Installation and Fix of i2p inside Whonix-Workstation by Default

That’s a “feature” to avoid showing up in Whonix.

The secbrowser package is just a metapackage. The “hidden” scripts can be run from here for testing:

/usr/share/anon-apps-config/usr++bin++secbrowser
/usr/share/anon-apps-config/usr++bin++download-secbrowser
1 Like

Setting:
extensions.torbutton.use_nontor_proxy true

Allows an I2P page to show up with this message:

The website was not reachable. The website is offline, there is network congestion, or your router is not yet well-integrated with peers. You may want to retry.

EDIT:

It works!

After changing:
network.proxy.share_proxy_settings true


Other settings:

network.proxy.http 127.0.0.1
network.proxy.http_port 8118
network.proxy.no_proxies_on 1
network.proxy.socks_remote_dns false

Privoxy installed and configured with forwarding settings from:

1 Like

Secbrowser download attempt

user@host:~$ sudo sh /usr/share/anon-apps-config/usr++bin++download-secbrowser
/usr/share/anon-apps-config/usr++bin++download-secbrowser: 10: /usr/share/anon-apps-config/usr++bin++download-secbrowser: source: not found

1 Like

Got I2P + TBB working see second post above.

I hope we can get this scripted and have I2P and a configured privoxy included OOTB to transform TBB into an I2P Browser on demand in a dedicated snapshot.

1 Like

It’s bash. Not sh. And thanks to shebang neither sh nor bash needs to be prepended. Running a bash script with sh will break.

source: not found

sh doesn’t know command source.

Also no sudo required.


This approach may be better to restore SecBrowser in Whonix.

sudo dpkg-divert --rename --remove /usr/share/applications/secbrowser.desktop
sudo dpkg-divert --rename --remove /usr/bin/secbrowser
sudo dpkg-divert --rename --remove /usr/bin/download-secbrowser

Won’t survive upgrades.

1 Like

There is i2pbrowser but nobody is maintaining it.

1 Like

Is it a matter of making sure the prefs are current and working? I can do that.

1 Like

I don’t think SecBrowser makes any sense inside Whonix. It’s branded as A Security-hardened, Non-anonymous Browser and will always prioritize clearnet browsing and security over privacy/anonymity with no regard to other goals such as i2p or ZeroNet. Using it in Whonix will lead to confusion. That’s why I hid it in Whonix by default.

What would make sense is reviewing those i2pbrowser related files. See if these make sense. Trying that out. See if it is still working. Needing any changes. And documenting it.

1 Like

Oops, I meant I2P browser when I said that.

1 Like

Damn you are good +1 :slight_smile:

Will play with your fix above to see if us plebs can achieve it with manual tinkering in the meantime. But proper I2P browser with necessary settings would be amazing if you can manage it.

2 Likes

OK - you gotta step it out as I still can’t connect to eepsites.

Tell me what’s wrong. (BTW I guessed we ignore all mutedstorm changes inside Whonix-Gateway stuff - 1000 steps - since you didn’t mention it)

1. Create new whonix-ws-15 TemplateVM clone just for installing I2P

(In TemplateVM)
2. sudo apt-get update
3. sudo apt-get install i2p
4. sudo dpkg-reconfigure i2p

  • keep user as i2psvc
  • have I2P run as daemon when starting
  • have AppArmor applied
  • adjust RAM upwards e.g. 512MB

5. sudo apt-get install privoxy
6. Edit the /etc/privoxy/config add i2p forwarding

(didn’t bother with accept-intercepted-requests 1 and max-clientconnections 512 since you didn’t mention it?)

  • forward .i2p 127.0.0.1:4444

7. Forward Whonix-Workstation Ports to Whonix-Gateway local Ports

Open /etc/anon-ws-disable-stacked-tor.d/50_user.conf with an editor in the Workstation-Template and insert the following:

I2P_PORTS="2827 3456 4444 4445 6668 7622 7650 7651 7654 7656 7658 7659 7660 7661 7662 8998 8118"

# one socat forwarder per port: listen on localhost, relay to the same port on the Gateway
for i2p_port in $I2P_PORTS ; do
   $pre_command socat TCP-LISTEN:$i2p_port,fork,bind=127.0.0.1 TCP:$GATEWAY_IP:$i2p_port &
done

8. Create new AppVM (anon-whonix-I2P)

(In AppVM)

9. Launch Tor Browser
10. Change about:config settings

  • network.proxy.allow_hijacking_localhost false
  • network.proxy.share_proxy_settings true
  • extensions.torbutton.use_nontor_proxy true
  • network.proxy.http 127.0.0.1
  • network.proxy.http_port 8118
  • network.proxy.no_proxies_on 0
  • network.proxy.socks_remote_dns false
  • network.proxy.socks (blank)

11. Go to http://127.0.0.1:7657 for console setup

(Allow javascript for this I suppose)

12. Browse to main I2P Router Console page after connection speed test (which never seems to complete properly)

Network Error is:

Network: ERR-Client Manager I2CP Error - check logs

Explanatory notes say:

This is usually due to a port 7654 conflict. Check the logs to verify. Do you have another I2P instance running? Stop the conflicting program and restart I2P.

Can see a bunch of Active Peers, a small number of exploratory tunnels etc.

13. Try to connect to eepsite e.g. http://i2p-projekt.i2p/en/faq

Error appears instantly:

502
This is Privoxy 3.0.28 on localhost (127.0.0.1), port 8118, enabled
No server or forwarder data received

Your request for http://i2p-projekt.i2p/en/faq could not be fulfilled, because the connection to i2p-projekt.i2p (127.0.0.1) has been closed before Privoxy received any data for this request.

This is often a temporary failure, so you might just try again.

If you get this message very often, consider disabling connection-sharing (which should be off by default). If that doesn’t help, you may have to additionally disable support for connection keep-alive by setting keep-alive-timeout to 0.

Critical logs show:

PM CRIT [istener:7654] er.client.ClientListenerRunner: I2CP error listening to port 7654 - is another I2P instance running? Resolve conflicts and restart

PM CRIT [JettyStarter] outer.startup.RouterAppManager: Client Jetty [/var/lib/i2p/i2p-config/eepsite/jetty.xml] START_FAILED
java.io.IOException: Failed to bind to /127.0.0.1:7658
at org.eclipse.jetty.server.ServerConnector.openAcceptChannel(ServerConnector.java:346)
at org.eclipse.jetty.server.ServerConnector.open(ServerConnector.java:308)
at org.eclipse.jetty.server.AbstractNetworkConnector.doStart(AbstractNetworkConnector.java:80)
at org.eclipse.jetty.server.ServerConnector.doStart(ServerConnector.java:236)
at org.eclipse.jetty.util.component.AbstractLifeCycle.start(AbstractLifeCycle.java:68)
at org.eclipse.jetty.server.Server.doStart(Server.java:394)
at org.eclipse.jetty.util.component.AbstractLifeCycle.start(AbstractLifeCycle.java:68)
at net.i2p.jetty.JettyStart$Starter.run(JettyStart.java:138)
Caused by: java.net.BindException: Address already in use
at java.base/sun.nio.ch.Net.bind0(Native Method)
at java.base/sun.nio.ch.Net.bind(Net.java:455)
at java.base/sun.nio.ch.Net.bind(Net.java:447)
at java.base/sun.nio.ch.ServerSocketChannelImpl.bind(ServerSocketChannelImpl.java:227)
at java.base/sun.nio.ch.ServerSocketAdaptor.bind(ServerSocketAdaptor.java:80)
at org.eclipse.jetty.server.ServerConnector.openAcceptChannel(ServerConnector.java:342)

etc. (similar)

Summary

Does all this mean you have to play with all the Whonix-Gateway Steps on MutedStorm + 100 other things he mentions in Workstation etc?

If so, way too hard and no normal user will ever achieve it in Whonix i.e. I2P browser needed. Otherwise you and Patrick (population = 2) will be the only ones to ever browse I2P sites from within the Workstation. Oh yeh, and that MutedStorm guy :wink:

2 Likes
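The "Address already in use" trace and the console's port 7654 warning are what a local router reports when something else already holds its listeners, and the socat forwarders from step 7 bind 127.0.0.1 on exactly those ports (7654 and 7658 are both in I2P_PORTS). An added check, not from the thread or the Whonix project, that parses `ss -ltnp` output and reports which I2P_PORTS are already bound before the router is started; the sample output is constructed and `check_live` is my own helper name.

```python
import re
import subprocess

# Ports from the I2P_PORTS line in step 7 of the post (socat listeners on 127.0.0.1)
I2P_PORTS = [2827, 3456, 4444, 4445, 6668, 7622, 7650, 7651, 7654, 7656,
             7658, 7659, 7660, 7661, 7662, 8998, 8118]

# Constructed sample of `ss -ltnp` output: socat forwarders already hold 7654 and
# 7658, which is the state that produces the "Address already in use" error above.
SAMPLE_SS = """\
State  Recv-Q Send-Q Local Address:Port Peer Address:Port Process
LISTEN 0      5      127.0.0.1:7654     0.0.0.0:*         users:(("socat",pid=812,fd=5))
LISTEN 0      5      127.0.0.1:7658     0.0.0.0:*         users:(("socat",pid=813,fd=5))
LISTEN 0      128    127.0.0.1:8118     0.0.0.0:*         users:(("privoxy",pid=700,fd=4))
LISTEN 0      128    0.0.0.0:22         0.0.0.0:*         users:(("sshd",pid=500,fd=3))
"""

# State, Recv-Q, Send-Q, local addr:port, peer addr:port, then the optional process column
LINE_RE = re.compile(r"^LISTEN\s+\S+\s+\S+\s+(\S+):(\d+)\s+\S+\s*(.*)$")

def listeners(ss_output):
    """Map local port -> (bind address, process column) for every LISTEN line."""
    found = {}
    for line in ss_output.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            addr, port, proc = m.groups()
            found[int(port)] = (addr, proc.strip())
    return found

def conflicts(ports, ss_output):
    """Return {port: (addr, process)} for every port in `ports` that is already bound."""
    held = listeners(ss_output)
    return {p: held[p] for p in ports if p in held}

def check_live(ports=I2P_PORTS):
    """Run ss on this host and report conflicts (hypothetical helper, needs iproute2)."""
    out = subprocess.run(["ss", "-ltnp"], capture_output=True, text=True).stdout
    return conflicts(ports, out)

if __name__ == "__main__":
    # Runs against the constructed sample; use check_live() on a real Workstation.
    for port, (addr, proc) in sorted(conflicts(I2P_PORTS, SAMPLE_SS).items()):
        print(f"port {port} on {addr} is already held: {proc}")
```

Port 8118 is reported as well because the I2P_PORTS list also contains privoxy's own listening port, one more reason the forwarders do not belong in a Workstation-local setup.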

No, this thread is for user -> Tor -> i2p.
i2p inside ws.

What was attempted in the other thread was Tor in parallel to i2p. user -> i2p
i2p on gw.

What’s missing here can only be something “small”. Previous instructions worked for a while. I don’t expect many changes. Doesn’t imply figuring out what’s missing is easy.

1 Like

OK what I did:

  1. Install I2P in the WS. I didn’t bother doing ‘sudo dpkg-reconfigure i2p’ though it would be needed for the service to start on reboot.

  2. sudo apt-get install privoxy

  3. Edit the /etc/privoxy/config add i2p forwarding snippet - I only added this part to the config. No trust file configuration or max client connections changes.

  4. Changed only these about:config prefs:

extensions.torbutton.use_nontor_proxy true
network.proxy.share_proxy_settings true
network.proxy.http 127.0.0.1
network.proxy.http_port 8118
network.proxy.no_proxies_on 1
network.proxy.socks_remote_dns false

  5. You should be able to connect to the console to set it up 127.0.0.1:7657. I did some things to improve perf like prefer IPv4 and disable UDP and set bandwidth quotas very high

Once the shared client tunnels turn green it should be connected and you can test by connecting to echelon.i2p


The stuff with port forwarding was in the case of running I2P on the GW. Won’t be relevant to us ever.

I am prepared to maintain the prefs for this script, however I believe the lack of packaging is what is preventing its inclusion? (@Patrick)

I2P has some very interesting applications and services that can solve problems like permanent take down attacks, distributed Email and so on. It’s a real jewel.

1 Like
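The setup described here and in the second post is a chain of three things that have to agree: Torbutton must stop forcing the Tor SOCKS proxy, the browser's http proxy must point at privoxy's listen-address, and privoxy must forward .i2p to the I2P HTTP proxy on 4444. An added consistency check, not from the thread or the tb-starter project, that parses a user.js and a privoxy config fragment and lists any mismatch; both sample files are constructed from the prefs and the forward line in the posts, and the function names are my own.

```python
import re

# Constructed user.js with the about:config prefs listed in the post
USER_JS = """\
user_pref("extensions.torbutton.use_nontor_proxy", true);
user_pref("network.proxy.share_proxy_settings", true);
user_pref("network.proxy.http", "127.0.0.1");
user_pref("network.proxy.http_port", 8118);
"""

# Constructed /etc/privoxy/config fragment with the forwarding rule from the post
PRIVOXY_CONF = """\
listen-address  127.0.0.1:8118
forward .i2p 127.0.0.1:4444
"""

PREF_RE = re.compile(r'user_pref\("([^"]+)",\s*(.+?)\);')

def parse_user_js(text):
    """Parse user_pref() lines into a dict with bool/int/str values."""
    prefs = {}
    for name, raw in PREF_RE.findall(text):
        if raw in ("true", "false"):
            prefs[name] = raw == "true"
        else:
            prefs[name] = raw.strip('"') if raw.startswith('"') else int(raw)
    return prefs

def parse_privoxy(text):
    """Return (listen-address, {pattern: target}) from a privoxy config; '#' lines are skipped."""
    listen, forwards = None, {}
    for parts in (l.split() for l in text.splitlines()):
        if len(parts) >= 2 and parts[0] == "listen-address":
            listen = parts[1]
        elif len(parts) == 3 and parts[0] == "forward":
            forwards[parts[1]] = parts[2]
    return listen, forwards

def check_chain(user_js, privoxy_conf, i2p_http_proxy="127.0.0.1:4444"):
    """Return a list of problems; empty means TB -> privoxy -> I2P is wired consistently."""
    p = parse_user_js(user_js)
    listen, fwd = parse_privoxy(privoxy_conf)
    problems = []
    if p.get("extensions.torbutton.use_nontor_proxy") is not True:
        problems.append("use_nontor_proxy is not true: Torbutton keeps forcing the Tor SOCKS proxy")
    if p.get("network.proxy.share_proxy_settings") is not True:
        problems.append("share_proxy_settings is not true: https does not follow the http proxy")
    tb_proxy = f'{p.get("network.proxy.http")}:{p.get("network.proxy.http_port")}'
    if tb_proxy != listen:
        problems.append(f"browser http proxy {tb_proxy} does not match privoxy listen-address {listen}")
    if fwd.get(".i2p") != i2p_http_proxy:
        problems.append(f"privoxy has no 'forward .i2p {i2p_http_proxy}' rule")
    return problems
```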

Did you look into existing i2pbrowser? (Even included in stable Whonix.)

Did you look at these files from post Installation and Fix of i2p inside Whonix-Workstation by Default - #20 by Patrick?

Please look at all of these files and send pull requests wherever changes are required.

tb-starter/usr/share/tb-profile-i2p/profile.i2p/user.js at master · Kicksecure/tb-starter · GitHub already has prefs. Why not add there?

Also tb-starter/usr/share/tb-profile-i2p/profile.i2p/user.js at master · Kicksecure/tb-starter · GitHub has a ton of noscript and https everywhere settings. Is that really necessary?

What changed in i2p so we now have to resurrect old privoxy? Ideally avoided. I guess the days of privoxy are numbered. It’s from a time when there wasn’t much https. And a local proxy outside of the browser cannot filter https, which nowadays is almost everything (non-https even gets a google seo score reduction).

OK - that works!! Great. :smile:

The only thing was in Qubes-Whonix, I needed to run sudo dpkg-reconfigure i2p step, or I couldn’t connect to the I2P router console at all.

Also, we need to warn users that it can take 10 minutes or more to get stable, established tunnels before you can start connecting to eepsites.

I blocked UDP and preferred IPv4 as well, and majorly bumped up bandwidth before I got any stable connections to various .i2p sites.

What do you think we should be recommending for in/out so people don’t have issues for that (how many kb/sec?). I just randomly put in large values until it worked…

Let me know what you think on above points and I’ll fix up the wiki entry over the weekend.

1 Like

I had no idea. How do you activate the profile?

Yes this is the ideal place.

No I think it was some optimizations @eyedeekay did to improve sec as fingerprints between i2p and tbb will differ anyhow.

Nothing. I’ll test and confirm once I know how to activate the profile. The whole point was to allow i2pbrowser to be able to open multiple different domains in the future simultaneously without having to change prefs for every different network client.

1 Like

Alright let’s include this step for sure.

Why not? A dialog on i2p first run.

We’d need to ship an optimized config then.

I pushed it up to 9999s and let it rip.

1 Like

in theory, run

i2pbrowser

Please remove then. Happy you like to take over maintenance of that component. Please edit/remove anything from these config files. Anything that you don’t understand either ask and/or remove.

1 Like

Could you review I2P: Difference between revisions - Whonix please?

1 Like

Looks good. Steps like privoxy and prefs could be omitted once I get around to testing i2pbrowser.

1 Like