Last Updated: February 25, 2016 · bt3gl

A Tor Proxy in a Raspberry Pi

In this tutorial I walk through all the steps to set up a Tor proxy on a Raspberry Pi (Model B). This work is based on some tutorials from Adafruit.


Setting Up a Raspberry Pi

Installing an Operating System on the SD card

You can either install NOOBS and then choose your OS:
http://www.raspberrypi.org/help/noobs-setup.

Or you can download the Fedora ARM Installer and the OS image you prefer:
http://fedoraproject.org/wiki/FedoraARMInstaller.

Network Setup

The easiest way to connect your Pi to the network is through the Ethernet interface. Plugging in the cable should be enough, as long as your router hands out addresses via DHCP.

Alternatively, you can set up a wireless connection, which requires your router to broadcast its SSID. In Raspbian there is a WiFi configuration icon: choose the wlan0 adapter and scan. After connecting to your network you will also be able to see the IP of your Pi.

Input/Output Setup

The easiest way to interact with your Pi is with an HDMI cable to a monitor and a USB keyboard. Other options are a console cable or an SSH connection.

Connection through a Console Cable (3.3V logic levels)

The connections are to the outside pin connections of the GPIO header:

  • The red lead should be connected to 5V.
  • The black lead to GND.
  • The white lead to TXD.
  • The green lead to RXD.

If the serial lead (red) is connected, do not attach the Pi's USB power adapter.

In Linux you can use screen:

$ sudo apt-get install screen
$ sudo screen /dev/ttyUSB0 115200

In Windows, you can use a terminal emulator such as PuTTY together with the drivers from this link:
http://www.prolific.com.tw/US/ShowProduct.aspx?p_id=225&pcid=41. Check the number of the COM serial port in Device Manager and connect at speed 115200.

SSH Connection

You need to enable SSH on the Pi:

$ sudo raspi-config

Find the Pi's IP by:

$ sudo ifconfig

From your Linux PC, log in with "pi" as the user (replace PI-IP with the address found above):

$ ssh -l pi PI-IP

You can (and should) set up RSA keys for SSH. In a terminal session on the Linux client enter:

$ mkdir ~/.ssh
$ chmod 700 ~/.ssh
$ ssh-keygen -t rsa

Now copy the public key over to the Pi by typing in the client:

$ ssh-copy-id <userid>@<hostname or ip address>

Setting up a Wi-Fi Access Point

You need an Ethernet cable and a WiFi adapter. First, check that the wlan0 interface (the WiFi adapter) is listed:

$ ifconfig -a 

DHCP Server Configuration

Install the software that will act as the hostap (host access point):

$ sudo apt-get install hostapd isc-dhcp-server

If apt-get cannot find the packages, refresh the package lists first:

$ sudo apt-get update 

Edit /etc/network/interfaces:

auto lo

iface lo inet loopback
iface eth0 inet dhcp

allow-hotplug wlan0

iface wlan0 inet static
  address 192.168.42.1
  netmask 255.255.255.0

Then edit the DHCP server configuration file, /etc/dhcp/dhcpd.conf:

subnet 192.168.42.0 netmask 255.255.255.0 {
  range 192.168.42.10 192.168.42.50;
  option broadcast-address 192.168.42.255;
  option routers 192.168.42.1;
  default-lease-time 600;
  max-lease-time 7200;
  option domain-name "local";
  option domain-name-servers 8.8.8.8, 8.8.4.4;
}

Now, add the line below to /etc/default/isc-dhcp-server:

INTERFACES="wlan0"

Restart the network:

$ sudo /etc/init.d/networking restart

IP Forwarding

Enable IP forwarding and set up NAT so that multiple clients can connect to the WiFi and have all their traffic 'tunneled' through the single Ethernet IP. First make the setting persistent by editing /etc/sysctl.conf:

$ sudo nano /etc/sysctl.conf

Uncomment the following line to enable packet forwarding for IPv4:

net.ipv4.ip_forward=1

Then switch it on right away. A plain "sudo echo 1 > /proc/sys/net/ipv4/ip_forward" fails with "Permission denied", because the redirection is performed by your unprivileged shell rather than by sudo, so the write has to happen inside a root shell:

$ sudo sh -c "echo 1 > /proc/sys/net/ipv4/ip_forward"

Firewall Configuration

Insert iptables rules to allow NAT (network address translation). The first masquerades outgoing traffic behind the eth0 address, the second lets replies back in to the WiFi clients, and the third lets the clients' own outbound traffic out:

$ sudo iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE
$ sudo iptables -A FORWARD -i eth0 -o wlan0 -m state --state RELATED,ESTABLISHED -j ACCEPT
$ sudo iptables -A FORWARD -i wlan0 -o eth0 -j ACCEPT

To keep these rules across reboots, save them to a file:

$ sudo sh -c "iptables-save > /etc/iptables.ipv4.nat"

Saving alone does not reload them at boot; the saved file has to be restored, for example with an "up iptables-restore < /etc/iptables.ipv4.nat" line in the eth0 stanza of /etc/network/interfaces.

For additional security, the following rules drop packets arriving on your internet-facing (eth0) interface that carry a private (RFC 1918), multicast, reserved or loopback source address, and also drop ICMP echo requests (ping) and SSH connections from that side. They assume eth0 is plugged directly into your modem and holds a public address; if eth0 sits on a private home LAN, the first rules will cut the Pi off from it.

$ sudo iptables -A INPUT -s 192.168.0.0/24 -i eth0 -j DROP
$ sudo iptables -A INPUT -s 10.0.0.0/8 -i eth0 -j DROP
$ sudo iptables -A INPUT -s 172.16.0.0/12 -i eth0 -j DROP
$ sudo iptables -A INPUT -s 224.0.0.0/4 -i eth0 -j DROP
$ sudo iptables -A INPUT -s 240.0.0.0/5 -i eth0 -j DROP
$ sudo iptables -A INPUT -s 127.0.0.0/8 -i eth0 -j DROP
$ sudo iptables -A INPUT -i eth0 -p tcp -m tcp --dport 22 -j DROP
$ sudo iptables -A INPUT -i eth0 -p icmp -m icmp --icmp-type 8 -j DROP
$ sudo sh -c "iptables-save > /etc/iptables.up.rules"

If you want to see how many packets your firewall is blocking:

$ sudo iptables -L -n -v

If your eth0 still shows a private address, it probably didn't renew when you moved it to your modem. Fix this by running:

$ sudo ifdown eth0 && sudo ifup eth0

Access Point Configuration

Configure the access point with hostapd by editing /etc/hostapd/hostapd.conf:

interface=wlan0
driver=rtl871xdrv
ssid=Pi_AP
hw_mode=g
channel=6
macaddr_acl=0
auth_algs=1
ignore_broadcast_ssid=0
wpa=2
wpa_passphrase=Raspberry
wpa_key_mgmt=WPA-PSK
wpa_pairwise=TKIP
rsn_pairwise=CCMP

Replace ssid and wpa_passphrase with your own values (the passphrase above is only an example; use a long random one). The driver line depends on your WiFi adapter: rtl871xdrv is for the Realtek chipsets used in Adafruit's adapters, while most other adapters use nl80211. Now tell the Pi where to find this configuration file, in /etc/default/hostapd:

DAEMON_CONF="/etc/hostapd/hostapd.conf"

And start the access point by running hostapd in debug mode, so you can see what it does:

$ sudo hostapd -d /etc/hostapd/hostapd.conf

To start it automatically, add this command to /etc/rc.local:

hostapd -B /etc/hostapd/hostapd.conf

Logs and Status

To see the system log data, run in the Pi:

$ tail -f /var/log/syslog

You can always check the status of the host AP server and the DHCP server with:

$ sudo service hostapd status
$ sudo service isc-dhcp-server status

Setting up a Daemon

Now that we know it works, we can set it up as a 'daemon' (a program that starts when the Pi boots). Start the daemon services:

$ sudo service hostapd start
$ sudo service isc-dhcp-server start

Verify that they both start successfully (no 'failure' or 'errors'), then enable them at boot:

$ sudo update-rc.d hostapd enable
$ sudo update-rc.d isc-dhcp-server enable

Removing WPA-Supplicant

Depending on your distribution, you may need to remove WPASupplicant. Do so by running this command:

sudo mv /usr/share/dbus-1/system-services/fi.epitest.hostap.WPASupplicant.service ~/

Setting up the Tor Proxy

You now have a wireless access point on your Pi. To make it a Tor proxy, first install Tor:

$ sudo apt-get install tor

Then edit the Tor config file at /etc/tor/torrc:

Log notice file /var/log/tor/notices.log
VirtualAddrNetwork 10.192.0.0/10
AutomapHostsSuffixes .onion,.exit
AutomapHostsOnResolve 1
TransPort 9040
TransListenAddress 192.168.42.1
DNSPort 53
DNSListenAddress 192.168.42.1

Change the IP routing tables so that connections via the WiFi interface (wlan0) are routed through Tor. First flush the old rules from the filter and NAT tables:

$ sudo iptables -F
$ sudo iptables -t nat -F

Add an iptables rule so that SSH to the Pi from the WiFi side keeps working: port 22 is redirected to itself, and because this rule comes before the catch-all TCP rule below, SSH stays out of Tor:

$ sudo iptables -t nat -A PREROUTING -i wlan0 -p tcp --dport 22 -j REDIRECT --to-ports 22 

To route all DNS (UDP port 53) from interface wlan0 to internal port 53 (DNSPort in our torrc):

$ sudo iptables -t nat -A PREROUTING -i wlan0 -p udp --dport 53 -j REDIRECT --to-ports 53

To route all TCP traffic from interface wlan0 to port 9040 (TransPort in our torrc):

$ sudo iptables -t nat -A PREROUTING -i wlan0 -p tcp --syn -j REDIRECT --to-ports 9040 

Check that the iptables are right with:

$ sudo iptables -t nat -L

If all is good, we'll save it to our old NAT save file:

$ sudo sh -c "iptables-save > /etc/iptables.ipv4.nat"
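As an added check that is not part of the original tutorial, the Python script below parses iptables-save output (the format of /etc/iptables.ipv4.nat) and verifies that the three REDIRECT rules are present in the nat PREROUTING chain and that the SSH rule precedes the TransPort catch-all. The sample dump is constructed, not captured from a real Pi, and the script name check_tor_nat.py is my own choice.

```python
"""Check the transparent-Tor NAT rules in `iptables-save` output (/etc/iptables.ipv4.nat).
iptables walks a chain top to bottom, so the SSH keep-local rule (22 -> 22) must precede
the catch-all that sends every TCP SYN from wlan0 to TransPort 9040, else SSH is swallowed."""
import sys
# Constructed sample of `sudo iptables-save` output (not captured from a real Pi).
SAMPLE_SAVE = """\
*nat
:PREROUTING ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
-A PREROUTING -i wlan0 -p tcp -m tcp --dport 22 -j REDIRECT --to-ports 22
-A PREROUTING -i wlan0 -p udp -m udp --dport 53 -j REDIRECT --to-ports 53
-A PREROUTING -i wlan0 -p tcp -m tcp --tcp-flags FIN,SYN,RST,ACK SYN -j REDIRECT --to-ports 9040
COMMIT
"""

def prerouting_rules(save_text):
    """Return the nat-table PREROUTING rules, in order, each as an {option: value} dict."""
    rules, in_nat = [], False
    for line in save_text.splitlines():
        if line.startswith("*"):          # table header: *nat, *filter, ...
            in_nat = line == "*nat"
        elif in_nat and line.startswith("-A PREROUTING "):
            toks = line.split()
            rules.append({toks[i]: toks[i + 1] for i in range(1, len(toks) - 1)
                          if toks[i].startswith("-")})
    return rules

def find_rule(rules, want):
    """Index of the first rule that carries every option in `want`, or -1 if none."""
    for idx, rule in enumerate(rules):
        if all(rule.get(opt) == val for opt, val in want.items()):
            return idx
    return -1

def check_tor_redirects(save_text):
    """Return a list of problems; an empty list means the rules match the tutorial."""
    rules = prerouting_rules(save_text)
    ssh = find_rule(rules, {"-i": "wlan0", "-p": "tcp", "--dport": "22", "--to-ports": "22"})
    dns = find_rule(rules, {"-i": "wlan0", "-p": "udp", "--dport": "53", "--to-ports": "53"})
    tor = find_rule(rules, {"-i": "wlan0", "-p": "tcp", "--to-ports": "9040"})
    checks = [(dns >= 0, "no DNS redirect to Tor DNSPort 53"),
              (tor >= 0, "no TCP redirect to Tor TransPort 9040"),
              (ssh >= 0, "no SSH keep-local rule"),
              (ssh < 0 or tor < 0 or ssh < tor, "SSH rule comes after the 9040 catch-all")]
    return [msg for ok, msg in checks if not ok]

if __name__ == "__main__":   # pipe in the real file: python3 check_tor_nat.py < /etc/iptables.ipv4.nat
    text = SAMPLE_SAVE if sys.stdin.isatty() else sys.stdin.read()
    print(check_tor_redirects(text) or "rules look right")
```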

Next we'll create our log file (handy for debugging) with:

$ sudo touch /var/log/tor/notices.log
$ sudo chown debian-tor /var/log/tor/notices.log
$ sudo chmod 644 /var/log/tor/notices.log

Check it with:

$ ls -l /var/log/tor

Finally, you can start the Tor service manually:

$ sudo service tor start

And make it start on boot:

$ sudo update-rc.d tor enable

That's it! Browse safely! Keep in mind what this proxy covers: only TCP connections and DNS lookups from the WiFi clients are redirected into Tor, other traffic is not, and Tor does not hide application-level identifiers such as cookies, logins and browser fingerprints.