Raspberry Pi as a Tor router and web filter

Lack of Comprehensive Protection

In this configuration, Onion Pi effectively conceals your IP address. Nevertheless, you do not surf completely anonymously, because scripts and browser plugins such as Java and Flash are able to circumvent this type of anonymization. One example is a flaw in the JavaScript engine of Firefox, which Tor used to deliver as part of its browser bundle until the end of June 2013. If a Tor user visited an appropriately prepared web page, the script contained on the page could grab the MAC address and the host name and send the information to a server of a US intelligence agency.

Logging into your email provider or using a credit card during online shopping also reveals personal data and details about you. Additionally, so-called bad exit nodes represent another danger if you are sending login data through a connection not secured via SSL. The operators of such nodes filter login data out of the data stream and misuse it for their own purposes.

For increased protection, I therefore recommend not only being careful when dealing with your own personal data but also using Firefox in combination with the free extension NoScript [3]. The NoScript add-on blocks all additional multimedia plugins as well as scripts (Figure 5).

Figure 5: Once YouTube is removed from the whitelist of NoScript, it no longer shows videos in your browser.

I recommend that, immediately after installation, you take a look at the settings for the NoScript extension. You will be able to choose the plugins to be deactivated as well as determine which web pages can execute Java or Flash content in the browser by way of an exception list. If you wish to install a central content filter instead, refer to the "Privoxy" box.

Privoxy

The task of installing a content filter for all devices and browsers that use the Tor network over the Tor-Rasp Pi is best done via a centralized control, for obvious reasons. A favorite tool for this purpose is Privoxy. Thanks to finely adjustable rules, the software reliably blocks ads and cookies and provides increased security by also blocking scripts.

To install Privoxy, enter sudo apt-get install privoxy at the console. To make the filter available to the entire Wi-Fi network, open /etc/privoxy/config and assign the value 0.0.0.0:8118 to the variable listen-address.

Similar to an ad blocker for web browsers, Privoxy also provides the capability to block a list of known (advertisement) web pages. The commands in Listing 8 allow you to download such a list and deposit it with the content filter. The installed script automatically downloads filter lists, converts them to the format required by Privoxy, and stores them under /etc/privoxy. Additionally, the lists are recorded in the file /etc/privoxy/config for future use.

The provider updates the filter lists several times a month. Thus, you are advised to establish a cron job, which avoids manual refreshes of the filter lists. To do this, enter crontab -e as user "root" and append the following to the end of the file:

0 22 * * * /bin/bash /usr/local/bin/privoxy-blocklist.sh

This setting causes the script to run every night at 10pm. Next, add a rule to your iptables configuration so that the traffic between the clients and Privoxy (port 8118) is not redirected into Tor, and save the rules right away (Listing 9).

To be on the safe side, restart Privoxy now via service privoxy restart to apply the changes to the configuration. Also, remember to record the proxy setting in the browsers of all your clients (Figure 6). In my test, Privoxy reliably filtered out ads from web pages without any browser add-ons (Figure 7).

Privoxy does have one disadvantage: With several concurrently active users, its CPU usage is rather high. During my tests, this situation caused load times of representative web pages to increase by up to 15 seconds.

Listing 8

Adding Blocklist

# cd /usr/local/bin
# wget -O privoxy-blocklist.sh "http://andrwe.org/doku.php/scripting/bash/privoxy-blocklist?do=export_code&codeblock=0"
# chmod +x privoxy-blocklist.sh
# ./privoxy-blocklist.sh -v 1

Listing 9

Configuring iptables

# iptables -t nat -I PREROUTING -i wlan0 -p tcp --dport 8118 -j REDIRECT --to-ports 8118

Figure 6: The correct proxy settings in Firefox.

Figure 7: On the left, the website cnet.com is shown without NoScript or activated Privoxy; on the right, it is filtered via Privoxy.
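The rule in Listing 9 only protects the client-to-Privoxy traffic if it is listed before the catch-all rule that redirects client TCP traffic to Tor, which is why it is inserted with -I rather than appended. The following script is an added example, not part of the article or of the Onion Pi project: it checks that ordering in iptables-save output. It assumes a Tor TransPort of 9040 (a common Onion Pi setting that the article does not state), and both rulesets are constructed sample input.

```shell
#!/bin/sh
# Added example, not part of the article: verify that the Privoxy exemption
# from Listing 9 is listed BEFORE the catch-all rule that redirects client TCP
# traffic to Tor. REDIRECT is a terminating target, so only the first matching
# PREROUTING rule counts; appending the 8118 rule (-A) instead of inserting it
# (-I) would leave Privoxy traffic on the Tor path.
# Assumption: Tor's TransPort is 9040 (common Onion Pi setup, not stated in
# the article). Both rulesets below are constructed sample iptables-save output.

GOOD_RULES='*nat
:PREROUTING ACCEPT [0:0]
-A PREROUTING -i wlan0 -p tcp -m tcp --dport 8118 -j REDIRECT --to-ports 8118
-A PREROUTING -i wlan0 -p udp -m udp --dport 53 -j REDIRECT --to-ports 53
-A PREROUTING -i wlan0 -p tcp -m tcp --tcp-flags FIN,SYN,RST,ACK SYN -j REDIRECT --to-ports 9040
COMMIT'

# Same rules, but the Privoxy exemption was appended (-A) after the Tor redirect.
BAD_RULES='*nat
:PREROUTING ACCEPT [0:0]
-A PREROUTING -i wlan0 -p udp -m udp --dport 53 -j REDIRECT --to-ports 53
-A PREROUTING -i wlan0 -p tcp -m tcp --tcp-flags FIN,SYN,RST,ACK SYN -j REDIRECT --to-ports 9040
-A PREROUTING -i wlan0 -p tcp -m tcp --dport 8118 -j REDIRECT --to-ports 8118
COMMIT'

# privoxy_rule_precedes_tor RULESET
# Prints the positions of both rules within PREROUTING; exit status 0 when the
# Privoxy exemption comes first, 1 when it is missing or ordered after Tor.
privoxy_rule_precedes_tor() {
    printf '%s\n' "$1" | awk '
        /^-A PREROUTING / { n++ }
        /^-A PREROUTING / && /--dport 8118 -j REDIRECT/ && !p { p = n }
        /^-A PREROUTING / && /-j REDIRECT --to-ports 9040/ && !t { t = n }
        END {
            if (!p) { print "Privoxy exemption (dport 8118) missing"; exit 1 }
            if (!t) { print "Tor redirect (to-ports 9040) missing"; exit 1 }
            printf "Privoxy rule is #%d, Tor redirect is #%d\n", p, t
            if (p < t) exit 0
            print "WARNING: Privoxy traffic would be redirected to Tor"
            exit 1
        }'
}

# On the Pi itself (as root), check the live table instead of the sample:
#   privoxy_rule_precedes_tor "$(iptables-save -t nat)"
```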

Up and Running

The Tor proxy on the Raspberry Pi is impressive because of its fast installation and minimal operating costs. This type of Onion router is the ideal tool for ensuring maximum privacy on your own home network.

However, there's no such thing as a free lunch. The surfing performance of a Tor-enabled Raspberry Pi system lags significantly behind the performance of the unprotected solution. Although testing showed hardly any reduction in data throughput, the latency times turned out to be a bottleneck. With Tor, the latency amounted to about 600 milliseconds. By comparison, a similar system running without Tor had a latency of 20 milliseconds.

If you use Google as the search engine on the Tor-Rasp Pi, the system will regularly prompt you to enter a captcha; even worse, sometimes searches will not be performed at all. This behavior stems from an automatic bot-detection mechanism that classifies the IP address presented by Tor as a possible open proxy or a script, because the address of the actual Tor exit node is presumably shared by several hundred users at the same time.

Alternative search engines, such as DuckDuckGo [4] or Startpage [5], avoid this issue, because they route search requests to Google and display the results directly.

The Author

Valentin Höbel works as technical project leader for Linux Informations Systems AG. In his free time, he keeps himself busy playing foosball (table soccer) and with his favorite operating system and the Raspberry Pi.
