Skip to content

Instantly share code, notes, and snippets.

@fopina

fopina/onion_pi.md

Created September 3, 2021 01:01
Show Gist options
  • Save fopina/8ca227ca768859f1884e9818ae290ab0 to your computer and use it in GitHub Desktop.
Save fopina/8ca227ca768859f1884e9818ae290ab0 to your computer and use it in GitHub Desktop.
Download ZIP
onion-pi setup (reversed, WiFi as WAN)
Raw
onion_pi.md

Walkthrough to setup a raspberry pi as an onion router. Pretty much like onion-pi but WiFi as WAN instead (bonus: no hostapd required).

As a Pi0w or a Pi1 can easily be powered by the laptop USB, this setup makes a TOR-WiFi (bulky) dongle out of a Pi!!

This should (will?) be converted into an ansible playbook (or even pre-cooked image)

SDCard

  • Download latest raspios
  • Dump it on an sd card, eg: 
    sudo dd if=2021-05-07-raspios-buster-armhf-lite.img of=/dev/rdisk2 bs=1m
  • Mount the boot partition of the sd card (if it isn't already) and;
    • create ssh empty file to enable ssh on boot
    • create wpa_supplicant.conf to connect to your local WiFi on boot, eg: 
      ctrl_interface=DIR=/var/run/wpa_supplicant GROUP=netdev
network={
    ssid="myHome"
    psk="mynetworkpassword"
    key_mgmt=WPA-PSK
}
  • Unmount, plug it in the Pi and boot it. If DHCP hostname resolution is working, raspberrypi should resolve to its IP, otherwise just portscan the network on 22 :)

Setup

This all go into a session of ssh pi@raspberrypi (with default password of raspberry) and sudo -s

  • Change pi password (or create a whole new user - onion?)
  • Change hostname (update /etc/hosts and /etc/hostname)
  • Uninstall or disable services that are useless for this 
    systemctl disable triggerhappy alsa-state avahi-daemon avahi-daemon.socket
  • Install tor apt install -y tor
  • Edit /etc/tor/torc and add these lines on top 
    Log notice file /var/log/tor/notices.log
VirtualAddrNetwork 10.192.0.0/10
AutomapHostsSuffixes .onion,.exit
AutomapHostsOnResolve 1
TransPort 192.168.42.1:9040
DNSPort 192.168.42.1:53
  • Set up iptables 
    iptables -F
iptables -t nat -F
iptables -t nat -A PREROUTING -i eth0 -p udp --dport 53 -j REDIRECT --to-ports 53
iptables -t nat -A PREROUTING -i eth0 -p tcp --syn -j REDIRECT --to-ports 9040
  • Save rules 
    apt install -y iptables-persistent
iptables-save > /etc/iptables/rules.v4
  • Set static IP on eth0, by adding these lines to /etc/dhcpcd.conf 
    interface eth0
static ip_address=192.168.42.1/24
  • Setup DHCP server (or not, if you don't mind the extra work for reasonable doubt)
    • Install 
      apt install -y isc-dhcp-server
    • Bind server to eth0 - edit /etc/default/isc-dhcp-server and set these values:
    INTERFACESv4="eth0"
INTERFACESv6=""
    • Setup subnet in /etc/dhcp/dhcpd.conf
    subnet 192.168.42.0 netmask 255.255.255.224 {
  range 192.168.42.10 192.168.42.20;
  option routers 192.168.42.1;
  option domain-name-servers 192.168.42.1;
}

Issues

Static IP with dhcpcd5 sucks: it only sets the IP once cable is plugged yet TOR requires IP to be set in order to bind to it - MAKE SURE you always connect the ethernet cable to the powered laptop before turning on the Pi...

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment