Tor Proxy set-up

[NewPi]

Hi again,

Having now set up the Pi as a WAP, I'm trying to set it up as a Tor proxy. I followed all the steps, but can't connect to the AP successfully. I'm pretty sure i did everything correctly....for your perusal, here is some info :

interface=wlan0
driver=rtl871xdrv
ssid=ORPi
hw_mode=g
channel=6
macaddr_acl=0
auth_algs=1
ignore_broadcast_ssid=0
wpa=2
wpa_passphrase=*******
wpa_key_mgmt=WPA-PSK
wpa_pairwise=TKIP
rsn_pairwise=CCMP

i@raspberrypi ~ $ sudo iptables -t nat -L
Chain PREROUTING (policy ACCEPT)
target prot opt source destination
REDIRECT tcp -- anywhere anywhere tcp dpt:ssh redir ports 22
REDIRECT udp -- anywhere anywhere udp dpt:domain redir ports 53
REDIRECT tcp -- anywhere anywhere tcpflags: FIN,SYN,RST,ACK/SYN redir ports 9040

Chain INPUT (policy ACCEPT)
target prot opt source destination

Chain OUTPUT (policy ACCEPT)
target prot opt source destination

Chain POSTROUTING (policy ACCEPT)
target prot opt source destination

I didn't get any errors during the tutorial. The only thing I did that deviated slightly, was to add that entry to the iptables to allow me to SSH later on, but I did that according to the instructions. Any ideas ?

[adafruit_support_mike]

The behavior for the NAT table looks okay, but let's take a look at the contents of /etc/iptables.ipv4.nat just to be sure.

While we're at it, could you also post the contents of /etc/sysctl.conf? Let's make sure the kernel is turning NAT on by default when the system boots.

CODE tags for both, please.

[NewPi]

Sure thing...

Code: Select all

sudo nano /etc/iptables.ipv4.nat

# Generated by iptables-save v1.4.14 on Thu Dec 12 12:05:12 2013
*nat
: PREROUTING ACCEPT [2:406]
:INPUT ACCEPT [2:406]
:OUTPUT ACCEPT [0:0]
: POSTROUTING ACCEPT [0:0]
-A PREROUTING -i wlan0 -p tcp -m tcp --dport 22 -j REDIRECT --to-ports 22
-A PREROUTING -i wlan0 -p udp -m udp --dport 53 -j REDIRECT --to-ports 53
-A PREROUTING -i wlan0 -p tcp -m tcp --tcp-flags FIN,SYN,RST,ACK SYN -j REDIREC$
COMMIT
# Completed on Thu Dec 12 12:05:12 2013
# Generated by iptables-save v1.4.14 on Thu Dec 12 12:05:12 2013
*filter
:INPUT ACCEPT [135:42346]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [115:30663]
COMMIT
# Completed on Thu Dec 12 12:05:12 2013

Code: Select all

sudo nano /etc/sysctl.conf

...

# Uncomment the next two lines to enable Spoof protection (reverse-path filter)
# Turn on Source Address Verification in all interfaces to
# prevent some spoofing attacks
#net.ipv4.conf.default.rp_filter=1
#net.ipv4.conf.all.rp_filter=1

# Uncomment the next line to enable TCP/IP SYN cookies
# See http://lwn.net/Articles/277146/
# Note: This may impact IPv6 TCP sessions too
#net.ipv4.tcp_syncookies=1

# Uncomment the next line to enable packet forwarding for IPv4
#net.ipv4.ip_forward=1

# Uncomment the next line to enable packet forwarding for IPv6
#  Enabling this option disables Stateless Address Autoconfiguration
#  based on Router Advertisements for this host
#net.ipv6.conf.all.forwarding=1

...


# Do not accept ICMP redirects (prevent MITM attacks)
#net.ipv4.conf.all.accept_redirects = 0
#net.ipv6.conf.all.accept_redirects = 0
# _or_
# Accept ICMP redirects only for gateways listed in our default
# gateway list (enabled by default)
# net.ipv4.conf.all.secure_redirects = 1
#
# Do not send ICMP redirects (we are not a router)
#net.ipv4.conf.all.send_redirects = 0
#
# Do not accept IP source route packets (we are not a router)
#net.ipv4.conf.all.accept_source_route = 0
#net.ipv6.conf.all.accept_source_route = 0
#
# Log Martian Packets
#net.ipv4.conf.all.log_martians = 1
#

# rpi tweaks
vm.swappiness=1
vm.min_free_kbytes = 8192
net.ipv4.ip_forward=1

Please note, I left out some of that file for the sake of brevity. It was all that informational stuff. The stuff there is what I thought was relevant...

[adafruit_support_mike]

Okay, those look good. Let's back up and check some basics: what do you get from `ifconfig -a`, and what do you have in /ect/network/interfaces?

[NewPi]

Sorry for the delay....here you go :

Code: Select all

auto lo

iface lo inet loopback
iface eth0 inet dhcp

auto wlan0

iface wlan0 inet static
  address 192.168.42.1
  netmask 255.255.255.0

#iface wlan0 inet manual
#wpa-roam /etc/wpa_supplicant/wpa_supplicant.conf
#iface default inet dhcp

up iptables-restore < /etc/iptables.ipv4.nat

and ...

Code: Select all

pi@raspberrypi ~ $ ifconfig -a
eth0      Link encap:Ethernet  HWaddr b8:27:eb:22:df:cc  
          inet addr:192.168.0.104  Bcast:192.168.0.255  Mask:255.255.255.0
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
          RX packets:2976 errors:0 dropped:0 overruns:0 frame:0
          TX packets:2272 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:1000 
          RX bytes:3154536 (3.0 MiB)  TX bytes:463280 (452.4 KiB)

lo        Link encap:Local Loopback  
          inet addr:127.0.0.1  Mask:255.0.0.0
          UP LOOPBACK RUNNING  MTU:16436  Metric:1
          RX packets:0 errors:0 dropped:0 overruns:0 frame:0
          TX packets:0 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:0 
          RX bytes:0 (0.0 B)  TX bytes:0 (0.0 B)

wlan0     Link encap:Ethernet  HWaddr 00:13:ef:d0:19:98  
          inet addr:192.168.42.1  Bcast:192.168.42.255  Mask:255.255.255.0
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
          RX packets:0 errors:0 dropped:0 overruns:0 frame:0
          TX packets:0 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:1000 
          RX bytes:0 (0.0 B)  TX bytes:0 (0.0 B)

[adafruit_support_mike]

Those look good too. The wifi adapter has an IP address, but it clearly shows no data received or sent.

Are you sure `hostapd` is starting at boot time? Try `ps ax | grep hostapd` to see if you have a version of it running currently.

[NewPi]

Wish I knew enough to be able to be proactive....I did have to reconfigure my keyboard to get the pipe symbol though, so that's something...here you go :

Code: Select all

pi@raspberrypi ~ $ ps ax | grep hostapd
 2315 ?        Ss     0:00 /usr/sbin/hostapd -B -P /var/run/hostapd.pid /etc/hostapd/hostapd.conf
 2845 pts/0    S+     0:00 grep --color=auto hostapd

[adafruit_support_mike]

Linux has lots of moving pieces, and the command line environment is a toolkit crammed with 50 years of potentially useful stuff. It takes a while to learn the territory.

The output you posted shows that `hostapd` is running as it should. So far, all the tests show that you have a working WAP server/TOR proxy, except for that little detail of it not working at all.

Let's see if the system diagnostics tell us anything useful: try `dmesg | more` to see if there are any problems reported in the general vicinity of where the OS recognizes the wifi dongle. Also take a look in /var/log/messages to see if that has anything that looks suspicious.

[NewPi]

Sorry for the delay...darn holiday season...pretty sure the wifi adapter is being recognized...

Code: Select all

[    3.507158] usb 1-1.2: Product: 802.11n WLAN Adapter
[    3.532538] usb 1-1.2: Manufacturer: Realtek
[    3.552543] usb 1-1.2: SerialNumber: 00e04c000001
[    3.672867] usb 1-1.3: new high-speed USB device number 5 using dwc_otg
[    3.814476] usb 1-1.3: New USB device found, idVendor=05e3, idProduct=0608
[    3.842571] usb 1-1.3: New USB device strings: Mfr=0, Product=1, SerialNumber
=0

...and as far as /var/log/messages, doesn't look as if anything's out of place. Again, I'm new to this though.

Code: Select all

Dec 18 08:50:07 raspberrypi kernel: [    3.507158] usb 1-1.2: Product: 802.11n WLAN Adapter
Dec 18 08:50:07 raspberrypi kernel: [    3.532538] usb 1-1.2: Manufacturer: Realtek
Dec 18 08:50:07 raspberrypi kernel: [    3.552543] usb 1-1.2: SerialNumber: 00e04c000001

Nothing to suggest any errors anywhere in there.

[adafruit_support_mike]

Well, the dmesg output looks normal and the part of /var/log/messages doesn't give any useful hints.

Let's poke at hostapd to see if it has anything. Shut down the version that's running now.. when you execute `ps ax | grep hostapd`, the number in the first column is the 'process identifier' or PID. If the PID is 1234, use `sudo kill -9 1234` to shut the daemon down.

Then restart it from the command line with `sudo hostapd -ddKt /etc/hostapd/hostapd.conf`. The '-dd' option tells the program to emit as many debug messages as it can, '-K' tells it to display key information when appropriate, and '-t' tells it to display timestamps when those are appropriate. The combination basically means "tell me everything".

[NewPi]

Hey, so happy holidays ! Hope they brought you guys a cheese tray or something; alternatively, if you're working from home, that you at least had a mild buzz going...anyway, the output from that command starts as follows :

Code: Select all

pi@raspberrypi ~ $ sudo hostapd -ddKt /etc/hostapd/hostapd.conf
1388178033.892236: random: Trying to read entropy from /dev/random
1388178033.893604: Configuration file: /etc/hostapd/hostapd.conf
drv->ifindex=3
l2_sock_recv==l2_sock_xmit=0x0x3a3638
1388178033.898637: BSS count 1, BSSID mask 00:00:00:00:00:00 (0 bits)

then goes through all the channels that are allowed. then mode, channel, and freq...

Code: Select all

1388178033.914475: Mode: IEEE 802.11g  Channel: 6  Frequency: 2437 MHz

not sure if this is significant:

Code: Select all

+rtl871x_sta_deauth_ops, ff:ff:ff:ff:ff:ff is deauth, reason=2
rtl871x_set_key_ops
rtl871x_set_key_ops
rtl871x_set_key_ops
rtl871x_set_key_ops
1388178033.917845: Using interface wlan0 with hwaddr 00:13:ef:d0:19:98 and ssid 'ORPi'
1388178033.918013: Deriving WPA PSK based on passphrase
1388178033.918119: SSID - hexdump_ascii(len=4):
     4f 52 50 69                                       ORPi            

then this last bit:

Code: Select all

1388178034.217701: random: Got 20/20 bytes from /dev/random
1388178034.218648: Get randomness: len=32 entropy=0
1388178034.223918: GMK - hexdump(len=32): cf 53 eb e0 c1 17 ec 0f 26 5c 09 f0 ea 63 9f c8 15 d4 39 3e 0e 74 f3 a8 b4 c9 2a de fc 6a 9f 07
1388178034.229419: Get randomness: len=32 entropy=0
1388178034.234132: Key Counter - hexdump(len=32): 14 56 93 85 0d 79 1c 61 7c 7b 98 f8 3f db 99 99 f2 a7 51 7e 32 c6 fc 87 19 9c 79 d3 a0 df 31 4a
1388178034.249402: WPA: group state machine entering state GTK_INIT (VLAN-ID 0)
1388178034.249556: Get randomness: len=16 entropy=0
1388178034.253913: GTK - hexdump(len=16): 65 b0 4a ab ff 5a 92 b1 eb 0e b8 e6 1f 50 38 3f
1388178034.254142: WPA: group state machine entering state SETKEYSDONE (VLAN-ID 0)
rtl871x_set_key_ops
rtl871x_set_beacon_ops
rtl871x_set_hidden_ssid_ops
1388178034.280945: wlan0: Setup of interface done.
1388178034.282398: Wireless event: cmd=0x8b15 len=20

[adafruit_support_mike]

According to that, `hostapd` is running perfectly. It even saw enough entropy from /dev/random to update the encryption key.

I'm starting to wonder if it's just not broadcasting its SSID. Try doing a manual connection to 'ORPi' with the PSK you chose, and see if that does anything. Leave the -ddKt version of `hostapd` running while you do, and see if it reports any wireless events/traffic.

[NewPi]

Ok, here are the results for that (sorry for the delay):

This bit seemed interesting...

Code: Select all

+rtl871x_get_sta_wpaie, 24:fd:52:ce:c5:47 is sta's address
1388928703.577767: Add randomness: count=1 entropy=0
1388928703.577918: wlan0: STA 24:fd:52:ce:c5:47 IEEE 802.11: associated
1388928703.580551: STA included RSN IE in (Re)AssocReq
1388928703.581058:   New STA
1388928703.581547: wlan0: STA 24:fd:52:ce:c5:47 WPA: event 1 notification
rtl871x_set_key_ops
1388928703.582251: IEEE 802.1X: Ignore STA - 802.1X not enabled or forced for WPS

Then this...

Code: Select all

1388928703.583489: wlan0: STA 24:fd:52:ce:c5:47 WPA: start authentication
1388928703.583865: WPA: 24:fd:52:ce:c5:47 WPA_PTK entering state INITIALIZE
rtl871x_set_key_ops
1388928703.587272: wlan0: STA 24:fd:52:ce:c5:47 IEEE 802.1X: unauthorizing port
1388928703.587892: WPA: 24:fd:52:ce:c5:47 WPA_PTK_GROUP entering state IDLE
1388928703.588524: WPA: 24:fd:52:ce:c5:47 WPA_PTK entering state AUTHENTICATION
1388928703.589055: WPA: 24:fd:52:ce:c5:47 WPA_PTK entering state AUTHENTICATION2
1388928703.590301: WPA: Re-initialize GMK/Counter on first station
1388928703.590916: Get randomness: len=32 entropy=1

Code: Select all

1388929132.848146: WPA: Use EAPOL-Key timeout of 1000 ms (retry counter 1)
1388929133.058784: IEEE 802.1X: 121 bytes from 24:fd:52:ce:c5:47
1388929133.058901:    IEEE 802.1X: version=1 type=3 length=117

But the last part seems to indicate things are ok ?

Code: Select all

1388929133.070971: WPA: 24:fd:52:ce:c5:47 WPA_PTK entering state PTKINITDONE
rtl871x_set_key_ops
1388929133.071158: wlan0: STA 24:fd:52:ce:c5:47 IEEE 802.1X: authorizing port
1388929133.071233: wlan0: STA 24:fd:52:ce:c5:47 RADIUS: starting accounting session 52C95E97-00000001
1388929133.078197: wlan0: STA 24:fd:52:ce:c5:47 WPA: pairwise key handshake completed (RSN)

So trying to connect to the AP, yields "limited connectivity". I still tried to browse to http://www.mit.edu (firefox), to see what would come up on that hostapd debug log:

Code: Select all

1388929260.830862: Wireless event: cmd=0x8c04 len=20
1388929260.831019: wlan0: STA 24:fd:52:ce:c5:47 IEEE 802.11: disassociated
1388929260.831237: wlan0: AP-STA-DISCONNECTED 24:fd:52:ce:c5:47
1388929260.831313: wlan0: STA 24:fd:52:ce:c5:47 WPA: event 2 notification
rtl871x_set_key_ops
1388929260.831421: WPA: 24:fd:52:ce:c5:47 WPA_PTK entering state DISCONNECTED
1388929260.831472: WPA: 24:fd:52:ce:c5:47 WPA_PTK entering state INITIALIZE
rtl871x_set_key_ops
1388929260.831593: wlan0: STA 24:fd:52:ce:c5:47 IEEE 802.1X: unauthorizing port
+rtl871x_sta_remove_ops, 24:fd:52:ce:c5:47 is sta address removed
1388929263.638152: wlan0: WPA rekeying GTK
1388929263.638256: WPA: group state machine entering state SETKEYS (VLAN-ID 0)
1388929263.638309: Get randomness: len=16 entropy=3

Needless to say, the site didn't come up.

[adafruit_support_mike]

Hmm.. The 802.X error tends to show up when there are problems with the broadcast frame, or the driver doesn't support AP mode.

What OS and wifi dongle are you using?

[NewPi]

Pretty sure it's Raspian Wheezy (13/07/26), and the WiFi dongle supplied through your company. I had bought the Onion Pi kit, and it came with it. On the site, it's just called "miniature wifi 802.11 b/g/n".