Tor on OpenWrt

Prerequisites

  • An OpenWrt system (a Raspberry Pi 3B is recommended)
  • A censorship-circumvention proxy, either
    • Option 1: a SOCKS5 proxy (configured via Socks5Proxy in torrc)
    • Option 2: a shadowsocks upstream router (no extra configuration needed)

Installing Tor

$ opkg update
$ opkg install tor

$ vi /etc/tor/torrc
$ vi /etc/config/dhcp
$ vi /etc/firewall.user

$ /etc/init.d/tor restart
$ /etc/init.d/dnsmasq restart
$ /etc/init.d/firewall restart

Configuring Tor

# /etc/tor/torrc

RunAsDaemon 0
DataDirectory /var/lib/tor
User tor
#Socks5Proxy 127.0.0.1:1080
SocksPort 0.0.0.0:9050
TransPort 0.0.0.0:9040
DNSPort 0.0.0.0:9053
AvoidDiskWrites 1

Socks5 proxy (optional)

The configuration above applies to option 2. If you use option 1, uncomment the Socks5Proxy line in torrc, and additionally run ss-local and have it start at boot.

# /etc/rc.local

ss-local -c /etc/shadowsocks.json -f /var/run/ss-local.pid

exit 0

# /etc/shadowsocks.json

{
    "server": "1.2.3.4",
    "server_port": 8388,
    "local_address": "127.0.0.1",
    "local_port": 1080,
    "password": "******",
    "timeout": 60,
    "method": "chacha20",
    "auth": true
}

Configuring DNS

# /etc/config/dhcp

config dnsmasq
	option noresolv '1'
	list server '127.0.0.1#9053'

Configuring the firewall

# /etc/firewall.user

iptables -t nat -X TOR
iptables -t nat -N TOR
iptables -t nat -A TOR -d 0.0.0.0/8 -j RETURN
iptables -t nat -A TOR -d 10.0.0.0/8 -j RETURN
iptables -t nat -A TOR -d 127.0.0.0/8 -j RETURN
iptables -t nat -A TOR -d 169.254.0.0/16 -j RETURN
iptables -t nat -A TOR -d 172.16.0.0/12 -j RETURN
iptables -t nat -A TOR -d 192.168.0.0/16 -j RETURN
iptables -t nat -A TOR -d 224.0.0.0/4 -j RETURN
iptables -t nat -A TOR -d 240.0.0.0/4 -j RETURN
iptables -t nat -A TOR -p udp --dport 53 -j REDIRECT --to-ports 9053
iptables -t nat -A TOR -p tcp --syn -j REDIRECT --to-ports 9040
iptables -t nat -A PREROUTING -i br-lan -j TOR

Replace br-lan with the correct interface name for your setup, and complete the rest of the firewall configuration as needed.
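An added check (example code, not from the original post): the function below replays the nat/TOR chain above rule by rule for a given destination, protocol and port, the way netfilter does for the first packet of a connection, so you can see which LAN traffic is actually handed to Tor. It makes the limit of this setup visible: only TCP connections and UDP port 53 are redirected, while any other UDP traffic (NTP, for instance) and ICMP match no rule and leave the router directly.

```python
import ipaddress
import shlex

# Constructed copy of the post's nat/TOR chain (only the -A TOR rules matter here).
FIREWALL_USER = """
iptables -t nat -A TOR -d 0.0.0.0/8 -j RETURN
iptables -t nat -A TOR -d 10.0.0.0/8 -j RETURN
iptables -t nat -A TOR -d 127.0.0.0/8 -j RETURN
iptables -t nat -A TOR -d 169.254.0.0/16 -j RETURN
iptables -t nat -A TOR -d 172.16.0.0/12 -j RETURN
iptables -t nat -A TOR -d 192.168.0.0/16 -j RETURN
iptables -t nat -A TOR -d 224.0.0.0/4 -j RETURN
iptables -t nat -A TOR -d 240.0.0.0/4 -j RETURN
iptables -t nat -A TOR -p udp --dport 53 -j REDIRECT --to-ports 9053
iptables -t nat -A TOR -p tcp --syn -j REDIRECT --to-ports 9040
"""

# iptables option -> (rule key, value converter); --syn takes no argument
OPTS = {"-d": ("dst", ipaddress.ip_network), "-p": ("proto", str), "--dport":
        ("dport", int), "-j": ("target", str), "--to-ports": ("to_port", int)}

def parse_rules(text):
    """Parse 'iptables -t nat -A TOR ...' lines into ordered match dicts."""
    rules = []
    for line in text.strip().splitlines():
        argv = shlex.split(line)
        if argv[:5] != ["iptables", "-t", "nat", "-A", "TOR"]:
            continue                      # not an append to the TOR chain
        rule = {"syn": False}
        args = iter(argv[5:])
        for opt in args:
            if opt == "--syn":
                rule["syn"] = True
            else:
                key, conv = OPTS[opt]     # KeyError on an unknown option
                rule[key] = conv(next(args))
        rules.append(rule)
    return rules

def classify(rules, dst, proto, dport, syn=True):
    """First matching rule decides: 'RETURN' (sent directly, not via Tor),
    ('REDIRECT', port) (handed to Tor), or 'PASSTHROUGH' (no rule matched)."""
    addr = ipaddress.ip_address(dst)
    for r in rules:
        # a missing match field matches anything, hence the .get() defaults
        if ("dst" in r and addr not in r["dst"]) or r.get("proto", proto) != proto \
                or r.get("dport", dport) != dport or (r["syn"] and not syn):
            continue
        return "RETURN" if r["target"] == "RETURN" else ("REDIRECT", r["to_port"])
    return "PASSTHROUGH"
```

A PASSTHROUGH result for a public destination means that traffic bypasses Tor entirely; if that matters for your setup, add explicit REJECT rules for it in the filter table.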

Debugging Tor

$ /etc/init.d/tor stop
$ tor
Aug 16 11:49:43.222 [notice] Tor v0.2.7.6 running on Linux with Libevent 2.0.22-stable, OpenSSL 1.0.2h and Zlib 1.2.8.
Aug 16 11:49:43.223 [notice] Tor can't help you if you use it wrong! Learn how to be safe at https://www.torproject.org/download/download#warning
Aug 16 11:49:43.223 [notice] Read configuration file "/etc/tor/torrc".
Aug 16 11:49:43.250 [warn] You specified a public address '0.0.0.0:9050' for SocksPort. Other people on the Internet might find your computer and use it as an open proxy. Please don't allow this unless you have a good reason.
Aug 16 11:49:43.250 [warn] You specified a public address '0.0.0.0:9053' for DNSPort. Other people on the Internet might find your computer and use it as an open proxy. Please don't allow this unless you have a good reason.
Aug 16 11:49:43.250 [warn] You specified a public address '0.0.0.0:9040' for TransPort. Other people on the Internet might find your computer and use it as an open proxy. Please don't allow this unless you have a good reason.
Aug 16 11:49:43.251 [notice] Opening Socks listener on 0.0.0.0:9050
Aug 16 11:49:43.251 [notice] Opening DNS listener on 0.0.0.0:9053
Aug 16 11:49:43.251 [notice] Opening Transparent pf/netfilter listener on 0.0.0.0:9040
Aug 16 11:49:44.000 [notice] Bootstrapped 0%: Starting
Aug 16 11:49:46.000 [notice] Bootstrapped 5%: Connecting to directory server
Aug 16 11:49:46.000 [notice] Bootstrapped 80%: Connecting to the Tor network
Aug 16 11:49:46.000 [notice] Bootstrapped 85%: Finishing handshake with first hop
Aug 16 11:49:53.000 [notice] Bootstrapped 90%: Establishing a Tor circuit
Aug 16 11:49:58.000 [notice] Tor has successfully opened a circuit. Looks like client functionality is working.
Aug 16 11:49:58.000 [notice] Bootstrapped 100%: Done
^C
$ /etc/init.d/tor start

References