Onion Pi: Building a secure hotspot with Tor and Raspberry Pi


The goal of this article is to build an access point that lets clients browse anonymously, using cheap hardware and without installing privacy software on our devices.

The tools required are:

  • Raspberry Pi
  • Wifi Dongle (if not using the Raspberry Pi with embedded WIFI)
  • Internet connection

Note: Keep in mind that the access point itself must be secure, because it could be listening to your connection even before the connection is delivered to the Tor network. You must also be careful with the information stored in your browser, and you should use a privacy-safe browser and a secure device.

Here is how we will build our access point. We will use a Raspberry Pi with a wifi dongle in access point mode. For that we will use hostapd; keep in mind that you will need a wifi dongle whose driver supports hostapd. We need two more things: Tor itself, and dnsmasq to give the wifi clients an IP address.

Before we start this endeavor, we need to set up the Raspberry Pi and enable SSH. Go to raspbian downloads and download the operating system. After you have downloaded it and burned it to your SD card, you can create an empty file named ssh in the boot folder or use raspi-config to enable SSH.

Now you can access it with ssh pi@raspberry and the default password raspberry. Change the default password: run passwd and enter a new password for the pi user. Just for the sake of good practice, update and upgrade the system.

We need two interfaces to serve the wifi clients and the internet connection. The eth0 interface will be used for our connection to the web and wlan0 to connect our wifi dongle. Add the following configuration to /etc/network/interfaces:

auto lo
iface lo inet loopback

auto eth0
iface eth0 inet static
  address 192.168.2.4
  netmask 255.255.255.0
  network 192.168.2.0
  broadcast 192.168.2.255
  gateway 192.168.2.1
  dns-nameservers 192.168.2.1

allow-hotplug wlan0
iface wlan0 inet static
  address 172.24.1.1
  netmask 255.255.255.0
  network 172.24.1.0
  broadcast 172.24.1.255

After this, disable dhcpcd with: systemctl disable dhcpcd. You can bring up the interface with sudo ip link set wlan0 up, then reboot the Raspberry for the network configuration to take effect.

Now we will set up dnsmasq. Each client needs an IP address when it connects to the access point; this configuration allows 100 clients to be connected to the access point.

Install dnsmasq:

$ apt-get install dnsmasq

We just have to edit /etc/dnsmasq.conf and restart the service.

interface=wlan0
listen-address=172.24.1.1
bind-interfaces
server=8.8.8.8
domain-needed
bogus-priv
dhcp-range=172.24.1.50,172.24.1.150,12h

By default the wifi dongle is not in AP mode, so you won’t be able to connect clients to the Raspberry. We must set up the wifi dongle as an access point. That’s where hostapd comes in: with it our dongle will listen for connections and have an SSID and a password for the users. First run apt-get install hostapd to install the tool. Next, configure hostapd: edit the configuration file /etc/hostapd/hostapd.conf and insert the following configuration:

interface=wlan0
driver=nl80211
ssid=AnonAP-Onion
hw_mode=g
channel=6
macaddr_acl=0
auth_algs=1
ignore_broadcast_ssid=0
wpa=2
wpa_passphrase=1234678900
wpa_key_mgmt=WPA-PSK
wpa_pairwise=TKIP
rsn_pairwise=CCMP
ctrl_interface=/var/run/hostapd
ctrl_interface_group=0

As we are using a custom configuration, add DAEMON_CONF="/etc/hostapd/hostapd.conf" to the /etc/default/hostapd file. This tells hostapd that we want to use our configuration file. After that, check that the file is correctly configured with hostapd -dd /etc/hostapd/hostapd.conf. Finally, restart the service with systemctl restart hostapd.
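An added example, not part of the original article: a shell function that reads hostapd.conf text and flags weak WPA settings, run on the WPA lines of the configuration above and on a hardened variant. The function names, the 16-character threshold and the placeholder passphrase are this example's own assumptions.

```sh
#!/bin/sh
# Added example: audit hostapd.conf text (stdin) for weak WPA settings.

# get KEY: print the last value assigned to KEY in $conf (empty if unset)
get() {
    printf '%s\n' "$conf" | sed -n "s/^$1=//p" | tail -n 1
}

# audit_hostapd: prints one finding per line; no output means nothing flagged
audit_hostapd() {
    conf=$(cat)
    wpa=$(get wpa); pass=$(get wpa_passphrase)
    rsn=$(get rsn_pairwise); wpa1=$(get wpa_pairwise)
    # hostapd uses wpa_pairwise for RSN when rsn_pairwise is not set
    if [ -z "$rsn" ]; then rsn=$wpa1; fi
    if [ "$wpa" != 2 ]; then
        echo "wpa: value '$wpa' is not 2 (WPA2/RSN only)"
    fi
    case " $rsn " in *" TKIP "*)
        echo "rsn_pairwise: TKIP is offered to WPA2 clients, use CCMP only" ;;
    esac
    case " $wpa1 " in *" TKIP "*)
        echo "wpa_pairwise: TKIP is listed, remove it or set CCMP" ;;
    esac
    len=${#pass}
    if [ "$len" -lt 8 ] || [ "$len" -gt 63 ]; then
        echo "wpa_passphrase: length $len is outside the valid 8..63 range"
    elif [ "$len" -lt 16 ]; then   # 16 is this example's own threshold
        echo "wpa_passphrase: only $len characters, use a longer random one"
    fi
    case $pass in
        *[!0-9]*) ;;               # has a non-digit character
        ?*) echo "wpa_passphrase: digits only, very small search space" ;;
    esac
    return 0
}

# Constructed samples: the article's WPA lines, then a hardened variant.
page_conf() {
    printf '%s\n' wpa=2 wpa_passphrase=1234678900 wpa_key_mgmt=WPA-PSK \
        wpa_pairwise=TKIP rsn_pairwise=CCMP
}
hardened_conf() {
    printf '%s\n' wpa=2 wpa_passphrase=REPLACE-with-a-long-random-passphrase \
        wpa_key_mgmt=WPA-PSK rsn_pairwise=CCMP
}

page_conf | audit_hostapd
hardened_conf | audit_hostapd
```

To audit the real file, run audit_hostapd < /etc/hostapd/hostapd.conf.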

At this point, clients can connect to our access point, but they won’t have access to the internet. That happens because we still need to forward the connections arriving on wlan0 to eth0.

$ sudo iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE
$ sudo iptables -A FORWARD -i eth0 -o wlan0 -m state --state RELATED,ESTABLISHED -j ACCEPT
$ sudo iptables -A FORWARD -i wlan0 -o eth0 -j ACCEPT

The iptables commands above forward those connections to the right interface and masquerade them as if they came from eth0. Save the rules and load them again at boot so that they survive a reboot of the Raspberry. The following two steps save the configuration and add it to rc.local.

$ iptables-save > saved-iptables-rules
$ cp saved-iptables-rules /etc/iptables-hostapd-rules

$ sudo vim /etc/rc.local
# add this line to /etc/rc.local, before the final "exit 0":
/sbin/iptables-restore < /etc/iptables-hostapd-rules

Finally, we need to enable IPv4 forwarding. Set net.ipv4.ip_forward to 1 in /etc/sysctl.conf. We can list the devices connected to the access point with sudo iw dev wlan0 station dump.

Install Tor

At this point, we can use the AP but we want to go further and let our clients navigate anonymously. Install tor with:

$ apt-get install tor

Now that tor is installed, let’s configure the port where tor will listen and the other settings the tor proxy needs. Edit /etc/tor/torrc and add the following config:

SOCKSPort 9040
VirtualAddrNetworkIPv4 10.192.0.0/10
TransListenAddress 172.24.1.1
TransPort 9040
DNSListenAddress 172.24.1.1
DNSPort 53

AutomapHostsSuffixes .onion,.exit
AutomapHostsOnResolve 1

The next step is to set the iptables to route TCP connections to the port we have set and also add rules to keep having DNS and SSH to our Raspberry:

$ sudo iptables -t nat -A PREROUTING -i wlan0 -p tcp --dport 22 -j REDIRECT --to-ports 22
$ sudo iptables -t nat -A PREROUTING -i wlan0 -p udp --dport 53 -j REDIRECT --to-ports 53
$ sudo iptables -t nat -A PREROUTING -i wlan0 -p tcp --syn -j REDIRECT --to-ports 9040

Similar to what we did with the other configuration, save the new rules.

$ iptables-save > saved-iptables-rules
$ cp saved-iptables-rules /etc/iptables-tor-rules

$ vim /etc/rc.local
/sbin/iptables-restore < /etc/iptables-tor-rules

Restart and enable tor:

$ systemctl restart tor
$ systemctl enable tor

Connect a device and check if the setup was successful at check.torproject.org. Visit DuckDuckGo and browse anonymously.
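An added check, not part of the original article: with the FORWARD and MASQUERADE rules from the earlier step still loaded, wlan0 packets that match none of the REDIRECT rules (UDP other than DNS, ICMP) are routed out eth0 without passing through Tor, which only carries TCP. The script reads iptables-save output and flags that case; both sample rulesets are constructed from the article's commands, and the function names are this example's own.

```sh
#!/bin/sh
# Added example: check iptables-save output (stdin) for traffic that can
# bypass Tor. A heuristic over rule text, not a full ruleset evaluation.
# Assumes the article's names: wlan0 (clients), TransPort 9040, DNSPort 53.
audit_tor_rules() {
    rules=$(cat)
    pre=$(printf '%s\n' "$rules" | grep -e '^-A PREROUTING -i wlan0' || true)
    fwd=$(printf '%s\n' "$rules" | grep -e '^-A FORWARD -i wlan0' || true)
    if ! printf '%s\n' "$pre" | grep -q -e '-p tcp .*-j REDIRECT --to-ports 9040$'; then
        echo "tcp: wlan0 TCP is not redirected to TransPort 9040"
    fi
    if ! printf '%s\n' "$pre" | grep -q -e '-p udp .*--dport 53 -j REDIRECT'; then
        echo "dns: wlan0 UDP/53 is not redirected to DNSPort 53"
    fi
    # Packets that miss every REDIRECT (other UDP, ICMP) reach FORWARD. They
    # leak if a rule accepts them, or the policy does and nothing drops them.
    if printf '%s\n' "$fwd" | grep -q -e '-j ACCEPT$'; then
        echo "forward: wlan0 ACCEPT lets non-redirected traffic out in the clear"
    elif printf '%s\n' "$rules" | grep -q '^:FORWARD ACCEPT' &&
         ! printf '%s\n' "$fwd" | grep -q -E -e '-j (DROP|REJECT)'; then
        echo "forward: policy ACCEPT and no DROP for wlan0, same leak"
    fi
    return 0
}

# Constructed sample: the article's rules as iptables-save would print them.
page_rules() {
    cat <<'EOF'
*nat
-A PREROUTING -i wlan0 -p tcp -m tcp --dport 22 -j REDIRECT --to-ports 22
-A PREROUTING -i wlan0 -p udp -m udp --dport 53 -j REDIRECT --to-ports 53
-A PREROUTING -i wlan0 -p tcp -m tcp --tcp-flags FIN,SYN,RST,ACK SYN -j REDIRECT --to-ports 9040
-A POSTROUTING -o eth0 -j MASQUERADE
COMMIT
*filter
:FORWARD ACCEPT [0:0]
-A FORWARD -i eth0 -o wlan0 -m state --state RELATED,ESTABLISHED -j ACCEPT
-A FORWARD -i wlan0 -o eth0 -j ACCEPT
COMMIT
EOF
}

# Constructed fix: same nat redirects, but nothing from wlan0 is forwarded.
fixed_rules() {
    page_rules | sed -e '/POSTROUTING/d' -e '/^-A FORWARD/d' \
        -e 's/^:FORWARD ACCEPT.*/:FORWARD DROP [0:0]/'
}

page_rules | audit_tor_rules
```

On the Raspberry, run sudo iptables-save | audit_tor_rules against the live ruleset.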

Programming Atmega328p with Avrdude


The Arduino IDE is an awesome tool and helps a lot of beginners take their first steps with embedded systems. When you start to have bigger projects you may want to change to another tool. My tool of choice for embedded systems is Vim, and with that comes using a Makefile when I want to compile my projects.

I’m doing this tutorial to explain to others how to compile your Arduino code without the IDE. This requires you to use a library called AVR Libc from Atmel, which is a C library for Atmel AVR 8-bit RISC microcontrollers. The full documentation can be found here.

Before starting the tutorial we need a set of tools that already come with the Arduino IDE. The two major tools are a compiler and software to upload our binary to the microcontroller.

Installing the tools needed on macOS is fairly easy using Homebrew. We need to run the following command:

brew install avrdude avr-gcc avr-objcopy

Our code example is the LED blink, which is like the hello world of embedded systems. It consists of an LED that blinks at a given frequency. The difference from the implementation that you may be used to is that we will be using the AVR Libc.

The implementation of blink.c will turn on and off the LED 13 from your Arduino Uno every two seconds.

As I said before, my tool of choice is make. This is a build tool that will execute the compilation and the conversion to our binary, which will later be uploaded to the microcontroller.

The compilation of this example has three steps, shown here:

  1. Compile the blink.c from C code to an object
  2. Convert the object to an ELF file
  3. Convert the ELF file to a binary HEX file

Of course, as your project gets bigger the Makefile will get more complex. The use of dependencies and compatibility with different microcontrollers will make your code and build steps a new challenge. But in the meantime we just want to understand how to compile our simple “hello world!”.

# Recipe lines must be indented with a tab, not spaces.
.PHONY: all clean

all:
	avr-gcc -g -Os -mmcu=atmega328p -c blink.c
	avr-gcc -g -mmcu=atmega328p -o blink.elf blink.o
	avr-objcopy -j .text -j .data -O ihex blink.elf blink.hex

clean:
	rm -f *.o *.elf *.hex

To run the Makefile, you just need to be in the same directory as the Makefile and run the following command:

make

Yeah, now we have our binary file, ready to be uploaded to the microcontroller. To accomplish that, Atmel has avrdude. Run the following command with these parameters:

avrdude -p m328p -P /dev/tty.usbmodem1411 -c arduino -b 115200  -D -U flash:w:blink.hex:i -v

Now you should see your Arduino LED 13 switching on and off every 2 seconds.
