Tor Relay Proxy TL-WR710N

Leave a reply

So I took some time on my sunday to hack my TL-WR710N(US) edition, and I had a lot of fun. The first thing I got to do was take it apart! I was able to find the serial headers too, just a little soldering to make it work!

So opening the unit wasn’t a treat, I don’t really know how I could open it without messing up the case, oh well.

This is what the board looks like popped out of the case.

IMG_0158

Flipping it over revealed the TP_IN and TP_OUT ports.
IMG_0163

A quick Google search revealed those were serial port connections… I am going to to lie I got a bit giddy!

I soldered some wires on.
IMG_0164

I then slowly but surely put it all back together, I clipped a bit of the plastic power light off to fit the wires out of the case.
IMG_0166

IMG_0167

I then had to hot glue the light in place (I have mad hot glue gun skills):
IMG_0167

Then put the case on top but first I had to slightly modify the piece that goes down the center:
IMG_0169

IMG_0170

Using my spark fun ftdi I booted the machine using 115200 8n1 first try was a success!
IMG_0171

IMG_0172

I had no idea what the password was, so I just headed straight to openwrt to get one of those images.

http://downloads.openwrt.org/snapshots/trunk/ar71xx/generic/openwrt-ar71xx-generic-tl-wr710n-v1-squashfs-sysupgrade.bin

I used the default tp-link upgrader to upgrade, but I watched in the console to see what happened.

IMG_0175

IMG_0175

It then magically rebooted into openwrt!

IMG_0177

That was all fun and stuff, but I wanted to do something interesting. I toyed around with a few ideas, one was building an iBeacon out of TP-Link:

Cool that was fun, but what would be more fun? How about Tor!

I was familiar with this project: https://github.com/grugq/portal but my WR710N(US) edition wasn’t supported… Damn.. So I tried installing tor,

opkg install tor

and I couldn’t figure out why the system kept crashing and rebooting (thus removing everything), Since I got a few seconds of leeway before the crash I got real fast, and typed top, I saw tor keep filling up all avalible ram. AH HA! I had it, so what was I to do? Well the TP-Link has a USB connector on the bottom for 3G/4G etc, I decided to make some swap space for the device on the memory stick. Now in short I present you running openwrt on the TP-Link TL-WR710N(US)

This is assuming that you have connected to the internet port on the LAN/WAN connectionIMG_0178

opkg update
opkg install swap-utils
opkg install zram-swap
opkg install kmod-usb-storage
opkg install kmod-usb-storage-extras
opkg install usbutils
 
modprobe sd_mod
modprobe usb-storage

At this point you can connect your USB device, and it should pop up and say the device name. in my case is was sda1

Screen Shot 2015-01-25 at 6.53.14 PM

WARNING: THE FOLLOWING COMMANDS WILL WIPE YOU USB DRIVE

mkswap /dev/sda1
swapon /dev/sda1

Alright we now have enough to install tor:

opkg install tor

Now we need to make it so anything that connects to wifi is automatically on Tor.

first we edit the network file and add these lines to the bottom

vi /etc/config/network
config interface 'tor'
    option proto 'static'
    option ipaddr '172.16.1.1'
    option netmask '255.255.255.0'

Now we need to edit the radio file, unfortunately on the WL710N it only has one radio some models have 2 and 2.4 and a 5ghz, so we could put tor on one and regular access on another. Oh well anyways!

vi /etc/config/wireless

The Whole file will contain this:

config wifi-device  radio0
        option type     mac80211
        option channel  11
        option hwmode   11g
        option path     'platform/ar933x_wmac'
        option htmode   HT20
 
config wifi-iface
        option device   radio0
        option network  tor   
        option mode     ap 
        option ssid     'The Dark Web!'
        option encryption none

Now we need to make our firewall rules.

vi /etc/config/firewall

The whole file will look like this:

config defaults
    option syn_flood '1'
    option input 'ACCEPT'
    option output 'ACCEPT'
    option forward 'REJECT'
 
config zone
    option name 'lan'
    option input 'ACCEPT'
    option output 'ACCEPT'
    option forward 'ACCEPT'
    option network 'lan'
 
config zone
    option name 'wan'
    option input 'REJECT'
    option output 'ACCEPT'
    option forward 'REJECT'
    option masq '1'
    option mtu_fix '1'
    option network 'wan'
 
config zone
    option name 'tor'
    option network 'tor'
    option input 'REJECT'
    option output 'ACCEPT'
    option forward 'REJECT'
    option conntrack '1'
 
config rule
    option name 'Allow-Tor-DHCP'
    option src 'tor'
    option proto 'udp'
    option dest_port '67'
    option target 'ACCEPT'
    option family 'ipv4'
 
config rule
    option name 'Allow-Tor-DNS'
    option src 'tor'
    option proto 'udp'
    option dest_port '9053'
    option target 'ACCEPT'
    option family 'ipv4'
 
config rule
    option name 'Allow-Tor-Transparent'
    option src 'tor'
    option proto 'tcp'
    option dest_port '9040'
    option target 'ACCEPT'
    option family 'ipv4'
 
config rule
    option name 'Allow-Tor-SOCKS'
    option src 'tor'
    option proto 'tcp'
    option dest_port '9050'
    option target 'ACCEPT'
    option family 'ipv4'
 
config rule
    option name 'Allow-DHCP-Renew'
    option src 'wan'
    option proto 'udp'
    option dest_port '68'
    option target 'ACCEPT'
    option family 'ipv4'
 
config rule
    option name 'Allow-Ping'
    option src 'wan'
    option proto 'icmp'
    option icmp_type 'echo-request'
    option family 'ipv4'
    option target 'ACCEPT'
 
config forwarding
    option dest 'wan'
    option src 'lan'
 
config include
    option path '/etc/firewall.user'

Now we edit the user script for some custom rules.

vi /etc/firewall.user

The whole file will look like this

iptables -t nat -A PREROUTING -i wlan0 -p udp --dport 53 -j REDIRECT --to-ports 9053
iptables -t nat -A PREROUTING -i wlan0 -p tcp --syn -j REDIRECT --to-ports 9040

Now we need to edit the tor config file:

vi /etc/tor/torrc

This goes at the end of the file:

DNSPort 9053
AutomapHostsOnResolve 1
AutomapHostsSuffixes .exit,.onion
DNSListenAddress 172.16.1.1
TransPort 9040
TransListenAddress 172.16.1.1

Last thing is restarting some services:

/etc/init.d/network restart
ifup wlan0
/etc/init.d/firewall restart
/etc/init.d/tor restart

After that go to your computer/phone whatever and select “The Dark Web!” first site to hit is:
https://check.torproject.org

If it worked you should get something like this:

Screen Shot 2015-01-25 at 6.59.39 PM

Screen Shot 2015-01-25 at 6.59.33 PM

That’s it your on tor, we ONLY redirected DNS and TCP, so most of UDP is not sent over the tor network.

The speed seemed ok to me, probably not something I would use all the time, but it was a fun Sunday experiment!

Have Fun!

John “Hide it” Hass

P.S. an untested way to backup the firmware

cat /dev/mtd5 > /tmp/firmware.bin

Of course if you’re out of space you can send it over scp:

dd if=/dev/mtd5 | ssh user@x.x.x.x 'dd of=~/firmware.bin'

Restore by first copying the firmware to /tmp/ and executing

mtd -r write /tmp/firmware.bin linux

I don’t plan on keeping tor as my main usage for this device.

Leave a Reply

Your email address will not be published. Required fields are marked *