You should have a gateway Pi working with VPN and Tor, either FDE with LUKS and LVM2, or unencrypted. If it's FDE, it should be configured with dropbear for opening LUKS via SSH. You should also have a workspace Pi that's ready to set up, either FDE with LUKS and LVM2 or unencrypted. Attach the monitor or TV, USB keyboard, and USB mouse (or touchpad) to the workspace Pi. Attach the workspace Pi network adapter (eth0) to the USB-to-ethernet adapter (eth1) of the gateway Pi.
Power up both the gateway Pi and the workspace Pi. If necessary, open the workspace LUKS volume. If the GUI desktop hasn't been enabled, run raspi-config, enable it, and reboot.
If the gateway Pi is FDE, SSH from the workspace Pi to dropbear in the gateway (initramfs), and open the LUKS volume by writing your LUKS passphrase (LUKS_passphrase) to the cryptsetup FIFO in that initramfs shell.
pi@workspacesd:~$ ssh -o "UserKnownHostsFile=~/.ssh/known_hosts.initramfs" -i ~/.ssh/id_rsa_dropbear root@192.168.2.1
pi@workspacesd:~$ echo -ne LUKS_passphrase >/lib/cryptsetup/passfifo
Now SSH from the workspace Pi to the gateway Pi.
pi@workspacesd:~$ ssh pi@192.168.2.1
Then start the VPN and restart Tor.
pi@gatewaysd:~$ ./bin/Start
Build and Configure Tor Browser
The Tor Project does not distribute Tor Browser for Raspbian wheezy, and the Debian/Ubuntu version doesn't work. And so you will need to build from source. That's actually (truly!) not very hard, because the instructions at https://trac.torproject.org/projects/tor/wiki/doc/TorBrowser/Hacking are clear, and work. However, the git source folder is large (900MB compressed download) and so you may want to bypass Tor in the gateway Pi while downloading it. By default, the gateway Pi boots with iptables rules (/etc/iptables/rules.v4) that route all traffic through Tor. If you like, load vpn-rules.v4 instead, which sends traffic through the VPN only.
pi@gatewaysd:~$ sudo iptables-restore < /etc/iptables/vpn-rules.v4
Now configure networking on the workspace Pi.
pi@workspacesd:~$ sudo nano /etc/network/interfaces
........................
auto lo
iface lo inet loopback
auto eth0
iface eth0 inet static
address 192.168.2.2
netmask 255.255.255.0
gateway 192.168.2.1
........................
If you're using the gateway Pi in VPN mode, use nameserver 10.9.0.1 here (and remember to switch back to 192.168.2.1 when done).
pi@workspacesd:~$ sudo nano /etc/resolv.conf
......................
domain localdomain
search localdomain
nameserver 192.168.2.1
......................
First install required packages.
pi@workspacesd:~$ sudo apt-get install --no-install-suggests --no-install-recommends zip unzip libglib2.0-dev libgtk2.0-dev libdbus-1-dev libdbus-glib-1-dev yasm libasound2-dev libcurl4-openssl-dev libxt-dev mesa-common-dev autoconf autoconf2.13 libtool hardening-wrapper libgstreamer-plugins-base0.10-dev pkg-config g++ libpulse-dev
Also install torsocks and rinetd, so that apps can access SocksPorts on the gateway Pi.
pi@workspacesd:~$ sudo apt-get install torsocks rinetd
Edit /etc/rinetd.conf so that the local SocksPorts forward to the gateway Pi.
pi@workspacesd:~$ sudo nano /etc/rinetd.conf
....................................................
bindaddress bindport connectaddress connectport
127.0.0.1 9050 192.168.2.1 9050
127.0.0.1 9151 192.168.2.1 9151
....................................................
Then clone the Tor Browser source.
pi@workspacesd:~$ git clone https://git.torproject.org/tor-browser.git
Don't worry about the "can't checkout" error, because git branch -a handles that.
pi@workspacesd:~$ cd tor-browser
pi@workspacesd:~$ git branch -a
pi@workspacesd:~$ git checkout remotes/origin/tor-browser-31.5.0esr-4.5-1
Generate the configure scripts.
pi@workspacesd:~$ make $CONFIGURE_ARGS -f client.mk configure CONFIGURE_ARGS="--with-tor-browser-version=4.5a4 --enable-update-channel=alpha"
Disable Tor Browser update, because none is available.
pi@workspacesd:~$ nano /home/pi/tor-browser/.mozconfig
...
#ac_add_options --enable-tor-browser-update
...
Compile. It should take 6-7 hours at 100% CPU. I recommend cooling the Pi 2 with a small fan, to prevent overheating and self-protective shutdown.
pi@workspacesd:~$ make $MAKEOPTS -f client.mk build
Now make Tor Browser (Firefox).
pi@workspacesd:~$ make -C obj-* package INNER_MAKE_PACKAGE=true
It will be at /home/pi/tor-browser/obj-armv7l-unknown-linux-gnueabihf/dist/firefox.
Download tor-browser-linux32-4.5a4_en-US.tar.xz and extract it in /home/pi/.
pi@workspacesd:~$ mv /home/pi/tor-browser-linux32-4.5a4_en-US.tar.xz /home/pi/
pi@workspacesd:~$ tar xvfJ tor-browser-linux32-4.5a4_en-US.tar.xz
pi@workspacesd:~$ cp -a /home/pi/tor-browser/obj-armv7l-unknown-linux-gnueabihf/dist/firefox/* /home/pi/tor-browser_en-US/Browser/
To avoid the possibility of Tor over Tor, delete the Tor folder in Tor Browser.
pi@workspacesd:~$ rm -r /home/pi/tor-browser_en-US/Browser/TorBrowser/Tor
By default, Tor Browser won't start without Tor running. So add these two lines to prefs.js.
pi@workspacesd:~$ nano ~/tor-browser_en-US/Browser/TorBrowser/Data/Browser/profile.default/prefs.js
.............................................................
...
user_pref("extensions.torlauncher.prompt_at_startup", false);
user_pref("extensions.torlauncher.start_tor", false);
...
.............................................................
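The guide has you hand-edit the same two files more than once: /etc/resolv.conf on the workspace Pi (nameserver 10.9.0.1 while the gateway is in VPN mode, 192.168.2.1 while it routes through Tor) and the torlauncher entries in prefs.js. The shell functions below are an added example, not part of the original guide, that make those edits idempotently so a repeated run cannot leave a second nameserver line or a duplicate user_pref. File paths are arguments (defaulting to /etc/resolv.conf), so the functions can be tried on scratch copies first; the function names are my own.

```shell
#!/bin/sh
# Added example (not from the original guide): idempotent editors for
# /etc/resolv.conf and Tor Browser's prefs.js, the two files the guide has
# you edit by hand in more than one step.

# set_nameserver FILE ADDR
# Replace every "nameserver" line in FILE with a single "nameserver ADDR",
# or append one if FILE has none. domain/search lines are kept as they are.
# Writing with cat > FILE (not mv) keeps the file's owner, mode and inode.
set_nameserver() {
    file="$1"; addr="$2"
    [ -r "$file" ] || { echo "cannot read $file" >&2; return 1; }
    tmp="$(mktemp)" || return 1
    # grep -v exits 1 when nothing is left to print (file held only
    # nameserver lines); that is not an error here.
    grep -v '^nameserver[[:space:]]' "$file" > "$tmp" || :
    printf 'nameserver %s\n' "$addr" >> "$tmp"
    cat "$tmp" > "$file" && rm -f "$tmp"
}

# get_nameserver FILE: print the nameserver(s) currently configured.
get_nameserver() {
    awk '/^nameserver[[:space:]]/ { print $2 }' "$1"
}

# workspace_mode tor|vpn [FILE]
# Point the workspace at the resolver the guide prescribes for each gateway
# mode: 192.168.2.1 when the gateway runs rules.v4 (Tor), 10.9.0.1 when it
# runs vpn-rules.v4 (VPN only).
workspace_mode() {
    resolv="${2:-/etc/resolv.conf}"
    case "$1" in
        tor) set_nameserver "$resolv" 192.168.2.1 ;;
        vpn) set_nameserver "$resolv" 10.9.0.1 ;;
        *)   echo "usage: workspace_mode tor|vpn [resolv.conf]" >&2; return 2 ;;
    esac
}

# set_user_pref FILE NAME VALUE
# Set user_pref("NAME", VALUE); in a Firefox/Tor Browser prefs.js, replacing
# an existing line for NAME whatever its current value, else appending one.
# VALUE is inserted verbatim (false, true, 0, "\"string\"").
set_user_pref() {
    file="$1"; name="$2"; value="$3"
    [ -r "$file" ] || { echo "cannot read $file" >&2; return 1; }
    tmp="$(mktemp)" || return 1
    # -F: the pref name contains dots, which must not act as regex wildcards.
    grep -vF "user_pref(\"$name\"," "$file" > "$tmp" || :
    printf 'user_pref("%s", %s);\n' "$name" "$value" >> "$tmp"
    cat "$tmp" > "$file" && rm -f "$tmp"
}

# Usage on the workspace Pi (as root), e.g.:
#   workspace_mode vpn          # before the large git clone
#   workspace_mode tor          # when done
#   set_user_pref ~/tor-browser_en-US/Browser/TorBrowser/Data/Browser/profile.default/prefs.js \
#       extensions.torlauncher.start_tor false
```

Run the prefs.js edits only while Tor Browser is closed; Firefox rewrites prefs.js on exit and would overwrite the change. A single nameserver line matters for the leak model: with both 10.9.0.1 and 192.168.2.1 present, the resolver would fall back from one to the other and DNS could leave through whichever path is currently up.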
Make sure that gateway Pi is routing everything through Tor.
pi@gatewaysd:~$ sudo iptables-restore < /etc/iptables/rules.v4
And make sure that workspace Pi is using <192.168.2.1> as nameserver.
pi@workspacesd:~$ sudo nano /etc/resolv.conf
......................
domain localdomain
search localdomain
nameserver 192.168.2.1
......................
Start Tor Browser.
pi@workspacesd:~$ /home/pi/tor-browser_en-US/start-tor-browser
Go to Preferences/Advanced/Network/Settings, and change SOCKS Host from <127.0.0.1> to <192.168.2.1>.
Browse https://check.torproject.org/: "Congratulations. This browser is configured to use Tor."
Hit "New Tor Circuit for this Site" in Torbutton: check page reloads with new IP address.
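The two manual checks above (check.torproject.org and the new-circuit reload) can be scripted so you can re-run them after every rules.v4 / resolv.conf change. The following is an added example, not part of the original guide: it queries check.torproject.org's JSON endpoint through the gateway's SocksPort with curl, using --socks5-hostname so the hostname is resolved by Tor rather than by the workspace resolver, and parses the IsTor and IP fields. The endpoint path /api/ip and the GATEWAY_SOCKS variable are assumptions of this example; the parsing functions are separated out so they work on a captured reply without network access.

```shell
#!/bin/sh
# Added example (not from the original guide): confirm that the workspace
# Pi reaches the web only through the gateway's Tor SocksPort.
# Assumption: check.torproject.org answers https://check.torproject.org/api/ip
# with JSON of the form {"IsTor":true,"IP":"203.0.113.5"}.

# The gateway's SocksPort. With the rinetd forwarding from the guide,
# 127.0.0.1:9050 works as well.
GATEWAY_SOCKS="${GATEWAY_SOCKS:-192.168.2.1:9050}"

# parse_istor JSON: print yes / no / unknown from the IsTor field.
# Whitespace is stripped first so a pretty-printed reply parses too.
parse_istor() {
    j="$(printf '%s' "$1" | tr -d ' \t\n\r')"
    case "$j" in
        *'"IsTor":true'*)  echo yes ;;
        *'"IsTor":false'*) echo no ;;
        *)                 echo unknown ;;
    esac
}

# exit_ip JSON: print the IP field (the address the site saw), or nothing.
exit_ip() {
    printf '%s' "$1" | tr -d ' \t\n\r' | sed -n 's/.*"IP":"\([^"]*\)".*/\1/p'
}

# fetch_check: one request through the SocksPort; prints the raw reply.
fetch_check() {
    curl -sS --max-time 30 --socks5-hostname "$GATEWAY_SOCKS" \
        https://check.torproject.org/api/ip
}

# tor_check: exit 0 only if the site reports the request came via Tor.
tor_check() {
    reply="$(fetch_check)" || { echo "fetch failed via $GATEWAY_SOCKS" >&2; return 1; }
    case "$(parse_istor "$reply")" in
        yes) echo "via Tor, exit $(exit_ip "$reply")" ;;
        no)  echo "NOT via Tor, site saw $(exit_ip "$reply")" >&2; return 1 ;;
        *)   echo "unexpected reply: $reply" >&2; return 1 ;;
    esac
}

# circuit_changed OLD_JSON NEW_JSON: yes if the exit IP differs between two
# replies (what "New Tor Circuit for this Site" should produce), else no.
circuit_changed() {
    a="$(exit_ip "$1")"; b="$(exit_ip "$2")"
    [ -n "$a" ] && [ -n "$b" ] && [ "$a" != "$b" ] && echo yes || echo no
}

# Usage on the workspace Pi:
#   tor_check                      # after loading rules.v4 on the gateway
#   r1=$(fetch_check); r2=$(fetch_check); circuit_changed "$r1" "$r2"
```

A "NOT via Tor" result while rules.v4 is loaded means something between the workspace and the gateway is not what this guide set up (for instance vpn-rules.v4 still active, or a stale nameserver line), so fix that before starting Tor Browser. Two consecutive fetch_check calls from the same script usually share a circuit, so circuit_changed is expected to say no there; it says yes when the second reply was taken after a new circuit was requested.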
To be added:
uwt (torsocks with stream isolation)
proxychains-ng
TorBirdy
Icedove + Enigmail
Tor Messenger
Electrum