You are without doubt already familiar with the Tor project. The Tor browser is already a very handy tool to surf anonymously, but what if we had an entire network's traffic forwarded through Tor via a special gateway? Let's transform a tiny router in a transparent Tor proxy, a portable Wifi access point redirecting all traffic to the Tor network!

Let's begin with a short presentation of one of my favorite hackable network devices: the TL-MR3020.

The portable 3G/4G wireless N router TL-MR3020 from TP-Link

Despite being marketed as a portable 3G/4G wireless N router, it does not possess any kind of mobile telecommunication interface. Instead, it's a very small and cheap router featuring a 802.11n 150Mbps Wifi interface, a 100Mbps ethernet port, and a USB port. It is powered over a mini-B USB port and it has an extremely low power consumption with an average current draw around 120mA at 5V, i.e. 600mW. Its hardware is pretty limited: an Atheros AR9331 SoC with a 400MHz MIPS processor, 32MB of RAM, and 4MB of flash memory.

The preliminary step for our Tor box is to install OpenWRT (this example uses Barrier Breaker) so we have a full-featured Linux system on it. Once OpenWRT is installed, connect to its Wifi network and ssh into the router.

Tor software is available as a package for opkg, OpenWRT's package manager. However, the 4MB flash memory is way too small to install it, so we need to get more space for packages installation. The easiest way to do so is to move the root file system overlay on an external device, e.g. a USB key.

First, format a USB key as ext4 on another computer and plug it in the router. We can then mount the filesystem (we need to install some packages for the proper kernel modules) and copy the overlay partition content there:

# opkg update
# opkg install kmod-usb-storage kmod-fs-ext4 block-mount
# mkdir /mnt/usb
# mount /dev/sda1 /mnt/usb
# tar -cf -C /overlay - . | tar -xf -C /mnt/usb -

Using tar to copy entire filesystems is always a good habit to keep everyting intact, e.g. permissions and links. What tar actually does here basically boils down to converting the entire filesystem in a stream of bytes, then converting the stream of bytes in a filesystem. Then, modify /etc/config/fstab by adding a new entry for the USB key:

[...]
config mount
        option target        '/overlay'
        option device        '/dev/sda1'
        option fstype        'ext4'
        option options       'rw,sync'
        option enabled       1
        option enabled_fsck  0

Eventually, reboot the system, so the USB key will be mounted on /overlay:

# reboot

We can now install Tor:

# opkg update
# opkg install tor

We first configure the wireless interface:

[...]
config wifi-iface
        option device       'radio0'
        option network      'lan'
        option mode         'ap'
        option ssid         'Tor Box'       # SSID of your choice
        option encryption   'psk2+ccmp'     # Enable WPA2 encryption
        option key          'MY_SECRET_KEY' # Pre-shared key

Then we set up the network. The LAN uses the address range 192.168.180.0/24 and the router interface uses 192.168.180.1:

[...]
config interface 'lan'
        option ifname       'wlan0'
        option proto        'static'
        option ipaddr       '192.168.180.1' # Router address on the LAN (Wifi) interface
        option netmask      '255.255.255.0'

config interface 'wan'
        option ifname       'eth0'
        option proto        'dhcp'          # WAN (ethernet) uses DHCP to get an address

Then we modify the firewall to disable forwarding between LAN and WAN:

config defaults
        option input        ACCEPT
        option output       ACCEPT
        option forward      REJECT
        option syn_flood    1
        option disable_ipv6 1         # Disable IPv6, this router will be IPv4 only

config zone
        option name         'lan'
        list   network      'lan'
        option input        ACCEPT
        option output       ACCEPT
        option forward      REJECT    # Important: Do not forward traffic from the LAN
        option conntrack    1
[...]

We need to add two custom iptables lines in /etc/firewall.user to redirect DNS requests and TCP connections from the LAN to the Tor daemon. Other kinds of traffic, for instance other protocols over UDP, won't be routed to the WAN, and will simply be rejected. This restrictive configuration prevents attacks like WebRTC leak. However, don't expect non purely TCP-based protocols like VoIP or BitTorrent to work behind the Tor box.

iptables -t nat -A PREROUTING -i wlan0 -p udp --dport 53 -j REDIRECT --to-port 9053
iptables -t nat -A PREROUTING -i wlan0 ! -d 192.168.180.0/24 -p tcp --syn -j REDIRECT --to-port 9040

Eventually, we have to configure the Tor daemon itself in /etc/tor/torrc:

Log notice file /var/log/tor/notices.log
Nickname ChapelierFou # Nickname of your choice
ExitPolicy reject *:* # No exits allowed
RelayBandwidthRate 100 KB
RelayBandwidthBurst 200 KB

VirtualAddrNetwork 10.192.0.0/10
AutomapHostsOnResolve 1
TransPort 9040
TransListenAddress 192.168.180.1
DNSPort 9053
DNSListenAddress 192.168.180.1

Everything is now ready, let's enable the Tor daemon and reboot! For some strange reason the daemon won't start with /etc/init.d/tor enable, so the easiest way is to start it from /etc/rc.local:

[...]
sleep 30 && /etc/init.d/tor start
exit 0

# reboot

After a short while, you can surf through Tor with any device simply by connecting to the Wifi network. If something is wrong, check /var/log/tor/notices.log. Hidden services and .onion addresses are available, of course.

Remember that you are responsible for what you do, and that anonymity is _not_ garanteed just by using Tor. At least, be sure you're not logged in on web services, use private mode, enable TLS whenever possible, and stay paranoid. Just because you're paranoid doesn't mean they're not after you!