@schamp
Last active December 24, 2016 20:36
How to make an OnionCHIP, a Tor transparent proxy access point for Next Thing Co's C.H.I.P.

# 0. Initial Setup

## 0.0 Connect with USB Serial

Connect your CHIP to your PC with a USB data cable, then login:

```
$ ls /dev/tty.usb*
/dev/tty.usbmodem201413
$ screen /dev/tty.usbmodem201413
Debian GNU/Linux 8 chip ttyGS0

chip login: root
Password:
Last login: Thu Jan  1 00:01:46 UTC 1970 on ttyGS0
Linux chip 4.4.13-ntc-mlc #1 SMP Tue Dec 6 21:38:00 UTC 2016 armv7l

The programs included with the Debian GNU/Linux system are free software;
the exact distribution terms for each program are described in the
individual files in /usr/share/doc/*/copyright.

Debian GNU/Linux comes with ABSOLUTELY NO WARRANTY, to the extent
permitted by applicable law.
root@chip:~#
```

## 0.1 Make sure your CHIP's firmware is at least 4.4.13-ntc-mlc:

```
chip@chip:~$ uname -a
Linux chip 4.4.13-ntc-mlc #1 SMP Tue Dec 6 21:38:00 UTC 2016 armv7l GNU/Linux
```

If you need to update it, use the C.H.I.P. Flasher, then start over from the beginning.

## 0.2 Change Passwords

Remember, the default username/password is chip/chip and the root credentials are root/chip. Log in and change them immediately:

```
root@chip:~# passwd
Enter new UNIX password:
Retype new UNIX password:
passwd: password updated successfully
root@chip:~# passwd chip
Enter new UNIX password:
Retype new UNIX password:
passwd: password updated successfully
root@chip:~#
```

## 0.3 Set terminal configuration

On my Macbook, the default $TERM setting was vt102, which caused garbled text when running nmtui later:

```
chip@chip:~$ echo $TERM
vt102
```

Set it to ANSI to prevent problems with the networking UI text later:

```
chip@chip:~$ echo "TERM=ansi" >> ~/.bashrc
chip@chip:~$ cat ~/.bashrc
TERM=ansi
chip@chip:~$ bash
chip@chip:~$ echo $TERM
ansi
```

Do this for root also:

```
chip@chip:~$ sudo sh -c "echo TERM=ansi >> /root/.bashrc"
chip@chip:~$ sudo cat /root/.bashrc
TERM=ansi
```

## 0.4 Set up networking

This upstanding human being said it pretty well, so I'm just going to copy it in:

> At this point you'll probably feel an urge to put on fingerless gloves and mutter "i'm in", but we have work to do here. First order of business is to connect to the internet. Type nmtui to open up network manager's curses based interface.
> ```
> ┌─┤ NetworkManager TUI ├──┐
> │                         │
> │ Please select an option │
> │                         │
> │ Edit a connection       │
> │ Activate a connection   │
> │ Set system hostname     │
> │                         │
> │ Quit                    │
> │                         │
> │                    <OK> │
> │                         │
> └─────────────────────────┘
> ```
> Pretty nifty eh? You can move your cursor around with the arrow keys and select with the enter key. Choose Activate a connection and then select your network from the list. You will then be prompted to enter the password. Exit out of nmtui and open it back up again, this time selecting Edit a connection. You'll see lots of scary options, but the important ones are at the bottom. Scroll down the whole way using the arrow buttons.
> ```
> ┌───────────────────────────┤ Edit Connection ├───────────────────────────┐
> │                                                                        ↑│
> │ │               Mode <Client>                                          ▒│
> │ │                                                                      ▒│
> │ │           Security <WPA & WPA2 Personal>                             ▒│
> │ │           Password *************___________________________          ▒│
> │ │                    [ ] Show password                                 ▒│
> │ │                                                                      ▒│
> │ │              BSSID ________________________________________          ▒│
> │ │ Cloned MAC address ________________________________________          ▒│
> │ │                MTU __________ (default)                              ▒│
> │ └                                                                      ▒│
> │                                                                        ▒│
> │ ═ IPv4 CONFIGURATION <Automatic>                              <Show>   ▒│
> │ ═ IPv6 CONFIGURATION <Automatic>                              <Show>   ▒│
> │                                                                        ▒│
> │ [X] Automatically connect                                              ▒│
> │ [X] Available to all users                                             ▒│
> │                                                                        ▒│
> │                                                           <Cancel> <OK>▮│
> │                                                                        ↓│
> └─────────────────────────────────────────────────────────────────────────┘
> ```
> The important options are the ones that say [X] Automatically connect and [X] Available to all users. Make sure both are connected and you are done. The CHIP will automatically connect to the proper network and the password will be saved.

## 0.5 Install tooling

```
chip@chip:~$ sudo apt-get update && sudo apt-get install aptitude vim
```

## 0.6 Update system

```
chip@chip:~$ sudo aptitude safe-upgrade
```

# 1. Set up DHCP Server

This fine person said it best, but I'm going to copy the relevant part here for simplicity:

> Install dnsmasq:
>
> `sudo apt-get install dnsmasq`
>
> The file /etc/default/dnsmasq has the enable flag for running as daemon, if needed. Create a configuration file to restrict DHCP injections on client network interface. With this wlan0 becomes a way to connect to a network, and wlan1 becomes CHIP's access point.
>
> `sudo nano /etc/dnsmasq.d/access_point.conf`
>
> add the lines
> ```
> #If you want dnsmasq to listen for DHCP and DNS requests only on
> #specified interfaces (and the loopback) give the name of the
> #interface (eg eth0) here.
> #Repeat the line for more than one interface.
> interface=wlan1
> #Or you can specify which interface not to listen on
> except-interface=wlan0
> ```
> we also want to set the range and time of leases:
> ```
> #Uncomment this to enable the integrated DHCP server, you need
> #to supply the range of addresses available for lease and optionally
> #a lease time. If you have more than one network, you will need to
> #repeat this for each network on which you want to supply DHCP
> #service.
> dhcp-range=172.20.0.100,172.20.0.250,1h
> ```

> Create a file to set up a static IP for the access point:
>
> `sudo nano /etc/network/interfaces`
>
> and have the contents like so:
> ```
> # interfaces(5) file used by ifup(8) and ifdown(8)
> # Include files from /etc/network/interfaces.d:
> source-directory /etc/network/interfaces.d
>
> auto wlan1
> iface wlan1 inet static
> 	address 172.20.0.1
> 	netmask 255.255.255.0
> ```
> Confirm that the static IP is assigned:
>
> `sudo ifup wlan1`
>
> `ip addr show wlan1`
>
> and you'll see the address listed
>
> `inet 172.20.0.1`
>
> now restart the DHCP server that dnsmasq provides
>
> `sudo /etc/init.d/dnsmasq restart`
>
> We have just tested the IP configuration portion.
> Now we can configure the WiFi access point on wlan1.
> Create a config file:
>
> `sudo nano /etc/hostapd.conf`
>
> and add the lines:

Now I'm going to interject here, because the [Adafruit Instructions for OnionPi here](https://learn.adafruit.com/onion-pi/install-tor) I think have a better access point configuration:

```
interface=wlan1
ssid=
hw_mode=g
channel=6
macaddr_acl=0
auth_algs=1
# don't require clients to know SSID (i.e., broadcast it)
# set this value to 1 if you want to send empty SSID and ignore probe requests
ignore_broadcast_ssid=0
wpa=2
wpa_passphrase=
wpa_key_mgmt=WPA-PSK
wpa_pairwise=TKIP
rsn_pairwise=CCMP
ctrl_interface=/var/run/hostapd
```

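As an added check that is not part of this gist or of hostapd, the script below lints a hostapd.conf for what keeps this configuration from coming up (a blank ssid or passphrase, a passphrase outside the 8..63 characters hostapd accepts) and confirms the WPA2 cipher is CCMP. The config above is embedded as a constructed sample, and `fill_conf` with its example SSID and passphrase is a hypothetical helper.

```shell
#!/bin/sh
# Lint a hostapd.conf before enabling hostapd-systemd. hostapd refuses to
# start on an empty ssid (max 32 bytes) or a wpa_passphrase outside 8..63
# characters, and with wpa=2 only rsn_pairwise is used, so that is the
# cipher clients actually get. CONF is a constructed copy of the config above.
CONF=$(mktemp)
cat > "$CONF" <<'EOF'
interface=wlan1
ssid=
hw_mode=g
channel=6
macaddr_acl=0
auth_algs=1
ignore_broadcast_ssid=0
wpa=2
wpa_passphrase=
wpa_key_mgmt=WPA-PSK
wpa_pairwise=TKIP
rsn_pairwise=CCMP
ctrl_interface=/var/run/hostapd
EOF

# Value of one key (first occurrence; comments and other keys ignored).
conf_val() { sed -n "s/^$2=//p" "$1" | head -n1; }

# Return 0 if hostapd would start this file with WPA2-PSK/CCMP, else 1.
lint_hostapd() {
  f=$1; ssid=$(conf_val "$f" ssid); pass=$(conf_val "$f" wpa_passphrase)
  if [ -z "$ssid" ] || [ "${#ssid}" -gt 32 ]; then
    echo "ssid must be 1..32 characters"; return 1; fi
  if [ "${#pass}" -lt 8 ] || [ "${#pass}" -gt 63 ]; then
    echo "wpa_passphrase must be 8..63 characters"; return 1; fi
  [ "$(conf_val "$f" wpa)" = 2 ] || { echo "wpa must be 2 (WPA2 only)"; return 1; }
  [ "$(conf_val "$f" wpa_key_mgmt)" = WPA-PSK ] || { echo "wpa_key_mgmt must be WPA-PSK"; return 1; }
  [ "$(conf_val "$f" rsn_pairwise)" = CCMP ] || { echo "rsn_pairwise must be CCMP"; return 1; }
  return 0
}

# Hypothetical helper: fill the two blanks (SSID, passphrase) and print the result.
fill_conf() { sed -e "s/^ssid=.*/ssid=$2/" -e "s/^wpa_passphrase=.*/wpa_passphrase=$3/" "$1"; }

lint_hostapd "$CONF" || echo "as written above, hostapd would not start this file"
```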
Now back to the other instructions:
> then we can start the access point with
>
> `sudo hostapd /etc/hostapd.conf`
>
> You'll see the network come up on another device, like your laptop or tablet or phone:
>
> `<Your SSID>`
>
> Now we would like to configure CHIP to create the access point automatically on boot.
> We can setup a systemd service to do our bidding. We give the service a unique name, so it doesn't conflict with the systemV stuff in init.d:
>
> `sudo nano /lib/systemd/system/hostapd-systemd.service`
>
> Fill the service file with these contents:
> ```
> [Unit]
> Description=hostapd service
> Wants=network-manager.service
> After=network-manager.service
> Wants=module-init-tools.service
> After=module-init-tools.service
> ConditionPathExists=/etc/hostapd.conf
> 
> [Service]
> ExecStart=/usr/sbin/hostapd /etc/hostapd.conf
> 
> [Install]
> WantedBy=multi-user.target
> ```

> Disable the existing systemV script for booting hostapd:
>
> `sudo update-rc.d hostapd disable`
>
> Now we can setup the systemd service with these commands:
>
> `sudo systemctl daemon-reload`
>
> `sudo systemctl enable hostapd-systemd`
>
> Reboot or test with these commands:
>
> `sudo systemctl start hostapd-systemd`
>
> `systemctl status hostapd-systemd`
>
> The access point and DHCP server should be accessible from other devices!

# 2. Set up Tor

Install tor:

```
chip@chip:~$ sudo aptitude install tor
```

Now here's Adafruit again:

> Edit the tor config file by running
>
> `sudo nano /etc/tor/torrc`
>
> and copy and paste the text into the top of the file, right below the FAQ notice.
> ```
> Log notice file /var/log/tor/notices.log
> VirtualAddrNetwork 10.192.0.0/10
> AutomapHostsSuffixes .onion,.exit
> AutomapHostsOnResolve 1
> TransPort 9040
> TransListenAddress 172.20.0.1
> DNSPort 9053
> DNSListenAddress 172.20.0.1
> ```
> ...
>
> Next we'll create our log file (handy for debugging) with
> ```
> sudo touch /var/log/tor/notices.log
> sudo chown debian-tor /var/log/tor/notices.log
> sudo chmod 644 /var/log/tor/notices.log
> ```

> Check it with
>
> `ls -l /var/log/tor`
>
> Start the tor service manually
>
> `sudo service tor start`
>
> Check it's really running (you can run this whenever you're not sure; if something is wrong you'll see a big FAIL notice)
>
> `sudo service tor status`
>
> Finally, make it start on boot
>
> `sudo update-rc.d tor enable`

# 3. Set up IP Forwarding

## 3.1 Prepare for making rules persistent

Life is easier if we use the iptables-persistent package:

```
chip@chip:~$ sudo aptitude install iptables-persistent
```

It will ask you about saving the current rules, select "no" for IPv4 and IPv6 (we'll do that later):

```
Package configuration

 ┌────────────────────┤ Configuring iptables-persistent ├────────────────────┐
 │                                                                           │
 │ Current iptables rules can be saved to the configuration file             │
 │ /etc/iptables/rules.v4. These rules will then be loaded automatically     │
 │ during system startup.                                                    │
 │                                                                           │
 │ Rules are only saved automatically during package installation. See the   │
 │ manual page of iptables-save(8) for instructions on keeping the rules     │
 │ file up-to-date.                                                          │
 │                                                                           │
 │ Save current IPv4 rules?                                                  │
 │                                                                           │
 │                    <Yes>                       <No>                       │
 │                                                                           │
 └───────────────────────────────────────────────────────────────────────────┘
```

## 3.2 Set up forwarding rules

Again, here's Adafruit (updated to use wlan1 instead of wlan0):

> Time to change our ip routing tables so that connections via the wifi interface (wlan0) will be routed through the tor software. Type the following to flush the old rules from the ip NAT table
> ```
> sudo iptables -F
> sudo iptables -t nat -F
> ```
> If you want to be able to ssh to your Pi after this, you'll need to add an exception for port 22 like this (not shown in the screenshot below)
>
> `sudo iptables -t nat -A PREROUTING -i wlan1 -p tcp --dport 22 -j REDIRECT --to-ports 22`

Note that at this stage, you might get an error:

`iptables: No chain/target/match by that name`

If you do, you need to install the nf_nat_redirect kernel module. Follow [these instructions](https://bbs.nextthing.co/t/ready-made-chip-image-with-nat-ip-table-support/11609/30); the archive is built for the 4.4.13-ntc-mlc kernel from step 0.1, so the module directory below must match your `uname -r`:

```
sudo bash
cd /lib/modules/4.4.13-ntc-mlc/kernel/net
wget https://dl.dropboxusercontent.com/u/48891705/chip/4.4.13-ntc-mlc/netfilter.tar
tar -xf netfilter.tar
rm netfilter.tar
depmod
```

> 
> Type the following to route all DNS (UDP port 53) from interface wlan0 to internal port 53 (DNSPort in our torrc)
> 
> `sudo iptables -t nat -A PREROUTING -i wlan1 -p udp --dport 53 -j REDIRECT --to-ports 9053`
> 
> Type the following to route all TCP traffic from interface wlan0 to port 9040 (TransPort in our torrc)
> 
> `sudo iptables -t nat -A PREROUTING -i wlan1 -p tcp --syn -j REDIRECT --to-ports 9040`
> 
> Next you can check that the ip tables are right with
> 
> `sudo iptables -t nat -L`
> 

## 3.3 Save the rules so they will be installed at boot (from [AskUbuntu](http://askubuntu.com/questions/117155/do-i-need-to-restore-iptable-rules-everytime-on-boot)):

```
chip@chip:$ sudo sh -c "iptables-save > /etc/iptables/rules.v4"
chip@chip:$ sudo sh -c "ip6tables-save > /etc/iptables/rules.v6"
```


# 4. Testing
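Nothing is listed under Testing in the gist, so here is an added check (not from the gist or Adafruit) that reads torrc against the saved rules.v4 and confirms that the UDP/53 and TCP SYN redirects point at DNSPort and TransPort on the access-point interface, and that the SSH exception precedes the catch-all rule. Both files are constructed inline from the values used above and written to temporary files; on the CHIP you would pass /etc/tor/torrc and /etc/iptables/rules.v4 instead.

```shell
#!/bin/sh
# Cross-check torrc against the saved iptables rules of the OnionCHIP
# transparent proxy. Both files below are constructed samples built from
# the values used in this gist, so the check runs anywhere.
TORRC=$(mktemp); RULES=$(mktemp)
cat > "$TORRC" <<'EOF'
Log notice file /var/log/tor/notices.log
VirtualAddrNetwork 10.192.0.0/10
AutomapHostsOnResolve 1
TransPort 9040
TransListenAddress 172.20.0.1
DNSPort 9053
DNSListenAddress 172.20.0.1
EOF
# iptables-save renders "--syn" as the explicit tcp-flags match.
cat > "$RULES" <<'EOF'
*nat
:PREROUTING ACCEPT [0:0]
-A PREROUTING -i wlan1 -p tcp -m tcp --dport 22 -j REDIRECT --to-ports 22
-A PREROUTING -i wlan1 -p udp -m udp --dport 53 -j REDIRECT --to-ports 9053
-A PREROUTING -i wlan1 -p tcp -m tcp --tcp-flags FIN,SYN,RST,ACK SYN -j REDIRECT --to-ports 9040
COMMIT
EOF

# Value of a torrc option (first occurrence wins).
torrc_opt() { awk -v k="$2" '$1==k {print $2; exit}' "$1"; }
# Line number of the first rule matching a pattern, empty if none.
rule_line() { grep -n -- "$2" "$1" | head -n1 | cut -d: -f1; }

# Return 0 if the redirects agree with torrc on the given interface, else 1.
# Note: these rules only cover TCP SYN and UDP/53 from clients; they say
# nothing about any other traffic.
check_tor_redirects() {
  torrc=$1; rules=$2; iface=${3:-wlan1}
  trans=$(torrc_opt "$torrc" TransPort); dns=$(torrc_opt "$torrc" DNSPort)
  dns_line=$(rule_line "$rules" "-i $iface -p udp .*--dport 53 -j REDIRECT --to-ports $dns\$")
  syn_line=$(rule_line "$rules" "-i $iface -p tcp .*SYN -j REDIRECT --to-ports $trans\$")
  ssh_line=$(rule_line "$rules" "-i $iface -p tcp .*--dport 22 -j REDIRECT --to-ports 22\$")
  [ -n "$dns_line" ] || { echo "no UDP/53 redirect to DNSPort $dns on $iface"; return 1; }
  [ -n "$syn_line" ] || { echo "no TCP SYN redirect to TransPort $trans on $iface"; return 1; }
  # nat PREROUTING stops at the first match, so the SSH exception must come first.
  if [ -n "$ssh_line" ] && [ "$ssh_line" -gt "$syn_line" ]; then
    echo "SSH exception sits after the catch-all rule and will never match"; return 1
  fi
  return 0
}

check_tor_redirects "$TORRC" "$RULES" && echo "torrc and saved rules agree on wlan1"
```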

# References
 * https://bbs.nextthing.co/t/setting-up-chip-as-a-headless-server-with-minimal-tools/1505
 * https://slack-files.com/T02GVC9G6-F0H7G3WCT-25e7dfb781
 * https://bbs.nextthing.co/t/ready-made-chip-image-with-nat-ip-table-support/11609/30
 * http://askubuntu.com/questions/117155/do-i-need-to-restore-iptable-rules-everytime-on-boot