I had a few friends ask if they could buy a cheap travel router that protects their internet activity as they travel around the globe. So my criteria:
- Cheap (<$20.00)
- Portable (ideally pocket size)
I knew I wanted a little travel router that supports OpenWRT and has enough RAM and storage to install Tor. There were a few routers that I liked, but I settled on the NEXX WT3020H. There are a couple of models that look the same; except for the "A" model they are all the same inside. Don't get the A model: it does not have enough resources to run LuCI and Tor. Pictures below are for my WT3020H. I purchased mine from Aliexpress.
There are a few getting-started articles online that explain how to install OpenWRT on this device and how to install Tor. Everything I have seen so far is incomplete: it either allows DNS leaks or does not allow .onion URLs. This is why I wanted to write this post and help anyone else who is trying to do the same. The script is agnostic of the hardware, so it should install on other OpenWRT devices as well.
Installing OpenWRT Chaos Calmer on the device
Connect your computer to the LAN port on the device and follow along. The image is fetched over plain HTTP, so compare its checksum with the sha256sums file published in the same download directory before writing it to flash:
$ telnet 192.168.8.1
Trying 192.168.8.1...
Connected to 192.168.8.1.
Escape character is '^]'.

(none) login: nexxadmin
Password: y1n2inc.com0755

BusyBox v1.12.1 (2016-11-14 18:04:51 HKT) built-in shell (ash)
Enter 'help' for a list of built-in commands.

# cd /tmp
# wget http://downloads.openwrt.org/chaos_calmer/15.05/ramips/mt7620/openwrt-15.05-ramips-mt7620-wt3020-8M-squashfs-sysupgrade.bin
Connecting to downloads.openwrt.org (78.24.191.177:80)
openwrt-15.05-ramips 100% |*******************************|  3328k  00:00:00 ETA
# mtd_write -r write openwrt-15.05-ramips-mt7620-wt3020-8M-squashfs-sysupgrade.bin mtd3
Unlocking mtd3 ...
Writing from openwrt-15.05-ramips-mt7620-wt3020-8M-squashfs-sysupgrade.bin to mtd3 ...  [e]
# reboot
The device should reboot, and at this point you should be running OpenWRT 15.05. Release and renew your computer's DHCP lease and make sure it has an address in OpenWRT's default LAN range, 192.168.1.0/24 (probably 192.168.1.100).
$ telnet 192.168.1.1
Trying 192.168.1.1...
Connected to openwrt.lan.
Escape character is '^]'.
 === IMPORTANT ============================
  Use 'passwd' to set your login password
  this will disable telnet and enable SSH
 ------------------------------------------

BusyBox v1.23.2 (2016-11-14 03:03:02 CEST) built-in shell (ash)

 -----------------------------------------------------
 CHAOS CALMER (15.05, r46767)
 -----------------------------------------------------
  * 1 1/2 oz Gin            Shake with a glassful
  * 1/4 oz Triple Sec       of broken ice and pour
  * 3/4 oz Lime Juice       unstrained into a goblet.
  * 1 1/2 oz Orange Juice
  * 1 tsp. Grenadine Syrup
 -----------------------------------------------------
root@OpenWrt:/# passwd
Changing password for root
New password:
Retype password:
Password for root changed by root
root@OpenWrt:/#
Installing Tor and configuring iptables
SSH in to your device and complete the steps below. Read setup.sh before you run it: it is fetched over plain HTTP and executed as root on the router.
$ ssh root@192.168.1.1
# wget http://pastebin.com/raw/Yd5mXksr
# mv Yd5mXksr setup.sh
# sh ./setup.sh
# reboot
After the device reboots, log in to LuCI (http://192.168.1.1).
- Browse to Network -> Interfaces
- Click the "Edit" button for "LAN"
- Scroll down to the "DHCP Server" section and click on "Advanced Settings"
- Add the entry 6,1.2.3.4 to "DHCP-Options" (without quotes). Option 6 is the DNS server handed to clients; the address is only a placeholder and does not need to be reachable, because every UDP DNS query leaving a client is intercepted on the LAN interface and answered through Tor.
- Click Save and Apply (may take a couple of minutes)
- Reboot the router.
That's all: the device will now intercept any TCP traffic and UDP DNS traffic on the LAN interface and route it through Tor. This hides where your traffic is going from whoever runs the network you are connected to. It does not make the traffic itself unreadable: a Tor exit relay still sees anything sent over plain HTTP, and traffic that is not TCP or DNS (other UDP, and anything the router itself sends) is not carried over Tor.
Please let me know what your thoughts are and whether you have any questions. The script is at http://pastebin.com/Yd5mXksr. Spend the $20 and stay secure :)
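The post's own script lives on pastebin, so here is an added example of the two halves the setup above needs, written by me and not taken from the post or from OpenWRT: the torrc lines that make Tor accept intercepted TCP and DNS and hand out fake addresses for .onion names, and the iptables rules that redirect LAN traffic into those ports and reject whatever was not redirected so nothing can leak around Tor. The LAN bridge name (br-lan), LAN address (192.168.1.1/24), the ports 9040 and 9053, the 10.192.0.0/10 mapping range, and the /etc/tor/torrc and /etc/firewall.user paths are my assumptions, not values from the post.

```sh
#!/bin/sh
# Added example, not the post's pastebin script: Tor transparent proxy for an
# OpenWRT travel router. "show" prints the config without touching the box;
# "apply" (as root on the router, run once) appends the torrc lines, saves the
# rules to /etc/firewall.user so fw3 re-applies them, and loads them now.
# Assumptions (mine): br-lan on 192.168.1.1/24, TransPort 9040, DNSPort 9053.

LAN_IF="${LAN_IF:-br-lan}"
LAN_NET="${LAN_NET:-192.168.1.0/24}"
LAN_IP="${LAN_IP:-192.168.1.1}"
TRANS_PORT="${TRANS_PORT:-9040}"
DNS_PORT="${DNS_PORT:-9053}"
ONION_NET="${ONION_NET:-10.192.0.0/10}"   # fake addresses Tor hands out for .onion names

# Tor side: TransPort takes intercepted TCP, DNSPort answers intercepted UDP DNS,
# and AutomapHostsOnResolve maps a .onion lookup to an address in ONION_NET so an
# ordinary browser can resolve and then connect to a hidden service.
torrc_text() {
    cat <<EOF
TransPort ${LAN_IP}:${TRANS_PORT}
DNSPort ${LAN_IP}:${DNS_PORT}
VirtualAddrNetworkIPv4 ${ONION_NET}
AutomapHostsOnResolve 1
EOF
}

# Firewall side, emitted as commands so they can be reviewed first. Order matters:
# the DNS redirect sits before the LAN-local RETURN so a query sent to the
# router's own resolver is captured too instead of being forwarded upstream in
# the clear. The final REJECT drops anything from the LAN that was not redirected
# (non-DNS UDP, ICMP), which is what stops traffic from bypassing Tor. Redirected
# packets are delivered locally, so they never reach FORWARD. The router's own
# traffic (OUTPUT) is not covered.
iptables_rules() {
    cat <<EOF
iptables -t nat -A PREROUTING -i ${LAN_IF} -p udp --dport 53 -j REDIRECT --to-ports ${DNS_PORT}
iptables -t nat -A PREROUTING -i ${LAN_IF} -p tcp -d ${ONION_NET} -j REDIRECT --to-ports ${TRANS_PORT}
iptables -t nat -A PREROUTING -i ${LAN_IF} -d ${LAN_NET} -j RETURN
iptables -t nat -A PREROUTING -i ${LAN_IF} -p tcp --syn -j REDIRECT --to-ports ${TRANS_PORT}
iptables -I FORWARD -i ${LAN_IF} -j REJECT
EOF
}

rule_count() { iptables_rules | wc -l | tr -d ' '; }

apply_config() {
    torrc_text >> /etc/tor/torrc
    iptables_rules >> /etc/firewall.user
    iptables_rules | while read -r rule; do $rule; done
}

case "${1:-}" in
    show)  torrc_text; echo; iptables_rules ;;
    apply) apply_config ;;
esac
```

After applying and restarting Tor, check it from a client rather than trusting the rules: https://check.torproject.org/ should report that you are using Tor, a lookup of a .onion name should return an address inside 10.192.0.0/10, and a UDP probe to anything other than port 53 should fail instead of reaching the internet.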