From: Aeris <aeris+tor@imirhil.fr>
To: Rob van der Hoeven <robvanderhoeven@ziggo.nl>
Date: Mon, 18 Jan 2016 23:11:30 +0100
Cc: tor-talk@lists.torproject.org
Subject: Re: [tor-talk] transparent tor routers

> Besides some extra torrc entries, only a few simple firewall rules are
> needed.

Not so simple firewall rules.

You must avoid Tor inside Tor (worse privacy than Tor only), so if one of the
users already uses Tor (Tor Browser or native client), you don’t want to
re-torify his traffic.
Only feasible with 2 access points (1 for naked client, 1 for already Tor
user), or better (avoid explanation/rtfm for the users) with ipset rules to
discriminate traffic.
And if ipset, you need some smart script (python + stem) to regenerate rules
regularly from the Tor consensus.

AFAIK, small routers (such as Olimex) don’t have an RTC, so your clock is
borked at boot time and must be set manually if you want your Tor client to be
able to connect (it doesn’t support clock drift of more than a few hours).
And then, for a fully automated device targeted at not-savvy users, and more
difficult if you want no non-Tor traffic at all (NTP forbidden because of UDP),
you need some other tricks like htpdate or inotify, requiring perl and
python.

> I can also assure you that Tor works quite well on the router hardware
> mentioned above. I'm only playing with the hardware but I have not
> encountered any problems yet. Performance is OK too.

The problem is not to have a working Tor client with transparent proxying, but
a **correct** working Tor client with **correct** transparent proxying.
Or you’re just doing a yet-another-anonabox-craps.

With a few MB of memory and MHz of CPU, you just have enough to run a
standalone Tor client; all other things (ipset, python, stem, perl,
ca-certificates, web server for webUI config…) can’t fit inside.

And you have a problem with Tor upgrades too (not possible on OpenWRT without
tech skills and a reflash).

Regards,
-- 
Aeris
Individual crypto-terrorist group self-radicalized on the digital Internet
https://imirhil.fr/

Protect your privacy, encrypt your communications
GPG : EFB74277 ECE4E222
OTR : 5769616D 2D3DAC72
https://café-vie-privée.fr/
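
The ipset regeneration step mentioned in the message above, as an added example that is not part of the original e-mail or of any project it names. It assumes plain parsing of consensus `r` lines in place of stem so that it runs offline, IPv4 only, a hypothetical set name `tor-relays`, and a constructed sample consensus.

```python
import ipaddress

# Constructed sample in the consensus "r"/"s" line layout (documentation
# addresses, made-up nicknames and digests); not taken from a real consensus.
SAMPLE_CONSENSUS = """\
network-status-version 3
r relayA AAAAAAAAAAAAAAAAAAAAAAAAAAA BBBBBBBBBBBBBBBBBBBBBBBBBBB 2016-01-18 20:00:00 192.0.2.10 9001 9030
s Fast Guard Running Stable Valid
r relayB CCCCCCCCCCCCCCCCCCCCCCCCCCC 2016-01-18 20:00:00 198.51.100.7 443 0
s Fast Running Valid
r broken DDDDDDDDDDDDDDDDDDDDDDDDDDD 2016-01-18 20:00:00 not-an-ip 9001 0
r relayB2 EEEEEEEEEEEEEEEEEEEEEEEEEEE 2016-01-18 20:00:00 198.51.100.7 443 0
"""


def relay_endpoints(consensus_text):
    """Return sorted, de-duplicated (ip, orport) pairs from "r" lines."""
    found = set()
    for line in consensus_text.splitlines():
        tok = line.split()
        if tok[:1] != ["r"] or len(tok) < 8:
            continue
        try:
            # Address, ORPort and DirPort are the last three fields in both
            # the full and the microdescriptor consensus flavour.
            ip, port = ipaddress.IPv4Address(tok[-3]), int(tok[-2])
        except ValueError:
            continue  # malformed entry: never let it reach the firewall
        if 0 < port < 65536:
            found.add((str(ip), port))
    return sorted(found)


def ipset_restore(endpoints, name="tor-relays"):
    """Build input for `ipset -exist restore` that swaps the set atomically."""
    tmp = name + "-new"
    lines = [f"create {name} hash:ip,port family inet",
             f"create {tmp} hash:ip,port family inet",
             f"flush {tmp}"]
    lines += [f"add {tmp} {ip},tcp:{port}" for ip, port in endpoints]
    # swap replaces the live set in one step, so packets never see it empty
    lines += [f"swap {tmp} {name}", f"destroy {tmp}"]
    return "\n".join(lines) + "\n"


if __name__ == "__main__":
    print(ipset_restore(relay_endpoints(SAMPLE_CONSENSUS)), end="")
```

A firewall rule that matches the set on destination address and port (`-m set --match-set tor-relays dst,dst`) can then leave traffic from clients that already use Tor out of the transparent redirection.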

