Safeplug is a special router that creates an anonymous connection to the Internet through the Tor network (i.e. Tor?); it costs $50 — but you can make your own with a Raspberry Pi and USB WiFi.

In truth, you won’t be saving much: the cost of the Pi plus a suitable WiFi adapter will set you back about $50 or more. But do-it-yourself is fun, we’ll learn a lot, and you probably already have a pi sitting around, gathering dust.


Shopping list

  • Raspberry Pi (Model B)
  • SD card at least 4 gigabytes
  • network cable
  • Compatible USB Wifi adapter — this means it can work in structural mode with the hostapd package (for example, based on the RT5370 chipset)
  • Micro USB power adapter

shopping list


We will set up the Raspberry Pi to act as a router: it will connect to the Ethernet port on your existing internet router like any other device, but it will also connect to the anonymous Tor network. You can read our complete guide to Tor to learn more, but it essentially works by sending your internet requests through multiple computers — redirecting them all over the world — making you virtually untrackable. The Pi will broadcast the WiFi network just like your router probably does, so any WiFi traffic will be sent to the internet via Tor. In fact, if you don’t already have a WiFi enabled router and want to get one, just follow the first part of this tutorial.

This of course reduces the speed both through the routing element and through the actual Tor network.

However, be careful: browsing only through Tor will not completely anonymize your session. Your browser is full of cached files and cookies that can be used to determine your presence on a website (what is a cookie? a cookie is a cookie). Make sure they’re disabled and blocked (use incognito mode) — and obviously don’t start logging into websites.


Write a fresh copy of the latest Raspian Wheezy image to your SD card; plug in power, ethernet, usb wifi adapter and boot up. You don’t need an attached monitor or keyboard — we’ll do it all from the command line.

Use an IP scanner. to find out the IP address of your Raspberry Pi (IP Scanner for OS X works fine for me) then SSH into it from the command line (how to use SSH on Windows) with the command:

ssh pi@xxxx 

where xxxx is the IP address of your Pi. The default password is «raspberry»

Type of:

 sudo raspi-config 

run the graphics setup utility. Expand the file system, then exit the setup utility and restart. You must have the same IP address — go ahead and SSH back again.

Check if the Pi can access the internet by typing


from your SSH session (not on your local machine). You should see something like this:


Click ctrl-c, to stop him. Now check if your WiFi adapter is recognized by typing:

 ifconfig -a 

If you see wlan0 in list, all is well. If not, then your wireless adapter is not even recognized, let alone AP structure/mode capability.

wlan0 identified

Let’s update the system and install some software. Start the next one in line, going through the hints as needed. In the second step, we remove wolfram engine, to fix a bug in the math core — in the process we also save 450 megabytes.

 sudo apt-get update sudo apt-get remove wolfram-engine sudo apt-get install hostapd isc-dhcp-server 


Here we have set up a DHCP server so that WiFi clients can automatically obtain an IP address. Ignore the error — it just means we haven’t actually set it up yet.

 sudo nano /etc/dhcp/dhcpd.conf 

Comment out (add # to start) the following lines:

 option domain-name ""; option domain-name-servers,; 

Uncomment (remove #) word authoritative from these lines:

 # If this DHCP server is the official DHCP server for the local # network, the authoritative directive should be uncommented. authoritative; 

Now scroll down and paste:

 subnet netmask { range; option broadcast-address; option routers; default-lease-time 600; max-lease-time 7200; option domain-name "local"; option domain-name-servers,; } 

Save with CTRL-X -> Y -> input .

Next enter:

 sudo nano /etc/default/isc-dhcp-server 

Change the last line to read:



This means that our DHCP server must be listening on the wireless interface in order to issue IP addresses. And finally:

 sudo nano /etc/network/interfaces 

Replace everything after (leaving this line in):

 allow-hotplug wlan0 

With this:

 iface wlan0 inet static address netmask 
 #iface wlan0 inet manual #wpa-roam /etc/wpa_supplicant/wpa_supplicant.conf #iface default inet dhcp 


Exit and save (CTRL-X, Y, type — remember, I won’t talk anymore!) . We have now defined a static IP address for the wireless network and told the DHCP server to assign IP addresses to clients. Stunning. Next enter:

 sudo ifconfig wlan0 

To define our access point, edit the HostAP configuration file as follows.

 sudo nano /etc/hostapd/hostapd.conf 

Add the following lines by editing ssid (WiFi network name) and wpa_passphrase, if you want to.

 interface=wlan0 driver=nl80211 ssid=PiTest hw_mode=g channel=6 macaddr_acl=0 auth_algs=1 ignore_broadcast_ssid=0 wpa=2 wpa_passphrase=raspberry wpa_key_mgmt=WPA-PSK wpa_pairwise=TKIP rsn_pairwise=CCMP 

Now we need to tell the Pi where our config file is located.

 sudo nano /etc/default/hostapd 

Replace this line:




Finally, we need to set up NAT. NAT, or Network Address Translation, is the process of converting internal network IP addresses to a single external IP address and routing accordingly.

 sudo nano /etc/sysctl.conf 

At the very bottom add:


Save. Run all of the following commands — feel free to paste them all at once. This is where we set up the routing tables, which basically just connect our ethernet adapter and WiFi.

 sudo sh -c "echo 1 > /proc/sys/net/ipv4/ip_forward" sudo iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE sudo iptables -A FORWARD -i eth0 -o wlan0 -m state --state RELATED,ESTABLISHED -j ACCEPT sudo iptables -A FORWARD -i wlan0 -o eth0 -j ACCEPT sudo sh -c "iptables-save > /etc/iptables.ipv4.nat" 

Finally, run:

 sudo nano /etc/network/interfaces 

and add:

 up iptables-restore < /etc/iptables.ipv4.nat 

until the very end. To test, we run:

 sudo /usr/sbin/hostapd /etc/hostapd/hostapd.conf 

Your network PiTest should be broadcasting now if you haven't changed the title. Try to connect from another computer or mobile device and you should see some debug information on the screen, like this:

WiFi debugging

Now click ctrl-c, to cancel the program and let's make sure it starts as a service on restart. Run these commands:

 sudo service hostapd start sudo service isc-dhcp-server start sudo update-rc.d hostapd enable sudo update-rc.d isc-dhcp-server enable 

start dhcp-on-reload

Now we've got the routing part set up, but we still need to add Tor to the equation - we've literally just created a router for now.

Install Tor

 sudo apt-get install tor sudo nano /etc/tor/torrc 

Copy and paste this right at the top. Skip everything else and save:

 Log notice file /var/log/tor/notices.log VirtualAddrNetwork AutomapHostsSuffixes .onion,.exit AutomapHostsOnResolve 1 TransPort 9040 TransListenAddress DNSPort 53 DNSListenAddress 


Get rid of our old routing tables and add an exception for SSH so we can log in again. We add a DNS lookup pass; and directing all TCP traffic (control signals) to 9040.

 sudo iptables -F sudo iptables -t nat -F sudo iptables -t nat -A PREROUTING -i wlan0 -p tcp --dport 22 -j REDIRECT --to-ports 22 sudo iptables -t nat -A PREROUTING -i wlan0 -p udp --dport 53 -j REDIRECT --to-ports 53 sudo iptables -t nat -A PREROUTING -i wlan0 -p tcp --syn -j REDIRECT --to-ports 9040 

You can check entries like this:

 sudo iptables -t nat -L 

Save the file so that it loads on reboot.

 sudo sh -c "iptables-save > /etc/iptables.ipv4.nat" 

Enable it to run on boot, then restart so we can test it.

 sudo update-rc.d tor enable sudo shutdown -r now 

You can create a log file and customize it with the following (this is not required, but might be useful for debugging if you have problems).

 sudo touch /var/log/tor/notices.log sudo chown debian-tor /var/log/tor/notices.log sudo chmod 644 /var/log/tor/notices.log tail -f /var/log/tor/notices.log 

Go to and make sure your IP is not from your ISP:


Or use :


You may find that Google asks to check with captcha quite often - this is because Tor is often used by spammers, and there is nothing you can do about it.

Google spammer check

Congratulations, you are anonymous and can now access hidden Tor websites with the domain .onion (How to find active Onion sites?). Just don't do stupid things like start a bitcoin drug site or use your real name anywhere and you'll be fine. Let us know if you have any problems and I will try to help.

Похожие записи