Thursday, December 17, 2020

Raspberry Pi Wireless Wi-Fi TOR Anonymizer Gateway (Yet Another Post)

Tor-logo-2011-flat.svg

Many tutorials are floating around with instructions to make a raspberry pi into a wifi wireless access point that will direct all client traffic through the onion ring anonymizer network, for example here and here. They all seem to be various versions of some initial document somewhere, and none actually clearly call out everything that is needed.

The pi this runs on has an internet connection via copper from physical LAN port to ISP router. Also, I use ufw as the pi's firewall and so ufw rules are included below.

So here are my working configuration files, including those for the tor, hostapd, dnsmasq and ufw daemons. This pi reports kernel 4.19.60 and /etc/issue says "Raspbian GNU/Linux 10".


/etc/network/interfaces.d/wlan0

I prefer to keep /etc/network/interfaces empty and have individual files for network adapters in /etc/network/interfaces.d. Here is /etc/network/interfaces.d/wlan0:

allow-hotplug wlan0
iface wlan0 inet static
    address 192.168.5.1
    netmask 255.255.255.0
    network 192.168.5.0
    broadcast 192.168.5.255

Note: a couple of online tutorials I saw forgot to mention that the wlan0 IP network has to match the IPs that dnsmasq DHCP server and tor transport and DNS server addresses bind to, as you will see below in torrc.


/etc/hostapd/hostapd.conf

Adjust ssid and password to your preference.

interface=wlan0
ssid=ONION
hw_mode=g
channel=11
macaddr_acl=0
auth_algs=1
ignore_broadcast_ssid=0
wpa=2
wpa_passphrase=SOMEPASSWORDHERE
wpa_key_mgmt=WPA-PSK
wpa_pairwise=TKIP
rsn_pairwise=CCMP


/etc/dnsmasq.conf

no-resolv
interface=wlan0
dhcp-range=192.168.5.100,192.168.5.199,255.255.255.0,6h
# Cloudflare free dns
server=1.1.1.1


/etc/tor/torrc

Log notice syslog
VirtualAddrNetwork 10.192.0.0/10
AutomapHostsSuffixes .onion,.exit
AutomapHostsOnResolve 1
TransPort 192.168.5.1:59040
DNSPort 192.168.5.1:53


/etc/ufw/before.rules

You need to already have IP forwarding enabled in the kernel (check /etc/sysctl.conf and set net.ipv4.ip_forward=1), and add the following nat rules for all DNS and TCP traffic on wlan0 to be passed through tor. This makes any wireless clients connecting to your wifi access point use tor for traffic.

This is my entire before.rules file, including other unrelated stuff. You only need the tor-related nat table rules at the top to drop into the existing before.rules installed with ufw. (Unrelated, but this specific pi also happens to host a simh VAX that acts as the DECnet router for my real MicroVAX 3100-80, nodename MARIAH.)

#
# rules.before
#
# Rules that should be run before the ufw command line added rules. Custom
# rules should be added to one of these chains:
#   ufw-before-input
#   ufw-before-output
#   ufw-before-forward
#

# **********
# NAT table rules
# **********
*nat
:PREROUTING ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]

# ---
# Flush the table first, otherwise UFW keeps adding the rules if reloaded
# ---
-F

# ---
# Incoming connections port forwardings
# ---
# TELNET to MARIAH with rate limiting
-A PREROUTING -i br-ip -p tcp --dport 23 -j DNAT --to-destination 10.3.100.80 -m limit --limit 1/minute --limit-burst 1

# TOR | All DNS traffic from wlan0 to TOR (see /etc/tor/torrc)
-A PREROUTING -i wlan0 -p udp --dport 53 -j REDIRECT --to-ports 53
# TOR | All TCP traffic from wlan0 to TOR (see /etc/tor/torrc)
-A PREROUTING -i wlan0 -p tcp --syn -j REDIRECT --to-ports 59040

# ---
# Forward outgoing traffic from MARIAH through br-ip to the internet
# ---
-A POSTROUTING -o br-ip -j MASQUERADE

# don't delete the 'COMMIT' line or these nat table rules won't
# be processed
COMMIT

# **********
# End NAT table rules
# **********

# Don't delete these required lines, otherwise there will be errors
*filter
:ufw-before-input - [0:0]
:ufw-before-output - [0:0]
:ufw-before-forward - [0:0]
:ufw-not-local - [0:0]
# End required lines


# allow all on loopback
-A ufw-before-input -i lo -j ACCEPT
-A ufw-before-output -o lo -j ACCEPT

# quickly process packets for which we already have a connection
-A ufw-before-input -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A ufw-before-output -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A ufw-before-forward -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT

# drop INVALID packets (logs these in loglevel medium and higher)
-A ufw-before-input -m conntrack --ctstate INVALID -j ufw-logging-deny
-A ufw-before-input -m conntrack --ctstate INVALID -j DROP

# ok icmp codes for INPUT
-A ufw-before-input -p icmp --icmp-type destination-unreachable -j ACCEPT
-A ufw-before-input -p icmp --icmp-type time-exceeded -j ACCEPT
-A ufw-before-input -p icmp --icmp-type parameter-problem -j ACCEPT
-A ufw-before-input -p icmp --icmp-type echo-request -j ACCEPT

# ok icmp code for FORWARD
-A ufw-before-forward -p icmp --icmp-type destination-unreachable -j ACCEPT
-A ufw-before-forward -p icmp --icmp-type time-exceeded -j ACCEPT
-A ufw-before-forward -p icmp --icmp-type parameter-problem -j ACCEPT
-A ufw-before-forward -p icmp --icmp-type echo-request -j ACCEPT

# allow dhcp client to work
-A ufw-before-input -p udp --sport 67 --dport 68 -j ACCEPT

#
# ufw-not-local
#
-A ufw-before-input -j ufw-not-local

# if LOCAL, RETURN
-A ufw-not-local -m addrtype --dst-type LOCAL -j RETURN

# if MULTICAST, RETURN
-A ufw-not-local -m addrtype --dst-type MULTICAST -j RETURN

# if BROADCAST, RETURN
-A ufw-not-local -m addrtype --dst-type BROADCAST -j RETURN

# all other non-local packets are dropped
-A ufw-not-local -m limit --limit 3/min --limit-burst 10 -j ufw-logging-deny
-A ufw-not-local -j DROP

# allow MULTICAST mDNS for service discovery (be sure the MULTICAST line above
# is uncommented)
-A ufw-before-input -p udp -d 224.0.0.251 --dport 5353 -j ACCEPT

# allow MULTICAST UPnP for service discovery (be sure the MULTICAST line above
# is uncommented)
-A ufw-before-input -p udp -d 239.255.255.250 --dport 1900 -j ACCEPT

# don't delete the 'COMMIT' line or these rules won't be processed
COMMIT


UFW Rules

And finally, add UFW firewall rules to allow DNS and tor transport traffic from the command line:

# ufw allow in on wlan0 to any port 53 proto udp comment "dns for wireless clients"

# ufw allow in on wlan0 to any port 59040 proto tcp comment "tor transport for wireless clients"


That's it. Restart all affected daemons, including ufw (disable and enable it), connect a computer to the wireless hotspot and visit a website that will report the IP address it sees the browser request coming from (e.g. https://whoer.net/). Apparently I am currently accessing the internet from a tor exit point somewhere in Austria.



No comments:

Post a Comment

"SEO" link builders: move on, your spam link will not get posted.

Note: Only a member of this blog may post a comment.