First of all, the majority of the credit goes to Magnus Hedemark for his article CREATE A TOR-ONLY VLAN WITH A RASPBERRY PI. I've copied parts of his article into mine, since I did not do all of the steps he did.
Here's the list of things I used:
- Raspberry Pi 2 Model B
- 8GB MicroSD
- Raspbian for the Raspberry Pi 2
- pfSense 2.2.2-RELEASE
- Cisco 8-Port Smart Switch (Supports VLAN Tagging)
- Cisco Meraki MR18 Wireless AP (Supports multiple SSID's with VLAN Tagging)
A few assumptions up front:
- You've already got a Raspbian base image installed on your Pi.
- It’s plugged into an Ethernet switch where untagged traffic transmits on a trusted network, and has a route to the public Internet.
- For the sake of this blog post, we’ll call that vlan10 and assume its native network is
- For me, I had the switch move all untagged traffic to VLAN30 because my VLAN30 was a VPN connection
- There is a second VLAN configured on this switch, we'll call it vlan40, and its native network is 172.16.15.0/24. This is an isolated VLAN with no transit to the Internet.
- If you use anything other than 40, please make sure you substitute all instances of "eth0.40" below with whatever number you use.
- You've created a VLAN in pfSense and assigned it a static IPv4 address.
- Since I'm using the 172.16.15.0/24 network, I assigned the interface a static IP of
- I turned on the DHCP server for this new interface and gave it a range of
- I set the default DNS server and the default gateway to point to the Raspberry Pi.
- My Raspberry Pi is going to be given a static IP of 172.16.15.2, so this is the IP address I used in those fields.
- You've already walked through the initial setup menu when logging into your Raspberry Pi for the first time.
OK let’s get started:
sudo apt-get update to update the index of available packages
sudo apt-get dist-upgrade to upgrade to the latest versions of installed packages
sudo apt-get install tor to install tor.
- This will start the tor daemon automatically, which we're not quite ready for yet.
sudo /etc/init.d/tor stop to stop the tor daemon for now
sudo apt-get install vlan to give us the ability to set up a tagged VLAN interface
sudo modprobe 8021q to enable the kernel module for tagged VLAN support
sudo vconfig add eth0 40 and you should see this:
pi@raspberrypi ~ $ sudo vconfig add eth0 40
Added VLAN with VID == 40 to IF -:eth0:-
echo 8021q | sudo tee -a /etc/modules to persist this change across reboots (note that sudo echo 8021q >> /etc/modules would fail with "Permission denied": the >> redirection is performed by your unprivileged shell, not by sudo)
sudo ifconfig eth0.40 172.16.15.2/24 sets the IP address on the new VLAN interface.
- Let’s make this permanent.
sudo nano /etc/network/interfaces and add this:
auto eth0.40
iface eth0.40 inet static
    address 172.16.15.2
    netmask 255.255.255.0
- Let’s go ahead and adjust tor’s configuration to handle transparent proxying for us. Go ahead and
sudo vi /etc/tor/torrc and add the following lines to the end of the file:
VirtualAddrNetworkIPv4 10.192.0.0/10
AutomapHostsOnResolve 1
TransPort 9040
TransListenAddress 172.16.15.2
DNSPort 53
DNSListenAddress 172.16.15.2
- Go ahead and start tor.
sudo /etc/init.d/tor start (but we're still not done)
- We've got both networks up. We've got tor configured to transparently proxy all TCP traffic and DNS queries. But we don’t have anything funneling TCP traffic into tor yet. Let’s continue.
- Let’s build our Firewall rules. Go ahead and
sudo nano /etc/iptables.up.rules and paste the following lines into it:
*nat
:PREROUTING ACCEPT [9:3009]
:INPUT ACCEPT [1:141]
:OUTPUT ACCEPT [5:372]
:POSTROUTING ACCEPT [5:372]
-A PREROUTING -i eth0.40 -p udp -m udp --dport 53 -j REDIRECT --to-ports 53
-A PREROUTING -i eth0.40 -p tcp -m tcp --tcp-flags FIN,SYN,RST,ACK SYN -j REDIRECT --to-ports 9040
COMMIT
*filter
:INPUT ACCEPT [5:616]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -i eth0.40 -p udp -m udp --sport 67:68 --dport 67:68 -j ACCEPT
-A INPUT -i lo -j ACCEPT
-A INPUT -d 127.0.0.0/8 ! -i lo -j REJECT --reject-with icmp-port-unreachable
-A INPUT -i eth0 -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -i eth0 -p tcp -m state --state NEW -m tcp --dport 22 -j ACCEPT
-A INPUT -i eth0 -p icmp -m icmp --icmp-type 8 -j ACCEPT
-A INPUT -m limit --limit 5/min -j LOG --log-prefix "iptables denied: " --log-level 7
-A INPUT -i eth0 -j REJECT --reject-with icmp-port-unreachable
-A FORWARD -i eth0 -j REJECT --reject-with icmp-port-unreachable
-A OUTPUT -j ACCEPT
COMMIT
- Let’s make the firewall rules persistent.
sudo nano /etc/network/if-pre-up.d/iptables and put this in it:
#!/bin/sh
/sbin/iptables-restore < /etc/iptables.up.rules
- And this new script needs to be executable:
sudo chmod +x /etc/network/if-pre-up.d/iptables
- For good measure, since we grabbed updates earlier in this process, it’s probably not a bad idea to
- Wait until the Raspberry Pi is back up. Try plugging a laptop into a switch port that is untagged on VLAN40. You should get a DHCP lease on the 172.16.15.0/24 network. Go ahead and open a web browser. You should be able to surf.
- Or if you've already configured a Wireless network for VLAN40, you should be able to connect to that instead.
- Try going to a site like http://www.whatismyip.com/ and see what IP you’re coming from.
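The whatismyip test only tells you that the browser's TCP went through tor. The part of this setup that actually decides whether guest traffic reaches tor or leaks is the pairing of the torrc TransPort/DNSPort lines with the two PREROUTING REDIRECT rules, so here is a small POSIX sh checker for that pairing. It is an added example and not part of the original post or of tor; the function names, the sample torrc and rule text, and the --live mode are my own. Run without arguments it checks the embedded sample text offline; run with --live on the Pi it reads /etc/tor/torrc and iptables-save (via sudo), confirms the 8021q module and the interface address, and insists that net.ipv4.ip_forward is 0: the FORWARD chain in the rules above rejects only packets arriving on eth0, so if forwarding were ever switched on, guest traffic that the REDIRECT rules do not catch (most UDP and ICMP) would be routed out eth0 instead of being dropped.

```shell
#!/bin/sh
# Added example (not from the original post): check that the torrc ports and
# listen address agree with the iptables REDIRECT rules; --live audits the Pi.

# First value of a torrc option, read from stdin.  $1 = option name
torrc_value() {
    awk -v key="$1" '$1 == key { print $2; exit }'
}

# --to-ports of the PREROUTING REDIRECT rule for one protocol, read from
# iptables-save text on stdin.  $1 = tcp or udp
redirect_port() {
    awk -v proto="$1" '
        /^-A PREROUTING / && index($0, " -p " proto " ") && /-j REDIRECT/ {
            for (i = 1; i <= NF; i++) if ($i == "--to-ports") { print $(i + 1); exit }
        }'
}

# Compare torrc text ($1) with iptables-save text ($2); $3 is the address of the
# VLAN interface, which is where tor must listen.  Prints each finding and
# returns 0 only when everything agrees, so it can fail a boot or cron check.
check_config() {
    torrc=$1; rules=$2; vlan_ip=$3; rc=0
    trans=$(printf '%s\n' "$torrc" | torrc_value TransPort)
    dns=$(printf '%s\n' "$torrc" | torrc_value DNSPort)
    tlisten=$(printf '%s\n' "$torrc" | torrc_value TransListenAddress)
    dlisten=$(printf '%s\n' "$torrc" | torrc_value DNSListenAddress)
    tcp_to=$(printf '%s\n' "$rules" | redirect_port tcp)
    udp_to=$(printf '%s\n' "$rules" | redirect_port udp)

    [ -n "$tcp_to" ] && [ "$trans" = "$tcp_to" ] \
        || { echo "FAIL: TransPort=$trans but TCP REDIRECT --to-ports=${tcp_to:-none}"; rc=1; }
    [ -n "$udp_to" ] && [ "$dns" = "$udp_to" ] \
        || { echo "FAIL: DNSPort=$dns but UDP REDIRECT --to-ports=${udp_to:-none}"; rc=1; }
    [ "$tlisten" = "$vlan_ip" ] && [ "$dlisten" = "$vlan_ip" ] \
        || { echo "FAIL: tor listens on $tlisten/$dlisten but the VLAN interface is $vlan_ip"; rc=1; }
    [ $rc -eq 0 ] && echo "OK: torrc and iptables REDIRECT rules agree"
    return $rc
}

# Live audit on the Pi itself.  $1 = VLAN interface name (default eth0.40).
audit_live() {
    vlan_if=${1:-eth0.40}; rc=0
    check_config "$(cat /etc/tor/torrc)" "$(sudo iptables-save -t nat)" \
        "$(ip -4 -o addr show dev "$vlan_if" | awk '{ sub(/\/.*/, "", $4); print $4 }')" || rc=1
    grep -q '^8021q ' /proc/modules || { echo "FAIL: 8021q module not loaded"; rc=1; }
    # With forwarding on, the FORWARD chain (which only rejects -i eth0) would
    # route un-redirected guest traffic out eth0 instead of dropping it.
    [ "$(cat /proc/sys/net/ipv4/ip_forward)" = "0" ] \
        || { echo "FAIL: net.ipv4.ip_forward is on; guest traffic could bypass tor"; rc=1; }
    return $rc
}

# Constructed sample input mirroring the post's configuration, for offline use.
SAMPLE_TORRC='TransPort 9040
TransListenAddress 172.16.15.2
DNSPort 53
DNSListenAddress 172.16.15.2'
SAMPLE_RULES='-A PREROUTING -i eth0.40 -p udp -m udp --dport 53 -j REDIRECT --to-ports 53
-A PREROUTING -i eth0.40 -p tcp -m tcp --tcp-flags FIN,SYN,RST,ACK SYN -j REDIRECT --to-ports 9040'
# Constructed mistake: TCP redirected to 9050 (tor's default SocksPort), where
# nothing is listening in this setup, so guest TCP would simply fail.
BROKEN_RULES='-A PREROUTING -i eth0.40 -p udp -m udp --dport 53 -j REDIRECT --to-ports 53
-A PREROUTING -i eth0.40 -p tcp -m tcp --tcp-flags FIN,SYN,RST,ACK SYN -j REDIRECT --to-ports 9050'

if [ "${1:-}" = "--live" ]; then
    audit_live "${2:-eth0.40}"
else
    check_config "$SAMPLE_TORRC" "$SAMPLE_RULES" 172.16.15.2
    check_config "$SAMPLE_TORRC" "$BROKEN_RULES" 172.16.15.2 || true
fi
```

Because check_config returns non-zero on any mismatch, you can call it from the same if-pre-up.d script that restores the rules and refuse to bring eth0.40 up when torrc and the rules have drifted apart.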
Remember, this isn't perfect anonymity. Your browser cookies, your browsing habits, the plugins you use, etc. can easily give away your identity (This is one reason I'm using Tor over my PIA VPN connection). The main point of this is to give a clever option for providing guest WiFi services with a lower risk to the service host. This also gives the guests a better shot at reclaiming their privacy and anonymity.
Most ICMP traffic is going to get dropped on the floor with this system, as well as almost all UDP traffic. DNS queries will get captured and redirected through tor. A hidden bonus of this arrangement is that guests can browse .onion hidden services without installing anything on their end. Tor is really a TCP-only network, so forget about running BitTorrent here, or playing your favorite games (which more often than not depend on UDP).
You should now have a privacy-enhanced VLAN configured, with transit to the Internet handled transparently through Tor. My Tor connection has added security because it's connecting to the Tor network over my VPN connection.
I also went one step further and created rules on the VLAN interface to only allow traffic to the gateway. This will keep my guests from reaching my main internal network, as well as keep them from reaching other guests. All I may need to do now is tighten up the security of my Raspberry Pi as they will have access to reach that device. I also imaged the MicroSD card to a file on my PC so that I can easily restore it later if needed. I used the guide located here for that part.
This setup is not 100% secure (or is it?), so if you have any further ideas on making this better, please let me know in the comments below and I'll be glad to add them into this post.