Using a Raspberry Pi and a USB ethernet adapter, you can create a personal router that sends all network traffic from one adapter over the Tor anonymity network. This prevents common browser and operating system deanonymization attacks: even if an entire system is owned, the machine is isolated on a network stub whose only access to the internet is through the Tor network. Users can still be vulnerable to deanonymization if they move a computer to the clear net (i.e. regular internet) and cookies, telemetry or other means of tracking are exposed to the internet, or if they use personally identifiable accounts or information over the Tor network. No amount of technical intervention can stop a user determined to make such mistakes, and preventing them is outside the scope of this project.
This guide was made using a Raspberry Pi Model B v.1. It might work with others, but this is the only model I have available to test with. It assumes that you are using the integrated, onboard ethernet adapter to connect to your LAN, which will provide it an address via DHCP. If you need to set a static IP address you will need to edit onion-router.sh to reflect these settings; information on setting up a static IP can be found TODO HERE.
This also assumes that you are using a USB ethernet adapter for the Tor-only network. You should not use wifi for this connection, as a compromised host that connects via wireless can be used to determine your physical location based on a number of things, including the networks, devices, and traffic available to that interface. Don’t use wifi if you wish to remain anonymous.
Finally, this also assumes that the user wishes to have SSH access from the clear net side of the Raspberry Pi. This is useful for checking for possible DHCP problems and for keeping the system up to date with software and operating system patches. SSH is NOT available from the Tor side, in order to lessen the attack surface exposed to a compromised machine. If you wish to disable SSH access from even the WAN side of the router, edit the script in the IPTables section under "# Enable SSH from WAN side, comment this out if you want to disable" and disable the ssh service with:
sudo systemctl disable ssh.service
FIRST STEP – DOWNLOAD AND INSTALL RASPBIAN BUSTER LITE
Raspbian is a Debian-based operating system specifically made for the Raspberry Pi, and is available from their site here. Download the Raspbian Buster Lite zip file, unzip it, and write the image to an SD card. For Windows you can use Win32DiskImager; on Linux/BSD write the image with dd like this (substitute your SD card's device for /dev/sdb, since dd overwrites whatever device you name):
$ sudo dd if=2019-07-10-raspbian-buster-lite.img of=/dev/sdb bs=1M
2096+0 records in
2096+0 records out
2197815296 bytes (2.2 GB, 2.0 GiB) copied, 363.986 s, 6.0 MB/s
BOOT YOUR RASPBERRY PI, AND CONFIGURE
Install the SD card in the Raspberry Pi and power it on. You will need to have a monitor (VGA or HDMI) and keyboard connected, because SSH is disabled by default. Once the machine has booted you will need to log in; the default credentials are:
Next you need to download the script, make it executable, and run it. This script is available on Bitbucket, or an updated copy is always available at https://idontwatch.tv/static/onion-router.sh. Running it will take a while, mostly for downloading and updating the system. The last time I ran this it took 14.3 minutes on August 14, 2019. To complete this step, run:
pi@raspberrypi:~ $ wget https://idontwatch.tv/static/onion-router.sh
--2019-08-14 20:30:03-- https://idontwatch.tv/static/onion-router.sh
Resolving idontwatch.tv (idontwatch.tv)... 220.127.116.11
Connecting to idontwatch.tv (idontwatch.tv)|18.104.22.168|:443... connected.
HTTP request sent, awaiting response... 200 OK
Length: 10482 (10K) [text/plain]
Saving to: ‘onion-router.sh’
onion-router.sh 100%[===================>] 10.24K --.-KB/s in 0.004s
2019-08-14 20:30:04 (2.62 MB/s) - ‘onion-router.sh’ saved [10482/10482]
pi@raspberrypi:~ $ chmod +x onion-router.sh
pi@raspberrypi:~ $ sudo ./onion-router.sh
[+] Starting installation process
[+] Update and upgrade the operating system
[+] Installing services and tools, this may take a while
[+] Configuring Network
[+] Configuring IPTables
[+] Configuring DNSMasq
[+] Configuring Tor
[+] Setting hostname
[+] Enable SSH Server
[+] Disabling unnecessary services
ALL DONE!
The next step is to change the password of user root, then reboot.
Reboot and login.
pi@raspberrypi:~ $
Change the user pi’s password as mentioned above by running passwd pi as root. It would be wise to completely remove the user and create another with sudo access, but that will be left as an exercise for the reader.
If you make any changes and happen to break anything it is safe to re-run onion-router.sh to reset configuration and service settings. If that doesn't work, start from scratch. Estimated time from start to finish is ~30 minutes, most of it waiting for updates/upgrades.
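As an added example (not taken from onion-router.sh, whose rules are not shown on this page), the following script audits a saved iptables ruleset for the properties this guide relies on: Tor-side traffic is redirected into Tor, nothing is forwarded around it, and SSH is not accepted on the Tor side. The interface name eth1, TransPort 9040, DNSPort 5353 and the REDIRECT-style rules are assumptions; adjust them to match your router.

```bash
#!/usr/bin/env bash
# Added example, not part of onion-router.sh. Assumed (not from the page): the
# Tor-side interface is eth1, Tor's TransPort is 9040 and its DNSPort is 5353.
TOR_IF="${TOR_IF:-eth1}"; TRANS_PORT="${TRANS_PORT:-9040}"; DNS_PORT="${DNS_PORT:-5353}"

# Constructed sample of `iptables-save` output for a router that passes the audit.
sample_ruleset() {
cat <<'EOF'
*nat
:PREROUTING ACCEPT [0:0]
-A PREROUTING -i eth1 -p udp -m udp --dport 53 -j REDIRECT --to-ports 5353
-A PREROUTING -i eth1 -p tcp -m tcp --tcp-flags FIN,SYN,RST,ACK SYN -j REDIRECT --to-ports 9040
COMMIT
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -i eth0 -p tcp -m tcp --dport 22 -j ACCEPT
COMMIT
EOF
}
# count_rules REGEX FILE: print how many lines of FILE match REGEX (0 if none).
count_rules() { grep -Ec -- "$1" "$2" || true; }

# audit_ruleset FILE: print one line per check; exit status = number of failed checks.
audit_ruleset() {
    local f="$1" fails=0
    [ -r "$f" ] || { echo "cannot read $f" >&2; return 99; }
    report() {  # report WANT COUNT DESCRIPTION, where WANT is "some" or "none"
        if { [ "$1" = some ] && [ "$2" -gt 0 ]; } || { [ "$1" = none ] && [ "$2" -eq 0 ]; }
        then echo "[ok]   $3"
        else echo "[FAIL] $3"; fails=$((fails + 1))
        fi
    }
    report some "$(count_rules "^-A PREROUTING -i $TOR_IF -p tcp .*-j REDIRECT --to-ports $TRANS_PORT\$" "$f")" \
        "TCP from $TOR_IF is redirected to TransPort $TRANS_PORT"
    report some "$(count_rules "^-A PREROUTING -i $TOR_IF -p udp .*--dport 53 -j REDIRECT --to-ports $DNS_PORT\$" "$f")" \
        "DNS from $TOR_IF is redirected to DNSPort $DNS_PORT"
    report some "$(count_rules '^:FORWARD DROP' "$f")" "FORWARD policy is DROP"
    report none "$(count_rules "^-A FORWARD .*-[io] $TOR_IF .*-j ACCEPT" "$f")" \
        "no FORWARD rule accepts traffic to or from $TOR_IF"
    # Flag any port-22 ACCEPT that names the Tor-side interface or no input interface at all.
    report none "$(awk -v i="$TOR_IF" '/^-A INPUT .*--dport 22 .*-j ACCEPT/ &&
        ($0 ~ (" -i " i " ") || $0 !~ / -i /) { n++ } END { print n + 0 }' "$f")" \
        "SSH is not accepted on $TOR_IF"
    return "$fails"
}
# On the router: sudo iptables-save > rules.txt, then run this script with rules.txt as its argument.
[ $# -eq 0 ] || audit_ruleset "$1"
```

This is a pattern check on the saved rules, not a packet-path simulation, so rule ordering and any custom chains still need to be read by hand.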