automate/020_openwrt-tor.sh


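# Install the Tor client together with the OpenWrt onion-service helper
# (tor-hs); everything below depends on these packages, so stop on failure.
opkg update || exit 1
opkg install tor tor-geoip tor-hs || exit 1

# Configuring tor
# The client configuration is appended only once: a marker comment (ignored by
# Tor) tells a re-run of this script that the block is already present.
# Notes on the directives:
#  - AllowUnverifiedNodes appears to be an obsolete option in current Tor
#    releases (Tor logs a warning and ignores it) — confirm against the
#    installed version before removing it.
#  - ControlPort 9051 binds to localhost only (no address given), but no
#    control-port authentication (CookieAuthentication / HashedControlPassword)
#    is configured, so any local process could reconfigure Tor. Drop it if
#    nothing on the router uses it — TODO confirm whether tor-hs needs it.
#  - The 192.168.1.1 listeners are placeholders rewritten to the real LAN
#    address later in this script.
if ! grep -qF '# openwrt-tor: managed client configuration' /etc/tor/torrc 2>/dev/null; then
  cat <<'EOF' >> /etc/tor/torrc
# openwrt-tor: managed client configuration (appended by 020_openwrt-tor.sh)
RunAsDaemon 1
AllowUnverifiedNodes middle,rendezvous
Log notice syslog
## Only run as a client, never a relay or exit
ClientOnly
PidFile /var/run/tor.pid
DataDirectory /var/lib/tor
User tor
SocksPort 9050
SocksPort 192.168.1.1:9050
AutomapHostsSuffixes .onion,.exit
AutomapHostsOnResolve 1
VirtualAddrNetworkIPv4 10.192.0.0/10
TransPort 192.168.1.1:9040
DNSPort 192.168.1.1:9053
ControlPort 9051
EOF
fi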
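# Configuring firewall
# UCI zone and rules for the Tor listeners (DHCP, DNSPort, TransPort, SOCKS).
# Appended only once: skip when the 'tor' zone already exists in the file.
if ! grep -q "config zone 'tor'" /etc/config/firewall 2>/dev/null; then
  cat <<'EOF' >> /etc/config/firewall
config zone 'tor'
	option name 'tor'
	option network 'lan'
	option input 'REJECT'
	option output 'ACCEPT'
	option forward 'REJECT'
	option conntrack '1'
config rule
	option name 'Allow-Tor-DHCP'
	option src 'tor'
	option proto 'udp'
	option dest_port '67'
	option target 'ACCEPT'
	option family 'ipv4'
config rule
	option name 'Allow-Tor-DNS'
	option src 'tor'
	option proto 'udp'
	option dest_port '9053'
	option target 'ACCEPT'
	option family 'ipv4'
config rule
	option name 'Allow-Tor-Transparent'
	option src 'tor'
	option proto 'tcp'
	option dest_port '9040'
	option target 'ACCEPT'
	option family 'ipv4'
config rule
	option name 'Allow-Tor-SOCKS'
	option src 'tor'
	option proto 'tcp'
	option dest_port '9050'
	option target 'ACCEPT'
	option family 'ipv4'
EOF
fi

# Transparent-proxy NAT rules.
# The here-doc delimiter is quoted so that $ifname is written literally into
# firewall.user and expanded there at firewall load time; with an unquoted
# delimiter this script expanded it (to an empty string) and wrote broken
# `iptables ... -i  -p ...` rules.
# NOTE(review): /etc/firewall.user is read by fw3; fw4-based releases use
# /etc/nftables.d/ instead and would ignore this file — confirm the target
# OpenWrt release.
# NOTE(review): the final --syn rule redirects every new TCP connection
# arriving on br-lan to the TransPort, including connections addressed to the
# router's own services; only SOCKS (9050) is exempted above it. Add an
# exemption for the LAN address if LuCI/SSH must stay reachable from the LAN.
if ! grep -q '^enable_transparent_tor()' /etc/firewall.user 2>/dev/null; then
  cat <<'EOF' >> /etc/firewall.user
enable_transparent_tor() {
  ifname=br-lan
  # Allow direct access to the Tor daemon
  iptables -t nat -A PREROUTING -i $ifname -p tcp --dport 9050 -j ACCEPT
  # provide transparent routing for TCP and DNS
  iptables -t nat -A PREROUTING -i $ifname -p udp --dport 53 -j REDIRECT --to-ports 9053
  iptables -t nat -A PREROUTING -i $ifname -p tcp --syn -j REDIRECT --to-ports 9040
}
enable_transparent_tor
EOF
fi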
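# Replace the 192.168.x.y placeholder in front of every ':port' in torrc with
# the router's real LAN address so the SOCKS/Trans/DNS listeners bind to it.
# -q keeps uci silent when the option is missing; an empty result leaves the
# file untouched. The pattern escapes its dots and only matches dotted-quad
# addresses, so unrelated text containing "192.168" is not rewritten.
# lan_ip is an IPv4 address from the router's own configuration, so it cannot
# contain the sed delimiter '/' or '&'.
lan_ip=$(uci -q get network.lan.ipaddr)
if [ -n "$lan_ip" ]; then
  sed -i "s/192\.168\.[0-9]*\.[0-9]*:/$lan_ip:/g" /etc/tor/torrc
fi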
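# Configuring tor hidden service
# tor-hs reads /etc/config/tor-hs; each section is appended only once so a
# re-run does not produce duplicate UCI sections.
# SSH
# NOTE(review): this entry is added disabled; the ssh onion service is set up
# by hand further below and reuses /etc/tor/hidden_service, which is also the
# HSDir handed to tor-hs in the 'common' section — confirm the two do not
# manage that directory at the same time.
if ! grep -q "option Name 'sshd'" /etc/config/tor-hs 2>/dev/null; then
  cat <<'EOF' >> /etc/config/tor-hs
config hidden-service
	option Name 'sshd'
	option Description "Hidden service for ssh"
	option Enabled 'false'
	option IPv4 '127.0.0.1'
	#public port=2222, local port=22
	list PublicLocalPort '2222;22'
EOF
fi
# COMMON
if ! grep -q '^config tor-hs common' /etc/config/tor-hs 2>/dev/null; then
  cat <<'EOF' >> /etc/config/tor-hs
config tor-hs common
	option GenConf "/etc/tor/torrc_hs"
	option HSDir "/etc/tor/hidden_service"
	option RestartTor "true"
	option UpdateTorConf "true"
EOF
fi
/etc/init.d/tor-hs enable
/etc/init.d/tor-hs start
/etc/init.d/tor restart
# rpcd is restarted so the tor_rpcd ubus object becomes available; the
# following call lists the configured services as a smoke test.
/etc/init.d/rpcd restart
ubus call tor_rpcd.sh list-hs '{}'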
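# Secure access with client authorization.
# (The line above was a bare heading in the original file and would have been
# executed as a command.)
# Install packages
opkg update || exit 1
opkg install openssl-util coreutils-base32 || exit 1
# Enable Tor onion service
# Appended only once so a re-run does not declare the service twice.
if ! grep -q '^HiddenServiceDir /etc/tor/hidden_service$' /etc/tor/custom 2>/dev/null; then
  cat <<'EOF' >> /etc/tor/custom
HiddenServiceDir /etc/tor/hidden_service
HiddenServicePort 22 127.0.0.1:22
EOF
fi
# Everything created from here on (service directory, key material, the client
# credential file) must not be readable by group/other.
umask go=
mkdir -p /etc/tor/hidden_service
chown -R tor:tor /etc/tor/hidden_service
/etc/init.d/tor restart

# Tor writes the onion address after it has (re)started; wait for the file
# instead of reading it immediately, which raced the restart.
hostname_file=/etc/tor/hidden_service/hostname
attempt=0
while [ ! -s "$hostname_file" ]; do
  attempt=$((attempt + 1))
  if [ "$attempt" -gt 30 ]; then
    printf 'error: %s was not created by tor\n' "$hostname_file" >&2
    exit 1
  fi
  sleep 1
done

# Enable client authorization
# Generate the client's x25519 key pair. Tor expects the raw 32-byte keys as
# unpadded base32; the pipelines take the last 32 bytes of the DER encodings.
openssl genpkey -algorithm x25519 -out /etc/tor/hidden_service.pem || exit 1
TOR_KEY="$(openssl pkey \
  -in /etc/tor/hidden_service.pem -outform der \
  | tail -c 32 \
  | base32 \
  | sed -e "s/=//g")"
TOR_PUB="$(openssl pkey \
  -in /etc/tor/hidden_service.pem -outform der -pubout \
  | tail -c 32 \
  | base32 \
  | sed -e "s/=//g")"
if [ -z "$TOR_KEY" ] || [ -z "$TOR_PUB" ]; then
  printf 'error: could not derive the client authorization keys\n' >&2
  exit 1
fi
TOR_HOST="$(cat "$hostname_file")"
# client.auth_private is the CLIENT-side credential (it carries the private
# key) and is written to the current directory for transfer to the SSH client.
# The router only needs the public half (client.auth below); once the private
# file has been moved to the client, /etc/tor/hidden_service.pem and
# client.auth_private can be removed from the router so that a compromised
# router does not also yield the client's credential.
cat <<EOF > client.auth_private
${TOR_HOST%.onion}:descriptor:x25519:${TOR_KEY}
EOF
# Tor normally creates authorized_clients/ itself; create it if it is missing
# so the write below cannot fail on a fresh service directory.
mkdir -p /etc/tor/hidden_service/authorized_clients
cat <<EOF > /etc/tor/hidden_service/authorized_clients/client.auth
descriptor:x25519:${TOR_PUB}
EOF
chown -R tor:tor /etc/tor/hidden_service
/etc/init.d/tor restart
# Fetch onion service hostname
printf '%s\n' "$TOR_HOST"
## Configure client authorization
# The commented steps below are for the connecting Tor client, not for this
# router (the paths suggest the client is also an OpenWrt host — confirm):
# ClientOnionAuthDir is a client-side option and client.auth_private is the
# file written above.
#cat << EOF >> /etc/tor/custom
#ClientOnionAuthDir /etc/tor/onion_auth
#EOF
#umask go=
#mkdir -p /etc/tor/onion_auth
#TOR_AUTH="$(cat client.auth_private)"
#cat << EOF > /etc/tor/onion_auth/client.auth_private
#${TOR_AUTH}
#EOF
#chown -R tor:tor /etc/tor/onion_auth
#/etc/init.d/tor restart
# Access onion service with:
# ssh ${TOR_AUTH%%:*}.onion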