Onion Pi hotspot
The goal of this article is to have an access point that allows a set of clients to navigate anonymously, use cheap hardware and we don’t want to install privacy software on our devices.
The list of tools required are:
- Raspberry Pi
- Wifi Dongle (if not using the raspberry pi with embedded WIFI)
- Internet connection
Note: A common understanding here is that we must be sure that our access point is secure because there is the chance that it could be listening to your connection even before the connection is delivered to the tor network. You must be careful with the information stored in your browser and should use a privacy safe browser and secure device.
First things first, I will explain how we will do our access point. We will use a raspberry pi as our access point and a wifi dongle in access point mode. For that we will use
hostapd, have in mind that you will need a wifi dongle that has the necessary driver to setup
hostapd. Then two more things, the tor network itself and
dnsmasq to give the wifi clients an IP address.
Before we start this endeavour, we need to setup the raspberry pi and enable ssh. Go to raspbian downloads and download the operating system.
After you have downloaded and burned the operating system to your ssd card. You can create a ssh file in the boot folder or use
raspi-config to enable ssh.
Now you can access it with
ssh pi@raspberry and the default password
raspberry. Change the default password, run
passwd and insert the password for
pi user. Just for sack of good pratices update and upgrade the system.
We need two interfaces to serve the wifi clients and the internet connection. The
eth0 interface will be used for our connection to the web and
wlan0 to connect our wifi dongle.
Add the following configuration the the
auto lo iface lo inet loopback auto eth0 iface eth0 inet static address 192.168.2.4 netmask 255.255.255.0 network 192.168.2.0 broadcast 192.168.2.255 gateway 192.168.2.1 dns-nameservers 192.168.2.1 allow-hotplug wlan0 iface wlan0 inet static address 172.24.1.1 netmask 255.255.255.0 network 172.24.1.0 broadcast 172.24.1.255
After this disable the dhcpd with:
systemctl disable dhcpcd. You can bring up the interface with
sudo ip link set wlan0 up and reboot the raspberry for the network to be in place.
Now we will setup the dnsmasq. Since each user needs an ip address when connected to the access point, the configuration will allow 100 clients connected to the access point.
$ apt-get install dnsmasq
We just have to change the
/etc/dnsmasq.conf and restart the service.
interface=wlan0 listen-address=172.24.1.1 bind-interfaces server=188.8.131.52 domain-needed bogus-priv dhcp-range=172.24.1.50,172.24.1.150,12h
The wifi dongle by default is not in AP mode, so you won’t be able to connect clients to the raspberry. We must setup the wifi dongle as an access point. That’s where
hostapd come in place, with it our dongle will be listening for connections and have an SSID and password for the users. First run
apt-get install hostapd to install the tool. Next we need to configure the hostapd, edit the configuration file
/etc/hostapd/hostapd.conf and insert the following configuration:
interface=wlan0 driver=nl80211 ssid=AnonAP-Onion hw_mode=g channel=6 macaddr_acl=0 auth_algs=1 ignore_broadcast_ssid=0 wpa=2 wpa_passphrase=1234678900 wpa_key_mgmt=WPA-PSK wpa_pairwise=TKIP rsn_pairwise=CCMP ctrl_interface=/var/run/hostapd ctrl_interface_group=0
As we are using a custom configuration include
DAEMON_CONF="/etc/hostapd/hostapd.conf" in the
/etc/default/hostapd file. This will say to hostapd that we want to use our configuration file. After all this check if the file was correctly configured with
hostapd -dd /etc/hostapd/hostapd.conf. And finally restart the service with
systemctl restart hostapd.
At this point we can connect to our access point and use it as an access point but you won’t have access to the internet. That happens because we need to forward the connection established by the
wlan0 to the
$ sudo iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE $ sudo iptables -A FORWARD -i eth0 -o wlan0 -m state --state RELATED,ESTABLISHED -j ACCEPT $ sudo iptables -A FORWARD -i wlan0 -o eth0 -j ACCEPT
iptables commands shown above will forward those connections to the right interface and masquerade them as it was the
eth0 connection. Save and load the iptables rules in case you need to reboot the raspberry. The following two steps will save the configuration and add them to the
$ iptables-save > saved-iptables-rules $ cp saved-iptables-rules /etc/iptables-hostapd-rules $ sudo vim /etc/rc.local $ /sbin/iptables-restore < /etc/iptables-hostapd-rules
Finally we need to enable the IPv4 forwarding. Change the
net.ipv4.ip_forward in the
/etc/sysctl.conf to 1.
We can list the devices connected to the access point with
sudo iw dev wlan0 station dump.
At this point we can use the AP but we want to go further let our clients to navigate anomnimously. Install tor with:
$ apt-get install tor
Now that tor is intalled, let’s configure the port where tor will be listening and the necessary configurations needed by the tor proxy, go to
/etc/tor/torrc and put the following config:
SOCKSPort 9040 VirtualAddrNetworkIPv4 10.192.0.0/10 TransListenAddress 172.24.1.1 TransPort 9040 DNSListenAddress 172.24.1.1 DNSPort 53 AutomapHostsSuffixes .onion,.exit AutomapHostsOnResolve 1
The next step is setup the iptables to route TCP connection to the port we have setup and also add rules to keep having DNS and ssh to our raspberry:
$ sudo iptables -t nat -A PREROUTING -i wlan0 -p tcp --dport 22 -j REDIRECT --to-ports 22 $ sudo iptables -t nat -A PREROUTING -i wlan0 -p udp --dport 53 -j REDIRECT --to-ports 53 $ sudo iptables -t nat -A PREROUTING -i wlan0 -p tcp --syn -j REDIRECT --to-ports 9040
As we did with the other configuration, let’s save the new rules.
$ iptables-save > saved-iptables-rules $ cp saved-iptables-rules /etc/iptables-tor-rules $ vim /etc/rc.local /sbin/iptables-restore < /etc/iptables-tor-rules
Restart and enable tor:
$ systemctl restart tor $ systemctl enable tor
Connect a device and check if the setup was made with sucess at check.torproject.org. Visit DuckDuckGo and browse anonymously.