# Tor and the DreamPlug

This page aims to describe some of the things you can do with Tor on the DreamPlug, such as setting up a bridge or a relay. Our goal is that you do not need to read this page - you should simply install the `torouter` debian meta-package and you'll have a Torouter. This is outlined in #3647; if the ticket isn't closed, we haven't met our goal, so read on!

If you have not installed Debian on the DreamPlug already, you may want to do so now. See [/doc/DebianDreamPlug](/doc/DebianDreamPlug) for instructions.

## Packages that are nice to have

What follows is a list of packages that you can install if you want to. They are not required for this howto, but they are nice to have:

```
aptitude install apt-utils rsyslog
```

## Internet interface on eth0

To set up an Internet interface on eth0, make sure _/etc/network/interfaces_ contains the following:

```
# The primary network interface
allow-hotplug eth0
iface eth0 inet dhcp
```

## A dhcp client running on eth0

_TODO: document._

## Install and configure OpenSSH

If you haven't done so already, run the following command as root to install OpenSSH. Doing so means you can drop the JTAG board and connect to the device via SSH:

```
aptitude install openssh-server
```

There are a couple of things you can do to keep SSH secure: use SSH keys for authentication, edit the config to only allow certain users, disable root login and password authentication, only allow specific IP addresses to connect, and so on. We'll take a look at these things in the following sections. You could also set up a firewall on the Torouter with _iptables_ or _ufw_ (which was developed to ease iptables firewall configuration). Keep the JTAG/serial console connected until key-based login has been confirmed to work, because the steps below disable password login.

### Create SSH keys

To create SSH keys, run the following command from the host you wish to connect to the Torouter from:

```
ssh-keygen -t rsa
```

When asked where you want to save the file, just hit enter for the default option. While it is possible to have an empty passphrase, this is not recommended: without one, anybody who copies the private key file can use it.

The next step is to transfer the public key to the Torouter:

```
scp .ssh/id_rsa.pub [IP address of the Torouter]:.ssh/
```

You may need to create the _.ssh_ directory on the Torouter before running the command above (`mkdir -m 700 ~/.ssh`). Once the file has been transferred, append the key to _authorized_keys_ on the Torouter:

```
cd .ssh
touch authorized_keys
chmod 600 authorized_keys
cat id_rsa.pub >> authorized_keys
```

The permissions matter: with the default `StrictModes yes`, sshd silently ignores the key file if it, the _.ssh_ directory or your home directory is writable by group or others.

If you log out and log back in, you should be asked for the key's passphrase rather than your account password.

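The touch/chmod/cat sequence above does the job once, but it is easy to get wrong (a private key pasted by mistake, the key appended twice, a world-writable home that makes sshd ignore the file). The script below is an added example for this page, not code from the original, that installs a public key on the Torouter with those checks built in. The function names and the sample key are constructed for the demonstration; it assumes a POSIX shell with `grep`, `awk`-free tooling only.

```shell
#!/bin/sh
# Added example, not code from the original page: install a public key on
# the Torouter the way the touch/chmod/cat sequence above intends, but
# idempotently and with the checks that sshd's StrictModes enforces.
# Usage: install_authorized_key /path/to/id_rsa.pub [home-directory]
# The helper names and the sample key below are constructed for this example.

# A public-key file must hold exactly one line of the form
# "<type> <base64 blob> [comment]".  Anything else (a private key pasted by
# mistake, an empty file, several keys) is refused before it reaches
# authorized_keys.
valid_pubkey_line() {
    [ "$(grep -c '' "$1")" -eq 1 ] || return 1
    read -r ktype kdata _rest < "$1" || :
    case $ktype in
        ssh-rsa|ssh-ed25519|ssh-dss|ecdsa-sha2-nistp256|ecdsa-sha2-nistp384|ecdsa-sha2-nistp521) ;;
        *) return 1 ;;
    esac
    printf '%s' "$kdata" | grep -Eq '^[A-Za-z0-9+/]+=*$'
}

install_authorized_key() {
    pub=$1
    home=${2:-$HOME}
    if ! valid_pubkey_line "$pub"; then
        echo "refusing $pub: not a single OpenSSH public key line" >&2
        return 1
    fi
    key=$(cat "$pub")
    # sshd (StrictModes yes, the default) ignores authorized_keys when the
    # home directory, ~/.ssh or the file itself is group- or world-writable.
    case $(ls -ld "$home" 2>/dev/null | cut -c6,9) in
        *w*) echo "warning: $home is group/world-writable; sshd will ignore the key" >&2 ;;
    esac
    mkdir -p "$home/.ssh" && chmod 700 "$home/.ssh" || return 1
    touch "$home/.ssh/authorized_keys" && chmod 600 "$home/.ssh/authorized_keys" || return 1
    # Append only when this exact line is not already there, so re-running
    # the script (or a second scp) never duplicates the key.
    grep -qxF -- "$key" "$home/.ssh/authorized_keys" ||
        printf '%s\n' "$key" >> "$home/.ssh/authorized_keys"
}

# Demonstration with a constructed (non-functional) key in a scratch home:
demo=$(mktemp -d)
printf '%s\n' 'ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAAAgQCv9constructed/not+a+real+key== alice@laptop' > "$demo/id_rsa.pub"
install_authorized_key "$demo/id_rsa.pub" "$demo/home" && install_authorized_key "$demo/id_rsa.pub" "$demo/home"
echo "lines in authorized_keys: $(grep -c '' "$demo/home/.ssh/authorized_keys")"   # 1, not 2
rm -rf "$demo"
```

Run it as the user who will log in (`sh install-key.sh` after copying it over), or copy the two functions into a shell on the Torouter and call `install_authorized_key ~/.ssh/id_rsa.pub`. The file name is deliberately `authorized_keys`; `authorized_keys2` still works on old releases only because Debian lists both in `AuthorizedKeysFile`.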
### Edit /etc/ssh/sshd_config

The next step is to edit _/etc/ssh/sshd_config_ to include the following lines. For some options you only need to change the value that is already in the config; the other lines have to be added. Change existing lines rather than appending duplicates at the end: sshd uses the first value it finds for a keyword, so a `PasswordAuthentication no` appended below an existing `PasswordAuthentication yes` has no effect.

```
# Disable root login
PermitRootLogin no
...
AllowUsers alice bob
ChallengeResponseAuthentication no
PasswordAuthentication no
UsePAM no
```

`UsePAM no` turns off all of PAM in sshd, including account and session modules such as pam_limits, not just password checking; leave it at `yes` if you rely on any of that.

When you're done editing the config file, check the syntax and restart openssh-server:

```
/usr/sbin/sshd -t
/etc/init.d/ssh restart
```

Keep your current session open and test a fresh login from another terminal before closing it: if the key setup is wrong, you have just locked yourself out of password login as well.

At this point, only Alice and Bob can log on via SSH, and they have to do so using SSH keys.

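Because sshd takes the first value for each keyword and treats anything below a `Match` line as conditional, a plain `grep` for the hardening lines can report success on a config that is still wide open. The script below is an added example, not part of the original page: it reads a config the way sshd does and audits it against the settings above. The function names and both sample configs are constructed for this example.

```shell
#!/bin/sh
# Added example, not code from the original page: check an sshd_config the
# way sshd reads it.  sshd keeps the FIRST value it meets for each keyword
# (sshd_config(5)), and keywords inside a Match block only apply to the
# matching connections.  A grep for "PasswordAuthentication no" is fooled by
# both cases; this script is not.  The two sample configs are constructed
# for the demonstration; the function names are this example's own.

# Print the effective (first, global) value of keyword $2 in file $1.
# Prints nothing when the keyword is not set, i.e. sshd's built-in default applies.
sshd_first_value() {
    lkey=$(printf '%s' "$2" | tr '[:upper:]' '[:lower:]')
    awk -v key="$lkey" '
        { sub(/#.*/, "") }                      # strip comments
        NF == 0 { next }                        # skip blank lines
        tolower($1) == "match" { inmatch = 1 }  # from here on, conditional only
        inmatch { next }
        tolower($1) == key { $1 = ""; sub(/^ +/, ""); print; exit }  # first wins
    ' "$1"
}

# Compare the effective values with the hardening this page asks for.
# Returns 0 when everything passes, 1 otherwise, naming each failure.
audit_sshd_config() {
    rc=0
    for pair in PermitRootLogin=no ChallengeResponseAuthentication=no PasswordAuthentication=no; do
        k=${pair%%=*}
        want=${pair#*=}
        got=$(sshd_first_value "$1" "$k")
        if [ "$got" != "$want" ]; then
            echo "FAIL: $k is '${got:-unset}', want '$want'"
            rc=1
        fi
    done
    # Without AllowUsers every local account with a shell may log in.
    if [ -z "$(sshd_first_value "$1" AllowUsers)" ]; then
        echo "FAIL: AllowUsers is not set"
        rc=1
    fi
    return $rc
}

# Sample 1 (constructed): stock-style defaults with hardening that does nothing.
write_weak_sshd_config() {
    cat > "$1" <<'EOF'
Port 22
Protocol 2
PermitRootLogin yes
ChallengeResponseAuthentication yes
UsePAM yes
# Appended at the bottom: ignored, sshd already took "yes" above.
PermitRootLogin no
# Inside a Match block: only for that subnet, the global default stays "yes".
Match Address 10.0.0.0/24
    PasswordAuthentication no
EOF
}

# Sample 2 (constructed): the configuration this page describes.
write_hardened_sshd_config() {
    cat > "$1" <<'EOF'
Port 22
Protocol 2
# Disable root login
PermitRootLogin no
AllowUsers alice bob
ChallengeResponseAuthentication no
PasswordAuthentication no
UsePAM no
EOF
}

demo=$(mktemp -d)
write_weak_sshd_config "$demo/weak"
write_hardened_sshd_config "$demo/hardened"
echo "weak config:";     audit_sshd_config "$demo/weak"     || echo "  -> rejected"
echo "hardened config:"; audit_sshd_config "$demo/hardened" && echo "  -> passes"
rm -rf "$demo"
```

On the Torouter itself, `audit_sshd_config /etc/ssh/sshd_config` before the restart tells you whether the edit actually changed the effective values; `/usr/sbin/sshd -T` (extended test mode, present in OpenSSH 5.1 and later) prints the same effective configuration straight from sshd and is the authoritative cross-check where it is available.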
### Edit /etc/hosts.allow and /etc/hosts.deny

The hosts.allow and hosts.deny files let you specify which hosts are allowed to connect without touching your firewall. The first contains entries for hosts which are allowed to connect, the second contains addresses which are blocked. They only work for services linked against tcp_wrappers (libwrap); upstream OpenSSH dropped that support in 6.7, so check with `ldd /usr/sbin/sshd | grep libwrap` that your sshd still honours them, and use the firewall otherwise.

Assuming that you wish to allow the remote addresses 10.0.0.x to connect via SSH, but nothing else, you would set up the files as follows. Start by placing the following inside _/etc/hosts.allow_:

```
sshd: 10.0.0.0/255.255.255.0
```

Then disallow all further access by placing the following in _/etc/hosts.deny_:

```
sshd: ALL
```

Once that's done, restart ssh and you're good to go. (libwrap consults both files on every new connection, so the restart is not strictly required, but it does no harm.)

## Edit /etc/apt/sources.list

To make sure that you're running the latest stable version of Tor, edit _/etc/apt/sources.list_ to use the torproject.org package repository. If you want the stable version, add the following line:

```
deb http://deb.torproject.org/torproject.org <DISTRIBUTION> main
```

Remember to put the codename of your distribution, such as _squeeze_, in place of _<DISTRIBUTION>_.

If you want to use the development branch, add the following two lines:

```
deb http://deb.torproject.org/torproject.org <DISTRIBUTION> main
deb http://deb.torproject.org/torproject.org experimental-<DISTRIBUTION> main
```

Again, put the codename of your distribution in place of _<DISTRIBUTION>_.

The repository is served over plain HTTP; apt's signature check against the key imported in the Install Tor section below is what protects these packages in transit, so do not skip that step.

You may wish to include -backports as well (necessary to install certain packages on Debian Squeeze):

```
deb http://backports.debian.org/debian-backports squeeze-backports main contrib non-free
```

## Set the correct timezone

To select the correct timezone, run:

```
dpkg-reconfigure tzdata
```

## Install OpenNTPD

OpenNTPD is an alternative implementation of the NTP software, made by the OpenBSD project. Tor relies on an accurate clock: with a badly skewed clock it cannot validate the network consensus and logs clock-skew warnings, so some NTP client is required on a bridge or relay. OpenNTPD is available in squeeze-backports:

```
aptitude -t squeeze-backports install openntpd
```

## Install Tor

Run the following commands to install _tor_ and _tor-geoipdb_. The first command fetches the Tor Project's archive signing key; the second exports it by its full fingerprint, so that only a key with exactly that fingerprint is handed to apt-key even if the keyserver returned something else for the short ID:

```
gpg --keyserver keys.gnupg.net --recv 886DDD89
gpg --export A3C4F0F979CAA22CDBA8F512EE8CBC9E886DDD89 | sudo apt-key add -
aptitude update
aptitude install tor tor-geoipdb
```

Short key IDs like `886DDD89` are not unique, so compare the fingerprint you export with the one published on torproject.org before trusting the repository.

## Configure Tor as a bridge

To configure Tor to run as a bridge, edit _/etc/tor/torrc_ to include the following lines:

```
# Run Tor as a bridge/relay only, not as a client
SocksPort 0
...
BridgeRelay 1

# Don't allow any Tor traffic to exit
Exitpolicy reject *:*
```

After `/etc/init.d/tor restart`, watch _/var/log/tor/log_ for the line `Self-testing indicates your ORPort is reachable from the outside`; if it never appears, the ORPort is blocked upstream and the bridge is useless to clients.

## Ensure regular package updates with apticron

Apticron is a simple script which sends daily emails about pending package updates, such as security updates. It only reports; it does not install anything, so you still have to apply the updates yourself (or use _unattended-upgrades_). To install, run:

```
aptitude install apticron
```

You'll be prompted to configure _apt-listchanges_ first, and you'll be asked how you want package changes displayed. You will also be asked for the email address where you wish to receive package update information.

Apticron produces no output if there are no packages to update. If you know you have some pending upgrades, run the following command as root to see if it's working as expected:

```
/etc/cron.daily/apticron
```

The apticron configuration files are:

* /etc/apticron/apticron.conf
* /etc/apt/listchanges.conf
* /etc/apt/apt.conf.d/20listchanges

## Open Wifi that routes over Tor transparently

This section seeks to enable devices that may be unable to run a native Tor or have questionable proxy support. It takes a page from the [/doc/TransparentProxy](/doc/TransparentProxy) page.

You must have the **uaputl** binary compiled and ready for use (see Step 12 above). Additionally, this requires AP-mode support for the Marvell wifi chipset.

Install a small dhcpd server:

```
apt-get install udhcpd
```

Configure it in **/etc/udhcpd.conf**:

```
# Sample udhcpd configuration file (/etc/udhcpd.conf)

# The start and end of the IP lease block
...
option subnet 255.255.255.0
opt router 172.16.23.1
option domain local
option lease 864000 # 10 days of seconds
```

Enable it but disable logging in **/etc/default/udhcpd**:

```
# Comment the following line to enable
DHCPD_ENABLED="yes"
...
# -f run in foreground

DHCPD_OPTS=""
```

Note that udhcpd still writes client MAC addresses to its lease file (_/var/lib/misc/udhcpd.leases_ unless you change `lease_file`) even with syslog logging off; a ten-day lease keeps each visitor's hardware address on disk for at least that long.

Start it:

```
/etc/init.d/udhcpd start
```

This **/etc/network/interfaces** will automatically create the wireless BSSID, forge the MAC address to something common (to resist SkyHook and similar services), reload Tor and have it bind to the uap0 interface with the proper firewall rules:

```
# This file describes the network interfaces available on your system
# and how to activate them. For more information, see interfaces(5).
...
iface uap0 inet static
    ...
    post-up /root/uaputl/uaputl sys_cfg_ssid "torproject"
    post-up /root/uaputl/uaputl bss_start
    pre-down /root/uaputl/uaputl bss_stop
```

Here is the **tor-wireless-firewall.sh**:

```
#!/bin/sh

# destinations you don't want routed through Tor
NON_TOR="10.0.2.0/24" # currently hard coded for the network on eth0 or eth1
...
for NET in $NON_TOR; do
    ...
done
iptables -t nat -A PREROUTING -i $INT_IF -p udp --dport 53 -j REDIRECT --to-ports 53
iptables -t nat -A PREROUTING -i $INT_IF -p tcp --syn -j REDIRECT --to-ports $TRANS_PORT
```

Rule order matters here: the per-network rules in the loop come before the two REDIRECT rules, which catch everything else. Only UDP port 53 and new TCP connections are redirected into Tor; other traffic from the wifi (other UDP, ICMP) is not touched by these rules, so make sure it cannot be forwarded upstream by some other path.

This is the required Tor configuration that belongs in **/etc/tor/torrc**:

```
# middle box stuff
VirtualAddrNetwork 10.192.0.0/10
AutomapHostsOnResolve 1
TransPort 9040
TransListenAddress 172.16.23.1
DNSPort 53
DNSListenAddress 172.16.23.1
```

`TransListenAddress` and `DNSListenAddress` are the old syntax; newer Tor releases deprecate them in favour of giving the address together with the port, as in `TransPort 172.16.23.1:9040` and `DNSPort 172.16.23.1:53`. Either way, binding to the uap0 address only keeps these ports off eth0.

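The firewall script and the torrc above are the two halves of the transparent proxy; the script as shown on this page is incomplete and stops at the REDIRECT rules. What follows is an added example, not the page's own script: a complete version of the same rules that can be dry-run without root by setting `IPT=echo`. The interface, ports and NON_TOR network are the values the page uses; the chain names `TOR_WIFI`, `TOR_WIFI_IN` and `TOR_WIFI_FWD` are assumptions made for this example. It goes beyond the page's script in one respect, stated in the comments: it also drops whatever was not redirected and limits what wifi clients can reach on the router itself.

```shell
#!/bin/sh
# Added example, not the page's tor-wireless-firewall.sh: a complete,
# dry-runnable version of the transparent-proxy rules above.  Interface,
# ports and the NON_TOR network are the page's values; the chain names
# TOR_WIFI, TOR_WIFI_IN and TOR_WIFI_FWD are this example's own.
#   sh tor-wifi-firewall.sh apply            # as root: install the rules
#   IPT=echo sh tor-wifi-firewall.sh apply   # print them without touching anything

INT_IF=${INT_IF:-uap0}            # AP interface the wifi clients attach to
TRANS_PORT=${TRANS_PORT:-9040}    # torrc TransPort
DNS_PORT=${DNS_PORT:-53}          # torrc DNSPort
NON_TOR=${NON_TOR:-10.0.2.0/24}   # destinations reached directly, not through Tor
IPT=${IPT:-iptables}

tor_wifi_firewall() {
    # Private chains: they can be flushed and rebuilt without wiping
    # whatever else is in the firewall (the page's script flushes everything).
    $IPT -t nat -N TOR_WIFI 2>/dev/null
    $IPT -t nat -F TOR_WIFI
    $IPT -N TOR_WIFI_IN 2>/dev/null
    $IPT -F TOR_WIFI_IN
    $IPT -N TOR_WIFI_FWD 2>/dev/null
    $IPT -F TOR_WIFI_FWD

    # 1. Exemptions first.  A chain is walked top-down, so a RETURN placed
    #    after the catch-all REDIRECT below would never be reached.
    for net in $NON_TOR; do
        $IPT -t nat -A TOR_WIFI -d "$net" -j RETURN
        $IPT -A TOR_WIFI_FWD -d "$net" -j ACCEPT
    done

    # 2. Client DNS to Tor's DNSPort, every new TCP connection to the TransPort.
    $IPT -t nat -A TOR_WIFI -p udp --dport 53 -j REDIRECT --to-ports "$DNS_PORT"
    $IPT -t nat -A TOR_WIFI -p tcp --syn -j REDIRECT --to-ports "$TRANS_PORT"

    # 3. What the page's script leaves open.  Traffic that was not redirected
    #    (other UDP, ICMP) must never be forwarded upstream, or it leaves the
    #    box outside Tor.  And wifi clients may talk to the router only for
    #    DHCP and the two Tor ports, not to sshd or anything else on 172.16.23.1.
    $IPT -A TOR_WIFI_FWD -j DROP
    $IPT -A TOR_WIFI_IN -p udp --dport 67 -j ACCEPT
    $IPT -A TOR_WIFI_IN -p udp --dport "$DNS_PORT" -j ACCEPT
    $IPT -A TOR_WIFI_IN -p tcp --dport "$TRANS_PORT" -j ACCEPT
    $IPT -A TOR_WIFI_IN -j DROP

    # 4. Hook the chains up for packets arriving on the AP interface; delete
    #    any old jump first so repeated runs do not stack duplicates.
    $IPT -t nat -D PREROUTING -i "$INT_IF" -j TOR_WIFI 2>/dev/null
    $IPT -t nat -I PREROUTING -i "$INT_IF" -j TOR_WIFI
    $IPT -D INPUT -i "$INT_IF" -j TOR_WIFI_IN 2>/dev/null
    $IPT -I INPUT -i "$INT_IF" -j TOR_WIFI_IN
    $IPT -D FORWARD -i "$INT_IF" -j TOR_WIFI_FWD 2>/dev/null
    $IPT -I FORWARD -i "$INT_IF" -j TOR_WIFI_FWD
}

[ "${1:-}" = apply ] && tor_wifi_firewall
```

The REDIRECT target delivers to the primary address of the interface the packet arrived on, which for uap0 is 172.16.23.1, so it lines up with the `TransListenAddress` and `DNSListenAddress` in the torrc. With the INPUT chain in place, the `hosts.allow` restriction for sshd becomes a second line of defence rather than the only thing between an anonymous wifi client and your SSH port.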
Now simply type **ifup uap0** and you'll see:

```
root@holoscanner:~# ifup uap0
Reloading tor daemon configuration: tor.
SSID setting successful
BSS started!
```

You may stop the wifi network by running **ifdown uap0**:

```
root@holoscanner:~# ifdown uap0
BSS stopped!
```