How to make Raspberry Pi a Tor router with all kind of network setup using systemd-networkd

Question

I have looked for a way to connect to the Tor network transparently using systemd-networkd. I want just to connect to a Raspberry Pi by wifi or wired and get into the internet through the Tor network. I have found several questions but all without an answer except to Use Rapsberry Pi as Tor relay with desktop computer. But it seems a bit outdated and referenced only to a specific network setup.

Is there a way to use systemd-networkd to make a transparent proxy (Tor router) to the Tor network independent from the underlaying network setup?

Ingo · Accepted Answer · 2020-05-19T22:00:53.687

Tested on a Raspberry Pi 4B with
Raspbian Buster Lite 2020-02-13 updated on 2020-05-19.
Updates done with sudo apt update && sudo apt full-upgrade && sudo reboot.

The setup of a Tor proxy does not depend on the underlying network configuration. The proxy only needs an interface that can be used to send data to the Tor network, and an internet connection. So you can use any tutorial to setup the network, as long as that results in stable and error-free network connections. For systemd-networkd you should be able to use one of the following setups:

access point (ap0) with wifi uplink (wlan0), wlan repeater with on-board wifi - section: Setup wifi repeater
access point (wlan0) with wired uplink (eth0), wlan repeater with wired uplink - section: Setting up an access point and with eth0, with routing
access point (wlan1) with wifi uplink (wlan0), wlan repeater with additional USB/wifi dongle
wired subnet (eth1) with uplink (eth0), router with two wired ports

You can follow one of the above tutorials or setup your own installation and ensure it's stable. For this example I will use the wlan repeater with on-board wifi without a bridge as shown in the first link above as I think it is the most frequently used. In this example, the access point will be assigned a static ip address: 192.168.4.1 to interface ap0.

Once you have a stable network, then install the Tor daemon. It comes with complete systemd services.

rpi ~$ sudo -Es
rpi ~# apt install tor
rpi ~# systemctl stop tor.service

First create a default setup file to define what interface the tor proxy should use as its entry point. For this example it is:

rpi # mkdir /usr/local/etc/default
rpi # cat > /usr/local/etc/default/torproxy <<EOF
# interface to be used as entry point to the Tor network
TOR_IFNAME=ap0
TOR_IFADDR=192.168.4.1
EOF

Setup tor configuration:

rpi ~# [[ -f /etc/tor/torrc.orig ]] || mv /etc/tor/torrc /etc/tor/torrc.orig

rpi ~# cat > /etc/tor/torrc <<EOF
VirtualAddrNetworkIPv4 10.192.0.0/10
VirtualAddrNetworkIPv6 [FC00::]/7
AutomapHostsOnResolve 1
TransPort 127.0.0.1:9040
DNSPort 127.0.0.1:53

# endpoint selection
# uncomment and edit next lines if you want your exit nodes only in
# specific countries
#StrictNodes 1
#ExitNodes {de},{uk},{us}
EOF

Now configure the transparent proxy with iptables rules. We add this so that the tor service will be started and stopped with iptables. Edit the service with:

rpi ~# systemctl edit tor.service

Into the empty editor insert these statements, save them and quit the editor. Have attention to the - sign after the equal sign on some statements:

[Service]
EnvironmentFile=/usr/local/etc/default/torproxy

ExecStartPre=/bin/bash -c '/bin/sed -i "s/^TransPort .*:/TransPort $TOR_IFADDR:/" /etc/tor/torrc'
ExecStartPre=/bin/bash -c '/bin/sed -i "s/^DNSPort .*:/DNSPort $TOR_IFADDR:/" /etc/tor/torrc'

ExecStartPost=/sbin/iptables -t nat -A PREROUTING -i $TOR_IFNAME -p tcp --dport 22 -j REDIRECT --to-ports 22
ExecStartPost=/sbin/iptables -t nat -A PREROUTING -i $TOR_IFNAME -p udp --dport 53 -j REDIRECT --to-ports 53
ExecStartPost=/sbin/iptables -t nat -A PREROUTING -i $TOR_IFNAME -p tcp --syn -j REDIRECT --to-ports 9040

ExecStopPost=-/sbin/iptables -t nat -D PREROUTING -i $TOR_IFNAME -p tcp --dport 22 -j REDIRECT --to-ports 22
ExecStopPost=-/sbin/iptables -t nat -D PREROUTING -i $TOR_IFNAME -p udp --dport 53 -j REDIRECT --to-ports 53
ExecStopPost=-/sbin/iptables -t nat -D PREROUTING -i $TOR_IFNAME -p tcp --syn -j REDIRECT --to-ports 9040

Finish the setup and start the tor proxy with:

rpi ~# systemctl daemon-reload
rpi ~# exit
rpi ~$ sudo systemctl start tor.service

For testing your tor proxy you can connect with a mobile phone to your access point. Use an internet browser to connect to this site:

https://check.torproject.org

References:
[1] Change Your Raspberry Pi Into A TOR Router

Pls review my edits to ensure I've not inadvertently changed your meaning. — Seamus, Dec 28 '18 at 07:18
@Seamus Thank you for review. Everything is ok (I wanted to distinguish between tor daemon and Tor network but that really doesn't matter). — Ingo, Dec 28 '18 at 12:51
Tor vs tor... yeah - I agree, but I may have gotten that wrong. Any questions, let's chat about it. Great post BTW! — Seamus, Dec 28 '18 at 13:52
FYI - still works as of 2021-10-13 with current (2021-05-07) raspios-buster-lite, though I also had to create the drop-in config for the tor@default systemd unit, e.g.:
systemctl edit tor@default

adding the same [Service] override as for tor.service. — Jef, Oct 13 '21 at 19:07

score 2 · Answer 2 · answered Jan 14 '19 at 03:10

2

I am working on a script linux-router that supports creating transparent Tor network.

First run Tor on your Pi with TransPort and DNSPort set in torrc. Then run

# lnxrouter --ap wlan0 <SSID> --password <password> --tp 9040 --dns 9053

(as described here)

That command creates Wifi AP and redirects clients' Internet traffic to Tor.

answered Jan 14 '19 at 03:10

garywill

21
1

1

It doesn't really answer the question which asked for using systemd-networkd. – Ingo Jan 14 '19 at 21:50

How to make Raspberry Pi a Tor router with all kind of network setup using systemd-networkd

2 Answers2

Linked