# Disable automatic IP fetching: we don't want/need to publish the Exit-Node IP
i2np.ntcp.autoip=false
# Disable IPv6 for NTCP: unsupported by Tor, so we don't need it
i2np.ntcp.ipv6=false
# Number of concurrent NTCP connections: reduced so we don't overload the Tor node with connection attempts
i2np.ntcp.maxConnections=20
# Disable UDP: unsupported by Tor
i2np.udp.enable=false
# Sets the source of IP detection: we don't want/need to publish the Exit-Node IP
# (comment kept on its own line: a trailing "# ..." after the value would become part of the value)
i2np.udp.addressSources=hidden
# Disable IPv6 for UDP
i2np.udp.ipv6=false
# Toggles UPnP on/off: no need for UPnP
i2np.upnp.enable=false
# Don't save your IP in the netDB and publish to other I2P routers (https://trac.i2p2.de/ticket/1314#comment:3)
router.isHidden=true
# Sets the bandwidth that is max used by participating tunnels: we don't participate in traffic, so no need to share
router.sharePercentage=0
# Disable in-network updates: we use apt for that
router.updateDisabled=true
# Disable time comparison in the I2P router
time.disabled=true
# Set NTP time source to localhost
time.sntpServerList=127.0.0.1
Is this sufficient? Or should I go into more detail?
FYI: the path of the command changes from /var/lib/i2p/i2p-config/ to /home/user/.i2p/ when I2P is run by i2prouter start (by the user).
I would say make it optional to start it by the user and change the step where the I2P router is started to configuring it as a daemon.
Note: if it's running on Qubes, all commands should be run in the Template and the path must be set in bind-dirs with (for the current Qubes version (3.1)):
sed -i "70i \ '/rw/srv/whonix/etc/i2p:/etc/i2p'" /usr/lib/qubes-whonix/bind-directories
sed -i "71i \ '/rw/srv/whonix/var/lib/i2p/i2p-config:/var/lib/i2p/i2p-config'" /usr/lib/qubes-whonix/bind-directories
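The settings above are read as a Java-style properties file, where only a line whose first non-blank character is a comment marker is ignored; a note placed after a value on the same line becomes part of the value, and a hidden-mode setting such as i2np.udp.addressSources or router.isHidden would then silently not take effect. The following Python script is an added example, not code from this thread or from the I2P project: it parses a constructed router.config fragment with those properties conventions (an assumption about I2P's parser; no line continuations or escapes are handled) and reports any expected hidden-mode key that is missing or corrupted by an inline comment.

```python
"""Audit an I2P router.config fragment with Java .properties semantics.

Assumption: I2P reads router.config like java.util.Properties does, so only
a line starting with '#' or '!' is a comment. A trailing " # note" after a
value is NOT stripped; it becomes part of the value.
"""
import re

# Constructed sample: the hidden-mode settings from this thread, with one
# value deliberately written with a trailing inline comment.
SAMPLE_CONFIG = """\
# Disable automatic IP fetching
i2np.ntcp.autoip=false
i2np.udp.enable=false
i2np.udp.addressSources=hidden # We dont want/need to publish the Exit-Node IP
router.isHidden=true
router.sharePercentage=0
time.sntpServerList=127.0.0.1
"""

# Values the thread's hidden-mode profile expects.
EXPECTED = {
    "i2np.ntcp.autoip": "false",
    "i2np.udp.enable": "false",
    "i2np.udp.addressSources": "hidden",
    "router.isHidden": "true",
    "router.sharePercentage": "0",
    "time.sntpServerList": "127.0.0.1",
}


def parse_properties(text):
    """Parse key=value lines the way java.util.Properties does (simplified:
    no line continuations or unicode escapes). Returns {key: raw value}."""
    props = {}
    for line in text.splitlines():
        stripped = line.strip()
        if not stripped or stripped[0] in "#!":
            continue  # whole-line comment or blank line
        m = re.match(r"([^=:\s]+)\s*[=:]?\s*(.*)", stripped)
        if m:
            # Nothing after the separator is treated as a comment.
            props[m.group(1)] = m.group(2).strip()
    return props


def audit(text, expected=EXPECTED):
    """Return a list of (key, problem) findings for a config fragment."""
    props = parse_properties(text)
    findings = []
    for key, want in expected.items():
        got = props.get(key)
        if got is None:
            findings.append((key, "missing"))
        elif got != want:
            if "#" in got:
                findings.append((key, f"inline comment corrupts value: {got!r}"))
            else:
                findings.append((key, f"expected {want!r}, got {got!r}"))
    return findings


if __name__ == "__main__":
    for key, problem in audit(SAMPLE_CONFIG):
        print(f"{key}: {problem}")
```

Run it against a real router.config by reading the file into `audit()`; an empty result means every expected key is present with exactly the intended value.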
For Connecting to Tor before I2P, i.e. user -> Tor -> I2P -> Internet, i.e. I2P inside Whonix-Workstation it is not so trivial. anon-ws-i2p-config could either refer to
a) user -> Tor -> I2P -> Internet or
b) Whonix-Workstation using I2P running on Whonix-Gateway.
You might turn b) into a configuration package, but perhaps one day we also get a (conflicting) configuration package for a) also. So I wonder about package naming.
Very good. It briefly explains the setting and why we are doing it. I like it. Please add it to the wiki.
(In other places in Whonix we just explain why we are doing it, but not the setting itself - researching that would be up to the auditor. Which way is better, I don’t really know. Perhaps we do as best as we think on a by case basis.)
Please do not modify any files in .d folders. These conflict / are lost when packages are upgraded. A package should use for example /usr/lib/qubes-bind-dirs.d/40_whonix-i2p.conf or a sysadmin /user should use for example /rw/config/qubes-bind-dirs.d/50_whonix-i2p.conf.
/usr/lib/qubes-bind-dirs.d/40_whonix-i2p.conf
Full technical background:
I have a slight preference for running I2P as automatically started daemon - once I2P mode was enabled. Since I2P on Whonix-Gateway is similar to Tor on Whonix-Gateway. And Tor is running as daemon. Using default config and data folders as per Debian defaults. (I2P would still run under user i2p.) Seems closer to what the user wants who enabled such a configuration.
No, didn't know about that (or I forgot about it), thanks.
[quote="Patrick, post:56, topic:2163"]
Forward thinking… Package names… anon-gw-i2p-config?
For Connecting to Tor before I2P, i.e. user -> Tor -> I2P -> Internet, i.e. I2P inside Whonix-Workstation it is not so trivial. anon-ws-i2p-config could either refer to
a) user -> Tor -> I2P -> Internet or
b) Whonix-Workstation using I2P running on Whonix-Gateway.
You might turn b) into a configuration package, but perhaps one day we also get a (conflicting) configuration package for a) also. So I wonder about package naming.
[/quote]
maybe b)
anon-gw-i2p-router-config
and
anon-ws-i2p-client-config
a)
anon-ws-i2p-router-config
I don't know if it really fits, because the user who's using I2P isn't requesting clearnet websites (only a few outproxies), so I would change that to
user -> Tor -> I2P -> I2P Service (or something similar)
Sorry about that, reading it now.
Going to add it once I've tested the Workstation I2P setup.
I see.
[quote="Patrick, post:56, topic:2163"]
I have a slight preference for running I2P as automatically started daemon - once I2P mode was enabled. Since I2P on Whonix-Gateway is similar to Tor on Whonix-Gateway
[/quote]
Me too, it would also speed up the Tunnel build up
Don't know about those, could be more misleading (i.e. a Windows user may understand something different under standalone).
I think this fits best for b) because it defines where the client apps should be run (i.e. RetroShare or Thunderbird for mail) and where the router is run.
Good, going to test some more later and post them after testing that they work accordingly.
About the clock skew issues, you stated (in the wiki) that it's fixed and it wouldn't be necessary to set time.sntpServerList= to localhost anymore; is this still correct? Then we wouldn't need the time.sntpServerList=127.0.0.1 setting anymore if it works in the Workstation without it.
Yes, but it contains only the wrapper.config.
[quote="Patrick, post:63, topic:2163"]
or even better /etc/i2p.d?
[/quote]
Sadly no.
/usr/share/i2p/ is the install dir.
/var/lib/i2p/i2p-config/ is the used config dir for the daemon.
/home/user/.i2p/ is used for config when I2P is started by i2prouter start.
From the clients.config:
If you have a 'split' directory installation, with configuration
files in ~/.i2p (Linux) or %APPDATA%\I2P (Windows), be sure to
edit the file in the configuration directory, NOT the install directory.
When running as a Linux daemon, the configuration directory is /var/lib/i2p
and the install directory is /usr/share/i2p .
Is there a ticket for /etc/i2p.d or could you post a feature request please? Having this feature would simplify creating configuration packages for Whonix a lot, because then we would not have to touch config files owned by other packages (here: i2p) which is always problematic.
Correction: I had not reloaded the I2P daemon for these changes to take effect and had been running with the original default settings the whole time. Rookie mistake. The custom settings do not work - the router does connect but websites remain unreachable indefinitely. I haven't looked hard enough to know why and think we should omit this section for simplicity. There are too many variables to change to find out what breaks.
@Patrick I will move the settings to Deprecated unless there are strong objections. They are dysfunctional at the moment.
Shit, sorry about that, it did work for me but after doing a new setup again it breaks. I've reproduced the error and tried all night to find the settings that break the connectivity, but I've failed to find the exact setting (it takes a long time until the router builds tunnels and I've restarted it 20+ times to debug the error).
I've reverted every setting but it still fails; there are active client tunnels but it looks like something is blocking requests or responses.
Going to look at the issue more after work, sorry for the trouble, this shouldn't happen.
There is no ticket yet, I created an account yesterday at the tracker and I'm still waiting for the verification mail.
Edit:
Finally it works (it took the router 10-15 min after the start to reach a site). @HulaHoop could you please test these settings and confirm that they work for you too?
I have been giving some thought on how to interact with the I2P on Whonix-Gateway while preserving the same security guarantees like we do with Tor. Here's what I think and how it could work.
Problems:
There should be no way to interact with the I2P router settings on the gateway from the workstation. Setting default passwords is a terrible idea, letting users pick their own even worse. Generating a random one might work but all it takes is a user to log in once and cross contaminate their workstation which would leak their password to a keylogger and allow an adversary to change settings and destroy their anonymity.
There has to be some form of the services page available to users in the workstation without allowing access to the router settings.
Proposed Solutions:
Allow some form of localhost browser interaction with the I2P router on the gateway - a custom configured Iceweasel install, running under its own user account with only loopback/localhost connections whitelisted.
Recreate/Copy the I2P service page locally in the workstation that looks and feels like the original familiar to users.
I think the I2P router web interface should be only accessible from Whonix-Gateway. So it should only bind locally to 127.0.0.1 in Whonix-Gateway. Other services that I2P is providing (socks, …) on Whonix-Gateway can be made accessible from Whonix-Workstation.
Iceweasel on Whonix-Gateway is unproblematic as long as transparent proxying / DNS for Whonix-Gateway's own traffic does not get enabled. Anyhow. A user localhost introduced on Whonix-Gateway could make sense. Enforced by firewall to be able to connect to 127.0.0.1 only. Then the Whonix-Gateway I2P package could provide a launcher to run Iceweasel under that user. Not sure if localhost would be a sane Linux user account name, perhaps there is something more descriptive.
[quote="HulaHoop, post:70, topic:2163"]
There should be no way to interact with the I2P router settings on the gateway from the workstation. Setting default passwords is a terrible idea, letting users pick their own even worse. Generating a random one might work but all it takes is a user to log in once and cross contaminate their workstation which would leak their password to a keylogger and allow an adversary to change settings and destroy their anonymity.
[/quote]
We could make the Router Console unavailable to the Workstation by setting the console to only listen to localhost and not forwarding the 7657 port to the WS.
[quote="HulaHoop, post:70, topic:2163"]
Allow some form of localhost browser interaction with the I2P router on the gateway - a custom configured Iceweasel install, running under its own user account with only loopback/localhost connections whitelisted.
[/quote]
I wonder what use case that would be for? Please explain, besides changing settings. The rest could be done without the need of the Router Console.
For completeness, Killyourtv's old statement about this:
It's been said that the Whonix dev doesn't recommend this set-up to avoid IP address leaks due to the IP address being shown at http://127.0.0.1:7657/netdb?r=. when not running in hidden mode, and that the workstation should not know what its IP is. If that's a problem, why not set a password for the router console at http://127.0.0.1:7657/configui? Or set up I2P and then disable access to the router console?
Torrenting with I2PSnark will work, and the files will be saved on the Whonix-Gateway to /var/lib/i2p/i2p-config/i2psnark. See File Transfer - Whonix for information about transferring the files to your host or to the workstation. Another option would be to use libguestfs on your host.
You mean the start page from the Router Console with links to various websites? Agreed, maybe integrate it into the browser's homepage like the Whonix links?
Takes longer to connect than default but works eventually. I still don't think it's worth the degraded user experience to add these settings. Longer connection delays might push potential users away.
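The design discussed above (router console on port 7657 bound only to 127.0.0.1 on the gateway, other I2P client services allowed to face the Workstation) can be verified on the gateway itself by looking at what is actually listening. The following Python script is an added example, not code from this thread or from the Whonix or I2P projects: it parses socket-listing text in the shape of `ss -H -ltn` output (the sample lines are constructed, including the 192.0.2.1 internal address and the 4444/4447 client ports, which are assumptions for this example) and flags any console listener reachable beyond loopback, as well as any other non-loopback listener that is not an expected client service.

```python
"""Report I2P listeners on a gateway that are reachable beyond loopback.

Policy from the thread: the router console (7657) must be loopback-only on
Whonix-Gateway; client services may be bound to the internal interface so
the Workstation can reach them. Socket data here is constructed, not
captured from a real gateway.
"""

# Constructed sample in the shape of `ss -H -ltn` (no header line):
# State Recv-Q Send-Q Local-Address:Port Peer-Address:Port
SAMPLE_SS = """\
LISTEN 0 128 127.0.0.1:7657 0.0.0.0:*
LISTEN 0 128 0.0.0.0:4444 0.0.0.0:*
LISTEN 0 128 192.0.2.1:4447 0.0.0.0:*
LISTEN 0 128 [::]:7657 [::]:*
LISTEN 0 128 127.0.0.1:7658 0.0.0.0:*
LISTEN 0 128 0.0.0.0:22 0.0.0.0:*
"""

LOOPBACK = {"127.0.0.1", "::1"}
# Port named in the thread that must never leave loopback on the gateway.
CONSOLE_ONLY = {7657}
# Client services allowed to face the Workstation (assumed ports: HTTP
# proxy 4444 and SOCKS 4447 are I2P defaults, but adjust to your setup).
CLIENT_PORTS = {4444, 4447}


def parse_ss(text):
    """Yield (address, port) for each LISTEN line of `ss -ltn`-shaped text."""
    for line in text.splitlines():
        parts = line.split()
        if len(parts) < 4 or parts[0] != "LISTEN":
            continue
        local = parts[3]
        # Split on the last ':' so IPv6 literals like [::]:7657 survive.
        addr, _, port = local.rpartition(":")
        yield addr.strip("[]"), int(port)


def exposed_listeners(text):
    """Return (port, address, reason) findings for listeners that violate
    the loopback-only console policy or are otherwise unexpected."""
    findings = []
    for addr, port in parse_ss(text):
        if addr in LOOPBACK:
            continue  # loopback binding is what the policy wants
        if port in CONSOLE_ONLY:
            findings.append((port, addr, "router console reachable beyond loopback"))
        elif port not in CLIENT_PORTS:
            findings.append((port, addr, "unexpected non-loopback listener"))
    return findings


if __name__ == "__main__":
    for port, addr, reason in exposed_listeners(SAMPLE_SS):
        print(f"{addr}:{port}  {reason}")
```

On a real gateway, feed the output of `ss -H -ltn` into `exposed_listeners()`; the IPv6 wildcard binding of 7657 in the sample is the case to watch for, since a console configured for 127.0.0.1 only can still be reachable if a second listener binds [::].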