{"id":23803540,"url":"https://github.com/d3cod3/sectorpi","last_synced_at":"2025-02-21T17:17:24.906Z","repository":{"id":149329815,"uuid":"229419604","full_name":"d3cod3/SecTorPi","owner":"d3cod3","description":"A Reasonably Secure Raspberry Pi Tor Access Point","archived":false,"fork":false,"pushed_at":"2025-01-19T19:14:34.000Z","size":536,"stargazers_count":4,"open_issues_count":0,"forks_count":0,"subscribers_count":2,"default_branch":"master","last_synced_at":"2025-01-19T20:23:43.769Z","etag":null,"topics":[],"latest_commit_sha":null,"homepage":null,"language":null,"has_issues":true,"has_wiki":null,"has_pages":null,"mirror_url":null,"source_name":null,"license":null,"status":null,"scm":"git","pull_requests_enabled":true,"icon_url":"https://github.com/d3cod3.png","metadata":{"files":{"readme":"README.md","changelog":null,"contributing":null,"funding":null,"license":null,"code_of_conduct":null,"threat_model":null,"audit":null,"citation":null,"codeowners":null,"security":null,"support":null,"governance":null,"roadmap":null,"authors":null,"dei":null,"publiccode":null,"codemeta":null}},"created_at":"2019-12-21T11:44:27.000Z","updated_at":"2025-01-19T19:14:36.000Z","dependencies_parsed_at":null,"dependency_job_id":"a1add560-6e85-429f-807d-a518b6902bb3","html_url":"https://github.com/d3cod3/SecTorPi","commit_stats":null,"previous_names":[],"tags_count":0,"template":false,"template_full_name":null,"repository_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/d3cod3%2FSecTorPi","tags_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/d3cod3%2FSecTorPi/tags","releases_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/d3cod3%2FSecTorPi/releases","manifests_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/d3cod3%2FSecTorPi/manifests","owner_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners/d3cod3","download_url":"https://codeload.github.com/d3cod3/SecTorPi/tar.gz/refs/heads/master","host":{"name":"GitHub","
url":"https://github.com","kind":"github","repositories_count":240054101,"owners_count":19740766,"icon_url":"https://github.com/github.png","version":null,"created_at":"2022-05-30T11:31:42.601Z","updated_at":"2022-07-04T15:15:14.044Z","host_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub","repositories_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories","repository_names_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repository_names","owners_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners"}},"keywords":[],"created_at":"2025-01-01T22:32:18.913Z","updated_at":"2025-02-21T17:17:24.895Z","avatar_url":"https://github.com/d3cod3.png","language":null,"readme":"# SecTorPi\n\n## A Reasonably Secure Raspberry Pi 3 Tor Access Point ( or the Onion Router )\n\n![Onion Router](https://github.com/d3cod3/SecTorPi/raw/master/img/onion-router.jpg)\n\n[![ko-fi](https://www.ko-fi.com/img/githubbutton_sm.svg)](https://ko-fi.com/V7V21B90C)\n\n\nTable of Contents\n=================\n\n  * [Description](#description)\n  * [Install](#install)\n  * [Post-Install Config](#post-install-config)\n  * [Configuration](#configuration)\n    * [Users](#users)\n    * [SSH](#ssh)\n    * [APT sources](#apt-sources)\n    * [Encryption](#encryption)\n    * [Net](#net)\n    * [Tor](#tor)\n    * [DNSCrypt](#dnscrypt)\n\n\n# Description\n\nThere are a lot of tutorials on the web about building your own RPi onion router, some outdated, some perfectly working; this one is just another, trying to explain all the steps in detail and adding some security enhancements to the overall process.\nUsing Tor to browse the web anonymously can be done in different ways, depending on your skills, specific needs and paranoia level, and, as always, there is no single best solution for everyone: it always depends on each user's needs. 
This approach, the **RPi Onion Router** one, is not the highest-security option in terms of \"apocalyptic paranoia\" needs, but it is far better than downloading Tor Browser on your computer and using it while posting on Instagram.\n\nEveryone has the right to anonymize their internet life, so let's do it properly, or at least learn something from trying.\n\n# Install\n\n### 1 - Download the latest official Raspbian Buster Lite from https://www.raspberrypi.org/downloads/raspbian/\n\nDirect link: https://downloads.raspberrypi.org/raspbian_lite_latest\n\nThe download page publishes the SHA-256 of the image; compare it with the output of sha256sum before writing the image, since a tampered image defeats everything that follows.\n\n### 2 - Scrambling the microSD card (patience here)\n\nOverwriting the card with random data makes forensic recovery of previous data much harder. Apply this step if you are going to reuse a microSD card (from a camera, from another Raspberry Pi project, etc.), so your previous data is reasonably safe. If you just bought a new microSD card, this step is not really necessary. Keep in mind that SD cards remap worn-out blocks internally, so even a full overwrite cannot guarantee that every physical cell was touched; for a card that held genuinely sensitive data, physical destruction is the only certain method.\n\n```bash\n# on OSX\nsudo dd if=/dev/urandom of=/dev/YOUR_DEVICE_NAME bs=1m\n\n# on linux\nsudo dd if=/dev/urandom of=/dev/YOUR_DEVICE_NAME bs=1M\n```\n\n### 3 - Installing raspbian buster lite on microSD card\n\n```bash\n# on OSX\nsudo dd if=raspbian-buster-lite.img of=/dev/YOUR_DEVICE_NAME bs=1m conv=sync\n\n# on linux\nsudo dd if=raspbian-buster-lite.img of=/dev/YOUR_DEVICE_NAME bs=1M conv=fdatasync\n```\n\n# Post-Install Config\n\n### 1 - Launch raspi-config to expand filesystem and activate ssh server\n\n```bash\nsudo raspi-config\n```\n\nRemember not to change anything unnecessary (like localization options): the less identifiable information, the better.\n\nWe first go to Network Options and change the hostname, just to get rid of the default **raspberrypi** hostname (choose whatever name you like) and hide this piece of information from network snoopers.\n\nThen we go to Advanced Options and Expand Filesystem, in order to have the entire SD card storage at our disposal.\n\nAnd finally we go to 
Interfacing Options and SSH, to enable remote command line access to our Pi using the ssh protocol.\n\nNow just reboot and access our device via ssh, with the default raspbian credentials:\n\nuser **pi**, passwd **raspberry**\n\n# Configuration\n\n## Users\n\n### 1 - Get rid of the default RPi credentials:\n\n```bash\npasswd\n```\n\n```bash\nsudo passwd\n```\n\nThe second command sets a password for root, which Raspbian ships locked; if you never need an interactive root login, leave it locked and keep relying on sudo, one password less to attack.\n\n## SSH\n\n\n### 0 - Create a new SSH Key Pair for securing the server with public key authentication\n\nUsually we can connect to a remote server via SSH with a simple username/password, and that's ok in a lot of scenarios, but we are trying here to configure our **RPi Onion Router** for better/reasonable security ( we don't want to risk someone hacking our router with some advanced exploit and monitoring everything we do while we believe we have complete anonymity ), so a good practice is to authenticate with an ssh key pair instead.\nAn ssh user key pair is an asymmetric cryptography mechanism, also known as public-key cryptography, similar to [PGP](https://es.wikipedia.org/wiki/Pretty_Good_Privacy), that uses two keys, one private and one public; while the User Private Key must be kept secret (on your secure personal computer), the User Public Key can be shared with anyone and with any server.\n\nSo, let's create a key pair and configure it to connect to our **RPi Onion Router**.\n\n**On our secure personal computer** (IMPORTANT), create the keys (OSX or LINUX):\n\n```bash\nssh-keygen -t rsa -b 8192 -C \"sectorPi_rsa\"\n```\n\nAn Ed25519 key ( -t ed25519 ) is the modern default and works just as well with the OpenSSH shipped in Buster, if you prefer a small, fast key over a huge RSA one.\n\nIt will ask you where to save the keys and for a passphrase; set one, it protects the private key file if your computer is ever compromised or lost.\n\nWhen done ( it can take a minute ) you will have a private key \"myKey\" and a public key \"myKey.pub\" ( if you answered \"myKey\" at the save prompt; the default name is id_rsa ), in the .ssh directory of the local user's home directory. 
Remember that the private key must not be shared with anyone who should not have access to your servers!\n\nNow, copy our newly created PUBLIC key to the **RPi Onion Router**:\n\n```bash\nssh-copy-id -i myKey.pub pi@RPI_ip_number\n```\n\n**Now back on our server**, just to check it, if we print the file ~/.ssh/authorized_keys:\n\n```bash\ncat ~/.ssh/authorized_keys\n```\n\nwe will see our ssh-rsa public key added.\n\nThat's it, now we can SSH into our server using the private key for authentication, so the time has come to configure our SSH daemon for better security.\n\n### 1 - Update ssh config, edit /etc/ssh/sshd_config:\n\n```bash\nsudo nano /etc/ssh/sshd_config\n```\nAnd edit:\n\n```bash\n# Disable ipv6\n#ListenAddress ::\nListenAddress 0.0.0.0\n\n# Disallow SSH access to root account\nLoginGraceTime 60\nPermitRootLogin no\nStrictModes yes\nMaxAuthTries 6\nMaxSessions 3\n\n# Don't read the user's ~/.rhosts and ~/.shosts files\nIgnoreRhosts yes\n\n# Disable X11Forwarding\nX11Forwarding no\n\n# disable challenge-response password\nChallengeResponseAuthentication no\n\n# Disable tunneled cleartext password authentication and enable SSH public key only access\nPasswordAuthentication no\nPermitEmptyPasswords no\nPubkeyAuthentication yes\nAuthorizedKeysFile      .ssh/authorized_keys\n\n# Add AllowUsers pi, in order to enable access for your default user ONLY\nAllowUsers pi\n```\n\nThe RSAAuthentication, RhostsAuthentication and RhostsRSAAuthentication directives found in older guides belong to SSH protocol 1, which the OpenSSH in Buster no longer implements; sshd only logs a \"Deprecated option\" warning for them, so they are left out here. Also note that sshd uses the first value it finds for each keyword, so make sure no earlier line in the file re-enables password authentication.\n\nSave it, check the syntax with sudo sshd -t, and restart ssh. Keep your current session open until a new key-based login has been confirmed to work; a typo here otherwise locks you out of the Pi:\n\n```bash\nsudo systemctl restart ssh\n```\n\n## APT sources\n\n\n### 1 - Change apt sources\n\n```bash\nsudo nano /etc/apt/sources.list\n```\n\nAnd uncomment the deb-src line:\n\n```bash\ndeb http://raspbian.raspberrypi.org/raspbian/ buster main contrib non-free rpi\ndeb-src http://raspbian.raspberrypi.org/raspbian/ buster main contrib non-free rpi\n```\n\nThe repository is fetched over plain http; that is fine for integrity, because apt verifies the signed Release file against its trusted keyring, but it does reveal to anyone on the path which packages you install. Nothing below needs deb-src, it is enabled only for convenience.\n\nSave and launch an update:\n\n```bash\nsudo apt 
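Before touching sshd_config in the next step, here is an added example ( not code from the SecTorPi project ): a small POSIX shell script that audits a copy of sshd_config for the directives the hardened configuration below relies on, flags the protocol-1 leftovers ( RSAAuthentication, RhostsAuthentication, RhostsRSAAuthentication ) that modern sshd ignores, and applies the file only after sshd -t accepts it. The sample config inside the script is constructed for illustration; the helper names and the use of systemctl restart ssh are assumptions for a Raspbian Buster system.

```shell
#!/bin/sh
# Added example (not part of SecTorPi): audit a sshd_config for the hardened
# settings this section expects, then apply it without locking yourself out.
# Assumes the OpenSSH server shipped with Raspbian Buster (7.9), which ignores
# protocol-1 options with a "Deprecated option" warning instead of an error.

# Directives the hardened file must contain ("Key value", one per line).
REQUIRED='PermitRootLogin no
PasswordAuthentication no
PermitEmptyPasswords no
ChallengeResponseAuthentication no
PubkeyAuthentication yes
X11Forwarding no
AllowUsers pi'

# Protocol-1 era options that current sshd no longer implements.
OBSOLETE='RSAAuthentication RhostsAuthentication RhostsRSAAuthentication'

# effective_value FILE KEY: the value sshd would use. sshd takes the FIRST
# occurrence of a keyword, so a stray early line beats anything added later.
effective_value() {
  awk -v k="$(printf '%s' "$2" | tr 'A-Z' 'a-z')" \
    '$1 !~ /^#/ && tolower($1) == k { print $2; exit }' "$1"
}

# audit_sshd_config FILE: print findings; return 0 only if all checks pass.
audit_sshd_config() {
  f=$1
  rc=0
  while read -r key want; do
    have=$(effective_value "$f" "$key")
    if [ "$have" != "$want" ]; then
      echo "FAIL: $key is '${have:-unset}', expected '$want'"
      rc=1
    fi
  done <<EOF
$REQUIRED
EOF
  for key in $OBSOLETE; do
    [ -z "$(effective_value "$f" "$key")" ] ||
      echo "WARN: $key is a protocol-1 option; sshd ignores it, drop the line"
  done
  return $rc
}

# apply_sshd_config [FILE]: audit, syntax-check with sshd -t, then restart.
# Keep your current SSH session open and test a NEW login before closing it.
apply_sshd_config() {
  f=${1:-/etc/ssh/sshd_config}
  audit_sshd_config "$f" || return 1
  sudo /usr/sbin/sshd -t -f "$f" || return 1   # refuses a file sshd cannot parse
  sudo systemctl restart ssh
}

# Demo on a constructed config (not a real file from the Pi).
demo=$(mktemp)
cat > "$demo" <<'EOF'
# sample sshd_config, constructed for this example
Port 22
PasswordAuthentication yes
PermitRootLogin no
RSAAuthentication yes
PubkeyAuthentication yes
EOF
audit_sshd_config "$demo" || echo "=> fix the lines above before running apply_sshd_config"
rm -f "$demo"
```

Run it on the Pi as `sh audit.sh` for the demo, then `. ./audit.sh; apply_sshd_config` once the real /etc/ssh/sshd_config passes the audit; the restart is refused while any FAIL line remains.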
update \u0026\u0026 sudo apt dist-upgrade -y\n```\n\n## Encryption\n\nOk, this is a hard one: we are going to implement full disk encryption with LUKS. We'll just need patience, commitment and a USB flash drive to get through this step.\n\nFirst of all, why? Why go through all this work?\n\nWell, a simple security problem with an RPi is that anyone with physical access can extract the SD card, copy it, manipulate it, open it as an external drive on a Linux computer and do whatever they want with your system, which is a tremendous security flaw. If we encrypt our drive we eliminate this flaw, or at least mitigate it, and make it almost impossible for an entity ( or individual ) without \"governmental or organized cyber-crime\" resources to spy on us. Note what stays in clear: only the root partition gets encrypted, while /boot ( kernel, initramfs and config ) must remain readable for the Pi firmware to boot from it, so someone with physical access can still tamper with those files. Encryption protects the confidentiality of your data, not the integrity of the boot chain.\n\n**REMEMBER: LUKS encryption is not unbreakable, nothing really is, but with a properly strong passphrase ( use a complex one if you are good with mnemonics, or let a password manager remember it for you ), and given the lack of a hibernation/sleep state on our RPi ( there are advanced attack techniques that extract data cached in RAM, and on a LUKS encrypted computer in hibernation/sleep the master key sits in RAM, so... 
), we can say that this will reasonably secure our project some more.** The master key is of course still in RAM while the Pi is powered on; what we avoid is the sleeping-laptop scenario.\n\nHopefully we'll get through this without failure, but be aware: this step involves backing up your data to a USB drive and destroying all data on your SD card, and because of that we are doing it at the beginning, just in case, so we will not lose our almost completed **RPi Onion Router**.\n\nNow, I'm going to use this tutorial from [robpol86.com](https://robpol86.com/raspberry_pi_luks.html) as reference, but there will be some differences as that tutorial was written for Raspbian Jessie, and we are on Raspbian Buster ( two releases later ).\n\nLet's get to it!\n\n### 1 - Install necessary software\n\n```bash\nsudo apt install busybox cryptsetup initramfs-tools expect\n```\n\n### 2 - Add a kernel post-install script\n\nRaspbian doesn’t normally use an initrd/initramfs, so it doesn’t auto-update the one we’re about to create when a new kernel version comes out. Our initramfs holds kernel modules since they’re needed before the encrypted root file system can be mounted. 
When the kernel version changes it won’t be able to find its new modules.\n\nWe fix it by writing a new file:\n\n```bash\nsudo nano /etc/kernel/postinst.d/initramfs-rebuild\n```\n\nAnd write this:\n\n```bash\n#!/bin/sh -e\n\n# Rebuild initramfs.gz after kernel upgrade to include new kernel's modules.\n# https://github.com/Robpol86/robpol86.com/blob/master/docs/_static/initramfs-rebuild.sh\n# Save as (chmod +x): /etc/kernel/postinst.d/initramfs-rebuild\n\n# Remove splash from cmdline.\nif grep -q '\\bsplash\\b' /boot/cmdline.txt; then\n  sed -i 's/ \\?splash \\?/ /' /boot/cmdline.txt\nfi\n\n# Exit if not building kernel for this Raspberry Pi's hardware version.\nversion=\"$1\"\ncurrent_version=\"$(uname -r)\"\ncase \"${current_version}\" in\n  *-v7+)\n    case \"${version}\" in\n      *-v7+) ;;\n      *) exit 0\n    esac\n  ;;\n  *+)\n    case \"${version}\" in\n      *-v7+) exit 0 ;;\n    esac\n  ;;\nesac\n\n# Exit if rebuild cannot be performed or not needed.\n[ -x /usr/sbin/mkinitramfs ] || exit 0\n[ -f /boot/initramfs.gz ] || exit 0\nlsinitramfs /boot/initramfs.gz |grep -q \"/$version$\" \u0026\u0026 exit 0  # Already in initramfs.\n\n# Rebuild.\nmkinitramfs -o /boot/initramfs.gz \"$version\"\n```\n\nNext we need to include **resize2fs**, **fdisk**, a few other tools and, optionally, the other Pi kernel's modules in our initramfs image, so we’ll need to create a hook file:\n\n```bash\nsudo nano /etc/initramfs-tools/hooks/resize2fs\n```\n\nAnd write this:\n\n```bash\n#!/bin/sh -e\n\n# Copy resize2fs, fdisk, and other kernel modules into initramfs image.\n# https://github.com/Robpol86/robpol86.com/blob/master/docs/_static/resize2fs.sh\n# Save as (chmod +x): /etc/initramfs-tools/hooks/resize2fs\n\nCOMPATIBILITY=false  # Set to false to skip copying other kernel's modules.\n\nPREREQ=\"\"\nprereqs () {\n  echo \"${PREREQ}\"\n}\ncase \"${1}\" in\n  prereqs)\n    prereqs\n    exit 0\n  ;;\nesac\n\n. 
/usr/share/initramfs-tools/hook-functions\n\ncopy_exec /sbin/resize2fs /sbin\ncopy_exec /sbin/fdisk /sbin\ncopy_exec /sbin/dumpe2fs /sbin\ncopy_exec /usr/bin/expect /sbin\ncp -R /usr/share/tcltk/* ${DESTDIR}/lib/\n\n# Raspberry Pi 1 and 2+3 use different kernels. Include the other.\nif ${COMPATIBILITY}; then\n  case \"${version}\" in\n    *-v7+) other_version=\"$(echo ${version} |sed 's/-v7+$/+/')\" ;;\n    *+) other_version=\"$(echo ${version} |sed 's/+$/-v7+/')\" ;;\n    *)\n      echo \"Warning: kernel version doesn't end with +, ignoring.\"\n      exit 0\n  esac\n  cp -r /lib/modules/${other_version} ${DESTDIR}/lib/modules/\nfi\n```\n\nOk, now let's build the new initramfs and make sure our utilities have been installed. The mkinitramfs command may print some WARNINGs from cryptsetup, but that should be fine since we’re using CRYPTSETUP=y. As long as cryptsetup itself is present in the initramfs it won’t be a problem.\n\n```bash\nsudo chmod +x /etc/kernel/postinst.d/initramfs-rebuild\nsudo chmod +x /etc/initramfs-tools/hooks/resize2fs\n\necho 'CRYPTSETUP=y' | sudo tee --append /etc/cryptsetup-initramfs/conf-hook \u003e /dev/null\nsudo mkinitramfs -o /boot/initramfs.gz\n\n# check it\nlsinitramfs /boot/initramfs.gz | grep -P \"sbin/(cryptsetup|resize2fs|fdisk|dumpe2fs|expect)\"\n#Make sure you see sbin/resize2fs, sbin/cryptsetup, sbin/dumpe2fs, sbin/expect, and sbin/fdisk in the output.\n```\n\n### 3 - Prepare the boot files\n\nLet's check our partitions:\n\n```bash\nlsblk\n```\n\nMy output:\n\n```bash\nNAME        MAJ:MIN RM  SIZE RO TYPE MOUNTPOINT\nmmcblk0     179:0    0 59.5G  0 disk\n├─mmcblk0p1 179:1    0  256M  0 part /boot\n└─mmcblk0p2 179:2    0 59.2G  0 part /\n```\n\nSo we have the /boot partition (mmcblk0p1), which needs to remain unencrypted because the firmware reads the kernel and initramfs from it, and the / partition (mmcblk0p2) that we'll encrypt in a bit.\n\nNow we need to prepare the boot files, telling the RPi to boot our soon-to-be-created encrypted partition. 
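Added example, not from the project: the four boot-file edits that the next paragraph walks through, done by a script that reads the root PARTUUID from cmdline.txt instead of retyping it. It takes the file paths as arguments so you can try it on copies first; the mapper name sdcard, the file layout and the constructed sample files in the demo are assumptions matching this README.

```shell
#!/bin/sh
# Added example (not part of SecTorPi): script the "prepare the boot files"
# edits, reading the root PARTUUID from cmdline.txt instead of retyping it.
# Assumptions: mapper name "sdcard" as in the README; file paths are passed
# as arguments so the functions can be tried on copies before touching /boot.

# root_partuuid CMDLINE: print the value of root=PARTUUID=... (empty if absent)
root_partuuid() {
  sed -n 's/.*root=PARTUUID=\([^ ]*\).*/\1/p' "$1"
}

# edit SED_EXPR FILE: in-place edit that keeps the file's owner and mode
edit() {
  tmp=$(mktemp)
  sed "$1" "$2" > "$tmp" && cat "$tmp" > "$2"
  rm -f "$tmp"
}

# prepare_boot_files CMDLINE FSTAB CRYPTTAB CONFIG [MAPPER]
prepare_boot_files() {
  cmdline=$1 fstab=$2 crypttab=$3 config=$4 mapper=${5:-sdcard}
  id=$(root_partuuid "$cmdline")
  [ -n "$id" ] || { echo "no root=PARTUUID= in $cmdline (already converted?)" >&2; return 1; }
  # 1. root= now names the dm-crypt mapping; cryptdevice= tells the initramfs
  #    which partition to unlock and what to call it.
  edit "s|root=PARTUUID=$id|root=/dev/mapper/$mapper|; s|[[:space:]]*\$| cryptdevice=PARTUUID=$id:$mapper|" "$cmdline"
  # 2. /etc/fstab: only the entry for / changes; /boot keeps its own PARTUUID.
  edit "s|^PARTUUID=$id\([[:space:]]\)|/dev/mapper/$mapper\1|" "$fstab"
  # 3. /etc/crypttab: name, source device, key ("none" = ask at boot), options.
  grep -q "^$mapper[[:space:]]" "$crypttab" 2>/dev/null ||
    printf '%s PARTUUID=%s none luks\n' "$mapper" "$id" >> "$crypttab"
  # 4. /boot/config.txt: load initramfs.gz right after the kernel.
  grep -q '^initramfs initramfs.gz' "$config" 2>/dev/null ||
    echo 'initramfs initramfs.gz followkernel' >> "$config"
}

# Demo on constructed copies (not the real files); the PARTUUID is the README's.
d=$(mktemp -d)
echo 'console=tty1 root=PARTUUID=2f927c11-02 rootfstype=ext4 rootwait' > "$d/cmdline.txt"
printf 'PARTUUID=2f927c11-01 /boot vfat defaults 0 2\nPARTUUID=2f927c11-02 / ext4 defaults,noatime 0 1\n' > "$d/fstab"
: > "$d/crypttab"
echo 'dtparam=audio=on' > "$d/config.txt"
prepare_boot_files "$d/cmdline.txt" "$d/fstab" "$d/crypttab" "$d/config.txt"
for f in cmdline.txt fstab crypttab config.txt; do echo "--- $f"; cat "$d/$f"; done
rm -rf "$d"
```

On the Pi the real call is `sudo sh -c '. ./prepare.sh; prepare_boot_files /boot/cmdline.txt /etc/fstab /etc/crypttab /boot/config.txt'`; a second run refuses to touch anything because root= no longer carries a PARTUUID, so the cryptdevice= parameter cannot be appended twice.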
We’ll make these changes first since they’re relatively easy to reverse if you mount your SD card on another computer, should you wish to abort this process:\n\n```bash\n# Append initramfs initramfs.gz followkernel to the end of /boot/config.txt\necho 'initramfs initramfs.gz followkernel' | sudo tee --append /boot/config.txt \u003e /dev/null\n\n# open /boot/cmdline.txt and search for root=YOUR_PARTITION_ID\n# in my case i have root=PARTUUID=2f927c11-02\n\n# Append cryptdevice=PARTUUID=2f927c11-02:sdcard to the end of /boot/cmdline.txt\n\n# Now replace root=PARTUUID=2f927c11-02 with root=/dev/mapper/sdcard in /boot/cmdline.txt\n\n# Then replace PARTUUID=2f927c11-02 with /dev/mapper/sdcard in /etc/fstab\n# (only on the / line; the /boot line keeps its own PARTUUID)\n\n# Append sdcard  PARTUUID=2f927c11-02  none    luks to the end of /etc/crypttab\necho 'sdcard PARTUUID=2f927c11-02 none luks' | sudo tee --append /etc/crypttab \u003e /dev/null\n```\n\nPerfect, now reboot and let's hope we didn't make any mistakes:\n\n```bash\nsudo reboot\n```\n\nIf everything was right, our RPi will fail to boot ( expected: there is no encrypted device to unlock yet ) and automatically drop into the initramfs shell.\n\n![Initramfs](https://github.com/d3cod3/SecTorPi/raw/master/img/intramfs.jpeg)\n\n### 4 - Shrink and encrypt\n\nGood, we are now in the initramfs shell; let's shrink our system partition and copy it to an external USB flash drive.\nSo, insert your USB drive and:\n\n```bash\ne2fsck -f /dev/mmcblk0p2  # Check SD card for errors for safety.\nresize2fs -fM /dev/mmcblk0p2  # Shrink the file system on the SD card.\n# Write down the number of 4k blocks in the resize2fs output.\n# ex. The file system on /dev/mmcblk0p2 is now 1397823 (4k) blocks long.\n# Substitute \"1397823\" below with your number of interest.\ndd bs=4k count=1397823 if=/dev/mmcblk0p2 | sha1sum # Write down the SHA1.\nfdisk -l /dev/sda  # Make sure /dev/sda is your USB drive. 
If not check dmesg.\ndd bs=4k count=1397823 if=/dev/mmcblk0p2 of=/dev/sda  # Copy data to USB drive.\ndd bs=4k count=1397823 if=/dev/sda | sha1sum # Make sure it's the same value!\n```\n\nNow we wipe our system partition, create an empty encrypted one and copy all our data back.\nThe first **cryptsetup** command will prompt you for the passphrase you want to use for your encrypted partition. Make sure it’s a strong one. The --cipher option below comes from the Jessie-era tutorial; cryptsetup's own default, aes-xts-plain64, is the stronger and standard choice, so prefer it ( just drop the option ) unless cryptsetup benchmark shows CBC-ESSIV to be noticeably faster on your Pi and you accept the trade-off knowingly.\n\n```bash\ncryptsetup --cipher aes-cbc-essiv:sha256 luksFormat /dev/mmcblk0p2\ncryptsetup luksOpen /dev/mmcblk0p2 sdcard  # Opens the encrypted device as /dev/mapper/sdcard.\ndd bs=4k count=1397823 if=/dev/sda of=/dev/mapper/sdcard # Copy back your data.\ndd bs=4k count=1397823 if=/dev/mapper/sdcard | sha1sum # Make sure it's the same!\ne2fsck -f /dev/mapper/sdcard  # Check encrypted SD card for errors.\nresize2fs -f /dev/mapper/sdcard  # Expand back to full size.\n```\n\nAlmost finished, remove the USB drive and exit the initramfs shell. Remember that the USB drive now holds an unencrypted copy of your whole root file system: wipe it ( the dd if=/dev/urandom step from the install section ) or keep it as safe as the passphrase itself.\n\n```bash\n# Remove USB drive, no longer needed.\nexit  # Continue to boot into your encrypted SD card.\n```\n\n### 5 - Build the new initramfs\n\nLast step, rebuild our new initramfs:\n\n```bash\nsudo mkinitramfs -o /boot/initramfs.gz\nsudo lsinitramfs /boot/initramfs.gz | grep -P \"sbin/(cryptsetup|resize2fs|fdisk|dumpe2fs|expect)\"\n```\n\nAnd that’s it. Reboot and it should prompt you with something like \"Please unlock disk /dev/mmcblk0p2 (sdcard)\"; enter your chosen passphrase and the system will boot. Now log in again via ssh; next chapter, networking!\n\n## Net\n\n\n### 0 - Before we start\n\nIn case we do not want to use the default RPi onboard wifi card, and instead use an external one, maybe one with a better antenna or whatever, we have the option to disable onboard wifi and bluetooth. 
And, as it is common practice to disable what you are not going to use when security matters, we can do that just by editing the /boot/config.txt file:\n\n```bash\nsudo nano /boot/config.txt\n\n# add this at the end\ndtoverlay=disable-wifi\ndtoverlay=disable-bt\n```\n\nSo on startup our RPi will recognize our external wifi card as **wlan0**, not the default onboard one.\n\n### 1 - Install\u0026configure the packages needed to make the RPi an access point on a standalone network\n\nHere we configure our wifi card **wlan0** as a router, assigning a static IP to the interface.\n\n```bash\nsudo apt install dnsmasq hostapd tcpdump\nsudo nano /etc/dhcpcd.conf\n\ninterface wlan0   # Use the required wireless interface - usually wlan0\n    static ip_address=192.168.66.1/24\n    nohook wpa_supplicant\n\nsudo systemctl restart dhcpcd\n```\n\n### 2 - Configure the DHCP server (dnsmasq)\n\nThen we configure our DHCP server IP range, so that every connecting client gets an address automatically. As we assigned the IP 192.168.66.1 to our wifi card/router, we use a range from 192.168.66.2 to 192.168.66.200, but here you can trim it as you prefer, reducing or extending the maximum number of clients. Your choice.\n\n```bash\nsudo mv /etc/dnsmasq.conf /etc/dnsmasq.conf.orig\nsudo nano /etc/dnsmasq.conf\n\ninterface=wlan0      # Use the required wireless interface - usually wlan0\ndhcp-range=192.168.66.2,192.168.66.200,255.255.255.0,24h\n# Set DHCP as authoritative\ndhcp-authoritative\n\n# a reload (SIGHUP) only re-reads hosts and lease files, not dnsmasq.conf\nsudo systemctl restart dnsmasq\n```\n\n### 3 - Configure the access point host software (hostapd)\n\nNOTE: wpa_passphrase must be at least 8 characters\n\nHere we configure our access point: its name (how it will appear in wifi lists), the password and some more technical details. 
Remember to choose a good password, at least 10 characters long, to make it harder for brute-force crackers; a WPA2 handshake can be captured passively and cracked offline, so length matters more here than on a login prompt.\n\n```bash\nsudo nano /etc/hostapd/hostapd.conf\n\ninterface=wlan0\ndriver=nl80211\nssid=YOUR_SSID_NAME\nhw_mode=g\nchannel=5\nwmm_enabled=0\nmacaddr_acl=0\nauth_algs=1\nignore_broadcast_ssid=0\nwpa=2\nwpa_passphrase=YOUR_SSID_PASSWORD\nwpa_key_mgmt=WPA-PSK\nrsn_pairwise=CCMP\n```\n\nWith wpa=2 only WPA2 (RSN) is offered, so rsn_pairwise=CCMP is the line that matters; the wpa_pairwise=TKIP setting found in many tutorials only applies to WPA1 and is left out, which also makes sure TKIP never comes back if someone later enables mixed mode. This file now contains the wifi passphrase in clear, so make it readable by root only ( chmod 600 ).\n\nNow apply the config and restart the services:\n\n```bash\nsudo nano /etc/default/hostapd\n\nDAEMON_CONF=\"/etc/hostapd/hostapd.conf\"\n\nsudo systemctl unmask hostapd\nsudo systemctl enable hostapd\nsudo systemctl start hostapd\n```\n\n### 4 - Install iptables-persistent and configure network address translation\n\n```bash\nsudo apt install iptables-persistent\n```\n\nAnd then run the following commands to create the network address translation between the ethernet port eth0 and the wifi port wlan0:\n\n```bash\nsudo iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE\nsudo iptables -A FORWARD -i eth0 -o wlan0 -m state --state RELATED,ESTABLISHED -j ACCEPT\nsudo iptables -A FORWARD -i wlan0 -o eth0 -j ACCEPT\n```\n\nCheck it:\n\n```bash\nsudo iptables -t nat -S\nsudo iptables -S\n```\n\nThen save it:\n\n```bash\nsudo sh -c \"iptables-save \u003e /etc/iptables/rules.v4\"\n```\n\nOk, right now we have a fully working router, with a new wifi network we can connect to from any computer or phone. At this point client traffic is NATed straight out of eth0 with no Tor involved; these rules are replaced in the Tor section. 
Next steps, a little hardening and finally the installation of the Tor software.\n\n### 5 - Hardening\n\nKernel network hardening via sysctl ( apply with sudo sysctl -p after editing ):\n\n```bash\nsudo nano /etc/sysctl.conf\n\n# enable Spoof protection\nnet.ipv4.conf.default.rp_filter=1\nnet.ipv4.conf.all.rp_filter=1\n\n# Enable TCP/IP SYN cookies\nnet.ipv4.tcp_syncookies=1\n\n# enable packet forwarding for IPv4\nnet.ipv4.ip_forward=1\n\n# Ignore ICMP broadcasts\nnet.ipv4.icmp_echo_ignore_broadcasts = 1\n\n# Ignore bogus ICMP errors\nnet.ipv4.icmp_ignore_bogus_error_responses = 1\n\n# Do not accept ICMP redirects (prevent MITM attacks)\nnet.ipv4.conf.all.accept_redirects = 0\n\n# Do not send ICMP redirects\nnet.ipv4.conf.all.send_redirects = 0\n\n# Do not accept IP source route packets\nnet.ipv4.conf.all.accept_source_route = 0\n\n# rpi tweaks\nvm.swappiness=1\nvm.min_free_kbytes = 8192\n\n```\n\nnet.ipv4.ip_forward=1 is what makes the NAT rules of the previous step work. Once the Tor rules below are in place nothing should be forwarded any more, only redirected to local ports, and REDIRECT does not need ip_forward, so you can set it back to 0 at that point.\n\n## Tor\n\n### 1 - Install tor, the onion routing software\n\n```bash\nsudo apt install tor\n```\n\nNow configure it; just change the access point IP *192.168.66.1* if yours is different:\n\n```bash\nsudo nano /etc/tor/torrc\n\nLog notice file /var/log/tor/notices.log\nVirtualAddrNetwork 10.192.0.0/10\nAutomapHostsSuffixes .onion,.exit\nAutomapHostsOnResolve 1\nTransPort 192.168.66.1:9040\nDNSPort 192.168.66.1:53\n\n# rotate circuits (and so the exit) after 10 seconds\nCircuitBuildTimeout 10\nLearnCircuitBuildTimeout 0\nMaxCircuitDirtiness 10\n\n# blacklist exit nodes by geolocation\n# country codes list: https://b3rn3d.herokuapp.com/blog/2014/03/05/tor-country-codes/\nStrictNodes 1\nExcludeExitNodes {CHOOSE_YOUR_COUNTRY_CODES_HERE}\n\n```\n\nA few remarks on this torrc. TransListenAddress and DNSListenAddress, still seen in older guides, are deprecated in favour of the address:port form of TransPort and DNSPort used above, so they are omitted. MaxCircuitDirtiness is the option that rotates circuits; CircuitBuildTimeout is only how long Tor waits for a circuit to build. Rotating every 10 seconds is far more aggressive than the Tor default of 10 minutes: it spreads your traffic over many more exit relays, each of which sees a slice of it, and breaks long-lived connections, so treat it as a trade-off rather than a free anonymity gain. Country codes go in the form {us},{ru}; excluding exits shrinks the set of relays you use, which reduces your anonymity set.\n\nAlmost there, we now need to change our IP routing tables so that connections via the wifi interface (wlan0) are routed through the Tor software ONLY. First flush the NAT rules from the previous section:\n\n```bash\nsudo iptables -F\nsudo iptables -t nat -F\n```\n\n```bash\nsudo iptables -t nat -A PREROUTING -i wlan0 -p udp --dport 53 -j REDIRECT --to-ports 53\nsudo iptables -t nat -A 
PREROUTING -i wlan0 -p tcp --syn -j REDIRECT --to-ports 9040\n```\n\n```bash\nsudo iptables -t nat -L\n```\n\n```bash\nsudo sh -c \"iptables-save \u003e /etc/iptables/rules.v4\"\n```\n\nThese two rules only catch TCP SYNs and UDP/53. Anything else a client sends ( other UDP such as NTP or QUIC, ICMP, TCP segments without SYN ) is not redirected and, with the filter FORWARD chain now empty and its policy ACCEPT, is forwarded out of eth0 untouched by Tor, carrying the client's private address as source. It gets no replies, but it does reach your upstream network, so before saving add a FORWARD rule that drops everything arriving on wlan0 ( redirected packets are delivered locally through INPUT and are not affected by it ).\n\nNow we create our log file for debugging:\n\n```bash\nsudo touch /var/log/tor/notices.log\nsudo chown debian-tor /var/log/tor/notices.log\nsudo chmod 644 /var/log/tor/notices.log\n```\nThen we enable the tor service so it starts automatically at boot, and restart it to apply the new config:\n\n```bash\nsudo systemctl enable tor\n\nsudo systemctl restart tor\n\nsudo systemctl status tor\n```\n\n![Onion Router](https://github.com/d3cod3/SecTorPi/raw/master/img/raspberryPi3TorAccessPoint.png)\n\nOk, we now have our well configured **Onion Router**, and we can test it from a client connected to the new wifi through these pages:\n\n* https://check.torproject.org\n* https://ipleak.org\n\n### 2 - Install monit to restart the Tor service if it goes down\n\nThis simple application automatically restarts our Tor service if it is down, so we'll have the service always up.\n\n```bash\nsudo apt install monit\n\nsudo nano /etc/monit/monitrc\n\ncheck process tor with pidfile /var/run/tor/tor.pid\n   start program = \"/etc/init.d/tor start\"\n   stop program = \"/etc/init.d/tor stop\"\n\nsudo systemctl restart monit\nsudo systemctl enable monit\n```\n\nThe name after check process is only a label for monit, but keep it meaningful so its log entries make sense. Check that the pidfile path matches the PidFile Tor is actually started with ( see the tor service defaults shipped by the Debian package ), otherwise monit will keep restarting a daemon that is running fine.\n\n## DNScrypt\n\nIf you want to add DNS encryption to our system, to prevent DNS spoofing, we'll install dnscrypt-proxy: using cryptographic signatures, it verifies that each DNS response originates from the configured resolver and hasn't been tampered with. 
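Added example, not part of the project: a shell script that writes the complete rules.v4 for the Tor-only access point configured above, including the FORWARD and INPUT rules that keep non-TCP client traffic from bypassing Tor, plus a port_owner helper that reads ss -ulnp output to show which process really holds UDP/53 on the Pi. The latter matters for the DNSCrypt chain that follows: it only takes effect if dnsmasq, not Tor's DNSPort, receives the clients' queries. Interface names, addresses and ports are the README's; the embedded ss output is constructed for the demo.

```shell
#!/bin/sh
# Added example (not part of SecTorPi): generate the complete rules.v4 for the
# Tor-only access point, including the rules that stop non-TCP client traffic
# from bypassing Tor, and a helper that shows which process owns a listening
# port. Assumes the README's layout: clients on wlan0, uplink on eth0, gateway
# 192.168.66.1, Tor TransPort 9040, DNS on port 53.
LAN_IF=${LAN_IF:-wlan0}
WAN_IF=${WAN_IF:-eth0}
TRANS_PORT=${TRANS_PORT:-9040}

# tor_rules: iptables-restore text for /etc/iptables/rules.v4
tor_rules() {
  cat <<EOF
*nat
:PREROUTING ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
# Client DNS and TCP are REDIRECTed to the listeners on the $LAN_IF address.
-A PREROUTING -i $LAN_IF -p udp --dport 53 -j REDIRECT --to-ports 53
-A PREROUTING -i $LAN_IF -p tcp --syn -j REDIRECT --to-ports $TRANS_PORT
COMMIT
*filter
:INPUT ACCEPT [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
# REDIRECTed packets are delivered locally, i.e. through INPUT, so only the
# services clients need are opened on $LAN_IF (add tcp/22 if you ssh in over wifi).
-A INPUT -i $LAN_IF -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
-A INPUT -i $LAN_IF -p udp --dport 67 -j ACCEPT
-A INPUT -i $LAN_IF -p udp --dport 53 -j ACCEPT
-A INPUT -i $LAN_IF -p tcp --dport $TRANS_PORT -j ACCEPT
-A INPUT -i $LAN_IF -j DROP
# FORWARD policy DROP: with no MASQUERADE and no ACCEPT rule, UDP, ICMP and
# non-SYN TCP from clients die here instead of leaving via $WAN_IF outside Tor.
COMMIT
EOF
}

# port_owner PORT < ss-output: process name(s) bound to that local port in
# "ss -ulnp" / "ss -tlnp" output. Two entries mean two sockets: Linux delivers
# a datagram to the socket bound to the specific address, not the 0.0.0.0 one.
port_owner() {
  awk -v p="$1" '$4 ~ (":" p "$") {
    if (match($0, /users:\(\("[^"]*"/))
      print substr($0, RSTART + 9, RLENGTH - 10)
  }'
}

# Constructed ss -ulnp output for the demo (not captured from a real Pi).
SS_SAMPLE='State  Recv-Q Send-Q Local Address:Port Peer Address:Port Process
UNCONN 0      0      0.0.0.0:53        0.0.0.0:*    users:(("dnsmasq",pid=707,fd=5))
UNCONN 0      0      192.168.66.1:53   0.0.0.0:*    users:(("tor",pid=966,fd=9))
UNCONN 0      0      0.0.0.0:67        0.0.0.0:*    users:(("dnsmasq",pid=707,fd=4))'

tor_rules
echo "# udp/53 is owned by: $(printf '%s\n' "$SS_SAMPLE" | port_owner 53 | tr '\n' ' ')"
echo "# On the Pi: sudo ss -ulnp | port_owner 53 ; review the rules above, then"
echo "# sudo sh -c 'iptables-restore < rules.v4' and save with iptables-save."
```

In the constructed sample both dnsmasq and Tor hold UDP/53, and Tor's socket is bound to 192.168.66.1, so the kernel hands client queries to Tor's DNSPort and dnsmasq never sees them; that is exactly the situation to rule out before wiring dnsmasq to dnscrypt-proxy.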
This can prevent MITM (Man-in-the-Middle) attacks on DNS, or at least some of them. Keep in mind what it does not hide: with the setup below dnscrypt-proxy reaches the resolver through Tor's SOCKS port, so the resolver ( not your ISP ) sees your queries, coming from a Tor exit.\n\nOk, we start by downloading DNSCrypt into our */opt* directory ( the last release is now 2.0.36; change the link below according to the actual latest release ):\n\n```bash\ncd /opt\n\nsudo wget https://github.com/DNSCrypt/dnscrypt-proxy/releases/download/2.0.36/dnscrypt-proxy-linux_arm-2.0.36.tar.gz\n```\n\nEach release also ships a .minisig signature next to the tarball; verify it with minisign against the public key published in the dnscrypt-proxy README before extracting, since you are about to run this binary as root.\n\nExtract the prebuilt binary:\n\n```bash\nsudo tar -xf dnscrypt-proxy-linux_arm-2.0.36.tar.gz\n```\n\nAnd rename it:\n\n```bash\nsudo mv linux-arm dnscrypt-proxy\n```\n\nNow, enter the directory and edit the config file:\n\n```bash\ncd dnscrypt-proxy\n\nsudo cp example-dnscrypt-proxy.toml dnscrypt-proxy.toml\n\nsudo nano dnscrypt-proxy.toml\n```\n\nThen edit it and save it:\n\n```bash\n# dnscrypt server list: https://dnscrypt.info/public-servers\nserver_names = ['cloudflare'] # choose here the one/s you prefer\n\n# port 53 is already occupied by dnsmasq, so we need to use a different one\nlisten_addresses = ['127.0.2.1:54']\n\n# Server must support DNS security extensions (DNSSEC)\nrequire_dnssec = true\n\n# Always use TCP to connect to upstream servers: a SOCKS5 proxy over Tor carries TCP only\nforce_tcp = true\n\n# SOCKS proxy: send the resolver traffic through Tor's local SOCKS port\nproxy = 'socks5://127.0.0.1:9050'\n```\n\nTwo things to check here. First, that Tor is listening on 127.0.0.1:9050 ( its default SocksPort, which our torrc does not change ): sudo ss -tlnp will show it. Second, that Tor's DNSPort on 192.168.66.1:53 does not capture the clients' queries before dnsmasq does, otherwise dnscrypt-proxy is never consulted; if you want all client DNS to go through DNSCrypt, remove the DNSPort line from torrc and restart Tor. Note the trade-off: AutomapHostsOnResolve only works for queries answered by Tor's DNSPort, so with DNS going through dnscrypt-proxy .onion names will no longer resolve for clients.\n\nIn order to have dnsmasq working with dnscrypt-proxy we need to modify our /etc/dnsmasq.conf:\n\n```bash\n\nsudo nano /etc/dnsmasq.conf\n\ninterface=wlan0      # Use the required wireless interface - usually wlan0\ndhcp-range=192.168.66.2,192.168.66.200,255.255.255.0,24h\n# Set DHCP as authoritative\ndhcp-authoritative\n# Redirect everything to dnscrypt-proxy\nserver=127.0.2.1#54\nno-resolv\nproxy-dnssec\n```\n\nThen restart dnsmasq ( a reload only re-reads the hosts and lease files, not dnsmasq.conf ):\n\n```bash\nsudo systemctl restart dnsmasq\n```\n\nNow we install and start the new service:\n\n```bash\nsudo ./dnscrypt-proxy -service install\n\nsudo ./dnscrypt-proxy -service start\n\nsudo ./dnscrypt-proxy -service status\n```\n\nLet's check it with netstat ( run it with sudo, otherwise the program column stays empty for other users' sockets; ss -tulnp works the same on systems without net-tools ):\n\n```bash\nsudo netstat -tulp\n```\n\nYou will find in the 
output:\n\n```bash\ntcp        0      0 192.168.66.1:9040       0.0.0.0:*               LISTEN      966/tor             \ntcp        0      0 0.0.0.0:domain          0.0.0.0:*               LISTEN      707/dnsmasq         \ntcp        0      0 127.0.2.1:54            0.0.0.0:*               LISTEN      520/dnscrypt-proxy\n```\n\nSo, if everything went ok, we have dnsmasq forwarding all port 53 requests to our dnscrypt-proxy configured at 127.0.2.1 port 54, so all DNS queries are encrypted on their way out.\n\nThat's it, finally we can check our DNS info from here:\n\n* https://www.dnsleaktest.com\n\nIf everything was configured right, you'll see DNS servers in locations different from your real one, and ISPs different from the one you are really using.\n\nEnjoy!\n","funding_links":["https://ko-fi.com/V7V21B90C"],"categories":[],"sub_categories":[],"project_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fd3cod3%2Fsectorpi","html_url":"https://awesome.ecosyste.ms/projects/github.com%2Fd3cod3%2Fsectorpi","lists_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fd3cod3%2Fsectorpi/lists"}