Route All Internet Traffic from the LAN to Tor
2026-01-02T21:03:15+08:00
WARNING: Please follow all steps precisely and in order, otherwise you may lose access to LuCI! It is strongly recommended to establish an SSH connection beforehand; should you lose access to LuCI, you will be able to revert the changes.
WARNING: This procedure was tested on the GL.iNet Flint 2 (GL-MT6000), but it is not guaranteed to work universally. If any step appears unusual or unclear, stop immediately and undo all modifications.
WARNING: This guide was written after the author’s router appeared to function correctly. Issues may still exist, and security is not guaranteed, as some traffic may leak. The author takes no responsibility for any consequences arising from following this guide.
This guide explains how to route all Internet traffic from the LAN through Tor. The procedure was tested on OpenWrt 24.10.
With the exception of the Tor configuration, all steps can be performed through LuCI, and SSH is not required.
Step 1: Install and Configure Tor
Begin by installing Tor on your router:
# opkg update
# opkg install tor
Configure Tor according to your requirements, but ensure that your torrc contains at least the following:
TransPort 0.0.0.0:9040
VirtualAddrNetworkIPv4 10.192.0.0/10
AutomapHostsOnResolve 1
With TransPort 0.0.0.0:9040, Tor listens on every interface of the router. For improved security, you may instead use the IP address of your router on the lan interface for TransPort, provided you have only one interface to forward.
Step 2: Set Up DNSCrypt
I configured DNSCrypt using the guide found here. The five commands listed under Using the command line worked correctly for me, although LuCI may also be used for configuration.
Open System -> Software, search for dnscrypt-proxy2, and install it. Then go to Network -> DHCP and DNS -> Forwards -> DNS Forwards and add 127.0.0.53. Afterwards, open System -> Startup and restart dnsmasq.
If you do not wish to use DNSCrypt, you must add DNSPort to your torrc and configure it in DNS Forwards. I have not tested this method, and using DNSCrypt is recommended.
Step 3: Add Firewall Rules (IMPORTANT — FOLLOW PRECISELY)
Open Firewall -> IP sets and create the following IP set:
- Name: tor_bypass
- Family: IPv4
- Packet Field Match: dest_ip
- IPs/Networks/MACs:
  - The router’s IP address on your interface
  - 192.168.10.1/16
  - 10.0.0.0/8
  - 172.16.0.0/12
  - 127.0.0.1/32
- Leave all other fields unchanged
Open Firewall -> Port Forwards and add this rule:
- General Settings:
  - Name: tor-trans-forward (or any name you prefer)
  - Restrict to address family: IPv4 only
  - Protocol: TCP
  - Source zone: lan (or another zone whose traffic you wish to redirect)
  - External port: 1–65535
  - Destination zone: lan (must match the Source zone)
  - Internal IP address: the router’s IP address on your interface
  - Internal port: 9040
- Advanced Settings:
  - Use ipset: !tor_bypass (DO NOT OMIT THE EXCLAMATION MARK)
  - Leave all other fields unchanged
Open Firewall -> Traffic Rules and add this rule:
- General Settings:
  - Name: Block non-TCP traffic (or a name of your choice)
  - Protocol: UDP, ICMP, IGMP, IPSEC-ESP
  - Source zone: lan (must match your Port Forward Source zone)
  - Destination zone: wan
  - Action: reject
  - Leave all other fields unchanged
- Advanced Settings:
  - Leave all fields unchanged
If your device has IPv6 enabled, you must disable or block it. Open Firewall -> Traffic Rules and add this rule:
- General Settings:
  - Name: Block IPv6 (or a name of your choice)
  - Protocol: Any
  - Source zone: lan
  - Destination zone: wan
  - Action: reject
  - Leave all other fields unchanged
- Advanced Settings:
  - Restrict to address family: IPv6 only
  - Leave all other fields unchanged
Repeat this step for any additional interfaces whose traffic should be routed via Tor.
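A small model of the Step 3 rules for reasoning about individual flows from lan toward wan (an added example, not part of the original guide; ROUTER_IP is a constructed placeholder and the verdict labels are this example's own). It shows two things the lists above do not spell out: destinations in VirtualAddrNetworkIPv4 (10.192.0.0/10) fall inside the 10.0.0.0/8 bypass entry, so the port forward does not match them, and protocols not listed in the reject rule are left unmatched by it.

```sh
#!/bin/sh
# Model of the Step 3 firewall rules (added example, not the author's code).
# ROUTER_IP is a constructed placeholder for the router's lan address.
ROUTER_IP=192.168.1.1
BYPASS="$ROUTER_IP/32 192.168.10.1/16 10.0.0.0/8 172.16.0.0/12 127.0.0.1/32"

# Dotted-quad IPv4 address -> 32-bit integer.
ip2int() {
    IFS=. read -r o1 o2 o3 o4 <<EOF
$1
EOF
    echo $(( ($o1 << 24) | ($o2 << 16) | ($o3 << 8) | $o4 ))
}

# Succeeds if address $1 is inside CIDR $2. Host bits in $2 are masked off,
# so the guide's 192.168.10.1/16 entry covers all of 192.168.0.0/16.
in_cidr() {
    bits=${2#*/}
    mask=$(( (4294967295 << (32 - $bits)) & 4294967295 ))
    [ $(( $(ip2int "$1") & mask )) -eq $(( $(ip2int "${2%/*}") & mask )) ]
}

# Succeeds if destination $1 is in the tor_bypass set.
in_bypass() {
    for net in $BYPASS; do
        if in_cidr "$1" "$net"; then return 0; fi
    done
    return 1
}

# verdict FAMILY PROTO DEST: outcome for a flow from lan toward wan.
verdict() {
    if [ "$1" = ipv6 ]; then echo reject; return; fi   # "Block IPv6" rule
    if [ "$2" = tcp ]; then                            # port forward rule
        if in_bypass "$3"; then echo not-redirected; else echo tor; fi
        return
    fi
    case $2 in
        udp|icmp|igmp|esp) echo reject ;;    # "Block non-TCP traffic" rule
        *) echo unmatched ;;                 # protocol not listed in that rule
    esac
}

# Constructed sample flows.
for flow in "ipv4 tcp 93.184.216.34" "ipv4 tcp 10.192.0.1" \
            "ipv4 udp 1.1.1.1" "ipv4 sctp 1.1.1.1" "ipv6 tcp 2001:db8::1"; do
    echo "$flow -> $(verdict $flow)"
done
```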
Step 4: Save and Verify the Configuration
Click Save & Apply.
Visit https://check.torproject.org/ and/or https://myip.wtf/ to verify that your traffic is being correctly routed.
Visit https://ipv6.myip.wtf/ to confirm that IPv6 is properly blocked.
Check that LuCI remains accessible.
If everything appears to be functioning correctly, the configuration is complete.
If not, revert your changes in /etc/config/firewall using a text editor. It is recommended to seek help in #openwrt on Libera.Chat.