The goal of this article is an access point that lets a set of clients browse anonymously, built on cheap hardware, without installing any privacy software on the client devices.

The tools required are:

  • Raspberry Pi
  • WiFi dongle (unless your Raspberry Pi has built-in WiFi)
  • Internet connection

Note: Keep in mind that the access point itself must be secure, because it sees every client connection before that connection is handed to the Tor network and could eavesdrop on it. Be careful with the information stored in your browser, use a privacy-respecting browser and keep the device itself secure.

First things first, I will explain how we will build our access point. We will use a Raspberry Pi as the access point with a WiFi dongle in access point mode. For that we will use hostapd; keep in mind that you need a WiFi dongle whose driver supports hostapd. Then two more things: the Tor network itself, and dnsmasq to give the WiFi clients an IP address.

Before we start this endeavour, we need to set up the Raspberry Pi and enable SSH. Go to the Raspbian downloads page, download the operating system and write it to your SD card. Then either create an empty file named ssh in the boot partition or use raspi-config to enable SSH.

Now you can access it with ssh pi@raspberry and the default password raspberry. Change the default password: run passwd and enter a new password for the pi user. For the sake of good practice, update and upgrade the system.

We need two interfaces: one to serve the WiFi clients and one for the internet connection. The eth0 interface will be our connection to the web and wlan0 will be the WiFi dongle. Add the following configuration to /etc/network/interfaces:

auto lo
iface lo inet loopback

auto eth0
iface eth0 inet static
  address 192.168.2.4
  netmask 255.255.255.0
  network 192.168.2.0
  broadcast 192.168.2.255
  gateway 192.168.2.1
  dns-nameservers 192.168.2.1

allow-hotplug wlan0
iface wlan0 inet static
  address 172.24.1.1
  netmask 255.255.255.0
  network 172.24.1.0
  broadcast 172.24.1.255

After this, disable dhcpcd with systemctl disable dhcpcd (otherwise it would keep managing these interfaces). You can bring up the interface with sudo ip link set wlan0 up, then reboot the Raspberry Pi for the network configuration to take effect.

Now we will set up dnsmasq. Each client needs an IP address when it connects to the access point; the configuration below hands out addresses for up to 100 clients.

Install dnsmasq:

$ apt-get install dnsmasq

We just have to edit /etc/dnsmasq.conf and restart the service:

interface=wlan0
listen-address=172.24.1.1
bind-interfaces
# DNS for the clients is answered by Tor's DNSPort on 172.24.1.1:53 (set in the
# torrc below); disable dnsmasq's own resolver so the two do not fight over the
# port, leaving dnsmasq to serve DHCP only
port=0
# upstream resolver, unused while port=0 is set
server=8.8.8.8
domain-needed
bogus-priv
dhcp-range=172.24.1.50,172.24.1.150,12h

The WiFi dongle is not in AP mode by default, so clients can't connect to the Raspberry Pi yet. We must set the dongle up as an access point; that is where hostapd comes in: with it the dongle listens for connections and advertises an SSID and password for the users. First run apt-get install hostapd to install the tool. Next configure hostapd: edit the configuration file /etc/hostapd/hostapd.conf and insert the following configuration:

interface=wlan0
driver=nl80211
ssid=AnonAP-Onion
hw_mode=g
channel=6
macaddr_acl=0
auth_algs=1
ignore_broadcast_ssid=0
wpa=2
# placeholder passphrase: replace it with a strong one of your own
wpa_passphrase=1234678900
wpa_key_mgmt=WPA-PSK
wpa_pairwise=TKIP
rsn_pairwise=CCMP
ctrl_interface=/var/run/hostapd
ctrl_interface_group=0

Since we are using a custom configuration, add DAEMON_CONF="/etc/hostapd/hostapd.conf" to /etc/default/hostapd; this tells hostapd to use our configuration file. After that, check that the file is valid with hostapd -dd /etc/hostapd/hostapd.conf, and finally restart the service with systemctl restart hostapd.

At this point we can connect to our access point, but clients won't have internet access yet. That is because we still need to forward the connections arriving on wlan0 out through eth0:

$ sudo iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE
$ sudo iptables -A FORWARD -i eth0 -o wlan0 -m state --state RELATED,ESTABLISHED -j ACCEPT
$ sudo iptables -A FORWARD -i wlan0 -o eth0 -j ACCEPT

The iptables commands above forward client connections to the right interface and masquerade them so they appear to come from eth0. Save the rules and restore them at boot so they survive a reboot of the Raspberry Pi. The next two steps save the rules and add the restore command to /etc/rc.local (before its final exit 0):

$ iptables-save > saved-iptables-rules
$ cp saved-iptables-rules /etc/iptables-hostapd-rules

$ sudo vim /etc/rc.local
/sbin/iptables-restore < /etc/iptables-hostapd-rules

Finally we need to enable IPv4 forwarding: set net.ipv4.ip_forward to 1 in /etc/sysctl.conf. You can list the devices connected to the access point with sudo iw dev wlan0 station dump.

Install Tor

At this point we can use the AP, but we want to go further and let our clients browse anonymously. Install Tor with:

$ apt-get install tor

Now that Tor is installed, let's configure the port where Tor will listen and the other settings the transparent proxy needs. Open /etc/tor/torrc and add the following configuration:

SOCKSPort 9040
VirtualAddrNetworkIPv4 10.192.0.0/10
# Transparent-proxy and DNS listeners bound to the wlan0 address, which is where
# the iptables REDIRECT rules send client traffic. The old TransListenAddress
# and DNSListenAddress options are obsolete and ignored by current Tor
# releases, so the address is given on the *Port line itself.
TransPort 172.24.1.1:9040
DNSPort 172.24.1.1:53

AutomapHostsSuffixes .onion,.exit
AutomapHostsOnResolve 1
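A listener check for the torrc above together with the dnsmasq.conf from earlier, added here as an example and not part of the original article. It works on constructed copies of both files (the torrc in address:port form), resolves the socket each daemon will bind, and reports the overlap on 172.24.1.1:53, where whichever daemon starts second fails to bind unless dnsmasq's resolver is turned off with port=0; it also flags the obsolete *ListenAddress options, which current Tor releases ignore. The function names and the assumption that dnsmasq binds port 53 on every listen-address are mine.

```python
"""Listener-collision check for this setup's torrc and dnsmasq.conf (constructed copies)."""
import re
TORRC = """SOCKSPort 9040
VirtualAddrNetworkIPv4 10.192.0.0/10
TransPort 172.24.1.1:9040
DNSPort 172.24.1.1:53
"""
DNSMASQ = """interface=wlan0
listen-address=172.24.1.1
dhcp-range=172.24.1.50,172.24.1.150,12h
"""
# Current Tor ignores *ListenAddress options; a bare port then binds 127.0.0.1 only.
OBSOLETE = {"TransListenAddress", "DNSListenAddress", "SocksListenAddress"}


def tor_listeners(torrc):
    """Map (addr, port) -> option for every *Port line; collect obsolete keys."""
    binds, obsolete = {}, []
    for line in torrc.splitlines():
        parts = line.split()
        if len(parts) < 2 or parts[0].startswith("#"):
            continue
        key, val = parts[0], parts[1]
        if key in OBSOLETE:
            obsolete.append(key)
        elif key.endswith("Port") and val.isdigit():
            binds[("127.0.0.1", int(val))] = key  # bare port -> loopback
        elif key.endswith("Port") and ":" in val:
            addr, port = val.rsplit(":", 1)
            binds[(addr, int(port))] = key
    return binds, obsolete


def dnsmasq_listeners(conf):
    """dnsmasq answers DNS on port 53 of each listen-address unless port=0."""
    addrs, port = [], 53
    for line in conf.splitlines():
        if m := re.match(r"listen-address=(\S+)", line):
            addrs.append(m.group(1))
        if m := re.match(r"port=(\d+)", line):
            port = int(m.group(1))
    return {(a, port): "dnsmasq" for a in addrs} if port else {}


def lint(torrc, dnsmasq):
    """Return (obsolete Tor options, sockets both daemons would try to bind)."""
    tor, obsolete = tor_listeners(torrc)
    clashes = sorted(set(tor) & set(dnsmasq_listeners(dnsmasq)))
    return obsolete, clashes  # ([], [('172.24.1.1', 53)]) until port=0 is set
```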

The next step is to set up iptables to route TCP connections to the port we configured, while adding rules that keep DNS and SSH access to the Raspberry Pi working (these two exceptions must come before the catch-all rule, since iptables matches in order):

$ sudo iptables -t nat -A PREROUTING -i wlan0 -p tcp --dport 22 -j REDIRECT --to-ports 22
$ sudo iptables -t nat -A PREROUTING -i wlan0 -p udp --dport 53 -j REDIRECT --to-ports 53
$ sudo iptables -t nat -A PREROUTING -i wlan0 -p tcp --syn -j REDIRECT --to-ports 9040

As we did with the other configuration, let’s save the new rules.

$ iptables-save > saved-iptables-rules
$ cp saved-iptables-rules /etc/iptables-tor-rules

$ vim /etc/rc.local
/sbin/iptables-restore < /etc/iptables-tor-rules
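To check the final rule set, as an added example that is not part of the original article: it parses a constructed iptables-save dump of the rules above, confirms the ssh and DNS exceptions sit before the 9040 catch-all, and flags the wlan0-to-eth0 FORWARD rule from the earlier NAT step, which still carries traffic the redirect never captures (UDP other than DNS, ICMP) straight out of eth0. The function names are mine.

```python
"""Audit this Tor AP's iptables rules (constructed iptables-save output)."""

RULES = """*nat
-A PREROUTING -i wlan0 -p tcp -m tcp --dport 22 -j REDIRECT --to-ports 22
-A PREROUTING -i wlan0 -p udp -m udp --dport 53 -j REDIRECT --to-ports 53
-A PREROUTING -i wlan0 -p tcp -m tcp --tcp-flags FIN,SYN,RST,ACK SYN -j REDIRECT --to-ports 9040
-A POSTROUTING -o eth0 -j MASQUERADE
COMMIT
*filter
-A FORWARD -i eth0 -o wlan0 -m state --state RELATED,ESTABLISHED -j ACCEPT
-A FORWARD -i wlan0 -o eth0 -j ACCEPT
COMMIT
"""


def chain(text, table, name):
    """Return the rules of one chain, in order, from iptables-save text."""
    rules, current = [], None
    for line in text.splitlines():
        if line.startswith("*"):
            current = line[1:]
        elif current == table and line.startswith(f"-A {name} "):
            rules.append(line)
    return rules


def audit(text):
    """Return a list of findings; an empty list means the rule set looks right."""
    findings = []
    pre = chain(text, "nat", "PREROUTING")
    catch = [i for i, r in enumerate(pre) if "--to-ports 9040" in r]
    if not catch:
        findings.append("no TCP redirect to TransPort 9040 on wlan0")
    # iptables matches in order: the ssh and DNS exceptions must precede
    # the catch-all, otherwise they are swallowed by the 9040 redirect.
    for needle in ("--dport 22", "--dport 53"):
        idx = [i for i, r in enumerate(pre) if needle in r]
        if catch and (not idx or idx[0] > catch[0]):
            findings.append(f"{needle} exception missing or after the 9040 catch-all")
    # REDIRECTed packets are delivered locally (INPUT), never FORWARDed, so an
    # unconditional wlan0->eth0 ACCEPT only carries what Tor never saw
    # (UDP other than DNS, ICMP): that traffic leaves the box un-anonymised.
    fwd = chain(text, "filter", "FORWARD")
    if any("-i wlan0 -o eth0" in r and "-j ACCEPT" in r for r in fwd):
        findings.append("FORWARD accepts wlan0->eth0: non-TCP traffic bypasses Tor")
    return findings
```

Removing the wlan0-to-eth0 FORWARD rule once the redirect rules are in place closes that leak without affecting the redirected TCP and DNS traffic, which never traverses FORWARD.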

Restart and enable tor:

$ systemctl restart tor
$ systemctl enable tor

Connect a device and check that the setup succeeded at check.torproject.org. Visit DuckDuckGo and browse anonymously.