Thoughts upfront
The following is not for a high-level of anonymity and privacy; if anonymity is really crucial please look for more secure solutions like Tails or Whonix instead. Using Tor will effectively only hide your IP address, i.e. no-one can see your traffic as it leaves your location, however, starting from the Tor Exit the IP traffic looks the same as without Tor – just coming from the Tor-Exit and not from your IP address directly. Any private data included in your traffic itself will still be visible (to everyone if not encrypted, i.e. using http and the website provider if using https encrypted traffic). Keep in mind that although many sites (seem) to use https they are in fact hosted by companies like Cloudflare which terminated the https tunnel and have full access to everything sent to the website. Also your specific browser can be identified easily (although not related to you in person) via so-called fingerprinting principles.
What you will need: Raspberry Pi 3 (comes with WLAN included), a LAN cable, a SD card and a computer to prepare the SD card and then configure the Raspberry Pi. How to setup the Raspberry Pi as a mini-server (i.e. headless, without a display) is described in a separate article and is a prerequisite for the following.
Enable WLAN (Access Point with DHCP)
First, we shutdown the WLAN interface while we configure it in the next steps:
sudo ifdown wlan0
Disable the DHCP Client on WLAN
Normally the dhcpcd daemon (DHCP client) will search the network for a DHCP server to assign a IP address to wlan0. This is disabled by editing the configuration file:
sudo nano /etc/dhcpcd.conf
We tell the DHCP client that on the wlan0 interface we have a static IP address and it should not configure anything else on it. This is achieved by adding at the very end of the config file:
interface wlan0
static ip_address=192.168.200.1/24
nohook wpa_supplicant
and then restart the service so the new config is loaded:
sudo systemctl restart dhcpcd
Enable the Access-Point Server
Install the WiFi Access-Point server:
sudo apt install hostapd
Create a new config file for the access point:
sudo nano /etc/hostapd/hostapd.conf
Paste the below – and change the country code, the WLAN name (SSID) and the WLAN password before saving the file:
interface=wlan0 driver=nl80211 country_code=FR ssid=Your-WLAN-Name hw_mode=g channel=6 ieee80211n=1 wmm_enabled=1 ht_capab=[HT40][SHORT-GI-20][DSSS_CCK-40] macaddr_acl=0 auth_algs=1 ignore_broadcast_ssid=0 wpa=2 wpa_passphrase=Your-WLAN-Password wpa_key_mgmt=WPA-PSK wpa_pairwise=TKIP rsn_pairwise=CCMP
The channel could be set to either 1, 6 or 11 depending on other wireless networks in your area. If you don’t know just take one by chance. Next, point the server to the right config file:
sudo nano /etc/default/hostapd
DAEMON_CONF="/etc/hostapd/hostapd.conf"
And then ensure the service is started:
sudo systemctl start hostapd sudo systemctl status hostapd sudo systemctl enable hostapd
Enable the DHCP Server
Start out by installing dnsmasq with the following command
sudo apt install -y dnsmasq
and then make a backup of the initial standard configuration for later reference before enabling the new config:
sudo mv /etc/dnsmasq.conf /etc/dnsmasq.conf.backup
We will put the DHCP configuration in the file dnsmasq.dhcp.conf and edit it with:
sudo nano /etc/dnsmasq.d/dnsmasq.dhcp.conf
The new configuration should be something similar to the following, however with the ip address information and things like the MAC addresses changed to your local setup:
# Configuration file for dnsmasq (DHCP part) # Extra logging for DHCP: log all the options sent to DHCP clients and the tags # used to determine them. #log-dhcp # Suppress logging of the routine operation of these protocols. Errors and problems # will still be logged. quiet-dhcp and quiet-dhcp6 are over-ridden by log-dhcp. quiet-dhcp # This is our local network to be served as DHCP on wlan0 dhcp-range=wlan0,192.168.200.20,192.168.200.199,255.255.255.0,24h # This is the only DHCP-server for wlan0 dhcp-authoritative # This is your local domain name. It will tell the DHCP server which # host to give out IP addresses for. domain=alpha # Set the Gateway IP address dhcp-option=option:router,192.168.200.1 # Set the DNS server dhcp-option=option:dns-server,192.168.200.1 # Set the NTP time server address dhcp-option=option:ntp-server,192.168.200.1 # adapted for a typical dnsmasq installation where the host running # dnsmasq is also the host running samba. # you may want to uncomment some or all of them if you use # Windows clients and Samba. dhcp-option=19,0 # option ip-forwarding off for clients dhcp-option=44,0.0.0.0 # set netbios-over-TCP/IP nameserver(s) aka WINS server(s) dhcp-option=45,0.0.0.0 # netbios datagram distribution server dhcp-option=46,8 # netbios node type # Always allocate the same DHCP IP address based on the MAC address dhcp-host=00:25:a5:34:af:e7, Ethernet-Bridge, 192.168.200.20, infinite dhcp-host=84:cf:bf:89:9b:fd, Mobile, 192.168.200.120, infinite
To test if the config for dnsmasq is free of errors check the syntax with:
sudo dnsmasq --test
DNS Server and Cache
We put the DNS server configuration in a separate file (both DHCP and DNS is the same dnsmasq software and the config could well be in one file; but it’s a bit easier to read that way):
sudo nano /etc/dnsmasq.d/dnsmasq.dns.conf
and paste in the following
# Configuration file for dnsmasq (DNS part) # For debugging, log each DNS query as it passes through dnsmasq. #log-queries # Listen on these IP addresses for DNS requests (always include localhost): listen-address=127.0.0.1,192.168.200.1,10.80.0.1 # Where to send DNS request to which can't be resolved locally. # Here we use the local Tor service listening on port 5300 (see /etc/tor/torrc) server=127.0.0.1#5300 # The bind-interfaces directive instructs dnsmasq to bind only to # the network interface specified in the listen-address directive. bind-interfaces # The no-hosts directive instructs dnsmasq not to read hostnames # from /etc/hosts. no-hosts # Read hostname information from this file in addition addn-hosts=/etc/dnsmasq.hosts # Never forward plain names (without a dot or domain part) upstream domain-needed # Never forward addresses in the non-routed address spaces. bogus-priv # If you don't want dnsmasq to read /etc/resolv.conf or any other # file, getting its servers from this file instead, then uncomment this. no-resolv # If you don't want dnsmasq to poll /etc/resolv.conf or other resolv # files for changes and re-read them then uncomment this. no-poll # Set this if you want to have a domain # automatically added to simple names in a hosts-file. expand-hosts # Number of hostnames being cached in RAM for DNS lookups cache-size=10000 # Do not cache negative responses no-negcache # Resolve these domains locally only, don't send upstream local=/alpha/ local=/local/ # Some simple domain blocking (doesn't block the IP, just domain-name) address=/doubleclick.net/0.0.0.0 address=/google-analytics.com/0.0.0.0 address=/analytics.google.com/0.0.0.0 address=/amazon-adsystem.com/0.0.0.0 address=/analytics.yahoo.com/0.0.0.0 address="cn"0.0.0.0
To resolve the hostname of this server we need to provide it in a separate host-file:
sudo nano /etc/dnsmasq.hosts
and just list the local hostname and its IP address on the WLAN:
192.168.200.1 MyTorGateway
so can use its name on other devices on the WLAN (instead of the IP address).
To test if the above config for dnsmasq is free of errors run:
sudo dnsmasq --test
If everything is fine, start the dnsmasq service and check its status with:
sudo service dnsmasq start sudo service dnsmasq status
To see the listening ports, check with:
sudo netstat -tulpn | grep dnsmasq
Enable a Time Server (NTP via chrony)
Since the aim is to route all traffic from the wireless network through Tor we need to provide the time to the WLAN since this can’t be done over Tor. The best ntp server for our purpose seems to be chrony. It’s installed via:
sudo apt install -y chrony
and then we configure it (after saving the initial config for later reference):
sudo mv /etc/chrony/chrony.conf /etc/chrony/chrony.conf.default sudo nano /etc/chrony/chrony.conf
and paste in the following:
# Welcome to the chrony configuration file. See chrony.conf(5) for more # information about usuable directives. # The time server where we get our time from; here the internet router server 192.168.178.1 iburst #pool pool.ntp.org iburst # Time server for the following subnet allow 192.168.200.0/24 # Listen on this interface for client ntp requests bindaddress 192.168.200.1 # This directive specify the file into which chronyd will store the rate # information. driftfile /var/lib/chrony/chrony.drift # Uncomment the following line to turn logging on. #log tracking measurements statistics # Log files location. logdir /var/log/chrony # The hardware clock (rtc) is always UTC rtconutc # This directive enables kernel synchronisation of the real-time clock. rtcsync # Step the system clock instead of slewing it if the adjustment is larger than # one second, but only in the first three clock updates. makestep 1 3
If the devices on the WLAN don’t pick up time after a few minutes it might be necessary to list the ntp server 192.168.200.1 in the /etc/ntp.conf (or similar) config files of those devices.
Data Forwarding (WLAN ↔ LAN)
Only in case you want to access servers on your LAN (the one directly attached to the internet) from the Raspberry WLAN you need to allow IP4 forwarding on the Raspberry:
sudo nano /etc/sysctl.conf
Set the forwarding option to 1:
net.ipv4.ip_forward=1
and then reload the configuration:
sudo sysctl -p
You can double-check that it worked with:
sudo sysctl net.ipv4.ip_forward
The WLAN is now setup and we only need to enable the interface:
sudo ifconfig wlan0 up sudo reboot
Now you should test it – you should be able to connect to the new WLAN just defined and if IP4 forwarding was enabled you should have access to the Internet (no Tor yet though).
Install and configure Tor
Getting Tor up and running is really easy (including the recommended package to keep the key updated):
sudo apt install -y tor
Keep the initial config file for reference before changing it:
sudo mv /etc/tor/torrc /etc/tor/torrc.default sudo nano /etc/tor/torrc
Log notice file /var/log/tor/tor.log AvoidDiskWrites 1 ExitRelay 0 ExitPolicy reject *:* TransPort 127.0.0.1:9040 IsolateClientAddr IsolateClientProtocol IsolateDestAddr IsolateDestPort DNSPort 127.0.0.1:5300 TransPort 192.168.200.1:9040 IsolateClientAddr IsolateClientProtocol IsolateDestAddr IsolateDestPort DNSPort 192.168.200.1:5300 TransPort 10.80.0.1:9040 IsolateClientAddr IsolateClientProtocol IsolateDestAddr IsolateDestPort DNSPort 10.80.0.1:5300 AutomapHostsOnResolve 1 AutomapHostsSuffixes .onion,.exit VirtualAddrNetworkIPv4 10.12.0.0/16 ExitNodes 9EAD5B2D3DBD96DBC80DCE423B0C345E920A758D, 85D4088148B1A6954C9BFFFCA010E85E0AA88FF0
Check that Tor is happy with the config file and there are no issues with it:
sudo -u debian-tor tor --verify-config
The last line should say that everything looks fine. Then reload the new Tor config:
sudo systemctl reload tor.service
Check the logs for what Tor does and if it complains about anything – the following commands might be useful to check for any errors:
sudo systemctl status tor.service sudo cat /var/log/tor/tor.log journalctl | grep 'Tor'
In case of issues with tor one could increase the level of logging temporarily – in the tor config file /etc/tor/torrc replace the ‚log …‘ configuration with debug, info, notice, warn, or err. For example a ‚log info…‘ statement will provide more details. In the long run the log-level of ’notice‘ should be the best choice.
If anonymity and privacy is not your major concern but rather useability you might want to specify one or more Exit nodes to be used for all your traffic. This will ensure for example that you can specify the country where you seem to be coming from. To do that, just add to torrc config file something like:
ExitNodes 85D4088148B1A6954C9BFFFCA010E85E0AA88FF0
Enable the Firewall
First install the firewall frontend and enable the firewall:
sudo apt install nftables -y sudo systemctl enable nftables.service
Enable the following firewall rules, starting with a config file in your home directory
nano ~/nftables.conf
and paste in
#!/usr/sbin/nft -f
flush ruleset
define wireguard_port = 40042
table ip filter {
chain INPUT {
type filter hook input priority 0; policy drop;
iif lo accept
ct state related,established accept
ct state invalid drop
ip saddr {192.168.178.0/24, 192.168.200.0/24} tcp dport ssh ct state new accept
ip saddr {192.168.178.0/24, 192.168.200.0/24} icmp type echo-request accept
udp dport $wireguard_port accept # might not be needed
iifname {"wlan0", "wg0"} udp dport domain accept
iifname {"wlan0", "wg0"} tcp dport domain accept
iifname {"wlan0", "wg0"} udp dport {ntp, bootps} accept
iifname {"wlan0", "wg0"} tcp dport 9040 accept
}
chain FORWARD {
type filter hook forward priority 0; policy drop;
ct state related,established accept
ct state invalid drop
iifname "wlan0" ip daddr 192.168.178.0/24 accept
}
chain OUTPUT {
type filter hook output priority 0; policy drop;
oif lo accept
ct state related,established accept
ct state invalid drop
skuid "debian-tor" accept
udp dport ntp accept
ip daddr 127.0.0.1 accept
ip daddr {192.168.178.0/24, 192.168.200.0/24, 255.255.255.255} accept
}
}
table ip nat {
chain PREROUTING {
type nat hook prerouting priority -100; policy accept;
iifname "wlan0" udp dport domain redirect to :53
iifname "wlan0" tcp dport domain redirect to :53
iifname "wlan0" udp dport ntp redirect to :123
iifname "wlan0" ip daddr {192.168.178.0/24, 192.168.200.0/24} accept
iifname "wlan0" tcp flags & (fin|syn|rst|ack) == syn redirect to :9040
iifname "wg0" udp dport domain redirect to :53
iifname "wg0" tcp flags & (fin|syn|rst|ack) == syn redirect to :9040
}
chain INPUT {
type nat hook input priority 100; policy accept;
}
chain POSTROUTING {
type nat hook postrouting priority 100; policy accept;
oifname "eth0" ip saddr 192.168.200.0/24 masquerade
}
chain OUTPUT {
type nat hook output priority -100; policy accept;
skuid "debian-tor" accept
ip daddr {192.168.178.0/24, 192.168.200.0/24} accept
tcp flags & (fin|syn|rst|ack) == syn redirect to :9040
}
}
table ip6 filter {
chain INPUT {
type filter hook input priority 0; policy drop;
iif lo counter accept
}
chain FORWARD {
type filter hook forward priority 0; policy drop;
}
chain OUTPUT {
type filter hook output priority 0; policy drop;
oif lo counter accept
counter reject
}
}
and activate these firewall rules with
sudo nft -f nftables.conf
In case something goes horribly wrong (e.g. you lock ssh sessions) you can hard reboot the server and will start without the firewall rules.
To list the active rules applied by nft currently just check with:
sudo nft list ruleset
Note that nft uses its own matching of service names to port numbers – to see the list simply type in:
nft describe tcp dport
Once you’re happy with them working make them permanent with copying them to the standard place (enabled on reboot):
mv ./nftables.conf /etc/nftables.conf
Note on Firefox configuration
If you’re using firefox as browser you also need to change its config as by standard firefox is blocking access to services residing on tor (onion services). To do so, type
about:config
in the field at the top (where you would type in e.g. a web-address usually) then search for „onion“ at the top and change the value for network.dns.blockDotOnion to „false“ by a double-click on it. Btw, Chrome and Edge aren’t blocking tor by default and they will work right away with the standard configuration. Test access to onion-services by browsing to e.g. „https://protonmailrmez3lotccipshtkleegetolb73fuirgj7r4o4vfu7ozyd.onion“.
If you don’t use WebRTC services then it’s recommended to disable media.peerconnection.enabled in about:config. Otherwise your local IP address will be visible to everyone on the internet (also while connected via Tor).
Just to minimize unnecessary DNS traffic and if you don’t use IPv6, then change in about:config the value for network.dns.disableIPv6 to false.
It might be good to also minimize the tracking via fingerprinting. One example is to enable privacy.resistfingerprinting by setting to true. Also one should disable plugin.expose_full_path and dom.battery.enabled by setting them both to false.
Optional but highly recommended is to install the „Privacy Pass“ Firefox add-on; it helps to avoid many of the annoying challenges one has to complete when using Tor. Additionally, and also optional it might be wise to install the „uBlock Origin“ add-on as well to avoid advertisements, malware, etc. which would otherwise cause additional traffic and would increases tracking capabilities.
Additional recommended add-ons for Firefox are: „Cloud Firewall“, „HTTPS Everywhere“, „Privacy Badger“, „LocalCDN“ and „ClearURLs“.
Some Improvements and Hardening
IP Forwarding WLAN ↔ LAN
If no connection between WLAN and LAN is required one should remove IPv4 forwarding – this can be done in two ways (one is sufficient, two are safer):
sudo nano /etc/sysctl.conf
net.ipv4.ip_forward=0
sudo sysctl -p
or remove the rule for the forwarding filter rule of ferm.
Add the official Tor Repository
We add the official repository on the Tor network of the tor-project for Debian (as outlined at www.torproject.org/docs/debian.html.en):
sudo nano /etc/apt/sources.list.d/torproject.org.list
and put in the following:
# Tor onion-site replacement for: # deb http://deb.torproject.org/torproject.org stretch main deb http://sdscoq7snqtznauu.onion/torproject.org stretch main
However, Debian is not supporting anonymous and safe software repos by standard, so we need to enable it first – create a new apt config file:
sudo nano /etc/apt/apt.conf.d/80onion-repos
and put in just one line:
Acquire::BlockDotOnion "false";
Now finally update and upgrade the system with:
sudo apt update sudo apt upgrade -y
Automatic updates for Tor
It’s also recommended to get the tor software upgraded automatically. Assuming that the package ‚unattended-upgrades‘ is installed already, we simply need to add the updates from the torproject to the config:
sudo nano /etc/apt/apt.conf.d/50unattended-upgrades
and add the line with the TorProject repository:
"origin=Debian,codename=${distro_codename},label=Debian-Security";
"origin=TorProject,codename=${distro_codename}";
};
Sidenote: information about the ‚origin‘ and other parameters can be found in the files /var/lib/apt/lists/*_InRelease.
Block many sites (adservers)
If you want to have a much more extensive ad-blocking done by dnsmasq one could just download the latest quite complete adserver list from pgl.yoyo.org/adservers/ (formated to be used with dnsmasq as plain text file) and save it as e.g. dnsmasq.adservers.conf in the folder /etc/dnsmasq.d/.
This can be even automated with a little script like the following – it must be run with root priviliges (e.g. with sudo) as it needs to install the new adblocking file in /etc:
#!/bin/bash
if [[ $EUID -ne 0 ]]; then
echo "This script must be run as root (use sudo)"
exit 1
fi
curl -o adservers 'https://pgl.yoyo.org/adservers/serverlist.php?hostformat=dnsmasq&mimetype=plaintext'
# Do some work on the file:
# Now remove MS-DOS carriage returns, replace 127.0.0.1 with 0.0.0.0 (much faster),
# clean up trailing blanks,
# Pass all this through sort with the unique flag to remove duplicates and save the result
sed -e 's/\r//' -e 's/127\.0\.0\.1/0\.0\.0\.0/' -e 's/[ \t]*$//' < adservers | sort -u > /etc/dnsmasq.d/dnsmasq.new-adservers.conf
rm adservers
# Seems like the dnsmasq configtest doesn't work (always returns success)
if ! /usr/sbin/dnsmasq --test; then
printf '%s\n' 'dnsmasq configtest failed!' >&2
rm /etc/dnsmasq.d/dnsmasq.new-adservers.conf
exit 1
fi
mv --force /etc/dnsmasq.d/dnsmasq.new-adservers.conf /etc/dnsmasq.d/dnsmasq.adservers.conf
/bin/systemctl reload dnsmasq.service
Save this file in the /root folder (home folder for root) and add it as a cron-job for root:
sudo crontab -e
adding at the end something similar to:
15 04 * * * /root/adservers.sh > /root/adservers.log 2>&1
to run it each night at 4:15. The only thing which doesn’t seem to work is to check the dnsmasq config to be valid (the check always returns a successful check).
Keep in mind though that is only blocking DNS lookups, not IP addresses. Any direct connection to an IP address is not blocked with the above (that requires a blocking within the netfilter part; ipset is the command to look for to achieve something on the IP level).
Remote Access (VPN) via WireGuard
First install the software:
sudo apt install wireguard
then:
sudo mkdir /etc/wireguard cd /etc/wireguard
Configure the server
First create the keys:
umask 077 wg genkey > private.key wg pubkey < private.key > public.key
Add a new interface for WireGuard and assign an IP address to it:
sudo ip link add dev wg0 type wireguard sudo ip address add dev wg0 10.80.0.1/24
Configure the new interface:
sudo nano /etc/wireguard/wg0.conf
and add something along the lines of:
[Interface] Address = 10.80.0.1/24 ListenPort = 40042 PrivateKey = xxxxx [Peer] # Smartphone PublicKey = <PEER_PUBLIC_KEY> AllowedIPs = 10.80.0.20/32 [Peer] # Laptop PublicKey = <PEER_PUBLIC_KEY> AllowedIPs = 10.80.0.24/32
and finally enable it:
sudo ip link set up dev wg0
To check the status you can use the following commands:
sudo ip addr show dev wg0 sudo wg showconf wg0 sudo networkctl status wg0
To permanently enable the wireguard server (e.g. on reboot) run the following command on the shell:
sudo systemctl enable wg-quick@wg0 sudo systemctl start wg-quick@wg0 sudo systemctl status wg-quick@wg0
Configure the client (e.g. smartphone)
Probably the easiest way to configure your wireguard app on the smartphone is to use a QR code – just generate it on the server command line with:
qrencode -t ansiutf8 < /etc/wireguard/client/client.conf
which shots a QR code that can be scanned from within the Wireguard app and configuring it fully right away
To manually install the WireGuard VPN (e.g. on a laptop without the QR code scanning option) create a config file on that device:
nano /etc/wireguard/wg0.conf
with something along the lines of
[Interface] PrivateKey = <LOCAL-PRIVATE-KEY> Address = 10.80.0.24/32 DNS = 10.80.0.1 [Peer] PublicKey = <SERVER-PUBLIC-KEY> Endpoint = <HOST-NAME>:40042 AllowedIPs = 0.0.0.0/0, ::/0
To start and stop the VPN use:
sudo wg-quick down wg0 sudo wg-quick up wg0
If there are issues also don’t forget to check that traffic forwarding is allowed by linux and the firewall and that the wireguard traffic is allowed by the firewall (cf. above).
