I'm a principal software engineer at @Talkdesk. Interested in embedded systems, infosec and distributed systems.

Onion Pi hotspot

The goal of this article is to have an access point that allows a set of clients to navigate anonymously, use cheap hardware and we don’t want to install privacy software on our devices.

The list of tools required are:

  • Raspberry Pi
  • Wifi Dongle (if not using the raspberry pi with embedded WIFI)
  • Internet connection

Note: A common understanding here is that we must be sure that our access point is secure because there is the chance that it could be listening to your connection even before the connection is delivered to the tor network. You must be careful with the information stored in your browser and should use a privacy safe browser and secure device.

First things first, I will explain how we will do our access point. We will use a raspberry pi as our access point and a wifi dongle in access point mode. For that we will use hostapd, have in mind that you will need a wifi dongle that has the necessary driver to setup hostapd. Then two more things, the tor network itself and dnsmasq to give the wifi clients an IP address.

Before we start this endeavour, we need to setup the raspberry pi and enable ssh. Go to raspbian downloads and download the operating system. After you have downloaded and burned the operating system to your ssd card. You can create a ssh file in the boot folder or use raspi-config to enable ssh.

Now you can access it with ssh pi@raspberry and the default password raspberry. Change the default password, run passwd and insert the password for pi user. Just for sack of good pratices update and upgrade the system.

We need two interfaces to serve the wifi clients and the internet connection. The eth0 interface will be used for our connection to the web and wlan0 to connect our wifi dongle. Add the following configuration the the /etc/network/interfaces:

auto lo
iface lo inet loopback

auto eth0
iface eth0 inet static
  address 192.168.2.4
  netmask 255.255.255.0
  network 192.168.2.0
  broadcast 192.168.2.255
  gateway 192.168.2.1
  dns-nameservers 192.168.2.1

allow-hotplug wlan0
iface wlan0 inet static
  address 172.24.1.1
  netmask 255.255.255.0
  network 172.24.1.0
  broadcast 172.24.1.255

After this disable the dhcpd with: systemctl disable dhcpcd. You can bring up the interface with sudo ip link set wlan0 up and reboot the raspberry for the network to be in place.

Now we will setup the dnsmasq. Since each user needs an ip address when connected to the access point, the configuration will allow 100 clients connected to the access point.

Install dnsmasq:

$ apt-get install dnsmasq

We just have to change the /etc/dnsmasq.conf and restart the service.

interface=wlan0
listen-address=172.24.1.1
bind-interfaces
server=8.8.8.8
domain-needed
bogus-priv
dhcp-range=172.24.1.50,172.24.1.150,12h

The wifi dongle by default is not in AP mode, so you won’t be able to connect clients to the raspberry. We must setup the wifi dongle as an access point. That’s where hostapd come in place, with it our dongle will be listening for connections and have an SSID and password for the users. First run apt-get install hostapd to install the tool. Next we need to configure the hostapd, edit the configuration file /etc/hostapd/hostapd.conf and insert the following configuration:

interface=wlan0
driver=nl80211
ssid=AnonAP-Onion
hw_mode=g
channel=6
macaddr_acl=0
auth_algs=1
ignore_broadcast_ssid=0
wpa=2
wpa_passphrase=1234678900
wpa_key_mgmt=WPA-PSK
wpa_pairwise=TKIP
rsn_pairwise=CCMP
ctrl_interface=/var/run/hostapd
ctrl_interface_group=0

As we are using a custom configuration include DAEMON_CONF="/etc/hostapd/hostapd.conf" in the /etc/default/hostapd file. This will say to hostapd that we want to use our configuration file. After all this check if the file was correctly configured with hostapd -dd /etc/hostapd/hostapd.conf. And finally restart the service with systemctl restart hostapd.

At this point we can connect to our access point and use it as an access point but you won’t have access to the internet. That happens because we need to forward the connection established by the wlan0 to the eth0.

$ sudo iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE
$ sudo iptables -A FORWARD -i eth0 -o wlan0 -m state --state RELATED,ESTABLISHED -j ACCEPT
$ sudo iptables -A FORWARD -i wlan0 -o eth0 -j ACCEPT

The iptables commands shown above will forward those connections to the right interface and masquerade them as it was the eth0 connection. Save and load the iptables rules in case you need to reboot the raspberry. The following two steps will save the configuration and add them to the rc.local.

$ iptables-save > saved-iptables-rules
$ cp saved-iptables-rules /etc/iptables-hostapd-rules

$ sudo vim /etc/rc.local
$ /sbin/iptables-restore < /etc/iptables-hostapd-rules

Finally we need to enable the IPv4 forwarding. Change the net.ipv4.ip_forward in the /etc/sysctl.conf to 1. We can list the devices connected to the access point with sudo iw dev wlan0 station dump.

Install TOR

At this point we can use the AP but we want to go further let our clients to navigate anomnimously. Install tor with:

$ apt-get install tor

Now that tor is intalled, let’s configure the port where tor will be listening and the necessary configurations needed by the tor proxy, go to /etc/tor/torrc and put the following config:

SOCKSPort 9040
VirtualAddrNetworkIPv4 10.192.0.0/10
TransListenAddress 172.24.1.1
TransPort 9040
DNSListenAddress 172.24.1.1
DNSPort 53

AutomapHostsSuffixes .onion,.exit
AutomapHostsOnResolve 1

The next step is setup the iptables to route TCP connection to the port we have setup and also add rules to keep having DNS and ssh to our raspberry:

$ sudo iptables -t nat -A PREROUTING -i wlan0 -p tcp --dport 22 -j REDIRECT --to-ports 22
$ sudo iptables -t nat -A PREROUTING -i wlan0 -p udp --dport 53 -j REDIRECT --to-ports 53
$ sudo iptables -t nat -A PREROUTING -i wlan0 -p tcp --syn -j REDIRECT --to-ports 9040

As we did with the other configuration, let’s save the new rules.

$ iptables-save > saved-iptables-rules
$ cp saved-iptables-rules /etc/iptables-tor-rules

$ vim /etc/rc.local
/sbin/iptables-restore < /etc/iptables-tor-rules

Restart and enable tor:

$ systemctl restart tor
$ systemctl enable tor

Connect a device and check if the setup was made with sucess at check.torproject.org. Visit DuckDuckGo and browse anonymously.


Programming Atmega328p with Avrdude

Arduino IDE it’s an awesome tool and helps a lot of beginners to give the first steps with embedded systems. When you start to have bigger projects you may want to change to another tool, my tool of choice for embedded systems is vim and with that comes using a makefile when I want to compile my projects.

I’m doing this tutorial to explain others how to compile your arduino code without the IDE. This requires you to use a library called AVR Libc from Atmel, it is an C library for Atmel AVR 8-bit RISC microcontrollers. The full documentation can be found here.

Before starting the tutorial we need a set of tools that already come with the arduino IDE. The two major tools are a compiler and a software to upload our binary to the microcontroller.

Installing the tools needed in macos is fairly easy using homebrew. We just need to run the following command:

brew install avrdude avr-gcc avr-objcopy

Our code example is the led blink and it’s like the hello world of embedded systems. Consists on a led that blinks at a given frequency. The difference from the implementation that you may be used to is the fact that will be used the AVR Libc.

The implementation of blink.c will turn on and off the led 13 from your arduino uno every two seconds.

As I said before my tool of choice is make. This is a build tool that will execute the compilation and conversion to our binary that late will be uploaded to the microcontroller.

The compilation of this example has three steps, shown here:

  1. Compile the blink.c from C code to an object
  2. Convert the object to an ELF file
  3. Convert the ELF file to a binary HEX file

Of course, as your project gets bigger the Makefile will get more complex. The use of dependencies and compatibility with different microcontrollers will make your code and build steps a new challenge. But meantime we just want to understand how to compile our simple “hello world!”.

To run the Makefile, you just need to be in the same directory as the Makefile and run the following command:

make

Yeah, now we have our binary file to be uploaded to the microcontroller. To accomplish that, Atmel has the avrdude. Run the following command and parameters:

avrdude -p m328p -P /dev/tty.usbmodem1411 -c arduino -b 115200  -D -U flash:w:blink.hex:i -v

Now you should see your arduino led 13 switching on and off every 2 seconds.


Hi there from Turkana IV

Hello World,

I will start this blog to pass things that I learn or find. I want to create a blog where I can express myself and give my honest opinion about random stuff.

My goal is to have tutorials, things that I find by luck and stuff discovered during my researchs. I hope some of those posts can be useful to other geeks.

Meanwhile, I’m still setting up and preparing some contents, so bear with me and read about me and/or subscribe to my RSS.