Tutorial [SOLUTION] Asuswrt-Merlin Tor via Bridge, Device, Browser, Entry (Guard)/Middle (Non-Exit) Relay, and Device/Browser/Relay Hybrid Implementations

garycnew · Jun 14, 2021

What is Advanced Settings > VPN > Tor on Asuswrt-Merlin?

1. Although obscurely placed in the VPN section... Tor is NOT a Virtual Private Network (VPN)
2. Tor is an Anonymizing SOCKS Proxy Network developed & maintained by the Tor Project
3. Isn't Tor EVIL? Tor is a tool and like any tool it can be used for Good and Evil. We'll focus on using Tor for Good (RE: Tor Overview)

Requirements/Assumptions:

1. An Asuswrt-Merlin Compatible Router (i.e., Asus RT-AC66U)
2. Asuswrt-Merlin Compatible Firmware (i.e., 384.19)
3. Formated JFFS Partition and Enabled JFFS Custom Scripts and Configs
4. Entware installed on USB 3.0 Interface Device via Asuswrt-Merlin Terminal Menu (AMTM) with Swap File created
5. Capable of Editing the following User Scripts:
/jffs/scripts/torrc.postconf
/jffs/configs/init-start
/jffs/scripts/nat-start (Optional)

Asuswrt-Merlin Tor Options:

1. Tor via Bridge - Route all client traffic for a given network through the Tor network (Best Security - Low Performance: Not Recommended for most networks)
2. Tor via Device - Route all client traffic for a given device (MAC Address) through the Tor network (Better Security - Low Performance: Better than the Bridge option)
3. Tor via Browser - Route all client traffic for a given browser through the Tor network (Good Security - Good Performance: Recommend Tor Browser with SOCKS Proxy Settings)
4. Tor via an Entry (Guard)/Middle (Non-Exit) Relay - Route all server traffic as a Tor relay through the Tor network (Good Security - Good Performance: Congratulations! You're a Tor Contributor)
5. Tor via a Device/Browser/Relay Hybrid - Route device, browser, and relay traffic through the Tor network (Good Security - Good Performance: This is How We Do It!)

Implementing Tor Options:

1. Tor via Bridge option: Under Advanced Settings > VPN > Tor - Enable "TOR" and select "LAN(br0)" for "Redirect all user from." Click "Apply." That's it! All client traffic for a given network is routing through the Tor network.

2. Tor via Device option: Under Advanced Settings > VPN > Tor - Enable "TOR" and select "Only Specified MAC's" for "Redirect all user from." Select a device from the list of "MAC" addresses. Click "Add." Click "Apply." That's it! All client traffic for a given device (MAC address) is routing through the Tor network.

3. Tor via Browser option: Under Advanced Settings > VPN > Tor - Enable "TOR" and select "Only Specified MAC's" for "Redirect all user from." Add the placeholder MAC address "00:00:00:00:00:00" to the list of "MAC" addresses. Click "Add." Click "Apply." Now, create the following torrc.postconf file:

Code:

# vi /jffs/scripts/torrc.postconf
#!/bin/sh
CONFIG=$1

HOSTIPADDR=$(hostname -i)
source /usr/sbin/helper.sh

if [ "$HOSTIPADDR" != "" ]; then HOSTIPADDR="${HOSTIPADDR}:"; fi

pc_insert "SocksPort 9050" "SocksPort ${HOSTIPADDR}9050" $CONFIG

Code:

# chmod 755 /jffs/scripts/torrc.postconf
# service restart_tor
Done.
# hostname -i
192.168.0.1

Lastly, configure the Proxy Settings of a Browser, on your LAN, with the SOCKS Host: 192.168.0.1 and Port: 9050. When necessary, this configuration provides an additional level of anonymity for regular browsers. However, when available, we still recommend using Tor Browser as it provides a greater level of anonymity.

That's it! All client traffic for a given Browser is routing through the Tor network.

4. Tor via an Entry (Guard)/Middle (Non-Exit) Relay option: Under Advanced Settings > VPN > Tor - Enable "TOR" and select "Only Specified MAC's" for "Redirect all user from." Add the placeholder MAC address "11:11:11:11:11:11" to the list of "MAC" addresses. Click "Add." Click "Apply." Now, create the following torrc.postconf file:

Code:

# vi /jffs/scripts/torrc.postconf
#!/bin/sh
CONFIG=$1
#DYNIPADDR=$(ip addr show vlan2 | grep -ioE "inet\s(.+)\/[0-9]{1,2}" | sed -E "s/inet\s//g; s/\/[0-9]{1,2}//g;")
DYNIPADDR=$(/opt/bin/dig +short myip.opendns.com @resolver1.opendns.com)
HOSTIPADDR=$(hostname -i)
PORT="443"
source /usr/sbin/helper.sh

# Tor: A non-exit relay should be able to handle 7000 concurrent connections
ulimit -n 7168

#if [ "$DYNIPADDR" = "xxx.xxx.xxx.xxx" ]; then DYNIPADDR="192.168.2.254"; PORT="9001"; fi
if [ "$DYNIPADDR" != "" ]; then DYNIPADDR="${DYNIPADDR}:"; fi
if [ "$HOSTIPADDR" != "" ]; then HOSTIPADDR="${HOSTIPADDR}:"; fi

# Note: The default ORPort 9001 is blocked by our ISP, so we opted to use ORPort 443
pc_insert "SocksPort 9050" "Nickname ASUSWRTMerlinRelay" $CONFIG
pc_insert "Nickname ASUSWRTMerlinRelay" "ORPort ${DYNIPADDR}${PORT}" $CONFIG
pc_delete "SocksPort 9050" $CONFIG
pc_insert "ORPort ${DYNIPADDR}${PORT}" "SocksPort 9050" $CONFIG
pc_insert "SocksPort 9050" "ExitRelay 0" $CONFIG
pc_insert "ExitRelay 0" "DirCache 0" $CONFIG
pc_insert "DirCache 0" "GeoIPFile /opt/share/tor/geoip" $CONFIG
pc_replace "DataDirectory /tmp/.tordb" "DataDirectory /tmp/tor/torrc.d/.tordb" $CONFIG
pc_append "ContactInfo tor-operator@your-emailaddress-domain" $CONFIG

# Note: By default, Tor will try to pick a reasonable MaxMemInQueues based on your system's physical memory
# Uncomment the following line to limit the MaxMemInQueues that Tor can use based on your physical memory
#pc_insert "DirCache 0" "MaxMemInQueues 192 MB" $CONFIG
# Start by setting your MaxMemInQueues to 3/4 (i.e., 192MB) your system's total physical memory (i.e., 256MB)

# Uncomment the following line to include the Tor via Browser option
#pc_insert "SocksPort 9050" "SocksPort ${HOSTIPADDR}9050" $CONFIG

Code:

#vi /jffs/scripts/init-start
#!/bin/sh

# Note: Tor DataDirectory requires a lot of disk space, so we symlinked to our USB 3.0 Interface Device
if [ ! -d "/tmp/tor" ]; then
   ln -s /tmp/mnt/SanDiskSDHC/tmp/tor /tmp/tor
fi

Code:

# opkg update
# opkg install bind-dig
# opkg install tor-geoip
# echo $(/opt/bin/dig +short myip.opendns.com @resolver1.opendns.com)
xxx.xxx.xxx.xxx
# chmod 755 /jffs/scripts/torrc.postconf
# chmod 755 /jffs/scripts/init-start
# mkdir -p /tmp/mnt/SanDiskSDHC/tmp/tor/torrc.d
# /jffs/scripts/init-start
# service restart_tor
Done.

Code:

# cat /tmp/torrc
Nickname ASUSWRTMerlinRelay
ORPort xxx.xxx.xxx.xxx:443
SocksPort 9050
SocksPort 192.168.0.1:9050
ExitRelay 0
DirCache 0
GeoIPFile /opt/share/tor/geoip
Log notice file /tmp/torlog
VirtualAddrNetwork 10.192.0.0/10
AutomapHostsOnResolve 1
TransPort 192.168.0.1:9040
DNSPort 192.168.0.1:9053
RunAsDaemon 1
DataDirectory /tmp/tor/torrc.d/.tordb
AvoidDiskWrites 1
User tor

Congratulations! You're a Tor Contributor!

4a. [Optional] Asuswrt-Merlin Tor with Dual WAN: Force Asuswrt-Merlin Tor (upper-case T) to Reload/Start Modified Config Anytime the nat-start Script is Executed

Code:

# vi /jffs/scripts/nat-start
...
# Force Asuswrt-Merlin Tor (upper-case T) to Reload Modified Config
. /jffs/scripts/torrc.postconf

Code:

# vi /jffs/scripts/torrc.postconf
...
# Force Asuswrt-Merlin Tor (upper-case T) to Reload/Start Modified Config
if ! /usr/bin/killall -HUP Tor; then
   Tor -f /tmp/torrc --quiet
fi

4b. [Optional] Install/Use Entware tor: Force Asuswrt-Merlin to use Entware installation of tor (lower-case T)

Code:

# opkg update
# opkg install tor

Code:

# vi /jffs/scripts/torrc.postconf
...
# Force Asuswrt-Merlin Tor (upper-case T) to Reload/Start Modified Config
#if ! /usr/bin/killall -HUP Tor; then
#   Tor -f /tmp/torrc --quiet
#fi

# Force Asuswrt-Merlin Tor (upper-case T) to Exit Cleanly to use Entware tor
/usr/bin/killall Tor

4c. [Optional] Entware tor with Dual WAN: Force Entware tor (lower-case T) to Reload/Start Modified Config Anytime the nat-start Script is Executed

Code:

# vi /jffs/scripts/nat-start
...
# Force Entware tor (lower-case T) to Reload Modified Config
. /jffs/scripts/torrc.postconf

Code:

# vi /jffs/scripts/torrc.postconf
...
# Force Asuswrt-Merlin Tor (upper-case T) to Reload/Start Modified Config
#if ! /usr/bin/killall -HUP Tor; then
#   Tor -f /tmp/torrc --quiet
#fi

# Force Asuswrt-Merlin Tor (upper-case T) to Exit Cleanly to use Entware tor
/usr/bin/killall Tor

# Force Entware tor (lower-case T) to Reload/Start Modified Config
if ! /usr/bin/killall -HUP tor; then
   /opt/sbin/tor -f /tmp/torrc --quiet
fi

5. Tor via a Device/Browser/Relay Hybrid option: Is Tor via Device (Tor Option #2), Tor via Browser (Tor Option #3), and Tor via an Entry (Guard)/Middle (Non-Exit) Relay (Tor Option #4) steps all combined. Simply select a device from the list of "MAC" addresses and/or uncomment the Tor via Browser option within the torrc.postconf file:

Code:

# vi /jffs/scripts/torrc.postconf
...
# Uncomment the following line to include the Tor via Browser option
pc_insert "SocksPort 9050" "SocksPort ${HOSTIPADDR}9050" $CONFIG

That's it! All client traffic for a given device (MAC address) and/or Browser is routing through the Tor network and You're a Tor Contributor!

Within 48 hours of successful implementation, using a 100Mb/s fiber Internet link and Asus RT-AC66U (256MB) model router, our Tor via an Entry (Guard)/Middle (Non-Exit) Relay is showing up in the Tor Metrics - Relay Search database (search for your Tor "Nickname" or "Fingerprint") as having potential for a Fast-Middle Relay. We'll see where we end up after the 90-day lifecycle.

Enjoy this Tutorial? Checkout some of my other Tutorials:
Tutorial: [SOLUTION] OpenVPN Client Split Tunnel for BitTorrent Traffic
Tutorial: [SOLUTION] OpenVPN Client Split Tunnel Reverse Proxy Web Traffic using Nginx, DNSMasq, and IPTables

joe scian · Jun 19, 2021

garycnew said:
What is Advanced Settings > VPN > Tor on Asuswrt-Merlin?

1. Although obscurely placed in the VPN section... Tor is NOT a Virtual Private Network (VPN)
2. Tor is an Anonymizing SOCKS Proxy Network developed & maintained by the Tor Project
3. Isn't Tor EVIL? Tor is a tool and like any tool it can be used for Good and Evil. We'll focus on using Tor for Good (RE: Tor Overview)

Requirements/Assumptions:

1. An Asuswrt-Merlin Compatible Router (i.e., Asus RT-AC66U)
2. Asuswrt-Merlin Compatible Firmware (i.e., 384.19)
3. Formated JFFS Partition and Enabled JFFS Custom Scripts and Configs
4. Entware installed on USB 3.0 Interface Device via Asuswrt-Merlin Terminal Menu (AMTM) with Swap File created
5. Capable of Editing the following User Scripts:
/jffs/scripts/torrc.postconf
/jffs/configs/init-start
/jffs/scripts/nat-start (Optional)

Asuswrt-Merlin Tor Options:

1. Tor via Bridge - Route all client traffic for a given network through the Tor network (Best Security - Low Performance: Not Recommended for most networks)
2. Tor via Device - Route all client traffic for a given device (MAC Address) through the Tor network (Better Security - Low Performance: Better than the Bridge option)
3. Tor via Browser - Route all client traffic for a given browser through the Tor network (Good Security - Good Performance: Recommend Tor Browser with SOCKS Proxy Settings)
4. Tor via an Entry (Guard)/Middle (Non-Exit) Relay - Route all server traffic as a Tor relay through the Tor network (Good Security - Good Performance: Congratulations! You're a Tor Contributor)
5. Tor via a Device/Browser/Relay Hybrid - Route device, browser, and relay traffic through the Tor network (Good Security - Good Performance: This is How We Do It!)

Implementing Tor Options:

1. Tor via Bridge option: Under Advanced Settings > VPN > Tor - Enable "TOR" and select "LAN(br0)" for "Redirect all user from." Click "Apply." That's it! All client traffic for a given network is routing through the Tor network.

2. Tor via Device option: Under Advanced Settings > VPN > Tor - Enable "TOR" and select "Only Specified MAC's" for "Redirect all user from." Select a device from the list of "MAC" addresses. Click "Add." Click "Apply." That's it! All client traffic for a given device (MAC address) is routing through the Tor network.

3. Tor via Browser option: Under Advanced Settings > VPN > Tor - Enable "TOR" and select "Only Specified MAC's" for "Redirect all user from." Add the placeholder MAC address "00:00:00:00:00:00" to the list of "MAC" addresses. Click "Add." Click "Apply." Now, create the following torrc.postconf file:

Code:

# vi /jffs/scripts/torrc.postconf HOSTIPADDR=$(hostname -i) source /usr/sbin/helper.sh if [ "$HOSTIPADDR" != "" ]; then HOSTIPADDR="${HOSTIPADDR}:"; fi pc_insert "SocksPort 9050" "SocksPort ${HOSTIPADDR}9050" $CONFIG

Code:

# chmod 755 /jffs/scripts/torrc.postconf # service restart_tor Done. # hostname -i 192.168.0.1

Lastly, configure the Proxy Settings of a Browser, on your LAN, with the SOCKS Host: 192.168.0.1 and Port: 9050. When necessary, this configuration provides an additional level of anonymity for regular browsers. However, when available, we still recommend using Tor Browser as it provides a greater level of anonymity.

That's it! All client traffic for a given Browser is routing through the Tor network.

4. Tor via an Entry (Guard)/Middle (Non-Exit) Relay option: Under Advanced Settings > VPN > Tor - Enable "TOR" and select "Only Specified MAC's" for "Redirect all user from." Add the placeholder MAC address "11:11:11:11:11:11" to the list of "MAC" addresses. Click "Add." Click "Apply." Now, create the following torrc.postconf file:

Code:

# vi /jffs/scripts/torrc.postconf #!/bin/sh CONFIG=$1 #DYNIPADDR=$(ip addr show vlan2 | grep -ioE "inet\s(.+)\/[0-9]{1,2}" | sed -E "s/inet\s//g; s/\/[0-9]{1,2}//g;") DYNIPADDR=$(/opt/bin/dig +short myip.opendns.com @resolver1.opendns.com) HOSTIPADDR=$(hostname -i) PORT="443" source /usr/sbin/helper.sh # Tor: A non-exit relay should be able to handle 7000 concurrent connections ulimit -n 7168 #if [ "$DYNIPADDR" = "xxx.xxx.xxx.xxx" ]; then DYNIPADDR="192.168.2.254"; PORT="9001"; fi if [ "$DYNIPADDR" != "" ]; then DYNIPADDR="${DYNIPADDR}:"; fi if [ "$HOSTIPADDR" != "" ]; then HOSTIPADDR="${HOSTIPADDR}:"; fi # Note: The default ORPort 9001 is blocked by our ISP, so we opted to use ORPort 443 pc_insert "SocksPort 9050" "Nickname ASUSWRTMerlinRelay" $CONFIG pc_insert "Nickname ASUSWRTMerlinRelay" "ORPort ${DYNIPADDR}${PORT}" $CONFIG pc_delete "SocksPort 9050" $CONFIG pc_insert "ORPort ${DYNIPADDR}${PORT}" "SocksPort 9050" $CONFIG pc_insert "SocksPort 9050" "ExitRelay 0" $CONFIG pc_insert "ExitRelay 0" "DirCache 0" $CONFIG pc_insert "DirCache 0" "GeoIPFile /opt/share/tor/geoip" $CONFIG pc_replace "DataDirectory /tmp/.tordb" "DataDirectory /tmp/tor/torrc.d/.tordb" $CONFIG pc_append "ContactInfo tor-operator@your-emailaddress-domain" $CONFIG # Uncomment the following line to include the Tor via Browser option #pc_insert "SocksPort 9050" "SocksPort ${HOSTIPADDR}9050" $CONFIG

Code:

#vi /jffs/scripts/init-start #!/bin/sh # Note: Tor DataDirectory requires a lot of disk space, so we symlinked to our USB 3.0 Interface Device if [ ! -d "/tmp/tor" ]; then ln -s /tmp/mnt/SanDiskSDHC/tmp/tor /tmp/tor fi

Code:

# opkg update # opkg install bind-dig # opkg install tor-geoip # echo $(/opt/bin/dig +short myip.opendns.com @resolver1.opendns.com) xxx.xxx.xxx.xxx # chmod 755 /jffs/scripts/torrc.postconf # chmod 755 /jffs/scripts/init-start # mkdir -p /tmp/mnt/SanDiskSDHC/tmp/tor/torrc.d # /jffs/scripts/init-start # service restart_tor Done.

Code:

# cat /tmp/torrc Nickname ASUSWRTMerlinRelay ORPort xxx.xxx.xxx.xxx:443 SocksPort 9050 SocksPort 192.168.0.1:9050 ExitRelay 0 DirCache 0 GeoIPFile /opt/share/tor/geoip Log notice file /tmp/torlog VirtualAddrNetwork 10.192.0.0/10 AutomapHostsOnResolve 1 TransPort 192.168.0.1:9040 DNSPort 192.168.0.1:9053 RunAsDaemon 1 DataDirectory /tmp/tor/torrc.d/.tordb AvoidDiskWrites 1 User tor

Congratulations! You're a Tor Contributor!

4a. [Optional] Asuswrt-Merlin Tor with Dual WAN: Force Asuswrt-Merlin Tor (upper-case T) to Reload/Start Modified Config Anytime the nat-start Script is Executed

Code:

# vi /jffs/scripts/nat-start ... # Force Asuswrt-Merlin Tor (upper-case T) to Reload Modified Config . /jffs/scripts/torrc.postconf

Code:

# vi /jffs/scripts/torrc.postconf ... # Force Asuswrt-Merlin Tor (upper-case T) to Reload/Start Modified Config if ! /usr/bin/killall -HUP Tor; then Tor -f /tmp/torrc --quiet fi

4b. [Optional] Install/Use Entware tor: Force Asuswrt-Merlin to use Entware installation of tor (lower-case T)

Code:

# opkg update # opkg install tor

Code:

# vi /jffs/scripts/torrc.postconf ... # Force Asuswrt-Merlin Tor (upper-case T) to Reload/Start Modified Config #if ! /usr/bin/killall -HUP Tor; then # Tor -f /tmp/torrc --quiet #fi # Force Asuswrt-Merlin Tor (upper-case T) to Exit Cleanly to use Entware tor /usr/bin/killall Tor

4c. [Optional] Entware tor with Dual WAN: Force Entware tor (lower-case T) to Reload/Start Modified Config Anytime the nat-start Script is Executed

Code:

# vi /jffs/scripts/nat-start ... # Force Entware tor (lower-case T) to Reload Modified Config . /jffs/scripts/torrc.postconf

Code:

# vi /jffs/scripts/torrc.postconf ... # Force Asuswrt-Merlin Tor (upper-case T) to Reload/Start Modified Config #if ! /usr/bin/killall -HUP Tor; then # Tor -f /tmp/torrc --quiet #fi # Force Asuswrt-Merlin Tor (upper-case T) to Exit Cleanly to use Entware tor /usr/bin/killall Tor # Force Entware tor (lower-case T) to Reload/Start Modified Config if ! /usr/bin/killall -HUP tor; then /opt/sbin/tor -f /tmp/torrc --quiet fi

5. Tor via a Device/Browser/Relay Hybrid option: Is Tor via Device (Tor Option #2), Tor via Browser (Tor Option #3), and Tor via an Entry (Guard)/Middle (Non-Exit) Relay (Tor Option #4) steps all combined. Simply select a device from the list of "MAC" addresses and/or uncomment the Tor via Browser option within the torrc.postconf file:

Code:

# vi /jffs/scripts/torrc.postconf ... # Uncomment the following line to include the Tor via Browser option pc_insert "SocksPort 9050" "SocksPort ${HOSTIPADDR}9050" $CONFIG

That's it! All client traffic for a given device (MAC address) and/or Browser is routing through the Tor network and You're a Tor Contributor!

Within 48 hours of successful implementation, using a 100Mb/s fiber Internet link and Asus RT-AC66U (256MB) model router, our Tor via an Entry (Guard)/Middle (Non-Exit) Relay is showing up in the Tor Metrics database as having potential for a Fast-Middle Relay. We'll see where we end up after the 90-day lifecycle.

Enjoy this Tutorial? Checkout some of my other Tutorials:
Tutorial: [SOLUTION] OpenVPN Client Split Tunnel for BitTorrent Traffic
Tutorial: [SOLUTION] OpenVPN Client Split Tunnel Reverse Proxy Web Traffic using Nginx, DNSMasq, and IPTables

Within 48 hours of successful implementation, using a 100Mb/s fiber Internet link and Asus RT-AC66U (256MB) model router, our Tor via an Entry (Guard)/Middle (Non-Exit) Relay is showing up in the Tor Metrics database as having potential for a Fast-Middle Relay. We'll see where we end up after the 90-day lifecycle.

Hi which tab do you use in Tor Metrics to verify your comments above please. Thanks

garycnew · Jun 19, 2021

joe scian said:
Within 48 hours of successful implementation, using a 100Mb/s fiber Internet link and Asus RT-AC66U (256MB) model router, our Tor via an Entry (Guard)/Middle (Non-Exit) Relay is showing up in the Tor Metrics database as having potential for a Fast-Middle Relay. We'll see where we end up after the 90-day lifecycle.

Hi which tab do you use in Tor Metrics to verify your comments above please. Thanks

@joe scian Search for your Tor "Nickname" or "Fingerprint" using the Tor Metrics - Relay Search

Please let me know your experience with this tutorial; especially, whether I've missed any steps, aren't clear in certain parts, etc.

Thanks!

heysoundude · Jun 20, 2021

@garycnew I've been pondering setting this up on my router because I use Brave as my desktop browser which includes Tor functionality (in fact, all 3 "desktops" (and 2 iPhones) here use Brave, but other users don't have the patience I do), and having the browser default to using Tor.
do you have any experience with this, and if so, can you advise about what to be mindful of in setting it up? ROFLMAO - clicking the link in your first post opens a new Tor instance of Brave, and the YouTube video there won't play.
(wondering about my kodi machine as well...)
can I assume that the machine I make into a Tor "Terminal" won't use my unbound DNS or diversion adblocking? Does Tor work over IPv6? can I use DDNS for my router with Tor set up on it?
I think I need to ponder more carefully here...

garycnew · Jun 20, 2021

heysoundude said:
@garycnew I've been pondering setting this up on my router because I use Brave as my desktop browser which includes Tor functionality (in fact, all 3 "desktops" (and 2 iPhones) here use Brave, but other users don't have the patience I do), and having the browser default to using Tor.
do you have any experience with this, and if so, can you advise about what to be mindful of in setting it up? ROFLMAO - clicking the link in your first post opens a new Tor instance of Brave, and the YouTube video there won't play.
(wondering about my kodi machine as well...)
can I assume that the machine I make into a Tor "Terminal" won't use my unbound DNS or diversion adblocking? Does Tor work over IPv6? can I use DDNS for my router with Tor set up on it?
I think I need to ponder more carefully here...

@heysoundude Great to hear another "Very Senior Member" of this forum is interested in this tutorial. As for experience and advice as what to be mindful of, it really depends on what Tor option(s) you're interested in implementing. I don't have any experience with Brave Browser, but a cursory search shows that it is built to provide a private browsing experience (integrating Tor Browser in 2018). I assume it provides a similar browsing experience as Tor Browser, which comes with its own Tor Client Service (i.e., 127.0.0.1:9050). I'm sure you could configure Brave Browser's Proxy Settings per the #3 Tor via Browser option (i.e., 192.168.0.1:9050). You then have the opportunity to further configure your router with the #4 Tor via Entry (Guard)/Middle (Non-Exit) Relay or #5 Tor via Hybrid options, which I highly recommend. As for DNS, I configure my router with my VPN Service's no-logging DNS Servers just in case something slips through the cracks. This tutorial is meant to be configured with DYNIP/DDNS, which is how my router is currently configured. Finally, Tor does work with IPv6; though, this tutorial is based on an IPv4 implementation.

I hope that helps answer some of your questions. Your best bet is to set it up and find out first hand what it is or isn't capable of.

Enjoy!

Gary

heysoundude · Jun 20, 2021

garycnew said:
@heysoundude Great to hear another "Very Senior Member" of this forum is interested in this tutorial. As for experience and advice as what to be mindful of, it really depends on what Tor option(s) you're interested in implementing. I don't have any experience with Brave Browser, but a cursory search shows that it is built to provide a private browsing expressive (integrating Tor Browser in 2018). I assume it provides a similar browsing experience as Tor Browser, which comes with its own Tor Client Service (i.e., 127.0.0.1:9050). I'm sure you could configure Brave Browser's Proxy Settings per the #3 Tor via Browser option. You then have the opportunity to further configure your router with the #4 Tor via Entry (Guard)/Middle (Non-Exit) Relay or #5 Tor via Hybrid options, which I highly recommend. As for DNS, I configure my router with my VPN Service's no logging DNS Servers just in case something slipped through the cracks. This trial is meant to be configured with DDNS (my system is using DDNS). Finally, Tor does work with IPv6; although, the tutorial is based on a IPv4 configuration.

I hope that helps answer some of your questions. You're best bet is to set it up and find out first hand what it is or isn't capable of.

Enjoy!

Gary

first, I'm NOT of the fist-shaking, get-off-my-lawn-you-pesky-kids variety of "Very Senior Member" lol.
Yes, I'm guessing I'd need the whole stack of options for my proposed setup.
What I'm not sure about is whether the AC86 I use is up to the task of it all, especially since I'm also getting close to setting up a WireGuard server on it for me to connect to when I'm away from home...
This would be a weekend project when I have the network to myself.

Stay tuned

garycnew · Jun 21, 2021

heysoundude said:
first, I'm NOT of the fist-shaking, get-off-my-lawn-you-pesky-kids variety of "Very Senior Member" lol.
Yes, I'm guessing I'd need the whole stack of options for my proposed setup.
What I'm not sure about is whether the AC86 I use is up to the task of it all, especially since I'm also getting close to setting up a WireGuard server on it for me to connect to when I'm away from home...
This would be a weekend project when I have the network to myself.

Stay tuned

@heysoundude I'm glad to hear you're more of the wave-hi, come-check-out-my-swimming-pool type of 'Very Senior Member.' I'd like to consider myself a Senior Member of the Networking Community, but I'm relatively new to the Asuswrt-Merlin platform. However, Linux is Linux and Networking is Networking, so it makes it amenable in implementing some of my preferred industry leading networking practices at home for a fraction of the cost. I just have to figure out the nuances of Asuswrt-Merlin, which is hands-down the best alternative wireless router firmware that I've used (and I've used most of the notable flavors available).

As for performance, I'm using an Asus RT-AC66U_B1 with 256MB RAM and I've been able to maintain around 800 concurrent Tor circuits, so far. Moreover, I'm running multiple Split-Tunnel VPN's that send/receive between 40-80GB/day, a Reverse Proxy Server, Time Machine, and a BotFarm that makes use of the heavily underutilized resources of my AiMesh Nodes (25GB/day). Eventually, I'd like to implement something like onionbalance to offload Tor circuits to my AiMesh Nodes as TorNodes and build a TorFarm. I have to figure out packaging my own Entware packages prior to that, though, which is where I'm currently stalled. I want a clean way to bring up a new TorNode without having to compile from source all the time.

Well... There's my wave-hi, come-check-out-my-swimming-pool invitation. I hope it provides some clarity, prospective as to where I'd like to take my Asuswrt-Merlin adventures.

Respectfully,

Gary

P.S. If you have the patience to run Brave Browser as your default browser, you should consider working as a *nix Administrator or Network Engineer (if you aren't already).

heysoundude · Jun 21, 2021

garycnew said:
@heysoundude I'm glad to hear you're more of the wave-hi, come-check-out-my-swimming-pool type of 'Very Senior Member.' I'd like to consider myself a Senior Member of the Networking Community, but I'm relatively new to the Asuswrt-Merlin platform. However, Linux is Linux and Networking is Networking, so it makes it amenable in implementing some of my preferred industry leading networking practices at home for a fraction of the cost. I just have to figure out the nuances of Asuswrt-Merlin, which is hands-down the best alternative wireless router firmware that I've used (and I've used most of the notable flavors available).

As for performance, I'm using an Asus RT-AC66U_B1 with 256MB RAM and I've been able to maintain around 800 concurrent Tor circuits, so far. Moreover, I'm running multiple Split-Tunnel VPN's that send/receive between 40-80GB/day, a Reverse Proxy Server, Time Machine, and a BotFarm that makes use of the heavily underutilized resources of my AiMesh Nodes (25GB/day). Eventually, I'd like to implement something like onionbalance to offload Tor circuits to my AiMesh Nodes as TorNodes and build a TorFarm. I have to figure out packaging my own Entware packages prior to that, though, which is where I'm currently stalled. I want a clean way to bring up a new TorNode without having to compile from source all the time.

Well... There's my wave-hi, come-check-out-my-swimming-pool invitation. I hope it provides some clarity, prospective as to where I'd like to take my Asuswrt-Merlin adventures.

Respectfully,

Gary

P.S. If you have the patience to run Brave Browser as your default browser, you should consider working as a *nix Administrator or Network Engineer (if you aren't already).

You're much more deserving of the title "Very Senior" than I am, then...and no, I'm not an admin or engineer in any formal way; I've garnered just enough knowledge/understanding to be dangerous to myself and anyone who thinks I know what I'm doing. You'll be a valuable contributor around here. (I want to hear about your botfarm and using AiMesh node resources - but that may be more appropriately one for DMs - )
For Entware, you'll want to follow (if theyre still active here) @ryzhov_al - I believe they're the lead or go-to. maybe easier to communicate with them on their Telegram group (https://t.me/entware)...actually, just check out the GitHub and that will take you closer to the places/people you seem to want/need to go

garycnew · Jun 21, 2021

@heysoundude Patient and modest. You've obviously earned the "Very Senior Member" title for good reason. Your forum posts seem very logical, well thought-out, and well written. I don't know that @RMerlin would bestow such accolades to someone who was dangerous. As for me, I have very specific goals with Asuswrt-Merlin; thus, only an "Occasional Visitor." However, I will try to contribute to the Asuswrt-Merlin Community within those specific goals.

The BotFarm is a collection of bot-scripts written in shell (for portability), distributed across a number of AiMesh Nodes, using an executable NFS mount, built to scale inexpensively ($20 per RT-AC66U_B1), that monitor availability, pricing, etc of essentially anything of interest (Think... Bruce Wayne's NOC in Batman vs Superman). The BotFarm itself isn't necessarily clandestine more than its subversion techniques, which is more appropriately a DM discussion. Perhaps, now, you can better understand my specific goal of going down the Tor-hole?

As for Entware, I've noticed that @ryzhov_al seems to be the resident Entware guru and tried tagging them in a relavent post, but haven't received a response, yet. I tried submitting an Entware bug report on GitHub, but it was quickly dismissed as being not the kind of support they provide (RE: Building Entware Tools Fails Dependancy python 2.7). No worries... Like you, I have an inordinate amount of patience and will ultimately prevail. Patience, persistence, and an eye for detail are key attributes for the makings of a quality *nix Administrator, Network Engineer, or Architect, and the reason I suggest you might pursue one of those directions.

Let me know what you decide about your Tor implementation and if/how it goes.

Respectfully,

Gary

P.S. What kind of sound dude are you? I'm more of a lighting guy myself. ;-)

heysoundude · Jun 22, 2021

garycnew said:
@heysoundude Patient and modest. You've obviously earned the "Very Senior Member" title for good reason. Your forum posts seem very logical, well thought-out, and well written. I don't know that @RMerlin would bestow such accolades to someone who was dangerous. As for me, I have very specific goals with Asuswrt-Merlin; thus, only an "Occasional Visitor." However, I will try to contribute to the Asuswrt-Merlin Community within those specific goals.

The BotFarm is a collection of bot-scripts written in shell (for portability), distributed across a number of AiMesh Nodes, using an executable NFS mount, built to scale inexpensively ($20 per RT-AC66U_B1), that monitor availability, pricing, etc of essentially anything of interest (Think... Bruce Wayne's NOC in Batman vs Superman). The BotFarm itself isn't necessarily clandestine more than its subversion techniques, which is more appropriately a DM discussion. Perhaps, now, you can better understand my specific goal of going down the Tor-hole?

As for Entware, I've noticed that @ryzhov_al seems to be the resident Entware guru and tried tagging them in a relavent post, but haven't received a response, yet. I tried submitting an Entware bug report on GitHub, but it was quickly dismissed as being not the kind of support they provide (RE: Building Entware Tools Fails Dependancy python 2.7). No worries... Like you, I have an inordinate amount of patience and will ultimately prevail. Patience, persistence, and an eye for detail are key attributes for the makings of a quality *nix Administrator, Network Engineer, or Architect, and the reason I suggest you might pursue one of those directions.

Let me know what you decide about your Tor implementation and if/how it goes.

Respectfully,

Gary

P.S. What kind of sound dude are you? I'm more of a lighting guy myself. ;-)

I'm in audio post production...tv/film work, some advertising/webstuff, but occasionally I still get called to drive big PA systems in performance venues/festivals, and I have mixed on a broadcast truck. (if you've seen me cross swords with people in the ntpMerlin threads, it's because I am fairly well versed in clocking as it pertains to systems and sync/throughput...making 24Hz video and 48kHz audio match up correctly require particular attention to this detail)
You're very kind in your estimations of me. Titles are bestowed here by the server/software based on post activity. @RMerlin probably doesn't have much to do with that...and I'm trying to keep my post count down - being part of the furniture is fine, but I don't want to be imagined as smelly or lumpy.
My thinking as far as getting a convo with entware people - try the Telegram chat group. I'd bet that it's much more direct/immediate. I suspect I understand what you're doing with your bots, and I applaud your desire to be both disruptive and clandestine.

I'll try to make an attempt at Tor-ing up my self this weekend...I think I'll have the place to myself for a few hours, or maybe I can burn some midnight oil like the old days.

garycnew · Jun 23, 2021

heysoundude said:
I'm in audio post production...tv/film work, some advertising/webstuff, but occasionally I still get called to drive big PA systems in performance venues/festivals, and I have mixed on a broadcast truck. (if you've seen me cross swords with people in the ntpMerlin threads, it's because I am fairly well versed in clocking as it pertains to systems and sync/throughput...making 24Hz video and 48kHz audio match up correctly require particular attention to this detail)
You're very kind in your estimations of me. Titles are bestowed here by the server/software based on post activity. @RMerlin probably doesn't have much to do with that...and I'm trying to keep my post count down - being part of the furniture is fine, but I don't want to be imagined as smelly or lumpy.
My thinking as far as getting a convo with entware people - try the Telegram chat group. I'd bet that it's much more direct/immediate. I suspect I understand what you're doing with your bots, and I applaud your desire to be both disruptive and clandestine.

I'll try to make an attempt at Tor-ing up my self this weekend...I think I'll have the place to myself for a few hours, or maybe I can burn some midnight oil like the old days.

@heysoundude It sounds like you and I majored and minored in the opposite fields of study. I knew there was a reason you and I have gotten on so well. I can see clearer where you've developed your patience and how you've applied it, too. Mad Respect! As a hobby, I've done some post-production a/v work of my own. You can check out some samples at... https://www.gymclubdjs.com

As for the Matrix bestowing titles, since you put it that way, I am a bit concerned for the future of this forum.

I've made some progress with the Entware tools build. I've cleared all the library (except the python2 check that I commented out) and development header dependencies, but, now, I'm stuck at a bzcat | tar change mode issue that I think requires some busybox love. If worse comes to worse I'll checkout the Telegram chat group.

As for the BotFarm, another analogy might be having a Virtual Alfred Pennyworth keeping tabs on and notify Bruce Wayne first of anything that Bruce Wayne deems important 24/7/365. However, it can come at a cost (i.e., getting permanently suspended from a well known auction site, etc). Good times.

Look for an update to this Asuswrt-Merlin Tor Tutorial, as I've encountered some issues with router system resources becoming taxed with Tor ramping-up load in week two and competing with other, existing router services. Spoiler: It's a stable, happy ending.

Respectfully,

Gary

garycnew · Jun 23, 2021

UPDATE: During Week 2, of the New Relay Lifecycle, Tor has continued to ramp-up load to our ASUSWRTMerlinRelay that is starting to cause router degradation as it competes with existing network services and stresses the router.

Fortunately, Tor has provided a directive to tune and limit the MaxMemInQueues. Should you encounter similar issues, we recommend setting your MaxMemInQueues to 3/4 (i.e., 192MB) your system's total physical memory (i.e., 256MB) and increase/decrease based on router performance. Some routers will have more/less load based on existing network services.

Code:

# vi /jffs/scripts/torrc.postconf
...
# Note: By default, Tor will try to pick a reasonable MaxMemInQueues based on your system's physical memory
# Uncomment the following line to limit the MaxMemInQueues that Tor can use based on your physical memory
pc_insert "DirCache 0" "MaxMemInQueues 192 MB" $CONFIG
# Start by setting your MaxMemInQueues to 3/4 (i.e., 192MB) your system's total physical memory (i.e., 256MB)

This tuning option has effectively remedied the router degradation issues that we were experiencing and regained stability.

@joe scian @joegreat @CaptnDanLKW @heysoundude @L&LD

heysoundude · Jun 24, 2021

I guess you're running a swap on your entware drive?

garycnew · Jun 24, 2021

heysoundude said:
I guess you're running a swap on your entware drive?

@heysoundude Correct... I'm running the recommended 2GB swap file. The goal is to never have to use it, though.

BTW... I was finally successful with [SOLUTION] Cross-Compile Torsocks Entware Package via Debian Live DVD. Now, the real fun begins.

heysoundude · Jun 24, 2021

garycnew said:
@heysoundude Correct... I'm running the recommended 2GB swap file. The goal is to never have to use it, though.

BTW... I was finally successful with [SOLUTION] Cross-Compile Torsocks Entware Package via Debian Live DVD. Now, the real fun begins.

I'll be following along with great interest...dunno if I'm up to the task of compiling stuff however. probably need my hand held as I wade in.

garycnew · Dec 24, 2021

Tor via Transparent Proxy - @SomeWhereOverTheRainBow brought to my attention an additional method for configuring Tor, which should be compatible within an Asuswrt-Merlin implementation. Thanks!

SomeWhereOverTheRainBow · Dec 24, 2021

garycnew said:
Tor via Transparent Proxy - @SomeWhereOverTheRainBow brought to my attention an additional method for configuring Tor, which should be compatible within an Asuswrt-Merlin implementation. Thanks!

it is pretty compatible

. The proxy can even be used across openvpn or wireguard.

Here is a great guide for setting up a transparent proxy.

TransparentProxy · Wiki · Legacy / Trac · GitLab

Welcome to The Tor Project's Gitlab

gitlab.torproject.org

If following this guide, it is best to adapt any ip-addresses and interfaces used in the iptable rules to your setup.

diman82 · Apr 6, 2022

@garycnew @joe scian When running './torrc.postconf' (file attached) I get:

Code:

./torrc.postconf: line 25: can't create : nonexistent directory

What seems to be the problem? I want to setup a non-exit relay on my Asus wrt router..

garycnew · Apr 7, 2022

diman82 said:
@garycnew @joe scian When running './torrc.postconf' (file attached) I get:

Code:

./torrc.postconf: line 25: can't create : nonexistent directory

What seems to be the problem? I want to setup a non-exit relay on my Asus wrt router..

@diman82

I don't see an attached torrc.postconf.

From the error message, it seems the torrc.postconf is referencing a non-existent directory.

Make sure you're referencing valid directories in your torrc.postconf.

Regards,

Gary

diman82 · Apr 8, 2022

@garycnew ok, first of all - attaching 'torrc.postconf'
I've incorrectly run it - I needed to provide a 'torrc' file as an $1 input.
Anyway, now I have 2 'torrc' files (/tmp/torrc & /tmp/tor/torrc), both are the same, attaching them as well.
Now, I've run 'service restart_tor' command, but I can't find the tor process when I run 'ps | grep tor', nor I can see any files under /tmp/tor/torrc.d/ and there is no download/upload traffic, so I would guess tor doesn't work.
What seems to be the problem?
original files available at: https://filebin.net/94x2kajxz2yx4e5o

Thread starter	Title	Forum	Replies	Date
C	Is there any easy solution in Merlin for a VPN server that is hard to block/detect?	Asuswrt-Merlin	13	Jun 11, 2024
	[SOLUTION] WAN_Connection: ISP's DHCP did not function properly	Asuswrt-Merlin	6	Apr 19, 2024
M	Internal or External Captive Portal Solution	Asuswrt-Merlin	8	Mar 8, 2024
	Release Asuswrt-Merlin 3006.102.2 is now available for Wifi 7 devices	Asuswrt-Merlin	22	Yesterday at 11:56 AM
B	Unable to establish VPN connection to my PiVPN (ovpn) from my Asus RT-AC86U running Asuswrt-Merlin 386.14	Asuswrt-Merlin	1	Oct 27, 2024
F	Several Questions Re:Asuswrt-Merlin Feature Implementation	Asuswrt-Merlin	2	Oct 16, 2024
	How to enable port randomization in Asuswrt-Merlin?	Asuswrt-Merlin	4	Oct 12, 2024
	Beta Asuswrt-Merlin 3006.102.2 Beta is now available for Wifi 7 devices	Asuswrt-Merlin	70	Oct 12, 2024
J	Does Asuswrt-Merlin support AiMesh over Wifi?	Asuswrt-Merlin	4	Oct 5, 2024
	Printing from Guest Network (ASUSWRT-Merlin 3004.388.8_2)	Asuswrt-Merlin	5	Oct 4, 2024

Tutorial [SOLUTION] Asuswrt-Merlin Tor via Bridge, Device, Browser, Entry (Guard)/Middle (Non-Exit) Relay, and Device/Browser/Relay Hybrid Implementations

Senior Member

Very Senior Member

Senior Member

Part of the Furniture

Senior Member

Part of the Furniture

Senior Member

Part of the Furniture

Senior Member

Part of the Furniture

Senior Member

Senior Member

Part of the Furniture

Senior Member

Part of the Furniture

Senior Member

Part of the Furniture

Occasional Visitor

Senior Member

Occasional Visitor

Attachments

Similar threads

Similar threads

Support SNBForums w/ Amazon

Sign Up For SNBForums Daily Digest