TorPi - Raspberry Pi Tor Access Point

Tor-Pi Network Flow

Hardware Support List:

| Raspberry Model | Cable to WiFi | Cable/WiFi to WiFi |
|---|---|---|
| Raspberry 1 | 1 WiFi USB Adapters | 2x WiFi USB Adapters |
| Raspberry 2 | 1 WiFi USB Adapters | 2x WiFi USB Adapters |
| Raspberry 3 | --- | 1 WiFi USB Adapters |
| Raspberry 4 | --- | 1 WiFi USB Adapters |

  • Native Wifi Chipset Support
    • Realtek 8188 (rtl8188cus)
    • MediaTek RT5370

Update: This Guide Is Deprecated - Moved to TorBox

Use TorBox Project

If you still need information from the original guide, it is hidden below:

Deprecated Guide Archive

Installing Headless Minimal Raspberry Pi OS

Download the Raspberry Pi OS Minimal image from raspberrypi.org. It is a headless OS, without a GUI.

Burn the Raspberry Pi OS Minimal image to the SD card that will be used for TorPi.
Since we don't want to use an external screen or keyboard, we need to allow SSH access to Raspberry Pi OS on the first boot. After creating the bootable SD card, mount it and add a file called "ssh" inside the boot partition.
This will enable and start the SSH daemon on the Pi at boot.
To continue the setup we will need an Ethernet cable with DHCP and an Internet connection.
Insert the SD card and the Ethernet cable, and boot your Pi by connecting power.
At this point the Pi should boot the new OS from the SD card and get a DHCP address.
Find the new address your Pi just got from your DHCP server. You can do it in your router's UI or use nmap to find it on the network.
If you can't find the new address, you can always connect the Pi to an external screen and keyboard, log in with the default credentials and use the 'ip addr' command.

SSH to the Raspberry Pi. Default credentials:

- User: pi
- Password: raspberry

Change the default password for the pi user:
```bash
passwd
```
Let's run system updates and cleanup:
```bash
sudo apt update && sudo apt full-upgrade -y
```
- Optional: use the simple Update Script
- Optional: fix the bash locale error
- Optional: set the system time with NTP
- Optional: install Oh My Zsh
- Disable IPv6 on Raspberry Pi OS (the iptables rules later in this guide only cover IPv4)

Change the hostname to 'torPi' or any name you like:
```bash
sudo raspi-config
```
Select: 2. Network Options -> N1 Hostname and enter:
```
torPi
```
Install some useful utilities if they are missing:
```bash
sudo apt install -y net-tools curl wget traceroute htop
```
Reboot the Pi for the first time:
```bash
sudo reboot
```

RaspAP WiFi Configuration Web Portal Installation

Many thanks to billz for his project RaspAP. We will use the raspap-webgui package to manage our WiFi connections with a simple web UI. Let's use the Quick Interactive RaspAP install script:

```bash
curl -sL https://install.raspap.com | bash
```
Answer the installer prompts as follows:
```
lighttpd root: /var/www/html? - Y
Complete installation with these values? - Y
Enable HttpOnly for session cookies (Recommended)? - Y
Enable RaspAP control service (Recommended)? - Y
Install ad blocking and enable list management? - n
Install OpenVPN and enable client configuration? - n
The system needs to be rebooted as a final step. Reboot now? - Y
```
After the reboot at the end of the installation, the wireless network will be configured as an access point as follows:

Default SSID Information

SSID: raspi-webgui  
IP address: 10.3.141.1  
DHCP range: 10.3.141.50 to 10.3.141.255  
Password: ChangeMe  

Default WEB-UI Information

Web-Ui: [http://10.3.141.1/](http://10.3.141.1/)  
Username: admin  
Password: secret  
For this guide we will use the default gateway address of **10.3.141.1** and the gateway **DHCP range**.
Log in to the Web-Ui: [http://10.3.141.1/](http://10.3.141.1/).

warning

Change the Default web-ui Credentials


Configuration with One Wireless Interface

If your Raspberry Pi has only **one wireless** interface, the default RaspAP hotspot configuration works well.  
The only thing you should do in the interface is change the SSID and PSK.

Configuration with Two Wireless Interfaces

If your Raspberry Pi has two wireless interfaces, we need to set:

- wlan1 as Hotspot
- wlan0 as WiFi Client

Set the hotspot to use interface wlan1.
Connect to a known WiFi network and make sure the interface is set to wlan0.

Tor Service

Install the Tor service:

```bash
sudo apt install -y tor
```
Delete the default torrc config:
```bash
sudo rm -rf /etc/tor/torrc
```
Create a new torrc and edit it:
```bash
sudo nano /etc/tor/torrc
```
Add the lines below to torrc:
```
# Map .onion lookups to addresses in this virtual range
VirtualAddrNetwork 10.192.0.0/10
AutomapHostsSuffixes .onion,.exit
AutomapHostsOnResolve 1
# Transparent proxy and DNS listeners on the hotspot gateway address
TransPort 10.3.141.1:9040
# Legacy option; the listen address is already given in TransPort above
TransListenAddress 10.3.141.1
DNSPort 10.3.141.1:53
DNSListenAddress 10.3.141.1
```
Optional: add this to rotate the exit node every 10 seconds:
```
CircuitBuildTimeout 10
LearnCircuitBuildTimeout 0
MaxCircuitDirtiness 10
```
Start the Tor service and enable it at boot:
```bash
sudo systemctl start tor.service
sudo systemctl enable tor.service
```
Make sure the Tor service started correctly and is listening:
```bash
sudo netstat -plnt
```

Bug

There is a bug where the Tor service won't load at boot because of all the interface changes.  
The solution is to install **Monit**. Monit will start the Tor service as soon as it can.  
It will also restart it if it crashes.
### Install Monit
```bash
sudo apt install monit
```
Edit the Monit config:
```bash
sudo nano /etc/monit/monitrc
```
Add these lines to the end of the config:
```
# "tor" is only Monit's label for this check
check process tor with pidfile /var/run/tor/tor.pid
   start program = "/etc/init.d/tor start"
   stop program = "/etc/init.d/tor stop"
```
Reload Monit and add it to startup:
```bash
sudo systemctl restart monit
sudo systemctl enable monit
```

warning

Be Patient!!!  
With my Pi 2, full startup may take up to 3 minutes.

Configure iptables firewall rules

It's time to firewall the traffic to specific ports:

- Allow ports 22 and 80 from any interface, to allow access to SSH and the web UI
- Route all DNS traffic from wlan1 to internal port 53
- Route all other wlan1 TCP traffic via the Tor proxy on port 9040

Bug

There is a bug where RaspAP overwrites the iptables rules at boot.  
The solution is to make a bash script with the iptables rules  
to run on startup with a delay of 30 seconds.
Let's create the script iptablesOnBoot.sh:
```bash
sudo nano /iptablesOnBoot.sh
```
Copy one of the following config files:

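Config for One Wireless Interface with Hotspot on wlan0

```bash
#!/bin/bash
# Start from empty filter and nat tables
sudo iptables -F && sudo iptables -t nat -F
# Keep SSH (22) and the web UI (80) on the Pi out of the Tor redirect. Matched on the
# Pi's hotspot address so clients' port 22/80 traffic to other hosts still goes via Tor.
sudo iptables -t nat -A PREROUTING -d 10.3.141.1 -p tcp --dport 22 -j REDIRECT --to-ports 22
sudo iptables -t nat -A PREROUTING -d 10.3.141.1 -p tcp --dport 80 -j REDIRECT --to-ports 80
# Hotspot DNS queries go to Tor's DNSPort
sudo iptables -t nat -A PREROUTING -i wlan0 -p udp --dport 53 -j REDIRECT --to-ports 53
# All other new TCP connections from the hotspot go to Tor's TransPort
sudo iptables -t nat -A PREROUTING -i wlan0 -p tcp --syn -j REDIRECT --to-ports 9040
# NAT for outgoing traffic
sudo iptables -t nat -A POSTROUTING -j MASQUERADE
sudo iptables -t nat -A POSTROUTING -s 192.168.50.0/24 ! -d 192.168.50.0/24 -j MASQUERADE
# Save the resulting rules
sudo sh -c "iptables-save > /etc/iptables.ipv4.nat"
```

Config for Two Wireless Interfaces with Hotspot on wlan1

```bash
#!/bin/bash
# Start from empty filter and nat tables
sudo iptables -F && sudo iptables -t nat -F
# Keep SSH (22) and the web UI (80) on the Pi out of the Tor redirect. Matched on the
# Pi's hotspot address so clients' port 22/80 traffic to other hosts still goes via Tor.
sudo iptables -t nat -A PREROUTING -d 10.3.141.1 -p tcp --dport 22 -j REDIRECT --to-ports 22
sudo iptables -t nat -A PREROUTING -d 10.3.141.1 -p tcp --dport 80 -j REDIRECT --to-ports 80
# Hotspot DNS queries go to Tor's DNSPort
sudo iptables -t nat -A PREROUTING -i wlan1 -p udp --dport 53 -j REDIRECT --to-ports 53
# All other new TCP connections from the hotspot go to Tor's TransPort
sudo iptables -t nat -A PREROUTING -i wlan1 -p tcp --syn -j REDIRECT --to-ports 9040
# NAT for outgoing traffic
sudo iptables -t nat -A POSTROUTING -j MASQUERADE
sudo iptables -t nat -A POSTROUTING -s 192.168.50.0/24 ! -d 192.168.50.0/24 -j MASQUERADE
# Save the resulting rules
sudo sh -c "iptables-save > /etc/iptables.ipv4.nat"
```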
Make the script executable:
```bash
sudo chmod +x /iptablesOnBoot.sh
```
Now let's add it to crontab so it runs at startup:
```bash
sudo crontab -e
```
Add to the end of the crontab file:
```
@reboot sleep 20 && /iptablesOnBoot.sh
```
After a reboot, check that the iptables rules are in place:
```bash
sudo iptables -t nat -L
```
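
Because the rules can be overwritten at boot, a scripted check is more reliable than reading the listing by eye. The following is an added example, not part of the original guide: `check_torpi_rules` (a hypothetical helper name) reads `iptables-save` output and reports a missing DNS or TCP redirect for the hotspot interface, and whether hotspot traffic that is not redirected (for example UDP other than DNS) can still be forwarded around Tor. The rulesets are constructed samples, and the leak check assumes IP forwarding is enabled on the Pi.

```shell
#!/bin/sh
# Added example, not from the original guide. On the Pi:
#   sudo iptables-save | check_torpi_rules wlan1

# Reads iptables-save output on stdin, prints one finding per line and
# returns 0 only when nothing is reported. $1 is the hotspot interface.
check_torpi_rules() (
    iface="$1"
    rules="$(cat)"
    has() { printf '%s\n' "$rules" | grep -Eq -- "$1"; }
    bad=0
    # Client DNS must be redirected to Tor's DNSPort (53).
    has "^-A PREROUTING -i $iface -p udp .*--dport 53 -j REDIRECT --to-ports 53\$" ||
        { echo "MISSING dns-redirect"; bad=1; }
    # New client TCP connections must be redirected to Tor's TransPort (9040).
    has "^-A PREROUTING -i $iface -p tcp .*-j REDIRECT --to-ports 9040\$" ||
        { echo "MISSING tcp-redirect"; bad=1; }
    # Redirected packets are delivered locally, so whatever the hotspot sends
    # through FORWARD (assuming IP forwarding is on) leaves without using Tor.
    has "^:FORWARD DROP" || has "^-A FORWARD -i $iface -j (DROP|REJECT)" ||
        { echo "LEAK unproxied-forward"; bad=1; }
    [ "$bad" -eq 0 ]
)

# Constructed sample: a ruleset holding the guide's two hotspot redirects.
GUIDE_RULES='*nat
-A PREROUTING -i wlan1 -p udp -m udp --dport 53 -j REDIRECT --to-ports 53
-A PREROUTING -i wlan1 -p tcp -m tcp --tcp-flags FIN,SYN,RST,ACK SYN -j REDIRECT --to-ports 9040
-A POSTROUTING -j MASQUERADE
COMMIT
*filter
:FORWARD ACCEPT [0:0]
COMMIT'
# Constructed sample: the redirects are gone (rules overwritten at boot).
OVERWRITTEN_RULES='*nat
-A POSTROUTING -j MASQUERADE
COMMIT
*filter
:FORWARD ACCEPT [0:0]
COMMIT'
# Constructed sample: same redirects, but nothing is forwarded around Tor.
HARDENED_RULES=$(printf '%s\n' "$GUIDE_RULES" | sed 's/^:FORWARD ACCEPT/:FORWARD DROP/')

echo "guide rules:";       printf '%s\n' "$GUIDE_RULES"       | check_torpi_rules wlan1 || true
echo "overwritten rules:"; printf '%s\n' "$OVERWRITTEN_RULES" | check_torpi_rules wlan1 || true
echo "hardened rules:";    printf '%s\n' "$HARDENED_RULES"    | check_torpi_rules wlan1 || true
```

A non-zero exit status makes the function usable from cron or Monit to raise an alert when the redirects are missing.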

Testing

warning

Be Patient!!!
Startup after a reboot may take up to 3 minutes for everything to work as it should.

Well, that's about it. You should be able to connect to the hotspot and reach the Tor network.
You can test that you are on the Tor network at https://check.torproject.org/
