HOWTO - UnboundDNS+DNSCrypt+Tor DNS proxy+onion resources
« on: November 23, 2019, 11:30:25 am »
Hi, I used the tutorial from this topic: https://forum.opnsense.org/index.php?topic=10670.0 and it works for me.
But with one exception: I'm from Russia, and our providers block many internet resources; Tor is the way to avoid these blocks and get the resources working again. In this howto I made DNSCrypt and resolving .onion resources work together.
This assumes you have completed all steps from https://forum.opnsense.org/index.php?topic=10670.0, and it works. The Tor transparent proxy works too.
- 1. Tor config.
Tor has a transparent DNS on port 9053 and a transparent proxy on port 9040 in the default config.
Go to Services: Tor: Configuration and check advanced mode.
- Set Transparent IP Pool to a local range; for example, my config is: 172.29.0.0/16
- Check Map Host To IP Pool
- In the tab SOCKS Proxy ACL you need to accept connections from 127.0.0.1/32
- 2. Unbound DNS config.
Unbound DNS runs on UDP port 53 by default.
Go to Services: Unbound DNS: General.
- Local Zone Type must be set to transparent (in my tests, the other options did not forward DNS queries to Tor).
- Custom options set like this:
Code:
# treat the onion TLD as unsigned and private, and allow forwarders on localhost
domain-insecure: "onion"
private-domain: "onion"
do-not-query-localhost: no
# disable Unbound's built-in local zone for onion. so the queries get forwarded
local-zone: "onion." nodefault
# .onion goes to the Tor DNS proxy
forward-zone:
    name: "onion"
    forward-addr: 127.0.0.1@9053
# everything else goes to DNSCrypt Proxy
forward-zone:
    name: "."
    forward-addr: ::1@5353
    forward-addr: 127.0.0.1@5353
- 3. Firewall Config.
Go to Firewall: Aliases and add a new alias for the Tor Transparent IP Pool, for example:
- Name: tor_net
- Type: Network(s)
- Content: 172.29.0.0/16
- Description: Mapped tor hosts
Then add a port forward rule (Firewall: NAT: Port Forward):
- Interface: LAN
- TCP/IP Version: IPv4
- Protocol: TCP
- Source: LAN Net
- Source port range: From: Any To: Any
- Destination: tor_net (alias)
- Destination port range: From: Any To: Any
- Redirect target IP: Single host or Network > 127.0.0.1
- Redirect target port: (Other) > 9040 (tor transparent proxy port)
All DNS traffic except the .onion zone will be forwarded to DNSCrypt Proxy, the .onion zone will be forwarded to the Tor DNS proxy, and connections to .onion sites will be mapped to the net 172.29.0.0/16 and forwarded through the Tor transparent proxy on port 9040.
No other config is needed on the client PC.
Thank you, and sorry for my English.
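An added check for the Unbound custom options in this howto (example code written for this page, not from the post or from OPNsense): it parses the snippet and reports any setting that would let .onion queries fall through to the DNSCrypt upstream or fail to resolve at all. The sample config is a constructed copy of the options above, and parse_unbound / lint_onion_forwarding are hypothetical helper names.

```python
# Constructed sample: the custom options from the post, not read from a live box.
SAMPLE_CONF = """domain-insecure: "onion"
private-domain: "onion"
do-not-query-localhost: no
local-zone: "onion." nodefault
forward-zone:
    name: "onion"
    forward-addr: 127.0.0.1@9053
forward-zone:
    name: "."
    forward-addr: ::1@5353
    forward-addr: 127.0.0.1@5353"""

def parse_unbound(text):
    """Minimal unbound.conf reader (hypothetical helper): indentation is ignored, a bare 'clause:' line opens a section."""
    top, zones = {}, []
    section = top
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()          # drop comments and blank lines
        if not line:
            continue
        key, _, value = line.partition(":")
        key, value = key.strip(), value.strip().replace('"', "")
        if not value:                                # clause header, e.g. forward-zone:
            section = {} if key == "forward-zone" else top
            if section is not top:
                zones.append(section)
            continue
        section.setdefault(key, []).append(value)
    return top, zones

def lint_onion_forwarding(text):
    """Return findings that would leak .onion lookups upstream or break them; [] means the split is sound."""
    top, zones = parse_unbound(text)
    by_name = {z.get("name", [""])[0].rstrip(".") or ".": z for z in zones}
    checks = [
        ("onion" in by_name,
         "no forward-zone for onion: .onion queries fall through to the '.' forwarder"),
        (all(a.split("@")[0] in ("127.0.0.1", "::1") for a in by_name.get("onion", {}).get("forward-addr", [])),
         "onion forward-addr is not the local Tor DNSPort on loopback"),
        ("." in by_name,
         "no forward-zone for '.': other queries recurse to the root, bypassing DNSCrypt"),
        (top.get("do-not-query-localhost", ["yes"])[0] == "no",
         "do-not-query-localhost must be 'no' or Unbound refuses both loopback forwarders"),
        ("onion. nodefault" in top.get("local-zone", []),
         "missing local-zone \"onion.\" nodefault: Unbound's built-in onion zone answers first"),
        ("onion" in top.get("domain-insecure", []),
         "missing domain-insecure onion: DNSSEC validation can reject the unsigned Tor answers"),
    ]
    return [msg for ok, msg in checks if not ok]
```

Run lint_onion_forwarding on the custom options pasted from the Unbound page; an empty list means .onion names can only reach the Tor DNS proxy and everything else only DNSCrypt.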