Use Metarouter to Implement Tor Anonymity Software

From MikroTik Wiki
Revision as of 14:00, 12 August 2010 by Webasdf (talk | contribs) (Mikrotik Network Configuration)

This article describes the steps to set up Tor Anonymity software behind a Mikrotik Hotspot using a Metarouter instance. The Metarouter image presented here is for RB4xx MIPSBE boards that support OpenWRT Metarouter images.

The end result is a NATed network that routes only encrypted Tor traffic for end users. The only ports open to end users are 80 tcp, 53 udp, 8118 tcp and 9050 tcp. Port 8118 tcp is the Privoxy proxy, which acts as a standard HTTP proxy in front of the Tor SOCKS proxy; Privoxy also has enhanced privacy features such as "removing ads and other obnoxious junk" [1]. Port 9050 tcp is the SOCKS proxy for routing traffic through the Tor network. All other ports are blocked for security and anonymity reasons. This configuration may be used to set up a wifi network that automatically routes traffic through Tor.


What is Tor?

Put simply, Tor is anonymity software that protects a source computer from eavesdropping by a third party. Tor routes internet packets through a series of encrypted proxies. Each proxy in the chain knows only its own part of the path, not the entire request, and the destination server does not learn who the source is. Tor is also described as onion routing. Tor is an open source project run by volunteers from around the world.

From the Tor web site [2]

"Tor is a network of virtual tunnels that allows people and groups to improve their privacy and security on the Internet. It also enables software developers to create new communication tools with built-in privacy features. Tor provides the foundation for a range of applications that allow organizations and individuals to share information over public networks without compromising their privacy."

Why use Tor?

From the Tor web site [3]

"Using Tor protects you against a common form of Internet surveillance known as "traffic analysis." Traffic analysis can be used to infer who is talking to whom over a public network. Knowing the source and destination of your Internet traffic allows others to track your behavior and interests. This can impact your checkbook if, for example, an e-commerce site uses price discrimination based on your country or institution of origin. It can even threaten your job and physical safety by revealing who and where you are. For example, if you're traveling abroad and you connect to your employer's computers to check or send mail, you can inadvertently reveal your national origin and professional affiliation to anyone observing the network, even if the connection is encrypted."

Tor Web Site

More information about The Tor Project is available at The Tor Homepage.

Network Description

The network design requires that users be behind a NAT connection. The metarouter runs the Tor service and all web traffic is routed through it. By design, to protect user privacy, only port 80 tcp, port 53 udp, 8118 tcp (privoxy proxy) and port 9050 tcp (tor socks proxy) are open to users.

[Figure: TorMikrotikDiagram.jpg (network diagram)]

Mikrotik Network Configuration

# Set up bridges
/interface bridge
add name=torBridge
add name=natBridge

# Add interfaces to natBridge
# In this example, an RB433AH with wifi card is being used
# Three physical ports will be added to the natBridge (ether2, ether3 and wlan1)
# ether1 is the port for the internet connection
/interface bridge port
add interface=ether2 bridge=natBridge
add interface=ether3 bridge=natBridge
add interface=wlan1 bridge=natBridge

# Configure the wlan1 interface SSID. Other settings may be adjusted as desired (i.e. frequency or wifi encryption)
/interface wireless set [find name="wlan1"] disabled=no ssid="Tor Anonymous Web"

# Add IP addresses
# ether1 is the internet IP address...in this example, 192.168.3.0/24 network is being used
/ip address add interface=ether1 address=192.168.3.254/24 disabled=no
/ip address add interface=natBridge address=10.11.1.1/24 disabled=no
/ip address add interface=torBridge address=10.192.168.1/30 disabled=no

# Add default route for the internet connection
/ip route add dst-address=0.0.0.0/0 gateway=192.168.3.7

# Configure DHCP server for natBridge
/ip pool add name="nat-DHCP" ranges="10.11.1.10-10.11.1.250"
/ip dhcp-server network add address=10.11.1.0/24 gateway=10.11.1.1
/ip dhcp-server add interface="natBridge" lease-time="1:00:00" name="nat-DHCP-Server" \
  address-pool="nat-DHCP" authoritative=yes disabled=no

# Firewall NAT rules
/ip firewall nat
# Masquerade the Metarouter's torBridge network so Tor can reach the internet
add chain=srcnat action=masquerade src-address=10.192.168.0/30 disabled=no
# Transparently redirect client HTTP (port 80) into the Mikrotik web proxy on port 8080
add chain=dstnat in-interface=natBridge protocol=tcp dst-port=80 action=redirect to-ports=8080

# Optional: masquerades the client LAN directly to the internet (traffic matching it does not pass through Tor)
add chain=srcnat action=masquerade src-address=10.11.1.0/24 disabled=no

# Configure Hotspot (optional)

# Configure Mikrotik Transparent Proxy
/ip proxy set enabled=yes parent-proxy=10.192.168.2 parent-proxy-port=8118 \
  cache-on-disk=no max-fresh-time=1h
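The article states that clients may only use 80 tcp, 53 udp, 8118 tcp and 9050 tcp, but the configuration above contains no filter rules that enforce that policy. The following RouterOS firewall filter rules are an added example (not part of the original article) that implements it; they assume the Metarouter answers on 10.192.168.2 as in the parent-proxy setting, that the router itself serves DNS and DHCP to clients, and that the optional Hotspot is not enabled (the Hotspot adds its own dynamic rules).

```routeros
/ip firewall filter
# Replies to connections permitted by the rules below
add chain=forward connection-state=established,related action=accept
add chain=input connection-state=established,related action=accept

# Clients on natBridge may only reach Privoxy (8118) and the Tor SOCKS port (9050) on the Metarouter
add chain=forward in-interface=natBridge dst-address=10.192.168.2 protocol=tcp dst-port=8118,9050 \
  action=accept comment="clients -> Privoxy / Tor SOCKS"
# Everything else forwarded from the client LAN is dropped, so the optional direct masquerade rule
# cannot carry client traffic around Tor
add chain=forward in-interface=natBridge action=drop comment="no direct internet from clients"

# Traffic to the router itself: DHCP, DNS and the transparent proxy port
# (client port 80 is already redirected to 8080 in dstnat before the input chain sees it)
add chain=input in-interface=natBridge protocol=udp dst-port=67 action=accept comment="client DHCP"
add chain=input in-interface=natBridge protocol=udp dst-port=53 action=accept comment="client DNS"
add chain=input in-interface=natBridge protocol=tcp dst-port=8080 action=accept \
  comment="redirected port 80 -> web proxy"
add chain=input in-interface=natBridge action=drop comment="nothing else to the router from clients"
```

The Metarouter's own traffic leaves via torBridge, so the final forward drop (which matches only natBridge) does not affect Tor's outbound connections.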

Mikrotik Metarouter Configuration

Download the metarouter image from the forum (forum post forthcoming... or wherever I can upload a 3 MB file) and upload the image to the router's root directory.

/metarouter import-image memory-size=32 file-name=openwrt-22250-tor-image.tar.gz
/metarouter set 0 name=tor

/metarouter interface add type=dynamic dynamic-bridge=torBridge virtual-machine=tor

The first two commands import and name the metarouter virtual machine. The last command sets up a dynamic interface for the metarouter on a bridge named torBridge.

Set up Tor Relay or Bridge (optional)

See Also