Welcome to It-Slav.Net blog
Peter Andersson
peter@it-slav.net


Background

I have a FON router which allows anyone to connect to the Internet via my network connection. I like the openness and the idea behind FON, but I do not want to get in trouble if someone does bad things using my network connection.

One solution is to connect the FON access point to a separate network segment and let all traffic from that network go through Tor, the onion router.

Another benefit is that when I want to be anonymous on the Internet, I plug my computer into that network segment.

Setup

I use OpenBSD as my firewall and the first step is to download, compile and configure TOR. I downloaded the tarball from https://www.torproject.org and used the normal procedure:

# wget https://www.torproject.org/dist/tor-0.2.2.35.tar.gz
# tar xzvf tor-0.2.2.35.tar.gz
# cd tor-0.2.2.35
# ./configure && make && make install


Configure pf

I use a dedicated Ethernet interface, fxp0; all traffic arriving on it is redirected into Tor.

 

--cut from /etc/pf.conf--
# Tor traffic: the interface the FON access point (and any client that wants to be anonymous) sits on
tor_if = "fxp0"

# Tor's TransPort
trans_port = "9040"

# Every DNS query from the segment is handed to Tor's DNSPort (5300 in torrc) instead of a real resolver
pass in quick on $tor_if inet proto udp to port domain rdr-to 127.0.0.1 port 5300

# Everything else not addressed to the firewall itself goes to Tor's TransPort.
# Tor only accepts TCP there, so redirected UDP ends up nowhere instead of leaking out unanonymised.
pass in quick on $tor_if inet proto { tcp udp } to !($tor_if) rdr-to 127.0.0.1 port $trans_port
--end cut--

 

Configure tor

 

# cat /usr/local/etc/tor/torrc
# Placeholder addresses handed out for automapped hostnames (see AutomapHostsOnResolve)
VirtualAddrNetwork 10.192.0.0/10
AutomapHostsOnResolve 1
# Transparent proxy listener that the pf rdr-to rule points at
TransPort 9040
# DNS listener that the pf "port domain" rule points at
DNSPort 5300
Log notice syslog
#Log debug stderr
RunAsDaemon 1

 

Note: I know that best practice is to run the Tor process as a non-root user. That requires read access to /dev/pf, and I did not bother to get it working.

 

Dhcpd config

I assume that an OpenBSD sysadmin knows how to set up dhcpd, so I will just show the addition I made to /etc/dhcpd.conf.

 

shared-network tor-net {
        option  domain-name "it-slav-tor-net";
        option  domain-name-servers 10.1.2.1;
        option  ntp-servers 10.1.2.1;

        subnet 10.1.2.0 netmask 255.255.255.0 {
                option routers 10.1.2.1;
                range 10.1.2.100 10.1.2.200;
        }
}

 

The IP address of the fxp0 interface is 10.1.2.1, so the firewall itself is the segment's router, DNS server and NTP server.

 

Start tor

 

# /usr/local/bin/tor
Jan 10 20:52:48.880 [notice] Tor v0.2.2.35 (git-b04388f9e7546a9f). This is experimental software. Do not rely on it for strong anonymity. (Running on OpenBSD i386)
Jan 10 20:52:48.885 [warn] It's a little hard to tell, but you seem to have Libevent 1.4.0-beta header files, whereas you have linked against Libevent 1.4.14b-stable.  This will probably make Tor crash.
Jan 10 20:52:48.886 [notice] Initialized libevent version 1.4.14b-stable using method kqueue. Good.
Jan 10 20:52:48.886 [notice] Opening Socks listener on 127.0.0.1:9050
Jan 10 20:52:48.887 [notice] Opening Transparent pf/netfilter listener on 127.0.0.1:9040
Jan 10 20:52:48.887 [notice] Opening DNS listener on 127.0.0.1:5300
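The pf rules, torrc and the startup log above must all agree on the same two ports, otherwise traffic from the segment is redirected to a port nobody listens on and silently dropped. The following Python is an added consistency check, not part of the original post; the three samples are constructed from the post's own config and log, and the function names are my own.

```python
import re
from ipaddress import ip_address, ip_network

# Constructed samples mirroring the post's pf.conf macros/rules, torrc and Tor startup log.
PF_CONF = """\
tor_if ="fxp0"
trans_port = "9040"
pass in quick on $tor_if inet proto udp to port domain rdr-to 127.0.0.1 port 5300
pass in quick on $tor_if inet proto { tcp udp } to !($tor_if) rdr-to 127.0.0.1 port $trans_port
"""
TORRC = """\
VirtualAddrNetwork 10.192.0.0/10
AutomapHostsOnResolve 1
TransPort 9040
DNSPort 5300
"""
TOR_LOG = """\
Jan 10 20:52:48.886 [notice] Opening Socks listener on 127.0.0.1:9050
Jan 10 20:52:48.887 [notice] Opening Transparent pf/netfilter listener on 127.0.0.1:9040
Jan 10 20:52:48.887 [notice] Opening DNS listener on 127.0.0.1:5300
"""

def pf_redirect_ports(conf):
    """Ports that rdr-to rules send traffic to, with $macro references expanded."""
    macros = dict(re.findall(r'^(\w+)\s*=\s*"([^"]*)"', conf, re.M))
    ports = set()
    for ref in re.findall(r'rdr-to\s+\S+\s+port\s+(\$?\w+)', conf):
        ports.add(int(macros[ref[1:]] if ref.startswith('$') else ref))
    return ports

def torrc_ports(conf):
    """TransPort and DNSPort values configured in torrc."""
    return {int(v) for _, v in re.findall(r'^(TransPort|DNSPort)\s+(\d+)', conf, re.M)}

def log_listener_ports(log):
    """Ports Tor reported opening a listener on at startup."""
    return {int(p) for p in re.findall(r'listener on 127\.0\.0\.1:(\d+)', log)}

def unlistened_redirects(pf, torrc, log):
    """Ports pf redirects to that are not both configured in torrc and open per the log.
    Anything returned here is traffic that gets black-holed instead of anonymised."""
    return pf_redirect_ports(pf) - (torrc_ports(torrc) & log_listener_ports(log))

def is_automapped(addr, torrc):
    """True if addr lies in VirtualAddrNetwork, i.e. it is a placeholder that Tor's
    DNSPort handed out for an automapped name rather than a real Internet address."""
    net = ip_network(re.search(r'^VirtualAddrNetwork\s+(\S+)', torrc, re.M).group(1))
    return ip_address(addr) in net
```

Run it against your real /etc/pf.conf, torrc and the notice lines Tor writes to syslog; a non-empty result from unlistened_redirects means a port mismatch between the three.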

 

Final step

Plug in your FON router and enjoy!

 

Links

The hints for this article were found at:


2 Responses to “Anonymise a network segment using TOR and OpenBSD”

  1. kozaki Says:

    Definitely a neat idea, and a clear tutorial 😀
    So is your OpenBSD firewall running 24h/day? Actually, would you mind adding a line on the hardware that is used here (guessing internet access <-> firewall <-> Fonera <-> computer)?

  2. peter Says:

    Yes, some ASCII architecture graphics would help :)

    Your guess is correct!

     

    Best regards

    Peter





