Installation and Fix of i2p inside Whonix-Workstation by Default

https://github.com/Whonix/anon-apps-config/pull/10/commits/c9271f705a8329b81e008f0e032dd726524bbad5


Always, a muted Storm can't be stopped :wink:

Yeah, kinda redundant, but shouldn't do any harm.
Can't find the docs about that atm, but if I remember correctly it does set the upload speed or something similar.

Haven't done any testing with that setup, but I can do some tests and see if it even matters and what works best.


I see, this will make WS disastrous by adding OpenJDK and its stuff + I2Pj is a mess of combining tools which need to be disabled in order for I2P to serve well over Tor.

I have tested this, nothing is breakable because this is one of the design options within I2Pj; we are not making something outside of it.

Things also to be considered:

  • in Web Apps http://127.0.0.1:7657/configwebapps
    ** Disable autostart and stop I2Psnark service (No Torrent support over Tor)
    ** Disable autostart and stop Imagegen service as this is used for Eepsites (if I remember). But it depends if Eepsites are going to be useful in our case or not.
    ** Disable autostart and stop I2PControl - Remote Control Service / json-rpc as I find it useless in our case.

  • in Network http://127.0.0.1:7657/confignet :
    ** Disable UPnP as most routers don't allow it by default and it's a security disaster anyhow (unless someone knows what he's doing).
    ** Enable Hidden mode - do not publish IP (prevents participating traffic). Yes, publishing the Tor IP address is not harmful, but an I2P router over Tor is not useful for participating anyway.
    ** IPv6 Configuration: “Prefer IPv4 over IPv6” OR “Disable IPv6”, because the default option, “Prefer IPv6 over IPv4”, is not for Tor. (Yes, Tor lately supports some IPv6, but not the majority of its traffic.)
    ** Enable Laptop Mode: This is useful as the IP is going to change over Tor, thus changing the I2P identity as well, resulting in enhanced anonymity. (Though enabling it doesn't have the same anonymity-enhancing impact as using it over clearnet, because it's already over anonymized traffic.)
    ** UDP Configuration: Completely disable (select only if behind a firewall that blocks outbound UDP) - This is our case anyway with Tor, as it completely lacks the use of UDP.

  • in Local tunnels configurations http://127.0.0.1:7657/i2ptunnelmgr
    ** Remove 127.0.0.1:4445 = useless tunnel
    ** Hidden Service/Eepsite tunnel = do we need it? Is it useful in our case? If not, please remove/disable by default.
    ** POP3/SMTP tunnels: This really depends on whether Susimail is going to be working/useful in our scenario. If it's going to work fine then leave them, if not then remove/disable them. (Also don't forget to stop autostart of the susimail web app as well in case it is disabled.)
    ** Disable out proxies from 127.0.0.1:4444 + Shared Client ability (mentioned above)

  • in http://127.0.0.1:7657/configstats:
    ** Disable all statistics, as all of them are only for local/internal usage and won't be useful to anyone except the one who will look at them. So it consumes resources by default for no needed reason.

  • in http://127.0.0.1:7657/configupdate
    ** Refresh frequency: make it never, as it takes bandwidth to always check on that, plus it's like every router in i2p will hit that news URL server every couple of time, which I believe is not nice to have.

This is what I believe are the hardened options when using I2Pj.

Notes:

  • I2Pd has way less headache than I2Pj, but I doubt their developers always do things right or are very active.
  • Wait for 0.9.45 version of I2Pj because it will have some good improvements (gonna be released in one month or so).
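The settings above live in I2P's router.config, which uses the Java .properties format. As an added example (not code from the Whonix project or this thread) the script below parses such a file and reports which of the hardening points from the list above are not in effect; the key names and allowed values in HARDENED are my assumptions about router.config and should be checked against the installed file.

```python
"""Audit an I2P router.config against the hardening settings discussed above.
Added example; key names/values below are assumptions, not taken from the thread."""
import re

# Expected hardened values (assumed router.config keys).
HARDENED = {
    "i2np.upnp.enable": {"false"},              # UPnP disabled
    "router.hiddenMode": {"true"},              # hidden mode, IP not published
    "i2np.laptopMode": {"true"},                # new identity when IP changes
    "i2np.udp.enable": {"false"},               # UDP off, Tor only carries TCP
    "i2np.ntcp.ipv6": {"false", "preferIPv4"},  # IPv6 disabled or not preferred
}


def parse_properties(text):
    """Minimal Java .properties parser: '#'/'!' comments, '=' or ':' or
    whitespace separators, backslash line continuation."""
    props = {}
    logical = ""
    for raw in text.splitlines():
        line = raw.lstrip()
        if logical == "" and (not line or line[0] in "#!"):
            continue  # blank line or comment
        if line.endswith("\\"):
            logical += line[:-1]  # continued on the next line
            continue
        logical += line
        match = re.match(r"([^=:\s]+)\s*[=:]?\s*(.*)", logical)
        logical = ""
        if match:
            props[match.group(1)] = match.group(2).strip()
    return props


def audit(props):
    """Return {key: (actual_value, allowed_values)} for every deviation."""
    findings = {}
    for key, allowed in HARDENED.items():
        actual = props.get(key, "<unset>")
        if actual not in allowed:
            findings[key] = (actual, sorted(allowed))
    return findings


# Constructed sample resembling a stock router.config (not a real file).
SAMPLE = """# I2P router configuration (constructed sample)
i2np.upnp.enable=true
router.hiddenMode=false
i2np.udp.enable=\\
    true
i2np.ntcp.ipv6=preferIPv6
"""

if __name__ == "__main__":
    for key, (actual, allowed) in audit(parse_properties(SAMPLE)).items():
        print(f"{key}: {actual!r} (expected one of {allowed})")
```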

Heya buddy! welcome back :blush:

Yeah, but still, they'd better be modified for security/usability.

Maybe. I have played a long time ago with “Tunnel Options” and it gave too many errors. I think it's better to keep the default for this.

But if we want to go deep, then we need to check whether the rest of the options are useful as well, like Count, Backup, Variance, and how much to give for each (sorta extra headache; an upstream citation might be useful as well).


You’re confusing openjdk with the shitty and insecure Java applets of a decade ago. Java is a memory safe language like Python and if anything, coding errors here result in a crash rather than RCE.

I2PSnark works over I2P.

Have you seen my conf? I already apply many of these.

Updater is disabled in the Debian version

We track Debian stable versioning so we’ll be on 9.38 for the foreseeable future.

The Java version has a nice GUI that introduces the users to all the major sites and services of the network. I’m not sure there is an alternative if we give that up. i2pd is also in Debian and is receiving new version updates if you look across Debian branches.

HulaHoop via Whonix Forum:

https://github.com/Whonix/anon-apps-config/pull/10/commits/c9271f705a8329b81e008f0e032dd726524bbad5

Merged.


No answer to [Whonix-devel] I2P Custom Router Conf yet.

It is important to mention that the Debian -- Details of package i2p in buster / Debian -- Details of package i2p-router in buster is being used since Debian patches configuration paths.

They had /etc/i2p in mind but it looks like it wasn’t completed, judging by debian/i2p.links · master · Debian / i2p · GitLab.

This is a problem. If the very file that we ship is modified, then that will result in a dpkg interactive conflict resolution dialog.

Better to modify /usr/share/i2p/router.config. That one is probably not modified by the application. That file we can take over using config-package-dev displace. I speculate it will be used as a template and copied to /var/lib/i2p/i2p-config/router.config only once. Probably disadvantage: users won’t receive your changes to /usr/share/i2p/router.config when anon-apps-config is updated. At least not automatically / easily. That’s not easy without a proper .d folder.


I wasn’t aware that this has been suggested earlier. Can be considered.

Please check:

  • If the application issues network activity, there must be a way to properly configure it for Stream Isolation, to keep Tor’s TransPort clean for the user’s own stuff. (Deprecated [archive])

Can i2p be configured to use a Tor SocksPort or a Tor HttpTunnelPort?

  • Must not issue network activity while the application is not in use.

Should i2p be autostarted and autoconnect? (Same behavior as installing i2p package.)

It would be running in every Whonix-Workstation? How much system resources does i2p eat?

How much traffic does i2p generate when not in use? I guess a fair share of Whonix users won’t be using i2p? How much load are we going to add to the Tor network?

There is currently no such thing.

Ideally this could serve as an extra APT repository source (mirror). I don’t know much about Tahoe. Is traffic free if we upload there and all our users download from there?


Currently configured to use a max of 128MiB

A few kilobytes as per router stats.

We are not acting as a tunnel for other users’ traffic (only the same mode as a Tor client), so the load/traffic generated is absolutely negligible.

I meant a decentralized Whonix news.

Yes it’s a contributor public grid so free,


Wouldn't this be against what is stated in the config?

 # If you have a 'split' directory installation, with configuration
 # files in ~/.i2p (Linux), %LOCALAPPDATA%\I2P (Windows),
 # or /Users/(user)/Library/Application Support/i2p (Mac), be sure to
 # edit the file in the configuration directory, NOT the install directory.
 # When running as a Linux daemon, the configuration directory is /var/lib/i2p
 # and the install directory is /usr/share/i2p .

Wouldn't we lose the changes when i2p is updated/reinstalled?

I would say no, since we need to wait for Tor first anyway and to not waste system resources for people who don't use i2p.

Connecting doesn't take that long, so it won't be a benefit to autostart.

It should be close to zero when not in use because we are not routing other peoples traffic

Did you check a fresh router without user input? I would guess the only traffic that is sent/received without any input is the first reseeding.

Not sure, I’ll take a look. Maybe @eyedeekay can help, can someone ping him on git?

This might be useful GitHub - eyedeekay/i2pdistro: Re-creating an I2P Linux Distro


You are right. /usr/share/i2p/router.config survives app purges and serves as an initial template for /var/ upon install. Any changes after that are ignored. Should I move the file there?


I don’t think we have a spare 128MiB. Due to many issues, we’re on a very tight RAM budget.

Default RAM:

  • Whonix-Gateway: 512 MB
  • Whonix-Workstation: 768 MB

Already require to use a hack for Whonix-Gateway: swap - swap file - Whonix-Gateway freezing during apt-get dist-upgrade - encrypted swap-file-creator

There is no Whonix-Host yet. Therefore we cannot be more clever and automatically assign more RAM to users’ VMs if available.

Memory de-duplication had to be disabled due to security issues.

Opening too many Tor Browser tabs can already make a VM slow or freeze.

Desktop environments realistically available for Whonix (from packages.debian.org, OK usability, …) require more RAM nowadays than in past.

Whonix system requirement is 4 GB.
4 GB - 768 MB (workstation RAM) - 512 MB (gateway RAM) - 16 MB (gateway video RAM) - 128 MB (workstation video RAM) leaves the host with only around 2576 MB RAM. That’s not much and not even including any multiple Whonix-Workstation’s.

There is currently no Whonix News integrated into whonixcheck.

Yes but config-package-dev displace will sort that out for us.

No. config-package-dev displace will effectively assign management of that file to package anon-apps-config.

Yes. i2p could be started on demand. Such as when people start i2pbrowser or other i2p apps if any?

Interesting! Wasn’t aware of it.

“Is there an I2P Linux Distro” or “Is iPredia still alive” or questions about I2P use in Whonix or TAILS is a very frequently asked question on reddit

Had no idea.

Official inclusion in Whonix is dependent on inclusion in Debian,

Is this still applicable / up to date? Debian -- Details of package i2p-router in buster now exists and here we are discussing i2p installation by default in Whonix. They mean for i2p apps?

Btw what about Debian -- Details of package syndie in buster? I don’t recall testing it but it’s a suggested package by i2p-router package. Should be pre-installed too? Still a tool up to date / recommended / requested / in use / etc?

Yes.


We can try to lower that and see how it impacts performance, but these defaults seem to me quite outdated.
I remember a poll about that here on the forum; is this really an issue?

In what kind of setup? I’ve never had an issue even with 4GB RAM on an old Qubes laptop.

Is there a special reason for that?
RAM isn't that expensive and older hardware isn't supported due to missing VT-XYZ stuff, so it's kinda odd.

Nice, good to know, I’ll take a look, thx

I’ve seen this request a couple of times but I’m not a frequent reddit lurker

I think it was depending on your requirements, so I guess no?
No, I think he means the I2P Router itself

I would say no, it's not really that useful (at least from what I’ve seen when I tested it) and it's easily installed later if someone wants it.
Bote would be nice but AFAIK there is no package for that.


A quick test has shown that config values are inherited as expected.

Other files may be useful for editing.

apt-file list i2p-router

/usr/share/i2p/blocklist.txt
/usr/share/i2p/clients.config
/usr/share/i2p/i2psnark.config
/usr/share/i2p/i2ptunnel.config
/usr/share/i2p/router.config

Yes, can be (re-)considered.

https://twitter.com/Whonix/status/1070983624105676801

Debian, VirtualBox, Whonix default RAM settings.

Qubes / Qubes-Whonix manages RAM far more efficiently.

  • Simplified said, “There is no GUI running inside VM.” I mean by that, no “full X server”, lightdm, XFCE is running inside a VM. XFCE desktop environment packages aren’t even installed by default in VMs. X running inside Qubes VMs is connected to X running in dom0. The de-duplication of that saves a ton of RAM.
  • Qubes RAM management isn’t as static as “if VM is started, assign it to VM in full”. It dynamically assigns RAM. I.e. VMs that are just auto started but idle need far less RAM. Not sure this might be called memory ballooning.

Therefore Qubes / Qubes-Whonix cannot be compared much to Non-Qubes-Whonix as far as RAM requirements are going.

No idea. i2p-router is in packages.debian.org and there is now also:

Depends but things might have changed now.

As per https://geti2p.net/en/docs/applications/supported there are bundled apps, third party plugins. Perhaps it’s about these third party plugins which aren’t packaged but the point? Didn’t read much and not sure which ones he might be referring to.


https://eyedeekay.github.io/I2P-in-Private-Browsing-Mode-Firefox/

Just found this, damn it's hard to keep up with this guy :wink:

This seems like a great way to replace privoxy if/when it gets deprecated and to have a visual distinction between TBB and I2P Browser, what do you think?

Edit: https://www.reddit.com/r/i2p/comments/eljqgd/experimental_webextension_i2p_in_private_browsing/
A few helpful comments from eyedeekay


Out of curiosity, why do you think it's inferior security? Could you please elaborate?


Almost all factors that have nothing to do with I2P code quality:

  • Increased theoretical attack surface
  • possibility of misconfiguring iptables and ending up with leaks
  • users mistakenly executing apps and plugins on the gw which would be a disaster for isolation design. (I have no idea if I2P can support a split design where apps can run on a different machine than where the router is)
  • the fact that most routers are run by people on home OSs like Windows, likely proprietary and surveillance friendly instead of Tor’s network mostly Debian based. Who knows what kind of traffic flow info MS collects?


@HulaHoop Thanks for the elaboration

Some more exciting stuff I’ve found regarding I2P Browser
https://www.reddit.com/r/i2p/comments/e7vnyx/i2p_browser/fa6qscz/

A little more info on what’s going to start happening in the next few months with the I2P browser: We’ve been thinking about the future of I2P Browser as a project, with regard to what is most important about it especially, and that has at times revealed a pretty boring picture. We can get better and better at backporting Tor patches and we are, but that really just leaves us with a Tor Browser clone where we’ve subbed in I2P for Tor. So now we’re in the final phases of adapting Tor Browser’s build infrastructure for our purposes, we have ways to confirm that we’ve done so successfully, what’s next is that we start modernizing the way you interact with the applications that come with I2P from the I2P browser. For instance, very soon we plan to make bittorrent(via I2PSnark) work as first-class downloads within Firefox, with familiar browser-like dialogs and menu integration, no more copy-and-pasting magnet links or copying torrent files into directories to operate the torrent client for I2P browser users. There are plenty of similar little rough edges in how I2P(Especially I2P web browsing) has always worked that we may have an opportunity to ease away with the browser. So it’s very hard to say when it will be “Stable” exactly, it’s not going to be stable for some time in that we’re carefully working on features and trying to make it all cohesive, which will take some time, and most definitely isn’t what we’ll have in January. What we’ll have in January is one where we’re very sure that we’re good enough at adapting the features we need in a timely manner to work on better things.

It looks like I (/we?) should focus more on the I2P Browser and the changes needed to it (especially for the WS) than the I2P Router for an easy to use I2P setup; the problem then would be the low amount of RAM for running I2PB and TBB at the same time.
https://geti2p.net/en/browser

I played with it a couple of hours and it runs well like the “normal” i2p router, it's a pretty out of the box solution.
I tested Torrent, mail, our router config, reseeding via Tor and a couple of other settings; it uses 1.5-2GB of RAM when in heavy use (that's to be expected for a browser, I would say).
The update fails for some reason but besides that I haven't encountered any issues besides the usual I2P quirks.

Thanks to @eyedeekay’s code I was able to tweak the default TBB to work with privoxy with the latest TBB. What extra benefits do we get from using their project instead of what we do right now?

A custom I2P landing page would be a nice little addition to the current i2pbrowser script but not necessary.
