Tutorial [SOLUTION] Asuswrt-Merlin Tor via Bridge, Device, Browser, Entry (Guard)/Middle (Non-Exit) Relay, and Device/Browser/Relay Hybrid Implementations

Do the browsers work using 192.168.50.1:9050?
Yes... Microsoft Edge and Firefox work using the proxy. The Tor browser will not. I cannot get the proxy to work IF I am also trying to relay. I never get a listening port at 192.168.50.1:9050.
I'm not sure I understand your statement... "I cannot get the proxy to work IF I am also trying to relay." From your previous netstat output, it shows that 192.168.50.1:9050 is listening and that there are connections.
I will try the relay configuration leaving the SocksPort statement commented out and see if the relay lists by the end of the week. My ISP is a "new" fiber provider established under the US "internet everywhere" policy that extends internet access into rural areas. There are some quirky things I have noticed that have given me the impression they may not be implementing best practices, like upload speed greater than download speed, and it has never reported symmetrical stats (download = upload).
A new Tor instance can take a week or two to ramp-up, so give it some time to show statistics. However, you might want to confirm that your port 9001 (or whatever you configured it to be) is externally available: telnet <Public_IP_Address> 9001.

P.S. What version of Tor is running on your router? You can alternatively install Tor via Entware on the same router for what is likely a more recent version.
 
To clarify, using only the short torrc.postconf to enable browser proxy all the necessary ports were in netstat with the correct IP addresses. However, if I used the longer relay torrc.postconf, I was not getting the relay to work OR getting the browser proxy RouterIP:port listening.

I found a short notation on a Tor discussion board, so I gave it a shot.
Changed the torrc ORPort entry from: ORPort xxx.xxx.xxx.xxx:443
to simply: ORPort 443
Now I have wan-IP:443 in listening status and my torlog shows my relay is attempting to be confirmed but failing. The router LAN IP is listening at 9050 for proxy as well.

Message in the log after 100% bootstrap:
May 04 23:37:55.000 [notice] Now checking whether IPv4 ORPort 10.38.186.106:443 is reachable... (this may take up to 20 minutes -- look for log messages indicating success)
May 04 23:57:59.000 [notice] Relays do not publish descriptors until their ORPort and DirPort are reachable

I have a big BAN list in skynet so that is probably the first thing to look into - any recommendations on what to remove and what to keep?

firewall ban country "ru cn kp ir iq sa ae pk af az ba bg hr cu cz eg ee ge va hu id in il kz kw kg lv md om qa ro rs sk si sy tr ua uz"
 
The inability to confirm your ORPort is listening is definitely the issue. It's typically related to a firewall or NAT problem. In your case... I believe it is a firewall issue.

I don't use Skynet, so I can't give you much guidance there.

You may try adding the following to your /jffs/scripts/firewall-start script:

Code:
iptables -I INPUT -p tcp --dport 443 -j ACCEPT

That should ensure port 443 is allowed through the standard router firewall.
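Added example (not code from this thread or from the Asuswrt-Merlin project): a firewall-start fragment that adds the ACCEPT rule above only when it is not already present, plus a helper that reads the ORPort self-test result out of /tmp/torlog. It assumes firewall-start is re-run on every firewall restart; the IPTABLES variable and the constructed sample_log lines exist only so the functions can be exercised without root.

```shell
#!/bin/sh
# Added example: idempotent ORPort rule for /jffs/scripts/firewall-start plus a
# torlog reachability check. Not from the thread; IPTABLES is an illustrative
# override so ensure_orport_open can be exercised without root.

# Insert "ACCEPT tcp dport N" at the head of INPUT unless an identical rule
# already exists. firewall-start runs again on every firewall restart, so a
# plain "iptables -I" would stack a duplicate each time; "-C" tests first.
ensure_orport_open() {
    port="$1"
    ipt="${IPTABLES:-iptables}"
    if "$ipt" -C INPUT -p tcp --dport "$port" -j ACCEPT 2>/dev/null; then
        return 0
    fi
    "$ipt" -I INPUT -p tcp --dport "$port" -j ACCEPT
}

# Summarise the ORPort self-test from a Tor log file as one word:
#   reachable   - Tor confirmed the port and is publishing a descriptor
#   unreachable - Tor is still refusing to publish because the port was not confirmed
#   pending     - neither message seen yet (the self-test can take 20 minutes)
orport_status() {
    if grep -q 'is reachable from the outside' "$1"; then
        echo reachable
    elif grep -q 'Relays do not publish descriptors until their ORPort' "$1"; then
        echo unreachable
    else
        echo pending
    fi
}

# Constructed log lines (modelled on the messages quoted in this thread) for
# trying orport_status offline:  sample_log ok | fail | wait
sample_log() {
    echo 'May 05 13:28:29.000 [notice] We now have enough directory information to build circuits.'
    case "$1" in
        ok)   echo 'May 05 13:30:00.000 [notice] Self-testing indicates your ORPort 203.0.113.5:443 is reachable from the outside. Excellent. Publishing server descriptor.' ;;
        fail) echo 'May 04 23:57:59.000 [notice] Relays do not publish descriptors until their ORPort and DirPort are reachable' ;;
    esac
}

# On the router:  ensure_orport_open 443; orport_status /tmp/torlog
```

iptables -I places the rule at the head of INPUT, so it is evaluated before any ban chains a script such as Skynet has inserted; iptables -S INPUT shows the resulting order. The self-test connection arrives from another Tor relay, so that ordering is what decides whether the inbound connection is accepted.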
 
May 05 13:28:29.000 [notice] We now have enough directory information to build circuits.
May 05 13:30:00.000 [notice] Self-testing indicates your ORPort 10.38.186.106:443 is reachable from the outside. Excellent. Publishing server descriptor.

:p YAY!!! The iptables command did the trick!
 
Way to persevere! Thanks for being a Tor Relay operator!

One word of caution... If this is your home network, you might consider converting your Tor Relay to a Tor Bridge (obfs4proxy), so your financial institution, etc doesn't start blocking your access.

It will save you a lot of headaches and pain down the road.

Great Work!
 
I'm listed as a relay, and I'm going to try to get through the new guard process to see how much load this actually generates. If I do get blocked, I will request a new ONT from my ISP, so my IP gets changed. Hopefully that doesn't happen.

Lifecycle of a New Relay

I will look into what needs to be changed to become a bridge. Thanks for all your help. I learned a lot about networking and TOR (more questions than answers on that topic) on this project!

 
I'm happy to help anyone who is willing to stick with it. It helps that you seem to be a quick study.

Sounds like a good plan.

Again... Great Work!
 
I'm not going to be able to wait out the new relay lifecycle. Everyone in the family is having login issues - for now just medical entities...so...tell me more about obfs4proxy.
 
Ouch! That was quick! Sorry to hear you're already experiencing the ill effects of becoming a Tor Middle Relay.

You should continue with your original plan:

1. You'll need to install/use the version of tor and obfs4proxy provided by Entware on your Asuswrt-Merlin router. obfs4proxy obscures and bridges the connections to tor. There are a few lines of code in my example postconf file that check for the default Asuswrt-Merlin tor instance, shut it down, and start the Entware version of tor. I believe my obfs4proxy entries are included in the original postconf code snippets. If not... Let me know and I'll provide them to you. As an obfs4proxy bridge, you will become a de-facto guard relay.

2. Once you have obfs4proxy successfully working, you should contact your ISP, and request that they provide you with a new IP Address.

Keep up the great work! I know you can do it!
 
Well, here are my questions after poking around most of the day.
1 - TOR support is divided into Linux flavors. What flavor is Asus Merlin considered?
2 - I installed the opkg obfs4 package, but I cannot get a process to start and establish a listening port. What lines need to be added to torrc.postconf?
In all of my wanderings I have NOT found a single example of a torrc.postconf using this format with $CONFIG

pc_insert "SocksPort 9050" "Nickname DimanASUSWRTMerlinRelay" $CONFIG
pc_insert "Nickname DimanASUSWRTMerlinRelay" "ORPort ${DYNIPADDR}${PORT}" $CONFIG
pc_delete "SocksPort 9050" $CONFIG
pc_insert "ORPort ${DYNIPADDR}${PORT}" "SocksPort 9050" $CONFIG
pc_insert "SocksPort 9050" "ExitRelay 0" $CONFIG
pc_insert "ExitRelay 0" "DirCache 0" $CONFIG
 
1. The default Tor implementation would be of the Asuswrt-Merlin linux flavor. If you install Entware's Tor, it would be of the Entware linux flavor.

2. As an example, I've included a recent Tor Bridge postconf. I have Nginx installed on my primary router load-balancing external port 443 to a Tor Bridge Farm, so you won't necessarily need all the following options. However, it should give you a rough idea how to configure the obfs4proxy for a single instance in your torrc.postconf. You will need to change Nickname, ORPorts, and Directory Paths. Refer to the Asuswrt-Merlin documentation on postconf files for the $CONFIG reference.

Code:
# cat /jffs/scripts/torrc.postconf
#!/bin/sh
CONFIG=$1
DYNIPADDR=$(/opt/bin/dig +short myip.opendns.com @resolver1.opendns.com)
HOSTIPADDR=$(hostname -i)
HOSTOCTET=$(echo "$HOSTIPADDR" | grep -ioE "([0-9]{1,3})$");
source /usr/sbin/helper.sh

# Tor: A non-exit relay should be able to handle 7000 concurrent connections
#ulimit -n 7168
ulimit -n 65535

# Use the discovered public address only if it is not RFC 1918 private space;
# a private address is dropped rather than glued onto the port (which would yield "ORPort 10.x.y.z443").
if [ "$DYNIPADDR" != "" ]; then
    if echo "$DYNIPADDR" | grep -qioE "(^10\.)|(^172\.1[6-9]\.)|(^172\.2[0-9]\.)|(^172\.3[0-1]\.)|(^192\.168\.)"; then DYNIPADDR=""; else DYNIPADDR="${DYNIPADDR}:"; fi
fi
if [ "$HOSTIPADDR" != "" ]; then HOSTIPADDR="${HOSTIPADDR}:"; fi
if [ "$HOSTOCTET" != "" ]; then if [ $(echo -n "$HOSTOCTET" | wc -c) -eq 3 ]; then HOSTPORT="${HOSTOCTET}"; elif [ $(echo -n "$HOSTOCTET" | wc -c) -eq 2 ]; then HOSTPORT="${HOSTOCTET}0"; else HOSTPORT="${HOSTOCTET}00"; fi fi

pc_insert "SocksPort 9050" "Nickname ChangeMe" $CONFIG
pc_insert "Nickname ChangeMe" "ORPort ${DYNIPADDR}443 NoListen" $CONFIG
pc_insert "ORPort ${DYNIPADDR}443 NoListen" "ORPort ${HOSTIPADDR}9001 NoAdvertise" $CONFIG
pc_delete "SocksPort 9050" $CONFIG
pc_insert "ORPort ${HOSTIPADDR}9001 NoAdvertise" "SocksPort 9050" $CONFIG
pc_insert "SocksPort 9050" "ExtORPort ${HOSTIPADDR}auto" $CONFIG
pc_insert "ExtORPort ${HOSTIPADDR}auto" "BridgeRelay 1" $CONFIG
pc_insert "BridgeRelay 1" "BridgeDistribution settings" $CONFIG
pc_insert "BridgeDistribution settings" "ServerTransportPlugin obfs4 exec /opt/bin/obfs4proxy -enableLogging" $CONFIG
pc_insert "ServerTransportPlugin obfs4 exec /opt/bin/obfs4proxy -enableLogging" "ServerTransportListenAddr obfs4 ${HOSTIPADDR}${HOSTPORT}1" $CONFIG
#pc_insert "ServerTransportListenAddr obfs4 ${HOSTIPADDR}${HOSTPORT}1" "DirCache 1" $CONFIG
pc_insert "ServerTransportListenAddr obfs4 ${HOSTIPADDR}${HOSTPORT}1" "ServerTransportOptions obfs4 iat-mode=2" $CONFIG
pc_insert "ServerTransportOptions obfs4 iat-mode=2" "DirCache 1" $CONFIG
#pc_insert "SocksPort 9050" "DirAuthority Faravahar orport=443 no-v2 v3ident=EFCBE720AB3A82B99F9E953CD5BF50F7EEFC7B97 154.35.175.225:80 CF6D0AAFB385BE71B8E111FC5CFF4B47923733BC" $CONFIG
#pc_insert "SocksPort 9050" "DirAuthority moria1 orport=9101 no-v2 v3ident=D586D18309DED4CD6D57C18FDB97EFA96D330566 128.31.0.34:9131 9695DFC35FFEB861329B9F1AB04C46397020CE31" $CONFIG
#pc_insert "SocksPort 9050" "DirAuthority longclaw orport=443 no-v2 v3ident=23D15D965BC35114467363C165C4F724B64B4F66 199.58.81.140:80 74A910646BCEEFBCD2E874FC1DC997430F968145" $CONFIG
###pc_insert "DirAuthority Faravahar orport=443 no-v2 v3ident=EFCBE720AB3A82B99F9E953CD5BF50F7EEFC7B97 154.35.175.225:80 CF6D0AAFB385BE71B8E111FC5CFF4B47923733BC" "FallbackDir 193.23.244.244:80 orport=443 id=7BE683E65D48141321C5ED92F075C55364AC7123" $CONFIG
###pc_insert "FallbackDir 193.23.244.244:80 orport=443 id=7BE683E65D48141321C5ED92F075C55364AC7123" "DirCache 0" $CONFIG
#pc_insert "DirAuthority Faravahar orport=443 no-v2 v3ident=EFCBE720AB3A82B99F9E953CD5BF50F7EEFC7B97 154.35.175.225:80 CF6D0AAFB385BE71B8E111FC5CFF4B47923733BC" "DirCache 0" $CONFIG
#pc_insert "DirAuthority moria1 orport=9101 no-v2 v3ident=D586D18309DED4CD6D57C18FDB97EFA96D330566 128.31.0.34:9131 9695DFC35FFEB861329B9F1AB04C46397020CE31" "DirCache 0" $CONFIG
#pc_insert "DirAuthority longclaw orport=443 no-v2 v3ident=23D15D965BC35114467363C165C4F724B64B4F66 199.58.81.140:80 74A910646BCEEFBCD2E874FC1DC997430F968145" "DirCache 0" $CONFIG
#pc_insert "SocksPort 9050" "DirCache 0" $CONFIG
pc_insert "DirCache 1" "ExitRelay 0" $CONFIG
pc_insert "ExitRelay 0" "GeoIPFile /opt/share/tor/geoip" $CONFIG
#pc_replace "Log notice file /tmp/torlog" "Log debug file /tmp/torlog" $CONFIG
pc_insert "Log notice file /tmp/torlog" "Log notice syslog" $CONFIG
pc_replace "DataDirectory /tmp/.tordb" "DataDirectory /tmp/tor/torrc.d/.tordb" $CONFIG
#pc_insert "DataDirectory /tmp/tor/torrc.d/.tordb" "AssumeReachable 1" $CONFIG
pc_append "ContactInfo tor-operator@domain.tld" $CONFIG
#pc_append "PublishServerDescriptor 0" $CONFIG

# Note: Tor's default MaxMemInQueues is 3/4 (i.e., 192MB) of Total System Memory (i.e., 256MB)
# Lower the value on the following line to make Tor use less System Memory (e.g., 128MB)
pc_insert "ExitRelay 0" "MaxMemInQueues 192 MB" $CONFIG
#pc_insert "ExitRelay 0" "MaxAdvertisedBandwidth 2 MB" $CONFIG

# HTTPTunnelPort option (comment out the following two lines to drop it)
pc_insert "SocksPort 9050" "HTTPTunnelPort 9080" $CONFIG
pc_insert "HTTPTunnelPort 9080" "HTTPTunnelPort ${HOSTIPADDR}9080" $CONFIG

# ControlPort option (comment out the following line to drop it)
pc_insert "SocksPort 9050" "ControlPort 9051" $CONFIG

# Tor via Browser option: SocksPort on the LAN address (comment out the following line to drop it)
pc_insert "SocksPort 9050" "SocksPort ${HOSTIPADDR}9050" $CONFIG

# Force Merlin Tor to Reload/Start Modified Config
#if ! /usr/bin/killall -HUP Tor; then
#   Tor -f /tmp/torrc --quiet
#fi

# Force Merlin Tor to Exit Cleanly to use Entware tor
/usr/bin/killall Tor

# Force Entware tor to Reload/Start Modified Config
if ! /usr/bin/killall -HUP tor; then
   /opt/sbin/tor -f /tmp/torrc --quiet
fi

#logger "Running /jffs/scripts/torrc.postconf"

Go @Weblee2407!!!

UPDATE:

I noticed that your Nickname is too long and this will prevent Tor from starting. I believe the Nickname is limited to something like 20 characters. When you run into config problems, try starting Tor manually and it should identify any issues with the config.
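Added example (not code from this thread or from the Asuswrt-Merlin project): two checks to run before (re)starting Tor, for the Nickname limit mentioned above and for the config as a whole. Tor accepts a Nickname of 1 to 19 letters and digits. It assumes the generated config at /tmp/torrc and Entware's tor at /opt/sbin/tor; the TOR variable and the constructed sample_torrc lines are there only for trying the checks offline.

```shell
#!/bin/sh
# Added example (not from the thread): check a torrc before (re)starting Tor.
# Assumes the generated config at /tmp/torrc and Entware's tor at /opt/sbin/tor;
# TOR is an illustrative override for the binary path.

# Tor accepts a Nickname of 1 to 19 characters, letters and digits only
# (no hyphens, underscores or spaces); anything else stops Tor at startup.
check_nickname() {
    nick="$1"
    case "$nick" in
        ''|*[!A-Za-z0-9]*) return 1 ;;
    esac
    [ "${#nick}" -le 19 ]
}

# Pull the Nickname out of a torrc (the last one wins, as in Tor) and check it.
torrc_nickname_ok() {
    nick=$(awk '$1 == "Nickname" { n = $2 } END { print n }' "$1")
    check_nickname "$nick"
}

# Let Tor itself parse the file without starting a relay; a bad option or an
# over-long Nickname is reported here instead of silently failing at boot.
verify_torrc() {
    "${TOR:-/opt/sbin/tor}" --verify-config -f "$1"
}

# Constructed torrc fragment for trying the checks offline (not a full config).
sample_torrc() {
    printf '%s\n' 'SocksPort 9050' "Nickname $1" 'ORPort 443' 'ExitRelay 0'
}

# On the router:  torrc_nickname_ok /tmp/torrc && verify_torrc /tmp/torrc
```

verify_torrc is the same thing as starting Tor by hand to see the error, except that it exits after parsing, so it can sit at the end of torrc.postconf ahead of the kill/restart lines.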
 
Painfully slow progress

Although all documentation I found used this format: capability=+ep, I had fat-fingered it into ++ and, when it errored out, without thinking I removed 1 of the plus signs!

Format:
setcap 'cap_net_bind_service+ep cap_sys_admin+ep cap_net_raw+ep' /tmp/mnt/SSD9/entware/sbin/obfs4proxy

getcap /tmp/mnt/SSD9/entware/sbin/obfs4proxy
/tmp/mnt/SSD9/entware/sbin/obfs4proxy cap_net_bind_service,cap_net_raw,cap_sys_admin=ep

Still, it doesn't seem to start and open a listening process on the configured port.
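Added example (not code from this thread or from the Asuswrt-Merlin project): a least-privilege check on the file capabilities set above. Binding port 443 as a non-root user needs only cap_net_bind_service; cap_sys_admin is close to full root and cap_net_raw is not needed for ordinary TCP listening. The getcap lines used to exercise excess_caps are constructed from the output format quoted in the post; the binary path is an assumption.

```shell
#!/bin/sh
# Added example (not from the thread): keep obfs4proxy's file capabilities to
# the minimum. Binding port 443 as a non-root user needs only
# cap_net_bind_service; cap_sys_admin is close to full root and cap_net_raw is
# not needed for ordinary TCP listening.

NEEDED_CAPS="cap_net_bind_service"

# Print every capability in one line of getcap output that is not in
# NEEDED_CAPS. Accepts both getcap spellings:
#   /path cap_a,cap_b=ep      (libcap 2.41 and later)
#   /path = cap_a,cap_b+ep    (older libcap)
excess_caps() {
    printf '%s\n' "$1" \
        | sed 's/^[^ ]* *=* *//' \
        | tr ',+= ' '\n\n\n\n' \
        | grep '^cap_' \
        | while read -r cap; do
              case " $NEEDED_CAPS " in
                  *" $cap "*) ;;
                  *) echo "$cap" ;;
              esac
          done
    return 0
}

# Apply exactly the needed set and show what the binary now carries.
set_min_caps() {
    setcap "${NEEDED_CAPS}=ep" "$1" && getcap "$1"
}

# On the router, after Entware installs or upgrades the binary:
#   set_min_caps /opt/sbin/obfs4proxy
#   excess_caps "$(getcap /opt/sbin/obfs4proxy)"
```

File capabilities live in the security.capability extended attribute of the binary, so they need an xattr-capable filesystem under /opt and disappear as soon as opkg replaces the file; re-running set_min_caps after an upgrade is the simplest way to keep them. Whether that is the cause of the capability loss mentioned later in the thread is not established here.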
 
I never saw the obfs4-specific entries in the /tmp/torrc. I don't know how it gets built each time you start Tor. I killed the Tor process and then started from the command line pointing to the SSD version of my torrc: it came right up, and I have the obfs4 proxy listening too. Problem is, it's notated as :::443, and the ORPort too.

What is the general flow of Tor reading files? Tor starts and passes $1 to torrc.postconf, which becomes $CONFIG? I was under the impression some copy mechanism created an image of the SSD-based torrc on /tmp, but I can't prove it. Any help on that would be great, and any pointers to pc_insert and how to use it, too.

A pressing issue: how do I make sure Tor always uses the torrc on the SSD, or an accurate copy of it on /tmp? Will I drop off the "wanted list" in a few days, or should I request a new ONT so my IP changes?

Proto Recv-Q Send-Q Local Address Foreign Address State PID/Program name
tcp 0 0 127.0.0.1:43167 0.0.0.0:* LISTEN 19910/Tor
tcp 0 0 0.0.0.0:55535 0.0.0.0:* LISTEN 19910/Tor
tcp 0 0 192.168.51.1:9040 0.0.0.0:* LISTEN 19910/Tor
tcp 0 0 192.168.51.1:9050 0.0.0.0:* LISTEN 19910/Tor
tcp 0 0 127.0.0.1:9050 0.0.0.0:* LISTEN 19910/Tor
tcp 0 0 127.0.0.1:9051 0.0.0.0:* LISTEN 19910/Tor
tcp 0 0 :::55535 :::* LISTEN 19910/Tor
tcp 0 0 :::443 :::* LISTEN 19911/obfs4proxy

May 12 01:10:03.000 [warn] Your log may contain sensitive information - you're logging more than "notice". Don't log unless it serves an important reason. Overwrite the l[...]
May 12 01:10:04.000 [notice] Parsing GEOIP IPv4 file /tmp/mnt/SSDv09/entware/share/tor/geoip.
May 12 01:10:05.000 [notice] Parsing GEOIP IPv6 file /opt/share/tor/geoip6.
May 12 01:10:06.000 [notice] Configured to measure statistics. Look for the *-stats files that will first be written to the data directory in 24 hours from now.
May 12 01:10:07.000 [notice] Your Tor server's identity key fingerprint is 'AMOBFS4Relay555 ============================'
May 12 01:10:07.000 [notice] Your Tor bridge's hashed identity key fingerprint is 'AMOBFS4Relay555 ======================='
May 12 01:10:07.000 [notice] Your Tor server's identity key ed25519 fingerprint is 'AMOBFS4Relay555 ==========='
May 12 01:10:07.000 [notice] You can check the status of your bridge relay at https://bridges.torproject.org/status/
May 12 01:10:07.000 [notice] Bootstrapped 0% (starting): Starting
May 12 01:10:11.000 [notice] Starting with guard context "default"
May 12 01:10:37.000 [notice] Bootstrapped 5% (conn): Connecting to a relay
May 12 01:10:37.000 [notice] Registered server transport 'obfs4' at '[::]:443' <== YES, I have it set to IPv4 only

One last thought - after seeing the impact of how my traffic is monitored and filtered and blacklisted and such, I am now committed to being a contributor! So let me know if using a DMZ-exposed instance of Ubuntu or something would be better.

AND now I get a warning that Tor is running as root and doesn't need to!

Thanks - I look forward to any answers to my above questions

PS - I lose the capability setting on obfs4proxy for some reason; still listed as a relay - status seems slow to update.
 
My final summary:
As with every task I take up from this forum, I learned a great deal from working through this tutorial. I will give some advice to the less experienced. Never simply start work, following the instructions step by step of any tutorial. This is not a knock on the author, but just good procedure. I knew that, but I broke my own rule and made it harder than it needed to be. In particular, I would advise that when you get a script that has a dot-sourced file, ALWAYS review that file and fully understand the functions it makes available. I knew that, but again I broke my own rule because I was going to "knock it out quick".

The last question is can a GT-AX6000 with 1GB of RAM and a 2 GB fiber connection handle being a Tor relay?

It's kind of asymmetrical in my opinion, and Tor seems to think "WOW, 2 gig - let's send some traffic!" but the router went into paging at about 150 MB, memory use stuck in the 90s, and I never saw a drop cache. Maybe if the router had 8 gigs or something, but ya know.

Thanks again Gary.
 
I'm official!

[Screenshots attached: obfs4proxy active; Nyx confirmation]
 
Houston, I have a problem. Changing from a relay to a bridge with the same nickname etc is causing status problems on the tor website as far as status and such. How can I regenerate a new fingerprint?
 
Never mind... figured it out: delete everything in the tordb directory and update the torrc.postconf with a new nickname.
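Added example (not code from this thread or from the Asuswrt-Merlin project): a narrower version of the fix above that removes only the identity material, plus helpers to carry an identity across reboots. A relay's identity is the key material under DataDirectory/keys plus the fingerprint files; a bridge also has its obfs4 certificate state under DataDirectory/pt_state. It assumes, as is usual on Asuswrt-Merlin, that the postconf's DataDirectory under /tmp is RAM-backed, so without saving the keys the fingerprint changes on every reboot and any bridge lines already handed out stop working. Run the functions only while tor is stopped; the persistent path /jffs/tor-identity is an assumption.

```shell
#!/bin/sh
# Added example (not from the thread): rotate or preserve a relay/bridge identity.
# A Tor relay's identity is the key material under DataDirectory/keys plus the
# fingerprint files; a bridge additionally has its obfs4 certificate state under
# DataDirectory/pt_state. Run both functions only while tor is stopped.
# Assumption: the postconf's DataDirectory under /tmp is RAM-backed, so without
# save_identity/restore_identity the fingerprint changes on every reboot.

# Print the RSA fingerprint Tor wrote for this DataDirectory, if any.
fingerprint_of() {
    if [ -f "$1/fingerprint" ]; then
        awk '{ print $2 }' "$1/fingerprint"
    fi
}

# Delete identity material so the next start generates a new fingerprint.
# The rest of the state directory (cached consensus, statistics) is kept.
# Pass "bridge" as the second argument to also discard the obfs4 state, which
# is what makes previously handed-out bridge lines stop working.
new_identity() {
    dd="$1"
    rm -rf "$dd/keys" "$dd/fingerprint" "$dd/fingerprint-ed25519" "$dd/hashed-fingerprint"
    if [ "$2" = "bridge" ]; then
        rm -rf "$dd/pt_state"
    fi
}

# Copy the identity out of a volatile DataDirectory into persistent storage
# (for example /jffs/tor-identity). Replaces any earlier copy.
save_identity() {
    dd="$1"; dest="$2"
    mkdir -p "$dest"
    rm -rf "$dest/keys" "$dest/pt_state"
    cp -pR "$dd/keys" "$dest/"
    if [ -d "$dd/pt_state" ]; then
        cp -pR "$dd/pt_state" "$dest/"
    fi
}

# Put a saved identity back before starting tor. Tor expects its DataDirectory
# to be private (mode 0700), hence the chmod.
restore_identity() {
    src="$1"; dd="$2"
    mkdir -p "$dd"
    chmod 700 "$dd"
    rm -rf "$dd/keys" "$dd/pt_state"
    cp -pR "$src/keys" "$dd/"
    if [ -d "$src/pt_state" ]; then
        cp -pR "$src/pt_state" "$dd/"
    fi
}

# On the router (tor stopped):
#   save_identity /tmp/tor/torrc.d/.tordb /jffs/tor-identity      # once, after it is published
#   restore_identity /jffs/tor-identity /tmp/tor/torrc.d/.tordb   # from torrc.postconf, before tor starts
#   new_identity /tmp/tor/torrc.d/.tordb bridge                   # only when a fresh fingerprint is wanted
```

Wiping the whole tordb directory works as well; the narrower delete keeps the cached consensus so the next bootstrap is faster, and the save/restore pair is what keeps the fingerprint stable once the bridge is listed.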
 
