The Tor Browser is fantastic for anonymous web browsing and an absolute lifeline for journalists, whistleblowers, and citizens living under oppressive regimes.
But what if you want to extend that anonymity to all of the devices in your home or office?
Well, that’s what this Tor Gateway is for. It’s a dedicated device that routes all traffic from connected devices through the Tor network, creating a privacy-focused network segment in your home.
Why would you want to do this?
Setting up a separate device as a Tor gateway offers several benefits to those who need a certain level of protection and anonymity when using the internet:
- System-wide Anonymity: It forces all internet traffic from connected devices (not just browsers) through the Tor network, providing a comprehensive layer of obfuscation.
- Centralized Control: You configure Tor once on the gateway, and all devices you connect to it automatically benefit.
- Physical Separation: By putting Tor on a separate device, you add an additional layer of security, potentially mitigating risks if your main computer is compromised.
- Simplicity for Clients: Your devices don’t need individual Tor installations or complex configurations; they just connect to the designated network.
FYI: I set this up on a little Beelink mini PC on a second LAN on my home office network (which is connected to the main home router), and behind an OPNsense firewall router.
This way I can connect the devices I want to the second LAN that is configured solely for Tor.
Important Note: This gateway is for anonymizing general system traffic from non-browser applications or providing a privacy-focused hotspot.
For anonymous web browsing, always use the Tor Browser.
Before we get started
As much as I tried to make this an easy-to-follow guide, it’s inevitable that it won’t be perfect for every possible setup or situation. In addition to these instructions, I highly recommend that you have on standby:
- Documentation for your specific router brand and model.
- Your favorite LLM or AI tool (like Gemini or ChatGPT) to help troubleshoot any issues.
- Secondary internet access. During configuration you may temporarily lose internet access on the network we are configuring. If you can access these instructions via your phone, a mobile hotspot or a separate network of some kind, it will ensure that you are not cut off from the instructions during configuration.
What you will need
- Raspberry Pi (4B or better) with its cords, power supply, and a microSD card (32GB+), or a mini PC with Linux installed.
- 2 Ethernet cables
- Another computer to access and set up your Tor device via SSH and to test things when you’re done.
- Your home router: Important – If you are setting this up on your home router (and not a secondary router/LAN), you will need to make sure that you can gain admin access to your router so that you can configure its settings to work with your Tor gateway.
Step 1: Preparing the Tor Gateway Device
1. Flash and Boot Linux OS
For Raspberry Pi:
- Download and install the Raspberry Pi Imager on your computer.
- Launch the Imager and select:
• Operating System: Choose “Raspberry Pi OS Lite (64-bit)”
• Storage: Select your microSD card
- Before writing, click the gear icon (⚙️) to open “Advanced Settings”
- In Advanced Settings:
• Enable SSH: Choose “Use password authentication”
• Set username and password: Pick something easy to remember (e.g., pi / torsecure)
• Configure Wi-Fi (optional): Enter your Wi-Fi SSID and password if you’re not using Ethernet
• Set hostname: Use something like tor-gateway
- Click “SAVE” and then “WRITE” to flash the OS
For Mini PC:
- Download Ubuntu Server 22.04 or Debian Minimal ISO. (I used Ubuntu desktop and it worked just fine)
- Flash the image using Balena Etcher or Rufus
- Boot the mini PC from the USB stick and follow the on-screen installer to:
• Create a user and password
• Enable OpenSSH server during install.
• Connect to your network
2. Boot and Connect via SSH
Once the system boots:
- On your other computer (that is connected to your router with an Ethernet cable), open a terminal (Mac/Linux) or use PowerShell or PuTTY (Windows)
- Connect via SSH using the hostname or IP (e.g., tor-gateway.local or 192.168.1.xxx)
Example commands (use whichever matches your setup):
ssh pi@tor-gateway.local
ssh pi@192.168.1.100
3. Update the System
sudo apt update && sudo apt upgrade -y
4. Assign Static IP
Decide on an unused IP address in your local network. If your router’s IP is 192.168.1.1, use something like 192.168.1.100 for your Tor Gateway.
How and where this is done depends on your router. For specific instructions, look on your router for its name and model number, and search Google (or ask ChatGPT) for where to find those settings and how to implement them.
Check your current network details with:
ip a
ip route
Then set the static address on the gateway with NetworkManager (replace "Wired connection 1" with the name of your connection):
sudo nmcli con mod "Wired connection 1" ipv4.addresses 192.168.1.100/24
sudo nmcli con mod "Wired connection 1" ipv4.gateway 192.168.1.1
sudo nmcli con mod "Wired connection 1" ipv4.dns 192.168.1.100
sudo nmcli con mod "Wired connection 1" ipv4.method manual
sudo nmcli con up "Wired connection 1"
💡 Tip: Log into your home router and reserve this IP in the DHCP/static lease section so it doesn’t change later.
5. Enable IP Forwarding
Temporarily:
sudo sysctl -w net.ipv4.ip_forward=1
Make it permanent:
echo 'net.ipv4.ip_forward=1' | sudo tee -a /etc/sysctl.conf
Step 2: Install and Configure Tor
1. Install Tor
In the terminal of your Tor Gateway device (the thing we’re configuring):
sudo apt install tor -y
2. Configure Tor as Transparent Proxy
Backup and edit torrc:
sudo cp /etc/tor/torrc /etc/tor/torrc.backup
sudo nano /etc/tor/torrc
Append the following lines:
VirtualAddrNetworkIPv4 10.192.0.0/10
AutomapHostsOnResolve 1
TransPort 0.0.0.0:9040
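# Bind DNSPort to the gateway's own LAN address: the PREROUTING REDIRECT in Step 3
# rewrites client DNS to that address, so a 127.0.0.1-only listener never receives it
DNSPort 192.168.1.100:53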
Log notice file /var/log/tor/notices.log
RunAsDaemon 1
DataDirectory /var/lib/tor
Save: (Ctrl+O, then Enter, then Ctrl+X)
💡 Quick Note: The VirtualAddrNetworkIPv4 is not based on your actual LAN IP like 192.168.x.x.
It must be a non-routable, unused internal block that Tor uses internally to assign anonymous virtual addresses.
So why 10.192.0.0/10?
This range is:
• Used only by Tor, for mapping .onion and resolved destinations
• Completely separate from your real network (e.g., 192.168.1.x)
• Never appears on your LAN — only within Tor’s internal DNS and proxying logic
Using your actual network range like 192.168.1.0/24 would cause IP conflicts or routing failures.
Enable Tor on boot:
sudo systemctl enable tor@default
Step 3: Set Up Firewall Rules
Install iptables-persistent:
sudo apt install iptables-persistent -y
Apply these rules:
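# Replace enp1s0 with the gateway's LAN interface name shown by "ip a"
sudo iptables -t nat -A PREROUTING -i enp1s0 -p udp --dport 53 -j REDIRECT --to-ports 53
sudo iptables -t nat -A PREROUTING -i enp1s0 -p tcp --syn -j REDIRECT --to-ports 9040
sudo iptables -t nat -A POSTROUTING -o enp1s0 -j MASQUERADE
# Drop client traffic that was not redirected into Tor (UDP other than DNS, ICMP) so it is not forwarded in the clear
sudo iptables -A FORWARD -i enp1s0 -j DROP
# Allow the Tor daemon's own outbound connections
TOR_UID=$(id -u debian-tor)
sudo iptables -A OUTPUT -m owner --uid-owner "$TOR_UID" -j ACCEPT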
Make them persistent:
sudo netfilter-persistent save
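The following audit is an added example, not part of the original guide. It reads an iptables-save dump and a torrc and reports ways client traffic could miss Tor: a missing DNS or TCP redirect, a DNSPort or TransPort bound only to loopback (which a PREROUTING REDIRECT cannot reach), and NAT with nothing dropping forwarded packets. The function name, finding labels and sample input are constructed for illustration.

```sh
#!/bin/sh
# Added example: static audit of a Tor gateway's saved rules and torrc.
# Usage: audit_gateway RULES_FILE TORRC_FILE LAN_IF  (no output = nothing found)
audit_gateway() {
    rules=$1; torrc=$2; lan_if=$3
    pre="^-A PREROUTING -i $lan_if "

    # Client DNS (UDP/53) must be redirected to Tor's DNSPort.
    grep -Eq -- "$pre.*-p udp .*--dport 53 .*-j REDIRECT" "$rules" ||
        echo "DNS_NOT_REDIRECTED: no UDP/53 REDIRECT on $lan_if"

    # New client TCP connections must be redirected to Tor's TransPort.
    grep -Eq -- "$pre.*-p tcp .*-j REDIRECT" "$rules" ||
        echo "TCP_NOT_REDIRECTED: no TCP REDIRECT on $lan_if"

    # PREROUTING REDIRECT rewrites the destination to the LAN interface's
    # address, so a listener bound only to 127.x never sees client packets.
    grep -Eiq '^[[:space:]]*(DNSPort|TransPort)[[:space:]]+127\.' "$torrc" &&
        echo "LOOPBACK_LISTENER: DNSPort/TransPort bound to loopback only"

    # Anything not redirected (UDP other than DNS, ICMP) is routed normally when
    # IP forwarding is on; with NAT and no FORWARD drop it leaves without Tor.
    if grep -q -- '-j MASQUERADE' "$rules" &&
       ! grep -q '^:FORWARD DROP' "$rules" &&
       ! grep -Eq -- "^-A FORWARD (-i $lan_if )?-j (DROP|REJECT)" "$rules"; then
        echo "FORWARD_LEAK: non-redirected traffic is forwarded in the clear"
    fi
    return 0
}

# Constructed sample (not captured from a real host): iptables-save output
# for a single-interface gateway on enp1s0.
sample_rules() {
cat <<'EOF'
*nat
-A PREROUTING -i enp1s0 -p udp -m udp --dport 53 -j REDIRECT --to-ports 53
-A PREROUTING -i enp1s0 -p tcp -m tcp --tcp-flags FIN,SYN,RST,ACK SYN -j REDIRECT --to-ports 9040
-A POSTROUTING -o enp1s0 -j MASQUERADE
COMMIT
*filter
:FORWARD ACCEPT [0:0]
COMMIT
EOF
}

tmp=$(mktemp -d) && trap 'rm -rf "$tmp"' EXIT
sample_rules > "$tmp/rules"
printf 'TransPort 0.0.0.0:9040\nDNSPort 127.0.0.1:53\n' > "$tmp/torrc"   # constructed
audit_gateway "$tmp/rules" "$tmp/torrc" enp1s0
```

On the gateway itself, save the live rules with sudo iptables-save > rules.txt and run audit_gateway rules.txt /etc/tor/torrc with your LAN interface name; no output means none of these conditions was found.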
Step 4: Configure Your Router
This step ensures that only the traffic you intend is routed through the Tor gateway.
Option 1: Use a Separate Wi-Fi Network or VLAN (Best Practice)
If your router supports multiple SSIDs or VLANs:
- Log in to your router’s admin page (usually 192.168.1.1) using a browser.
- Create a new SSID (e.g., “TorNet”) or VLAN
- Set its DHCP settings to:
• Default Gateway: use the IP you assigned to your Tor Gateway (e.g., 192.168.1.100)
• Primary DNS Server: same IP as above
- Connect only the devices you want anonymized to this new SSID or VLAN
Option 2: Use the Main Router (Simpler, Less Isolated)
Use this option if your router does not support VLANs or extra Wi-Fi SSIDs. It routes the traffic of all devices connected to this router through Tor.
If that is NOT what you want (and your ISP’s router does not support having more than one LAN), consider buying a separate router that can be connected to your main router as a separate access point.
- Log into your router (e.g., 192.168.1.1)
- Go to DHCP or LAN settings
- Change the Default Gateway and DNS Server to the IP of your Tor Gateway (e.g., 192.168.1.100)
- All devices will now route through Tor by default
⚠️ This may slow down your whole network or affect services like video calls and streaming.
Strongly Recommended: Block DNS Leaks
If your router allows firewall rules:
- Block all outbound UDP port 53 except to your Tor Gateway’s IP
Multiple Clients on Wi-Fi?
Yes — multiple devices can use the Tor Gateway over Wi-Fi, as long as:
- They receive DNS and gateway info pointing to the Tor Gateway
- They connect to the correct network segment (SSID/VLAN or default).
Step 5: Connect and Test
From your computer:
- Connect to the correct Wi-Fi (or Ethernet)
- Make sure it uses DHCP (automatic IP configuration)
- Open a terminal or browser and run:
curl https://check.torproject.org
✅ You should see: “This browser is configured to use Tor.”
Or open the link in a browser to confirm visually.
You did it! (hopefully)
You’ve built a secure, transparent Tor gateway that routes all traffic from connected devices through the Tor network. Combine this with smart operational security for maximum privacy.
Additional OPSEC Tips
- Always use Tor Browser for web anonymity.
- Avoid disclosing PII (real name, photo, writing style).
- Strip metadata from shared files.
- Use E2EE apps like Signal or Session.
- Enable MAC randomization.
- Avoid public Wi-Fi if possible.
It is important to remember: Nothing is absolutely perfect or proven to be unbreakable. Even with perfect OpSec, prolonged activity increases the chance of human error and eventual compromise.
Stay up to date. Stay vigilant.