freeflora.net will help you to run an anonymous wireless access point (AP) on a Raspberry Pi.
Tor (The Onion Router) is the largest deployed anonymity network to date.
It's simple: If you combine a Raspberry Pi with Tor then you get an Onion Pi.
miniOnionPi is a ready-to-use Onion Pi image based on MINIBIAN:
https://github.com/floranet/miniOnionPi
Let's take a look at a private network and a typical use case at home:
- A device connects to a wireless access point (AP) - physically a router
- The router operates the private network, called LAN (Local Area Network)
- Networks at home are connected to WAN (Wide Area Network)
Now the device navigates to a website and is soon connected to a web server.
The information passes the AP, goes through the LAN to the WAN and comes back.
Tor uses a tunnel instead: it encrypts your data and sends it through other Tor nodes to provide anonymity.
So far, so good, if you just read information from the internet and don't share cookies or other private information.
In reality, all websites have user identification, and that's a serious problem for anonymity.
That means it's not private at all! Yes, Onion Pi has these problems, too!
If you want anonymity, disable cookies, scripts and ads and run your web browser in private mode.
Don't use your private login and password on public websites! Don't trust anything. Be aware!
For example: if you log in at some social network site with your private account, seriously, sell your Onion Pi!
Let's begin. First, of course, you need a Raspberry Pi! There are several Raspberry Pi packages to buy online.
If you get one, please check if you have all that is required to make an onion of it:
- Raspberry Pi (2) / any model
- SD Card > 2GB / microSD for Pi 2
- MicroUSB power supply cable
- Ethernet cable
- USB WiFi module (check Pi compatibility and AP capability)
- A nice case for your Pi (check Pi model)
- USB keyboard for setup only
- HDMI cable for setup only
The heart of the Onion Pi is the operating system: Raspbian.
Raspbian is a Linux operating system based on Debian and optimized for the Raspberry Pi hardware: https://www.raspbian.org
- Download the latest Raspbian image from:
- If you are using Windows, this tool can help you to copy the image to your SD card:
  - Win32DiskImager: https://sourceforge.net/projects/win32diskimager
- Here is a complete installation guide for Mac OS, Linux and Windows:
And of course here is the standard setup:
- Put the SD card (Raspbian image) into your Pi
- Connect the Pi with the Ethernet cable to your router
- Plug in the USB keyboard and the USB WiFi module
- Don't forget the HDMI cable for your screen and power on the Pi
After a few seconds you will see on the screen that the boot has finished.
- Expand the file system and change the user password
- Set the international options: time zone and keyboard layout
- Advanced Options: Change the host name and enable ssh
Finish it with TAB. It's time for another reboot!
The login is pi and the password is the one you chose.
If you enabled ssh, you will find the IP address at the end of the boot output.
You can always check the IP address when you are logged in; look for eth0:
sudo ifconfig -a
Sometimes you need to reboot your Pi:
sudo reboot
It's always good to have the latest libraries on your system:
sudo apt-get update
sudo apt-get upgrade
sudo apt-get dist-upgrade
Keep your Onion Pi up to date. Do updates frequently!
sudo ifconfig -a
If wlan0 is missing, shut down the Pi first:
sudo shutdown -h now
Plug in a USB WiFi module and start the Pi.
Make sure that you have wlan0 working before continuing...
A DHCP (Dynamic Host Configuration Protocol) server will manage the IP addresses of your devices when you connect to the AP.
sudo apt-get install hostapd isc-dhcp-server
Don't worry if the DHCP server fails to start. You need to configure it first:
sudo nano /etc/dhcp/dhcpd.conf
Putting a # at the start of a line comments it out, so it is ignored in the configuration. Comment out these lines:
#option domain-name "example.org";
#option domain-name-servers ns1.example.org, ns2.example.org;
To activate a line in the configuration, remove the # at the start of the line. Activate this one:
authoritative;
And at the end of the file add these lines (you can copy and paste it in your ssh client):
subnet 192.168.42.0 netmask 255.255.255.0 {
range 192.168.42.10 192.168.42.50;
option broadcast-address 192.168.42.255;
option routers 192.168.42.1;
default-lease-time 600;
max-lease-time 7200;
option domain-name "local";
option domain-name-servers 8.8.8.8, 8.8.4.4;
}
To save a file in nano, use this combo: CTRL-X --> Y + ENTER
So, save the file and set the DHCP server interface to the USB WiFi module:
sudo nano /etc/default/isc-dhcp-server
Write wlan0 at the end of the file:
INTERFACES="wlan0"
Save it. You finished the DHCP server installation and configuration. Congrats!
The wireless access point needs a static IP address. First, you have to shut down the interface:
sudo ifdown wlan0
Change the settings in the interface configuration:
sudo nano /etc/network/interfaces
After the line allow-hotplug wlan0 you have to add these lines and remove the rest:
iface wlan0 inet static
address 192.168.42.1
netmask 255.255.255.0
Save it and start the interface again:
sudo ifconfig wlan0 192.168.42.1
Create a new configuration file for the access point:
sudo nano /etc/hostapd/hostapd.conf
Add these lines that describe the access point configuration:
interface=wlan0
driver=rtl871xdrv
ssid=join freeflora.net
hw_mode=g
channel=6
macaddr_acl=0
auth_algs=1
ignore_broadcast_ssid=0
wpa=2
wpa_passphrase=YOUR_AP_PASSWORD
wpa_key_mgmt=WPA-PSK
wpa_pairwise=TKIP
rsn_pairwise=CCMP
If you are using another driver, you have to change it, for example: driver=nl80211
It's important to change the wpa_passphrase setting and to remember it.
Change the ssid setting to something like MYNAME freeflora.net if you want to support the Onion Pi community!
Adjust the other settings if you know what you are doing.
Don't forget to set the new configuration file for the access point:
sudo nano /etc/default/hostapd
Uncomment the line and add the path to the configuration file:
DAEMON_CONF="/etc/hostapd/hostapd.conf"
Save it.
First, IP forwarding is needed. Open this file:
sudo nano /etc/sysctl.conf
Uncomment this setting to enable IP forwarding:
net.ipv4.ip_forward=1
Save the file. Then add the following iptables rules:
sudo sh -c "echo 1 > /proc/sys/net/ipv4/ip_forward"
sudo iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE
sudo iptables -A FORWARD -i eth0 -o wlan0 -m state --state RELATED,ESTABLISHED -j ACCEPT
sudo iptables -A FORWARD -i wlan0 -o eth0 -j ACCEPT
You can check the current iptables rules with:
sudo iptables -t nat -S
sudo iptables -S
Next, save the new iptables rules:
sudo sh -c "iptables-save > /etc/iptables.ipv4.nat"
Open the network interface configuration again:
sudo nano /etc/network/interfaces
And add this new line at the bottom to load the saved tables automatically on next boot:
up iptables-restore < /etc/iptables.ipv4.nat
wget http://www.adafruit.com/downloads/adafruit_hostapd.zip
unzip adafruit_hostapd.zip
sudo mv /usr/sbin/hostapd /usr/sbin/hostapd.ORIG
sudo mv hostapd /usr/sbin
sudo chmod 755 /usr/sbin/hostapd
sudo /usr/sbin/hostapd /etc/hostapd/hostapd.conf
Check if you find the AP running. Use CTRL + C to stop the access point.
Now it's time for another reboot.
You can check the status of the services with:
sudo service hostapd status
sudo service isc-dhcp-server status
And if you need to start the services manually:
sudo service hostapd start
sudo service isc-dhcp-server start
Run the following commands to finish it:
sudo update-rc.d hostapd enable
sudo update-rc.d isc-dhcp-server enable
sudo mv /usr/share/dbus-1/system-services/fi.epitest.hostap.WPASupplicant.service ~/
Reboot! Your access point is now ready! Next: install Tor!
You can always check the system log for errors:
tail -f /var/log/syslog
sudo apt-get install tor
Change Tor configuration:
sudo nano /etc/tor/torrc
Add these lines at the bottom of the configuration file:
Log notice file /var/log/tor/notices.log
VirtualAddrNetwork 10.192.0.0/10
AutomapHostsSuffixes .onion,.exit
AutomapHostsOnResolve 1
TransPort 9040
TransListenAddress 192.168.42.1
DNSPort 53
DNSListenAddress 192.168.42.1
Save the file and change the iptables rules again:
sudo iptables -F
sudo iptables -t nat -F
sudo iptables -t nat -A PREROUTING -i wlan0 -p tcp --dport 22 -j REDIRECT --to-ports 22
sudo iptables -t nat -A PREROUTING -i wlan0 -p udp --dport 53 -j REDIRECT --to-ports 53
sudo iptables -t nat -A PREROUTING -i wlan0 -p tcp --syn -j REDIRECT --to-ports 9040
If you need to check the iptables rules:
sudo iptables -t nat -L
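The following script is an added example, not part of the original guide: it checks a rule dump in iptables-save format for the three redirects above and for rules left over from the plain access point stage that would let traffic leave through eth0 without Tor. The function name audit_rules and both sample dumps are constructed for illustration; the interfaces and ports are the ones used on this page.

```shell
#!/bin/sh
# Added example, not from the original guide. wlan0, eth0 and ports
# 22/53/9040 are this page's values; the sample dumps are constructed.

audit_rules() {    # $1 = file in iptables-save format; prints one finding per line
    f=$1
    pre='^-A PREROUTING -i wlan0 -p'
    # Client DNS must reach Tor's DNSPort, or lookups leave in the clear.
    grep -Eq -- "$pre udp .*--dport 53 .*REDIRECT --to-ports 53\$" "$f" ||
        echo "MISSING: udp/53 redirect to DNSPort 53"
    # New TCP connections must reach Tor's TransPort.
    grep -Eq -- "$pre tcp .*SYN .*REDIRECT --to-ports 9040\$" "$f" ||
        echo "MISSING: tcp SYN redirect to TransPort 9040"
    # Rules left from the plain-AP stage route other traffic out via eth0.
    if grep -Eq -- '^-A POSTROUTING .*-o eth0 .*MASQUERADE' "$f"; then
        echo "LEAK: MASQUERADE on eth0 still present"
    fi
    if grep -Eq -- '^-A FORWARD -i wlan0 -o eth0 .*ACCEPT' "$f"; then
        echo "LEAK: FORWARD wlan0 -> eth0 still accepted"
    fi
    # The SSH exception only works if it precedes the catch-all redirect.
    ssh=$(grep -En -- "$pre tcp .*--dport 22 " "$f" | head -n 1 | cut -d: -f1)
    all=$(grep -En -- "$pre tcp .*SYN .*--to-ports 9040\$" "$f" | head -n 1 | cut -d: -f1)
    if [ -n "$ssh" ] && [ -n "$all" ] && [ "$ssh" -gt "$all" ]; then
        echo "ORDER: SSH rule comes after the catch-all redirect"
    fi
    return 0
}

good=$(mktemp); bad=$(mktemp)
cat > "$good" <<'EOF'
*nat
-A PREROUTING -i wlan0 -p tcp -m tcp --dport 22 -j REDIRECT --to-ports 22
-A PREROUTING -i wlan0 -p udp -m udp --dport 53 -j REDIRECT --to-ports 53
-A PREROUTING -i wlan0 -p tcp -m tcp --tcp-flags FIN,SYN,RST,ACK SYN -j REDIRECT --to-ports 9040
COMMIT
EOF
cat > "$bad" <<'EOF'
*nat
-A PREROUTING -i wlan0 -p tcp -m tcp --tcp-flags FIN,SYN,RST,ACK SYN -j REDIRECT --to-ports 9040
-A POSTROUTING -o eth0 -j MASQUERADE
COMMIT
*filter
-A FORWARD -i wlan0 -o eth0 -j ACCEPT
COMMIT
EOF
echo "good: $(audit_rules "$good" | wc -l | tr -d ' ') finding(s)"
audit_rules "$bad"
```

On the Pi, point the function at the saved rules once they exist: audit_rules /etc/iptables.ipv4.nat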
You have to run the following commands:
sudo sh -c "iptables-save > /etc/iptables.ipv4.nat"
sudo touch /var/log/tor/notices.log
sudo chown debian-tor /var/log/tor/notices.log
sudo chmod 644 /var/log/tor/notices.log
If you want to see the result of the commands, you can check it:
ls -l /var/log/tor
It's time to start the Tor service:
sudo service tor start
If you are not sure whether the service is running:
sudo service tor status
And don't forget to make Tor start on the next boot:
sudo update-rc.d tor enable
Your Onion Pi is ready!
- If you don't know if it's working, check: http://www.ipchicken.com
Please help keep up anonymity in the network and install an Onion Pi!
But also keep in mind that correct behaviour on the net is very important.
Have fun with it!