Raspberry Pi and Tor for slightly easier OPSEC


With a desire for stronger operational security (OPSEC), I've built a dual-homed Raspberry Pi to act as a Tor client. It sits between my laptop and the Internet and only allows outbound traffic that is routed through Tor. For under $50 USD, this relatively cheap device should significantly reduce the risk of your real IP address being accidentally divulged by human error or by software that decides to connect directly to the Internet.

As this is a physically separate hardware device, it should prevent your identity or location being disclosed even if your laptop is compromised (assuming you have no personally identifiable information on your laptop). This device makes it harder to make mistakes.

Software Installation

Setting up the Pi is a relatively familiar but slow process for anyone who has used Linux. I opted to use the Debian-based distribution "Raspbian" as the operating system for the Raspberry Pi, choosing to install from scratch on an SDHC card rather than using a pre-built image.

As well as Tor, Polipo and the standard Raspbian packages I've installed the following:

  • sshd - for management, listening on eth0
  • iptables - to restrict access to the device
  • macchanger - to randomly assign a new MAC address on Internet-facing interfaces
  • wireless-tools and wpa_supplicant - for Wi-Fi

As the Raspberry Pi only has one Ethernet adapter, you need a USB-to-Ethernet adapter, a wireless USB adapter or a 3G dongle as the other NIC. For the wireless adapter I've opted for an Alpha Card, which is supported out of the box.

Tor and Polipo can chew up a fair amount of memory, so performance is a lot better on the Model B Raspberry Pi, which has 512MB of RAM. To make it easier to swap the method for connecting to the Internet, I used the on-board NIC as the interface to the laptop. The whole setup looks something like this:

If you need access to a SOCKS proxy, the Tor SOCKS proxy (TCP/9050) could also be exposed on eth0.
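
One way to enforce the "only Tor goes out" rule with iptables, as an added example rather than the ruleset used on the device described here. It assumes Tor runs as the user debian-tor, Polipo listens on TCP/8123, eth0 faces the laptop with static addressing, and any other interface is the Internet uplink.

```shell
#!/bin/sh
# Added example: fail-closed IPv4 policy for the Tor gateway (not the author's rules).
# Assumed: Tor runs as "debian-tor", Polipo listens on TCP/8123, eth0 faces the
# laptop with static addressing, and every other interface is an Internet uplink.
LAN_IF="${LAN_IF:-eth0}"
TOR_USER="${TOR_USER:-debian-tor}"
PROXY_PORT="${PROXY_PORT:-8123}"
SOCKS_PORT="${SOCKS_PORT:-}"    # set to 9050 to also expose the Tor SOCKS port

tor_gateway_rules() {
    # Default-drop everything; FORWARD never opens, so the Pi cannot route
    # laptop packets straight to the uplink even if ip_forward gets enabled.
    cat <<EOF
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT DROP [0:0]
-A INPUT -i lo -j ACCEPT
-A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
-A INPUT -i $LAN_IF -p tcp --dport 22 -j ACCEPT
-A INPUT -i $LAN_IF -p tcp --dport $PROXY_PORT -j ACCEPT
EOF
    if [ -n "$SOCKS_PORT" ]; then
        echo "-A INPUT -i $LAN_IF -p tcp --dport $SOCKS_PORT -j ACCEPT"
    fi
    # Uplink side: DHCP lease traffic plus TCP opened by the Tor process only.
    cat <<EOF
-A INPUT ! -i $LAN_IF -p udp --sport 67 --dport 68 -j ACCEPT
-A OUTPUT -o lo -j ACCEPT
-A OUTPUT -o $LAN_IF -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
-A OUTPUT ! -o $LAN_IF -p udp --sport 68 --dport 67 -j ACCEPT
-A OUTPUT ! -o $LAN_IF -p tcp -m owner --uid-owner $TOR_USER -j ACCEPT
COMMIT
EOF
}

# Run as root with the single argument "apply" to load the rules; without
# it the script only defines the function and changes nothing.
if [ "${1:-}" = "apply" ]; then
    tor_gateway_rules | iptables-restore
fi
```

With OUTPUT dropped, NTP from the Pi is blocked as well; the Pi has no battery-backed clock and Tor needs roughly correct time, so either add an explicit NTP rule on the uplink or set the clock another way. IPv6 needs the same default-drop policy through ip6tables.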

System Hardening

All the services are configured so that they don't store any logs. Additionally, SSH is configured with public/private keys which are not stored on the laptop. Disk encryption can be enabled but it means typing in a password each time the Pi boots.

Power

As the Raspberry Pi is powered using USB it can be powered directly from the laptop and is therefore fully portable (assuming you have a case). Boot time is approximately 1 minute.

Final Thoughts

I'm not sure how secure the Tor Network is, but using it is certainly better than using nothing. This device will prevent you from making basic mistakes and, if you combine it with free wireless connections, should make it significantly harder for you to be identified.