[tor-talk] transparent tor routers
Aeris
aeris+tor at imirhil.fr
Mon Jan 18 22:11:30 UTC 2016
> Besides some extra torrc entries, only a few simple firewall rules are
> needed.
Not so simple firewall rules.
You must avoid Tor inside Tor (worse privacy than Tor only), so if one of the
users already uses Tor (Tor Browser or native client), you don’t want to
re-torify his traffic.
Only feasible with 2 access points (1 for naked client, 1 for already Tor
user), or better (avoid explanation/rtfm for the users) with ipset rules to
discriminate traffic.
And if ipset, need some smart script (python + stem) to regenerate rules
regularly from Tor consensus.
AFAIK, small routers (such as Olimex) don’t have an RTC, so your clock is borked
at boot time and must be set manually if you want your Tor client to be able to
connect (it doesn’t support clock drift of more than a few hours).
And then, for a fully automated device targeted at non-savvy users, and more
difficult if you want no non-Tor traffic at all (NTP forbidden because of UDP),
you need some other tricks like htpdate or inotify, requiring perl and
python.
> I can also assure you that Tor works quite well on the router hardware
> mentioned above. I'm only playing with the hardware but I have not
> encountered any problems yet. Performance is OK too.
The problem is not to have a working Tor client with transparent proxying, but
a **correct** working Tor client with **correct** transparent proxying.
Or you’re just doing yet-another-anonabox-crap.
With a few MB of memory and MHz of CPU, you just have enough to run a standalone
Tor client; all other things (ipset, python, stem, perl, ca-certificates, web
server for webUI config…) can’t fit inside.
And you have a problem with Tor upgrades too (not possible on OpenWRT without tech
skills and a reflash).
Regards,
--
Aeris
Individual crypto-terrorist group self-radicalized on the digital Internet
https://imirhil.fr/
Protect your privacy, encrypt your communications
GPG : EFB74277 ECE4E222
OTR : 5769616D 2D3DAC72
https://café-vie-privée.fr/
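
Added example (not part of the original message and not Tor Project code): one way to regenerate the relay ipset mentioned above from a consensus, so a firewall can leave traffic already headed to Tor relays out of the transparent redirect. It parses the consensus "r" lines directly instead of using stem, handles IPv4 only, and the set names and sample consensus are constructed for illustration.

```python
import ipaddress

# Constructed sample in the consensus "r" line layout (documentation-range IPs).
SAMPLE_CONSENSUS = """\
network-status-version 3 microdesc
r relayA AAAAAAAAAAAAAAAAAAAAAAAAAAA 2016-01-18 12:00:00 192.0.2.10 9001 9030
s Fast Guard Running Stable Valid
r relayB BBBBBBBBBBBBBBBBBBBBBBBBBBB CCCCCCCCCCCCCCCCCCCCCCCCCCC 2016-01-18 12:00:00 198.51.100.7 443 0
s Exit Fast Running Valid
r broken DDDDDDDDDDDDDDDDDDDDDDDDDDD 2016-01-18 12:00:00 999.1.1.1 9001 0
"""

def relay_endpoints(consensus_text):
    """Return sorted unique (ip, port) pairs for relay ORPorts and DirPorts."""
    endpoints = set()
    for line in consensus_text.splitlines():
        fields = line.split()
        # "r" lines end with: IP ORPort DirPort (in both consensus flavours).
        if len(fields) < 8 or fields[0] != "r":
            continue
        try:
            ip = ipaddress.IPv4Address(fields[-3])
            ports = [int(fields[-2]), int(fields[-1])]
        except ValueError:
            continue  # malformed entry: skip rather than emit a bad rule
        for port in ports:
            if 0 < port < 65536:  # a DirPort of 0 means "no DirPort"
                endpoints.add((ip, port))
    return sorted(endpoints)

def ipset_restore_script(endpoints, live="tor-relays", tmp="tor-relays-new"):
    """Build `ipset restore` input that swaps the new set in atomically."""
    lines = [
        f"create {live} hash:ip,port family inet -exist",
        f"create {tmp} hash:ip,port family inet -exist",
        f"flush {tmp}",
    ]
    lines += [f"add {tmp} {ip},tcp:{port}" for ip, port in endpoints]
    # swap keeps the live set populated while rules are regenerated
    lines += [f"swap {tmp} {live}", f"destroy {tmp}"]
    return "\n".join(lines) + "\n"

if __name__ == "__main__":
    print(ipset_restore_script(relay_endpoints(SAMPLE_CONSENSUS)), end="")
```

The output is meant to be piped to `ipset restore` on a schedule; the firewall rule that matches the set (destination address and port) has to sit before the transparent-proxy redirect.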