this configuration when I compare it with my own configuration. Let's get started:
My Tor configuration
My Tor configuration is as follows:
Wired:
eth0 - Used as WAN interface
eth1 - Limits Internet access to programs using the Tor SOCKS interface
Wireless:
SSID tor_off - Normal, unrestricted LAN wifi interface
SSID tor_medium - Transparently routes all LAN traffic through the Tor network
SSID tor_max - Limits Internet access to programs using the Tor SOCKS interface
As you can see I configured an extra way to connect to the Internet. Eth1 and SSID tor_max only allow programs that are configured to use the Tor SOCKS interface to connect to the Internet. Why have I done this? The reason is that the transparent Tor interface does not offer the best possible privacy protection. With transparent routing many chatty background services are also routed through Tor, and their invisible traffic can de-anonymize the user. An example is a mail program that checks the mail every 10 minutes over an unencrypted connection.
The SOCKS-only interfaces do not have a route to the WAN interface, so it's not possible to connect to the Internet directly. To make connected computers aware of this, gateway and name server addresses are not set by the router's DHCP server. Eth1 and the tor_max AP are part of a bridged network. Computers connected to eth1 can access computers connected to the tor_max AP (and vice versa).
One of the things I did not like about the original configuration was the fact that the transparent Tor routing blindly forwarded all TCP traffic to the Tor daemon. This prevented accessing the router's UI and SSH server. My setup only forwards non-local TCP traffic, so that the UI and SSH server can always be reached.
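As an added illustration (not the author's downloadable firewall file), the script below shows how a transparent Tor zone can hand only non-local TCP and DNS to the Tor daemon while traffic for the router itself is left alone. The interface name wlan0-1 and Tor's TransPort 9040 / DNSPort 9053 are assumptions and must match the router's own network settings and torrc; the 172.16.50.0/24 subnet is the tor_medium network from this article.

```shell
#!/bin/sh
# Added example, not the author's firewall file: transparent Tor redirect
# for one interface, in the style of OpenWrt's /etc/firewall.user.
# Assumptions: the tor_medium AP is wlan0-1, its subnet is 172.16.50.0/24,
# and /etc/tor/torrc binds TransPort 172.16.50.1:9040 and DNSPort 172.16.50.1:9053.
IPT="${IPT:-iptables}"          # IPT=echo prints the rules instead of applying them
TOR_IF="${TOR_IF:-wlan0-1}"     # assumed interface name of the tor_medium AP
TOR_NET="172.16.50.0/24"
TRANS_PORT=9040
DNS_PORT=9053

tor_medium_redirect() {
    # 1. Destinations inside the local subnet (router UI on 172.16.50.1, SSH,
    #    other clients) are not redirected, so management stays reachable.
    $IPT -t nat -A PREROUTING -i "$TOR_IF" -d "$TOR_NET" -j RETURN
    # 2. DNS queries go to Tor's DNSPort; otherwise name lookups would leave
    #    through the WAN and reveal which sites the client visits.
    $IPT -t nat -A PREROUTING -i "$TOR_IF" -p udp --dport 53 \
        -j REDIRECT --to-ports "$DNS_PORT"
    # 3. Every other new TCP connection is handed to Tor's TransPort.
    $IPT -t nat -A PREROUTING -i "$TOR_IF" -p tcp --syn \
        -j REDIRECT --to-ports "$TRANS_PORT"
    # 4. Redirected packets are delivered locally, so anything that still
    #    reaches FORWARD (ICMP, other UDP, non-SYN TCP) did not go through
    #    Tor; reject it instead of letting it leak to the WAN.
    $IPT -A FORWARD -i "$TOR_IF" -j REJECT
}

# The firewall zone of this interface must still accept INPUT on the
# TransPort and DNSPort, otherwise the redirected packets are dropped.
if [ "${1:-}" = "apply" ]; then
    tor_medium_redirect
fi
```

Run `IPT=echo sh tor_medium.sh apply` to review the generated rules before applying them on the router.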
Usage scenario
I think we all know that the Internet can be dangerous with regard to privacy and security. Spy-ware, Trojans etc. all need the Internet to function. So why do we allow our computers to be connected to the Internet all the time? It would be better if we could choose which programs can use the Internet and when. With this in mind I came to the following wired network configuration:
computer(s) – network switch – eth1[GL-AR150]eth0 – Cable modem – The Internet
As said before, the eth1 interface has no Internet connection. This is not as inconvenient as you might think because my web-browser can still connect to the Internet by using the Tor SOCKS proxy provided by the router.
What if a computer needs an Internet connection? Then there are two options:
- First I can plug in a handy USB wifi adapter and connect to the tor_off access point. The DHCP server on this access point will set the gateway and name server addresses, making it possible to use the Internet. If you have an integrated wifi adapter (laptops) things are of course simpler - configure the adapter to use the tor_off access point by default, and only switch on wifi if you need an Internet connection.
- The second option would be to use the router's UI to reconfigure eth1 into a normal forwarding configuration. This involves changing the network, DHCP and firewall settings and restarting these services. The disadvantage of this solution is that all computers connected to the switch get full Internet access too.
I did not like the second option. Making it safe would involve MAC filtering so that only one computer at a time gets connected. This can be done but it is complicated. I like simple, so I did not even try to implement the second option.
One big advantage of my setup is that it's now safe to use devices that are designed to spy on you (I mean Android devices of course). I remember that I was quite shocked when I first browsed the Google Play store. Almost all the apps were spy-ware! A simple flashlight app would need access to your contacts, location, history, birth certificate etc. On my Android tablet I read a lot of books and I am worried that the book reader apps would report on everything I read. Something like: Rob is reading "The Hitchhiker's Guide to the Galaxy" and made a note on page 42 about the importance of towels. These worries made me decide to disable wifi on my tablet, which is of course a major PITA. With my new setup I connect my tablet to the tor_max access point. This gives apps on the tablet access to my internal network, but not to the Internet. They cannot send their reports or download helpful ads! Also, by configuring Firefox to use the SOCKS proxy, I can use my tablet for web surfing.
A new status page
Being a programmer I could not resist exploring how the GL-AR150 could be programmed. This turned out to be quite a disappointment. It was way too easy! No kidding, the OpenWrt people did an excellent job; programming an OpenWrt device is fun!
I enjoyed myself making a small status page (example here) similar to the home page of the original GL-AR150 firmware. The difference is that there is no need to log in to see the router's status. It also displays much faster.
You can access the new status page by surfing to /torbox on the router's IP address:
http://192.168.100.1/torbox (eth1 and tor_max)
http://172.16.1.1/torbox (tor_off)
http://172.16.50.1/torbox (tor_medium)
Note: torbox is just an internal name I use for my router. I do not intend to release a project/product under the same name.
Installing the status page does not replace the web-UI of the manufacturer. You can still reach it by surfing to the bare IP address. Remember however that the web-UI of the manufacturer was designed for the manufacturer's configuration. It contains some hard-coded values and is incompatible with my configuration. Choose the more generic LuCI web-UI from the manufacturer's UI if you want to change a setting (note: I find it easier to edit the files in the etc/config/ directory).
Installing the configuration
I hope you like my configuration enough to give it a try. If you do, remember that I can give you no warranties. Use my configuration at your own risk. As far as I know it's not possible to brick your device. It should always be possible to restore the factory configuration by pressing the reset button for 10 seconds.
My configuration requires the manufacturer's Tor firmware (version 1.3 at the time of writing). You can download and install this firmware by following the instructions in this article: new-tor-firmware-for-gl-ar150-and-gl-inet6416. The firmware link in the article is not the latest version. You can download the latest version at http://www.gl-inet.com/firmware/ar150/tor/
After you installed the Tor firmware you must use its UI to set the board-name (use torbox), root password and timezone of the router. You can access the router's UI by connecting to http://192.168.8.1 (if you are asked for a password use goodlife)
Before installing my configuration it's important to check that the manufacturer's Tor firmware works. If it does not, my configuration will not function either.
Installing the configuration is a simple copy-paste process: replacing some files and adding others. The archive containing the configuration has the same directory structure as the router and can be downloaded here. Inside the archive you find the following directories and files:
Files for changing the network configuration:
etc/config/dhcp
etc/config/firewall
etc/config/network
etc/config/wireless
A new Tor configuration file:
etc/tor/torrc
Files for adding an extra status-page:
etc/config/uhttpd
www/torbox.css
www/torbox.lua
www/bumblebee.jpg
After you have unpacked the archive you might want to change the wireless passwords in etc/config/wireless. It's best to use a different password for the tor_max interface because this interface has access to your LAN computers/devices. If you want you can also change the SSIDs. Do not change the other options!
The best way to copy-paste the files is by making an SFTP connection to the router. When I tried this, it did not work. The dropbear SSH server of the router did not support SFTP. I had to install the openssh-sftp-server package to get SFTP working:
ssh root@192.168.8.1
opkg update
opkg install openssh-sftp-server
It is also possible to use the LuCI web-UI of the router to install the package. You can access the web-UI by connecting to the OpenWrt wifi access point and then surfing to http://192.168.8.1/
On Debian you can now use Nautilus's “File->Connect to server” to establish an SSH connection to the router (use IP address 192.168.8.1). After copy-pasting you have to restart the router for the configuration to take effect. The configuration changes IP addresses and SSIDs to the following:
eth1: IP 192.168.100.1 network 192.168.100.0/24
SSID tor_off: IP 172.16.1.1 network 172.16.1.0/24
SSID tor_medium: IP 172.16.50.1 network 172.16.50.0/24
SSID tor_max: IP 192.168.100.1 network 192.168.100.0/24
If you did not change the password in the wireless configuration file, the password for the wifi access points is goodlife.
Give it a try!
If you like my setup, I hope you will give it a try. The hardware is very cheap, so for most of you buying the device needed will not be a problem. Here are some links to shops:
GL-AR150 on Amazon
Same with external antenna
If you are living in The Netherlands and have no credit-card, you can buy one from Deal Extreme where you can pay with iDeal.