Tutorial: RaspPI Tor Wifi Access Point Without Logging


3 years ago
This step-by-step tutorial explains how to install Raspbian with Tor on a Raspberry PI remotely (without connecting a keyboard/monitor to the Raspberry PI).
It is based on the Onion PI tutorial from Adafruit but has many changes and additions. Every step needed to make it work is mentioned in the tutorial.

The system functions as a wireless access point which physically isolates the wireless computers from the rest of the network.
This means that the computers connecting to it through wifi can only connect to the internet through Tor.
The wireless computers will not be able to connect to other computers in the local network.

You can also use it as a Tor proxy through the local network provided by your router, but the computer will not be physically isolated from the rest of the local network/internet in that case.

It is assumed that you have a router which is connected to the internet and automatically assigns an IP address to the Raspberry PI when you connect it with a cable.
With a few modifications it should be possible to connect a 3G modem or another wireless card to connect to mobile internet, but that is not covered by this tutorial.

The system is not a transparent proxy which tunnels all connections from the wireless computers through Tor. That could potentially provide an attacker with too much information.
Instead it only forwards connections which specifically use the Tor/Privoxy proxies running on the Raspberry PI.

If you are Edward Snowden, then you should take extra care about the computers you connect to the wireless access point. That is not covered by this tutorial.
Generally the laptop should have been bought anonymously with cash and never have been connected to the internet through your local network.

The setup should look like this:

Clean laptop -> Raspberry PI wifi adapter -> Tor/Privoxy running on Raspberry PI -> Raspberry PI ethernet cable -> router -> internet


Features:

* Uses latest development version of Tor
* Privoxy HTTP proxy which can only connect to the Tor socks proxy
* Iptables firewall which restricts input from all network interfaces and impedes SSH brute forcing
* Logging is diverted to a ram disk - after powering off the Raspberry PI it will not be visible how often computers connected to the Raspberry PI or which MAC address they used
* Swap is disabled to prevent swapping memory to the SD card
* Fetches time using tlsdate (secure parasitic rdate replacement coded by one of the Tor developers)

Skill needed:
Using the command line a lot. No graphical interface will be used during the installation. You don't really need to understand what you are doing however, as long as you exactly follow the instructions.

Requirements:

* Raspberry PI Model B preferably with case
* Micro-USB charger/power supply
* Wifi dongle - this tutorial is specifically made with the Edimax EW-7811Un wifi adapter in mind, Onion PI wifi adapters will work too
* SD card reader
* 4GB SD card, preferably with 20-30mb/s reading speed
* Router with RJ-45 network cable port and connection to the internet
* Computer with wireless or cable connection to the router
* Network cable (RJ-45)

Instead of purchasing all parts separately you could buy an Onion PI bundle from Adafruit:

Onion PI with mini wifi dongle
https://www.adafruit.com/products/1410

Onion PI with wifi antenna dongle
https://www.adafruit.com/products/1406


DISCLAIMER: This tutorial is work in progress. Do not rely on it for strong security. If you aren't Edward Snowden it may be secure enough however. While it doesn't prevent traffic correlation, this system provides more security than the Onion PI tutorial.

Date: 29.09.2013

3 years ago
1. Download files

Download the latest version of win32diskimager:
http://sourceforge.net/projects/win32di ... t/download

If you don't use Windows you need to Google how to write the .img file to the SD card.

Download the latest version of Raspbian:
http://downloads.raspberrypi.org/raspbian_latest
or
http://downloads.raspberrypi.org/raspbi ... st.torrent

If you're using Windows download Putty (SSH client):
http://the.earth.li/~sgtatham/putty/lat ... /putty.exe


2. Writing Raspbian OS to SD card

Unzip the Win32 Disk Imager and Raspbian ZIP files.

Start Win32 Disk Imager, select the Raspbian IMG file and select the proper device (SD card).
Click Write to write the image to the SD card.

When writing is finished put the SD card into the Raspberry PI.
Use the ethernet cable to connect the Raspberry PI to your router.
Do not connect the wifi dongle yet.
Power on the Raspberry PI by connecting it to the USB power supply and wait 30 seconds.

3. Find out the IP address of the Raspberry PI

Now you have to find out the IP address which was assigned to the Raspberry PI by your router.
You can probably do this by using the web interface of your router, or you can guess it by looking at the LAN IP address of your desktop computer.

Press Windows key + R and enter "cmd.exe".
At the DOS prompt enter "ipconfig".

You should see a line like this, which shows the IP address of your computer in the local network.
IPv4 Address 192.168.0.101

Now you can send a ping request to random IP addresses in your local network and see if any of them sends an answer. You may have to allow it in your firewall or turn the firewall off.
If you don't have any other devices connected to your router, then the Raspberry IP address may be e.g. 192.168.0.102.

Enter "ping 192.168.0.102" and wait a few seconds.
If you get a "Reply from 192.168.0.102" response, then that is the IP address of your Raspberry PI.

If there is no reply, press CTRL-c and enter "ping 192.168.0.103". Keep incrementing the last number until you get a ping reply.

If that fails, then you can also use other tools to detect the IP addresses of devices connected to your router, e.g. Fing:
http://www.overlooksoft.com/download
If this doesn't help then Google is your friend. Search for "how do i find out the ip address raspberry pi remotely" or ask in the forum.

When you have found the IP address, write it down so you don't forget it later.


3. Connect with SSH

To setup the Raspberry PI without keyboard and monitor it is necessary to use SSH.

If you're using Windows, start Putty.exe, enter the IP address you wrote down as host name and click Open.

If you're using Linux, open a terminal and enter "ssh pi@192.168.0.101", replace the IP address with the correct address.

If you got the right IP address then you should see a login prompt ("login as:").
Enter "pi" and use "raspberry" as password.

You should see the command prompt
pi@raspberrypi ~ $

Enter this command to start the Raspbian configuration tool:

sudo raspi-config


Press enter to Expand Filesystem, so the SD card partition will be enlarged.
Use cursor keys to navigate the menu to Change User Password.
Press enter and enter your new password 2 times. The password should not be guessable and not in a dictionary. 8 characters or more is recommended.
Select "Finish" by using the cursor keys and press enter.
Press enter again to reboot now.

Wait a minute, then start Putty.exe again with the same IP address as before. This time use your new password for logging in.

3 years ago
4. Installing and updating packages

4.1. Changing/adding package sources

When you're at the command prompt again enter


sudo nano /etc/apt/sources.list



Look at the line
deb http://mirrordirector.raspbian.org/raspbian/ wheezy main contrib non-free rpi

"wheezy" is the current default repository of Raspbian, this may change in the future.
Change wheezy to jessie if it isn't set to jessie already. This is needed to install tlsdate later.

Navigate to the end of the text file with the cursor keys.
Paste these 2 lines by copying them to your clipboard and pressing the right mouse button in the Putty window:


deb-src http://deb.torproject.org/torproject.org jessie main
deb-src http://deb.torproject.org/torproject.org experimental-jessie main


Press CTRL-x to save the changes, enter y and press enter to confirm the filename


4.2. Updating packages

At the command prompt enter
sudo apt-get update && sudo apt-get dist-upgrade -y


This can take 20 minutes to complete. If you get a message about restarting services select Yes.
If you get an error about dependencies enter
sudo apt-get -f install



4.3. Compiling and setting up Tor

Because the torproject repository doesn't currently seem to provide correct packages for the Raspberry PI it is necessary to compile the latest version of Tor.
Don't worry, you don't need to understand anything about programming to do this. Simply follow the instructions.

At the command prompt enter

sudo apt-get install build-essential fakeroot devscripts -y


This will take a few minutes to complete.
When the command prompt is visible again paste these lines


gpg --keyserver keys.gnupg.net --recv 886DDD89
gpg --export A3C4F0F979CAA22CDBA8F512EE8CBC9E886DDD89 | sudo apt-key add -

sudo apt-get update
sudo apt-get install deb.torproject.org-keyring -y
sudo apt-get build-dep tor -y


When the command prompt is visible again enter


cd
mkdir debian-packages
cd debian-packages
apt-get source tor


Wait until the download is finished then enter


cd tor-*
debuild -rfakeroot -uc -us


The latest development version of Tor will now get compiled. This will take about 45 minutes to complete.
When the command prompt is visible again enter the following lines to install Tor:


cd ..
sudo dpkg -i tor_*.deb
sudo dpkg -i tor-geo*


To replace the Raspbian fake clock with tlsdate and install the relay monitor enter the next 2 lines. Tlsdate does pretty much the same as the fake clock, but it's more secure.

sudo apt-get install tor-arm tlsdate -y
sudo apt-get remove fakehw-clock -y


Tor-arm is the anonymous relay monitor command line tool which provides similar functionality as Vidalia.

Next edit the Tor configuration file:
sudo nano /etc/tor/torrc


Paste these lines into the editor:


SocksPort 9050
SocksPort 0.0.0.0:9001
SocksPort 0.0.0.0:9002 IsolateDestAddr IsolateDestPort
StrictNodes 1
AvoidDiskWrites 1
DisableDebuggerAttachment 0
EntryNodes {us}


The SocksPort 0.0.0.0* lines will trigger warnings when starting Tor, but this is not a problem, as it will get restricted by iptables later.
Change the "us" in the EntryNodes {us} line to your country code, so Tor will only use entry guards in your country.
The country codes are not top level domains. Have a look at this list to find the country code you have to use: http://dev.maxmind.com/geoip/legacy/codes/iso3166/


You could also use bridges instead of the EntryNodes line.

Press CTRL-X to save the changes, enter y and press enter to confirm the filename


4.4. Privoxy

Tor is not an HTTP proxy, so to connect to Tor with a browser we need to install a proxy which uses the Tor socks proxy.

At the command prompt enter

sudo apt-get install privoxy -y


Edit the Privoxy configuration file by entering

sudo nano /etc/privoxy/config


Find the line which says "listen-address localhost:8118" and change it to "listen-address :8118".

Scroll down to the end of the text file and enter
forward-socks5 / 127.0.0.1:9050 .


Press CTRL-X to save the changes, enter y and press enter to confirm the filename

3 years ago
4.5. DHCP server and access point

To automatically assign IP addresses to wireless computers connecting to the Raspberry PI access point it is necessary to install a DHCP server.

At the command prompt enter

sudo apt-get install hostapd isc-dhcp-server -y


4.5.1 DHCP server

Edit the DHCP config file by entering

sudo nano /etc/dhcp/dhcpd.conf


Find the lines that say

option domain-name "example.org";
option domain-name-servers ns1.example.org, ns2.example.org;

and change them to add a # in the beginning so they say

#option domain-name "example.org";
#option domain-name-servers ns1.example.org, ns2.example.org;

Find the lines that say

# If this DHCP server is the official DHCP server for the local
# network, the authoritative directive should be uncommented.
#authoritative;

and remove the # so it says

# If this DHCP server is the official DHCP server for the local
# network, the authoritative directive should be uncommented.
authoritative;

Then scroll down to the bottom of the text file and paste the following lines


subnet 10.0.42.0 netmask 255.255.255.0 {
range 10.0.42.10 10.0.42.50;
option broadcast-address 10.0.42.255;
option routers 10.0.42.1;
default-lease-time 600;
max-lease-time 7200;
option domain-name "local";
option domain-name-servers 10.0.42.1;
option ntp-servers 10.0.42.1;
}


Press CTRL-X to save the changes, enter y and press enter to confirm the filename

Enter the next line to edit the DHCP server parameters:

sudo nano /etc/default/isc-dhcp-server


Scroll down to INTERFACES="" and update it to say INTERFACES="wlan0".

Press CTRL-X to save the changes, enter y and press enter to confirm the filename


4.5.2. Wifi adapter configuration

Enter the next line to edit the wifi adapter configuration:


sudo nano /etc/network/interfaces


Find the line with "iface wlan0" and add a # in front of the line, and in front of every line afterwards.

Then add the lines


iface wlan0 inet static
address 10.0.42.1
netmask 255.255.255.0
up iptables-restore < /etc/iptables.rules


Press CTRL-X to save the changes, enter y and press enter to confirm the filename


4.5.3. Access point

Enter

sudo nano /etc/hostapd/hostapd.conf


Paste the following in, you can change the text after ssid= to another name, that will be the network broadcast name. The password can be changed with the text after wpa_passphrase=


interface=wlan0
driver=rtl871xdrv
ssid=NSA_GCHQ
hw_mode=g
channel=6
macaddr_acl=0
auth_algs=1
ignore_broadcast_ssid=0
wpa=2
wpa_passphrase=snowden23
wpa_key_mgmt=WPA-PSK
wpa_pairwise=CCMP
rsn_pairwise=CCMP


Make sure each line has no extra spaces or tabs at the end or beginning - this file is pretty picky!
If you don't use the Edimax wifi dongle or the Onion PI then you may have to change the driver= line. This is not covered by this tutorial.

Press CTRL-X to save the changes, enter y and press enter to confirm the filename

Enter

sudo nano /etc/default/hostapd


Find the line #DAEMON_CONF="" and edit it so it says DAEMON_CONF="/etc/hostapd/hostapd.conf"
Don't forget to remove the # in front to activate it!

Press CTRL-X to save the changes, enter y and press enter to confirm the filename


4.5.4. Download access point software from Adafruit

If you use the Edimax EW-7811Un wifi dongle or the Adafruit Onion PI then you'll have to use a special version of the access point software:

Enter these lines:

cd; mkdir downloads; cd downloads
wget http://www.adafruit.com/downloads/adafruit_hostapd.zip
unzip adafruit_hostapd.zip
sudo mv /usr/sbin/hostapd /usr/sbin/hostapd.ORIG
sudo mv hostapd /usr/sbin
sudo chmod 755 /usr/sbin/hostapd
sudo reboot


Wait 30 seconds and connect to the PI again with Putty. You can connect the wifi dongle now or later.
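
The hostapd.conf file above is, as the tutorial says, picky about whitespace, and a missing directive only shows up as an access point that never appears. The following shell script is an added example, not part of the tutorial or of hostapd: it lints the file before the reboot, flagging leading or trailing whitespace, lines that are not key=value, directives the configuration above relies on that are missing, and a WPA passphrase shorter than the 8 characters WPA-PSK requires. The list of required keys is my assumption of the minimum set.

```shell
#!/bin/sh
# Added example, not part of the tutorial or of hostapd: lint /etc/hostapd/hostapd.conf
# before rebooting, because hostapd's parser rejects stray whitespace and a missing
# directive only shows up as an access point that never comes up.

tab=$(printf '\t')

# check_hostapd_conf FILE
# Prints one line per problem found and returns 1 if there was any, 0 otherwise.
check_hostapd_conf() {
    file="$1"
    rc=0
    n=0
    while IFS= read -r line || [ -n "$line" ]; do
        n=$((n + 1))
        # blank lines and comments are fine
        case "$line" in
            ''|'#'*) continue ;;
        esac
        # leading or trailing blanks/tabs are what the tutorial warns about
        case "$line" in
            ' '*|"$tab"*|*' '|*"$tab")
                echo "$file:$n: leading or trailing whitespace in '$line'"
                rc=1 ;;
        esac
        # everything else must be key=value with a non-empty key
        case "$line" in
            *=*) [ -n "${line%%=*}" ] || { echo "$file:$n: empty key"; rc=1; } ;;
            *) echo "$file:$n: not a key=value line: '$line'"; rc=1 ;;
        esac
    done < "$file"

    # directives the tutorial's configuration relies on (my assumption of the minimum set)
    for key in interface driver ssid hw_mode channel wpa wpa_passphrase wpa_key_mgmt rsn_pairwise; do
        grep -q "^$key=" "$file" || { echo "$file: missing $key="; rc=1; }
    done

    # WPA-PSK passphrases must be 8 to 63 characters; hostapd refuses shorter ones
    pass=$(sed -n 's/^wpa_passphrase=//p' "$file")
    if [ -n "$pass" ] && [ ${#pass} -lt 8 ]; then
        echo "$file: wpa_passphrase is shorter than 8 characters"
        rc=1
    fi
    return $rc
}

# usage: sh check-hostapd.sh /etc/hostapd/hostapd.conf
if [ $# -gt 0 ]; then
    check_hostapd_conf "$1"
fi
```

Run it against the file you just saved; an exit status of 0 with no output means the file passed every check, and anything it prints names the line to fix before you reboot.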

3 years ago
5. Prevent logging to SD card

To increase the lifetime of the SD card and to not disclose information about which MAC addresses connected to the Raspberry PI, logging has to be diverted to the ram disk.
After rebooting the Raspberry PI no information about previous connections will be left. Simply turning off the Raspberry PI may still reveal the data since the last reboot in a cold boot attack, however.

Enter
sudo su

and enter your password.

You are now logged in as root (admin).

5.1. Stop and disable services

Enter these lines to stop the services and disable them from starting too early at boot time:

/etc/init.d/tor stop
/etc/init.d/privoxy stop
/etc/init.d/isc-dhcp-server stop

update-rc.d tor disable
update-rc.d privoxy disable
update-rc.d isc-dhcp-server disable


5.2. Create ram disk

Enter the next lines to erase the tor logfile and create a mount point for a ram disk.


rm -f /var/log/tor/log
mkdir /mnt/ramdisk


Enter the next line to edit the fstab file which automatically mounts disks at boot time:

nano /etc/fstab



Use the cursor keys to get to the bottom of the text file and paste these lines:

none /tmp ramfs defaults 0 0
none /mnt/ramdisk ramfs defaults 0 0
none /var/log/tor ramfs defaults 0 0
none /var/log/privoxy ramfs defaults 0 0
none /var/log/apt ramfs defaults 0 0
none /var/lib/dhcp ramfs defaults 0 0


Press CTRL-X to save the changes, enter y and press enter to confirm the filename

Enter the next lines to mount the ram disks, move the current syslog to the ramdisk and uninstall the swap file package:


mount -a
mv /var/log/syslog /mnt/ramdisk/syslog; ln -s /mnt/ramdisk/syslog /var/log/syslog
mv /var/log/messages /mnt/ramdisk/messages; ln -s /mnt/ramdisk/messages /var/log/messages

apt-get remove dphys-swapfile -y



5.3. Startup script

Edit the rc.local script which gets executed at boot time by entering


nano /etc/rc.local


Before the last line ("exit 0") enter the following lines, which will start Tor, DHCP and access point after changing some folder permissions:


chmod 777 /var/log/tor && /etc/init.d/tor restart
chmod 777 /var/log/privoxy && /etc/init.d/privoxy restart
chmod 1777 /tmp

touch /var/lib/dhcp/dhcpd.leases && /etc/init.d/isc-dhcp-server restart


Press CTRL-X to save the changes, enter y and press enter to confirm the filename
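
After the reboot it is worth checking that the directories listed in fstab really ended up in RAM and that the swap file is gone, since a typo in fstab silently leaves the logs on the SD card. The following shell script is an added example, not part of the tutorial: it parses the /proc/mounts and /proc/swaps formats and reports any of the tutorial's paths that is not on a ramfs or tmpfs mount. The function names are mine; the sample mount table in the test is constructed.

```shell
#!/bin/sh
# Added example, not part of the tutorial: verify that the directories the tutorial
# moves to RAM are really on a RAM filesystem and that no swap is active, by parsing
# the /proc/mounts and /proc/swaps formats. On the Pi, point it at the real /proc files.

# fstype_of PATH MOUNTS_FILE
# Prints the filesystem type of the mount holding PATH (longest mount point wins).
fstype_of() {
    path="$1"; mounts="$2"
    best=""; besttype=""
    while read -r dev mnt type rest; do
        case "$path" in
            "$mnt"|"$mnt"/*) ;;                 # PATH lies under this mount point
            *) [ "$mnt" = "/" ] || continue ;; # the root mount holds everything else
        esac
        if [ ${#mnt} -gt ${#best} ]; then
            best="$mnt"; besttype="$type"
        fi
    done < "$mounts"
    printf '%s\n' "$besttype"
}

# ramfs_ok MOUNTS_FILE PATH...
# Returns 0 when every PATH is on ramfs or tmpfs, 1 otherwise (listing the offenders).
ramfs_ok() {
    mounts="$1"; shift
    rc=0
    for p in "$@"; do
        t=$(fstype_of "$p" "$mounts")
        case "$t" in
            ramfs|tmpfs) ;;
            *) echo "$p is on '${t:-unknown}', not a RAM filesystem"; rc=1 ;;
        esac
    done
    return $rc
}

# swap_active SWAPS_FILE
# Returns 0 if /proc/swaps lists any swap area (the first line is only the header).
swap_active() {
    awk 'NR > 1 { found = 1 } END { exit !found }' "$1"
}

# usage: sh check-ramdisk.sh check   (run on the Pi after the reboot)
if [ "${1:-}" = "check" ]; then
    ramfs_ok /proc/mounts /tmp /mnt/ramdisk /var/log/tor /var/log/privoxy /var/log/apt /var/lib/dhcp
    if swap_active /proc/swaps; then echo "swap is still active"; exit 1; fi
fi
```

Note that the syslog and messages files are only symlinks into /mnt/ramdisk, so checking /mnt/ramdisk covers them; /var/log itself is deliberately not in the list, because the tutorial leaves everything else there on the SD card.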

3 years ago
6. Firewall

The system should be quite secure, but it doesn't hurt to add some extra security with an iptables firewall.
It will prevent all unnecessary incoming connections on all network interfaces and make sure it would take a very long time to successfully brute force the SSH server.

If an unauthorized person gets your access point password they won't be able to do anything except connecting to Tor and trying to very slowly brute force the SSH server.

You are probably still logged in as root, so enter "exit".

Enter the next 2 lines to change to the pi home directory and create a firewall script:

cd
nano firewall


Paste the following script into the editor:


##################################
#
# CHANGE THE NEXT LINE BEFORE RUNNING THE FIREWALL SCRIPT

LOCALNET=192.168.0.0

# this should be the local network of your router
#
##################################

iptables -F

iptables -P INPUT DROP
iptables -P FORWARD DROP
iptables -P OUTPUT ACCEPT

iptables -A INPUT -p tcp -m state --state RELATED,ESTABLISHED -j ACCEPT

# allow loopback
iptables -A OUTPUT -o lo -j ACCEPT
iptables -A INPUT -i lo -j ACCEPT

iptables -A INPUT -i eth0 -p udp --sport 53 -j ACCEPT # dns response from ethernet
iptables -A INPUT -i wlan0 -p udp --dport 67 -j ACCEPT # dhcp requests from wifi
iptables -A INPUT -i wlan0 -p udp --dport 123 -j ACCEPT # time requests from wifi

# accept privoxy and ssh connections from wifi and local network
iptables -A INPUT -i wlan0 -p tcp --dport 22 -j ACCEPT
iptables -A INPUT -i wlan0 -p tcp --dport 8118 -j ACCEPT
iptables -A INPUT -i eth0 -p tcp -s $LOCALNET/24 --dport 22 -j ACCEPT
iptables -A INPUT -i eth0 -p tcp -s $LOCALNET/24 --dport 8118 -j ACCEPT

# accept tor socks connections from wifi and local network
iptables -A INPUT -i wlan0 -p tcp --dport 9000:9020 -j ACCEPT
iptables -A INPUT -i eth0 -p tcp -s $LOCALNET/24 --dport 9000:9020 -j ACCEPT

# allow only 2 connections to SSH per minute to make brute forcing useless
iptables -I INPUT -p tcp --dport 22 -m state --state NEW -m recent --set
iptables -I INPUT -p tcp --dport 22 -m state --state NEW -m recent --update --seconds 60 --hitcount 2 -j DROP

# probably not necessary: drop privoxy connections through ethernet
iptables -A OUTPUT -o eth0 ! -d $LOCALNET/24 -j DROP -m owner --uid-owner privoxy

iptables -L -v


Note the line LOCALNET=. You have to change this to point at your local network IP range.
If the IP address of the Raspberry PI is 192.168.0.something then you can leave the line as it is.
If the IP address of the PI is 172.168.0.something then you have to change the line to LOCALNET=172.168.0.0.
Basically you simply replace the last number of the Raspberry PI IP address with a 0.

If you don't get this right then you will lock yourself out of the Raspberry PI until the next reboot.

Press CTRL-X to save the changes, enter y and press enter to confirm the filename

Enter the next 2 lines to make the firewall script executable and activate it:

chmod +x firewall
sudo ./firewall


If you still have a connection to the Raspberry PI at this point, then everything went well and you have to edit the firewall script again.
If you get disconnected from the PI at this point then you have to restart it and make sure you enter the right IP range in the LOCALNET= line.

Enter
nano firewall


Scroll down to the end of the text file and enter in a new line:
iptables-save > /etc/iptables.rules


Press CTRL-X to save the changes, enter y and press enter to confirm the filename

Again enter
sudo ./firewall


This will save the firewall rules to a file in the /etc folder which will get applied automatically when the network interfaces start up.
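
Getting the LOCALNET= line wrong locks you out until the next reboot, as the text above says. The following shell script is an added example, not part of the tutorial: it derives the value from the Pi's own eth0 address using the rule above (last number replaced with 0) and applies the firewall script with a timed rollback, so a mistake undoes itself after 90 seconds instead of at the next reboot. The function names, the /tmp/iptables.rollback marker file and the use of iproute2's `ip -4 -o addr` output are my assumptions. Run it as root (sudo sh apply-firewall.sh apply) before you append the iptables-save line to the script, otherwise the saved rules file would already contain the rules being rolled back.

```shell
#!/bin/sh
# Added example, not part of the tutorial: compute LOCALNET= from the Pi's own eth0
# address and apply the firewall script with a timed rollback, so that a wrong value
# undoes itself instead of locking you out until the next reboot.

# localnet_from_ip ADDRESS
# Prints the /24 network the tutorial describes (last number replaced with 0);
# returns 1 for anything that is not four numbers between 0 and 255.
localnet_from_ip() {
    addr="$1"
    old_ifs="$IFS"; IFS=.
    set -- $addr
    IFS="$old_ifs"
    [ $# -eq 4 ] || return 1
    for octet in "$@"; do
        case "$octet" in
            ''|*[!0-9]*) return 1 ;;
        esac
        [ "$octet" -le 255 ] || return 1
    done
    printf '%s.%s.%s.0\n' "$1" "$2" "$3"
}

# eth0_address
# Prints the IPv4 address on eth0 (assumes iproute2's one-line output format).
eth0_address() {
    ip -4 -o addr show dev eth0 | awk '{ split($4, a, "/"); print a[1]; exit }'
}

# apply_with_rollback SCRIPT SECONDS
# Saves the current rules, runs SCRIPT, and restores the saved rules after SECONDS
# unless /tmp/iptables.rollback has been removed in the meantime (my convention).
apply_with_rollback() {
    script="$1"; secs="${2:-90}"
    iptables-save > /tmp/iptables.rollback
    (
        sleep "$secs"
        [ -e /tmp/iptables.rollback ] && iptables-restore < /tmp/iptables.rollback
    ) &
    echo "rollback armed: rm /tmp/iptables.rollback within $secs seconds to keep the new rules"
    sh "$script"
}

# usage (as root): sh apply-firewall.sh apply
if [ "${1:-}" = "apply" ]; then
    net=$(localnet_from_ip "$(eth0_address)") || { echo "could not read a valid eth0 address"; exit 1; }
    sed -i "s/^LOCALNET=.*/LOCALNET=$net/" /home/pi/firewall
    echo "LOCALNET=$net"
    apply_with_rollback /home/pi/firewall 90
fi
```

If your SSH session survives, remove /tmp/iptables.rollback before the timer expires and the rules stay; if it freezes, wait the 90 seconds and the previous rules come back without a reboot.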

3 years ago
7. Using the system

The installation is now complete. Reboot the Raspberry PI by entering "sudo reboot" and boot your laptop.

Connect the laptop to the right access point ("NSA_GCHQ" if you didn't change the name) and enter the access point password ("snowden23" if you didn't change it).
Go to the network configuration in your web browser and enter 10.0.42.1 port 8118 as proxy server.
If you want to use it as a Tor proxy from within your local network (connected through the router) then you have to replace 10.0.42.1 with the Raspberry PI IP address, e.g. 192.168.0.101.
Connecting to it through the router does not provide physical isolation however.

If you are using the Tor Browser Bundle then you have to prevent Vidalia from starting up. This is not covered by this tutorial.

If you need to use an application with socks5 proxy support (IRC, Pidgin, ...) you can use 10.0.42.1 port 9001 or port 9002.
Socks port 9001 will use the same Tor circuit for all connections for 10 minutes or so.
Socks port 9002 will use a different Tor circuit for every new connection.

If you want to manually create a new circuit (like "new identity" in Vidalia) then you'll have to connect to the Raspberry PI with SSH first. This will work from the laptop.
Enter "arm" at the command prompt and press "n" to get a new circuit, or "m" for a menu.

When James Clapper and General Alexander are knocking on your door while you're using the Raspberry PI enter "sudo reboot" in the terminal. This should clear the log files from the RAM.
Simply turning off the Raspberry PI may leave some residue in the memory chips.


3 years ago
By making these changes to the system you can turn your Raspberry PI into a transparent Tor hotspot.

When someone connects to the PI and starts their browser it will redirect them to a landing page where they have to agree to the terms of service.
After they agreed it will route all their traffic transparently through Tor. If they don't agree they can still use the Tor proxy as it is described in the above tutorial.

You could change the ssid= line in /etc/hostapd/hostapd.conf to something like "Free Inet - password: snowden23" to let everyone in range connect to it.
Instead of announcing the password you could also remove the encryption options in /etc/hostapd/hostapd.conf to make it an obviously public hotspot without password and encryption.

You could hide it somewhere near a public hotspot and attach a solar power battery pack and another wifi dongle to it to provide free anonymous internet for everyone.
The MAC addresses which connected to it will be logged in the ram disk for 1 day only, as the PI will automatically reboot daily.

It is assumed that you have already set up the Raspberry PI according to the above tutorial in this thread. If you did not, then you have to make further changes to your system.

The method is partly based on the captive portal tutorial from here: http://aryo.info/labs/captive-portal-us ... ables.html

Disclaimer:
Making the hotspot password public may create some attack possibilities for scriptkiddies, e.g. they could try to DoS the webserver.
Though the webserver itself probably can't be hacked to gain root access to the system, unless you add more webpages to it.
If you installed Privoxy on your system you should uninstall it, because it displays too much information when trying to access a non-existing URL.


############################################################################################################


1. Dnsmasq and Lighttpd

First we install Dnsmasq which will answer all DNS requests with the IP of the Raspberry PI wifi interface.

Enter the following lines to install Dnsmasq and configure it:


sudo apt-get install dnsmasq -y
sudo nano /etc/dnsmasq.conf


Scroll down to the end of the text file and paste


address=/#/10.0.42.1
interface=wlan0
no-resolv
no-hosts


Press CTRL-X to save the changes, enter y and press enter to confirm the filename

To provide a landing page and change firewall rules for users who accepted the TOS we need a webserver with PHP support.


sudo apt-get install lighttpd -y
sudo apt-get install php5-common php5-cgi php5 -y
sudo lighty-enable-mod fastcgi-php
sudo rm /var/www/*


To have the landing page displayed to users starting their browser it is necessary to create a 404 error handler which redirects users.

Enter

sudo nano /etc/lighttpd/lighttpd.conf


Scroll down to the end of the text file and paste

server.error-handler-404 = "/404.php"
server.tag = "NSA Web Server"
dir-listing.activate = "disable"

$SERVER["socket"] == ":443" {
ssl.engine = "enable"
ssl.pemfile = "/etc/lighttpd/ssl/nsa.pem"
}

$HTTP["scheme"] == "https" {
$HTTP["host"] =~ ".*" {
url.redirect = (".*" => "http://%0$0")
}
}


Change the line server.errorlog = "/var/log/lighttpd/error.log"
to server.errorlog = "/tmp/serror.log"

Press CTRL-X to save the changes, enter y and press enter to confirm the filename

To redirect users whose browser tries to connect to an HTTPS URL we have to create an SSL certificate.

Enter
sudo mkdir /etc/lighttpd/ssl
sudo chmod 755 /etc/lighttpd/ssl
cd /etc/lighttpd/ssl
sudo openssl req -new -x509 -keyout nsa.pem -out nsa.pem -days 9001 -nodes


Press enter to accept default values or change them

Enter
sudo chmod 400 nsa.pem


To allow the webserver to change the firewall rules it needs to get added to sudoers:


sudo visudo


Scroll down to the end of the text file and paste

www-data ALL=NOPASSWD: /sbin/iptables -t nat -I PREROUTING -j MARK*


Press CTRL-X to save the changes, enter y and press enter to confirm the filename

To prevent the webserver from starting before the /tmp (ram disk) permissions allow it to create a logfile, it needs to be removed from rc.d and added to rc.local

sudo update-rc.d lighttpd disable
sudo nano /etc/rc.local


Before "exit 0" add

/etc/init.d/lighttpd restart


Press CTRL-X to save the changes, enter y and press enter to confirm the filename

############################################################################################################

2. Create the webserver landing pages

Users connecting to the hotspot will automatically get redirected to this landing page when they start their browser.
The landing page will get their MAC address so it can get added to the firewall rules if they accept the TOS.

Enter

sudo nano /var/www/index.php


Paste this into the editor:


Hello? Yes, this is NSA!
<?php
// capture their IP address (set by the webserver, not by the client)
$ip = $_SERVER['REMOTE_ADDR'];

// execute the arp command to get their mac address
$mac = shell_exec("arp -an " . escapeshellarg($ip));
// match a complete hardware address only, so no stray text from arp's output gets through
preg_match('/([0-9a-f]{2}:){5}[0-9a-f]{2}/i', $mac, $matches);

$mac = isset($matches[0]) ? $matches[0] : NULL;

// if MAC Address couldn't be identified.
if ($mac === NULL) {
echo "Access Denied.";
exit;
}
?>

This is a service which provides connection to the internet through the Tor anonymity network.

You are not directly connected to the internet, instead the connection gets routed through random nodes in various countries.
Connections can sometimes be slow. If a connection times out simply reload the webpage.

###################################################################################################################

Do not use this service for illegal activity
Do not send sensitive data unless you are 100% sure the connection to the webserver is encrypted
Do not use this service for filesharing or puppies will die

###################################################################################################################

Before using this free service you have to agree to sell your soul.

Do you accept the deal?


<form method="post" action="process.php">
<input type="hidden" name="mac" value="<?php echo $mac; ?>" />
<input type="hidden" name="ip" value="<?php echo $ip; ?>" />
<input type="submit" value="YAY!" style="padding:10px 20px;" />
</form>



Press CTRL-X to save the changes, enter y and press enter to confirm the filename

Enter

sudo nano /var/www/process.php


Paste this into the editor:



<?php
// ip and mac come from the client's form, so they are checked against a strict
// format before they get anywhere near the shell, and the value is quoted with escapeshellarg()
if (isset($_POST['ip']) && isset($_POST['mac'])
    && filter_var($_POST['ip'], FILTER_VALIDATE_IP) !== false
    && preg_match('/^([0-9a-f]{2}:){5}[0-9a-f]{2}$/i', $_POST['mac'])) {
$ip = $_POST['ip'];
$mac = $_POST['mac'];
exec("sudo iptables -t nat -I PREROUTING -j MARK --set-mark 42 -i wlan0 -m mac --mac-source " . escapeshellarg($mac));
} else {
echo "Access Denied";
exit;
}
?>

Your computer is now connected to the internet through the Tor anonymity network.

Optionally you can connect to .onion websites ("Darknet").
You can find Onion links on Reddit:
http://www.reddit.com/r/onions

With best regards,

Keith the General Alexander



Press CTRL-X to save the changes, enter y and press enter to confirm the filename

Enter

sudo nano /var/www/404.php


and paste


<?php
// any unknown URL is answered with a redirect to the landing page
header("Location: http://10.0.42.1/", TRUE, 303);
exit;
?>



Press CTRL-X to save the changes, enter y and press enter to confirm the filename


Enter

sudo chown -R www-data:www-data /var/www


to make sure the webserver is the owner of the .php files.

############################################################################################################

3. Tor configuration

Tor needs some additional configuration options to transparently tunnel all connections from wifi clients through Tor.

Enter

sudo nano /etc/tor/torrc


Scroll down to the end of the text file and paste these lines:


VirtualAddrNetwork 10.23.0.0/10
AutomapHostsOnResolve 1
TransPort 9040
TransListenAddress 10.0.42.1
DNSPort 5553
DNSListenAddress 10.0.42.1


Press CTRL-X to save the changes, enter y and press enter to confirm the filename

############################################################################################################

4. Firewall

The firewall script needs some additional lines to accept DNS and http connections from the wifi clients.
It will redirect every data packet marked with 42 to the transparent Tor proxy.
The process.php script we created earlier marks all connections from those MAC addresses which accepted the TOS with 42.

Enter

nano /home/pi/firewall


Below "iptables -F" add

iptables -t nat -F


Before "iptables -L -v" paste these lines:


iptables -A INPUT -p tcp -m multiport --dports 80,443 -j ACCEPT # connections to lighttpd
iptables -A INPUT -i wlan0 -p udp --dport 53 -j ACCEPT # connections to dnsmasq
iptables -A INPUT -p udp --dport 5553 -j ACCEPT # connections to Tor DNSPort
iptables -A INPUT -p tcp --dport 9040 -j ACCEPT # connections to Tor TransPort

# redirect DNS requests and TCP traffic from wifi clients which accepted the TOS (mark 42)
iptables -t nat -A PREROUTING -i wlan0 -p udp -m mark --mark 42 --dport 53 -j REDIRECT --to-ports 5553
iptables -t nat -A PREROUTING -i wlan0 -p tcp -m mark --mark 42 --syn -j REDIRECT --to-ports 9040

# prevent flooding of lighttpd - allow 5 new connections per IP in 10 seconds
iptables -I INPUT -p tcp --dport 80 -i wlan0 -m state --state NEW -m recent --set
iptables -I INPUT -p tcp --dport 80 -i wlan0 -m state --state NEW -m recent --update --seconds 10 --hitcount 5 -j DROP

# prevent flooding of dnsmasq/Tor DNS - allow 20 new connections per IP in 10 seconds
iptables -I INPUT -p udp -m multiport --dports 53,5553 -i wlan0 -m state --state NEW -m recent --set
iptables -I INPUT -p udp -m multiport --dports 53,5553 -i wlan0 -m state --state NEW -m recent --update --seconds 10 --hitcount 20 -j DROP

# probably not necessary: drop dnsmasq connections through ethernet
iptables -A OUTPUT -o eth0 ! -d $LOCALNET/24 -j DROP -m owner --uid-owner dnsmasq

# drop connections to lighttpd from users who accepted TOS
iptables -I INPUT -i wlan0 -p tcp -m mark --mark 42 -m state --state NEW -m multiport --dports 80,443 -j DROP


Press CTRL-X to save the changes, enter y and press enter to confirm the filename

Enter this line to update the firewall

sudo /home/pi/firewall


############################################################################################################

5. Daily reboot

To clear the previously connected MAC addresses from the ram disk we automatically reboot the Raspberry PI daily.

Enter
sudo nano /etc/cron.daily/reboot


and paste


#!/bin/sh
reboot


Press CTRL-X to save the changes, enter y and press enter to confirm the filename

Enter
sudo chmod 755 /etc/cron.daily/reboot


############################################################################################################

6. Done

If you want to provide public access to Tor you should remove the Privoxy proxy, because it can display too much information about the system when someone connects to it.
Enter

sudo apt-get remove privoxy


Enter
sudo reboot


to reboot the Raspberry PI. After 30 seconds you can connect your laptop via wifi and test the connection.

2 years ago
Hy :D

Nice approach, but why don't you use the [1] Transparent Proxy Function provided by Tor?

[1] https://trac.torproject.org/projects/to ... arentProxy

I have configured some routers, including my own one, with this function and it is working very nicely :)

last year
Hey NSA: Thanks for putting the Step-by-Step, wo/man... BTW... 'just doing sanity checks after following most of your steps as I'm still getting "The proxy server isn't responding" errmsg.

Goal: Pass-through all LAN/hard-wired data traffic through Tor installed on Raspberry Pi

Here are the steps I went through, per your instructions (see attached JPG). Any ideas on why my connection to my Tor-Rpi is failing?

Thanks again!

