UPDATE July 19, 2019: This does not work with Debian 10 (Buster) Raspbian image. An updated article will be released shortly covering Debian 10. See https://idontwatch.tv/onion-router

Last Updated April 2, 2018
Using a Raspberry Pi and a USB ethernet adapter you can create a personal router that isolates all network traffic from one adapter to be sent over the Tor anonymity network. This prevents common browser and operating system deanonymization attacks, where even if an entire system is owned, the machine is isolated on a network stub with only access to the internet through the Tor network. Users can still vulnerable to deanonymization if they move a computer to clear net (i.e. regular internet) and cookies or other means of tracking are exposed to the internet, or if they use personally identifiable accounts or information over the tor network. No amount of technical intervention can prevent a user determined to make such mistakes and is outside of the scope of this project.

This guide was made using a Raspberry Pi Model B v.1. It might work with others, but this is the only model I have available to test with. It assumes that you are using the integrated, on board ethernet adapter to connect to your LAN which will provide it an address via DHCP. If you need to set a static IP address you will need to edit onion-router.sh to reflect these settings, information on setting up a static IP can be found here. This also assumes that you are using a USB ethernet adapter for the Tor-only network. You should not use wifi for this connection, as a compromised host that connects via wireless can be used to determine your physical location based on a number of things including the networks, devices, and traffic available to that interface. Don’t use wifi if you wish to remain anonymous. Finally, this also assumes that the user wishes to have SSH access from the clear net side of the Raspberry Pi. This is useful to check for any possible DHCP problems and keeping the system up to date with software and operating system patches. It is NOT available from the Tor side in order to lessen the potential attack surface of a compromised machine. If you wish to disable SSH access from even the WAN side of the router, edit the script in the IPTables section under "# Enable SSH from WAN side, comment this out if you want to disable" and disable the ssh service via sudo systemctl disable ssh.service

Raspbian is a Debian based operating system specifically made for the Raspberry Pi, and is available from their site here. Grab the image and the sha256sum.

Verify that you have downloaded the entire fire and it hasn’t been tampered with by using sha256sum like this:

$ sha256sum -c 2017-09-07-raspbian-stretch-lite.zip.sha256 
2017-09-07-raspbian-stretch-lite.zip: OK  

Alternatively you can use sha256sum 2017-09-07-raspbian-stretch-lite.zip and match the signature on the Raspbian download page. Historical versions can be downloaded here but the concept should be the same with newer versions. If the sha256sum does not match, do not continue. You either have an incomplete download or the download has been tampered with. Download again until the sha256sum matches, otherwise continuing from here will be a waste of time.

Now you need to unzip the download and write it to an SD card. To unzip on windows, just double click and drag the img file out of the folder, on linux use unzip.

To write this file to the SD card in Windows use Win32DiskImager, with Linux/BSD or OSX use dd like this:

$ sudo dd if=2017-09-07-raspbian-stretch-lite.img of=/dev/sdb bs=1M
1768+1 records in  
1768+1 records out
1854590976 bytes (1.9 GB, 1.7 GiB) copied, 197.858 s, 9.4 MB/s  

Install the SD card in the Raspberry Pi and power it on. You will need to have a monitor (RGA or HDMI) and keyboard connected as by default SSH is disabled. Once you boot the machine you will need to login, the default credentials are:
User: pi
Password: raspberry

The script needs to be run as root so run sudo su - and you will see that your prompt has changed from $ to #

Next you need to download the script, make it executable, and run it. This script is available on bitbucket or an updated copy is always available at https://idontwatch.tv/static/onion-router.sh. Running it will take a while, mostly the downloading and updating of the system. The last time I ran this it took 14.3 minutes on November 30th 2017. To complete this step, run:

pi@raspberrypi:~ $ sudo su -  
root@raspberrypi:~# wget https://idontwatch.tv/static/onion-router.sh  
root@raspberrypi:~# chmod +x onion-router.sh  
root@raspberrypi:~# ./onion-router.sh  
[+] Starting installation process
[+] Updating the system... this can take a while
[+] Installing services and tools
[+] Enabling hardware random number generator
[+] Configuring network interfaces
[+] Configuring DNSMasq
[+] Configuring Tor
[+] Configuring IPTables
[+] Enabling services
Almost done, now you need to change the password for the user pi.  
To do that run passwd pi  
Then reboot and you're done.  

Change the user pi’s password as mentioned above, run passwd pi as root. It would be wise to completely remove the user and create another with sudo access, but that will be left as an exercise for the reader.

If you make any changes and happen to break anything it is safe to re-run onion-router.sh to reset it back to proper functioning order.

This has been tested and is working with the March 14th 2018 Raspbian Lite release.