Rockstar hacker and OPSEC aficionado, the grugq, has detailed how to set up a Raspberry Pi as a transparent Tor proxy of sorts. This has a number of advantages over using something like the Tor browser bundle or manually pointing your applications at Tor. The main advantage is that it limits your ability to misconfigure the application such that it leaks information or, worse, isn’t actually using Tor at all. By setting up a dedicated captive Tor portal, you can be fairly certain that all TCP traffic is going through Tor. All UDP traffic destined for port 53 (DNS) is redirected to the Tor daemon and everything else is dropped.
His instructions are here: https://github.com/grugq/PORTALofPi. My instructions are basically verbatim from his build.sh script.
The instructions below use vanilla Debian 7 x86 on an old netbook. The only extra hardware I used is a USB ethernet adapter (e.g. a MosChip Semiconductor MCS7830 10/100 Mbps Ethernet adapter). If you’re clever, you could use the internal wifi card to set up a WAP for the captive portal.
April 6, 2014 Update:
@asshurtACKFlags has some instructions that use a Raspberry Pi and Raspbian.
March 3, 2014 Update:
There may be an issue when trying to access .onion addresses. Details and a fix are here: https://github.com/grugq/PORTALofPi/issues/16. I cannot replicate the issue. e.g. accessing DDG via the .onion at http://3g2upl4pq6kufc4m.onion/ works on the configuration documented below.
There is also a similar project here: http://learn.adafruit.com/onion-pi/overview. It also uses a Raspberry Pi.
Step 1: Set up the interfaces
eth0: The internets, however you get it. I’d recommend a non-NAT’d IP.
eth1: This is the private captive network. You can put a wireless access point on this network so you can use a tablet.

# /etc/network/interfaces
auto eth0
iface eth0 inet dhcp

auto eth1
iface eth1 inet static
    # Uncomment the line below once you have the network working and Tor configured
    # pre-up iptables-restore < /etc/network/iptables.tor.rules
    address 172.16.0.1
    network 172.16.0.0
    netmask 255.255.255.0

Step 2: Install Tor and dnsmasq (for dhcp)
apt-get install tor dnsmasq
Step 3: Configure Tor
This sets up Tor as a transparent proxy.

cp /etc/tor/torrc /etc/tor/torrc.backup
cat > /etc/tor/torrc << __TORRC__
AllowUnverifiedNodes middle,rendezvous
Log notice syslog
DataDirectory /var/lib/tor
SocksPort 9050
SocksBindAddress 127.0.0.1
SocksBindAddress 172.16.0.1:9050
VirtualAddrNetwork 10.192.0.0/10
AutomapHostsOnResolve 1
TransPort 9040
TransListenAddress 172.16.0.1
DNSPort 9053
DNSListenAddress 172.16.0.1
__TORRC__

Step 4: Configure dnsmasq

cp /etc/dnsmasq.conf /etc/dnsmasq.conf.backup
cat > /etc/dnsmasq.conf << __DNSMASQ__
bogus-priv
filterwin2k
interface=eth1
bind-interfaces
dhcp-range=172.16.0.50,172.16.0.150,12h
__DNSMASQ__

Step 5: Set up iptables

cat > /etc/network/iptables.tor.rules << __IPTABLES__
*nat
:PREROUTING ACCEPT [0:0]
:INPUT ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
-A PREROUTING -i eth1 -p tcp -m tcp --tcp-flags FIN,SYN,RST,ACK SYN -j REDIRECT --to-ports 9040
-A PREROUTING -i eth1 -p udp -m udp --dport 53 -j REDIRECT --to-ports 9053
COMMIT
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -p icmp -j ACCEPT
-A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A INPUT -i lo -j ACCEPT
-A INPUT -i eth1 -p tcp -m tcp --dport 9050 -j ACCEPT
-A INPUT -i eth1 -p tcp -m tcp --dport 9040 -j ACCEPT
-A INPUT -i eth1 -p udp -m udp --dport 9053 -j ACCEPT
-A INPUT -i eth1 -p udp -m udp --dport 67 -j ACCEPT
# The rule below allows SSH access on the external interface, delete this if you don't want that.
-A INPUT -i eth0 -p tcp --dport 22 -j ACCEPT
-A INPUT -p tcp -j REJECT --reject-with tcp-reset
-A INPUT -p udp -j REJECT --reject-with icmp-port-unreachable
-A INPUT -j REJECT --reject-with icmp-proto-unreachable
COMMIT
__IPTABLES__

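
Before the pre-up line is enabled, the rules file can be checked for the properties this setup depends on: a filter FORWARD policy of DROP with no ACCEPT exceptions, an unconditional TCP redirect to TransPort 9040, and a UDP/53 redirect to DNSPort 9053. This is an added example, not part of the original post or of PORTALofPi; audit_tor_rules and sample_rules are hypothetical names, and the sample ruleset is a constructed, trimmed copy of the Step 5 rules.

```shell
#!/bin/sh
# Added example, not PORTALofPi code. audit_tor_rules is a hypothetical helper;
# the eth1 default and ports 9040/9053 are this page's torrc and iptables values.
audit_tor_rules() {   # usage: audit_tor_rules RULES_FILE [LAN_IF]
    awk -v lan="${2:-eth1}" -v trans=9040 -v dns=9053 '
        /^\*/ { table = substr($0, 2); next }          # table header: *nat, *filter
        table == "filter" && $1 == ":FORWARD" { fwd_policy = $2 }
        table == "filter" && $1 == "-A" && $2 == "FORWARD" && / -j ACCEPT/ { fwd_hole = 1 }
        table == "nat" && $2 == "PREROUTING" && index($0, " -i " lan " ") && / -j REDIRECT / {
            # A --dport match on the TCP rule would leave every other port unproxied.
            if (/ -p tcp / && !/--dport/ && $0 ~ ("--to-ports " trans "( |$)")) tcp_ok = 1
            if (/ -p udp / && / --dport 53 / && $0 ~ ("--to-ports " dns "( |$)")) dns_ok = 1
        }
        END {
            if (fwd_policy != "DROP") { print "FAIL: filter FORWARD policy is not DROP"; bad++ }
            if (fwd_hole) { print "FAIL: a FORWARD ACCEPT rule routes traffic around Tor"; bad++ }
            if (!tcp_ok)  { print "FAIL: no unconditional TCP redirect to TransPort " trans; bad++ }
            if (!dns_ok)  { print "FAIL: UDP/53 is not redirected to DNSPort " dns; bad++ }
            exit bad + 0      # exit status = number of failed checks
        }
    ' "$1"
}

# Constructed sample: the redirect rules and filter policies from Step 5, trimmed.
sample_rules() {
    cat <<'EOF'
*nat
-A PREROUTING -i eth1 -p tcp -m tcp --tcp-flags FIN,SYN,RST,ACK SYN -j REDIRECT --to-ports 9040
-A PREROUTING -i eth1 -p udp -m udp --dport 53 -j REDIRECT --to-ports 9053
COMMIT
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
COMMIT
EOF
}

tmp=$(mktemp)
sample_rules > "$tmp"
audit_tor_rules "$tmp" && echo "ruleset OK: TCP and DNS are captured, nothing is forwarded"
rm -f "$tmp"
```

On the portal itself, point it at the real file: audit_tor_rules /etc/network/iptables.tor.rules
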
**** Go and uncomment the pre-up rule in /etc/network/interfaces ****
Step 6: Reboot and plug something into eth1