Change Your Raspberry Pi Into A TOR Router

With TOR you can make your internet traffic a bit more anonymous. Thanks to TOR your internet traffic can no longer be traced back to you. However, this doesn't mean that you can do whatever you want. Logging in to most services on the internet, either knowingly or unknowingly, can still reveal your identity.
This page is not a tutorial on how to stay anonymous on the internet. It is more a description of how to set up a TOR router, using your Raspberry Pi as the router hardware.

With such a router you create a separate network on which you can surf the internet through the TOR network, without bothering about setting up the software on your client computer(s). Simply hook up your computer to the TOR enabled network of your TOR router and no one will know what your real IP address is.

Isn't the TOR network more for criminals? No, it has been set up for people like you and me who are concerned about their privacy. Unfortunately this also includes criminals. Remember that the entire internet is full of criminals, and that doesn't stop you from using it either, does it?
I mainly use my TOR network to connect virus infected guest computers to the internet, without having to fear that the viruses might spread to my own network. My ISP might even disconnect me from the internet completely if it finds virus or botnet traffic coming from my network. This is definitely something I can do without when I'm helping people with their Windoze problems.
I'm running my TOR router 24/7 on my Pi SB-Bus driver so I can use it whenever I want to. When I don't actually use the TOR network this doesn't put a noticeable extra load on the machine. Only when I'm downloading a lot (virus definitions and security updates for my patient computers, for instance) will the CPU load of the router go up to about 60 to 70%.

Is a TOR router a good substitute for the Tor Browser or Tails? Certainly not! Both the TOR Browser and the Tails package offer much more privacy protection than a TOR router alone could. Remember that your normal browser leaks a lot of privacy information through saved sessions and cookies.
So, if you are really concerned about getting really good privacy, go for the TOR Browser package or use Tails instead.

With the setup I describe on this page you do not share any of your network resources with the TOR network. You could decide to become a relay node to contribute to the TOR network, but remember that this will cost you some of your bandwidth (at least 30kB/s). And your Raspberry Pi will suffer a higher processor load, depending on your shared speed setting.
You can even become a TOR exit node, if you really want to help expand the TOR network. Personally I don't like to do that. You may get into trouble with your ISP or the law when someone does something illegal over your connection.

What Do We Need?

Not much really. All you need is a Raspberry Pi (B or B+) and a second network device. In fact you don't really need a Raspberry Pi as such, just about any Linux computer would do, whether it's a virtual machine or a real machine. But since these pages are about the Raspberry Pi, we're going to use one.
That leaves us with the second network device. A Raspberry Pi B or B+ already has one cabled ethernet adapter built in, so all you'll need is a second network device. That can be a USB wireless adapter, a USB cabled ethernet adapter, or a VLAN adapter.

Using a wireless adapter allows you to connect just about any wireless device to your TOR enabled network. The only thing you want to make sure of is that the wireless adapter is supported by the Raspberry Pi. Most of them are, especially if you buy them from a Raspberry Pi web shop.

Personally I prefer wired connections whenever possible. There are plenty of USB wired ethernet adapters to choose from. I don't know if they'll all work, but I would be surprised if you were able to buy one which is not supported. I've tried two which I had lying around here. One identified itself as ADMtek, Inc. AN986 Pegasus Ethernet, and the other was a D-Link Corp. DUB-E100 Fast Ethernet. Both the adapters I've got are quite old and are just slightly smaller than the Raspberry Pi itself (LOL).
It's quite easy to see if it is working. Type the command ifconfig and you should see both eth0 (built in ethernet adapter) and eth1, the USB adapter.

For the third method you'll need a VLAN capable switch, one which supports the IEEE 802.1q protocol. I have described this here. If you should go for this option, you'll have to set up a VLAN on the Raspberry Pi and the network switch first, before you can proceed with this description.

In any case, you'll need a working version of Raspbian, whether it's a full release or a stripped down version. Make sure the software is completely up to date by executing the commands sudo apt-get update and sudo apt-get -y upgrade first.

Installing The Required Software

This is easy. Just enter this command in the terminal and you're good to go:

sudo apt-get install tor isc-dhcp-server

Don't worry if the DHCP server fails to start after it has been installed. This is normal as we haven't told it what to do yet.

Setting Up The Second Network Card

Wired Ethernet Adapter

This one is easy. Simply plug the USB cable into the Raspberry Pi and you should be able to see the eth0 and eth1 adapters in the list you'll get when you run the ifconfig command.

Setting Up An IEEE 802.1q VLAN Interface

Again, relatively easy. However it also requires you to make some alterations in your network switch. You can read all about that on my VLAN page.

Setting Up A Wireless Access Point

This paragraph has been copied from other websites and I have not been able to verify its operation because I don't have any suitable USB Wifi adapters. I own a few Wifi adapters, sadly all based on the RTL8188CUS or RTL8187 chip sets. Although they work perfectly in Wifi client mode, they fail miserably in the Access Point mode with the description given here. It appears that this chip set doesn't play nice with the nl80211 driver, used by hostapd. You could use an original Realtek driver, but you'll have to compile it yourself and follow their description to get hostapd to work. As I don't intend to use my TOR Router over Wifi anyway I didn't bother going through all this trouble.
Hopefully the Raspbian distribution will support this chip set too in the near future.

So if you have another Wifi adapter which works on the Raspberry Pi, you can follow the description below and find out whether it works for you or not. In case you get an error message like the one below when you try to start hostapd, you'll know that you should get yourself another type of Wifi adapter, or take the long way home.

Configuration file: /etc/hostapd/hostapd.conf
nl80211: 'nl80211' generic netlink not found
Failed to initialize driver 'nl80211'

You can easily see whether your Wifi adapter is supported by the Raspberry Pi by typing the iwconfig command. A wlan0 adapter should be mentioned among the output.
The lsusb command should tell you what chip set is used by the adapter.

So if you'd like to give it a go, start by installing hostapd by executing the sudo apt-get install hostapd command. If you're using my stripped down version of Raspbian you may also have to reinstall some packages related to Wifi which I have removed. This can be done by executing the following commands:

sudo apt-get install wpasupplicant firmware-atheros firmware-brcm80211
sudo apt-get install firmware-libertas firmware-ralink firmware-realtek

Once that is done it is only a matter of making some configuration changes.

Now execute the sudo nano /etc/hostapd/hostapd.conf command. This creates a new file, which we're going to fill with the following information:

interface=wlan0
driver=nl80211
ssid=Tor
hw_mode=g
channel=3
macaddr_acl=0
auth_algs=1
ignore_broadcast_ssid=0
wpa=2
wpa_passphrase=secretpassword
wpa_key_mgmt=WPA-PSK
wpa_pairwise=TKIP
rsn_pairwise=CCMP

Some of the settings above need to be tweaked. You can change the SSID (network name), the channel (which is best set to a free channel in your neighbourhood) and the wpa_passphrase (which is your secret key to connect to this network).

Then enter the command sudo nano /etc/default/hostapd, find the line containing #DAEMON_CONF="" and change that to DAEMON_CONF="/etc/hostapd/hostapd.conf".

Finally execute the command sudo update-rc.d hostapd enable so the hostapd daemon will automatically start when the Raspberry Pi boots up.

You can execute the command sudo hostapd to see whether hostapd works. If you get an error message you'll know that you'll have to get yourself another Wifi adapter.

Setting Up The Network Interfaces

Now we should have two network interfaces. You may have already set up the wireless network, or the VLAN network, but let's revise everything one more time to set it all up correctly.

I'll assume that eth0 will be the network which is connected to your normal network. That will leave wlan0, eth1 or eth0.xx to be your TOR network connection. It's this TOR network connection to which your privacy sensitive computers will connect. They will get a totally different IP address than your normal public IP address. Better yet, this public IP address will change just about every 10 minutes.
For clarity let's call your normal network the "private network", while the TOR side of the network is called "TOR network".

As we are going to be the DHCP server on the TOR network, it is absolutely necessary to set a fixed IP address on that network. Your private network can be either dynamic or static. Dynamic means that it will get the network settings from your private network's DHCP server, probably your main internet router.
It is also important to note that both networks cannot have the same network address! This means that the network parts must differ. The network part is the part where the netmask contains all ones.

Setting The IP Addresses

In this example I'll leave the private network dynamic, while I set the TOR network to the static IP address of 192.168.10.1/24 on eth1. Of course you can use a different configuration if you like.

Execute the command sudo nano /etc/network/interfaces and replace the current contents of the file with the information below for this configuration.

# interfaces(5) file used by ifup(8) and ifdown(8)
auto lo
allow-hotplug eth0
auto eth1
iface lo inet loopback

iface eth0 inet dhcp

iface eth1 inet static
address 192.168.10.1
netmask 255.255.255.0

up iptables-restore < /etc/iptables.ipv4.nat

Setting Up The DHCP Server

We are going to run a DHCP server for the TOR network. So let's set this up now. Execute the command sudo nano /etc/default/isc-dhcp-server, find the line INTERFACESv4="" and enter the name of your TOR network interface between the quotes, which is eth1 in our example.

Execute the command sudo nano /etc/dhcp/dhcpd.conf. Find the lines which start with option domain-name and option domain-name-servers and place a # symbol in front of them. Now find the line containing #authoritative; and remove the # symbol in front of that line. Then find the block which starts with # A slightly different configuration and remove all the # symbols from that block, except from its first line. Finally change that block so it looks like this:

# A slightly different configuration for an internal subnet.
subnet 192.168.10.0 netmask 255.255.255.0 {
range 192.168.10.100 192.168.10.199;
option domain-name-servers 84.200.69.80, 84.200.70.40;
option domain-name "local";
option routers 192.168.10.1;
option broadcast-address 192.168.10.255;
default-lease-time 600;
max-lease-time 7200;
}

The range determines the so called DHCP scope, which is the set of addresses which can be supplied to clients. Addresses outside of this scope which still fall within the network segment can be used as static addresses. With this setting a total of 100 clients can automatically connect to your TOR network simultaneously. That will be more than enough I think.

Previously I used the Google DNS servers 8.8.8.8 and 8.8.4.4, which probably is not such a good choice if you intend to be anonymous on the internet. Recently I got to know dns.watch, a no-nonsense DNS service which claims not to log anything. Surely a much better choice in this case.
You may even want dns.watch to be your preferred DNS server on your normal network too.

Now configure the system to start the DHCP server upon the next boot by executing the command sudo update-rc.d isc-dhcp-server enable.

Setting Up The TOR Daemon

We need to make some changes to the TOR configuration file. Execute the command sudo nano /etc/tor/torrc and add the next lines at the end of the file:

Log notice file /var/log/tor/notices.log
VirtualAddrNetwork 172.16.0.0/12
AutomapHostsSuffixes .onion,.exit
AutomapHostsOnResolve 1
TransPort 192.168.10.1:9040
DNSPort 192.168.10.1:53

# endpoint selection
#StrictNodes 1
#ExitNodes {us},{uk}

Please note that you may want to replace the example IP address 192.168.10.1 with your own.

The TOR daemon needs a log file somewhere. Let's put it where most log files are located. Execute the next commands to set up the TOR log file named notices.log.

sudo touch /var/log/tor/notices.log
sudo chown debian-tor /var/log/tor/notices.log
sudo chmod 644 /var/log/tor/notices.log

Now prepare the system to start the TOR daemon on the next boot by executing the command sudo update-rc.d tor enable.

Preferred Countries (Bonus)

Normally you'll get redirected to a new exit node every 10 minutes. When you don't set any restrictions these exit nodes are picked randomly from all over the world. There may be times when you want to use a preferred country from which to connect to the internet. For instance your bank might not like it when you login from a different country every 10 minutes. Or the service you're after is not being supported from Asia for example.

Add the following lines to the /etc/tor/torrc file to select your exit countries. Yes, you can pick more than one. The more the better really, you don't want to put up too many restrictions. The TOR network works best when there are plenty of exit nodes to choose from.

StrictNodes 1
ExitNodes {us},{uk}

You can pick from any of the ISO country codes for the exit node list. Multiple entries are separated from each other by commas.

Setting Up The Routing

Enable Network Forwarding

A router will forward network traffic from one network to another. Before it will do that, we'll need to change a setting. Execute the command sudo nano /etc/sysctl.conf and find the line containing #net.ipv4.ip_forward=1 and remove the # symbol at the beginning of the line.

Now We Need Some Iptables Magic

Don't worry if you don't understand what is happening here. Basically we are going to set up NAT forwarding here and we are going to make sure that we can access the Raspberry Pi's ssh and DHCP servers from your TOR network side. All other TCP connections are redirected to port 9040, which is in fact the TOR daemon. The last line saves the firewall settings to a file, so they can be reloaded on the next reboot of your Raspberry Pi.

sudo iptables -t nat -A PREROUTING -i eth1 -p tcp --dport 22 -j REDIRECT --to-ports 22
sudo iptables -t nat -A PREROUTING -i eth1 -p udp --dport 53 -j REDIRECT --to-ports 53
sudo iptables -t nat -A PREROUTING -i eth1 -p tcp --syn -j REDIRECT --to-ports 9040
sudo sh -c "iptables-save > /etc/iptables.ipv4.nat"

If you are not interested in accessing the Raspberry Pi's ssh server from your TOR network side you can simply omit the first line above. The second line however is mandatory for the DNS requests from your TOR network. This will allow you to resolve .onion and .exit names using normal browsers.
You can allow access to other services running on your Raspberry Pi from your TOR network by adding more lines to the rules like the first two. In that case use the right protocol (TCP or UDP) and replace the 22 (ssh port number) with the port number of the service you want to add.
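As an added illustration, not part of the original page, the Python below reads a constructed iptables-save dump of the three rules above (the form iptables-save writes to /etc/iptables.ipv4.nat, with --syn stored as --tcp-flags) and evaluates traffic arriving on the TOR side against them using iptables' first-match semantics. It shows why the ssh and DNS lines must come before the catch-all, and that only new TCP connections and UDP port 53 are redirected into TOR; other UDP traffic (NTP on port 123, for instance) is left alone by these rules.

```python
import shlex
from dataclasses import dataclass
from typing import List, Optional

# Constructed sample: what `iptables-save` writes to /etc/iptables.ipv4.nat
# for the three PREROUTING rules on this page (--syn is stored as --tcp-flags).
SAVED_RULES = """\
*nat
:PREROUTING ACCEPT [0:0]
:INPUT ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
-A PREROUTING -i eth1 -p tcp -m tcp --dport 22 -j REDIRECT --to-ports 22
-A PREROUTING -i eth1 -p udp -m udp --dport 53 -j REDIRECT --to-ports 53
-A PREROUTING -i eth1 -p tcp -m tcp --tcp-flags FIN,SYN,RST,ACK SYN -j REDIRECT --to-ports 9040
COMMIT
"""

@dataclass
class Rule:
    iface: str
    proto: str
    dport: Optional[int]   # None means the rule matches any destination port
    to_port: int           # local port the packet is REDIRECTed to

def parse_prerouting(dump: str) -> List[Rule]:
    """Return the nat PREROUTING REDIRECT rules in the order iptables walks them."""
    rules = []
    for line in dump.splitlines():
        tok = shlex.split(line)
        opts = dict(zip(tok, tok[1:]))   # flag -> following value, e.g. {"-i": "eth1", ...}
        if tok[:2] != ["-A", "PREROUTING"] or opts.get("-j") != "REDIRECT":
            continue
        dport = int(opts["--dport"]) if "--dport" in opts else None
        rules.append(Rule(opts["-i"], opts["-p"], dport, int(opts["--to-ports"])))
    return rules

def redirect_target(rules: List[Rule], iface: str, proto: str, dport: int) -> Optional[int]:
    """First matching rule wins, as in iptables (the nat table only sees the first packet
    of a connection, which is what --syn restricts the catch-all to). None means not redirected."""
    for r in rules:
        if r.iface == iface and r.proto == proto and r.dport in (None, dport):
            return r.to_port
    return None

if __name__ == "__main__":
    rules = parse_prerouting(SAVED_RULES)
    for proto, port in [("tcp", 22), ("tcp", 443), ("udp", 53), ("udp", 123)]:
        print(f"{proto}/{port} from eth1 -> {redirect_target(rules, 'eth1', proto, port)}")
```

Feeding the parser the real /etc/iptables.ipv4.nat file instead of the constructed sample gives a quick offline check that the saved rule order is still the one this page relies on.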

Wrap Up

Now all that is left to be done is to start all the services. Let's do that by rebooting the Raspberry Pi. That way we can be sure that everything will start automatically next time too.
And if everything is OK you can now connect another computer, tablet or phone to the TOR network and you'll be able to access the internet from a randomly picked anonymous IP address. This can easily be checked by browsing to https://check.torproject.org.