Warning
This is my idea for I2P uses on Qubes os, its not yet tutorial level.
So there are many drawbacks in this set up, it probably needs to many revise, I am looking for your advice.
Create Parrot Security template
Firstly, debian-12-minimal
template changes to Parrot Security template.
Parrot Security is Debian based of security penetration test and virtual privacy focused distro.
Parrot Security has parrot-meta-privacy package, this package uses for security and privacy harden.
Template should keep it to a minimum for security, so using debian-12-minimal
template.
Install debian-12-minimal
template.
Clone debian-12-template
, and name it parrot-minimal.
By default, debian-12-template
is not set system locale, perl shows error message, so it sets first.
qvm-run -u root parrot-minimal xterm
dpkg-reconfigure locales
Select EN-US
poweroff
Using other AppVM, Download parrot-archive-keyring.gpg
file from repository of Parrot Security.
This file must need for add Repository of Parrot Security into template.
https_proxy=http://127.0.0.1:8082 http_proxy=http://127.0.0.1:8082 curl -fsSL https://deb.parrot.sh/parrot/keyring.gpg | gpg --dearmor -o ~/parrot-archive-keyring.gpg
After key check, this file moves to parrot-minimal template (User can use GUI tool).
Run parrot-minimal template again.
mv /home/user/QubesIncoming/(vmname)/parrot-archive-keyring.gpg /etc/apt/trusted.gpg.d/
rm -r /home/user/QubesIncoming
nano /etc/apt/sources.list
Add address of Parrot Security repository.
deb https://deb.parrot.sh/parrot lory main contrib non-free non-free-firmware
deb https://deb.parrot.sh/direct/parrot lory-security main contrib non-free non-free-firmware
deb https://deb.parrot.sh/parrot lory-backports main contrib non-free non-free-firmware
Warning:Must not comment out already existing Debian repositories, if their comment out, it fails to apt full-upgrade command.
Save and exit.
apt update
Add repositories of Parrot Security.
apt install parrot-archive-keyring
apt full-upgrade
Installed all packages are replaced to Parrot Security version.
apt install parrot-core
Template changed Parrot Security is complete, Debian repositories auto remove by Parrot Security.
Warning:Please be sure run apt full-upgrade command at first, if it don’t run apt full-upgrade command, Qubes os packages are broken.
apt update
parrot-upgrade
Parrot Security provides parrot-upgrade instead apt full-upgrade command.
It is secure than apt full-upgrade, so it recommends to use parrot-upgrade command for install packages.
apt install qubes-core-agent-networking qubes-core-agent-passwordless-root
poweroff
Completed of parrot-minimal template making, this template clones to i2p-gateway and i2p-workstation templates.
Run and setting i2p-gateway template.
apt update
parrot-upgrade
apt install curl gnupg ca-certificate lsb-release qubes-core-agent-thunar parrot-meta-privacy hackthebox-icon-theme xfce4-notifyd libvte-2.91-0 libpcre3
echo "deb [signed-by=/usr/share/keyrings/i2p-archive-keyring.gpg] https://deb.i2p.net/ $(dpkg --status tzdata | grep Provides | cut -f2 -d'-') main" | tee /etc/apt/sources.list.d/i2p.list
https_proxy=http://127.0.0.1:8082 http_proxy=http://127.0.0.1:8082 curl -o i2p-archive-keyring.gpg https://geti2p.net/_static/i2p-archive-keyring.gpg
gpg --keyid-format long --import --import-options show-only --with-fingerprint i2p-archive-keyring.gpg
mv i2p-archive-keyring.gpg /usr/share/keyrings
apt update
apt install i2p i2p-keyring
dpkg-reconfigure i2p
systemctl enable anonsurfd.service
poweroff
I2P and AnonSurf are auto start on start template, Tor and I2P both auto connect.
After make sys-i2p vm, this vm is I2P version of sys-whonix.
After run sys-i2p, AnonSurf-gtk run from GUI menu, icon of AnonSurf appears on Dom0 panel, check Tor status and own IP address.
Run and setting i2p-workstation template.
apt update
parrot-upgrade
apt install curl wget gnupg ca-certificate lsb-release qubes-core-agent-thunar parrot-meta-privacy parrot-meta-crypto qbittorrent hexchat sylpheed hackthebox-icon-theme xfce4-notifyd libvte-2.91-0 libpcre3 i2pd
If Tor Browser is set as default browser, it is Tor over Tor (Tor Browser over AnonSurf), so it doesn’t use Tor Browser on i2p-workstation.
LibreWolf is hardened FireFox, so it use default Browser instead of Tor Browser.
distro=$(if echo " una bookworm vanessa focal jammy bullseye vera uma " | grep -q " $(lsb_release -sc) "; then lsb_release -sc; else echo focal; fi)
https_proxy=http://127.0.0.1:8082 http_proxy=http://127.0.0.1:8082 wget -O- https://deb.librewolf.net/keyring.gpg | gpg --dearmor -o /usr/share/keyrings/librewolf.gpg
tee /etc/apt/sources.list.d/librewolf.sources << EOF > /dev/null
Types: deb
URIs: https://deb.librewolf.net
Suites: $distro
Components: main
Architectures: amd64
Signed-By: /usr/share/keyrings/librewolf.gpg
EOF
apt update
apt install librewolf
nano /etc/i2pd/i2pd.conf
bandwidth = L > bandwidth = X
httpproxy.outproxy = http://false.i2p > http://exit.stormycloud.i2p
socksproxy.outproxy =false > true
i2pcontrol.enabled = false > true
#address = 127.0.0.1 > address = 127.0.0.1
#port = 7654 > port = 7654
Save and exit.
systemctl start i2pd.service
systemctl enable i2pd.service
poweroff
i2pd is auto start on start template.
After make anon-i2p vm, this vm is I2P version of anon-whonix.
NetVM of anon-i2p sets sys-i2p.
After run anon-i2p, LibreWolf run from GUI menu, change Browser for I2P using.
https-only-mode disable
Enable IPv6 disable
Proxy setting > Manual proxy configuration
HTTP and HTTPS proxy 127.0.0.1 4444
Socks proxy 127.0.0.1 4447
No Proxy for > 127.0.0.1
about:config
media.peerConnection.ice.proxy false > true
After access 127.0.0.1:7070 from address bar, show I2P status : Firewall.
User can I2P eepsite and Clearnet sites on anon-i2p through sys-i2p.
Tor and I2P both connect in sys-i2p.
Question
Why don’t use Prestium OS?
Privacy concept of Whonix is sepalation between Gateway and Workstation.
Prestium OS is already existing I2P focus OS, but its concept is Tails like, difference from Whonix model.
And development of Prestium OS is stagnating, and project reader refuses to exhibit of its source code.
User can not read source code of Prestium OS, so we should not trust it.
Why don’t use Whonix template?
Whonix focuses to Tor, not I2P, and its privacy design is hidden model by Tor.
If user install and custom into Whonix template, it makes vm fingerprint of user, this is very danger.
If accessing both Tor and I2p use of Tor Browser, its make to disable of Whonix privacy model.
Making I2P vm like of Whonix template, I think best way is using to Parrot Security template.
Why don’t use Kali Linux?
Many peoples misunderstand to Kali Linux is secure and private, but this is not true.
Kali Linux is designed for security penetration test, not designed for security and privacy.
Many penetration tools are installed default, security and privacy of Kali Linux is very vulnerable, so user must not use as daily driver.
Kali Linux is very very danger.
The official development team of Kali Linux is alerted it.
Why do you think to use Parrot Security is best way?
If user uses I2p-Gateway as Whonix-Gateway (Scenario of I2P over Tor), using AnonSurf becomes to scenario of Tor over Tor, its very danger.
Parrot Security has Security Edition and Home Edition.
Security Edition is designed for penetration testing, default installed many penetration tools, so this is very danger same to Kali Linux.
But Home Edition is designed as secure and private, penetration tools are not installed, default installed are privacy tools only, so this is secure and private as default.
Parrot Security is distro of based Debian, so Home Edition is substantially hardened Debian.
Whonix also uses Debian as based distro as same to Parrot Security, but change of Whonix default setting is danger, and Whonix is not designed for I2P.
And Parrot Security team made AnonSurf, this is wrapping all traffics to force connections through Tor.
And OSes of Onionshare team recommend are Qubes os, Tails, Whonix, Parrot Security.
Issues
I can not yet set I2P-Gateway template to use i2pd.
Because Documents of I2P are few, and I2P setting is more difficult than Tor, so I often can not be understood to technical design of I2P.
Implements of I2P exist I2P and i2pd, I2P is written by Java, i2pd is written by C++.
Because C++ is low level language unlike Java, i2pd is lightweight than I2P.
So i2pd router is suitable Template of sys-i2p, but I could not set a sys-i2p using i2pd router.
My idea is I2P router runs on sys-i2p, AppVM uses sys-i2p as NetVM, all I2P traffics of user are through sys-i2p, to separate I2P traffics from Clearnet and Whonix networks.
This is possible using I2P router runs on sys-i2p, but I try i2pd router using, it is fail.
I don’t grasp to issue of set i2pd up correctly, so I need to help.
Is I2P over Tor safety?
VPN over Tor and Tor over VPN is higher risk than Tor only networking.
This reason is the number of layers increase, privacy risk also increases.
There are two roots, one is user surfs only .i2p sites, safety of user is guarded on this root without Tor.
Other one is user accesses Clearnet through I2P, this root is like using Tor as proxy.
But I2P is not designed as Clearnet proxy, and I2P uses exit.stormycloud.i2p as default outgoing tunnel (Outgoing tunnel is comparison to Tor exit node.) now.
If user accesses Clearnet through I2P, Cleanet services can not perceive true IP address and DNS of user, but exit.stormycloud.i2p works as single point of failure of I2P, so Stormycroud is know all of user IP and DNS of access Cleanet through I2P.
But if user uses Tor before access to I2P, Stomycloud can not true IP address and DNS of user, accessing Clearnet through I2P becomes safely.
But this way is I2P over Tor, there are not one layers but two, is I2P over Tor safely than I2P only root?
Is I2P over I2P safely?
Tor over Tor is very danger, the Tor project alerts it.
But network of Tor and I2P is designed along difference models, I2P router sets to participate bandwidth sharing as default (If user needs anonymity of Snowden level, user can stop bandwidth sharing.).
And I2P separates inbound and outbound traffics, I2P Router uses differ peer tunnels for send and receive, it is difference from design of Tor.
So I think I2P over I2P is safely, inbound tunnels and outbound tunnels become double in I2P over I2P root, I2P doesn’t have equivalent to circuit of Tor, I2P make new tunnel every time user accesses to network.
Security and privacy models of I2P is depending to many number of unidirectional tunnels, so I2P over I2P is harden to security and privacy of user (But performance becomes to too slowly.).
Is my understanding correct?