I2P client inside Whonix-Workstation Issues

There is a solution circulating, in which it is described that the service I2P should be started with i2prouter start to create the config files in /home/user/.i2p/clients.config.d/00-net.i2p.router.web.RouterConsoleRunner-clients.config.

On a Whonix Template using the command i2prouter start creates the files on the Template but they are not available in the Template-based AppVM afterwards. I guess this has something to do with the Qubes standard persistence settings.

Therefore on the Template-based AppVM you can run i2prouter start which creates configuration files persistent in /home/user/.i2p/clients.config.d/00-net.i2p.router.web.RouterConsoleRunner-clients.config. Note: sudo dpkg-reconfigure i2p creates configuration files in /var/lib/i2p/ on AppVM only.

Conclusion:

  • i2prouter start creates configuration files in /home/user/.i2p/ and works on Template and AppVM.
  • sudo systemctl start i2p creates configuration files in /var/lib/i2p/ but does not work on Whonix Template.
  • There is currently no way to get the configuration files created in a Whonix Template which are available on the according Template-based AppVM as /home/user/ gets overwritten in AppVM.
  • Creating configuration files must be done in the Template-based AppVM by starting I2P: with i2prouter start you get persistent configuration files; with sudo systemctl start i2p you have to create and change configuration files on each restart of the AppVM.

Is it a secure and reliable alternative to use i2prouter start in AppVM so that you don’t have to reconfigure the configuration files on each restart of the AppVM?

The Qubes particularities on how (non-)persistence is implemented meet I2P’s particularities on how config files are handled. In combination, these are creating a usability mess.

Ignore .anondist. This doesn’t need user documentation. Nothing special to know. No big deal.

Details:

ls -la /var/lib/i2p/i2p-config/router.config*

related:
Dev/About Debian Packaging - Kicksecure chapter config-package-dev in Kicksecure wiki

Normal Qubes persistence “issue” if you can call it an issue.

I doubt that.

Quite possibly because I2P only creates the config files when connectivity is available, which is even more weird. And connectivity is limited in Qubes Templates by Qubes design (at time of writing, only the package manager by default can use networking).

It’s not that weird if you consider that I2PSnark, Hidden Services Manager, and even the Router Console are actually separate applications, which will run only after I2P itself is successfully started. Starting them before I2CP is available would not make sense in the same way that allowing Tor Browser to fetch pages before a SOCKS proxy was available would not make sense. The result is that you start with what we call a “monolithic” config file where all the stuff is stored in one file, called clients.config and i2ptunnel.config respectively, which is immediately migrated to a directory config on most platforms. We did it this way because the monolithic config files are still used on places where the base config directory (/usr/share/i2p) and the working config directory (/var/lib/i2p/i2p-config) are the same, which includes Android and Portable installations, so this way we still only need to maintain one config file.

However, if a directory config is already present, the migration will not occur. So if you just drop all your custom I2P config files into /var/lib/i2p/i2p-config they won’t be migrated from the defaults in /usr/share/i2p, including router.config. Everything you don’t include in that config (keys, etc.) should be regenerated at runtime, and if it doesn’t, file an issue and we’ll take care of it on our end.


Ok, maybe we’re getting somewhere! Appreciate all your support!

It’s a drop-in folder where distribution maintainers (Whonix) and/or users can drop snippets…?

In that case…

  1. Whonix should stop telling users to edit /var/lib/i2p/i2p-config/clients.config.d/00-net.i2p.router.web.RouterConsoleRunner-clients.config since there is no need for it.
  2. Whonix should stop shipping the config-package-dev diverted file /usr/share/i2p/router.config since there’s no need for that either.
  3. Whonix should drop its config snippet(s) into the /var/lib/i2p/i2p-config folder? Any file name possible?

Sounds like a plan?

Or would it be more appropriate for Whonix to use /usr/share/i2p folder to drop snippets?

What’s the config line that we need to add to accomplish

Change from 127.0.0.1 to 127.0.0.2.

?

Sorry it took me a little longer to get back to you. Had a developer leave the project, need to re-allocate some work and offboard him. So let’s see…

It’s a drop-in folder where distribution maintainers (Whonix) and/or users can drop snippets…?

Well yes, in that there are places it looks for default configuration files and if you have an existing configuration in that directory it won’t generally interfere with those settings. If we have to touch one of your settings when we configure your router, we also have to publish something about why. A couple of examples: we had to reach in and enable “Tunnel Testing” in an update to the Java I2P router a few releases ago in order to avoid a conflict with i2pd routers, and I had to change the update URL in the Easy-Install for Windows due to a conflict with de-coupled I2P routers (Easy-Install for Windows is a bundle). The point is, if you put a config file in the config directory, we don’t change the settings unless it’s really, really important.

  1. Whonix should stop telling users to edit /var/lib/i2p/i2p-config/clients.config.d/00-net.i2p.router.web.RouterConsoleRunner-clients.config since there is no need for it.
  2. Whonix should stop shipping the config-package-dev diverted file /usr/share/i2p/router.config since there’s no need for that either.
  3. Whonix should drop its config snippet(s) into the /var/lib/i2p/i2p-config folder? Any file name possible?

Yes to 2 and 3, if I understand correctly, but

2. Possibly put router.config.anondist into /var/lib/i2p/i2p-config/router.config instead.

3. You can either use /var/lib/i2p/i2p-config/i2ptunnel.config and /var/lib/i2p/i2p-config/clients.config, in which case the names matter, or you can use /var/lib/i2p/i2p-config/i2ptunnel.config.d and /var/lib/i2p/i2p-config/clients.config.d, in which case the directory names matter but any filename is OK as long as it ends in .config.

3.a: If you use /var/lib/i2p/i2p-config/i2ptunnel.config and /var/lib/i2p/i2p-config/clients.config simply make your edits* to the default config files and place them in the /var/lib/i2p/i2p-config directory. They will be migrated on the first run to directory configs. Otherwise everything will function normally.

3.b: If you use /var/lib/i2p/i2p-config/i2ptunnel.config.d/ and /var/lib/i2p/i2p-config/clients.config.d/, pre-populate it with all the config files you need, i.e. the migrated versions of the default clients tunnels. In these directories any file with a name ending in .config will be read for a configuration.

Change from 127.0.0.1 to 127.0.0.2.

Those would occur in clients.config or the corresponding clients.config.d directory, and i2ptunnel.config or the corresponding i2ptunnel.config.d directory. Change any value which you want to be reachable on a different address to that different address.

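To check that a drop-in directory actually carries the intended address change, here is an added example (not code from the I2P project or from anon-apps-config) that audits a clients.config.d or i2ptunnel.config.d directory the way the post above describes it: only files whose names end in .config are considered, and every interface=, i2cpHost= or targetHost= line (the keys that appear later in this thread) is reported if its value is not the expected loopback address. The sample files it builds are constructed for the demonstration.

```shell
#!/bin/sh
# Added example, not I2P or anon-apps-config code. Audits a .d drop-in directory
# of I2P config snippets for address keys that do not use the expected value.
# Assumptions: keys interface=, i2cpHost= and targetHost= carry the addresses
# that matter; file names with spaces are handled because the glob expansion
# below is not word-split.

# Print "file:key=value" for each address key whose value is not $2.
# Returns 0 when every address matches, 1 when at least one mismatch was found.
audit_config_d() {
  dir="$1"; expected="$2"; bad=0
  for f in "$dir"/*.config; do
    # Unmatched glob leaves the literal pattern behind; skip it.
    [ -f "$f" ] || continue
    # A file such as 99-old.config.disabled does not end in .config and is
    # never read by the router, so the glob leaves it out as well.
    while IFS= read -r line; do
      case "$line" in
        interface=*|i2cpHost=*|targetHost=*)
          val="${line#*=}"
          if [ "$val" != "$expected" ]; then
            printf '%s:%s\n' "$f" "$line"
            bad=1
          fi ;;
      esac
    done < "$f"
  done
  return $bad
}

# Build a constructed i2ptunnel.config.d: one snippet already on 127.0.0.2,
# one stale snippet still binding to 127.0.0.1, one ignored .disabled file.
make_sample_config_d() {
  dir="$1"
  mkdir -p "$dir"
  printf 'interface=127.0.0.2\ni2cpHost=127.0.0.2\n' > "$dir/00-I2P_HTTP_Proxy-i2ptunnel.config"
  printf 'interface=127.0.0.1\ni2cpHost=127.0.0.2\n' > "$dir/01-Irc2P-i2ptunnel.config"
  printf 'interface=127.0.0.1\n' > "$dir/99-old.config.disabled"
}

# Usage on a real system (hypothetical invocation, path as used in this thread):
#   audit_config_d /var/lib/i2p/i2p-config/i2ptunnel.config.d 127.0.0.2
```

The exit status makes the function usable as a gate in a packaging test: a non-zero return means a snippet still points at 127.0.0.1, which is exactly the case where Tor Browser configured for 127.0.0.2 would not reach the service.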


Any chance you could send a pull request to anon-apps-config implementing the better config style please?

Main goals:

  • As simple as possible for users in the end.
  • Use .d style config files whenever possible.
  • Avoid need to start I2P just to have it create a default config file and then we having to tell users they need to edit that file. In other words, instructions such as 1. start I2P, 2. edit that file… Not great. Best avoided.
  • Ideally all the user would have to do would be installing I2P and all the Whonix specific settings required are already preconfigured and nicely contained in the anon-apps-config package.

Yeah I can probably make that happen after the I2P release on the 22nd, maybe a little sooner.


Yay!

Quote @eyedeekay

I believe this will accomplish what is discussed ITT: I2P client inside Whonix-Workstation Issues - #18 but it wants for testing on an actual Whonix system, I’ve only tried it on regular Debian so far. It changes the default address for user-facing services to 127.0.0.2 instead of 127.0.0.1 using config.d files placed in the i2p-config directory and applies the Whonix-specific router.config using i2p-config instead of using the base configuration. This should require no intervention from the user to set up.

Merged. Thank you!

Added a few commits on top.

This is making a bit of trouble:

## Fix permissions on the I2P configuration directory.

chown -R i2psvc:i2psvc /var/lib/i2p/i2p-config/
  • (Would fail if folder does not exist (but I tried to avoid that by just using mkdir --parents) but then…)
  • Would fail if user and/or group i2psvc does not exist.
  • And lintian complains.
################################################################################
W: anon-apps-config: recursive-privilege-change postinst:56
N:
W: recursive-privilege-change
N:
N:   The named maintainer script appears to call chmod or chown with a
N:   --recursive/-R argument, or it uses find(1) with similar intent.
N:   
N:   All such uses are vulnerable to hardlink attacks on mainline (i.e.
N:   non-Debian) kernels that do not set fs.protected_hardlinks=1.
N:   
N:   The security risk arises when when a non-privileged user set links to
N:   files they do not own, such as such as /etc/shadow or files in
N:   /var/lib/dpkg/. A superuser's recursive call to chown or chmod on
N:   behalf of a role user account would then modify the non-owned files in
N:   ways that allow the non-privileged user to manipulate them later.
N:   
N:   There are several ways to mitigate the issue in maintainer scripts:
N:   
N:    - For a static role user, please call chown at build time
N:      and not during the installation.
N:    - If that is too complicated, use runuser(1) in the
N:      relevant build parts to create files with correct ownership.
N:    - Given a static list of files to change, use non-recursive calls
N:      for each file. (Please do not generate the list with find.)
N:   
N:   Refer to Bug#895597, Bug#889060, Bug#889488, and the runuser(1) manual
N:   page for details.
N:   
N:   Severity: warning
N:   
N:   Check: scripts
N:   
N:   Renamed from:
N:   maintainer-script-should-not-use-recursive-chown-or-chmod
N:
################################################################################

Hence asking: is chown -R i2psvc:i2psvc /var/lib/i2p/i2p-config/ very important, or will the i2p package later take care of setting proper permissions? That would be much better.

Meanwhile, therefore, I ported that part to systemd tmpfiles.d.

That didn’t work great either:

anon-apps-config.conf:4: Failed to resolve user ‘i2psvc’: No such process

Will disable for now.

I hope anon-apps-config wouldn’t have to create user i2psvc? That would be a bit much. Would be nice if the i2p package could take care of user creation, folder permissions. What do you think? @eyedeekay
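The lintian warning quoted above describes the risk concretely: a recursive chown run as root follows whatever hard links an unprivileged user managed to place under the directory. The following is an added example (not the anon-apps-config postinst and not i2p package code) of the non-recursive alternative lintian recommends: a static list of paths, each chowned individually, with the role account checked first so the script does not fail when i2psvc is absent, and with symlinks and hard-linked files refused instead of chowned. The helper names and the file list are assumptions for the illustration.

```shell
#!/bin/sh
# Added example, not anon-apps-config or i2p package code: a non-recursive
# ownership fixer for a maintainer script, written to avoid the
# recursive-privilege-change pattern lintian warns about.
# Assumptions: role user/group and directory are passed as arguments; the file
# list is static (no find), as the lintian text recommends.

# Return 0 when both the user and the group exist. chown and tmpfiles.d both
# fail on a missing account, so a maintainer script should check first.
role_account_exists() {
  getent passwd "$1" >/dev/null 2>&1 && getent group "$2" >/dev/null 2>&1
}

# Chown exactly one path. Refuse symlinks and hard-linked regular files: a
# hard link (link count > 1) shares its inode with a file elsewhere, which is
# the case the lintian warning is about.
safe_chown_one() {
  user="$1"; group="$2"; path="$3"
  if [ -L "$path" ]; then
    echo "refusing symlink: $path" >&2
    return 1
  fi
  if [ -f "$path" ] && [ "$(stat -c %h "$path")" -gt 1 ]; then
    echo "refusing hard-linked file: $path" >&2
    return 1
  fi
  chown "$user:$group" "$path"
}

# Apply ownership to the directory and a static list of known files in it.
# Returns 2 (and changes nothing) when the role account does not exist.
fix_i2p_config_ownership() {
  user="$1"; group="$2"; dir="$3"
  role_account_exists "$user" "$group" || {
    echo "no such role account $user:$group, skipping" >&2
    return 2
  }
  mkdir -p "$dir"
  safe_chown_one "$user" "$group" "$dir" || return 1
  for name in router.config clients.config i2ptunnel.config; do
    [ -e "$dir/$name" ] || continue
    safe_chown_one "$user" "$group" "$dir/$name" || return 1
  done
}

# Usage as a postinst step (hypothetical call with the values from this thread):
#   fix_i2p_config_ownership i2psvc i2psvc /var/lib/i2p/i2p-config
```

Because nothing in the list is discovered at run time, a file that an unprivileged user hard-linked into the directory is never touched unless it is one of the named files, and even then the link-count check stops the chown. The status code 2 lets the postinst distinguish "account not yet created" from a real failure, which is the situation described above where the user creation is expected from the i2p package rather than from anon-apps-config.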

This is now available in the testers repository.

Permissions in folder /var/lib/i2p/i2p-config/i2ptunnel.config.d seem perfect. Owned by user/group i2psvc. So no issue here.

However, some file names contain spaces such as for example:

/var/lib/i2p/i2p-config/i2ptunnel.config.d/00-I2P HTTP Proxy-i2ptunnel.config

Is this intended? No underscore or minus symbols?

The config changes are available inside the VM:

sudo grep -r --color 127.0.0.2 /var/lib/i2p/i2p-config

/var/lib/i2p/i2p-config/i2ptunnel.config.d/05-I2P HTTPS Proxy-i2ptunnel.config:i2cpHost=127.0.0.2
/var/lib/i2p/i2p-config/i2ptunnel.config.d/05-I2P HTTPS Proxy-i2ptunnel.config:interface=127.0.0.2
/var/lib/i2p/i2p-config/i2ptunnel.config.d/06-gitssh.idk.i2p-i2ptunnel.config:interface=127.0.0.2
/var/lib/i2p/i2p-config/i2ptunnel.config.d/04-smtp.postman.i2p-i2ptunnel.config:i2cpHost=127.0.0.2
/var/lib/i2p/i2p-config/i2ptunnel.config.d/04-smtp.postman.i2p-i2ptunnel.config:interface=127.0.0.2
/var/lib/i2p/i2p-config/i2ptunnel.config.d/01-Irc2P-i2ptunnel.config:i2cpHost=127.0.0.2
/var/lib/i2p/i2p-config/i2ptunnel.config.d/01-Irc2P-i2ptunnel.config:interface=127.0.0.2
/var/lib/i2p/i2p-config/i2ptunnel.config.d/03-I2P webserver-i2ptunnel.config:i2cpHost=127.0.0.2
/var/lib/i2p/i2p-config/i2ptunnel.config.d/03-I2P webserver-i2ptunnel.config:targetHost=127.0.0.2
/var/lib/i2p/i2p-config/i2ptunnel.config.d/00-I2P HTTP Proxy-i2ptunnel.config:i2cpHost=127.0.0.2
/var/lib/i2p/i2p-config/i2ptunnel.config.d/00-I2P HTTP Proxy-i2ptunnel.config:interface=127.0.0.2
/var/lib/i2p/i2p-config/i2ptunnel.config.d/02-pop3.postman.i2p-i2ptunnel.config:i2cpHost=127.0.0.2
/var/lib/i2p/i2p-config/i2ptunnel.config.d/02-pop3.postman.i2p-i2ptunnel.config:interface=127.0.0.2
/var/lib/i2p/i2p-config/clients.config.d/04-net.i2p.apps.systray.UrlLauncher-clients.config:clientApp.0.args=http://127.0.0.2:7657/
/var/lib/i2p/i2p-config/clients.config.d/01-net.i2p.sam.SAMBridge-clients.config:clientApp.0.args=sam.keys 127.0.0.2 7656 i2cp.tcp.host=127.0.0.2 i2cp.tcp.port=7654
/var/lib/i2p/i2p-config/clients.config.d/00-net.i2p.router.web.RouterConsoleRunner-clients.config:clientApp.0.args=7657 ::1,127.0.0.2 ./webapps/

I’ve also updated Invisible Internet Project (I2P) to remove the complicated steps which should be no longer required.

A change was needed from, old:

D. network.proxy.http → set to 127.0.0.1

to, new:

D. network.proxy.http → set to 127.0.0.2

Then I could reach http://127.0.0.2:7657 in Tor Browser.

Attempting to visit http://i2pforum.i2p/ I’ve got an error Website Not Found in Addressbook. The same goes for all other i2p domains such as zzz.i2p or stats.i2p.

Maybe I need to wait longer, maybe something broken, I don’t know.

Welcome to I2P! Please have patience as I2P boots up and finds peers.

Dunno if that message would disappear after a while. Connections were established but address book still empty.

I hope anon-apps-config wouldn’t have to create user i2psvc? That would be a bit much. Would be nice if the i2p package could take care of user creation, folder permissions.

Let me get back to you on that, it’s probably a small change to create the config directory at package install time I just want to check with zzz who updates our .deb packages/apt repository that it won’t break some part of his process. I doubt it will be a problem but I want to make sure.


Is this intended? No underscore or minus symbols?

I actually simply created an i2ptunnel.config and a clients.config file with the required changes, forced a migration to a directory configuration, then used the migrated files as a result. Inserting an alternate character, _ or - for instance, won’t cause any problems.

Attempting to visit http://i2pforum.i2p/ I’ve got an error Website Not Found in Addressbook. The same goes for all other i2p domains such as zzz.i2p or stats.i2p.

OK this means I need to make another PR, one which contains a hosts.txt file in the /var/lib/i2p/i2p-config directory with a list of default hosts. Normally there are only 61 or so default hosts in this file, the essentials like our project site and our gitlab. Looks like since I did not include this file you are limited to only using .b32.i2p addresses instead. I’ll make another PR tonight to fix it.

Welcome to I2P! Please have patience as I2P boots up and finds peers.

It will, usually in somewhere between 90 seconds and 10 minutes, but depending on what Whonix does with the /var/lib/i2p/i2p-config/netDb directory at runtime, it may periodically re-appear in cases where the state of that directory is reset or it is otherwise emptied.

That actually reminds me of another interesting point, though: to avoid the reseed process entirely, it’s possible to include a netDb directory in the config directory itself. The router will scan the netDb directory and attempt to connect to those peers before attempting a reseed. This might result in the “Welcome” message going away faster.


Updated i2p-config file names to use underscores instead of white spaces.

Looking forward to. That’s a good solution to quickly get to a working state.

However, maybe a more complex solution for later… Why can I2P usually bootstrap that by itself, but now with the config changes it fails to do that? Hardcoding the address book is non-ideal since this seems a feature degradation versus I2P outside of Whonix. Another thing which needs to be maintained. Would it be possible for I2P inside Whonix to use the same address book bootstrap mechanism that I2P is using outside of Whonix?


Sent last night, also it has the eepsite docroot included which will allow users to enable the default webserver without building their site.

However, maybe a more complex solution for later… Why can I2P usually bootstrap that by itself, but now with the config changes it fails to do that? Hardcoding the address book is non-ideal since this seems a feature degradation versus I2P outside of Whonix. Another thing which needs to be maintained. Would it be possible for I2P inside Whonix to use the same address book bootstrap mechanism that I2P is using outside of Whonix?

It’s because it sees the existing config and doesn’t want to change it, since if it sees an existing config, the assumption is that the options it has are the options that the user wants. However, this probably applies less to the hosts.txt file than it does to i2ptunnel, for instance. hosts.txt is normally the static and unchanging “bootstrap” hosts file just for project sites (and people who applied to be included because they provide something fundamental like optional petname subscriptions); it needs to get copied once and from there, jump services and subscription services like stats.i2p and notbob.i2p take over the addition of new hosts. New hosts post-install go into the “BlockFileNamingDatabase” which manages user-added and subscription-added hostnames. So the long and short of it is that once you have the initial hosts.txt you should be able to add and remove petnames normally. So an old hosts.txt file isn’t too serious of an issue as long as you’ve got one from the past few years since LS2 (because all the keys changed with LS2). Also we only change it like, once a year, so I can just keep making PRs when we add new hosts.

BUT, I guess there is a better way… to get a flow improvement for Whonix, I think what needs to happen is that when the I2P router checks if it needs to copy a base config to a working config, and if the hosts.txt file is not present, copy it to the working directory. That’ll be at least a 2.1.0 goal but there’s very little to stop me from making it work that way. This could theoretically be applied to the eepSite docroot as well.


Quote @eyedeekay

It seems that if the config directory already exists, the default files associated with the usable “I2P distribution” aren’t copied over to the directory if they are missing. This includes 2 important sets of config files which weren’t covered in the previous PR. These are the hosts.txt file and the “eepSite docroot.” The hosts.txt file contains the default map of human-readable keys to cryptographic identifier values which comes with I2P and which forms the most basic part of its naming service. This is a single file. The “eepSite docroot” contains the example hidden HTTP service which end-users may enable to host a static site as an I2P client application. This is 73 files, including 7 XML files for configuring jetty with non-leaking defaults, 21 translated HTML files containing identical text, 21 flags in .png format, 18 various other .png files, 3 .css files, 1 HTML template, a robots.txt and 1 .ico file. It is quite a lot, but it is simply the stable default configuration for the recommended webserver.

Thank you for your efforts! However, I am afraid, 74 files, ~ 5000 lines of code, seems far too much. I cannot review that.

Not convinced that it is really, really required to add a lot of html files, png image files, etc. Seems like excessive code duplication. That content if needed should be built into I2P and not duplicated in anon-apps-config which is supposed to only hold minimal, ideally plaintext only config snippets for Whonix compatibility and anonymity improvements.

Also for example /var/lib/i2p/i2p-config/eepsite/etc/realm.properties seems to include passwords.

Could you please minimize, send a new, separate pull request? (I don’t want to add this to the git history.)

Or should I just hand pick the hosts.txt?