Background
I have a FON router which allows anyone to connect to the Internet via my network connection. I like the openness and the idea behind FON, but I do not want to get into trouble if someone does bad things using my network connection.
One solution is to connect the FON access point to a separate network segment and let all traffic from that network go through Tor, the onion router.
Another benefit is that when I want to be anonymous on the Internet I can plug my computer into that network segment.
Setup
I use OpenBSD as my firewall and the first step is to download, compile and configure Tor. I downloaded the tarball from https://www.torproject.org and used the normal procedure:
# wget https://www.torproject.org/dist/tor-0.2.2.35.tar.gz
# tar xzvf tor-0.2.2.35.tar.gz
# cd tor-0.2.2.35
# ./configure && make && make install
Configure pf
I use a dedicated Ethernet interface, fxp0, for the Tor segment. The pf rules below redirect DNS lookups arriving on that interface to Tor's DNSPort and all other TCP/UDP traffic to Tor's TransPort; whether other protocols (ICMP, for example) from that segment are blocked depends on the rest of your ruleset, since pf passes anything no rule matches.
--cut from /etc/pf.conf--
# Tor traffic
tor_if = "fxp0"
# Tor's TransPort
trans_port = "9040"
pass in quick on $tor_if inet proto udp to port domain rdr-to 127.0.0.1 port 5300
pass in quick on $tor_if inet proto { tcp udp } to !($tor_if) rdr-to 127.0.0.1 port $trans_port
--end cut--
Configure tor
# cat /usr/local/etc/tor/torrc
VirtualAddrNetwork 10.192.0.0/10
AutomapHostsOnResolve 1
TransPort 9040
DNSPort 5300
Log notice syslog
#Log debug stderr
RunAsDaemon 1
Note: I know that best practice is to run the tor process as a non-root user. That requires read access to /dev/pf and I did not bother to get it working.
Dhcpd config
I assume that an OpenBSD sysadmin knows how to set up dhcpd, so I will just show the addition I made to /etc/dhcpd.conf.
shared-network tor-net {
    option domain-name "it-slav-tor-net";
    option domain-name-servers 10.1.2.1;
    option ntp-servers 10.1.2.1;
    subnet 10.1.2.0 netmask 255.255.255.0 {
        option routers 10.1.2.1;
        range 10.1.2.100 10.1.2.200;
    }
}
The IP address of the fxp0 interface is 10.1.2.1.
Start tor
# /usr/local/bin/tor
Jan 10 20:52:48.880 [notice] Tor v0.2.2.35 (git-b04388f9e7546a9f). This is experimental software. Do not rely on it for strong anonymity. (Running on OpenBSD i386)
Jan 10 20:52:48.885 [warn] It's a little hard to tell, but you seem to have Libevent 1.4.0-beta header files, whereas you have linked against Libevent 1.4.14b-stable. This will probably make Tor crash.
Jan 10 20:52:48.886 [notice] Initialized libevent version 1.4.14b-stable using method kqueue. Good.
Jan 10 20:52:48.886 [notice] Opening Socks listener on 127.0.0.1:9050
Jan 10 20:52:48.887 [notice] Opening Transparent pf/netfilter listener on 127.0.0.1:9040
Jan 10 20:52:48.887 [notice] Opening DNS listener on 127.0.0.1:5300
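The whole setup only works if three things agree: the ports pf redirects to, the ports configured in torrc, and the listeners Tor actually opens at startup. The following script is an added example (not part of the original post or of Tor) that cross-checks those three against each other and also tells you whether a DNS answer seen from the Tor segment lies inside VirtualAddrNetwork, which is what AutomapHostsOnResolve should produce when lookups really go through Tor's DNSPort. The torrc, the log lines and the pf redirect targets are copied from this post and embedded inline so the script runs offline; the hostname used in the usage section is a placeholder.

```python
import ipaddress
import re

# torrc from the post, embedded so the checks run without a live system
SAMPLE_TORRC = """\
VirtualAddrNetwork 10.192.0.0/10
AutomapHostsOnResolve 1
TransPort 9040
DNSPort 5300
Log notice syslog
#Log debug stderr
RunAsDaemon 1
"""

# Tor startup messages as shown in the post
SAMPLE_LOG = """\
Jan 10 20:52:48.886 [notice] Opening Socks listener on 127.0.0.1:9050
Jan 10 20:52:48.887 [notice] Opening Transparent pf/netfilter listener on 127.0.0.1:9040
Jan 10 20:52:48.887 [notice] Opening DNS listener on 127.0.0.1:5300
"""

# rdr-to targets from the pf.conf snippet, keyed by the Tor listener they must reach
PF_REDIRECTS = {
    "DNS": ("127.0.0.1", 5300),
    "Transparent pf/netfilter": ("127.0.0.1", 9040),
}

# Which torrc option controls each listener kind
TORRC_OPTION_FOR = {"DNS": "DNSPort", "Transparent pf/netfilter": "TransPort"}

LISTENER_RE = re.compile(
    r"Opening (?P<kind>.+?) listener on (?P<host>[\d.]+):(?P<port>\d+)"
)


def parse_torrc(text):
    """Return torrc options as {key: value}, ignoring comments and blank lines."""
    opts = {}
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if not line:
            continue
        key, _, value = line.partition(" ")
        opts[key] = value.strip()
    return opts


def parse_listeners(log_text):
    """Return {listener kind: (host, port)} from Tor's 'Opening ... listener' lines."""
    return {
        m.group("kind"): (m.group("host"), int(m.group("port")))
        for m in LISTENER_RE.finditer(log_text)
    }


def find_mismatches(torrc_opts, listeners, pf_redirects):
    """List every disagreement between pf redirects, torrc and the live listeners."""
    problems = []
    for kind, (host, port) in pf_redirects.items():
        configured = torrc_opts.get(TORRC_OPTION_FOR[kind])
        if configured is None or int(configured) != port:
            problems.append(f"pf redirects {kind} to port {port} but torrc says {configured}")
        if kind not in listeners:
            problems.append(f"tor log shows no {kind} listener")
        elif listeners[kind] != (host, port):
            problems.append(f"{kind} listener is on {listeners[kind]}, pf redirects to {(host, port)}")
    if torrc_opts.get("AutomapHostsOnResolve") != "1":
        problems.append("AutomapHostsOnResolve is off; DNSPort answers will not map into VirtualAddrNetwork")
    return problems


def is_automapped(addr, torrc_opts):
    """True if addr lies in VirtualAddrNetwork, i.e. the answer came from Tor's automap."""
    net = ipaddress.ip_network(torrc_opts["VirtualAddrNetwork"], strict=False)
    return ipaddress.ip_address(addr) in net


if __name__ == "__main__":
    import socket

    opts = parse_torrc(SAMPLE_TORRC)
    for problem in find_mismatches(opts, parse_listeners(SAMPLE_LOG), PF_REDIRECTS):
        print("MISMATCH:", problem)
    # Run from a host on the Tor segment: a resolved address outside
    # VirtualAddrNetwork means the lookup bypassed Tor's DNSPort.
    answer = socket.gethostbyname("example.invalid")  # placeholder hostname
    print(answer, "automapped" if is_automapped(answer, opts) else "NOT automapped - DNS leak?")
```

On the firewall, replace SAMPLE_TORRC and SAMPLE_LOG with the real torrc and the lines Tor logged to syslog; the mismatch list should be empty. On a client plugged into the fxp0 segment, the address printed for any public hostname should be in 10.192.0.0/10, because the answer is an automap placeholder that Tor turns into a real connection on the TransPort; an ordinary public address there means DNS is escaping the segment.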
Final step
Plug in your FON router and enjoy!
Links
The hints for this article were found at:
2 Responses to “Anonymise a network segment using TOR and OpenBSD”
November 20th, 2012 at 1:53 pm
Definitely a neat idea, and a clear tutorial 😀
So is your OpenBSD firewall running 24h/day? Actually, would you mind adding a line on the hardware that is used here (guessing internet access <-> firewall <-> Fonera <-> computer)?
November 20th, 2012 at 2:43 pm
Yes, some ASCII architecture graphics would help :)
Your guess is correct!
Best regards
Peter