Most of the readers of this blog will probably know the Tor project. One of the problems that Tor has encountered is that all nodes of the Tor network are public. This enabled governments to block all IP addresses of the Tor nodes, preventing anyone behind their firewall from using Tor. To solve this problem the Tor project created a pool of unlisted Tor nodes known as bridges. If a user gets blocked, he/she can ask for the IP address of (only) one of these unlisted Tor nodes and use this node as the entry point to the rest of the Tor network.
The function of a Tor bridge is simple: provide an unlisted IP address that blocked users can use to connect to the rest of the Tor network. You can run a full Tor node at the unlisted address, but you don’t have to. Forwarding the traffic from the unlisted address to a public Tor node will provide the same functionality and can be done by a simple router.
How to configure a router to forward Tor traffic?
Forwarding traffic from the internet to your local network is very easy. Every router has a nice UI that can be used to do this. Forwarding traffic from the internet to another IP address in the internet zone is slightly more complicated. This type of forwarding is so uncommon that most (all?) routers simply leave it out of the UI.
The first step you have to take if you want your router to forward Tor traffic is to replace the firmware with less limited free software. I replaced the firmware of my TP-Link router with OpenWrt. With OpenWrt you have access to all the functions of your router.
With full control of your router, forwarding Tor traffic is simple. I started an ssh connection to my router and typed the following three commands:
iptables -t nat -i eth0.2 -I PREROUTING -p tcp --dst xxx.xxx.xxx.xxx --dport 443 -j DNAT --to-destination 77.247.181.164:443
iptables -t nat -o eth0.2 -I POSTROUTING -p tcp --dst 77.247.181.164 --dport 443 -j SNAT --to-source xxx.xxx.xxx.xxx
iptables -I FORWARD -o eth0.2 -p tcp --dst 77.247.181.164 -j ACCEPT
Where:
| Value | Meaning |
| --- | --- |
| eth0.2 | WAN interface of the internal router switch |
| xxx.xxx.xxx.xxx | WAN IP address of the router |
| 77.247.181.164 | IP address of the rainbowwarrior Tor node |
The first command tells the iptables firewall to translate the WAN IP address to the address of the rainbowwarrior Tor node if the destination port is 443. The second command changes the source address of packets leaving the system into the WAN address. The last command allows traffic with the rainbowwarrior Tor node destination to pass through the system.
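The same three rules, as an added example that is not from the original post, in a parametrised and idempotent form that can be dropped into OpenWrt's /etc/firewall.user (which is re-run on every firewall reload). The variable and function names are my own, and 203.0.113.10 is a documentation placeholder standing in for the router's real WAN address; with no arguments the script only prints the commands it would run.

```shell
#!/bin/sh
# Added example, not code from the original post. Parametrised, idempotent version of
# the three rules above for OpenWrt's /etc/firewall.user. Variable and function names
# are my own; 203.0.113.10 is a placeholder for the router's real WAN address.
WAN_IF="${WAN_IF:-eth0.2}"          # WAN port of the internal switch
WAN_IP="${WAN_IP:-203.0.113.10}"    # router's public address (placeholder)
TOR_IP="${TOR_IP:-77.247.181.164}"  # listed Tor node the bridge forwards to
PORT="${PORT:-443}"                 # only this TCP port is forwarded

# Emit one line per rule: "<table> <chain> <match and target>". The FORWARD rule is
# narrowed to --dport so nothing but the forwarded port is opened towards the node.
bridge_rules() {
  wan_if=$1; wan_ip=$2; tor_ip=$3; port=$4
  printf '%s\n' \
    "nat PREROUTING -i $wan_if -p tcp --dst $wan_ip --dport $port -j DNAT --to-destination $tor_ip:$port" \
    "nat POSTROUTING -o $wan_if -p tcp --dst $tor_ip --dport $port -j SNAT --to-source $wan_ip" \
    "filter FORWARD -o $wan_if -p tcp --dst $tor_ip --dport $port -j ACCEPT"
}

# Render the rules as the iptables commands that would insert them (for review).
render_bridge_rules() {
  bridge_rules "$@" | sed 's/^\([a-z]*\) \([A-Z]*\) /iptables -t \1 -I \2 /'
}

# Insert each rule only if it is not already present (-C), so duplicates never pile up.
apply_bridge_rules() {
  bridge_rules "$@" | while read -r table chain spec; do
    # $spec must be word-split into separate arguments, so it is deliberately unquoted
    iptables -t "$table" -C "$chain" $spec 2>/dev/null ||
      iptables -t "$table" -I "$chain" $spec
  done
}

# Delete every copy of each rule (to stop acting as a bridge).
remove_bridge_rules() {
  bridge_rules "$@" | while read -r table chain spec; do
    while iptables -t "$table" -C "$chain" $spec 2>/dev/null; do
      iptables -t "$table" -D "$chain" $spec
    done
  done
}

case "${1:-}" in
  --apply)  apply_bridge_rules  "$WAN_IF" "$WAN_IP" "$TOR_IP" "$PORT" ;;
  --remove) remove_bridge_rules "$WAN_IF" "$WAN_IP" "$TOR_IP" "$PORT" ;;
  *)        render_bridge_rules "$WAN_IF" "$WAN_IP" "$TOR_IP" "$PORT" ;;  # dry run
esac
```

Return traffic from the Tor node is let through by OpenWrt's default ESTABLISHED,RELATED rule in FORWARD, which is why no fourth rule is needed.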
That’s it. I checked this using a remote system and it seems to work. Double checking with Wireshark showed all traffic was routed through my router-bridge.
2 comments
Fabio Pietrosanti (naif)
June 12, 2012 at 15:42 (UTC 2)
Now the next-question is:
* How to “publish” this simplified bridge to the Bridge directory authority?
Imho we should really think about implementing this availability for anyone to “donate” an IP:Port pair.
As long as the user has a fixed IP address.
Think about providing easy configuration guides for the most commonly known home-routers around the world, so that any user with just “few clicks on a couple of web pages” can donate his bandwidth and IP:Port pair.
A discussion about it started some time ago here:
https://lists.torproject.org/pipermail/tor-talk/2012-January/022836.html
Maybe we should try to write a small .txt or Tor Ticket to discuss this idea.
robvanderhoeven
June 13, 2012 at 11:06 (UTC 2)
Here are some wild ideas (meaning: there are some inconsistencies) for updating the Bridge directory authority:
A Tor node can determine if an incoming connection is from a router-bridge. If the IP address of a sender is not from another listed Tor node, it can probe if the sender IP address forwards (unmodified) messages to itself. First check if the sender has an open port, then send a “special” Tor packet and see if it arrives as input. If the special packet arrives, then the Tor node can send a message to the Bridge directory authority with the newly discovered router-bridge. (Note: router-bridges do not need to have a fixed IP address for this to work.)
A router-bridge that does not want to be reported to the Bridge directory authority can simply block incoming connections from the Tor node to which it forwards messages.
Note: A Tor node must never directly probe the router-bridge (this would be an easy way for an attacker to detect router-bridges); instead it must use an unlisted system (maybe use the system of the user that connects through the router-bridge?) to do the probing.
I think it is not possible to use unmodified routers. The default UI simply does not support internet to internet forwarding. You have to install free software like OpenWrt to make this possible. Once you have replaced the firmware you have to figure out the internal switch setup. Should not be too difficult because OpenWrt needs this info too (it was documented nicely for my router).
BTW, you can use any GNU/Linux system to do internet to internet routing. I have also tried this on my FreedomBox.