I2pd netvm based on debian guide

This guide demonstrates how to set up i2pd as a netvm, allowing you to easily proxy traffic through the i2p network to access the clearnet or i2p services. This significantly enhances security and privacy.

This method is an improved implementation compared to I2pd netvm guide, utilizing debian-12 and avoiding the outdated i2pd-qt and archlinux community template.

Installation

  1. First, you need a debian-12-xfce template VM.
  2. Clone this template and name it debian-12-xfce-i2pd.

Execute the following commands within debian-12-xfce-i2pd:

sudo apt install wget
wget -q -O - https://repo.i2pd.xyz/.help/add_repo | sudo bash -s -
sudo apt update
sudo apt install i2pd

This utilizes the i2pd team’s repository, which automatically provides the latest i2pd version.

  3. Proceed to install clash-verge-rev:

Visit Releases · clash-verge-rev/clash-verge-rev · GitHub to find the appropriate version of clash-verge-rev. This guide uses the latest stable version, v2.0.2. Ensure your debian-12-xfce-i2pd VM has a suitable netvm configured for internet access (you can download the .deb in another VM and transfer it to debian-12-xfce-i2pd).

wget https://github.com/clash-verge-rev/clash-verge-rev/releases/download/v2.0.2/Clash.Verge_2.0.2_amd64.deb
sudo apt install ./Clash.Verge_2.0.2_amd64.deb
shutdown now

Creating New appvm

Creating sys-i2pd-out


Execute the following commands within sys-i2pd-out:

sudo systemctl enable i2pd.service
sudo nft add rule ip qubes custom-input meta l4proto tcp ct state new,established tcp dport 4500 accept

Wait 10-20 minutes for i2pd to start accepting connections.

In another terminal tab, run the following command for simple monitoring:

watch curl --socks5-hostname 127.0.0.1:4447 acetone.i2p

Proceed to the next step once the above command receives a response.

Modifying Startup Commands

  1. Paste the following into /rw/config/rc.local:

#!/bin/bash
sudo nft add rule ip qubes custom-input meta l4proto tcp ct state new,established tcp dport 4500 accept

  2. Add the following to /rw/config/qubes-bind-dirs.d/50_user.conf:

binds+=( '/etc/i2pd' )

  3. Restart the sys-i2pd-out VM.
  4. Paste the following into /etc/i2pd/tunnels.conf:

[socks-outproxy-tcp]
type = client
address = 0.0.0.0
port = 4500
keys = transient-outproxy
destination = outproxy.acetone.i2p
destinationport = 1080
inbound.length = 1
outbound.length = 1
inbound.lengthVariance = 1
outbound.lengthVariance = 1

[socks-outproxy-udp]
type = udpclient
address = 127.0.0.1
port = 4500
keys = transient-outproxy
destination = outproxy.acetone.i2p
destinationport = 1080

You can modify some of these parameters if you need to use a different outproxy.

  5. Add the following to the [socksproxy] section of /etc/i2pd/i2pd.conf:

outproxy.enabled = true
outproxy = 127.0.0.1
outproxyport = 4500

  6. Restart the sys-i2pd-out VM.

Creating sys-i2pd-in


Open a terminal and type clash-verge to launch the application.



  1. Create a new profile in the Clash Verge application:
  2. Edit proxy settings:
  3. Enable the proxy in Proxies > Global.
  4. Enable autostart in Setting > System Setting > Auto Launch.

Adding Firewall Rules (Kill Switch)

Execute the following commands in dom0:

qvm-firewall sys-i2pd-in reset
qvm-firewall sys-i2pd-in add accept <sys-i2pd-out-ip-here> dstports=4500 proto=tcp
qvm-firewall sys-i2pd-in del --rule-no 0

Additional Information

Verification

Create a new test VM and select sys-i2pd-in as its netvm to verify network functionality. You should be able to access both .i2p services and the clearnet.


Donation

I’m still considering this.

References

Unofficial Qubes OS Discussion Group

Welcome to join!

4 Likes
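Added example, not part of the original post and not i2pd or Qubes project code: a small consistency check for the three places in the guide above that must agree on the outproxy port (the nft rule, the client tunnel in tunnels.conf, and the [socksproxy] section of i2pd.conf). The function name `check_outproxy_chain` and the `__top__` section are hypothetical, the embedded configs are constructed and abridged from the guide, and the check assumes i2pd binds a client tunnel to 127.0.0.1 when no address is set.

```python
import configparser

# Constructed sample input: abridged copies of the two files from the guide.
TUNNELS_CONF = """\
[socks-outproxy-tcp]
type = client
address = 0.0.0.0
port = 4500

[socks-outproxy-udp]
type = udpclient
address = 127.0.0.1
port = 4500
"""
I2PD_CONF = """\
[socksproxy]
outproxy.enabled = true
outproxy = 127.0.0.1
outproxyport = 4500
"""

def _parse(text):
    # i2pd.conf can hold keys before the first section; park them in a dummy one.
    cp = configparser.ConfigParser(strict=False, interpolation=None)
    cp.read_string("[__top__]\n" + text)
    return cp

def check_outproxy_chain(i2pd_conf, tunnels_conf, nft_port):
    """Hypothetical helper: return a list of problems, empty if consistent."""
    main, tunnels = _parse(i2pd_conf), _parse(tunnels_conf)
    if not main.has_section("socksproxy"):
        return ["i2pd.conf has no [socksproxy] section"]
    socks, problems = main["socksproxy"], []
    if socks.get("outproxy.enabled", "false").lower() != "true":
        problems.append("outproxy.enabled is not true")
    port = socks.get("outproxyport", "")
    # Only 'client' (TCP) tunnels on the outproxy port can serve as the SOCKS hop.
    tcp = [tunnels[s] for s in tunnels.sections()
           if tunnels[s].get("type") == "client" and tunnels[s].get("port") == port]
    if not tcp:
        problems.append(f"no client tunnel listens on outproxyport {port!r}")
    for t in tcp:
        # Assumption: i2pd binds client tunnels to 127.0.0.1 when address is unset.
        if t.get("address", "127.0.0.1").startswith("127."):
            problems.append(f"[{t.name}] is loopback-only; sys-i2pd-in cannot reach it")
    if str(nft_port) != port:
        problems.append(f"nft rule opens {nft_port}, outproxyport is {port!r}")
    return problems
```

Run it inside sys-i2pd-out against the contents of /etc/i2pd/i2pd.conf and /etc/i2pd/tunnels.conf, passing the port used in the rc.local nft rule; an empty list means the three settings line up.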

This doesn’t work for me. Not sure why. I’ve triple-checked that everything is exact, but it still doesn’t work.

1 Like

Hi, thank you for your guides!

I am unable to get a connection in sys-i2pd-in. I can access the i2p console & eepsites in sys-i2pd-out, but once I enable the clash verge global proxy in sys-i2pd-in I have no connection.

I remade the qubes a couple of times, and I actually tried this back when you posted the archlinux version and failed there too.

Hopeful we can get this figured out.

1 Like

The problem may be that you didn’t enter the IP address of sys-i2pd-out correctly. If you can use Telegram, please come to Telegram: Contact @qubeszh with me

1 Like

Please ignore the archlinux template in the image I borrowed; in fact I use the debian template, and I will fix this error.

1 Like

If you can’t solve this problem, you can solve it online with me at Telegram: Contact @qubeszh

1 Like