Using the Raspberry Pi as a gateway proxy

Gateway to the World

Article from Issue 155/2013

Extend protection to all of your Internet traffic with a Raspberry Pi minicomputer set up as a cost-effective external proxy server.

The Tor Project offers an option for obfuscating your IP address and thus hiding the most important clue to your identity on the web. When it is installed locally, you need to connect every single client application separately with Tor, which can be complicated. Moreover, the application must be able to communicate via SOCKS. If, instead, you choose to route your entire Internet traffic through the Tor network, your only option is an external router.

The Raspberry Pi (Figure 1) is ideal in this role because the hardware is cheap, and its power consumption is low. This project gained popularity as Onion Pi [1]. But, even as a Tor user, you should not rely on this solution alone for security. After all, obfuscating your IP address is only half the battle and cannot hide your identity on its own (see the "Tor Limits" box).

Figure 1: Properly configured, the Raspberry Pi, which is hardly larger than a deck of cards, can keep your entire Internet traffic anonymous.

Tor Limits

Anyone who uses Tor should not consider it an inherently secure option for surfing the web anonymously; a number of weaknesses remain. For example, active content such as Flash and JavaScript, as well as Java, is quite capable of disclosing the web surfer's identity. Additionally, browser add-ons like Amazon's "1Button App" track each request and even send the search key input to servers [2]. The situation is similar with cookies, which provide information about the pages you visit. If you log in to services such as Google, Facebook, or Twitter, this naturally wipes out any anonymity that Tor can offer you. Thus, you must additionally harden the browser with the right plugins and settings – just to be on the safe side.

Another aspect typically overlooked is bad exit nodes. Exit nodes are the last hop in the mix cascade, and they transfer data in the clear unless the requested page uses SSL encryption itself. For operators of exit nodes – which basically anybody can operate – it's really easy to sniff login information or potentially sensitive documents from the data stream. You can protect yourself by using only trusted exit nodes, such as those operated by the Chaos Computer Club [3].

You're Off!

This how-to for setting up Onion Pi assumes you have an image such as Raspbian [4] set up on the SD card in your Rasp Pi. All the input and changes listed in the article require root privileges. Additionally, you need a network cable and a wireless stick.

The first step is to configure the Raspberry as an access point and DHCP server. Use the

ifconfig -a

command to check whether the wlan0 interface is available. If the interface already has an IP address, you can disable it by typing:

ifdown wlan0

The next step is to install the required software components as root with the following command:

apt-get update && apt-get install hostapd isc-dhcp-server tor

Next, edit the /etc/dhcp/dhcpd.conf DHCP server configuration file in the nano editor and comment out the following lines by adding a hash mark (#) at the start of each line:

# option domain-name "example.org";
# option domain-name-servers ns1.example.org, ns2.example.org;

Then, remove the comment character to the left of the authoritative; statement and append the configuration block shown in Listing 1 to the file. You can modify the subnet to match your needs. Press Ctrl+O to save the changes and Ctrl+X to quit the editor.

Listing 1

DHCP Configuration

subnet 192.168.42.0 netmask 255.255.255.0 {
  range 192.168.42.10 192.168.42.50;
  option broadcast-address 192.168.42.255;
  option routers 192.168.42.1;
  default-lease-time 600;
}

In the /etc/default/isc-dhcp-server file, tell the server which interface to use to assign IP addresses in the future using the INTERFACES= directive. For the present scenario, you need to enter a value of wlan0 and assign a static IP address to the wlan0 interface in the /etc/network/interfaces file (Listing 2).

Listing 2

WLAN IP Address

iface lo inet loopback
iface eth0 inet dhcp
allow-hotplug wlan0
iface wlan0 inet static
  address 192.168.42.1
  netmask 255.255.255.0

Calling ifup wlan0 enables the WLAN interface. For the Onion Pi to act as an access point, you first need to configure the service in the /etc/hostapd/hostapd.conf file (Listing 3). You will want to change the value of wpa_passphrase: This password is used to log in to the wireless LAN later on.

Listing 3

Configure Onion Pi Service

interface=wlan0
driver=rtl871xdrv
ssid=OnionPi
hw_mode=g
channel=6
macaddr_acl=0
auth_algs=1
ignore_broadcast_ssid=0
wpa=2
wpa_passphrase=<password>
wpa_key_mgmt=WPA-PSK
wpa_pairwise=TKIP
rsn_pairwise=CCMP

For the Upstart daemon to start automatically on distros that use it, enter a value of

DAEMON_CONF="/etc/hostapd/hostapd.conf"

in the /etc/default/hostapd configuration file. For compatibility with current WLAN sticks, the developers of Onion Pi also recommend an update of hostapd:

wget http://www.adafruit.com/downloads/adafruit_hostapd.zip
unzip adafruit_hostapd.zip
mv /usr/sbin/hostapd /usr/sbin/hostapd.ORIG
mv hostapd /usr/sbin
chmod 755 /usr/sbin/hostapd

After updating the access point daemon, start the two components by typing:

service hostapd start
service isc-dhcp-server start

To load the components automatically at system startup, type:

update-rc.d hostapd enable
update-rc.d isc-dhcp-server enable

Redirection

Communication between the wireless subnet and Tor requires some adjustments to the network configuration. The first step is to open the /etc/sysctl.conf file and append net.ipv4.ip_forward=1. The sysctl -p command enables the change. Next, you should adjust the iptables rules [5]. To begin, delete any existing rules by calling:

iptables -F
iptables -t nat -F

Then, enable the most important rules (Listing 4). The last line of the listing saves the configuration.

Listing 4

Enable iptables Rules

iptables -t nat -A PREROUTING -i wlan0 -p tcp --dport 22 -j REDIRECT --to-ports 22
iptables -t nat -A PREROUTING -i wlan0 -p udp --dport 53 -j REDIRECT --to-ports 53
iptables -t nat -A PREROUTING -i wlan0 -p tcp --syn -j REDIRECT --to-ports 9040
sh -c "iptables-save > /etc/iptables.ipv4.nat"

To allow the system to parse the new rules at the next reboot, open the /etc/network/interfaces file and add a blank line followed by up iptables-restore < /etc/iptables.ipv4.nat.

Setting Up Tor

The Tor configuration is stored in the /etc/tor/torrc file. You can add the passage from Listing 5 directly after the line ## https://www.torproject.org/docs/faq#torrc.

Listing 5

Tor Configuration

Log notice file /var/log/tor/notices.log
VirtualAddrNetwork 10.192.0.0/10
AutomapHostsSuffixes .onion,.exit
AutomapHostsOnResolve 1
TransPort 9040
TransListenAddress 192.168.42.1
DNSPort 53
DNSListenAddress 192.168.42.1

For Tor to be able to log its messages in the notices.log file, you first need to create the file and assign the necessary permissions:

touch /var/log/tor/notices.log
chown debian-tor /var/log/tor/notices.log
chmod 644 /var/log/tor/notices.log

Finally, you can restart Tor by typing service tor start. For this service to start automatically after reboot, type update-rc.d tor enable.

To use Tor, you simply need to log on to the new WLAN. To discover whether the setup is working as expected, go to the "Are you using Tor?" site [6] (Figure 2). If successful, the message "Congratulations. Your browser is configured to use Tor" appears.

Figure 2: If the settings on your Onion Pi work, this confirmation message appears when you check your Tor setup online.
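
The online check only confirms that the browser's TCP traffic leaves through Tor. As an added example (not part of the original article or the Onion Pi project), the shell function below cross-checks the saved NAT rules against the Tor settings, because a REDIRECT port or listen address that does not match torrc sends client traffic to a port where Tor is not listening. The rule dump and torrc excerpt are constructed to mirror Listings 4 and 5, and the function names are hypothetical.

```shell
#!/bin/sh
# Constructed sample inputs mirroring Listings 4 and 5 (rules in iptables-save form).
RULES='*nat
-A PREROUTING -i wlan0 -p tcp -m tcp --dport 22 -j REDIRECT --to-ports 22
-A PREROUTING -i wlan0 -p udp -m udp --dport 53 -j REDIRECT --to-ports 53
-A PREROUTING -i wlan0 -p tcp -m tcp --tcp-flags FIN,SYN,RST,ACK SYN -j REDIRECT --to-ports 9040
COMMIT'
TORRC='TransPort 9040
TransListenAddress 192.168.42.1
DNSPort 53
DNSListenAddress 192.168.42.1'

# torrc_value KEY TEXT: print the value of an active (uncommented) torrc option.
torrc_value() {
    printf '%s\n' "$2" | awk -v k="$1" '$1 == k { print $2; exit }'
}

# redirect_port RULES MATCH: print the --to-ports value of the first wlan0
# REDIRECT rule whose text contains MATCH.
redirect_port() {
    printf '%s\n' "$1" | awk -v m="$2" '
        /-i wlan0/ && /-j REDIRECT/ && index($0, m) {
            for (i = 1; i < NF; i++) if ($i == "--to-ports") { print $(i + 1); exit }
        }'
}

# same A B: true only if A is non-empty and equal to B (a missing rule must fail).
same() { [ -n "$1" ] && [ "$1" = "$2" ]; }

# check_gateway RULES TORRC WLAN_ADDR: print "ok" or the torrc options that disagree.
check_gateway() {
    rules=$1 torrc=$2 addr=$3 problems=""
    # --syn is stored by iptables-save as "--tcp-flags FIN,SYN,RST,ACK SYN"
    same "$(redirect_port "$rules" "--tcp-flags FIN,SYN,RST,ACK SYN")" \
         "$(torrc_value TransPort "$torrc")" || problems="$problems TransPort"
    same "$(redirect_port "$rules" "-p udp -m udp --dport 53 ")" \
         "$(torrc_value DNSPort "$torrc")" || problems="$problems DNSPort"
    # REDIRECT rewrites the destination to the wlan0 address, so Tor must listen there.
    same "$addr" "$(torrc_value TransListenAddress "$torrc")" || problems="$problems TransListenAddress"
    same "$addr" "$(torrc_value DNSListenAddress "$torrc")" || problems="$problems DNSListenAddress"
    if [ -z "$problems" ]; then echo ok; return 0; fi
    echo "mismatch:$problems"; return 1
}

# On the Pi: check_gateway "$(cat /etc/iptables.ipv4.nat)" "$(cat /etc/tor/torrc)" 192.168.42.1
check_gateway "$RULES" "$TORRC" 192.168.42.1
```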
