Gist kremalicious/4c333c8c54fced00ab10c0a892a2304d
```sh
# what we want:
# client -> OpenVPN -> Tor -> Internet

# Install & configure OpenVPN
# https://www.digitalocean.com/community/tutorials/how-to-set-up-an-openvpn-server-on-ubuntu-16-04
# assumed OpenVPN configuration
# 10.8.0.1/24-Subnet
# tun0-Interface

# Install & configure Tor
sudo apt install tor
sudo vi /etc/tor/torrc
VirtualAddrNetwork 10.192.0.0/10
AutomapHostsOnResolve 1
DNSPort 10.8.0.1:53530
TransPort 10.8.0.1:9040
sudo service tor restart

# Check ports
sudo netstat -tulpen | grep tor
tcp 0 0 10.8.0.1:9040 0.0.0.0:* LISTEN 0 3964140 1525/tor
tcp 0 0 127.0.0.1:9051 0.0.0.0:* LISTEN 0 3964141 1525/tor
udp 0 0 10.8.0.1:53530 0.0.0.0:* 0 3964139 1525/tor

# Config iptables to route all traffic through the Tor proxy
export IPTABLES=/sbin/iptables
export OVPN=tun0

# transparent Tor proxy
$IPTABLES -A INPUT -i $OVPN -s 10.8.0.0/24 -m state --state NEW -j ACCEPT
$IPTABLES -t nat -A PREROUTING -i $OVPN -p udp --dport 53 -s 10.8.0.0/24 -j DNAT --to-destination 10.8.0.1:53530
$IPTABLES -t nat -A PREROUTING -i $OVPN -p tcp -s 10.8.0.0/24 -j DNAT --to-destination 10.8.0.1:9040
$IPTABLES -t nat -A PREROUTING -i $OVPN -p udp -s 10.8.0.0/24 -j DNAT --to-destination 10.8.0.1:9040
```
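As an added example (not the gist author's code), the same rule set built from variables with a dry-run mode, plus one rule the gist does not have. Tor's TransPort carries TCP only: UDP that the gist DNATs to port 9040 is simply undeliverable, and ICMP (a client's ping, for instance) matches none of the DNAT rules at all, so with the MASQUERADE rule from the linked OpenVPN tutorial it would be forwarded out the real interface, bypassing Tor. An explicit DROP in FORWARD for the VPN subnet closes that path without touching the redirected traffic, because DNAT'd packets are delivered locally via INPUT. The variables OVPN, VPN_NET, VPN_IP, TRANS_PORT, DNS_PORT and DRY_RUN and the functions ipt and tor_rules are my own; the values match the gist.

```sh
#!/bin/sh
# Added example, not the gist's own code: build the transparent-proxy rule
# set from variables so it can be added (-A), removed (-D) or checked (-C)
# without duplicating rules, and review it in dry-run mode first.
# Assumptions (as in the gist): OpenVPN on tun0 with 10.8.0.0/24, Tor
# TransPort 9040 and DNSPort 53530 bound to the gateway address 10.8.0.1.

OVPN="${OVPN:-tun0}"
VPN_NET="${VPN_NET:-10.8.0.0/24}"
VPN_IP="${VPN_IP:-10.8.0.1}"
TRANS_PORT="${TRANS_PORT:-9040}"
DNS_PORT="${DNS_PORT:-53530}"

# DRY_RUN=1 (default) prints the iptables commands; DRY_RUN=0 runs them (as root).
ipt() {
    if [ "${DRY_RUN:-1}" = 1 ]; then
        echo "iptables $*"
    else
        iptables "$@"
    fi
}

# tor_rules ACTION   ACTION is an iptables verb: -A (add), -D (delete), -C (check)
tor_rules() {
    act="$1"
    # new connections from VPN clients to the gateway itself (Tor's ports)
    ipt "$act" INPUT -i "$OVPN" -s "$VPN_NET" -m state --state NEW -j ACCEPT
    # client DNS queries -> Tor DNSPort (Tor's DNSPort is UDP only)
    ipt -t nat "$act" PREROUTING -i "$OVPN" -s "$VPN_NET" -p udp --dport 53 \
        -j DNAT --to-destination "$VPN_IP:$DNS_PORT"
    # every other TCP connection -> Tor TransPort
    ipt -t nat "$act" PREROUTING -i "$OVPN" -s "$VPN_NET" -p tcp \
        -j DNAT --to-destination "$VPN_IP:$TRANS_PORT"
    # Tor carries TCP only: nothing from the VPN subnet may be forwarded
    # unproxied (ICMP, non-DNS UDP, ...), whatever MASQUERADE rules exist.
    # DNAT'd packets are delivered to INPUT, so this does not affect them.
    ipt "$act" FORWARD -i "$OVPN" -s "$VPN_NET" -j DROP
}

# Dry-run review of the rule set; run with DRY_RUN=0 as root to apply it,
# `DRY_RUN=0 tor_rules -D` removes it again.
tor_rules -A
```

In dry-run mode the script only prints the four `iptables` commands, which is the moment to compare them against `iptables -t nat -S PREROUTING` and `iptables -S FORWARD` on the gateway before applying; `tor_rules -C` with DRY_RUN=0 returns non-zero if any rule is missing, so it can gate a toggle the way queeup's script below checks the INPUT rule.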
Anyone throw this into a docker container yet? I've been struggling for a while and wanted to know if someone got it working well.
@piqle, working on a docker image. Sharing a volume with the same config would mean you can have two images: one with Tor and one without. Same config on your devices.
I made a script for myself.

```bash
#!/bin/bash
# Save this file with Unix (LF) line endings; CRLF endings make bash report
# "$'\r': command not found".
if [ "$(whoami)" != "root" ]; then
    echo "Must be run as root"
    exit 1
elif ! dpkg-query --list openvpn | grep -q "ii"; then
    echo "Please install OpenVPN on your system."
    exit 1
elif ! dpkg-query --list tor | grep -q "ii"; then
    echo "Please install Tor on your system."
    exit 1
elif ! systemctl is-active --quiet openvpn 2>/dev/null; then
    echo "OpenVPN server is not running. Please start the OpenVPN service and try again!"
    exit 1
fi

IPTABLES=$(which iptables)                                  # /sbin/iptables
OVPN=$(ip r | grep "tun" | head -n 1 | awk '{print $3}')    # tun0
VPN_IP=$(ip r | grep "tun" | head -n 1 | awk '{print $9}')  # 10.8.0.1

function route() {
    local arg=$1
    # Config iptables to route all traffic through the Tor proxy
    # transparent Tor proxy
    $IPTABLES $arg INPUT -i $OVPN -s 10.8.0.0/24 -m state --state NEW -j ACCEPT
    $IPTABLES -t nat $arg PREROUTING -i $OVPN -p udp --dport 53 -s 10.8.0.0/24 -j DNAT --to-destination $VPN_IP:53530
    $IPTABLES -t nat $arg PREROUTING -i $OVPN -p tcp -s 10.8.0.0/24 -j DNAT --to-destination $VPN_IP:9040
    $IPTABLES -t nat $arg PREROUTING -i $OVPN -p udp -s 10.8.0.0/24 -j DNAT --to-destination $VPN_IP:9040
    ## Transproxy leak blocked:
    # https://trac.torproject.org/projects/tor/wiki/doc/TransparentProxy#WARNING
    $IPTABLES $arg OUTPUT -m conntrack --ctstate INVALID -j DROP
    $IPTABLES $arg OUTPUT -m state --state INVALID -j DROP
    $IPTABLES $arg OUTPUT ! -o lo ! -d 127.0.0.1 ! -s 127.0.0.1 -p tcp -m tcp --tcp-flags ACK,FIN ACK,FIN -j DROP
    $IPTABLES $arg OUTPUT ! -o lo ! -d 127.0.0.1 ! -s 127.0.0.1 -p tcp -m tcp --tcp-flags ACK,RST ACK,RST -j DROP
}

# Toggle: if the first rule is already present, tear everything down; otherwise set it up
if $IPTABLES --check INPUT -i $OVPN -s 10.8.0.0/24 -m state --state NEW -j ACCEPT 2>/dev/null; then
    echo "Stopping Tor and removing iptables routes"
    systemctl stop tor
    route "-D"
else
    echo "Starting Tor and adding iptables routes"
    systemctl start tor
    sleep 3
    route "-A"
    echo "Now you can connect to your VPN and surf on the Tor network"
fi
```
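The script above sleeps three seconds after starting Tor and then redirects traffic. The following check, an added example that is neither queeup's script nor the gist's code, reads `netstat -tulpen` output (the format shown in the gist's "Check ports" step) and confirms that Tor's TransPort and DNSPort are bound to the VPN gateway address only. A tor socket on 0.0.0.0 or :: would expose the transparent proxy on every interface of the server, not just to OpenVPN clients. The function check_tor_listeners, the variables and both sample outputs are my own constructions.

```sh
#!/bin/sh
# Added example (not part of the gist or of queeup's script): check from
# `netstat -tulpen` output that Tor's transparent-proxy sockets are bound only
# to the VPN gateway address. Assumed values follow the gist: gateway
# 10.8.0.1, TransPort 9040, DNSPort 53530; the sample output is constructed.

VPN_IP="${VPN_IP:-10.8.0.1}"
TRANS_PORT="${TRANS_PORT:-9040}"
DNS_PORT="${DNS_PORT:-53530}"

# check_tor_listeners  (reads netstat -tulpen output on stdin)
# Prints one line per finding. Returns 0 only if the TCP TransPort and the
# UDP DNSPort are bound to $VPN_IP and no tor socket sits on a wildcard address.
check_tor_listeners() {
    status=0
    have_trans=1
    have_dns=1
    # keep protocol and local address of sockets owned by a process named tor
    tor_sockets=$(grep '/tor$' | awk '{print $1, $4}')
    while read -r proto local; do
        [ -n "$local" ] || continue
        case "$local" in
            "$VPN_IP:$TRANS_PORT")
                [ "$proto" = tcp ] && have_trans=0 ;;
            "$VPN_IP:$DNS_PORT")
                [ "$proto" = udp ] && have_dns=0 ;;
            0.0.0.0:*|:::*|\*:*)
                echo "EXPOSED: tor $proto listener on wildcard address $local"
                status=1 ;;
            127.0.0.1:*)
                ;;  # ControlPort on loopback is expected
            *)
                echo "NOTE: unexpected tor listener $proto $local" ;;
        esac
    done <<EOF
$tor_sockets
EOF
    [ "$have_trans" -eq 0 ] || { echo "MISSING: tcp TransPort on $VPN_IP:$TRANS_PORT"; status=1; }
    [ "$have_dns" -eq 0 ]   || { echo "MISSING: udp DNSPort on $VPN_IP:$DNS_PORT"; status=1; }
    return "$status"
}

# Constructed sample in netstat -tulpen format (the gist's output plus an sshd line)
SAMPLE_NETSTAT='tcp 0 0 10.8.0.1:9040 0.0.0.0:* LISTEN 0 3964140 1525/tor
tcp 0 0 127.0.0.1:9051 0.0.0.0:* LISTEN 0 3964141 1525/tor
udp 0 0 10.8.0.1:53530 0.0.0.0:* 0 3964139 1525/tor
tcp 0 0 0.0.0.0:22 0.0.0.0:* LISTEN 0 20001 900/sshd'

# Constructed misconfiguration: TransPort left on all interfaces
BAD_NETSTAT='tcp 0 0 0.0.0.0:9040 0.0.0.0:* LISTEN 0 1 1525/tor
udp 0 0 10.8.0.1:53530 0.0.0.0:* 0 2 1525/tor'

# On the gateway run:  netstat -tulpen | check_tor_listeners
printf '%s\n' "$SAMPLE_NETSTAT" | check_tor_listeners && echo "OK: Tor listens on $VPN_IP only"
```

Run as root between `systemctl start tor` and `route "-A"` in a script like the one above, `netstat -tulpen | check_tor_listeners || exit 1` refuses to redirect client traffic until the listeners are actually up and bound where the torrc says they should be.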
Could you tell me if it is possible to access .onion websites via a client connected to OVPN with your configuration?
My browser is configured with Tor but I am not able to access .onion sites; I checked many onion sites but could not access them.
Normal sites are accessible but onion sites are not.
I also added AutomapHostsSuffixes .onion,.exit in the torrc file but no luck.
Hi Tufail431,
If you configure Tor and iptables well, all OpenVPN traffic will go through a Tor exit node.
For example 10.8.0.0/24, that means 10.8.0.1 - 10.8.0.255, will go to TransPort 10.8.0.1:9040, and this gateway is listened on by Tor.
If you configured it successfully, you can connect your OpenVPN client and check whether the IP address is a Tor exit node. If it is correct,
you can browse any onion site as well. For me it worked with anything.
Hello, I am getting this error while trying to run the script.
`bash ovtotor.sh`
gives me this:

```
ovtotor.sh: line 2: $'\r': command not found
ovtotor.sh: line 6: syntax error near unexpected token `elif'
'vtotor.sh: line 6: `elif ( ! dpkg-query --list openvpn | grep -q "ii"); then
```
Thanks for this, it helped me a lot!
I have a Raspberry Pi with AdGuard Home on it (a DNS blocker that blocks ads). I would like to configure my OpenVPN server to use it before routing the traffic through Tor. Do you have an idea where I should put the IP address of my DNS blocker?
EDIT: It is always after asking a question, after several days of research, that I find the answer myself:
I use @queeup's script, which is really useful (thank you), and replaced this line

```bash
$IPTABLES -t nat $arg PREROUTING -i $OVPN -p udp --dport 53 -s 10.8.0.0/24 -j DNAT --to-destination $VPN_IP:53530
```

with these lines:

```bash
$IPTABLES -t nat $arg PREROUTING -i $OVPN -p udp --dport 53 -s 10.8.0.0/24 -j DNAT --to-destination *AdGuard_Home_IP*
$IPTABLES -t nat $arg PREROUTING -i $OVPN -p tcp --dport 53 -s 10.8.0.0/24 -j DNAT --to-destination *AdGuard_Home_IP*
```
Quick question:
Is there a way to enable/disable this, as in, if I want to use just the OpenVPN connection without Tor? Or is this permanent?
I'd like to be able to quickly turn the Tor routing on/off as needed.
Thanks!