Welcome to It-Slav.Net blog
Peter Andersson



I have a FON router which allows anyone to connect to the Internet via my network connection. I like the openness and the idea behind FON, but I do not want to get in trouble if someone does bad things using my network connection.

One solution is to connect the FON access point to a separate network segment and let all traffic from that network go through Tor, the onion router.

Another benefit: when I want to be anonymous on the Internet, I plug my computer into that network segment.


I use OpenBSD as my firewall and the first step is to download, compile and configure TOR. I downloaded the tarball from https://www.torproject.org and used the normal procedure:

# wget https://www.torproject.org/dist/tor-

# tar xzvf tor- 

# cd tor-

# ./configure && make && make install


Configure pf

I use a dedicated Ethernet interface, fxp0; all traffic arriving on it is redirected into Tor.


--cut from /etc/pf.conf--

# Tor traffic

tor_if = "fxp0"

# Tor's TransPort

trans_port = "9040"

pass in quick on $tor_if inet proto udp to port domain rdr-to port 5300 

pass in quick on $tor_if inet proto { tcp udp } to !($tor_if) rdr-to port $trans_port

--end cut--


Configure tor


# cat /usr/local/etc/tor/torrc


AutomapHostsOnResolve 1

TransPort 9040

DNSPort 5300

Log notice syslog

#Log debug stderr

RunAsDaemon 1


Note: I know that best practice is to let the tor process run as a non-root user. That requires read access to /dev/pf and I did not bother to get it working.
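The pf rules and the torrc above have to agree on two numbers (the TransPort and the DNSPort), and the rdr-to rules only ever see TCP and UDP. As an added example that is not part of the original post, the POSIX shell script below parses both files, reports a mismatch between them, and flags a pf.conf that has no catch-all block rule on the Tor interface. It assumes the macro names tor_if and trans_port from the post, uses 127.0.0.1 as Tor's default listen address (the post's copy of the rules shows no address), and the sample files it writes are constructed for the demonstration, not the real ones.

```shell
#!/bin/sh
# Added example (not from the original post): cross-check the pf.conf macros and
# rdr-to rules against torrc so the two files cannot silently drift apart.
# Assumes the macro names tor_if / trans_port and the torrc options used in the post.

# Value of a torrc option, reduced to its port ("127.0.0.1:9040" -> "9040").
torrc_port() {   # $1 = option name, $2 = torrc path
    awk -v key="$1" '$1 == key { v = $2; sub(/.*:/, "", v); print v; exit }' "$2"
}

# Value of a pf.conf macro with quotes and any trailing comment stripped.
pf_macro() {     # $1 = macro name, $2 = pf.conf path
    awk -v key="$1" -F'=' '$1 ~ ("^[ \t]*" key "[ \t]*$") {
        v = $2; sub(/^[ \t]*"?/, "", v); sub(/["# \t].*$/, "", v); print v; exit }' "$2"
}

# Word after the last "port" of the first rdr-to rule whose text matches an ERE.
pf_rdr_port() {  # $1 = pf.conf path, $2 = ERE the rule must match
    awk -v pat="$2" '/rdr-to/ && $0 ~ pat {
        for (i = 1; i < NF; i++) if ($i == "port") p = $(i + 1); print p; exit }' "$1"
}

# Expand "$macro" through pf_macro; literal values pass through unchanged.
resolve_pf() {   # $1 = value or $macro, $2 = pf.conf path
    case "$1" in
        \$*) pf_macro "${1#\$}" "$2" ;;
        *)   printf '%s\n' "$1" ;;
    esac
}

# Run all checks, one line per finding; return 0 only if everything lines up.
check_tor_pf() { # $1 = pf.conf path, $2 = torrc path
    _rc=0
    tor_trans=$(torrc_port TransPort "$2"); tor_dns=$(torrc_port DNSPort "$2")
    pf_trans=$(resolve_pf "$(pf_rdr_port "$1" 'proto.*tcp')" "$1")
    pf_dns=$(resolve_pf "$(pf_rdr_port "$1" 'proto udp.*port domain')" "$1")
    if [ -n "$tor_trans" ] && [ "$pf_trans" = "$tor_trans" ]; then
        echo "ok: TCP on tor_if is redirected to TransPort $tor_trans"
    else
        echo "MISMATCH: pf redirects TCP to port '$pf_trans' but torrc TransPort is '$tor_trans'"; _rc=1
    fi
    if [ -n "$tor_dns" ] && [ "$pf_dns" = "$tor_dns" ]; then
        echo "ok: DNS on tor_if is redirected to DNSPort $tor_dns"
    else
        echo "MISMATCH: pf redirects DNS to port '$pf_dns' but torrc DNSPort is '$tor_dns'"; _rc=1
    fi
    # The rdr-to rules match only tcp/udp; without a catch-all, ICMP and any other
    # protocol arriving on tor_if falls through to the rest of the ruleset.
    if grep -Eq '^[[:space:]]*block[[:space:]].*[[:space:]]on[[:space:]]+[$]tor_if([[:space:]]|$)' "$1"; then
        echo "ok: catch-all block rule on tor_if present"
    else
        echo "LEAK RISK: no 'block ... on \$tor_if' rule in $1"; _rc=1
    fi
    return $_rc
}

# Constructed sample files: the post's fragments, with 127.0.0.1 assumed as Tor's
# default listen address (the post's copy of the rules shows none). Removed on exit.
WORK=$(mktemp -d); trap 'rm -rf "$WORK"' EXIT
TORRC="$WORK/torrc"; PF_POST="$WORK/pf.conf.post"; PF_HARDENED="$WORK/pf.conf.hardened"
cat > "$TORRC" <<'EOF'
AutomapHostsOnResolve 1
TransPort 9040
DNSPort 5300
Log notice syslog
RunAsDaemon 1
EOF
cat > "$PF_POST" <<'EOF'
tor_if ="fxp0"
trans_port = "9040"
pass in quick on $tor_if inet proto udp to port domain rdr-to 127.0.0.1 port 5300
pass in quick on $tor_if inet proto { tcp udp } to !($tor_if) rdr-to 127.0.0.1 port $trans_port
EOF
# Hardened variant: TransPort is a TCP listener, so only tcp is redirected to it,
# and a final quick block drops whatever the two redirects did not catch.
cat > "$PF_HARDENED" <<'EOF'
tor_if = "fxp0"
trans_port = "9040"
pass in quick on $tor_if inet proto udp to port domain rdr-to 127.0.0.1 port 5300
pass in quick on $tor_if inet proto tcp to !($tor_if) rdr-to 127.0.0.1 port $trans_port
block in quick on $tor_if
EOF

echo "== pf.conf as in the post =="
check_tor_pf "$PF_POST" "$TORRC" || echo "-> fix before trusting the segment"
echo "== hardened pf.conf =="
check_tor_pf "$PF_HARDENED" "$TORRC" || echo "-> fix before trusting the segment"
```

Against the live files the call is check_tor_pf /etc/pf.conf /usr/local/etc/tor/torrc after sourcing the functions. The grep only confirms that a block rule for the interface exists; it does not evaluate pf's last-match and quick semantics, so confirm the loaded ruleset with pfctl -sr.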


Dhcpd config

I assume that an OpenBSD sysadmin knows how to set up dhcpd, so I will just show the addition I made to /etc/dhcpd.conf.


shared-network tor-net {

        option  domain-name "it-slav-tor-net";

        option  domain-name-servers;

        option  ntp-servers;

        subnet netmask {

                option routers;




The IP address of the fxp0 interface is


Start tor


# /usr/local/bin/tor

Jan 10 20:52:48.880 [notice] Tor v0.2.2.35 (git-b04388f9e7546a9f). This is experimental software. Do not rely on it for strong anonymity. (Running on OpenBSD i386)

Jan 10 20:52:48.885 [warn] It's a little hard to tell, but you seem to have Libevent 1.4.0-beta header files, whereas you have linked against Libevent 1.4.14b-stable.  This will probably make Tor crash.

Jan 10 20:52:48.886 [notice] Initialized libevent version 1.4.14b-stable using method kqueue. Good.

Jan 10 20:52:48.886 [notice] Opening Socks listener on

Jan 10 20:52:48.887 [notice] Opening Transparent pf/netfilter listener on

Jan 10 20:52:48.887 [notice] Opening DNS listener on


Final step

Plug in your FON router and enjoy!



The hints for this article were found at:

2 Responses to “Anonymise a network segment using TOR and OpenBSD”

  1. kozaki Says:

    Definitely a neat idea, and a clear tutorial 😀
    So is your OpenBSD firewall running 24h/day? Actually, would you mind adding a line on the hardware that is used here (guessing internet access <-> firewall <-> Fonera <-> computer)?

  2. peter Says:

    Yes, some ASCII architecture graphics would help :)

    Your guess is correct!


    Best regards

