Installation and Fix of i2p inside Whonix-Workstation by Default

Yes, sudo apt-get update, sudo apt-get install i2p, sudo dpkg-reconfigure i2p in TemplateVM in Qubes. I would hope that step sudo dpkg-reconfigure i2p isn’t even required anymore now that there is a package from packages.debian.org.

The good news is I discovered this new setting that needs to be disabled to access the console on localhost:

network.proxy.allow_hijacking_localhost -> false

The bad news is no eepsites are reachable at all despite tunnels being formed. Maybe this needs privoxy to work? Will dig more.

1 Like

Not working with privoxy either or after tweaking a lot of settings. I’m out of ideas. The connectivity is absolute shit. No tunnels are forming to sustain a healthy connection.

1 Like

Anything in logs? Clock too inaccurate due to sdwdate? Debian package i2p version too outdated for the network?

OK - I can’t connect to any .i2p sites either.

  1. Downloaded sid I2P version (v9.42 instead of v9.38 in Buster stable) (required dependency libjbigi-jni first before installing I2P)
  2. sudo dpkg-reconfigure I2P
  3. couldn’t connect to anything (Nyx logs show “Have tried resolving or connecting to address [scrubbed] at 3 different places. Giving up.”)
  4. re-ran sudo dpkg-reconfigure I2P and disabled the AppArmor setting
  5. service status check on command line shows I2P is running okay
  6. I can see lots of peers etc. but the main error in router config section is “Network ERR-UDP disabled and inbound TCP host/port not set”
  7. They suggest: “You have not configured an inbound TCP with a hostname and port on the Network config page, however you have disabled UDP. Therefore your router cannot accept inbound connections. Please configure a TCP host and port on the Network configuration page or enable UDP”
  8. Played with various I2P router network settings e.g. enable/disable UDP, prefer IPv4 or IPv6, set TCP ports etc. then reset the connection.

But you can never get a connection to work to any I2P site - Tor Browser says “Error connecting to site XYZ. Try again later etc.” Nyx keeps showing the same error “Have tried resolving or connecting to address [scrubbed] at 3 different places. Giving up.” over and over.

Annoying.

  • Do we have to set up something special in the I2P router network config or something else?
  • More Tor Browser config tweaks?
  • Too much clock skew? (they do warn about that needing to be very accurate in their FAQ somewhere - could be the source of the problem)
  • Maybe we’d have better luck with latest version 9.44 directly from I2P website? But I doubt it.

Doesn’t like something about being tunneled over Tor and/or something in Whonix config.

2 Likes

It did not use to be that way. Perhaps they changed something that depends on UDP? Can you please try with a VPN (if you can)?

It would have been the case if it was properly connecting but .i2p pages don’t open - but not the case here.

Was a common error, but never fatal in the past.

1 Like

Update:

Some progress. Got I2P to connect to its network. Some optimized settings probably help performance and tunnel setup speed. No VPN hack needed.

The TBB -> localhost:4444 step is broken because of some internal changes in Tor Browser. I confirmed it is working in plain firefox.

1 Like

I want to see if secbrowser doesn’t need as much work to get it working. I’ve installed it in the WS but no icon for it anywhere appears.

1 Like

That’s a “feature” to avoid showing up in Whonix.

The secbrowser package is just a metapackage. The “hidden” scripts can be run from here for testing:

/usr/share/anon-apps-config/usr++bin++secbrowser
/usr/share/anon-apps-config/usr++bin++download-secbrowser
1 Like

Setting:
extensions.torbutton.use_nontor_proxy true

Allows an I2P page to show up with this message:

The website was not reachable. The website is offline, there is network congestion, or your router is not yet well-integrated with peers. You may want to retry.

EDIT:

It works!

After changing:
network.proxy.share_proxy_settings true


Other settings:

network.proxy.http 127.0.0.1
network.proxy.http_port 8118
network.proxy.no_proxies_on 1
network.proxy.socks_remote_dns false

Privoxy installed and configured with forwarding settings from:

1 Like

Secbrowser download attempt

user@host:~$ sudo sh /usr/share/anon-apps-config/usr++bin++download-secbrowser
/usr/share/anon-apps-config/usr++bin++download-secbrowser: 10: /usr/share/anon-apps-config/usr++bin++download-secbrowser: source: not found

1 Like

Got I2P + TBB working, see second post above.

I hope we can get this scripted and have I2P and a configured privoxy included OOTB to transform TBB into an I2P Browser on demand in a dedicated snapshot.

1 Like

It’s bash. Not sh. And thanks to shebang neither sh nor bash needs to be prepended. Running a bash script with sh will break.

source: not found

sh doesn’t know command source.

Also no sudo required.


This approach may be better to restore SecBrowser in Whonix.

sudo dpkg-divert --rename --remove /usr/share/applications/secbrowser.desktop
sudo dpkg-divert --rename --remove /usr/bin/secbrowser
sudo dpkg-divert --rename --remove /usr/bin/download-secbrowser

Won’t survive upgrades.

1 Like

There is i2pbrowser but nobody maintaining it.




1 Like

Is it a matter of making sure the prefs are current and working? I can do that.

1 Like

I don’t think SecBrowser makes any sense inside Whonix. It’s branded as A Security-hardened, Non-anonymous Browser and will always prioritize clearnet browsing and security over privacy/anonymity with no regard to other goals such as i2p or ZeroNet. Using it in Whonix will lead to confusion. That’s why I did hide it in Whonix by default.

What would make sense is reviewing those i2pbrowser related files. See if these make sense. Trying that out. See if it is still working. Needing any changes. And documenting it.

1 Like

Oops, I meant I2P browser when I said that

1 Like

Damn you are good +1 :slight_smile:

Will play with your fix above to see if us plebs can achieve it with manual tinkering in the meantime. But proper I2P browser with necessary settings would be amazing if you can manage it.

2 Likes

OK - you gotta step it out as I still can’t connect to eepsites.

Tell me what’s wrong. (BTW I guessed we ignore all mutedstorm changes inside Whonix-Gateway stuff - 1000 steps - since you didn’t mention it)

1. Create new whonix-ws-15 TemplateVM clone just for installing I2P

(In TemplateVM)
2. sudo apt-get update
3. sudo apt-get install i2p
4. sudo dpkg-reconfigure i2p

  • keep user as i2psvc
  • have I2P run as daemon when starting
  • have AppArmor applied
  • adjust RAM upwards e.g. 512MB

5. sudo apt-get install privoxy
6. Edit /etc/privoxy/config to add i2p forwarding

(didn’t bother with accept-intercepted-requests 1 and max-clientconnections 512 since you didn’t mention it?)

  • forward .i2p 127.0.0.1:4444

7. Forward Whonix-Workstation Ports to Whonix-Gateway local Ports

Open /etc/anon-ws-disable-stacked-tor.d/50_user.conf with an editor in the Workstation-Template and insert the following:

I2P_PORTS="2827 3456 4444 4445 6668 7622 7650 7651 7654 7656 7658 7659 7660 7661 7662 8998 8118"

for i2p_port in $I2P_PORTS ; do
    $pre_command socat TCP-LISTEN:$i2p_port,fork,bind=127.0.0.1 TCP:$GATEWAY_IP:$i2p_port &
done

8. Create new AppVM (anon-whonix-I2P)

(In AppVM)

9. Launch Tor Browser
10. Change about:config settings

  • network.proxy.allow_hijacking_localhost false
  • network.proxy.share_proxy_settings true
  • extensions.torbutton.use_nontor_proxy true
  • network.proxy.http 127.0.0.1
  • network.proxy.http_port 8118
  • network.proxy.no_proxies_on 0
  • network.proxy.socks_remote_dns false
  • network.proxy.socks (blank)

11. Go to http://127.0.0.1:7657 for console setup

(Allow javascript for this I suppose)

12. Browse to main I2P Router Console page after connection speed test (which never seems to complete properly)

Network Error is:

Network: ERR-Client Manager I2CP Error - check logs

Explanatory notes say:

This is usually due to a port 7654 conflict. Check the logs to verify. Do you have another I2P instance running? Stop the conflicting program and restart I2P.

Can see a bunch of Active Peers, a small number of exploratory tunnels etc.

13. Try to connect to eepsite e.g. http://i2p-projekt.i2p/en/faq

Error appears instantly:

502
This is Privoxy 3.0.28 on localhost (127.0.0.1), port 8118, enabled
No server or forwarder data received

Your request for http://i2p-projekt.i2p/en/faq could not be fulfilled, because the connection to i2p-projekt.i2p (127.0.0.1) has been closed before Privoxy received any data for this request.

This is often a temporary failure, so you might just try again.

If you get this message very often, consider disabling connection-sharing (which should be off by default). If that doesn’t help, you may have to additionally disable support for connection keep-alive by setting keep-alive-timeout to 0.

Critical logs show:

PM CRIT [istener:7654] er.client.ClientListenerRunner: I2CP error listening to port 7654 - is another I2P instance running? Resolve conflicts and restart

PM CRIT [JettyStarter] outer.startup.RouterAppManager: Client Jetty [/var/lib/i2p/i2p-config/eepsite/jetty.xml] START_FAILED
java.io.IOException: Failed to bind to /127.0.0.1:7658
at org.eclipse.jetty.server.ServerConnector.openAcceptChannel(ServerConnector.java:346)
at org.eclipse.jetty.server.ServerConnector.open(ServerConnector.java:308)
at org.eclipse.jetty.server.AbstractNetworkConnector.doStart(AbstractNetworkConnector.java:80)
at org.eclipse.jetty.server.ServerConnector.doStart(ServerConnector.java:236)
at org.eclipse.jetty.util.component.AbstractLifeCycle.start(AbstractLifeCycle.java:68)
at org.eclipse.jetty.server.Server.doStart(Server.java:394)
at org.eclipse.jetty.util.component.AbstractLifeCycle.start(AbstractLifeCycle.java:68)
at net.i2p.jetty.JettyStart$Starter.run(JettyStart.java:138)
Caused by: java.net.BindException: Address already in use
at java.base/sun.nio.ch.Net.bind0(Native Method)
at java.base/sun.nio.ch.Net.bind(Net.java:455)
at java.base/sun.nio.ch.Net.bind(Net.java:447)
at java.base/sun.nio.ch.ServerSocketChannelImpl.bind(ServerSocketChannelImpl.java:227)
at java.base/sun.nio.ch.ServerSocketAdaptor.bind(ServerSocketAdaptor.java:80)
at org.eclipse.jetty.server.ServerConnector.openAcceptChannel(ServerConnector.java:342)

etc. (similar)

Summary

Does all this mean you have to play with all the Whonix-Gateway Steps on MutedStorm + 100 other things he mentions in Workstation etc?

If so, way too hard and no normal user will ever achieve it in Whonix i.e. I2P browser needed. Otherwise you and Patrick (population = 2) will be the only ones to ever browse I2P sites from within the Workstation. Oh yeh, and that MutedStorm guy :wink:

2 Likes
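
A way to check which process holds the ports named in the I2CP and Jetty bind errors in the post above, shown as an added example that is not part of the original thread: it maps each port in the step 7 I2P_PORTS list to the process listening on it, using ss output. The function name port_owners and the sample listener lines (process names, pids) are constructed for illustration.

```shell
#!/bin/sh
# Added example, not from the thread: report which process listens on each watched port.
# Port list copied from step 7 of the post above.
I2P_PORTS="2827 3456 4444 4445 6668 7622 7650 7651 7654 7656 7658 7659 7660 7661 7662 8998 8118"

# port_owners PORTS
# Reads `ss -Hltnp` output on stdin and prints "port owner" for every listener
# whose local port is in PORTS. Owner is "unknown" when ss shows no process
# (which happens when ss runs without root for another user's socket).
port_owners() {
    awk -v ports="$1" '
        BEGIN { n = split(ports, p, " "); for (i = 1; i <= n; i++) watch[p[i]] = 1 }
        {
            port = ""
            # The local address is the first field ending in ":<digits>";
            # the peer column of a listener ends in ":*".
            for (f = 1; f <= NF; f++)
                if ($f ~ /:[0-9]+$/) { port = $f; sub(/.*:/, "", port); break }
            if (!(port in watch)) next
            owner = "unknown"
            if (match($0, /\(\("[^"]+"/))
                owner = substr($0, RSTART + 3, RLENGTH - 4)
            print port, owner
        }'
}

# Constructed sample of `ss -Hltnp` output (not captured from a real system).
SAMPLE_SS='LISTEN 0 5 127.0.0.1:7654 0.0.0.0:* users:(("socat",pid=812,fd=5))
LISTEN 0 5 127.0.0.1:7658 0.0.0.0:* users:(("socat",pid=815,fd=5))
LISTEN 0 50 [::ffff:127.0.0.1]:7657 *:* users:(("java",pid=1290,fd=98))
LISTEN 0 50 [::ffff:127.0.0.1]:4444 *:* users:(("java",pid=1290,fd=101))
LISTEN 0 128 127.0.0.1:4445 0.0.0.0:*
LISTEN 0 128 127.0.0.1:8118 0.0.0.0:* users:(("privoxy",pid=640,fd=4))'

printf '%s\n' "$SAMPLE_SS" | port_owners "$I2P_PORTS"

# On a live system, run as root so that ss can show the owning process:
#   sudo ss -Hltnp | port_owners "$I2P_PORTS"
```

A port that the I2P router logs as failing to bind (7654, 7658) and that this output attributes to a process other than the router's own is the conflicting listener the console message refers to.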

No, this thread is for user -> Tor -> i2p.
i2p inside ws.

What was attempted in the other thread was Tor in parallel to i2p. user -> i2p
i2p on gw.

What’s missing here can only be something “small”. Previous instructions worked for a while. I don’t expect much changes. Doesn’t imply figuring out what’s missing is easy.

1 Like