It's long been a goal of mine to provide an open wireless access point that routes everything straight through tor.
Why? Because internet access wants to be free, or some such nonsense.
My ideal user experience is an enticing SSID being broadcast, no wireless security, and users being forcibly redirected to a captive portal page explaining what's going on, with a list of warnings/dumb things not to do with Tor, after which they are free to roam around while being completely isolated from my local network.
I've got most of that working, except the captive portal. Be it my poor iptables skills or something else, I can't quite get the nocatsplash bits to play ball with the rest of the setup.
Has anybody else attempted such a setup, and if so, have you gotten further than I did?
Here's what I have so far:
I followed various instructions online to various degrees, the details of which I cannot point to due to my account restrictions, but essentially:
- I've defined a new virtual wireless interface wl0.1 with its own SSID, pointing to bridge br1 (access point, no security, broadcast)
- Bridge br1 is defined to use a distinct local IP address space (10.0.0.1/255.255.252.0)
- no VLAN tweaks
- Tor project enabled, default settings, redirects all users from br1.
- Added a few lines under the Administration->Scripts->Firewall section, namely:
iptables -t nat -A PREROUTING -i br1 -p tcp ! -d 10.0.0.1 -j DNAT --to-destination 10.0.0.1:9040
iptables -t nat -A PREROUTING -i br1 -p udp --dport 53 -j DNAT --to-destination 10.0.0.1:9053
iptables -t nat -A PREROUTING -i br1 -p tcp --dport 80 -d 10.0.0.1 -j DROP
iptables -t nat -A PREROUTING -i br1 -p tcp --dport 443 -d 10.0.0.1 -j DROP
iptables -t nat -A PREROUTING -i br1 -p tcp --dport 22 -d 10.0.0.1 -j DROP
iptables -t nat -A PREROUTING -i br1 -p tcp --dport 23 -d 10.0.0.1 -j DROP
Those lines, assuming I didn't botch things up too much, should redirect every TCP connection through Tor (rather than the default settings of only passing HTTP traffic through, which seems like a terrible default), redirect DNS lookups through Tor as well, and prevent access to my router's open ports.
That's not quite right, since I should be blackholing all traffic to my router except to port 9040 and 9053, and I should be blackholing any UDP traffic that isn't a DNS request proxied through Tor, but as a first approximation, it's not completely unreasonable.
And that's about all I've got. I've messed around a bit with enabling the captive portal UI that sets up nocatsplash, but without much luck. Enabling the captive portal adds quite a few more iptables rules that I don't quite understand, yet which are obviously meant for a simpler setup than mine, as they seem to be completely ignored.
Any help/advice here that'd get me closer to my goal would be appreciated.
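The rule set the post describes in words, written out as an added example (not code from the original post): guest TCP and DNS redirected into Tor, only DHCP and the two Tor ports reachable on the router, and nothing forwarded from br1 in either direction. It assumes br1 at 10.0.0.1 with Tor's TransPort on 9040 and DNSPort on 9053 listening there, and moves the drop rules from the nat table to the filter table, where they belong.

```shell
#!/bin/sh
# Added example, not the poster's script: the rule set described in prose
# above, written out.  Assumed names: br1 is the open-AP bridge, 10.0.0.1 its
# address, Tor's TransPort is 9040 and DNSPort is 9053 (both listening on
# 10.0.0.1).  Dry-run (DRY_RUN=1, the default) only prints the rules.
DRY_RUN="${DRY_RUN:-1}"
AP_IF="${AP_IF:-br1}"
AP_ADDR="${AP_ADDR:-10.0.0.1}"
TRANS_PORT="${TRANS_PORT:-9040}"
DNS_PORT="${DNS_PORT:-9053}"

# Wrapper so the same function can either print the rules or apply them.
ipt() {
    if [ "$DRY_RUN" = 1 ]; then
        echo "iptables $*"
    else
        iptables "$@"
    fi
}

apply_tor_ap_rules() {
    # nat/PREROUTING: every guest DNS query goes to Tor's DNSPort and every
    # guest TCP connection not aimed at the router goes to Tor's TransPort.
    # REDIRECT targets the incoming interface's own address, so it does the
    # same as the DNAT --to-destination 10.0.0.1:PORT rules in the post.
    ipt -t nat -A PREROUTING -i "$AP_IF" -p udp --dport 53 -j REDIRECT --to-ports "$DNS_PORT"
    ipt -t nat -A PREROUTING -i "$AP_IF" -p tcp ! -d "$AP_ADDR" -j REDIRECT --to-ports "$TRANS_PORT"
    # filter/INPUT: drops belong here, not in the nat table (which only sees
    # a connection's first packet).  Guests may reach DHCP, the two Tor ports
    # and nothing else on the router; a captive portal would need its HTTP
    # port accepted here as well.
    ipt -A INPUT -i "$AP_IF" -p udp --dport 67 -j ACCEPT
    ipt -A INPUT -i "$AP_IF" -p tcp --dport "$TRANS_PORT" -j ACCEPT
    ipt -A INPUT -i "$AP_IF" -p udp --dport "$DNS_PORT" -j ACCEPT
    ipt -A INPUT -i "$AP_IF" -j DROP
    # filter/FORWARD: nothing from br1 is routed anywhere, LAN or WAN.  With
    # TCP and DNS already redirected into Tor on the router itself, the only
    # traffic left to forward is the non-DNS UDP (and anything else) that is
    # supposed to be blackholed; this is also what isolates guests from the
    # local network.  IPv6 is not covered: disable it on br1 or add matching
    # ip6tables rules.
    ipt -A FORWARD -i "$AP_IF" -j DROP
    ipt -A FORWARD -o "$AP_IF" -j DROP
}

# Run as "sh tor-ap-rules.sh --apply" (as root) to install the rules.
if [ "${1:-}" = "--apply" ]; then DRY_RUN=0; fi
apply_tor_ap_rules
```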