The AnonyBox – How To




In my previous post, I explained that I had turned a PogoPlug E02 into a stand-alone network device that allows me to easily anonymize online activity.  The AnonyBox connects to an anonymous VPN service(, in my case), and presents a SOCKS & HTTP proxy to the machines on my network.

In this post, I’ll explain how to set up your own privacy protecting AnonyBox.

ABSTRACT (For those who know what they’re doing)

  1. Install Arch Linux ARM on PogoPlug
  2. Install & Configure Squid and Dante proxies
  3. Install, Configure, & Script OpenVPN

Section 1: Install Arch Linux

I am not going to attempt to cover the basic installation of Arch on the Pogoplug E02.  Simply follow the instructions here.  Double-check your model number, as other models require different instructions.

Once you have booted into a functioning copy of Arch, set up OpenNTPD so the clock is set to the correct time on boot, update the package manager, and install the unzip utility:

systemctl enable openntpd
systemctl start openntpd
pacman -Syu
pacman -S unzip

Section 2: Install & Configure Proxies

First we need to install the Squid and Dante packages:

pacman -S squid dante

Squid is all set at this point, but Dante needs a little configuration.  Open the config file for Dante with this command:

nano /etc/sockd.conf

Then, replace the contents with the following configuration:

logoutput: syslog

#this allows connections from any computer on this side of the tunnel
internal: eth0 port = 1080
internal: port = 1080

#this is the openvpn interface
external: tun0

#no login necessary (behind firewall/router)
method: username none
user.notprivileged: nobody

#local computers can use this as a proxy to anything
client pass {
  from: port 1-65535 to:
}

client pass {
  from: port 1-65535 to:
}

client block {
  from: to:
  log: connect error
}

pass {
  from: to:
  protocol: tcp udp
}

pass {
  from: to:
  protocol: tcp udp
}

block {
  from: to:
  log: connect error
}

Section 3: Configuring OpenVPN (it’s a doozie)

Now we are ready to install the OpenVPN package:

pacman -S openvpn

Next we’ll need to get the certificate and configuration files for our VPN host.  These steps are written for the host PrivateInternetAccess, but should be easy to modify for other hosts.  These commands will create the necessary config files in the /etc/openvpn directory:

cd /root
cp ca.crt /etc/openvpn/ca.crt
cp "YOUR REGION.ovpn" /etc/openvpn/config.conf

Now, we’ll need to create our authentication file:

nano /etc/openvpn/auth.txt

The contents of the file are just two lines.  The first is your username, and the second is your password.  Do not add anything else.

Then, we need to create the script to run on successful connection:

nano /etc/openvpn/

The contents of the script should be:

#!/bin/bash -e
echo none > /sys/class/leds/status\:blue\:health/trigger
echo default-on > /sys/class/leds/status\:green\:health/trigger
systemctl start sockd
systemctl start squid

And the script to run if the VPN connection is lost:

nano /etc/openvpn/

The contents of the script should be:

#!/bin/bash -e
echo none > /sys/class/leds/status\:green\:health/trigger
echo default-on > /sys/class/leds/status\:blue\:health/trigger
systemctl stop sockd
systemctl stop squid

Then we need to modify the configuration file:

nano /etc/openvpn/config.conf

Change the line “ca ca.crt” to:

ca /etc/openvpn/ca.crt

Change the line “auth-user-pass” to:

auth-user-pass /etc/openvpn/auth.txt

And add our new scripts at the end:

script-security 2
# run /etc/openvpn/ when the connection is set up
up /etc/openvpn/
down /etc/openvpn/

Now we set permissions for these new files:

chmod +x /etc/openvpn/config.conf
chmod +x /etc/openvpn/
chmod +x /etc/openvpn/
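
The files created in this section deserve a tighter permission check than `chmod +x`: auth.txt holds the VPN login, and with `script-security 2` OpenVPN runs the hook scripts with its own privileges. The following audit is an added example, not part of the original post; `up.sh` and `down.sh` are assumed placeholder names for the two hook scripts.

```shell
#!/bin/sh
# Added example, not from the original post: audit the files this guide
# places in /etc/openvpn. With "script-security 2" OpenVPN runs the up/down
# hooks with its own (root) privileges, and auth.txt holds the VPN login.
# ASSUMPTION: up.sh and down.sh are placeholder names for the two hook
# scripts; substitute the names used on your box.

# perm_bits FILE MASK: print, in octal, the permission bits of FILE that
# fall inside octal MASK ("0" when none are set). Needs GNU stat.
perm_bits() {
    mode=$(stat -c %a "$1") || return 2
    printf '%o\n' $(( 0$mode & 0$2 ))
}

# audit_openvpn_dir DIR: print one finding per line; return 0 only if clean.
audit_openvpn_dir() {
    dir=$1
    count=0
    for f in auth.txt config.conf up.sh down.sh; do
        path="$dir/$f"
        if [ ! -f "$path" ]; then
            echo "$f: missing"
            count=$((count + 1))
            continue
        fi
        case $f in
            auth.txt) mask=077 ;;  # credentials: owner access only
            *)        mask=022 ;;  # read or run by root: no other writers
        esac
        extra=$(perm_bits "$path" "$mask")
        if [ "$extra" != 0 ]; then
            echo "$f: group/other permission bits $extra set (mask $mask)"
            count=$((count + 1))
        fi
        case $f in
            *.sh)  # hooks must stay executable or OpenVPN cannot run them
                if [ "$(perm_bits "$path" 100)" = 0 ]; then
                    echo "$f: not executable by owner"
                    count=$((count + 1))
                fi ;;
        esac
    done
    [ "$count" -eq 0 ]
}

# Usage on the box: audit_openvpn_dir /etc/openvpn
```

A finding on auth.txt is cleared with `chmod 600`, and one on a script or the config with `chmod go-w`.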

Finally, we just need to set OpenVPN to start on boot:

systemctl enable openvpn@config
systemctl start openvpn@config

and reboot:


Voila!  Your own Anonymizing VPN Proxy, or AnonyBox for short.  The HTTP proxy is accessed through port 3128, and the SOCKS proxy is on port 1080.  The LED on your AnonyBox shows the status of your VPN.  Green is safe and yellow means that you’ve lost your VPN connection.  For safety, when the VPN goes down, you will also lose access to the proxies.
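
The LED is only an indicator, so the fail-closed behaviour described above is worth checking from the listening sockets themselves. This check is an added example, not part of the original post; the `ss -ltn` sample embedded in it is constructed, and the function names are my own.

```shell
#!/bin/sh
# Added example, not from the original post: verify the box fails closed.
# The down script stops sockd and squid, so when tun0 is gone nothing
# should be listening on the SOCKS (1080) or HTTP (3128) proxy port.

# Constructed sample of `ss -ltn` output (not captured from a real box):
# squid is still listening, sockd is not.
SAMPLE_SS='State  Recv-Q Send-Q Local Address:Port Peer Address:Port
LISTEN 0      128    0.0.0.0:22         0.0.0.0:*
LISTEN 0      128    *:3128             *:*'

# proxy_ports: read `ss -ltn` output on stdin and print, space separated,
# which of the two proxy ports have a listener.
proxy_ports() {
    awk '$1 == "LISTEN" {
             n = split($4, part, ":")   # the port is the last ":" field
             if (part[n] == 1080 || part[n] == 3128) print part[n]
         }' | sort -un | tr '\n' ' ' | sed 's/ $//'
}

# fail_closed_verdict STATE: STATE is "up" or "down" (the tun0 state);
# `ss -ltn` output is read from stdin. Returns 1 only when a proxy is
# reachable while the tunnel is down.
fail_closed_verdict() {
    ports=$(proxy_ports)
    if [ "$1" = down ] && [ -n "$ports" ]; then
        echo "LEAK: tun0 down but proxy listening on $ports"
        return 1
    fi
    if [ "$1" = up ] && [ -z "$ports" ]; then
        echo "WARN: tun0 up but no proxy listening"
        return 0
    fi
    echo "OK: tun0 $1, proxy ports: ${ports:-none}"
}

# Live use on the box (iproute2 provides both `ip` and `ss`):
#   if ip link show tun0 >/dev/null 2>&1; then s=up; else s=down; fi
#   ss -ltn | fail_closed_verdict "$s"
```

Run it once with the VPN connected and once after stopping the OpenVPN service to see both verdicts.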

UPDATE: Be sure to update your DNS and Proxy Client settings to protect your DNS requests. See This Post for details.

Have fun, and be safe online.

30 thoughts on “The AnonyBox – How To”

  1. [root@alarm openvpn]# unzip
    -bash: unzip: command not found
    [root@alarm openvpn]#

    Any clue why I would be getting this? When I run whereis unzip, I get the following.

    [root@alarm openvpn]# whereis unzip
    [root@alarm openvpn]#

    I am lost so any help would be great.


  2. Excellent guide. Got it to run as well!! Thank you!
    2 questions:

    1) Is there any way I can select the server I connect to?
    2) The unit reboots fine through SSH. If I introduce a power interruption, it does not reboot. It hangs. I have to go through some major hoops in order to get it up and running again. shutdown -r now works, but I’d have to SSH into it then wait. So, I am worried about power failure.

    Any ideas?

    • With regard to your first question, I have a rough idea of how you might switch servers. I haven’t really worked it out fully, but the basic idea would be to modify all the ovpn files from privateinternetaccess with the same changes that you made to the one you renamed config.conf (also rename this one back to its original name). Then, write a script that presents a menu to the user, and based on their choice, copies the chosen ovpn file to /etc/openvpn/config.conf (writing over whatever is there), and runs “systemctl restart openvpn@config”.

      The more fun version of this would involve running an nginx/php-fast-cgi server, and offering the menu in a php file, along with status information about the connection.

      As for your second question, power failure does have the possibility of screwing up your install. SD cards are not meant to be disconnected mid-write. Most of the time, it should come back up ok after a failure, but the chance is certainly there.

      I recommend using Win32DiskImager on Windows (or simply a DD command in Linux), to make a backup of your USB drive, as an ISO file. That way if any corruption occurs, you can simply overwrite the drive with the image, and you’re good to go.

      • Thank you! I am grateful for the info and I appreciate it. I have another question if I may.

        When using utorrent, I point the proxy setting to the Pogo IP and the 1080 port. It works great in downloading but I get no incoming connections. I tried forwarding port in my router but no joy. My ratios are starting to ache.

        Am I doing something wrong?

        • You are not doing anything wrong. The process of getting external connections working through a PIA VPN is pretty complicated, and I honestly haven’t had time to tackle it yet. I can point you in the right direction, but it’ll take a free weekend or so before I’ll be able to get it running and create a guide.

          First off, port forwarding your router will have no effect on VPN traffic. All the VPN traffic is sent through a persistent encrypted connection that requires no forwarding to get through your router.

          However, you will need to request a forwarded port through PIA… you can find info on making a request script here: PIA Port Forwarding Guide. The script would need to be put into a service that calls it every hour, then you would start the service in your file and stop it in your file.

          That gets us a VPN forwarded external port, but the port number changes every hour. To provide a single port for torrent clients, you would want to install Portfwd on the PogoPlug. Then edit the forwarding script you made so that when it requests a port forward from PIA, it retrieves the port number, kills all existing portfwd instances, and creates two new portfwds: one from the port PIA gives to a port of your choosing (let’s say 4455), and another from your chosen port (4455) to the port PIA gave.

          Now you’ll have a port on the AnonyBox, that is accessible from the internet. However, there is one last problem. Your SOCKS Proxy is not currently set up to forward incoming connections to your computer. To solve this last hurdle, you’ll have to modify your sockd.conf to support bind, bindreply, udpassociate, and udpreply. I think I have the code for this down, but I haven’t had a chance to test it. Here’s what I think you’ll need for pass rules:

          pass {
            from: to:
            command: bind connect udpassociate
            log: error # connect disconnect iooperation
          }
          pass {
            from: to:
            command: bind connect udpassociate
            log: error # connect disconnect iooperation
          }
          pass {
            from: to:
            command: bindreply udpreply
            log: error # connect disconnect iooperation
          }
          pass {
            from: to:
            command: bindreply udpreply
            log: error # connect disconnect iooperation
          }

          If you decide to give this a shot, let me know how it goes. Otherwise, I plan to get it working myself soon, then I’ll write a post about it.

          • Thank you!

            I’ll give it a shot this weekend. Confidence level is not the highest but I will try it out. I will post the results.

          • No joy,

            Had a serious go at it on Sunday… I frakked it up good. Good thing I had a backup of the USB image.

  3. James George says:

    Hello, and thanks for doing so much of the legwork. I had similar errors at a couple of points as a user above where it came back no file exists, etc. I fixed all by simply logging out of the putty/ssh session, relogging in and it worked, not sure why, unless I was in the ‘wrong’ directory but if I followed it as you wrote it, I shouldn’t have been in a wrong directory. But I have 1 issue and a couple of questions still. I didn’t get the openNTPD to work/install in the first step, the first 2 lines. Does the new version not have that installed? I get an error when trying to start in the 2nd line. Now, my questions are: I have a green light on the pogobox, but not sure how I point anything at it? I don’t remember setting up any kind of NAT router or forwarding so that when I point devices or apps at it, it knows to forward them through the tunnel. I am trying to use bit torrent clients through it and to take the knowledge further, I want to know how to VPN into it from outside of it and how to forward complete devices’ internet traffic through it. I am either not using the right terms when I search the internet or I am not understanding the instructions on how to configure SOCKS and Proxy in apps or devices. Since the Pogo is connected, anything I point at the pogo ({socks} and {proxy}) I don’t need to enter the login/password information from the PrivateInternetAccess account, correct? If you have another site you can share that clears up this whole proxy, SOCKS, VPN mess for me, I’d appreciate it. I am an IT graduate and do not work with networking at this level, so I am competent, and always learn but I have to understand the workings, so please excuse my basic confusion with these protocols. Thanks.

    • Well, if you were able to connect to the VPN, and get a green light, some form of NTP must be installed and functioning. If it were not, you would be getting an error when it attempted to connect, saying that your security certificate wasn’t valid yet.

      As for how to use the Anonybox, you won’t need to do anything further with authenticating to the VPN. The AnonyBox is constantly connected and authenticated on its own. All you have to do is connect to it as a proxy. The AnonyBox does not require any login or password for users on the local network ( There are several different ways to use the AnonyBox, but I’ll try to list a few.

      In Firefox, you can route all browser traffic, using an addon called “FoxyProxy”. Simply give it the address and port of your Anonybox, and you’re done. In Chrome, the same is accomplished with an addon called “Proxy Switchy!” The squid proxy is recommended for browser traffic, as it caches images and data, so it can speed up page loading times after visiting them once. However, that cache does contain personal data, so if you are worried about privacy from other users within your local network, use SOCKS for everything.

      In most Bittorrent clients, there is a proxy page in the settings, where you can set what server and port to use. This is the same as setting it for a browser. Just point the client at your SOCKS port.

      To set all internet traffic to go through the proxy, simply go to your LAN settings (location depends on operating system), and enter the SOCKS proxy settings under the proxy settings there.

      I hope that helps a bit.

  4. I’m in the same boat as B. No incoming connections and magnet links won’t budge. I believe it’s a problem with UDP. This is very frustrating. I inserted the pass rules you posted into the sock conf and still no joy.

  5. Hi,

    This is a great tutorial, and it worked flawlessly!

    Unfortunately after a power cycle I cannot get the USB hard drive to power on, so I think it has finally failed. Do you know if the PogoPlug device is salvageable and if I can reinstall Arch Linux on a different drive?

    Best regards,

    • The hard drive you connected may have failed, or the bootloader on it may have simply become corrupt from the crash. To test, try plugging the drive into a computer, and format it. If it functions ok, it simply got corrupted.

      Either way, the PogoPlug should not be damaged. Simply unplug the hard drive and reboot the PogoPlug without it. Then, once it has booted, plug in whatever device you want, and repeat the steps to install Arch.

      After unplugging the drive and rebooting, the SSH username and pass for the pogo will likely revert to “root”.

    • PIA’s kill switch is a specific implementation of an ifdown script. The ifdown script for the anonybox kills the proxies if the connection to PIA goes down. This should functionally be identical to the kill switch, but I do not offer any warranty or guarantee on that front.
