I2P for QubesOS updates

tanky0u · October 23, 2022, 11:55am

There has been a sustained ddos attack on the general tor infrastructure. It has been causing many tor websites to be unreachable (Dread darknet forum, for example), and making QubesOS updates over Tor really slow and failing.

In light of these, I would like to start a discussion around using I2P for QubesOS updates. How would such a mechanism for QubesOS updates work? For starters, QubesOS would need an sys-i2p qube, similar to sys-whonix. And then the QubesOS updates could be served over i2p? Would debian and fedora repos also need to be persuaded to host their updates to their packages over i2p?

For people unfamiliar with I2P (The Invisible Internet Project) here’s two explainers:
https://lbry.bcow.xyz/@AlphaNerd:8/introduction-to-i2p:1
https://lbry.bcow.xyz/@AlphaNerd:8/how-i-run-darknets-from-my-home-internet:2

noti2p · October 24, 2022, 3:49am

You are looking at torrent updates similar to SilverBlue and somewhere in the 3 digit range for i2p mirror locations. The sys-i2p is the easy part.

fsflover · October 24, 2022, 7:49am

We could go in small steps…

tanky0u · October 24, 2022, 12:29pm

Can you explain what you mean by “torrent updates” ? The update files are distributed using the torrent tech?

Geographical locations? Relative to where?

Isolator · October 29, 2022, 4:02am

i2p is even slower than ddosed tor mate
300KB max on top torrents

more precisely it would need an i2pd qube, because java router is an absolute abomination

Sorry, I don’t see this happening. File transfer over i2p sounds like an absolute nightmare. Imagine pulling 2GB template over i2p

Yes. The problem only is that you need a special torrent client specifically for i2p. And there is none really that works with i2pd and is somewhat stable. And official torrent client I2PSnark is integrated into a java router

Also, in general i2p router needs to be able to accept connection to work somewhat reliably, and that means port forwarding and nat hole punching.

noti2p · November 2, 2022, 7:50pm

Google does torrent updates for their servers.
I forgot which torrent client Silve Blue uses but some docs are here:
https://docs.fedoraproject.org/en-US/fedora-silverblue/updates-upgrades-rollbacks/
I did not use it in 3-4 years. I would have to reinstall and to give you that info or you can use their forum if there is one anymore.

tanky0u · November 3, 2022, 6:56am

At least with i2p, the bandwidth of the whole network increases as more users join in the network.
With Tor, the available bandwidth is not guaranteed to be provided by other benevolent people.

noti2p · December 10, 2022, 4:26am

Qubes OS: GUIX Overlay Debian 11 i2p Template and DVM

The password is: a

Magnet i2p Link:
magnet:?xt=urn:btih:754c5ff1c01bc6aec3c4df1258b118c3a2e520a4&dn=Qubes+OS+i2p+template+and+dvm&tr=http://tracker2.postman.i2p/announce.php

Postman Link: http://tracker2.postman.i2p/index.php?view=TorrentDetail&id=67717

Size: 6.1 GiB (6,577,838,080 bytes)
sha256sum: qubes-backup-2022-12-10T000205
554b60239a48f6882c4b312649802718dfec3fdf2b00b4297ce2b41a93e08782 qubes-backup-2022-12-10T000205

Security:
In the Qubes OS context, the template is 85% secure. This means that it is more secure than 85% of Qubes users templates. It is up to you to screw it up!
In the i2p context, a dvm will be around 42% secure. This means that 58% of i2p users have more secure setups.

Some Whys or FAQs:

What is it? It is a Guix overlay of Debian 11 Template updated. It has the OUTGOING Qubes functions INHIBITED. It has USB GPS support and GUIX NTP. Will mention some ops later.

Why the low i2p security? The learning curve is best at this level. Less secure or more secure will result in a longer learning curve. This is NOT as secure as a VM based on a HVM template of an OS that you REALLY KNOW!

How much testing has been done? 2 years but of course Qubes developers and GUIX maintainers can screw you in one swipe.

How I use it:

This is my default template and DVM.
I start sys-net with sudo gufw and enable firewall (DENY-DENY).
Dito for sys-firewall.

I start sys-usb that is connected to sys-firewall with sudo etherape and check that only NTP connection and ICMP are displayed. I start terminal in sys-usb and run the command cgps. If my Time Offset is 0.0*, I run in Dom0 terminal sudo qvm-sync-clock (the USB qube is my time VM). If you are a jack-ass and don’t have accurate time use Google TimeSync (available in Documents of dvm) and it will put you around 0.3 seconds accuracy range which is just below time attacks (Do you feel lucky, PUNK?).

I don’t have a sys-whonix but some other similar arrangements. If you use sys-whonix clone and run sudo apt remove thunar and sudo apt autoremove when the Finish connection to Tor appears. That will inhibit some Qubes function in that dvm and make it secure for Qubes updates.

Yes I also use it for default-mgm-dvm.

The i2p part should be self explanatory. You have Dillo and Icecat already configured. DO NOT INSTALL the i2p+ router or run i2pd in the actual DVM but in the disp*.

I do expect some level of knowledge and testing before comments. I will NOT support this contraption for long because I’m not your bitch. I did it only for my own benefit. The safer and more knowledgeable, you are the better it is for me.

The template is ready now you need the Mosquitto messenger for the update network.

enmus · December 10, 2022, 5:10pm

Why it is and how connected to sys-firewall?

How did you measure this?

And this?

In Qubes, or…?

Isn’t PVH actually more secured?

What function, and how it’ll make it more secure?

Sven · December 10, 2022, 9:01pm

Please use this as an exercise in critical thinking.

Have a look at past contributions by @i2p
Ask yourself how believable any of this is including the oddly precise percentages of improvement in security without ever even eluding to how one would measure such a thing.

noti2p · December 11, 2022, 5:27pm

Gestapo Sven I guess. Do you run a fleet of i2p routers with Mosquito messengers/servers? Why don’t you create an i2p template and DVM run a fleet of routers before you just attack my credibility. Facebook is hiring former moderators such as yourself. Twiteer is firing people like you. Put out a secure Template if you crap yourself.

rustybird · December 11, 2022, 5:57pm

Your credibility? Even your name @i2p is stolen valor.

noti2p · December 12, 2022, 2:28am

To test your i2p router security. You open etherape and attack the routers available. Can your router withstand the same attacks? You get a percentage.
To test Qubes VMs and templates you get a malware list or go to sites that are on the block lists. You get a percentage.

I would like people that are not on i2p to stay out of it. Gestapo Sven was stripped of his moderator badge and likes power trips. I have no idea about Rusty but seems to be in the same league. Download and test the template. SB might stand from Silver Blue. i2p people know!

Sven · December 12, 2022, 2:29am

I linked to a summary or your past contributions and pointed out that you haven’t described HOW you arrived at your claims. In my memory that is somewhat of a theme with your posts. I wouldn’t call this an attack but a request to establish your credibility.

The issue with your account name on the other hand is that you give the impression to represent a project, which I am not sure you have any right to do. That is in fact something we don’t want here and we have asked users in the past to clarify or change their alias. Would you please provide information to @deeplow or another moderator of your choice that you are authorized to speak for the i2p project? If that’s not the case please change your alias.

Contrary to your impression I am neither a moderator (in this and most other categories) nor an admin of this forum. I also do not speak for this or any other project.

Although I was born and grew up in Germany, it wasn’t the half that had a Gestapo

Confused · December 12, 2022, 9:10pm

tanky0u · December 13, 2022, 6:37pm

Don’t care never asked. Started using i2p. Sue me.