[HOME] [DOWNLOAD] [DOCS] [BLOG] [SUPPORT] [TIPS] [ISSUES] [Priority Support]

I2P Running on Whonix Gateway

halo9en 2016-02-27 21:58:47 UTC #1

Continuing the discussion from whonix, torrents, and being a good tor citizen:

      Related [a "connect to other anonymity network than Tor directly" modification for Whonix-Gateway], FYI:

killyourtv managed to set up an I2PBOX. I.e. installing I2P
on the gateway and accessing it from the workstation. So users would be
using I2P directly rather than tunneling I2P through Tor.

I2PBOX - user -> i2p -> destination

[ without i2p over Tor (user -> Tor -> i2p -> destination) ]

https://www.whonix.org/pipermail/whonix-devel/2016-January/000501.html
http://killyourtv.i2p/howtos/whonix/
http://killyourtv.i2p.re/howtos/whonix/

Patrick,

Fist of all, thanks for this. However, I am wondering if you have had any recent success or even better, have any suggestions, as to how to patch whonix_firewall with the instructions from KillYourTV’s Whonix support page. I did not meet success.

I wonder if it’s because the instructions and patches are aimed at an older version of Whonix (and whonix_firewall). If so, perhaps there is a particular branch or tag to check out from one Git repository (most likely, the whonix_firewall git repo… but perhaps this is also necessary for his patch to his init startup scripts.

Basically, the patch here: http://killyourtv.i2p/howtos/whonix/i2p-whonix (I2P) or http://kytvi2pll2jw5gip.onion/howtos/whonix/whonix_firewall.patch
failed

The instructions to apt-get install i2p likewise failed because the proper reference package is i2p-router.

And I didn’t get as far, but would not be surprised if all the instructions fail for Whonix 12.0.0.3.2.

halo9en 2016-02-28 09:12:08 UTC #2

I manually patched it. That component of the process worked. Now trying to work with manual deb pkgs from KYT.

Patrick 2016-02-28 10:55:52 UTC #3

I didn’t try myself but it looks plausible. The one to ask and maintain this would be killyourtv. I am wondering, because he never replied to the mail so I would not hold my breath for seeing this simplified / upstreamed / etc.

halo9en 2016-02-28 20:06:27 UTC #4

OK - good to know. Thanks. I think I’ll get it working fine, but it’ll be a slight departure from his current instructions.

anon36816226 2016-02-28 21:10:24 UTC #5

hi halo9en
I was trying the same some time ago , but didnt managed to get it fully working (some firewall issue i guess)
if you want i could send you my updated patch that i prepared back then .
If you manage to get this working please share how you did it.
Im going to revisit where i left when i get some spare time and post if i get any progress.

anon36816226 2016-03-31 16:57:48 UTC #6

Hi,
Short Status Update regarding I2P on the Whonix Gateway:
FYI Killyourtv is missing and all his Services went offline (thats why he didnt reply) see http://zzz.i2p/topics/2098-all-kytv-services-down

I updated his patch ( https://github.com/cle4r/var/blob/master/whonix_firewall.patch ) and now managed to fix the main problems i ran into.

Going to write it all into a guide when i tested it a bit more.

Current Problems are :

I2P needs to Resolve some Addresses to Reseed to get Routers this means the I2P User needs to access the DNS (at least at first boot) , I changed the resolve.conf to fix this but i know this is not recommended .
I2P like Tor suffers under the Suspend/Resume Time Skew so the Connection break
some more minor problems

Patrick 2016-03-31 17:59:27 UTC #7

Not sure if useful… You may or may not have found the following page already that explains…

Perhaps also useful.

Patrick 2016-03-31 19:34:11 UTC #8

@goldstein, your firewall patch looks simple enough so this can be simplified to not require a firewall patch in future anymore.

In Whonix 13,

you will be able to add these additional SocksPorts easier.
All socks port related variables now follow a naming scheme SOCKS_PORT_.
Those would be just a configuration additions.
If you adhere to the naming scheme, no firewall patch will required and the ports will be opened automagically.
As for ## No NAT for I2P itself. and ## I2P is allowed to connect any outside target., I am experimenting at the moment with making that generic by introducing a new variable NO_NAT_USERS that you could extend from the config file.

As for rinetd config file patch, that will be extensible by configuration files in future also. Not before Whonix 14. -> https://phabricator.whonix.org/T464

Patrick 2016-03-31 20:31:33 UTC #9

I’ve produced a patch for NO_NAT_USERS. (not merged into master)

However, I think overkill and needlessly complex. I try to come up with a less complex and still usable solution for this.

Patrick 2016-03-31 20:49:27 UTC #10

This will do.

anon36816226 2016-04-01 15:55:27 UTC #11

Yes seen it . Helped me to fix some of my issues.

Great , going to go with that then

yeah , i knew of that ticket but i wanted it to meet the current whonix version but i already got the socat script from kytv ready for this change.

Thanks , I’m going to continue to work on it

Should I create another Thread for all this Development Related Stuff ?

Patrick 2016-04-01 16:57:38 UTC #12

As you prefer since I appreciate you working on it. I don’t mind either way and was wondering if this should moved to the development forum anyhow.

anon36816226 2016-04-01 17:45:46 UTC #13

ok , going to create a Thread once i get my guide sorted and cleaned up .Going to try to maintain this further , but as I am only running Qubes on my Systems i can only Test for this Setup.

HulaHoop 2016-04-01 23:10:04 UTC #14

@goldstein Great work. Will I2P run concurrently with Tor on the GW in this setup? If yes then you might find FoxyProxy useful in directing traffic (headed for 10.152.152.10) based on how the URL looks:

anon36816226 2016-04-02 03:49:19 UTC #15

Yes I2P runs besides Tor on the GW , thanks didnt knew about this . (I need to do more digging in the whonix files)
Currently I’m using this Foxyproxy config https://thetinhat.com/tutorials/darknets/foxyproxy.xml from Kytv

Any hint to whonix related files is welcome .

Patrick 2016-05-05 23:44:26 UTC #16

Any news?

anon36816226 2016-05-07 09:42:03 UTC #17

I’m sorry to say no not much , I had just a little spare time to work on this as my Main Work keeps distracting me. I’m going to work more on it, this Weekend or the next one.

Current Status:

The Guide is kinda finished but i want to simplify it more and add the instructions for the later Whonix Version
There are some settings that needs to be set after the Install to make it work
I am testing the Option to Setup Reseed Nodes via Hidden Services to Bootstrap the Router via Tor . (This should fix censored Reseed Servers)
I am working on a Script to install and configure all the needed files

Would it be possible to add the I2P Repo or the I2P Router Package per Default?
I would like to have a chat with you regarding some Ideas i had maybe we can arrange a mumble or irc session soon .

Patrick 2016-05-07 17:00:05 UTC #18

Short:
No, because then all Whonix users would trust the i2p repository by default. I.e. in case of compromise, they could compromise all Whonix users.

Long:
(Don’t be overwhelmed by the verbosity and complexity of this detail.) We could add a package to the Whonix repository that sets all of this up. Including adding the i2p repository, adding the i2p signing key followed by installation of the i2p router package. From the package implementation view, the first two steps are trivial and the download step also:
https://github.com/Whonix/anon-shared-build-apt-sources-tpo/blob/35d5fdb0faa89b3ce101b5c6c5750230c8c5487a/debian/anon-shared-build-apt-sources-tpo.postinst#L37-L53

The functionality is abstracted into the https://github.com/Whonix/apt-during-apt package. (Which is currently not being used for anything as of Whonix 13 as this idea has been eventually dropped.)

apt-during-apt essentially downloads the additional packages from third party repositories during lets say i2p-gateway package postinst. And since apt-get/dpkg installation is not (sanely) possible while apt-get is already running (during i2p-gatewa package installation) the additional third party package is installed during next boot. This is because there is no apt-get post execution hook. And because I did not find another reliable hook that will not lead to a broken package management (user could shut down right after package install so the additional package installation could get killed in the middle).

Can do.

anon36816226 2016-05-15 13:33:39 UTC #31

A couple of Questions :

I found https://github.com/Whonix/qubes-whonix/blob/master/usr/lib/qubes-whonix/bind-directories
and
https://groups.google.com/forum/m/#!topic/qubes-devel/tcYQ4eV-XX4
I guess it would make more sense that I prepare the Setup to the new method right ? As the old script doesn’t seem to read the 40_qubes-whonix.conf file and it would need to be editet/changed and this wouldn’t be needed when there is already a replacement.

I tried https://www.whonix.org/wiki/Whonix-Gateways_Own_Traffic_Transparent_Proxy to allow i2p to bootstrap via tor , but it cant resolve any Domain . Any Idea ?
I also tried https://www.whonix.org/wiki/Whonix-Gateway_System_DNS
The only Solution I found was to edit the resolve.conf (which seems wrong).

Patrick 2016-05-15 18:38:28 UTC #32

Probably, yes. Qubes bind-dirs will become available in Qubes R3.2. (And that should come out “soon”. (?)) (Up to you if you still want to invest energy into the old Whonix bind-directories.)

Yes it has no config at all. Can only be edited by changing it directly.

One one hand, i2p is supposed to connect in the clear, you cannot configure it to use Tor as a proxy or force it by using a socksifier. So it will use system DNS. But on the other hand, Whonix-Gateway by default does not provide any kind of system DNS, torified or not. You could enable torified system DNS, but that of course would require editing and a functional /etc/resolv.conf. I see no way around that. Unless you can teach i2p to somehow not require DNS. Or somehow only allow torified system DNS for i2p and blocking system DNS traffic for everyone else.

(For completeness sake only: would also be possible to modify Whonix-Gateway to a point where it does clearnet system DNS but I guess that is besides the point here.)