Skip to content

Instantly share code, notes, and snippets.

Created September 3, 2021 01:01
Show Gist options
  • Save fopina/8ca227ca768859f1884e9818ae290ab0 to your computer and use it in GitHub Desktop.
Save fopina/8ca227ca768859f1884e9818ae290ab0 to your computer and use it in GitHub Desktop.
onion-pi setup (reversed, WiFi as WAN)

Walkthrough to setup a raspberry pi as an onion router. Pretty much like onion-pi but WiFi as WAN instead (bonus: no hostapd required).

As a Pi0w or a Pi1 can easily be powered by the laptop USB, this setup makes a TOR-WiFi (bulky) dongle out of a Pi!!

This should (will?) be converted into an ansible playbook (or even pre-cooked image)


  • Download latest raspios
  • Dump it on an sd card, eg:
    sudo dd if=2021-05-07-raspios-buster-armhf-lite.img of=/dev/rdisk2 bs=1m
  • Mount the boot partition of the sd card (if it isn't already) and;
    • create ssh empty file to enable ssh on boot
    • create wpa_supplicant.conf to connect to your local WiFi on boot, eg:
      ctrl_interface=DIR=/var/run/wpa_supplicant GROUP=netdev
  • Unmount, plug it in the Pi and boot it. If DHCP hostname resolution is working, raspberrypi should resolve to its IP, otherwise just portscan the network on 22 :)


This all go into a session of ssh pi@raspberrypi (with default password of raspberry) and sudo -s

  • Change pi password (or create a whole new user - onion?)
  • Change hostname (update /etc/hosts and /etc/hostname)
  • Uninstall or disable services that are useless for this
    systemctl disable triggerhappy alsa-state avahi-daemon avahi-daemon.socket
  • Install tor apt install -y tor
  • Edit /etc/tor/torc and add these lines on top
    Log notice file /var/log/tor/notices.log
    AutomapHostsSuffixes .onion,.exit
    AutomapHostsOnResolve 1
  • Set up iptables
    iptables -F
    iptables -t nat -F
    iptables -t nat -A PREROUTING -i eth0 -p udp --dport 53 -j REDIRECT --to-ports 53
    iptables -t nat -A PREROUTING -i eth0 -p tcp --syn -j REDIRECT --to-ports 9040
  • Save rules
    apt install -y iptables-persistent
    iptables-save > /etc/iptables/rules.v4
  • Set static IP on eth0, by adding these lines to /etc/dhcpcd.conf
    interface eth0
    static ip_address=
  • Setup DHCP server (or not, if you don't mind the extra work for reasonable doubt)
    • Install
      apt install -y isc-dhcp-server
    • Bind server to eth0 - edit /etc/default/isc-dhcp-server and set these values:
    • Setup subnet in /etc/dhcp/dhcpd.conf
    subnet netmask {
      option routers;
      option domain-name-servers;


Static IP with dhcpcd5 sucks: it only sets the IP once cable is plugged yet TOR requires IP to be set in order to bind to it - MAKE SURE you always connect the ethernet cable to the powered laptop before turning on the Pi...

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment