So many posts to drill through, I just wanted to say that if this is possible, it should be a detached project from Whonix
What have you concluded from the posts before? Why do you see it as a bad idea for I2P to be in Whonix?
One way to see it is that a lot of time was spent on this with meager results (?) that should be spent on more worthwhile things.
A different way to see this would be interpreting the number of users ever active in this forum thread (or generally on I2P) as a high user interest in I2P.
Long time no polls.
(polls collections (surveys))
Therefore I’ve started with a very basic question to get a bit of a baseline before asking more specific questions in follow-up polls later.
https://twitter.com/Whonix/status/1542064351015747586
Suggestions for future polls and their wording are welcome.
- Twitter limits to maximum 4 choices.
- 25 characters per choice maximum.
Related, for comparison, planned future poll:
Do you use ZeroNet?
- Yes
- No
To be posted in a few days?
Instead of only doing this on Twitter which could skew results, a poll or polls could be repeated in Whonix forums similar to a previous poll: User Poll - XFCE vs KDE - KDE Deprecation Considered!
Draft Twitter polls:
Whonix I2P Connection Scheme Wishlist
- None. Keep as is.
- Parallel to Tor.
- user → Tor → I2P → dest
Whonix I2P Integration Wishlist
- Keep as-is.
- Easier installation.
- Installed by default.
It’d just make things a lot harder to maintain, would add more attack surface and would decrease development time on other components of Whonix.
Well, if there is no easy way to have it maintained then it won't make it as default, that's for sure. Mostly @eyedeekay is going to help with that as well; otherwise there is also no future for I2P by default (left to users to install it).
Though at the moment in whonix-workstation there is already a script that automatically configures I2P once installed to be compatible with Tor connections (like disabling UPnP, the NTP time check, inbound connections, etc.).
Disabled ntp time check by i2p.
Thanks, merged.
Thanks, merged!
Current Issue:
Changing the network.proxy.http value in Tor Browser about:config will break the connection to onion hidden service URLs (dunno if there is a way to make this work from within TB).
Solutions: (But not really)
- Usage of extensions like FoxyProxy can solve the issue but is not a real solution here, as it will change the TB fingerprint and put trust into an external extension… harm more than benefit.
- Privoxy or tinyproxy usage within Tor Browser in Whonix can't be done because about:preferences#connection doesn't exist in TB within Whonix, which has an option to modify the connection of Tor to a certain proxy IP and port (maybe easily solvable through other ways?).
- I2P default outproxies in the HTTP tunnel support onion connections, meaning you can surf the onion hidden services from I2P tunnels, but the problem is you will lose all the security benefits/design of Tor within Whonix and shift the trust to the outproxy operator.
@eyedeekay said there is a way to make this work; hope he is able to share it with us.
Patches
Thanks, merged!
Well I’ve got… maybe good news, maybe bad news. I don’t think there’s a perfect way to do this, but I do think there might be a few “good” ways to do this. Speaking specifically in the Whonix context, I think option 4 is probably using the “SOCKS Outproxy Plugin” for I2P which zzz wrote a while ago. zzz / i2p.plugins.socksoutproxy · GitLab This satisfies two important things:
- It does not use extensions in Tor Browser to add the ability to switch from I2P to Tor, instead it acts as an add-on to the HTTP proxy that I2P already uses and routes non-I2P requests to a configured SOCKS proxy.
- It does not shift trust onto the outproxy operator, it uses the Tor Network directly
The bad news is that there’s no Debian-style package for this yet, but I could easily turn it into one in the coming weeks if there is interest and one of us is willing to host it.
There are a few other ways, all of which I think are probably worse for Whonix. That’s the one I would recommend.
Interesting, @eyedeekay!
So Tor Browser would be configured to use I2P and then I2P would be smart enough to do what…? The I2P would be smart… And…?
- Exclude, route clearnet (non-I2P) traffic to the socks proxy (Tor)? Or would that go I2P → outproxy → destination?
- Exclude, route onion (obviously non-I2P too) traffic to the socks proxy (Tor)? Or would that go I2P → outproxy → destination?
- Route .i2p traffic over I2P?
- Permit I2P web interface traffic?
Clearnet traffic and Onion traffic (basically, any traffic that is not recognized as I2P traffic) would be routed to Tor, and Tor would take over entirely from there. It essentially functions as an alternative to the regular outproxy system and would take over that role entirely. I2P traffic would still go directly over I2P as well.
I don’t think that it would, on its own, allow access to the I2P webUI normally available on localhost:7657, however. It should still be possible by overriding proxy settings in user.js or similar, though.
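As an added illustration of the dispatch @eyedeekay describes above (this is example code, not code from the thread, from Whonix or from the socksoutproxy plugin), here is the routing rule written out in Python, plus the user.js prefs that would point Tor Browser at the I2P HTTP proxy and exempt the console. The listener addresses are assumptions: 4444 is I2P's usual HTTP proxy port and 9050 a typical Tor SOCKS port, but Whonix uses its own gateway addresses; 7657 is the console port named in the thread.

```python
from urllib.parse import urlsplit

# Listener addresses assumed for this example (constructed; Whonix uses its own
# gateway addresses and ports, so adjust them to the real deployment).
I2P_HTTP_PROXY = ("127.0.0.1", 4444)   # I2P HTTP proxy tunnel Tor Browser would point at
TOR_SOCKS_PROXY = ("127.0.0.1", 9050)  # SOCKS listener the plugin hands non-I2P traffic to
ROUTER_CONSOLE_PORT = 7657             # I2P web console, mentioned in the thread

LOOPBACK_HOSTS = {"localhost", "127.0.0.1", "127.0.0.2", "::1"}


def route_for(url):
    """Classify a request the way the plugin-based scheme is described above.

    Returns one of:
      "i2p"    -> *.i2p destinations stay inside I2P
      "tor"    -> .onion and clearnet destinations go to the SOCKS proxy (Tor)
      "direct" -> the router console on loopback, which the HTTP proxy does not
                  serve on its own; Tor Browser needs a proxy exception for it
    """
    parts = urlsplit(url)
    host = (parts.hostname or "").lower().rstrip(".")
    if host in LOOPBACK_HOSTS and parts.port == ROUTER_CONSOLE_PORT:
        return "direct"
    if host.endswith(".i2p"):           # covers both hostnames and *.b32.i2p
        return "i2p"
    # .onion and ordinary clearnet hostnames alike: everything the I2P HTTP
    # proxy does not recognise as I2P is forwarded to the configured SOCKS proxy.
    return "tor"


def proxy_hop(url):
    """(host, port) that ultimately carries the request under this scheme."""
    route = route_for(url)
    if route == "direct":
        return (urlsplit(url).hostname, ROUTER_CONSOLE_PORT)
    # Both I2P- and Tor-bound requests first enter the I2P HTTP proxy; the
    # plugin then forwards the Tor-bound ones to TOR_SOCKS_PROXY.
    return I2P_HTTP_PROXY if route == "i2p" else TOR_SOCKS_PROXY


def tor_browser_user_js(http_proxy=I2P_HTTP_PROXY):
    """user.js lines pointing Tor Browser at the I2P HTTP proxy and exempting the console.

    These are standard Firefox prefs. That the exemption alone is enough under
    Tor Browser's hardened defaults is an assumption (the thread says 'or similar').
    """
    host, port = http_proxy
    return [
        'user_pref("network.proxy.type", 1);',
        f'user_pref("network.proxy.http", "{host}");',
        f'user_pref("network.proxy.http_port", {port});',
        f'user_pref("network.proxy.ssl", "{host}");',
        f'user_pref("network.proxy.ssl_port", {port});',
        'user_pref("network.proxy.no_proxies_on", "127.0.0.1, 127.0.0.2, localhost");',
    ]


if __name__ == "__main__":
    for u in ("http://notbob.i2p/", "http://example.onion/",
              "https://www.whonix.org/", "http://127.0.0.1:7657/"):
        print(u, "->", route_for(u), proxy_hop(u))
    print("\n".join(tor_browser_user_js()))
```

The point of writing it out is the trust boundary: with the plugin, nothing that is not `*.i2p` ever reaches an I2P outproxy operator, which is exactly the property the earlier post said the default outproxies lack.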
I can confirm this user's problem. In a fresh whonix-ws template, I follow steps 1-4 with success. If I then run “sudo dpkg-reconfigure i2p” and then run “sudoedit /var/lib/i2p/i2p-config/clients.config.d/00-net.i2p.router.web.RouterConsoleRunner-clients.config”, I get the same error: “no such file or directory”. However, if I start from scratch and follow steps 1-4 in a newly cloned template, shut that template down, build and start an AppVM based off of that same template, configure the Tor Browser by changing the various parameters in “about:config” and then close Tor Browser, I can run the “dpkg-reconfigure” and “sudoedit /var/lib…” commands IN the AppVM successfully. And only once. If I close the sudoeditor and try to edit that file again, I get the same error “no such file or directory”. If I run those two commands in the template first, I get the same error, and trying to then re-run them in the AppVM fails.
TLDR key problems:
- command “sudoedit /var/lib…config” only works for a moment in the AppVM when run at a certain time
- this would only work for StandaloneVMs because AppVMs do not persist changes to the root directory
- there is no “.i2p” in the home directory to try to edit as an alternative
Thanks very much for explaining this, it will help me debug on the I2P side.
So, after some more poking around, this is what I have found.
If I run steps 1-4 in a template, shut that template down, start a fresh AppVM and configure the Tor Browser, shut the Tor Browser down and run “sudo dpkg-reconfigure i2p” and “sudoedit /var/lib…” inside of the AppVM, I can change the 127.0.0.1 to 127.0.0.2. After saving and closing, I ran “sudo service i2p restart”, and then “sudo systemctl status i2p” to see that I2P was inactive (dead). So I then ran “sudo systemctl start i2p” and then “i2prouter start”. “sudo systemctl status i2p” shows I2P is running and then Tor Browser pops up to the router console (except it opens to 127.0.0.1 instead of 127.0.0.2). So after manually changing the .1 to .2, the Java router console displays perfectly, and I can access ‘notbob’. I then checked the home directory and “.i2p” is now available. I can only edit the correct file as root though (even if I change the permissions), but at least I can edit that file while it is in the home directory so it persists.
TLDR again:
- in a fresh template, ran steps 1-4
- closed template, built and ran AppVM and configured Tor Browser
- closed TB; “sudo dpkg-reconfigure i2p” and “sudoedit /var/lib…” are successful
- ran “sudo systemctl start i2p” and then “i2prouter start”. The router console starts but using the wrong proxy. Manually switching to 127.0.0.2:7657 is successful, and I can access other eepsites
- as root, run “nano /.i2p/clients.config.d/00-net.i2p.router.web.RouterConsoleRunner-clients.config” and edit the parameter. Run “sudo service i2p restart”
- power off the AppVM, start it back up; “sudo systemctl start i2p && i2prouter start” gets I2P going nicely
- router console still opens to the wrong proxy, but at least it's working otherwise
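The manual edit in the steps above (changing the console bind address from 127.0.0.1 to 127.0.0.2 in the RouterConsoleRunner clients.config entry) can be scripted so it is idempotent and reports the "no such file or directory" case instead of crashing. The following is an added example, not code from the thread, Whonix or I2P; it assumes the I2P clients.config layout where the console entry's `args` line is `<port> <comma-separated bind addresses> <webapps dir>`, and the sample file contents are constructed.

```python
import os
import re

CONSOLE_CLASS = "net.i2p.router.web.RouterConsoleRunner"

# Constructed sample of the clients.config.d entry edited in the thread
# (assumed layout: clientApp.N.args=<port> <bind list> <webapps dir>).
SAMPLE_CONFIG = """# RouterConsoleRunner client entry (constructed sample)
clientApp.0.main=net.i2p.router.web.RouterConsoleRunner
clientApp.0.name=I2P Router Console
clientApp.0.args=7657 ::1,127.0.0.1 ./webapps/
clientApp.0.startOnLoad=true
"""


def rebind_console(text, old_addr="127.0.0.1", new_addr="127.0.0.2"):
    """Return (new_text, changed): rewrite old_addr -> new_addr in the console's bind list.

    Only the entry whose main= is the RouterConsoleRunner is touched; other
    clientApp entries and their args are left alone. Running it twice is a no-op.
    """
    lines = text.splitlines()
    idx = None
    for line in lines:
        m = re.match(r"clientApp\.(\d+)\.main=(.*)", line.strip())
        if m and m.group(2).strip() == CONSOLE_CLASS:
            idx = m.group(1)
    if idx is None:
        return text, False            # no console entry: nothing to rewrite

    out, changed = [], False
    args_re = re.compile(rf"(clientApp\.{idx}\.args=)(\S+)\s+(\S+)(.*)")
    for line in lines:
        m = args_re.match(line)
        if m:
            prefix, port, binds, rest = m.groups()
            addrs = binds.split(",")
            new_addrs = [new_addr if a == old_addr else a for a in addrs]
            if new_addrs != addrs:
                line = f"{prefix}{port} {','.join(new_addrs)}{rest}"
                changed = True
        out.append(line)
    new_text = "\n".join(out) + ("\n" if text.endswith("\n") else "")
    return new_text, changed


def rebind_console_file(path, **kwargs):
    """Edit a clients.config file in place; report instead of raising when it is absent.

    Returns (changed, reason). The missing-file case is the one the thread hit
    with sudoedit in the template, so it is reported rather than treated as a crash.
    """
    if not os.path.exists(path):
        return False, "no such file or directory"
    with open(path, encoding="utf-8") as f:
        text = f.read()
    new_text, changed = rebind_console(text, **kwargs)
    if changed:
        with open(path, "w", encoding="utf-8") as f:
            f.write(new_text)
    return changed, "rewritten" if changed else "nothing to change"


if __name__ == "__main__":
    new_text, changed = rebind_console(SAMPLE_CONFIG)
    print(new_text, "changed:", changed)
    # Path from the thread; run as root where that file actually exists.
    print(rebind_console_file("/var/lib/i2p/i2p-config/clients.config.d/"
                              "00-net.i2p.router.web.RouterConsoleRunner-clients.config"))
```

Pointing it at the copy under the home directory's `.i2p` rather than `/var/lib/i2p` is what makes the change persist in an AppVM, as the post above found.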