Source :

I followed instructions from that magazine http://boutique.ed-diamond.com/home/861-hackable-magazine-6.htm
Note that a lot of step are in common with my other #Pi MITM ..
It can be summarized as follow :

Install OS :

Install last version of raspbian on your SD card

Configure network :

configure /etc/network/interface to use eth0 as DHCP client (which will be connected to your network), and wlan0 as fixed IP address (the tor access point) :

auto lo eth0 wlan0
iface lo inet loopback
iface eth0 inet dhcp
iface wlan0 inet static
   address 192.168.74.1
   netmask 255.255.255.0

Install DHCP server :

install isc-dhcp-server

sudo apt install isc-dhcp-server

And update configuration in /etc/dhcp/dhcpd.conf :

ddns-update-style none;
default-lease-time 600;
max-lease-time 7200;
authoritative;
log-facility local7;
subnet 192.168.74.0 netmask 255.255.255.0 {
  range 192.168.74.100 192.168.74.200;
  option broadcast-address 192.168.74.255;
  option routers 192.168.74.1;
  option domain-name "local";
  option domain-name-servers 80.67.169.12, 80.67.169.40;
}

Install Access Point :

install hostapd.

sudo apt install hostapd

If you’re using an Edimax wifi key based on the rtl8192cu chipset, you’ll need a special hostapd build (compiled with that driver) that I found here :

• http://willhaley.com/blog/raspberry-pi-hotspot-ew7811un-rtl8188cus/ (download links seems broken)
• or http://anarsoul.blogspot.fr/2013/08/access-point-with-raspberry-pi-and.html

Then update configuration to enable a open access point by editing /etc/hostapd/hostapd.conf :

interface=wlan0
driver=rtl871xdrv
ssid=torAP
country_code=US
hw_mode=g
channel=5
macaddr_acl=0
auth_algs=3
ignore_broadcast_ssid=0

Beware to change ssid and country_code according your need / region.

Install TOR

sudo apt install tor

and update configuration in /etc/tor/torrc :

Log notice file /var/log/tor/notices.log
VirtualAddrNetwork 10.192.0.0/10
AutomapHostsSuffixes .onion,.exit
AutomapHostsOnResolve 1
TransListenAddress 192.168.74.1
TransPort 9040
DNSListenAddress 192.168.74.1
DNSPort 53

Redirect traffic :

redirect traffic from wlan0 to port 9040 (intercept by tor) & DNS to port 53 (tor has too an option to capture DNS request) via :

sudo sysctl -w net.ipv4.ip_forward=1
sudo iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE
sudo iptables -A FORWARD -i eth0 -o wlan0 -m state --state RELATED,ESTABLISHED -j ACCEPT
sudo iptables -A FORWARD -i wlan0 -o eth0 -j ACCEPT
sudo iptables -t nat -A PREROUTING -i wlan0 -p udp --dport 53 -j REDIRECT --to-ports 53
sudo iptables -t nat -A PREROUTING -i wlan0 -p tcp --syn -j REDIRECT --to-ports 9040
sudo sh -c “iptables-save > /etc/iptables.up.rules”

You’ll need to reload iptables rules at boot by adding that line to `/etc/network/interfaces` :

up iptables-restore < /etc/iptables.up.rules

Avoid wifi dongle to sleep :

If you have an Edimax wifi key based on the rtl8192cu chipset, you may, as explained on that blog, avoid it to sleep by creating /etc/modprobe.d/8192cu.conf :

sudo vi /etc/modprobe.d/8192cu.conf

and add :

# Disable power management
options 8192cu rtw_power_mgnt=0 rtw_enusbss=0

Test your installation :

test via https://check.torproject.org/