-
-
Save kremalicious/4c333c8c54fced00ab10c0a892a2304d to your computer and use it in GitHub Desktop.
| # what we want: | |
| # client -> OpenVPN -> Tor -> Internet | |
| # Install & configure OpenVPN | |
| # https://www.digitalocean.com/community/tutorials/how-to-set-up-an-openvpn-server-on-ubuntu-16-04 | |
| # assumed OpenVPN configuration | |
| # 10.8.0.1/24-Subnet | |
| # tun0-Interface | |
| # Install & configure Tor | |
| sudo apt install tor | |
| sudo vi /etc/tor/torrc | |
| VirtualAddrNetwork 10.192.0.0/10 | |
| AutomapHostsOnResolve 1 | |
| DNSPort 10.8.0.1:53530 | |
| TransPort 10.8.0.1:9040 | |
| sudo service tor restart | |
| # Check ports | |
| sudo netstat -tulpen | grep tor | |
| tcp 0 0 10.8.0.1:9040 0.0.0.0:* LISTEN 0 3964140 1525/tor | |
| tcp 0 0 127.0.0.1:9051 0.0.0.0:* LISTEN 0 3964141 1525/tor | |
| udp 0 0 10.8.0.1:53530 0.0.0.0:* 0 3964139 1525/tor | |
| # Config IPtables to route all traffic trough Tor proxy | |
| export IPTABLES=/sbin/iptables | |
| export OVPN=tun0 | |
| # transparent Tor proxy | |
| $IPTABLES -A INPUT -i $OVPN -s 10.8.0.0/24 -m state --state NEW -j ACCEPT | |
| $IPTABLES -t nat -A PREROUTING -i $OVPN -p udp --dport 53 -s 10.8.0.0/24 -j DNAT --to-destination 10.8.0.1:53530 | |
| $IPTABLES -t nat -A PREROUTING -i $OVPN -p tcp -s 10.8.0.0/24 -j DNAT --to-destination 10.8.0.1:9040 | |
| $IPTABLES -t nat -A PREROUTING -i $OVPN -p udp -s 10.8.0.0/24 -j DNAT --to-destination 10.8.0.1:9040 |
Hi,
Reading https://trac.torproject.org/projects/tor/wiki/doc/TransparentProxy#WARNING I suggest you add some extra iptables rules:
#iptables -A OUTPUT -m conntrack --ctstate INVALID -j LOG --log-prefix "Transproxy ctstate leak blocked: " --log-uid
iptables -A OUTPUT -m conntrack --ctstate INVALID -j DROP
#iptables -A OUTPUT -m state --state INVALID -j LOG --log-prefix "Transproxy state leak blocked: " --log-uid
iptables -A OUTPUT -m state --state INVALID -j DROP
#iptables -A OUTPUT ! -o lo ! -d 127.0.0.1 ! -s 127.0.0.1 -p tcp -m tcp --tcp-flags ACK,FIN ACK,FIN -j LOG --log-prefix "Transproxy leak blocked: " --log-uid
#iptables -A OUTPUT ! -o lo ! -d 127.0.0.1 ! -s 127.0.0.1 -p tcp -m tcp --tcp-flags ACK,RST ACK,RST -j LOG --log-prefix "Transproxy leak blocked: " --log-uid
iptables -A OUTPUT ! -o lo ! -d 127.0.0.1 ! -s 127.0.0.1 -p tcp -m tcp --tcp-flags ACK,FIN ACK,FIN -j DROP
iptables -A OUTPUT ! -o lo ! -d 127.0.0.1 ! -s 127.0.0.1 -p tcp -m tcp --tcp-flags ACK,RST ACK,RST -j DROP
I have commented out the log ones but left them here just in case anyone wants to have logs in dmesg.
Sorry just a noob question as I don't know iptables but do we run the above iptables commands on the vpn server, or on the client pc? Because it said -i tun0 and tun0 is only on the client pc (on server it is as0t0) so I'm unsure.
Quick question,
Is there a way to enable/disable this? As if I want to use just the OpenVPN connection without tor? Or is this permanent?
I'd like to be able to quickly turn the Tor routing on/off as needed.
Thanks!
Anyone throw this into a docker container yet? I've been struggling for a while and wanted to know if someone got it working well.
@piqle, working on a docker image. Sharing a volume with the same config would mean you can have two image. One with tor and one without. Same config on your devices.
I made a script for my self.#!/bin/bash
#!/bin/bash
if [ $(whoami) != "root" ]; then
echo "Must be run as root"
exit 1
elif ( ! dpkg-query --list openvpn | grep -q "ii"); then
echo "Please install OpenVPN to your system."
exit 1
elif ( ! dpkg-query --list tor | grep -q "ii"); then
echo "Please install Tor to your system."
exit 1
elif ( ! systemctl is-active --quiet openvpn 2>/dev/null); then
echo "OpenVPN server is not running. Please start OpenVPN service and try again!"
exit 1
fi
IPTABLES=$(which iptables) # /sbin/iptables
OVPN=$(ip r | grep "tun" | awk '{print $3}') # tun0
VPN_IP=$(ip r | grep "tun" | awk '{print $9}') # 10.8.0.1
function route() {
local arg=$1
# Config IPtables to route all traffic trough Tor proxy
# transparent Tor proxy
$IPTABLES $arg INPUT -i $OVPN -s 10.8.0.0/24 -m state --state NEW -j ACCEPT
$IPTABLES -t nat $arg PREROUTING -i $OVPN -p udp --dport 53 -s 10.8.0.0/24 -j DNAT --to-destination $VPN_IP:53530
$IPTABLES -t nat $arg PREROUTING -i $OVPN -p tcp -s 10.8.0.0/24 -j DNAT --to-destination $VPN_IP:9040
$IPTABLES -t nat $arg PREROUTING -i $OVPN -p udp -s 10.8.0.0/24 -j DNAT --to-destination $VPN_IP:9040
## Transproxy leak blocked:
# https://trac.torproject.org/projects/tor/wiki/doc/TransparentProxy#WARNING
$IPTABLES $arg OUTPUT -m conntrack --ctstate INVALID -j DROP
$IPTABLES $arg OUTPUT -m state --state INVALID -j DROP
$IPTABLES $arg OUTPUT ! -o lo ! -d 127.0.0.1 ! -s 127.0.0.1 -p tcp -m tcp --tcp-flags ACK,FIN ACK,FIN -j DROP
$IPTABLES $arg OUTPUT ! -o lo ! -d 127.0.0.1 ! -s 127.0.0.1 -p tcp -m tcp --tcp-flags ACK,RST ACK,RST -j DROP
}
if ($IPTABLES --check INPUT -i $OVPN -s 10.8.0.0/24 -m state --state NEW -j ACCEPT 2>/dev/null); then
echo "Stoping Tor and remove iptables routes"
systemctl stop tor
route "-D"
else
echo "Starting Tor and adding iptables routes"
systemctl start tor
sleep 3
route "-A"
echo "Now you can connect to your VPN and surf on the TOR network"
fi
Could you tell me, if is it possible to access .onion's websites via client connected to OVPN with your configuration?
My browser is configured with Tor but not able to access .onion site check many onion sites but not able to access sites.
Normal sites are accessible but onion sites are not accessible.
I also Add AutomapHostsSuffixes .onion,.exit in the torrc file but no luck.
Could you tell me, if is it possible to access .onion's websites via client connected to OVPN with your configuration?
My browser is configured with Tor but not able to access .onion site check many onion sites but not able to access sites.
Normal sites are accessible but onion sites are not accessible.I also Add AutomapHostsSuffixes .onion,.exit in the torrc file but no luck.
Hi Tufail431,
If you config Tor and iptables well . all openvpn traffic will through Tor exit node.
For example 10.8.0.0 / 24 that mean 10.8.0.1 - 10.8.0.255 will go TransPort 10.8.0.1:9040 and this gateway listening by tor.
if you successful config. you can connect your openvpn client and check the ip address is it Tor exit node. if it correct.
you could browse any onion site as well as possible. for me is worked with anything
hello i am getting this error while i am trying to run the script
bash ovtotor.sh
gives me this :
ovtotor.sh: line 2: $'\r': command not found
ovtotor.sh: line 6: syntax error near unexpected token `elif'
'vtotor.sh: line 6: `elif ( ! dpkg-query --list openvpn | grep -q "ii"); then
Thanks for this, it helped me a lot !
I have a raspberry pi with AdGuard Home on it (which is a DNS blocker in order to block ads), I would like to configure my openVPN server to use it before routing the traffic through Tor. Do you have an idea where I should put the ip address of my DNS blocker?
EDIT : This is always after asking a question after several days of research that I find myself the answer :
I use @queeup 's script which is really useful (thank you), and replaced this line
$IPTABLES -t nat $arg PREROUTING -i $OVPN -p udp --dport 53 -s 10.8.0.0/24 -j DNAT --to-destination $VPN_IP:53530
with these lines :
$IPTABLES -t nat $arg PREROUTING -i $OVPN -p udp --dport 53 -s 10.8.0.0/24 -j DNAT --to-destination *AdGuard_Home_IP*
$IPTABLES -t nat $arg PREROUTING -i $OVPN -p tcp --dport 53 -s 10.8.0.0/24 -j DNAT --to-destination *AdGuard_Home_IP*
I can't connect to teamspeak servers with this configuration, is there a fix for this?