Setting up a Tor gateway

Now that the "Snooper's charter" bill has become law, extending UK state surveillance I thought it was about time to set up a Tor gateway. Tor (The Onion Router) is an anonymisation tool originally developed by the US military and can be used to avoid censorship and worse under oppressive regimes. My task for tonight was to route (almost) all my home internet use through Tor, in a way that is minimally invasive and automagically just works on every machine on my network.

At home I have a small wired network, connected with a gigabit switch. Previously one port of this switch connected to my ADSL router, which acted as authoritative DHCP server to manage IP addresses on the LAN. After tonight's efforts, this uplink port is replaced by a wired connection to my Raspberry Pi 3, and the Pi is now the authoritative DHCP server on the new LAN subnet 192.168.43.#. The Pi is connected to the internet via the ADSL router's WiFi access point on the 192.168.1.# subnet. The Pi runs Tor, with network forwarding set up following the Onion Pi guide as a starting point. Now all traffic to the internet from computers connected to my switch is routed through Tor.

Here are the gritty details, brief and possibly missing some steps...

$ sudo su -
# apt-get update
# apt-get upgrade
# reboot
$ sudo su -
# apt-get install isc-dhcp-server iptables-persistent tor
# nano /etc/dhcp/dhcpd.conf
subnet netmask {
  option broadcast-address;
  option routers;
  option domain-name "local";
  option domain-name-servers;
  default-lease-time 600;
  max-lease-time 7200;
# nano /etc/default/isc-dhcp-server
# nano /etc/network/interfaces
iface eth0 inet static
# ifconfig eth0
# nano /etc/sysctl.conf
# echo 1 > /proc/sys/net/ipv4/ip_forward
# nano /etc/tor/torrc
Log notice syslog
AutomapHostsSuffixes .onion,.exit
AutomapHostsOnResolve 1
TransPort 9040
DNSPort 53
# update-rc.d tor enable
# update-rc.d isc-dhcp-server enable
# iptables -t nat -A PREROUTING -i eth0 -p tcp -d --dport 22 -j REDIRECT --to-ports 22
# iptables -t nat -A PREROUTING -i eth0 -p udp --dport 53 -j REDIRECT --to-ports 53
# iptables -t nat -A PREROUTING -i eth0 -p tcp --syn -j REDIRECT --to-ports 9040
# iptables-save >/etc/iptables/iptables.ipv4.nat
# service isc-dhcp-server start
# service tor start

There are a few small issues - some sites present annoying CAPTCHAs more often, Freenode network doesn't have a Tor gateway at present (though they are working on it as far as I can tell) so I IRC from the Pi directly without going through Tor, BBC international site is organised slightly differently from the UK site - but no show stoppers so far (except when I had to modify the port 22 iptables rule to be able to ssh to internet, correct version is above). Traffic from the Pi itself to the internet isn't yet routed through Tor, and I have yet to verify which DNS servers are used and whether DNS traffic passes through Tor - so there might be some leakage here. A work in progress.