Related [a "connect to other anonymity network than Tor directly" modification for Whonix-Gateway], FYI:
killyourtv managed to set up an I2PBOX. I.e. installing I2P
on the gateway and accessing it from the workstation. So users would be
using I2P directly rather than tunneling I2P through Tor.
I2PBOX - user → i2p → destination
[ without i2p over Tor (user → Tor → i2p → destination) ]
First of all, thanks for this. However, I am wondering if you have had any recent success or even better, have any suggestions, as to how to patch whonix_firewall with the instructions from KillYourTV’s Whonix support page. I did not meet success.
I wonder if it’s because the instructions and patches are aimed at an older version of Whonix (and whonix_firewall). If so, perhaps there is a particular branch or tag to check out from one Git repository (most likely, the whonix_firewall git repo… but perhaps this is also necessary for his patch to his init startup scripts).
I didn’t try myself but it looks plausible. The one to ask and maintain this would be killyourtv. I am wondering, because he never replied to the mail so I would not hold my breath for seeing this simplified / upstreamed / etc.
hi halo9en
I was trying the same some time ago, but didn't manage to get it fully working (some firewall issue, I guess).
If you want, I could send you my updated patch that I prepared back then.
If you manage to get this working please share how you did it.
I'm going to revisit where I left off when I get some spare time and post if I make any progress.
Hi,
Short Status Update regarding I2P on the Whonix Gateway:
FYI Killyourtv is missing and all his services went offline (that's why he didn't reply); see http://zzz.i2p/topics/2098-all-kytv-services-down
Going to write it all into a guide when I have tested it a bit more.
Current problems are:
I2P needs to resolve some addresses to reseed to get routers. This means the I2P user needs to access DNS (at least at first boot). I changed resolv.conf to fix this, but I know this is not recommended.
I2P, like Tor, suffers under the suspend/resume time skew, so the connection breaks.
@goldstein, your firewall patch looks simple enough so this can be simplified to not require a firewall patch in future anymore.
In Whonix 13,
you will be able to add these additional SocksPorts easier.
All socks port related variables now follow a naming scheme SOCKS_PORT_.
Those would be just configuration additions.
If you adhere to the naming scheme, no firewall patch will be required and the ports will be opened automagically.
As for ## No NAT for I2P itself. and ## I2P is allowed to connect any outside target., I am experimenting at the moment with making that generic by introducing a new variable NO_NAT_USERS that you could extend from the config file.
As for rinetd config file patch, that will be extensible by configuration files in future also. Not before Whonix 14. → ⚓ T464 replace rinetd with socat
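As an added illustration of the SOCKS_PORT_ naming scheme described above (this is not Whonix's own firewall code and not from any post in this thread): a POSIX shell function that scans a firewall config drop-in for variables named SOCKS_PORT_*, validates each port, and prints the corresponding iptables accept rules for the workstation-facing interface instead of applying them. The sample config contents, the interface name, the gateway address and the exact rule template are assumptions.

```shell
#!/bin/sh
# Added example (not Whonix's code): turn every SOCKS_PORT_* variable in a
# firewall config drop-in into an INPUT accept rule. Rules are printed, not
# applied, so they can be reviewed before the live firewall is touched.
set -eu

# Assumed workstation-facing interface and gateway address.
INT_IF="${INT_IF:-eth1}"
GW_IP="${GW_IP:-10.152.152.10}"

# Write a constructed sample drop-in and print its path.
make_sample_config() {
    cfg=$(mktemp)
    cat >"$cfg" <<'EOF'
## constructed sample, not a real Whonix config file
SOCKS_PORT_TOR_DEFAULT=9050
SOCKS_PORT_I2P_HTTP_PROXY=4444
SOCKS_PORT_BROKEN=70000
I2P_CONSOLE_PORT=7657
EOF
    printf '%s\n' "$cfg"
}

# Print one iptables rule per well-formed SOCKS_PORT_* line.
socks_port_rules() {
    cfg="$1"
    # Only NAME=digits lines that follow the scheme are considered; anything
    # else (I2P_CONSOLE_PORT above) is ignored, which is why the naming
    # scheme matters.
    grep -E '^SOCKS_PORT_[A-Za-z0-9_]+=[0-9]+$' "$cfg" |
    while IFS='=' read -r name port; do
        # Reject values outside the TCP port range before emitting anything.
        if [ "$port" -lt 1 ] || [ "$port" -gt 65535 ]; then
            echo "skipping $name: port $port out of range" >&2
            continue
        fi
        echo "iptables -A INPUT -i $INT_IF -d $GW_IP -p tcp --dport $port" \
             "-m comment --comment $name -j ACCEPT"
    done
}

# Stand-alone run: show the rules derived from the sample config.
main() {
    cfg=$(make_sample_config)
    socks_port_rules "$cfg"
    rm -f "$cfg"
}
main
```

Running it prints two rules (9050 and 4444); the out-of-range entry is reported on stderr and the non-conforming I2P_CONSOLE_PORT line is silently left alone, which is the behaviour a drop-in author relying on the naming scheme would expect.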
OK, going to create a thread once I get my guide sorted and cleaned up. Going to try to maintain this further, but as I am only running Qubes on my systems I can only test for this setup.
@goldstein Great work. Will I2P run concurrently with Tor on the GW in this setup? If yes then you might find FoxyProxy useful in directing traffic (headed for 10.152.152.10) based on how the URL looks:
Yes, I2P runs besides Tor on the GW. Thanks, didn't know about this. (I need to do more digging in the Whonix files.)
Currently I'm using this FoxyProxy config https://thetinhat.com/tutorials/darknets/foxyproxy.xml from Kytv
I’m sorry to say no, not much. I had just a little spare time to work on this, as my main work keeps distracting me. I’m going to work more on it this weekend or the next one.
Current Status:
The guide is kinda finished, but I want to simplify it more and add the instructions for the later Whonix version.
There are some settings that need to be set after the install to make it work.
I am testing the option to set up reseed nodes via hidden services to bootstrap the router via Tor. (This should fix censored reseed servers.)
I am working on a script to install and configure all the needed files.
Would it be possible to add the I2P repo or the I2P router package per default?
I would like to have a chat with you regarding some ideas I had; maybe we can arrange a Mumble or IRC session soon.
Short:
No, because then all Whonix users would trust the i2p repository by default. I.e. in case of compromise, they could compromise all Whonix users.
The functionality is abstracted into the https://github.com/Whonix/apt-during-apt package. (Which is currently not being used for anything as of Whonix 13 as this idea has been eventually dropped.)
apt-during-apt essentially downloads the additional packages from third party repositories during, let's say, i2p-gateway package postinst. And since apt-get/dpkg installation is not (sanely) possible while apt-get is already running (during i2p-gateway package installation), the additional third party package is installed during next boot. This is because there is no apt-get post execution hook. And because I did not find another reliable hook that will not lead to a broken package management (user could shut down right after package install so the additional package installation could get killed in the middle).
Probably, yes. Qubes bind-dirs will become available in Qubes R3.2. (And that should come out “soon”. (?)) (Up to you if you still want to invest energy into the old Whonix bind-directories.)
Yes it has no config at all. Can only be edited by changing it directly.
On one hand, i2p is supposed to connect in the clear, you cannot configure it to use Tor as a proxy or force it by using a socksifier. So it will use system DNS. But on the other hand, Whonix-Gateway by default does not provide any kind of system DNS, torified or not. You could enable torified system DNS, but that of course would require editing and a functional /etc/resolv.conf. I see no way around that. Unless you can teach i2p to somehow not require DNS. Or somehow only allow torified system DNS for i2p and block system DNS traffic for everyone else.
(For completeness sake only: would also be possible to modify Whonix-Gateway to a point where it does clearnet system DNS but I guess that is besides the point here.)
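One way to express the last option mentioned above, allowing system DNS only for the user the I2P router runs as and rejecting it for every other local user (an added example, not Whonix's code and not from any post in this thread): iptables OUTPUT rules using the owner match, printed rather than applied so they can be reviewed first. The numeric uid of the i2p service user and the address of the local torified resolver that /etc/resolv.conf would name are assumptions; the resolver port is 53 because resolv.conf nameserver entries cannot carry a port.

```shell
#!/bin/sh
# Added example (not Whonix's code): restrict system DNS on the gateway so
# that only the I2P router's uid may send queries to the local torified
# resolver; everyone else gets a REJECT. Rules are printed, not applied.
set -eu

# Assumed values: uid of the i2p service user and the local resolver that
# /etc/resolv.conf would point at ("nameserver 127.0.0.1").
I2P_UID="${I2P_UID:-1001}"
DNS_RESOLVER_IP="${DNS_RESOLVER_IP:-127.0.0.1}"

# Emit the rules. Order matters: the owner-match ACCEPT rules must be
# appended before the catch-all REJECT rules.
i2p_only_dns_rules() {
    uid="$1"
    # The owner match takes a numeric uid; refuse anything else early.
    case "$uid" in
        ''|*[!0-9]*) echo "uid must be numeric, got '$uid'" >&2; return 1 ;;
    esac
    for proto in udp tcp; do
        echo "iptables -A OUTPUT -o lo -d $DNS_RESOLVER_IP -p $proto --dport 53 -m owner --uid-owner $uid -j ACCEPT"
    done
    # Every other local process: no DNS at all, on any interface.
    for proto in udp tcp; do
        echo "iptables -A OUTPUT -p $proto --dport 53 -j REJECT"
    done
}

main() {
    i2p_only_dns_rules "$I2P_UID"
}
main
```

The resolver itself still has to exist and be torified (a Tor DNSPort reachable on the loopback address, which is exactly the /etc/resolv.conf change the post above says cannot be avoided); these rules only narrow who on the gateway is allowed to use it.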