In this guide I will show you how to set up an Onion Pi that you connect to the ethernet port on your computer instead of setting up a wireless access point. We will be using Wi-Fi for our source network connection, but with some modifications (change wlanX to ethX) you can use a USB ethernet cable instead. When you connect a network cable from your computer to the Raspberry Pi, you will receive an IP address from the DHCP server and all your traffic will be routed through the TOR network.
I have been using the following sources with some modifications to make this work:
https://learn.adafruit.com/setting-up-a-raspberry-pi-as-a-wifi-access-point/
https://gist.github.com/superjamie/ac55b6d2c080582a3e64
https://learn.adafruit.com/onion-pi/install-tor
Feel free to check them out!
Flash Raspbian Lite (https://downloads.raspberrypi.org/raspbian_lite_latest) to the SD card on your Raspberry Pi.
Log into the Raspberry Pi via SSH or with a keyboard and screen.
You have to expand your filesystem, or else you might run out of space!
Type in the command sudo raspi-config to:
- Expand the root filesystem
- Configure the right keyboard map and timezone
- Go to Advanced, choose Memory Split and change it to 16Mb (the minimum)
- You might also want to consider overclocking your RPi to Moderate
- Reboot
Alright! Now we can start by configuring the network interface. Remember, we will use the Wireless interface (wlan0/wlan1) as the source interface. The first thing to do is to check if your interface is recognised in Raspbian with iwconfig
You will most likely see this message:
wlan0 unassociated Nickname:"<WIFI@REALTEK>"
Mode:Auto Frequency=2.412 GHz Access Point: Not-Associated
Sensitivity:0/0
Retry:off RTS thr:off Fragment thr:off
Encryption key:off
Power Management:off
Link Quality:0 Signal level:0 Noise level:0
Rx invalid nwid:0 Rx invalid crypt:0 Rx invalid frag:0
Tx excessive retries:0 Invalid misc:0 Missed beacon:0
This means that your wireless interface is named wlan0.
Some Atheros cards (ath9k_htc/ath9k) might identify themselves as wlan1. If you are using such a card, change all references to wlan0 in this guide to wlan1.
Raspbian uses wpa_supplicant to connect to wireless networks. Edit the configuration file with:
sudo nano /etc/wpa_supplicant/wpa_supplicant.conf
Add these lines to the bottom:
network={
ssid="YOUR ESSID"
psk="YOUR WIFI PASSWORD"
}
Save the file with CTRL+X and choose Y
You will have to change the SSID and password to your own values. Remember, these are case sensitive.
wpa_supplicant will automatically detect changes to the configuration file. Wait about 15 seconds and type iwconfig again to see if your connection was successful. You might want to restart your Raspberry Pi with:
sudo reboot
We will be using isc-dhcp-server for allocating IP addresses to the client. You will also be able to connect the Raspberry Pi to an ethernet switch if you want to use the TOR service on multiple computers at once.
Update your package lists and install isc-dhcp-server
sudo apt-get update
sudo apt-get install isc-dhcp-server
Now we will edit the configuration file for isc-dhcp-server
sudo nano /etc/dhcp/dhcpd.conf
Comment out these lines with #
#option domain-name "example.org";
#option domain-name-servers ns1.example.org, ns2.example.org;
Uncomment this line (Remove the #)
authoritative;
And add these lines to the bottom of the configuration file:
subnet 192.168.10.0 netmask 255.255.255.0 {
range 192.168.10.10 192.168.10.50;
option broadcast-address 192.168.10.255;
option routers 192.168.10.1;
default-lease-time 600;
max-lease-time 7200;
option domain-name "local";
option domain-name-servers 8.8.8.8, 8.8.4.4;
}
Now you want to make the DHCP server run on your ethernet card. Edit this file:
sudo nano /etc/default/isc-dhcp-server
Go to INTERFACES="" and update it to say INTERFACES="eth0"
Save the file with CTRL+X and Y
Now you will have to set a static IP for the interface eth0. The Wi-Fi interface should be dynamic so you can carry the Onion Pi with you and change networks easily.
Edit this file:
sudo nano /etc/network/interfaces
Change the values for eth0 to:
iface eth0 inet static
address 192.168.10.1
netmask 255.255.255.0
Save the file with CTRL-X and Y (as usual)
Now you want to reload the eth0 interface AND set the static IP manually with:
sudo ifdown eth0
sudo ifup eth0
sudo ifconfig eth0 192.168.10.1
Also, I had some issues with Raspbian not setting the static IP to 192.168.10.1 at boot, so we will also edit the /etc/rc.local file with:
sudo nano /etc/rc.local
Add these lines to the file BEFORE exit 0
# Change IP for eth0
sudo ifconfig eth0 192.168.10.1
We will have to configure NAT for packet forwarding, or else you will not be able to access the internet on the eth0 interface. Edit the /etc/sysctl.conf file with:
sudo nano /etc/sysctl.conf
Find the line #net.ipv4.ip_forward=1 and uncomment it. It should look like this:
net.ipv4.ip_forward=1
Save and close with CTRL+X and Y
Also, run this line to activate forwarding immediately:
sudo sh -c "echo 1 > /proc/sys/net/ipv4/ip_forward"
Now we will configure the firewall to accept network traffic from the wlan0 interface to the eth0 interface, so we can access the internet.
Enter these lines:
sudo iptables -t nat -A POSTROUTING -o wlan0 -j MASQUERADE
sudo iptables -A FORWARD -i wlan0 -o eth0 -m state --state RELATED,ESTABLISHED -j ACCEPT
sudo iptables -A FORWARD -i eth0 -o wlan0 -j ACCEPT
To save these settings and make them persistent, we will use iptables-persistent. Install it with the following command:
sudo apt-get install iptables-persistent
The installation will ask you if you want to save your existing tables (IPv4 and IPv6), answer yes to both of them. When you are done, make iptables-persistent start at boot with:
sudo systemctl enable netfilter-persistent
Now we will test the DHCP server to make sure it's working as it should. First we will start the service and check the status.
sudo service isc-dhcp-server start
sudo service isc-dhcp-server status
If the service is running without any issues (active, running), make the DHCP server run at boot with:
sudo update-rc.d isc-dhcp-server enable
Reboot your Raspberry Pi with:
sudo reboot
After the reboot, connect a network cable to your Raspberry Pi; you should now be able to connect to the internet. Next we will install TOR.
Now you have a functioning Raspberry Pi router, but we want to relay all traffic through the TOR network. Install TOR with:
sudo apt-get update
sudo apt-get install tor
Now we want to edit the TOR configuration file with:
sudo nano /etc/tor/torrc
Paste the following into the file, right below the FAQ notice:
Log notice file /var/log/tor/notices.log
VirtualAddrNetwork 10.192.0.0/10
AutomapHostsSuffixes .onion,.exit
AutomapHostsOnResolve 1
TransPort 9040
TransListenAddress 192.168.10.1
DNSPort 53
DNSListenAddress 192.168.10.1
Save the file with CTRL+X and Y
TOR needs some additional iptables rules to route your traffic through the TOR network. Run these commands:
sudo iptables -t nat -A PREROUTING -i eth0 -p tcp --dport 22 -j REDIRECT --to-ports 22
sudo iptables -t nat -A PREROUTING -i eth0 -p udp --dport 53 -j REDIRECT --to-ports 53
sudo iptables -t nat -A PREROUTING -i eth0 -p tcp --syn -j REDIRECT --to-ports 9040
Since we installed iptables-persistent, save the rules with:
sudo netfilter-persistent save
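The three redirects above catch only TCP connection attempts and DNS; the FORWARD and MASQUERADE rules added earlier for plain routing are still loaded, so other traffic from eth0 (UDP other than DNS, ICMP) is forwarded out wlan0 without touching TOR. The following is an added example, not part of the original guide, that audits an iptables-save dump for that path. The sample dumps are constructed, and the hardened variant (FORWARD policy DROP) is an assumption rather than the guide's configuration.

```shell
#!/bin/sh
# LAN-side interface and Tor ports as configured in this guide.
LAN_IF=eth0; TRANS_PORT=9040; DNS_PORT=53

# Constructed sample: `sudo iptables-save` after following the guide (chain headers trimmed).
REDIRECTS='-A PREROUTING -i eth0 -p tcp -m tcp --dport 22 -j REDIRECT --to-ports 22
-A PREROUTING -i eth0 -p udp -m udp --dport 53 -j REDIRECT --to-ports 53
-A PREROUTING -i eth0 -p tcp -m tcp --tcp-flags FIN,SYN,RST,ACK SYN -j REDIRECT --to-ports 9040'
GUIDE_RULES="*nat
$REDIRECTS
-A POSTROUTING -o wlan0 -j MASQUERADE
COMMIT
*filter
:FORWARD ACCEPT [0:0]
-A FORWARD -i wlan0 -o eth0 -m state --state RELATED,ESTABLISHED -j ACCEPT
-A FORWARD -i eth0 -o wlan0 -j ACCEPT
COMMIT"
# Constructed hardened variant (an assumption, not the guide's ruleset): nothing is forwarded.
HARDENED_RULES="*nat
$REDIRECTS
COMMIT
*filter
:FORWARD DROP [0:0]
COMMIT"

has_rule() { printf '%s\n' "$rules" | grep -Eq -- "$1"; }  # true if any line of $rules matches

# Prints one finding code per line; returns 1 if anything was found.
audit_tor_rules() {
    rules=$1; found=0; pre="^-A PREROUTING -i $LAN_IF "
    # TCP connection attempts must land on Tor's TransPort.
    has_rule "${pre}-p tcp .*SYN -j REDIRECT --to-ports $TRANS_PORT\$" \
        || { echo NO_TCP_REDIRECT; found=1; }
    # DNS lookups must land on Tor's DNSPort, not the DHCP-advertised resolver.
    has_rule "${pre}-p udp .*--dport 53 -j REDIRECT --to-ports $DNS_PORT\$" \
        || { echo NO_DNS_REDIRECT; found=1; }
    # Whatever the redirects miss follows the FORWARD chain: an ACCEPT rule for
    # eth0, or an ACCEPT policy with no drop for eth0, is a path around Tor.
    if has_rule "^-A FORWARD (.* )?-i $LAN_IF .*-j ACCEPT" ||
       { has_rule '^:FORWARD ACCEPT' && ! has_rule "^-A FORWARD -i $LAN_IF -j (DROP|REJECT)"; }; then
        echo CLEARNET_FORWARD; found=1
    fi
    return $found
}

audit_tor_rules "$GUIDE_RULES" || echo "the guide's ruleset leaves a path around Tor"
```

On the Pi, feed it the live ruleset with audit_tor_rules "$(sudo iptables-save)".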
We'll create our log file (handy for debugging) with:
sudo touch /var/log/tor/notices.log
sudo chown debian-tor /var/log/tor/notices.log
sudo chmod 644 /var/log/tor/notices.log
We have configured TOR. Now it's time to test it out. Start the TOR service and check status with:
sudo service tor start
sudo service tor status
If TOR is running with no issues (active, running), activate it at boot with:
sudo update-rc.d tor enable
Type in the following command to restart your Raspberry Pi:
sudo reboot
Plug in the network cable to your Raspberry Pi, and all your traffic will be relayed through the TOR network. I hope you enjoyed this guide, and please leave a comment if you have any suggestions or questions regarding this guide.
How can I "unlock" VNC connections through eth0?