I2P Integration

Asked on the mailing list:

https://lists.torproject.org/pipermail/tor-dev/2018-April/013131.html


@Goldstein you might want to edit your top post to add these two so people can reproduce the latest settings you have.

1 Like

http://kb.mozillazine.org/Network.proxy.share_proxy_settings

Instead of replicating the http settings for https you can just set

network.proxy.share_proxy_settings to true to automatically share http proxy settings with the SSL, FTP, SOCKS, and Gopher protocols

1 Like

Thanks

Done, except the second one.

Like socat TCP-LISTEN:2375,fork UNIX-CONNECT:/var/tmp/docker.sock, except this is literally the only thing this program does.

Sorry i don’t get why we would need this, since we already use socat for that, please explain.

Right this would work but would need socat to be configured differently than how we use it now?

In this thread we discuss how redsocks can be used to make non Tor supporting DNS work safely in Whonix. Maybe socat can be replaced by redsocks to reduce redundancy.


EDIT:

Looking around there seems to be a problem with privoxy working on Debian. Can you rule out this is not the problem?

https://unix.stackexchange.com/questions/393547/why-localhost8118-cant-work-in-my-debians-privoxy

1 Like

Yes, i tried that, with no success.

I don’t get why gpg removed these arguments, do you know why? Running it without an argument and only the .asc file still prints the pubkey.

Also is there a Reason why we should not use
apt-key add to add the i2p key ?

Because this isn’t working anymore

They changed the parameter naming between versions IIRC. I pulled out the correct ones and put them in a phabricator ticket for gpg instruction templates.

apt-key stores data uncleanly and it is hard to manipulate and reverse the added keys easily. Also we want to always verify the asc data before ever adding anything to trust.

1 Like

Aaaa this is so frustrating. I hope I can find a solution to this in time.


@Goldstein I take it that you are seeing the message “Invalid header received from browser” like I can? In this case Tor Browser is able to connect to localhost daemons without changing any http proxy settings in about:config. I tested in firefox with same result.

The problem is in privoxy itself or some setting it ships with.


UPDATE:

Changing these privoxy settings makes it work:

http://www.privoxy.org/user-manual/config.html#ACCEPT-INTERCEPTED-REQUESTS

Changing to this solves the first error:
accept-intercepted-requests 1

Pushing connection no. up solves the next error “Maximum number of open connections reached”:
max-client-connections 512

Now I can reach privoxy which spits out a 500 internal proxy error - expected since I haven’t configured it to forward anywhere.

1 Like

yeah, it’s 1 step forward and 2 steps back :tired_face:

No, I can’t get TBB to use privoxy as Proxy, it always says “Unable to find proxy Server”
I tested it with Firefox, the Proxy settings work but Privoxy isn’t able to forward .i2p (“502 No such Domain”) BS

What Privoxy config file did you change ? user.action isn’t doing anything and when i change /etc/privoxy/config it won’t start.

my Privoxy config: (privoxy is running on the WS)
listen-address 127.0.0.1:8118
forward .i2p localhost:4444
accept-intercepted-requests 1
max-client-connections 512

I tested it with Foxyproxy to see if there is some kind of problem with I2P or the Port-Forwarding, but it works flawless with Foxyproxy.

1 Like

https://sourceforge.net/p/ijbswa/bugs/767/

The problem at least when using firefox is a DNS resolution error since .i2p is not recognized by the resolver used. So in this case you can apply a work around like in the second link by assigning a local IP (say 10.191.0.1) to the I2P TLD with a local resolver package called unbound, then redirecting requests to privoxy with iptables.

The same technique can probably be applied to zeronet and freenet too.

On the workstation this is 100% safe but I don’t know the full implications of having another DNS resolver daemon on the GW for potential leaks.

2 Likes

Thanks for the Info, this explains why FF fails to resolve .i2p but i don’t think we need to fix that since we don’t want to use FF.

Could you explain this, is TBB able to use a local Proxy without setting the proxy setting ? I guess you set
network.proxy.no_proxies_on 0 and then connect to p.p to see if it works ?

Using TBB or FF ?

Thank you for your ongoing help, i would have quit all this without your Help, it’s so damn frustrating and it would’ve been worse doing this all alone.

I just found this GitHub - eyedeekay/i2p-browser-for-cheaters: The path of least resistance to a Linux-only i2p browser. Modifies a tor browser and spits out a tar.gz @eyedeekay you’re awesome :slight_smile:

@HulaHoop
Since we don’t use Tor and I2P in the same browser, why do we even bother to use Privoxy ?

Yeah and I troubleshooted the messages and changed privoxy settings until they stopped appearing.

Both but in TBB in particular since this is of interest.

Thank you for pursuing this project. A lot of great applications will open up for everyone once it’s done :slight_smile:

Good point. All other networks should work fine when local proxy is enabled without needing it. This looks interesting indeed. Do you know if it’s a script that runs and modifies a specified copy of the Tor Browser or is it a modified version of TBB?

1 Like

It’s a modified TBB, but if it works it’s going to be easy to see what he has changed and put the needed changes into a script.
I will take a close look when i’m back at my work PC.

Great, so we can eliminate another error source, the less software we have to keep an eye on the better and easier to maintain

Well, the modified TBB works and AFAICT the only important changed setting is the Proxy setting and there is no Torbutton.
Torbutton is the problem, when i disable it the stock TBB uses the set Proxy.

@HulaHoop did you disable it when you tested Privoxy? How did you get TBB to use the Proxy without disabling it, i tried every mentioned setting and only disabling Torbutton has worked now.
I did also test disabling Tor Launcher like Mark Smith suggested with no effect, it still ignores the set Proxy when Torbutton is Enabled.

I’m confused

Tested this to be working. Please update top post. I can connect to zzz.i2p with Tor Browser. Visiting 127.0.0.1:8118 will still give a 500 internal error but who cares as long as it does what we need it to do?

These settings for privoxy MUST be defined in this file /etc/privoxy/config. user.action, config.d and others have no effect. Also you must forward to 127.0.0.1 and not localhost.

Privoxy:
forward .i2p 127.0.0.1:4444
accept-intercepted-requests 1
max-client-connections 512

TBB about:config:
extensions.torbutton.use_nontor_proxy;true
network.proxy.no_proxies_on;0
network.proxy.http;127.0.0.1
network.proxy.http_port;8118

1 Like
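Added example, not part of the original posts: a shell lint for the Privoxy settings arrived at above, which flags a forward target for .i2p that is not 127.0.0.1, a missing accept-intercepted-requests 1, and an unset max-client-connections. The function names and the temporary sample file are assumptions of this example; the sample reproduces the earlier config from this thread that forwarded to localhost.

```shell
#!/bin/sh
# check_privoxy_i2p [FILE]: print one line per problem; exit status = number of problems.
# Defaults to /etc/privoxy/config, the only file the thread found to take effect.
check_privoxy_i2p() {
    awk '
        /^[ \t]*#/ || NF == 0 { next }            # ignore comments and blank lines
        $1 == "forward" && $2 == ".i2p"       { fwd = $3 }   # last matching line wins
        $1 == "accept-intercepted-requests"   { air = $2 }
        $1 == "max-client-connections"        { mcc = $2 }
        END {
            n = 0
            if (fwd == "") {
                print "missing: forward .i2p 127.0.0.1:4444"; n++
            } else if (fwd !~ /^127\.0\.0\.1:[0-9]+$/) {
                print "forward .i2p points at " fwd ", expected 127.0.0.1:<port>"; n++
            }
            if (air != "1") { print "accept-intercepted-requests is not set to 1"; n++ }
            if (mcc == "")  { print "max-client-connections is not set"; n++ }
            exit n
        }' "${1:-/etc/privoxy/config}"
}

# Constructed sample: the earlier config posted in this thread (forwards to "localhost").
demo_earlier_config() {
    tmp=$(mktemp) || return 99
    printf '%s\n' 'listen-address 127.0.0.1:8118' 'forward .i2p localhost:4444' \
        'accept-intercepted-requests 1' 'max-client-connections 512' > "$tmp"
    check_privoxy_i2p "$tmp"; rc=$?
    rm -f "$tmp"
    return "$rc"
}

# Run against a real file when one is given on the command line.
if [ "$#" -gt 0 ]; then check_privoxy_i2p "$1"; fi
```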

@Goldstein please configure the auxiliary packages setup (like the I2P monitoring GUI and others) for the I2P on the WS as well for users who want to use the instance in the WS independently.

Valid reasons are stacking with Tor for censorship circumvention or as defense in depth.

1 Like

I can confirm that, finally… thank you so much :smile: you made my day
Updating top Post now

Edit:
Updated top Post, there are still some problems regarding the gpg key import and adding the Repo, but i’ll get to that tomorrow

gpg verification command is broken but this updated one should do the trick: Posted the new working instructions for adding the key but it must be templatized for ease of changes in the future:

scurl --remote-name https://geti2p.net/_static/i2p-debian-repo.key.asc

gpg -n --import --import-options import-show i2p-debian-repo.key.asc

gpg --no-default-keyring --keyring ./i2p-pubkey.gpg --import i2p-debian-repo.key.asc
sudo cp i2p-pubkey.gpg /etc/apt/trusted.gpg.d/i2p-pubkey.gpg

sudo su -c "echo -e 'deb http://deb.i2p2.de/ stretch main\ndeb-src http://deb.i2p2.de/ stretch main' > /etc/apt/sources.list.d/i2p-release.list"

1 Like
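Added example, not part of the original posts: a scripted form of the "verify the asc data before adding anything to trust" step, which accepts a key file only if it holds exactly one primary key whose fingerprint equals a value obtained out of band. The function names, the constructed sample listing and its fingerprint are assumptions of this example; the real I2P fingerprint is not given in this thread and must come from a trusted channel.

```shell
#!/bin/sh
# primary_fprs: read a gpg --with-colons key listing on stdin and print the
# fingerprint of each primary key (the fpr record directly following a pub record).
primary_fprs() {
    awk -F: '$1 == "pub" { want = 1; next }
             $1 == "fpr" && want { print $10; want = 0 }'
}

# key_listing_ok EXPECTED_FPR: succeed only if stdin lists exactly one primary key
# and its fingerprint equals EXPECTED_FPR (spaces and letter case are ignored).
key_listing_ok() {
    expected=$(printf '%s' "$1" | tr -d ' ' | tr 'a-f' 'A-F')
    found=$(primary_fprs)
    [ -n "$found" ] || { echo "no primary key found" >&2; return 1; }
    [ "$(printf '%s\n' "$found" | wc -l)" -eq 1 ] ||
        { echo "more than one primary key in file" >&2; return 1; }
    [ "$found" = "$expected" ] ||
        { echo "fingerprint mismatch: $found" >&2; return 1; }
}

# Constructed sample listing (not the real I2P key): one primary key and one subkey.
SAMPLE_LISTING='pub:-:4096:1:AAAAAAAAAAAAAAAA:1500000000:::-:::scESC::::::23::0:
fpr:::::::::0123456789ABCDEF0123456789ABCDEF01234567:
uid:-::::1500000000::X::Example Repo Key (constructed) <repo@example.invalid>::::::::::0:
sub:-:4096:1:BBBBBBBBBBBBBBBB:1500000000::::::e::::::23:
fpr:::::::::89ABCDEF0123456789ABCDEF0123456789ABCDEF:'

# Usage on a current GnuPG (EXPECTED_FPR is a placeholder you must fill in):
#   gpg --show-keys --with-colons i2p-debian-repo.key.asc | key_listing_ok "$EXPECTED_FPR" \
#     && echo "fingerprint verified, continue with the keyring import"
```

Because the whole keyring file ends up in /etc/apt/trusted.gpg.d, the one-key check matters as much as the fingerprint match: an extra key bundled into the .asc file would otherwise become trusted by apt as well.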

Update:

To blackhole any clearnet connections set the variable below to nothing (blank) in about:config. That will stop users from mistakenly surfing the clearnet with a browser that has a modified fingerprint.

network.proxy.socks;

Good Point, i guess we could also use privoxy’s black- and whitelist, what do you think ?