Setting Up a Tor Wi-Fi Access Point for Anonymous Client Traffic
In this article, we’ll look at how to configure a Wi-Fi access point (AP) that automatically anonymizes all outgoing client traffic through the Tor network. We’ll also explore some practical use cases for both everyday users and security researchers.
Why Use a Tor Access Point?
With the rise of widespread IP address blocking, more people are realizing the need for proxying and anonymization tools in daily life. While free VPN clients are increasingly available, not all of them are trustworthy or well-implemented. Tor, on the other hand, provides both proxying (to bypass blocks) and advanced anonymity out of the box. All communication between Tor nodes is encrypted, and connections are routed through at least three randomly selected nodes. By automating the process of connecting to a Wi-Fi AP and routing all traffic through Tor, you get a powerful tool that goes far beyond just bypassing censorship.
Initial AP Setup
To create the access point, you’ll need a device capable of running a Linux-based OS (a virtual machine works too). Any Linux distribution will do; here, we’ll use a Debian-based system. You’ll also need a Wi-Fi adapter.
- Connect your Wi-Fi adapter and confirm its interface name (e.g., wlan0) with:
  $ ip addr show wlan0
- Disable Network Manager’s control over Wi-Fi and activate the adapter:
  $ sudo nmcli radio wifi off
  $ sudo rfkill unblock wlan
- Assign an IP address to the adapter (this will be the gateway for clients):
  # ip addr add 10.0.0.1/24 dev wlan0
- Switch the adapter to AP mode using hostapd:
  $ sudo apt-get install hostapd
  Create a hostapd.conf file with the following content:
  interface=wlan0
  ssid=TorNet
  channel=1
  # macaddr_acl=0: accept every station except those listed in deny_mac_file
  macaddr_acl=0
  deny_mac_file=./denied_macs
  logger_syslog=-1
  logger_syslog_level=2
  hw_mode=g
  wpa=2
  wpa_passphrase=xxxxxxxx
  wpa_key_mgmt=WPA-PSK WPA-EAP WPA-PSK-SHA256 WPA-EAP-SHA256
  # Added here: require AES-CCMP for WPA2 rather than relying on the build’s default pairwise cipher
  rsn_pairwise=CCMP
  Start hostapd:
  # hostapd ./hostapd.conf
Note: Some hostapd versions have a bug where Network Manager blocks the interface. If you see “Interface wlan0 wasn’t started,” see this workaround.
Enabling DHCP and DNS
Clients won’t be able to connect until you set up DHCP. Install dnsmasq:
  $ sudo apt-get install dnsmasq
Create a dnsmasq.conf file:
  interface=wlan0
  # lease pool for clients, 8-hour leases
  dhcp-range=10.0.0.10,10.0.0.250,8h
  # option 3 = default gateway, option 6 = DNS server; both point at the AP
  dhcp-option=3,10.0.0.1
  dhcp-option=6,10.0.0.1
  log-queries
  log-dhcp
Start dnsmasq:
  # dnsmasq -C ./dnsmasq.conf
Internet Access for the AP
You’ll need a second network interface for internet access (e.g., eth0 or a second Wi-Fi adapter). To enable NAT between the interfaces:
  $ sudo sysctl -w net.ipv4.ip_forward=1
  $ sudo iptables -P FORWARD ACCEPT
  $ sudo iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE
At this point, your AP works like a regular router, providing internet access to clients via your ISP’s IP address. Next, we’ll route all client traffic through Tor.
Routing All Traffic Through Tor
- Install Tor:
  $ sudo apt-get install tor
- Edit /etc/tor/torrc to set up Tor as a transparent proxy:
  # names resolved through Tor (e.g. .onion) are mapped to addresses in this range
  VirtualAddrNetwork 192.168.100.0/10
  AutomapHostsOnResolve 1
  # transparent-proxy listener for redirected client TCP
  TransPort 10.0.0.1:9040
  # DNS listener for redirected client lookups
  DNSPort 10.0.0.1:53
- Start the Tor service:
  $ sudo service tor start
- Redirect all TCP and DNS traffic from clients to Tor using iptables:
  $ sudo iptables -t nat -A PREROUTING -i wlan0 -p tcp -j DNAT --to-destination 10.0.0.1:9040
  $ sudo iptables -t nat -A PREROUTING -i wlan0 -p udp --dport 53 -j DNAT --to-destination 10.0.0.1:53
  Then remove the masquerade rule added earlier, so client traffic is no longer NATed straight out to the internet:
  $ sudo iptables -t nat -D POSTROUTING -o eth0 -j MASQUERADE
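As an added example (not a script from the article), the same redirection as the two iptables commands above, emitted as a single iptables-restore ruleset for the nat table: loading it replaces the whole table, so the earlier MASQUERADE rule disappears with it and re-running is idempotent. It also adds a RETURN for traffic addressed to the AP itself (the article’s TCP rule would otherwise push connections to 10.0.0.1 into the TransPort as well) and two checks: which process holds the DNS port, and whether a client’s exit is really a Tor relay. Function and variable names are assumptions.

```shell
#!/bin/sh
# Added example, not the article's own script. Builds the nat table that sends
# client traffic into Tor, as one iptables-restore ruleset. Variable names are
# assumptions; values default to the article's addresses and ports.
WLAN_IF=${WLAN_IF:-wlan0}
GW=${GW:-10.0.0.1}
TRANS_PORT=${TRANS_PORT:-9040}   # must match TransPort in torrc
DNS_PORT=${DNS_PORT:-53}         # must match DNSPort in torrc

# Print the nat table in iptables-restore format (rule order matters).
tor_nat_ruleset() {
    cat <<EOF
*nat
:PREROUTING ACCEPT [0:0]
:INPUT ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
# client DNS goes to Tor's DNSPort
-A PREROUTING -i $WLAN_IF -p udp --dport 53 -j DNAT --to-destination $GW:$DNS_PORT
# other traffic addressed to the AP itself is left untouched (added here; the
# article's rule would also rewrite TCP to 10.0.0.1 into the TransPort)
-A PREROUTING -i $WLAN_IF -d $GW -j RETURN
# every remaining client TCP flow goes to Tor's TransPort
-A PREROUTING -i $WLAN_IF -p tcp -j DNAT --to-destination $GW:$TRANS_PORT
COMMIT
EOF
}

# Load only the nat table; FORWARD policy and ip_forward stay as set earlier.
apply_tor_nat() { tor_nat_ruleset | iptables-restore -T nat; }

# Which process owns the DNS port on the AP? dnsmasq and Tor's DNSPort are both
# configured for 10.0.0.1:53; if dnsmasq is the one answering, client lookups
# are resolved upstream by dnsmasq rather than through Tor. Needs root for -p.
dns_listener() { ss -lnup "sport = :$DNS_PORT" | grep -oE 'users:\(\("[^"]+"' | head -n1; }

# Run from a connected client: check.torproject.org says whether the exit it
# sees is a Tor relay, which an IP-only check such as 2ip.ru cannot tell you.
is_tor_exit() { curl -fsS https://check.torproject.org/api/ip | grep -q '"IsTor":true'; }

case "${1:-}" in
    apply) apply_tor_nat ;;
    check) echo "port $DNS_PORT listener: $(dns_listener)"; is_tor_exit && echo "exit is Tor" ;;
    *)     tor_nat_ruleset ;;
esac
```

Run it with no arguments to review the generated table, with apply (as root) to load it, and check on a client to confirm the path.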
Now, all client traffic is transparently routed through Tor. You can verify this by connecting a device to the AP and visiting 2ip.ru to check your public IP address.
Practical Applications
Using a Raspberry Pi as an AP
A Raspberry Pi is ideal for this setup. With a few tweaks and automatic configuration at boot (using systemd or SysV init), you can power up your Tor AP anywhere by simply plugging it in.
Traffic Analysis
- Client Traffic Capture: You can run Wireshark or tcpdump on the AP to capture traffic from specific clients before it’s routed through Tor. The extent of capture depends on the security of the client device and applications.
- Application Network Activity Analysis: If you need to analyze the network activity of a specific app (e.g., to check for hidden connections), you can use the AP to monitor and restrict traffic. For example, to only allow traffic to certain hosts for a specific device:
  $ sudo iptables -t nat -F
  $ sudo iptables -t nat -A PREROUTING -i wlan0 -p tcp -d <APP_HOST1> -m mac --mac-source <DEVICE_MAC> --dport 443 -j DNAT --to-destination 10.0.0.1:9040
  $ sudo iptables -t nat -A PREROUTING -i wlan0 -p tcp -d <APP_HOST2> -m mac --mac-source <DEVICE_MAC> --dport 443 -j DNAT --to-destination 10.0.0.1:9040
  $ sudo iptables -t nat -A PREROUTING -i wlan0 -p tcp -d <APP_HOST3> -m mac --mac-source <DEVICE_MAC> --dport 443 -j DNAT --to-destination 10.0.0.1:9040
  This setup only allows traffic to the specified hosts; all other traffic is blocked.
- Blocking Specific Hosts: To block access to certain hosts and display a custom message, set up a web server and redirect the blocked traffic to it:
  $ sudo iptables -t nat -I PREROUTING 1 -i wlan0 -p tcp -d m.vk.com --dport 80 -j DNAT --to-destination 192.168.1.82:80
  $ sudo iptables -t nat -I PREROUTING 1 -i wlan0 -p tcp -d m.vk.com --dport 443 -j DNAT --to-destination 192.168.1.82:443
  For HTTPS, you’ll need a self-signed certificate and a web server configured to serve HTTPS.
- Blocking Ad Networks for Better Anonymity: Ad scripts often try to collect as much information as possible about visitors, threatening anonymity. You can block ad networks for all clients by adding a DNS blocklist to dnsmasq.conf:
  addn-hosts=/full/path/to/my_dns_hosts.txt
  The file format is the same as /etc/hosts. You can find large blocklists on GitHub.
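An added example (not code from the article) for the application-analysis item above: first list which names a given device has resolved, using the DHCPACK and query lines that dnsmasq writes to syslog when log-dhcp and log-queries are on, then emit allowlist rules for those hosts in the article’s form together with an explicit FORWARD reject, since with the article’s rules alone an unmatched flow from the device is merely forwarded without NAT rather than blocked. The function names and the sample log are assumptions and constructed data.

```shell
#!/bin/sh
# Added example, not the article's own code. Observe, then restrict, one
# client's network activity on the AP. Function names are assumptions.

# Constructed sample of what syslog shows with log-dhcp and log-queries on.
write_sample_log() {  # $1 = destination file
    cat >"$1" <<'EOF'
Jan  1 10:00:00 ap dnsmasq-dhcp[412]: DHCPACK(wlan0) 10.0.0.42 aa:bb:cc:dd:ee:ff phone
Jan  1 10:00:01 ap dnsmasq-dhcp[412]: DHCPACK(wlan0) 10.0.0.43 11:22:33:44:55:66 laptop
Jan  1 10:00:05 ap dnsmasq[412]: query[A] api.example.net from 10.0.0.42
Jan  1 10:00:06 ap dnsmasq[412]: query[AAAA] api.example.net from 10.0.0.42
Jan  1 10:00:07 ap dnsmasq[412]: query[A] tracker.example.org from 10.0.0.42
Jan  1 10:00:08 ap dnsmasq[412]: query[A] other.example.com from 10.0.0.43
EOF
}

# Print the unique names one client MAC has resolved, attributing each query
# to whichever MAC held the source IP at that point in the log (later DHCPACKs
# for the same IP override earlier ones, so re-used leases are handled).
domains_for_mac() {  # $1 = log file, $2 = MAC
    awk -v mac="$2" '
        BEGIN { mac = tolower(mac) }
        # DHCPACK(wlan0) <ip> <mac> <hostname>
        /DHCPACK\(/ { for (i = 1; i <= NF; i++) if ($i ~ /^DHCPACK\(/) lease[$(i+1)] = tolower($(i+2)) }
        # query[<type>] <name> from <ip>
        /query\[/ { for (i = 1; i <= NF; i++) if ($i ~ /^query\[/) { name = $(i+1); src = $(i+3) }
                    if ((src in lease) && lease[src] == mac && !seen[name]++) print name }
    ' "$1" | sort
}

# Emit the article's per-host allowlist rules (TCP/443 via the TransPort) for
# the MAC, then reject anything else it sends into FORWARD. DNATed flows go to
# the AP itself (INPUT), so the reject only ever hits the non-allowlisted ones.
allowlist_rules_for_mac() {  # $1 = MAC, remaining args = allowed hosts
    mac=$1; shift
    for host in "$@"; do
        echo "iptables -t nat -A PREROUTING -i wlan0 -p tcp -d $host -m mac --mac-source $mac --dport 443 -j DNAT --to-destination 10.0.0.1:9040"
    done
    echo "iptables -A FORWARD -i wlan0 -m mac --mac-source $mac -j REJECT"
}
```

Pipe the output of allowlist_rules_for_mac into sh (as root) after reviewing it; the DNS lookups the device makes to the AP still reach dnsmasq on INPUT and are not affected by the reject.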
Conclusion
With this setup, you’ve created a Wi-Fi access point that hides all client traffic behind Tor. As a bonus, you gain full control over all network traffic passing through your AP, which can be used for both good and not-so-good purposes.