raspberry-pi-week_banner-1
Make_Matrix

Feel like someone is snooping on you? Browse the web anonymously anywhere you go with the Onion Pi Tor proxy. This is a cool weekend project that uses a Raspberry Pi mini computer, USB wi-fi adapter, and Ethernet cable to create a small, low-power, and portable privacy Pi.

Using it is easy-as-pie. First, plug the Ethernet cable into any internet connection in your home, work, hotel, or conference/event. Next, power up the Pi with the Micro-USB cable connected to your laptop, or with a wall adapter. The Pi will boot up and create a new secure wireless access point. Connecting to that access point will then automatically route any web browsing from your computer through the anonymizing Tor network. Your tracks are swept clean.

What Is Tor?

Tor is an “onion routing” service: Internet traffic is wrapped in layers of encryption and sent through a random circuit of relays before reaching its destination. This makes it much harder for the server you’re accessing (or anyone snooping on your internet use) to figure out who and where you are. It’s an excellent way for people who are blocked from accessing websites to get around those restrictions. Journalists, activists, businesspeople, law enforcement agents, and even military intelligence operatives use Tor to protect their privacy and security online.

Why Use a Proxy?

You may have a guest or friend who wants to use Tor but doesn’t have the ability or time to set it up on their computer. You may not want to, or may not be able to, install Tor on your work laptop or “loaner” computer. You may want to browse anonymously on a netbook, tablet, phone, or other mobile or console device that cannot run Tor and does not have an Ethernet connection. There are lots of reasons you may want to build and use an Onion Pi, not least of which is that it is an interesting way to learn about Raspberry Pi, network interfaces, and the Linux command line.

Warning

Before you start using your proxy, remember that there are a lot of ways to identify you, even if your IP address is “randomized.” So delete and block your browser cache, history, and cookies — some browsers even allow “anonymous sessions.” Do not log into existing accounts with personally identifying information (unless you’re sure that’s what you want to do). Use SSL whenever available to encrypt your communication end-to-end. And visit torproject.org for more info on how to use Tor in a smart, safe way.

This tutorial is a great way to make something fun and useful with your Raspberry Pi, but we can’t guarantee it’s 100% anonymous and secure. Be smart and paranoid about your Tor usage.

Project Steps

Prepare your SD card.

NOTE: This tutorial assumes you’ll be using Raspbian, and may not work exactly as written with other Linux distributions.

When you buy a Raspberry Pi, it may or may not come with an SD card. The SD card is important because this is where Raspberry Pi keeps its operating system and it’s also where you’ll store your documents and programs. Even if your Pi came with an SD card with the operating system already installed, it’s a good idea to update it to the latest version, as improvements and bug fixes are going in all the time.

Experienced users have many options for preparing an SD card. We recommend new users visit raspberrypi.org and follow the instructions in their Quick Start Guide for formatting an SD card and installing the official New Out Of Box Software (NOOBS) package. Briefly, the steps are:

  • Format the card. The Raspberry Pi Foundation recommends using the SD card foundation’s official formatting tool, SD Formatter, which is available for Windows, Mac, and Linux. The settings may vary depending on your OS. Refer to the Quick Start Guide for details.
  • Download NOOBS. You can get the .ZIP archive directly from the Raspberry Pi website, one of several mirror servers, or through BitTorrent.
  • Extract the NOOBS archive to your SD card. The contents of the archive, including the file bootcode.bin and the images and slides folders, should be in the top-level directory.

Boot and configure.

If you want to mount your Pi in a case, now’s a good time.

Insert the SD card you just prepared into the Pi’s drive slot, being careful to note the correct orientation of the contacts. Connect your display and keyboard before plugging in the Micro-USB power cable. The Pi should boot automatically.

Install Raspbian. From the NOOBS boot screen, select Raspbian, press Enter, and confirm that you want to overwrite the disk. When installation is complete, press Enter again to dismiss the notice, and your Pi should reboot automatically.

After a lot of scrolling text, you’ll arrive at the raspi-config options screen. Using the arrow keys to navigate and Enter to select, first update the default password (“raspberry”) for the default user account (“pi”) to a secure phrase known only to you.

TIP: You may notice a short lag between selecting options or entering commands and the system’s response. This is normal. Be patient.

Select Internationalisation Options and set the time zone, language, and keyboard layout options to match your preference. Then select Finish and press Enter.

Connect Ethernet/Wi-Fi.

For most home networks, you should also be able to connect to the internet through the Ethernet connection via your router without any further configuration. After raspi-config exits, you’ll be presented with the Raspbian command prompt:

pi@raspberrypi ~ $_

When you see the prompt, connect your Pi to your router using a standard network cable. As soon as you plug your Pi in, you should see its network LEDs start to flicker.

At the Raspbian command line, type in:

sudo wget http://cdn.makezine.com/make/tor.sh http://cdn.makezine.com/make/pifi.sh

The Linux command sudo allows one user to assume the security privileges of another, commonly the superuser or root. (Think: “

superuser do.”) The next command, wget, will not run correctly unless preceded by sudo.

NOTE: Linux user rights and privileges can get pretty complicated, but as a general rule, you’ll need to sudo any commands that involve making changes to the disk. Read-only commands, like listing directories or displaying (without modifying) the contents of files, can usually be executed without sudo.

The command wget instructs the operating system to retrieve a file from the web, and takes as argument the web address of the file to be retrieved. In this case, we’re grabbing a pair of shell scripts that will automate much of the fiddly typing for configuring your Pi as a wireless access point.

TIP: If you get tired of typing sudo all the time, the command sudo su allows you to become the superuser as long as you want.

When you understand what the command is supposed to do, press Enter to execute it. If your Ethernet connection is working, you’ll shortly be notified that the file has been saved.

If your Ethernet connection is not working, you’ll see an error message (such as failed: Name or service not known). Make sure that your Pi is correctly connected to your router, the network cable is good, and your router is correctly configured for DHCP (Dynamic Host Configuration Protocol).

Don’t plug in your wi-fi adapter yet — you’ll crash the Pi and corrupt the SD card. First, turn off your Pi by entering sudo halt. After shutdown, plug in the wi-fi adapter. Now restart your Pi by cycling the power.

Set up the “PiFi” access point.

Now we’ll set up the Pi to broadcast a wi-fi service and route wireless internet traffic through the Ethernet cable. One of the great things about Linux is that every little detail of a system’s configuration can be easily modified to suit your application by typing in commands or modifying the contents of text files.

The tradeoff is that the details can get pretty complicated, and you have to know what you’re doing to understand exactly what needs to be changed, and how.

To make the process easier, we’ve prepared a script (which you just downloaded with wget) that will automatically make these changes for you (see image). If you just want to get it working, all you have to do is run the script, as explained below.

After your Pi reboots, you’ll be prompted to log in. Enter the default user ID “pi” followed by the password you set from raspi-config.

At the Raspbian command prompt, enter these commands to extract the shell scripts:

sudo unzip onionpi

sudo bash pifi.sh

We just made friends with sudo; now it’s time to meet bash, the Linux command-line interpreter. In fact, you’ve already been introduced: whenever you enter text at the command prompt, you are interacting with bash, which is the program that processes what you’ve typed and figures out what to do with it. bash runs automatically whenever you’re working from the Linux command line, but can also be called as a command, itself, to execute a script file.

In this case, we’re telling bash to read through the script pifi.sh and execute each line of text as if it had been typed in at the command prompt.

Press Enter and you’ll soon see the script splash screen, with the option to start the script or abort. Press Enter again to start.

When prompted, enter the name (SSID) for your new wireless network, and the password required to access it.

NOTE: Both network name and password can be updated later by editing the config file with any text editor.

When the script is complete, your Pi should reboot automatically, after which you should be able to detect your new “PiFi” network from nearby computers, smartphones, and other wi-fi appliances. Log on to the wireless network using the password you just set, open a web browser, and navigate to your favorite web page to verify that everything is working properly.

If you just want to configure your Pi as a wireless access point, you’re done! You shouldn’t even have to log in to Raspbian again; the Pi will now automatically function as a wireless router whenever it’s on.

NOTE: For a slower and more instructive experience, we recommend opening the pifi.sh script (which is just a text file) in another computer and typing in the commands by hand, to get a feel for what each one does and how the system responds. The script file also contains comments that explain each step in more technical detail, for those who are interested.

Install Tor.

To continue setting up your Pi to anonymize your wi-fi traffic with Tor, log in to Linux again and run the second script with:

sudo bash tor.sh

This script is less complicated. Basically, it installs and configures the Tor software, then updates your IP tables to route everything through it. As always, it’s a good idea to read through the commands and comments in the script file before running it. More technical detail is available there.

The Pi will automatically reboot again when the script is done. Your Tor proxy may not work until the reboot is complete.

Browse anonymously.

When your Pi has finished rebooting, log on to your “PiFi” wireless network from a nearby computer, smartphone, or other wi-fi appliance. Then open your favorite internet browser and visit check.torproject.org. If your Onion Pi is working correctly, you should see something like the screen shot shown here.

Going Further

We use Ethernet because it requires no configuration or passwords — just click the cable to get DHCP. But if you want, it’s not too hard to set up a wi-fi-to-wi-fi proxy. You’ll need to use two wi-fi adapters and edit the settings in /etc/networks/interfaces to add the wlan1 interface with SSID and password to match your internet provider. See makezine.com/go/pifi2wifi for more details.

It’s also pretty easy to configure Tor to give you a presence in any country you choose. For example, here’s a torrc configuration file that sets up a Pi at IP address 192.168.0.178 to appear “present” in Great Britain:

Log notice file /var/log/tor/notices.log 

SocksListenAddress 192.168.0.178

ExitNodes {GB} 

StrictNodes 1

You’ll also need to configure your browser

to use a SOCKS5 proxy on 192.168.0.178

(or whatever your Pi’s IP address may be), port 9050.

If you like using Tor, you can help make it faster by joining as a relay, or increase its effectiveness by becoming an exit node. Check out torproject.org for details.

Finally, if you want to support Tor but can’t run your own relay or exit node, please consider donating to the project to help cover development, equipment, and other expenses. Your donation is even tax-deductible if you live in the United States.