OPNsense with Tor with transparent proxy

Started by Labber53, July 14, 2024, 06:40:09 PM

BLUF: can't get Tor and transparent proxy working again

Some time ago I had OPNsense working with transparent proxy and Tor to isolate my Lab.

I just rebuilt everything on XCP-ng instead of ESXi. I lost the password to my OPNsense VM, so I am re-creating from scratch and writing a Tutorial on how I did it. My intention is to post it in the Tutorials section.

I'm stuck. Anyone have a link or a tutorial for the latest version of OPNsense?

Here is what I have so far if you want to play along and help fix it. Simple firewall WAN, LAN. configure/test from a PC on the LAN.

1. Log in to firewall via https
2. System > Firmware > Plugins
  -  os-tor - click "+" to install
3. Refresh the page
4. Click Services > Tor > Configuration
  - General Tab
    - Enable: Yes
    - Listen Interfaces: LAN
    - Enable Advanced Mode
      - Check Enable Transparent Proxy
      - Confirm SOCKS port number: 9050
      - Confirm Control Port: 9051
      - Confirm Transparent port: 9040
      - Confirm Transparent DNS port: 9053
  - Click Save
5. Firewall > Rules > LAN
  - Add rule to top of policy
    - Action: Pass
    - Quick: Checked
    - Interface: LAN
    - Direction: in
    - TCP/IP Version: IPv4
    - Protocol: TCP/UDP
    - Source: LAN net
    - Destination: This Firewall
    - Destination port range: From 53 to 53 (DNS)
    - Log: This is not recommended for this Lab, but enable if you wish
    - Description: Allow DNS to firewall
    - Click Save
    - Move the new rule to the top if necessary
      - Put a Check next to new rule Allow DNS to Firewall
      - Click the arrow icon to the right of the first rule to move it to the top
    -  Allow LAN net to This Firewall IP for TCP/IP DNS
  -  Add a second rule just below it
    - Action: Block
    - Quick: Checked
    - Interface: LAN
    - Direction: in
    - TCP/IP Version: IPv4
    - Protocol: TCP/UDP
    - Source: LAN net
    - Destination: any
    - Destination port range: From 53 to 53 (DNS)
    - Log: This is not recommended for this Lab, but enable if you wish
    - Description: Deny unsanctioned DNS
    - Click Save
    - Move the new rule below the first rule if necessary
      - Put a Check next to new rule Deny unsanctioned DNS
      - Click the arrow icon to the right of the second rule to move it to the second position
    -  Allow LAN net to This Firewall IP for TCP/IP DNS
  - Click Apply Changes
6. Firewall > NAT > Port Forward
  - Add rule
    - Click the "+" to add a rule
    - Interface: LAN (be sure you ONLY select LAN)
    - TCP/IP Version: IPv4
    - Protocol: TCP (TOR rejects UDP packets except for DNS requests)
    - Source: LAN net
    - Source port range: any
    - Destination: ANY
    - Destination Port: ANY
    - Redirect Target IP: Single Host or Network: 127.0.0.1
    - Redirect Target Port: (other) 9040 (this is the Transparent TOR port)
    - Log: This is not recommended for this Lab, but enable if you wish
    - Description: Port forward to Tor
    - Filter rule association:
      - (default) add associated filter rule
    - Click Save
    - Click Apply changes
- Reboot the firewall
  - Power > Reboot > confirm
- Using your browser connect to https://check.torproject.org
  - You should see "Congratulations. This browser is configured to use Tor."

There is no longer Services > Web Proxy > Administration in the OPNsense menu.

At least not in community edition 24.1.10_3

https://docs.opnsense.org/manual/how-tos/proxytransparent.html refers to "Go to Services ‣ Web Proxy ‣ Administration".

Is there a way to enable the transparent proxy in 24.1.10_3?

System > Firmware > Plugins

Install the os-squid plugin.
Deciso DEC750
People who think they know everything are a great annoyance to those of us who do. (Isaac Asimov)

This is the build for OPNsense 25.7.5. This successfully creates an isolated test lab behind a firewall where traffic can only egress via Tor.

Setup:
1. Simple firewall WAN, LAN. configure/test from a PC on the LAN. All in proxmox 9.
2. proxmox vbr0 (dhcp) for the WAN, which connects to a lab network for access to the Internet
3. proxmox vbr1 (192.168.101.254/24) for the LAN, which is the secured network
4. Put a VM with a web browser on vbr1

Configuration:
0. WAN interface is vtnet0, LAN is vtnet1
1. Initial setup wizard https://192.168.101.254
- Hostname: isolationfw
- Domain: proxmox.lab
- DNS: 8.8.8.8 and 8.8.4.4 (unfiltered DNS)
- _Uncheck_ override DNS
- WAN DHCP, _uncheck_ block RFC1918 private networks since the lab is also private address space
- LAN review and click next
- update root password or leave the same and click next
2. Update: System > Firmware > Status > Check for Updates, apply and reboot (optionally install plugin os-qemu-guest-agent for proxmox and enable qemu agent in proxmox)
3. Test normal Internet access from the VM behind the firewall (web pages, nslookup, etc.)
4. Disable Internet and DNS
- Firewall > Rules > LAN
- Change the IPv4 rule to be a Block action
- Change the IPv6 rule to be a Block action
- Click Apply changes
5. Confirm that Internet browsing fails and that nslookup from the command line also fails (i.e., 'nslookup google.com' times out)
6. Configure Tor
This provides some anonymity, if done correctly
- Configure the firewall to transparently proxy Internet traffic over Tor
- Be careful to configure DNS correctly to forward over Tor so your DNS traffic is not leaked
- You may choose to configure the firewall to instead use a VPN service; be mindful of the terms and conditions and that in some cases they will surrender details of your activity under court order
- System > Firmware > Plugins
- Check Show community plugins, install os-tor
- Refresh the page
- Services > Tor > Configuration
- General tab: Enable : yes, listen on LAN (only)
- Enable advanced mode, check Enable Transparent Proxy
- Click Save
- SOCKS Proxy ACL tab: Add acl IPv4, network 192.168.101.0/24, accept, save, reload service
7. Configure firewall
- Firewall > NAT > Port Forward
- Add rule Allow interface LAN IPv4 TCP/IP LAN Net to destination any port DNS, redirect target IP 127.0.0.1 redirect target port other 9053 description Tor for DNS
- Add rule below (at end) Allow interface LAN IPv4 TCP LAN Net to destination any port any, redirect target IP 127.0.0.1 redirect target port other 9040 description Tor for tcp traffic
- Firewall > Rules > LAN
- Move the automatic rules to the TOP
- First port 9053 rule
- Next port 9040 rule
- Followed by the block rules
- Click Save
- Click Apply changes
- Reboot the firewall
8. Test from the test VM
- Internet browser works
- nslookup works
- Using your browser connect to https://check.torproject.org
- You should see "Congratulations. This browser is configured to use Tor."

Checking for leaks. Log in to the OPNsense firewall.
WAN interface is vtnet0, LAN is vtnet1

DNS leak test
- tcpdump -nni vtnet0 port 53
Test nslookup and web browsing from the test VM. It succeeds. There should be nothing in the packet capture: the traffic is on vtnet1 but never leaks onto vtnet0.

ICMP leak test
- tcpdump -nni vtnet0 icmp
Test ping to the Internet. It fails. There should be nothing in the packet capture.

UDP leak (Tor does only TCP, with UDP 53 for DNS) (remember to use a VPN if you need UDP)
- tcpdump -nni vtnet0 proto 17 and port 443
Install Chrome browser, use chrome://flags to Enable Experimental QUIC protocol, relaunch Chrome and visit google.com
The firewall will log drops but nothing will show in the packet capture.
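As an added example (not code from any post in this thread), the three WAN-side leak tests above, and the DNS/transparent-port setup from the opening post, can be checked in one pass: feed `tcpdump -nn -l` output from the WAN interface (vtnet0) into this script and it flags anything that should never leave a Tor-only firewall. It assumes the standard `tcpdump -nn` IPv4 line format and that, since Tor egress is TCP only, every ICMP, port-53 or UDP packet seen on the WAN is a leak; the capture lines below are constructed sample data.

```python
import re
import sys
from collections import Counter

# Constructed sample of "tcpdump -nni vtnet0" output: two TCP flows to Tor
# relays (expected), a DNS query, an ICMP echo, and a QUIC (UDP/443) packet.
SAMPLE_CAPTURE = """\
12:00:01.000001 IP 203.0.113.10.41234 > 198.51.100.7.9001: Flags [S], seq 1, win 65535, length 0
12:00:01.100002 IP 203.0.113.10.41235 > 198.51.100.8.443: Flags [P.], seq 1:100, ack 1, win 512, length 99
12:00:02.000003 IP 203.0.113.10.50123 > 8.8.8.8.53: 12345+ A? example.com. (29)
12:00:03.000004 IP 203.0.113.10 > 192.0.2.1: ICMP echo request, id 7, seq 1, length 64
12:00:04.000005 IP 203.0.113.10.60000 > 142.250.72.46.443: UDP, length 1250
"""

# IPv4 tcpdump line: timestamp, "IP", src > dst: protocol details.
LINE_RE = re.compile(r"^\S+ IP (\S+) > (\S+?): (.*)$")

def split_endpoint(ep):
    """Split 'a.b.c.d.port' into (host, port); a bare address has port None."""
    host, _, port = ep.rpartition(".")
    if port.isdigit() and host.count(".") == 3:
        return host, int(port)
    return ep, None

def classify(line):
    """Leak category for one line, or None when it is expected Tor egress (TCP)."""
    m = LINE_RE.match(line)
    if not m:
        return "unknown"
    src, dst, info = m.groups()
    _, sport = split_endpoint(src)
    _, dport = split_endpoint(dst)
    if info.startswith("ICMP"):
        return "icmp"              # ping/traceroute never go over Tor
    if 53 in (sport, dport):
        return "dns"               # should have been redirected to port 9053
    if info.startswith("UDP"):
        return "quic" if dport == 443 else "udp"  # Tor carries no UDP
    if info.startswith("Flags ["):
        return None                # TCP: Tor's own connections to guards
    return "unknown"

def find_leaks(capture):
    """Count leak categories over a whole capture; expected TCP is not counted."""
    counts = Counter(c for c in map(classify, capture.splitlines()) if c)
    return dict(counts)

if __name__ == "__main__":
    text = SAMPLE_CAPTURE if sys.stdin.isatty() else sys.stdin.read()
    print(find_leaks(text) or "no leaks seen on WAN")
```

Run it on the firewall as `tcpdump -nni vtnet0 -l | python3 leakcheck.py` while exercising the test VM; an empty result means only Tor's TCP connections left the WAN.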