myominwin / torberry

Automatically exported from code.google.com/p/torberry

No wifi, driver problem? #1

Open GoogleCodeExporter opened 9 years ago

GoogleCodeExporter commented 9 years ago
What steps will reproduce the problem?
1. Installed with sudo dcfldd bs=4M if=torberry-0.40.img of=/dev/sdb
2. Booted on Pi
3. worked, except it doesn't use the wifi.

What is the expected output? What do you see instead?
It says 100% at the end, I guess that's correct. I just do not get a wifi 
station and I think that this is because I have a tp-link tl-wn725n.

Can anyone tell me what to do to establish the wifi? 

Thanks in advance!

Original issue reported on code.google.com by cc.dj...@gmail.com on 28 Jul 2013 at 9:28

GoogleCodeExporter commented 9 years ago
Hello,

Can you paste your torberry.conf (stripping sensitive information like 
passwords) and the output of http://your.torberry.ip/sysStat (deleting mac, ip 
and other sensitive information)?

We will see if the driver is loaded and (probably) misconfigured.

Thanks

Original comment by alex.a.b...@gmail.com on 30 Aug 2013 at 2:19

GoogleCodeExporter commented 9 years ago
Hi Alex,

Firstly, well done on a very useful application of the RasPi as a tor proxy.

I don't know if you managed to sort this out on your own already as I can see 
the issue hasn't been touched since last August. I understand how other 
commitments can erode project time, believe me ;D

I know the OP didn't respond, but I was having the very same problems as the 
one they seemed to be describing, and I now have a "hotfix" solution if you're 
still working on this and interested.

The web interface looks very clean and stylish, although still a little 
unfinished. In particular, the initial splash after login could host some 
torproject.org links or widgets etc. But more importantly, for the 'Physical 
Isolation' Network configuration area, there isn't an option to set ESSID, 
Channel, Regulatory Domain, TX Power, Encryption or Passphrase etc like there 
often is normally for an AP mode device's web interface.

I've found hostapd is very good at handling all of this in my experience and is 
pretty stable. I've also tried different configs like this using ifconfig, 
iwconfig, iw, and airbase-ng, but hostapd seems the best way IMHO.

I would gladly contribute towards this project with you if you wished to take 
it up again and try and progress it onwards a little further. 

I'm probably lacking in skills somewhat compared to yourself, but if you're 
willing to put up with my sparse work periods (I'm working full time but really 
think this project is very cool :D) and stupid questions then I'll do my best 
to learn fast.

Anyway...
For what it's worth & to help other beginners...
(Feel free to add anything here to the wiki section if you think it's helpful 
as a temporary fix for people)

Here are the steps I took to setup my 'TORGate Wifi AP transparent tor proxy'

I've used 'hostapd' for my fix as it provides a good implementation of the 
'nl80211 driver' that works well with my Alfa Card, but only because I've used 
it on a similar project on another *NIX Box and find it pretty reliable.

My kit consists of:

Raspberry Pi - Model B rev 2 512Mb with a 32GB SDHC Sandisk Extreme Card in a 
Pibow case (http://shop.pimoroni.com/products/pibow-raspberry-pi-case)
Alfa AWUS036NH Wifi Card 
(http://www.amazon.co.uk/gp/product/B0041L3FI8/ref=wms_ohs_product?ie=UTF8&psc=1)
HAMA USB Hub powered by a 5V 2.0Amp power source (important for power level 
stabilization so that the Alfa Card and RasPi work together nicely)
and some double-sided sticky foam tape to hold it all together (see photos 
attached).

For the uninitiated...
From scratch then :D

This setup is intended to allow the TorBerry to plug into one of your Home 
Router's LAN Ethernet ports and host either a secure (WPA2) or Open AP via the 
usb wifi card. The users connecting to this Wifi AP will then be transparently 
Proxied via the tor network. BOSH!!!...

Download, extract and copy (dd) the image over to the SD Card (/dev/XXX) as 
described in this site's wiki area...
user@linuxpc:~# wget http://TorBerry.googlecode.com/files/TorBerry-0.40.img.xz
user@linuxpc:~# tar -xf TorBerry-0.40.img.xz
user@linuxpc:~# dd bs=1M if=TorBerry-0.40.img of=/dev/XXX
Now remove the SD Card from PC then re-insert it.
Use a partitioning tool to expand the 500MB'ish partition up to your drive's 
full capacity (I used Gparted's GUI just because it was easy and you get good 
error checking and notifications compared to most CLI tools during the 
operation).

Plug everything up and use your home router's configuration site (or NMAP, 
TCPDUMP if you want) to find the IP that the TorBerry has been assigned and use 
that to ssh into it.

user@linuxpc:~# ssh pi@192.168.0.X
The authenticity of host '192.168.0.X (192.168.0.X)' can't be established.
RSA key fingerprint is XX:XX:XX:XX:XX:XX:XX:XX:XX:XX:XX:XX:XX:XX:XX:XX.
Are you sure you want to continue connecting (yes/no)? yes
pi@TorBerry ~ $ passwd      # default is 'raspberry' as always. ;D
Enter new UNIX password: XXXXXXXXX
Retype new UNIX password: XXXXXXXXX
pi@TorBerry ~ $ sudo passwd root     # to enable the root account it needs a password assigned.
Enter new UNIX password: XXXXXXXXX
Retype new UNIX password: XXXXXXXXX
pi@TorBerry ~ $ exit

user@linuxpc:~# ssh root@192.168.0.45     # Now ssh and login as root.
root@TorBerry:~# apt-get update; apt-get upgrade -y       # update and upgrade the base packages
root@TorBerry:~# apt-get install hostapd ssh
root@TorBerry:~# ssh root@192.168.0.XX       # connect back to your 'linuxpc' or equivalent to auto add its key fingerprint to TorBerry's known hosts file and leave it logged in for now.

Now I use the 'Nautilus' 'Connect to Server' tool built into Debian to SFTP to 
the root of my TorBerry to make it easier to edit the files. Just select the 
setting to use ssh in the drop-down if you use this method. There are other 
SFTP, FTP, SCP etc clients out there you can use, but I leave that bit up to 
you.

Place the following into a script (after changing the Passphrase!) in 
/root/startTORGate.sh

#!/bin/bash

# This script will build our wireless access point using hostapd. This gives
# some of the most reliable performance and is the easiest to configure. An
# init.d script entry is set up to establish the AP upon boot. To reverse the
# 'Wifi AP on boot' settings you can remove the init.d script entry and reboot.

sed -i 's#^DAEMON_CONF=.*#DAEMON_CONF=/etc/hostapd/hostapd.conf#' /etc/init.d/hostapd

# Comment out everything below channel for an Open AP setup, or change to
# ignore_broadcast_ssid=1 to hide your SSID.
cat <<EOF > /etc/hostapd/hostapd.conf
interface=wlan0
driver=nl80211
ssid=TORGate
channel=8
auth_algs=1
ignore_broadcast_ssid=0
wpa=2
wpa_passphrase=XXXXXXXXXXXXXX
wpa_key_mgmt=WPA-PSK
wpa_pairwise=TKIP
rsn_pairwise=CCMP
EOF

hostapd -d /etc/hostapd/hostapd.conf

# end of script

Now return to the root terminal ssh session with the TorBerry, take ownership 
of the script, set it to executable, then run it...

root@TorBerry:~# chown root startTORGate.sh
root@TorBerry:~# chmod +x startTORGate.sh
root@TorBerry:~# sh startTORGate.sh

It will automatically follow the output of hostapd in the terminal, leave it 
running...

Now, use another device to look for the wifi network and connect to it while 
you tail the log of this in the terminal.

It will fail to connect as no DHCP Server is set up yet, but that's good at 
this stage as long as the 4-way handshake is working on the output.

You should see output like this. Pay attention to the EAPOL-Key frames (1/4 
Pairwise) to (4/4 Pairwise). If your output is vastly different from this, 
something has gone wrong, and I suggest you just start by typing 'history' into 
each user's session that you've used and see what you typed. This is often 
quicker than scanning through all the code. If in doubt, just re-flash and start 
again from scratch... :(

wlan0: STA MA:Cx:AD:DR:ES:Sx WPA: sending 1/4 msg of 4-Way Handshake
WPA: Send EAPOL(version=2 secure=0 mic=0 ack=1 install=0 pairwise=8 kde_len=0 keyidx=0 encr=0)
WPA: Use EAPOL-Key timeout of 100 ms (retry counter 1)
nl80211: Event message available
nl80211: New station MA:Cx:AD:DR:ES:Sx
IEEE 802.1X: MA:Cx:AD:DR:ES:Sx TX status - version=2 type=3 length=95 - ack=1
WPA: EAPOL-Key TX status for STA MA:Cx:AD:DR:ES:Sx ack=1
WPA: Increase initial EAPOL-Key 1/4 timeout by 1000 ms because of acknowledged frame
IEEE 802.1X: 121 bytes from MA:Cx:AD:DR:ES:Sx
IEEE 802.1X: version=1 type=3 length=117
WPA: Received EAPOL-Key from MA:Cx:AD:DR:ES:Sx key_info=0x10a type=2 key_data_length=22
WPA: Received Key Nonce - hexdump(len=32): b7 ee 55 a2 5a cb 8b 55 22 d8 c4 26 ee 0e 10 19 e8 19 f7 eb 2c ef 76 a2 49 20 e8 c1 a5 3a 5b c4
WPA: Received Replay Counter - hexdump(len=8): 00 00 00 00 00 00 00 01
wlan0: STA MA:Cx:AD:DR:ES:Sx WPA: received EAPOL-Key frame (2/4 Pairwise)
WPA: MA:Cx:AD:DR:ES:Sx WPA_PTK entering state PTKCALCNEGOTIATING
WPA: PTK derivation - A1=MA:Cx:AD:DR:ES:Sx A2=MA:Cx:AD:DR:ES:Sx
WPA: Nonce1 - hexdump(len=32): 67 d0 9d 88 c4 92 9b b4 34 7c 01 b1 4b b6 9a 7e ca 9d 93 20 62 b3 dd d9 51 31 78 dc 72 9e 67 01
WPA: Nonce2 - hexdump(len=32): b7 ee 55 a2 5a cb 8b 55 22 d8 c4 26 ee 0e 10 19 e8 19 f7 eb 2c ef 76 a2 49 20 e8 c1 a5 3a 5b c4
WPA: PMK - hexdump(len=32): [REMOVED]
WPA: PTK - hexdump(len=48): [REMOVED]
WPA: MA:Cx:AD:DR:ES:Sx WPA_PTK entering state PTKCALCNEGOTIATING2
WPA: MA:Cx:AD:DR:ES:Sx WPA_PTK entering state PTKINITNEGOTIATING
wlan0: STA MA:Cx:AD:DR:ES:Sx WPA: sending 3/4 msg of 4-Way Handshake
WPA: Send EAPOL(version=2 secure=1 mic=1 ack=1 install=1 pairwise=8 kde_len=46 keyidx=1 encr=1)
Plaintext EAPOL-Key Key Data - hexdump(len=56): [REMOVED]
WPA: Use EAPOL-Key timeout of 100 ms (retry counter 1)
IEEE 802.1X: MA:Cx:AD:DR:ES:Sx TX status - version=2 type=3 length=151 - ack=1
WPA: EAPOL-Key TX status for STA MA:Cx:AD:DR:ES:Sx ack=1
IEEE 802.1X: 99 bytes from MA:Cx:AD:DR:ES:Sx
IEEE 802.1X: version=1 type=3 length=95
WPA: Received EAPOL-Key from MA:Cx:AD:DR:ES:Sx key_info=0x30a type=2 key_data_length=0
WPA: Received Key Nonce - hexdump(len=32): 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
WPA: Received Replay Counter - hexdump(len=8): 00 00 00 00 00 00 00 02
wlan0: STA MA:Cx:AD:DR:ES:Sx WPA: received EAPOL-Key frame (4/4 Pairwise)

Now hit [Ctrl+c] and logout and exit the ssh session and terminal.

Next, use the web interface to login with the pi account and change the 
following in 'Network Configuration'...

Config mode          =   Physical isolation
Upstream Interface   =   eth0
Downstream Interface =   wlan0

The rest of the settings can be left as they are for a small home network of 20 
hosts or less.

Save and reset!...

Once the TorBerry is back up, connect and enjoy the Invisible Proxy 
Anonomizinggggg GooooooodnessssssssSSSSS!!!

Also I can still point wired hosts at the TorBerry's IP as the Default Gateway 
and DNS Server to give them the same benefit too.

Cheers.

And a massive thank you again to the author of this project for their awesome 
idea and prior efforts.
You Rock Mate!

Patt :D

Original comment by stuwertp...@googlemail.com on 29 Jun 2014 at 11:07

Attachments:
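
The handshake check described in the comment above, as an added example that is not part of the original thread or the TorBerry project: a shell function that reads `hostapd -d` output and reports, per station, how far the 4-way handshake got. The MAC addresses and log lines in `sample_log` are constructed, and only the four message formats shown in the log above are matched.

```shell
#!/bin/sh
# Added example (not from the thread): summarise WPA 4-way handshake progress
# per station from `hostapd -d` output read on stdin.

handshake_status() {
    awk '
    # Match only the two line shapes seen in the log above:
    #   <if>: STA <mac> WPA: sending N/4 msg of 4-Way Handshake      (N = 1, 3)
    #   <if>: STA <mac> WPA: received EAPOL-Key frame (N/4 Pairwise) (N = 2, 4)
    $2 == "STA" && $4 == "WPA:" {
        mac = $3; msg = 0
        if ($5 == "sending" && $6 ~ /^[13]\/4$/)
            msg = substr($6, 1, 1) + 0
        else if ($5 == "received" && $8 ~ /^\([24]\/4$/)
            msg = substr($8, 2, 1) + 0
        if (msg == 0) next
        if (!(mac in step)) { order[++n] = mac; step[mac] = 0 }
        if (msg == 1) { tries[mac]++; step[mac] = 1 }   # new attempt or retry
        else if (msg == step[mac] + 1) step[mac] = msg  # in-order progress only
    }
    END {
        for (i = 1; i <= n; i++) {
            m = order[i]
            if (step[m] == 4)      why = "complete"
            else if (step[m] == 2) why = "stuck-after-2/4-check-passphrase"
            else if (step[m] == 1) why = "no-reply-to-1/4"
            else                   why = "incomplete"
            printf "%s tries=%d last=%d/4 %s\n", m, tries[m], step[m], why
        }
    }'
}

# Constructed sample: station ...:01 completes, ...:02 keeps failing at 2/4.
sample_log() {
    cat <<'EOF'
wlan0: STA 02:00:00:00:00:01 WPA: sending 1/4 msg of 4-Way Handshake
nl80211: Event message available
wlan0: STA 02:00:00:00:00:01 WPA: received EAPOL-Key frame (2/4 Pairwise)
wlan0: STA 02:00:00:00:00:02 WPA: sending 1/4 msg of 4-Way Handshake
wlan0: STA 02:00:00:00:00:01 WPA: sending 3/4 msg of 4-Way Handshake
wlan0: STA 02:00:00:00:00:02 WPA: received EAPOL-Key frame (2/4 Pairwise)
wlan0: STA 02:00:00:00:00:01 WPA: received EAPOL-Key frame (4/4 Pairwise)
wlan0: STA 02:00:00:00:00:02 WPA: sending 1/4 msg of 4-Way Handshake
wlan0: STA 02:00:00:00:00:02 WPA: received EAPOL-Key frame (2/4 Pairwise)
EOF
}

sample_log | handshake_status
```

A station that keeps restarting at 1/4 after sending 2/4 has replied, but the AP never moved on to 3/4, which is what a passphrase mismatch between client and hostapd.conf looks like. On the TorBerry the function would be fed from a saved copy of the hostapd terminal output.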