[Tutorial] Your own private anonymizing proxy – Raspberry Pi / TOR based

This howto uses the Raspberry Pi as the base system (tutorial is based on Debian), and Tor as the SOCKS5 Proxy.

The Objective: be anonymous on the internet, using the Raspberry Pi as a transparent SOCKS 5 proxy.

I didn’t intended this to be a completely exhaustive tutorial, but i feel it’s complete enough for the novice user to follow.

As a bonus, i’ve added info on how to use Tor as a Socks Proxy for your iPhone/iPad – no need to jailbreak.

If in any doubt following this guide, please leave a comment!

Introduction

Sometimes, you need to anonymize yourself in the internet. Or you’re just paranoid and don’t want to be followed around.

Either way, a proxy is a great way to stay anonymous in the internet.

If you just want to browse around, you can download a full featured package with Tor, and its own stripped down version of Firefox called TorBrowser. There are versions for Linux, OS X, and Windows, and you’re ready to go.

But if you don’t want to install anything in every device you own, or you want to be anonymous on your iPhone or Android device, then, this tutorial is for you.

 

How does Tor work?

Tor works by relaying your connection among a few servers. For instance, when you browse Facebook, their servers will log your IP address upon establishing connection. When you log in through a proxy, only the proxy connection is registered: your IP remains hidden.
But when using TOR, the connection is relayed through 3 servers before reaching the destination. When the server wants to reach you, the connection will go though 3 different servers.

How Tor works
How Tor works

 

Please have in mind that Tor is as anonymous as you are. If you’re using Facebook, you’re probably using your name, the browser saves a session cookie, so, only the IP is safe. You’re probably also giving away your location, since many sites track your location.

Tor has a powerful built in Socks 5 proxy, easy to setup without the need for an external tool (such as Polipo or ProxyChains).

Install Tor on the Raspberry Pi

I’m assuming you already have a Raspberry Pi with latest Debian installed, and connected to the internet. Latest Debian has codename Wheezy (version 7.1). The one before was Squeeze (version 6.xx).

 

EDIT: not feeling like compiling? I’ve compiled tor for Raspbian (should work on any Debian distro for the Raspberry Pi) from the sources: Download here – compiled on 27-dec-2013 for the Raspberry Pi. Then, after decompressing, install them as usual:

$ sudo dpkg -i tor_*.deb

 

Then add these lines to your /etc/apt/sources.list file (you can use nano for editing the file, easier then vi).

deb http://deb.torproject.org/torproject.org <DISTRIBUTION> main
deb-src http://deb.torproject.org/torproject.org <DISTRIBUTION> main
deb-src http://deb.torproject.org/torproject.org tor-experimental-0.2.5.x-<DISTRIBUTION> main

where you put the codename of your distribution (i.e. lenny, sid, saucy or whatever it is) in place of <DISTRIBUTION>.

So, if you’re on Wheezy, you should add:

deb http://deb.torproject.org/torproject.org wheezy main
deb http://deb.torproject.org/torproject.org tor-experimental-0.2.5.x-wheezy main
deb-src http://deb.torproject.org/torproject.org wheezy main
deb-src http://deb.torproject.org/torproject.org tor-experimental-0.2.5.x-wheezy main

Update and install the dependencies:

# apt-get update
# sudo apt-get install build-essential fakeroot devscripts
# sudo apt-get build-dep tor

Now, build Tor from source (go grab a beer while you wait, or 5):

$ mkdir ~/debian-packages; cd ~/debian-packages
$ apt-get source tor
$ cd tor-*
$ debuild -rfakeroot -uc -us
$ cd ..

If you have any error – i got some dependencies missing in latest Raspbian from Dec 20, install a few more dependencies and repeat the last step:

$ sudo apt-get install quilt libssl-dev libevent-dev asciidoc docbook-xml docbook-xsl xmlto dh-apparmor

If there are no errors you’re good to continue and install Tor.

$ sudo dpkg -i tor_*.deb

Configure Tor

This step is a bit tricky, but following these lines, it should be straightforward – don’t panic!. Open /etc/tor/torrc with your favorite file editor.

Uncomment the line

SocksPort 9050

And add the line

SocksListenAddress 192.168.1.10:9050

where 192.168.1.10 is the Raspberry Pi IP address on your local network, and 9050 is the port where the Socks proxy will be listening.

Then, we need to set which clients can connect to the  proxy on the Pi, configuring the lines SocksPolicy. These are read top to bottom, so, we’re configuring the hosts we’re allowing on top, and deny everything else.

If your local network is 192.168.1.1 – 192.168.1.254, then, we add

SocksPolicy accept 192.168.1.0/24

If you have more networks you’d like to access (for instance, a VPN network – more on that later), you can add them here. Make sure the last lne is SocksPolicy reject * (this is the default).

For this to work, Tor will have to work as a relay for the Tor network. This is safe to do, and will use a configurable amount of bandwidth to the network. Tor relies on bandwidth donated by the Relays. You’ll find more information here. Setting the bandwidth too low, will give you a lousy experience.

Uncomment the lines,

ORPort 9001
ORPort 443 NoListen
ORPort 127.0.0.1:9090 NoAdvertise

Finally, if you’d like, set the bandwidth you’d like to donate to the Tor network with the parameters. Setting it too high will prevent other applications for using the internet in an efficient way. Play around with the values. Setting this to 20% of your total bandwidth is a good way to start.
But please remember – Tor is supposed to be anonymous, not blazing fast!

RelayBandwidthRate 500 KB
RelayBandwidthBurst 700 KB

These values are in KiloBytes per second, but usually our connections are in Kilobits per second. So, if you have a 12Mbps connection, you’re looking in at 12000/8 = 1500KBps (values are rounded). The values above would donate 500KB/s of consistent streams of total data going through the relay, while allowing 700KB/s of bursts.

A little down the file you’ll find mechanisms to keep track of this. You can set limits for Tor to work, for instance, no more than 2GB a day, or  only letting it run after midnight. The file is very well documented.

Uncomment

ExitPolicy reject *:*

and at the end of the file add

DNSPort 53
DNSListenAddress 192.168.1.10
AutomapHostsOnResolve 1
AutomapHostsSuffixes .exit,.onion

And you’re done.

The ExitPolicy will make you only a transit relay (i.e., not the last IP of the network that gets logged on the end point. This is what makes this setup safe for anyone to run.
The last lines will listen for DNS requests on standard port 53 and on Pi’s local IP address, and map .exit and .onion domains to the Tor network (these don’t exist anywhere else in the Internet).

Restart the service, and test it!

sudo /etc/init.d/tor restart

Testing it

In order to test it, you’ll need to configure your browser to use the Proxy we’ve just enabled. In most browsers this is done the same way: go to Preferences => Advanced => Network => Connection / configure. Here’s a snapshot on Firefox:

Firefox Proxy settings
Firefox Proxy settings

You can also set a system wide proxy, so every application will be anonymous on the internet. Here’s how to do it on Windows 7, and on Ubuntu, and on OS X. For other operating systems, you should be able to find it easily on google.

You’ll complete the fields under SOCKS 5 with the Raspberry Pi IP address, and proxy port: 9050.

For a final test, just go to https://check.torproject.org and you should see a happy green onion:

Check tor
Checking if tor is working

 

Bonus: proxy on unsupported devices!

I hate that my iPhone won’t let me set a Socks proxy, but only an HTTP proxy.

I won’t go exhaustive on this one, but just giving the basic steps.

1) Install a web server, such as LigHTTPd, and check if you have a test web page on your Raspberry Pi’s IP address:

sudo apt-get install lighttpd

2) If everything is good, create the Proxy Auto-Configuration file. Give it a strange/secure name, and place it under /var/www – i’ll name it mysupersecretproxy.pac

nano /var/www/mysupersecretproxy.pac

3) enter the following on the file:

function FindProxyForURL(url, host)
{ 
     return "SOCKS 192.168.1.10:9050";
}

4) Configure your iPhone with the newly created PAC file.

Go to Settings > Wifi and click the blue arrow to the right of your  network, scroll to the bottom, click Auto and type in the address to your PAC file (e.g. http://192.168.1.10/mysupersecretproxy.pac).

Bonus 2 – anonymizing yourself through your VPN

If you have a VPN connecting you from the outside to your Raspberry Pi, you can stay anonymous wherever you are!

Once again, not going to be thorough with this one, but if you have a VPN, it’s easy enough! Considering your Pi is on 192.168.1.10, and you get a IP on your VPN in the 192.168.2.x range, edit your /etc/tor/torrc file and add the following line:

SocksPolicy accept 192.168.2.0/24

Restart the service with sudo /etc/init.d/tor restart and you’re done!

Your Socks proxy is now accessible through the VPN, and relaying connections through the Tor network!

3 thoughts on “[Tutorial] Your own private anonymizing proxy – Raspberry Pi / TOR based”

  1. Hello!

    Thank you for the tutorial. Please be so kind and tell me for what those entries are:
    1.
    ORPort 9001 # this is the normal behaviour
    ORPort 443 NoListen #but for what are this line
    ORPort 127.0.0.1:9090 NoAdvertise #and this one?

    2.
    DNSPort 53
    DNSListenAddress 192.168.1.10
    AutomapHostsOnResolve 1
    AutomapHostsSuffixes .exit,.onion

    Also for what are the entries at point two? I never used them before. Port is for dns resolution and dnslistenaddresss should be the Ip for the PI. But why do you set those? And ofc the last two lines which start with “Automap”?

    thank you in advanced

Leave a Reply

Your email address will not be published. Required fields are marked *


six − 5 =

You may use these HTML tags and attributes: <a href="" title=""> <abbr title=""> <acronym title=""> <b> <blockquote cite=""> <cite> <code> <del datetime=""> <em> <i> <q cite=""> <strike> <strong>