Create a Tor VLAN using a Raspberry Pi and pfSense

First of all, the majority of the credit goes to Magnus Hedemark for his article CREATE A TOR-ONLY VLAN WITH A RASPBERRY PI. I've copied parts of his article into mine, since I did not do all of the steps he did.

Here's the list of things I used:

A few assumptions up front:

  1. You've already got a Raspbian base image installed on your Pi.
  2. It’s plugged into an Ethernet switch where untagged traffic transmits on a trusted network, and has a route to the public Internet.
  3. For the sake of this blog post, we’ll call that vlan10 and assume its native network is 192.168.1.0/24.
  4. For me, I had the switch move all untagged traffic to VLAN30, because my VLAN30 was a VPN connection.
  5. There is a second VLAN configured on this switch, we’ll call it vlan40, and its native network is 172.16.15.0/24. This is an isolated VLAN with no transit to the Internet.
  6. If you use anything other than 40, please make sure you substitute all instances of the 40 in "eth0.40" below to whatever number you use.
  7. You've created a VLAN in pfSense and assigned it a static IPv4 address.
  8. Since I'm using the 172.16.15.0/24 network, I assigned the interface a static IP of 172.16.15.1
  9. I turned on the DHCP server for this new interface and gave it a range of 172.16.15.100 through 172.16.15.150.
  10. I set the default DNS server and the default gateway to point to the Raspberry Pi
  11. My Raspberry Pi is going to be given a static IP of 172.16.15.2, so this is the IP address I used in those fields.
  12. You've already walked through the initial setup menu when logging into your Raspberry Pi for the first time.

OK let’s get started:

  • run sudo apt-get update to update the index of available packages
  • run sudo apt-get dist-upgrade to upgrade to the latest versions of installed packages
  • run sudo apt-get install tor to install tor.
  • This will start the tor daemon automatically, which we’re not quite ready for yet.
  • run sudo /etc/init.d/tor stop to stop the tor daemon for now
  • run sudo apt-get install vlan to give us the ability to set up a tagged VLAN interface
  • run sudo modprobe 8021q to enable the kernel module for tagged VLAN support
  • run sudo vconfig add eth0 40 to create the tagged interface, and you should see this:
pi@raspberrypi ~ $ sudo vconfig add eth0 40
Added VLAN with VID == 40 to IF -:eth0:-
  • echo 8021q | sudo tee -a /etc/modules to persist this change across reboots (sudo echo 8021q >> /etc/modules does not work: the redirect is performed by your unprivileged shell, not by sudo, so it fails with "Permission denied")
  • sudo ifconfig eth0.40 172.16.15.2/24 sets the IP address on the new VLAN interface.
  • Let’s make this permanent.
  • Run sudo nano /etc/network/interfaces and add this:
auto eth0.40
iface eth0.40 inet static
address 172.16.15.2
netmask 255.255.255.0
  • Let’s go ahead and adjust tor’s configuration to handle transparent proxying for us. Go ahead and sudo vi /etc/tor/torrc and add the following lines to the end of the file:
VirtualAddrNetworkIPv4 10.192.0.0/10
AutomapHostsOnResolve 1
TransPort 9040
TransListenAddress 172.16.15.2
DNSPort 53
DNSListenAddress 172.16.15.2
  • Go ahead and start tor. sudo /etc/init.d/tor start (but we’re still not done)
  • We've got both networks up. We've got tor configured to transparently proxy all TCP traffic and DNS queries. But we don’t have anything funneling TCP traffic into tor yet. Let’s continue.
  • Let’s build our Firewall rules. Go ahead and sudo nano /etc/iptables.up.rules and paste the following lines into it:
*nat
:PREROUTING ACCEPT [9:3009]
:INPUT ACCEPT [1:141]
:OUTPUT ACCEPT [5:372]
:POSTROUTING ACCEPT [5:372]
-A PREROUTING -i eth0.40 -p udp -m udp --dport 53 -j REDIRECT --to-ports 53
-A PREROUTING -i eth0.40 -p tcp -m tcp --tcp-flags FIN,SYN,RST,ACK SYN -j REDIRECT --to-ports 9040
COMMIT
*filter
:INPUT ACCEPT [5:616]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -i eth0.40 -p udp -m udp --sport 67:68 --dport 67:68 -j ACCEPT
-A INPUT -i lo -j ACCEPT
-A INPUT -d 127.0.0.0/8 ! -i lo -j REJECT --reject-with icmp-port-unreachable
-A INPUT -i eth0 -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -i eth0 -p tcp -m state --state NEW -m tcp --dport 22 -j ACCEPT
-A INPUT -i eth0 -p icmp -m icmp --icmp-type 8 -j ACCEPT
-A INPUT -m limit --limit 5/min -j LOG --log-prefix "iptables denied: " --log-level 7
-A INPUT -i eth0 -j REJECT --reject-with icmp-port-unreachable
-A FORWARD -i eth0 -j REJECT --reject-with icmp-port-unreachable
-A OUTPUT -j ACCEPT
COMMIT
  • Let’s make the firewall rules persistent. sudo nano /etc/network/if-pre-up.d/iptables
#!/bin/sh
/sbin/iptables-restore < /etc/iptables.up.rules
  • And this new script needs to be executable: sudo chmod +x /etc/network/if-pre-up.d/iptables
  • For good measure, since we grabbed updates earlier in this process, it’s probably not a bad idea to sudo reboot
  • Wait until the Raspberry Pi is back up. Try plugging a laptop into a switch port that is untagged on VLAN40. You should get a DHCP lease on the 172.16.15.0/24 network. Go ahead and open a web browser. You should be able to surf.
  • Or if you've already configured a Wireless network for VLAN40, you should be able to connect to that instead.
  • Try going to a site like http://www.whatismyip.com/ and see what IP you’re coming from.

Remember, this isn't perfect anonymity. Your browser cookies, your browsing habits, the plugins you use, etc. can easily give away your identity (This is one reason I'm using Tor over my PIA VPN connection). The main point of this is to give a clever option for providing guest WiFi services with a lower risk to the service host. This also gives the guests a better shot at reclaiming their privacy and anonymity.

Most ICMP traffic is going to get dropped on the floor with this system, as well as almost all UDP traffic. DNS queries will get captured and redirected through tor. A hidden bonus of this arrangement is that guests can browse .onion hidden services without installing anything on their end. Tor is really a TCP-only network, so forget about running BitTorrent here, or playing your favorite games (which more often than not depend on UDP).

You should now have a privacy-enhanced VLAN configured, with transit to the Internet handled transparently through Tor. My Tor connection has added security because it's connecting to the Tor network over my VPN connection.

I also went one step further and created rules on the VLAN interface to only allow traffic to the gateway. This will keep my guests from reaching my main internal network, as well as keep them from reaching other guests. All I may need to do now is tighten up the security of my Raspberry Pi as they will have access to reach that device. I also imaged the MicroSD card to a file on my PC so that I can easily restore it later if needed. I used the guide located here for that part.
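One reason that tightening matters: the last INPUT rule in the ruleset above, -A INPUT -i eth0 -j REJECT, matches the interface named eth0 only and not eth0.40, so with the INPUT policy left at ACCEPT every service on the Pi (ssh included) is reachable from the guest VLAN. The following is an added example, not the ruleset from the post or from Magnus Hedemark's article: a replacement *filter section for /etc/iptables.up.rules that switches INPUT to a DROP policy and lets eth0.40 reach only the two tor listeners the nat table redirects to. It assumes the interface names and addresses used in the post and that the *nat section from above stays exactly as written, in front of this one.

```iptables
# Added example: hardened *filter section for /etc/iptables.up.rules.
# The *nat section from the post is unchanged and must come before this.
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
# Loopback, and nothing on the wire pretending to be loopback
-A INPUT -i lo -j ACCEPT
-A INPUT -d 127.0.0.0/8 ! -i lo -j REJECT --reject-with icmp-port-unreachable
# Replies to connections the Pi itself opened (tor circuits, apt, ssh)
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
# Guest VLAN (eth0.40): only the two tor listeners. INPUT runs after the
# nat PREROUTING REDIRECT, so it sees the rewritten ports 53 and 9040.
-A INPUT -i eth0.40 -p udp -m udp --dport 53 -j ACCEPT
-A INPUT -i eth0.40 -p tcp -m tcp --dport 9040 -j ACCEPT
# pfSense answers DHCP on this VLAN; drop the broadcasts quietly so they
# do not fill the log below.
-A INPUT -i eth0.40 -p udp -m udp --sport 67:68 --dport 67:68 -j DROP
# Management (ssh, ping) only from the trusted untagged network on eth0
-A INPUT -i eth0 -p tcp -m state --state NEW -m tcp --dport 22 -j ACCEPT
-A INPUT -i eth0 -p icmp -m icmp --icmp-type 8 -j ACCEPT
# Everything else, on any interface: log (rate-limited), then reject
-A INPUT -m limit --limit 5/min -j LOG --log-prefix "iptables denied: " --log-level 7
-A INPUT -j REJECT --reject-with icmp-port-unreachable
# The Pi is a transparent proxy, not a router: never forward between VLANs
-A FORWARD -j REJECT --reject-with icmp-port-unreachable
COMMIT
```

ip6tables is untouched by this file; if VLAN40 ever carries IPv6, the same restrictions are needed there, or guests bypass tor entirely.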

This setup is not 100% secure (or is it?), so if you have any further ideas on making this better, please let me know in the comments below and I'll be glad to add them into this post.