Installation and Fix of i2p inside Whonix-Workstation by Default

You’re confusing openjdk with the shitty and insecure java applets of a decade ago. Java is a memory-safe language like Python and if anything, coding errors here result in a crash rather than RCE.

I2PSnark works over I2P.

Have you seen my conf? I already apply many of these.

Updater is disabled in the Debian version

We track Debian stable versioning so we’ll be on 9.38 for the foreseeable future.

The java version has a nice GUI that introduces the users to all the major sites and services of the network. I’m not sure there is an alternative if we give that up. i2pd is also in Debian and is receiving new version updates if you look across Debian branches.

HulaHoop via Whonix Forum:

https://github.com/Whonix/anon-apps-config/pull/10/commits/c9271f705a8329b81e008f0e032dd726524bbad5

Merged.

1 Like

No answer to [Whonix-devel] I2P Custom Router Conf yet.

It is important to mention that the Debian -- Details of package i2p in buster / Debian -- Details of package i2p-router in buster is being used since Debian patches configuration paths.

They had /etc/i2p in mind but it looks like it wasn’t completed by looking at debian/i2p.links · master · Debian / i2p · GitLab.

This is a problem. If the very file is modified that we ship then that will result in a dpkg interactive conflict resolution dialog.

Better to modify /usr/share/i2p/router.config. That one is probably not modified by the application. That file we can take over using config-package-dev displace. I speculate it will be used as a template and copied to /var/lib/i2p/i2p-config/router.config only once. Probable disadvantage: users won’t receive your changes to /usr/share/i2p/router.config when anon-apps-config is updated. At least not automatically / easily. That’s not easy without a proper .d folder.

1 Like

I wasn’t aware that this has been suggested earlier. Can be considered.

Please check:

  • If the application issues network activity, there must be a way to properly configure it for Stream Isolation, to keep Tor’s TransPort clean for the user’s own stuff. (Deprecated [archive])

Can i2p be configured to use a Tor SocksPort or a Tor HttpTunnelPort?

  • Must not issue network activity while the application is not in use.

Should i2p be autostarted and autoconnect? (Same behavior as installing i2p package.)

It would be running in every Whonix-Workstation? How much system resources does i2p eat?

How much traffic does i2p generate when not in use? I guess a fair share of Whonix users won’t be using i2p? How much load are we going to add to the Tor network?

There is currently no such thing.

Ideally this could serve as an extra APT repository source (mirror). I don’t know much about Tahoe. Is traffic free if we upload there and all our users download from there?

1 Like

Currently configured to use a max of 128MiB.

A few kilobytes as per router stats.

We are not acting as a tunnel for other user’s traffic (only same mode as Tor client) so the load/traffic generated is absolutely negligible.

I meant a decentralized Whonix news.

Yes it’s a contributor public grid so free.

2 Likes

Wouldn’t this be against what is stated in the config?

 # If you have a 'split' directory installation, with configuration
 # files in ~/.i2p (Linux), %LOCALAPPDATA%\I2P (Windows),
 # or /Users/(user)/Library/Application Support/i2p (Mac), be sure to
 # edit the file in the configuration directory, NOT the install directory.
 # When running as a Linux daemon, the configuration directory is /var/lib/i2p
 # and the install directory is /usr/share/i2p .

Wouldn’t we lose the changes when i2p is updated/reinstalled?

I would say no, since we need to wait for Tor first anyway and to not waste system resources for people who don’t use i2p.

Connecting doesn’t take that long so it won’t be a benefit to autostart.

It should be close to zero when not in use because we are not routing other people’s traffic.

Did you check a fresh router without user input? I would guess the only traffic that is sent/received without any input is the first reseeding.

Not sure, I’ll take a look. Maybe @eyedeekay can help, can someone ping him on git?

This might be useful: GitHub - eyedeekay/i2pdistro: Re-creating an I2P Linux Distro

1 Like

You are right. /usr/share/i2p/router.config survives app purges and serves as an initial template for /var/ upon install. Any changes after that are ignored. Should I move the file there?

1 Like
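
Added example (not part of the thread or of anon-apps-config): because /usr/share/i2p/router.config is only copied to /var/lib/i2p/i2p-config/router.config once, a drift check shows which template settings an existing install never picked up. The function names are hypothetical, and "last assignment wins" is an assumption borrowed from Java properties files.

```shell
#!/bin/sh
# Added example: list template settings that never reached the live config.

# Print key=value lines of an I2P-style properties file, without comments,
# blank lines or surrounding whitespace.
config_pairs() {
    sed -e 's/^[[:space:]]*//' -e 's/[[:space:]]*$//' \
        -e '/^#/d' -e '/=/!d' "$1"
}

# config_drift TEMPLATE LIVE
# Prints one line per TEMPLATE key that is missing from LIVE or set to a
# different value. Returns 0 if LIVE carries every setting, 1 on drift,
# 2 if a file cannot be read.
config_drift() {
    template=$1 live=$2 drift=0
    if [ ! -r "$template" ] || [ ! -r "$live" ]; then
        echo "config_drift: cannot read $template or $live" >&2
        return 2
    fi
    while IFS= read -r pair; do
        key=${pair%%=*} want=${pair#*=}
        [ -n "$key" ] || continue
        # Look the key up in the live file; the last assignment wins (assumed).
        # The "set:" prefix keeps an empty value distinct from an absent key.
        have=$(config_pairs "$live" | awk -v k="$key" '
            { i = index($0, "=")
              if (substr($0, 1, i - 1) == k) { v = substr($0, i + 1); f = 1 } }
            END { if (f) print "set:" v; else print "unset" }')
        case $have in
            unset)       echo "MISSING $key (template: $want)"; drift=1 ;;
            "set:$want") ;;
            *)           echo "DIFFERS $key (template: $want, live: ${have#set:})"
                         drift=1 ;;
        esac
    done <<EOF
$(config_pairs "$template")
EOF
    return "$drift"
}

# Usage with the two paths named in the thread:
#   sh drift.sh /usr/share/i2p/router.config /var/lib/i2p/i2p-config/router.config
if [ "$#" -eq 2 ]; then
    config_drift "$1" "$2"
fi
```

A non-zero exit on an already-installed system means the displaced template and the live router.config have diverged and the live file needs a one-time merge.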

I don’t think we have a spare 128MiB. Due to many issues, we’re on a very tight RAM budget.

Default RAM:

  • Whonix-Gateway: 512 MB
  • Whonix-Workstation: 768 MB

Already required to use a hack for Whonix-Gateway: swap - swap file - Whonix-Gateway freezing during apt-get dist-upgrade - encrypted swap-file-creator

There is no Whonix-Host yet. Therefore we can not be more clever and automatically assign more RAM to users’ VMs if available.

Memory de-duplication had to be disabled due to security issues.

Opening too many Tor Browser tabs can already make a VM slow or freeze.

Desktop environments realistically available for Whonix (from packages.debian.org, OK usability, …) require more RAM nowadays than in the past.

Whonix system requirement is 4 GB.
4 GB - 768 MB (workstation RAM) - 512 MB (gateway RAM) - 16 MB (gateway video RAM) - 128 MB (workstation video RAM) leaves the host with only around 2576 MB RAM. That’s not much and not even including any multiple Whonix-Workstations.

There is currently no Whonix News integrated into whonixcheck.

Yes but config-package-dev displace will sort that out for us.

No. config-package-dev displace will effectively assign management of that file to package anon-apps-config.

Yes. i2p could be started on demand. Such as when people start i2pbrowser or other i2p apps if any?

Interesting! Wasn’t aware of it.

“Is there an I2P Linux Distro” or “Is iPredia still alive” or questions about I2P use in Whonix or TAILS is a very frequently asked question on reddit

Had no idea.

Official inclusion in Whonix is dependent on inclusion in Debian,

Is this still applicable / up to date? Debian -- Details of package i2p-router in buster now exists and here we are discussing i2p installation by default in Whonix. They mean for i2p apps?

Btw what about Debian -- Details of package syndie in buster? I don’t recall testing it but it’s a suggested package by i2p-router package. Should be pre-installed too? Still a tool up to date / recommended / requested / in use / etc?

Yes.

2 Likes

We can try to lower that and see how it impacts performance, but these Defaults seem to me quite Outdated.
I remember a Poll about that here on the Forum, is this really an Issue?

In what kind of Setup? I’ve never had an Issue even with 4GB RAM on an old Qubes Laptop.

Is there a special reason for that?
RAM isn’t that expensive and older Hardware isn’t Supported due to missing VT-XYZ Stuff so it’s kinda odd.

Nice, good to know, I’ll take a look, thx.

I’ve seen this request a couple of times but I’m not a frequent reddit lurker.

I think it was depending on your requirements, so I guess no?
No, I think he means the I2P Router itself.

I would say no, it’s not really that useful (at least what I’ve seen when I tested it) and it’s easily installed later if someone wants it.
Bote would be nice but AFAIK there is no package for that.

2 Likes

A quick test has shown that config values are inherited as expected.


Other files that may be useful for editing.

apt-file list i2p-router

/usr/share/i2p/blocklist.txt
/usr/share/i2p/clients.config
/usr/share/i2p/i2psnark.config
/usr/share/i2p/i2ptunnel.config
/usr/share/i2p/router.config

Yes, can be (re-)considered.

https://twitter.com/Whonix/status/1070983624105676801

Debian, VirtualBox, Whonix default RAM settings.

Qubes / Qubes-Whonix manages RAM far more efficiently.

  • Simply said, “There is no GUI running inside VM.” I mean by that, no “full X server”, lightdm, XFCE is running inside a VM. XFCE desktop environment packages aren’t even installed by default in VMs. X running inside Qubes VMs is connected to X running in dom0. The de-duplication of that saves a ton of RAM.
  • Qubes RAM management isn’t as static as “if VM is started, assign it to VM in full”. It dynamically assigns RAM. I.e. VMs that are just auto started but idle need far less RAM. Not sure this might be called memory ballooning.

Therefore Qubes / Qubes-Whonix cannot be compared much to Non-Qubes-Whonix as far as RAM requirements are going.

No idea. i2p-router is in packages.debian.org and there is now also:

Depends but things might have changed now.

As per https://geti2p.net/en/docs/applications/supported there are bundled apps, third party plugins. Perhaps it’s about these third party plugins which aren’t packaged but the point? Didn’t read much and not sure which ones he might be referring to.

2 Likes

https://eyedeekay.github.io/I2P-in-Private-Browsing-Mode-Firefox/

Just found this, damn it’s hard to keep up with this guy :wink:

This seems like a great way to replace privoxy if/when it gets deprecated and to have a visual distinction between TBB and I2P Browser, what do you think?

Edit: https://www.reddit.com/r/i2p/comments/eljqgd/experimental_webextension_i2p_in_private_browsing/
A few helpful comments from eyedeekay

1 Like

Out of curiosity, why do you think it’s inferior security, could you please elaborate?

2 Likes

Almost all factors that have nothing to do with I2P code quality:

Increased theoretical attack surface

possibility of misconfiguring iptables and ending up with leaks

users mistakenly executing apps and plugins on the gw which would be a disaster for isolation design. (I have no idea if I2P can support a split design where apps can run on a different machine than where the router is)

the fact that most routers are run by people on home OSs like Windows, likely proprietary and surveillance friendly instead of Tor’s network mostly Debian based. Who knows what kind of traffic flow info MS collects?

2 Likes

@HulaHoop Thanks for the elaboration

Some more exciting stuff I’ve found regarding I2P Browser
https://www.reddit.com/r/i2p/comments/e7vnyx/i2p_browser/fa6qscz/

A little more info on what’s going to start happening in the next few months with the I2P browser: We’ve been thinking about the future of I2P Browser as a project, with regard to what is most important about it especially, and that has at times revealed a pretty boring picture. We can get better and better at backporting Tor patches and we are, but that really just leaves us with a Tor Browser clone where we’ve subbed in I2P for Tor. So now we’re in the final phases of adapting Tor Browser’s build infrastructure for our purposes, we have ways to confirm that we’ve done so successfully, what’s next is that we start modernizing the way you interact with the applications that come with I2P from the I2P browser. For instance, very soon we plan to make bittorrent(via I2PSnark) work as first-class downloads within Firefox, with familiar browser-like dialogs and menu integration, no more copy-and-pasting magnet links or copying torrent files into directories to operate the torrent client for I2P browser users. There are plenty of similar little rough edges in how I2P(Especially I2P web browsing) has always worked that we may have an opportunity to ease away with the browser. So it’s very hard to say when it will be “Stable” exactly, it’s not going to be stable for some time in that we’re carefully working on features and trying to make it all cohesive, which will take some time, and most definitely isn’t what we’ll have in January. What we’ll have in January is one where we’re very sure that we’re good enough at adapting the features we need in a timely manner to work on better things.

It looks like I (/we?) should focus more on the I2P Browser and the changes needed to it (especially for the WS) than the I2P Router for an easy to use I2P Setup; the problem then would be the low amount of RAM for running I2PB and TBB at the same time.
https://geti2p.net/en/browser

I played with it a couple of hours and it runs well like the “normal” i2p router, it’s a pretty out of the box solution.
I tested Torrent, mail, our router config, reseeding via Tor and a couple of other settings, it uses 1.5-2GB of RAM when in heavy use (that’s to be expected for a Browser I would say).
The Update Fails for some reason but besides that I haven’t encountered any issues besides the usual I2P quirks.

2 Likes
1 Like

Thanks to @eyedeekay’s code I was able to tweak the default TBB to work with privoxy with the latest TBB. What extra benefits do we get from using their project instead of what we do right now?

A custom I2P landing page would be a nice little addition to the current i2pbrowser script but not necessary.

2 Likes

9 posts were split to a new topic: I2P Tweaks and Suggestions

Let’s keep this thread dedicated to the progress and status of I2P support only. Any ideas or suggestions should be discussed in the other thread. Thanks.

1 Like