Many modern home routers are essentially a mini-computer, lacking only a monitor and a keyboard/mouse. Given what these boxes are for, that is no problem at all.
As a rule, with the stock firmware a router can share the Internet over one or several LAN ports and run its own wireless network. More advanced models often add one or more USB ports for connecting, say, a printer or a flash drive with files.
The real richness of this hardware, however, is revealed with open firmware: dd-wrt for beginners, OpenWrt and other *wrt-based firmware for the more advanced.
This article focuses on setting up an anonymized wifi point based on an Asus RT-N16 router with dd-wrt firmware and optware.
The original idea is not new; it has been in the air for a long time, and one of the implementations was even
announced on Habr. The details, however, are usually missing. I could not find a ready how-to, and the gurus who obviously knew apparently had no time to write such instructions. So I had to figure it out myself, and at the same time record what was done, for the future.
So, we have a router flashed with dd-wrt. This particular model, alas, has no OpenWrt support (or at least did not at the time I needed it; a beta has since appeared, but it does not yet claim to be stable).
What else is needed? If we confine ourselves to tor alone, then perhaps nothing. You can do without optware and even without an external flash drive; you just need to find somewhere on the router to put about 1.5 MB of binary. I, however, was building not just an access point but a full-fledged home server. Its main tasks were to maintain the network (the basic services, DNS and DHCP), share the Internet, hold a small (500 gigabytes or so) file dump with NFS access (and no, I don't use Windows, so SAMBA is not needed), top up that dump with new torrents on its own, host several web pages for various handicrafts (the whole stack: lighttpd, php, mysql and even sphinx), and boot Ubuntu over the network (so that, when needed, all that has to be plugged into a "dead" machine is a network cable rather than a flash drive with the image). And that, apparently, is everything (or maybe I forgot something). So that it would all look neat on the outside, with a minimum of wires, a 640 GB hard disk for all these plans was placed right inside the router, which left a good deal of free space to spare. Tor on the router was added more out of curiosity. However, it took root and works stably.
To install and configure it, you need access to the router via telnet or (much safer) via ssh. Access is enabled, and the details can be looked up, in the dd-wrt web interface.
First install tor:
root@DD-WRT:~# ipkg install tor
Then we edit its config. With optware it lives in /opt/etc/torrc. Again, I note that the default configuration path is not mandatory at all: the program can always be started with a different configuration file, but then it has to be specified explicitly in the launch options. In that respect the default path is simply easier, as it keeps the launch command shorter.
The default config is well commented, and the basic configuration can be done just by reading those comments, without any third-party manuals. In my case the router serves the home network 192.168.1.0/24. In it I decided to run a classic tor, accessed as a socks5 proxy on port 9100. In addition, I decided to make an anonymized access point that lets users into the network 192.168.2.0/24, where all communication with the outside world goes only through tor (as a transparent proxy) or is simply cut off. In other words, we get a wifi point where, once connected, you cannot reach neighbours on the same network (192.168.2.0/24), nor my home network (192.168.1.0/24), nor the router's local services. You can only get to the Internet, and only anonymously (via tor).
For this, the following local parameters are specified in the config:
For the home network:
SocksListenAddress 192.168.1.5:9100
In essence, this means that to go to the Internet anonymously I must configure the browser to connect through a socks5 proxy at the specified address (this is the router's internal address).
For anonymous network:
TransPort 9040
TransListenAddress 192.168.2.1
DNSPort 9053
DNSListenAddress 192.168.2.1
Clients of the anonymous network never connect to these ports themselves; the specified ports and address are needed only for configuring the iptables rules.
In addition to these settings, it also makes sense to assign a virtual network address:
VirtualAddrNetwork 10.192.0.0/10
This address is needed when accessing the internal anonymous services of the tor network (the so-called 'hidden services'). These are sites in the .onion domain. No such domain exists in real life; however, inside tor, its own DNS recognizes such addresses and takes you to the right resource hidden somewhere in the depths of the network. The real IP address of such a site stays hidden and cannot be learned. For programs that first resolve the host name via DNS and only then connect to the resulting IP address, the tor daemon creates a temporary address from the specified virtual network range. In other words, when you try to connect to some superpuper.onion node, it will "resolve" to an address such as 10.192.0.1. And the program, connecting to that address, will reach the required resource through the "onion layers" of tor encryption.
As for the "public" part of the config, everything is explained in the comments of the file itself.
As a result of these settings we get a daemon that
1) is a socks proxy at the address 192.168.1.5:9100;
2) is a transparent proxy at the address 192.168.2.1 which, besides tcp traffic, also handles DNS requests.
With local socks proxy, everything is clear. Simply configure any browser in your home network to access the Internet through the specified proxy - and everything works.
Access from a remote machine is no harder (we also have an ssh console on the router, so nothing prevents you from simply forwarding the port):
ssh -L localhost:9100:192.168.1.5:9100 homerouter
After that, a socks5 proxy is available on that machine at localhost:9100.
Now configure the access point.
To do this, go to the wireless tab in the dd-wrt gui and add a virtual interface there. Think up your own name (I called it, unimaginatively, tor_network). The network configuration is unbridged (i.e. the point has no connection to other interfaces and forms a closed world of its own). In the same place we also disable masquerading and multicast and assign the network address 192.168.2.1/255.255.255.0. Then, on the wireless security tab, configure access to the point if necessary. In my case I set "disabled", i.e. created an open point.
Thus, we have two different networks working at the same time on the router: home (protected by WPA2) and the newly created tor_network, which is initially open. However, it does not give anyone any privileges, because by connecting to this open network, we will not get anywhere :)
Moving on. On the Setup / Networking tab, scroll to the very bottom, to the DHCPD section, and add an entry for the wl0.1 interface (this is, in fact, the hardware name of the new virtual wifi interface) that assigns addresses from the 192.168.2.0/24 subnet. Let's say 50 addresses starting at 100 are enough.
Now connecting to our open point, we get an internal ip-address.
It remains only to connect this point to the transparent tor.
This is done using iptables:
CRNET="192.168.2.0/24"
# every rule below applies to packets arriving on the tor_network interface
TORCMD="iptables -t nat -A PREROUTING -i wl0.1"
TORPORT="9040"
TORDNS="9053"
# transparent tor for tor_network wireless
# order matters: DNS and DHCP are handled before the catch-all drops
$TORCMD -p udp --dport 53 -j REDIRECT --to-ports $TORDNS
$TORCMD -p udp --dport 67 -j RETURN
$TORCMD -d $CRNET -j DROP
$TORCMD -p tcp --syn -j REDIRECT --to-ports $TORPORT
$TORCMD -j DROP
What are we doing here?
1. Redirect all udp traffic to port 53 (dns) to our daemon's DNS port.
2. Let all udp traffic to port 67 through untouched (dhcp lives there).
3. All other traffic addressed to the internal open network itself, wherever it comes from, is cut off.
4. Redirect all new tcp connections to our daemon's transparent proxy port.
5. Cut off all remaining traffic from the open network.
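To see why the order of these five rules matters, and to check the VirtualAddrNetwork range mentioned earlier, here is a small added example (not part of the original article or of dd-wrt). It walks constructed packets through the rules exactly as iptables would evaluate them for a packet arriving on wl0.1, and it includes a generic CIDR test so that a resolved .onion address can be checked against 10.192.0.0/10, which is not a simple octet prefix. The packet descriptions are made up for illustration; nothing here touches a real firewall.

```shell
#!/bin/sh
# Added example: simulate the five nat/PREROUTING rules for the tor_network
# interface and test addresses against CIDR ranges. Constructed input only.

CRNET="192.168.2.0/24"
TORPORT="9040"
TORDNS="9053"
VIRTNET="10.192.0.0/10"

# ip2int A.B.C.D -> 32-bit integer
ip2int() {
    IFS=. read -r a b c d <<EOF
$1
EOF
    echo $(( (a << 24) | (b << 16) | (c << 8) | d ))
}

# in_cidr IP NETWORK/PREFIX -> exit status 0 if IP lies inside the range
in_cidr() {
    ip=$(ip2int "$1")
    net=$(ip2int "${2%/*}")
    bits=${2#*/}
    mask=$(( 0xFFFFFFFF ^ ((1 << (32 - bits)) - 1) ))
    [ $(( ip & mask )) -eq $(( net & mask )) ]
}

# verdict PROTO DPORT DST [syn] -> what the chain does with the packet
# (same order as the iptables script: DNS, DHCP, drop-to-subnet, TCP, drop)
verdict() {
    proto=$1; dport=$2; dst=$3; flags=${4:-}
    # rule 1: DNS queries go to the Tor DNSPort, even if aimed at 192.168.2.1
    if [ "$proto" = udp ] && [ "$dport" = 53 ]; then
        echo "REDIRECT:$TORDNS"; return
    fi
    # rule 2: DHCP is returned to the default policy (ACCEPT) untouched
    if [ "$proto" = udp ] && [ "$dport" = 67 ]; then
        echo "ACCEPT"; return
    fi
    # rule 3: anything else addressed to the open subnet itself is dropped
    if in_cidr "$dst" "$CRNET"; then
        echo "DROP"; return
    fi
    # rule 4: new TCP connections are handed to the Tor TransPort
    if [ "$proto" = tcp ] && [ "$flags" = syn ]; then
        echo "REDIRECT:$TORPORT"; return
    fi
    # rule 5: everything remaining (other UDP, ICMP, ...) is dropped
    echo "DROP"
}

# report: print a verdict table for a few constructed packets
report() {
    printf '%-5s %-5s %-16s %s\n' proto dport dst verdict
    for pkt in "udp 53 192.168.2.1" "udp 67 255.255.255.255" \
               "tcp 80 192.168.2.1 syn" "tcp 22 192.168.1.5 syn" \
               "tcp 443 93.184.216.34 syn" "udp 123 93.184.216.34"; do
        set -- $pkt
        printf '%-5s %-5s %-16s %s\n' "$1" "$2" "$3" "$(verdict "$@")"
    done
}

report
```

The table shows the two properties the text relies on: a DNS query to the router's own address is redirected to tor (rule 1 runs before rule 3), while a connection to the router's web interface on the same address, or to anything on the home network, never reaches it. Note that the /10 check matters: 10.191.255.255 looks like a "10.19x" address but lies outside VirtualAddrNetwork.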
This script can be inserted into Administration / commands and saved as a firewall script.
Now we check that it works: connect to the tor_network point and open the address
check.torproject.org/ . We should see a green onion and congratulations on a successful setup. Next, try to open the address
duskgytldkxiuqc6.onion/ . If everything is in order, the address will open after some delay. No settings at all are required on the client side; we simply connect to the open tor_network wifi network and thereby automatically find ourselves hidden behind a multi-layer anonymizing proxy.
As an added bonus, anonymity is somewhat higher from the start, since the daemon running on the router writes no logs anywhere by default and leaves no traces in the system.