Onion Pi: Building a secure hotspot with Tor and Raspberry Pi
The goal of this article is to build an access point that lets its clients browse anonymously, using cheap hardware and without installing privacy software on each of our devices.
The tools required are:
- Raspberry Pi
- Wifi Dongle (if not using the Raspberry Pi with embedded WIFI)
- Internet connection
Note: A common understanding here is that we must be sure the access point itself is secure, because the Pi sees your traffic before it is handed to the Tor network. You must be careful with the information stored in your browser and should use a privacy-safe browser and a secure device.
I will explain how we will build our access point. We will use a Raspberry Pi as the access point and a wifi dongle in access point mode. For that we will use hostapd; keep in mind that you will need a wifi dongle whose driver supports hostapd. Two more things are needed: the Tor software itself, and dnsmasq to hand out IP addresses to the wifi clients.
Before we start this endeavor, we need to set up the Raspberry Pi and enable SSH. Go to the Raspbian downloads page and download the operating system.
After you have downloaded and burned the operating system onto your SD card, either create a file named ssh in the boot partition or use raspi-config to enable SSH.
Now you can access it with ssh pi@raspberry and the default password raspberry. Change the default password: run passwd and enter a new password for the pi user. For the sake of good practice, update and upgrade the system as well.
We need two interfaces: one to serve the wifi clients and one for the internet connection. The eth0 interface will be our connection to the web, and wlan0 will be the wifi dongle.
Add the following configuration to /etc/network/interfaces:
auto lo
iface lo inet loopback
auto eth0
iface eth0 inet static
address 192.168.2.4
netmask 255.255.255.0
network 192.168.2.0
broadcast 192.168.2.255
gateway 192.168.2.1
dns-nameservers 192.168.2.1
allow-hotplug wlan0
iface wlan0 inet static
address 172.24.1.1
netmask 255.255.255.0
network 172.24.1.0
broadcast 172.24.1.255
After this, disable dhcpcd with systemctl disable dhcpcd. You can bring up the interface with sudo ip link set wlan0 up, then reboot the Raspberry Pi for the network configuration to take effect.
Now we will set up dnsmasq. Each client needs an IP address when it connects to the access point; the configuration below allows 100 connected clients.
Install dnsmasq:
$ apt-get install dnsmasq
We just have to edit /etc/dnsmasq.conf as follows and restart the service.
interface=wlan0
listen-address=172.24.1.1
bind-interfaces
server=8.8.8.8
domain-needed
bogus-priv
dhcp-range=172.24.1.50,172.24.1.150,12h
By default the wifi dongle is not in AP mode, so you won't be able to connect clients to the Raspberry Pi. We must set the dongle up as an access point, and that's where hostapd comes into play: with it, our dongle listens for connections and presents an SSID and password to users. First run apt-get install hostapd to install the tool. Next, configure hostapd: edit the configuration file /etc/hostapd/hostapd.conf and insert the following configuration:
interface=wlan0
driver=nl80211
ssid=AnonAP-Onion
hw_mode=g
channel=6
macaddr_acl=0
auth_algs=1
ignore_broadcast_ssid=0
wpa=2
wpa_passphrase=1234678900
wpa_key_mgmt=WPA-PSK
wpa_pairwise=TKIP
rsn_pairwise=CCMP
ctrl_interface=/var/run/hostapd
ctrl_interface_group=0
As we are using a custom configuration, set DAEMON_CONF="/etc/hostapd/hostapd.conf" in the /etc/default/hostapd file. This tells hostapd to use our configuration file. After all this, check that the file is correctly configured with hostapd -dd /etc/hostapd/hostapd.conf. Finally, restart the service with systemctl restart hostapd.
At this point we can connect to our access point, but we won't have access to the internet. That is because we need to forward the connections established on wlan0 to eth0.
$ sudo iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE
$ sudo iptables -A FORWARD -i eth0 -o wlan0 -m state --state RELATED,ESTABLISHED -j ACCEPT
$ sudo iptables -A FORWARD -i wlan0 -o eth0 -j ACCEPT
The iptables commands above forward those connections to the right interface and masquerade them as if they originated from the eth0 connection. Save the iptables rules and load them at boot so they survive a reboot of the Raspberry Pi. The following steps save the configuration and add a restore line to rc.local.
$ iptables-save > saved-iptables-rules
$ cp saved-iptables-rules /etc/iptables-hostapd-rules
$ sudo vim /etc/rc.local
Add this line to /etc/rc.local so the rules are restored at boot:
/sbin/iptables-restore < /etc/iptables-hostapd-rules
Finally, we need to enable IPv4 forwarding: set net.ipv4.ip_forward to 1 in /etc/sysctl.conf.
We can list the devices connected to the access point with sudo iw dev wlan0 station dump.
Install Tor
At this point we can use the AP, but we want to go further and let our clients browse anonymously. Install Tor with:
$ apt-get install tor
Now that Tor is installed, let's configure the port Tor will listen on and the other settings the Tor proxy needs. Open /etc/tor/torrc and add the following config:
SOCKSPort 9040
VirtualAddrNetworkIPv4 10.192.0.0/10
TransListenAddress 172.24.1.1
TransPort 9040
DNSListenAddress 172.24.1.1
DNSPort 53
AutomapHostsSuffixes .onion,.exit
AutomapHostsOnResolve 1
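Added check, not part of the original article: with the dnsmasq configuration above still serving DNS on 172.24.1.1:53, Tor's DNSPort 53 on the same address cannot bind (or dnsmasq cannot, depending on which starts first). The script below, whose function names are assumptions, reads both files and reports the clash; the fix it suggests is port=0 in dnsmasq.conf, which keeps DHCP and leaves DNS to Tor, so client lookups no longer go to 8.8.8.8 in the clear.

```shell
# Added example (not from the original article): find the UDP/53 bind clash
# between dnsmasq (listen-address plus bind-interfaces, DNS on port 53 by default)
# and Tor (DNSListenAddress 172.24.1.1 / DNSPort 53). Whichever service starts
# second fails to bind, so either DHCP or Tor-resolved DNS silently stops working.
# Function and file names here are assumptions; paths are passed as arguments.

# Last "key=value" in a dnsmasq-style file, empty if absent.
conf_val() { grep -E "^[[:space:]]*$2=" "$1" | tail -n 1 | cut -d= -f2- | tr -d '[:space:]'; }
# Last "Key value" in a torrc, empty if absent.
torrc_val() { awk -v k="$2" '$1 == k { v = $2 } END { print v }' "$1"; }

check_dns_clash() {
    dm_conf=$1; torrc=$2
    dm_addr=$(conf_val "$dm_conf" listen-address)
    dm_port=$(conf_val "$dm_conf" port); [ -n "$dm_port" ] || dm_port=53
    tor_port=$(torrc_val "$torrc" DNSPort)
    [ -n "$tor_port" ] || { echo "ok: Tor has no DNSPort, nothing to clash with"; return 0; }
    tor_addr=$(torrc_val "$torrc" DNSListenAddress)
    # Newer Tor spells the listener as "DNSPort addr:port"; accept that form too.
    case $tor_port in *:*) tor_addr=${tor_port%:*}; tor_port=${tor_port##*:} ;; esac
    [ -n "$tor_addr" ] || tor_addr=127.0.0.1
    if [ "$dm_port" = 0 ]; then
        echo "ok: dnsmasq DNS is off (port=0); Tor answers DNS on $tor_addr:$tor_port"; return 0
    fi
    # An empty listen-address means dnsmasq binds every address, which clashes too.
    if [ "$dm_port" = "$tor_port" ] && { [ -z "$dm_addr" ] || [ "$dm_addr" = "$tor_addr" ]; }; then
        echo "CLASH: dnsmasq and Tor both bind $tor_addr:$tor_port/udp; set port=0 in $dm_conf so only Tor answers DNS (dnsmasq keeps serving DHCP)"
        return 1
    fi
    echo "ok: dnsmasq on ${dm_addr:-*}:$dm_port, Tor DNSPort on $tor_addr:$tor_port"
}

# Constructed copies of the article's two configs, for trying the check offline.
write_sample_confs() {
    printf 'interface=wlan0\nlisten-address=172.24.1.1\nbind-interfaces\nserver=8.8.8.8\ndhcp-range=172.24.1.50,172.24.1.150,12h\n' > "$1/dnsmasq.conf"
    printf 'SOCKSPort 9040\nTransListenAddress 172.24.1.1\nTransPort 9040\nDNSListenAddress 172.24.1.1\nDNSPort 53\n' > "$1/torrc"
}
```

Run it against the real files with check_dns_clash /etc/dnsmasq.conf /etc/tor/torrc; a non-zero exit status means the two services are fighting over the same socket.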
The next step is to set iptables rules that route TCP connections to the port we configured, plus rules that keep DNS and SSH to our Raspberry Pi working:
$ sudo iptables -t nat -A PREROUTING -i wlan0 -p tcp --dport 22 -j REDIRECT --to-ports 22
$ sudo iptables -t nat -A PREROUTING -i wlan0 -p udp --dport 53 -j REDIRECT --to-ports 53
$ sudo iptables -t nat -A PREROUTING -i wlan0 -p tcp --syn -j REDIRECT --to-ports 9040
As with the earlier configuration, save the new rules.
$ iptables-save > saved-iptables-rules
$ cp saved-iptables-rules /etc/iptables-tor-rules
$ sudo vim /etc/rc.local
Add this line to /etc/rc.local:
/sbin/iptables-restore < /etc/iptables-tor-rules
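Added example, not the article's own commands: the two rule sets above as a single iptables-restore file, generated by functions with assumed names (gen_rules, rules_order_ok), so rc.local restores one file instead of the two overlapping saves; it also offers a strict mode that drops anything not redirected into Tor.

```shell
# Added example (not from the original article): emit the article's two iptables
# rule sets as ONE iptables-restore file, so rc.local restores a single file; the
# article's second iptables-save already contains the first rules, so restoring
# both files loads them twice. Names are assumptions:
#   gen_rules LAN_IF WAN_IF TRANS_PORT MODE    e.g. gen_rules wlan0 eth0 9040 page
# MODE "page" reproduces the article's rules; "strict" sets the FORWARD policy to
# DROP and omits the wlan0->eth0 accept, so client UDP and ICMP, which "page"
# masquerades out of eth0 around Tor, are dropped instead of leaking.
gen_rules() {
    lan=$1; wan=$2; tport=$3; mode=${4:-page}
    fwd=ACCEPT; [ "$mode" != strict ] || fwd=DROP
    cat <<EOF
*nat
:PREROUTING ACCEPT [0:0]
:INPUT ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
# Exemptions first: a REDIRECT match ends PREROUTING traversal, so SSH and DNS
# aimed at the Pi never reach the Tor catch-all below.
-A PREROUTING -i $lan -p tcp --dport 22 -j REDIRECT --to-ports 22
-A PREROUTING -i $lan -p udp --dport 53 -j REDIRECT --to-ports 53
-A PREROUTING -i $lan -p tcp --syn -j REDIRECT --to-ports $tport
EOF
    # In strict mode nothing is forwarded, so there is nothing to masquerade.
    [ "$mode" = strict ] || echo "-A POSTROUTING -o $wan -j MASQUERADE"
    cat <<EOF
COMMIT
*filter
:INPUT ACCEPT [0:0]
:FORWARD $fwd [0:0]
:OUTPUT ACCEPT [0:0]
EOF
    if [ "$mode" != strict ]; then
        echo "-A FORWARD -i $wan -o $lan -m state --state RELATED,ESTABLISHED -j ACCEPT"
        echo "-A FORWARD -i $lan -o $wan -j ACCEPT"
    fi
    echo COMMIT
}

# Check a saved rule set (a file, or iptables-save output, which writes --syn as
# --tcp-flags FIN,SYN,RST,ACK SYN) for the ordering bug: the catch-all must come
# after the port 22/53 exemptions, or SSH and DNS to the Pi are swallowed by Tor.
rules_order_ok() {
    awk '/-A PREROUTING .*(--syn|--tcp-flags [A-Z,]+ SYN) .*REDIRECT/ { syn = NR }
         /-A PREROUTING .*--dport (22|53) .*REDIRECT/ { if (syn) bad = 1 }
         END { if (bad) exit 1 }' "$1"
}
```

Write the output to one file (gen_rules wlan0 eth0 9040 page > /etc/iptables-onionpi-rules), restore that single file from rc.local, and run rules_order_ok on it whenever the rules are edited.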
Restart and enable Tor:
$ systemctl restart tor
$ systemctl enable tor
Connect a device and verify the setup at check.torproject.org. Then visit DuckDuckGo and browse anonymously.