Tor Configuration

[nasheayahu]

Transparent Port

I'm following Tor Configuration guide, but it left out an example of how to create the NAT rule for this Port.  Has anyone put together a complete tutorial on this or know of one?

[cmanzur]

Suppose you have:
- 1 machine in LAN. Its gateway it the OPNSENSE. The network is 192.168.0.0/24
- 1 OPNSense with 2 interfaces: LAN & WAN

Go to SERVICES -> TOR -> Configuration
- Check Enable
- SOCKS Port Number: 9050
- Control Port: 9051
- Check Enable Transparent Proxy
- Transparent Port: 9040

Go to SERVICES -> TOR -> SOCKS Proxy ACL
Add 2 ACL:

- Protocol IPv4
- Network: 127.0.0.1/32
- Action: Accept

- Protocol IPv4
- Network: 192.168.0.0/24  (here your LAN network)
- Action: Accept

Click "Reload Service" button

Go to FIREWALL -> NAT -> PORT-FORWARD
Add the following rule:
- Interface: LAN
- Source: LAN Net
- Destination: ANY
- Destination Port: ANY
- Redirect Target IP: Single Host or Network: 127.0.0.1
- Redirect Target Port: 9040 (this is the Transparent TOR Port)

Click "APPLY CHANGES" button

How to test?
Login into machine (on LAN) and run:
curl ifconfig.me
The output should be an TOR network IP.

If you disable the PORT-FORWARD rule you should see you normal IP.

Of course, depending on your LAN configuration maybe you must add more FW rules.

[nasheayahu]

Hi cmanzur,

Doing so many projects I delayed in completing this one.  Will set some time this week to do this and will get back with you.  This is one of our top priorities.

Thanks for you help!...

[McFarTech]

Hi.

Did you ever get this working? I am looking to do the same. I have a certain network range / vlan on my OpnSense that i would like to alway go out via Tor. No matter what i do i just can get this to work

[TommyTran732]

This works for me.

One thing missing in the instruction is that you also need to NAT port 53 TCP/UDP on the interface used for Tor to 127.0.0.1:9053 to prevent DNS leaks.

Oh, and the 127.0.0.1 Socks ACL seems unnecessary.

[rabo]

This works for me.

One thing missing in the instruction is that you also need to NAT port 53 TCP/UDP on the interface used for Tor to 127.0.0.1:9053 to prevent DNS leaks.

Oh, and the 127.0.0.1 Socks ACL seems unnecessary.

Hello tommy, does tor work for you?

Can you help me?

I have done everything as above, but it does not work.

Can you give me a short instruction how to change something?

What to do here "One thing missing in the instruction is that you also need to NAT port 53 TCP/UDP on the interface used for Tor to 127.0.0.1:9053 to prevent DNS leaks.", exactly?

Thanks

[WaleCanaty]

I ran into the same issue with setting up the NAT rule for a transparent port while following a Tor Configuration guide. It’s a bit tricky, isn’t it? I found myself stumbling through various resources and eventually came across The Hidden Wiki. Surprisingly, it had some useful links and advice on network configurations that weren't immediately obvious in other tutorials. It was like finding a helpful breadcrumb trail. If anyone has a detailed guide or more insights, I’d love to hear about it.

[eldee]

Thank you, this worked for me. I can now protect a subset of my LAN with this approach 192.168.15.0/24, and with TommyTran732 suggestion, I confirm I do not see DNS leaks.

Question: Does anyone know how to configure Tor Browser to use the OPNSense Tor transparent proxy? I'd like to avoid to have Tor Browser establish a Tor connection within the Tor connection already provided by OPNSense.

[erica.vh]

How would you set it up to have only a few user going through TOR and not others ?
Like device3 on LAN1, and device 2,3,4 on LAN2 and device5 on LAN3
All other devices goes straight to "normal" NAT ?

[eldee]

How would you set it up to have only a few user going through TOR and not others ?
Like device3 on LAN1, and device 2,3,4 on LAN2 and device5 on LAN3
All other devices goes straight to "normal" NAT ?

My LAN uses a broader set of IPs (192.168.0.0/15), but I don’t want to have all client on that LAN to go through Tor. So I configured it to only have clients with IPs on 192.168.15.0/24 subnet to go through the Tor tunnel.

In my case there is only one single LAN (and no VLANs). To make it work, I just set up DNAT (port forward) for hosts  with source in the subnet 192.168.15.0/24 to redirect to target ip 127.0.0.1 and port 9040 ( plus another rule similar to this one but for the DNS to port 9053).

Hope that helps.

Do you folks have a pointer for me on how to resolve the question on Tor browser?

Question: Does anyone know how to configure Tor Browser to use the OPNSense Tor transparent proxy? I'd like to avoid to have Tor Browser establish a Tor connection within the Tor connection already provided by OPNSense.