Anonymizing Middlebox: a Tor transparent proxy with Shorewall

Anonymizing Middlebox: a Tor transparent proxy with Shorewall

Anonymizing Middlebox: a Tor transparent proxy with Shorewall

Tor is a very useful tool for obtaining online privacy. In my case I would like to use my server as an Anonymizing Middlebox.

My setup:
Device > OpenVPN tunnel > Server (local services such as Samba or XMPP can be used without Tor) > Tor transparent proxy > The rest of the world!

The first step is to enable the transparent proxy functionality in Tor on the server. To achieve this, you need to add the following lines to /etc/tor/torrc:

AutomapHostsOnResolve 1
TransPort <$_PROXY_IP_>:9040
DNSPort <$_PROXY_IP_>:5354
SocksPolicy accept <$VPN_SUBNET/MASK>
SocksPolicy reject *

After restarting the Tor service the transparent proxy should be running.

Next up: configuring Shorewall on the server to route traffic into the proxy. I want to route all tcp traffic from my VPN zone trough Tor. If your setup looks different, you should of course modify the rules. Instead of zones, you can also specify an ip address to “Torify” a single device’s traffic.


DNAT vpn $FW:<$_PROXY_IP_>:5354 udp,tcp 53
DNAT vpn $FW:<$_PROXY_IP_>:9040 tcp - -
DNAT vpn $FW:<$_PROXY_IP_>:9040 tcp - - !<$_EXCL_RANGES_>

In the latest column (replacing <$_EXCL_RANGES_>) you need a comma seperated list of all ip ranges or addresses you don’t want to proxy trough tor. The Tor Project provides a list of ranges you certainly need to include. I needed my own external ip on the list too.

That’s all folks. Please note: your device’s browser reveals your identity by default. This is no replacement for the Tor Browser. Take a look at the different tests on
or to find out more about your browsers fingerprint. For more info about Tor Browser’s privacy measures and a way to implement them in Firefox yourself, please read

Note: In Firefox you have to set network.dns.blockDotOnion to false in about:config to visit .onion sites.

Read for more info and other examples.

Consider to donate bandwith to the Tor network by running your own relay!

Leave a Reply

Your email address will not be published. Required fields are marked *