Raspberry Pi Zero W TOR wifi AP?


Jeremy Harris

I know this isn't building related, but knowing there are some RPi folks here, I thought it worth asking.  A bit of background; I have built a RPi zero remote camera, with a wifi dongle and directional antenna to get a wifi signal from the far end of the garden to the house.  Because I didn't want to use the house LAN and wifi (mainly because I needed a wifi AP in the end of the eaves space to be able to receive the signal OK) I built a wifi AP using another RPi Zero, plus a Zero4U four port USB hub.  This has a wifi dongle plus a USB to Ethernet dongle and runs a separate wifi network, on a different channel and subnet to the main network.  The Ethernet cable connects to the wired LAN in the house.  This works well, it keeps the camera system separate from the main house wifi and yet is easy to access.  The plan is to have a dedicated CCTV server (using another RPi and a HDD) eventually, so I can run a low power, battery backed, security system, with 1080p video (the RPi camera is excellent, BTW, especially with a decent IR illuminator for night vision).

 

Anyway, I was idly pondering the power budget for the battery back up system, and had the idea of swapping out the current PiZero plus Zero4U hub, plus the wifi dongle, for a Pi Zero W, with built in wifi.  I could then fit a micro USB to Ethernet adaptor, run PoE up the spare pairs in the Ethernet cable and have a neat, single board, lower power, wifi AP for the CCTV.

 

Having had this thought, I then wondered whether I could set up another Pi Zero W in the same way but as a wifi AP plus TOR router, rather like the Ladyada Onion Pi.  I rather like the idea of having a secure, short range, TOR-enabled wifi network, or even one that was just running OpenVPN (save me having to remember to turn OpenVPN on and off all the time - sites like the BBC get upset if you seem to be outside the UK...).

 

The question is, does the Pi Zero W wifi allow use as an AP?  I've dug around the usual Raspberry Pi sources of info, but can't seem to confirm whether the Pi Zero W will work like this or not.  There's a bit of a dearth of info on the Pi Zero W, generally, other than some having problems with wifi drivers.  This is probably to be expected given that the Pi Zero W is relatively new.  I've ordered a Pi Zero W to play with, but if anyone here has tried to do something like this I'd be interested to hear their experiences.

 

I can confirm that it's pretty easy, if a bit tedious, to get a Pi Zero plus USB hub, plus dongles, working OK as an AP, although there is a lot of duff info (probably just out of date) on some of the config file entries needed to make this work OK.

Link to comment
Share on other sites

I've considered using something like this for hanging off the end of a PoE cable as it gives lots of opportunity - a combined NVR with storage all powered off a single PoE to 5v 2A adapter springs to mind. 

 

http://www.farnell.com/datasheets/1694165.pdf

 

The 15w of PoE available gives plenty of opportunity for micro distributed compute and potentially storage at an end point - these would also work if you built it into a Pi managed NAS and USB 3 is a bonus. 

Link to comment
Share on other sites

If you set up a Pi as a TOR router, is it still possible to log in remotely and be secure?

I set one up a while back when I had 'proper internet' and could log in locally easily enough.

Just wonder how easy it would be to log into when away from home.

I know that this can be done via a VPN, but I am always interested in other secure methods, and it is hard to beat TOR at the moment.

 

Link to comment
Share on other sites

As far as I can make out, you can't remotely use a Pi as a TOR router, as it sits as a "middle box" on your LAN, with one connection to the internet (via your home LAN) and the other as a wireless access point that you can connect to locally.  What it does mean is that you can connect any wireless device within range to the Pi wireless AP, which then routes everything via the TOR network.  The big downside is that TOR can be a bit slow, but it's pretty secure.  I still think the best option when out and about is to run Tails from a USB stick, as that is pretty foolproof.  It does mean having a device that will boot from a USB stick though.

 

A more flexible, and faster, option seems to be to set up a Pi as a VPN at home that you can access from anywhere via your home connection.  That would allow you to connect to your VPN from anywhere in the world, potentially, and then route your traffic via your VPN.  Effectively your traffic from wherever you are routes to your home, through the Pi VPN and then back out again.   Not as secure as TOR, but more flexible.

 

At the moment I use Nord VPN (pretty good, I've found, and relatively cheap if you buy a multi-year package), but that does mean having it installed on every device you use (the basic package allows up to 5 or 6 devices, IIRC) and it also means remembering to open Nord VPN and choose a country that you want to use.  The latter can cause a few problems with web sites that geolocate based on your IP, like the BBC and some search engines, so you can find that you don't get the content you want or you get a search in whatever language your VPN server IP is based in.  I've not looked too deeply into running OpenVPN on Pi, but can say that running a cheap little Pi Zero as a wireless access point seems fine, I've even streamed HD video through it with no problems, despite the fact that I'm using two USB connections either end of the thing (I suspect they may well be the real bandwidth bottleneck).

 

The Pi Zero W seems to offer the advantage of not needing a USB hub, and having a direct wifi capability, rather than needing a USB dongle, so probably can't be worse in terms of performance than the basic Pi Zero.

 

The Startech USB 3 Ethernet adapter looks good if you've got devices that support USB 3, but, AFAIK, few of the small single board computers do.  The RPi doesn't support USB 3.  It's pretty easy to squirt up to half an amp up the unused pairs of a Cat 5e cable, with surprisingly little voltage drop, even over fairly long runs.  It's a bit of a Commando bodge, and not an officially supported PoE method, but you can buy cheap Chinese Ethernet adapter leads that have power plugs and sockets on for doing this, making it an easy system to put together.  I run our VDSL modem like this, to save having another wall wart power supply next to the master socket, and to allow it to be battery powered as a standby system. 

Link to comment
Share on other sites

I've bought a couple of cheap PoE to USB Micro B 5V adapters as I run a full Cisco PoE 24 port switch as my core switch. I can enable PoE on any port and it allows me multiple VLANs.

 

I may look at something like a basic Radius server on a Pi somewhere in the network as I'm using ex Corporate Cisco AP units which don't support anything above WPA. 

 

 

Link to comment
Share on other sites

Just to finish this off, a new Pi Zero W arrived this morning, so I plugged in one of these cheap micro USB to Ethernet adapters from eBay (£3.45, inc delivery), stuck in a µSD card loaded with Jessie Lite, plugged in a power supply and Ethernet cable and within ten minutes had a running wifi AP.

[Image: micro USB to Ethernet adapter]

 

The next step is to take the USB to Ethernet adapter out of the plastic case, solder on some links to the spare Ethernet pairs to get power, and make up a short micro USB power lead.  The whole thing will then be fitted into a small plastic box, giving me a tiny Ethernet PoE powered wifi AP that I can stick in the corner of the internal eaves to receive the wifi from the external IP cameras and relay it back to another RPi running as a CCTV recorder.

Link to comment
Share on other sites

3 hours ago, JSHarris said:

loaded with Jessie Lite,

How have you setup the IP, dynamic or static, if static, how did you manage it in Jessie Lite?

(I never tried to set up the eth(0) on mine in Jessie Lite after the disaster of trying to setup the wifi as a static)

Link to comment
Share on other sites

The IP is static for the Ethernet port to the house LAN (the router just accepts devices with a static IP even though it's running DHCP, some don't, so you need to set the static IP in the router too).  The second wifi LAN is dynamic, with DHCP being done by the Zero W. 

 

To set a static Ethernet IP you have to edit the eth0 entry (or probably add it at the end) in /etc/dhcpd.conf, via SSH, as there are no spare ports for a keyboard - save an empty file in the root of the µSD card called "ssh" (no suffix) to enable SSH on Jessie, as by default it's disabled now.  You need to know your router's gateway IP (often something like 192.168.0.1), and a quick web search will give a few tutorials for editing the interfaces file to set a static IP.

 

To make the AP sub-net work over a different local IP range to the main LAN, then you need to install a DHCP server on the Zero W and translate from the wireless LAN to the Ethernet LAN.  Again there are tutorials on the web to show how to do this.  In essence you install hostapd,  isc-dhcp-server and an IP tables manager (iptables-persistent) then configure dhcp (by editing config files) to set the IP range for the AP wifi sub-net.  Edit the hostapd config file to set the encryption, SSID, password etc for the AP, and set the lot to run from boot with daemon.  I also set up network address translation (NAT) to allow translation from the wlan0 port to the eth0 port, saving this in iptables to make it permanent.  All told it's around 20 minutes or so to get a blank copy of Jessie Lite configured as a wifi AP with a fixed Ethernet IP and a DHCP server on the wifi side. 

 

I've got into the habit of saving base images that make life a bit quicker, so I already had an image with Jessie Lite, with SSH enabled and hostapd and isc-dhcp-server loaded, with a base configuration.  Setting it up is then just a matter of editing a few config files to set up IP ranges, NAT, the AP SSID, password, encryption etc.

Edited by JSHarris
Link to comment
Share on other sites

Just back from doing some shopping, and re-reading the above I've realised it's not very clear!

 

One of the better web tutorials on setting up a Pi as a wireless AP is this one by the inimitable Ladyada: https://learn.adafruit.com/setting-up-a-raspberry-pi-as-a-wifi-access-point/install-software

 

She's demonstrated using an older RPi, but I can confirm that these instructions work fine with the RPi Zero and Zero W, with one slight tweak.  There's no need to be explicit about the wifi device driver in hostapd.conf, as the newer kernel has drivers built in that work fine with the RPi3, Pi Zero fitted with many common USB wifi dongles and the Pi Zero W (which uses the same wifi chip as the RPi3).  If you just comment out the line "driver=rtl871xdrv" (with a leading "#") in hostapd.conf it will work fine (I found this out with a bit of trial and error!).

Link to comment
Share on other sites
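The AP setup described in the posts above (hostapd with the `driver=` line commented out, isc-dhcp-server on the wifi side, NAT from wlan0 to eth0), as an added example that is not part of the original thread or its attached instructions: a shell function that renders the three files into a scratch directory for review before anything is copied into place. The SSID, passphrase, channel 6, the 192.168.42.0/24 AP range and the use of the LAN gateway as DNS server are assumptions.

```shell
#!/bin/sh
# Added example (not from the thread): render the AP config into a scratch
# directory; nothing is written under /etc. All values are constructed.

# WPA2-PSK passphrases must be 8..63 characters long.
valid_passphrase() {
    [ "${#1}" -ge 8 ] && [ "${#1}" -le 63 ]
}

# First three octets of an IPv4 address: 192.168.42.1 -> 192.168.42
net24() {
    echo "${1%.*}"
}

# render_ap OUTDIR SSID PASSPHRASE AP_IP LAN_GATEWAY
render_ap() {
    out=$1; ssid=$2; pass=$3; ap_ip=$4; lan_gw=$5
    net=$(net24 "$ap_ip")
    if ! valid_passphrase "$pass"; then
        echo "passphrase must be 8-63 characters" >&2; return 1
    fi
    # The AP side must be a different /24 from the house LAN, as in the thread.
    if [ "$net" = "$(net24 "$lan_gw")" ]; then
        echo "AP subnet overlaps the LAN subnet" >&2; return 1
    fi
    mkdir -p "$out" || return 1

    cat > "$out/hostapd.conf" <<EOF
interface=wlan0
#driver=rtl871xdrv
ssid=$ssid
hw_mode=g
channel=6
auth_algs=1
wpa=2
wpa_key_mgmt=WPA-PSK
rsn_pairwise=CCMP
wpa_passphrase=$pass
EOF
    chmod 600 "$out/hostapd.conf"   # this file holds the passphrase

    cat > "$out/dhcpd.conf" <<EOF
subnet $net.0 netmask 255.255.255.0 {
    range $net.10 $net.50;
    option routers $ap_ip;
    option domain-name-servers $lan_gw;
    default-lease-time 600;
    max-lease-time 7200;
}
EOF

    cat > "$out/nat.sh" <<EOF
sysctl -w net.ipv4.ip_forward=1
iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE
iptables -A FORWARD -i eth0 -o wlan0 -m state --state RELATED,ESTABLISHED -j ACCEPT
iptables -A FORWARD -i wlan0 -o eth0 -j ACCEPT
iptables-save > /etc/iptables/rules.v4
EOF
}

# Demo run with constructed values.
demo_dir=$(mktemp -d)
render_ap "$demo_dir" "cctv-ap" "constructed-passphrase-1" 192.168.42.1 192.168.0.1 \
    && echo "rendered into $demo_dir"
```

The generated `nat.sh` is only written out, not executed; it would be run as root on the Pi once reviewed, with iptables-persistent installed so the saved rules load at boot.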

Made a bit of progress on making things smaller and simpler.  I discovered that there is a direct power connection between the power micro USB and OTG micro USB on the Pi Zero W, which means that the Pi Zero W can be powered just as well through the OTG micro USB port as it can through the adjacent power micro USB port. 

 

Next, I decided to take one of the cheap Ethernet to micro USB adapters apart.  Dead easy, the sticky labels on either side are all that hold the push together case in one piece.  This is what they look like when apart (one is untouched, the other has been pulled apart):

[Image: micro USB to Ethernet adapters, one intact and one taken apart]

 

Here's a close up of the top of the module:

 

[Image: micro USB to Ethernet adapter, top view]

 

Next I discovered that the pins for power over ethernet were there on the underside of the board, so it was dead easy to just add two wire links to connect 5V to the USB lead:

 

[Image: micro USB to Ethernet adapter, bottom view, modded for PoE]

 

I put the unit back in its case, hooked it up to one of the cheap Chinese PoE injectors, plugged it into the Pi Zero W, plugged the PoE injector into a spare 5m Ethernet cable, with the opposite gender PoE adapter on the other end, which was plugged into a 5V power supply and the router, and lo and behold the Pi Zero W AP came to life, powered by the Ethernet cable alone.

 

This is one of the simplest bodges I've done, yet will be very handy in terms of being able to run a single length of Ethernet cable to the place where I want to put the AP, and have it both power the thing and transfer data back to the network.

 

Link to comment
Share on other sites

Indeed, I'm seriously impressed by how easy this was to do, especially as I'd not bought the parts with this in mind!

 

It'd work just as well for a remote Pi Zero (rather than Pi Zero W) being used as a data collection hub.  The greatest power consumption is the Ethernet to micro USB adapter, as the Pi Zero W is pretty low power (and the Pi Zero is cheaper and even lower power), and both can have their supply current reduced by around 25 mA by just turning off the HDMI port (not needed when it's running headless).

Link to comment
Share on other sites

Here's a bit more info for anyone that wants to run this pretty crude form of power over Ethernet.  Cat 5e/6 cable has four spare wires (two pairs) that aren't used, pins 4, 5, 7 and 8 at the connector.  This sketch shows where these connections are on the cheap Chinese Ethernet to USB adaptors, together with the cable colours for the T568B Ethernet cable (there are two standards, T568A and T568B, but my whole house happens to be T568B - it makes no difference as far as PoE is concerned):

 

[Image: Ethernet to USB connections]

 

 

To inject power to the unused pairs, I used a cheap Chinese PoE injector.  These are sold as pairs on ebay, with a power socket on the power injection end and a power plug on the other end, to power equipment.  I've not bothered with the equipment end adapter, as I just soldered link wires inside the Ethernet to USB adapter:

 

[Image: Chinese Ethernet PoE injector]

 

Typical prices for these PoE adapters are less than £2 for a pair, including shipping from China.  An eBay search for "Ethernet PoE adapter" will throw up hundreds of these things; I bought a bag of 5 pairs for a bit over £8.

 

I should point out that this is a non-standard way of using PoE, and won't work over long distances.  It depends on the amount of current the device at the end draws, but I've found that as long as the current is below about 500mA then there's very little voltage drop over up to around 15m of cable.  More than that and you would be better looking at proper PoE systems, that use a higher voltage on the cable with a high efficiency voltage regulator at the equipment end.  By increasing the voltage and regulating it at the equipment end, proper PoE gets around the cable voltage drop and runs a lower current down the cable.

 

For home use, where you know what you're doing, the "Commando" style system of just running low voltage DC down the unused pairs works fine, though, you just need to remember what voltage any particular cable is running at, if you have more than one (I'm running 12V over a system like this to power our VDSL modem, which is mounted on the wall next to the master socket).

 

Finally, this is the complete test setup from yesterday, with the Pi Zero W wireless AP hanging off the end of the cable:

 

[Image: Pi Zero W with PoE]

 

Note that I've marked the modified Ethernet to USB adapter to show that it has to run on 5V PoE, just in case I forget at some future date!

Link to comment
Share on other sites

I must admit that I love the RPi. It's so versatile and has brought DIY programming to the masses. There were others before but I really like the RPi.

I've all sorts of projects dreamt up. Hopefully start implementing some sooner rather than later.

I'll start threads on here so we can all help each other.

Link to comment
Share on other sites

9 minutes ago, SteamyTea said:

We should swap code too so that it can be improved and to save duplication.

 

 

That's a good idea, as some of the online tutorials are out of date, or have errors.  I took the time to write down everything I did to get the basic wireless access point running on the Pi Zero W, which is virtually the same as the online tutorial I linked to earlier, but with one significant difference, in that I couldn't get network address translation to work at first.  Adding a reboot part way through setting up the Pi Zero W fixes this, although I'm not sure why.  Attached are the instructions I've written up, less the extra steps to add TOR.  I'm still working on that, as for some reason I can't seem to get TOR to connect, not sure why, I need to spend some more time looking at what's going on.

 

Raspberry Pi Zero W as Wireless Access Point - no passwords.txt

Link to comment
Share on other sites

Guest Alphonsox
On 5/7/2017 at 08:49, JSHarris said:

I should point out that this is a non-standard way of using PoE, and won't work over long distances.  It depends on the amount of current the device at the end draws, but I've found that as long as the current is below about 500mA then there's very little voltage drop over up to around 15m of cable.  More than that and you would be better looking at proper PoE systems, that use a higher voltage on the cable with a high efficiency voltage regulator at the equipment end.  By increasing the voltage and regulating it at the equipment end, proper PoE gets around the cable voltage drop and runs a lower current down the cable.

 

@JSHarris Do these adapters isolate pins 4, 5, 7, 8 on the injector RJ45 plug? In a Gigabit system these pins aren't spare and I'd be worried about uncontrolled DC voltages on the ports of a gigabit switch.

Link to comment
Share on other sites

Yes they do.  The Ethernet plug on the adapter/injector only has a four core cable, so there are no connections to the Gigabit pins.  It's only the Ethernet sockets that use all 8 pins, 4 for data and 4 for power, so you could use these safely on a Gigabit switch or router (accepting that you're only going to be able to run at 10/100).

Link to comment
Share on other sites

On 2017-5-7 at 15:39, SteamyTea said:

We should swap code too so that it can be improved and to save duplication.

 

Fantastic. I've a few ideas for UPoE lighting with DALI controls. I'll have to get a go at it shortly.

 

If only I could find the time!

Link to comment
Share on other sites

  • 3 weeks later...

A final update.  I faffed around for hours trying to get TOR to run on the Pi Zero W, as an Onion router, to no avail.  I can still use the Pi Zero W as an access point for the IP camera subnet, and it works well doing that, and doing this reduces the amount of wireless traffic on the main wireless router, which is running on a different subnet.  I'll probably get around to writing up how I've used some cheap Chinese outdoor IP cameras, to connect to this subnet, and then to a Raspberry Pi 3 CCTV server, running MotioneyeOS, at some point.  Suffice to say that it works well in this role, and significantly extends the outdoor WiFi range.

 

To resolve the desire to run TOR on a router, I discovered that the OpenWrt team had ported a version that runs on a very cheap and small, mini-router, the WT3020 series.  I bought a WT3020F, which has both a LAN and WAN Ethernet port, plus WiFi and a USB storage port, for less than £15 delivered, from Banggood: https://www.banggood.com/NEXX-WT3020F-300Mbps-Portable-Mini-Wireless-WIFI-NAS-Router-AP-Reapeater-Support-USB-Flash-Drive-p-1108743.html

 

The mini-router arrived this morning (took around two weeks to get here)  and I set about connecting to it (it has a firmware coded back door that you can Telnet into) and installing first OpenWrt, then installing OnionWRT.

 

After around 10 minutes or so I had a working TOR router, that I can connect to via a separate wireless subnet, and that routes all traffic via the TOR network.  It's pretty secure, but is only as private as you make it, as unless used with care your identity can still be leaked.  Having said that, TOR can be pretty private if used carefully, and it's certainly a heck of a lot more secure than normal web use.  The WT3020 is believed to be free from any hard-coded backdoors, and a quick look that I did with a packet sniffer (Wireshark) shows there's no obvious unusual traffic, so I think it's probably safe enough.  I'm sure that if there was an issue with these then some of those that have been hacking them would have spotted it by now.

 

I've written up some instructions as a text file (so the commands should be easy to cut and paste into a Telnet terminal), that illustrate, step by step, what I did to get this working.  Nothing I've done was my own work; all I've done is filter some of the out of date information on hacking these mini-routers and use some up to date links (there are a lot of dead links and out of date information around for these things, I found).

WT3020F TOR mini router.txt

Link to comment
Share on other sites
