Build Your Own: Safeplug (Tor Proxy Box)

James Bruce 16-05-2014

Safeplug is a special router that creates an anonymous Internet connection via the Tor network (what is Tor?); it costs $50 – but you can make your own with a Raspberry Pi and USB WiFi dongle.


In truth, you won’t be saving much: the Pi plus a suitable WiFi dongle will cost you about $50 or more. But DIY is fun, we’ll learn lots in the process, and you probably already have a Pi sitting around collecting dust.


Shopping List

  • Raspberry Pi (model B)
  • SD Card of at least 4 gigabytes
  • Ethernet cable
  • Compatible USB WiFi adapter – this means one able to work in infrastructure (AP) mode with the hostapd package (such as this one based on the RT5370 chipset)
  • Micro USB power adapter


The Theory

We’ll adapt the Raspberry Pi to act as a router: it’ll plug into an Ethernet port on your existing Internet router just like any other device, but it’ll also connect to the Tor anonymising network. You can read our complete guide to Tor to find out more, but essentially, it works by sending your Internet requests through multiple computers – bouncing them around the globe – making you virtually untraceable. The Pi will broadcast a WiFi network just like your router probably does, such that any traffic on the WiFi will be sent out to the Internet via Tor. In fact, if you don’t already have a WiFi-enabled router and want one – just follow the first half of this tutorial.

There is, of course, a reduction in speed from doing this, both through the routing element and the actual Tor network.


Be warned though: browsing through Tor alone won’t completely anonymise your session. Your browser is full of cached files and cookies which can be used to identify your presence on a website (what is a cookie?). Make sure these are disabled and blocked (use incognito mode) – and obviously don’t start logging onto websites.

Getting Started

Burn a fresh copy of the latest Raspbian Wheezy image to your SD card; plug in the power, Ethernet, USB WiFi adapter, and boot up. You don’t need a monitor or keyboard plugged in – we’ll be doing this all from the command line.

Use an IP scanner to figure out the IP address of your Raspberry Pi (IP Scanner for OS X works well for me), then SSH into it from a command prompt (how to use SSH in Windows) with the command:

ssh pi@x.x.x.x

where x.x.x.x is the IP address of your Pi. The default password is “raspberry”. Once logged in, type:



sudo raspi-config

to run the graphical setup utility. Expand the filesystem, then exit the setup utility and restart. You should still have the same IP address – go ahead and SSH back in again.

Check if the Pi can access the Internet by typing


from within your SSH session (not on your local machine). You should see something like this:



Hit CTRL-C to stop it. Now check your WiFi adapter is recognised by typing:

ifconfig -a

If you see wlan0 listed, all is good. If not, your wireless adapter isn’t even recognised, let alone capable of infrastructure/AP mode.



Let’s update the system, and install some software. Run the following one by one, walking through prompts as needed. In the second step, we’re removing the wolfram-engine to fix a math kernel bug – we also save 450 megabytes in the process.

sudo apt-get update
sudo apt-get remove wolfram-engine
sudo apt-get install hostapd isc-dhcp-server


Here, we’ve installed a DHCP server so WiFi clients can automatically get an IP address. Ignore the error – this just means we haven’t actually set it up yet.

sudo nano /etc/dhcp/dhcpd.conf

Comment out (add a # to the start of each) the following lines:

option domain-name "";
option domain-name-servers,;

Uncomment (remove the #) the word authoritative from these lines:

# If this DHCP server is the official DHCP server for the local
# network, the authoritative directive should be uncommented.

Now scroll right down to the bottom and paste in:

subnet netmask {
option broadcast-address;
option routers;
default-lease-time 600;
max-lease-time 7200;
option domain-name "local";
option domain-name-servers,;

Save with CTRL-X -> Y -> enter.

Next, type:

sudo nano /etc/default/isc-dhcp-server

Change the last line so it reads:



Which means our DHCP server should listen on the wireless interface in order to give out IP addresses. Lastly:

sudo nano /etc/network/interfaces

Replace everything after (leaving this line in):

allow-hotplug wlan0

With this:

iface wlan0 inet static
#iface wlan0 inet manual
#wpa-roam /etc/wpa_supplicant/wpa_supplicant.conf
#iface default inet dhcp


Exit and save (CTRL-X, Y, enter – remember that, I won’t say it again!). We’ve now defined a static IP address for the wireless network, and we’ve told the DHCP server to assign IP addresses to clients. Awesome. Next, type:

sudo ifconfig wlan0

To define our hotspot, edit the HostAP config file as follows.

sudo nano /etc/hostapd/hostapd.conf

Add the following lines, editing the ssid (WiFi network name) and wpa_passphrase if you wish.


Now we need to tell the Pi where our config file is.

sudo nano /etc/default/hostapd

Replace this line:




Finally, we need to configure NAT. NAT, or Network Address Translation, is the process of changing internal network IP addresses into a single external IP, and routing things around appropriately.

sudo nano /etc/sysctl.conf

At the very bottom, add:


Save. Run all the following commands – feel free to paste them all at once. Here we’re enabling IP forwarding and adding iptables NAT and forwarding rules that basically just connect our Ethernet and WiFi adapters.

sudo sh -c "echo 1 > /proc/sys/net/ipv4/ip_forward"
sudo iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE
sudo iptables -A FORWARD -i eth0 -o wlan0 -m state --state RELATED,ESTABLISHED -j ACCEPT
sudo iptables -A FORWARD -i wlan0 -o eth0 -j ACCEPT
sudo sh -c "iptables-save > /etc/iptables.ipv4.nat"

Finally, run:

sudo nano /etc/network/interfaces

and add:

up iptables-restore < /etc/iptables.ipv4.nat

to the very end. To test, we run:

sudo /usr/sbin/hostapd /etc/hostapd/hostapd.conf

Your PiTest network should be broadcasting now, assuming you didn’t change the name. Try to connect from another machine or mobile device and you should see some debug information displayed on the screen, like this:


Now, hit CTRL-C to cancel the program, and let’s make sure this runs as a service on restart. Run these commands:

sudo service hostapd start
sudo service isc-dhcp-server start
sudo update-rc.d hostapd enable
sudo update-rc.d isc-dhcp-server enable


Now we’ve got the routing part set up, but we still need to add Tor to the equation – right now, we’ve literally just made a router.

Install Tor

sudo apt-get install tor
sudo nano /etc/tor/torrc

Copy and paste this right at the top. Ignore everything else, and save:

Log notice file /var/log/tor/notices.log 
AutomapHostsSuffixes .onion,.exit 
AutomapHostsOnResolve 1 
TransPort 9040 
DNSPort 53


Get rid of our old iptables rules and add an exception for SSH so we can still log back in. We’re also redirecting DNS lookups (UDP port 53) to Tor’s DNSPort, and redirecting all new TCP connections (SYN packets) to Tor’s TransPort, 9040.

sudo iptables -F
sudo iptables -t nat -F
sudo iptables -t nat -A PREROUTING -i wlan0 -p tcp --dport 22 -j REDIRECT --to-ports 22
sudo iptables -t nat -A PREROUTING -i wlan0 -p udp --dport 53 -j REDIRECT --to-ports 53
sudo iptables -t nat -A PREROUTING -i wlan0 -p tcp --syn -j REDIRECT --to-ports 9040

You can check the entries like so:

sudo iptables -t nat -L

Save the rules to a file so they’re loaded on reboot.

sudo sh -c "iptables-save > /etc/iptables.ipv4.nat"
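
The following is an added example, not part of the original tutorial: it checks a saved ruleset against torrc, confirming that new TCP connections and DNS from wlan0 are redirected to the configured TransPort and DNSPort, and that the FORWARD chain is closed. With IP forwarding enabled earlier and FORWARD left at its default ACCEPT policy, packets the REDIRECT rules do not match (other UDP, ICMP) are still routed out without passing through Tor; `sudo iptables -P FORWARD DROP` before saving is one way to close that. The function names and the sample files are constructed for illustration.

```shell
# Added example; the sample files are constructed from the page's torrc and rules.
torrc_port() {   # torrc_port KEY FILE -> port configured for KEY
    awk -v k="$1" '$1 == k { n = split($2, a, ":"); print a[n]; exit }' "$2"
}

redirect_port() {   # redirect_port PROTO MATCH FILE -> REDIRECT target for wlan0
    awk -v p="$1" -v m="$2" '
        /^\*/ { table = $1 }
        table == "*nat" && /^-A PREROUTING -i wlan0/ && /-j REDIRECT/ &&
        index($0, "-p " p " ") && index($0, m) {
            for (i = 1; i < NF; i++) if ($i == "--to-ports") { print $(i + 1); exit }
        }' "$3"
}

forward_is_closed() {   # heuristic: FORWARD policy DROP, or a DROP/REJECT for wlan0
    awk '
        /^\*/ { table = $1 }
        table == "*filter" && /^:FORWARD DROP/ { ok = 1 }
        table == "*filter" && /^-A FORWARD/ && /-i wlan0/ && /-j (DROP|REJECT)/ { ok = 1 }
        END { exit !ok }' "$1"
}

audit() {   # audit TORRC RULES -> prints findings, returns how many there are
    n=0; tp=$(torrc_port TransPort "$1"); dp=$(torrc_port DNSPort "$1")
    [ -n "$tp" ] && [ "$(redirect_port tcp SYN "$2")" = "$tp" ] ||
        { echo "TCP from wlan0 is not redirected to TransPort"; n=$((n + 1)); }
    [ -n "$dp" ] && [ "$(redirect_port udp '--dport 53' "$2")" = "$dp" ] ||
        { echo "DNS from wlan0 is not redirected to DNSPort"; n=$((n + 1)); }
    forward_is_closed "$2" ||
        { echo "FORWARD is open: traffic not redirected is routed outside Tor"; n=$((n + 1)); }
    return "$n"
}

d=$(mktemp -d)   # constructed inputs: the page's torrc ports and its rules as saved
printf 'TransPort 9040\nDNSPort 53\n' > "$d/torrc"
cat > "$d/page.rules" <<'EOF'
*nat
-A PREROUTING -i wlan0 -p tcp -m tcp --dport 22 -j REDIRECT --to-ports 22
-A PREROUTING -i wlan0 -p udp -m udp --dport 53 -j REDIRECT --to-ports 53
-A PREROUTING -i wlan0 -p tcp -m tcp --tcp-flags FIN,SYN,RST,ACK SYN -j REDIRECT --to-ports 9040
COMMIT
*filter
:FORWARD ACCEPT [0:0]
COMMIT
EOF
sed 's/^:FORWARD ACCEPT/:FORWARD DROP/' "$d/page.rules" > "$d/closed.rules"
audit "$d/torrc" "$d/page.rules" || echo "page ruleset: $? finding(s)"
audit "$d/torrc" "$d/closed.rules" && echo "closed ruleset: no findings"
```

On the Pi itself, the same check is `audit /etc/tor/torrc /etc/iptables.ipv4.nat` after the rules have been saved.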

Enable it to start at boot, then restart so we can test it.

sudo update-rc.d tor enable
sudo shutdown -r now

You can create a log file and tail it using the following (these aren’t necessary, but may be useful for debugging if you’re having issues).

sudo touch /var/log/tor/notices.log
sudo chown debian-tor /var/log/tor/notices.log
sudo chmod 644 /var/log/tor/notices.log
tail -f /var/log/tor/notices.log

Head over to to verify your IP isn’t from your own ISP:


Or use


You may find Google is asking to verify with a Captcha quite often – this is because Tor is often used by spammers, and there’s not much you can do about it.


Congratulations, you are anonymised and can now access hidden Tor websites with the .onion domain (how to find active Onion sites?). Just don’t do anything silly, like start a website selling drugs for Bitcoins, or use your real name anywhere, and you should be fine. Let us know if you have problems and I’ll try to help.


  1. Ryan Knutson
    October 26, 2016 at 2:40 pm

    How would I do this over ethernet? I have a 2nd ethernet card and would like to share to my router.

  2. wut
    August 23, 2016 at 4:48 pm

    An even cleaner way to remove wolfram-engine is apt-get purge.
    Is this bug still present nowadays?

  3. Zesty2016
    August 3, 2016 at 7:04 pm

    Hi Guys, I have been following the walkthrough but encountered some problems when I got to the iptables commands, I just kept getting modprobe errors.

    I am actually using a RPi2 but with Raspbian Jessie as I couldn't get hold of a copy of Wheezy. I'm not sure if this is what is causing my issues. Does anyone know if there is an updated version to cover this?

    • Zesty2016
      August 4, 2016 at 2:53 pm

      UPDATE: User Error
      When I got to the iptables section of the tut, I copied & pasted the text into my ssh client & got a load of errors. On reviewing this, I decided to type the commands in manually. They all worked & I now have a functioning anonymiser.
      Mental note to self - less haste

  4. sachin
    May 20, 2016 at 8:08 am


    I'm a beginner (Pi3) & want to install Tor on a box on my local network, so can you please give me a step-by-step detailed guide for configuring my Pi3 for it? I couldn't set it up using these instructions as I think they are for Pi 2.

  5. GG
    March 31, 2016 at 9:35 pm

    I eventually got this running from the prompt after installing the correct firmware package for the Belkin WiFi adapter that I was using.

    It isn't restarting automatically though as it doesn't appear to be running as a service, and I have to remote shell to the Pi and type 'sudo nohup /usr/sbin/hostapd /etc/hostapd/hostapd.conf &' to start a background process right now - which is far from ideal.

    Any ideas?

    • James Bruce
      April 1, 2016 at 9:50 am

      You could put that command in your rc.local file (and set it as executable). Still not a service, but making something a service is quite complicated...

  6. Anonymous
    December 6, 2015 at 4:22 pm

    After running sudo ifconfig wlan0, I was kicked out of ssh and was no longer able to ssh to my pi. Any ideas?

    • James Bruce
      December 6, 2015 at 7:29 pm

      Sounds like you were connecting to the Pi over its Wi-Fi? Next time SSH to the Ethernet IP.

  7. Anonymous
    August 23, 2015 at 6:23 pm

    Great walkthrough. I was able to get it up and running on my first try. How would I configure hostapd.conf to not require a password? I tried commenting out everything after channel, but now it seems to have stopped being able to assign IP addresses.

  8. Anonymous
    June 29, 2015 at 1:58 am

    Hi, I'm trying to follow your Cat Wifi guide and the first part led me here. I have followed the instructions up to "Install Tor". When I try to turn on the network, it broadcasts and my devices can connect and seem to be assigned IP addresses, however they have no internet access. Any suggestions?

  9. Majik
    October 12, 2014 at 9:08 pm

    That's not a Safeplug-like configuration.

    Safeplug does not have wifi.

    It acts as a proxy using Privoxy and Tor.

    It also does not act as a DHCP server.

    All of those components are unnecessary.

    All you have to do is install/configure Privoxy and Tor, and configure your browser to use the Ras as a proxy.

  10. Zaida Joy
    October 8, 2014 at 9:28 am

    I'm still having the isc-dhcp-server error. Please help me fix it. I'm using mobile broadband to connect to the internet so I used ppp0 instead of eth0. What am I doing wrong?

    • James Bruce
      October 9, 2014 at 7:22 am

      What error are you getting? What does your etc/network/interfaces show?

    • Mike
      February 16, 2015 at 2:00 pm

      I've had same issue with dhcp server failing.
      wlan0 doesn't seem to be taking the ip address assignment.
      type ifconfig and see if your wlan0 has the address assigned to it.
      If it does not, run

      sudo ifconfig wlan0

      to start the interface , and then start the dhcp server with

      sudo service isc-dhcp-server start

      It should succeed after that, however, I have not yet found a permanent fix. I have to run the above two lines every time the pi is restarted.

      Totally dig this though, and looking for a more permanent solution for this problem. Thank you James!

  11. Scott H
    May 16, 2014 at 5:07 pm

    Use a flash router as well, as it makes you more protected and hidden, and it gives you more options and up to 3 VPNs on it. Search for it if you don't know what flashrouters are; very useful routers.

  12. Scott H
    May 16, 2014 at 4:52 pm

    Also buy a flash router with VPN built in so you're protected as well.

  13. Scott H
    May 16, 2014 at 4:49 pm

    You can get past the Google verify Captcha: use a proxy like hidemyass or duckduckgo and then go to Google, and there you have it, no Google verify Captcha, and it makes you more protected. I like using a VPN with it too, but do not need to hide as I do nothing bad on this web.