Building a more stable TOR Access Point

As I earlier pointed out I want to have more convenience in using the TOR network which means that I want to be independent from Browser software updates, OS updates etc.

In one of my earlier postings I described building the SPONionPi based on a tutorial brought to us by Spiegel Online. This is Raspberry Pi project works like some sort of Access Point Bridge with one DHCP WLAN client and one Access Point with a DHCP server bound to it.

The disadvantage of this project is:

  • The admin interface is purely German
  • Only a limited number of card drivers seems to be implemented
  • Authentication method does only cover WPA but not WPA2
  • Limited monitoring etc.

Having a WLAN AP Bridge looks smart but for my purpose it is not necessary to have more WLAN dongles. They consume power and increase the temperature of the Raspberry, which means that I would have to lower clocking to compensate those effects.

Furthermore all those articles I found explain building Aps and TOR servers but they are very simple with regards what you should do to avoid exit nodes which might not be trustworthy, which browsers you should use and give some basic rules of thumb on how to use TOR.

I therefore decided to create my own Raspberry Pi disk image and mix some good features I found elsewhere and combine those things with some general hints for using TOR.

Baseline the Raspberry

My RaspberryPi shall be build on the adafruit learning system with their OnionPi. So please apologize that I will only describe the basic steps shortly. I will add some more steps within the initial setup procedure from which I believe they improve stability or make the configuration slightly easier for people like me (not a Linux native).

 Create your Occidentalis image, prepare your SD card

I believe it is best to follow the instructions on the adafuit webpage:

 First Power On and initial login

Use a ssh connection (eG PuTTY on Windows or the terminal in your MAC) to login using the default credentials “pi” ant “raspberry”

Initial configuration

Use the sudo raspi-config to start the configuration program.

Please upgrade the installation application first to be able to set the right parameters. You will be asked if you want to allocate more diskspace then answer “y” to confirm. After having done so, please use the sudo raspi-config program againto set the right parameters for:

  • Expand Filesystem
  • Change User Password
  • Internationalisation Options – Change Timezone
  • Advanced Options – A2 Hostname

When exiting the application please reboot the Raspberry.

Due to the broken ssh pipeline you will need to re-login.


Please run the sudo apt-get upgrade command to bring the image to a recent state. Go and have a cup of coffee – or better two – because it will take some time-

Installing software for Ethernet and WLan

The initial configuration is now done and we can start to configure the network adapters.

The next step will include the setup of the network conection.

We will hace a DHCP client to listen to the Ethernet interface whereas the WLan will provide a DHCP service to authenticat incoming connections from our mobile devices.

Use command sudo apt-get install hostapd isc-dhcp-server to install both packages.

Do not worry that you will receive a message telling you that start of the DHCP server failed. It is not configured yet 😉

After having installed these packages we will start with the configuration of both.

Please power down the Raspberry to plug in the wlan dongle.Please take a few minutes to let it boot up with the wlan dongle before loging in using ssh.

Set up the DHCP server

First we will have to configure the file /etc/dhcpd/dhcpd.conf by using the sudo nano /etc/dhcp/dhcpd.conf

Please search for the following lines and change them

Original   Changed
option domain-name “”; #option domain-name “”;
option domain-name-servers,; #option domain-name-servers,;
# If this DHCP server is the official DHCP server for the local # If this DHCP server is the official DHCP server for the local
# network, the authoritative directive should be uncommented. # network, the authoritative directive should be uncommented.
#authoritative; authoritative;

After this add the following lines at the bottom of the file:

subnet netmask {


option broadcast-address;

option routers;

default-lease-time 600;

max-lease-time 7200;

option domain-name “local”;

option domain-name-servers,;


You may want to change the DNS servers or the IP range. I will take a closer look at the DNS service itself.

Close file with ctrl-x (or strg-x) followed by “y”  and “return” to confirm saving.

Type sudo nano /etc/default/isc-dhcp-server

Change the line that contains interfaces=”” to interfaces=”wlan0”

As I have written before, the WLan interface will provide a DCP server so that it needs to have a static IP address. It also serves as gateway between WLan and Ethernet interface.

Please run “sudo nano /etc/network/interfaces”

Add a “#” in front of the auto wlan0.

After that make sure that you add these lines to file and that there is no further “iface wlan0” line exists

iface wlan0 inet static



After having saved the file (ctrl-x, y, return) run sudo ifconfig wlan0

Configuring the Access Point

Now let’s start configuring the HostAPD which is used to authenticate incoming requests.

We will create a new file by running sudo /etc/hostapd/hostapd.conf

Please paste the following code into this configuration file and make sure that you set the ssid and wpa_passphrase with the parameters you want to use.

Later on I will spend some time to explain the configuration file in more detail and make some changes to it. But for the moment we are done!














Now we will tell the hostapd where the configuration file can be found.

Change the line #DAEMON_CONF=”” to DAEMON_CONF=”/etc/hostapd/hostapd.conf  and save the file as usual.

Now we need to configure the path from the wlan to the Ethernet interface using NAT (network address translation)

Type sudo nano /etc/sysctl.conf and scroll to the section looking like this

# Uncomment the next line to enable packet forwarding for IPv4


and remove the # before net.ipv4.ip_forward=1 to enable IP forwarding

Now we need to run the command

sudo sh -c “echo 1 > /proc/sys/net/ipv4/ip_forward”

to active forwarding at once

The following commands will then start the address translation between eth0 and wlan0:

sudo iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE

sudo iptables -A FORWARD -i eth0 -o wlan0 -m state –state RELATED,ESTABLISHED -j ACCEPT

sudo iptables -A FORWARD -i wlan0 -o eth0 -j ACCEPT

Then change the boot configuration to execute this every time you boot this image.

sudo sh -c “iptables-save > /etc/iptables.ipv4.nat”

run again sudo nano /etc/network/interfaces  and add

up iptables-restore < /etc/iptables.ipv4.nat

at the very end of this file and save it again

We will simply bring the hostapd together with drivers etc. to an appropriate version using the following commands:



sudo mv /usr/sbin/hostapd /usr/sbin/hostapd.ORIG

sudo mv hostapd /usr/sbin

sudo chmod 755 /usr/sbin/hostapd

The configuration is now finished and we simply need to finally test it using a mobile device to list our wlan networks.

BildAs you can see from the screenshot from my iPhone the WLan “myTOR” is active

Finalizing the AccessPoint before Installing TOR

There are a few commands you will need to run to complete our installation.

Start services

sudo service hostapd start

sudo service isc-dhcp-server start

Did that work?

sudo service hostapd status
sudo service isc-dhcp-server status

Finally: Reboot using sudo reboot

Now: Installing TOR

Now we need to downlaod TOR and configure it propperly by typing the following command:

sudo apt-get install tor

Please edit the torrc file by opening it

sudo nano /etc/tor/torrc

and then copying the following lines to the top of the file

Log notice file /var/log/tor/notices.log


AutomapHostsSuffixes .onion,.exit

AutomapHostsOnResolve 1

TransPort 9040


DNSPort 53


It is now time to configure the iptables, routing, ports etc by using the following commands:

sudo iptables -F
sudo iptables -t nat -F

sudo iptables -t nat -A PREROUTING -i wlan0 -p tcp –dport 22 -j REDIRECT –to-ports 22

sudo iptables -t nat -A PREROUTING -i wlan0 -p udp –dport 53 -j REDIRECT –to-ports 53

sudo iptables -t nat -A PREROUTING -i wlan0 -p tcp –syn -j REDIRECT –to-ports 9040

sudo iptables -t nat -L

Then replace the old NAT file with the new ones:

sudo sh -c “iptables-save > /etc/iptables.ipv4.nat”

will create a log file for debug purposes

sudo touch /var/log/tor/notices.log
sudo chown debian-tor /var/log/tor/notices.log
sudo chmod 644 /var/log/tor/notices.log

check it

ls -l /var/log/tor

start the TOR service manually

 sudo service tor start

and make it start right when you power on your Raspberry

sudo update-rc.d tor enable

After reboot using sudo reboot as usual you may now check your TOR connection by using the URL

You may also want to see where you are leaving the TOR network which can be done using a geolocation service.

A better reeadable version as PDF is downloadable here : Link to the PDF


2 thoughts on “Building a more stable TOR Access Point

  1. Hallo Jörg,

    spannendes Projekt! Ich hatte mir so etwas auch schon einmal überlegt, aber bislang noch nie umgesetzt. Wenn die Verbindung zu Tor stabil läuft, könnte man damit auch einen öffentlichen Hotspot anbieten, weil die eigene IP-Adresse ja verschleiert wird und man somit die Anbieterhaftng elegant umgehen kann. Der Pi steht schon bereit – das muss ich mal testen!

    Beste Grüße,


    • Hallo Alex,
      dazu folgende Überlegungen:

      1. Ich glaube nicht, dass das TOR Netzwerk geeignet ist, solchen Traffic zu handeln.
      2. Ich denke, damit wird auch die Überlegung des TOR Netzes ggf. ad absurdum geführt, da die IP Adresse mit der Nutzung von personalisierten Services wieder transparent wird.
      3. Ich denke, dass die Provider von Exit Nodes das nicht sehr schätzen würden, wenn hier ggf. kommerzieller Traffic läuft.

      Wenn es nur um die Verschleierung am Endpoint (mobile Device) herausläuft, aber nicht generell um Anonymisierung, dann könnte man auch über einen Exit Node für höheren Traffic nachdenken und in der torrc.conf diesen Node als einzigen Exit Node hinterlegen.
      Die Problematik der Nutzung der TOR Infrastruktur für ggf. kommerzielle Zwecke bleibt bestehen.
      Let’s discuss.
      Best regards

Leave a Reply

Fill in your details below or click an icon to log in: Logo

You are commenting using your account. Log Out / Change )

Twitter picture

You are commenting using your Twitter account. Log Out / Change )

Facebook photo

You are commenting using your Facebook account. Log Out / Change )

Google+ photo

You are commenting using your Google+ account. Log Out / Change )

Connecting to %s