
TorPi - Raspberry Pi Tor Access Point🔗

Intro🔗


Hardware Support List:

Raspberry Model | Cable to WiFi        | Cable/WiFi to WiFi
----------------|----------------------|----------------------
Raspberry 1     | 1 WiFi USB Adapter   | 2x WiFi USB Adapters
Raspberry 2     | 1 WiFi USB Adapter   | 2x WiFi USB Adapters
Raspberry 3     | ---                  | 1 WiFi USB Adapter
Raspberry 4     | ---                  | 1 WiFi USB Adapter

  • Native Wifi Chipset Support
    • Realtek 8188 (rtl8188cus)
    • MediaTek RT5370

Network Flow🔗

Tor-Pi Network Flow

Installing Headless Minimal Raspberry Pi OS🔗

Download the Raspberry Pi OS Minimal image from raspberrypi.org. It is a headless OS, without a GUI.


Burn the Raspberry Pi OS Minimal image to the SD card that will be used for TorPi.
Since we don't want to use an external screen or keyboard, we need to allow SSH access to Raspberry Pi OS on the first boot.

After creating the bootable SD card, mount it and add a file called "ssh" inside the boot partition.
This will enable and start the SSH daemon on the Pi at boot.


To continue the setup we will need an Ethernet cable connected to a network with DHCP and an Internet connection.
Insert the SD card and the Ethernet cable, and boot your Pi by connecting power.
At this point the Pi should boot the new OS from the SD card and get a DHCP address.
Find the address your Pi just got from your DHCP server. You can do this in your router's UI or use nmap to find it on the network.
If you can't find the new address, you can always connect an external screen and keyboard, log in with the default credentials, and run the 'ip addr' command.

SSH to the Raspberry Pi. Default credentials:

  • User: pi
  • Password: raspberry

Change the default password for the Pi user

passwd

Let's run system updates and cleanup

sudo apt update && sudo apt full-upgrade -y

Optional: Use simple: Update Script

Optional: SSH Hardening with RSA Keys

Optional: Fix bash local error

Optional: Set System Time With NTP

Optional: Install Oh My Zsh

Follow this to Disable IPv6 on Raspberry Pi Os

Change the Hostname to 'torPi' or any one you like

sudo raspi-config

Select: 2.Network Options -> N1 Hostname

torPi

Install some useful utilities if they are missing

sudo apt install -y net-tools curl wget traceroute htop

Reboot The Pi for the first time

sudo reboot

RaspAP WiFi Configuration Web Portal Installation🔗

Many thanks to billz for his project RaspAP

We will use the raspap-webgui package to manage our WiFi connections with a simple web UI

Let's use the Quick Interactive RaspAP Install script

curl -sL https://install.raspap.com | bash

Question                                                        | Answer
----------------------------------------------------------------|-------
lighttpd root: /var/www/html?                                   | Y
Complete installation with these values?                        | Y
Enable HttpOnly for session cookies (Recommended)?              | Y
Enable RaspAP control service (Recommended)?                    | Y
Install ad blocking and enable list management?                 | n
Install OpenVPN and enable client configuration?                | n
The system needs to be rebooted as a final step. Reboot now?    | y

After the reboot at the end of the installation the wireless network will be configured as an access point as follows:

Default SSID Information

SSID: raspi-webgui
IP address: 10.3.141.1
DHCP range: 10.3.141.50 to 10.3.141.255
Password: ChangeMe

Default WEB-UI Information

Web-Ui: http://10.3.141.1/
Username: admin
Password: secret

For this guide we will use the default gateway address of 10.3.141.1 and the gateway DHCP range. Log in to the web UI: http://10.3.141.1/.

Warning

Change the Default web-ui Credentials

[Screenshot: webui-authentication]

Configuration with One Wireless Interface

If your Raspberry Pi has only one wireless interface, the default RaspAP hotspot configuration is fine.
The only thing you should do in the interface is change the SSID and PSK.

[Screenshot: wlan0 hotspot]

Configuration with Two Wireless Interfaces

If your Raspberry Pi has two wireless interfaces, we need to set:
wlan1 as Hotspot
wlan0 as WiFi Client

Set the Hotspot with interface wlan1

[Screenshot: wlan1 hotspot]

Connect to a known WiFi network and make sure the interface is set to wlan0

[Screenshot: wlan0 hotspot]

Tor Service🔗

Install tor service

sudo apt install -y tor

Delete the default torrc config

sudo rm -rf /etc/tor/torrc

Create new torrc and edit it

sudo nano /etc/tor/torrc

Add the lines below to torrc

VirtualAddrNetwork 10.192.0.0/10
AutomapHostsSuffixes .onion,.exit
AutomapHostsOnResolve 1
TransPort 10.3.141.1:9040
TransListenAddress 10.3.141.1
DNSPort 10.3.141.1:53
DNSListenAddress 10.3.141.1

Optional: add these lines to rotate the exit node every 10 seconds

CircuitBuildTimeout 10
LearnCircuitBuildTimeout 0
MaxCircuitDirtiness 10

Start the Tor service and enable it at boot

sudo systemctl start tor.service
sudo systemctl enable tor.service

Make sure the Tor service started correctly, as in the screenshot below:

sudo netstat -plnt
[Screenshot: netstat tor]

Bug

There is a bug where the Tor service won't load at boot because of all the interface changes.
The solution is to install Monit. Monit will start the Tor service as soon as it can.
It will also restart it if it crashes.

Install Monit

sudo apt install monit

Edit Monit Config

sudo nano /etc/monit/monitrc

Add those lines to the end of the config:

check process tor with pidfile /var/run/tor/tor.pid
   start program = "/etc/init.d/tor start"
   stop program = "/etc/init.d/tor stop"

Reload and add Monit to startup:

sudo systemctl restart monit
sudo systemctl enable monit

Warning

Be Patient!!!
With my Pi2 full startup may take up to 3 minutes

Configure iptables firewall rules🔗

It's time to firewall the traffic to specific ports:

  • Allow port 22,80 from any interface to allow access to ssh and the web-ui
  • Route all DNS traffic from wlan1 to internal port 53
  • Route all other wlan1 tcp traffic via tor proxy on port 9040

Bug

There is a bug where RaspAP overwrites the iptables rules at boot.
The solution is to make a bash script with the iptables rules
and run it on startup with a delay of 30 seconds.

Let's create the script iptablesOnBoot.sh

sudo nano /iptablesOnBoot.sh

Copy One of the following config files:

Config for One Wireless Interface with Hotspot on wlan0

#!/bin/bash

sudo iptables -F && sudo iptables -t nat -F
sudo iptables -t nat -A PREROUTING -p tcp --dport 22 -j REDIRECT --to-ports 22
sudo iptables -t nat -A PREROUTING -p tcp --dport 80 -j REDIRECT --to-ports 80
sudo iptables -t nat -A PREROUTING -i wlan0 -p udp --dport 53 -j REDIRECT --to-ports 53
sudo iptables -t nat -A PREROUTING -i wlan0 -p tcp --syn -j REDIRECT --to-ports 9040
sudo iptables -t nat -A POSTROUTING -j MASQUERADE
sudo iptables -t nat -A POSTROUTING -s 192.168.50.0/24 ! -d 192.168.50.0/24 -j MASQUERADE
sudo sh -c "iptables-save > /etc/iptables.ipv4.nat"

Config for Two Wireless Interfaces with Hotspot on wlan1

#!/bin/bash

sudo iptables -F && sudo iptables -t nat -F
sudo iptables -t nat -A PREROUTING -p tcp --dport 22 -j REDIRECT --to-ports 22
sudo iptables -t nat -A PREROUTING -p tcp --dport 80 -j REDIRECT --to-ports 80
sudo iptables -t nat -A PREROUTING -i wlan1 -p udp --dport 53 -j REDIRECT --to-ports 53
sudo iptables -t nat -A PREROUTING -i wlan1 -p tcp --syn -j REDIRECT --to-ports 9040
sudo iptables -t nat -A POSTROUTING -j MASQUERADE
sudo iptables -t nat -A POSTROUTING -s 192.168.50.0/24 ! -d 192.168.50.0/24 -j MASQUERADE
sudo sh -c "iptables-save > /etc/iptables.ipv4.nat"

Make the script executable

sudo chmod +x /iptablesOnBoot.sh

Now let's add it to crontab so it executes at startup

sudo crontab -e

Add to the end of the crontab file

@reboot sleep 20 && /iptablesOnBoot.sh

After reboot iptables rules should be like this

sudo iptables -t nat -L
[Screenshot: iptables]
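
To check the result without reading the table by eye, the added example below (not part of the original guide) audits `iptables -t nat -S` output against the TransPort and DNSPort set in torrc and confirms that the SSH and web-ui exemptions come before the catch-all Tor redirect. The function name `audit_torpi_nat`, the temporary paths and the sample rules are constructed for illustration.

```shell
#!/bin/bash
# Added example (not from the original guide): audit NAT rules against torrc.
# audit_torpi_nat IFACE TORRC RULES   (RULES holds `iptables -t nat -S` output)
# Prints one finding per line; returns 0 only when there are none.
audit_torpi_nat() {
    local iface=$1 torrc=$2 rules=$3 trans dns out
    # "TransPort 10.3.141.1:9040" -> 9040 (last colon-separated field)
    trans=$(awk '$1=="TransPort"{n=split($2,a,":"); print a[n]; exit}' "$torrc")
    dns=$(awk '$1=="DNSPort"{n=split($2,a,":"); print a[n]; exit}' "$torrc")
    out=$(awk -v ifc="$iface" -v trans="$trans" -v dns="$dns" '
        $1=="-A" && $2=="PREROUTING" && /-j REDIRECT/ {
            n++; to=$NF; dport=""; inif=""; proto=""
            for (i=3; i<NF; i++) {
                if ($i=="--dport") dport=$(i+1)
                if ($i=="-i") inif=$(i+1)
                if ($i=="-p") proto=$(i+1)
            }
            mine = (inif=="" || inif==ifc)      # rule applies to hotspot clients
            if (proto=="tcp" && dport=="" && inif==ifc && to==trans && !catchall) catchall=n
            if (proto=="tcp" && dport!="" && dport==to && mine && !(dport in ex)) ex[dport]=n
            if (proto=="udp" && dport=="53" && inif==ifc && to==dns) dnsok=1
        }
        END {
            if (!catchall) print "no catch-all TCP redirect to TransPort " trans " on " ifc
            if (!dnsok) print "DNS from " ifc " is not redirected to DNSPort " dns
            np = split("22 80", keep, " ")      # SSH and web-ui must stay local
            for (k=1; k<=np; k++) {
                p = keep[k]
                if (catchall && (!(p in ex) || ex[p] > catchall))
                    print "port " p " reaches the Tor redirect before any exemption"
            }
        }' "$rules")
    [ -z "$out" ] && return 0
    printf '%s\n' "$out"
    return 1
}

# Constructed sample input mirroring the two-interface config in this guide.
tmp=$(mktemp -d)
printf 'TransPort 10.3.141.1:9040\nDNSPort 10.3.141.1:53\n' > "$tmp/torrc"
cat > "$tmp/nat.rules" <<'EOF'
-A PREROUTING -p tcp -m tcp --dport 22 -j REDIRECT --to-ports 22
-A PREROUTING -p tcp -m tcp --dport 80 -j REDIRECT --to-ports 80
-A PREROUTING -i wlan1 -p udp -m udp --dport 53 -j REDIRECT --to-ports 53
-A PREROUTING -i wlan1 -p tcp -m tcp --tcp-flags FIN,SYN,RST,ACK SYN -j REDIRECT --to-ports 9040
-A POSTROUTING -j MASQUERADE
EOF
audit_torpi_nat wlan1 "$tmp/torrc" "$tmp/nat.rules" && echo "NAT rules match torrc"
```

On the Pi, save the live rules with `sudo iptables -t nat -S > /tmp/nat.rules` and pass `/etc/tor/torrc` as the second argument; use wlan0 as the interface for the single-interface layout.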

Testing🔗

Warning

Be Patient!!!
Start up after reboot may take up to 3 minutes for everything to work as it should

Well, that's about it. You should be able to connect to the hotspot and reach the Tor network.
You can test that you are on the Tor network at https://check.torproject.org/
