Tor at the Heart: NetAidKit

During the month of December, we're highlighting other organizations and projects that rely on Tor, build on Tor, or are accomplishing their missions better because Tor exists. Check out our blog each day to learn about our fellow travelers. And please support the Tor Project! We're at the heart of Internet freedom.
Donate today!

by Menso Heus

The NetAidKit is a USB-powered router that connects to your wired or wireless network and helps you increase your privacy and beat online censorship for all your devices. Acting as a friendly man-in-the-middle, the NetAidKit is able to send all your network traffic over a VPN or Tor connection without needing to configure any of your devices. This also means that if you have specific hardware devices that are unable to run Tor, you can simply connect them to the NetAidKit to make all the traffic go over Tor anyway.

Free Press Unlimited and Radically Open Security developed the NetAidKit specifically for non-technical users, and the NetAidKit comes with an easy-to-use web interface that allows users to connect to Tor or upload OpenVPN configuration files and connect to VPN networks.

The NetAidKit transparently routes traffic over Tor. We believe this is a great (and free) way to circumvent censorship, but it obviously does not provide the same anonymity benefits that the Tor Browser Bundle provides. This is something we warn users about specifically every time they connect to Tor, recommending they also use the Tor Browser Bundle if they wish to remain anonymous.

At the same time, by routing all traffic over Tor, NetAidKit provides a tool for users' e-mail, social media clients and other network applications to run over Tor as well, providing Tor's benefits to applications other than a browser.

The NetAidKit runs on OpenWRT and uses the OpenWRT tor client. Current challenges include getting the obfuscating protocols to work on the NetAidKit since it has a limited storage capacity. We hope that in 2017 we can improve Tor support further by collaborating with the Tor Project.

For more information and links to our Github repository, visit


How is this different from setting up a Raspberry Pi to route the wifi through Tor?

Off the top of my head, without looking at the documentation,
1. You don't need to buy a power cable, SD card, WiFi card (except Pi 3), or case
2. You don't need to consume an extra USB port for power
3. You don't need to install any OS on the SD card using another Linux machine or image writer application
4. You don't need an HDMI compatible monitor/TV or serial port to perform the initial setup (enabling SSH)
5. You don't need to install the Tor package, enable the systemd service, and edit torrc (to listen on non-loopback ports)
6. You might not need to manually update

Although personally I would just use a Raspberry Pi if I needed a dedicated hardware device for some reason, for many people it is easier to use one of these boxes.

FOR THE TOR DEVELOPERS: You might want to check if this new attack against elliptic curves might somehow affect Tor:

This is off-topic to the post at hand, but Tor doesn't use Barreto-Naehrig curves or pairing-based crypto.

Can't even read without loading JS.

That's a bad sign for a security/privacy project.

This series is fabulous!

A few requests:

1. Keep a page collecting links to all the "Tor at the Heart" posts, for easy reference by pro-democracy enthusiasts who want to brag all next year to politicians about all the things Tor is doing for The People.

2. Summarize the results of the Funding Drive in pie charts as per Tails Project: where the money came from and where it is spent.

3. Ask Bruce Schneier or another expert to review the cryptographic state of the art at the layperson level (hard), with respect to technical threats and opportunities for future Tor.

For (1), check out

That's great! What model of GLI device do you use?

I read through some of their code on GitHub and I have to say I wasn't impressed... First thing I came across was their sshd running on a high port, which is a no-no for security. And all the actual options for hardening they could have used, they didn't implement. And then they have /usr/bin/netaidkit run with NOPASSWD sudo in their sudoers config, instead of using a service to run it as the proper user. Their password changing script hashes your password with... wait for it... MD5!

So yeah. Be skeptical.

sshd port: Yeah, and why exactly do you say that? Besides, it's running only if you compile a developer's image. Check the Makefile [1].

sudo: This daemon is doing things that need that. There always will be parts of your system that need that. Alternatives were considered. Security is not binary.

md5: It's a uClibc limitation in OpenWRT trunk and that's actually documented in repo history [2]. If anybody can physically access your router, you're screwed anyway and there's no escaping that. Always use a strong password and ideally never re-use it.


If only uClibc would support it - they would use it. There has been a rollback from SHA256 to MD5 due to that.

Can NetAidKit or any other Tor box be easily configured to run as a plug and play relay?

Tor used to strongly discourage these "Tor router" boxes in the past. How is this one different?

I think if we'd had more time, we would have done this blog post better. NetAidKit is a great candidate for Mike's upcoming "Tor Labs" plan, which aims to showcase projects that need more developer attention. In the meantime, for a bit more discussion about magic anonymity boxes, be sure to look at these two posts from the past:

I have one, and it works.
