I2P for QubesOS updates

There has been a sustained DDoS attack on the general Tor infrastructure. It has been causing many Tor websites to be unreachable (Dread darknet forum, for example), and making QubesOS updates over Tor really slow and failing.

In light of this, I would like to start a discussion around using I2P for QubesOS updates. How would such a mechanism for QubesOS updates work? For starters, QubesOS would need a sys-i2p qube, similar to sys-whonix. And then the QubesOS updates could be served over i2p? Would the Debian and Fedora repos also need to be persuaded to host their package updates over i2p?

For people unfamiliar with I2P (The Invisible Internet Project) here are two explainers:


You are looking at torrent updates similar to SilverBlue and somewhere in the 3 digit range for i2p mirror locations. The sys-i2p is the easy part.

We could go in small steps…


Can you explain what you mean by “torrent updates”? The update files are distributed using the torrent tech?

Geographical locations? Relative to where?

i2p is even slower than DDoSed Tor, mate :laughing:
300KB max on top torrents

More precisely, it would need an i2pd qube, because the Java router is an absolute abomination.

Sorry, I don’t see this happening. File transfer over i2p sounds like an absolute nightmare. Imagine pulling 2GB template over i2p :fearful:

Yes. The only problem is that you need a special torrent client specifically for i2p. And there is none really that works with i2pd and is somewhat stable. And the official torrent client I2PSnark is integrated into a Java router :rofl:

Also, in general an i2p router needs to be able to accept connections to work somewhat reliably, and that means port forwarding and NAT hole punching.

Google does torrent updates for their servers.
I forgot which torrent client Silver Blue uses but some docs are here:
I did not use it in 3-4 years. I would have to reinstall to give you that info, or you can use their forum if there is one anymore.

At least with i2p, the bandwidth of the whole network increases as more users join in the network.
With Tor, the available bandwidth is not guaranteed to be provided by other benevolent people.


Qubes OS: GUIX Overlay Debian 11 i2p Template and DVM

The password is: a

Magnet i2p Link:

Postman Link: http://tracker2.postman.i2p/index.php?view=TorrentDetail&id=67717

Size: 6.1 GiB (6,577,838,080 bytes)
sha256sum: qubes-backup-2022-12-10T000205
554b60239a48f6882c4b312649802718dfec3fdf2b00b4297ce2b41a93e08782 qubes-backup-2022-12-10T000205

In the Qubes OS context, the template is 85% secure. This means that it is more secure than 85% of Qubes users' templates. It is up to you to screw it up!
In the i2p context, a dvm will be around 42% secure. This means that 58% of i2p users have more secure setups.

Some Whys or FAQs:

What is it? It is a Guix overlay of Debian 11 Template updated. It has the OUTGOING Qubes functions INHIBITED. It has USB GPS support and GUIX NTP. Will mention some ops later.

Why the low i2p security? The learning curve is best at this level. Less secure or more secure will result in a longer learning curve. This is NOT as secure as a VM based on a HVM template of an OS that you REALLY KNOW!

How much testing has been done? 2 years, but of course Qubes developers and GUIX maintainers can screw you in one swipe.

How I use it:

This is my default template and DVM.
I start sys-net with sudo gufw and enable firewall (DENY-DENY).
Ditto for sys-firewall.

I start sys-usb that is connected to sys-firewall with sudo etherape and check that only NTP connection and ICMP are displayed. I start terminal in sys-usb and run the command cgps. If my Time Offset is 0.0*, I run in Dom0 terminal sudo qvm-sync-clock (the USB qube is my time VM). If you are a jack-ass and don’t have accurate time use Google TimeSync (available in Documents of dvm) and it will put you around 0.3 seconds accuracy range which is just below time attacks (Do you feel lucky, PUNK?).

I don’t have a sys-whonix but some other similar arrangements. If you use sys-whonix clone and run sudo apt remove thunar and sudo apt autoremove when the Finish connection to Tor appears. That will inhibit some Qubes function in that dvm and make it secure for Qubes updates.

Yes, I also use it for default-mgmt-dvm.

The i2p part should be self explanatory. You have Dillo and Icecat already configured. DO NOT INSTALL the i2p+ router or run i2pd in the actual DVM but in the disp*.

I do expect some level of knowledge and testing before comments. I will NOT support this contraption for long because I’m not your bitch. I did it only for my own benefit. The safer and more knowledgeable you are, the better it is for me.

The template is ready; now you need the Mosquitto messenger for the update network.


Why it is and how connected to sys-firewall?

How did you measure this?

And this?

In Qubes, or…?

Isn’t PVH actually more secure?

What function, and how will it make it more secure?

Please use this as an exercise in critical thinking.

  1. Have a look at past contributions by @i2p

  2. Ask yourself how believable any of this is, including the oddly precise percentages of improvement in security without ever even alluding to how one would measure such a thing.


Gestapo Sven I guess. Do you run a fleet of i2p routers with Mosquitto messengers/servers? Why don’t you create an i2p template and DVM and run a fleet of routers before you just attack my credibility? Facebook is hiring former moderators such as yourself. Twitter is firing people like you. Put out a secure Template if you crap yourself.

Your credibility? Even your name @i2p is stolen valor.

  1. To test your i2p router security. You open etherape and attack the routers available. Can your router withstand the same attacks? You get a percentage.

  2. To test Qubes VMs and templates you get a malware list or go to sites that are on the block lists. You get a percentage.

I would like people that are not on i2p to stay out of it. Gestapo Sven was stripped of his moderator badge and likes power trips. I have no idea about Rusty but seems to be in the same league. Download and test the template. SB might stand for Silver Blue. i2p people know!

I linked to a summary of your past contributions and pointed out that you haven’t described HOW you arrived at your claims. In my memory that is somewhat of a theme with your posts. I wouldn’t call this an attack but a request to establish your credibility.

The issue with your account name on the other hand is that you give the impression of representing a project, which I am not sure you have any right to do. That is in fact something we don’t want here and we have asked users in the past to clarify or change their alias. Would you please provide information to @deeplow or another moderator of your choice that you are authorized to speak for the i2p project? If that’s not the case please change your alias.

Contrary to your impression I am neither a moderator (in this and most other categories) nor an admin of this forum. I also do not speak for this or any other project.

Although I was born and grew up in Germany, it wasn’t the half that had a Gestapo :wink:


Don’t care never asked. Started using i2p. Sue me.