mischif / PORTALofPi

PORTAL of Pi - Raspberry Pi-based PORTAL device. Certified UNIX Network Technicians only!


  ___  ___  ___ _____ _   _
 | _ \/ _ \| _ \_   _/_\ | | of ._ o  
 |  _/ (_) |   / | |/ _ \| |__  |_)|  
 |_|  \___/|_|_\ |_/_/ \_\____| |

PORTAL of Pi - Raspberry Pi-based isolating Tor proxy

Credits

Inspiration: the grugq
Implementation: Mischif

Overview

PORTAL - Personal Onion Router To Avoid LEO

From the original post on the concept, a PORTAL should:

[...] create a compartmented network segment that can only send data to the Tor network. To accomplish this the PORTAL device itself is physically isolated and locked down to prevent malicious tampering originating from the protected network. So if the user’s computer is compromised by malware, the malware is unable to modify the Tor software or configuration, nor can it directly access the Internet (completely preventing IP address leakage). Additionally, the PORTAL is configured to fail close – if the connection to Tor drops, the user loses their Internet access. Finally, the PORTAL is "idiot proof", simply turn it on and it works.

The purpose of the PORTAL of Pi project is to create a PORTAL from a Raspberry Pi.

Architecture

Again, from the original post:

The PORTAL requires a minimum of two network interfaces: one for the Internet uplink, and one for the isolated network segment. In order to protect the PORTAL from tampering from malware (or malicious users), it also requires a third administration interface. This can be either a serial console, or physical connection.

The architecture of the PORTAL of Pi is as follows:

                                ____________
                                |          |
((Internet))-------[WiFi]-------|  PORTAL  |-------[Ethernet]-------((Client Computer))
                                |__________|                                ^
                                     |                                      |
                                     |____________[TTL Serial]______________|

WAN:

  • Exposed to the Internet
  • Uses WiFi, either built-in on Pi 3+/Zero W boards or using a dongle on Pi 1/2 boards
  • No exposed services

LAN:

  • Exposed to the client computer
  • Uses Ethernet, either using a dongle on Pi Zero W boards or built-in on all other boards
  • SOCKS proxy at port 9150
  • DNS server at port 53
  • DHCP server on port 137

Administration:

  • Exposed to the client computer or some other airgapped computer
  • Uses Pi serial console, only connected to another computer during active administration
  • Requires serial/USB adapter, purchased separately
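The interface policy described above, written out as an nftables ruleset. This is an added illustration, not the project's own build output; the interface names wlan0 (WAN) and eth0 (LAN), the LAN subnet 10.0.0.0/24 and the Tor daemon running as user tor are assumptions. It also encodes the clearnet NTP/DNS exception mentioned under User Notes and the fail-closed behaviour from the Overview (no forwarding between LAN and WAN).

```nft
#!/usr/sbin/nft -f
# Illustrative PORTAL policy (added example, not the project's own configuration).
# Assumptions: wlan0 is the WAN uplink, eth0 the isolated LAN segment,
# 10.0.0.0/24 is the subnet handed out on eth0, and Tor runs as user "tor".
flush ruleset

define wan     = "wlan0"
define lan     = "eth0"
define lan_net = 10.0.0.0/24

table inet portal {
    chain input {
        type filter hook input priority filter; policy drop;
        iif "lo" accept
        ct state invalid drop
        ct state established,related accept

        # LAN: only the client-facing services; anything else arriving on eth0 is dropped
        iifname $lan ip saddr $lan_net tcp dport 9150 accept   # Tor SOCKS proxy
        iifname $lan ip saddr $lan_net tcp dport 53   accept   # DNS, resolved through Tor
        iifname $lan ip saddr $lan_net udp dport 53   accept
        iifname $lan udp sport 68 udp dport 67 accept          # DHCP (client sends from 0.0.0.0)

        # WAN: no exposed services at all; administration happens over the serial console
        iifname $wan drop
    }

    chain forward {
        type filter hook forward priority filter; policy drop;
        # No routing between LAN and WAN: the only path out is the Tor SOCKS proxy,
        # so if Tor is down the client simply has no Internet access (fail closed).
    }

    chain output {
        type filter hook output priority filter; policy drop;
        oif "lo" accept
        ct state established,related accept
        oifname $lan accept                                     # replies to LAN clients

        # Only the Tor daemon may open connections to the Internet ...
        oifname $wan meta skuid tor accept
        # ... plus clearnet NTP and DNS, which the User Notes exempt from Tor
        # so the clock can be set before Tor will accept its certificates.
        oifname $wan udp dport 123 accept
        oifname $wan udp dport 53  accept
    }
}
```

Loading the ruleset with `nft -f` and listing it with `nft list ruleset` is a quick way to confirm, over the serial console, that nothing but the three LAN services and Tor's own WAN traffic is permitted.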

Build Steps

While every attempt was made to automate the PORTAL build process, there is an unfortunate amount of necessary prep work.

  • These steps assume you will be using VirtualBox as your hypervisor; substituting another hypervisor is allowed, but not tested.
  • These steps assume you downloaded the project zip; cloning the project makes no meaningful difference.
  • These steps assume you have a folder on your host at ~/portal where this project is stored.
  1. Add the networks you will want the PORTAL to connect to in WPA supplicant format to ~/portal/wireless.conf
  2. Set up a new VM guest (Other Linux, 64-bit) with a 2G hard drive and at least 2G RAM
  3. Create a shared folder named portal mapping to ~/portal on your host
  4. Download a copy of the virtual build of Alpine
  5. Insert the Alpine ISO into your guest and boot
  6. Run setup-alpine and make a sys install to disk (root password doesn't matter as this VM is meant to be disposable)
  7. Power down the guest, remove the Alpine ISO and reboot
  8. Enable access to community repos: sed -i '3s/^#//' /etc/apk/repositories
  9. Create the shared folder mount: mkdir /media/portal
  10. Install the guest tools to enable shared folders: apk update && apk add virtualbox-guest-additions
  11. Reboot and mount the shared folder: mount -t vboxsf portal /media/portal
  12. Extract the project: unzip /media/portal/PORTALofPi-master.zip -d /media/portal
  13. Begin building your PORTAL image: /media/portal/PORTALofPi-master/portal.sh
  14. Choose your desired architecture; after about 15 minutes portal-${TARGET_ARCH}.tar.gz should exist in the shared folder
  15. Power down the guest and extract the tarball onto a MicroSD card

Drawbacks

  • This PORTAL currently does not handle captive portals; if using a device obtained from the Calyx Institute or a phone as a hotspot is untenable, the current best workaround is to use macchanger to associate to the base station before using the PORTAL of Pi

User Notes

  • It takes a few minutes for a PORTAL to become usable after boot, especially first boot
  • The root user on the PORTAL of Pi has no default password; you may wish to rectify this before becoming operational (don't forget to commit your changes)
  • DNS requests made for example.com are not routed through Tor; this is for planned captive portal support in the future
  • DNS requests made for pool.ntp.org are not routed through Tor; this is because the current time is necessary for Tor certificates to be accepted
  • If you use Firefox as your browser and you intend to connect to onion services, be sure to set network.dns.blockDotOnion to false
  • As the admin interface is meant to be connected for active administration only, you should minimize the amount of time spent connected to it, ideally to just enough to confirm everything is functional

Stay safe out there.
