This is a guide to configuring a wireless network that transparently directs all traffic over Tor.

Motivation

It’s important to use Tor whenever reasonable. The more traffic that uses it, the stronger it is against correlation attacks. Likewise, if Tor is primarily used for illicit traffic, then all users of the network lose.

Unrelatedly, I’d like to offer WiFi to those in my neighborhood, but don’t wish to be responsible for their browsing.

And, lastly, I just set up a Vyatta based router, so I want to play around with it.

Overview

When this project is complete, you’ll have a separate VLAN within your network. Hosts connecting to this network will receive a DHCP configuration that sends all their traffic to a Tor node acting as a transparent proxy.

In order to accomplish this, you will need either an access point that supports multiple SSIDs and VLANs (I use a UniFi AP), or two access points. You will also need a router running Vyatta or a derivative (EdgeOS, in my case). Lastly, you’ll need a machine running Tor to act as a gateway (I used a Raspberry Pi).

Configuration

My router has two interfaces: eth0 is the NAT’d Internet connection, and br0 is the bridge of all my internal ports. Connected is a UniFi AP that supports multiple SSIDs.

Setting up the VLAN

First, configure the VLAN and its address space on the router:

ubnt@ubnt:~$ configure
 set interfaces bridge br0 vif 40 address 10.1.1.1/24
 commit

Likewise, do it on the Tor gateway by editing /etc/network/interfaces:

auto eth0.40
iface eth0.40 inet static
	address 10.1.1.2
	netmask 255.255.255.0

Lastly, you need to configure your wireless AP to serve VLAN 40 over a separate SSID. I called mine OpenWireless.

Configuring Tor

If you haven’t done so, install Tor:

apt-get install tor

Next, configure Tor to act as a transparent proxy. Add these lines to torrc (on recent Tor releases the separate *ListenAddress options are deprecated; use the combined forms TransPort 10.1.1.2:9040 and DNSPort 10.1.1.2:5353 instead):

VirtualAddrNetwork 10.192.0.0/10
AutomapHostsOnResolve 1
TransPort 9040
TransListenAddress 10.1.1.2
TransListenAddress 127.0.0.1
DNSPort 5353
DNSListenAddress 10.1.1.2
DNSListenAddress 127.0.0.1

Finally, use iptables to redirect all traffic arriving on the VLAN interface to Tor’s DNS and transparent proxy ports. Note that these rules only catch DNS and TCP; other UDP and ICMP are not carried by Tor and will simply fail, as long as the gateway is not forwarding them itself (net.ipv4.ip_forward is 0 by default on Debian):

iptables -t nat -A PREROUTING -i eth0.40 -p udp --dport 53 -j REDIRECT --to-ports 5353
iptables -t nat -A PREROUTING -i eth0.40 -p tcp --syn -j REDIRECT --to-ports 9040
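The following audit script is an added example, not part of the original post: it verifies that both REDIRECT rules are loaded on the VLAN interface and that the kernel is not forwarding the traffic those rules do not catch around Tor. It assumes the post’s values (interface eth0.40, TransPort 9040, DNSPort 5353) and, without --live, runs against a constructed sample of iptables output so it can be tried offline.

```shell
#!/bin/sh
# Audit the Tor gateway: are both REDIRECT rules present on the VLAN interface,
# and is the kernel refusing to forward the traffic they do not catch (other
# UDP, ICMP), which would otherwise leave the box outside Tor?
# Assumed values follow the post above.

VLAN_IF="${VLAN_IF:-eth0.40}"
TRANS_PORT="${TRANS_PORT:-9040}"
DNS_PORT="${DNS_PORT:-5353}"

# has_rule RULES REGEX: succeeds if any line of RULES matches REGEX.
has_rule() {
    printf '%s\n' "$1" | grep -Eq -- "$2"
}

# audit_rules RULES IP_FORWARD: RULES is the text of `iptables -t nat -S PREROUTING`,
# IP_FORWARD the value of /proc/sys/net/ipv4/ip_forward. Prints each finding and
# returns the number of problems found (0 means the gateway looks right).
audit_rules() {
    rules="$1"; fwd="$2"; problems=0
    if ! has_rule "$rules" "-i $VLAN_IF -p udp .*--dport 53 .*-j REDIRECT --to-ports $DNS_PORT\$"; then
        echo "MISSING: DNS redirect on $VLAN_IF to port $DNS_PORT"
        problems=$((problems + 1))
    fi
    # iptables -S prints --syn as "--tcp-flags FIN,SYN,RST,ACK SYN"
    if ! has_rule "$rules" "-i $VLAN_IF -p tcp .*SYN .*-j REDIRECT --to-ports $TRANS_PORT\$"; then
        echo "MISSING: TCP SYN redirect on $VLAN_IF to port $TRANS_PORT"
        problems=$((problems + 1))
    fi
    if [ "$fwd" != "0" ]; then
        echo "LEAK RISK: ip_forward=$fwd; traffic the REDIRECT rules skip would be forwarded off the Tor path"
        problems=$((problems + 1))
    fi
    [ "$problems" -eq 0 ] && echo "OK: $VLAN_IF is redirected to Tor and nothing is forwarded around it"
    return "$problems"
}

# Constructed sample of what `iptables -t nat -S PREROUTING` prints once the two
# rules from the post are loaded (used when run without --live).
SAMPLE_RULES='-P PREROUTING ACCEPT
-A PREROUTING -i eth0.40 -p udp -m udp --dport 53 -j REDIRECT --to-ports 5353
-A PREROUTING -i eth0.40 -p tcp -m tcp --tcp-flags FIN,SYN,RST,ACK SYN -j REDIRECT --to-ports 9040'

if [ "${1:-}" = "--live" ]; then
    # Real check on the gateway itself (needs root for iptables).
    audit_rules "$(iptables -t nat -S PREROUTING)" "$(cat /proc/sys/net/ipv4/ip_forward)"
else
    audit_rules "$SAMPLE_RULES" 0
fi
```

Run it as root with --live on the Raspberry Pi after loading the rules; a non-zero exit status means something is missing or leaking.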

Configuring the router

First, make sure that the Tor’d VLAN is NOT able to NAT directly to the Internet, by restricting the router’s NAT rule to only the non-Tor subnet:

ubnt@ubnt:~$ configure
  set service nat rule 5000 source address 192.168.1.0/24
  commit
  save

Then, set up a DHCP pool for the VLAN that hands out the Tor gateway as both default router and DNS server:

ubnt@ubnt:~$ configure
  edit service dhcp-server shared-network-name Tor-Subnet subnet 10.1.1.0/24
  set default-router 10.1.1.2
  set dns-server 10.1.1.2
  set start 10.1.1.100 stop 10.1.1.200
  commit
  save

Test it out!

Connect to your Tor’d SSID, and visit https://check.torproject.org/. Hopefully all is well!