This guide helps you build a Tor middlebox using a Raspberry Pi (Model B Plus).
- Requirements
- Installing operating system image
- Updating operating system
- Configuring the network
- Configuring the DHCP and its CACHE (dnsmasq)
- Configuring the WLAN-AP-Host (hostapd)
- Enable firewall
- Installing Tor
- Configuring Tor
- Configuring obfs4proxy
- Configuring crontab

- Raspberry Pi (Model B Plus) or higher.
- Micro SD card, class 10, at least V30 (for example, SanDisk® High Endurance).
- (Optional) USB wireless WiFi adapter (for example, USB TP-LINK TL-WN722N Wifi adapter).
Follow the Raspberry Pi instructions for installing operating system images.
sudo apt-get update ; sudo apt-get upgrade -y ; sudo apt-get install -y rpi-update ; sudo apt-get dist-upgrade -y
sudo apt-get clean ; sudo apt-get autoclean ; sudo apt-get autoremove
sudo reboot
sudo rpi-update
sudo reboot
Install the necessary packages using the following command:
sudo apt-get install -y hostapd \
dnsmasq dnsutils tcpdump iftop vnstat links2 debian-goodies dirmngr
Don't start dnsmasq automatically after booting the system:
sudo update-rc.d dnsmasq disable
Edit the following file:
sudo vi /etc/network/interfaces.wlan0
and put inside
# Localhost
auto lo
iface lo inet loopback
# Ethernet
auto eth0
iface eth0 inet dhcp
# WLAN-Interface
allow-hotplug wlan0
iface wlan0 inet static
address 192.168.222.1
netmask 255.255.255.0
then replace the configuration:
sudo cp /etc/network/interfaces /etc/network/interfaces.org
sudo cp /etc/network/interfaces.wlan0 /etc/network/interfaces
Check whether "dhcpcd" is active (the output shows "Active: active (running)") using the following command:
sudo systemctl status dhcpcd
or
sudo systemctl status dhcpcd | grep "active (running)" | wc -l
If the service is running, then edit the file
sudo vi /etc/dhcpcd.conf
and add to the end of the file:
# WLAN deny
denyinterfaces wlan0
then reboot the system with the command:
sudo reboot
Check that the WLAN interface is present:
ip l
Edit the file
sudo vi /etc/dnsmasq.conf.torbox
and put inside:
# DHCP-Server active for WLAN-Interface
interface=wlan0
# DHCP-Server not active for Ethernet
no-dhcp-interface=eth0
# IPv4-address range and Lease-Time
dhcp-range=192.168.222.100,192.168.222.150,24h
# DNS
dhcp-option=option:dns-server,192.168.222.1
# Logging
# With log-queries uncommented, dnsmasq logs are written to /var/log/daemon.log
# With log-facility uncommented, logs are written to the specified file
log-facility=/var/log/dnsmasq.log
log-queries
Manage the dnsmasq log rotation by editing the following file:
sudo vi /etc/logrotate.d/dnsmasq
then replace its content with:
/var/log/dnsmasq.log {
monthly
missingok
notifempty
delaycompress
sharedscripts
postrotate
[ ! -f /var/run/dnsmasq.pid ] || kill -USR2 `cat /var/run/dnsmasq.pid`
endscript
create 0640 dnsmasq dnsmasq
}
Replace the dnsmasq configuration:
sudo cp /etc/dnsmasq.conf /etc/dnsmasq.conf.org
sudo cp /etc/dnsmasq.conf.torbox /etc/dnsmasq.conf
Check the configuration before activating it:
dnsmasq --test -C /etc/dnsmasq.conf
or test it
dnsmasq -C ./dnsmasq-dhcp-only.conf -d
Restart dnsmasq and check its status:
sudo systemctl restart dnsmasq
sudo systemctl status dnsmasq
Enable dnsmasq to start with the system:
sudo systemctl enable dnsmasq
Edit the file
/etc/hostapd/hostapd.conf
and replace its content with:
# WLAN-Router-Mode
# Interface and driver
interface=wlan0
#driver=nl80211
# WLAN-Configurations-Standard
ssid=grott
hw_mode=g
ieee80211n=1
ieee80211d=1
country_code=FR
wmm_enabled=1
# WLAN-Encoding
auth_algs=1
wpa=2
wpa_key_mgmt=WPA-PSK
rsn_pairwise=CCMP
ht_capab=[HT40][SHORT-GI-20][DSSS_CCK-40]
macaddr_acl=0
ignore_broadcast_ssid=0
# WLAN-Configurations-Parameters
channel=11
wpa_passphrase=change-me
and set the necessary permissions using the command:
sudo chmod 600 /etc/hostapd/hostapd.conf
Start hostapd manually:
sudo hostapd -dd /etc/hostapd/hostapd.conf
and check that the output contains:
...
wlan0: interface state COUNTRY_UPDATE->ENABLED
...
wlan0: AP-ENABLED
...
If this works, then edit the file
sudo vi /etc/default/hostapd
and add to the end:
RUN_DAEMON=yes
DAEMON_CONF="/etc/hostapd/hostapd.conf"
Start hostapd:
sudo systemctl unmask hostapd # Optional
sudo systemctl enable hostapd
sudo systemctl start hostapd
Edit the following file:
sudo vi /etc/network/interfaces.wlan0
and add to the end:
# IP-Forwarding MUST be disabled
up sysctl -w net.ipv4.ip_forward=0
up sysctl -w net.ipv6.conf.all.forwarding=0
# hostapd and dnsmasq restart
up service hostapd restart
up service dnsmasq restart
then replace the configuration:
sudo cp /etc/network/interfaces.wlan0 /etc/network/interfaces
sudo apt-get install -y tor obfs4proxy \
gvfs gvfs-fuse gvfs-backends gvfs-bin \
ipheth-utils libimobiledevice-utils usbmuxd \
wicd wicd-curses \
python3-setuptools ntpdate screen
Edit the file
sudo vi /etc/apt/sources.list
and add to the end:
deb https://deb.torproject.org/torproject.org stretch main
deb-src https://deb.torproject.org/torproject.org stretch main
then execute the following commands to build the latest version of Tor (this operation can take a very long time):
gpg --keyserver keys.gnupg.net --recv A3C4F0F979CAA22CDBA8F512EE8CBC9E886DDD89
gpg --export A3C4F0F979CAA22CDBA8F512EE8CBC9E886DDD89 | sudo apt-key add -
sudo apt-get update
sudo apt-get install -y build-essential fakeroot devscripts
sudo apt build-dep tor deb.torproject.org-keyring
if [ -d ~/debian-packages ] ; then rm -r ~/debian-packages ; fi
mkdir ~/debian-packages; cd ~/debian-packages
apt source tor; cd tor-*
debuild -rfakeroot -uc -us; cd ..
sudo dpkg -i tor_*.deb
# Transport
VirtualAddrNetworkIPv4 10.192.0.0/10
AutomapHostsSuffixes .onion,.exit
AutomapHostsOnResolve 1
TransPort 127.0.0.1:9040 IsolateClientAddr IsolateClientProtocol IsolateDestAddr IsolateDestPort
TransPort 192.168.222.1:9040 IsolateClientAddr IsolateClientProtocol IsolateDestAddr IsolateDestPort
# DNS (local and wlan interfaces)
DNSPort 127.0.0.1:5353
DNSPort 192.168.222.1:5353
# SOCKS (eth interface)
SocksPort 192.168.1.4:9100
# Control
ControlPort 127.0.0.1:9051
#HashedControlPassword <hashpassword>
# use 'tor --hash-password <password>' to generate
# Debugging
DisableDebuggerAttachment 0
Log notice file /var/log/tor/notices.log
Restart Tor and test it:
sudo systemctl restart tor
echo -e 'PROTOCOLINFO\r\n' | nc 127.0.0.1 9051
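The torrc above binds listeners on three different addresses and leaves HashedControlPassword commented out. The following check is an added example, not part of the original guide: it reports any SocksPort, TransPort, DNSPort or ControlPort listener bound beyond loopback (allowing TransPort and DNSPort on the access-point address) and a ControlPort with no authentication option in the same text. The function names audit_torrc and sample_torrc are hypothetical, and the sample input is constructed from the listener lines shown above.

```shell
#!/bin/sh
# Added example (not from the original guide): audit torrc text read on stdin.
# $1 = access-point address that TransPort/DNSPort are expected to bind to.
# Only the text given is inspected; options set in other files are not seen.
audit_torrc() {
    awk -v ap="$1" '
    $1 ~ /^#/ || NF == 0 { next }                 # skip comments and blank lines
    { key = tolower($1) }                         # option names are case-insensitive
    key == "hashedcontrolpassword"              { auth = 1 }
    key == "cookieauthentication" && $2 == "1"  { auth = 1 }
    key == "controlport" && $2 != "0"           { control = 1 }
    key ~ /^(socks|trans|dns|control)port$/ {
        addr = $2
        if (addr == "0" || addr ~ /^unix:/) next  # disabled, or a Unix socket
        host = "127.0.0.1"                        # a bare port binds to localhost
        if (addr ~ /:/) { host = addr; sub(/:[^:]*$/, "", host) }
        if (host ~ /^127\./ || host == "localhost" || host == "[::1]") next
        # Only the transparent-proxy listeners belong on the AP address.
        if (host == ap && (key == "transport" || key == "dnsport")) next
        print "EXPOSED " $1 " " addr
    }
    END { if (control && !auth) print "NOAUTH ControlPort" }
    '
}

# Constructed sample: the listener lines from the torrc shown in this guide.
sample_torrc() {
    cat <<'EOF'
TransPort 127.0.0.1:9040 IsolateClientAddr IsolateClientProtocol IsolateDestAddr IsolateDestPort
TransPort 192.168.222.1:9040 IsolateClientAddr IsolateClientProtocol IsolateDestAddr IsolateDestPort
DNSPort 127.0.0.1:5353
DNSPort 192.168.222.1:5353
SocksPort 192.168.1.4:9100
ControlPort 127.0.0.1:9051
#HashedControlPassword <hashpassword>
EOF
}

# Usage: audit_torrc 192.168.222.1 < your-torrc
```

On the sample it flags the SocksPort bound to the Ethernet-side address and the ControlPort without an authentication option; both deserve a deliberate decision (firewall rule, loopback binding, or HashedControlPassword) before the box goes into use.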
sudo setcap 'cap_net_bind_service=+ep' /usr/bin/obfs4proxy
Put the following bash files in the pi home directory (/home/pi):
- iptable-clear.sh
- iptable-config.sh
- torbox-boot.sh
Edit the root crontab:
sudo crontab -e
then put inside:
@reboot /home/pi/torbox-boot.sh >> /tmp/boot.log 2>&1
Reboot the system; the Tor middlebox transparent proxy is then ready.
sudo reboot