@kremalicious
Last active February 25, 2024 07:40
Install and configure Tor as proxy for all OpenVPN server traffic
# what we want:
# client -> OpenVPN -> Tor -> Internet
# Install & configure OpenVPN
# https://www.digitalocean.com/community/tutorials/how-to-set-up-an-openvpn-server-on-ubuntu-16-04
# assumed OpenVPN configuration
# 10.8.0.1/24-Subnet
# tun0-Interface
# Install & configure Tor
sudo apt install tor
sudo vi /etc/tor/torrc
# add these lines to /etc/tor/torrc:
VirtualAddrNetwork 10.192.0.0/10
AutomapHostsOnResolve 1
DNSPort 10.8.0.1:53530
TransPort 10.8.0.1:9040
sudo service tor restart
# Check that Tor is listening on the configured ports (expected output follows the command)
sudo netstat -tulpen | grep tor
tcp 0 0 10.8.0.1:9040 0.0.0.0:* LISTEN 0 3964140 1525/tor
tcp 0 0 127.0.0.1:9051 0.0.0.0:* LISTEN 0 3964141 1525/tor
udp 0 0 10.8.0.1:53530 0.0.0.0:* 0 3964139 1525/tor
# Configure iptables to route all traffic through the Tor proxy
export IPTABLES=/sbin/iptables
export OVPN=tun0
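# transparent Tor proxy
# accept new connections from VPN clients on the OpenVPN interface
$IPTABLES -A INPUT -i $OVPN -s 10.8.0.0/24 -m state --state NEW -j ACCEPT
# redirect client DNS queries (udp/53) to Tor's DNSPort
$IPTABLES -t nat -A PREROUTING -i $OVPN -p udp --dport 53 -s 10.8.0.0/24 -j DNAT --to-destination 10.8.0.1:53530
# redirect all client TCP to Tor's TransPort
$IPTABLES -t nat -A PREROUTING -i $OVPN -p tcp -s 10.8.0.0/24 -j DNAT --to-destination 10.8.0.1:9040
# Tor carries TCP only: the remaining UDP is sent to 10.8.0.1:9040, where only a TCP listener exists
# (see the netstat output), so non-DNS UDP is not relayed. Rules match in order, so keep the DNS rule above this one.
$IPTABLES -t nat -A PREROUTING -i $OVPN -p udp -s 10.8.0.0/24 -j DNAT --to-destination 10.8.0.1:9040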
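
A check for the nat rules above, as an added example that is not part of the original gist: it reads `iptables-save -t nat` text and reports a missing DNSPort, TransPort or catch-all UDP redirect, or a catch-all UDP rule placed above the DNS rule. The function name `audit_nat` and both sample rule sets are constructed for illustration.

```shell
#!/bin/sh
# Added example: audit `iptables-save -t nat` text read from stdin.
# usage: iptables-save -t nat | audit_nat tun0 10.8.0.1:53530 10.8.0.1:9040
# Prints one finding per line; returns 0 when clean, 1 otherwise.
audit_nat() {
    ifc=$1 dns_to=$2 trans_to=$3
    n=0 dns_at=0 tcp_at=0 udp_all_at=0
    while IFS= read -r rule; do
        case $rule in
            "-A PREROUTING"*" -i $ifc "*) n=$((n + 1)) ;;  # VPN interface only
            *) continue ;;
        esac
        case $rule in
            *" -p udp "*"--dport 53 "*"--to-destination $dns_to")
                [ "$dns_at" -ne 0 ] || dns_at=$n ;;
            *" -p tcp "*"--dport "* | *" -p udp "*"--dport "*) ;;  # other port-specific rules
            *" -p tcp "*"--to-destination $trans_to")
                [ "$tcp_at" -ne 0 ] || tcp_at=$n ;;
            *" -p udp "*"-j DNAT "*)
                [ "$udp_all_at" -ne 0 ] || udp_all_at=$n ;;
        esac
    done
    rc=0
    [ "$dns_at" -gt 0 ] || { echo "MISSING: udp/53 -> $dns_to (DNSPort)"; rc=1; }
    [ "$tcp_at" -gt 0 ] || { echo "MISSING: tcp -> $trans_to (TransPort)"; rc=1; }
    [ "$udp_all_at" -gt 0 ] || { echo "MISSING: catch-all udp redirect"; rc=1; }
    # First match wins: a catch-all udp rule above the DNS rule swallows DNS.
    if [ "$dns_at" -gt 0 ] && [ "$udp_all_at" -gt 0 ] && [ "$udp_all_at" -lt "$dns_at" ]; then
        echo "ORDER: catch-all udp rule precedes the udp/53 rule"; rc=1
    fi
    return $rc
}

# Constructed sample in iptables-save style, matching the gist's three nat rules.
SAMPLE_OK='*nat
-A PREROUTING -s 10.8.0.0/24 -i tun0 -p udp -m udp --dport 53 -j DNAT --to-destination 10.8.0.1:53530
-A PREROUTING -s 10.8.0.0/24 -i tun0 -p tcp -j DNAT --to-destination 10.8.0.1:9040
-A PREROUTING -s 10.8.0.0/24 -i tun0 -p udp -j DNAT --to-destination 10.8.0.1:9040
COMMIT'
# Constructed sample: the same rules with the catch-all udp rule inserted first.
SAMPLE_BAD='*nat
-A PREROUTING -s 10.8.0.0/24 -i tun0 -p udp -j DNAT --to-destination 10.8.0.1:9040
-A PREROUTING -s 10.8.0.0/24 -i tun0 -p udp -m udp --dport 53 -j DNAT --to-destination 10.8.0.1:53530
-A PREROUTING -s 10.8.0.0/24 -i tun0 -p tcp -j DNAT --to-destination 10.8.0.1:9040
COMMIT'

printf '%s\n' "$SAMPLE_OK" | audit_nat tun0 10.8.0.1:53530 10.8.0.1:9040 && echo "SAMPLE_OK: clean"
printf '%s\n' "$SAMPLE_BAD" | audit_nat tun0 10.8.0.1:53530 10.8.0.1:9040 || echo "SAMPLE_BAD: findings above"
```
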
biscwii commented Feb 19, 2022

Thanks for this, it helped me a lot!

I have a Raspberry Pi with AdGuard Home on it (which is a DNS blocker in order to block ads), and I would like to configure my OpenVPN server to use it before routing the traffic through Tor. Do you have an idea where I should put the IP address of my DNS blocker?

EDIT: It is always after asking a question, after several days of research, that I find the answer myself:
I use @queeup's script, which is really useful (thank you), and replaced this line

$IPTABLES -t nat $arg PREROUTING -i $OVPN -p udp --dport 53 -s 10.8.0.0/24 -j DNAT --to-destination $VPN_IP:53530

with these lines:

$IPTABLES -t nat $arg PREROUTING -i $OVPN -p udp --dport 53 -s 10.8.0.0/24 -j DNAT --to-destination *AdGuard_Home_IP*
$IPTABLES -t nat $arg PREROUTING -i $OVPN -p tcp --dport 53 -s 10.8.0.0/24 -j DNAT --to-destination *AdGuard_Home_IP*
