Using the Raspberry Pi as a gateway proxy

Gateway to the World

Article from Issue 155/2013

Extend protection to all of your Internet traffic with a Raspberry Pi minicomputer set up as a cost-effective external proxy server.

The Tor Project offers an option for obfuscating your IP address and thus hiding the most important clue to your identity on the web. When it is installed locally, you need to connect every single client application separately with Tor, which can be complicated. Moreover, the application must be able to communicate via SOCKS. If, instead, you choose to route your entire Internet traffic through the Tor network, your only option is an external router.

The Raspberry Pi (Figure 1) is ideal in this role because the hardware is cheap, and its power consumption is low. This project gained popularity as Onion Pi [1]. But, even as a Tor user, you should not rely on this solution alone for security. After all, obfuscating your IP address is only half the battle and cannot hide your identity on its own (see the "Tor Limits" box).

Figure 1: Properly configured, the Raspberry Pi, which is hardly larger than a deck of cards, can keep your entire Internet traffic anonymous.

Tor Limits

No one who uses Tor should consider it an inherently secure way to surf the web anonymously; a number of possible leaks remain. For example, active content such as Flash and JavaScript, as well as Java, is quite capable of disclosing the web surfer's identity. Additionally, browser add-ons like Amazon's "1Button App" track each request and even send the search key input to servers [2]. The situation is similar with cookies, which provide information about the pages you visit. If you log in to services such as Google, Facebook, or Twitter, this naturally wipes out any anonymity that Tor can offer you. Thus, you must additionally harden the browser with the right plugins and settings – just to be on the safe side.

Another aspect that is typically overlooked is bad exit nodes. Exit nodes are the final link in the mix cascade, and they transfer data in the clear unless the requested page uses SSL encryption itself. For operators of exit nodes – which basically anybody can operate – it's really easy to sniff login information or potentially sensitive documents from the data stream. You can protect yourself by using only trusted exit nodes, such as those operated by the Chaos Computer Club [3].

You're Off!

This how-to for setting up Onion Pi assumes you have an image such as Raspbian [4] set up on the SD card in your Rasp Pi. All the input and changes listed in the article require root privileges. Additionally, you need a network cable and a wireless stick.

The first step is to configure the Raspberry as an access point and DHCP server. Use the

ifconfig -a

command to check whether the wlan0 interface is available. If the interface already has an IP address, you can disable it by typing:

ifdown wlan0

The next step is to install the required software components as root with the following command:

apt-get update && apt-get install hostapd isc-dhcp-server tor

Next, edit the /etc/dhcp/dhcpd.conf DHCP server configuration file in the nano editor and comment out the following lines by adding a hash mark (#) at the start of each line:

# option domain-name "example.org";
# option domain-name-servers ns1.example.org, ns2.example.org;

Then, remove the comment character to the left of the authoritative; statement and append the configuration block shown in Listing 1 to the file. You can modify the subnet to match your needs. Press Ctrl+O to save the changes and Ctrl+X to quit the editor.

Listing 1

DHCP Configuration

 

In the /etc/default/isc-dhcp-server file, tell the server which interface to use to assign IP addresses in the future using the INTERFACES= directive. For the present scenario, you need to enter a value of wlan0 and assign a static IP address to the wlan0 interface in the /etc/network/interfaces file (Listing 2).

Listing 2

WLAN IP Address

 

Calling ifup wlan0 enables the WLAN interface. For the Onion Pi to act as an access point, you first need to configure the service in the /etc/hostapd/hostapd.conf file (Listing 3). You will want to change the value of wpa_passphrase: This password is used to log in to the wireless LAN later on.

Listing 3

Configure Onion Pi Service

 

For the Upstart daemon to start automatically on distros that use it, enter a value of

DAEMON_CONF="/etc/hostapd/hostapd.conf"

in the /etc/default/hostapd configuration file. For compatibility with current WLAN sticks, the developers of Onion Pi also recommend an update of hostapd:

wget http://www.adafruit.com/downloads/adafruit_hostapd.zip
unzip adafruit_hostapd.zip
mv /usr/sbin/hostapd /usr/sbin/hostapd.ORIG
mv hostapd /usr/sbin
chmod 755 /usr/sbin/hostapd

After updating the access point daemon, start the two components by typing:

service hostapd start
service isc-dhcp-server start

To load the components automatically at system startup, type:

update-rc.d hostapd enable
update-rc.d isc-dhcp-server enable

Redirection

Communication between the wireless subnet and Tor requires some adjustments to the network configuration. The first step is to open the /etc/sysctl.conf file and append net.ipv4.ip_forward=1. The sysctl -p command enables the change. Next, you should adjust the iptables rules [5]. To begin, delete any that exist by calling:

iptables -F
iptables -t nat -F

Then, enable the most important rules (Listing 4).

Listing 4

Enable iptables Rules

iptables -t nat -A PREROUTING -i wlan0 -p tcp --dport 22 -j REDIRECT --to-ports 22
iptables -t nat -A PREROUTING -i wlan0 -p udp --dport 53 -j REDIRECT --to-ports 53
iptables -t nat -A PREROUTING -i wlan0 -p tcp --syn -j REDIRECT --to-ports 9040

To save the configuration, type:

sh -c "iptables-save > /etc/iptables.ipv4.nat"

To allow the system to parse the new rules at the next reboot, open the /etc/network/interfaces file and add a blank line followed by up iptables-restore < /etc/iptables.ipv4.nat.
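The following check is an added example, not part of the original article: it audits a saved rule set for the three Listing 4 redirects, for their order, and for what happens to traffic that none of them matches. The function names and the sample dump are constructed for illustration; the ports 9040 and 53 are taken from Listing 4 and are assumed to be the ports Tor listens on (its TransPort and DNSPort settings).

```shell
# Added example, not from the article: audit an iptables-save dump for the
# Listing 4 redirects. audit_rules exits with the number of problems found.
# Constructed, abridged sample of how iptables-save renders the three rules.
sample_dump() {
    cat <<'EOF'
*nat
:PREROUTING ACCEPT [0:0]
-A PREROUTING -i wlan0 -p tcp -m tcp --dport 22 -j REDIRECT --to-ports 22
-A PREROUTING -i wlan0 -p udp -m udp --dport 53 -j REDIRECT --to-ports 53
-A PREROUTING -i wlan0 -p tcp -m tcp --tcp-flags FIN,SYN,RST,ACK SYN -j REDIRECT --to-ports 9040
COMMIT
*filter
:FORWARD ACCEPT [0:0]
COMMIT
EOF
}

# nat_rule FILE IFACE REGEX: position of the first matching PREROUTING rule
nat_rule() {
    sed -n '/^\*nat$/,/^COMMIT$/p' "$1" | grep -- "^-A PREROUTING -i $2 " |
        grep -n -E -- "$3" | head -n 1 | cut -d: -f1
}

# audit_rules FILE IFACE TRANS_PORT DNS_PORT
audit_rules() {
    f=$1 ifc=$2 problems=0
    ssh_at=$(nat_rule "$f" "$ifc" '-p tcp .*--dport 22 -j REDIRECT')
    dns_at=$(nat_rule "$f" "$ifc" "-p udp .*--dport 53 -j REDIRECT --to-ports $4\$")
    syn_at=$(nat_rule "$f" "$ifc" "-p tcp .*--tcp-flags FIN,SYN,RST,ACK SYN -j REDIRECT --to-ports $3\$")
    if [ -z "$dns_at" ]; then
        echo "DNS from $ifc is not redirected to port $4"; problems=$((problems + 1))
    fi
    if [ -z "$syn_at" ]; then
        echo "new TCP connections from $ifc are not redirected to port $3"
        problems=$((problems + 1))
    elif [ -n "$ssh_at" ] && [ "$ssh_at" -gt "$syn_at" ]; then
        echo "SSH rule sits after the catch-all redirect and never matches"
        problems=$((problems + 1))
    fi
    # With ip_forward=1, packets that match no redirect go to the FORWARD chain.
    if ! sed -n '/^\*filter$/,/^COMMIT$/p' "$f" | grep -q '^:FORWARD DROP'; then
        echo "FORWARD policy is not DROP: other UDP and ICMP are routed, not proxied"
        problems=$((problems + 1))
    fi
    return "$problems"
}
tmp=$(mktemp) && sample_dump > "$tmp"
audit_rules "$tmp" wlan0 9040 53 || echo "problems found: $?"
rm -f "$tmp"
```

On the gateway itself, point audit_rules at /etc/iptables.ipv4.nat instead of the constructed sample.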

Setting Up Tor

The Tor configuration file is stored in the /etc/tor/torrc file. You can add the passage from Listing 5 directly after the line ## https://www.torproject.org/docs/faq#torrc.

Listing 5

Tor Configuration

 

For Tor to be able to log its messages in the notices.log file, you first need to create the file and assign the necessary permissions:

touch /var/log/tor/notices.log
chown debian-tor /var/log/tor/notices.log
chmod 644 /var/log/tor/notices.log

Finally, you can restart Tor by typing service tor start. For this service to start automatically after reboot, type update-rc.d tor enable.

To use Tor, you simply need to log on to the new WLAN. To discover whether the setup is working as expected, go to the "Are you using Tor?" site [6] (Figure 2). If successful, the message "Congratulations. Your browser is configured to use Tor" appears.

Figure 2: If the settings on your Onion Pi work, this confirmation message appears when you check your Tor setup online.
