An ethernet Tor box

You are without doubt already familiar with the Tor project. The Tor browser is already a very handy tool to surf anonymously, but what if we had an entire network’s traffic forwarded through Tor via a special gateway? Let’s transform a tiny router in a transparent Tor proxy, a portable wifi access point redirecting all traffic to the Tor network!


Let’s begin with a short presentation of one of my favorite hackable network devices: the TL-MR3020.

The portable 3G/4G wireless N router TL-MR3020 from TP-Link
The portable 3G/4G wireless N router TL-MR3020 from TP-Link

Despite being marketed as a portable 3G/4G wireless N router, it does not possess any kind of mobile telecommunication interface. Instead, it’s a very small and cheap router featuring a 802.11n 150Mbps wifi interface, a 100Mbps ethernet port, and a USB port. It is powered over a mini-B USB port and it has an extremely low power consumption with an average current draw around 120mA at 5V, i.e. 600mW. Its hardware is pretty limited: an Atheros AR9331 SoC with a 400MHz MIPS processor, 32MB of RAM, and 4MB of flash memory.

The preliminary step for our Tor box is to install OpenWRT (this example uses Barrier Breaker) so we have a full-featured Linux system on it. Once OpenWRT is installed, connect to its wifi network and ssh into the router.

Tor software is available as a package for opkg, OpenWRT’s package manager. However, the 4MB flash memory is way too small to install it, so we need to get more space for packages installation. The easiest way to do so is to move the root file system overlay on an external device, e.g. a USB key.

First, format a USB key as ext4 on another computer and plug it in the router. We can then mount the filesystem (we need to install some packages for the proper kernel modules) and copy the overlay partition content there:

# opkg update
# opkg install kmod-usb-storage kmod-fs-ext4 block-mount
# mkdir /mnt/usb
# mount /dev/sda1 /mnt/usb
# tar -cf -C /overlay - . | tar -xf -C /mnt/usb -

Using tar to copy entire filesystems is always a good habit to keep everyting intact, e.g. permissions and links. What tar actually does here basically boils down to converting the entire filesystem in a stream of bytes, then converting the stream of bytes in a filesystem. Then, modify /etc/config/fstab by adding a new entry for the USB key:

Eventually, reboot the system, so the USB key will be mounted on /overlay:
# reboot

We can now install Tor:
# opkg update
# opkg install tor

We first configure the wireless interface:

Then we set up the network. The LAN uses the address range and the router interface uses

Then we modify the firewall to disable forwarding between LAN and WAN:

We need to add two custom iptables lines in /etc/firewall.user to redirect DNS requests and TCP connections from the LAN to the Tor daemon. Other kinds of traffic, for instance other protocols over UDP, won’t be routed to the WAN, and will simply be rejected. This restrictive configuration prevents attacks like WebRTC leak. However, don’t expect non purely TCP-based protocols like VoIP or BitTorrent to work behind the Tor box.

Eventually, we have to configure the Tor daemon itself in /etc/tor/torrc:

Everything is now ready, let’s enable the Tor daemon and reboot! For some strange reason the daemon won’t start with /etc/init.d/tor enable, so the easiest way is to start it from /etc/rc.local:

# reboot

After a short while, you can surf through Tor with any device simply by connecting to the wifi network. If something is wrong, check /var/log/tor/notices.log. Hidden services and .onion addresses are available, of course.

Remember that you are responsible for what you do, and that anonymity is not garanteed just by using Tor. At least, be sure you’re not logged in on web services, use private mode, enable TLS whenever possible, and stay paranoid. Just because you’re paranoid doesn’t mean they’re not after you!

3 thoughts on “An ethernet Tor box”

  1. hi mate,

    nice post about to put this service on small toy from TP-LINK.

    one small questions for you.

    if i put usb flash drive in to usb port as extra storage and if i want to make 3G internet connection to use it over this device, how i can then connect USB 3G modem to this device at same time with this usb based storage?

    did you try to use any small usb hub and connect usb flash drive and 3G modem at same time to this device? if is possible can you review it and update this nice post ?

    Thanks in advance.

  2. why are you specifying a nickname, Relaybandwidthrate and Exitpolicy?
    none of that is necessary unless you configure tor as a relay (which is not the case in your setup)

    1. You are right. At first I used a relay configuration but then removed the ORPort directive, so I guess the remaining configuration is useless now. It can’t hurt, though.

Leave a Reply

Your email address will not be published. Required fields are marked *