Use Metarouter to Implement Tor Anonymity Software
This article describes the steps to set up Tor Anonymity software behind a Mikrotik Hotspot using a Metarouter instance. The Metarouter image presented here is for RB4xx MIPSBE boards that support OpenWRT Metarouter images.
The end result is a NATed network from which end users can reach the internet only through Tor. The only ports open to end users are 80 tcp, 53 udp, 8118 tcp and 9050 tcp. Port 8118 tcp is Privoxy, a standard HTTP proxy that forwards to the Tor SOCKS proxy; Privoxy also has privacy features such as "removing ads and other obnoxious junk" [1]. Port 9050 tcp is the Tor SOCKS proxy, which clients may use directly to route any TCP application through the Tor network. All other ports are blocked for security and anonymity reasons. This configuration may be used to set up a wifi network that automatically routes web traffic through Tor. Keep in mind that Tor encrypts traffic only between the Tor client and the exit relay: plain HTTP sent to port 80 leaves the exit relay unencrypted, exactly as the browser sent it.
What is Tor?
Put simply, Tor is anonymity software that prevents a third party observing the network from linking the source of a connection to its destination. Tor routes internet packets through a chain of relays, with a separate layer of encryption for each hop. Each relay knows only the hop before it and the hop after it, never the whole path, and the destination server sees only the last relay, not the source. This technique is called onion routing, and Tor is its best-known implementation. Tor is an open source project whose relays are run by volunteers from around the world.
From the Tor web site [2]
"Tor is a network of virtual tunnels that allows people and groups to improve their privacy and security on the Internet. It also enables software developers to create new communication tools with built-in privacy features. Tor provides the foundation for a range of applications that allow organizations and individuals to share information over public networks without compromising their privacy."
Why use Tor?
From the Tor web site [3]
"Using Tor protects you against a common form of Internet surveillance known as "traffic analysis." Traffic analysis can be used to infer who is talking to whom over a public network. Knowing the source and destination of your Internet traffic allows others to track your behavior and interests. This can impact your checkbook if, for example, an e-commerce site uses price discrimination based on your country or institution of origin. It can even threaten your job and physical safety by revealing who and where you are. For example, if you're traveling abroad and you connect to your employer's computers to check or send mail, you can inadvertently reveal your national origin and professional affiliation to anyone observing the network, even if the connection is encrypted."
Tor Web Site
More information about The Tor Project is available at The Tor Homepage.
Network Description
The network design requires that users be behind NAT. The metarouter runs the Tor service and all web traffic is routed through it. By design, to protect user privacy, only port 80 tcp, port 53 udp, 8118 tcp (Privoxy proxy) and port 9050 tcp (Tor SOCKS proxy) are open to users.
Mikrotik Network Configuration
Set up bridges
/interface bridge
add name=torBridge
add name=natBridge
/interface bridge port
add interface=ether2 bridge=natBridge
add interface=ether3 bridge=natBridge
add interface=wlan1 bridge=natBridge
These commands create the two bridges and add interfaces to the natBridge. In this example an RB433AH with a wifi card is used, and three interfaces (ether2, ether3 and wlan1) are added to natBridge. Ether1 is the port for the internet connection. torBridge gets its only member later, when the metarouter's virtual interface is attached to it.
Configure Wifi AP
/interface wireless set [find name="wlan1"] disabled=no \
    mode=ap-bridge band=2.4ghz-b/g frequency=2412 ssid="Tor Anonymous Web"
This command configures the wlan1 interface's SSID, mode, band and channel. Settings such as wifi encryption may be adjusted as desired. Bear in mind that the Tor client runs on the metarouter, not on the users' devices: everything a user sends over wlan1 travels in the clear until it reaches the router, so an open network exposes users' traffic to anyone within radio range, and even with WPA2-PSK any user who knows the key can observe the others.
Add IP addresses
/ip address add interface=ether1 address=192.168.3.254/24 disabled=no
/ip address add interface=natBridge address=10.11.1.1/24 disabled=no
/ip address add interface=torBridge address=10.192.168.1/30 disabled=no
Ether1 carries the internet-facing address; in this example the upstream network is 192.168.3.0/24. natBridge is the users' network (10.11.1.0/24) and torBridge is the point-to-point /30 link between the router (10.192.168.1) and the metarouter (10.192.168.2).
Configure default route (if needed)
/ip route add dst-address=0.0.0.0/0 gateway=192.168.3.7
Configure DHCP server for natBridge
/ip pool add name="nat-DHCP" ranges="10.11.1.10-10.11.1.250"
/ip dhcp-server network add address=10.11.1.0/24 gateway=10.11.1.1 dns-server=10.192.168.2
/ip dhcp-server add interface="natBridge" lease-time="1:00:00" name="nat-DHCP-Server" \
    address-pool="nat-DHCP" authoritative=yes disabled=no
Firewall NAT rules
/ip firewall nat
# only masquerade torBridge
add chain=srcnat action=masquerade src-address=10.192.168.0/30 disabled=no
# transparent proxy redirect
add chain=dstnat in-interface=natBridge protocol=tcp dst-port=80 \
    action=redirect to-ports=8080 disabled=no
# DNS, privoxy and Tor socks forward rules for natBridge
add chain=dstnat in-interface=natBridge protocol=udp dst-port=53 \
    action=dst-nat to-addresses=10.192.168.2 to-ports=53 disabled=no
add chain=dstnat in-interface=natBridge protocol=tcp dst-port=8118 \
    action=dst-nat to-addresses=10.192.168.2 to-ports=8118 disabled=no
add chain=dstnat in-interface=natBridge protocol=tcp dst-port=9050 \
    action=dst-nat to-addresses=10.192.168.2 to-ports=9050 disabled=no
# DNS, privoxy and Tor socks forward rules for ether1 (optional)
add chain=dstnat in-interface=ether1 protocol=udp dst-port=53 \
    action=dst-nat to-addresses=10.192.168.2 to-ports=53 disabled=no
add chain=dstnat in-interface=ether1 protocol=tcp dst-port=8118 \
    action=dst-nat to-addresses=10.192.168.2 to-ports=8118 disabled=no
add chain=dstnat in-interface=ether1 protocol=tcp dst-port=9050 \
    action=dst-nat to-addresses=10.192.168.2 to-ports=9050 disabled=no
In this configuration the natBridge is deliberately not masqueraded. Only torBridge is masqueraded, so the only traffic that leaves toward the internet with a valid source address is the metarouter's own, that is, Tor traffic. Users get port 80 tcp (via the transparent proxy) and 53 udp (answered by the metarouter rather than the upstream resolver, since every DNS query is dst-natted to it regardless of the address the client asked) by default. Ports 9050 (Tor SOCKS proxy) and 8118 (Privoxy HTTP proxy) are also available so that users can point other applications, such as HTTPS-capable browsers or messaging clients, at the proxy. The dstnat rules also redirect all port 80 requests to the Mikrotik transparent proxy. Note that the absence of a masquerade rule is not by itself a block: a packet from a natBridge client to any other port is still forwarded out of ether1 with its private 10.11.1.x source address, so forward-chain filter rules are needed to actually drop that traffic rather than relying on the upstream network to discard it.
Configure Mikrotik Transparent Proxy
/ip proxy set enabled=yes parent-proxy=10.192.168.2 parent-proxy-port=8118 \
    cache-on-disk=no max-fresh-time=1h

The web proxy listens on port 8080 by default, the port the redirect rule above targets, and forwards every request to Privoxy on the metarouter. It listens on all interfaces, so make sure it cannot be reached from ether1; otherwise anyone on the upstream network can use the router as an open proxy into Tor.
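The NAT rules and the transparent proxy above decide what gets translated, but nothing so far drops the traffic that is not translated. The following filter rules, added here as an example and not part of the original article, enforce the stated policy: clients on natBridge may reach only the metarouter's DNS, Privoxy and SOCKS ports, the metarouter may reach only the internet, and the router's own services (including the web proxy on 8080) are not exposed on ether1. Interface names and addresses are the ones used above; the log prefix is an assumption, and the rules assume the optional hotspot of the next section is not enabled, since the hotspot adds dynamic rules of its own.

```routeros
# Added example, not from the original article: filter rules that enforce the
# port policy the NAT rules imply. Names and addresses are the ones used above;
# the log prefix is an assumption, and the rules assume the optional hotspot
# is not enabled.
/ip firewall filter
# replies to the redirected DNS, Privoxy and SOCKS flows (and to the
# metarouter's own Tor connections) must not be dropped
add chain=forward connection-state=established,related action=accept
# the only destinations a natBridge client may open: the metarouter's
# DNS (53/udp), Privoxy (8118/tcp) and Tor SOCKS (9050/tcp).
# Filter sees the post-dst-nat destination, so these cover both the
# dst-nat rules above and clients that address 10.192.168.2 directly.
add chain=forward in-interface=natBridge dst-address=10.192.168.2 \
    protocol=udp dst-port=53 action=accept
add chain=forward in-interface=natBridge dst-address=10.192.168.2 \
    protocol=tcp dst-port=8118,9050 action=accept
# anything else from a client is a leak attempt: log it, then drop it
add chain=forward in-interface=natBridge action=log log-prefix="tor-leak"
add chain=forward in-interface=natBridge action=drop
# the metarouter may reach the internet (that is how Tor builds circuits)
# but must never initiate connections into the client LAN
add chain=forward in-interface=torBridge out-interface=ether1 action=accept
add chain=forward in-interface=torBridge action=drop
# the router's own services: clients need only the transparent proxy
# (8080, the redirect target) and DHCP; nothing else on the router is for them
add chain=input connection-state=established,related action=accept
add chain=input in-interface=natBridge protocol=tcp dst-port=8080 action=accept
add chain=input in-interface=natBridge protocol=udp dst-port=67 action=accept
add chain=input in-interface=natBridge action=drop
# and the web proxy must not be an open relay into Tor from the upstream side
add chain=input in-interface=ether1 protocol=tcp dst-port=8080 action=drop
```

After a client tries, say, a direct HTTPS connection, `/ip firewall filter print stats` should show the natBridge drop rule's counter increasing while the accept rules for 53, 8118 and 9050 carry the legitimate traffic, and `/log print where message~"tor-leak"` shows which client and port were refused. If the optional ether1 dst-nat rules from the NAT section are enabled, add matching forward accept rules with in-interface=ether1 for those three ports, otherwise the torBridge rules above will not let that traffic through.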
Configure Hotspot (optional)
Mikrotik Metarouter Configuration
Obtain Tor Metarouter image from forum
Download the metarouter image from the forum (forum post forthcoming... or wherever I can upload a 3 MB file) and upload the image to the router's root directory.
Upload and import Metarouter image
/metarouter import-image memory-size=32 file-name=openwrt-22250-tor-image.tar.gz
After the .tar.gz file has been uploaded to the root directory, this command imports the image, gives the virtual machine 32 MB of RAM and starts it.
Configure Metarouter name and network interface
/metarouter set 0 name=tor
/metarouter interface add type=dynamic dynamic-bridge=torBridge virtual-machine=tor
The first command names the new Metarouter virtual machine. The second adds a dynamic virtual interface for it and attaches that interface to torBridge, which puts the metarouter on the 10.192.168.0/30 link; the dst-nat rules and the DHCP dns-server setting above assume the image answers at 10.192.168.2.
Set up scheduler to periodically reboot metarouter
/system scheduler add disabled=no interval=6h name=restartTor policy=read,write \
    on-event="/metarouter set [find name=\"tor\"] disabled=yes\r\
    \n:delay 5\r\
    \n/metarouter set [find name=\"tor\"] disabled=no"
The Metarouter needs to be restarted periodically in order for the Tor image to run smoothly. The script first stops the virtual machine (disabled=yes), waits five seconds and starts it again (disabled=no); setting disabled=no on a machine that is already running does nothing, so the stop step is what forces the restart. The scheduler only needs the read and write policies for these commands; granting it reboot, password or sensitive as well would be more privilege than the job requires.
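The six-hourly restart above is blind: it tears down every user's Tor circuits whether or not the metarouter is actually in trouble. As an added example that is not part of the original article, the following script restarts the metarouter only when it stops answering on 10.192.168.2 and logs what it did. The script name, the ten-minute interval, the three-probe threshold and the log messages are assumptions, as is the assumption that the Tor image answers ICMP echo; the metarouter name tor and the address 10.192.168.2 are those used above.

```routeros
# Added example, not from the original article. The lines between the
# markers are the source of:  /system script add name=checkTor policy=read,write
# (paste them as the source= value or into the script editor). Name,
# interval, probe count and log text are assumptions; the script also
# assumes the Tor image answers ICMP echo on 10.192.168.2.
# --- source of checkTor ---
:local vm [/metarouter find name="tor"]
:if ([:len $vm] = 0) do={
    :log error "checkTor: no metarouter named tor"
    :error "checkTor: no metarouter named tor"
}
# three echo requests one second apart; in a script /ping returns the
# number of replies received
:local replies [/ping 10.192.168.2 count=3 interval=1s]
:if ($replies = 0) do={
    :log warning "checkTor: Tor metarouter not answering, restarting it"
    # disabled=yes stops the virtual machine, disabled=no boots it again;
    # setting disabled=no on a machine that is already running does nothing
    /metarouter set $vm disabled=yes
    :delay 5
    /metarouter set $vm disabled=no
} else={
    :log info ("checkTor: ok, " . $replies . "/3 replies")
}
# --- end of source ---
# run the check every ten minutes instead of a blind six-hourly restart
/system scheduler add name=checkTor interval=10m on-event=checkTor policy=read,write
```

`/system script run checkTor` exercises it once by hand, and `/log print where message~"checkTor"` shows the outcome. Because the script runs with only the read and write policies, it can stop and start the metarouter but cannot change passwords, reboot the router or read sensitive configuration.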
