Installation and Fix of i2p inside Whonix-Workstation by Default

torjunkie · December 7, 2019, 2:12pm

I2P packages are available in buster, so why do we have manual download steps on the I2P wiki page?

Does package availability help to solve this?

http://forums.dds6qkxpwdeubwucdiaord2xgbbeyds25rbsgr73tbfpqpt4a6vjwsyd.onion/t/i2p-integration/4981

And presumably issue of “Installing I2P on Whonix-Gateway ™ (I2P and Tor simultaneously)”

HulaHoop · December 7, 2019, 2:59pm

Outdated instructions Great to see them in upstream now.

The main problems this was attempting to solve was to have a preconfigured TBB copy for accessing .i2p domains and other non-clearnet special TLDs and optimizing I2P operation when tunneled over Tor.

There was also the goal of having an I2P GW, but IMO it is too much work for what is likely inferior security.

Patrick · December 7, 2019, 4:50pm

Could you review I2P: Difference between revisions - Whonix please? @HulaHoop

HulaHoop · December 7, 2019, 5:10pm

Excellent. Thanks @torjunkie

Patrick · December 7, 2019, 8:50pm

Removed i2p repository. Using Debian package now.

Invisible Internet Project (I2P)

But the Tor Browser local connection workaround is broken? Does not work for me.

Got some apparmor denied messages. Had to disable apparmor. Probably upstream issue but nobody else run into that yet? No Debian bug report yet. Or I just messed up.

Could you please get the i2p installation instructions back up to speed? @HulaHoop

torjunkie · December 8, 2019, 4:38am

No problem

I tidied up the rest of that page, so it’s just Patrick’s query re: local connection workaround which you can hopefully fix.

For installation steps in Qubes-Whonix, I presume steps 1 - 3 are in the TemplateVM, while the others will be in the AppVM (we’ll need to explicitly define that too).

Patrick · December 8, 2019, 7:19am

Yes, sudo apt-get update, sudo apt-get install i2p, sudo dpkg-reconfigure i2p in TemplateVM in Qubes. I would hope that step sudo dpkg-reconfigure i2p isn’t even required anymore now that there is a package from packages.debian.org.

HulaHoop · December 8, 2019, 4:25pm

The good news is I discovered this new setting that needs to be disabled to access the console on localhost:

network.proxy.allow_hijacking_localhost -> false

The bad news is no eepsites are reachable at all despite tunnels being formed. Maybe this needs privoxy to work? Will dig more.

HulaHoop · December 8, 2019, 4:58pm

Not working with privoxy either or after tweaking a lot of settings. I’m out of ideas. The connectivity is absolute shit. No tunnels are forming to sustain a healthy connection.

Patrick_mobile · December 9, 2019, 5:05am

Anything in logs? Clock too inaccurate due to sdwdate? Debian package i2p version too outdated for the network?

torjunkie · December 9, 2019, 9:55am

OK - I can’t connect to any .i2p sites either.

Downloaded sid I2P version (v9.42 instead of v9.38 in Buster stable) (required dependency libjbigi-jni first before installing I2P)
sudo dpkg-reconfigure I2P
couldn’t connect to anything (Nyx logs show “Have tried resolving or connecting to address [scrubbed] at 3 different places. Giving up.”
re-ran sudo dpkg-reconfigure I2P and disable AppArmor setting
service status check on command line shows I2P is running okay
I can see lots of peers etc. but the main error in router config section is “Network ERR-UDP disabled and inbound TCP host/port not set”
They suggest: “You have not configured an inbound TCP with a hostname and port on the Network config page, however you have disabled UDP. Therefore your router cannot accept inbound connections. Please configure a TCP host and port on the Network configuration page or enable UDP”
Played with various I2P router network settings e.g. enable/disable UDP, prefer IPv4 or IPv6, set TCP ports etc. then reset the connection.

But you can never get a connection to work to any I2P site - Tor Browser says “Error connecting to site XYZ. Try again later etc.” Nyx keeps showing the same error “Have tried resolving or connecting to address [scrubbed] at 3 different places. Giving up.” over and over.

Annoying.

Do we have to set up something special in the I2P router network config or something else?
More Tor Browser config tweaks?
Too much clock skew? (they do warn about that needing to be very accurate in their FAQ somewhere - could be the source of the problem)
Maybe we’d have better luck with latest version 9.44 directly from I2P website? But I doubt it.

Doesn’t like something about being tunneled over Tor and/or something in Whonix config.

HulaHoop · December 9, 2019, 2:21pm

It did not use to be that way. Perhaps they changed something that depends on UDP? Can you please try with a VPN (if you can)?

It would have been the case if it was properly connecting but .i2p pages don’t open - but not the case here.

Was a common error, but never fatal in the past.

HulaHoop · December 9, 2019, 6:22pm

Update:

Some progress. Got I2P to connect to its network. Some optimized settings probably help performance and tunnel setup speed. No VPN hack needed.

The TBB -> localhost:4444 step is broken because of some internal changes in Tor Browser. I confirmed it is working in plain firefox.

HulaHoop · December 9, 2019, 6:29pm

I want to see if secbrowser doesn’t need as much work to get it working. I’ve installed it in the WS but no icon for it anywhere appears.

Patrick · December 9, 2019, 7:25pm

That’s a “feature” to avoid showing up in Whonix.

github.com

Whonix/anon-apps-config/blob/master/debian/anon-apps-config.hide#L13


      
          
          #### meta start
          #### project Whonix
          #### category apps and security
          #### description
          ## config-package-dev hide the following files
          
          ## gajim plugin installer does not cryptographically verify downloads.
          /usr/share/gajim/plugins/plugin_installer/__init__.py
          
          ## XChat
          /usr/lib/xchat/plugins/python.so
          /usr/lib/xchat/plugins/tcl.so
          /usr/lib/xchat/plugins/perl.so
          
          #### meta end

The secbrowser package is just a metapackage. The “hidden” scripts can be run from here for testing:

/usr/share/anon-apps-config/usr++bin++secbrowser
/usr/share/anon-apps-config/usr++bin++download-secbrowser

HulaHoop · December 9, 2019, 8:42pm

Setting:
extensions.torbutton.use_nontor_proxy true

Allows an I2P page to show up with this message:

The website was not reachable. The website is offline, there is network congestion, or your router is not yet well-integrated with peers. You may want to retry.

EDIT:

It works!

After changing:
network.proxy.share_proxy_settings true

Other settings:

network.proxy.http 127.0.0.1
network.proxy.http_port 8118
network.proxy.no_proxies_on 1
network.proxy.socks_remote_dns false

Privoxy installed and configured with forwarding settings from:

HulaHoop · December 9, 2019, 8:45pm

Secbrowser download attempt

user@host:~$ sudo sh /usr/share/anon-apps-config/usr++bin++download-secbrowser
/usr/share/anon-apps-config/usr++bin++download-secbrowser: 10: /usr/share/anon-apps-config/usr++bin++download-secbrowser: source: not found

HulaHoop · December 9, 2019, 8:57pm

Got I2P + TBB working see second post above.

I hope we can get this scripted and have I2P and a configured privoxy included OOTB to transform TBB into a I2P Browser on demand in a dedicated snapshot.

Patrick · December 9, 2019, 9:13pm

It’s bash. Not sh. And thanks to shebang neither sh nor bash needs to be prepended. Running a bash script with sh will break.

source: not found

sh doesn’t know command source.

Also no sudo required.

This approach may be better to restore SecBrowser in Whonix.

sudo dpkg-divert --rename --remove /usr/share/applications/secbrowser.desktop
sudo dpkg-divert --rename --remove /usr/bin/secbrowser
sudo dpkg-divert --rename --remove /usr/bin/download-secbrowser

Won’t survive upgrades.

Patrick · December 9, 2019, 9:18pm

There is i2pbrowser but nobody maintaining it.

github.com

Kicksecure/tb-starter/blob/master/usr/bin/i2pbrowser

#!/bin/bash

## Copyright (C) 2018 - 2023 ENCRYPTED SUPPORT LP <adrelanos@whonix.org>
## See the file COPYING for copying conditions.

export SCRIPTNAME="$(basename "$BASH_SOURCE")"

export IDENTIFIER="i2pbrowser"

if [ "$TOR_DEFAULT_HOMEPAGE" = "/usr/share/doc/homepage/whonix-welcome-page/whonix.html" ]; then
   ## unset default by whonix-welcome-page /usr/libexec/whonix-welcome-page/env_var.sh
   unset TOR_DEFAULT_HOMEPAGE
fi

## https://forums.whonix.org/t/noscript-with-security-slider-at-safest-permits-around-30-sites/8160
[ -n "$TOR_DEFAULT_HOMEPAGE" ] || export TOR_DEFAULT_HOMEPAGE="/usr/share/doc/homepage/i2pbrowser/i2p-diffs.html"

[ -n "$ICON" ] || export ICON="/usr/share/icons/icon-pack-dist/tbupdate.ico"
[ -n "$TOR_NO_DISPLAY_NETWORK_SETTINGS" ] || export TOR_NO_DISPLAY_NETWORK_SETTINGS=1
[ -n "$TOR_HIDE_BROWSER_LOGO" ] || export TOR_HIDE_BROWSER_LOGO=1

This file has been truncated. show original

github.com

Kicksecure/tb-starter/blob/master/usr/bin/torbrowser#L505-L549


      
                   touch "$done_file"
                fi
             fi
          }
          
          maybe_install_tor_browser() {
             if [ -d "$tb_browser_folder" ]; then
                return 0
             fi
          
             local MSG="<p>$tb_title is currently not installed.
          <br></br>(Folder $tb_browser_folder does not exist.)</p>"
             local question="Start $tb_title Downloader (by $tb_downloader_developers developers)?"
             local button="yesno"
             local answer
             answer="$(/usr/libexec/msgcollector/generic_gui_message "error" "$TITLE" "$MSG" "$question" "$button")"
             #answer="0"
             #zenity --title="$TITLE" --question --text "$MSG" || { answer="$?" ; true; };
             ## zenity exit codes
             ## no 1

This file has been truncated. show original