There have been several attempts made to create an i2p-gateway, none of which I liked. Of course you still can run any i2p router without a gateway, but for further hardening I propose:
1. Clone or install a Fedora-XX Template with i2p
Beginners should clone a Fedora-44 template; if you are an advanced user, use a minimal template. We will name it i2pd-gateway-f44.
Then install an i2p router. In this tutorial we will use i2pd because it’s the quickest.
sudo dnf copr enable supervillain/i2pd
sudo dnf install i2pd -y
sudo systemctl enable --now i2pd
For later configuration, we will need to create bind-dirs.
sudo mkdir -p /rw/config/qubes-bind-dirs.d
sudo touch /rw/config/qubes-bind-dirs.d/50_user.conf
sudoedit /rw/config/qubes-bind-dirs.d/50_user.conf
Paste:
binds+=( '/etc/i2pd' )
binds+=( '/var/lib/i2pd' )
2. Create a NetVM (AppVM)
Create a new qube, activate networking while doing so. Name: sys-i2pd, Template: i2pd-gateway-f44.
(Optional): Configure i2pd in /etc/i2pd/i2pd.conf and /etc/i2pd/tunnels.conf.
See i2pd’s documentation. To use mail, you need to uncomment pop and smtp in tunnels.conf; for torrenting, you need to enable i2cp/sam in i2pd.conf. Simple web browsing will work fine without that.
3. Connect your anon-i2pd to the gateway
This is the most interesting part because this Qube needs no networking. I assume you’re using something Fedora-based.
sudoedit /rw/config/rc.local
qvm-connect-tcp 4444:@default:4444
# qvm-connect-tcp 7070:@default:7070
# qvm-connect-tcp for any other ports you may need
echo "export http_proxy=127.0.0.1:4444" >> /home/user/.bashrc
echo "export https_proxy=127.0.0.1:4444" >> /home/user/.bashrc
## Disable ICMP (run in dom0)
qvm-firewall <thenameofyourqube> add --before 0 drop proto=icmp
If you are using a Debian-based OS, remember that it does not respect /rw/config/rc.local. You may want to create a file in .config/autostart instead.
To actually allow your qube to make these connections, create a 50_user file in the Policy Editor in dom0 and write:
qubes.ConnectTCP * anon-i2pd @default allow target=sys-i2pd
4. Setting up a browser to allow i2p connections.
This is extensively documented.
If you are using Firefox, go into your settings and enable the http proxy 127.0.0.1:4444.
I advise using the Mullvad Browser or Tor. I have not tested this setup in Whonix yet.
This guide is heavily based on: i2nix/qubes.md at main · kn0sys/i2nix · GitHub
Consider contributing to the author: Automate Qubes rebuild for EOL templates · Issue #9 · kn0sys/i2nix · GitHub
Further documentation you can find here: i2pd documentation
For further hardening advice look in the comments, there are a lot of smart people in this forum.
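The policy rule from step 3 uses `*` as the service argument, which lets anon-i2pd request any TCP port on sys-i2pd, not only 4444. The following is an added example, not part of the original post: a small linter for qubes.ConnectTCP rules that flags wildcard ports and wildcard sources. The function names and the sample policy are constructed for illustration; the per-port form `+4444` is the argument syntax of the Qubes policy format.

```shell
#!/bin/sh
# Added example (not from the original post): lint Qubes policy text for
# qubes.ConnectTCP rules that are broader than this gateway setup needs.
# Policy line format: service  argument  source  destination  action [params]

lint_connecttcp() {
    # Reads policy text on stdin, prints one finding per line,
    # and returns 1 if anything was flagged (0 if the rules are tight).
    awk '
        BEGIN { bad = 0 }
        /^[ \t]*(#|$)/ { next }                       # comments, blank lines
        $1 != "qubes.ConnectTCP" || $5 != "allow" { next }
        $2 == "*" {                                   # every port is reachable
            printf "line %d: any port allowed (%s -> %s); use +PORT, e.g. +4444\n", NR, $3, $4
            bad = 1
        }
        $3 == "@anyvm" {                              # every qube may connect
            printf "line %d: any qube may connect; name the client qube\n", NR
            bad = 1
        }
        END { exit bad }
    '
}

sample_policy() {
    # Constructed sample input: line 2 is the rule from step 3,
    # line 3 is the same rule restricted to the HTTP proxy port.
    cat <<'EOF'
# constructed sample policy
qubes.ConnectTCP * anon-i2pd @default allow target=sys-i2pd
qubes.ConnectTCP +4444 anon-i2pd @default allow target=sys-i2pd
qubes.ConnectTCP +7070 @anyvm @default allow target=sys-i2pd
EOF
}

# Demo run; guarded so a non-zero lint result does not abort the script.
sample_policy | lint_connecttcp || echo "policy is broader than needed"
```

With a per-port rule for each forwarded port (4444, plus 7070 or others only if you enabled them in rc.local), the linter reports nothing and returns 0.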