Building a TOR wireless router with a Raspberry Pi

Over the summer I stayed with a really close friend’s family in Dallas, and instead of buying the Mother flowers I decided to build her a wireless TOR router because she’s a bit of a conspiracy theorist (her family says that, not me), she uses a Ipad which doesn’t support TOR, and I really wanted to do something that was personal that had meaning and thought behind it.  This router will allow her to browse the net anonymously (without big brother watching), I also fully encrypted the hard drive (in case they come after her), added libre office (open source microsoft office), and even changed the wallpaper to her daughter’s debutante photo (I’ll be hearing about this if she still reads my blog.)  I hope that she actually uses it because it adds legitimacy to TOR because it’s for everyone (she is the sweetest lady, BTW) not just the intelligence community, criminals, and drug dealers.

It took me a while to gather the parts to put it together, as I went through a couple wifi adapters before I found one with the right chip set.  Once you have the right parts, installation and setup are easy using this tutorial that I used.  They used nano in the tutorials, but you can use any editor that you feel comfortable with.  I used the following parts:

Setting the Pi as an access point

I used this tutorial.  From the terminal run the following (I ssh’d into the pi from my mac) to install the software:

sudo apt-get install hostapd isc-dhcp-server

Then you need to edit the file for the DHCP server by running

sudo nano /etc/dhcp/dhcpd.conf

The change a couple lines by adding #, and then remove a # from a line so they look like this:
#option domain-name "example.org";
#option domain-name-servers ns1.example.org, ns2.example.org;
# If this DHCP server is the official DHCP server for the local
# network, the authoritative directive should be uncommented.
authoritative;

Then add this to the bottom:

subnet 192.168.42.0 netmask 255.255.255.0 {
range 192.168.42.10 192.168.42.50;
option broadcast-address 192.168.42.255;
option routers 192.168.42.1;
default-lease-time 600;
max-lease-time 7200;
option domain-name "local";
option domain-name-servers 8.8.8.8, 8.8.4.4;
}

Next, we change the interfaces by running

sudo nano /etc/default/isc-dhcp-server

changing the last line to look like this

INTERFACES="wlan0"

Then we set the wireless to have a static IP by running

sudo nano /etc/network/interfaces

making the file read like (change addresses where applicable, I did)

auto lo

iface lo inet loopback
iface eth0 inet dhcp

allow-hotplug wlan0

iface wlan0 inet static
address 192.168.42.1
netmask 255.255.255.0

#iface wlan0 inet manual
#wpa-roam /etc/wpa_supplicant/wpa_supplicant.conf
#iface default inet dhcp

up iptables-restore < /etc/iptables.ipv4.nat

Then tell the wireless adapter it’s address by running

sudo ifconfig wlan0 192.168.42.1

Configure the Access point by a using

sudo nano /etc/hostapd/hostapd.conf

put the following into the file

interface=wlan0
driver=rtl871xdrv
ssid=Pi_AP
hw_mode=g
channel=6
macaddr_acl=0
auth_algs=1
ignore_broadcast_ssid=0
wpa=2
wpa_passphrase=Raspberry
wpa_key_mgmt=WPA-PSK
wpa_pairwise=TKIP
rsn_pairwise=CCMP

be sure to [especially change the ssid (name of the router) and wpa-passphrase (password) and anything else that’s applicable to changes you made early or preferences.

We now need to add a line to file in the editor

sudo nano /etc/default/hostapd

pasting in the following

DAEMON_CONF="/etc/hostapd/hostapd.conf"

You now need to configure the network address by first changing another file

Run sudo nano /etc/sysctl.conf

adding

net.ipv4.ip_forward=1

then run the following to activate the file

sudo sh -c "echo 1 > /proc/sys/net/ipv4/ip_forward"

Finally, to make the ethernet (eth0) and wireless (wlan0) communicate, you need to run the follow commands

sudo iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE
sudo iptables -A FORWARD -i eth0 -o wlan0 -m state --state RELATED,ESTABLISHED -j ACCEPT
sudo iptables -A FORWARD -i wlan0 -o eth0 -j ACCEPT

so you don’t have to manually do it everytime you reboot, run

sudo sh -c "iptables-save > /etc/iptables.ipv4.nat"

Now all we need to do to get the access point working is running the hostapd software using the following commands

wget http://www.adafruit.com/downloads/adafruit_hostapd.zip
unzip adafruit_hostapd.zip
sudo mv /usr/sbin/hostapd /usr/sbin/hostapd.ORIG
sudo mv hostapd /usr/sbin
sudo chmod 755 /usr/sbin/hostapd

Your access point should now be working. To have all the software start on reboot run

sudo service hostapd start
sudo service isc-dhcp-server start
sudo update-rc.d hostapd enable
sudo update-rc.d isc-dhcp-server enable

Reboot you Pi by running

sudo reboot

Installing TOR

First install the TOR software using this code

sudo apt-get install tor

edit the config file by running

sudo nano /etc/tor/torrc

and paste in

Log notice file /var/log/tor/notices.log
VirtualAddrNetwork 10.192.0.0/10
AutomapHostsSuffixes .onion,.exit
AutomapHostsOnResolve 1
TransPort 9040
TransListenAddress 192.168.42.1
DNSPort 53
DNSListenAddress 192.168.42.1

Now we change our routing tables by running

sudo iptables -F
sudo iptables -t nat -F

Then we set-up for ssh routing in the future (I don’t want to give up a precious monitor)

sudo iptables -t nat -A PREROUTING -i wlan0 -p tcp --dport 22 -j REDIRECT --to-ports 22

now when you want to ssh into the pi you have to add a -p 22 to the command. Like this

ssh -l pi -p 22 192.168.1.100

Now do the other ports

sudo iptables -t nat -A PREROUTING -i wlan0 -p udp --dport 53 -j REDIRECT --to-ports 53
sudo iptables -t nat -A PREROUTING -i wlan0 -p tcp --syn -j REDIRECT --to-ports 9040

Now run the following to activate

sudo sh -c "iptables-save > /etc/iptables.ipv4.nat"

The following will create log files for debugging

sudo touch /var/log/tor/notices.log
sudo chown debian-tor /var/log/tor/notices.log
sudo chmod 644 /var/log/tor/notices.log

Finally, we start TOR manually running

sudo service tor start

Then make it start on every reboot

sudo update-rc.d tor enable

You’re done! You should now be able to connect to TOR wifi using the ssid and passphrase you used early.

The final product is about half the size of a normal router and looks like this:

photo 2

*I was going to post a pic of the desktop (with the debutante photo) but I decided that I value my life… hahhahaha

QED

 

 

-update

I did some speed testing on the router last night, and I discovered that you end up with about 25% of the speed that you would through regular wifi.

 

Advertisements

2 thoughts on “Building a TOR wireless router with a Raspberry Pi

Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out / Change )

Twitter picture

You are commenting using your Twitter account. Log Out / Change )

Facebook photo

You are commenting using your Facebook account. Log Out / Change )

Google+ photo

You are commenting using your Google+ account. Log Out / Change )

Connecting to %s