Not working TOR client mode "Hidden Service Access Only"

Posted: Wed Jul 29, 2015 11:10 am
by Spine
Not working TOR client mode "Hidden Service Access Only"

When selecting the mode "Hidden Service Access Only", DNS for *.onion websites does not work.
[attachments: hidden-tor.gif (Tor mode setting), hidden-dns.gif (failed DNS lookup)]
If you select the operating mode "Enabled For All Hosts", then DNS works correctly.
[attachment: all-dns.gif (successful DNS lookup)]
What needs to be fixed to properly use the TOR mode "Hidden Service Access Only"?

Router: TP-Link TL-WDR4300, Gargoyle 1.7.2
Network config:
WAN IP Address: 10.7.19.107
WAN Netmask: 255.255.0.0
WAN Gateway IP: 10.7.19.1
WAN DNS Server(s): 10.7.19.1

LAN IP Address: 192.168.1.1
LAN Netmask: 255.255.255.0

Re: Not working TOR client mode "Hidden Service Access Only"

Posted: Wed Jul 29, 2015 4:24 pm
by nworbnhoj
I can confirm this behaviour on TL-WDR3600: Gargoyle 1.7.2

[solved] TOR client mode "Hidden Service Access Only"

Posted: Thu Jul 30, 2015 8:46 am
by Spine
Problem solved.
The reason is that revision 45423 completely removed layer7 filter support. https://dev.openwrt.org/changeset/45423
The file tor.firewall uses this feature.
To fix this, you want to change two lines in the file /etc/tor.firewall:
find

# Original rules: classify .onion DNS queries with the layer7 "oniondns" pattern
# (the layer7 match module is no longer available after changeset 45423)
iptables -t nat -A tor_client -p udp --dport 53 -m layer7 --l7proto oniondns -j REDIRECT --to-ports $dns_port
iptables -t nat -A tor_client -p tcp --dport 53 -m layer7 --l7proto oniondns -j REDIRECT --to-ports $dns_port
replaced by

# Replacement rules: match the DNS wire-format label directly.
# |056f6e696f6e00| is the byte sequence 0x05 "onion" 0x00, i.e. the 5-byte label
# "onion" followed by the end-of-name terminator, so it matches only names whose
# final label is "onion" (case-sensitive).
iptables -t nat -A tor_client -p tcp --dport 53 -m string --hex-string '|056f6e696f6e00|' --algo bm -j REDIRECT --to-ports $dns_port
iptables -t nat -A tor_client -p udp --dport 53 -m string --hex-string '|056f6e696f6e00|' --algo bm -j REDIRECT --to-ports $dns_port
I do not know whether TOR site names exist in upper case or not.
If there are names like *.ONION or *.OnIoN, you will have to use the more common pattern, in which DNS queries for myonionsite.com will likewise be forwarded to TOR.

more common pattern

# Case-insensitive substring match: redirects any DNS query whose packet contains
# "onion" in any case, anywhere in the name (so myonionsite.com is redirected too).
iptables -t nat -A tor_client -p tcp --dport 53 -m string --icase --string "onion" --algo bm -j REDIRECT --to-ports $dns_port
iptables -t nat -A tor_client -p udp --dport 53 -m string --icase --string "onion" --algo bm -j REDIRECT --to-ports $dns_port
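
To make the difference between the two rule sets concrete, the following is an added example (not code from the forum post or from the Gargoyle project) that builds DNS queries in wire format and applies three match predicates in Python: the case-sensitive hex pattern from the fix, the case-insensitive "onion" substring, and the hex pattern combined with `--icase` (the xt_string match accepts `--icase` together with `--hex-string`, which gives case-insensitivity without the substring over-match). The pattern `|056f6e696f6e00|` is the bytes 0x05 "onion" 0x00: the 5-byte label "onion" followed by the end-of-name terminator, so it only fires when "onion" is the final label. The kernel match scans the whole packet; this simulation looks at the DNS payload only, which is where the queried name lives. The sample names are constructed and are not real sites.

```python
# Added example, not code from the Gargoyle forum post or the Gargoyle project.
# It builds DNS queries in wire format and applies the match patterns from the
# thread so you can see which queries each iptables rule would redirect.
# The kernel's xt_string scans the whole packet; here only the DNS payload is
# checked, which is where the name lives anyway.
import struct

# |056f6e696f6e00| from the fix: length byte 0x05, the label "onion", then the
# 0x00 terminator, i.e. "onion" as the LAST label of the queried name.
ONION_TLD_WIRE = bytes.fromhex("056f6e696f6e00")


def encode_qname(name: str) -> bytes:
    """Encode a hostname as DNS labels: <len><label>... followed by 0x00."""
    out = b""
    for label in name.rstrip(".").split("."):
        raw = label.encode("ascii")
        if not 0 < len(raw) < 64:
            raise ValueError("bad label %r" % label)
        out += struct.pack("B", len(raw)) + raw
    return out + b"\x00"


def build_query(name: str, txid: int = 0x1234) -> bytes:
    """Minimal DNS A/IN query: 12-byte header, one question, no other sections."""
    header = struct.pack(">HHHHHH", txid, 0x0100, 1, 0, 0, 0)  # flags: RD set
    return header + encode_qname(name) + struct.pack(">HH", 1, 1)  # QTYPE A, QCLASS IN


def matches_hex_rule(payload: bytes) -> bool:
    """-m string --hex-string '|056f6e696f6e00|' --algo bm  (case-sensitive)."""
    return ONION_TLD_WIRE in payload


def matches_icase_substring_rule(payload: bytes) -> bool:
    """-m string --icase --string "onion" --algo bm  (matches 'onion' anywhere)."""
    return b"onion" in payload.lower()


def matches_hex_rule_icase(payload: bytes) -> bool:
    """-m string --icase --hex-string '|056f6e696f6e00|': final label, any case."""
    # bytes.lower() only touches ASCII letters, so the 0x05/0x00 framing survives.
    return ONION_TLD_WIRE in payload.lower()


def classify(names):
    """Return {name: (hex, icase_substring, hex_icase)} for constructed queries."""
    result = {}
    for name in names:
        q = build_query(name)
        result[name] = (
            matches_hex_rule(q),
            matches_icase_substring_rule(q),
            matches_hex_rule_icase(q),
        )
    return result


if __name__ == "__main__":
    # Constructed sample names; none of these are real sites.
    names = ["example.onion", "EXAMPLE.ONION", "myonionsite.com",
             "onion.example.com", "example.com"]
    print("%-20s %-6s %-6s %-9s" % ("name", "hex", "icase", "hex+icase"))
    for name, (h, i, hi) in classify(names).items():
        print("%-20s %-6s %-6s %-9s" % (name, h, i, hi))
```

Running it shows the trade-off from the post: the hex rule misses EXAMPLE.ONION, the substring rule additionally redirects myonionsite.com and onion.example.com into the Tor DNS port, and the hex pattern with `--icase` catches the upper-case name while leaving the non-.onion names on the normal resolver.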

Re: [solved] TOR client mode "Hidden Service Access Only"

Posted: Thu Jul 30, 2015 3:17 pm
by nworbnhoj
Spine wrote: Problem solved.
The reason is that revision 45423 completely removed layer7 filter support. https://dev.openwrt.org/changeset/45423
The file tor.firewall uses this feature.
To fix this, you want to change two lines in the file /etc/tor. find .....
Thanks @spine - well done.

This also means that the Layer 7 filtering options in QOS can now be removed from the Gargoyle GUI, as the Gargoyle doco pre-empts ...

http://www.gargoyle-router.com/wiki/doku.php?id=qos under the heading L7 Pattern Matching