create a tor-only VLAN with a Raspberry Pi


I’m a big fan of the Tor Project. It’s really encouraging to see more people using it, and more people setting up bridges, relays, and exit nodes.

What I’d like to see more of is publicly available networks that transparently redirect clients’ Internet connectivity through Tor. My first step here is aimed at someone with the means to set up many wireless access points on a campus, such as an office building or a university. In these environments, it is typical for wireless networks to be created on different VLANs, with multiple SSIDs advertised and each SSID linked to a different VLAN. Often you might have a staff SSID and a guest SSID.

But because the host is concerned about bad behavior or misuse of the guest network coming back to haunt them, access is extremely locked down. Perhaps they only allow simple web browsing and nothing more. And access is not granted without knowing a guest network password, or having to go through a captive portal.

Let’s dispense with all of that and use an inexpensive Raspberry Pi Model B to create a Tor-only guest VLAN.

I’m going to make a few assumptions up front:

  1. You’ve already got a Raspbian base image installed on your Pi.
  2. It’s plugged into an ethernet switch where untagged traffic transits on a trusted network, and has a route to the public Internet. For the sake of this blog post, we’ll call that vlan1 and assume its native network is 192.168.1.0/24.
  3. There is a second VLAN configured on this switch, we’ll call it vlan2, and its native network is 192.168.2.0/24. This is an isolated VLAN with no transit to the Internet.
  4. You’ve already walked through the initial setup menu when logging into your Raspberry Pi for the first time.

OK let’s get started:

  • run sudo apt-get update to update the index of available packages
  • run sudo apt-get dist-upgrade to upgrade to the latest versions of installed packages
  • run sudo apt-get install tor to install tor. This will start the tor daemon automatically, which we’re not quite ready for yet.
  • sudo /etc/init.d/tor stop to stop the tor daemon for now
  • sudo apt-get install vlan will give us the ability to set up a tagged vlan interface
  • sudo modprobe 8021q to enable the kernel module for tagged VLAN support
  • echo 8021q | sudo tee -a /etc/modules to persist this change across reboots. (A plain sudo echo 8021q >> /etc/modules fails with “Permission denied”: sudo only elevates echo, while the >> redirection is performed by your own unprivileged shell.)
  • sudo vconfig add eth0 2 creates the tagged sub-interface eth0.2 and prints:
    Added VLAN with VID == 2 to IF -:eth0:-
    (vconfig is the older tool from the vlan package; on newer systems the equivalent is sudo ip link add link eth0 name eth0.2 type vlan id 2.)
  • sudo ifconfig eth0.2 192.168.2.1/24 sets the IP address on the new VLAN interface.
  • Let’s make this permanent. Run sudo vi /etc/network/interfaces and add this:
    auto eth0.2
    iface eth0.2 inet static
     address 192.168.2.1
     netmask 255.255.255.0
  • Outstanding. Let’s go ahead and adjust tor’s configuration to handle transparent proxying for us. Go ahead and sudo vi /etc/tor/torrc and add the following lines to the end of the file:
    VirtualAddrNetworkIPv4 10.192.0.0/10
    AutomapHostsOnResolve 1
    TransPort 9040
    TransListenAddress 192.168.2.1
    DNSPort 53
    DNSListenAddress 192.168.2.1
    The first two lines make tor answer a DNS lookup for a .onion name with a made-up address out of 10.192.0.0/10, so that the TCP connection the client then opens to that address can be recognized and sent to the hidden service. Binding TransPort and DNSPort to 192.168.2.1 rather than to every address means only hosts on the guest VLAN can reach them. On tor releases newer than the one Raspbian shipped at the time, TransListenAddress and DNSListenAddress are deprecated; the same thing is written as TransPort 192.168.2.1:9040 and DNSPort 192.168.2.1:53.
  • Go ahead and start tor. sudo /etc/init.d/tor start (but we’re still not done)
  • We’ve got both networks up. We’ve got tor configured to transparently proxy all TCP traffic and DNS queries. But we don’t have anything funneling TCP traffic into tor yet, nor do we have a DHCP server on the VLAN. Let’s continue.
  • Let’s build our firewall rules. Guests get exactly three things from the Pi: a DHCP lease, DNS on port 53 and the TransPort on 9040. Everything else they send to the Pi is rejected, and the FORWARD chain refuses all traffic so nothing can ever be routed between the VLANs, even if IP forwarding is switched on later by accident. Go ahead and sudo vi /etc/iptables.up.rules and paste the following lines into it (lines starting with # are comments; iptables-restore ignores them, and the [0:0] packet counters are reset on load anyway):
    *nat
    :PREROUTING ACCEPT [0:0]
    :INPUT ACCEPT [0:0]
    :OUTPUT ACCEPT [0:0]
    :POSTROUTING ACCEPT [0:0]
    # Guest DNS queries go to tor's DNSPort, new TCP connections (SYN only) to its
    # TransPort. REDIRECT rewrites the destination to the address of eth0.2,
    # 192.168.2.1, which is where tor is listening.
    -A PREROUTING -i eth0.2 -p udp -m udp --dport 53 -j REDIRECT --to-ports 53
    -A PREROUTING -i eth0.2 -p tcp -m tcp --tcp-flags FIN,SYN,RST,ACK SYN -j REDIRECT --to-ports 9040
    COMMIT
    *filter
    :INPUT ACCEPT [0:0]
    :FORWARD DROP [0:0]
    :OUTPUT ACCEPT [0:0]
    # From the guest VLAN: DHCP, DNS and the TransPort only (dports as seen after NAT).
    -A INPUT -i eth0.2 -p udp -m udp --sport 67:68 --dport 67:68 -j ACCEPT
    -A INPUT -i eth0.2 -p udp -m udp --dport 53 -j ACCEPT
    -A INPUT -i eth0.2 -p tcp -m tcp --dport 9040 -j ACCEPT
    -A INPUT -i lo -j ACCEPT
    -A INPUT -d 127.0.0.0/8 ! -i lo -j REJECT --reject-with icmp-port-unreachable
    # Management (ssh, ping) only from the trusted side.
    -A INPUT -i eth0 -m state --state RELATED,ESTABLISHED -j ACCEPT
    -A INPUT -i eth0 -p tcp -m state --state NEW -m tcp --dport 22 -j ACCEPT
    -A INPUT -i eth0 -p icmp -m icmp --icmp-type 8 -j ACCEPT
    -A INPUT -m limit --limit 5/min -j LOG --log-prefix "iptables denied: " --log-level 7
    -A INPUT -i eth0 -j REJECT --reject-with icmp-port-unreachable
    -A INPUT -i eth0.2 -j REJECT --reject-with icmp-port-unreachable
    # Nothing is routed between the VLANs; guest traffic leaves only through tor.
    -A FORWARD -j REJECT --reject-with icmp-port-unreachable
    -A OUTPUT -j ACCEPT
    COMMIT
  • Let’s make the firewall rules persistent. sudo vi /etc/network/if-pre-up.d/iptables
    #!/bin/sh
    /sbin/iptables-restore < /etc/iptables.up.rules
  • And this new script needs to be executable: sudo chmod +x /etc/network/if-pre-up.d/iptables
  • We still need a DHCP server. sudo apt-get install isc-dhcp-server
  • Then we have to configure it. sudo vi /etc/default/isc-dhcp-server and change the last line so the server only answers on the guest VLAN (on newer releases the variable is called INTERFACESv4 instead):
    INTERFACES="eth0.2"
  • Blank out the dhcpd.conf file: sudo cp /dev/null /etc/dhcp/dhcpd.conf (not sudo cat /dev/null > /etc/dhcp/dhcpd.conf, which fails because the redirection runs as your own user rather than as root)
  • sudo vi /etc/dhcp/dhcpd.conf and give it just this:
    ddns-update-style none;
    default-lease-time 600;
    max-lease-time 7200;
    authoritative;
    log-facility local7;
    subnet 192.168.2.0 netmask 255.255.255.0 {
      range 192.168.2.2 192.168.2.254;
      option routers 192.168.2.1;
      option domain-name-servers 192.168.2.1;
    }
  • sudo /etc/init.d/isc-dhcp-server start
  • For good measure, since we grabbed updates earlier in this process, it’s probably not a bad idea to sudo reboot
  • Wait until the Raspberry Pi is back up. Try plugging a laptop into a switch port that is untagged on vlan2. You should get a DHCP lease on the 192.168.2.0/24 network. Go ahead and open a web browser. You should be able to surf.
  • Try going to a site like http://www.whatismyip.com/ and see what IP you’re coming from. I just did and it says I’m in Bucharest (I’m really in Raleigh).

Remember, this isn’t perfect anonymity. Your browser cookies, your browsing habits, the plugins you use, etc. can easily give away your identity. The main point of this is to give a clever option for providing guest WiFi services with a lower risk to the service host. This also gives the guests a better shot at reclaiming their privacy and anonymity.

Most ICMP traffic is going to get dropped on the floor with this system, as well as almost all UDP. DNS queries will get captured and redirected through tor. A hidden bonus of this arrangement is that guests can browse .onion hidden services without installing anything on their end. Tor is really a tcp-only network, so forget about running BitTorrent here, or playing your favorite games (which more often than not depend on UDP).
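If you want to verify the three properties that make this VLAN “Tor-only” rather than trusting the browser test, the following script checks them from the Pi itself. It is an added example, not part of the original post, and it assumes the names and numbers used above (guest interface eth0.2 at 192.168.2.1, TransPort 9040, DNSPort 53, VirtualAddrNetworkIPv4 10.192.0.0/10); the script name torvlan-check.sh and the --live flag are my own invention. It confirms that IP forwarding is off (so nothing the REDIRECT rules miss can be routed out eth0 around tor), that both redirects are present in the loaded ruleset, that the FORWARD chain is closed to everything, and, given a .onion name, that tor’s DNSPort maps it into the virtual address range.

```shell
#!/bin/sh
# torvlan-check.sh: added sanity checks for the Tor-only VLAN described above.
# Example code, not from the original post. Assumes the walkthrough's values:
# guest interface eth0.2 at 192.168.2.1, TransPort 9040, DNSPort 53,
# VirtualAddrNetworkIPv4 10.192.0.0/10.
set -e

GUEST_IF="eth0.2"
GUEST_ADDR="192.168.2.1"
TRANS_PORT=9040
DNS_PORT=53

# Return 0 when a dotted-quad IPv4 address lies inside 10.192.0.0/10, the range
# tor hands out for .onion names when AutomapHostsOnResolve is on. A /10 means:
# first octet 10, top two bits of the second octet set (192..255).
in_virtual_net() {
    ip="$1"
    case "$ip" in *[!0-9.]*|"") return 1 ;; esac
    old_ifs="$IFS"; IFS=.; set -- $ip; IFS="$old_ifs"
    [ "$#" -eq 4 ] || return 1
    for o in "$1" "$2" "$3" "$4"; do [ "$o" -le 255 ] || return 1; done
    [ "$1" -eq 10 ] && [ "$2" -ge 192 ] && [ "$2" -le 255 ]
}

# Forwarding must stay off: with it on, anything the REDIRECT rules do not catch
# (other UDP, ICMP, stray non-SYN TCP) could be routed out eth0 around tor.
# Takes a path so it can be exercised against a file other than /proc.
check_ip_forward() {
    f="${1:-/proc/sys/net/ipv4/ip_forward}"
    [ -r "$f" ] || { echo "cannot read $f"; return 1; }
    if [ "$(cat "$f")" != "0" ]; then
        echo "ip_forward is enabled: guest traffic can bypass tor"
        return 1
    fi
}

# Audit an iptables-save dump read from stdin. Requires the two NAT redirects
# for the guest interface and a FORWARD chain closed to everything (a DROP
# policy or an unconditional REJECT/DROP). Prints each missing item; returns 1 if any.
audit_rules() {
    rules="$(cat)"
    rc=0
    if ! printf '%s\n' "$rules" | grep -qF -- "-A PREROUTING -i $GUEST_IF -p udp -m udp --dport 53 -j REDIRECT --to-ports $DNS_PORT"; then
        echo "missing: UDP/53 redirect on $GUEST_IF to DNSPort $DNS_PORT"; rc=1
    fi
    if ! printf '%s\n' "$rules" | grep -qF -- "-A PREROUTING -i $GUEST_IF -p tcp -m tcp --tcp-flags FIN,SYN,RST,ACK SYN -j REDIRECT --to-ports $TRANS_PORT"; then
        echo "missing: TCP SYN redirect on $GUEST_IF to TransPort $TRANS_PORT"; rc=1
    fi
    if ! printf '%s\n' "$rules" | grep -qE -- '^(:FORWARD DROP|-A FORWARD -j (REJECT|DROP))'; then
        echo "missing: FORWARD chain is not closed to all traffic"; rc=1
    fi
    return $rc
}

# Live mode, run on the Pi as root: sudo sh torvlan-check.sh --live [name.onion]
# If an .onion name is given it is resolved through tor's DNSPort with dig
# (package dnsutils) and the answer is checked against the virtual range.
if [ "${1:-}" = "--live" ]; then
    status=0
    check_ip_forward || status=1
    iptables-save | audit_rules || status=1
    if [ -n "${2:-}" ]; then
        answer="$(dig +short "@$GUEST_ADDR" "$2" A | head -n 1)"
        if in_virtual_net "$answer"; then
            echo "$2 -> $answer (inside 10.192.0.0/10, automap works)"
        else
            echo "$2 -> '$answer' is not a tor virtual address"; status=1
        fi
    fi
    [ "$status" -eq 0 ] && echo "all checks passed"
    exit "$status"
fi
```

Run it after the reboot as sudo sh torvlan-check.sh --live, optionally followed by a hidden service hostname; if it reports a missing rule, check that /etc/network/if-pre-up.d/iptables is executable and actually ran. The functions take their input from arguments and stdin rather than from the live system so they can be tried on any machine with a saved ruleset.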

Now that you have a privacy-enhanced VLAN configured, with transit to the Internet handled transparently through Tor, I’ll leave it to you to add one or more wireless access points to this VLAN so that you might share it with others.
