Transparent access to .onion websites

This is a very basic setup but I’m sharing mine in hopes of saving someone a bunch of googling.

<insert the usual drill about TOR and anonymity and why it’s important>

So my goal was not to anonymize my every move, but rather to be able to key in an *.onion website into the URL bar of any device on the local network and have that delivered transparently. I happen to own a fancy Asus router with AsusWRT-Merlin on board, but the approach should work on pretty much any Linux box that can route traffic.

Step 1: Get TOR installed. Use the package manager available for your router/Linux box. Here’s my config from the router:

SocksPort 9050
Log notice file /tmp/torlog
VirtualAddrNetwork 10.192.0.0/10
AutomapHostsOnResolve 1
TransPort 9040
TransListenAddress 192.168.1.1
DNSPort 9053
DNSListenAddress 192.168.1.1
RunAsDaemon 1
DataDirectory /tmp/.tordb
AvoidDiskWrites 1

A client must first request the domain to be resolved through TOR’s DNS (which in our case will be available at 192.168.1.1:9053). TOR will respond with an address from the 10.192.0.0/10 subnet. The browser will then attempt to connect to said IP address, which our router should intercept and redirect to 192.168.1.1:9040.

Step 2: Figure out DNS resolution. We want to resolve *.onion domains through TOR and resolve everything else through our regular DNS server. My router uses dnsmasq, so adding this line to the config file should do the trick:

server=/.onion/192.168.1.1#9053

Kill and restart dnsmasq for this to take effect.

Step 3: Intercept and redirect. Easy:

iptables -t nat -A PREROUTING -d 10.192.0.0/10 -i br0 -p tcp -m tcp -j REDIRECT --to-ports 9040

At this point you should be able to open an *.onion website in your browser and see it just work!
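Before trusting the setup, it is worth confirming that .onion lookups are actually answered by Tor's DNSPort and land inside VirtualAddrNetwork, because that is the only traffic the REDIRECT rule will catch. The script below is an added example, not part of the original post; it assumes the values from the config above (10.192.0.0/10, 192.168.1.1, port 9053) and runs its checks on constructed sample answers, with a live drill query only if drill is installed.

```sh
#!/bin/sh
# Added example, not from the original post: checks that .onion names are
# really answered by Tor's DNSPort. Values assumed from the post's config:
VIRTUAL_NET="10.192.0.0/10"   # VirtualAddrNetwork
TOR_DNS="192.168.1.1"         # DNSListenAddress
TOR_DNS_PORT=9053             # DNSPort

# Dotted-quad IPv4 -> 32-bit integer (subshell so IFS is not clobbered).
ip2int() {
    ( IFS=.; set -- $1; echo $(( ($1 << 24) | ($2 << 16) | ($3 << 8) | $4 )) )
}

# Return 0 if IPv4 $1 lies inside CIDR $2, otherwise 1.
in_cidr() {
    net=${2%/*}; bits=${2#*/}
    mask=$(( 4294967295 ^ ((1 << (32 - bits)) - 1) ))
    [ $(( $(ip2int "$1") & mask )) -eq $(( $(ip2int "$net") & mask )) ]
}

# Print the first A-record address in dig/drill-style output read from stdin.
answer_a_record() {
    awk '$3 == "IN" && $4 == "A" { print $5; exit }'
}

# Classify a resolver answer for an .onion name:
#   tor  - A record inside VirtualAddrNetwork: Tor mapped it, REDIRECT will catch it
#   leak - A record outside it: the query was answered by a non-Tor resolver
#   none - no A record at all (NXDOMAIN, or an AAAA-only answer like the one
#          quoted in the comment below)
classify_onion_answer() {
    addr=$(printf '%s\n' "$1" | answer_a_record)
    if [ -z "$addr" ]; then echo none
    elif in_cidr "$addr" "$VIRTUAL_NET"; then echo tor
    else echo leak
    fi
}

# Constructed sample answers (the AAAA one mirrors the comment below).
SAMPLE_TOR=';; ANSWER SECTION:
facebookcorewwwi.onion. 60 IN A 10.205.33.17'
SAMPLE_LEAK='facebookcorewwwi.onion. 60 IN A 203.0.113.10'
SAMPLE_AAAA='facebookcorewwwi.onion. 60 IN AAAA fe8c:bf3e:e12e:dd9:b6e3:e2f5:e14f:577c'

# Live check against the router, only when drill is installed.
if command -v drill >/dev/null 2>&1; then
    echo "live: $(classify_onion_answer "$(drill facebookcorewwwi.onion A @$TOR_DNS -p $TOR_DNS_PORT)")"
fi
```

A result of "leak" means the dnsmasq server= line is not taking effect and the name went to your regular resolver; "none" is what an AAAA-only answer produces.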

Step 4: Making the changes persistent. This one will depend on how your router firmware handles that. For mine, I created two new files in the persistent partition (a.k.a. JFFS).

/jffs/configs/dnsmasq.conf.add:

server=/.onion/192.168.1.1#9053

/jffs/scripts/nat-start:

#!/bin/sh
iptables -t nat -A PREROUTING -d 10.192.0.0/10 -i br0 -p tcp -m tcp -j REDIRECT --to-ports 9040

And finally:

chmod a+rx /jffs/scripts/*

That’s it. Read more on user scripts in AsusWRT-Merlin here if you feel like it.

One thought on “Transparent access to .onion websites”

  1. Do you have this working on an IPv6 network? With the above configuration, connecting to .onion sites fails because browsers are searching for AAAA and A DNS records and Tor is returning IPv6 addresses that don’t resolve to anything. IPv4 works fine:

    brody@BRODYS-RTAC3100:/# drill facebookcorewwwi.onion A @192.168.1.1 -p 9053
    ;; ->>HEADER<<- opcode: QUERY, rcode: NOERROR, id: 59904
    ;; flags: qr rd ra ; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 0
    ;; QUESTION SECTION:
    ;; facebookcorewwwi.onion. IN AAAA

    ;; ANSWER SECTION:
    facebookcorewwwi.onion. 60 IN AAAA fe8c:bf3e:e12e:dd9:b6e3:e2f5:e14f:577c

    ;; AUTHORITY SECTION:

    ;; ADDITIONAL SECTION:

    ;; Query time: 0 msec
    ;; SERVER: 192.168.1.1
    ;; WHEN: Fri Jan 27 04:42:54 2017
    ;; MSG SIZE rcvd: 68

    Visiting the IP in the A record correctly displays the .onion site, whereas the AAAA host does not exist.
