So, you want anonymity when browsing the Internet? This is proving to be quite a hit now that ISPs are en route to being allowed to sell your traffic history (or do whatever they want with it). There has also been a noticeable surge in VPN service offerings all over the Internet, however; we must be very careful when selecting such service to make sure it does actually work in our favor. Simply by performing a google search one will hit an overwhelming number of VPNs available – some of them asking for no fees at all to get them up and running. Especially with this (free) type of VPNs there is a danger that they are not really hiding you from anything, but are just using the fact that the service is free to get customers and trick them into thinking they will be safe from the eyes of “Big Brothers”. So, when (if) you do choose a VPN service, try to read what exactly the service is offering and how that applies to keeping your traffic and/or location off the grid. More on how to choose a VPN can be read here since this is not the focal point of this post.
What this post is concerned with is much more exciting than figuring out what VPN you should use. I will introduce a recipe for creating your own access point (AP) leveraging your home WiFi, capable of using onion routing as the weapon to keep your traffic unreadable by ISPs. The AP will use Tor’s software for providing anonymity as well as a hardware component – Raspberry Pi, to make it work. This is a super fun and cool little project that anyone can do on their own if they simply follow this guide. While the process is a bit complex if you are not used to dealing with networks/Linux/Tor, I am making the effort to present it in a somewhat transparent, easy-to-follow fashion. By the end of the guide you will be able to connect to this AP with any of your devices and ensure that your traffic stays yours and yours only.
A bit of a preview into how your location will look like after going through this guide:
The IP location tracking website IP2Location.net is saying that my IP is located in Ukraine. I have never been there, in fact I am halfway across the world right now! To learn more about Tor and how it works you can visit my previous blog post, or Tor’s webpage .
Prepping the Pie
Every recipe starts with the necessary ingredients, this one is no different:
- Raspberry Pi (I’m using model 3, should work on any)
- an SD card, preloaded with an OS (Raspbian)
- miniUSB charger
- Ethernet cable (to connect the Pi to your router)
Alright, let’s start with the fun. First, we will set up our Pi. Make sure your “pi” user does NOT have the default password associated with it. While changing default passwords is something we should do as soon as we buy a device, a lot of people fail to do so which makes them easy targets for adversaries fishing for lazy targets on the Internet. Once you are logged in as the user, type in “passwd” command to change the password associated with the current user. Hint, hint: your root user does not come with a password, so if you are enabling root login through SSH (you really shouldn’t), then please make sure you have given it a password.
You will want to be connected to your home WiFi or, preferably, directly to the router. If you are doing all this via CLI and not GUI, use the command:
sudo su -c 'wpa_passphrase "" "" >> /etc/wpa_supplicant/wpa_supplicant.conf'
Note a couple of things: text between “<>” should be replaced with your WiFi name and the password, you have to use two “>” to make sure the text is appended to the file and does not override the configuration, and you will be required to run this command using “sudo” (unless you are logged in as root user, but you really shouldn’t be). What this does is it simply creates a tokenized output that your pi will use for establishing a connection with the specified network. Alternatively, if the above for some reason does not work, you can simply
sudo nano /etc/wpa_supplicant/wpa_supplicant.conf
to get into the configuration file and change the input to match your network configuration, however; I do recommend using wpa_passphrase to avoid plaintext inscription of your password. Ensure connectivity by executing “ifconfig” which should display the network you are connected to (assuming the process was successful). You can also do all this in a GUI in case you are using the regular Raspbian, or running NOOBS that comes with some distributions of the OS. For further help, Adafruit has a comprehensive guide on this process – the link will download a pdf.
Baking the Pie
Now that the Pi can talk to the Internet, we will start downloading the required components.
- You should always start with
sudo apt-get update
to make sure your components are up-to-date. If there is anything missing, or if you misconfigured any steps, they may be corrected with –fix-missing flag appended to the first command and the name of the component.
sudo apt-get tor
will download Tor installation package.
- We will need to make sure our iptables (Ubuntu’s default firewall) is functional and present on the system, so just to make sure, run:
sudo apt-get install iptables-persistent
or use the –update flag.
- To make the transformation of the AP easier on ourselves we will download a script from GitHub later, for which we will need to install git:
sudo apt-get install git
- Optional: if you care about which text editor you use – download it. I am used to Vim, hence:
sudo apt-get install vim
If you want to use the default editor (nano) then simply replace every command in this guide to say nano instead of vim.
Transformation Into an AP
If you feel adventurous or if you know your way around creating and configuring APs, skip the next step and do your own thing. Otherwise, since this can be a bit of a confusing and long process, we will use a script posted on GitHub by a user harryallerston. This will allow us to blaze through a number of manual configurations and transform the Pi into an AP in no time. Call it cheating if you will.
Note: at this point your Pi should be connected to your router through an Ethernet port.
Before attempting to use this script, visit https://github.com/harryallerston/RPI-Wireless-Hotspot to learn about what it does specifically.
- Clone the user’s repository on your device:
- Hop inside the downloaded (cloned) directory:
- To initiate the configuration automation process, run:
This script will attempt to do a couple of different things and will prompt for a response every time. Answer the prompts as follows:
- Y to agree to the program making changes to the Pi
- Y to use a preconfigured DNSalternative DNS server
- N to chromecast support
- Y to OpenDNS
- N for the WiFi default configuration; it will ask you for new AP name and password. MEMORIZE THESE!
After a little while, the configuration will be complete and the Pi should restart. You will be notified of that so wait for the reboot to complete, and voila! Your Pi is now acting as an access point! To access the configuration of the access point, you can find the config file under “/etc/hostapd/hostapd.conf“.
Throw in Those Onions
Cool, now that we have the AP up and running, let’s get Tor installed on our machine. We have downloaded it earlier, so all we have to do now is install it.
sudo apt-get install tor
and wait for the magic to happen. You may have to agree to allocating some extra space for the downloaded files.
Next, some configuring will take place to make sure Tor does what we want. Tor will always look at a file called torrc, which we will now tailor to fit our style.
sudo vim /etc/tor/torrc
will open the mentioned config file, which will require you to input the following at the end of the file (feel free to copy paste, but port numbers can be arbitrarily chosen if you prefer):
Log notice file /var/log/tor/torlogs.log VirtualAddrNetwork 10.192.0.0/10 AutomapHostsSuffixes .onion,.exit AutomapHostsOnResolve 1 TransPort 9040 TransListenAddress 192.168.42.1 DNSPort 5353 DNSListenAddress 192.168.42.1
I know – what the hell is this. Not to go too deep, but basically we are configuring the transparency of our DNS resolving, as well as routing for “.onion” and “.exit” TLDs. More about this process and what follows can be read here .
Next, let’s create a log file for Tor:
sudo vim /var/log/tor/torlogs.log
Make sure only tor is able to modify it by changing its owner:
sudo chown debian-tor /var/log/tor/torlogs.log
Set permissions to read/write only:
sudo chmod 644 /var/log/tor/torlogs.log
The next step is to make sure our firewall knows how to act when different traffic types tries to communicate. For that to happen, we will first get rid of the old iptables rules:
sudo iptables -F
sudo iptables -t nat -F
Now we have to establish a new rule set. If you wish to add custom rules, check out iptables documentation to see how. The ports are specified in torrc file above.
- We must ensure there are no DNS leaks, so to route udp traffic through port 5353:
iptables -t nat -A PREROUTING -i wlan0 -p udp --dport 5353 -j REDIRECT --to-ports 5353
- TCP traffic will go through port 9040:
iptables -t nat -A PREROUTING -i wlan0 -p tcp --syn -j REDIRECT --to-ports 9040
- Finally, to ensure SSH working properly when you try to connect to the Pi remotely, we need to add an exception for that (port 22 = conventionally used as SSH port):
iptables -t nat -A PREROUTING -i wlan0 -p tcp --dport 22 -j REDIRECT --to-ports 22
Awesome, now type in:
sudo iptables -t nat -L
to check your newly established rules. Unless you applied a different set of rules, they should look similar to this (note that I am using port 53 for DNS, not 5353):
Save the rules:
sudo sh -c "iptables-save > /etc/iptables.ipv4.nat"
Start Tor service:
sudo service tor start
The operation should be successful, but in case you are not sure you can run
sudo service tor status
which should not display any ERROR messages and should look like this:
You should also enable the service to start on reboot to avoid having to do so manually:
sudo update-rc.d tor enable
Now try restarting the pi with the “sudo reboot” command to see if all of your settings were applied correctly.
When the device turns back on, run “sudo service tor status” again to make sure it is up and running.
Serving the Pie
How can we be sure this works? There are a couple of ways to check, but really the simplest way is to connect to the AP with a device, open a browser on it, and query google with “my ip location”. It should be something very abstract and usually not your current location – also likely to be on the other side of the world. If your IP remained unchanged, then something most likely went wrong in the configuration and you may want to retrace the steps.
Now you can connect to your AP and browse the internet anonymously! Of course, I do have to explain that providing a complete sense of anonymity and security would be somewhat utopic. Let’s discuss what may go wrong – this is after all “just” software.
How Can the Pie Go Bad
With great power comes great responsibility. Since you are now playing a god of disguising you will need to know a couple of things to make sure you do not compromise your newly obtained super powers.
In my previous blog post I discussed the principles of Tor’s functionality. One them is that Tor is a volunteer-based network, thus the nodes operating on the network will work towards common good if the intentions of their owner are also aligned with Tor’s goals. This means that despite the efforts to govern the nodes and the way they operate, there is a very small chance that you will somehow be routed through 3 nodes owned by the same entity. If that’s the case, correlations determining your traffic and its destination are possible. I do want to emphasize that a chance of this happening is very low.
You may want to be careful with the plugins you enable, or the security settings you configure Tor to run with. One of the ways your traffic can distinguish itself among the rest of the billion bits running through Tor (despite it all being encrypted), is when you cause it to stand out among the crowd. Think of this as you putting on 10 different jackets when it gets cold and walking down a street – even if it’s busy, you will get noticed (and laughed at).
Equipping your AP with Tor’s software will enable you to contact Hidden Services (.onion TLDs). Now, this is pretty important: do not go too crazy accessing these domains. In fact, I would say do not do it at all. If you do want to do that, set up a VM, nest a couple of VPNs, use a Tor bridge, and make sure Privoxy encrypts the data stream exiting the VC. If you do not know what this means, then you have nothing to worry about since there is unlikely to be an instance where you come across .onion TLDs.
If you are logged in services that tend to track your history (such as your Google account), then Google will still likely track your steps. Log out and you are good to go!
Cleaning up the Dishes
Alright, this was a bit of a longer post, but I did want to make sure it is thorough and that it captures all the important details of setting up an access point leveraging Tor and what to keep in mind when using it. I hope you were able to follow the steps presented and make your own cool little anonymizing pie 😊. If you ran into any issues or would want to talk about anything – feel free to reach out!
Thank you for your time!