I2P Integration

NOTICE:

A more up-to-date guide is found here:

https://github.com/mutedstorm/Whonix-I2P


I’ll keep updating this Post to share my current Progress and to collect everything in one Thread

Status :

  • I2P Router works in the Gateway (reseeds fine via Tor, builds Tunnels etc)
  • Forwarding Workstation → Gateway works
  • Torrents work (see below)

Steps to reproduce (quick Draft) :

Notes:

  • Please excuse the ugly presentation and wording (I know it's all over the place, going to fix that soon™)
  • Privoxy isn't working; I left it in there for others to see what I did wrong
  • I left the FoxyProxy setup in it to have a way to verify that the forwarding and I2P are working properly
  • Tested only on Qubes OS 3.2 and Whonix 13
  • I think a lot can be done better but I haven't had the time to research it

Preparation

Create a separate Gateway (TemplateVM & ProxyVM) and Workstation (TemplateVM & AppVM)

Installing I2P


Whonix Gateway (Template)VM

We'll install I2P using the Debian packages from the 'official' I2P project. (Kytv used to build the packages used by both his repo and the official one; see Disclaimer.)

Before adding the repo Debian/Ubuntu - I2P, fetch the key and verify https://geti2p.net/_static/i2p-debian-repo.key.asc fingerprints. Always check the fingerprint for yourself. The output at the moment is:

    pub  4096R/0x67ECE5605BCF1346 2013-10-10 I2P Debian Package Repository <killyourtv@i2pmail.org>
          Key fingerprint = 7840 E761 0F28 B904 7535  49D7 67EC E560 5BCF 1346

Download the key with scurl to the home folder.

user@host:~$ scurl -o i2p-debian-repo.key.asc https://geti2p.net/_static/i2p-debian-repo.key.asc

Check fingerprints/owners without importing anything.

user@host:~$ gpg -n --import --import-options import-show i2p-debian-repo.key.asc

If it looks good, import it into trusted.gpg.d.
To import .asc key files into trusted.gpg.d they must be converted into a .gpg keyring file first.

user@host:~$ gpg --no-default-keyring --keyring ./i2p-pubkey.gpg --import i2p-debian-repo.key.asc

user@host:~$ sudo cp i2p-pubkey.gpg /etc/apt/trusted.gpg.d/i2p-pubkey.gpg

For default Whonix 13 using Debian stable:

user@host:~$ echo -e 'deb https://deb.i2p2.de/ jessie main\ndeb-src https://deb.i2p2.de/ jessie main' | sudo tee /etc/apt/sources.list.d/i2p-release.list > /dev/null

For Whonix 14 using Debian Stretch

user@host:~$ echo -e 'deb https://deb.i2p2.de/ stretch main\ndeb-src https://deb.i2p2.de/ stretch main' | sudo tee /etc/apt/sources.list.d/i2p-release.list > /dev/null

Update Packages

user@host:~$ sudo apt-get update

Install I2P, its dependencies and (optional) iceweasel:

user@host:~$ sudo apt-get install i2p i2p-keyring iceweasel

Configure I2P as a service that automatically runs when your system boots, set the amount of RAM to your needs and leave the user as i2psvc

user@host:~$ sudo dpkg-reconfigure i2p

Make the I2P folders persistent in the ProxyVM by adding the following to /usr/lib/qubes-bind-dirs.d/40_qubes-whonix.conf

binds+=( '/etc/i2p' )
binds+=( '/var/lib/i2p/i2p-config/' )

Whonix Gateway (Proxy)VM

Edit the firewall rules

Add the settings in the Whonix firewall /etc/whonix_firewall.d/50_user.conf (uncomment any SocksPort you don't need)

NO_NAT_USERS+=" $(id -u i2psvc)"
SOCKS_PORT_I2P_BOB=2827
SOCKS_PORT_I2P_TAHOE=3456
SOCKS_PORT_I2P_WWW=4444
SOCKS_PORT_I2P_WWW2=4445
SOCKS_PORT_I2P_IRC=6668
SOCKS_PORT_I2P_XMPP=7622
SOCKS_PORT_I2P_CONTROL=7650
SOCKS_PORT_I2P_SOCKSIRC=7651
SOCKS_PORT_I2P_SOCKS=7652
SOCKS_PORT_I2P_I2CP=7654
SOCKS_PORT_I2P_SAM=7656
SOCKS_PORT_I2P_EEP=7658
SOCKS_PORT_I2P_SMTP=7659
SOCKS_PORT_I2P_POP=7660
SOCKS_PORT_I2P_BOTESMTP=7661
SOCKS_PORT_I2P_BOTEIMAP=7662
SOCKS_PORT_I2P_MTN=8998
SOCKS_PORT_PRIVOXY=8118

Now reload the Whonix Firewall

user@host:~$ sudo /usr/bin/whonix_firewall

Add these Lines to /var/lib/i2p/i2p-config/router.config to Reseed via Tor

stat.full=false
stat.logFile=stats.log
stat.logFilters=
stat.summaries=
i2np.upnp.enable=false
router.reseedProxy.authEnable=false
router.reseedProxyEnable=false
router.reseedSSLDisable=false
router.reseedSSLProxy.authEnable=false
router.reseedSSLProxyEnable=true
router.reseedSSLProxyHost=127.0.0.1
router.reseedSSLProxyPort=9050
router.reseedSSLProxyType=SOCKS5
router.reseedSSLRequired=false

Disable the Outproxy

We don't want to access the clearnet with I2P; run the following to disable outproxies.

Remove the outproxy from the tunnel on port 4444

user@host:~$ sed -i '/^.*tunnel\.0\.\(proxyList\|option\.i2ptunnel\.httpclient\.SSLOutproxies\)/d' "/var/lib/i2p/i2p-config/i2ptunnel.config"

Disable the https outproxy (port 4445)

user@host:~$ sed -i 's|^.*\(tunnel\.6\.startOnLoad\).*|\1=false|' "/var/lib/i2p/i2p-config/i2ptunnel.config"

Changing I2P’s listening interface

I2P listens for connections on 127.0.0.1. This won't work for us since we want to access I2P from the Workstation.
We'll set up I2P to listen on the Gateway IP, which could be 10.137.x.10 depending on the Whonix version that you're using. Note:
By the time we're finished here, you will be able to access I2P from the Workstation via 127.0.0.1 as well.

user@host:~$ GATEWAYIP=$(ip addr | grep 'eth1' | grep -v 'BROADCAST' | cut -d / -f 1 | awk '{print $2}')

user@host:~$ sudo sed -i "s/\(.*interface=\).*/\1$GATEWAYIP/g;s/\(.*targetHost=\).*/\1$GATEWAYIP/g" /var/lib/i2p/i2p-config/i2ptunnel.config

user@host:~$ sudo sed -i "s/127\.0\.0\.1/$GATEWAYIP/g" /var/lib/i2p/i2p-config/clients.config

user@host:~$ echo "usimail.host=$GATEWAYIP" | sudo tee /var/lib/i2p/i2p-config/susimail.config > /dev/null

Change the router console listening IP back to localhost (only the address part of the line is replaced; the rest of the line is left untouched)

user@host:~$ sudo sed -i "s/^\(clientApp\.0\.args=7657 ::1,\)$GATEWAYIP/\1127.0.0.1/" /var/lib/i2p/i2p-config/clients.config


Whonix Workstation (Template)VM

Install Privoxy

user@host:~$ sudo apt-get install privoxy

Edit the /etc/privoxy/user.action and add i2p forwarding

forward .i2p 127.0.0.1:4444
accept-intercepted-requests 1
max-client-connections 512

Forwarding Whonix-Workstations Ports to Whonix-Gateway local Ports

Open /etc/anon-ws-disable-stacked-tor.d/50_user.conf with an editor in your Workstation-Template and insert the following:

I2P_PORTS="2827 3456 4444 4445 6668 7622 7650 7651 7654 7656 7658 7659 7660 7661 7662 8998 8118"

for i2p_port in $I2P_PORTS ; do
   $pre_command socat TCP-LISTEN:$i2p_port,fork,bind=127.0.0.1 TCP:$GATEWAY_IP:$i2p_port &
done

Whonix Workstation (App)VM

Edit TorBrowser to use Privoxy

Open the TorBrowser enter about:config and change these Settings

extensions.torbutton.use_nontor_proxy;true
network.proxy.no_proxies_on;0
network.proxy.http;127.0.0.1
network.proxy.http_port;8118
network.proxy.socks;         <--(blank)

currently working on:

  • shortening the Setup Guide and adding current changes
  • rewriting Scripts (pretty awful atm)
  • modifying Itoopie
  • writing a terminal monitor for I2P (like arm/nyx)

TBD

  • Torrents need an extra application (Robert or Transmission-I2P) or files need to be moved between the Gateway (i2psnark) and the Workstation (I don't like the latter option)
  • Tor Browser (TBB) profile with custom about:config settings - #15 by Goldstein
    needs to be solved
  • I’m thinking about switching to I2Pd for better performance and lower Memory needs (should be optional though)
  • I2Pcontrol isn’t included yet so we would need to download that or use a localhost browser on the Gateway
  • itoopie could be used to display bandwidth, tunnel count, status information and change basic configs similar to arm/nyx. It would require I2PControl though.

I had a short chat with ZZZ on i2p-dev about running I2P plugins in another VM; currently this isn't possible, but they are thinking about packaging plugins as Debian packages in the long run and adding the option to run them standalone.

…more to come

6 Likes
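As an added example (not from the original post, and not Whonix or I2P project code), the script below checks the Gateway steps above offline. It pins the repository key fingerprint quoted in the post and fails closed on any other key before the key would be copied into trusted.gpg.d, then applies the same outproxy removal and interface rebinding as the sed commands to a constructed i2ptunnel.config and verifies the result. The gateway IP 10.137.0.10, the tunnel entries and the name example-outproxy.i2p are placeholders; gpg on PATH is assumed for key_fingerprint.

```shell
#!/bin/sh
# Added example (not part of the original post): offline checks for the
# Gateway steps of the guide. The pinned fingerprint is the one quoted in the
# post; the gateway IP and the i2ptunnel.config contents are constructed.

EXPECTED_FP="7840 E761 0F28 B904 7535  49D7 67EC E560 5BCF 1346"

# Strip spaces and upper-case a fingerprint so "7840 e761 ..." and
# "7840E761..." compare equal.
norm_fp() {
  printf '%s' "$1" | tr -d ' ' | tr 'a-f' 'A-F'
}

# 0 when the reported fingerprint is non-empty and equals the pinned one.
fp_matches() {
  actual=$(norm_fp "$2")
  [ -n "$actual" ] && [ "$actual" = "$(norm_fp "$1")" ]
}

# Fingerprint of a key file as gpg reports it, without importing it
# (assumes gpg on PATH; "fpr" record, field 10 of the colon listing).
key_fingerprint() {
  gpg --batch -n --with-colons --import --import-options import-show "$1" 2>/dev/null |
    awk -F: '$1 == "fpr" { print $10; exit }'
}

# Fail closed: only a key whose fingerprint matches the pin may be copied
# into /etc/apt/trusted.gpg.d.
check_repo_key() {
  fp_matches "$EXPECTED_FP" "$(key_fingerprint "$1")"
}

# Same effect as the guide's two sed commands, written with -E and a temp
# file so it also works with a non-GNU sed: drop the http tunnel's outproxy
# keys and keep the https client tunnel from starting.
disable_outproxies() {
  sed -E \
    -e '/^tunnel\.0\.(proxyList|option\.i2ptunnel\.httpclient\.SSLOutproxies)=/d' \
    -e 's|^(tunnel\.6\.startOnLoad)=.*|\1=false|' "$1" > "$1.tmp" && mv "$1.tmp" "$1"
}

# Move every tunnel's listen interface and target host to the gateway IP.
rebind_to_gateway() {
  sed -E "s/^(tunnel\.[0-9]+\.(interface|targetHost))=.*/\1=$2/" "$1" > "$1.tmp" \
    && mv "$1.tmp" "$1"
}

# Checks a practitioner would run after the rewrites (0 = as expected).
outproxy_removed() {
  ! grep -Eq '^tunnel\.0\.(proxyList|option\.i2ptunnel\.httpclient\.SSLOutproxies)=' "$1"
}

https_tunnel_disabled() {
  grep -q '^tunnel\.6\.startOnLoad=false$' "$1"
}

no_tunnel_on_localhost() {
  ! grep -Eq '^tunnel\.[0-9]+\.(interface|targetHost)=127\.0\.0\.1$' "$1"
}

# Build a constructed i2ptunnel.config, apply the rewrites, run the checks.
demo() {
  dir=$(mktemp -d) || return 1
  cfg="$dir/i2ptunnel.config"
  cat > "$cfg" <<'EOF'
tunnel.0.name=I2P HTTP Proxy
tunnel.0.type=httpclient
tunnel.0.interface=127.0.0.1
tunnel.0.listenPort=4444
tunnel.0.proxyList=example-outproxy.i2p
tunnel.0.option.i2ptunnel.httpclient.SSLOutproxies=example-outproxy.i2p
tunnel.6.name=I2P HTTPS Proxy
tunnel.6.type=connectclient
tunnel.6.interface=127.0.0.1
tunnel.6.listenPort=4445
tunnel.6.startOnLoad=true
EOF
  gw=10.137.0.10   # placeholder; the guide derives the real value from ip addr
  disable_outproxies "$cfg"
  rebind_to_gateway "$cfg" "$gw"
  rc=0
  outproxy_removed "$cfg"       || { echo "outproxy keys still present"; rc=1; }
  https_tunnel_disabled "$cfg"  || { echo "https tunnel still starts on load"; rc=1; }
  no_tunnel_on_localhost "$cfg" || { echo "a tunnel still binds 127.0.0.1"; rc=1; }
  rm -rf "$dir"
  return $rc
}

demo && echo "gateway config checks passed"
```

On a real Gateway, check_repo_key i2p-debian-repo.key.asc is the step to run between the download and the cp into /etc/apt/trusted.gpg.d; the three grep checks can be pointed at /var/lib/i2p/i2p-config/i2ptunnel.config after the sed commands from the post have been applied.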

Just to get you up to speed here’s our bugtracker ticket on the matter: ⚓ T775 I2P Integration

The major news is I2P is coming to Debian proper and that makes maintenance and availability a breeze. We are generally reluctant to add any third party repos because if they are compromised then the system is hosed because they have root access.

Of course an exception can be made if it's uploaded to our official repos, but this would require some maintenance overhead and a way to verify the package integrity to protect against dev machines being compromised.

Are you talking about a WS->I2P GW or does I2P still go thru Tor?

Sounds pretty awesome

AFAIK I2Pd is not the work of the official devs? It's made by the guys who wrote the abscond browser, which is a really poor effort compared to the Tor Browser. I wouldn't touch it in that case.

Nice. Keep us updated and lets work out the details.

2 Likes

I’m talking about I2P running on the Gateway and forwarding the Workstation.

yes, I2Pd isn't developed by the official devs; it performs better on low-spec systems and since it's based on C++ it doesn't require Java, but there are still some issues regarding the code. Like I said, it is going to be optional.

Optional is OK if the devs can be trusted but we know nothing about them. Can you or someone trusted vouch for them?

@Goldstein I was mistaken. I2pd isn't related to the abscond bundle, though there is some bad blood between them and Kovri. Anyway the relevant info here is that it also landed in Debian Sid and these packages may be a good starting point for you:

https://media.readthedocs.org/pdf/i2pd/latest/i2pd.pdf

http://i2pd.website/

1 Like

hello there @Goldstein

Why Tor? Why not just I2P? TCP only with I2P is not a great choice.

Transmission-I2P sounds cool

dunno but isn't it better to have an I2P-configured browser?

good thinking, bad time. i2pd is far from usable by normal users atm. i2p-java is the choice, at least for the first couple of years.

yeah that really sucks …

1 Like

even more clear for the story:-

1 Like

We're only reseeding with Tor; it's not TCP only. This should give us some protection against blocking of the reseed URLs.

That's why we're going to have multiple TBBs, because we want the fingerprint protection (what's left of it when we modify it) from the Tor Browser.

I wouldn't say years, but yes, this is why we're going to make it optional. I talked to some I2P folks and they prefer I2Pd over Java, and for people with low memory this would also be needed.

yeah, but this will be solved either by the I2P devs when they bundle it or when they add it as a deb package;
until then we need to fetch it via I2P and have a small workaround.

2 Likes

because Tor is just TCP, so u won't have the chance for UDP traffic.

  • I would suggest that if we want to update/upgrade the distro, that's going to be only through Tor (with apt-transport-tor and Debian onion repos).

  • Remove any outside proxy. Since i2p itself doesn't support or act well with outproxies, I would suggest we remove them completely from the router.

I wouldn't say i2pd is not good if it's completed, but there r a lot of features they need to add, one of them e.g. compression of the traffic, and each day they r adding stuff from i2p-java. So it will really take time; add to that not many testers for it. (check kovri as well if they progressed more than i2pd)

u can download i2p from the Debian buster repos, but there r a lot of stuff there that needs to be added. Also the one who's working on it has disappeared, as of the last time I checked.

at any rate if u want to test some stuff I can help u
:wink:

1 Like

we don't need UDP for reseeding; after I2P has fetched the router information from the reseed server it's going to connect directly (without Tor) to the I2P network.
We could do it without Tor (there will be a config file for that, e.g. to disable it if Tor is blocked) but I like to use it because it's already there (no need to configure Tor) and we get the above-mentioned benefit.

yes, we don’t change that

yes, already done, because of Tor we don’t need outproxies

yes correct, I check the repo quite often to see how they progress with it. I wouldn't count on Kovri; although I like Monero, their way of managing it is quite a disaster, plus the dev is really inexperienced with the code base. I'll keep an eye on it nonetheless.

i meant I2PControl, which hasn’t been added to the Debian Repo AFAIK

mhatta ?

Thank you

1 Like

yeah i think still not yet.

yeah, seems he's busy or so.

1 Like

focus on Whonix core development

I want to thank everyone who has contributed to Whonix and encourage all those who would like to contribute in the future. I enjoy collaborating with you and helping you get up to speed on the inner workings of Whonix.

Unfortunately, with the present shortage of manpower and funding, I have no choice but to focus my own efforts on the core functionality of Whonix. This means that those of you working on major non-core enhancements will need to be resourceful and persevere on your own (or with the help of others) until more core developers and administrators step forward to reduce my workload. I encourage you to fork Whonix and progress at your own speed until we have the resources to review and merge.

While your projects are important to you and the community, please also keep in mind that you can greatly impact the health of Whonix by working on some of the open tasks at https://phabricator.whonix.org. The more people that help with open tasks, the more features we can add to Whonix in the future.

2 Likes

No worries, I have to thank you for your help; the main problems got solved, the remaining problems should be solvable without your contribution.

1 Like

Updated first post with instructions (not finished)

@HulaHoop did you manage to change TBB's config to use Privoxy? I'm running against a wall with this

did u use i2p java or i2pd… etc?

also which virtualization u gonna support? vbox, xen, kvm, qemu? (hope not vmware)

1 Like

java

xen, maybe vbox and kvm later

1 Like

that's awesome. r u gonna include jetty and susi by default?

1 Like

jetty is going to get included but not enabled by default
see

susi yes definitely
see

1 Like

I was digging up tutorials and concepts, haven't tried it out yet. If you give details on how you are configuring it we can work out what's causing problems.

Some guides, but they likely won't work for us since Tor is not running on localhost:
https://wiki.archlinux.org/index.php/Privoxy
https://i2p.rocks/blog/i2p-browser-configuration-tutorial-the-proper-way.html

1 Like