Introduction: Wifi AP With TOR Guest Network

Having gotten fed up with commercial wireless router/ap offerings, I decided to see what I could accomplish with little more than an old shuttle computer and a couple of wifi adapters. I also really believe in the https://openwireless.org/ and wanted to help but didn't want to open my network to potential DCMA or other legal noticies. Managed to create a wireless AP that is fast, secure, and allows my neighbors to be able to get online in a pinch without letting any of their traffic directly touch my network or come from my IP.

Required:

Sources:

Step 1: Install Debian

Download and install Debian onto whatever box you are wanting to use as the host for these wireless cards. The setup is rather easy and shouldn't require anything special. Note that the instructions are different for Rasbian or other single board computers.

Suggestions:

  • Go with Debian's stable branch for a business installation or testing for a residential installation. The testing branch has slightly newer versions of software packages but this can sometimes require troubleshooting during an upgrade.
  • Do not enter a password for the root user, this will cause sudo to be installed and the user created during setup to be granted sudo permissions. This will also disable root which will make your AP a lot harder to brute force since someone would have to guess the username and the password.
  • Use 2 partitions during your installation, one for / that uses all but 2GB and another for swap that uses the rest.
  • On your / partition, disable atime in the mount options for a faster read speed
  • During the software selection screen, only select SSH Server, laptop (for power savings), and standard system utilities
  • After the installation, install vim to make editing files faster

Step 2: Change Aptitude's Sources.list

I recommend changing /etc/apt/sources.list so that you will always stay with the stable/testing/unstable branch that you have chosen. At the time of writing this, wheezy is stable, jessie is testing, and sid is (as always) unstable. If you do this, you will need to also remove the lines that contain the release name-backports as they do not have stable/testing/unstable repositories.

You will also need to enable contrib and non-free for most wireless adapter's drivers. This is as easy as adding them after main on each of the sources lines.

  1. sudo su -
    1. Changes to the root user which makes initial setup of the box easier
  2. vim /etc/apt/sources.list
  3. :%s/wheezy/stable/ or :%s/jessie/testing/
    1. Uses sed built into vim to replace all instances of the release name with the generic release name. Note the colon and choose the one that's pertinent to your release.
    2. :%s/replace this/with this/
  4. :%s/main/main contrib non-free/
    1. Add in the contrib and non-free repos
  5. :wq
    1. Save and quit
  6. apt-get update
    1. Refresh the package lists from the repos

Step 3: Install and Configure SystemD

SysVinit is being deprecated and SystemD is coming in to replace it. I have found that it speeds up my boot dramatically.

  1. sudo su -
    1. If you're not still root, change to root
  2. apt-get update
    1. This forces aptitude to go grab a listing of all new packages from the repository and ensures you get the latest software
  3. apt-get install systemd
    1. Installs systemd package
  4. vim /etc/default/grub
    1. Edit the line
      • GRUB_CMDLINE_LINUX_DEFAULT="quiet"

      • to

      • GRUB_CMDLINE_LINUX_DEFAULT="quiet init=/bin/systemd"

  5. update-grub

Step 4: Install Wireless Card Drivers

The cards I chose were based on the Ralink chipset and were quite easy to install. For other chipsets you will need to look up what package you need (hint: most of them are firmware-chipset).

  1. sudo apt-get install firmware-ralink

Your first card plugged in should get wlan0 and your second card should get wlan1. If your cards are different and it matters which is which, connect your primary card first and your TOR guest card second so that primary gets wlan0 and the TOR guest gets wlan1.

Step 5: Configure Network Interfaces

You will need to configure the network interfaces so that wlan0 is in a direct bridge with the onboard ethernet card and wlan1 is assigned a static IP address.

  1. sudo su -
  2. # apt-get install bridge-utils
  3. Download interfaces and place it in /etc/network/interfaces
  4. Edit br0 to match your local network settings
  5. Edit wlan1 so that it is not on your main network
  6. # iptables-save > /etc/iptables.ipv4.nat
  7. # ifdown eth0
    1. Take down the old interface
  8. # ifup br0
    1. Bring up the bridge
  9. # ifup wlan1
    1. Bring up wlan1

Note: I had to rename the interfaces file to net.int due to Instructables giving a 403 error when the file was named interfaces. Be sure to rename net.int to interfaces when downloading the file.

Step 6: Configure HostAPD

You will need to configure HostAPD with two wireless networks, one for your private network and one for the TOR network.

  1. apt-get install hostapd haveged
  2. Download secure.conf and place it in /etc/hostapd/secure.conf
  3. Edit secure.conf to have your correct SSID and network key
  4. Download tor.conf and place it in /etc/hostapd/tor.conf
  5. vim /etc/default/hostapd
    1. Change DAEMON_CONF="" to DAEMON_CONF="/etc/hostapd/secure.conf /etc/hostapd/tor.conf"
  6. service hostapd stop
  7. service hostapd start
    1. Restart doesn't work for this daemon when multiple configs are specified

Step 7: Install & Configure TOR

TOR will encrypt and bounce guest traffic around it's network before allowing it to exit at some random exit node on the Internet.

  1. sudo su -
  2. # apt-get install tor
  3. # service tor stop
    1. Stop the TOR service so that we can modify the config file
  4. # mv /etc/tor/torrc /etc/tor/torrc.bak
    1. Make a backup of the config file
  5. Download torrc and place in /etc/tor/torrc
  6. Change the IP in /etc/tor/torrc to match wlan1
  7. # touch /var/log/tor/notices.log

  8. # chown debian-tor /var/log/tor/notices.log

  9. # chmod 644 /var/log/tor/notices.log

  10. # service tor start

Note: I had to rename the torrc file to tor.rc due to Instructables giving a 403 error when the file was named torrc. Be sure to rename tor.rc to torrc when downloading the file.

Step 8: Configure DHCP Server, NAT, and Routing for TOR

Now, we need to tell the OS how to get all the traffic from the TOR SSID to the TOR network.

  1. sudo su -
  2. # apt-get install isc-dhcp-server
  3. Download dhcpd.conf and place in /etc/dhcp/dhcpd.conf
  4. Edit dhcpd.conf to hand out the correct pool of addresses for the TOR/wlan1 network
  5. Change INTERFACES="" to INTERFACES="wlan1" in /etc/default/isc-dhcp-server
  6. Uncomment net.ipv4.ip_forward=1 in /etc/sysctl.conf
  7. # echo 1 > /proc/sys/net/ipv4/ip_forward
  8. # iptables -t nat -A PREROUTING -i wlan1 -p udp --dport 53 -j REDIRECT --to-ports 53
  9. # iptables -t nat -A PREROUTING -i wlan1 -p tcp --syn -j REDIRECT --to-ports 9040
  10. # iptables-save > /etc/iptables.ipv4.nat

Comments

author
unixlinuxiosguy made it!(author)2016-07-09

i have gotten the same thing '403 forbidden' or access restricted. i believe that this is because our machines have already been compromised in some way . the way myself and a few friends are trying to get around this is by having friends try to download the same things , and so far there has been luck.i hope my comment does not fall on deaf ears, and i fully support the open network as do the providers as long as they get to watch everything...i am not mentioning any names, comcast or xfinity for example. watch livescifi and you will see how much trouble tim has with his comcast network.nobody realizes how much their networks are compromised until all of a sudden 5,000 dollars is missing form their accounts. Thank you and all the others that support the open network policy and produce great tutorials.!!!

author
Acab69 made it!(author)2014-07-26

Hey man! It is an excellent tutorial but you will think your able to upload again (or copy them elsewhere) configuration files again? Intefaces and torrc files do not work, it redirects me this error "403 Forbidden Request forbidden by administrative rules. "

I appreciate you upload again so we can do the full tutorial!

author
natrinicle made it!(author)2014-07-26

Thanks for catching that for me! I tried uploading the files again with the same names and they were still giving 403 errors. I renamed the files and reuploaded them and they worked fine. I can only assume that Instructables has hidden reserved names for files to protect against server attacks?

author
Acab69 made it!(author)2014-07-27

You say this is true, before ending in "*. null". Thanks for uploading again!

Now we can finish the tutorial ;)

About This Instructable

7,505views

54favorites

License:

More by natrinicle:A/C MisterWifi AP with TOR Guest NetworkWindow Aquaponics Garden
Add instructable to: