I2P Running on Whonix Gateway

Good question. I am not aware of any I2P interface like Tor’s control port but I could be wrong. @goldstein do you know? Would you mind confirming this?

Good. This should take care of Iceweasel’s built-in DNS resolver too right?

Maybe “localwebui” is more descriptive?

+1

Yes, accessing the router settings is the reason.

You bring up a good point about the problem of how plugins would work with our dual VM model. We may or may not solve it without explicit support from I2P upstream (I’m sure they would be happy to add features just to support us).

The solution: To run another instance of I2P in the workstation like we do with a dummy Tor to keep applications like TBB happy. Here is where plugins like snark and bote would be installed. The client networking is disabled to prevent I2P-over-I2P from happening. Plugin traffic is seamlessly routed to the gateway tunnels by rinetd. We preserve the separation between network and apps as we do with all things Tor now.

If we pull this off we don’t have to worry about a dedicated links page since it’s provided by I2P itself.


Enabling the workstation client networking features should be very simple in case user wants to connect to Tor before I2P.

Summary: I2P on the workstation supports 2 modes of operation: 1) compatibility with an I2P gateway where users want direct connections or 2) connection from behind Tor. Switching between modes can be done with a simple user-friendly wizard later on for finishing touches, but it should be a few simple commands.

The i2p web interface is very similar to Tor control port. Conceptually. A filter could be created to not leak anything sensitive. Probably, in theory only!

Yes. But there is something else…

I know too little about i2p. It could fetch active contents through its daemon, let iceweasel connect fine to 127.0.0.1 and then display contents there. Nothing could be done about this on iptables level. [comparable far fetched: a webserver running on 127.0.0.1 that fetches contents from the internet and mirrors it locally] I do not know if i2p is actually doing something like that. Probably not as this would totally contradict modularity.

Makes more sense.


IIRC zzz told me at 32c3 it’s no problem at all and already possible to have the web interface listen at local network interface 127.0.0.1 only and at the same time make the plugins listen on the internal network interface.

I didn’t try that yesterday, testing and fixing this tomorrow.

+1, I need to find the source of this issue…
Could you post your working router.config and i2ptunnel.config? (Without Inbound- and OutboundPool keys and other identifying settings.)

Maybe we could use: i2pcontrol (plugin)
https://geti2p.com/en/docs/api/i2pcontrol

I need to think about that, but at first it sounds good.

+1

Sorry, but I don’t understand that.

No, we don’t want to make it available to the workstation. I just wanted to know if it’s enabled by default or not, to block off access to it completely.

If I2P had something like arm/Nyx to monitor and configure the router locally on the Gateway even headlessly - that would have been useful but the Iceweasel workaround is not bad.

Please don’t spend time on this. Not worth the investment.

My observations are most of these settings are not necessary anyway. UDP gets disabled automatically when it can’t get through. The client reports no known static address/port but it still connects. The client does not try to open participatory tunnels because it doesn’t work and that’s good - so it doesn’t negatively affect the network if you disconnect suddenly.

Also the added protection of multiple tunnels in I2P can’t hurt in case you connect out of a malicious Tor Exit to a malicious or infected I2P node too.

Yeah very unlikely. No connections are ever made outside the I2P network or to visit webpages in the network without a user’s consent AFAIK. Somewhat related: It would be good if we can disable access to the Services Links page on I2P Gateway to prevent noobs from clicking stuff and browsing accidentally from there.

Awesome then the idea for a dummy I2P client on ws should work :slight_smile:

We don’t need to, and that wasn’t my intent with that.

AFAIK no.

HulaHoop wrote:

Please don’t spend time on this. Not worth the investment.

My observations are most of these settings are not necessary anyway. UDP gets disabled automatically when it can’t get through. The client reports no known static address/port but it still connects. The client does not try to open participatory tunnels because it doesn’t work and that’s good - so it doesn’t negatively affect the network if you disconnect suddenly.

Also the added protection of multiple tunnels in I2P can’t hurt in case you connect out of a malicious Tor Exit to a malicious or infected I2P node too.

ok

OK.

Nice find! i2p-tools and PY2PControl seem perfect for the headless use case. The plugin needs to be installed from the plugin site though. Is it possible to script this without the i2pcontrol plugin installed to begin with, or is it a catch-22?

I believe the iceweasel method also has its place for newbies and also to future proof Whonix for other network clients who can only be accessed via webui. Having both can’t hurt :slight_smile:

You mean PY2PControl without i2pcontrol ?

Agreed :wink:

Testing the DTG (Desktop GUI) currently
http://zzz.i2p/topics/2122-proposal-enable-desktopgui-for-all

To test (requires 0.9.25-11 or higher), go to /configservice in the console and enable. To switch between AWT and Swing, set the advanced config desktopgui.swing=[true,false]. This is all disabled and hidden if I2P is running as a service, since it doesn’t have desktop permissions.

and
Proposal: Bundle I2PControl
http://zzz.i2p/topics/2030

http://zzz.i2p/topics/2114-how-to-access-command-line-utilities-easier

I’m playing around with those atm

Maybe we can help I2P with this ?

You mean PY2PControl without i2pcontrol ?

Correct me if I’m wrong, the only way for scripts to talk to I2P is through I2PControl. Given it’s not installed by default, how would a script be able to interact with I2P and download it (and PY2PControl) in the first place? The only short-term workaround I see is to package I2PControl+PY2PControl in the Whonix repo and download them from there during builds.

Testing the DTG (Desktop GUI) currently

Looks good. Does it have a way to set an I2P Browser option to Iceweasel or perhaps none at all? To prevent accidental browsing on the gw.

Proposal: Bundle I2PControl

That would be great when it happens. It’s the best option.

I think you’re right but I’m not 100% sure, need to do more digging.

Until i2pcontrol is bundled I think this would be the easiest.

I think it doesn’t (haven’t found it).
I’m going to ask or take a look at the code.

zzz’s post about that:

As discussed w/ tuna at CCC

Phase 1 would be for tuna to catch up on all the existing tickets and proposals, to update the spec to match, and release new plugin versions

Phase 2 would be to encourage development of new client apps that work with both the plugin and i2pd, to make it the standard remote control protocol, widely used.

Phase 3 would be to un-pluginize it and bundle it with the router, including removal of duplicate code and use of i2p.jar APIs wherever possible.

This would be over the course of the next year or more.

goldstein, Patrick, thank you for all this work. I am catching up presently.

halo9en:

goldstein, just read this now. The GitHub link you shared seems to return a 404. I did find this in your Repositories: https://github.com/cle4r/whonix-gw-firewall.git

That link works for me. Does it work for you again? Otherwise you and/or
goldstein have to contact GitHub so they un-blacklist the repository.
(Perhaps a false positive spam tag; such things have happened in the past.)

Also, adrelanos, thank you for the patches for Whonix 13.

Remind me to announce, btw https://phabricator.whonix.org/T464 is done,
will be released in Whonix 14, which is another feature that will
support this endeavor.

It will be easy to drop configuration snippets into
/etc/anon-ws-disable-stacked-tor folder that can spawn socat port
redirection of localhost ports in Whonix-Gateway to Whonix-Workstation.

For example see:
https://github.com/Whonix/anon-ws-disable-stacked-tor/blob/master/etc/anon-ws-disable-stacked-tor.d/30_anon-dist.conf

@goldstein

Please don’t go. You’ve brought the I2P Whonix idea a long way.

Because of recent events and developments I no longer think that it’s a good idea to do this in the first place.

Can you be more specific?

Even if some users stick with Tor there are many others interested in I2P. Your work will grow the Whonix user base and secure I2P native users and move them away from the plain browser + proprietary OS setup.


i2p.socket package now released on pypi:

https://pypi.python.org/pypi/12p.socket/0.2.2


3 posts were merged into an existing topic: Leaked Tor Project chat logs reveal it struggled over hiring ex-CIA agent

I will post a response in the other thread. Please move this discussion there also so this dev thread stays on topic.


First of all, thank you all for the responses.

You’re right, I’ve reconsidered my choice to leave.
It seems too important to let it die, even when I do have quite some issues with Tor, but in the absence of anybody who would like to do this, I will continue.

Just updated the repository.
Let’s see where this all takes us.


Hooray! :smiley:

Thanks for reconsidering. I look forward to some great contributions from you.


Let’s start again with some questions:

It will be easy to drop configuration snippets into
/etc/anon-ws-disable-stacked-tor folder that can spawn socat port
redirection of localhost ports in Whonix-Gateway to Whonix-Workstation.

For example see:
https://github.com/Whonix/anon-ws-disable-stacked-tor/blob/master/etc/anon-ws-disable-stacked-tor.d/30_anon-dist.conf

Sorry, but I don’t quite get what I can put in there: just the single socat commands, or can I put a whole script in there?

Is there a version file for Whonix inside the Template and AppVM?

About the Systray:

Does it have a way to set an I2P Browser option to Iceweasel or perhaps none at all? To prevent accidental browsing on the gw.

Yes, there is a config for the browser; it could be set to anything.

Btw, why is quoting someone’s text broken?

About the localhost-only Iceweasel

  1. Allow some form of localhost browser interaction with the I2P router
     on the gateway - a custom configured Iceweasel install, running under
     its own user account with only loopback/localhost connections
     whitelisted.

I don’t know much about browsers. Could you explain how we can do that, or point me somewhere I can look it up? I couldn’t find much searching.

Maybe set up a user with access to localhost only? (If that’s possible.)

Could you please try FoxyProxy with the latest TBB? I think they changed it again.

Great!

The purpose that I have in mind was one or multiple socat commands to redirect stuff from 127.0.0.1 Whonix-Workstation to Whonix-Gateway.

The script which processes the /etc/anon-ws-disable-stacked-tor.d configuration folder is rather simple.
https://github.com/Whonix/anon-ws-disable-stacked-tor/blob/master/usr/lib/anon-ws-disable-stacked-tor/socat-unix-sockets

(systemd service: https://github.com/Whonix/anon-ws-disable-stacked-tor/blob/master/lib/systemd/system/anon-ws-disable-stacked-tor.service)

That mechanism could be “abused” to comfortably launch any program into the background on boot and have it terminated at shutdown. [I was wondering to make it that generic, but I wanted to keep it simple.]

I guess anon-ws-disable-stacked-tor.service should not be run in TemplateVMs.

Configuration files could be in TemplateVM, in folder /etc/anon-ws-disable-stacked-tor.d/*.conf or in AppVM in folder /rw/anon-ws-disable-stacked-tor.d/*.conf. That is up to you / users.

I guess for your i2p-only use case it makes sense to add that file in the TemplateVM so all Whonix-Workstation AppVMs based on the whonix-ws template benefit from that port redirection.

Not sure what you mean. The markup is sometimes broken, such as bold and code? That is indeed sometimes annoying. I did not check yet if there already is a Discourse upstream bug report.


iceweasel on Whonix-Gateway should be only capable to visit localhost by default - because there is no DNS access / no system default networking. However, if a user would enable transparent proxying for Whonix-Gateway itself ( Whonix-Gateway Traffic: Transparent Proxying ) then the user could connect anywhere.

It is possible using iptables. I would not mind a localhost-only user on Whonix-Gateway.
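The socat port redirection Patrick describes above (Workstation 127.0.0.1 ports forwarded to Whonix-Gateway), as an added example that is not anon-ws-disable-stacked-tor’s own code or its .conf syntax: a small POSIX shell helper that turns a constructed "bind_addr port" list into socat command lines and refuses any bind address that is not loopback, so the forwarder can never expose gateway services on another interface. GATEWAY_IP (a documentation-range placeholder) and the input format are assumptions.

```shell
#!/bin/sh
# Added example, not anon-ws-disable-stacked-tor code: build socat commands
# that forward loopback ports on Whonix-Workstation to the same ports on
# Whonix-Gateway. The gateway address is an assumption (placeholder below).
GATEWAY_IP="${GATEWAY_IP:-192.0.2.1}"   # placeholder, set to the real gateway IP

# is_port PORT: true if PORT is a valid TCP port number (1-65535).
is_port() {
    case "$1" in
        ''|*[!0-9]*) return 1 ;;
    esac
    [ "$1" -ge 1 ] && [ "$1" -le 65535 ]
}

# redirect_cmd BIND_ADDR PORT: print one socat command that listens on
# BIND_ADDR:PORT and forwards to GATEWAY_IP:PORT. Only loopback binds are
# accepted, so the forwarder never exposes gateway services on other interfaces.
redirect_cmd() {
    bind="$1"; port="$2"
    case "$bind" in
        127.*|::1) ;;
        *) echo "refusing non-loopback bind address: $bind" >&2; return 1 ;;
    esac
    is_port "$port" || { echo "invalid port: $port" >&2; return 1; }
    printf 'socat TCP-LISTEN:%s,bind=%s,fork,reuseaddr TCP:%s:%s\n' \
        "$port" "$bind" "$GATEWAY_IP" "$port"
}

# build_redirects: read "bind_addr port" lines from stdin (a constructed
# format, not the project's .conf syntax), skip comments and blanks, and
# print one socat command per line; fails on the first bad line.
build_redirects() {
    while read -r bind port; do
        case "$bind" in ''|'#'*) continue ;; esac
        redirect_cmd "$bind" "$port" || return 1
    done
}

# Constructed sample input: the usual I2P HTTP proxy and router console ports.
build_redirects <<'EOF'
# bind_addr port
127.0.0.1 4444
127.0.0.1 7657
EOF
```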
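For the localhost-only user on Whonix-Gateway mentioned just above, an added example that is not Whonix’s firewall code: shell functions that generate, optionally apply, and check iptables owner-match rules confining one account (for instance the dedicated Iceweasel user) to loopback, so it stays local even if transparent proxying for the gateway itself is enabled later. The account name and the choice of the OUTPUT chain with `-m owner` are assumptions.

```shell
#!/bin/sh
# Added example (not Whonix's own firewall code): confine one Unix account,
# such as a dedicated user that runs Iceweasel on Whonix-Gateway, to loopback
# with the iptables owner match. The account name is an assumption passed in.

# localhost_only_rules USER [FAMILY]: print the commands (FAMILY is "ipv4" or
# "ipv6") without running them, so they can be reviewed or dropped into a
# firewall script. Rule order matters: the loopback ACCEPT precedes the REJECT.
localhost_only_rules() {
    user="$1"; family="${2:-ipv4}"
    [ -n "$user" ] || { echo "usage: localhost_only_rules USER [ipv4|ipv6]" >&2; return 1; }
    case "$family" in
        ipv4) tool=iptables;  reject=icmp-admin-prohibited ;;
        ipv6) tool=ip6tables; reject=icmp6-adm-prohibited ;;
        *) echo "unknown family: $family" >&2; return 1 ;;
    esac
    # The owner match only works on locally generated packets (they carry the
    # UID of the process that created the socket), hence the OUTPUT chain.
    printf '%s -A OUTPUT -o lo -m owner --uid-owner %s -j ACCEPT\n' "$tool" "$user"
    # Anything else from that user is rejected, whatever the gateway's other
    # rules allow; the browser can still reach the router console on 127.0.0.1.
    printf '%s -A OUTPUT -m owner --uid-owner %s -j REJECT --reject-with %s\n' \
        "$tool" "$user" "$reject"
}

# apply_localhost_only USER: install the rules for both families (needs root).
apply_localhost_only() {
    for fam in ipv4 ipv6; do
        localhost_only_rules "$1" "$fam" | while read -r cmd; do
            $cmd || exit 1   # leave the subshell so the pipeline fails
        done || return 1
    done
}

# check_localhost_only USER: true if the IPv4 rules are already installed
# (iptables -C returns non-zero when a rule is absent).
check_localhost_only() {
    localhost_only_rules "$1" ipv4 | sed 's/ -A / -C /' | while read -r cmd; do
        $cmd >/dev/null 2>&1 || exit 1
    done
}
```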