Configuring a TOR-ified wireless network
Jun 8, 2014
This is a guide to configuring a wireless network that transparently directs all traffic over Tor.
It’s important to use Tor whenever reasonable. The more traffic that uses it, the stronger it is against correlation attacks. Likewise, if Tor is primarily used for illicit traffic, then all users of the network lose.
Unrelatedly, I’d like to offer WiFi to those in my neighborhood, but don’t wish to be responsible for their browsing.
And, lastly, I just set up a Vyatta based router, so I want to play around with it.
When this project is complete, you’ll have a separate VLAN within your network. Hosts connecting to this network will receive a DHCP configuration that sends all their traffic to a Tor node acting as a transparent proxy.
In order to accomplish this, you will need either an access point that supports multiple SSIDs and VLANs (I use a UniFi AP), or two access points. You will also need a router running Vyatta or a derivative (EdgeOS, in my case). Lastly, you’ll need a machine running Tor to act as a gateway (I used a Raspberry Pi).
My router has two interfaces:
eth0 is the NAT’d Internet connection, and
br0 is the bridge of all my internal ports. Connected is a UniFi AP that supports multiple SSIDs.
Setting up the VLAN
First, configure the vlan and address space on the router:
    ubnt@ubnt:~$ configure
    set interfaces bridge br0 vif 40 address 10.1.1.1/24
    commit
Likewise, do it on the Tor gateway by editing
    auto eth0.40
    iface eth0.40 inet static
        address 10.1.1.2
        netmask 255.255.255.0
Lastly, you need to configure your wireless AP to serve VLAN 40 over a separate SSID. I called mine
If you haven’t done so, install Tor:
apt-get install tor
Next, configure Tor to act as a transparent proxy. Add these lines to
    VirtualAddrNetwork 10.192.0.0/10
    AutomapHostsOnResolve 1
    TransPort 9040
    TransListenAddress 10.1.1.2
    TransListenAddress 127.0.0.1
    DNSPort 5353
    DNSListenAddress 10.1.1.2
    DNSListenAddress 127.0.0.1
Finally, tell iptables to NAT all traffic on the vlan to the Tor address:
    iptables -t nat -A PREROUTING -i eth0.40 -p udp --dport 53 -j REDIRECT --to-ports 5353
    iptables -t nat -A PREROUTING -i eth0.40 -p tcp --syn -j REDIRECT --to-ports 9040
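A consistency check for the gateway, added here as an example and not part of the original guide: it compares the REDIRECT targets in the nat table against the TransPort and DNSPort values in torrc, since a mismatch means client traffic is redirected to a port where Tor is not listening. The function names and the embedded sample inputs are constructed for illustration.

```shell
# Added example: check that the gateway's nat REDIRECT rules match torrc.
# Both sample texts are constructed from the settings shown on this page.
SAMPLE_TORRC='VirtualAddrNetwork 10.192.0.0/10
AutomapHostsOnResolve 1
TransPort 9040
TransListenAddress 10.1.1.2
DNSPort 5353
DNSListenAddress 10.1.1.2'
# iptables-save prints "--syn" as "--tcp-flags FIN,SYN,RST,ACK SYN".
SAMPLE_RULES='*nat
-A PREROUTING -i eth0.40 -p udp -m udp --dport 53 -j REDIRECT --to-ports 5353
-A PREROUTING -i eth0.40 -p tcp -m tcp --tcp-flags FIN,SYN,RST,ACK SYN -j REDIRECT --to-ports 9040
COMMIT'

# torrc_port OPTION TORRC_TEXT: print OPTION's port ("addr:port" is reduced to port).
torrc_port() {
    printf '%s\n' "$2" | awk -v opt="$1" '$1 == opt { sub(/.*:/, "", $2); print $2; exit }'
}

# redirect_port IFACE PROTO RULES_TEXT [DPORT]: print the --to-ports value of
# the first PREROUTING REDIRECT rule for IFACE/PROTO (and DPORT, if given).
redirect_port() {
    printf '%s\n' "$3" | awk -v ifc="$1" -v proto="$2" -v dport="$4" '
        $1 == "-A" && $2 == "PREROUTING" && /-j REDIRECT/ {
            i_ok = 0; p_ok = 0; d_ok = (dport == ""); port = ""
            for (n = 3; n < NF; n++) {
                if ($n == "-i" && $(n + 1) == ifc) i_ok = 1
                if ($n == "-p" && $(n + 1) == proto) p_ok = 1
                if ($n == "--dport" && $(n + 1) == dport) d_ok = 1
                if ($n == "--to-ports") port = $(n + 1)
            }
            if (i_ok && p_ok && d_ok) { print port; exit }
        }'
}

# audit IFACE TORRC_TEXT RULES_TEXT: print mismatches; return 0 only when the
# DNS and TCP redirects both land on the ports Tor listens on.
audit() {
    rc=0
    dns_want=$(torrc_port DNSPort "$2"); tcp_want=$(torrc_port TransPort "$2")
    dns_have=$(redirect_port "$1" udp "$3" 53)
    tcp_have=$(redirect_port "$1" tcp "$3")
    [ -n "$dns_have" ] && [ "$dns_have" = "$dns_want" ] ||
        { echo "DNS redirect '$dns_have' does not match DNSPort '$dns_want'"; rc=1; }
    [ -n "$tcp_have" ] && [ "$tcp_have" = "$tcp_want" ] ||
        { echo "TCP redirect '$tcp_have' does not match TransPort '$tcp_want'"; rc=1; }
    return $rc
}
audit eth0.40 "$SAMPLE_TORRC" "$SAMPLE_RULES" && echo "redirects match torrc"
```

On the gateway itself, pass the contents of your torrc as the second argument and the output of `iptables-save -t nat` as the third in place of the samples.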
Configuring the router
First, make sure that the TOR’d vlan is NOT able to NAT, by restricting NAT to only the non-Tor subnet:
    ubnt@ubnt:~$ configure
    set service nat rule 5000 source address 192.168.1.0/24
Then, set up a DHCP pool with the Tor gateway as gateway and DNS server:
    ubnt@ubnt:~$ configure
    edit service dhcp-server shared-network-name Tor-Subnet subnet 10.1.1.0/24
    set default-router 10.1.1.2
    set dns-server 10.1.1.2
    set start 10.1.1.100 stop 10.1.1.200
    commit
    save
Test it out!
Connect to your TOR’d SSID, and visit https://check.torproject.org/. Hopefully all is well!