Overview
Looking to browse the internet “anonymously” using off-the-shelf hardware? Heading down to your local coffee shop to “borrow” wifi to upload the latest ISIS targets is no longer a viable option. Learn how to browse the internet using tor. Tor is short for The Onion Router. It’s premise is that your traffic is bounced through several relays that are operated by tor’s volunteers.
To start browsing anonymously by way of a Raspberry Pi Tor router, you will need the following:
- Raspberry pi
- SD card
- Wifi dongle
- USB to ethernet adapter (optional)
- Power supply
Setup
First, download and extract the latest raspbian image. Once that completes, insert the SD card to your computer to copy the .img file over to the SD card. I am using command line on my Mac. If you are using Windows, you can visit this guide for software that will do this for you.
In my case, the SD card is disk3. Using rdisk with dd is about 20 times faster because you are accessing the disk raw. Read more about why this is the case here.
1
2
3
4
5
$ sudo dd if=2014-06-20-wheezy-raspbian.img of=/dev/rdisk3
Password:
5785600+0 records in
5785600+0 records out
2962227200 bytes transferred in 2540.229143 secs (1166126 bytes/sec)
Once the copy is complete, install the SD card in your raspberry pi and connect a power source, monitor, and keyboard. Note that you can also use a usb to serial adapter connected to the GPIO pins. From here, you will be guided through a quick install process. Choose the first option in the menu to expand the filesystem. It’s also a good idea to create a new password for the “pi” user. Lastly, reboot the pi to complete the install.
After the pi has rebooted, you should be able to connect using an ssh client. Check the local IP while you still have the monitor and keyboard connected.
Installation
Now that we have a working install of raspbian, we can start installing the needed packages. For this install, we are configuring the pi as an access point. Run the following commands as root to update the repo and install the needed packages:
1
2
# apt-get update && apt-get upgrade
# apt-get install vim tor hostapd isc-dhcp-server
Note that after the install is complete, isc-dhcp-server will likely fail to start. This is ok, since we have not yet configured it. Open up /etc/dhcp/dhcpd.conf in vi. Two lines need to be commented out, one needs to be uncommented, and a DCHP configuration needs to be added. Diff output from the changes made are below:
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
# diff dhcpd.conf.orig dhcpd.conf
13,14c13,14
< option domain-name "example.org";
< option domain-name-servers ns1.example.org, ns2.example.org;
---
> #option domain-name "example.org";
> #option domain-name-servers ns1.example.org, ns2.example.org;
21c21
< #authoritative;
---
> authoritative;
107a108,117
>
> subnet 192.168.70.0 netmask 255.255.255.0 {
> range 192.168.70.10 192.168.70.50;
> option broadcast-address 192.168.70.255;
> option routers 192.168.70.1;
> default-lease-time 600;
> max-lease-time 7200;
> option domain-name "local";
> option domain-name-servers 8.8.8.8, 8.8.4.4;
> }
#
We need to bind the DHCP server to the wlan0 interface. This is the interface that will be listening for incoming DHCP requests. If you are using a usb to ethernet dongle, use the appropriate eth# interface instead. Edit the /etc/default/isc-dhcp-server file and configure the interface on the last line.
1
INTERFACES="wlan0"
Next is to configure an IP address for the wlan0 interface. Open /etc/network/interfaces. Set the wlan0 interface to static instead of dhcp, give it an IP of 192.168.70.1 with a /24 netmask. Also comment out the last three lines.
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
# cat /etc/network/interfaces
auto lo
iface lo inet loopback
iface eth0 inet dhcp
pre-up iptables-restore < /etc/iptables.ipv4.nat
iface wlan0 inet static
address 192.168.70.1
netmask 255.255.255.0
allow-hotplug wlan0
#iface wlan0 inet manual
#wpa-roam /etc/wpa_supplicant/wpa_supplicant.conf
#iface default inet dhcp
Now we are going to configure the access point with some encryption. Create a new file /etc/hostapd/hostapd.conf and paste in the following config, modifying to your liking. If you are using the usb to ethernet dongle, you do not need to install hostapd.
1
2
3
4
5
6
7
8
9
10
11
12
13
interface=wlan0
driver=rtl871xdrv
ssid=Pi_AP
hw_mode=g
channel=6
macaddr_acl=0
auth_algs=1
ignore_broadcast_ssid=0
wpa=2
wpa_passphrase=supers$cret
wpa_key_mgmt=WPA-PSK
wpa_pairwise=TKIP
rsn_pairwise=CCMP
I should note that the version of hostapd installed with apt was not compatible with the RealTek chipset in my wireless adapter. You will have to roll your own version of hostapd with your specific hardware drivers or find one pre-built. This link from Adafruit is one that I found to be compatible with my chipset.
Next, edit /etc/default/hostapd to specify the previously created configuration file. Uncomment DAEMON_CONF and add the filename.
1
DAEMON_CONF="/etc/hostapd/hostapd.conf"
To allow forwarding of traffic, we need to edit /etc/sysctl.conf. Open in vi and look for the following line and uncomment it.
1
net.ipv4.ip_forward=1
Also run the following to activate forwarding:
1
# echo 1 > /proc/sys/net/ipv4/ip_forward
The following iptables rules create a network translation between eth0 and wlan0 and also save the configuration. If you are using a usb to ethernet dongle, switch wlan0 for eth1 or equivalent.
1
2
3
4
5
6
7
iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE
iptables -t nat -A PREROUTING -i wlan0 -p tcp --dport 22 -j REDIRECT --to-ports 22
iptables -t nat -A PREROUTING -i wlan0 -p udp --dport 53 -j REDIRECT --to-ports 53
iptables -t nat -A PREROUTING -i wlan0 -p tcp --syn -j REDIRECT --to-ports 9040
iptables -A FORWARD -i eth0 -o wlan0 -m state --state RELATED,ESTABLISHED -j ACCEPT
iptables -A FORWARD -i wlan0 -o eth0 -j ACCEPT
iptables-save > /etc/iptables.ipv4.nat
Add the following lines to the bottom of /etc/tor/torrc:
1
2
3
4
5
6
7
8
Log notice file /var/log/tor_notices.log
VirtualAddrNetwork 10.192.0.0/10
AutomapHostsSuffixes .onion,.exit
AutomapHostsOnResolve 1
TransPort 9040
TransListenAddress 192.168.70.1
DNSPort 53
DNSListenAddress 192.168.70.1
Create a log file and set the permissions for tor to use, useful for troubleshooting.
1
2
3
4
# cd /var/log
# touch tor_notices.log
# chown debian-tor tor_notices.log
# chmod 644 tor_notices.log
With the install complete, reboot the pi gracefully. Once it comes back online, check for a new wireless network called Pi_AP in my case. Check the following link to determine if you are browsing over Tor: https://check.torproject.org/
Safe browsing.