I2P Integration

Thanks, merged!

1 Like

Current Issue:

Changing the network.proxy.http value in Tor Browser's about:config will break the connection to onion hidden service URLs (dunno if there is a way to make this work from within TB)

Solutions: (But not really)

  • Using extensions like FoxyProxy can solve the issue but is not a real solution here, as it will change the TB fingerprint and put trust into an external extension… more harm than benefit.

  • Using Privoxy or tinyproxy within Tor Browser in Whonix can't be done because about:preferences#connection, which has an option to point Tor's connection at a certain proxy IP and port, doesn't exist in TB within Whonix (maybe easily solvable through other ways?).

  • The I2P default outproxies in the HTTP tunnel support onion connections, meaning you can surf onion hidden services from I2P tunnels, but the problem is you will lose all the security benefits/design of Tor within Whonix and shift the trust to the outproxy operator.

@eyedeekay said there is a way to make this work; hope he will be able to share it with us.


Patches

1 Like

Thanks, merged!

Well I’ve got… maybe good news, maybe bad news. I don’t think there’s a perfect way to do this, but I do think there might be a few “good” ways to do this. Speaking specifically in the Whonix context, I think option 4 is probably using the “SOCKS Outproxy Plugin” for I2P which zzz wrote a while ago. zzz / i2p.plugins.socksoutproxy · GitLab This satisfies two important things:

  • It does not use extensions in Tor Browser to add the ability to switch from I2P to Tor, instead it acts as an add-on to the HTTP proxy that I2P already uses and routes non-I2P requests to a configured SOCKS proxy.
  • It does not shift trust onto the outproxy operator; it uses the Tor network directly.

The bad news is that there’s no Debian-style package for this yet, but I could easily turn it into one in the coming weeks if there is interest and one of us is willing to host it.

There are a few other ways, all of which I think are probably worse for Whonix. That’s the one I would recommend.

1 Like

Interesting, @eyedeekay!

So Tor Browser would be configured to use I2P and then I2P would be smart enough to do what…? The I2P would be smart… And…?

  • Exclude, route clearnet (non-I2P) traffic to the socks proxy (Tor)? Or would that go I2P → outproxy → destination?
  • Exclude, route onion (obviously non-I2P too) traffic to the socks proxy (Tor)? Or would that go I2P → outproxy → destination?
  • Route .i2p traffic over I2P?
  • Permit I2P web interface traffic?
1 Like

Clearnet traffic and onion traffic (basically, any traffic that is not recognized as I2P traffic) would be routed to Tor, and Tor would take over entirely from there. It essentially functions as an alternative to the regular outproxy system and would take over that role entirely. I2P traffic would still go directly over I2P as well.

I don’t think that it would, on its own, allow access to the I2P webUI normally available on localhost:7657, however. It should still be possible by overriding proxy settings in user.js or similar, though.

1 Like

I can confirm this user's problem. In a fresh whonix-ws template, I follow steps 1-4 with success. If I then run “sudo dpkg-reconfigure i2p” and then run “sudoedit /var/lib/i2p/i2p-config/clients.config.d/00-net.i2p.router.web.RouterConsoleRunner-clients.config”, I get the same error: “no such file or directory”. However, if I start from scratch and follow steps 1-4 in a newly cloned template, shut that template down, build and start an appvm based off of that same template, configure the Tor Browser by changing the various parameters in “about:config” and then close Tor Browser, I can run the “dpkg-reconfigure” and “sudoedit /var/lib…” commands IN the appvm successfully. And only once. If I close the sudoeditor and try to edit that file again, I get the same error “no such file or directory”. If I run those two commands in the template first, I get the same error, and trying to then re-run them in the appvm fails.

TLDR key problems:

  • the command “sudoedit /var/lib…config” only works for a moment in the appvm when run at a certain time
  • this would only work for standalonevms because appvms do not persist changes to the root directory
  • there is no “.i2p” in the home directory to try to edit as an alternative
1 Like

Thanks very much for explaining this, it will help me debug on the I2P side.

So, after some more poking around, this is what i have found.

If I run steps 1-4 in a template, shut that template down, start a fresh appvm and configure the Tor Browser, shut the Tor Browser down and run “sudo dpkg-reconfigure i2p” and “sudoedit /var/lib…” inside of the appvm, I can change the 127.0.0.1 to 127.0.0.2. After saving and closing, I ran “sudo service i2p restart”, and then “sudo systemctl status i2p” to see that I2P was inactive (dead). So, I then ran “sudo systemctl start i2p” and then “i2prouter start”. “sudo systemctl status i2p” shows I2P is running and then Tor Browser pops up to the router console (except it opens to 127.0.0.1 instead of 127.0.0.2). So after manually changing the .1 to .2, the Java router console displays perfectly, and I can access ‘notbob’. I then checked the home directory and “.i2p” is now available. I can only edit the correct file as root though (even if I change the permissions), but at least I can edit that file while it is in the home directory so it persists.

TLDR again:

  • In a fresh template, ran steps 1-4
  • Closed template, built and ran appvm and configured Tor Browser
  • Closed TB; “sudo dpkg-reconfigure i2p” and “sudoedit /var/lib…” are successful
  • Ran “sudo systemctl start i2p” and then “i2prouter start”. The router console starts but using the wrong proxy. Manually switching to 127.0.0.2:7657 is successful, and I can access other eepsites
  • As root, run “nano /.i2p/clients.config.d/00-net.i2p.router.web.RouterConsoleRunner-clients.config” and edit the parameter. Run “sudo service i2p restart”
  • Power off appvm, start it back up; “sudo systemctl start i2p && i2prouter start” gets I2P going nicely
  • Router console still opens to the wrong proxy, but at least it's working otherwise

Prerequisite knowledge:
Qubes-Whonix ™ Overview chapter Qubes Persistence in Whonix wiki

Quote Invisible Internet Project (I2P) chapter Installation and Setup in Whonix wiki:

Before using I2P, it is recommended to access the I2P router configuration and make several adjustments for better performance.

The part of the usage instructions which are actually mandatory setup instructions (dpkg reconfigure; IP change seems required, not optional) should probably be moved to installation and setup.


I am not sure these two should be combined?
A) sudo systemctl start i2p is when starting I2P using the systemd daemon.
B) i2prouter start is when starting I2P as user without systemd.
Should probably not be combined for most users. Either option could be used if that works. But not both?

Right, it makes me feel naughty. I had tried both commands individually with no luck. Doesn’t make a ton of sense to me either, but it is what I ran that got me results. Naturally, YRMV, but I’m hoping there is something simple I am overlooking so I can cut some of these unnecessary steps out.

Issue is fixed; as @eyedeekay said, one needs to start the I2P service first, then stop it, then configure the mentioned file.

1 Like

It shouldn't be combined; i2prouter start is the horrible one because it doesn't use I2P AppArmor.

Yes, just start the i2p service from systemctl, then stop it; you will find the needed files in the mentioned path.

1 Like
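The start/stop/edit sequence from the TLDR above and the simpler fix in @eyedeekay's reply (start the service once, stop it, then edit the file), as an added example script that is not from this thread or the I2P project; it assumes the clients.config key format shown in its constructed sample and only touches the RouterConsoleRunner args line:

```shell
#!/bin/sh
# Added example, not from the thread: rebind the I2P router console from
# 127.0.0.1 to 127.0.0.2, the edit the posts above make by hand with sudoedit.
set -eu
CONSOLE_CFG="clients.config.d/00-net.i2p.router.web.RouterConsoleRunner-clients.config"

# Candidate locations named in the thread: the packaged config directory and
# the per-user ~/.i2p directory that only appears after the service has run.
console_config_path() {
    for dir in /var/lib/i2p/i2p-config "${HOME:-/root}/.i2p"; do
        if [ -f "$dir/$CONSOLE_CFG" ]; then printf '%s\n' "$dir/$CONSOLE_CFG"; return 0; fi
    done
    return 1
}

# Constructed sample in the clients.config format this example assumes
# (RouterConsoleRunner args are "port bindaddrs webapp-dir"); written to $1.
make_sample_config() {
    printf '%s\n' \
        'clientApp.0.main=net.i2p.router.web.RouterConsoleRunner' \
        'clientApp.0.name=I2P Router Console' \
        'clientApp.0.args=7657 ::1,127.0.0.1 ./webapps/' \
        'clientApp.0.startOnLoad=true' > "$1"
}

# Rewrite the bind address only on the clientApp.N.args line; the other keys
# (main class, name, startOnLoad) are left untouched.
rebind_console() {
    file=$1; new=${2:-127.0.0.2}
    tmp=$(mktemp)
    sed -e "/^clientApp\.[0-9][0-9]*\.args=/ s/127\.0\.0\.1/$new/g" "$file" > "$tmp"
    cat "$tmp" > "$file"   # cat > keeps the file's owner and mode
    rm -f "$tmp"
}

# Print the comma-separated bind addresses the console is configured with.
console_bind_addrs() {
    sed -n 's/^clientApp\.[0-9][0-9]*\.args=[0-9]* \([^ ]*\).*/\1/p' "$1"
}

# Only touch the real system when asked: start the service once so the config
# files get created, stop it, edit, then start again (systemctl only; do not
# mix in "i2prouter start", as the thread notes).
if [ "${1:-}" = "apply" ]; then
    [ "$(id -u)" -eq 0 ] || { echo "run as root" >&2; exit 1; }
    systemctl start i2p && systemctl stop i2p
    cfg=$(console_config_path) || { echo "console config not found" >&2; exit 1; }
    rebind_console "$cfg" && systemctl start i2p
fi
```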

Just found on reddit. Didn’t look into it.

2 Likes

Hello all, I’ve recently finished testing a setup of I2P in the Whonix GW and using TBB from the Whonix WS to browse I2P and Tor. It’s a pretty simple setup, good for using these networks for research, but I haven’t evaluated the overall security impact. I took information from the mutedstorm instructions on archive dot org and the geti2p dot net website. I’d be interested if anyone finds it useful; it’s on GitHub under chrisbensch / I2P-Whonix-Integration
This installs I2P inside the gateway and pre-configures the options from mutedstorm and some of my own. Also, this describes a very simple way to get the workstation running on this setup.

1 Like

Hey there eyedeekay. I was wondering if there was a reason why the official I2P documentation (geti2p (.) net/en/download/debian) says to start I2P through the command “i2prouter start” in the “post install” section. That is where I got the idea of starting I2P through that command, but according to the devs on this forum, that is a security risk as that starts your router without utilizing AppArmor, and that the recommended way to run is “systemctl start i2p”. Can you help clear my confusion here? Thanks.

IIRC that info is out-of-date actually; if you have a look at debian/apparmor/usr.bin.i2prouter · master · I2P Developers / i2p.i2p · GitLab you will see our AppArmor profile does include coverage for running as a user. It might be wrong, we’re not AppArmor experts, and we welcome contributions, MRs, suggestions, emails, whatever. There’s no reason that we shouldn’t have AppArmor coverage for this mode as far as I know, so if something is really wrong let’s figure out how to fix it.

TODO:

Whonix should update GitHub - Whonix/anon-apps-config and use the configuration files as suggested by @eyedeekay.

Help wanted!

It's one of the two for I2P to be properly working as it should:

  • Either run it as a user (i2prouter start) + a working AppArmor profile = this will resolve the Qubes-Whonix issue with the AppArmor advantage.

  • Or make systemctl start i2p work offline, meaning the config files do exist but just the internet connection is not there.

Both are going to work properly with Qubes-Whonix.

Note: for Non-Qubes-Whonix users (whonix-vbox, whonix-kvm…) the current I2P wiki does work without issues.

So if the i2prouter command works with AppArmor, I just need confirmation, then I will change the I2P instructions to use it.