Tor is a very useful tool for obtaining online privacy. In my case I would like to use my server as an Anonymizing Middlebox.
My setup:
Device > OpenVPN tunnel > Server (local services such as Samba or XMPP can be used without Tor) > Tor transparent proxy > The rest of the world!
The first step is to enable the transparent proxy functionality in Tor on the server. To achieve this, you need to add the following lines to /etc/tor/torrc:
VirtualAddrNetworkIPv4 10.192.0.0/10
AutomapHostsOnResolve 1
TransPort <$_PROXY_IP_>:9040
DNSPort <$_PROXY_IP_>:5354
SocksPolicy accept <$VPN_SUBNET/MASK>
SocksPolicy reject *
After restarting the Tor service the transparent proxy should be running.
Next up: configuring Shorewall on the server to route traffic into the proxy. I want to route all TCP traffic from my VPN zone through Tor. If your setup looks different, you should of course modify the rules. Instead of zones, you can also specify an IP address to “Torify” a single device’s traffic.
/etc/shorewall/rules
#ACTION | SOURCE | DEST | PROTO | DPORT | SPORT | ORIG_DEST |
DNAT | vpn | $FW:<$_PROXY_IP_>:5354 | udp,tcp | 53 | - | - |
DNAT | vpn | $FW:<$_PROXY_IP_>:9040 | tcp | - | - | 10.192.0.0/10 |
DNAT | vpn | $FW:<$_PROXY_IP_>:9040 | tcp | - | - | !<$_EXCL_RANGES_> |
In the last column (replacing <$_EXCL_RANGES_>) you need a comma-separated list of all IP ranges or addresses you don’t want to proxy through Tor. The Tor Project provides a list of ranges you certainly need to include. I needed my own external IP on the list too.
0.0.0.0/8
10.0.0.0/8
100.64.0.0/10
127.0.0.0/8
169.254.0.0/16
172.16.0.0/12
192.0.0.0/24
192.0.2.0/24
192.168.0.0/16
192.88.99.0/24
198.18.0.0/15
198.51.100.0/24
203.0.113.0/24
224.0.0.0/3
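The two port-9040 rules only work in this order, because 10.192.0.0/10 lies inside the excluded 10.0.0.0/8 and Shorewall takes the first matching rule. As an added example (not part of the post), the Python helper below checks an exclusion list against the ranges above, renders the rules with concrete values, and emulates which destinations would be sent to Tor; the proxy IP 10.8.0.1 and the external address 203.0.113.7 are constructed placeholders.

```python
import ipaddress

# Ranges the exclusion list must cover, as listed in the post.
TOR_EXCLUDED_RANGES = [
    "0.0.0.0/8", "10.0.0.0/8", "100.64.0.0/10", "127.0.0.0/8",
    "169.254.0.0/16", "172.16.0.0/12", "192.0.0.0/24", "192.0.2.0/24",
    "192.168.0.0/16", "192.88.99.0/24", "198.18.0.0/15",
    "198.51.100.0/24", "203.0.113.0/24", "224.0.0.0/3",
]
# VirtualAddrNetworkIPv4 from torrc: .onion names resolve into this block.
VIRTUAL_ADDR_NET = ipaddress.ip_network("10.192.0.0/10")


def missing_exclusions(excl, required=TOR_EXCLUDED_RANGES):
    """Return the required ranges not covered by any entry in `excl`."""
    nets = [ipaddress.ip_network(e, strict=False) for e in excl]
    return [r for r in required
            if not any(ipaddress.ip_network(r).subnet_of(n) for n in nets)]


def render_shorewall_rules(proxy_ip, excl):
    """Fill the three DNAT rules with concrete values (whitespace columns,
    as in /etc/shorewall/rules)."""
    fw = f"$FW:{proxy_ip}"
    return "\n".join([
        "#ACTION  SOURCE  DEST  PROTO  DPORT  SPORT  ORIG_DEST",
        f"DNAT  vpn  {fw}:5354  udp,tcp  53  -  -",
        f"DNAT  vpn  {fw}:9040  tcp  -  -  {VIRTUAL_ADDR_NET}",
        f"DNAT  vpn  {fw}:9040  tcp  -  -  !{','.join(excl)}",
    ])


def goes_through_tor(dst, excl):
    """Emulate the two port-9040 rules in order: is TCP to `dst` DNATed
    into the transparent proxy?"""
    ip = ipaddress.ip_address(dst)
    if ip in VIRTUAL_ADDR_NET:        # rule 2: automapped .onion address
        return True
    nets = [ipaddress.ip_network(e, strict=False) for e in excl]
    return not any(ip in n for n in nets)  # rule 3: everything not excluded


if __name__ == "__main__":
    excl = TOR_EXCLUDED_RANGES + ["203.0.113.7/32"]   # constructed external IP
    print("missing:", missing_exclusions(excl))
    print(render_shorewall_rules("10.8.0.1", excl))
    for dst in ("10.200.1.1", "10.8.0.1", "8.8.8.8"):
        print(dst, "-> Tor" if goes_through_tor(dst, excl) else "-> direct")
```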
That’s all folks. Please note: your device’s browser reveals your identity by default. This is no replacement for the Tor Browser. Take a look at the different tests on
https://browserleaks.com/ or https://panopticlick.eff.org/ to find out more about your browser’s fingerprint. For more info about Tor Browser’s privacy measures and a way to implement them in Firefox yourself, please read https://www.torproject.org/projects/torbrowser/design.
Note: In Firefox you have to set network.dns.blockDotOnion to false in about:config to visit .onion sites.
Read https://trac.torproject.org/projects/tor/wiki/doc/TransparentProxy for more info and other examples.
Consider donating bandwidth to the Tor network by running your own relay!