Hey there, as I am completely new here, I might do something against the netiquette here in the mailing lists, so correct me if I am wrong and I will try to adjust. I am trying to set up a transparent Tor proxy on OpenBSD with pf(4), but I couldn't find any helpful resources in the FAQ or the mailing lists (there was some post from 2008, but it wasn't really helpful) or the man pages. The current configuration looks like this:
>/etc/tor/torrc
User _tor
DataDirectory /var/tor
AutomapHostsOnResolve 1
TransProxyType pf-divert
TransPort 9040 IsolateClientProtocol IsolateDestPort IsolateDestAddr
SocksPort 9050 IsolateClientProtocol IsolateDestPort IsolateDestAddr
DNSPort 53 IsolateClientProtocol IsolateDestPort IsolateDestAddr
Schedulers KISTLite

>/etc/pf.conf
block all
non_tor = "{ 192.168.1.0/24 192.168.0.0/24 }"
match all scrub (no-df random-id reassemble tcp)
antispoof for egress inet
block return log on egress all
pass in quick on lo1 inet proto tcp all flags S/SA modulate state divert-to 127.0.0.1 port 9040
pass in quick on lo1 inet proto udp to port domain divert-to 127.0.0.1 port domain
pass quick on { lo0 lo1 }
block return in on ! lo0 proto tcp to port 6000:6010
pass out quick inet proto tcp user _tor flags S/SA modulate state
pass out quick inet proto udp to port domain route-to lo1
pass out quick inet to $non_tor
pass out inet proto tcp all route-to lo1

>/etc/dhclient.conf
supersede domain-name-servers 127.0.0.1;

>/etc/hostname.lo1
inet 127.0.0.2

That's it. "rcctl start tor" works flawlessly, "sh /etc/netstart" too, and "pfctl -f /etc/pf.conf" does not spit out any warnings or errors either, so I first assumed it would work just as flawlessly then, but apparently it doesn't, because I can't ping any domain or wget any webpage; when I start the web browser it says it can't resolve the domain. Because of all that I thought I might have set the DNSPort settings wrong, so I changed it to 5353, but it didn't work either. I couldn't find any working configuration for that matter and I would really appreciate it if somebody took the time and helped me.

Thanks in advance,
distantpath
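Added example (my own, not code from the post, from Tor or from OpenBSD): a small Python checker that reads the relevant torrc and pf.conf lines and reports where the pf divert-to ports no longer match Tor's TransPort and DNSPort, since a torrc change such as DNSPort 5353 silently breaks a pf.conf that still diverts UDP to "port domain". The sample configs embedded below are constructed from the post, with DNSPort already changed to 5353.

```python
import re

# Constructed sample configs, modelled on the post's torrc and pf.conf (DNSPort changed to 5353).
TORRC = """
User _tor
TransProxyType pf-divert
TransPort 9040 IsolateClientProtocol IsolateDestPort IsolateDestAddr
DNSPort 5353 IsolateClientProtocol IsolateDestPort IsolateDestAddr
"""
PF_CONF = """
pass in quick on lo1 inet proto tcp all flags S/SA modulate state divert-to 127.0.0.1 port 9040
pass in quick on lo1 inet proto udp to port domain divert-to 127.0.0.1 port domain
"""
SERVICE_PORTS = {"domain": 53}  # the only service name the pf.conf above uses

def torrc_ports(text):
    """Return {option: port} for the TransPort and DNSPort lines of a torrc."""
    ports = {}
    for line in text.splitlines():
        parts = line.split()
        if len(parts) >= 2 and parts[0] in ("TransPort", "DNSPort"):
            port = parts[1].rsplit(":", 1)[-1]  # accept "9040" or "127.0.0.1:9040"
            if port.isdigit():
                ports[parts[0]] = int(port)
    return ports

def pf_diverts(text):
    """Return {proto: port} for pf rules that divert-to a local port."""
    diverts = {}
    for line in text.splitlines():
        m = re.search(r"proto (tcp|udp)\b.*divert-to \S+ port (\S+)", line)
        if m:
            diverts[m.group(1)] = SERVICE_PORTS.get(m.group(2)) or int(m.group(2))
    return diverts

def check_consistency(torrc, pf_conf):
    """List mismatches between the ports Tor listens on and the ports pf diverts to."""
    tor, pf, problems = torrc_ports(torrc), pf_diverts(pf_conf), []
    for proto, option in (("tcp", "TransPort"), ("udp", "DNSPort")):
        if proto not in pf:
            problems.append(f"pf.conf has no divert-to rule for {proto}")
        elif option not in tor:
            problems.append(f"torrc does not set {option}")
        elif pf[proto] != tor[option]:
            problems.append(f"pf diverts {proto} to port {pf[proto]} but {option} is {tor[option]}")
    return problems

if __name__ == "__main__":
    print(check_consistency(TORRC, PF_CONF) or "torrc and pf.conf ports agree")
```

The checker says nothing about ICMP: Tor only carries TCP streams and the DNS queries sent to DNSPort, so ping through a setup like this is expected to fail whatever the pf rules say; wget against a hostname is the meaningful test.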