Anonymizing Middlebox: a Tor transparent proxy with Shorewall

Tor is a very useful tool for obtaining online privacy. In my case I would like to use my server as an Anonymizing Middlebox.

My setup:
Device > OpenVPN tunnel > Server (local services such as Samba or XMPP can be used without Tor) > Tor transparent proxy > The rest of the world!

The first step is to enable the transparent proxy functionality in Tor on the server by adding the following lines to /etc/tor/torrc. VirtualAddrNetworkIPv4 together with AutomapHostsOnResolve makes Tor answer lookups of .onion names (coming in on the DNSPort) with a placeholder address from 10.192.0.0/10, which Tor maps back to the hidden service when the connection for that address later arrives on the TransPort. TransPort receives the TCP connections the firewall will redirect, DNSPort resolves the VPN clients' DNS queries through Tor, and the two SocksPolicy lines restrict Tor's client-facing ports to the VPN subnet. Replace <$_PROXY_IP_> with a local address of the server (the firewall redirects to it, so it must not be 0.0.0.0) and <$VPN_SUBNET/MASK> with the subnet your VPN clients get:

VirtualAddrNetworkIPv4 10.192.0.0/10
AutomapHostsOnResolve 1
TransPort <$_PROXY_IP_>:9040
DNSPort <$_PROXY_IP_>:5354
SocksPolicy accept <$VPN_SUBNET/MASK>
SocksPolicy reject *

After restarting the Tor service the transparent proxy should be running. Check that Tor listens on ports 9040 and 5354 of the proxy address only, and that a lookup of a .onion name against the DNSPort returns an address inside 10.192.0.0/10; if it returns NXDOMAIN or a public address, the automap settings are not active.

Next up: configuring Shorewall on the server to route traffic into the proxy. I want to route all TCP traffic from my VPN zone through Tor. If your setup looks different, you should of course modify the rules. Instead of a zone, you can also specify an IP address as SOURCE to "Torify" a single device's traffic. Shorewall's DNAT action generates both the nat-table redirect and the companion ACCEPT rule for the firewall zone, so no separate ACCEPT for ports 9040 and 5354 is needed.

/etc/shorewall/rules

#ACTION SOURCE DEST PROTO DPORT SPORT ORIG_DEST
DNAT vpn $FW:<$_PROXY_IP_>:5354 udp,tcp 53
DNAT vpn $FW:<$_PROXY_IP_>:9040 tcp - - 10.192.0.0/10
DNAT vpn $FW:<$_PROXY_IP_>:9040 tcp - - !<$_EXCL_RANGES_>

In the last column (replacing <$_EXCL_RANGES_>) you need a comma-separated list of all IP ranges or addresses you don't want to proxy through Tor. The Tor Project provides a list of ranges you certainly need to include. I needed my own external IP on the list too.

The order of the two TransPort rules matters: 10.0.0.0/8 is on the exclusion list, and it contains the 10.192.0.0/10 placeholder range that .onion names resolve to, so the rule for 10.192.0.0/10 has to come before the rule with the exclusions or .onion traffic would be sent out unproxied and fail. Two further caveats: these rules only catch TCP and port 53, so whatever the vpn-to-net policy in /etc/shorewall/policy allows for other traffic (UDP other than DNS, ICMP) leaves the server without Tor; add a REJECT for it unless you want that. And everything here is IPv4 (VirtualAddrNetworkIPv4, the ranges below), so if your VPN clients have IPv6 connectivity through the server, block it or it will bypass Tor as well.

0.0.0.0/8
10.0.0.0/8
100.64.0.0/10
127.0.0.0/8
169.254.0.0/16
172.16.0.0/12
192.0.0.0/24
192.0.2.0/24
192.168.0.0/16
192.88.99.0/24
198.18.0.0/15
198.51.100.0/24
203.0.113.0/24
224.0.0.0/3
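To see the effect of the rule order before touching the firewall, here is a small shell model of the decision the three DNAT rules above make for a packet from the VPN zone. This is an added example, not code from the original post; the function names (ip2int, in_cidr, torify_decision) and the sample packets are mine, and the exclusion list is the one from the post.

```shell
#!/bin/sh
# Added example (not from the original post): a pure-shell model of the
# Shorewall DNAT decision above, so you can check which way a given
# (destination, protocol, port) from the VPN zone would be sent.

# Exclusion list from the post. Append your server's own public address
# as a /32 (the author needed that too), e.g. "... 198.51.100.7/32".
EXCL_RANGES="0.0.0.0/8 10.0.0.0/8 100.64.0.0/10 127.0.0.0/8 169.254.0.0/16
172.16.0.0/12 192.0.0.0/24 192.0.2.0/24 192.168.0.0/16 192.88.99.0/24
198.18.0.0/15 198.51.100.0/24 203.0.113.0/24 224.0.0.0/3"

# VirtualAddrNetworkIPv4 from torrc: .onion names resolved through the
# DNSPort get a placeholder address in this range.
ONION_NET=10.192.0.0/10

# Dotted quad -> 32-bit integer. Octets must not have leading zeros
# ("010" would be read as octal by the shell's arithmetic).
ip2int() {
  old_ifs=$IFS; IFS=.; set -- $1; IFS=$old_ifs
  echo $(( ($1 << 24) | ($2 << 16) | ($3 << 8) | $4 ))
}

# in_cidr ADDR NET/BITS -> exit status 0 if ADDR lies inside NET/BITS
in_cidr() {
  net=${2%/*}; bits=${2#*/}
  if [ "$bits" -eq 0 ]; then return 0; fi
  mask=$(( (0xFFFFFFFF << (32 - bits)) & 0xFFFFFFFF ))
  [ $(( $(ip2int "$1") & mask )) -eq $(( $(ip2int "$net") & mask )) ]
}

# torify_decision DEST PROTO DPORT -> prints one of:
#   dns        redirected to Tor's DNSPort (first rule: udp,tcp 53)
#   tor        redirected to Tor's TransPort
#   direct     excluded range, leaves the server unproxied
#   unhandled  matched by no DNAT rule; whatever the vpn->net policy
#              allows here (UDP, ICMP, ...) bypasses Tor
torify_decision() {
  dest=$1; proto=$2; dport=$3
  if [ "$dport" -eq 53 ] && { [ "$proto" = udp ] || [ "$proto" = tcp ]; }; then
    echo dns; return 0
  fi
  if [ "$proto" != tcp ]; then
    echo unhandled; return 0
  fi
  # Rule order: the onion range sits inside the excluded 10.0.0.0/8, so
  # it must be matched before the exclusion list is consulted.
  if in_cidr "$dest" "$ONION_NET"; then
    echo tor; return 0
  fi
  for range in $EXCL_RANGES; do
    if in_cidr "$dest" "$range"; then
      echo direct; return 0
    fi
  done
  echo tor
}

# Sample packets (constructed for this example, not captured traffic).
for pkt in "93.184.216.34 tcp 443" "10.192.1.1 tcp 80" "10.8.0.1 tcp 445" \
           "8.8.8.8 udp 53" "93.184.216.34 udp 123" "239.1.1.1 tcp 80"; do
  set -- $pkt
  printf '%-15s %-4s %5s -> %s\n' "$1" "$2" "$3" "$(torify_decision "$1" "$2" "$3")"
done
```

The case 10.192.1.1 shows why the first TransPort rule exists: swap the two rules in your head (check the exclusion list first) and that packet would come out as "direct", i.e. the .onion connection would never reach Tor. The "unhandled" line for UDP 123 is the leak the caveat above is about.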

That's all folks. Please note: routing a normal browser through Tor hides your IP address, not your identity. The browser still exposes its fingerprint, cookies, plugins and similar identifiers, so this is no replacement for the Tor Browser. Take a look at the different tests on
https://browserleaks.com/
or https://panopticlick.eff.org/ to find out more about your browser's fingerprint. For more info about Tor Browser's privacy measures and a way to implement them in Firefox yourself, please read https://www.torproject.org/projects/torbrowser/design.

Note: In Firefox you have to set network.dns.blockDotOnion to false in about:config to visit .onion sites.

Read https://trac.torproject.org/projects/tor/wiki/doc/TransparentProxy for more info and other examples.

Consider donating bandwidth to the Tor network by running your own relay!
