OPNsense with Tor with transparent proxy

Started by Labber53, July 14, 2024, 06:40:09 PM

BLUF: can't get Tor and transparent proxy working again

Some time ago I had OPNsense working with transparent proxy and Tor to isolate my Lab.

I just rebuilt everything on XCP-ng instead of ESXi. I lost the password to my OPNsense VM, so I am re-creating from scratch and writing a Tutorial on how I did it. My intention is to post it in the Tutorials section.

I'm stuck. Anyone have a link or a tutorial for the latest version of OPNsense?

Here is what I have so far if you want to play along and help fix it. Simple firewall WAN, LAN. configure/test from a PC on the LAN.

1. Log in to firewall via https
2. System > Firmware > Plugins
  - os-tor - click "+" to install
3. Refresh the page
4. Click Services > Tor > Configuration
  - General Tab
    - Enable: Yes
    - Listen Interfaces: LAN
    - Enable Advanced Mode
      - Check Enable Transparent Proxy
      - Confirm SOCKS port number: 9050
      - Confirm Control Port: 9051
      - Confirm Transparent port: 9040
      - Confirm Transparent DNS port: 9053
  - Click Save
5. Firewall > Rules > LAN
  - Add rule to top of policy
    - Action: Pass
    - Quick: Checked
    - Interface: LAN
    - Direction: in
    - TCP/IP Version: IPv4
    - Protocol: TCP/UDP
    - Source: LAN net
    - Destination: This Firewall
    - Destination port range: From 53 to 53 (DNS)
    - Log: This is not recommended for this Lab, but enable if you wish
    - Description: Allow DNS to firewall
    - Click Save
    - Move the new rule to the top if necessary
      - Put a Check next to new rule Allow DNS to Firewall
      - Click the arrow icon to the right of the first rule to move it to the top
    - Allow LAN net to This Firewall IP for TCP/IP DNS
  - Add a second rule just below it
    - Action: Block
    - Quick: Checked
    - Interface: LAN
    - Direction: in
    - TCP/IP Version: IPv4
    - Protocol: TCP/UDP
    - Source: LAN net
    - Destination: any
    - Destination port range: From 53 to 53 (DNS)
    - Log: This is not recommended for this Lab, but enable if you wish
    - Description: Deny unsanctioned DNS
    - Click Save
    - Move the new rule below the first rule if necessary
      - Put a Check next to new rule Deny unsanctioned DNS
      - Click the arrow icon to the right of the second rule to move it to the second position
    - Allow LAN net to This Firewall IP for TCP/IP DNS
  - Click Apply Changes
6. Firewall > NAT > Port Forward
  - Add rule
    - Click the "+" to add a rule
    - Interface: LAN (be sure you ONLY select LAN)
    - TCP/IP Version: IPv4
    - Protocol: TCP (TOR rejects UDP packets except for DNS requests)
    - Source: LAN net
    - Source port range: any
    - Destination: ANY
    - Destination Port: ANY
    - Redirect Target IP: Single Host or Network: 127.0.0.1
    - Redirect Target Port: (other) 9040 (this is the Transparent TOR port)
    - Log: This is not recommended for this Lab, but enable if you wish
    - Description: Port forward to Tor
    - Filter rule association:
      - (default) add associated filter rule
    - Click Save
    - Click Apply changes
- Reboot the firewall
  - Power > Reboot > confirm
- Using your browser connect to https://check.torproject.org
  - You should see "Congratulations. This browser is configured to use Tor."

There is no longer Services > Web Proxy > Administration in the OPNsense menu.

At least not in community edition 24.1.10_3

https://docs.opnsense.org/manual/how-tos/proxytransparent.html refers to "Go to Services ‣ Web Proxy ‣ Administration"

Is there a way to enable the transparent proxy in 24.1.10_3?
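Added example, not from the original post or from the OPNsense project: a small Python script run from a PC on the LAN that checks the three things the rules above are meant to enforce: DNS to the firewall answers, DNS to any other resolver is dropped (the "Deny unsanctioned DNS" block rule), and outbound TCP comes out of a Tor exit. It builds and parses a minimal DNS A query itself so the second check can tell a real answer from a timeout. Assumptions: the firewall's LAN IP is passed on the command line, `9.9.9.9` is just a constructed example of an outside resolver, and `https://check.torproject.org/api/ip` returns JSON with an `IsTor` boolean (the HTML page on L87 has a JSON counterpart at that path; treat the field name as an assumption if it changes).

```python
#!/usr/bin/env python3
"""Lab-isolation check for the OPNsense + Tor transparent proxy setup (added example)."""
import json
import socket
import struct
import sys
import urllib.request

# Assumption: this endpoint returns {"IsTor": <bool>, "IP": "<exit ip>"}.
TOR_CHECK_URL = "https://check.torproject.org/api/ip"


def build_dns_query(name: str, txid: int = 0x1234) -> bytes:
    """Build a minimal recursive A query (RFC 1035 wire format) for `name`."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)  # RD set, 1 question
    qname = b"".join(bytes([len(lbl)]) + lbl.encode() for lbl in name.strip(".").split("."))
    return header + qname + b"\x00" + struct.pack("!HH", 1, 1)  # QTYPE=A, QCLASS=IN


def _skip_name(buf: bytes, pos: int) -> int:
    """Advance past a (possibly compressed) domain name and return the new offset."""
    while True:
        ln = buf[pos]
        if ln == 0:
            return pos + 1
        if ln & 0xC0 == 0xC0:  # compression pointer: two bytes, no terminator
            return pos + 2
        pos += 1 + ln


def parse_dns_answer(resp: bytes, txid: int = 0x1234) -> list[str]:
    """Return the IPv4 addresses from the answer section of a DNS response."""
    rid, flags, qd, an, _, _ = struct.unpack("!HHHHHH", resp[:12])
    if rid != txid or not flags & 0x8000:
        raise ValueError("not a response to our query")
    pos = 12
    for _ in range(qd):  # skip question section (name + QTYPE + QCLASS)
        pos = _skip_name(resp, pos) + 4
    ips = []
    for _ in range(an):
        pos = _skip_name(resp, pos)
        rtype, _rclass, _ttl, rdlen = struct.unpack("!HHIH", resp[pos:pos + 10])
        pos += 10
        if rtype == 1 and rdlen == 4:
            ips.append(socket.inet_ntoa(resp[pos:pos + 4]))
        pos += rdlen
    return ips


def dns_lookup(resolver: str, name: str, timeout: float = 3.0):
    """Query `resolver` on UDP/53. Returns a list of IPs, or None on timeout.
    A Block rule in OPNsense drops silently, so a timeout means the rule caught it."""
    txid = 0x1234
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        s.sendto(build_dns_query(name, txid), (resolver, 53))
        try:
            data, _ = s.recvfrom(512)
        except socket.timeout:
            return None
    return parse_dns_answer(data, txid)


def tor_check_result(body: str) -> bool:
    """Interpret the JSON body of the Tor check service."""
    return bool(json.loads(body).get("IsTor", False))


def check_tor(url: str = TOR_CHECK_URL, timeout: float = 30.0) -> bool:
    with urllib.request.urlopen(url, timeout=timeout) as r:
        return tor_check_result(r.read().decode())


def run_lab_checks(firewall_ip: str, outside_resolver: str = "9.9.9.9") -> dict:
    """Pass/fail for each property; all three must be True for the lab to be isolated."""
    results = {
        "dns_via_firewall": bool(dns_lookup(firewall_ip, "example.com")),
        "outside_dns_blocked": dns_lookup(outside_resolver, "example.com") is None,
    }
    try:
        results["tcp_via_tor"] = check_tor()
    except Exception as exc:  # no route, TLS error, or the port forward is missing
        print(f"tor check failed: {exc}", file=sys.stderr)
        results["tcp_via_tor"] = False
    return results


if __name__ == "__main__":
    fw = sys.argv[1] if len(sys.argv) > 1 else "192.168.1.1"  # constructed default
    for check, ok in run_lab_checks(fw).items():
        print(f"{check:22s} {'PASS' if ok else 'FAIL'}")
```

Run it as `python3 labcheck.py <firewall LAN IP>`; if "outside_dns_blocked" fails, the deny rule is below something that passes DNS, and if "tcp_via_tor" fails while the browser test on check.torproject.org works, look at the NAT rule's interface selection first.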

System > Firmware > Plugins

Install the os-squid plugin.
Deciso DEC750
People who think they know everything are a great annoyance to those of us who do. (Isaac Asimov)