Not sure. Not too important. If easily doable, I guess yes, why not. Fewer questions and more of an out-of-the-box experience, the better.
OK here it is:
forward .bit 127.0.0.1:43110
forward .i2p 127.0.0.1:4444
accept-intercepted-requests 1
max-client-connections 512
Added early zeronet support too. This belonged in /etc/privoxy/config.
Any mention of custom configs leads to recommendations to edit the user.action files, which still requires editing existing files.
I experimented with creating a file with just these settings above and then installing privoxy from scratch, and dpkg would ask if I wanted to replace our existing file or use it instead. It is not sufficient on its own to make privoxy work as it needs other settings in the default config.
Is this I2Pjava or I2Pd?
over Tor or parallel with Tor (over clearnet)?
If it's I2Pj, for security reasons adjust the following:
- Remove the 127.0.0.1:4445 tunnel, as 127.0.0.1:4444 is resolving TLS over it. (Legacy tunnel, thus still in the i2pconsole) #2562
- Disable "shared clients" for tunnels, as it will switch the tunnel by force to use SHA-1 even if you configured it to use Ed25519-SHA-512 #2525
- Make sure all tunnels use the signature "Ed25519-SHA-512" (though SHA-1 is used by very old routers; you will find them in the netDB whether you like it or not #2643)
(others like disabling UPNP and seeding over Tor and such I think were already mentioned by @Goldstein)
For usability it might be better to know that:
I2PJava over Tor
Nothing ever gets sent to port 4445 as we are using the http proxy only via privoxy.
Thanks for your suggestions however I will defer any crypto tweaks to upstream as it might break operations. With newer versions I2P is using an improved NTCP protocol anyhow.
I found a Privoxy wrapper script designed to run it with a conf in an alternative location on Mac but it should be usable on Linux with little to no tweaking. Introducing privoxyctl. Licensed under public domain but the code is hopelessly garbled. When we straighten out the script it will be a matter of adding a default conf + my changes in /home/user/.privoxy and figuring out how to always execute the daemon with it upon start and updates.
More on privoxyctl usage here: NovoSial.org: Privoxy Configuration
/etc/privoxy/config is managed by the privoxy package postinst script in a special way, see /var/lib/dpkg/info/privoxy.postinst. Therefore the usual config-package-dev displace probably won't work.
But I found an OK solution using an Environment= systemd unit file drop-in.
/etc/privoxy/config by Debian privoxy can stay as is. We won't modify it. It will effectively do nothing besides linger around there. The default privoxy instance will be reconfigured to use /etc/privoxy/config_anon-apps-config.conf. Untested but quite confident this will work. (It doesn't restart privoxy and I am not sure that would be sane/useful/needed. Probably better to assume anon-apps-config is already installed or the system already rebooted before privoxy starts.)
Please add privoxy config here:
Html issue. The source code is readable in the website source code. Probably not needed by us. (Running privoxy as system daemon vs under same user account vs installation path vs we're not supporting multiple privoxys running at the same time.)
/var/lib/i2p/i2p-config/router.config could be troublesome as per this post. Can /etc/i2p/i2p-config/router.config or any other location in /etc be used?
https://github.com/Whonix/anon-apps-config/pull/8/commits/0384581694c33c27f4b9b2f743c4a5e9b7e0d349
I wonder if the setting confdir /etc/privoxy should be changed or should it just work with your technique? Let's try as is. If it doesn't work then I've made a note as to why.
Should just work. confdir didn't change.
This will be the effective settings:
cat etc/privoxy/config_anon-apps-config.conf | grep --invert-match "\#"
Grepped for everything that does not start with a hash (#).
forward .bit 127.0.0.1:43110
forward .i2p 127.0.0.1:4444
accept-intercepted-requests 1
max-client-connections 512
user-manual /usr/share/doc/privoxy/user-manual
confdir /etc/privoxy
logdir /var/log/privoxy
filterfile default.filter
logfile logfile
listen-address 127.0.0.1:8118
listen-address [::1]:8118
toggle 1
enable-remote-toggle 0
enable-remote-http-toggle 0
enable-edit-actions 0
enforce-blocks 0
buffer-limit 4096
enable-proxy-authentication-forwarding 0
forwarded-connect-retries 0
accept-intercepted-requests 0
allow-cgi-request-crunching 0
split-large-forms 0
keep-alive-timeout 5
tolerate-pipelining 1
socket-timeout 300
https://github.com/Whonix/anon-apps-config/pull/9/commits/ad24e9287d47546d774b2ac52c9702d361172dab
OK posted the barebones version.
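The effective config above is the concatenation of the anon-apps-config lines and the Debian defaults, which is why accept-intercepted-requests shows up twice with different values. The following is an added example (not code from the thread or from anon-apps-config) that parses a Privoxy-style config the same way the grep above does, skipping comment lines, and runs the checks a reviewer would want before shipping it: conflicting repeats of single-valued directives, listen addresses that are not loopback, remote-control toggles left enabled, and the expected forward rules for .i2p and .bit. The sample config text is constructed from the post's non-comment lines; the set of multi-valued directives and the checklist itself are this example's own assumptions.

```python
"""Parse a Privoxy-style config and run a small consistency/hardening check.

Added example for this thread, not code from the post or from anon-apps-config.
SAMPLE_CONFIG is constructed from the non-comment lines listed in the post;
which directives count as multi-valued and what the checklist expects are
this example's own assumptions.
"""
import ipaddress

# Directives Privoxy accepts more than once (assumption: list from memory).
# Any other directive that appears twice with different values is reported so
# the reader can verify which one the running proxy actually applies.
MULTI_VALUED = {
    "forward", "forward-socks4", "forward-socks4a", "forward-socks5",
    "forward-socks5t", "listen-address", "actionsfile", "filterfile",
    "permit-access", "deny-access",
}

# Remote-control switches that the posted config keeps at 0; 0 is the safe value.
MUST_BE_OFF = ("enable-remote-toggle", "enable-remote-http-toggle", "enable-edit-actions")

SAMPLE_CONFIG = """\
# constructed from the post's grep output; comment lines like this are skipped
forward .bit 127.0.0.1:43110
forward .i2p 127.0.0.1:4444
accept-intercepted-requests 1
max-client-connections 512
confdir /etc/privoxy
listen-address 127.0.0.1:8118
listen-address [::1]:8118
enable-remote-toggle 0
enable-remote-http-toggle 0
enable-edit-actions 0
accept-intercepted-requests 0
"""


def parse_privoxy_config(text):
    """Return {directive: [value, ...]} in file order, skipping blanks and '#' lines."""
    directives = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split(None, 1)
        value = parts[1].strip() if len(parts) > 1 else ""
        directives.setdefault(parts[0].lower(), []).append(value)
    return directives


def listen_host(addr):
    """Host part of a listen-address: '127.0.0.1:8118' -> '127.0.0.1', '[::1]:8118' -> '::1'."""
    if addr.startswith("["):
        return addr[1:addr.index("]")]
    if addr.count(":") > 1:          # bare IPv6 literal without a port
        return addr
    return addr.rsplit(":", 1)[0]


def check_config(directives):
    """Return (findings, forward_targets); an empty findings list means every check passed."""
    findings = []
    for name, values in directives.items():
        if name not in MULTI_VALUED and len(set(values)) > 1:
            findings.append(f"{name} is set more than once with different values {values}; "
                            "verify which one the proxy applies")
    for addr in directives.get("listen-address", []):
        host = listen_host(addr)
        try:
            if not ipaddress.ip_address(host).is_loopback:
                findings.append(f"listen-address {addr} is reachable from beyond loopback")
        except ValueError:
            findings.append(f"listen-address {addr} is not an IP literal; confirm it is loopback")
    for name in MUST_BE_OFF:
        if directives.get(name, ["0"])[-1] != "0":
            findings.append(f"{name} should be 0")
    targets = {}
    for rule in directives.get("forward", []):
        pattern, _, dest = rule.partition(" ")
        targets[pattern] = dest.strip()
    for suffix in (".i2p", ".bit"):
        if suffix not in targets:
            findings.append(f"no forward rule for {suffix}")
    return findings, targets


if __name__ == "__main__":
    found, fwd = check_config(parse_privoxy_config(SAMPLE_CONFIG))
    print("forward targets:", fwd)
    for item in found:
        print("finding:", item)
```

Run against the posted config it reports exactly one finding, the doubled accept-intercepted-requests, and confirms both listen addresses are loopback and both forward rules are present; feed it a config with listen-address 0.0.0.0:8118 and it flags the exposure instead.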
No. It refuses to recognize any changes made in /etc/. Tried to add it to wrapper.config and same result.
It's created by a default i2p install from scratch, even without any settings changes after.
Hi Goldstein here, nice to see you working on I2P
Wouldn't it make sense to use "~/.i2p" for your use case instead?
Have you guys taken a look at I2PBrowser?
geti2p(dot)net/ en/ browser
It may be easier to use in the i2p->tor case.
It needs the same config changes regular i2p needs.
AFAIK most of my old config stuff still works (at least the tor&i2p gw)
It would also make sense to set "i2np.laptopMode=" to true in this use case.
"router.sharePercentage=" should be 0
also
"routerconsole.welcomeWizardComplete=true"
doesn't seem to be necessary.
The Debian i2p / i2p-router package, which is using systemd to start i2p, is very unlikely to look at the ~/.i2p folder. For that, we'd need to not use the i2p-router package systemd daemon way but start i2p manually as user.
What happens if i2p isn't installed, file /var/lib/i2p/i2p-config/router.config exists and i2p is installed then? Will i2p keep /var/lib/i2p/i2p-config/router.config intact or overwrite it with the default config? If it overwrites it, there would maybe be nothing that I could do to prevent that. Let's see.
Our changes are preserved. Only the router randomkey is appended to the existing config.
Are we not going to ship I2P by default? I was hoping to have it run out of the box and have Tahoe configured to use it too so we can implement a permanent takedown defense at least for dev-user comms.
Yes I know this, it was just an idea so we don't use /var/lib...
The config remains
Most of these settings are meant for a GW setup; seeding and UPNP are not a worry in a WS setup.
What about the default tunnel length?
3 seems way too slow when routed through tor, 1 or 2 would help speed and won't harm privacy (at least not more than i2p->tor already does)
Hi! Nice to see you still lurking around here
Yes already done
What does this do? Is it redundant since we disable all inbound?
If you have any advice on bandwidth settings please share. I imagine setting maximal bandwidth should help performance while not impacting I2P traffic?
Always, a muted Storm can't be stopped
Yeah, kinda redundant, but shouldn't do any harm.
Can't find the docs about that atm, but if I remember correctly it sets the upload speed or something similar.
Haven't done any testing with that setup but I can do some tests and see if it even matters and what works best.
I see, this will make WS disastrous with adding OpenJDK and its stuff + I2Pj is a mess of combining tools which need to be disabled in order for I2P to serve well over Tor.
I have tested this, nothing is breakable because this is one of the design options within I2Pj; we are not making something outside of it.
Things also to be considered:
- in Web Apps http://127.0.0.1:7657/configwebapps
** Disable autostart and stop I2Psnark service (no torrent support over Tor)
** Disable autostart and stop Imagegen service as this is used for Eepsites (if I remember). But it depends on whether Eepsites are going to be useful in our case or not.
** Disable autostart and stop I2PControl - Remote Control Service / json-rpc as I find it useless in our case.
- in Network http://127.0.0.1:7657/confignet :
** Disable UPnP as most routers don't allow it by default and it's a security disaster anyhow (unless someone knows what he's doing).
** Enable Hidden mode - do not publish IP (prevents participating traffic). Yes, publishing the Tor IP address is not harmful, but an I2P router over Tor is not useful for participating anyway.
** IPv6 Configuration: "Prefer IPv4 over IPv6" OR "Disable IPv6", because the default option, "Prefer IPv6 over IPv4", is not for Tor. (Yes, Tor lately supports some IPv6, but not the majority of its traffic.)
** Enable Laptop Mode: This is useful as the IP is going to change over Tor, thus changing the I2P identity as well, resulting in enhanced anonymity. (Though enabling it doesn't have the same anonymity-enhancement impact as using it over clearnet, because it's already over anonymized traffic.)
** UDP Configuration: Completely disable (select only if behind a firewall that blocks outbound UDP) - This is our case anyway with Tor as it completely lacks the use of UDP.
- in Local tunnels configurations http://127.0.0.1:7657/i2ptunnelmgr
** Remove 127.0.0.1:4445 = useless tunnel
** Hidden Service/Eepsite tunnel = do we need it? Is it useful in our case? If not, please remove/disable by default.
** POP3/SMTP tunnels: This really depends on whether Susimail is going to be working/useful in our scenario; if it is going to work fine then leave them, if not then remove/disable them. (Also don't forget to stop autostart of the susimail web app as well in case it is disabled.)
** Disable out proxies from 127.0.0.1:4444 + Shared Client ability (mentioned above)
- in http://127.0.0.1:7657/configstats:
** Disable all statistics, as all of them are only for local/internal usage and won't be useful to anyone except the one who will look at them. So they consume resources by default for no needed reason.
- in http://127.0.0.1:7657/configupdate
** Refresh frequency: make it never, as it takes bandwidth to always check on that, plus every router in i2p will hit that news URL server every so often, which I believe is not nice to have.
These are what I believe are the hardening options when using I2Pj.
Notes:
- I2Pd has way less headache than I2Pj, but I doubt their developers always do things right or are very active.
- Wait for 0.9.45 version of I2Pj because it will have some good improvements (gonna be released in one month or so).
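The thread settled on pre-seeding /var/lib/i2p/i2p-config/router.config and relying on I2P preserving it and only appending its own random key, and the posts above list the settings worth pre-seeding (laptop mode, share percentage 0, welcome wizard complete, plus the console options to disable UPnP, enable hidden mode and turn off UDP). The following is an added example (not code from the thread or from anon-apps-config) of the merge a shipping script should do: rewrite the keys we care about in place, append the ones the file lacks, and leave every other line, comments and the router's random key included, untouched, so the operation is safe to rerun on package upgrades. The three keys that appear verbatim in the thread are marked as such; the other three are the router.config keys I believe I2P uses for the listed console options and are an assumption to verify against the router's /configadvanced page. The sample router.config is constructed.

```python
"""Merge hardened settings into an I2P router.config without clobbering the rest.

Added example for this thread, not code from the post or from anon-apps-config.
Keys marked FROM_THREAD appear verbatim in the thread; the keys marked
"assumed" are what I believe I2P uses for the console options the post lists
(verify on /configadvanced). SAMPLE_ROUTER_CONFIG is a constructed sample.
"""

HARDENED = {
    "i2np.laptopMode": "true",                      # FROM_THREAD: enable laptop mode
    "router.sharePercentage": "0",                  # FROM_THREAD: no participating bandwidth
    "routerconsole.welcomeWizardComplete": "true",  # FROM_THREAD: skip the console wizard
    "i2np.upnp.enable": "false",                    # assumed key for "Disable UPnP"
    "router.hiddenMode": "true",                    # assumed key for "Enable Hidden mode"
    "i2np.udp.enable": "false",                     # assumed key for "UDP: completely disable"
}

SAMPLE_ROUTER_CONFIG = """\
# constructed sample router.config, not a real one
i2np.laptopMode=false
router.sharePercentage=80
i2np.udp.port=12345
router.randomKey=CONSTRUCTED-PLACEHOLDER
"""


def parse_properties(text):
    """Java-properties subset as I2P writes it: key=value lines; comments ('#', '!'),
    blanks and unrecognised lines are kept verbatim as ("raw", line) entries."""
    entries = []
    for line in text.splitlines():
        stripped = line.strip()
        if not stripped or stripped[0] in "#!" or "=" not in stripped:
            entries.append(("raw", line))
            continue
        key, _, value = stripped.partition("=")
        entries.append(("kv", key.strip(), value.strip()))
    return entries


def render(entries):
    """Serialise entries back to text; raw lines are emitted exactly as read."""
    lines = [e[1] if e[0] == "raw" else f"{e[1]}={e[2]}" for e in entries]
    return "\n".join(lines) + "\n"


def as_dict(text):
    """Last occurrence of a key wins, matching how a properties loader sees the file."""
    return {e[1]: e[2] for e in parse_properties(text) if e[0] == "kv"}


def harden_router_config(text, overrides=HARDENED):
    """Return (new_text, changes); changes maps key -> (old, new) for keys that differed.
    An empty changes dict means the file already carried every override (idempotent)."""
    before = as_dict(text)
    seen = set()
    merged = []
    for e in parse_properties(text):
        if e[0] == "kv" and e[1] in overrides:
            merged.append(("kv", e[1], overrides[e[1]]))  # rewrite in place, keep position
            seen.add(e[1])
        else:
            merged.append(e)                               # everything else survives untouched
    for key in sorted(overrides):                          # deterministic order for appended keys
        if key not in seen:
            merged.append(("kv", key, overrides[key]))
    changes = {k: (before.get(k), v) for k, v in overrides.items() if before.get(k) != v}
    return render(merged), changes


if __name__ == "__main__":
    new_text, changed = harden_router_config(SAMPLE_ROUTER_CONFIG)
    for key, (old, new) in changed.items():
        print(f"{key}: {old!r} -> {new!r}")
    print(new_text)
```

Applied to the constructed sample it flips laptopMode and sharePercentage in place, appends the four missing keys, and leaves the comment, the UDP port and the placeholder random key exactly where they were; applying it a second time to its own output reports no changes, which is the property you want from something that runs from a package maintainer script.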
Heya buddy! Welcome back
Yeah, but still they had better be modified for security/usability.
Maybe, I have played with "Tunnel Options" a long time ago; it gave too many errors. I think it is better to keep the default for this.
But if we want to go deep, then we need to check whether the rest of the options are useful as well, like Count, Backup, Variance, and how much to give for each (sorta extra headache; an upstream citation might be useful as well).