## New Features
- secubox-app-yggdrasil-discovery: Mesh peer discovery via gossip protocol
- yggctl CLI: status, self, peers, announce, discover, bootstrap
- Auto-peering with trust verification (master-link fingerprint)
- Daemon for periodic announcements

## Bug Fixes
- tor-shield: Fix opkg downloads failing when Tor active
  - DNS over Tor disabled by default
  - Auto-exclude public DNS servers from iptables rules
  - Excluded domains bypass list (openwrt.org, pool.ntp.org, etc.)
- haproxy: Fix portal 503 "End of Internet" error
  - Corrected malformed vhost backend configuration
  - Regenerated HAProxy config from UCI
- luci-app-nextcloud: Fix users list showing empty
  - RPC expect clause was extracting array, render expected object

## Updated
- Bonus feed: All IPKs rebuilt
- Documentation: HISTORY.md, WIP.md, TODO.md updated

Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
SecuBox Tor Shield
Tor integration for OpenWrt providing transparent proxy, SOCKS proxy, DNS over Tor, kill switch, hidden services, and bridge support.
Installation
opkg install secubox-app-tor
Configuration
UCI config file: /etc/config/tor-shield
uci set tor-shield.main.enabled='1'
uci set tor-shield.main.mode='transparent'
uci set tor-shield.main.dns_over_tor='1'
uci set tor-shield.main.kill_switch='0'
uci commit tor-shield
Usage
torctl start # Start Tor service
torctl stop # Stop Tor service
torctl status # Show Tor status and circuits
torctl newnym # Request new Tor identity
torctl bridges # Manage bridge relays
torctl hidden add # Create a hidden service
torctl hidden list # List hidden services
torctl killswitch on # Enable kill switch (block non-Tor traffic)
torctl killswitch off # Disable kill switch
Modes
- Transparent proxy -- All LAN traffic routed through Tor via iptables
- SOCKS proxy -- SOCKS5 endpoint for per-app Tor usage
- DNS over Tor -- DNS queries resolved through Tor network
- Kill switch -- Blocks all non-Tor traffic if Tor goes down
Excluded Domains (System Services Bypass)
When Tor Shield is active, certain system services (opkg, NTP, ACME) need direct internet access. These domains bypass Tor DNS and routing:
- OpenWrt package repositories (downloads.openwrt.org, mirrors)
- NTP time servers (pool.ntp.org, time.google.com)
- Let's Encrypt ACME (acme-v02.api.letsencrypt.org)
- DNS provider APIs (Gandi, OVH, Cloudflare)
Configure additional exclusions in UCI:
uci add_list tor-shield.trans.excluded_domains='my.example.com'
uci commit tor-shield
/etc/init.d/tor-shield restart
The exclusions are implemented at two levels:
- dnsmasq bypass -- DNS queries for excluded domains go directly to upstream
- iptables RETURN -- Traffic to resolved IPs bypasses Tor transparent proxy
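The following script is an added illustration of how the two-level bypass described above can be generated, not the package's own implementation. It assumes dnsmasq built with ipset support, a hypothetical nat chain named TOR_TRANS that holds the transparent-proxy REDIRECT, an ipset named tor_bypass, and a constructed domain list standing in for the UCI excluded_domains option.

```shell
#!/bin/sh
# Added example (not the tor-shield package's own script): emit the dnsmasq
# bypass and the iptables RETURN rule for a list of excluded domains.

# Constructed sample list, standing in for
# `uci get tor-shield.trans.excluded_domains`.
EXCLUDED="downloads.openwrt.org pool.ntp.org acme-v02.api.letsencrypt.org"
UPSTREAM_DNS="9.9.9.9"      # direct (non-Tor) resolver, assumption
SET_NAME="tor_bypass"       # ipset holding resolved bypass addresses, assumption

# Level 1: dnsmasq. server=/d/ sends queries for d straight upstream instead
# of through Tor; ipset=/d/ records every answer in the bypass set so that
# level 2 can match the resolved addresses.
gen_dnsmasq_bypass() {
    for d in $1; do
        printf 'server=/%s/%s\n' "$d" "$UPSTREAM_DNS"
        printf 'ipset=/%s/%s\n' "$d" "$SET_NAME"
    done
}

# Level 2: iptables. Inserting the RETURN at position 1 of the transparent
# proxy chain ($1) makes traffic to set members leave the chain before the
# REDIRECT to Tor's TransPort, so it goes out directly.
gen_iptables_bypass() {
    printf 'ipset create %s hash:ip -exist\n' "$SET_NAME"
    printf 'iptables -t nat -I %s 1 -m set --match-set %s dst -j RETURN\n' \
        "$1" "$SET_NAME"
}

# Input check: dnsmasq server=/.../ entries take bare hostnames only; reject
# wildcards, empty values, leading/trailing or doubled dots.
valid_domain() {
    case "$1" in
        ''|*[!A-Za-z0-9.-]*|.*|*.|*..*) return 1 ;;
        *) return 0 ;;
    esac
}

# Number of dnsmasq lines generated (two per domain).
count_bypass_lines() {
    gen_dnsmasq_bypass "$1" | wc -l | tr -d ' '
}

gen_dnsmasq_bypass "$EXCLUDED"
gen_iptables_bypass TOR_TRANS
```

Redirect the dnsmasq lines into a file under the dnsmasq conf directory and pipe the iptables lines into sh to apply them; the domain check should run on each UCI value before it is emitted.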
Dependencies
iptables, curl, jsonfilter, socat
License
Apache-2.0