I2P client inside Whonix-Workstation Issues

Yay!

Quote @eyedeekay

I believe this will accomplish what is discussed ITT: I2P client inside Whonix-Workstation Issues - #18 but it wants for testing on an actual Whonix system, I’ve only tried it on regular Debian so far. It changes the default address for user-facing services to 127.0.0.2 instead of 127.0.0.1 using config.d files placed in the i2p-config directory and applies the Whonix-specific router.config using i2p-config instead of using the base configuration. This should require no intervention from the user to set up.

Merged. Thank you!

Added a few commits on top.

This is making a bit of trouble:

## Fix permissions on the I2P configuration directory.

chown -R i2psvc:i2psvc /var/lib/i2p/i2p-config/
  • (Would fail if folder does not exist (but I tried to avoid that by just using mkdir --parents) but then…)
  • Would fail if user and/or group i2psvc does not exist.
  • And lintian complains.
################################################################################
W: anon-apps-config: recursive-privilege-change postinst:56
N:
W: recursive-privilege-change
N:
N:   The named maintainer script appears to call chmod or chown with a
N:   --recursive/-R argument, or it uses find(1) with similar intent.
N:   
N:   All such uses are vulnerable to hardlink attacks on mainline (i.e.
N:   non-Debian) kernels that do not set fs.protected_hardlinks=1.
N:   
N:   The security risk arises when when a non-privileged user set links to
N:   files they do not own, such as such as /etc/shadow or files in
N:   /var/lib/dpkg/. A superuser's recursive call to chown or chmod on
N:   behalf of a role user account would then modify the non-owned files in
N:   ways that allow the non-privileged user to manipulate them later.
N:   
N:   There are several ways to mitigate the issue in maintainer scripts:
N:   
N:    - For a static role user, please call chown at build time
N:      and not during the installation.
N:    - If that is too complicated, use runuser(1) in the
N:      relevant build parts to create files with correct ownership.
N:    - Given a static list of files to change, use non-recursive calls
N:      for each file. (Please do not generate the list with find.)
N:   
N:   Refer to Bug#895597, Bug#889060, Bug#889488, and the runuser(1) manual
N:   page for details.
N:   
N:   Severity: warning
N:   
N:   Check: scripts
N:   
N:   Renamed from:
N:   maintainer-script-should-not-use-recursive-chown-or-chmod
N:
################################################################################

Hence asking is chown -R i2psvc:i2psvc /var/lib/i2p/i2p-config/ very important or will the i2p package later take care of setting proper permissions? That would be much better.

Meanwhile therefore I ported that part to systemd tmpfiles.d.

That didn’t work great either:

anon-apps-config.conf:4: Failed to resolve user ‘i2psvc’: No such process

Will disable for now.

I hope anon-apps-config wouldn’t have to create user i2psvc? That would be a bit much. Would be nice if the i2p package could take care of user creation, folder permissions. What do you think? @eyedeekay

This is now available in the testers repository.

Permissions in folder /var/lib/i2p/i2p-config/i2ptunnel.config.d seem perfect. Owned by user/group i2psvc. So no issue here.

However, some file names contain spaces such as for example:

/var/lib/i2p/i2p-config/i2ptunnel.config.d/00-I2P HTTP Proxy-i2ptunnel.config

Is this intended? No underscored or minus symbols?

The config changes are available inside the VM:

sudo grep -r --color 127.0.0.2 /var/lib/i2p/i2p-config

/var/lib/i2p/i2p-config/i2ptunnel.config.d/05-I2P HTTPS Proxy-i2ptunnel.config:i2cpHost=127.0.0.2
/var/lib/i2p/i2p-config/i2ptunnel.config.d/05-I2P HTTPS Proxy-i2ptunnel.config:interface=127.0.0.2
/var/lib/i2p/i2p-config/i2ptunnel.config.d/06-gitssh.idk.i2p-i2ptunnel.config:interface=127.0.0.2
/var/lib/i2p/i2p-config/i2ptunnel.config.d/04-smtp.postman.i2p-i2ptunnel.config:i2cpHost=127.0.0.2
/var/lib/i2p/i2p-config/i2ptunnel.config.d/04-smtp.postman.i2p-i2ptunnel.config:interface=127.0.0.2
/var/lib/i2p/i2p-config/i2ptunnel.config.d/01-Irc2P-i2ptunnel.config:i2cpHost=127.0.0.2
/var/lib/i2p/i2p-config/i2ptunnel.config.d/01-Irc2P-i2ptunnel.config:interface=127.0.0.2
/var/lib/i2p/i2p-config/i2ptunnel.config.d/03-I2P webserver-i2ptunnel.config:i2cpHost=127.0.0.2
/var/lib/i2p/i2p-config/i2ptunnel.config.d/03-I2P webserver-i2ptunnel.config:targetHost=127.0.0.2
/var/lib/i2p/i2p-config/i2ptunnel.config.d/00-I2P HTTP Proxy-i2ptunnel.config:i2cpHost=127.0.0.2
/var/lib/i2p/i2p-config/i2ptunnel.config.d/00-I2P HTTP Proxy-i2ptunnel.config:interface=127.0.0.2
/var/lib/i2p/i2p-config/i2ptunnel.config.d/02-pop3.postman.i2p-i2ptunnel.config:i2cpHost=127.0.0.2
/var/lib/i2p/i2p-config/i2ptunnel.config.d/02-pop3.postman.i2p-i2ptunnel.config:interface=127.0.0.2
/var/lib/i2p/i2p-config/clients.config.d/04-net.i2p.apps.systray.UrlLauncher-clients.config:clientApp.0.args=http://127.0.0.2:7657/
/var/lib/i2p/i2p-config/clients.config.d/01-net.i2p.sam.SAMBridge-clients.config:clientApp.0.args=sam.keys 127.0.0.2 7656 i2cp.tcp.host=127.0.0.2 i2cp.tcp.port=7654
/var/lib/i2p/i2p-config/clients.config.d/00-net.i2p.router.web.RouterConsoleRunner-clients.config:clientApp.0.args=7657 ::1,127.0.0.2 ./webapps/

I’ve also updated Invisible Internet Project (I2P) to remove the complicated steps which should be no longer required.

A change was needed from, old:

D. network.proxy.http → set to 127.0.0.1

to, new:

D. network.proxy.http → set to 127.0.0.2

Then I could reach http://127.0.0.2:7657 in Tor Browser.

Attempting to visit http://i2pforum.i2p/ I’ve got an error Website Not Found in Addressbook. The same goes for all other i2p domains such as zzz.i2p or stats.i2p.

Maybe I need to wait longer, maybe something broken, I don’t know.

Welcome to I2P! Please have patience as I2P boots up and finds peers.

Dunno if that message would disappear after a while. Connections were established but address book still empty.

I hope anon-apps-config wouldn’t have to create user i2psvc? That would be a bit much. Would be nice if the i2p package could take care of user creation, folder permissions.

Let me get back to you on that, it’s probably a small change to create the config directory at package install time I just want to check with zzz who updates our .deb packages/apt repository that it won’t break some part of his process. I doubt it will be a problem but I want to make sure.

1 Like

Is this intended? No underscored or minus symbols?

I actually simply created a an i2ptunnel.config and a clients.config file with the required changes, forced a migration to a directory configuration, then used the migrated files as a result. Inserting an alternate character, _ or - for instance, won’t cause any problems.

Attempting to visit http://i2pforum.i2p/ I’ve got an error Website Not Found in Addressbook. The same goes for all other i2p domains such as zzz.i2p or stats.i2p.

OK this means I need to make another PR, one which contains a hosts.txt file in the /var/lib/i2p/i2p-config directory with a list of default hosts. Normally there are only 61 or so default hosts in this file, the essentials like our project site and our gitlab. Looks like since I did not include this file you are limited to only using .b32.i2p addresses instead. I’ll make another PR tonight to fix it.

Welcome to I2P! Please have patience as I2P boots up and finds peers.

It will, usually in somewhere between 90 seconds and 10 minutes, but depending on what Whonix does with the /var/lib/i2p/i2p-config/netDb directory at runtime, it may periodically re-appear in cases where the state of that directory is reset or it is otherwise emptied.

That actually reminds me of another interesting point, though, to avoid the reseed process entirely, it’s possible to include a netDb directory in the config directory itself. The router will scan the netDb directory and attempt a to connect to those peers before attempting a reseed. This might result in the “Welcome” message going away faster.

1 Like

Updated ip2-config file names to use underscores instead of white spaces.

Looking forward to. That’s a good solution to quickly get to a working state.

However, maybe a more complex solution for later… Why I2P can usually bootstrap that by itself but now with the config changes it fails to do that? Hardcoding the address book is non-ideal since this seems a feature degradation versus I2P outside of Whonix. Another thing which needs to be maintained. Would it be possible for I2P inside Whonix to use the same address book bootstrap mechanism that I2P is using outside of Whonix?

1 Like

Sent last night, also it has the eepsite docroot included which will allow users to enable the default webserver without building their site.

However, maybe a more complex solution for later… Why I2P can usually bootstrap that by itself but now with the config changes it fails to do that? Hardcoding the address book is non-ideal since this seems a feature degradation versus I2P outside of Whonix. Another thing which needs to be maintained. Would it be possible for I2P inside Whonix to use the same address book bootstrap mechanism that I2P is using outside of Whonix?

It’s because it sees the existing config and doesn’t want to change it since if it sees an existing config, the assumption is that the options it has are the options that the user wants. However, this probably applies less to the hosts.txt file than it does to i2ptunnel, for instance. hosts.txt is normally the static and unchanging “bootstrap” hosts file just for project sites(and people who applied to be included because they provide something fundamental like optional petname subscriptions), it needs to get copied once and from there, jump services and subscription services like stats.i2p and notbob.i2p take over the addition of new hosts. New hosts post-install go into the “BlockFileNamingDatabase” which manages user-added and subscription-added hostnames. So the long and short of it is that once you have the initial hosts.txt you should be able to add and remove petnames normally. So an old hosts.txt file isn’t too serious of an issue as long as you’ve got a one from the past few years since LS2(because all the keys changed with LS2). Also we only change it like, once a year, so I can just keep making PR’s when we add new hosts.

BUT, I guess there is a better way… to get a flow improvement for Whonix, I think what needs to happen is that when the I2P router checks if it needs to copy a base config to a working config, and if the hosts.txt file is not present, copy it to the working directory. That’ll be at least a 2.1.0 goal but there’s very little to stop me from making it work that way. This could theoretically be applied to the eepSite docroot as well.

1 Like

Quote @eyedeekay

It seems that if the config directory already exists, the the default files associated with the usable, “I2P distribution” aren’t copied over to the directory if they are missing. This includes 2 important sets of config files which weren’t covered in the previous PR. These are the hosts.txt file and the “eepSite docroot.” The hosts.txt file contains the default map of human-readable keys to cryptographic identifier values which comes with I2P and which forms the most basic part of it’s naming service. This is a single file. The “eepSite docroot” contains the example hidden HTTP service which end-users may enable to host a static site as an I2P client application. This is 73 files, including 7 XML files for configuring jetty with non-leaking defaults, 21 translated HTML files containing identical text, 21 flags in .png format, 18 various other .png files 3 .css files, 1 HTML template, a robots.txt and 1 .ico file. It is quite a lot, but it is simply the stable default configuration for the recommended webserver.

Thank you for your efforts! However, I am afraid, 74 files, ~ 5000 lines of code, seems far too much. I cannot review that.

Not convinced that it is really, really required to add a lot of html files, png image files, etc. Seems like excessive code duplication. That content if needed should be built into I2P and not duplicated in anon-apps-config which is supposed to only hold minimal, ideally plaintext only config snippets for Whonix compatibility and anonymity improvements.

Also for example /var/lib/i2p/i2p-config/eepsite/etc/realm.properties seems to include passwords.

Could you please minimize, send a new, separate pull request? (I don’t want to add this to the git history.)

Or should I just hand pick the hosts.txt?

Sure absolutely, I’ll make a revised one this evening and rip out the eepsite docroot. Splitting the difference would be to not include anything in the actual docroot(HTML, PNG, CSS) directory and pare it down to just the XML files where the jetty config happenss. Would that be acceptable? It would be more like 7 files instead of 74.

1 Like

Hopefully these 2 address your concerns:

1 Like

Merged. Thanks!

This one was easy to compare against https://geti2p.net/hosts.txt.

What’s jetty? How important is it?
This is still a lot code.
A lot stuff which sounds security relevant but where I could only guess what it’s used for.

    <Set name="ExcludeCipherSuites">
      <Array type="java.lang.String">
        <Item>SSL_DH_anon_EXPORT_WITH_DES40_CBC_SHA</Item>

And impossible for me to keep that up to date.

Is there some better way? Can I2P be instructed to auto generate this content so it doesn’t have to be added to anon-apps-conf package source code?

Jetty is a web server written in Java, as part of the default install it is an optional “Client” of I2P which, when enabled, automatically runs a hidden service. Normally, a preview of the content which would be available on a hidden service is available on http://127.0.0.1:7658, but for Whonix it should be at http://127.0.0.2:7658 instead. This functionality is activated by forwarding that local service into the I2P network by starting the “I2P Webserver” which would be found at: http://127.0.0.1:7657/i2ptunnel/edit?tunnel=3 where it is configured.

The motivation for doing things in this way comes from things like OnionScan and other projects which discover misconfigured hidden services en-masse, we attempt to provide a “safe” default jetty configuration for this site which does not have these weaknesses. Apparently this kind of thing is still quite prevalent: Ionut Cernica - Deanonymization of TOR HTTP hidden services - DEF CON Forums

That said, this is an entirely optional feature. We can yank it out and it won’t hurt anything. We would do this by simply deleting the corresponding clients.config.d and i2ptunnel.config.d files, which are 03-I2P_webserver-i2ptunnel.config and 03-net.i2p.jetty.JettyStart-clients.config. In that case the site will be completely disabled by default and no configuration files need to be included. however we should also warn against attempting to activate it, because it will probably not work at all without them and if they do work it won’t be in a configuration we keep track of.

1 Like

Sounds good! Could you please send a pull request / edit the wiki?


Maybe a lot / most / all of this complication could be avoided if I2P was Whonix-Workstation aware? If it had an IF in the source code saying “IF Whonix-Workstation is detected, use 127.0.0.2 instead of 127.0.0.1”.

Maybe a lot / most / all of this complication could be avoided if I2P was Whonix-Workstation aware? If it had an IF in the source code saying “IF Whonix-Workstation is detected, use 127.0.0.2 instead of 127.0.0.1”.

How would you recommend I go about detecting the Whonix workstation? As long as there’s a standard way then I’ll see what I can do.

1 Like

Yeah I’ll make another PR today

1 Like

File /usr/share/anon-ws-base-files/workstation would be very suitable.

(From Whonix ™ friendly applications best practices chapter Programmatically Detecting Whonix in Whonix wiki)

1 Like