Subscribe to Make Magazine Today!

IMG_20150126_144738

Surf the Internet securely with your very own portable WiFi VPN/TOR router. You can configure a Raspberry Pi with Linux and some extra software to connect to a VPN server of your choice. The VPN connection encrypts your internet traffic so that hackers and spies can’t figure out what web sites you are visiting, and the web sites you are visiting can’t tell which computer you are surfing from.

The router is small and portable, so you can plug it in anywhere, adding secure internet browsing to any occasion, from your room to the café. You can even connect WiFi devices that don’t support VPN, like your Chromecast or Pebl.

The project consists of a Raspberry Pi, two USB WiFi dongles, an SD card, and a power plug.

If you don’t have Ethernet available, your router can connect to a WiFi network in addition to creating its own, acting as a bridge between your personal WiFi access point and an insecure WiFi. The range of this router is just enough to fill a single room.

Once built, any WiFi device has a passive VPN connection. If the VPN connection disconnects, so does your connection to the internet, guaranteeing that unencrypted data is not leaked.

If you are so inclined, we can set it up your router to support TOR, so that you can dive deep into the internet within the internet.

Using open-source software, we can handle WiFi connections from your devices, connect to another WiFi access point, and encrypt your internet through a VPN anywhere you are.

When your friends come over, they will also be on a secure Internet connection, even if they don’t know how to set one up themselves. Additionally, you can access Hulu, Netflix, HBO, or your favorite team’s game while traveling overseas. If you want to take it further, you can add domain-based ad blocking using bind to stop web advertisements dead in their tracks.

Enjoy setting up your very own portable WiFi VPN/TOR router!

  • Difficulty: Intermediate
  • Cost: $60-80
  • Time: 1-4 hours

All images courtesy of NetNinja

Related

Steps

Step #1: Flash SD Card

PrevNext
Browse Anonymously with a DIY Raspberry Pi VPN/TOR RouterBrowse Anonymously with a DIY Raspberry Pi VPN/TOR RouterBrowse Anonymously with a DIY Raspberry Pi VPN/TOR Router
  • Plug your SD card (and card reader) into your computer.
  • We will be using Raspbian Linux for this project. It is a small, Debian-compatible Linux distribution for Raspberry Pi. Go to raspberrypi.org/downloads and download the Raspbian ZIP. When the download is complete, unzip it to reveal an img file. You need to copy this disk image onto the SD card.
  • The Raspberry Pi website has excellent tutorials for how to install a disk image. Essentially, you can use Terminal on Mac or Linux with a command like this: $ sudo dd if=/path/to/raspbian-image.img of=/dev/name-of-sd-card-disk On Windows, you can use a program called Win32DiskImager that lets you drag-and drop the Raspbian image file to the destination disk.
  • When the disk is finished copying, you are ready to assemble. Snap your Raspberry Pi into the case and plug in the WiFi adapters and the SD card. Plug the Pi into a monitor, keyboard, and power adapter, and start it up.

Step #2: Boot Up the Raspberry Pi

PrevNext
Browse Anonymously with a DIY Raspberry Pi VPN/TOR RouterBrowse Anonymously with a DIY Raspberry Pi VPN/TOR RouterBrowse Anonymously with a DIY Raspberry Pi VPN/TOR Router
  • When you boot the Pi for the first time, it will guide you through a setup process called raspi-config. This lets you change your user password, overclock your Pi, and set up the desktop environment.
  • For this project, you should change your user password, expand the disk, and choose “command line” as your Boot environment. If you live outside of the UK, you should change your internationalization options (keyboard, time zone, and locale) to match.
  • You may want to enable SSH, so you can access your Pi after you disconnect its monitor and keyboard. When you exit, you will be brought to a console, ready to go. Log in with the username “pi” and the password you chose for your Pi.

Step #3: Connect to the Internet

PrevNext
Browse Anonymously with a DIY Raspberry Pi VPN/TOR Router
  • Connecting to Ethernet is simple; simply plug in an Ethernet cable and your Pi will figure out how to connect. Connecting to WiFi is a little more challenging. There are several WiFi network types and encryptions available, and each one is configured slightly differently in Linux.
  • To tell your Pi how to connect to WiFi, you’ll have to edit the /etc/network/interfaces file. $ sudo nano –w /etc/network/interfaces In this file, you can set rules for how to connect to a WPA, WEP, or an open WiFi network.
  • Depending on the encryption of the WiFi access point, you’ll need to configure this file differently. For example, if you are connecting to a WPA WiFi network, your /etc/network/interfaces file will contain something like this: allow-hotplug wlan0 # detect WiFi adapter iface wlan0 inet dhcp # connect WiFi with DHCP wpa-ssid "myhostnetwork" # WPA access point name wpa-psk "myhostpassword" # WPA access point password
  • Manually restart WiFi to connect the Raspberry Pi to the Internet. $ sudo ifdown wlan0 $ sudo ifup wlan0 You can validate that you have a WiFi connection by pinging a website or running the command: $ ifconfig wlan0

Step #4: Create an Access Point

PrevNext
Browse Anonymously with a DIY Raspberry Pi VPN/TOR RouterBrowse Anonymously with a DIY Raspberry Pi VPN/TOR RouterBrowse Anonymously with a DIY Raspberry Pi VPN/TOR Router
  • Before proceeding further, update apt-get. $ sudo apt-get update An access point allows a computer to connect to a network over WiFi. On our Pi we will be using hostapd to create the access point and isc-dhcp-server to give IP addresses to computers that connect to our access point.
  • Install access point: You will need a custom version of hostapd, the access point software that supports the Edimax cards you have. Installing hostapd takes about 10 minutes. $ wget https://github.com/jenssegers/RTL8188-hostapd/archive/v1.1.tar.gz $ tar -zxvf v1.1.tar.gz $ cd RTL8188-hostapd-1.1/hostapd $ make $ sudo make install Tell hostapd the name and password of our access point and the name of the device we are using to host WiFi connections: $ sudo nano –w /etc/hostapd/hostapd.conf Change three lines in /etc/hostapd/hostapd.conf to: interface=wlan1 ssid=mySecureRouter wpa_passphrase=mySecurePassword Finally, start hostapd and add it as a service on boot: $ sudo service hostapd start $ sudo update-rc.d hostapd enable
  • Install DHCP server Install dnsmasq: $ sudo apt-get install dnsmasq We will tell our DHCP server that it controls an IP address range between 192.168.0.10 and 192.168.0.200, with our Pi router having the IP of 192.168.0.1. It will be configured as an “authoritative” server acting on the wlan1 device, meaning that it will force clients to discard expired IP addresses. $ sudo nano –w /etc/dnsmasq.d/dnsmasq.custom.conf Add the following to /etc/dnsmasq.d/dnsmasq.custom.conf: interface=wlan1 dhcp-range=wlan1,192.168.10.10,192.168.10.200,2h dhcp-option=3,192.168.10.1 # our router dhcp-option=6,192.168.10.1 # our DNS Server dhcp-authoritative # force clients to grab a new IP Configure the DHCP server to use wlan1 as the device that manages DHCP requests: $ sudo nano -w /etc/resolv.conf In the file /etc/resolv.conf, add the following this line, pointing DNS to the Google public DNS servers: nameserver 192.168.1.1 nameserver 8.8.8.8 nameserver 8.8.8.4 Now configure the wlan1 device to load at boot with a static IP address of 192.168.0.1.$ sudo –w nano /etc/network/interfaces Add the following lines for wlan1: iface wlan1 inet static address 192.168.0.1 netmask 255.255.255.0 Finally, restart the wlan1 WiFi adapter: $ sudo ifdown wlan1 $ sudo ifup wlan1 Now start the DHCP server and add it as a service at boot: $ sudo service dnsmasq start $ sudo update-rc.d dnsmasq enable You should now be able to see “mySecureRouter” as a WiFi access point from your computer. You can connect to it with WPA2 encryption and the password “mySecurePassword.”

Step #5: Connect to a VPN or TOR

PrevNext
Browse Anonymously with a DIY Raspberry Pi VPN/TOR RouterBrowse Anonymously with a DIY Raspberry Pi VPN/TOR RouterBrowse Anonymously with a DIY Raspberry Pi VPN/TOR RouterBrowse Anonymously with a DIY Raspberry Pi VPN/TOR Router
  • Now we are getting to the meat of this project – the encrypted connection to the internet! VPN and TOR are both encryption technologies that hide your browsing activities from prying eyes. It’s not easy to use TOR and VPN on the same network connection, so you should choose which one you want to use on your Pi.
  • TOR vs VPN: TOR, or The Onion Router, is an encryption technology that encrypts and distributes your internet data across a network of computers on the way back and forth to a website, like in image 1. Tor is very easy to install. To use it, you need to also surf on a special TOR-enabled web browser. TOR is relatively slow because it encrypts and routes your Internet traffic over several random nodes on the network before connecting your computer to a web site. TOR also gives you access to a hidden layer of the internet, called the Dark Web, which is unavailable over VPN.
  • VPNs, or Virtual Private Networks, work passively in the background by creating a single encrypted tunnel between your computer and a website, like in image 2. VPNs can be more secure than TOR if you trust your VPN server. A VPN is harder to configure, but don’t require any other special software to use correctly. To use them you must have an account on the VPN server and several files generated on the VPN server that validate your account. You should trust that your VPN server is not recording you or publishing your private information. If you don’t want to pay for a VPN service or you just want to learn to make your own, you can Roll Your Own OpenVPN Server here.
  • To install TOR, install the TOR software: $ sudo apt-get install tor Start TOR and set it up as a service at boot: $ sudo service tor start $ sudo update-rc.d tor enable Lastly, on the computer you will be browsing on, you will have to install the TOR web browser from torproject.org.
  • Installing VPN: Linux supports OpenVPN easily. Many VPN providers also support the OpenVPN protocol. To connect to a VPN, you will need some information from your VPN provider. This may include a CA certificate, and possibly a username and password. You will also need to know the domain name of the VPN server, the port (typically 1194) and protocol (typically UDP). Install OpenVPN: $ sudo apt-get install openvpn If you were provided a CA certificate by a VPN service, save it as /etc/openvpn/ca.crt. If your VPN service provides you with a username and password, put it in /etc/openvpn/auth.txt. auth.txt will look like this: myVPNUserName myVPNPassword Configure the OpenVPN settings to connect to your VPN server. $ sudo nano –w /etc/openvpn/client.conf Although your VPN configuration will depend on your server’s settings, your /etc/openvpn/client.conf should look something like this: client # client mode dev tun proto udp # this must match the server’s protocol remote vpn-server.example.com 1194 # must match the server resolv-retry infinite # reconnect when disconnected nobind persist-key persist-tun ca ca.crt # this file is given by the server #cert client.crt # uncomment if the VPN server requires a client.crt #key client.key # uncomment if the VPN server requires a client.key ns-cert-type server #comp-lzo # uncomment if the server supports lzo compression #auth-user-pass auth.txt # uncomment if your server requires a username and password script-security 3 # must match the server’s script security setting keepalive 5 30 # keep connection alive verb 3 log-append /var/log/openvpn-client.log OpenVPN will not work without a matching timestamp. Since Raspberry Pis don’t have a real-time clock, you’ll need to use the Network Time Protocol (NTP) service. $ sudo service ntp start $ sudo update-rc.d ntp enable Start the OpenVPN client and set it up as a service at boot: $ sudo service openvpn start $ sudo update-rc.d openvpn enable Once you are connected, you can use traceroute to test out your connection by mapping your Internet connection’s path to makezine.com. The first step should show that you are connecting to your VPN server on 10.0.0.1.

Step #6: Set up Routing

PrevNext
Browse Anonymously with a DIY Raspberry Pi VPN/TOR Router
  • Routing is what connects your computer to the internet. It takes packets of data that your computer sends to the Pi, then forwards it on to a website. When the web site responds, packets of data are sent back to your Pi across the internet. Your Pi figures out which WiFi client the response is intended for, and passes it forward to your computer.
  • If you have VPN or TOR configured, these packets will also pass through an encrypted service within the internet. This is done using software called iptables. We must enable and configure the rules that allow our Pi to know how to route packets of data the right way. Let’s enable routing: $ echo 1 | sudo tee /proc/sys/net/ipv4/ip_forward Tell Linux to remember this change: $ sudo nano /etc/sysctl.conf In this file, uncomment the line: net.ipv4.ip_forward=1
  • Depending on how you are connecting to the Internet on your Pi (VPN, TOR, Ethernet, or WiFi), you will be routing through one of several devices. Choose the device to route through based on the connection method:
  • Tell Linux to masquerade as your computer on the internet: $ sudo iptables –t nat –A POSTROUTING –o -j MASQUERADE Tell it to forward all traffic to the Internet: $ sudo iptables –A FORWARD –i wlan1 –o -j ACCEPT Finally, tell it to forward returning Internet data to the appropriate client: $ sudo iptables –A FORWARD –i -o wlan1 –m state --state RELATED,ESTABLISHED –j ACCEPT Save these settings for the next reboot:$ sudo sh –c “iptables-save > /etc/iptables.restore” $ echo “up iptables-restore < /etc/iptables.restore” | sudo tee --append /etc/network/interfaces

Step #7: Connect a WiFi client

PrevNext
Browse Anonymously with a DIY Raspberry Pi VPN/TOR Router
  • Go on your computer and try to connect to your WiFi access point. Access point: mySecureRouter Password: mySecurePassword
  • You’ll be able to see the computer that just connected on your Pi using the arp command: $ sudo arp –i wlan1
  • If you set up TOR on your Pi, you’ll have to also install the TOR browser on your computer.
Tony Gaitatzis

Tony Gaitatzis

Most recently, I’ve been working on NetNinja, a startup that builds high security encrypted VPN/TOR routers. I have been programming since I was in grade school, and have worked on everything from web applications and mobile apps to bio-sensors and wearable tech. When I’m not in my room, smoking hookah and playing guitar or hacking together electronics, I’m out dancing and sniffing out mischief in San Francisco and around the world.


blog comments powered by Disqus

Related Supplies at Maker Shed

Follow

Get every new post delivered to your Inbox.

Join 28,855 other followers