This is a guide to configuring a wireless network that transparently directs all traffic over Tor.
Motivation
It’s important to use Tor whenever reasonable. The more traffic that uses it, the stronger it is against correlation attacks. Likewise, if Tor is primarily used for illicit traffic, then all users of the network lose.
Unrelatedly, I'd like to offer WiFi to those in my neighborhood, but don't wish to be responsible for their browsing.
And, lastly, I just set up a Vyatta based router, so I want to play around with it.
Overview
When this project is complete, you'll have a separate VLAN within your network. Hosts connecting to this network will receive a DHCP configuration whose default gateway and DNS server are a Tor node acting as a transparent proxy, so every TCP connection and DNS lookup they make is carried over Tor.
In order to accomplish this, you will need either an access point that supports multiple SSIDs and VLANs (I use a UniFi AP) or two access points. You will also need a router running Vyatta or a derivative (EdgeOS, in my case). Lastly, you'll need a machine running Tor to act as the gateway (I used a Raspberry Pi).
Configuration
My router has two interfaces: eth0 is the NAT'd Internet connection, and br0 is the bridge of all my internal ports. Connected to it is a UniFi AP that supports multiple SSIDs.
Setting up the VLAN
First, configure the VLAN and its address space on the router (this creates the tagged sub-interface br0.40, with the router at 10.1.1.1):
ubnt@ubnt:~$ configure
set interfaces bridge br0 vif 40 address 10.1.1.1/24
commit
Do the same on the Tor gateway by adding a tagged interface to /etc/network/interfaces (on Debian-based systems, install the vlan package so the 8021q module is loaded and eth0.40 is created when the interface comes up):
auto eth0.40
iface eth0.40 inet static
address 10.1.1.2
netmask 255.255.255.0
Lastly, you need to configure your wireless AP to serve VLAN 40 over a separate SSID. I called mine OpenWireless.
Configuring Tor
If you haven’t done so, install Tor:
apt-get install tor
Next, configure Tor to act as a transparent proxy. Add these lines to /etc/tor/torrc (newer Tor releases have dropped the TransListenAddress and DNSListenAddress options; on those, give the address on the TransPort and DNSPort lines themselves, in address:port form):
VirtualAddrNetwork 10.192.0.0/10
AutomapHostsOnResolve 1
TransPort 9040
TransListenAddress 10.1.1.2
TransListenAddress 127.0.0.1
DNSPort 5353
DNSListenAddress 10.1.1.2
DNSListenAddress 127.0.0.1
Finally, tell iptables to redirect traffic arriving on the VLAN into Tor: DNS queries go to the DNSPort, and new TCP connections (the SYN packets; conntrack takes care of the rest of each connection) go to the TransPort. Note that only DNS and TCP are redirected, because Tor carries nothing else; any other UDP or ICMP the guests send is not torified and must be dropped on the gateway rather than forwarded. These rules are also not persistent across a reboot unless you save them.
iptables -t nat -A PREROUTING -i eth0.40 -p udp --dport 53 -j REDIRECT --to-ports 5353
iptables -t nat -A PREROUTING -i eth0.40 -p tcp --syn -j REDIRECT --to-ports 9040
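The two REDIRECT rules above are the whole of what the post configures on the gateway, which leaves the Pi itself reachable from the guest SSID and, if ip_forward happens to be on, lets non-redirected traffic be routed around Tor. The following script is an added example (not the post's own code) that emits a complete iptables-restore ruleset for the gateway: the post's two redirects, plus filter rules that let VLAN hosts reach only the two Tor ports and never get forwarded. It assumes the post's values (interface eth0.40, TransPort 9040, DNSPort 5353) and that the Pi's own Internet access is on its untagged interface; the ip6tables part additionally assumes the router offers no IPv6 on the VLAN, since nothing here tunnels IPv6 through Tor.

```shell
#!/bin/sh
# Added example, not code from the original post. Prints (or, with
# "apply", loads as root) the firewall for the Tor gateway.
# Assumed values, matching the post: VLAN interface eth0.40,
# TransPort 9040, DNSPort 5353. Override via the environment.
VLAN_IF="${VLAN_IF:-eth0.40}"
TRANS_PORT="${TRANS_PORT:-9040}"
DNS_PORT="${DNS_PORT:-5353}"

# IPv4 ruleset in iptables-restore format. Lines starting with '#'
# are ignored by iptables-restore, so the comments can stay in.
tor_gw_rules() {
    cat <<EOF
# nat: the two REDIRECTs from the post. Only DNS and new TCP
# connections are steered into Tor, because Tor carries nothing else.
*nat
:PREROUTING ACCEPT [0:0]
:INPUT ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
-A PREROUTING -i $VLAN_IF -p udp --dport 53 -j REDIRECT --to-ports $DNS_PORT
-A PREROUTING -i $VLAN_IF -p tcp --syn -j REDIRECT --to-ports $TRANS_PORT
COMMIT
# filter: whatever nat did not redirect must be dropped here.
# INPUT: by the time INPUT sees a redirected packet its destination
# port is already the Tor port, so only those two ports are allowed
# in from the VLAN; sshd and anything else on the Pi stay unreachable
# from the guest SSID.
# FORWARD: the Pi never routes guest traffic, so stray UDP, ICMP and
# un-redirected TCP cannot escape to the LAN or the Internet even if
# ip_forward is enabled.
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -i $VLAN_IF -p tcp --dport $TRANS_PORT -j ACCEPT
-A INPUT -i $VLAN_IF -p udp --dport $DNS_PORT -j ACCEPT
-A INPUT -i $VLAN_IF -j DROP
-A FORWARD -i $VLAN_IF -j DROP
COMMIT
EOF
}

# IPv6 ruleset: nothing in this setup carries IPv6 over Tor, so the
# gateway accepts and forwards nothing over v6 from the VLAN. (The
# router must also not hand out IPv6 on the VLAN, or clients will
# simply bypass the Pi.)
tor_gw_ipv6_rules() {
    cat <<EOF
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -i $VLAN_IF -j DROP
-A FORWARD -i $VLAN_IF -j DROP
COMMIT
EOF
}

case "${1:-}" in
    apply)
        # Replaces the nat and filter tables wholesale.
        tor_gw_rules | iptables-restore
        tor_gw_ipv6_rules | ip6tables-restore
        ;;
    *)
        tor_gw_rules
        ;;
esac
```

Run it without arguments to review the generated rules, then as root with `apply` to load them; since iptables-restore replaces the nat and filter tables, merge these lines into any existing ruleset you have first. To survive a reboot, save the output with your distribution's persistence mechanism or call the script from a boot hook.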
Configuring the router
First, make sure that the Tor'd VLAN is NOT able to NAT straight out through the router, by restricting the masquerade rule to the non-Tor subnet (rule 5000 is the existing masquerade rule on my router; use whichever number `show service nat` lists on yours):
ubnt@ubnt:~$ configure
set service nat rule 5000 source address 192.168.1.0/24
This only stops a guest who sets 10.1.1.1 as their gateway by hand from reaching the Internet around Tor; the router will still happily route such traffic into 192.168.1.0/24. So also attach a firewall ruleset to br0 vif 40 in the in direction that drops anything destined for your internal subnet, and don't offer IPv6 on the VLAN, since nothing in this setup tunnels IPv6 through Tor.
Then, set up a DHCP pool that hands out the Tor gateway as both default router and DNS server:
ubnt@ubnt:~$ configure
edit service dhcp-server shared-network-name Tor-Subnet subnet 10.1.1.0/24
set default-router 10.1.1.2
set dns-server 10.1.1.2
set start 10.1.1.100 stop 10.1.1.200
commit
save
Test it out!
Connect to your Tor'd SSID and visit https://check.torproject.org/. If it reports that you are using Tor, all is well. For a scripted check, https://check.torproject.org/api/ip returns a small JSON document whose IsTor field should be true. Bear in mind that this only proves the browser's connection went through Tor; to be sure nothing else leaks, confirm from the Pi that the guest subnet can reach neither the Pi's other services nor your internal LAN.