HOWTO - UnboundDNS+DNSCrypt+Tor DNS proxy+onion resources

Started by umask, November 23, 2019, 11:30:25 AM

Hi, I used the tutorial from this topic: https://forum.opnsense.org/index.php?topic=10670.0 and it works for me.

But with one exception: I'm from Russia, and our providers block many internet resources; Tor is the way to get around these blocks and make those resources work again. In this HOWTO I made DNSCrypt and the resolving of .onion resources work together.

It is assumed that you have completed all the steps from https://forum.opnsense.org/index.php?topic=10670.0 and that it works. The Tor transparent proxy works too.


  • 1. Tor config.
    Tor has a transparent DNS on port 9053 and a transparent proxy on port 9040 in its default config.
    Go to Services: Tor: Configuration and check advanced mode.

    • Set Transparent IP Pool to a local range; for example, my config uses 172.29.0.0/16
    • Check Map Host To IP Pool
    • In the tab SOCKS Proxy ACL you need to accept connections from 127.0.0.1/32
  • 2. Unbound DNS config.
    Unbound DNS runs on UDP port 53 by default.
    Go to Services: Unbound DNS: General

    • Local Zone Type must be set to transparent (in my tests, the other options did not forward DNS queries to Tor)
    • Set Custom options like this:
domain-insecure: "onion"
private-domain: "onion"
do-not-query-localhost: no
local-zone: "onion." nodefault

forward-zone:
    name: "onion"
    forward-addr: 127.0.0.1@9053
forward-zone:
    name: "."
    forward-addr: ::1@5353
    forward-addr: 127.0.0.1@5353

  • 3. Firewall Config.
    Go to Firewall: Aliases and add a new alias for the Tor Transparent IP Pool, for example:

    • Name: tor_net
      Type: Network(s)
      Content: 172.29.0.0/16
      Description: Mapped tor hosts
    Then go to Firewall: NAT: Port Forward and add a new rule:

    • Interface: LAN
      TCP/IP Version: IPv4
      Protocol: TCP
      Source: LAN Net
      Source port range: From: Any To: Any
      Destination: tor_net (alias)
      Destination port range: From: Any To: Any
      Redirect target IP: Single host or Network > 127.0.0.1
      Redirect target port: (Other) > 9040 (tor transparent proxy port)
Profit.

All DNS traffic except the .onion zone will be forwarded to DNSCrypt Proxy; the .onion zone will be forwarded to the Tor DNS proxy, connections to .onion sites will be mapped to the net 172.29.0.0/16, and those connections will be forwarded through the Tor transparent proxy on port 9040.
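To make the flow above easier to check after setup, here is a small model of it as an added example (not part of the original post or of the OPNsense/Unbound/Tor projects). It reproduces the decision the two forward-zones make (which upstream a name goes to), the step-3 NAT rule, and the check a practitioner would run afterwards: an answer for a .onion name must be a synthetic address inside the Tor Transparent IP Pool, otherwise the query was not answered by Tor. The pool, ports and zone names come from the HOWTO; the .onion name and the addresses fed into it are constructed sample data, so it runs offline with only the standard library.

```python
"""Model of the split-DNS / Tor mapping described in this HOWTO (added example)."""
import ipaddress

# Values from the HOWTO (the pool is the author's example range).
TOR_POOL = ipaddress.ip_network("172.29.0.0/16")
TOR_DNS = ("127.0.0.1", 9053)       # Tor transparent DNS port
DNSCRYPT = ("127.0.0.1", 5353)      # dnscrypt-proxy listener from the linked tutorial
TOR_TRANS_PORT = 9040               # Tor transparent proxy port the NAT rule redirects to

# Unbound forward-zone table from step 2: zone name -> upstream (host, port).
FORWARD_ZONES = {
    "onion": TOR_DNS,
    ".": DNSCRYPT,
}


def _labels(name: str):
    """Split a DNS name into lowercase labels, ignoring a trailing dot."""
    return [lbl for lbl in name.lower().rstrip(".").split(".") if lbl]


def select_upstream(qname: str):
    """Return the (host, port) upstream Unbound forwards *qname* to.

    Unbound uses the forward-zone whose name is the longest suffix of the
    query name; the "." zone catches everything else. With the two zones
    above this means: names ending in .onion -> Tor, all others -> DNSCrypt.
    """
    labels = _labels(qname)
    best, best_len = FORWARD_ZONES["."], 0
    for zone, upstream in FORWARD_ZONES.items():
        zl = _labels(zone)
        if zl and len(zl) <= len(labels) and labels[-len(zl):] == zl and len(zl) > best_len:
            best, best_len = upstream, len(zl)
    return best


def check_onion_answer(qname: str, answer_ip: str) -> bool:
    """True when a .onion answer is a Tor-mapped address from TOR_POOL.

    A real .onion name has no address in public DNS, so an answer outside
    the pool means the query went to the wrong upstream or Map Host To IP
    Pool is not enabled in the Tor configuration.
    """
    if select_upstream(qname) != TOR_DNS:
        return False
    return ipaddress.ip_address(answer_ip) in TOR_POOL


def nat_redirect(dst_ip: str, dst_port: int, proto: str = "tcp"):
    """Model of the step-3 port forward: TCP to the pool -> 127.0.0.1:9040.

    Anything else is returned unchanged, as the rule does not match it.
    """
    if proto.lower() == "tcp" and ipaddress.ip_address(dst_ip) in TOR_POOL:
        return ("127.0.0.1", TOR_TRANS_PORT)
    return (dst_ip, dst_port)


def trace(qname: str, answer_ip: str, port: int = 80):
    """Follow one client connection: DNS upstream, answer, and final NAT target."""
    return {
        "upstream": select_upstream(qname),
        "answer": answer_ip,
        "onion_ok": check_onion_answer(qname, answer_ip),
        "connect_to": nat_redirect(answer_ip, port),
    }


if __name__ == "__main__":
    # Constructed sample data: a .onion name as Tor would map it, and a clearnet name.
    for name, ip in [("exampleonionaddress.onion", "172.29.12.34"),
                     ("forum.opnsense.org", "203.0.113.10")]:
        print(name, trace(name, ip))
```

In practice you would feed `check_onion_answer` the address that `drill` or `dig` returns from the firewall's Unbound for a .onion name; if it is not inside the pool, look at the Local Zone Type and the `do-not-query-localhost: no` line first, since both are needed for the forward to 127.0.0.1@9053 to happen.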

No other config needed on the client PC.

Thank you, and sorry for my English.