Wifi AP With TOR Guest Network

Having gotten fed up with commercial wireless router/ap offerings, I decided to see what I could accomplish with little more than an old shuttle computer and a couple of wifi adapters. I also really believe in the https://openwireless.org/ and wanted to help but didn't want to open my network to potential DCMA or other legal noticies. Managed to create a wireless AP that is fast, secure, and allows my neighbors to be able to get online in a pinch without letting any of their traffic directly touch my network or come from my IP.

Required:

• A computer - This could be a single board computer like a Raspberry Pi or an old castoff that you have lying around. You really don't need a lot of power
• Two wireless cards that support AP mode - I chose http://smile.amazon.com/gp/product/B009940KTY/ref=...
• A Debian installation - For the Raspberry Pi you can use Rasbian, for a normal computer you can grab a network install disc from https://www.debian.org/CD/netinst/
• Another device on the network that's handling DHCP and routing to the Internet - I use http://www.untangle.com/untangle-ng-firewall on another spare PC and it works wonders
• Familiarity with Linux and the command line
• Patience

Sources:

• https://openwireless.org/
• https://learn.adafruit.com/setting-up-a-raspberry-...
• https://learn.adafruit.com/onion-pi/install-tor
• http://forum.doozan.com/read.php?2,6300
• http://w1.fi/gitweb/gitweb.cgi?p=hostap.git;a=blob...
• http://www.cyberciti.biz/faq/debian-ubuntu-linux-s...

Download and install Debian onto whatever box you are wanting to use as the host for these wireless cards. The setup is rather easy and shouldn't require anything special. Note that the instructions are different for Rasbian or other single board computers.

Suggestions:

• Go with Debian's stable branch for a business installation or testing for a residential installation. The testing branch has slightly newer versions of software packages but this can sometimes require troubleshooting during an upgrade.
• Do not enter a password for the root user, this will cause sudo to be installed and the user created during setup to be granted sudo permissions. This will also disable root which will make your AP a lot harder to brute force since someone would have to guess the username and the password.
• Use 2 partitions during your installation, one for / that uses all but 2GB and another for swap that uses the rest.
• On your / partition, disable atime in the mount options for a faster read speed
• During the software selection screen, only select SSH Server, laptop (for power savings), and standard system utilities
• After the installation, install vim to make editing files faster

I recommend changing /etc/apt/sources.list so that you will always stay with the stable/testing/unstable branch that you have chosen. At the time of writing this, wheezy is stable, jessie is testing, and sid is (as always) unstable. If you do this, you will need to also remove the lines that contain the release name-backports as they do not have stable/testing/unstable repositories.

You will also need to enable contrib and non-free for most wireless adapter's drivers. This is as easy as adding them after main on each of the sources lines.

1. sudo su -
   1. Changes to the root user which makes initial setup of the box easier
2. vim /etc/apt/sources.list
3. :%s/wheezy/stable/ or :%s/jessie/testing/
   1. Uses sed built into vim to replace all instances of the release name with the generic release name. Note the colon and choose the one that's pertinent to your release.
   2. :%s/replace this/with this/
4. :%s/main/main contrib non-free/
   1. Add in the contrib and non-free repos
5. :wq
   1. Save and quit
6. apt-get update
   1. Refresh the package lists from the repos

SysVinit is being deprecated and SystemD is coming in to replace it. I have found that it speeds up my boot dramatically.

1. sudo su -
   1. If you're not still root, change to root
2. apt-get update
   1. This forces aptitude to go grab a listing of all new packages from the repository and ensures you get the latest software
3. apt-get install systemd
   1. Installs systemd package
4. vim /etc/default/grub
   1. Edit the line

      • GRUB_CMDLINE_LINUX_DEFAULT="quiet"

      • to

      • GRUB_CMDLINE_LINUX_DEFAULT="quiet init=/bin/systemd"

5. update-grub

The cards I chose were based on the Ralink chipset and were quite easy to install. For other chipsets you will need to look up what package you need (hint: most of them are firmware-chipset).

1. sudo apt-get install firmware-ralink

Your first card plugged in should get wlan0 and your second card should get wlan1. If your cards are different and it matters which is which, connect your primary card first and your TOR guest card second so that primary gets wlan0 and the TOR guest gets wlan1.

You will need to configure the network interfaces so that wlan0 is in a direct bridge with the onboard ethernet card and wlan1 is assigned a static IP address.

1. sudo su -
2. # apt-get install bridge-utils
3. Download interfaces and place it in /etc/network/interfaces
4. Edit br0 to match your local network settings
5. Edit wlan1 so that it is not on your main network
6. # iptables-save > /etc/iptables.ipv4.nat
7. # ifdown eth0
   1. Take down the old interface
8. # ifup br0
   1. Bring up the bridge
9. # ifup wlan1
   1. Bring up wlan1

Note: I had to rename the interfaces file to net.int due to Instructables giving a 403 error when the file was named interfaces. Be sure to rename net.int to interfaces when downloading the file.

You will need to configure HostAPD with two wireless networks, one for your private network and one for the TOR network.

1. apt-get install hostapd haveged
2. Download secure.conf and place it in /etc/hostapd/secure.conf
3. Edit secure.conf to have your correct SSID and network key
4. Download tor.conf and place it in /etc/hostapd/tor.conf
5. vim /etc/default/hostapd
   1. Change DAEMON_CONF="" to DAEMON_CONF="/etc/hostapd/secure.conf /etc/hostapd/tor.conf"
6. service hostapd stop
7. service hostapd start
   1. Restart doesn't work for this daemon when multiple configs are specified

TOR will encrypt and bounce guest traffic around it's network before allowing it to exit at some random exit node on the Internet.

1. sudo su -
2. # apt-get install tor
3. # service tor stop
   1. Stop the TOR service so that we can modify the config file
4. # mv /etc/tor/torrc /etc/tor/torrc.bak
   1. Make a backup of the config file
5. Download torrc and place in /etc/tor/torrc
6. Change the IP in /etc/tor/torrc to match wlan1

7. # touch /var/log/tor/notices.log

8. # chown debian-tor /var/log/tor/notices.log

9. # chmod 644 /var/log/tor/notices.log

10. # service tor start

Note: I had to rename the torrc file to tor.rc due to Instructables giving a 403 error when the file was named torrc. Be sure to rename tor.rc to torrc when downloading the file.

Now, we need to tell the OS how to get all the traffic from the TOR SSID to the TOR network.

1. sudo su -
2. # apt-get install isc-dhcp-server
3. Download dhcpd.conf and place in /etc/dhcp/dhcpd.conf
4. Edit dhcpd.conf to hand out the correct pool of addresses for the TOR/wlan1 network
5. Change INTERFACES="" to INTERFACES="wlan1" in /etc/default/isc-dhcp-server
6. Uncomment net.ipv4.ip_forward=1 in /etc/sysctl.conf
7. # echo 1 > /proc/sys/net/ipv4/ip_forward
8. # iptables -t nat -A PREROUTING -i wlan1 -p udp --dport 53 -j REDIRECT --to-ports 53
9. # iptables -t nat -A PREROUTING -i wlan1 -p tcp --syn -j REDIRECT --to-ports 9040
10. # iptables-save > /etc/iptables.ipv4.nat