OpenWRT & Tor Anonymity
by Funthine - Friday February 14, 2025 at 10:18 PM
#1
Hi-people, after a long time, we're diving back into the topic of op$ec. This time, we're creating a comprehen$ive guide on $ecurity and anonymity. Our only goal here is to avoid becoming bait for the rats. First and foremost, never store your big projects anywhere. -)

And for you—the one reading this—let's touch on a few things: avoid using ready-made systems like Whonix/Tails. Who knows if you're sitting right in the middle of a honeypot? You need to know how to configure your own network, create tunnels, and establish the necessary security. And yes, if you're truly after the big fish, you must approach every step carefully and reinvent yourself here. Don't use a home network. Remember, the buildings around you were built for you. Hack all WiFi networks. Don't use the same writing style here that you use in real life. -)

We'll be using the GL-AR750S with OpenWRT. I'll be open to any questions you may have!
What will we have added after the project is complete?

@ Features
- Complete Tor integration for anonymous internet access
- Network segmentation with VLANs
- Advanced firewall configuration
- Intrusion detection system
- MAC address randomization
- DNS leak prevention
- Multiple isolated WiFi networks
- Emergency procedures for critical situations

You should obtain the GL-AR750S device physically. If possible, buy it second-hand with cash. No personal data should be present online. Who are you? You are no one.

We start by downloading OpenWRT.
https://downloads.openwrt.org/releases/

We must verify the signature using GPG. If you don't know what GPG is used for, you should research it.
gpg --verify openwrt-xxx-xxx-xxx-squashfs-sysupgrade.bin.sig

1. Disable all services on first boot:
/etc/init.d/uhttpd stop /etc/init.d/dropbear stop /etc/init.d/dnsmasq stop

2. Create a strong root password:
passwd

@ Tor Infrastructure Setup & Install required packages:
opkg update opkg install \     tor tor-geoip \     iptables-mod-nat-extra \     kmod-ipt-nat6 \     ip6tables-mod-nat \     luci-app-tor \     obfs4proxy
   
@ Tor service configuration:
cat > /etc/config/tor << EOF config tor 'general'     option enabled '1'     option socksport '9050'     option transportport '9040'     option dnsport '9053'     option datadir '/var/lib/tor'     option strictnodes '1'     option fascistfirewall '1'     option newcircuitperiod '600'     option maxcircuitdirtiness '600'     option enforcedroutingnodes 'StrictNodes 1'     config bridge     option enabled '1'     option type 'obfs4'     option address 'your_bridge_address'     option port 'your_bridge_port'     option cert 'your_bridge_cert' EOF

@ DNS Security (Tor-DNS):
# /etc/config/dhcp config dnsmasq     option port '53'     option noresolv '1'     option nohosts '1'     option localuse '1'     option server '127.0.0.1#9053'     option allservers '1'     option localservice '0'
   
@ Secure DNS Servers (Tor)
list server '/onion/.' list server '/exit/.' list server '/invalid/.'

@ Transparent Proxy Configuration:
# /etc/config/firewall # Tor transparent proxy rules config redirect     option name 'Tor-Redirect'     option src 'lan'     option proto 'tcp'     option target 'DNAT'     option dest_port '9040'
   
# Prevent DNS leaks
config rule     option name 'Block-DNS'     option src 'lan'     option dest_port '53'     option proto 'tcp udp'     option target 'REJECT'
 
# Prevent IPv6 leaks
config rule     option name 'Block-IPv6'     option src 'lan'     option proto 'all'     option family 'ipv6'     option target 'REJECT'
   
@ Tor Security Hardening:
# /etc/tor/torrc # Security settings SafeLogging 1 StrictNodes 1 WarnPlaintextPorts 23,109,110,143,80 RejectPlaintextPorts 25,119,135-139,445,563,1214,4661-4666,6346-6429,6699,6881-6999
# Circuit configuration
CircuitBuildTimeout 60 LearnCircuitBuildTimeout 0 CircuitStreamTimeout 60 CircuitIdleTimeout 60

@ MAC Address and Hostname Hiding:
# /etc/config/system config system     option hostname 'router'     option timezone 'UTC'
   
# /etc/config/wireless config wifi-iface     option macaddr 'random'     option hostname 'router'     option isolate '1'     option hidden '1'
   
@ Network Isolation & VLAN configuration:
config switch     option name 'switch0'     option reset '1'     option enable_vlan '1'
   
config switch_vlan     option device 'switch0'     option vlan '1'     option ports '0t 1'     option vid '1'
 
@ Attack Detection and Prevention:
# Fail2Ban configuration config fail2ban 'default'     option enabled '1'     option bantime '3600'     option findtime '600'     option maxretry '3'     option backend 'auto'     option chain 'INPUT'
   
# Snort IDS installation
opkg install snort

@ Advanced Firewall Rules:
# /etc/config/firewall # Port scan protection config rule     option name 'Port-Scan-Protection'     option src 'wan'     option proto 'tcp udp'     option limit '10/sec'     option limit_burst '50'     option target 'DROP'
   
# SYN-flood protection
config rule     option name 'SYN-flood-protection'     option src 'wan'     option proto 'tcp'     option tcp_flags 'SYN'     option limit '25/sec'     option target 'DROP'
 
@ Monitoring and Maintenance / Security Logs:
# /etc/config/system config system     option log_size '1024'     option log_proto 'tcp'     option log_priority '7'     option conloglevel '8'
   
# Special configuration for Tor logs
config logging     option enabled '1'     option facility 'daemon'     option priority 'notice'
   
@ Automatic Security Checks:
# /etc/crontabs/root # Daily security check 0 4 * * * /usr/bin/security-check.sh # Hourly Tor status check 0 * * * * /usr/bin/tor-status-check.sh


@ Security Checklist:
- [ ] Root password changed and strong
- [ ] SSH key-based authentication active
- [ ] Tor service running and stable
- [ ] No DNS leaks
- [ ] No IPv6 leaks
- [ ] Fail2Ban active and working
- [ ] Firewall rules active
- [ ] MAC address randomized
- [ ] VLAN isolation active
- [ ] Logging system working
- [ ] Automatic updates active
- [ ] Snort IDS active
- [ ] Tor bridges configured
- [ ] Circuit renewal active


@ Security Test Commands:
# Tor connection test
curl --socks5 localhost:9050 https://check.torproject.org/api/ip

# DNS leak test
nslookup check.torproject.org

# Firewall test
nmap -p- localhost

# Tor circuit status
tor-resolve check.torproject.org

# System security status
iptables -L netstat -tupln ps aux | grep tor


@ Important Notes:
1. All configurations should be tested regularly
2. Tor bridges should be changed periodically
3. System logs should be checked regularly
4. Security updates should be monitored
5. New circuits should be created regularly
6. Continuous monitoring for DNS leaks
7. Network traffic should be analyzed
8. Suspicious connections should be monitored


@ Network Segmentation and Isolation:
# /etc/config/network # Tor VLAN config interface 'tor_vlan'     option proto 'static'     option ipaddr '10.10.10.1'     option netmask '255.255.255.0'     option device 'eth0.100'
   
# Isolated VLAN
config interface 'isolated_vlan'     option proto 'static'     option ipaddr '10.20.20.1'     option netmask '255.255.255.0'     option device 'eth0.200'
   
# VLAN Switch Configuration config switch_vlan     option device 'switch0'     option vlan '100'     option ports '0t 1'     option vid '100' config switch_vlan     option device 'switch0'     option vlan '200'     option ports '0t 2'     option vid '200'
   
@ Multiple WiFi Networks:
# /etc/config/wireless # Tor WiFi config wifi-iface 'tor_wifi'     option device 'radio0'     option network 'tor_vlan'     option mode 'ap'     option ssid 'TorNetwork'     option encryption 'psk2'     option key 'strong-password'     option isolate '1'     option disabled '0'
   
# Isolated WiFi config wifi-iface 'isolated_wifi'     option device 'radio0'     option network 'isolated_vlan'     option mode 'ap'     option ssid 'IsolatedNet'     option encryption 'psk2'     option key 'strong-password-2'     option isolate '1'     option disabled '0'
   
@ Advanced Tor Configuration & Country-Based Exit Node Restriction:
# /etc/tor/torrc ExitNodes {se},{no},{fi},{dk},{is} ---- Exit only through Scandinavian countries StrictNodes 1

@ Running as a Bridge Server:
# /etc/config/tor config tor 'relay'     option BridgeRelay '1'     option ORPort '9001'     option PublishServerDescriptor '0'     option AccountingMax '100 GB'     option AccountingStart 'month 1 00:00'     option ContactInfo 'anonymous@example.com'     option Nickname 'OpenWrtBridge'     option ServerTransportPlugin 'obfs4 exec /usr/bin/obfs4proxy'     option ServerTransportListenAddr 'obfs4 0.0.0.0:9002'
 
@ System Hardening & Kernel Parameters:
# /etc/sysctl.conf # TCP/IP Stack Hardening net.ipv4.tcp_syncookies = 1 net.ipv4.tcp_rfc1337 = 1 net.ipv4.conf.default.rp_filter = 1 net.ipv4.conf.all.rp_filter = 1 net.ipv4.conf.all.accept_redirects = 0 net.ipv6.conf.all.disable_ipv6 = 1 net.ipv6.conf.default.disable_ipv6 = 1 kernel.core_uses_pid = 1 kernel.sysrq = 0

@ Filesystem Security:
# /etc/fstab tmpfs /tmp tmpfs defaults,nodev,nosuid,noexec 0 0 tmpfs /var/log tmpfs defaults,nodev,nosuid,noexec 0 0

@ Advanced Firewall Configuration & Port Knocking:
# /etc/config/firewall config rule     option name 'Port-Knock-Stage1'     option src 'wan'     option proto 'tcp'     option dport '7000'     option target 'DROP'     option enabled '1' config rule     option name 'Port-Knock-Stage2'     option src 'wan'     option proto 'tcp'     option dport '8000'     option target 'DROP'     option enabled '1'

# Port Knock Success
config rule     option name 'SSH-After-Knock'     option src 'wan'     option proto 'tcp'     option dport '22'     option target 'ACCEPT'     option enabled '1'
@ Security Monitoring and Analysis:
# /etc/snort/snort.conf var HOME_NET [10.0.0.0/8] var EXTERNAL_NET !$HOME_NET

# Special rules for Tor traffic
alert tcp $HOME_NET any -> $EXTERNAL_NET !9001 (msg:"Possible Tor Exit Node Connection"; flow:established; threshold:type limit, track by_src, count 1, seconds 60; classtype:policy-violation; sid:1000001; rev:1;)

@ Traffic Analysis:
# /etc/config/banip config banip 'general'     option enabled '1'     option ban_proto 'tcp udp'     option ban_blocklist 'tor'     option ban_allowlist 'tor'
   
@ Automatic Security Scripts:
i- Tor Circuit Renewal:
#!/bin/bash # /usr/bin/tor-circuit-refresh.sh while true; do     echo -n "AUTHENTICATE" | nc 127.0.0.1 9051     echo -n "SIGNAL NEWNYM" | nc 127.0.0.1 9051     sleep 900 # Every 15 minutes done

ii- Security Status Check:
#!/bin/bash # /usr/bin/security-check.sh # DNS Leak Check if dig +short myip.opendns.com @208.67.222.222 > /dev/null; then     echo "DNS LEAK DETECTED!" fi # Tor Status if ! pgrep -x "tor" > /dev/null; then     echo "TOR IS NOT RUNNING!"     /etc/init.d/tor restart fi # Firewall Check if ! iptables -C INPUT -p tcp --dport 53 -j DROP &> /dev/null; then     echo "DNS BLOCKING RULE MISSING!" fi

@ Emergency Procedures & Software Destruction Script:
#!/bin/bash # /usr/bin/emergency-kill.sh # Immediately cut all network connections iptables -P INPUT DROP iptables -P FORWARD DROP iptables -P OUTPUT DROP ip6tables -P INPUT DROP ip6tables -P FORWARD DROP ip6tables -P OUTPUT DROP # Disable all network interfaces for iface in $(ip link show | grep -v lo | awk -F: '$0 !~ "^ " {print $2}'); do     ip link set $iface down done # Stop Tor service and delete its configuration /etc/init.d/tor stop rm -rf /var/lib/tor/* # Securely clean RAM echo 3 > /proc/sys/vm/drop_caches dd if=/dev/urandom of=/dev/mem 2>/dev/null || true # Delete all logs and temporary files find /var/log -type f -exec shred -uzn 7 {} \; find /tmp -type f -exec shred -uzn 7 {} \; find /var/tmp -type f -exec shred -uzn 7 {} \; # Delete critical configuration files shred -uzn 7 /etc/config/wireless shred -uzn 7 /etc/config/network shred -uzn 7 /etc/config/firewall shred -uzn 7 /etc/config/tor shred -uzn 7 /etc/tor/torrc # Delete SSH keys find /etc/dropbear/ -type f -exec shred -uzn 7 {} \; # Delete private data if [ -d "/root" ]; then     find /root -type f -exec shred -uzn 7 {} \; fi # Clear NVRAM (warning: this operation is irreversible) mtd erase rootfs_data # Final security measure before restart dd if=/dev/urandom of=/dev/mtdblock0 bs=4096 count=1 2>/dev/null || true # Force system shutdown echo 1 > /proc/sys/kernel/sysrq echo b > /proc/sysrq-trigger

@ Post-Destruction Checklist:
- [ ] All network connections cut
- [ ] All critical files securely deleted
- [ ] RAM cleared
- [ ] NVRAM reset
- [ ] Tor configuration and data deleted
- [ ] Logs cleaned
- [ ] System shut down

Be professional. Remember, there’s no room for the slightest mistake—I know you won’t choose to be confined within four walls. Preparing this project took me 3 days, yes, I tried to cover even the finest details. That's all for today; I’m going to sip my wine now. -) @Funthine
Reply
#2
Very indepth guide I love it, thank you.
Reply


Possibly Related Threads…
Thread Author Replies Views Last Post
  OPSec Anonymity Kit autone 73 3,875 03-28-2026, 07:21 AM
Last Post: mygusohy
  How To Use Tor With Telegram Sythe 15 705 03-28-2026, 07:20 AM
Last Post: mygusohy
  Tor, I2P Zeronet Freenet And Lokinet Iceland 10 679 02-10-2026, 06:48 PM
Last Post: central
  Known NoKYC & Tor friendly network-related services Frontman 45 8,664 01-22-2026, 10:17 AM
Last Post: distort5656
  Techniques to avoid fingerprinting in Tor fkng_b34rr 0 287 04-10-2025, 08:00 AM
Last Post: fkng_b34rr



 Users browsing this thread: 1 Guest(s)