
I need some help or advice, since I don't know what I could do to fix this issue.

I've built an onion pi following the adafruit tutorial.

This is basically a Wi-Fi hotspot that routes all traffic through the Tor network using a Wi-Fi dongle and hostapd, which creates a subnet and gives out DHCP addresses inside that subnet.

I'm able to connect to the Wi-Fi hotspot, to automatically receive a new IP address inside the configured subnet, and to browse the Internet flawlessly until I add the iptables rules that route the traffic through Tor.

Once I've added these rules, the hotspot is no longer able to reach the Internet, and I cannot explain to myself why.

sudo iptables -t nat -A PREROUTING -i wlan0 -p tcp --dport 22 -j REDIRECT --to-ports 22
sudo iptables -t nat -A PREROUTING -i wlan0 -p udp --dport 53 -j REDIRECT --to-ports 53
sudo iptables -t nat -A PREROUTING -i wlan0 -p tcp --syn -j REDIRECT --to-ports 9040
sudo sh -c "iptables-save > /etc/iptables.ipv4.nat"

If I flush the rules, I'm able to browse the Internet again with no issues.

This is my torrc config:

Log notice file /var/log/tor/notices.log
VirtualAddrNetwork 172.16.0.0/12
AutomapHostsSuffixes .onion,.exit
AutomapHostsOnResolve 1
TransPort 9040
TransListenAddress 192.168.42.1
DNSPort 53
DNSListenAddress 192.168.42.1

And this is my hostapd config:

interface=wlan0
#driver=rtl871xdrv
ssid=DUGA-93
country_code=US
hw_mode=g
channel=6
macaddr_acl=0
auth_algs=1
ignore_broadcast_ssid=0
wpa=2
wpa_passphrase=1234567891011
wpa_key_mgmt=WPA-PSK
wpa_pairwise=CCMP
wpa_group_rekey=86400
ieee80211n=1
wme_enabled=1

This is my ifconfig:

eth0: flags=4163<UP,BROADCAST,RUNNING,MULTICAST>  mtu 1500
        inet 192.168.1.250  netmask 255.255.255.0  broadcast 192.168.1.255
        inet6 fe80::ba27:ebff:fe8e:191  prefixlen 64  scopeid 0x20<link>
        ether b8:27:eb:8e:01:91  txqueuelen 1000  (Ethernet)
        RX packets 5887  bytes 1912947 (1.8 MiB)
        RX errors 0  dropped 127  overruns 0  frame 0
        TX packets 4956  bytes 1399984 (1.3 MiB)
        TX errors 0  dropped 0 overruns 0  carrier 0  collisions 0

lo: flags=73<UP,LOOPBACK,RUNNING>  mtu 65536
        inet 127.0.0.1  netmask 255.0.0.0
        inet6 ::1  prefixlen 128  scopeid 0x10<host>
        loop  txqueuelen 1000  (Local Loopback)
        RX packets 248  bytes 14160 (13.8 KiB)
        RX errors 0  dropped 0  overruns 0  frame 0
        TX packets 248  bytes 14160 (13.8 KiB)
        TX errors 0  dropped 0 overruns 0  carrier 0  collisions 0

wlan0: flags=4163<UP,BROADCAST,RUNNING,MULTICAST>  mtu 1500
        inet 192.168.42.1  netmask 255.255.255.0  broadcast 192.168.42.255
        inet6 fe80::2e9:b0ff:fe20:23d1  prefixlen 64  scopeid 0x20<link>
        ether 00:e9:b0:20:23:d1  txqueuelen 1000  (Ethernet)
        RX packets 2893  bytes 306895 (299.7 KiB)
        RX errors 0  dropped 0  overruns 0  frame 0
        TX packets 1549  bytes 1220073 (1.1 MiB)
        TX errors 0  dropped 0 overruns 0  carrier 0  collisions 0

As you can see, the tor service is running:

● tor.service - Anonymizing overlay network for TCP (multi-instance-master)
   Loaded: loaded (/lib/systemd/system/tor.service; enabled; vendor preset: enabled)
   Active: active (exited) since Tue 2019-10-29 13:09:47 GMT; 20min ago
  Process: 258 ExecStart=/bin/true (code=exited, status=0/SUCCESS)
 Main PID: 258 (code=exited, status=0/SUCCESS)

Oct 29 13:09:47 DUGA-93 systemd[1]: Starting Anonymizing overlay network for TCP (multi-instance-master)...
Oct 29 13:09:47 DUGA-93 systemd[1]: Started Anonymizing overlay network for TCP (multi-instance-master).

And I'm running the latest version of Raspbian Buster (minimal) on a RPi 2B+:

Linux DUGA-93 4.19.75-v7+ #1270 SMP Tue Sep 24 18:45:11 BST 2019 armv7l GNU/Linux

This is the notices.log from Tor:

Oct 29 15:01:48.000 [notice] Tor 0.3.5.8 opening log file.

Oct 29 15:01:48.108 [warn] OpenSSL version from headers does not match the version we're running with. If you get weird crashes, that might be why. (Compiled with 1010101f: OpenSSL 1.1.1a 20 Nov 2018; running with 1010104f: OpenSSL 1.1.1d 10 Sep 2019).

Oct 29 15:01:48.145 [notice] Tor 0.3.5.8 running on Linux with Libevent 2.1.8-stable, OpenSSL 1.1.1d, Zlib 1.2.11, Liblzma 5.2.4, and Libzstd 1.3.8.

Oct 29 15:01:48.146 [notice] Tor can't help you if you use it wrong! Learn how to be safe at https://www.torproject.org/download/download#warning

Oct 29 15:01:48.146 [notice] Read configuration file "/usr/share/tor/tor-service-defaults-torrc".

Oct 29 15:01:48.146 [notice] Read configuration file "/etc/tor/torrc".

Oct 29 15:01:48.164 [warn] Skipping obsolete configuration option 'TransListenAddress'

Oct 29 15:01:48.164 [warn] Skipping obsolete configuration option 'DNSListenAddress'

Oct 29 15:01:48.167 [notice] Opening Socks listener on 127.0.0.1:9050

Oct 29 15:01:48.167 [notice] Opened Socks listener on 127.0.0.1:9050

Oct 29 15:01:48.167 [notice] Opening DNS listener on 127.0.0.1:53

Oct 29 15:01:48.167 [notice] Opened DNS listener on 127.0.0.1:53

Oct 29 15:01:48.167 [notice] Opening Transparent pf/netfilter listener on 127.0.0.1:9040

Oct 29 15:01:48.168 [notice] Opened Transparent pf/netfilter listener on 127.0.0.1:9040

Oct 29 15:01:48.000 [notice] Parsing GEOIP IPv4 file /usr/share/tor/geoip.

Oct 29 15:01:50.000 [notice] Parsing GEOIP IPv6 file /usr/share/tor/geoip6.

Oct 29 15:01:51.000 [notice] Bootstrapped 0%: Starting

Oct 29 15:01:58.000 [notice] Starting with guard context "default"

Oct 29 15:01:58.000 [notice] Signaled readiness to systemd

Oct 29 15:01:58.000 [notice] Opening Socks listener on /run/tor/socks

Oct 29 15:01:58.000 [notice] Opened Socks listener on /run/tor/socks

Oct 29 15:01:58.000 [notice] Opening Control listener on /run/tor/control

Oct 29 15:01:58.000 [notice] Opened Control listener on /run/tor/control

Oct 29 15:01:58.000 [notice] Bootstrapped 10%: Finishing handshake with directory server

Oct 29 15:01:58.000 [notice] Bootstrapped 80%: Connecting to the Tor network

Oct 29 15:01:58.000 [notice] Bootstrapped 90%: Establishing a Tor circuit

Oct 29 15:01:58.000 [notice] Bootstrapped 100%: Done

BTW, if I do this from the Pi command line:

torify curl https://canihazip.com/s

171.25.193.25

It works. I'm connected to Tor, since that's not my IP.

Please, could you help me?

Thank you so much. Kind Regards.

Inboca
  • I did not follow the tutorial you have used, to understand what could be wrong. But if you like you can compare it with [How to make Raspberry Pi a Tor router with all kind of network setup using systemd-networkd](https://raspberrypi.stackexchange.com/a/92296/79866) and may find what's the problem with your setup. – Ingo Oct 29 '19 at 17:55

1 Answer


From Reddit, one of the users told me how to solve this problem:

Ah, ok - that's looking better. It does remind me that the tutorial is a bit old and Tor keeps changing configuration options. You'll notice in the log that it's ignoring the TransListenAddress and DNSListenAddress entries. This used to force the whole thing to break but it's been a little odd since then.

Try the following changes to the torrc:

DNSPort 192.168.42.1:53
DNSPort 127.0.0.1:53
TransPort 192.168.42.1:9040
TransPort 127.0.0.1:9040

And restart tor. Once that's done, try running sudo netstat -tlnp and verify that 9040 is listening. If so, try accessing Tor again via the client. If that still doesn't work, try accessing http://104.16.181.15. Note that this is a Cloudflare test IP and will throw an error but should show what your IP is. If this works, and it's not your IP then it sounds like a Tor DNS problem.

Inboca
  • There is one `DNSPort` and one `TransPort` option in `/etc/tor/torrc`, so which one do we have to change? Please describe more. – emrcftci Apr 12 '20 at 23:05
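The diagnosis in the question's log (Tor skipping the obsolete `TransListenAddress`/`DNSListenAddress` options and therefore opening its DNS and transparent-proxy listeners on 127.0.0.1 only, where hotspot clients on 192.168.42.0/24 cannot reach them) and the torrc change in the answer can both be checked mechanically. The following POSIX sh script is an added example, not code from the question, the answer or the Adafruit tutorial: it extracts the listener bindings from notices.log lines, tests whether a listener is bound to the hotspot address, and rewrites a torrc by replacing the old `DNSPort`/`TransPort` lines and the two obsolete options with the explicit per-address lines the answer recommends (which also answers the follow-up comment: the new lines replace the existing ones rather than sitting next to them). The log and torrc samples are constructed from the question's output; the hotspot address 192.168.42.1 is taken from the question's ifconfig.

```shell
#!/bin/sh
# Added example (not from the original question or answer).
# Assumptions: log lines in the format Tor 0.3.5 writes to notices.log, and a
# hotspot interface address of 192.168.42.1 (from the question's ifconfig).

HOTSPOT_IP="${HOTSPOT_IP:-192.168.42.1}"

# Constructed sample of the relevant notices.log lines from the question.
SAMPLE_LOG="Oct 29 15:01:48.164 [warn] Skipping obsolete configuration option 'TransListenAddress'
Oct 29 15:01:48.167 [notice] Opened Socks listener on 127.0.0.1:9050
Oct 29 15:01:48.167 [notice] Opened DNS listener on 127.0.0.1:53
Oct 29 15:01:48.168 [notice] Opened Transparent pf/netfilter listener on 127.0.0.1:9040"

# Constructed sample torrc, mirroring the one in the question.
SAMPLE_TORRC="Log notice file /var/log/tor/notices.log
VirtualAddrNetwork 172.16.0.0/12
AutomapHostsSuffixes .onion,.exit
AutomapHostsOnResolve 1
TransPort 9040
TransListenAddress 192.168.42.1
DNSPort 53
DNSListenAddress 192.168.42.1"

# Read log text on stdin and print "<kind> <addr>:<port>" for each opened
# DNS or Transparent listener ("Opening" lines and Socks/Control are ignored).
listeners() {
    awk 'match($0, /\[notice\] Opened (DNS|Transparent) .*listener on [0-9.]+:[0-9]+$/) {
             kind = ($0 ~ /Opened DNS /) ? "DNS" : "Transparent"
             print kind, $NF
         }'
}

# Exit 0 if a listener of kind $1 (DNS or Transparent) is bound to address $2,
# 1 otherwise. Reads log text on stdin.
bound_to() {
    kind="$1"; ip="$2"
    listeners | awk -v k="$kind" -v ip="$ip" '
        $1 == k { split($2, a, ":"); if (a[1] == ip) found = 1 }
        END { exit found ? 0 : 1 }'
}

# The listener lines from the answer: bind DNS and transparent proxy on the
# hotspot address and on loopback, instead of the obsolete *ListenAddress options.
torrc_listener_lines() {
    ip="$1"
    printf 'DNSPort %s:53\nDNSPort 127.0.0.1:53\nTransPort %s:9040\nTransPort 127.0.0.1:9040\n' "$ip" "$ip"
}

# Rewrite a torrc read on stdin: drop the old bare DNSPort/TransPort lines and
# the obsolete *ListenAddress lines, then append the explicit listener lines.
rewrite_torrc() {
    ip="$1"
    grep -v -E '^(TransListenAddress|DNSListenAddress|TransPort|DNSPort)[[:space:]]' || true
    torrc_listener_lines "$ip"
}

# Demonstration on the constructed samples.
echo "Listeners found in the sample log:"
printf '%s\n' "$SAMPLE_LOG" | listeners
for kind in DNS Transparent; do
    if printf '%s\n' "$SAMPLE_LOG" | bound_to "$kind" "$HOTSPOT_IP"; then
        echo "OK: $kind listener is reachable from the hotspot subnet ($HOTSPOT_IP)"
    else
        echo "PROBLEM: $kind listener is not bound to $HOTSPOT_IP; clients cannot reach it"
    fi
done
echo "Rewritten torrc:"
printf '%s\n' "$SAMPLE_TORRC" | rewrite_torrc "$HOTSPOT_IP"
```

On the Pi itself the same functions run against the real files, e.g. `listeners < /var/log/tor/notices.log` and `rewrite_torrc 192.168.42.1 < /etc/tor/torrc > /tmp/torrc.new` (review the output before replacing `/etc/tor/torrc` and restarting tor). After the restart, the `sudo netstat -tlnp` check from the answer should show both 9040 and 53 listening on 192.168.42.1, and the log should no longer contain the two "Skipping obsolete configuration option" warnings.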