Using the Raspberry Pi as a gateway proxy
Gateway to the World
Extend protection to all of your Internet traffic with a Raspberry Pi minicomputer set up as a cost-effective external proxy server.
The Tor Project offers an option for obfuscating your IP address and thus hiding the most important clue to your identity on the web. When it is installed locally, you need to connect every single client application separately with Tor, which can be complicated. Moreover, the application must be able to communicate via SOCKS. If, instead, you choose to route your entire Internet traffic through the Tor network, your only option is an external router.
The Raspberry Pi (Figure 1) is ideal in this role because the hardware is cheap, and its power consumption is low. This project gained popularity as Onion Pi [1]. But, even as a Tor user, you should not rely on this solution alone for security. After all, obfuscating your IP address is only half the battle and cannot hide your identity on its own (see the "Tor Limits" box).
Tor Limits
Anyone who uses Tor should not consider it an inherently secure option for surfing the web anonymously; you should also consider a number of ways in which anonymity can be breached. For example, active scripts such as Flash and JavaScript, as well as Java, are quite capable of disclosing the web surfer's identity. Additionally, browser add-ons like Amazon's "1Button App" track each request and even send the search key input to servers [2]. The situation is similar with cookies, which provide information about the pages you visit. If you log in to services, such as Google, Facebook, Twitter, etc., this naturally wipes out any anonymity that Tor can offer you. Thus, you must additionally harden the browser with the right plugins and settings – just to be on the safe side.
Another aspect typically overlooked is bad exit nodes. Exit nodes generally act as the final arbiter in the mix cascade, and they transfer data in the clear, unless the requested page uses SSL encryption itself. For operators of exit nodes – which basically anybody can operate – it's really easy to sniff login information or potentially sensitive documents from the data stream. You can protect yourself against this by using only trusted exit nodes, such as those operated by the Chaos Computer Club [3].
You're Off!
This how-to for setting up Onion Pi assumes you have an image such as Raspbian [4] set up on the SD card in your Rasp Pi. All the input and changes listed in the article require root privileges. Additionally, you need a network cable and a wireless stick.
The first step is to configure the Raspberry as an access point and DHCP server. Use the ifconfig -a command to check whether the wlan0 interface is available. If the interface already has an IP address, you can disable it by typing:
ifdown wlan0
The next step is to install the required software components as root with the following command:
apt-get update && apt-get install hostapd isc-dhcp-server tor
Next, edit the /etc/dhcp/dhcpd.conf DHCP server configuration file in the nano editor and comment out the following lines by adding a hash mark (#) at the start of each line:
# option domain-name "example.org";
# option domain-name-servers ns1.example.org, ns2.example.org;
Then, remove the comment character to the left of the authoritative; statement and append the configuration block shown in Listing 1 to the file. You can modify the subnet to match your needs, press Ctrl+O to save the changes, and Ctrl+X to quit the editor.
Listing 1
DHCP Configuration
In the /etc/default/isc-dhcp-server file, tell the server which interface to use to assign IP addresses in the future using the INTERFACES= directive. For the present scenario, you need to enter a value of wlan0 and assign a static IP address to the wlan0 interface in the /etc/network/interfaces file (Listing 2).
Listing 2
WLAN IP Address
Calling ifup wlan0 enables the WLAN interface. For the Onion Pi to act as an access point, you first need to configure the service in the /etc/hostapd/hostapd.conf file (Listing 3). You will want to change the value of wpa_passphrase: This password is used to log in to the wireless LAN later on.
Listing 3
Configure Onion Pi Service
For the Upstart daemon to start automatically on distros that use it, enter a value of
DAEMON_CONF="/etc/hostapd/hostapd.conf"
in the /etc/default/hostapd configuration file. For compatibility with current WLAN sticks, the developers of Onion Pi also recommend an update of hostapd:
wget http://www.adafruit.com/downloads/adafruit_hostapd.zip
unzip adafruit_hostapd.zip
mv /usr/sbin/hostapd /usr/sbin/hostapd.ORIG
mv hostapd /usr/sbin
chmod 755 /usr/sbin/hostapd
After updating the access point daemon, start the two components by typing:
service hostapd start
service isc-dhcp-server start
To load the components automatically at system startup, you can type:
update-rc.d hostapd enable
update-rc.d isc-dhcp-server enable
Redirection
Communication between the wireless subnet and Tor requires some adjustments to the network configuration. The first step is to open the /etc/sysctl.conf file and append net.ipv4.ip_forward=1. The sysctl -p command enables the change. Next, you should adjust the iptables rules [5]. To begin, delete any that exist by calling:
iptables -F
iptables -t nat -F
Then, enable the most important rules (Listing 4).
Listing 4
Enable iptables Rules
iptables -t nat -A PREROUTING -i wlan0 -p tcp --dport 22 -j REDIRECT --to-ports 22
iptables -t nat -A PREROUTING -i wlan0 -p udp --dport 53 -j REDIRECT --to-ports 53
iptables -t nat -A PREROUTING -i wlan0 -p tcp --syn -j REDIRECT --to-ports 9040
To save the configuration, type:
sh -c "iptables-save > /etc/iptables.ipv4.nat"
To allow the system to parse the new rules at the next reboot, open the /etc/network/interfaces file and add a blank line followed by up iptables-restore < /etc/iptables.ipv4.nat.
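A check for the redirect rules above, added here as an example and not part of the original article: the script audits a ruleset in iptables-save format for the Listing 4 redirects, confirms that the SSH exception is not shadowed by the catch-all TCP rule, and flags whether traffic the rules do not match (non-DNS UDP, ICMP) would be forwarded past Tor. The dump is constructed sample data, sample_dump and audit_dump are hypothetical names, and wlan0, 9040 and 53 are the values used in Listing 4.

```shell
#!/bin/sh
# Added example (not from the article): audit a saved ruleset for the
# Listing 4 redirects. Assumes wlan0 as the AP interface and the ports
# the listing redirects to (9040 for TCP, 53 for DNS).

# Constructed sample in iptables-save format, not captured from a real Pi.
sample_dump() {
cat <<'EOF'
*nat
:PREROUTING ACCEPT [0:0]
-A PREROUTING -i wlan0 -p tcp -m tcp --dport 22 -j REDIRECT --to-ports 22
-A PREROUTING -i wlan0 -p udp -m udp --dport 53 -j REDIRECT --to-ports 53
-A PREROUTING -i wlan0 -p tcp -m tcp --tcp-flags FIN,SYN,RST,ACK SYN -j REDIRECT --to-ports 9040
COMMIT
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
COMMIT
EOF
}

# audit_dump IFACE: read a dump on stdin, print one finding per line.
audit_dump() {
    awk -v ifc="$1" '
    /^\*/ { table = substr($0, 2) }
    table == "nat" && /^-A PREROUTING/ && index($0, "-i " ifc " ") {
        n++   # position in the chain; the first matching rule wins
        if (/-p tcp/ && /--dport 22 /) ssh = n
        if (/-p udp/ && /--dport 53 / && /--to-ports 53$/) dns = n
        if (/-p tcp/ && !/--dport/ && /--to-ports 9040$/) tcp = n
    }
    # With ip_forward=1, packets that no REDIRECT rule matched are routed
    # onward unless the FORWARD chain drops them.
    table == "filter" && /^:FORWARD DROP/ { drop = 1 }
    table == "filter" && /^-A FORWARD/ && index($0, "-i " ifc " ") &&
        /-j (DROP|REJECT)/ { drop = 1 }
    END {
        printf "%s tcp-to-transport\n", (tcp ? "OK" : "FAIL")
        printf "%s dns-to-dnsport\n", (dns ? "OK" : "FAIL")
        if (ssh && tcp && ssh > tcp) print "FAIL ssh-exception-shadowed"
        print (drop ? "OK other-traffic-dropped" : "WARN other-traffic-forwarded")
    }'
}

sample_dump | audit_dump wlan0
```

On the gateway itself, pipe the output of iptables-save into audit_dump wlan0 instead of the sample.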
Setting Up Tor
The Tor configuration file is stored in the /etc/tor/torrc file. You can add the passage from Listing 5 directly after the line ## https://www.torproject.org/docs/faq#torrc.
Listing 5
Tor Configuration
For Tor to be able to log its messages in the notices.log file, you first need to create the file and assign the necessary permissions:
touch /var/log/tor/notices.log
chown debian-tor /var/log/tor/notices.log
chmod 644 /var/log/tor/notices.log
Finally, you can restart Tor by typing service tor start. For this service to start automatically after reboot, type update-rc.d tor enable.
To use Tor, you simply need to log on to the new WLAN. To discover whether the setup is working as expected, go to the "Are you using Tor?" site [6] (Figure 2). If successful, the message "Congratulations. Your browser is configured to use Tor" appears.