
Make an anonymous access point based on Raspberry Pi and TOR

Hi, Habr!

What put me off using the TOR network was having to deal with program settings every time; I wanted a more general solution that lived outside the PC being used. The other day I came across this project and realized that it would solve all my difficulties. But since the project was frozen, I decided to experiment and build such an access point myself.

Now this Raspberry Pi (well, little red!) is giving away an anonymous internet connection within my apartment:


In this article I will tell you how I taught my “raspberry” to act as an access point that sends all TCP traffic through the TOR network. Details are below the cut.

Preparation


So, what do we need:

I bought my Raspberry Pi here, but delivery to the Russian Federation was refused with reference to a “too unpredictable post service”, so for many it will be more convenient to use the following store or find a third option.

The WiFi adapter I chose was this one: Nano WiFi Dongle.

We start the setup assuming that Raspbian OS is already installed on the “raspberry”. You can always get a pre-installed image from the device’s official website, or go through the whole process from scratch by downloading the installer.

First of all, we connect the device to the wired network and install the necessary software; other packages are either already present in the system or will be pulled in as dependencies:

 apt-get update
 # optional: upgrade the installed packages
 #apt-get upgrade -y
 apt-get install -y tor isc-dhcp-server hostapd iptables-persistent

This completes the preparatory part.

Configure the access point


We physically connect the WiFi adapter and add the following lines to the /etc/network/interfaces file:

 auto wlan0
 iface wlan0 inet static
     address 192.168.55.1
     netmask 255.255.255.0

We configure hostapd, the daemon that turns our device into an access point. First, specify the path to the configuration file in /etc/default/hostapd:

 DAEMON_CONF="/etc/hostapd/hostapd.conf" 

Next, fill in the configuration file itself, /etc/hostapd/hostapd.conf:

 interface=wlan0
 # network name
 ssid=anonymous_ap
 hw_mode=g
 # radio channel
 channel=11
 # MAC address filtering: 0 = accept unless listed in the deny file
 macaddr_acl=0
 # wpa=0 leaves the network open (no encryption);
 # to require a passphrase, set it to 1 and uncomment the lines below
 wpa=0
 #wpa_key_mgmt=WPA-PSK
 #wpa_pairwise=TKIP CCMP
 #wpa_ptk_rekey=600
 # the passphrase itself
 #wpa_passphrase=hidemyass

Activating the 802.11n standard, which this adapter supports, turned out to be slightly non-trivial:

 # iwgetid --protocol wlan0
 wlan0     Protocol Name:"IEEE 802.11bgn"

Simply changing the hw_mode parameter to “n” had a negative result: the wireless connection did not come up after the restart:

 # /etc/init.d/hostapd restart
 [ ok ] Stopping advanced IEEE 802.11 management: hostapd.
 [FAIL] Starting advanced IEEE 802.11 management: hostapd failed!
 # tail /var/log/syslog | grep 'anonymous-ap'
 Oct 21 09:31:37 anonymous-ap ifplugd(mon.wlan0)[7490]: Link beat lost.
 Oct 21 09:31:38 anonymous-ap ifplugd(mon.wlan0)[7490]: Exiting.
 Oct 21 09:31:38 anonymous-ap ifplugd(wlan0)[1684]: Link beat lost.
 Oct 21 09:31:48 anonymous-ap ifplugd(wlan0)[1684]: Executing '/etc/ifplugd/ifplugd.action wlan0 down'.
 Oct 21 09:31:49 anonymous-ap ifplugd(wlan0)[1684]: Program executed successfully.

It turns out that hw_mode should stay at “g”, with the line “ieee80211n=1” added, which is what we do, restarting the daemon along the way:

 echo -e "\nieee80211n=1" >> /etc/hostapd/hostapd.conf
 service hostapd restart

Next, we configure DHCP by editing the /etc/dhcp/dhcpd.conf file:

 # domain name handed out to clients
 option domain-name "anonymous-ap.local";
 # address pool for the wireless subnet
 subnet 192.168.55.0 netmask 255.255.255.0 {
     range 192.168.55.10 192.168.55.100;
     option domain-name-servers 8.8.4.4, 8.8.4.4;
     option routers 192.168.55.1;
     interface wlan0;
 }

Do not forget to restart the service:

 /etc/init.d/isc-dhcp-server restart 


Configuring TOR


This is very simple, because we do not use the device as an exit point or relay server; we only enter the TOR network. To do this, we bring the file /etc/tor/torrc to the following form:

 VirtualAddrNetwork 172.16.0.0/12
 AutomapHostsSuffixes .onion,.exit
 AutomapHostsOnResolve 1
 TransPort 9040
 TransListenAddress 192.168.55.1
 DNSPort 53
 DNSListenAddress 192.168.55.1


Configuring packet forwarding


Quickly activate forwarding at the kernel level:

 echo 'net.ipv4.ip_forward=1' >> /etc/sysctl.conf
 sysctl -p

We configure iptables to redirect all client TCP traffic into the TOR network, while keeping SSH access and DNS requests:

 iptables -t nat -A PREROUTING -i wlan0 -p tcp --dport 22 -j REDIRECT --to-ports 22
 iptables -t nat -A PREROUTING -i wlan0 -p udp --dport 53 -j REDIRECT --to-ports 53
 iptables -t nat -A PREROUTING -i wlan0 -p tcp --syn -j REDIRECT --to-ports 9040
 iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE
 # save the rules to the file that iptables-persistent loads at boot
 iptables-save > /etc/iptables/rules.v4
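
The rules above redirect only TCP connections and DNS; with net.ipv4.ip_forward=1 and the MASQUERADE rule, anything else a client sends (other UDP, ICMP) is routed out of eth0 without passing through TOR. The following check is an added example, not part of the original article: it audits an iptables-save dump for the two redirects and for that forwarding path. The function names audit_rules and sample_rules and the embedded dump are constructed for illustration.

```shell
#!/bin/sh
# Added example: audit an iptables-save dump for the article's redirect rules.

sample_rules() {   # constructed dump of what the article's commands produce
    cat <<'EOF'
*nat
:PREROUTING ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
-A PREROUTING -i wlan0 -p tcp -m tcp --dport 22 -j REDIRECT --to-ports 22
-A PREROUTING -i wlan0 -p udp -m udp --dport 53 -j REDIRECT --to-ports 53
-A PREROUTING -i wlan0 -p tcp -m tcp --tcp-flags FIN,SYN,RST,ACK SYN -j REDIRECT --to-ports 9040
-A POSTROUTING -o eth0 -j MASQUERADE
COMMIT
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
COMMIT
EOF
}

# audit_rules [client_iface] [trans_port]: reads a dump on stdin, prints findings.
audit_rules() {
    awk -v lan="${1:-wlan0}" -v trans="${2:-9040}" '
        /^\*/        { table = substr($0, 2); next }        # "*nat", "*filter"
        /^:FORWARD / { if (table == "filter") policy = $2; next }
        !/^-A /      { next }
        table == "nat" && /-j MASQUERADE/ { masq = 1 }
        index($0, "-i " lan " ") == 0 { next }   # below: client-side rules only
        table == "nat" && /-p tcp/ && index($0, "--to-ports " trans) { tcp = 1 }
        table == "nat" && /-p udp/ && /--dport 53 / && /REDIRECT/    { dns = 1 }
        table == "filter" && $2 == "FORWARD" && /-j (DROP|REJECT)/   { block = 1 }
        END {
            printf "%s: client TCP redirected to TransPort %s\n", (tcp ? "OK" : "MISSING"), trans
            printf "%s: client DNS (udp/53) redirected to DNSPort\n", (dns ? "OK" : "MISSING")
            # Unredirected packets (other UDP, ICMP) are routed, not sent to TOR.
            if (masq && !block && policy != "DROP")
                print "LEAK: non-TCP client traffic is forwarded and masqueraded in the clear"
            else
                print "OK: unredirected client traffic is not forwarded"
        }'
}

sample_rules | audit_rules
```

On the device, run it as audit_rules < /etc/iptables/rules.v4; the LEAK finding clears once the filter table's FORWARD chain has a DROP policy or drops traffic arriving on wlan0.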

Strictly speaking, there are other configuration options. For example, you can configure the access point to simply forward packets to the “normal” network while keeping access to pseudo-domains in the “.onion” zone. Read more here.

Completion and verification


After a purely formal reboot, our device will be ready to hand out anonymous Internet:

 shutdown -r now 

Now we try to connect from a laptop, phone or tablet; a visit to this page will show whether everything is configured correctly. Here is an example of a success message:



It should be noted that in reality the TOR verification service is likely to also suggest installing the Tor Browser Bundle, and this is no accident. It is important to understand that using the TOR network does not by itself give a full guarantee of anonymity: browsers such as IE, Chrome and Safari may well continue to send information about the user.

In addition, this method in no way guarantees complete protection; for more reliable anonymization, you should study this selection of articles.

I hope the recipe will be useful; I will be glad to hear additions!

Source: https://habr.com/ru/post/241257/

