Installation and Fix of i2p inside Whonix-Workstation by Default

OK. I will experiment with /etc/ and see if it overrides everything else and pull the trigger if it does.

1 Like

Not sure which package would fit. GitHub - Whonix/anon-apps-config ?
vs dependencies vs default installation…

1 Like

Yes, but we must have included i2p and all deps before adding it; otherwise installing it manually would overwrite the file?

1 Like

Update:

Merely adding a new config in any of these directories has no effect whatsoever.

Digging through Goldstein's steps, he relied on sed to modify router.config.

The official documentation makes no mention of how to do custom confs.

1 Like

No such issue. Overwriting / file conflicts is only a problem if two different packages want to put a file to the same location.

For example no package yet ships file /etc/i2p/router.config. Therefore no issue if anon-apps-config ships /etc/i2p/router.config.

The timing when anon-apps-config and when i2p gets installed doesn’t matter from a packaging file conflicts perspective. Since no i2p package ships file /etc/i2p/router.config there is no conflict.

(The timing only matters for usability but once upgraded or new build anon-apps-config will be already installed before users have time to manually install i2p.)

This was a theoretic reply since I didn’t test if the i2p application actually makes use of /etc/i2p/router.config.

1 Like

Not good. I guess we just need to figure out the proper file path.

If /var/lib/i2p/i2p-config/router.config is regarded by i2p I would imagine that

  • /etc/i2p/router.config OR
  • /etc/i2p/i2p-config/router.config

would overrule /var/lib/i2p/i2p-config/router.config. Please ask upstream about this. Ask if Debian ships a file /var/lib/i2p/i2p-config/router.config then how derivative distributions such as Whonix or local system administrators would configure their i2p daemon. Which file location to use.

That’s really hacky, often fragile and should only be last resort if upstream is aware and there is no better solution yet.

/var/lib/i2p/i2p-config/router.config is not really “owned” (not managed by its APT package) by any i2p package.

dpkg -S /var/lib/i2p/i2p-config/router.config

dpkg-query: no path found matching pattern /var/lib/i2p/i2p-config/router.config

No surprise since the file location is in /var.

But we don't know by what and how /var/lib/i2p/i2p-config/router.config is (re-)generated. Any manual change (or change by sed) might be reverted later (such as perhaps on package upgrades), which would then break the functionality provided by the sed hack.


See also:

cat /usr/share/doc/i2p-router/README.Debian
cat /lib/systemd/system/i2p.service
cat /etc/default/i2p
cat /etc/i2p/wrapper.config
1 Like

@Patrick good catch. Changes made in /var/lib/i2p/i2p-config/router.config override the other instances of router.config. I’ll work on a pull request.

For tunnel lengths, let's stick to defaults? That way we stack protection of both networks in case a Tor user is compromised by a malicious guard?

1 Like

Great! Please add default config first. Then make changes to that file so we can better show which changes are made by Whonix.

No idea. Defaults sounds good. Anything else could be considered future work.

1 Like

Good. So going by that, I imagine we can ship a custom privoxy file too?

1 Like

Another question, do we want to disable the I2P first run wizard, set lang to English and set the bandwidth?

1 Like

privoxy: somehow we can. Please work on the config. I will think about where to place the file etc.

Please also see apt-file list privoxy and read all the human readable files such as /lib/systemd/system/privoxy.service.

Should we modify the default behavior of privoxy when installed by replacing its default config somehow? Or should user-installed privoxy / i2p privoxy be separate privoxy processes? The latter I am not sure yet how difficult / useful.

1 Like

Not sure. Not too important. If easily doable, I guess yes why not. Less questions, more out of the box experience, the better.

1 Like

https://github.com/Whonix/anon-apps-config/pull/7/commits/ee06ea535b700eb9400d694b8e84405b9b98b563

1 Like

OK here it is:

forward .bit 127.0.0.1:43110
forward .i2p 127.0.0.1:4444
accept-intercepted-requests 1
max-client-connections 512

Added early zeronet support too. This belonged in /etc/privoxy/config.

Any mention of custom configs leads to recommendations to edit the user.action files, which still requires editing existing files.

I experimented with creating a file with just these settings above and then installing privoxy from scratch; dpkg would ask if I wanted to replace our existing file or use it instead. It is not sufficient on its own to make privoxy work as it needs other settings in the default config.

1 Like

@HulaHoop

This is I2Pjava or I2Pd ?
over Tor or parallel with Tor (over clearnet)?

if its I2Pj for security reasons adjust the following:

  • Remove 127.0.0.1:4445 tunnel as 127.0.0.1:4444 is resolving TLS over it. (legacy tunnel thus still in the i2pconsole) #2562
  • Disable “shared clients” for tunnels as it will switch the tunnel by force to use SHA-1 even if you configured to use Ed25519-SHA-512 #2525
  • Make sure all tunnels are using signature "Ed25519-SHA-512" (though SHA-1 is used by very old routers; you will find them in the netDB whether you like it or not #2643)

(others like disabling UPNP and seed over Tor and stuff i think already mentioned by @Goldstein)

For usability might better to know that:

  • i2prouter doesn't recognize I2P running within systemctl #2324
  • configuring i2p with dpkg autostart doesn't work #2323
2 Likes

I2PJava over Tor

Nothing ever gets sent to port 4445 as we are using the http proxy only via privoxy.

Thanks for your suggestions however I will defer any crypto tweaks to upstream as it might break operations. With newer versions I2P is using an improved NTCP protocol anyhow.

1 Like

I found a Privoxy wrapper script designed to run it with a conf in an alternative location on Mac but it should be usable on Linux with little to no tweaking. Introducing privoxyctl. Licensed under public domain but the code is hopelessly garbled. When we straighten out the script it will be a matter of adding a default conf + my changes in /home/user/.privoxy and figuring out how to always execute the daemon with it upon start and updates.

More on privoxyctl usage here: NovoSial.org: Privoxy Configuration

1 Like

/etc/privoxy/config is managed by the package privoxy postinst script in a special way; see /var/lib/dpkg/info/privoxy.postinst. Therefore the usual config-package-dev displace probably won't work.

But I found an OK solution using a Environment= systemd unit file drop-in.

/etc/privoxy/config by Debian privoxy can stay as is. We won't modify it. It will effectively do nothing besides linger around there. The default privoxy instance will be reconfigured to use /etc/privoxy/config_anon-apps-config.conf. Untested but quite confident this will work. (It doesn't restart privoxy and I am not sure that would be sane/useful/needed. Probably better to assume anon-apps-config is already installed or the system already rebooted before privoxy starts.)

Please add privoxy config here:

anon-apps-config/etc/privoxy/config_anon-apps-config.conf at master · Whonix/anon-apps-config · GitHub

HTML issue. The source code is readable in the website source code. Probably not needed by us. (Running privoxy as system daemon vs under same user account vs installation path vs we're not supporting multiple privoxy's running at the same time.)

/var/lib/i2p/i2p-config/router.config could be troublesome as per this post. Can /etc/i2p/i2p-config/router.config or any other location in /etc be used?

1 Like

https://github.com/Whonix/anon-apps-config/pull/8/commits/0384581694c33c27f4b9b2f743c4a5e9b7e0d349

I wonder if the setting confdir /etc/privoxy should be changed or should it just work with your technique? Let's try as is. If it doesn't work then I've made a note as to why.

1 Like

Should just work. confdir didn’t change.

This will be the effective settings:

cat etc/privoxy/config_anon-apps-config.conf | grep --invert-match "\#"

Grepped for everything that does not start with a hash (#).

forward .bit 127.0.0.1:43110
forward .i2p 127.0.0.1:4444
accept-intercepted-requests 1
max-client-connections 512

user-manual /usr/share/doc/privoxy/user-manual
confdir /etc/privoxy
logdir /var/log/privoxy
filterfile default.filter
logfile logfile
listen-address 127.0.0.1:8118
listen-address [::1]:8118
toggle 1
enable-remote-toggle 0
enable-remote-http-toggle 0
enable-edit-actions 0
enforce-blocks 0
buffer-limit 4096
enable-proxy-authentication-forwarding 0
forwarded-connect-retries 0
accept-intercepted-requests 0
allow-cgi-request-crunching 0
split-large-forms 0
keep-alive-timeout 5
tolerate-pipelining 1
socket-timeout 300

1 Like
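The "effective settings" listing above is produced by dropping comment lines only, which hides a detail a reviewer wants surfaced: accept-intercepted-requests appears twice in the merged file (the Whonix addition sets it to 1, the retained Debian default further down sets it to 0). The script below is an added example, not code from the thread or from anon-apps-config. It strips comments and blank lines, reports single-valued directives that occur more than once, and computes the value that would apply under the assumption (stated here, not verified against the privoxy source) that for single-valued directives the last occurrence wins, while forward and listen-address are treated as multi-valued lists. The sample config is constructed inline from the fragments posted above.

```shell
#!/bin/sh
# Added example (not from the thread): find duplicated single-valued
# directives in a privoxy-style config and show which value would apply.
# Assumption: last occurrence wins for single-valued directives;
# "forward" and "listen-address" are multi-valued and excluded.

# Constructed sample: the anon-apps-config additions on top of a trimmed
# Debian default. accept-intercepted-requests appears twice on purpose.
SAMPLE_CFG="$(mktemp)"
cat > "$SAMPLE_CFG" <<'EOF'
# Whonix additions
forward .bit 127.0.0.1:43110
forward .i2p 127.0.0.1:4444
accept-intercepted-requests 1
max-client-connections 512

# Debian defaults (trimmed)
confdir /etc/privoxy
listen-address 127.0.0.1:8118
listen-address [::1]:8118
enable-remote-toggle 0
accept-intercepted-requests 0
EOF

# Directive lines only: strip everything after '#', trailing spaces,
# and blank lines (stricter than grep --invert-match "\#", which also
# drops any directive line that merely contains a '#').
active_lines() {
    sed -e 's/#.*//' -e 's/[[:space:]]*$//' -e '/^[[:space:]]*$/d' "$1"
}

# Value that applies for one single-valued directive (last occurrence wins).
effective() {
    active_lines "$1" | awk -v key="$2" '$1 == key { v = $2 } END { print v }'
}

# Single-valued directives that occur more than once, with all their values
# in file order, so the overridden "1" is visible next to the winning "0".
conflicts() {
    active_lines "$1" | awk '
        $1 == "forward" || $1 == "listen-address" { next }
        { n[$1]++; vals[$1] = vals[$1] " " $2 }
        END { for (k in n) if (n[k] > 1) print k ":" vals[k] }' | sort
}

effective "$SAMPLE_CFG" accept-intercepted-requests   # prints 0
conflicts "$SAMPLE_CFG"   # prints accept-intercepted-requests: 1 0
```

Run it against /etc/privoxy/config_anon-apps-config.conf instead of the constructed sample to check the real file; any directive reported by conflicts should be deduplicated so the intended value is the one that survives.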