Use Metarouter to Implement Tor Anonymity Software

From MikroTik Wiki
Revision as of 15:51, 9 August 2010 by Webasdf (talk | contribs) (Mikrotik Metarouter Configuration)

This article describes the steps to set up Tor Anonymity software behind a Mikrotik Hotspot using a Metarouter instance. The Metarouter image presented here is for RB4xx MIPSBE boards that support OpenWRT Metarouter images.

The end result is a NATed network in which end users' traffic can leave only through Tor. The only ports open to end users are 80 tcp, 53 udp and 9050 tcp; 9050 tcp is the SOCKS proxy used to route traffic through the Tor network. All other ports are blocked for security and anonymity reasons. This configuration may be used to set up a wifi network that automatically routes traffic through Tor.


What is Tor?

Put simply, Tor is anonymity software that hides from third parties observing the network who a source computer is talking to. Tor routes internet packets through a chain of relays using nested layers of encryption: each relay knows only the previous and next hop, not the full path, and the destination server sees the exit relay rather than the source. This technique is called onion routing, and Tor is its best-known implementation. Tor is an open source project, and its relays are run by volunteers from around the world.

From the Tor web site [1]

"Tor is a network of virtual tunnels that allows people and groups to improve their privacy and security on the Internet. It also enables software developers to create new communication tools with built-in privacy features. Tor provides the foundation for a range of applications that allow organizations and individuals to share information over public networks without compromising their privacy."

Why use Tor?

From the Tor web site [2]

"Using Tor protects you against a common form of Internet surveillance known as "traffic analysis." Traffic analysis can be used to infer who is talking to whom over a public network. Knowing the source and destination of your Internet traffic allows others to track your behavior and interests. This can impact your checkbook if, for example, an e-commerce site uses price discrimination based on your country or institution of origin. It can even threaten your job and physical safety by revealing who and where you are. For example, if you're traveling abroad and you connect to your employer's computers to check or send mail, you can inadvertently reveal your national origin and professional affiliation to anyone observing the network, even if the connection is encrypted."

Tor Web Site

More information about The Tor Project is available at The Tor Homepage.

Network Description

The network design requires that users sit behind a NAT connection. The Metarouter runs the Tor service and all user web traffic is routed through it. By design, to protect user privacy, only port 80 tcp, port 53 udp and port 9050 tcp (the Tor SOCKS proxy) are open to users.

[Figure: TorMikrotikDiagram.jpg]

Mikrotik Network Configuration

/ip firewall nat

# Masquerade only the torBridge subnet: hotspot users get no direct NAT to the internet,
# so the only path out is through the Tor Metarouter
add chain=srcnat action=masquerade src-address=10.192.168.0/30

Mikrotik Metarouter Configuration

Download the Metarouter image from the forum (forum post forthcoming... or wherever a 3 MB file can be uploaded) and upload the image to the router's root directory.

/metarouter import-image memory-size=32 file-name=openwrt-22250-tor-image.tar.gz
/metarouter set 0 name=tor

/metarouter interface add type=dynamic dynamic-bridge=torBridge virtual-machine=tor

The first two commands import and name the Metarouter virtual machine. The last command adds a dynamic interface for the Metarouter and attaches it to a bridge named torBridge (create the bridge under /interface bridge if it does not already exist).
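The page shows the masquerade rule and the Metarouter commands but not the pieces that actually enforce the "only through Tor, only three ports" policy described above. The following RouterOS fragment is an added example, not configuration from the original page or from the image's author. It assumes hotspot users sit on a bridge named hotspot with 192.168.88.0/24, that torBridge carries 10.192.168.0/30 with RouterOS at 10.192.168.1 and the Tor Metarouter at 10.192.168.2, and that the Tor instance inside the image is configured to handle the traffic it receives on ports 80 and 53 (how it does so, for example with a transparent proxy, is part of the image and not shown on the page). Names, addresses and the routing mark viaTor are illustrative.

```routeros
# Added example, not from the original page. Assumed names and addresses: hotspot users on
# bridge "hotspot" (192.168.88.0/24); torBridge carries 10.192.168.0/30 with RouterOS at
# 10.192.168.1 and the Tor Metarouter at 10.192.168.2. Adjust to match your own layout.

/interface bridge
add name=torBridge
/ip address
add address=10.192.168.1/30 interface=torBridge

# Policy-route every hotspot user's non-local traffic to the Tor Metarouter instead of the
# normal default route, so users never reach the WAN directly
/ip firewall mangle
add chain=prerouting in-interface=hotspot dst-address-type=!local \
    action=mark-routing new-routing-mark=viaTor passthrough=no
/ip route
add dst-address=0.0.0.0/0 gateway=10.192.168.2 routing-mark=viaTor

# Only the three published ports may leave the user side, and only towards the Tor VM;
# everything else is dropped so nothing bypasses Tor
/ip firewall filter
add chain=forward connection-state=established,related action=accept
add chain=forward in-interface=hotspot out-interface=torBridge protocol=tcp \
    dst-port=80,9050 action=accept
add chain=forward in-interface=hotspot out-interface=torBridge protocol=udp \
    dst-port=53 action=accept
add chain=forward in-interface=hotspot action=drop comment="default drop: no path around Tor"

# Masquerade only the Tor VM's subnet; user addresses are never NATed to the internet
/ip firewall nat
add chain=srcnat action=masquerade src-address=10.192.168.0/30
```

Two points to check after applying something like this: first, that udp 53 from users really terminates at the Tor resolver on the Metarouter, because DNS answered by any other resolver reveals every hostname a user looks up even though the page content goes through Tor; second, that the final drop rule is the last forward rule matching hotspot traffic, since any accept placed after it for convenience reopens a direct path to the internet.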

Set up Tor Relay or Bridge (optional)