wiki:doc/TorDreamPlug

Tor and the DreamPlug

This page aims to describe some of the things you can do with Tor on the DreamPlug, such as set up a bridge or a relay. Our goal is that you do not need to read this page - you should simply install the torouter debian meta-package and you'll have a Torouter - this is outlined in #3647; if the ticket isn't closed, we haven't met our goal, so read on!

If you have not installed Debian on the DreamPlug already, you may want to do so now. See doc/DebianDreamPlug for instructions.

Packages that are nice to have

What follows is a list of packages that you can install if you want to. They may not be required for this howto, but they are nice to have.

aptitude install apt-utils rsyslog

Internet interface on eth0

To set up an Internet interface on eth0, make sure /etc/network/interfaces contains the following:

# The primary network interface
allow-hotplug eth0
iface eth0 inet dhcp

A dhcp client running on eth0

TODO: document.

Install and configure OpenSSH

If you haven't done so already, run the following command as root to install OpenSSH. Doing so means you can drop the JTAG board and connect to the device via SSH:

aptitude install openssh-server

There are a couple of things you can do to keep SSH secure; you can use SSH keys for authentication, edit the config to only allow certain users, disable root login and password authentication, only allow specific IP addresses to connect and so on. We'll take a look at these things in the following sections. You could also set up a firewall on the Torouter, such as iptables or ufw (which has been developed to ease iptables firewall configuration).

Create SSH keys

To create SSH keys, run the following command from the host you wish to connect to the Torouter from:

ssh-keygen -t rsa

When asked where you want to save the file, just hit enter for the default option. While it is possible to have an empty passphrase, this is not recommended.

The next step is to transfer the public key to the Torouter:

scp .ssh/id_rsa.pub [IP address of the Torouter]:.ssh/

You may need to create the .ssh directory on the Torouter before running the command above. Once the file has been transferred, do:

cd .ssh
touch authorized_keys2
chmod 600 authorized_keys2
cat id_rsa.pub >> authorized_keys2

If you log out and log back in, you should be asked to enter your passphrase.

Edit /etc/ssh/sshd_config

The next step is to edit /etc/ssh/sshd_config to include the following lines (note: for some lines you just need to change the option in the config, other lines will have to be added):

# Disable root login
PermitRootLogin no

# Allow only Alice and Bob to log in via SSH
AllowUsers alice bob

# Disable password authentication
ChallengeResponseAuthentication no
PasswordAuthentication no
UsePAM no

When you're done editing the config file, restart openssh-server:

/etc/init.d/ssh restart

At this point, only Alice and Bob can log on via SSH, and they have to do so using SSH keys.
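A quick way to confirm that the resulting sshd_config actually says what this section intends, as an added check that is not part of the original wiki page: the script below reads the first uncommented occurrence of each keyword (which is the value sshd uses) and reports every setting that differs from the hardened values above. It assumes a flat config with no Match blocks, and the sample files in the usage are constructed for illustration.

```shell
#!/bin/sh
# Added example, not from the wiki: audit an sshd_config for the settings
# this page asks for. Exit status is the number of problems found (0 = hardened).

# Print the effective value of a keyword. Keywords are case-insensitive and
# the first uncommented occurrence wins, as in sshd_config(5). Match blocks
# are not handled (assumption: the config has none).
sshd_value() {   # sshd_value FILE KEYWORD
    awk -v key="$2" '
        $1 ~ /^#/ || NF < 2 { next }
        tolower($1) == tolower(key) { $1 = ""; sub(/^ +/, ""); print; exit }
    ' "$1"
}

check_sshd_config() {   # check_sshd_config FILE -> 0 if hardened, else number of problems
    f="$1"; problems=0
    # Each of these defaults to "yes" (UsePAM: "yes" on Debian), so an unset
    # keyword is as bad as an explicit "yes" and is reported.
    for want in PermitRootLogin=no PasswordAuthentication=no \
                ChallengeResponseAuthentication=no UsePAM=no; do
        key=${want%%=*}; expect=${want#*=}
        got=$(sshd_value "$f" "$key")
        if [ "$(printf '%s' "$got" | tr 'A-Z' 'a-z')" != "$expect" ]; then
            echo "$key is '${got:-unset}', expected '$expect'"
            problems=$((problems + 1))
        fi
    done
    # Without AllowUsers, any account that has a key in authorized_keys may log in.
    if [ -z "$(sshd_value "$f" AllowUsers)" ]; then
        echo "AllowUsers is unset: every account with a key can log in"
        problems=$((problems + 1))
    fi
    return $problems
}

# Usage: sh check-sshd.sh /etc/ssh/sshd_config   (no argument: only define functions)
[ $# -eq 0 ] || check_sshd_config "$1"
```

Run it against /etc/ssh/sshd_config after editing and again after the restart; it only checks the file, so `sshd -T` (which prints the running daemon's effective settings) is the complementary check once the service is back up.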

Edit /etc/hosts.allow and /etc/hosts.deny

The hosts.allow and hosts.deny files allow you to specify which hosts are allowed to connect without touching your firewall. The first can contain entries of hosts which are allowed to connect, the second contains addresses which are blocked.

Assuming that you wish to allow the remote addresses 10.0.0.x to connect via SSH, but nothing else, you would set up the files as follows. Start by placing the following inside /etc/hosts.allow:

sshd: 10.0.0.0/255.255.255.0

Then disallow all further access by placing the following in /etc/hosts.deny:

sshd: ALL

Once that's done, restart ssh and you're good to go.

Edit /etc/apt/sources.list

To make sure that you're running the latest stable version of Tor, edit /etc/apt/sources.list to use the torproject.org package repository. If you want the stable version, add the following line:

deb http://deb.torproject.org/torproject.org <DISTRIBUTION> main

Remember to put the codename of your distribution, such as squeeze in place of <DISTRIBUTION>.

If you want to use the development branch, add the following two lines:

deb http://deb.torproject.org/torproject.org <DISTRIBUTION> main
deb http://deb.torproject.org/torproject.org experimental-<DISTRIBUTION> main

Remember to put the codename of your distribution, such as squeeze in place of <DISTRIBUTION>.

You may wish to include -backports as well (necessary to install certain packages on Debian Squeeze):

deb http://backports.debian.org/debian-backports squeeze-backports main contrib non-free

Set the correct timezone

To select the correct timezone, run:

dpkg-reconfigure tzdata

Install OpenNTPD

OpenNTPD is an alternative implementation of the NTP software, made by the OpenBSD project. OpenNTPD is available in squeeze-backports:

aptitude -t squeeze-backports install openntpd

Install Tor

Run the following commands to install tor and tor-geoipdb:

gpg --keyserver keys.gnupg.net --recv 886DDD89
gpg --export A3C4F0F979CAA22CDBA8F512EE8CBC9E886DDD89 | sudo apt-key add -
aptitude update
aptitude install tor tor-geoipdb

Configure Tor as a bridge

To configure Tor to run as a bridge, edit /etc/tor/torrc to include the following lines:

# Run Tor as a bridge/relay only, not as a client
SocksPort 0

# What port to advertise for incoming Tor connections
ORPort 443

# Be a bridge
BridgeRelay 1

# Don't allow any Tor traffic to exit
Exitpolicy reject *:*

Ensure regular package updates with apticron

Apticron is a simple script which sends daily emails about pending package updates such as security updates. To install, run:

aptitude install apticron

You'll be prompted to configure apt-listchanges first, and you'll be asked how you want to display package changes. You will also be asked to enter the email address where you wish to receive package update information.

Apticron produces no output if there are no packages to update. If you know you have some pending upgrades, run the following command as root to see if it's working as expected:

/etc/cron.daily/apticron

The apticron configuration files are:

  • /etc/apticron/apticron.conf
  • /etc/apt/listchanges.conf
  • /etc/apt/apt.conf.d/20listchanges

Open Wifi that routes over Tor transparently

This section seeks to enable devices that may be unable to run a native Tor or have questionable proxy support. This takes a page from the doc/TransparentProxy page.

You must have the uaputl binary compiled and ready for use (see Step 12 above). Additionally, we require AP support with the Marvell chipset.

Install a small dhcpd server:

apt-get install udhcpd

Configure it in /etc/udhcpd.conf:

# Sample udhcpd configuration file (/etc/udhcpd.conf)

# The start and end of the IP lease block
start		172.16.23.10
end		172.16.23.254

# The interface that udhcpd will use
interface	uap0

# The maximum number of leases (includes addresses reserved
# by OFFERs, DECLINEs, and ARP conflicts)
max_leases	244

# If remaining is true (default), udhcpd will store the time
# remaining for each lease in the udhcpd leases file. This is
# for embedded systems that cannot keep time between reboots.
# If you set remaining to no, the absolute time that the lease
# expires at will be stored in the dhcpd.leases file.
remaining	no

# Use Tor's DNSPort and route via Tor
opt	dns     172.16.23.1	
option	subnet	255.255.255.0
opt	router	172.16.23.1
option	domain	local
option	lease	864000		# 10 days of seconds

Enable it but disable logging in /etc/default/udhcpd:

# Set to "yes" to enable udhcpd (Debian ships this as "no")
DHCPD_ENABLED="yes"

# Options to pass to busybox' udhcpd.
#
# -S    Log to syslog
# -f    run in foreground

DHCPD_OPTS=""

Start it:

/etc/init.d/udhcpd start

The following /etc/network/interfaces will automatically create the wireless BSS, set the MAC address to something common (to resist SkyHook and similar geolocation services), reload Tor so that it binds to the uap0 interface, and load the proper firewall rules:

# This file describes the network interfaces available on your system
# and how to activate them. For more information, see interfaces(5).

# The loopback network interface
auto lo
iface lo inet loopback

# The primary network interface
auto eth0
iface eth0 inet dhcp

# The magic Tor wireless network someday
auto uap0
iface uap0 inet static
        address 172.16.23.1
        netmask 255.255.255.0
        network 172.16.23.0
        broadcast 172.16.23.255
        pre-up ifconfig uap0 hw ether 00:66:66:66:66:66
        post-up /etc/init.d/tor reload
        post-up /etc/init.d/udhcpd restart
        post-up /root/tor-wireless-firewall.sh
        post-up /root/uaputl/uaputl sys_cfg_ssid "torproject"
        post-up /root/uaputl/uaputl bss_start
        pre-down /root/uaputl/uaputl bss_stop

Here is the tor-wireless-firewall.sh:

#!/bin/sh

# destinations you don't want routed through Tor
NON_TOR="10.0.2.0/24" # currently hard coded for the network on eth0 or eth1

# Tor's TransPort
TRANS_PORT="9040"

# your internal interface
INT_IF="uap0"

iptables -F
iptables -t nat -F

for NET in $NON_TOR; do
  iptables -t nat -A PREROUTING -i $INT_IF -d $NET -j RETURN
done
iptables -t nat -A PREROUTING -i $INT_IF -p udp --dport 53 -j REDIRECT --to-ports 53
iptables -t nat -A PREROUTING -i $INT_IF -p tcp --syn -j REDIRECT --to-ports $TRANS_PORT
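The script above only redirects DNS and new TCP connections into Tor; any other traffic from wifi clients (UDP, ICMP, SSH to the router) is neither redirected nor explicitly blocked, so it relies on IP forwarding staying disabled. The variant below, an added example and not the wiki's own tor-wireless-firewall.sh, keeps the same NAT redirects and adds filter rules so that uap0 clients can reach nothing but udhcpd, Tor's DNSPort and Tor's TransPort on the router, and nothing is forwarded off uap0 unless listed in NON_TOR. Addresses and ports are the ones used on this page; the IPT, GW_IP and DNS_PORT variables and the apply/show subcommands are this example's own additions.

```shell
#!/bin/sh
# Added example, not the wiki's own tor-wireless-firewall.sh: the same NAT
# redirects as the page's script plus filter rules for the open wifi network.
# Addresses and ports are the ones used on this page.

IPT="${IPT:-iptables}"            # IPT=echo prints the rules instead of loading them
INT_IF="${INT_IF:-uap0}"          # the open wifi interface
GW_IP="${GW_IP:-172.16.23.1}"     # the router's address on that interface
TRANS_PORT="${TRANS_PORT:-9040}"  # Tor's TransPort
DNS_PORT="${DNS_PORT:-53}"        # Tor's DNSPort
NON_TOR="${NON_TOR:-10.0.2.0/24}" # destinations you don't want routed through Tor

apply_tor_wifi_rules() {
    # Start clean in the chains this script owns.
    $IPT -t nat -F PREROUTING
    $IPT -F INPUT
    $IPT -F FORWARD

    # Forward nothing by default; the router only forwards for NON_TOR
    # networks, and only if net.ipv4.ip_forward is enabled (the page does not).
    $IPT -P FORWARD DROP
    $IPT -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT

    # Destinations exempt from Tor: skip the redirect and allow forwarding.
    for net in $NON_TOR; do
        $IPT -t nat -A PREROUTING -i "$INT_IF" -d "$net" -j RETURN
        $IPT -A FORWARD -i "$INT_IF" -d "$net" -j ACCEPT
    done
    $IPT -A FORWARD -i "$INT_IF" -j DROP

    # Everything else: DNS to Tor's DNSPort, new TCP connections to TransPort.
    $IPT -t nat -A PREROUTING -i "$INT_IF" -p udp --dport 53 -j REDIRECT --to-ports "$DNS_PORT"
    $IPT -t nat -A PREROUTING -i "$INT_IF" -p tcp --syn -j REDIRECT --to-ports "$TRANS_PORT"

    # Only these services on the router itself are reachable from wifi clients.
    # REDIRECT has already rewritten the destination to GW_IP, so these match
    # the redirected flows; other UDP, ICMP and SSH from the open network are dropped.
    $IPT -A INPUT -i "$INT_IF" -p udp --dport 67 -j ACCEPT
    $IPT -A INPUT -i "$INT_IF" -d "$GW_IP" -p udp --dport "$DNS_PORT" -j ACCEPT
    $IPT -A INPUT -i "$INT_IF" -d "$GW_IP" -p tcp --dport "$TRANS_PORT" -j ACCEPT
    $IPT -A INPUT -i "$INT_IF" -j DROP
}

case "${1:-}" in
    apply) apply_tor_wifi_rules ;;           # e.g. post-up /root/tor-wireless-firewall.sh apply
    show)  IPT=echo apply_tor_wifi_rules ;;  # dry run: print the iptables commands
    *)     : ;;                              # no argument: only define the function
esac
```

Call it with `apply` from the post-up line in /etc/network/interfaces, and with `show` to review the rule set without touching the kernel. Because the INPUT rules match on GW_IP after the NAT rewrite, Tor's TransListenAddress and DNSListenAddress must be 172.16.23.1 as in the torrc below.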

This is the required Tor configuration that belongs in /etc/tor/torrc:

# middle box stuff
VirtualAddrNetwork 10.192.0.0/10
AutomapHostsOnResolve 1
TransPort 9040
TransListenAddress 172.16.23.1
DNSPort 53
DNSListenAddress 172.16.23.1

Now simply type ifup uap0 and you'll see:

root@holoscanner:~# ifup uap0
Reloading tor daemon configuration: tor.
SSID setting successful
BSS started!

You may stop the wifi network by running ifdown uap0:

root@holoscanner:~# ifdown uap0
BSS stopped!

Last modified on Jul 26, 2011, 5:24:04 PM