Routers as Tor bridges

Rob van der Hoeven
Tue Dec 06 2011

Most of the readers of this blog will probably know the Tor project. One of the problems that Tor has encountered is that all nodes of the Tor network are public: the relays are listed in the Tor directory. This enabled governments to block all IP addresses of the Tor nodes, preventing anyone behind their firewall from using Tor. To solve this problem the Tor project created a pool of unlisted Tor nodes known as bridges. If a user gets blocked, he/she can ask for the IP address of (only) one of these unlisted Tor nodes and use this node as the entry point to the rest of the Tor network.

The function of a Tor bridge is simple: provide an unlisted IP address that blocked users can use to connect to the rest of the Tor network. You can run a full Tor node at the unlisted address, but you don't have to. Forwarding the traffic from the unlisted address to a public Tor node will provide the same functionality and can be done by a simple router.

How to configure a router to forward Tor traffic?

Forwarding traffic from the internet to your local network is very easy. Every router has a nice UI that can be used to do this. Forwarding traffic from the internet to another IP address in the internet zone (WAN to WAN) is slightly more complicated. This type of forwarding is so uncommon that most (all?) routers simply leave it out of the UI.

The first step you have to take if you want your router to forward Tor traffic is to replace the firmware with less limited free software. I replaced the firmware of my TP-Link router with OpenWrt. With OpenWrt you have access to all the functions of your router.

With full control of your router, forwarding Tor traffic is simple. I started an ssh connection to my router and typed the following three commands:

iptables -t nat -I PREROUTING -i eth0.2 -p tcp --dst <wan-ip> --dport 443 -j DNAT --to-destination <relay-ip>
iptables -t nat -I POSTROUTING -o eth0.2 -p tcp --dst <relay-ip> --dport 443 -j SNAT --to-source <wan-ip>
iptables -I FORWARD -o eth0.2 -p tcp --dst <relay-ip> -j ACCEPT

eth0.2       WAN interface of the router's internal switch
<wan-ip>     the router's WAN IP address
<relay-ip>   IP address of the rainbowwarrior Tor node

The first command tells the iptables firewall to translate the destination of packets that arrive on the WAN interface addressed to the WAN IP address on port 443 into the address of the rainbowwarrior Tor node; other traffic on port 443 (for example LAN clients browsing HTTPS sites) is not touched because it is not addressed to the router itself. The second command changes the source address of the forwarded packets leaving the system into the WAN address. This is necessary: the original source address is the blocked user's own internet address, and without the SNAT the Tor node would answer that user directly, with packets that come from the Tor node's address instead of the bridge address the user connected to. With the SNAT the answers come back to the router, which reverses both translations. The last command allows traffic with the rainbowwarrior Tor node as destination to pass through the system; OpenWrt's default firewall does not forward WAN-to-WAN traffic. Two consequences worth knowing: the Tor node sees every bridged user as coming from the router's WAN IP address, and the router only ever sees the TLS-encrypted Tor traffic, because the TLS session is set up between the user's Tor client and the Tor node, not with the router. Note also that rules typed on the command line are lost when the router reboots or the firewall is restarted; on OpenWrt they belong in /etc/firewall.user to be reloaded automatically.

That's it. I checked this using a remote system and it seems to work. Double checking with Wireshark showed all traffic was routed through my router-bridge.
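The same three rules as a small POSIX sh script, added here as an example rather than taken from the original post. It builds the rules from variables so they can be printed and reviewed before they are applied, and it adds a check that the rules are actually loaded. It is written for the busybox ash found on OpenWrt and can be dropped into /etc/firewall.user. The addresses in it (198.51.100.7, 203.0.113.9) are placeholders from the RFC 5737 documentation ranges and the function names are my own; substitute your WAN address and the address of the relay you forward to.

```shell
#!/bin/sh
# Added example (not the post's own commands): generate, apply and check the
# iptables rules that turn an OpenWrt router into a forwarding Tor bridge.
# Addresses are placeholders (RFC 5737 documentation ranges), not real hosts.

WAN_IF="${WAN_IF:-eth0.2}"          # WAN interface of the router's internal switch
WAN_IP="${WAN_IP:-198.51.100.7}"    # placeholder: the router's public (WAN) address
RELAY_IP="${RELAY_IP:-203.0.113.9}" # placeholder: the public Tor relay to forward to
RELAY_PORT="${RELAY_PORT:-443}"     # ORPort of that relay

# Print the three rules, one per line, for the given interface, WAN address,
# relay address and port. Printing first keeps the rules reviewable and makes
# the function testable without root or iptables installed.
tor_bridge_rules() {
    wan_if="$1"; wan_ip="$2"; relay_ip="$3"; port="$4"
    # 1. Packets arriving on the WAN interface for *this router* on the ORPort
    #    get their destination rewritten to the relay (other port-443 traffic
    #    passing through the router is not addressed to wan_ip and is left alone).
    echo "iptables -t nat -I PREROUTING -i $wan_if -p tcp -d $wan_ip --dport $port -j DNAT --to-destination $relay_ip:$port"
    # 2. Forwarded packets leave with the router's address as source, so the
    #    relay replies to the router (which reverses both translations) rather
    #    than straight to the blocked user.
    echo "iptables -t nat -I POSTROUTING -o $wan_if -p tcp -d $relay_ip --dport $port -j SNAT --to-source $wan_ip"
    # 3. OpenWrt's FORWARD chain does not pass WAN-to-WAN traffic by default.
    echo "iptables -I FORWARD -o $wan_if -p tcp -d $relay_ip --dport $port -j ACCEPT"
}

# Execute the generated rules; sh -e stops at the first rule that fails.
apply_tor_bridge_rules() {
    tor_bridge_rules "$@" | sh -e
}

# Post-apply check: each grep prints the loaded rule or fails, so the function's
# exit status tells you whether all three rules are present.
check_tor_bridge_rules() {
    wan_if="$1"; wan_ip="$2"; relay_ip="$3"; port="$4"
    iptables -t nat -S PREROUTING  | grep -F -- "--to-destination $relay_ip:$port" &&
    iptables -t nat -S POSTROUTING | grep -F -- "--to-source $wan_ip" &&
    iptables -S FORWARD            | grep -F -- "-d $relay_ip/32"
}

case "${1:-}" in
    show)  tor_bridge_rules       "$WAN_IF" "$WAN_IP" "$RELAY_IP" "$RELAY_PORT" ;;
    apply) apply_tor_bridge_rules "$WAN_IF" "$WAN_IP" "$RELAY_IP" "$RELAY_PORT" ;;
    check) check_tor_bridge_rules "$WAN_IF" "$WAN_IP" "$RELAY_IP" "$RELAY_PORT" ;;
esac
```

Run `sh tor-bridge.sh show` to review the rules, `apply` as root on the router to load them, and `check` afterwards; the `check` output is what the remote test in the post confirms from the outside. A blocked user then points their Tor client at the router with `UseBridges 1` and `Bridge <wan-ip>:443` in torrc.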