« Gun violence, cybercrime, and alternatives to living in fear | Main | The Still Sad and Deplorable State of Internet Security »

Wednesday, 13 January 2016

How to Turn a NEXX WT3020 Router into a Tor Router

IMG_0914My colleagues Sandro Rosetti and Paolo Dal Checco introduced me to a tiny, inexpensive little wireless router and shared a post that explains how to install Tor on the router. Operating anonymously is ideal for conducting investigations so I bought a NEXX WT3020F, visited the post, and followed the installation. The NEXX is one of many tiny routers to choose for investigating from home, office, or on the road and most can support WiFi, Ethernet and even 3G/4G.

Unfortunately, like many posts, including some of mine I'm sure, the instructions included broken external hyperlinks or mistyped scripts. Fortunately, by reading comments from folks who'd run into similar problems and by consulting with Sandro and Paolo, I was able to get my OnionWRT up and running.

Here's a chronology of how I did this on 13 January 2016. As of this date, the links here work. Your future mileage may vary.

Assumptions and Caveats

You must purchase a NEXX model that has 8 MB RAM. The simplest installation choice for me was to power the WT3020 through a laptop USB, connect the laptop to the WT3020 LAN port using Ethernet, and to connect WT3020 WAN port to my switch/firewall. To do as I did, open a browser window and connect to the NEXX Web interface at http://192.168.8.1 and configure for Internet connectivity using the Home and Work option. (Note: I had limited success using the WiFi repeater alternative. My Internet connection kept dropping.)

Important. I am not aware of any efforts to confirm that the router hasn't been back-doored. If you know, please share. I've elected to use it but use with eyes wide open.

Install openWRT

Once you have an Internet connection, telnet to the WT3020 at 192.168.8.1 using the default Nexx account credentials I show here. I've copied the commands I used and the output from the scripts below:

$ telnet 192.168.8.1
Trying 192.168.8.1...
Connected to 192.168.8.1.
Escape character is '^]'.

(none) login: nexxadmin
Password: y1n2inc.com0755


BusyBox v1.12.1 (2015-02-05 18:04:51 HKT) built-in shell (ash)
Enter 'help' for a list of built-in commands.

# cd /tmp
# wget http://downloads.openwrt.org/chaos_calmer/15.05/ramips/mt7620/openwrt-15.
05-ramips-mt7620-wt3020-8M-squashfs-sysupgrade.bin
Connecting to downloads.openwrt.org (78.24.191.177:80)
openwrt-15.05-ramips 100% |*******************************| 3328k 00:00:00 ETA
# mtd_write -r write openwrt-15.05-ramips-mt7620-wt3020-8M-squashfs-sysupgrade.bin mtd3
Unlocking mtd3 ...
Writing from openwrt-15.05-ramips-mt7620-wt3020-8M-squashfs-sysupgrade.bin to mtd3 ... [e]
#reboot

Warning. Your Nexx may force close telnet. Don't panic. Reboot via a power cycle.

At this point, you should be running the openWRT software. Note that openWRT assigns the IP address 192.168.1.1 to the internal LAN port. This is different from what NEXX assigns. If you're still able to connect to 192.168.8.1, something went awry: lather, rinse, repeat.

Install OnionWRT

Telnet to openWRT and change the root password:

$ telnet 192.168.1.1
Trying 192.168.1.1...
Connected to openwrt.lan.
Escape character is '^]'.
=== IMPORTANT ============================
Use 'passwd' to set your login password
this will disable telnet and enable SSH
------------------------------------------

BusyBox v1.23.2 (2015-07-25 03:03:02 CEST) built-in shell (ash)

-----------------------------------------------------
CHAOS CALMER (15.05, r46767)
-----------------------------------------------------
* 1 1/2 oz Gin Shake with a glassful
* 1/4 oz Triple Sec of broken ice and pour
* 3/4 oz Lime Juice unstrained into a goblet.
* 1 1/2 oz Orange Juice
* 1 tsp. Grenadine Syrup
-----------------------------------------------------
root@OpenWrt:/# passwd
Changing password for root
New password: 
Retype password: 
Password for root changed by root
root@OpenWrt:/#

At this point openWRT blocks telnet. You can configure SSH if you haven't logged out (TL;DR and logged out? openWRT warned you... learn to read). You can also use the web interface, LuCI.

Configure your Internet connection via LuCI. Take a moment to admire how superior this interface is compared to the original software.

You'll want to install the OnionWRT software. Kudos to Paolo's students, who posted a link to a working script at http://www.hwupgrade.it/forum/archive/index.php/t-2692919.html

The page is in Italian but simply search for "onionwrt", use Google translate, or learn Italian:-)

At your root prompt enter the following wget command. I've again illustrated the script output below:

root@OpenWrt:/# wget -qO - http://onionwrt.us.to/install | sh -
Installing tor (0.2.5.12-1) to root...
Downloading http://downloads.openwrt.org/chaos_calmer/15.05/ramips/mt7620/packages/packages/tor_0.2.5.12-1_ramips_24kec.ipk.
Installing libevent2 (2.0.22-1) to root...
Downloading http://downloads.openwrt.org/chaos_calmer/15.05/ramips/mt7620/packages/base/libevent2_2.0.22-1_ramips_24kec.ipk.
Installing libopenssl (1.0.2e-1) to root...
Downloading http://downloads.openwrt.org/chaos_calmer/15.05/ramips/mt7620/packages/base/libopenssl_1.0.2e-1_ramips_24kec.ipk.
Installing zlib (1.2.8-1) to root...
Downloading http://downloads.openwrt.org/chaos_calmer/15.05/ramips/mt7620/packages/base/zlib_1.2.8-1_ramips_24kec.ipk.
Installing libpthread (0.9.33.2-1) to root...
Downloading http://downloads.openwrt.org/chaos_calmer/15.05/ramips/mt7620/packages/base/libpthread_0.9.33.2-1_ramips_24kec.ipk.
Installing librt (0.9.33.2-1) to root...
Downloading http://downloads.openwrt.org/chaos_calmer/15.05/ramips/mt7620/packages/base/librt_0.9.33.2-1_ramips_24kec.ipk.
Configuring libpthread.
Configuring libevent2.
Configuring librt.
Configuring zlib.
Configuring libopenssl.
Configuring tor.
Warning: Unable to locate ipset utility, disabling ipset support
* Flushing IPv4 filter table
* Flushing IPv4 nat table
* Flushing IPv4 mangle table
* Flushing IPv4 raw table
* Flushing IPv6 filter table
* Flushing IPv6 mangle table
* Flushing IPv6 raw table
* Flushing conntrack table ...
Warning: Unable to locate ipset utility, disabling ipset support
* Populating IPv4 filter table
* Zone 'lan'
* Zone 'wan'
* Rule 'Allow-DHCP-Renew'
* Rule 'Allow-Ping'
* Rule 'Allow-IGMP'
* Rule #7
* Rule #8
* Forward 'lan' -> 'wan'
* Populating IPv4 nat table
* Zone 'lan'
* Zone 'wan'
* Populating IPv4 mangle table
* Zone 'lan'
* Zone 'wan'
* Populating IPv4 raw table
* Zone 'lan'
* Zone 'wan'
* Populating IPv6 filter table
* Zone 'lan'
* Zone 'wan'
* Rule 'Allow-DHCPv6'
* Rule 'Allow-MLD'
* Rule 'Allow-ICMPv6-Input'
* Rule 'Allow-ICMPv6-Forward'
* Rule #7
* Rule #8
* Forward 'lan' -> 'wan'
* Populating IPv6 mangle table
* Zone 'lan'
* Zone 'wan'
* Populating IPv6 raw table
* Zone 'lan'
* Zone 'wan'
* Flushing conntrack table ...
* Set tcp_ecn to off
* Set tcp_syncookies to on
* Set tcp_window_scaling to on
* Running script '/etc/firewall.user'
root@OpenWrt:/#

You're done. Confirm that you're on the Tor network by visiting https://check.torproject.org/

UsesTOR

I take no credit for any of the brilliance here. I have really smart friends.

I will also take no abuse for broken external links, but if you find one on this page, contact me.

Posted at 12:31 PM in All matters security |

Comments

Feed You can follow this conversation by subscribing to the comment feed for this post.

Verify your Comment

Previewing your Comment

Posted by:  | 

This is only a preview. Your comment has not yet been posted.

Working...
Your comment could not be posted. Error type:
Your comment has been saved. Comments are moderated and will not appear until approved by the author. Post another comment

The letters and numbers you entered did not match the image. Please try again.

As a final step before posting your comment, enter the letters and numbers you see in the image below. This prevents automated programs from posting comments.

Having trouble reading this image? View an alternate.

Working...

Post a comment

Comments are moderated, and will not appear until the author has approved them.

Your Information

(Name is required. Email address will not be displayed with the comment.)

Find me on Mastodon and Facebook

Spotlight Posts

  • Cybercrime Reported in April 2025
    In today's Interisle Insights, Colin Strutt looks at cybercrime activity collected at the Cybercrime Information Center for the month of April 2025.We point out anything that strikes us as particularly interesting in overall numbers as well as significant changes in ranking for Top Level Domains (TLDs), Registrars, and Hosting Networks. Read Cybercrime Reported in April 2025. Interisle Insights is a reader-supported publication. To receive new posts and support our work, consider becoming a free or paid subscriber. Join now!
  • Malware Trends: January - March 2025
    Malware activity reports for the quarter are now posted at the Cybercrime Information Center. Our key statistics show small quarter-over-quarter increases in malicious IP address malware records (Traffic Injectors and Attackware) and unique IPv4 addresses reported as serving or distributing malware, and but meaningful decreases in both endpoint and IoT malware reported. Read Malware Trends: January - March 2025
  • The World's Phishiest Neighborhoods
    In this Interisle Insights article, we take a closer look at our data to better understand what’s hosted at three autonomous systems which have appeared at or near the top in recent quarters. We’ll also review who’s being targeted by these attacks and what corresponding name and address resources are most frequently exploited. Autonomous systems are blocks of Internet addresses, which you can compare to "neighborhoods" in a city. And like any city, some neighborhoods are safe and some are not. The full article, The World's Phishiest Neighborhoods, is hosted here.
  • Interisle Study Reveals Alarming Rise in Online Abuse and Identifies Exploitable Links in Cybercriminal Supply Chains
    My Interisle colleagues and I today published our 2024 Cybercrime Suppy Chain study. We analyzed 16 million cybercrime events to expose a dramatic rise in criminal exploitation of name, address, hosting, and financial supply chains. Our year-over-year findings show that cybercriminals exploit lax policies to easily and cheaply obtain resources for phishing, malware, and spam campaigns. In our report, we provide actionable insights for those aiming to curb cybercrime. Among the major findings in the study, Interisle reports that: The total number of malware, phishing, and spam attacks grew year-over-year by nearly 54%, to nearly 16.3 million attacks. Spam doubled,...
  • Malware quarterly reports for July-September
    Malware quarterly reports for July-September 2024 is now posted at the Cybercrime Information Center. For the period... Malware identified as targeting endpoint devices increased 277% over the prior period. WordPress blog sites used for malware accounted for nearly all the malicious documents reported for this period. We continue to see an uptick in malicious scripts. IPv4 addresses reported for exhibiting characteristics of attackware and traffic injectors increased 38% to just under 1 million. ASNs in China and India again have the most IPv4 addresses reported for hosting malware. More malware trends for the period at https://www.cybercrimeinfocenter.org/malware-trends-july-september-2024. For historical reporting of...

Search

My Photo

Categories