For reference:
I was hoping you would document I2P on Whonix-Gateway here some day:
https://www.whonix.org/wiki/I2P#Installing_I2P_on_Whonix-Gateway_.28i2p_and_Tor_simultaneously.29
I’m going to, I just don’t want to post it before it’s easy and failsafe. The manual guide is almost finished (I need to fix the reseed issue before that and update it to my current progress).
Testing it atm…
Wow, I totally missed that page.
Nice work, have you ever tried running it on the Whonix gateway?
Thanks.
No I hadn’t experimented with it on the Gateway because I didn’t want to risk leaks because of misconfigurations.
It’s really good what you are doing. You’re turning Whonix into an anonymity network agnostic OS and expanding our userbase while also growing the I2P network.
@HulaHoop Maybe change the 4. step "Adjust I2P Settings:"
to :
###change Tunnel length :
sudo sed -i "s/\(.*outbound.length=\).*/\10/g;s/\(.*inbound.length=\).*/\10/g" "/var/lib/i2p/i2p-config/i2ptunnel.config"
###change router config :
sudo su -c "cat > '/var/lib/i2p/i2p-config/router.config' << EOF
i2np.laptopMode=true
i2np.ntcp.enable=true
i2np.ntcp.autoip=false
i2np.ntcp.ipv6=false
i2np.ntcp.maxConnections=20
i2np.udp.enable=false
i2np.udp.addressSources=hidden
i2np.udp.ipv6=false
i2np.upnp.enable=false
router.isHidden=true
router.sharePercentage=0
router.updateDisabled=true
time.disabled=true
time.sntpServerList=127.0.0.1
EOF"
Edit: the forum stripped some chars from the command, I changed that now on the wiki (sorry, I should have tested it after posting here).
Excellent changes. Added.
Can you please add comments for why each and every setting is changed? (For technical design explanations.)
Yes, here you go: (from http://www.ugha.i2p.xyz/AdvancedConfigurationOptions, http://echelon.i2p.re/docs/advanced.options.txt, Sign in · GitLab and http://docs.i2p-projekt.de/javadoc/constant-values.html) (we can add some more options later)
###change router identity and UDP port when IP changes
i2np.laptopMode=true
i2np.ntcp.enable=true
i2np.ntcp.autoip=false
i2np.ntcp.ipv6=false
i2np.ntcp.maxConnections=20
###Disable UDP # Unsupported by Tor
i2np.udp.enable=false
###Sets the source of IP detection
i2np.udp.addressSources=hidden # We don’t want/need to publish the Exit-Node IP
###Disable IPv6 for UDP
i2np.udp.ipv6=false
i2np.upnp.enable=false
###Don’t save your IP in the netDB and publish to other I2P routers (Sign in · GitLab)
router.isHidden=true
###Sets the bandwidth that is max used by participating tunnels # We don’t participate in traffic so no need to share
router.sharePercentage=0
###Disable in-network updates # We use apt for that
router.updateDisabled=true
###Disable time comparison in I2P router
time.disabled=true
time.sntpServerList=127.0.0.1
Is this sufficient? Or should I go into more detail?
FYI: the path of the command changes from /var/lib/i2p/i2p-config/ to /home/user/.i2p/ when i2p is run by i2prouter start (by the user).
I would say make it optional to start it by the user and change the step where the i2p router is started to configuring it as daemon.
Note: if it’s running on Qubes, all commands should be run in the Template and the path must be set in bind-dirs
with .
(for the current Qubes version (3.1))
sed -i "70i \ '/rw/srv/whonix/etc/i2p:/etc/i2p'" /usr/lib/qubes-whonix/bind-directories
sed -i "71i \ '/rw/srv/whonix/var/lib/i2p/i2p-config:/var/lib/i2p/i2p-config'" /usr/lib/qubes-whonix/bind-directories
(for Qubes 3.2)
sudo su -c "cat >> '/usr/lib/qubes-bind-dirs.d/40_qubes-whonix.conf' << EOF
binds+=( '/etc/i2p' )
binds+=( '/var/lib/i2p/i2p-config/' )
EOF"
I guess you know the anondist idea. (reference: GitHub - Kicksecure/dist-base-files: base files for distributions - several important miscellaneous files, such as /etc/hostname, /etc/hosts, /var/lib/dbus/machine-id and more)
Forward thinking… Package names… anon-gw-i2p-config?
For Connecting to Tor before I2P, i.e. user -> Tor -> I2P -> Internet, i.e. I2P inside Whonix-Workstation it is not so trivial. anon-ws-i2p-config could either refer to
a) user -> Tor -> I2P -> Internet or
b) Whonix-Workstation using I2P running on Whonix-Gateway.
You might turn b) into a configuration package, but perhaps one day we also get a (conflicting) configuration package for a) also. So I wonder about package naming.
Very good. It briefly explains the setting and why we are doing it. I like it. Please add it to the wiki.
(In other places in Whonix we just explain why we are doing it, but not the setting itself - researching that would be up to the auditor. Which way is better, I don’t really know. Perhaps we do as best as we think on a by case basis.)
Please do not modify any files in .d folders. These conflict / are lost when packages are upgraded. A package should use for example /usr/lib/qubes-bind-dirs.d/40_whonix-i2p.conf or a sysadmin / user should use for example /rw/config/qubes-bind-dirs.d/50_whonix-i2p.conf.
/usr/lib/qubes-bind-dirs.d/40_whonix-i2p.conf
Full technical background:
I have a slight preference for running I2P as automatically started daemon - once I2P mode was enabled. Since I2P on Whonix-Gateway is similar to Tor on Whonix-Gateway. And Tor is running as daemon. Using default config and data folders as per Debian defaults. (I2P would still run under user i2p.) Seems closer to what the user wants who enabled such a configuration.
@goldstein
Hi, after testing the command I get:
user@host:~$ sudo sed -i “s/(.outbound.length=)./\10/g;s/(.inbound.length=)./\10/g” "/var/lib/i2p/i2p-config/i2ptunnel.config"
sed: -e expression #1, char 29: invalid reference \1 on `s’ command’s RHS
Can you please fix it?
Fixed it already, the Forum stripped some chars
sudo sed -i "s/\(.*outbound.length=\).*/\10/g;s/\(.*inbound.length=\).*/\10/g" "/var/lib/i2p/i2p-config/i2ptunnel.config"
I changed it in the wiki, you need to approve the change (I also changed the bandwidth to the new default).
Have you tested the router settings too?
No, didn’t know about that (or I forgot about it), thanks [quote=“Patrick, post:56, topic:2163”]
Forward thinking… Package names… anon-gw-i2p-config?
For Connecting to Tor before I2P, i.e. user -> Tor -> I2P -> Internet, i.e. I2P inside Whonix-Workstation it is not so trivial. anon-ws-i2p-config could either refer to
a) user -> Tor -> I2P -> Internet or
b) Whonix-Workstation using I2P running on Whonix-Gateway.
You might turn b) into a configuration package, but perhaps one day we also get a (conflicting) configuration package for a) also. So I wonder about package naming.
[/quote]
maybe b)
anon-gw-i2p-router-config
and
anon-ws-i2p-client-config
a)
anon-ws-i2p-router-config
I don’t know if it really fits, because the user who’s using I2P isn’t requesting clearnet websites (only a few outproxies), so I would change that to
user -> Tor -> I2P -> I2P Service (or something similar)
Sorry about that, reading it now
Going to add it once I have tested the Workstation I2P setup
I see [quote=“Patrick, post:56, topic:2163”]
I have a slight preference for running I2P as automatically started daemon - once I2P mode was enabled. Since I2P on Whonix-Gateway is similar to Tor on Whonix-Gateway
[/quote]
Me too, it would also speed up the Tunnel build up
OK great
Yeah, they work. Do you have some suggestions for improving them? Feel free to add changes you see fit.
More ideas for package names…
a)
anon-ws-i2p-standalone
or
a)
anon-ws-i2p-standalone-config
b)
anon-gw-i2p-split-gateway
anon-ws-i2p-split-workstation
or
b)
anon-gw-i2p-router-config
anon-ws-i2p-client-config
Don’t know about those, could be more misleading (i.e. a Windows user may understand something different under standalone).
I think this fits best for b) because it defines where the client apps should be run (i.e. retroshare or thunderbird for mail) and where the router is run.
@HulaHoop What do you say?
Good, going to test some more later and post them after testing that they work accordingly.
About the clock skew issues, you stated (in the wiki) that it’s fixed and it wouldn’t need to set time.sntpServerList= to localhost anymore, is this still correct? Then we wouldn’t need the time.sntpServerList=127.0.0.1 setting anymore if it works in the Workstation without it.
/var/lib/i2p/i2p-config
Is there something like: /etc/i2p, /etc/i2p.d?
Yes, but it contains only the wrapper.config [quote=“Patrick, post:63, topic:2163”]
or even better /etc/i2p.d?
[/quote]
Sadly no
/usr/share/i2p/ is the install dir
/var/lib/i2p/i2p-config/ is the used config dir for the daemon
/home/user/.i2p/ is used for config when i2p is started by i2prouter start
From the clients.config:
If you have a 'split' directory installation, with configuration
files in ~/.i2p (Linux) or %APPDATA%\I2P (Windows), be sure to
edit the file in the configuration directory, NOT the install directory.
When running as a Linux daemon, the configuration directory is /var/lib/i2p
and the install directory is /usr/share/i2p .
Is there a ticket for /etc/i2p.d or could you post a feature request please? Having this feature would simplify creating configuration packages for Whonix a lot, because then we would not have to touch config files owned by other packages (here: i2p) which is always problematic.
Correction: I had not reloaded the I2P daemon for these changes to take effect and had been running with the original default settings the whole time. Rookie mistake. The custom settings do not work - the router does connect but websites remain unreachable indefinitely. I haven’t looked hard enough to know why and think we should omit this section for simplicity. There are too many variables to change to find out what breaks.
@Patrick I will move the settings to Deprecated unless there are strong objections. They are dysfunctional at the moment.
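The tunnel-length sed command from earlier in the thread, and the "invalid reference \1" error seen when the forum stripped its backslashes, can be checked against a scratch file before touching /var/lib/i2p/i2p-config/i2ptunnel.config. This is an added example, not code from the thread's participants or the Whonix wiki; the sample keys are constructed and the function names are hypothetical.

```shell
#!/bin/sh
# Added example. The sample below is constructed, not a real i2ptunnel.config.

# Write a constructed i2ptunnel.config-style sample to file $1.
make_sample() {
    cat > "$1" <<'EOF'
tunnel.0.name=I2P HTTP Proxy
tunnel.0.option.inbound.length=3
tunnel.0.option.inbound.lengthVariance=1
tunnel.0.option.outbound.length=3
tunnel.1.option.inbound.length=2
tunnel.1.option.outbound.length=2
EOF
}

# Set every inbound/outbound tunnel length in file $1 to hop count $2.
# \( \) is a BRE capture group and \1 re-emits the captured key, so with
# $2=0 the replacement is "\10": group 1 followed by a literal 0 (sed only
# has \1..\9). Dots are escaped here; the thread's version leaves them bare.
set_tunnel_length() {
    sed "s/\(.*outbound\.length=\).*/\1$2/;s/\(.*inbound\.length=\).*/\1$2/" \
        "$1" > "$1.new" && mv "$1.new" "$1"
}

# Print how many length keys in file $1 are not set to $2 (0 = all applied).
count_unapplied() {
    grep -E '\.(in|out)bound\.length=' "$1" | grep -cv "=$2\$" || true
}

# The expression as the forum rendered it: with the backslashes stripped there
# is no capture group, so sed refuses the \1 reference before reading input.
stripped_form_is_rejected() {
    ! sed 's/(.outbound.length=)./\10/g' /dev/null 2>/dev/null
}

f=$(mktemp)
make_sample "$f"
set_tunnel_length "$f" 0
echo "length keys not set to 0: $(count_unapplied "$f" 0)"
stripped_form_is_rejected && echo "stripped expression rejected by sed"
rm -f "$f"
```

Running count_unapplied against the real file after the edit gives a quick confirmation that every length key was rewritten while lengthVariance and other keys were left alone.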