Tor Network Filtering Configuration
Overview
The Pimeleon router operates as both a Tor bridge relay and local proxy service, providing anonymous internet access for internal clients while contributing to the Tor network infrastructure.
Service Architecture
Bridge Relay Functionality
The router operates as a Tor bridge relay (not exit relay) on port 4439, helping users in censored regions access the Tor network without exposing local users to exit traffic risks.
Multi-Interface Proxy Access
Tor provides SOCKS proxy services across multiple network interfaces:
- Localhost: Port 9050 for router internal processes
- Main LAN: Port 9100 for 192.168.76.0/24 clients
- Guest VLAN: Port 9100 for 192.168.77.0/24 clients
Transparent Proxy Integration
TransPort functionality on port 9040 enables transparent routing of selected traffic through the Tor network without requiring any client-side proxy configuration.
DNS Integration
Tor DNS Resolution
Dedicated DNS service on port 15353 handles .onion domain resolution and provides DNS-over-Tor functionality for enhanced privacy.
dnscrypt-proxy Integration
Tor DNS integrates with DNSCrypt-proxy configuration for .onion domain forwarding, creating seamless hidden service access.
Traffic Isolation
Client Isolation
Each client connection receives isolated circuits preventing correlation between different users or applications:
- IsolateClientAddr: Separate circuits per client IP
- IsolateDestAddr: Separate circuits per destination
- IsolateDestPort: Separate circuits per destination port
Virtual Address Mapping
Virtual network 10.192.0.0/10 handles .onion domain mapping with automatic hostname resolution for hidden services.
Access Control
Network Policy
Restrictive SOCKS policy allows access only from trusted networks:
- Localhost access always permitted
- Private network ranges 192.168.0.0/16 allowed
- All other connections rejected
HTTP Tunnel Access
HTTP tunnel service on port 9111 (LAN interfaces) provides an alternative proxy method for clients that require HTTP CONNECT functionality:
HTTP Tunnel Configuration
- Port 9111: Available on 192.168.76.1 and 192.168.77.1
- Protocol: HTTP CONNECT tunneling
- Use Case: Legacy applications, corporate firewalls, debugging tools
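The torrc below is an added example that reconstructs the configuration this page describes (bridge relay, multi-interface SOCKS ports with stream isolation, HTTP tunnel, TransPort, DNSPort, virtual .onion mapping and SOCKS policy); it is not the Pimeleon project's own file. Nickname, ContactInfo, the bind addresses for TransPort, DNSPort and ControlPort, and the control-port authentication method are assumptions, and no pluggable transport is configured because the page does not mention one.

```text
## Pimeleon router torrc (added example, assembled from the page's description)

## Bridge relay, never an exit: inbound relay connections arrive on 4439
BridgeRelay 1
ORPort 4439
ExitRelay 0
ExitPolicy reject *:*
Nickname PimeleonBridgePLACEHOLDER
ContactInfo admin@example.invalid

## IPv4-only client operation (Raspberry Pi 3B+ simplification)
ClientUseIPv4 1
ClientUseIPv6 0

## SOCKS5: localhost for router processes, LAN and guest VLAN on 9100,
## each with per-client, per-destination and per-port stream isolation
SocksPort 127.0.0.1:9050 IsolateClientAddr IsolateDestAddr IsolateDestPort
SocksPort 192.168.76.1:9100 IsolateClientAddr IsolateDestAddr IsolateDestPort
SocksPort 192.168.77.1:9100 IsolateClientAddr IsolateDestAddr IsolateDestPort

## HTTP CONNECT tunnel for legacy or firewall-restricted clients
HTTPTunnelPort 192.168.76.1:9111
HTTPTunnelPort 192.168.77.1:9111

## Transparent proxy target for Shorewall redirects (bind addresses assumed)
TransPort 192.168.76.1:9040
TransPort 192.168.77.1:9040

## DNS-over-Tor resolver that dnscrypt-proxy forwards .onion queries to
DNSPort 127.0.0.1:15353

## .onion names resolve into the virtual range and are mapped back on connect
VirtualAddrNetworkIPv4 10.192.0.0/10
AutomapHostsOnResolve 1

## Only the router itself and 192.168.0.0/16 clients may use the client ports
SocksPolicy accept 127.0.0.1
SocksPolicy accept 192.168.0.0/16
SocksPolicy reject *

## Control port used by the circuit-status check under Troubleshooting;
## cookie authentication is an assumption (the page does not specify one)
ControlPort 127.0.0.1:9051
CookieAuthentication 1
```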
HTTP Tunnel vs SOCKS5 Comparison
| Feature | SOCKS5 (Port 9100) | HTTP Tunnel (Port 9111) |
|---|---|---|
| Protocol | Binary SOCKS5 | HTTP CONNECT |
| Overhead | Minimal | Higher (HTTP headers) |
| Compatibility | Modern applications | Legacy/restricted environments |
| Performance | Faster | Slightly slower |
| Debugging | Binary protocol | Human-readable HTTP |
| Firewall Compatibility | May be blocked | Usually allowed |
HTTP Tunnel Usage Examples
```bash
# Using curl with the HTTP tunnel (curl issues CONNECT for https:// URLs)
curl --proxy 192.168.76.1:9111 https://example.com
# Using wget with the HTTP tunnel (wget has no --http-proxy switch; the proxy
# is set through .wgetrc-style commands or the https_proxy environment variable)
wget -e use_proxy=yes -e https_proxy=http://192.168.76.1:9111 https://example.com
# Browser proxy configuration
# HTTP Proxy: 192.168.76.1
# Port: 9111
```
When to Use HTTP Tunnel
- Corporate environments: Where SOCKS5 is blocked by firewall
- Legacy applications: That only support HTTP proxy
- Debugging: HTTP headers are visible for troubleshooting
- Compatibility: With older proxy-aware software
Security Considerations
Bridge vs Exit Relay
Bridge relay configuration avoids exit relay responsibilities while still contributing to the network:
- No exit traffic handling reduces legal liability
- Helps censored users access Tor network
- Lower resource requirements than exit relay
- Reduced security monitoring concerns
Circuit Isolation
Comprehensive isolation prevents traffic correlation attacks:
- Each destination gets separate circuits
- Client activities cannot be correlated
- Port-level isolation for application separation
- Automatic circuit rotation for additional security
Performance Optimization
Resource Management
Configuration optimized for Raspberry Pi 3B+ constraints:
- IPv4-only operation reduces complexity
- Controlled concurrent connections
- Efficient circuit management
- Balanced relay contribution vs local performance
Network Routing
Integration with Shorewall firewall enables:
- Selective transparent proxy routing
- Port forwarding for bridge functionality
- Traffic filtering for Tor-specific protocols
- Network segment isolation
Filtering Applications
Content Circumvention
Tor access enables bypassing various restrictions:
- Geographic content blocking
- ISP-level filtering
- Government censorship
- Network policy restrictions
Privacy Enhancement
Anonymous browsing capabilities protect user privacy:
- IP address masking
- Traffic pattern obfuscation
- Hidden service access
- Metadata protection
Integration Points
Firewall Configuration
Shorewall rules permit:
- Inbound bridge relay connections on port 4439
- Outbound Tor network connections
- Internal proxy access on designated ports
- DNS forwarding for .onion domains
DNS Resolution Chain
.onion domain handling flow:
- Client DNS query → BIND9 → DNSCrypt-proxy → Tor DNS → Hidden service
Operational Benefits
- Privacy Protection: Anonymous internet access for internal users
- Censorship Circumvention: Access to blocked content and services
- Network Contribution: Supporting global internet freedom
- Service Integration: Seamless .onion domain resolution
- Traffic Isolation: Preventing user correlation and tracking
Troubleshooting
Common HTTP Tunnel Issues
Connection Timeouts
Symptoms: HTTP tunnel connections hang or timeout
```bash
# Test HTTP tunnel connectivity
curl --proxy 192.168.76.1:9111 --connect-timeout 10 http://httpbin.org/ip
```
Causes:
- Tor not fully bootstrapped
- Network connectivity issues
- Firewall blocking outbound connections
Solutions:
- Check Tor bootstrap status:
  ```bash
  sudo tail -f /var/log/tor/notices.log
  ```
- Wait for the "Bootstrapped 100%" message
- Verify network connectivity from Pimeleon router
- Check firewall rules for port 9111
HTTP vs HTTPS Tunneling
Issue: Some applications fail with HTTPS through the HTTP tunnel
Cause: Application doesn't properly handle the CONNECT method
Solution:
- Use SOCKS5 proxy (port 9100) instead
- Configure application for HTTP tunnel specifically
- Check application documentation for proxy support
Proxy Authentication Errors
Symptoms: 407 Proxy Authentication Required
Cause: Application sending authentication when Tor doesn't require it
Solution: Configure the application to use the proxy without authentication
SOCKS5 Proxy Issues
Bootstrap Failures
Symptoms: SOCKS connections fail, Tor logs show bootstrap errors
```bash
# Check bootstrap progress
sudo grep "Bootstrapped" /var/log/tor/notices.log | tail -5
```
Solutions:
- Check internet connectivity
- Try Tor bridges if in censored region
- Restart Tor service:
  ```bash
  sudo systemctl restart tor
  ```
- Check system time accuracy
Circuit Building Problems
Symptoms: Slow connections, frequent timeouts
Cause: Network congestion, guard relay issues
Monitoring:
```bash
# Monitor circuit status via the control port (ControlPort 9051 must be enabled;
# if cookie or password authentication is configured, send AUTHENTICATE first,
# otherwise Tor answers "514 Authentication required")
echo 'getinfo circuit-status' | nc 127.0.0.1 9051
```
Performance Optimization
Stream Isolation Impact
Current configuration uses aggressive isolation:
- IsolateClientAddr: Each client IP gets separate circuits
- IsolateDestAddr: Each destination gets separate circuits
- IsolateDestPort: Each port gets separate circuits
Performance Tuning: To improve performance on RPi 3B+, consider removing IsolateDestPort:
```text
# More performance-oriented configuration
SocksPort 192.168.76.1:9100 IsolateClientAddr IsolateDestAddr
SocksPort 192.168.77.1:9100 IsolateClientAddr IsolateDestAddr
```
Maintenance Considerations
Regular monitoring ensures optimal performance and security:
- Bridge relay statistics and connectivity
- Circuit establishment success rates
- Resource usage and performance impact
- Security update application
- Configuration optimization based on usage patterns
- HTTP tunnel vs SOCKS5 usage patterns
- Stream isolation effectiveness vs performance trade-offs
Related Services
- Shorewall firewall for traffic routing
- DNSCrypt-proxy for .onion domain forwarding
- BIND9 for DNS zone integration
- Network monitoring for performance tracking
- VPN services for complementary privacy options