Building an anonymous access point based on Raspberry Pi and TOR

Hi, Habr!

The need to fiddle with software settings every time kept me from using the TOR network; I wanted a more general solution that lived outside the PC being used. The other day I came across this project and realized it would solve all my difficulties. But since the project was frozen, the idea came up of building such an access point myself.

Now this Raspberry Pi (yes, the little red one!) is distributing anonymous Internet across my apartment:

In this article I will tell how I taught my “raspberry” to act as an access point that routes all TCP traffic through the TOR network. Details under the cut.


So, what do we need:
  • 1 x Raspberry Pi
  • 1 x USB WiFi adapter

I bought my Raspberry Pi here, but delivery to the Russian Federation was refused, citing a “too unpredictable postal service”, so for many it will be more convenient to use the other store or find a third option.

The WiFi adapter was bought here, this one: Nano WiFi Dongle.

Let's start the configuration assuming that Raspbian OS is already installed on the “raspberry”. You can always get a current pre-installed image from the device’s official website, or go through the whole process from scratch by downloading the installer.

First of all, connect the device to the wired network and install the necessary software; the other packages are either already installed in the system or will be pulled in as dependencies:

apt-get update
# Optionally, bring the OS up to date
#apt-get upgrade -y
apt-get install -y tor isc-dhcp-server hostapd iptables-persistent

This completes the preparatory part.

Access Point Setup

Physically connect the WiFi adapter and add the following lines to the /etc/network/interfaces file:

auto wlan0
iface wlan0 inet static

Configure hostapd, the daemon that turns our device into an access point. First, specify the path to the configuration file in /etc/default/hostapd:

DAEMON_CONF="/etc/hostapd/hostapd.conf"
Next, fill out the settings file itself, /etc/hostapd/hostapd.conf :

# the name of our wireless network
# It is recommended to find the least loaded channel beforehand
# MAC address filtering is disabled in this example
# To set up a closed network, set this option to 1 and uncomment the lines below
#wpa_pairwise=TKIP CCMP
# Finally, set the password

Enabling the 802.11n standard, which this adapter supports, turned out to be slightly non-trivial:

# iwgetid --protocol wlan0
wlan0     Protocol Name:"IEEE 802.11bgn"

Simply changing the hw_mode parameter to “n” gave a negative result: the wireless interface did not come up after the restart:

# /etc/init.d/hostapd restart
[ ok ] Stopping advanced IEEE 802.11 management: hostapd.
[FAIL] Starting advanced IEEE 802.11 management: hostapd failed!
# tail /var/log/syslog | grep 'anonymous-ap'
Oct 21 09:31:37 anonymous-ap ifplugd(mon.wlan0)[7490]: Link beat lost.
Oct 21 09:31:38 anonymous-ap ifplugd(mon.wlan0)[7490]: Exiting.
Oct 21 09:31:38 anonymous-ap ifplugd(wlan0)[1684]: Link beat lost.
Oct 21 09:31:48 anonymous-ap ifplugd(wlan0)[1684]: Executing '/etc/ifplugd/ifplugd.action wlan0 down'.
Oct 21 09:31:49 anonymous-ap ifplugd(wlan0)[1684]: Program executed successfully.

It turns out that hw_mode should be left at “g”, and the line “ieee80211n=1” added instead, which we do while restarting the daemon along the way:

echo -e "\nieee80211n=1" >> /etc/hostapd/hostapd.conf
service hostapd restart
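The failed restart above comes down to one invalid key combination. The following script is an added example (not from the original article, nor part of hostapd) that checks a hostapd.conf for exactly that mistake before the daemon is restarted. The two configuration texts are constructed, with a placeholder SSID and passphrase; only the keys relevant to the check are parsed.

```shell
#!/bin/sh
# Added example, not from the original article: sanity-check a hostapd.conf
# before restarting the daemon, catching the hw_mode=n mistake described above.
# The config texts are constructed; SSID and passphrase are placeholders.

# Print the last value assigned to a key. hostapd uses the last occurrence,
# which matters after "echo ... >> hostapd.conf" appends a duplicate key.
conf_value() {
    printf '%s\n' "$1" | sed -n "s/^$2=//p" | tail -n 1
}

# Returns 0 when the 802.11n-related settings are consistent, 1 otherwise,
# with a one-line explanation on stdout.
check_hostapd_conf() {
    hw_mode=$(conf_value "$1" hw_mode)
    ht=$(conf_value "$1" ieee80211n)
    case "$hw_mode" in
        a|b|g) ;;
        n)  echo "hw_mode=n is not a valid mode; keep hw_mode=g and add ieee80211n=1"; return 1 ;;
        "") echo "hw_mode is missing"; return 1 ;;
        *)  echo "unexpected hw_mode '$hw_mode'"; return 1 ;;
    esac
    if [ "$ht" = "1" ]; then
        echo "802.11n enabled on top of hw_mode=$hw_mode"
    else
        echo "802.11n not enabled (ieee80211n='$ht'); the AP will run plain 802.11$hw_mode"
    fi
    return 0
}

# Constructed config that reproduces the failure from the article.
BROKEN_CONF='interface=wlan0
ssid=EXAMPLE-SSID
hw_mode=n
channel=6
wpa=2
wpa_passphrase=CHANGE-ME-PLACEHOLDER'

# Constructed config with the fix: hw_mode=g plus ieee80211n=1 appended.
WORKING_CONF='interface=wlan0
ssid=EXAMPLE-SSID
hw_mode=g
channel=6
wpa=2
wpa_passphrase=CHANGE-ME-PLACEHOLDER
ieee80211n=1'

check_hostapd_conf "$BROKEN_CONF" || true
check_hostapd_conf "$WORKING_CONF"
```

Run it against the real file with `check_hostapd_conf "$(cat /etc/hostapd/hostapd.conf)"` before `service hostapd restart`; a non-zero exit status means the restart would fail the same way the syslog excerpt above shows.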

Next, configure DHCP by editing the file /etc/dhcp/dhcpd.conf :

# Our network's domain
option domain-name "anonymous-ap.local";
# Subnet parameters
subnet netmask {
  option domain-name-servers,;
  option routers;
  interface wlan0;
}

Do not forget to restart the service:

/etc/init.d/isc-dhcp-server restart

TOR setup

Very simple, because we do not use the device as an exit node or relay; we only connect to the TOR network as a client. To do this, bring the /etc/tor/torrc file to this form:

AutomapHostsSuffixes .onion,.exit
AutomapHostsOnResolve 1
TransPort 9040
DNSPort 53

Configuring packet forwarding

Enable kernel-level forwarding:

echo 'net.ipv4.ip_forward=1' >> /etc/sysctl.conf
sysctl -p

Configure iptables to redirect all TCP client traffic into the TOR network, while keeping SSH access to the device itself and handing DNS queries to the local port 53 served by Tor's DNSPort:

iptables -t nat -A PREROUTING -i wlan0 -p tcp --dport 22 -j REDIRECT --to-ports 22
iptables -t nat -A PREROUTING -i wlan0 -p udp --dport 53 -j REDIRECT --to-ports 53
iptables -t nat -A PREROUTING -i wlan0 -p tcp --syn -j REDIRECT --to-ports 9040
iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE
# Save the rules for the previously installed iptables-persistent, which will restore them after a reboot
iptables-save > /etc/iptables/rules.v4
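Two properties of this ruleset are worth checking rather than assuming: the SSH and DNS exemptions must precede the catch-all redirect (PREROUTING is evaluated top to bottom), and only TCP and DNS are redirected, so anything else a client sends (UDP other than DNS, ICMP) is forwarded and masqueraded out of eth0 without passing through Tor. The script below is an added example, not part of the original article, that audits an iptables-save dump for both points. The two dumps are constructed; the port numbers are the article's own (22, 53 for the DNSPort, 9040 for the TransPort).

```shell
#!/bin/sh
# Added example, not from the original article: audit an iptables-save dump
# (the contents of /etc/iptables/rules.v4) for the transparent-proxy rules
# above. Port numbers are the ones used in the article: 22 (SSH),
# 53 (Tor DNSPort) and 9040 (Tor TransPort). Both dumps below are constructed.

# Dump equivalent to the article's rules; iptables-save spells --syn as the
# explicit --tcp-flags form.
ARTICLE_RULES='*nat
:PREROUTING ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
-A PREROUTING -i wlan0 -p tcp -m tcp --dport 22 -j REDIRECT --to-ports 22
-A PREROUTING -i wlan0 -p udp -m udp --dport 53 -j REDIRECT --to-ports 53
-A PREROUTING -i wlan0 -p tcp -m tcp --tcp-flags FIN,SYN,RST,ACK SYN -j REDIRECT --to-ports 9040
-A POSTROUTING -o eth0 -j MASQUERADE
COMMIT
*filter
:FORWARD ACCEPT [0:0]
COMMIT'

# Same nat table, but the filter table drops everything the kernel would
# otherwise forward from wlan0. Redirected TCP and DNS never reach FORWARD
# (REDIRECT delivers them to the local Tor ports), so only non-redirected
# traffic, which would leave through eth0 in the clear, is affected.
HARDENED_RULES="$(printf '%s\n' "$ARTICLE_RULES" | sed 's/^:FORWARD ACCEPT/:FORWARD DROP/')"

# Line number of the first rule matching a grep -E pattern, empty if none.
rule_line() {
    printf '%s\n' "$1" | grep -nE -- "$2" | head -n 1 | cut -d: -f1
}

# Returns 0 when the SSH and DNS exemptions are present and both come before
# the catch-all redirect to the TransPort, 1 otherwise.
check_redirect_order() {
    ssh=$(rule_line "$1" '^-A PREROUTING -i wlan0 -p tcp .*--dport 22 -j REDIRECT --to-ports 22$')
    dns=$(rule_line "$1" '^-A PREROUTING -i wlan0 -p udp .*--dport 53 -j REDIRECT --to-ports 53$')
    tor=$(rule_line "$1" '^-A PREROUTING -i wlan0 -p tcp .*(SYN|syn).* -j REDIRECT --to-ports 9040$')
    [ -n "$ssh" ] && [ -n "$dns" ] && [ -n "$tor" ] || return 1
    [ "$ssh" -lt "$tor" ] && [ "$dns" -lt "$tor" ]
}

# Returns 0 when the FORWARD chain blocks traffic from wlan0 (DROP policy or
# an explicit rule), 1 when non-TCP client traffic would be masqueraded out
# of eth0 without passing through Tor.
check_forward_leak() {
    if printf '%s\n' "$1" | grep -qE '^:FORWARD DROP'; then return 0; fi
    if printf '%s\n' "$1" | grep -qE '^-A FORWARD -i wlan0 .*-j (DROP|REJECT)'; then return 0; fi
    return 1
}

# Print a short report; exit status 0 only if both checks pass.
audit_rules() {
    status=0
    if check_redirect_order "$1"; then
        echo "ok:   SSH and DNS exemptions precede the TransPort redirect"
    else
        echo "FAIL: redirect rules missing or in the wrong order"; status=1
    fi
    if check_forward_leak "$1"; then
        echo "ok:   non-redirected traffic from wlan0 is dropped"
    else
        echo "WARN: non-TCP client traffic would bypass Tor via MASQUERADE on eth0"; status=1
    fi
    return $status
}

echo "--- article ruleset"
audit_rules "$ARTICLE_RULES" || true
echo "--- same ruleset with FORWARD policy DROP"
audit_rules "$HARDENED_RULES"
```

To audit the live configuration, run `audit_rules "$(iptables-save)"` on the device. The hardened variant corresponds to `iptables -P FORWARD DROP` before the `iptables-save`; it leaves the redirected TCP and DNS paths untouched, because those packets are delivered locally and never traverse the FORWARD chain.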

Strictly speaking, there are other configuration options. For example, you can configure the access point to simply forward packets to the “normal” network while keeping access to pseudo-domains in the “.onion” zone. More details here.

Completion and verification

After a purely formal reboot, our device will be ready to distribute anonymous Internet:

shutdown -r now

Now let's try to connect from a laptop, phone or tablet; a visit to this page will determine whether everything is configured correctly. Here is an example of a success message:

It should be noted that in reality the TOR verification service will most likely also offer to install the Tor Browser Bundle, and that is no coincidence. It is important to understand that using the TOR network alone gives no full guarantee of anonymity, and browsers such as IE, Chrome and Safari may well continue to send all sorts of information about the user.

Moreover, this method in no way guarantees complete protection; for more reliable anonymization you should study this selection of articles.

I hope the recipe will be useful; I will be happy to receive additions!
