Network Security

DIY Onion Pi

Step-by-step guide to make your own wireless tor router using an old Raspberry Pi.

Required materials:

  • Raspberry Pi (I had an old Pi B)
  • SD Card (at least 4 gigabytes)
  • Network cable (<—This long—>)
  • Compatible USB Wifi adapter (I recommend anything with the RT5370 chipset)
  • Micro USB power adapter

You won’t be needing a keyboard or monitor for this guide as i will be programming the Pi with command (putty). To speed things up while you read on please download a copy of Raspian and install onto your SD card.

Now plug your SD card into the Pi, plug the Ethernet and the USB WiFi adapter. Now power up your Pi.

To remote onto your Pi you will need to find the IP address your Pi, if you have access to your DHCP server/home router IP table find your Pi and make a note of its IP address. Otherwise you will need to use an IP Scanner tool of some description, personally i still use Look@Lan, but you can google for one.

Load up putty and log onto the Pi.
At the login prompt username is “pi” password by default is “raspberry”, first thing let’s quickly change that. After logging in in the prompt type in:
passwd
It will prompt for current password then enter your new one twice. You will have to close and re-open your putty session.

Now quickly ping google to make sure that you can reach the internet and you also need to make sure that your WiFi adapter is recognised, type in:

ping google.co.uk

Diagnose if you can’t ping google otherwise carry on and type in the command:

ifconfig -a

Your looking for wlan0, if you don’t see it then you will need to make sure the usb WiFi is connected or you need to find yourself a new wireless adapter.

We need to install updates and add a few required packages.

sudo apt-get update && sudo apt-get install hostapd isc-dhcp-server

 

You will have an error, it’s simply saying DHCP isn’t configured. That’s what we will do now, open up the dhcpd.conf using text editor like Vim, nano…

sudo nano /etc/dhcp/dhcpd.conf

Comment out the following lines by putting a # in front

option domain-name “example.org”;
option domain-name-server ns1.example.org, ns2.example.org;

Now uncomment the word authoritative:

# If this DHCP server is the official DHCP server for the local
# network, the authoritative directive should be uncommented.
authoritative;

Now scroll right down the bottom and paste in:

subnet 192.168.10.0 netmask 255.255.255.0 { 
range 192.168.10.10 192.168.10.50; 
option broadcast-address 192.168.10.255; 
option routers 192.168.10.1; 
default-lease-time 600; 
max-lease-time 7200; 
option domain-name "local"; 
option domain-name-servers 8.8.8.8, 8.8.4.4; 
}

Save the edits (hint- CTRL + X then Y then enter).

Next, type in:

sudo nano /etc/default/isc-dhcp-server

add wlan0 between the quotes on INTERFACES=

INTERFACES=”wlan0″

Type in:

sudo nano /etc/network/interfaces

Replace everything after alow-hotplug wlan0 With this:

iface wlan0 inet static

address 192.168.10.1

netmask 255.255.255.0

Exit and save.

We need to assign the IP address for the AP so type in:

sudo ifconfig wlan0 192.168.10.1

Now we have defined a static IP address for the wireless network, and we’ve configured the DHCP server to assign IP addresses to any client connecting.

Now to configure the AP, edit the HostAP config file by typing in:

sudo nano /etc/hostapd/hostapd.conf

copy in the following lines. At this point you can edit the ssid and change the wpa_passphrase.

interface=wlan0
driver=nl80211
ssid=OnionPi
hw_mode=g
channel=1
macaddr_acl=0
auth_algs=1
ignore_broadcast_ssid=0
wpa=2
wpa_passphrase=YummyOnionPi
wpa_key_mgmt=WPA-PSK
wpa_pairwise=TKIP
rsn_pairwise=CCMP

Now we need to tell the Pi where the config file is.

sudo nano /etc/default/hostapd

Update line – DAEMON_CONF=””

with:

DAEMON_CONF=”/etc/hostapd/hostapd.conf

Finally, we need to configure the NAT rules. Type:

sudo nano /etc/sysctl.conf

At the end add:

net.ipv4.ip_forward=1

Exit and save.

Next we will update the routing tables so we connect our Ethernet and WiFi adapter together.

sudo sh -c “echo 1 > /proc/sys/net/ipv4/ip_forward”

sudo iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE
sudo iptables -A FORWARD -i eth0 -o wlan0 -m state –state RELATED,ESTABLISHED -j ACCEPT
sudo iptables -A FORWARD -i wlan0 -o eth0 -j ACCEPT
sudo sh -c “iptables-save > /etc/iptables.ipv4.nat”

Lastly for setting up the AP:

sudo nano /etc/network/interfaces

add this at the end:

up iptables-restore < /etc/iptables.ipv4.net

To test run:

sudo /usr/sbin/hostapd/etc/hostapd/hostapd.conf

Your SSID (OnionPi) network should be broadcasting. Try to connect from another machine or mobile phone you should see some debug information displayed on the screen.

Exit (CTRL-C), assuming you was able to connect and some debug data was displayed we can go-ahead and make sure its run as a service on startup. Run these commands:

sudo service hostapd start

sudo service isc-dhcp-server start

sudo update-rc.d hostapd enable

sudo update-rc.d isc-dhcp-server enable

If you get an error, try rebooting your Pi and re-run the commands.

Congratulations, your Pi is now a router. Next we will go through installing tor and configuring it.

Install Tor

type in:

sudo apt-get install tor

run:

sudo nano /etc/tor/torrc

Copy and paste this right at the top of the page.

Log notice file /var/log/tor/notices.log 
VirtualAddrNetwork 10.192.0.0/10 
AutomapHostsSuffixes .onion,.exit 
AutomapHostsOnResolve 1 
TransPort 9040 
TransListenAddress 192.168.10.1 
DNSPort 53 
DNSListenAddress 192.168.10.1

Get rid of our old routing tables and add an exception for SSH so we can still log back in. We’re adding a passthrough for DNS lookups; and directing all TCP traffic (control signals) to 9040.

sudo iptables -F
sudo iptables -t nat -F
sudo iptables -t nat -A PREROUTING -i wlan0 -p tcp –dport 22 -j REDIRECT –to-ports 22
sudo iptables -t nat -A PREROUTING -i wlan0 -p udp –dport 53 -j REDIRECT –to-ports 53
sudo iptables -t nat -A PREROUTING -i wlan0 -p tcp –syn -j REDIRECT –to-ports 9040

Save the file so it’s loaded on reboot.

sudo sh -c “iptables-save > /etc/iptables.ipv4.nat”

Enable it to start at boot, then restart so we can test it.

sudo update-rc.d tor enable
sudo shutdown -r now

Now, for a test. On mobile or another computer connect to your SSID and input your password

Check you can browse the web, If so head over to check.torproject.org

 

Congratulation, your now anonymous on the web. Well, Kinda.

To keep that the case you have to follow some simple rules.

DON’T USE WINDOWS: Life rule, just don’t. Windows is simply not the best choice of OS when using Tor. No point using Tor when using an OS with as many security bugs and vulnerabilities as Windows. Would be like robbing a shop with mask, but making sure you have a name badge showing.

SOLE PURPOSE TOR LAPTOP: Bit extreme i know, but if your seriously not wanting anyone to track you or know who you are. When ever you browse the web your consistently leaving finger prints and picking up cookies along the way.

DON’T LOG IN: Simply, why would you want to use Facebook from the Tor network? It’s SLOW and Tor works best when you don’t leave any evidence.

NEW ME: If you want to use your favorite site a be using Tor then create a new you. It’s still a thing, just create yourself a handle. If your names Jo Smith, why not become lucid dreamer. Never will the two meet, or even like each other. Split personality, it’s not just a condition, It’s a way of life.

DISABLE JavaScript, Flash and Java: Might make some websites that bit more unattractive but Tor cannot protect your data with active content such as JavaScript, Adobe Flash, Java, QuickTime, ActiveX… because these applications run with your user account’s privileges, and may get access to and share your data.

NOT 24/7: OK, we just made a Onion Pi that’s connected to the Tor network by default. That DOES NOT! replace your home router. To remain truly anonymous you will need to limit the amount of time you spend using Tor at any single location. While MI5 / FBI correlation attacks do take some time, they could be completed in as little as 24 hours. I recommend for the truly concerned to never use Tor more than 24 hours at any single physical location. After that, consider it burned and go elsewhere.

KEEP UP TO DATE PEOPLE!! IT’S NOT HARD (that’s what she said): Some of the more “famous” cases of Tor users being cough where because they didn’t patch.

DON’T GOOGLE IT: Google are well-known for openly and covertly collecting information on users’ browsing and search data to help the growth of its ads revenue. Use DuckDuckGo (http://3g2upl4pq6kufc4m.onion) this and several other search engines are anonymity-compliant services, they offer search results without logging your IP address and storing cookies on your computer. WIN WIN

 

If you have any other tips for others on browsing anonymously please post a comment.

 

STAY SAFE, WHO EVER YOU ARE?!

Leave a Reply

Your email address will not be published. Required fields are marked *