Casey Callendrello Identity Archive

Configuring a TOR-ified wireless network

08 June 2014

This is a guide to configuring a wireless network that transparently directs all traffic over Tor.


It’s important to use Tor whenever reasonable. The more traffic that uses it, the stronger it is against correlation attacks. Likewise, if Tor is primarily used for illicit traffic, then all users of the network lose.

Unrelatedly, I’d like to offer WiFi to those in my neighborhood, but don’t wish to be responsibile for their browsing.

And, lastly, I just set up a Vyatta based router, so I want to play around with it.


When this project is complete, you’ll have a separate VLAN within your network. Hosts connecting to this network will receive a DHCP configuration that sends all their traffic to a Tor node acting as a transparent proxy.

In order to accomplish this, you will either need an access point that supports multiple SSIDs and VLANs (I use a UniFi AP, or two access points. You will also need a router running Vyatta or a derivative (EdgeOS, in my case). Lastly, you’ll need a machine running Tor to act as a gateway. (I used a Raspberry Pi).


My router has two interfaces: eth0 is the NAT’d Internet connection, and br0 is the bridge of all my internal ports. Connected is a UniFi AP that supports multiple SSIDs.

Setting up the VLAN

First, configure the vlan and address space on the router:

ubnt@ubnt:~$ configure
 set interfaces bridge br0 vif 40 address

Likewise, do it on the Tor gateway by editing /etc/network/interfaces

auto eth0.40
iface eth0.40 inet static

Lastly, you need to configure your wireless AP to serve VLAN 40 over a separate SSID. I called mine OpenWireless.

Configuring Tor

If you haven’t done so, install Tor:

apt-get install tor

Next, configure Tor to act as a transparent proxy. Add these lines to torrc:

AutomapHostsOnResolve 1
TransPort 9040
DNSPort 5353

Finally, tell iptables to NAT all traffic on the vlan to the Tor address:

iptables -t nat -A PREROUTING -i eth0.40 -p udp --dport 53 -j REDIRECT --to-ports 5353
iptables -t nat -A PREROUTING -i eth0.40 -p tcp --syn -j REDIRECT --to-ports 9040


Configuring the router

First, make sure that the TOR’d vlan is NOT able to NAT, by restricting NAT to only the non-Tor subnet:

ubnt@ubnt:~$ configure
  set service nat rule 5000 source address

Then, set up a DHCP pool with the Tor gateway as gateway and DNS server

ubnt@ubnt:~$ configure
  edit service dhcp-server shared-network-name Tor-Subnet subnet
  set default-router
  set dns-server
  set start stop

Test it out!

Connect to your TOR’d SSID, and visit Hopefully all is well!