TorPi - Raspberry Pi Tor Access Point🔗
Intro🔗
Totally Wireless TorPi 
Raspberry 2 Model B
2x Edimax N150 WiFi USB Adapters
Miracase 5x 5000mAh Power Bank
Hardware Support List:
| Raspberry Model | Cable to WiFi | Cable/WiFi to WiFi |
|---|---|---|
| Raspberry 1 | 1 WiFi USB Adapters | 2x WiFi USB Adapters |
| Raspberry 2 | 1 WiFi USB Adapters | 2x WiFi USB Adapters |
| Raspberry 3 | --- | 1 WiFi USB Adapters |
| Raspberry 4 | --- | 1 WiFi USB Adapters |
- Native Wifi Chipset Support
- Realtek 8188 (rtl8188cus)
- MediaTek RT5370
Network Flow🔗
Installing Headless Minimal Raspberry Pi OS🔗
Download Raspberry Pi OS Minimal image from: raspberrypi.org It's a headless os - Without GUI
Burn Raspberry Pi OS Minimal image to SD-Card that will be used in this project for TorPi.
Since we don't won't to use external screen or keyboard, we need to allow an SSH access to the Raspberry Pi OS on the first boot.
After we created our bootable SD card we need to mount it and add a file called “ssh” inside a boot partition.
This will enable and start ssh daemon on pi at boot.
To continue the setup we will need a Ethernet Cable with DHCP and Internet Connection.
Insert the SD card and the Ethernet cable and boot your pi by connecting power.
At this point the pi should boot the new OS from the SD card and get a DHCP address.
Find the new address your pi just got from your dhcp server. You can do it inside your router's ui or use nmap tp find it on the network.
If you can't find the new address you can allows connect it to external screen and keyboard - use default credentials to login and 'ip addr' command
SSH to the Raspberry Pi Default credentials:
- User: pi
- Password: raspberry
Change the default password for the Pi user
passwd
Let's run system updates and cleanup
sudo apt update && sudo apt full-upgrade -y
Optional: Use simple: Update Script
Optional: SSH Hardening with RSA Keys
Optional: Fix bash local error
Optional: Set System Time With NTP
Optional Install Oh My Zsh
Follow this to Disable IPv6 on Raspberry Pi Os
Change the Hostname to 'torPi' or any one you like
sudo raspi-config
Select: 2.Network Options -> N1 Hostname
torPi
Install some usefully utils if missing
sudo apt install -y net-tools curl wget traceroute htop
Reboot The Pi for the first time
sudo reboot
RaspAP WiFi Configuration Web Portal Installation🔗
Many thanks to billz for his project RaspAP
We will use raspap-webgui package to Manage our WiFi connections with simple Web-ui
Let's use the Quick Interactive RaspAP Install script
curl -sL https://install.raspap.com | bash
| Question | Answer |
|---|---|
| lighttpd root: /var/www/html? | Y |
| Complete installation with these values? | Y |
| Enable HttpOnly for session cookies (Recommended)? | Y |
| Enable RaspAP control service (Recommended)? | Y |
| Install ad blocking and enable list management? | n |
| Install OpenVPN and enable client configuration? | n |
| The system needs to be rebooted as a final step. Reboot now? | y |
After the reboot at the end of the installation the wireless network will be configured as an access point as follows:
Default SSID Information
SSID: raspi-webgui
IP address: 10.3.141.1
DHCP range: 10.3.141.50 to 10.3.141.255
Password: ChangeMe
Default WEB-UI Information
Web-Ui: http://10.3.141.1/
Username: admin
Password: secret
For this guide we will use the default gateway address of 10.3.141.1 and the gateway DHCP range Login to the Web-Ui: http://10.3.141.1/.
Warning
Change the Default web-ui Credentials
Configuration with One Wireless Interface
If you raspberry pi as only one wireless interface the default RaspAP configuration of the host sport is great.
The only think you should to in the interface is to change the SSD, PSK
Configuration with Two Wireless Interface
If you raspberry pi as only two wireless interface we need to set
wlan1 as Hotspot
wlan0 as WiFi Client
Set the Hotspot with interface wlan1
Connect to known WiFi make sure the interface is set to wlan0
Tor Service🔗
Install tor service
sudo apt install -y tor
delete the default torrc config
sudo rm -rf /etc/tor/torrc
Create new torrc and edit it
sudo nano /etc/tor/torrc
Add the lines below to torrc
VirtualAddrNetwork 10.192.0.0/10
AutomapHostsSuffixes .onion,.exit
AutomapHostsOnResolve 1
TransPort 10.3.141.1:9040
TransListenAddress 10.3.141.1
DNSPort 10.3.141.1:53
DNSListenAddress 10.3.141.1
Optional add this to rotate the exit node every 10 seconds
CircuitBuildTimeout 10
LearnCircuitBuildTimeout 0
MaxCircuitDirtiness 10
Start and enable Tor Service a boot
sudo systemctl start tor.service
sudo systemctl enable tor.service
make sure the tor service started currently as in screen bellow:
sudo netstat -plnt
Bug
There is a bug that Tor Service won't load at boot because of all the interfaces changes.
The solution is to install Monit. Monit Will load the tor Tor Service as soon as it can.
It will also reload it if it will crash
Install Monit
sudo apt install monit
Edit Monit Config
sudo nano /etc/monit/monitrc
Add those lines to the end of the config:
check process gdm with pidfile /var/run/tor/tor.pid
start program = "/etc/init.d/tor start"
stop program = "/etc/init.d/tor stop"
Reload and add Monit to startup:
sudo systemctl restart monit
sudo systemctl enable monit
Warning
Be Patient!!!
With my Pi2 full startup may take up to 3 minutes
Configure iptables firewall rules🔗
Its time to firewall the traffic to specific port
- Allow port 22,80 from any interface to allow access to ssh and the web-ui
- Route all DNS traffic from wlan1 to internal port 53
- Route all other wlan1 tcp traffic via tor proxy on port 9040
Bug
There is a bug that Raspap overwrites iptables rules at boot.
The solution is to install make a bash script with iptables rules
to Run on startup with delay of 30 seconds.
lets create the script iptablesOnBoot.sh
sudo nano /iptablesOnBoot.sh
Copy One of the following config files:
Config for One Wireless Interface with Hotspot on wlan0
#!/bin/bash
sudo iptables -F && sudo iptables -t nat -F
sudo iptables -t nat -A PREROUTING -p tcp --dport 22 -j REDIRECT --to-ports 22
sudo iptables -t nat -A PREROUTING -p tcp --dport 80 -j REDIRECT --to-ports 80
sudo iptables -t nat -A PREROUTING -i wlan0 -p udp --dport 53 -j REDIRECT --to-ports 53
sudo iptables -t nat -A PREROUTING -i wlan0 -p tcp --syn -j REDIRECT --to-ports 9040
sudo iptables -t nat -A POSTROUTING -j MASQUERADE
sudo iptables -t nat -A POSTROUTING -s 192.168.50.0/24 ! -d 192.168.50.0/24 -j MASQUERADE
sudo sh -c "iptables-save > /etc/iptables.ipv4.nat"
Config for Two Wireless Interface with Hotspot on wlan1
#!/bin/bash
sudo iptables -F && sudo iptables -t nat -F
sudo iptables -t nat -A PREROUTING -p tcp --dport 22 -j REDIRECT --to-ports 22
sudo iptables -t nat -A PREROUTING -p tcp --dport 80 -j REDIRECT --to-ports 80
sudo iptables -t nat -A PREROUTING -i wlan1 -p udp --dport 53 -j REDIRECT --to-ports 53
sudo iptables -t nat -A PREROUTING -i wlan1 -p tcp --syn -j REDIRECT --to-ports 9040
sudo iptables -t nat -A POSTROUTING -j MASQUERADE
sudo iptables -t nat -A POSTROUTING -s 192.168.50.0/24 ! -d 192.168.50.0/24 -j MASQUERADE
sudo sh -c "iptables-save > /etc/iptables.ipv4.nat"
Make the script executable
sudo chmod +x /iptablesOnBoot.sh
Now lets add it to Crontab to execute after login
sudo crontab -e
Add to the end of crontav file
@reboot sleep 20 && /iptablesOnBoot.sh
After reboot iptables rules should be like this
sudo iptables -t nat -L
Testing🔗
Warning
Be Patient!!!
Start up after reboot may take up to 3 minutes for everything to work as it should
Well Thats about it, you should be able to connect the the Hotspot and gain tor network.
You can test that you are on the Tor network at https://check.torproject.org/
Buy Us a Beer
Few Beers...
Specify the amount you would like to donate