I2P Integration

So in summary…


old, last revision really using privoxy:

  • i2p webinterface functional
  • i2p eepsites functional
  • clearnet broken
  • onion functional

current revision without privoxy [1]:
(this at time of writing)

  • i2p webinterface functional
  • i2p eepsites functional
  • clearnet functional
  • onion broken

Correct?


[1] privoxy gets installed but not configured so effectively doing nothing.

Confirmed. This is true. That is also what I described here:
Tor Browser Customization using user.js (for example for i2pbrowser)

The same in other words:
network.proxy.socks_remote_dns set to true is now hardcoded directly by Tor Browser and it always reverts to Tor Browser default after Tor Browser restart.

i2p inside Whonix-Workstation instructions - both old and new - require network.proxy.socks_remote_dns set to false.

Unless the user re-applies these Tor Browser settings all the time which is very bad usability, I don’t think we currently have a good solution with or without privoxy.


Yes


So many posts to drill through, I just wanted to say that if this is possible, it should be a detached project from Whonix

What have you concluded from the posts before? Why do you see it as a bad idea for i2p to be in Whonix?

One way to see it is that a lot of time was spent on this with meager results (?) that should be spent on more worthwhile things.

A different way to see this would be interpreting the number of users ever active in this forum thread (or generally on I2P) as a high user interest in I2P.

Long time no polls.
(polls collections (surveys))

Therefore I’ve started with a very basic question to get a bit of a baseline before asking more specific questions in follow-up polls later.

https://twitter.com/Whonix/status/1542064351015747586

Suggestions for future polls and their wording are welcome.

  • Twitter limits to maximum 4 choices.
  • 25 characters per choice maximum.

Related, for comparison, planned future poll:

Do you use ZeroNet?

  • Yes
  • No

To be posted in a few days?

Instead of only doing this on Twitter which could skew results, a poll or polls could be repeated in Whonix forums similar to a previous poll: User Poll - XFCE vs KDE - KDE Deprecation Considered!

Draft Twitter polls:

Whonix I2P Connection Scheme Wishlist

  • None. Keep as is.
  • Parallel to Tor.
  • user → Tor → I2P → dest

Whonix I2P Integration Wishlist

  • Keep as-is.
  • Easier installation.
  • Installed by default.

It’d just make things a lot harder to maintain and would add more attack surface and decrease development time on other components of Whonix.


Well, if there is no easy way to have it maintained then it won't make it as default, that's for sure. Mostly as well @eyedeekay is going to help with that, otherwise there is also no future for i2p by default (left to users to install it).

Though at the moment in whonix-workstation there is already a script that automatically configures i2p once installed to be compatible with Tor connections (like disabling UPnP, NTP time check, inbound connections, etc.).

Disabled ntp time check by i2p.


Thanks, merged.


Thanks, merged!


Current Issue:

Changing network.proxy.http value in Tor Browser about:config will break the connection to onion hidden services URLs (dunno if there is a way to make this work from within TB)

Solutions: (But not really)

  • Usage of extensions like foxyproxy can solve the issue but is not a real solution here, as it will change the TB fingerprint and put trust into an external extension… more harm than benefit.

  • Privoxy or tinyproxy usage within Tor Browser in Whonix can't be done because about:preferences#connection, which has an option to point Tor's connection at a certain proxy IP and port, doesn't exist in TB within Whonix (maybe easily solvable through other ways?).

  • I2P default outproxies in the HTTP tunnel support onion connections, meaning you can surf onion hidden services from I2P tunnels, but the problem is that you will lose all the security benefits/design of Tor within Whonix and shift the trust to the outproxy operator.

@eyedeekay said there is a way to make this work; hope he will be able to share it with us.


Patches


Thanks, merged!

Well I’ve got… maybe good news, maybe bad news. I don’t think there’s a perfect way to do this, but I do think there might be a few “good” ways to do this. Speaking specifically in the Whonix context, I think option 4 is probably using the “SOCKS Outproxy Plugin” for I2P which zzz wrote a while ago. zzz / i2p.plugins.socksoutproxy · GitLab This satisfies two important things:

  • It does not use extensions in Tor Browser to add the ability to switch from I2P to Tor, instead it acts as an add-on to the HTTP proxy that I2P already uses and routes non-I2P requests to a configured SOCKS proxy.
  • It does not shift trust onto the outproxy operator, it uses the Tor Network directly

The bad news is that there’s no Debian-style package for this yet, but I could easily turn it into one in the coming weeks if there is interest and one of us is willing to host it.

There are a few other ways, all of which I think are probably worse for Whonix. That’s the one I would recommend.


Interesting, @eyedeekay!

So Tor Browser would be configured to use I2P and then I2P would be smart enough to do what…? The I2P would be smart… And…?

  • Exclude, route clearnet (non-I2P) traffic to the socks proxy (Tor)? Or would that go I2P → outproxy → destination?
  • Exclude, route onion (obviously non-I2P too) traffic to the socks proxy (Tor)? Or would that go I2P → outproxy → destination?
  • Route .i2p traffic over I2P?
  • Permit I2P web interface traffic?

Clearnet traffic and Onion traffic (basically, any traffic that is not recognized as I2P traffic) would be routed to Tor, and Tor would take over entirely from there. It essentially functions as an alternative to the regular outproxy system and would take over that role entirely. I2P traffic would still go directly over I2P as well.

I don’t think that it would, on its own, allow access to the I2P webUI normally available on localhost:7657, however. It should still be possible by overriding proxy settings in user.js or similar, though.

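The routing split described in the post above, modelled as an added example that is not part of the thread and is not the SOCKS Outproxy Plugin's code. The function names and route labels are assumptions made for illustration; the code only classifies a URL and proxies nothing.

```javascript
// Added example: which upstream a request would be handed to under the
// split described above. Labels ("i2p", "tor-socks", ...) are hypothetical.

function normalizeHost(hostname) {
  // Lower-case and drop one trailing dot: "example.i2p." is the same name.
  const h = hostname.toLowerCase();
  return h.endsWith(".") ? h.slice(0, -1) : h;
}

function isLoopback(host) {
  // The router console lives on loopback (localhost:7657 in the thread).
  return host === "localhost" || host === "[::1]" ||
    /^127(\.\d{1,3}){3}$/.test(host);
}

function route(rawUrl) {
  let url;
  try {
    url = new URL(rawUrl);
  } catch {
    return "reject"; // unparseable input is never forwarded anywhere
  }
  if (url.protocol !== "http:" && url.protocol !== "https:") return "reject";

  const host = normalizeHost(url.hostname);
  if (host === "") return "reject";

  // Loopback targets must not leave the machine through either network;
  // reaching them needs a separate proxy override (user.js or similar).
  if (isLoopback(host)) return "local-override";

  // Only a true ".i2p" suffix counts. "example.i2p.evil.com" is clearnet,
  // and sending it into I2P (or treating it as trusted) would be a misroute.
  if (host.endsWith(".i2p")) return "i2p";

  // Everything else, clearnet and .onion alike, is handed to Tor.
  return "tor-socks";
}

// Constructed sample inputs.
for (const u of ["http://example.i2p/", "http://example.onion/",
                 "https://example.com/", "http://localhost:7657/home"]) {
  console.log(u, "->", route(u));
}
```

The suffix check runs on the parsed and normalized hostname, not on the raw string, so mixed case, a trailing dot or an `.i2p` label in the middle of a clearnet name cannot change the decision.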

I can confirm this user's problem. In a fresh whonix-ws template, I follow steps 1-4 with success. If I then run “sudo dpkg-reconfigure i2p” and then run “sudoedit /var/lib/i2p/i2p-config/clients.config.d/00-net.i2p.router.web.RouterConsoleRunner-clients.config”, I get the same error: “no such file or directory”. However, if I start from scratch and follow steps 1-4 in a newly cloned template, shut that template down, build and start an appvm based off of that same template, configure the Tor Browser by changing the various parameters in “about:config” and then close Tor Browser, I can run the “dpkg-reconfigure” and “sudoedit /var/lib…” commands IN the appvm successfully. And, only once. If I close the sudoeditor and try to edit that file again, I get the same error “no such file or directory”. If I run those two commands in the template first, I get the same error, and trying to then re-run them in the appvm fails.

TLDR key problems:

  • command “sudoedit /var/lib…config” only works for a moment in the appvm when run at a certain time
  • this would only work for standalonevms because appvms do not persist changes to the root directory
  • there is no “.i2p” in the home directory to try to edit as an alternative