[tor-talk] howto: Raspberry Pi as transparent tor proxy

Sven Wolf torproject at fusion-zone.net
Sun Oct 28 17:22:51 UTC 2012


Hi all,

here is some information on how I configured my Raspberry Pi as a
transparent Tor proxy for my home network.

In my opinion, the Raspberry Pi is currently a cheap and flexible
platform for this task. I thought about using a dd-wrt based router as
a transparent Tor proxy, but there are no current optware packages for
the dd-wrt/openwrt platform, and there is also no final tutorial which
describes in detail how to set up a transparent Tor proxy on the
dd-wrt/openwrt platform :(


My configuration is:
- 256 MB Raspberry Pi
- USB wifi adapter TP-Link WL-722N with an external antenna (drivers are
already included in the current Raspbian OS)
- 4 port D-Link USB hub DUB-H4
- Hama power supply
- SanDisk 4 GB SD card
- Raspbian Linux

For other supported hardware, please look at:
http://www.elinux.org/RPi_VerifiedPeripherals


For the wireless access point configuration I followed the instructions from:
http://sirlagz.net/2012/08/09/how-to-use-the-raspberry-pi-as-a-wireless-access-pointrouter-part-1/

Here are my steps for the setup. I've installed the following additional
packages:
dnsmasq
dnsutils
hostapd
iw
net-tools
tor

First: create/modify /etc/dnsmasq.conf

interface=wlan0
dhcp-range=10.0.0.2,10.0.0.10,255.255.255.0,24h
dhcp-option=3,10.0.0.1


Second: create/modify /etc/hostap/hostapd

interface=wlan0
driver=nl80211
ctrl_interface=/var/run/hostapd
ctrl_interface_group=0
ssid=<your ssid>
hw_mode=g
channel=<your channel, e.g. 11>
wpa=2
wpa_passphrase=<your passphrase>
wpa_key_mgmt=WPA-PSK
wpa_pairwise=CCMP
rsn_pairwise=CCMP


For the Tor and iptables configuration I followed the instructions from:
https://trac.torproject.org/projects/tor/wiki/doc/TransparentProxy#AnonymizingMiddlebox
I didn't modify /etc/resolv.conf to 127.0.0.1 because I had problems
with the network connection directly on the Raspberry Pi.
E.g. it wasn't possible to download Raspbian packages or to open websites
with lynx.


Third: create/modify /etc/torrc

Log notice file /var/log/tor/notices.log
VirtualAddrNetwork 10.192.0.0/10
AutomapHostsSuffixes .onion,.exit
AutomapHostsOnResolve 1
TransPort 9040
TransListenAddress 10.0.0.1
DNSPort 53
DNSListenAddress 10.0.0.1

Fourth: create an executable script at /etc/network/if-pre-up.d, e.g.
/etc/network/if-pre-up.d/iptables.sh with the following content

#!/bin/bash
/sbin/iptables-restore < /etc/iptables.rules

Fifth: enter the iptables ruleset directly on the shell

iptables -F
iptables -t nat -F

iptables -t nat -A PREROUTING -i wlan0 -p udp --dport 53 -j REDIRECT --to-ports 53
iptables -t nat -A PREROUTING -i wlan0 -p tcp --syn -j REDIRECT --to-ports 9040

Sixth: create /etc/iptables.rules like this
iptables-save > /etc/iptables.rules

In my opinion there is room for improvement. Maybe someone has
additional ideas or configuration recommendations, e.g. for the firewall.
The missing RTC doesn't seem to be a problem for this configuration. But
there is a tutorial on how to add an RTC to the Raspberry Pi:
http://www.raspberrypi.org/phpBB3/viewtopic.php?f=44&t=16218


Thanks and best regards,
Sven
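
Added example, not part of the original post or of the Tor project's documentation: a small auditor for the /etc/iptables.rules dump produced in step six. It checks for the two redirects from step five and for a FORWARD path that would let non-redirected client traffic (ICMP, UDP other than DNS) leave unproxied when IP forwarding is enabled. The sample dumps are constructed, and the names audit_rules, check, SAMPLE_POST and SAMPLE_DROP are hypothetical.

```shell
#!/bin/sh
# Added example (not from the original post): audit an iptables-save dump
# for the two redirects of step five and for a clear-text forwarding path.
LAN_IF=wlan0 TRANS_PORT=9040 DNS_PORT=53   # values taken from the post

# Constructed sample: roughly what iptables-save prints after step five.
SAMPLE_POST='*nat
:PREROUTING ACCEPT [0:0]
-A PREROUTING -i wlan0 -p udp -m udp --dport 53 -j REDIRECT --to-ports 53
-A PREROUTING -i wlan0 -p tcp -m tcp --tcp-flags FIN,SYN,RST,ACK SYN -j REDIRECT --to-ports 9040
COMMIT
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
COMMIT'
# Constructed variant: same rules, but the FORWARD policy drops everything.
SAMPLE_DROP=$(printf '%s\n' "$SAMPLE_POST" | sed 's/^:FORWARD ACCEPT/:FORWARD DROP/')

# audit_rules: reads a dump on stdin, prints findings, returns the problem count.
audit_rules() {
    dump=$(cat)
    problems=0
    check() {  # check <extended regex> <message>
        if printf '%s\n' "$dump" | grep -Eq -e "$1"; then
            echo "OK   $2"
        else
            echo "FAIL $2"; problems=$((problems + 1))
        fi
    }
    check "^-A PREROUTING -i $LAN_IF -p udp .*--dport 53 -j REDIRECT --to-ports $DNS_PORT\$" \
          "DNS (udp/53) from $LAN_IF is redirected to DNSPort $DNS_PORT"
    check "^-A PREROUTING -i $LAN_IF -p tcp .*-j REDIRECT --to-ports $TRANS_PORT\$" \
          "new TCP connections from $LAN_IF are redirected to TransPort $TRANS_PORT"
    # The redirects match only udp/53 and TCP SYN. ICMP and other UDP from the
    # clients reach FORWARD and leave unproxied if IP forwarding is enabled.
    check "^(:FORWARD DROP|-A FORWARD -i $LAN_IF -j (DROP|REJECT))" \
          "non-redirected traffic from $LAN_IF is not forwarded"
    return "$problems"
}

printf '%s\n' "$SAMPLE_POST" | audit_rules || echo "=> $? problem(s) in the ruleset as posted"
printf '%s\n' "$SAMPLE_DROP" | audit_rules && echo "=> no problems with FORWARD policy DROP"
```

On the Pi itself the same function can be fed the real file: audit_rules < /etc/iptables.rules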



