RealX

Gadgets world

Build Your Own: Safeplug (Tor Proxy Box)

Create your own: Safeplug (Tor Proxy Box)

Safeplug is a special router that creates an anonymous connection to the Internet through the Tor network (i.e. Tor?); it costs $50 — but you can make your own with a Raspberry Pi and USB WiFi.

In truth, you won’t be saving much: the cost of the Pi plus a suitable WiFi adapter will set you back about $50 or more. But do-it-yourself is fun, we’ll learn a lot, and you probably already have a pi sitting around, gathering dust.

safeplug

Shopping list

  • Raspberry Pi (Model B)
  • SD card at least 4 gigabytes
  • network cable
  • Compatible USB Wifi adapter — this means it can work in structural mode with the hostapd package (for example, based on the RT5370 chipset)
  • Micro USB power adapter

shopping list

Theory

We will set up the Raspberry Pi to act as a router: it will connect to the Ethernet port on your existing internet router like any other device, but it will also connect to the anonymous Tor network. You can read our complete guide to Tor to learn more, but it essentially works by sending your internet requests through multiple computers — redirecting them all over the world — making you virtually untrackable. The Pi will broadcast the WiFi network just like your router probably does, so any WiFi traffic will be sent to the internet via Tor. In fact, if you don’t already have a WiFi enabled router and want to get one, just follow the first part of this tutorial.

This of course reduces the speed both through the routing element and through the actual Tor network.

However, be careful: browsing only through Tor will not completely anonymize your session. Your browser is full of cached files and cookies that can be used to determine your presence on a website (what is a cookie? a cookie is a cookie). Make sure they’re disabled and blocked (use incognito mode) — and obviously don’t start logging into websites.

Beginning

Write a fresh copy of the latest Raspian Wheezy image to your SD card; plug in power, ethernet, usb wifi adapter and boot up. You don’t need an attached monitor or keyboard — we’ll do it all from the command line.

Use an IP scanner. to find out the IP address of your Raspberry Pi (IP Scanner for OS X works fine for me) then SSH into it from the command line (how to use SSH on Windows) with the command: 

ssh pi@xxxx

where xxxx is the IP address of your Pi. The default password is «raspberry»

Type of: 

 sudo raspi-config

run the graphics setup utility. Expand the file system, then exit the setup utility and restart. You must have the same IP address — go ahead and SSH back again.

Check if the Pi can access the internet by typing 

 ping google.com

from your SSH session (not on your local machine). You should see something like this:

ping-google

Click ctrl-c, to stop him. Now check if your WiFi adapter is recognized by typing: 

 ifconfig -a

If you see wlan0 in list, all is well. If not, then your wireless adapter is not even recognized, let alone AP structure/mode capability.

wlan0 identified

Let’s update the system and install some software. Start the next one in line, going through the hints as needed. In the second step, we remove wolfram engine, to fix a bug in the math core — in the process we also save 450 megabytes. 

 sudo apt-get update sudo apt-get remove wolfram-engine sudo apt-get install hostapd isc-dhcp-server

error-setup-dhcp-server

Here we have set up a DHCP server so that WiFi clients can automatically obtain an IP address. Ignore the error — it just means we haven’t actually set it up yet. 

 sudo nano /etc/dhcp/dhcpd.conf

Comment out (add # to start) the following lines: 

 option domain-name "example.org"; option domain-name-servers ns1.example.org, ns2.example.org;

Uncomment (remove #) word authoritative from these lines: 

 # If this DHCP server is the official DHCP server for the local # network, the authoritative directive should be uncommented. authoritative;

Now scroll down and paste: 

 subnet 192.168.42.0 netmask 255.255.255.0 { range 192.168.42.10 192.168.42.50; option broadcast-address 192.168.42.255; option routers 192.168.42.1; default-lease-time 600; max-lease-time 7200; option domain-name "local"; option domain-name-servers 8.8.8.8, 8.8.4.4; }

Save with CTRL-X -> Y -> input .

Next enter: 

 sudo nano /etc/default/isc-dhcp-server

Change the last line to read: 

 INTERFACES="wlan0"

dhcp-server-config

This means that our DHCP server must be listening on the wireless interface in order to issue IP addresses. And finally: 

 sudo nano /etc/network/interfaces

Replace everything after (leaving this line in): 

 allow-hotplug wlan0

With this: 

 iface wlan0 inet static address 192.168.42.1 netmask 255.255.255.0 
 #iface wlan0 inet manual #wpa-roam /etc/wpa_supplicant/wpa_supplicant.conf #iface default inet dhcp

network-interfaces

Exit and save (CTRL-X, Y, type — remember, I won’t talk anymore!) . We have now defined a static IP address for the wireless network and told the DHCP server to assign IP addresses to clients. Stunning. Next enter: 

 sudo ifconfig wlan0 192.168.42.1

To define our access point, edit the HostAP configuration file as follows. 

 sudo nano /etc/hostapd/hostapd.conf

Add the following lines by editing ssid (WiFi network name) and wpa_passphrase, if you want to. 

 interface=wlan0 driver=nl80211 ssid=PiTest hw_mode=g channel=6 macaddr_acl=0 auth_algs=1 ignore_broadcast_ssid=0 wpa=2 wpa_passphrase=raspberry wpa_key_mgmt=WPA-PSK wpa_pairwise=TKIP rsn_pairwise=CCMP

Now we need to tell the Pi where our config file is located. 

 sudo nano /etc/default/hostapd

Replace this line: 

 #DAEMON_CONF=""

With: 

 DAEMON_CONF="/etc/hostapd/hostapd.conf"

Finally, we need to set up NAT. NAT, or Network Address Translation, is the process of converting internal network IP addresses to a single external IP address and routing accordingly. 

 sudo nano /etc/sysctl.conf

At the very bottom add: 

 net.ipv4.ip_forward=1

Save. Run all of the following commands — feel free to paste them all at once. This is where we set up the routing tables, which basically just connect our ethernet adapter and WiFi. 

 sudo sh -c "echo 1 > /proc/sys/net/ipv4/ip_forward" sudo iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE sudo iptables -A FORWARD -i eth0 -o wlan0 -m state --state RELATED,ESTABLISHED -j ACCEPT sudo iptables -A FORWARD -i wlan0 -o eth0 -j ACCEPT sudo sh -c "iptables-save > /etc/iptables.ipv4.nat"

Finally, run: 

 sudo nano /etc/network/interfaces

and add: 

 up iptables-restore < /etc/iptables.ipv4.nat

until the very end. To test, we run: 

 sudo /usr/sbin/hostapd /etc/hostapd/hostapd.conf

Your network PiTest should be broadcasting now if you haven't changed the title. Try to connect from another computer or mobile device and you should see some debug information on the screen, like this:

WiFi debugging

Now click ctrl-c, to cancel the program and let's make sure it starts as a service on restart. Run these commands: 

 sudo service hostapd start sudo service isc-dhcp-server start sudo update-rc.d hostapd enable sudo update-rc.d isc-dhcp-server enable

start dhcp-on-reload

Now we've got the routing part set up, but we still need to add Tor to the equation - we've literally just created a router for now.

Install Tor 

 sudo apt-get install tor sudo nano /etc/tor/torrc

Copy and paste this right at the top. Skip everything else and save: 

 Log notice file /var/log/tor/notices.log VirtualAddrNetwork 10.192.0.0/10 AutomapHostsSuffixes .onion,.exit AutomapHostsOnResolve 1 TransPort 9040 TransListenAddress 192.168.42.1 DNSPort 53 DNSListenAddress 192.168.42.1

torrc

Get rid of our old routing tables and add an exception for SSH so we can log in again. We add a DNS lookup pass; and directing all TCP traffic (control signals) to 9040. 

 sudo iptables -F sudo iptables -t nat -F sudo iptables -t nat -A PREROUTING -i wlan0 -p tcp --dport 22 -j REDIRECT --to-ports 22 sudo iptables -t nat -A PREROUTING -i wlan0 -p udp --dport 53 -j REDIRECT --to-ports 53 sudo iptables -t nat -A PREROUTING -i wlan0 -p tcp --syn -j REDIRECT --to-ports 9040

You can check entries like this: 

 sudo iptables -t nat -L

Save the file so that it loads on reboot. 

 sudo sh -c "iptables-save > /etc/iptables.ipv4.nat"

Enable it to run on boot, then restart so we can test it. 

 sudo update-rc.d tor enable sudo shutdown -r now

You can create a log file and customize it with the following (this is not required, but might be useful for debugging if you have problems). 

 sudo touch /var/log/tor/notices.log sudo chown debian-tor /var/log/tor/notices.log sudo chmod 644 /var/log/tor/notices.log tail -f /var/log/tor/notices.log

Go to whatismyipaddress.com and make sure your IP is not from your ISP:

what-is-my-ip-address

Or use check.torproject.org :

Congrats-tor-it-works

You may find that Google asks to check with captcha quite often - this is because Tor is often used by spammers, and there is nothing you can do about it.

Google spammer check

Congratulations, you are anonymous and can now access hidden Tor websites with the domain .onion (How to find active Onion sites?). Just don't do stupid things like start a bitcoin drug site or use your real name anywhere and you'll be fine. Let us know if you have any problems and I will try to help.

Похожие записи

How to Make an Ethernet Crossover Cable

How to make a pulsating Arduino LED that looks like it’s from the future

Build a Motion Capture Security System Using Raspberry Pi