Installation and Fix of i2p inside Whonix-Workstation by Default

Not sure. Not too important. If easily doable, I guess yes why not. Less questions, more out of the box experience, the better.


https://github.com/Whonix/anon-apps-config/pull/7/commits/ee06ea535b700eb9400d694b8e84405b9b98b563


OK here it is:

forward .bit 127.0.0.1:43110
forward .i2p 127.0.0.1:4444
accept-intercepted-requests 1
max-client-connections 512

Added early zeronet support too. This belonged in /etc/privoxy/config.

Any mention of custom configs leads to recommendations to edit the user.action files, which still requires editing existing files.

I experimented with creating a file with just these settings above and then installing privoxy from scratch, and dpkg would ask if I wanted to replace our existing file or use it instead. It is not sufficient on its own to make privoxy work as it needs other settings in the default config.


@HulaHoop

Is this I2Pjava or I2Pd?
Over Tor, or in parallel with Tor (over clearnet)?

If it's I2Pj, for security reasons adjust the following:

  • Remove the 127.0.0.1:4445 tunnel as 127.0.0.1:4444 is resolving TLS over it. (Legacy tunnel, thus still in the i2p console) #2562
  • Disable “shared clients” for tunnels as it will force the tunnel to use SHA-1 even if you configured it to use Ed25519-SHA-512 #2525
  • Make sure all tunnels are using the signature “Ed25519-SHA-512” (though SHA-1 is used by very old routers, and you will find them in the netDB whether you like it or not #2643)

(Others like disabling UPnP and seeding over Tor and such were, I think, already mentioned by @Goldstein.)

For usability it might be better to know that:

  • i2prouter doesn't recognize I2P running within systemctl #2324
  • configuring i2p with dpkg autostart doesn't work #2323

I2PJava over Tor

Nothing ever gets sent to port 4445 as we are using the http proxy only via privoxy.

Thanks for your suggestions, however I will defer any crypto tweaks to upstream as they might break operations. With newer versions I2P is using an improved NTCP protocol anyhow.


I found a Privoxy wrapper script designed to run it with a conf in an alternative location on Mac but it should be usable on Linux with little to no tweaking. Introducing privoxyctl. Licensed under public domain but the code is hopelessly garbled. When we straighten out the script it will be a matter of adding a default conf + my changes in /home/user/.privoxy and figuring out how to always execute the daemon with it upon start and updates.

More on privoxyctl usage here: NovoSial.org: Privoxy Configuration


/etc/privoxy/config is managed by the privoxy package postinst script in a special way, see /var/lib/dpkg/info/privoxy.postinst. Therefore the usual config-package-dev displace probably won’t work.

But I found an OK solution using an Environment= systemd unit file drop-in.

/etc/privoxy/config by Debian privoxy can stay as is. We won’t modify it. It will effectively do nothing besides lingering around there. The default privoxy instance will be reconfigured to use /etc/privoxy/config_anon-apps-config.conf. Untested, but quite confident this will work. (It doesn’t restart privoxy and I am not sure that would be sane/useful/needed. Probably better to assume anon-apps-config is already installed or the system already rebooted before privoxy starts.)

Please add privoxy config here:

anon-apps-config/etc/privoxy/config_anon-apps-config.conf at master · Whonix/anon-apps-config · GitHub

HTML issue. The source code is readable in the website’s source code. Probably not needed by us. (Running privoxy as a system daemon vs under the same user account vs installation path vs we’re not supporting multiple privoxys running at the same time.)

/var/lib/i2p/i2p-config/router.config could be troublesome as per this post. Can /etc/i2p/i2p-config/router.config or any other location in /etc be used?


https://github.com/Whonix/anon-apps-config/pull/8/commits/0384581694c33c27f4b9b2f743c4a5e9b7e0d349

I wonder if the setting confdir /etc/privoxy should be changed, or should it just work with your technique? Let’s try as is. If it doesn’t work then I’ve made a note as to why.


Should just work. confdir didn’t change.

This will be the effective settings:

cat etc/privoxy/config_anon-apps-config.conf | grep --invert-match "\#"

Grepped for everything that does not start with a hash (#).

forward .bit 127.0.0.1:43110
forward .i2p 127.0.0.1:4444
accept-intercepted-requests 1
max-client-connections 512

user-manual /usr/share/doc/privoxy/user-manual
confdir /etc/privoxy
logdir /var/log/privoxy
filterfile default.filter
logfile logfile
listen-address 127.0.0.1:8118
listen-address [::1]:8118
toggle 1
enable-remote-toggle 0
enable-remote-http-toggle 0
enable-edit-actions 0
enforce-blocks 0
buffer-limit 4096
enable-proxy-authentication-forwarding 0
forwarded-connect-retries 0
accept-intercepted-requests 0
allow-cgi-request-crunching 0
split-large-forms 0
keep-alive-timeout 5
tolerate-pipelining 1
socket-timeout 300

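As an added example (my own code, not from the thread or from anon-apps-config), a small Python checker for the listing above: it parses the directives, treats forward/listen-address style directives as accumulating and every other directive as single-valued with the last occurrence winning, and reports what privoxy would actually run with. The listing above sets accept-intercepted-requests to 1 in the first block and to 0 in the second, and the checker flags exactly that kind of duplicate. The last-wins rule and the plain suffix matching of forward patterns are my assumptions, noted in the code; the sample config is constructed from the quoted lines.

```python
"""Offline checker for the effective Privoxy settings quoted in the thread.

Added example, not code from the thread or from anon-apps-config.
Assumptions (mine, not stated on the page):
  * directives that may repeat (forward*, listen-address, actionsfile,
    filterfile, permit-access, deny-access) accumulate; any other directive
    is single-valued and its last occurrence is the one Privoxy keeps;
  * 'forward' patterns are treated as plain domain suffixes, which is enough
    for '.i2p' and '.bit' but ignores Privoxy's richer pattern syntax.
SAMPLE_CONFIG is constructed from the non-comment lines quoted in the thread.
"""

MULTI_VALUED = {
    "forward", "forward-socks4", "forward-socks4a", "forward-socks5",
    "forward-socks5t", "listen-address", "actionsfile", "filterfile",
    "permit-access", "deny-access",
}

SAMPLE_CONFIG = """\
# constructed sample: the two blocks of settings quoted in the thread
forward .bit 127.0.0.1:43110
forward .i2p 127.0.0.1:4444
accept-intercepted-requests 1
max-client-connections 512

user-manual /usr/share/doc/privoxy/user-manual
confdir /etc/privoxy
logdir /var/log/privoxy
filterfile default.filter
logfile logfile
listen-address 127.0.0.1:8118
listen-address [::1]:8118
toggle 1
enable-remote-toggle 0
enable-remote-http-toggle 0
enable-edit-actions 0
enforce-blocks 0
buffer-limit 4096
enable-proxy-authentication-forwarding 0
forwarded-connect-retries 0
accept-intercepted-requests 0
allow-cgi-request-crunching 0
split-large-forms 0
keep-alive-timeout 5
tolerate-pipelining 1
socket-timeout 300
"""


def parse_privoxy_config(text):
    """Parse config text into (single, multi, duplicates).

    single:     directive -> last value seen
    multi:      directive -> list of values in file order
    duplicates: (directive, earlier value, later value, line number) for every
                single-valued directive that was set more than once
    """
    single, multi, duplicates = {}, {}, []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue  # blank or comment, same filter as the grep in the post
        parts = line.split(None, 1)
        name = parts[0].lower()
        value = parts[1].strip() if len(parts) > 1 else ""
        if name in MULTI_VALUED:
            multi.setdefault(name, []).append(value)
        elif name in single:
            duplicates.append((name, single[name], value, lineno))
            single[name] = value  # assumption: last occurrence wins
        else:
            single[name] = value
    return single, multi, duplicates


def forward_target(multi, host):
    """Return the forward target for host, or None if no forward rule matches.

    Simplification (assumption): a pattern starting with '.' matches hosts
    ending in that suffix, and the last matching 'forward' line wins.
    """
    target = None
    for entry in multi.get("forward", []):
        pattern, _, where = entry.partition(" ")
        if pattern.startswith(".") and host.endswith(pattern):
            target = where.strip()
    return target


def check(text=SAMPLE_CONFIG):
    """Summarise what privoxy would actually run with, plus any duplicates."""
    single, multi, duplicates = parse_privoxy_config(text)
    return {
        "accept-intercepted-requests": single.get("accept-intercepted-requests"),
        "max-client-connections": single.get("max-client-connections"),
        "listen-addresses": multi.get("listen-address", []),
        "i2p-forward": forward_target(multi, "example.i2p"),
        "bit-forward": forward_target(multi, "example.bit"),
        "duplicates": duplicates,
    }


if __name__ == "__main__":
    import sys
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_CONFIG
    for key, value in check(text).items():
        print(f"{key}: {value}")
```

Run it with the path to a privoxy config file to check a real file; with no argument it checks the embedded sample.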

https://github.com/Whonix/anon-apps-config/pull/9/commits/ad24e9287d47546d774b2ac52c9702d361172dab

OK posted the barebones version.


No. It refuses to recognize any changes made in /etc/. Tried to add it to wrapper.config and same result.

It’s created by a default i2p install from scratch, even without any settings changes afterwards.


Hi Goldstein here, nice to see you working on I2P

Wouldn't it make sense to use ‘~/.i2p’ for your use case instead?

Have you guys taken a look at I2PBrowser?
geti2p(dot)net/ en/ browser
It may be easier to use in the i2p->tor case.
It needs the same config changes regular i2p needs.

AFAIK most of my old config stuff still works (at least the tor&i2p gw)

It would also make sense to set ‘i2np.laptopMode=’ to true in this use case.

‘router.sharePercentage=’ should be 0
also
‘routerconsole.welcomeWizardComplete=true’
doesn't seem to be necessary.


The Debian i2p / i2p-router package, which uses systemd to start i2p, is very unlikely to look at the ~/.i2p folder. For that, we’d need to not use the i2p-router package's systemd daemon way but start i2p manually as a user.

Merged Disable Frequent connection to news letter server by TNTBOMBOM · Pull Request #7 · Whonix/anon-apps-config · GitHub

What happens if i2p isn’t installed, the file /var/lib/i2p/i2p-config/router.config exists, and i2p is installed then? Will i2p keep /var/lib/i2p/i2p-config/router.config intact or overwrite it with the default config? If it overwrites it, there would maybe be nothing that I could do to prevent that. Let’s see.


Our changes are preserved. Only the router random key is appended to the existing config.
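As an added example of the behaviour just described (my own code, not from the thread or from anon-apps-config), the Python below merges the router.config keys proposed earlier in the thread into an existing file, leaves every other line untouched, and simulates the router appending a generated key on first start; reapplying the merge afterwards changes nothing. The properties-file format and the appended key name router.randomKey are assumptions, labelled in the code, and the sample config is constructed.

```python
"""Merge hardening keys into an I2P router.config without clobbering it.

Added example, not code from the thread or from anon-apps-config. It models
what the thread observed: keys we ship are kept and the router only appends
what it generates itself. Assumptions (mine): router.config is a Java-style
properties file with one 'key=value' per line and '#' comments; the appended
key name 'router.randomKey' is a constructed placeholder, not necessarily the
key I2P really writes.
"""

# Keys discussed in the thread for a Workstation router tunnelled over Tor.
WANTED = {
    "i2np.laptopMode": "true",
    "router.sharePercentage": "0",
    "routerconsole.welcomeWizardComplete": "true",
}

# Constructed sample of a router.config left behind by a default install.
EXISTING = """\
# I2P router configuration (constructed sample)
i2np.laptopMode=false
router.sharePercentage=80
example.unrelatedSetting=keep-me
"""


def parse_properties(text):
    """Return a dict of key -> value, ignoring comments and blank lines."""
    props = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#!":
            continue
        key, sep, value = line.partition("=")
        if not sep:
            continue  # not a key=value line; merge_properties keeps it verbatim
        props[key.strip()] = value.strip()
    return props


def merge_properties(text, wanted):
    """Apply wanted keys to text: update in place, append what is missing.

    Comments, unknown keys and ordering are preserved, so running the merge
    twice yields identical output (idempotent).
    """
    out, seen = [], set()
    for raw in text.splitlines():
        line = raw.strip()
        if line and line[0] not in "#!" and "=" in line:
            key = line.partition("=")[0].strip()
            if key in wanted:
                out.append(f"{key}={wanted[key]}")
                seen.add(key)
                continue
        out.append(raw)  # everything else passes through untouched
    for key in wanted:
        if key not in seen:
            out.append(f"{key}={wanted[key]}")
    return "\n".join(out) + "\n"


def simulate_router_start(text):
    """Mimic the router appending a generated key on first start (constructed)."""
    return text + "router.randomKey=PLACEHOLDER_GENERATED_BY_ROUTER\n"


def demo():
    """Run the thread's scenario and return the final parsed config."""
    shipped = merge_properties(EXISTING, WANTED)       # what the package ships
    after_start = simulate_router_start(shipped)       # router appends its key
    reapplied = merge_properties(after_start, WANTED)  # e.g. a package upgrade
    assert reapplied == after_start, "merge must be idempotent"
    return parse_properties(reapplied)


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}={value}")
```

The merge walks the file once and rewrites only the lines whose key it owns, which is what keeps the router's own appended entries intact across reinstalls.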


Are we not going to ship I2P by default? I was hoping to have it run out of the box and have Tahoe configured to use it too so we can implement a permanent takedown defense at least for dev-user comms.


Yes, I know this, it was just an idea so we don't use /var/lib…

The config remains

@nurmagoz

Most of these settings are meant for a GW setup; seeding and UPnP are not a worry in a WS setup.

What about the default tunnel length?
3 seems way too slow when routed through Tor; 1 or 2 would help speed and won't harm privacy (at least not more than i2p->tor already does).

Hi! Nice to see you still lurking around here :wink:

Yes already done

What does this do? Is it redundant since we disable all inbound?

If you have any advice on bandwidth settings please share. I imagine setting maximal bandwidth should help performance while not impacting I2P traffic?


https://github.com/Whonix/anon-apps-config/pull/10/commits/c9271f705a8329b81e008f0e032dd726524bbad5


Always, a muted Storm can't be stopped :wink:

Yeah, kinda redundant, but shouldn't do any harm.
Can't find the docs about that atm, but if I remember correctly it sets the upload speed or something similar.

Haven't done any testing with that setup, but I can do some tests and see if it even matters and what works best.


I see, this will make WS disastrous with adding OpenJDK and its stuff + I2Pj is a mess of combining tools which need to be disabled in order for I2P to serve well over Tor.

I have tested this; nothing is breakable because this is one of the design options within I2Pj, we are not making something outside of it.

Things also to be considered:

  • in Web Apps http://127.0.0.1:7657/configwebapps
    ** Disable autostart and stop the I2Psnark service (no torrent support over Tor)
    ** Disable autostart and stop the Imagegen service as this is used for Eepsites (if I remember). But it depends on whether Eepsites are going to be useful in our case or not.
    ** Disable autostart and stop I2PControl - Remote Control Service / json-rpc as I find it useless in our case.

  • in Network http://127.0.0.1:7657/confignet :
    ** Disable UPnP as most routers don't allow it by default and it's a security disaster anyhow (unless someone knows what he's doing).
    ** Enable Hidden mode - do not publish IP (prevents participating traffic). Yes, publishing the Tor IP address is not harmful, but an I2P router over Tor is not useful for participating anyway.
    ** IPv6 Configuration: “Prefer IPv4 over IPv6” OR “Disable IPv6”, because the default option, “Prefer IPv6 over IPv4”, is not for Tor. (Yes, Tor lately supports some IPv6, but not for the majority of its traffic.)
    ** Enable Laptop Mode: this is useful as the IP is going to change over Tor, thus changing the I2P identity as well, resulting in enhanced anonymity. (Though enabling it doesn't have the same anonymity-enhancing impact as using it over clearnet, because it's already over anonymized traffic.)
    ** UDP Configuration: Completely disable (select only if behind a firewall that blocks outbound UDP) - this is our case anyway with Tor as it completely lacks the use of UDP.

  • in Local tunnels configuration http://127.0.0.1:7657/i2ptunnelmgr
    ** Remove 127.0.0.1:4445 = useless tunnel
    ** Hidden Service/Eepsite tunnel = do we need it? Is it useful in our case? If not, please remove/disable it by default.
    ** POP3/SMTP tunnels: this really depends on whether Susimail is going to be working/useful in our scenario; if it's going to work fine then leave them, if not then remove/disable them. (Also don't forget to stop autostart of the susimail web app as well in case it's disabled.)
    ** Disable outproxies from 127.0.0.1:4444 + Shared Client ability (mentioned above)

  • in http://127.0.0.1:7657/configstats:
    ** Disable all statistics, as all of them are only for local/internal usage and won't be useful to anyone except the one who will look at them. So they consume resources by default for no needed reason.

  • in http://127.0.0.1:7657/configupdate
    ** Refresh frequency: make it never, as it takes bandwidth to always check on that, plus it's like every router in i2p every so often will hit that news URL server, which I believe is not nice to have.

This is what I believe are the hardening options when using I2Pj.

Notes:

  • I2Pd has way less headache than I2Pj, but I have doubts about their developers always doing things right or being very active.
  • Wait for the 0.9.45 version of I2Pj because it will have some good improvements (going to be released in a month or so).

Heya buddy! welcome back :blush:

Yeah, but it's still better for security/usability to modify them.

Maybe, I played with “Tunnel Options” a long time ago and it gave too many errors. I think it's better to keep the default for this.

But if we want to go deep, then we need to check whether the rest of the options are useful as well, like Count, Backup, Variance, and how much to give for each (sort of an extra headache; an upstream citation might be useful as well).
