Easy sys-i2p

There have been several attempts made to create an i2p-gateway, none of which I liked. Of course you still can run any i2p router without a gateway, but for further hardening I propose:

1. Clone or install a Fedora-XX Template with i2p

Beginners should clone a Fedora-44 template, if you are an advanced user, use a minimal template. We will name it i2pd-gateway-f44.
Then install an i2p router. In this tutorial we will use i2pd because it’s the quickest.
sudo dnf copr enable supervillain/i2pd
sudo dnf install i2pd -y
sudo systemctl enable --now i2pd

For later configuration, we will need to create bind-dirs.
sudo mkdir -p /rw/config/qubes-bind-dirs.d
sudo touch /rw/config/qubes-bind-dirs.d/50_user.conf
sudoedit /rw/config/qubes-bind-dirs.d/50_user.conf
Paste:

binds+=( '/etc/i2pd' )
binds+=( '/var/lib/i2pd' )

2. Create a NetVM (AppVM)

Create a new qube, activate networking while doing so. Name: sys-i2pd, Template: i2pd-gateway-f44.

(Optional): Configure i2pd in /etc/i2pd/i2pd.conf and /etc/i2pd/tunnels.conf.
See i2pd’s documentation. For using mail, you need to uncomment pop and smtp in tunnels.conf; for torrenting, you need to enable i2cp/sam in i2pd.conf. Simple web browsing will just work fine without that.

3. Connect your anon-i2pd to the gateway

This is the most interesting part because this Qube needs no networking. I assume you’re using something Fedora-based.
sudoedit /rw/config/rc.local

qvm-connect-tcp 4444:@default:4444
# qvm-connect-tcp 7070:@default:7070
# qvm-connect-tcp for any other ports you may need
echo "export http_proxy=127.0.0.1:4444" >> /home/user/.bashrc
echo "export https_proxy=127.0.0.1:4444" >> /home/user/.bashrc

If it does not work, you may want to create some file in .config/autostart.

To actually allow your qube to do these connections, in the Policy Editor in dom0 create a 50_user file and write qubes.ConnectTCP * anon-i2pd @default allow target=sys-i2pd. For further hardening replace * with the actual ports.

4. Setting up a browser to allow i2p connections.

This is widely documented.
If you use Firefox, go into your settings and enable the http proxy 127.0.0.1:4444.
I advise using the Mullvad Browser or Tor. I have not tested this setup in Whonix yet.

This guide is heavily based on: i2nix/qubes.md at main · kn0sys/i2nix · GitHub
Consider contributing to the author: Automate Qubes rebuild for EOL templates · Issue #9 · kn0sys/i2nix · GitHub
You can find further documentation here: i2pd documentation

For further hardening advice look in the comments, there are a lot of smart people in this forum.

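
As an added example that is not part of the original post, here is the anon-i2pd side of step 3 as a small POSIX sh helper: it forwards the ports with qvm-connect-tcp and writes the two proxy exports without duplicating them on every boot. The file path /rw/config/i2p-proxy.sh, the function names and the I2P_PORTS variable are my assumptions; qvm-connect-tcp, @default and port 4444 come from the post.

```shell
#!/bin/sh
# Added example, not from the original post: helper functions for the
# anon-i2pd side of step 3. Assumed to live at /rw/config/i2p-proxy.sh and
# to be sourced from /rw/config/rc.local, which then calls setup_anon_i2pd.

# Local ports to forward into the i2pd gateway. 4444 (HTTP proxy) is what
# browsing needs; add others only if you allowed them in the dom0 policy.
I2P_PORTS="${I2P_PORTS:-4444}"
PROXY_PORT=4444
PROXY_ENV_FILE="${PROXY_ENV_FILE:-/home/user/.bashrc}"

# Append LINE to FILE unless an identical line is already present.
# rc.local runs on every boot, so a plain 'echo ... >> .bashrc' would add
# another copy of the export lines each time the qube starts.
append_once() {
    ao_file=$1
    ao_line=$2
    [ -f "$ao_file" ] || : > "$ao_file"
    if ! grep -qxF -- "$ao_line" "$ao_file"; then
        printf '%s\n' "$ao_line" >> "$ao_file"
    fi
}

# The two export lines from the post, for a given local proxy port.
proxy_env_lines() {
    printf 'export http_proxy=127.0.0.1:%s\n' "$1"
    printf 'export https_proxy=127.0.0.1:%s\n' "$1"
}

# Write the proxy exports into PROXY_ENV_FILE, idempotently.
install_proxy_env() {
    proxy_env_lines "$PROXY_PORT" | while IFS= read -r env_line; do
        append_once "$PROXY_ENV_FILE" "$env_line"
    done
}

# Forward each listed port to the same port on the qube that the
# qubes.ConnectTCP policy resolves @default to (sys-i2pd with the post's policy).
forward_ports() {
    for port in $I2P_PORTS; do
        qvm-connect-tcp "$port:@default:$port"
    done
}

setup_anon_i2pd() {
    forward_ports
    install_proxy_env
}
```

Source it from /rw/config/rc.local with `. /rw/config/i2p-proxy.sh && setup_anon_i2pd`; every extra port in I2P_PORTS still needs a matching qubes.ConnectTCP entry in dom0, otherwise the forward is refused.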

Just a drive-by observation:

I think /rw/config/rc.local works the same way on both Debian and Fedora templates.


100%

Small correction:

These commands have to be run in dom0. And… you have to spell “icmp” (as “ic” is not enough).

And, as @Euwiiwueir wrote, rc.local works fine in all Debian templates provided with QubesOS.


Does this setup block all clearnet connections, like sys-whonix does? That is, if my QubeA qube is using sys-i2p as its net-qube, then is your setup making every connection request either:

  1. be dropped if they are done to non (.b32).i2p addresses

  2. be routed through sys-i2p’s i2p daemon if they are done to (.b32).i2p addresses

I’m not @Schnur… but can answer this with some confidence: as long as you don’t configure/enable an “outproxy” in i2pd, clearnet connections are not allowed. So the answer is “yes”.

With networking set to “none”, yes. For further hardening you can block replace * with just 4444. Of course you can add several firewall rules to your sys-i2p netqube too.

be routed through sys-i2p’s i2p daemon if they are done to
(.b32).i2p addresses

Every connection you will make over port 4444 will be routed to sys-i2p, independent of whether they are .i2p addresses.


Sounds good. I should take a look at this later.
