Use Metarouter to Implement Tor Anonymity Software
This article describes the steps to set up Tor Anonymity software behind a Mikrotik Hotspot using a Metarouter instance. The Metarouter image presented here is for RB4xx MIPSBE boards that support OpenWRT Metarouter images.
The end result is a NATed network that routes only encrypted tor traffic for end users. The only ports that are open to end users include 80 tcp, 53 udp, 8118 tcp and 9050 tcp. 8118 tcp is the Privoxy proxy which acts as a standard http proxy to the Tor Socks proxy. Provoxy also has enhanced privacy features such as "removing ads and other obnoxious junk" . Port 9050 tcp is the Socks proxy available for routing traffic through the tor network. All other ports are blocked for security and anonymity reasons. This configuration may be used to set up a wifi network which automatically routes traffic through tor.
- 1 Tor Background
- 2 Network Description
- 3 Mikrotik Network Configuration
- 4 Mikrotik Metarouter Configuration
- 5 Set up Tor Relay or Bridge (optional)
- 6 See Also
What is Tor?
Put simply, Tor is anonymity software that protects a source computer from eavesdropping by a third party. Tor routes internet packets through a series of encrypted proxies. Each proxy in the chain knows a part of the request, but not the entire request. The destination server also does not know what the source is. Tor may also be referred to as Onion routing. Tor is an open source project run by volunteers from around the world.
From the Tor web site 
"Tor is a network of virtual tunnels that allows people and groups to improve their privacy and security on the Internet. It also enables software developers to create new communication tools with built-in privacy features. Tor provides the foundation for a range of applications that allow organizations and individuals to share information over public networks without compromising their privacy."
Why use Tor?
From the Tor web site 
"Using Tor protects you against a common form of Internet surveillance known as "traffic analysis." Traffic analysis can be used to infer who is talking to whom over a public network. Knowing the source and destination of your Internet traffic allows others to track your behavior and interests. This can impact your checkbook if, for example, an e-commerce site uses price discrimination based on your country or institution of origin. It can even threaten your job and physical safety by revealing who and where you are. For example, if you're traveling abroad and you connect to your employer's computers to check or send mail, you can inadvertently reveal your national origin and professional affiliation to anyone observing the network, even if the connection is encrypted."
Tor Web Site
More information about The Tor Project is available at available at The Tor Homepage.
The network design requires that users be behind a NAT connection. The metarouter runs the Tor service and all web traffic is routed through it. By design, to protect user privacy, only port 80 tcp, port 53 udp, 8118 tcp (privoxy proxy) and port 9050 tcp (tor socks proxy) are open to users.
Mikrotik Network Configuration
Set up bridges
/interface bridge add name=torBridge add name=natBridge /interface bridge port add interface=ether2 bridge=natBridge add interface=ether3 bridge=natBridge add interface=wlan1 bridge=natBridge
These commands set up the necessary bridges and add interfaces to the natBridge. In this example, an RB433AH with wifi card is being used. Three physical ports will be added to the natBridge (ether2, ether3 and wlan1). Ether1 is the port for the internet connection.
Configure Wifi AP
/interface wireless set [find name="wlan1"] disabled=no \ mode=ap-bridge band=2.4ghz-b/g frequency=2412 ssid="Tor Anonymous Web"
This command configures wlan1 interface SSID, mode, band and channel. Settings such as wifi encryption may be adjusted as desired.
Add IP addresses
/ip address add interface=ether1 address=192.168.3.254/24 disabled=no /ip address add interface=natBridge address=10.11.1.1/24 disabled=no /ip address add interface=torBridge address=10.192.168.1/30 disabled=no
Ether1 is the internet IP address. In this example, 192.168.3.0/24 network is being used.
Configure default route (if needed)
/ip route add dst-address=0.0.0.0/0 gateway=192.168.3.7
Configure DHCP server for natBridge
/ip pool add name="nat-DHCP" ranges="10.11.1.10-10.11.1.250" /ip dhcp-server network add address=10.11.1.0/24 gateway=10.11.1.1 dns-server=10.192.168.2 /ip dhcp-server add interface="natBridge" lease-time="1:00:00" name="nat-DHCP-Server" \ address-pool="nat-DHCP" authoritative=yes disabled=no
Firewall NAT rules
/ip firewall nat # only masquerade torBridge add chain=srcnat action=masquerade src-address=10.192.168.0/30 disabled=no # transparent proxy redirect add chain=dstnat in-interface=natBridge protocol=tcp dst-port=80 \ action=redirect to-ports=8080 disabled=no # DNS, privoxy and Tor socks forward rules for natBridge add chain=dstnat in-interface=natBridge protocol=udp dst-port=53 \ action=dst-nat to-addresses=10.192.168.2 to-ports=53 disabled=no add chain=dstnat in-interface=natBridge protocol=tcp dst-port=8118 \ action=dst-nat to-addresses=10.192.168.2 to-ports=8118 disabled=no add chain=dstnat in-interface=natBridge protocol=tcp dst-port=9050 \ action=dst-nat to-addresses=10.192.168.2 to-ports=9050 disabled=no # DNS, privoxy and Tor socks forward rules for ether1 (optional) add chain=dstnat in-interface=ether1 protocol=udp dst-port=53 \ action=dst-nat to-addresses=10.192.168.2 to-ports=53 disabled=no add chain=dstnat in-interface=ether1 protocol=tcp dst-port=8118 \ action=dst-nat to-addresses=10.192.168.2 to-ports=8118 disabled=no add chain=dstnat in-interface=ether1 protocol=tcp dst-port=9050 \ action=dst-nat to-addresses=10.192.168.2 to-ports=9050 disabled=no
In this configuration, we don't want to masquerade the natBridge directly. Instead, in order to maintain anonymity, privacy and encryption, only torBridge is masqueraded. Users may only use port 80 tcp and 53 udp by default. Ports 9050 (Tor socks proxy) and 8118 (Privoxy http proxy) are also available in order for users to configure other services such as https or messaging. These nat rules also redirect all port 80 requests to Mikrotik transparent proxy.
Configure Mikrotik Transparent Proxy
/ip proxy set enabled=yes parent-proxy=10.192.168.2 parent-proxy-port=8118 \ cache-on-disk=no max-fresh-time=1h
Configure Hotspot (optional)
/ip hotspot add name="Tor" address-pool=nat-DHCP interface=natBridge idle-timeout=20m disabled=no /ip hotspot user profile set default keepalive-timeout=5m shared-users=1000 transparent-proxy=yes \ rate-limit=512k/1024k /ip hotspot user add comment="" disabled=no name=tor password=tor profile=default /ip hotspot walled-garden add action=allow comment="" disabled=no dst-host=*.torproject.org add action=allow comment="" disabled=no dst-host=*.eff.org /ip dns set servers=10.192.168.2
These commands are optional and will set up hotspot for Tor access with username tor password tor and bandwidth limiting set to 512kbps down and 1024kbps up. Hotspot login page files with a standard accept button are avilable here. Also, if DNS server is not already configured, it should be set at this time.
Mikrotik Metarouter Configuration
Download the metarouter image from the download link and upload the image to the router's root directory.
Import Metarouter image
/metarouter import-image memory-size=32 file-name=openwrt-22250-tor-image.tar.gz
After uploading the .tar.gz file to the root directory, this command will import and start the metarouter image.
Configure Metarouter name and network interface
/metarouter set 0 name=tor /metarouter interface add type=dynamic dynamic-bridge=torBridge virtual-machine=tor
The first command names the new Metarouter virtual machine. The second command sets up a dynamic interface for the metarouter the torBridge interface.
Set up scheduler to periodically reboot metarouter
/system scheduler add disabled=no interval=6h name=restartTor \ on-event="/metarouter set [find name=\"tor\"] \ disabled=no\r\ \n:delay 5\r\ \n/metarouter set [find name=\"tor\"] disabled=no" policy=\ reboot,read,write,policy,test,password,sniff,sensitive
Metarouter needs to be restarted periodically in order for the Tor image to run smoothly.
Set up Tor Relay or Bridge (optional)
The Tor Network relies on the existence of Tor relays, bridges and exit nodes. Anyone may run a relay or bridge and the Tor web site encourages this. It is also possible to run an exit node, however doing this is outside the scope of this article. More information about relays, bridges and exit nodes is available at the Tor Project web site.
Mikrotik Port Forward For Tor Bridge
If Tor bridge is desired, port 443 tcp needs to be reachable from the external network. In RouterOS:
/ip firewall nat add chain=dstnat in-interface=ether1 protocol=tcp dst-port=443 \ action=dst-nat to-addresses=10.192.168.2 to-ports=443 disabled=no
Mikrotik Port Forward For Tor Relay
If Tor relay is desired, port 9001 tcp needs to be reachable from the external network. In RouterOS:
/ip firewall nat add chain=dstnat in-interface=ether1 protocol=tcp dst-port=9001 \ action=dst-nat to-addresses=10.192.168.2 to-ports=9001 disabled=no
Metarouter console configuration
The next step is to configure Tor in the OpenWRT metarouter. There are several pre-written Tor configuration files in /etc/tor. To run a bridge or relay, copy the relevant file to the running configuration and restart Tor as in the following example. torrc.bridge is the bridge configuration, torrc.relay is the relay configuration and torrc.client is the client-only configuration. By default, the torrc.client configuration is enabled.
root@OpenWrt:/# cd /etc/tor root@OpenWrt:/etc/tor# ls -l -rw-r--r-- 1 root root 7141 Aug 18 00:44 torrc -rw-r--r-- 1 500 500 7219 Aug 18 00:43 torrc.bridge -rw-r--r-- 1 500 500 7143 Aug 8 00:49 torrc.client -rw-r--r-- 1 500 500 7141 Aug 8 02:16 torrc.relay root@OpenWrt:/etc/tor# cp torrc.relay torrc root@OpenWrt:/etc/tor# /etc/init.d/tor stop root@OpenWrt:/etc/tor# /etc/init.d/tor start Aug 18 00:45:18.889 [notice] Tor v0.2.1.26. This is experimental software. Do no t rely on it for strong anonymity. (Running on Linux mips) Aug 18 00:45:18.923 [notice] Choosing default nickname 'openwrt' Aug 18 00:45:18.925 [notice] Your ContactInfo config option is not set. Please c onsider setting it, so we can contact you if your server is misconfigured or som ething else goes wrong. Aug 18 00:45:18.954 [notice] Initialized libevent version 1.4.13-stable using me thod epoll. Good. Aug 18 00:45:18.960 [notice] Opening OR listener on 0.0.0.0:9001 Aug 18 00:45:18.964 [notice] Opening Socks listener on 10.192.168.2:9050 Aug 18 00:45:18.966 [notice] Opening DNS listener on 10.192.168.2:53 root@OpenWrt:/etc/tor#
Occasionally, errors will be displayed when restarting Tor. This is because sometimes Tor does not die as it should when the stop command is issued. If errors are displayed, try the /etc/init.d/tor stop command a few more times until tor is able to be started by a tor start command. Alternatively, the metarouter may be rebooted to get everything set up properly. Tor logs are available in /var/log/tor/notices.log.