Installation and Fix of i2p inside Whonix-Workstation by Default

Is it a matter of making sure the prefs are current and working? I can do that.

1 Like

I don’t think SecBrowser makes any sense inside Whonix. It’s branded as A Security-hardened, Non-anonymous Browser and will always prioritize clearnet browsing and security over privacy/anonymity with no regard to other goals such as i2p or ZeroNet. Using it in Whonix will lead to confusion. That’s why I hid it in Whonix by default.

What would make sense is reviewing those i2pbrowser related files. See if these make sense. Trying that out. See if it is still working. Needing any changes. And documenting it.

1 Like

Oops, I meant I2P browser when I said that

1 Like

Damn you are good +1 :slight_smile:

Will play with your fix above to see if us plebs can achieve it with manual tinkering in the meantime. But proper I2P browser with necessary settings would be amazing if you can manage it.

2 Likes

OK - you gotta step it out as I still can’t connect to eepsites.

Tell me what’s wrong. (BTW I guessed we ignore all mutedstorm changes inside Whonix-Gateway stuff - 1000 steps - since you didn’t mention it)

1. Create new whonix-ws-15 TemplateVM clone just for installing I2P

(In TemplateVM)
2. sudo apt-get update
3. sudo apt-get install i2p
4. sudo dpkg-reconfigure i2p

  • keep user as i2psvc
  • have I2P run as daemon when starting
  • have AppArmor applied
  • adjust RAM upwards e.g. 512MB

5. sudo apt-get install privoxy
6. Edit the /etc/privoxy/config add i2p forwarding

(didn’t bother with accept-intercepted-requests 1 and max-clientconnections 512 since you didn’t mention it?)

  • forward .i2p 127.0.0.1:4444

7. Forward Whonix-Workstation Ports to Whonix-Gateway local Ports

Open /etc/anon-ws-disable-stacked-tor.d/50_user.conf with an editor in the Workstation-Template and insert the following:

# Local ports to forward from the Workstation loopback to the Gateway (shell syntax; straight quotes are required)
I2P_PORTS="2827 3456 4444 4445 6668 7622 7650 7651 7654 7656 7658 7659 7660 7661 7662 8998 8118"

# $pre_command and $GATEWAY_IP are provided by the script that sources this file
for i2p_port in $I2P_PORTS ; do
$pre_command socat TCP-LISTEN:$i2p_port,fork,bind=127.0.0.1 TCP:$GATEWAY_IP:$i2p_port &
done

8. Create new AppVM (anon-whonix-I2P)

(In AppVM)

9. Launch Tor Browser
10. Change about:config settings

  • network.proxy.allow_hijacking_localhost false
  • network.proxy.share_proxy_settings true
  • extensions.torbutton.use_nontor_proxy true
  • network.proxy.http 127.0.0.1
  • network.proxy.http_port 8118
  • network.proxy.no_proxies_on 0
  • network.proxy.socks_remote_dns false
  • network.proxy.socks (blank)

11. Go to http://127.0.0.1:7657 for console setup

(Allow javascript for this I suppose)

12. Browse to main I2P Router Console page after connection speed test (which never seems to complete properly)

Network Error is:

Network: ERR-Client Manager I2CP Error - check logs

Explanatory notes say:

This is usually due to a port 7654 conflict. Check the logs to verify. Do you have another I2P instance running? Stop the conflicting program and restart I2P.

Can see a bunch of Active Peers, a small number of exploratory tunnels etc.

13. Try to connect to eepsite e.g. http://i2p-projekt.i2p/en/faq

Error appears instantly:

502
This is Privoxy 3.0.28 on localhost (127.0.0.1), port 8118, enabled
No server or forwarder data received

Your request for http://i2p-projekt.i2p/en/faq could not be fulfilled, because the connection to i2p-projekt.i2p (127.0.0.1) has been closed before Privoxy received any data for this request.

This is often a temporary failure, so you might just try again.

If you get this message very often, consider disabling connection-sharing (which should be off by default). If that doesn’t help, you may have to additionally disable support for connection keep-alive by setting keep-alive-timeout to 0.

Critical logs show:

PM CRIT [istener:7654] er.client.ClientListenerRunner: I2CP error listening to port 7654 - is another I2P instance running? Resolve conflicts and restart

PM CRIT [JettyStarter] outer.startup.RouterAppManager: Client Jetty [/var/lib/i2p/i2p-config/eepsite/jetty.xml] START_FAILED
java.io.IOException: Failed to bind to /127.0.0.1:7658
at org.eclipse.jetty.server.ServerConnector.openAcceptChannel(ServerConnector.java:346)
at org.eclipse.jetty.server.ServerConnector.open(ServerConnector.java:308)
at org.eclipse.jetty.server.AbstractNetworkConnector.doStart(AbstractNetworkConnector.java:80)
at org.eclipse.jetty.server.ServerConnector.doStart(ServerConnector.java:236)
at org.eclipse.jetty.util.component.AbstractLifeCycle.start(AbstractLifeCycle.java:68)
at org.eclipse.jetty.server.Server.doStart(Server.java:394)
at org.eclipse.jetty.util.component.AbstractLifeCycle.start(AbstractLifeCycle.java:68)
at net.i2p.jetty.JettyStart$Starter.run(JettyStart.java:138)
Caused by: java.net.BindException: Address already in use
at java.base/sun.nio.ch.Net.bind0(Native Method)
at java.base/sun.nio.ch.Net.bind(Net.java:455)
at java.base/sun.nio.ch.Net.bind(Net.java:447)
at java.base/sun.nio.ch.ServerSocketChannelImpl.bind(ServerSocketChannelImpl.java:227)
at java.base/sun.nio.ch.ServerSocketAdaptor.bind(ServerSocketAdaptor.java:80)
at org.eclipse.jetty.server.ServerConnector.openAcceptChannel(ServerConnector.java:342)

etc. (similar)

Summary

Does all this mean you have to play with all the Whonix-Gateway Steps on MutedStorm + 100 other things he mentions in Workstation etc?

If so, way too hard and no normal user will ever achieve it in Whonix i.e. I2P browser needed. Otherwise you and Patrick (population = 2) will be the only ones to ever browse I2P sites from within the Workstation. Oh yeh, and that MutedStorm guy :wink:

2 Likes
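The "Address already in use" errors on 7654 and 7658 in the logs above are consistent with step 7: the socat listeners bind the same loopback ports (4444, 7654, 7658, 8118 and the rest of I2P_PORTS) that a router running inside the Workstation needs. The script below is an added example and not part of the thread or of Whonix; it takes the port list from the post, parses listener lines in the column layout of `ss -Hltn`, and reports which I2P ports are already bound before the router is started. The listener lines embedded in it are constructed sample data, not output from a real system.

```shell
#!/bin/sh
# Ports the guide in this thread forwards with socat (copied from the post above).
I2P_PORTS="2827 3456 4444 4445 6668 7622 7650 7651 7654 7656 7658 7659 7660 7661 7662 8998 8118"

# Constructed sample in the layout of `ss -Hltn` (State Recv-Q Send-Q Local:Port Peer:Port).
# Not captured from a real machine; it models socat forwarders plus Tor's SOCKS port.
SAMPLE_LISTENERS='LISTEN 0 128 127.0.0.1:7654 0.0.0.0:*
LISTEN 0 128 127.0.0.1:7658 0.0.0.0:*
LISTEN 0 128 127.0.0.1:4444 0.0.0.0:*
LISTEN 0 128 127.0.0.1:8118 0.0.0.0:*
LISTEN 0 128 127.0.0.1:9050 0.0.0.0:*'

# Print the local port of every listener line: column 4, text after the last ':'.
# (Works for IPv6 listeners such as [::1]:7654 as well.)
listening_ports() {
    printf '%s\n' "$1" | awk '{ n = split($4, a, ":"); print a[n] }'
}

# Print, one per line and in I2P_PORTS order, every I2P port that is already bound.
# Argument: listener listing in ss -Hltn layout.
conflicting_ports() {
    bound=$(listening_ports "$1")
    for p in $I2P_PORTS; do
        for b in $bound; do
            [ "$p" = "$b" ] && printf '%s\n' "$p"
        done
    done
    return 0
}

# Live check on the current machine (needs iproute2's ss):
#   conflicting_ports "$(ss -Hltn)"
# An empty result means the router can bind all of its ports; any port printed
# must be freed (here: stop the socat forwarders) before starting i2p.
```

Run against the constructed sample the function prints 4444, 7654, 7658 and 8118, which are exactly the client proxy, I2CP, eepsite and Privoxy ports the router and Privoxy tried and failed to bind in the logs quoted above.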

No, this thread is for user -> Tor -> i2p.
i2p inside ws.

What was attempted in the other thread was Tor in parallel to i2p. user -> i2p
i2p on gw.

What’s missing here can only be something “small”. Previous instructions worked for a while. I don’t expect much changes. Doesn’t imply figuring out what’s missing is easy.

1 Like

OK what I did:

  1. Install I2P in the WS. I didn’t bother doing ‘sudo dpkg-reconfigure i2p’ though it would be needed for the service to start on reboot.

  2. sudo apt-get install privoxy

  3. Edit the /etc/privoxy/config add i2p forwarding snippet - I only added this part to the config. No trust file configuration or max client connections changes.

  4. Changed only these about:config prefs:

extensions.torbutton.use_nontor_proxy true
network.proxy.share_proxy_settings true
network.proxy.http 127.0.0.1
network.proxy.http_port 8118
network.proxy.no_proxies_on 1
network.proxy.socks_remote_dns false

  5. You should be able to connect to the console to set it up 127.0.0.1:7657. I did some things to improve perf like prefer IPv4 and disable UDP and set bandwidth quotas very high

Once the shared client tunnels turn green it should be connected and you can test by connecting to echelon.i2p


The stuff with port forwarding was in the case of running I2P on the GW. Won’t be relevant to us ever.

I am prepared to maintain the prefs for this script, however I believe the lack of packaging is what is preventing its inclusion? (@Patrick)

I2P has some very interesting applications and services that can solve problems like permanent take down attacks, distributed Email and so on. It’s a real jewel.

1 Like
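What makes the Privoxy recipe above work as a multiplexer is that only hosts matching `.i2p` are handed to the I2P HTTP proxy on 127.0.0.1:4444, while everything else (including the router console on 127.0.0.1:7657) keeps Privoxy's default `forward / .`, i.e. a direct connection. The script below is an added example, not part of the thread, Privoxy or Whonix: it models that rule lookup in shell so you can check which upstream a given host would get before pointing a browser at port 8118. It is an assumption that the simplified matcher (leading dot means "host ends with", `/` matches every host, last matching line wins) is all that is needed for these two rules; Privoxy's real pattern syntax is richer.

```shell
#!/bin/sh
# Constructed Privoxy forward section: the default direct rule plus the .i2p rule from the thread.
PRIVOXY_FORWARDS='forward / .
forward .i2p 127.0.0.1:4444'

# match_pattern PATTERN HOST: exit 0 if HOST matches PATTERN under the simplified rules:
#   "/"        path-only pattern, matches every host
#   ".suffix"  matches any host that ends with .suffix
#   anything else is an exact host match
match_pattern() {
    case "$1" in
        /)  return 0 ;;
        .*) case "$2" in *"$1") return 0 ;; esac ;;
        *)  [ "$2" = "$1" ] && return 0 ;;
    esac
    return 1
}

# resolve_forward HOST: print the upstream Privoxy would use for HOST.
# "." means no forwarder, i.e. Privoxy connects directly (Privoxy's own notation).
# Later matching lines override earlier ones, as in Privoxy's config processing.
resolve_forward() {
    upstream='.'
    while read -r keyword pattern target; do
        [ "$keyword" = forward ] || continue
        if match_pattern "$pattern" "$1"; then
            upstream=$target
        fi
    done <<EOF
$PRIVOXY_FORWARDS
EOF
    printf '%s\n' "$upstream"
}

# Examples:
#   resolve_forward i2p-projekt.i2p   -> 127.0.0.1:4444 (eepsite goes to the I2P proxy)
#   resolve_forward 127.0.0.1         -> .              (router console stays direct)
```

Because the console host falls through to `.`, a browser proxying everything to 8118 can still reach 127.0.0.1:7657, which is the behaviour the current i2pbrowser profile (all traffic to 4444) lacks, as the "Local Access" error later in this thread shows.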

Did you look into existing i2pbrowser? (Even included in stable Whonix.)

Did you look at these files from post Installation and Fix of i2p inside Whonix-Workstation by Default - #20 by Patrick?

Please look at all of these files and send pull requests wherever changes are required.

tb-starter/usr/share/tb-profile-i2p/profile.i2p/user.js at master · Kicksecure/tb-starter · GitHub already has prefs. Why not add there?

Also tb-starter/usr/share/tb-profile-i2p/profile.i2p/user.js at master · Kicksecure/tb-starter · GitHub has a ton of noscript and https everywhere settings. Is that really necessary?

What changed in i2p so we now have to resurrect old privoxy? Ideally avoided. I guess the days of privoxy are counted. It’s from a time where there wasn’t much https. And a local proxy outside of the browser cannot filter https which nowadays is almost everything (non-https even gets google seo score reduction).

OK - that works!! Great. :smile:

The only thing was in Qubes-Whonix, I needed to run sudo dpkg-reconfigure i2p step, or I couldn’t connect to the I2P router console at all.

Also, we need to warn users that it can take 10 minutes or more to get stable, established tunnels before you can start connecting to eepsites.

I blocked UDP and preferred IPv4 as well, and majorly bumped up bandwidth before I got any stable connections to various .i2p sites.

What do you think we should be recommending for in/out so people don’t have issues for that (how many kb/sec?). I just randomly put in large values until it worked…

Let me know what you think on above points and I’ll fix up the wiki entry over the weekend.

1 Like

I had no idea. How do you activate the profile?

Yes this is the ideal place.

No I think it was some optimizations @eyedeekay did to improve sec as fingerprints between i2p and tbb will differ anyhow.

Nothing. I’ll test and confirm once I know how to activate the profile. The whole point was to allow i2pbrowser to be able to open multiple different domains in the future simultaneously without having to change prefs for every different network client

1 Like

Alright let’s include this step for sure.

Why not? A dialog on i2p first run.

We’d need to ship an optimized config then.

I pushed it up to 9999s and let it rip.

1 Like

in theory, run

i2pbrowser

Please remove then. Happy you like to take over maintenance of that component. Please edit/remove anything from these config files. Anything that you don’t understand either ask and/or remove.

1 Like

Could you review I2P: Difference between revisions - Whonix please?

1 Like

Looks good. Steps like privoxy and prefs could be omitted once I get around to testing i2pbrowser.

1 Like

Tested i2pbrowser with a clean install of TBB just to be sure. It works seamlessly out of the box despite being developed a while ago.

I found the rationale for HTTPSEverywhere and NoScript custom settings in that thread:

On the bright side, though, the settings are preserved and I think I can sidestep the parts of torlauncher not relevant to i2p by pre-configuring to disable the plugin instead of removing it. I don’t think leaving https-everywhere in will do anything bad, I’m still able to browse eepSites and not seeing any attempt to connect to the Observatory or any other clearnet resource. The meek http helper folder is not added back in by an update.

Edit: I’ve re-incorporated the extensions that I had deleted before, and instead I’ve set them to use custom preferences that won’t interfere with i2p. TorLauncher is configured to not attempt to start tor or use a bridge, and I’ve explicitly disabled automatic ruleset updates and contact with the SSL Observatory in HTTPS-Everywhere just in case. Settings also appear to be preserved across updates here. HTTPS-Everywhere has support for custom proxies, that might be something worth exploring. Besides that they seem to be working and updates have nothing to silently add anymore since it’s been left in and pre-configured.

The only problem I come across is the inability to access the I2P console because it forbids connecting from 4444. Also accessing alternative proxy/client is likely impossible - will test and report back.

Error: Local Access

Your browser is misconfigured. Do not use the proxy to access the router console, localhost, or local LAN destinations.

EDIT:

i2pbrowser profile seamlessly survives TBB updates 9.0.1 → 9.0.2

No access to the Freenet console possible or any proxy other than 127.0.0.1:4444

1 Like

@Patrick are you saying the privoxy approach is non-viable in the long term? I don’t see how they can realistically mandate ssl for local connections - that would break a ton of things.

The current i2pbrowser kills any proxy multiplexing we need for maximum functionality instead of having to come up with a third browser config for zeronet, Freenet and whatever else or even to configure I2P Itself.

Yes. I don’t see that coming either.

Yes. I guess privoxy might be abandoned soon. privoxy’s main use case was filtering the web which is getting less and less possible due to https everywhere for the web. Nowadays addons such as adblock plus / edge have to do that job. The ability to use privoxy for stuff like localhost / i2p seems to be just a by-product of privoxy.

Sure. Feel free to reconfigure/rename/rebrand.

The next option that makes sense is to include a web addon and point i2p-TBB to it somehow to manage multiple proxies - hopefully with a default config included with all the clients we want to support.

This is GPL licensed and doesn’t have the advertising crap foxyproxy comes with.

I was thinking of calling it local browser but I’m not sure the amount of effort in renaming everything in i2pbrowser script is worth it?

1 Like

Probably worth it. Not just a local browser? Are there some use cases where it would be used for non-local connection too? Any connections to clearnet or onions?

1 Like

That’s just a placeholder. The name is not that great as you pointed out - because it implies lack of support for these other scenarios.

1 Like