Tor transparent proxy on a GL.iNet router

Here’s how you can make a PORTAL-like device using the very trendy GL.iNet router. There is nothing new in this post; it’s all based on work done by folks like the grugq and Dan Staples: https://disman.tl/2014/09/13/transparent-tor-gateway-on-openwrt.html

April 2015 update:

Ars Technica recently published a story about how using a transparent Tor proxy is “EPICFAIL.” http://arstechnica.com/security/2015/04/op-ed-why-the-entire-premise-of-tor-enabled-routers-is-ridiculous/

The assumption in the story is that the user is using the same computer with the Tor proxy as he/she uses day-to-day. Do not do this. The device you use with a Tor router should be used ONLY on the Tor proxy.

We’re going to configure the router like so:

  • “wan” will be configured with dhcp. Plug this into a place where you can get internet.
  • “lan” will be used for management and configuration only. I picked 192.168.8.0/24 for this.
  • “wlan0” will be the wifi access point where the devices you want to use with Tor will connect.

1. Get a router from the Internet. I ordered from this seller: http://www.dx.com/p/gl-inet-6416a-micro-usb-powered-smart-router-w-16m-rom-white-335418 (Fun fact: it shipped from The Netherlands). Make sure you get a model 6416A.

2. Flash it with OpenWrt 14.07

https://downloads.openwrt.org/barrier_breaker/14.07/ar71xx/generic/openwrt-ar71xx-generic-gl-inet-v1-squashfs-factory.bin

More information here:  http://wiki.openwrt.org/toh/gl-inet/gl-inet

3. Install Tor

root@OpenWrt:~# opkg update
Downloading http://downloads.openwrt.org/barrier_breaker/14.07/ar71xx/generic/packages/base/Packages.gz.
[...]
root@OpenWrt:~# opkg install tor-alpha tor-alpha-fw-helper tor-alpha-geoip
[...]
root@OpenWrt:~# /etc/init.d/tor enable

There will probably be a few dependencies installed also.

4. Edit /etc/config/network

config interface 'loopback'
        option ifname 'lo'
        option proto 'static'
        option ipaddr '127.0.0.1'
        option netmask '255.0.0.0'

config interface 'lan'
        option ifname 'eth1'
        option type 'bridge'
        option _orig_ifname 'eth1 radio0.network1'
        option _orig_bridge 'true'
        option proto 'static'
        option ipaddr '192.168.8.1'
        option netmask '255.255.255.0'
        option disable_ipv6 '1'

config interface 'wan'
        option ifname 'eth0'
        option proto 'dhcp'
        option hostname 'tablet;)'
        option disable_ipv6 '1'

config interface 'tor'
        option proto 'static'
        option ipaddr '172.16.1.1'
        option netmask '255.255.255.0'
        option disable_ipv6 '1'

5. Edit /etc/config/dhcp.

Add the following to the bottom:

config dhcp tor
        option interface    tor
        option start        100
        option limit        150
        option leasetime    1h

6. Edit /etc/config/wireless

config wifi-device 'radio0'
        option type 'mac80211'
        option path 'platform/ar933x_wmac'
        list ht_capab 'SHORT-GI-20'
        list ht_capab 'SHORT-GI-40'
        list ht_capab 'RX-STBC1'
        list ht_capab 'DSSS_CCK-40'
        option txpower '20'
        option country 'CN'
        option channel 'auto'
        option hwmode '11ng'
        option htmode 'HT20'
        option AMPDULim '50000'

config wifi-iface
        option device 'radio0'
        option network 'tor'
        option mode 'ap'
        option encryption 'psk-mixed'
        option wds '1'
        option uapsd '1'
        option ssid 'default'
        option key 'somepassword'
        option disabled '0'

7. Edit /etc/config/firewall

config defaults
        option syn_flood '1'
        option input 'ACCEPT'
        option output 'ACCEPT'
        option forward 'REJECT'

config zone
        option name 'lan'
        list network 'lan'
        option input 'ACCEPT'
        option output 'ACCEPT'
        option forward 'ACCEPT'

config zone
        option name 'wan'
        list network 'wan'
        list network 'wan6'
        option input 'REJECT'
        option output 'ACCEPT'
        option forward 'REJECT'
        option masq '1'
        option mtu_fix '1'

config zone
        option name 'tor'
        option network 'tor'
        option input 'REJECT'
        option output 'ACCEPT'
        option forward 'REJECT'
        option conntrack '1'

config rule
        option name 'Allow-Tor-DHCP'
        option src 'tor'
        option proto 'udp'
        option dest_port '67'
        option target 'ACCEPT'
        option family 'ipv4'

config rule
        option name 'Allow-Tor-DNS'
        option src 'tor'
        option proto 'udp'
        option dest_port '9053'
        option target 'ACCEPT'
        option family 'ipv4'

config rule
        option name 'Allow-Tor-Transparent'
        option src 'tor'
        option proto 'tcp'
        option dest_port '9040'
        option target 'ACCEPT'
        option family 'ipv4'

config rule
        option name 'Allow-Tor-SOCKS'
        option src 'tor'
        option proto 'tcp'
        option dest_port '9050'
        option target 'ACCEPT'
        option family 'ipv4'

config rule
        option name 'Allow-DHCP-Renew'
        option src 'wan'
        option proto 'udp'
        option dest_port '68'
        option target 'ACCEPT'
        option family 'ipv4'

config rule
        option name 'Allow-Ping'
        option src 'wan'
        option proto 'icmp'
        option icmp_type 'echo-request'
        option family 'ipv4'
        option target 'ACCEPT'

config forwarding
        option src 'lan'
        option dest 'wan'

config include
        option path '/etc/firewall.user'

8. Edit /etc/firewall.user

enable_transparent_tor() {
  iptables -t nat -A PREROUTING -i wlan0 -p udp --dport 53 -j REDIRECT --to-ports 9053
  iptables -t nat -A PREROUTING -i wlan0 -p tcp --syn -j REDIRECT --to-ports 9040
}
enable_transparent_tor

9. Edit /etc/tor/torrc

Add the following lines to the bottom

AllowUnverifiedNodes middle,rendezvous
AutomapHostsOnResolve 1
SocksPort 9050
SocksBindAddress 172.16.1.1:9050
VirtualAddrNetwork 10.192.0.0/10
TransPort 9040
TransListenAddress 172.16.1.1
DNSPort 9053
DNSListenAddress 172.16.1.1

10. Edit /etc/init.d/tor

I needed to add a sleep to the init script so Tor would start on boot.

        [...]
        sleep 60
        service_start /usr/sbin/tor --PidFile /var/run/tor.pid
        [...]

11. Harden it up a bit. There is probably a lot that could be done here. For example, it’s a good idea to turn off IP forwarding. In /etc/sysctl.conf:

net.ipv4.ip_forward=0
[...]
net.ipv6.conf.default.forwarding=0
net.ipv6.conf.all.forwarding=0

12. Boot it up, connect to the wifi AP and check if you’re using Tor.

https://check.torproject.org/

PORTAL for Debian

Rockstar hacker and OPSEC aficionado the grugq has detailed how to set up a Raspberry Pi as a transparent Tor proxy of sorts. This has a number of advantages over using something like the Tor Browser Bundle or manually pointing your applications at Tor. The main advantage is that it limits your ability to misconfigure an application such that it leaks information or, worse, isn’t actually using Tor at all. By setting up a dedicated captive Tor portal, you can be fairly certain that all TCP traffic is going through Tor. All UDP traffic destined for port 53 (DNS) is redirected to the Tor daemon and everything else is dropped.

His instructions are here:  https://github.com/grugq/PORTALofPi. My instructions are basically verbatim from his build.sh script.

The instructions below use vanilla Debian 7 x86 on an old netbook. The only extra hardware I used is a USB Ethernet adapter (e.g. a MosChip Semiconductor MCS7830 10/100 Mbps Ethernet adapter). If you’re clever, you could use the internal wifi card to set up a WAP for the captive portal.


April 6, 2014 Update:
@asshurtACKFlags has some instructions that use a Raspberry Pi and Raspbian.

https://github.com/asshurtmacfags/PORTALofRaspian


March 3, 2014 Update:
There may be an issue when trying to access .onion addresses. Details and a fix are here: https://github.com/grugq/PORTALofPi/issues/16. I cannot replicate the issue; for example, accessing DDG via the .onion at http://3g2upl4pq6kufc4m.onion/ works on the configuration documented below.

There is also a similar project here: http://learn.adafruit.com/onion-pi/overview. It also uses a Raspberry Pi.

Step 1: Set up the interfaces

eth0: The internets, however you get it. I’d recommend a non-NAT’d IP.
eth1: This is the private captive network.  You can put a wireless access point on this network so you can use a tablet.

Edit /etc/network/interfaces

auto eth0
iface eth0 inet dhcp

auto eth1
iface eth1 inet static
  # Uncomment the line below once you have the network working and Tor configured
  # pre-up iptables-restore < /etc/network/iptables.tor.rules
  address 172.16.0.1
  network 172.16.0.0
  netmask 255.255.255.0

Step 2: Install Tor and dnsmasq (for DHCP)

apt-get install tor dnsmasq

Step 3: Configure Tor

This sets up Tor as a transparent proxy.

cp /etc/tor/torrc /etc/tor/torrc.backup
cat > /etc/tor/torrc << __TORRC__
AllowUnverifiedNodes middle,rendezvous
Log notice syslog
DataDirectory /var/lib/tor
SocksPort 9050
SocksBindAddress 127.0.0.1
SocksBindAddress 172.16.0.1:9050
VirtualAddrNetwork 10.192.0.0/10
AutomapHostsOnResolve 1
TransPort 9040
TransListenAddress 172.16.0.1
DNSPort 9053
DNSListenAddress 172.16.0.1
__TORRC__

Step 4: Configure dnsmasq

cp /etc/dnsmasq.conf /etc/dnsmasq.conf.backup
cat > /etc/dnsmasq.conf << __DNSMASQ__
bogus-priv
filterwin2k
interface=eth1
bind-interfaces
dhcp-range=172.16.0.50,172.16.0.150,12h
__DNSMASQ__

Step 5: Set up iptables

cat > /etc/network/iptables.tor.rules << __IPTABLES__
*nat
:PREROUTING ACCEPT [0:0]
:INPUT ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
-A PREROUTING -i eth1 -p tcp -m tcp --tcp-flags FIN,SYN,RST,ACK SYN -j REDIRECT --to-ports 9040
-A PREROUTING -i eth1 -p udp -m udp --dport 53 -j REDIRECT --to-ports 9053
COMMIT
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -p icmp -j ACCEPT
-A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A INPUT -i lo -j ACCEPT
-A INPUT -i eth1 -p tcp -m tcp --dport 9050 -j ACCEPT
-A INPUT -i eth1 -p tcp -m tcp --dport 9040 -j ACCEPT
-A INPUT -i eth1 -p udp -m udp --dport 9053 -j ACCEPT
-A INPUT -i eth1 -p udp -m udp --dport 67 -j ACCEPT
# The rule below allows SSH access on the external interface, delete this if you don't want that.
-A INPUT -i eth0 -p tcp --dport 22 -j ACCEPT
-A INPUT -p tcp -j REJECT --reject-with tcp-reset
-A INPUT -p udp -j REJECT --reject-with icmp-port-unreachable
-A INPUT -j REJECT --reject-with icmp-proto-unreachable
COMMIT
__IPTABLES__

**** Go and uncomment the pre-up rule in /etc/network/interfaces ****

Step 6: Reboot and plug something into eth1
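Both builds above depend on the same two properties of the ruleset: everything TCP and every UDP/53 query arriving on the captive interface is redirected into Tor (step 8 of the GL.iNet build, Step 5 here), and the gateway never forwards client packets on its own. The script below is an added example, not code from the original post, PORTALofPi or OpenWrt; it audits an `iptables-save` dump for those properties. The two dumps embedded in it are constructed samples (the second one deliberately misconfigured), and the interface and port arguments default to the Debian values (eth1, 9040, 9053); pass wlan0 for the router build.

```shell
#!/bin/sh
# audit_tor_gateway.sh (added example, not from the original post or PORTALofPi)
# Checks an `iptables-save` dump for the properties a transparent Tor gateway
# must have: SYN and UDP/53 from the captive side are redirected into Tor, and
# the FORWARD chain lets nothing through.

# Constructed sample: the Step 5 rules as `iptables-save` would print them.
GOOD_DUMP='*nat
:PREROUTING ACCEPT [0:0]
:INPUT ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
-A PREROUTING -i eth1 -p tcp -m tcp --tcp-flags FIN,SYN,RST,ACK SYN -j REDIRECT --to-ports 9040
-A PREROUTING -i eth1 -p udp -m udp --dport 53 -j REDIRECT --to-ports 9053
COMMIT
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -i lo -j ACCEPT
-A INPUT -i eth1 -p tcp -m tcp --dport 9040 -j ACCEPT
-A INPUT -i eth1 -p udp -m udp --dport 9053 -j ACCEPT
COMMIT'

# Constructed misconfiguration: the DNS redirect is missing and FORWARD defaults
# to ACCEPT, so clients resolve names in the clear and can bypass Tor entirely.
LEAKY_DUMP='*nat
:PREROUTING ACCEPT [0:0]
-A PREROUTING -i eth1 -p tcp -m tcp --tcp-flags FIN,SYN,RST,ACK SYN -j REDIRECT --to-ports 9040
COMMIT
*filter
:INPUT DROP [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
COMMIT'

# table_section DUMP TABLE: print the lines of one table (between "*TABLE" and COMMIT).
table_section() {
    printf '%s\n' "$1" | awk -v want="*$2" '
        $0 == want   { inside = 1; next }
        /^COMMIT/    { inside = 0 }
        inside       { print }'
}

# audit_tor_gateway DUMP [IFACE] [TRANSPORT] [DNSPORT]
# Prints one FAIL line per violated check; returns 0 only when every check passes.
audit_tor_gateway() {
    dump=$1; iface=${2:-eth1}; trans=${3:-9040}; dns=${4:-9053}
    nat=$(table_section "$dump" nat)
    filter=$(table_section "$dump" filter)
    failed=0

    # 1. New TCP connections (SYN) from the captive side go to Tor's TransPort.
    #    iptables-save stores `--syn` as `--tcp-flags FIN,SYN,RST,ACK SYN`.
    printf '%s\n' "$nat" | grep -q -- "^-A PREROUTING -i $iface -p tcp .*SYN.*-j REDIRECT --to-ports $trans\$" \
        || { echo "FAIL: no TCP SYN redirect to TransPort $trans on $iface"; failed=1; }

    # 2. Plain DNS from the captive side goes to Tor's DNSPort.
    printf '%s\n' "$nat" | grep -q -- "^-A PREROUTING -i $iface -p udp .*--dport 53 -j REDIRECT --to-ports $dns\$" \
        || { echo "FAIL: no UDP/53 redirect to DNSPort $dns on $iface"; failed=1; }

    # 3. The FORWARD policy is DROP: the gateway must not route anything itself.
    printf '%s\n' "$filter" | grep -q '^:FORWARD DROP ' \
        || { echo "FAIL: FORWARD policy is not DROP"; failed=1; }

    # 4. ... and no explicit rule punches a hole through FORWARD.
    if printf '%s\n' "$filter" | grep -q '^-A FORWARD .*-j ACCEPT'; then
        echo "FAIL: a FORWARD rule accepts traffic"; failed=1
    fi
    return $failed
}

# `sh audit_tor_gateway.sh live [IFACE] [TRANSPORT] [DNSPORT]` audits the running ruleset;
# `sh audit_tor_gateway.sh demo` runs both constructed samples.
case ${1:-} in
    live) shift; audit_tor_gateway "$(iptables-save)" "$@" ;;
    demo) echo "good ruleset:";  audit_tor_gateway "$GOOD_DUMP"  && echo "OK"
          echo "leaky ruleset:"; audit_tor_gateway "$LEAKY_DUMP" || echo "(expected failures)" ;;
esac
```

Run it as root on the gateway after each reboot (`sh audit_tor_gateway.sh live eth1`, or `live wlan0 9040 9053` on the router); a non-zero exit means at least one of the redirects is missing or the box is forwarding, and the FAIL lines say which. The sysctl settings from step 11 are the belt to this suspenders: with FORWARD set to DROP the kernel would not route client packets even if forwarding were still enabled.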

Remote for SoundBridge on BlackBerry 10 and PlayBook

I recently dusted off a Roku Soundbridge M1001 that had been sitting in a box for a year. The device has been discontinued for quite some time and the software hasn’t been updated in a few years. I plugged it in and it immediately started streaming the last radio station I had listened to before retiring the device. To my surprise, it also found my dlna server and everything just worked. It’s a really nice device with a beautiful display and it’s a shame it sat in a box for this long. Also to my surprise, I found a really nice remote control app for Android that also happens to work perfectly when sideloaded on a Blackberry 10 phone and even a PlayBook.

It’s called “Remote for SoundBridge”; you can get it in the Google Play store, and the developer’s website is here: http://rcforsb.blogspot.ca/

I used http://apps.goodereader.com/apk-2-bar/ to convert the apk to a bar. Below are some screenshots from a Q10.

Update: The developer has given me permission to host the bar file: de.kompf.android.rokucontrol_v4.5.450.bar

Mac Mini 1,1 A1176 upgrade (Silverlight sucks)

In 2006, I bought an Intel-based Mac Mini. It had 512MB of RAM, a 1.67GHz Core Duo (T2300) and an 80GB 5400 rpm drive, blah blah blah. Over the years I put in 2GB of RAM, then an SSD. Lately, one of its main functions has been playing Netflix, and it struggled with anything over about 480p-ish. I put in a 2.0GHz Core 2 Duo (T7200) and it still struggles with 480p! This 7-year-old machine can play 20 Mbps 1080p h.264 with VLC or “1080p” HTML5 off YouTube, but not 480p Netflix. Yay Silverlight!

iPod Touch 4th Gen Repair How Not To

After a few years of use and then an unfortunate accident, both the battery and the screen on the household iPod touch were done like dinner. I looked at the guide on iFixit (not linked for your sanity) and decided that I could fix it. I’ve done stuff like this before. I’ve replaced the battery in a click-wheel iPod and the screen on a Blackberry three times.

Dishes are done, the house is quiet, and the sun is shining in the dining room. It’ll be enjoyable and rewarding. Let’s start.

Nice bright evening! All ready to go!

Here we are 90 minutes later and I’m about to test it before putting in the screws. Ruh-roh, what’s that? Do you see it? It’s a little ribbon cable, and it’s $%#@#$^ torn!

Game over. Please don’t try again.

I could probably get a replacement ribbon cable, but I think I’ll follow the Apple way and just throw it all in the garbage.

Fin.

I’m done giving Vantec money

I was in need of a USB 2.5″ HD enclosure and decided on a Vantec case because then I would not have to worry about opening the box and finding one of those stupid USB A to A cables. Wrong. Maybe I’m just behind the times, though, and this is OK with USB 3.0? If you would like to avoid this product, it’s a Vantec NexStar CX (NST-200S3-BK).

A fellow turbo-nerd on IRC pointed out that Wikipedia has a nice little matrix of USB connectors, and it says that A to A is “non-standard”:

Non-standard
existing for specific proprietary purposes, and not interoperable with USB-IF compliant equipment.

My previous issue with a Vantec product is here:  Who let the smoke out

Mini-Box M350 + Intel DQ77KB + i3 2120

I’ve been shopping for a replacement motherboard and CPU for my M350 case for a long time. It had an Atom board in it for a while, but it was such a poor performance/power consumption combination. The Intel DQ77KB fits fairly well, but there are two modifications you need to make. First, the power switch and LED wires are too short to reach the headers on the motherboard; you need to either get new header wires or bust out the soldering iron and make them longer. Second, if you want to use a 2.5″ drive (and not an mSATA drive in the PCIe slot), you need to make some new holes in the hard drive bracket: the stock HSF unit that comes with a standard i3 CPU is slightly too big and crowds the drive, and there aren’t many options for smaller coolers. The picture below shows where you need to drill. I only have two screws holding the HD on, but it’s very secure. I used some little rubber spacers to prevent the HD from coming into direct contact with the bracket.

This combination of motherboard, CPU, a single 8GB DIMM, and a 7mm single-platter 250GB drive uses 21 watts when idle. I should mention that I’m using an old 90W Dell laptop power supply for this board.

Mounting an encrypted LVM volume in Ubuntu

For whatever reason, finding simple instructions on mounting an encrypted LVM volume with Ubuntu is hard. Setting up encryption at install time and then unlocking the volume at boot time is very simple and transparent. If you take the hard drive out and attempt to mount on another machine, it isn’t so simple (or maybe I’m just doing this wrong).

1. Run fdisk and make sure you can see the partitions. In my case the drive showed up as sdd.

# fdisk -l /dev/sdd
Disk /dev/sdd: 250.1 GB, 250059350016 bytes
255 heads, 63 sectors/track, 30401 cylinders, total 488397168 sectors
Units = sectors of 1 * 512 = 512 bytes
Sector size (logical/physical): 512 bytes / 512 bytes
I/O size (minimum/optimal): 512 bytes / 512 bytes
Disk identifier: 0x000a29e1

   Device Boot      Start         End      Blocks   Id  System
/dev/sdd1   *        2048      499711      248832   83  Linux
/dev/sdd2          501758   488396799   243947521    5  Extended
/dev/sdd5          501760   488396799   243947520   83  Linux

In a typical Ubuntu installation, the /dev/sdx5 partition is what you want to mount.

2. Run cryptsetup to unlock the volume

# cryptsetup luksOpen /dev/sdd5 olddrive
Enter passphrase for /dev/sdd5:

3. vgscan will show you the volume groups contained in the encrypted volume.

# vgscan
Reading all physical volumes. This may take a while...
Found volume group "dt" using metadata type lvm2

The volume groups you find will likely be named after your hostname (e.g. johns-laptop).

4. Activate the volumes and mount the old root.

# vgchange -a y
2 logical volume(s) in volume group "dt" now active
# lvscan
ACTIVE '/dev/dt/root' [224.76 GiB] inherit
ACTIVE '/dev/dt/swap_1' [7.88 GiB] inherit
# mkdir /media/olddrive; mount /dev/dt/root /media/olddrive

5. Your old root volume is now available at /media/olddrive.

What’s going on here? Maybe this helps?

# lsblk
[...]
sdd                       8:48   0 232.9G  0 disk
├─sdd1                    8:49   0   243M  0 part
├─sdd2                    8:50   0     1K  0 part
└─sdd5                    8:53   0 232.7G  0 part
  └─olddrive (dm-1)     252:1    0 232.7G  0 crypt
    ├─dt-root (dm-2)    252:2    0 224.8G  0 lvm
    └─dt-swap_1 (dm-3)  252:3    0   7.9G  0 lvm

All done? Unmount.

# umount /media/olddrive
# vgchange -a n dt
0 logical volume(s) in volume group "dt" now active

At this point you should be able to do the following.

# cryptsetup luksClose olddrive

… however I seem to have run into a bug that reports the device is busy.
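The lsblk tree above also explains the "device is busy" error: luksClose can only succeed once nothing is stacked on the crypt mapping, and the two logical volumes sit directly on it. The script below is an added example, not from the original post, that reads `lsblk -P -o NAME,PKNAME,TYPE` (the key="value" output format) and lists what still holds a device open, deepest first, which is the order in which things have to be released. The two lsblk outputs embedded in it are constructed samples matching the layout shown above, before and after `vgchange -a n dt`.

```shell
#!/bin/sh
# dm_holders.sh (added example, not from the original post)
# Answer "what is still sitting on this device?" from `lsblk -P -o NAME,PKNAME,TYPE`
# output, so a busy luksClose can be traced to the mapping that was not released.

# Constructed sample: the layout above while the VG is active.
SAMPLE_LSBLK='NAME="sda" PKNAME="" TYPE="disk"
NAME="sda1" PKNAME="sda" TYPE="part"
NAME="sdd" PKNAME="" TYPE="disk"
NAME="sdd1" PKNAME="sdd" TYPE="part"
NAME="sdd2" PKNAME="sdd" TYPE="part"
NAME="sdd5" PKNAME="sdd" TYPE="part"
NAME="olddrive" PKNAME="sdd5" TYPE="crypt"
NAME="dt-root" PKNAME="olddrive" TYPE="lvm"
NAME="dt-swap_1" PKNAME="olddrive" TYPE="lvm"'

# Constructed sample: the same machine after `vgchange -a n dt`; only the crypt mapping is left.
SAMPLE_AFTER_VGCHANGE='NAME="sdd" PKNAME="" TYPE="disk"
NAME="sdd5" PKNAME="sdd" TYPE="part"
NAME="olddrive" PKNAME="sdd5" TYPE="crypt"'

# holders LSBLK_PAIRS DEVICE: print, one per line, the devices stacked directly on DEVICE.
holders() {
    printf '%s\n' "$1" | sed -n "s/^NAME=\"\([^\"]*\)\" PKNAME=\"$2\" TYPE=.*/\1/p"
}

# descendants LSBLK_PAIRS DEVICE: everything stacked on DEVICE at any depth,
# deepest first, i.e. the order in which the layers must be torn down.
descendants() {
    printf '%s\n' "$1" | awk -v root="$2" '
        {
            name = $0;   sub(/^NAME="/, "", name);      sub(/".*/, "", name)
            parent = $0; sub(/.*PKNAME="/, "", parent); sub(/".*/, "", parent)
            kids[parent] = kids[parent] " " name
        }
        function walk(dev,    n, i, parts) {
            n = split(kids[dev], parts, " ")
            for (i = 1; i <= n; i++) { walk(parts[i]); print parts[i] }
        }
        END { walk(root) }'
}

# released LSBLK_PAIRS DEVICE: succeed only when nothing sits on DEVICE any more,
# which is the precondition for `cryptsetup luksClose DEVICE`.
released() {
    [ -z "$(holders "$1" "$2")" ]
}

# `sh dm_holders.sh live olddrive` inspects the running system;
# `sh dm_holders.sh demo` walks the constructed samples.
case ${1:-} in
    live) shift; live=$(lsblk -P -o NAME,PKNAME,TYPE)
          echo "still holding $1:"; descendants "$live" "$1"
          released "$live" "$1" && echo "nothing: luksClose should succeed" ;;
    demo) echo "before vgchange -a n:"; descendants "$SAMPLE_LSBLK" olddrive
          echo "after vgchange -a n:";  released "$SAMPLE_AFTER_VGCHANGE" olddrive && echo "released" ;;
esac
```

If `released` fails after `vgchange -a n`, the names printed by `descendants` are the mappings that were not deactivated (or were re-activated by udev/lvmetad); deal with those before retrying luksClose, rather than forcing the close.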

Who let the smoke out?

It was the transformer that melted. I took this apart during lunch time and that was a bad idea. The smell was horrible. Before this happened, I did get a few years of daily use out of it at least.

Spot the LED

I finally splurged (an impulse buy, no less) on an LED light bulb. It’s a Philips VisionLED 10.5-Watt 3000K 800 lumen A19 base LED light bulb. On the packaging there is a claim to be equivalent to a 60W bulb. I actually replaced a standard 60W incandescent and it is noticeably brighter. For $17.88, I’m quite impressed.

ʇɟǝl ǝɥʇ ɯoɹɟ pɹıɥʇ