Not working TOR client mode "Hidden Service Access Only"

Spine
Posts: 12
Joined: Thu Apr 23, 2015 2:28 am
Location: Belarus

Not working TOR client mode "Hidden Service Access Only"

Post by Spine »

When the mode "Hidden Service Access Only" is selected, DNS for *.onion websites does not work.
[attachment: hidden-tor.gif]
[attachment: hidden-dns.gif]
If the operating mode "Enabled For All Hosts" is selected, DNS works correctly.
[attachment: all-dns.gif]
What needs to be fixed to properly use the TOR mode "Hidden Service Access Only"?

Router: TP-Link TL-WDR4300, Gargoyle 1.7.2
Network config:
WAN IP Address: 10.7.19.107
WAN Netmask: 255.255.0.0
WAN Gateway IP: 10.7.19.1
WAN DNS Server(s): 10.7.19.1

LAN IP Address: 192.168.1.1
LAN Netmask: 255.255.255.0
Last edited by Spine on Wed Jul 29, 2015 5:28 pm, edited 1 time in total.
WDR-4300, WR-740n
Experience increases in proportion to the number of broken equipment.

nworbnhoj
Posts: 916
Joined: Mon Jul 21, 2014 10:08 am
Location: Australia

Re: Not working TOR client mode "Hidden Service Access Only"

Post by nworbnhoj »

I can confirm this behaviour on TL-WDR3600 : Gargoyle 1.7.2
Can you help someone else get Gargoyle up and running?
TL-WDR3600 : Gargoyle 1.9.0 : NBN FixedWireless
TL-WR1043ND-V2 : Gargoyle 1.8.0 : 3G Huawei E160E

Spine
Posts: 12
Joined: Thu Apr 23, 2015 2:28 am
Location: Belarus

[solved] TOR client mode "Hidden Service Access Only"

Post by Spine »

Problem solved.
The reason is that revision 45423 completely removed support for the layer7 filter. https://dev.openwrt.org/changeset/45423
The file tor.firewall uses this feature.
To fix this, you want to change two lines in the file /etc/tor.firewall.
Find:

iptables -t nat -A tor_client -p udp --dport 53  -m layer7 --l7proto oniondns -j REDIRECT --to-ports $dns_port
iptables -t nat -A tor_client -p tcp --dport 53  -m layer7 --l7proto oniondns -j REDIRECT --to-ports $dns_port
and replace them with:

iptables -t nat -A tor_client -p tcp --dport 53 -m string --hex-string '|056f6e696f6e00|' --algo bm -j REDIRECT --to-ports $dns_port
iptables -t nat -A tor_client -p udp --dport 53 -m string --hex-string '|056f6e696f6e00|' --algo bm -j REDIRECT --to-ports $dns_port
I do not know whether TOR site names exist in upper-case or not.
If there are names like *.ONION or *.OnIoN, you'll have to use the more common pattern, in which DNS queries for names such as myonionsite.com will likewise be forwarded to TOR.

More common pattern:

iptables -t nat -A tor_client -p tcp --dport 53  -m string --icase --string "onion" --algo bm -j REDIRECT --to-ports $dns_port
iptables -t nat -A tor_client -p udp --dport 53  -m string --icase --string "onion" --algo bm -j REDIRECT --to-ports $dns_port
WDR-4300, WR-740n
Experience increases in proportion to the number of broken equipment.
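To make visible exactly what the two rule variants in the post match, here is an added Python example (not from the post, not Gargoyle or OpenWrt code) that encodes DNS queries in wire format and applies both patterns in software. The hex pattern 05 6f 6e 69 6f 6e 00 is the label length 5, the bytes "onion", and the root label, so it only hits when "onion" is the final label; the sample names are constructed.

```python
import struct

# Byte pattern from the /etc/tor.firewall fix: label length 0x05, "onion", root label 0x00.
ONION_TLD_WIRE = bytes.fromhex("056f6e696f6e00")


def encode_qname(name: str) -> bytes:
    """Encode a domain name as DNS wire-format labels (RFC 1035, section 3.1)."""
    out = bytearray()
    for label in name.rstrip(".").split("."):
        raw = label.encode("ascii")
        if not 0 < len(raw) < 64:
            raise ValueError(f"bad label length in {name!r}")
        out.append(len(raw))
        out += raw
    out.append(0)  # root label terminates the name
    return bytes(out)


def build_dns_query(name: str, qtype: int = 1, txid: int = 0x1234) -> bytes:
    """Minimal DNS query: 12-byte header (RD set, one question) + QNAME + QTYPE + QCLASS IN."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)
    return header + encode_qname(name) + struct.pack("!HH", qtype, 1)


def strict_rule_matches(packet: bytes) -> bool:
    """Software mirror of `-m string --hex-string '|056f6e696f6e00|'` (exact bytes, anywhere)."""
    return ONION_TLD_WIRE in packet


def loose_rule_matches(packet: bytes) -> bool:
    """Software mirror of `-m string --icase --string "onion"` (case-insensitive, anywhere)."""
    return b"onion" in packet.lower()


def classify(name: str) -> dict:
    """Which of the two rules would redirect a query for `name` to Tor's DNSPort."""
    pkt = build_dns_query(name)
    return {"strict": strict_rule_matches(pkt), "loose": loose_rule_matches(pkt)}


if __name__ == "__main__":
    # Constructed sample names, not real hidden services.
    for n in ["exampleonionsite.onion", "example.ONION", "myonionsite.com",
              "onion.example.com", "example.com"]:
        print(f"{n:28} {classify(n)}")
```

Only the strict pattern leaves myonionsite.com and onion.example.com alone, while only the loose pattern catches an upper-case .ONION; that is the trade-off the post describes.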

nworbnhoj
Posts: 916
Joined: Mon Jul 21, 2014 10:08 am
Location: Australia

Re: [solved] TOR client mode "Hidden Service Access Only"

Post by nworbnhoj »

Spine wrote:
Problem solved.
The reason is that revision 45423 completely removed support for the layer7 filter. https://dev.openwrt.org/changeset/45423
The file tor.firewall uses this feature.
To fix this, you want to change two lines in the file /etc/tor. find .....

Thanks @spine - well done.

This also means that the Layer 7 filtering options in QOS can now be removed from the Gargoyle GUI - as the Gargoyle doco preempts ...

http://www.gargoyle-router.com/wiki/doku.php?id=qos under the heading L7 Pattern Matching
Can you help someone else get Gargoyle up and running?
TL-WDR3600 : Gargoyle 1.9.0 : NBN FixedWireless
TL-WR1043ND-V2 : Gargoyle 1.8.0 : 3G Huawei E160E
