Installation

First of all you have to install archlinux template. (You could install it using Template Manager)
After that, create archlinux-i2pd template VM

image757×458 32.9 KB

Execute these commands in archlinux-i2pd qube:

sudo pacman -S archlinux-keyring
sudo pacman-key --init
sudo pacman-key --populate archlinux
sudo pacman -S micro

uncomment line #ParallelDownloads = 5 in pacman configuration file:

sudo micro /etc/pacman.conf # (Ctrl+q for quit)

Continue installation

sudo pacman -Suy --noconfirm --needed base-devel git firefox
cd /tmp
git clone https://aur.archlinux.org/yay.git
cd yay
makepkg -si --noconfirm
yay --noconfirm -S i2pd-qt-git clash-verge-rev-bin
shutdown now

Create a new qube sys-i2pd-out

Execute commands in sys-i2pd-out:

mkdir -p ~/.config/autostart
cp /usr/share/applications/website.i2pd.i2pd.desktop .config/autostart/
mkdir -p ~/.i2pd
touch ~/.i2pd/tunnels.conf
touch /home/user/autostart.sh
chmod +x /home/user/autostart.sh
sudo nft add rule ip qubes custom-input meta l4proto tcp ct state new,established tcp dport 4500 accept
i2pd_qt

Now you should wait about 10-20 minutes, while i2pd starts accept connections

For simple monitoring execute in another terminal tab

watch curl --socks5-hostname 127.0.0.1:4447 acetone.i2p

When the command above returns response go to the next steps

Modify exec command. In file .config/autostart/website.i2pd.i2pd.desktop, replace Exec=i2pd_qt to Exec=/home/user/autostart.sh

Paste content below into file /home/user/autostart.sh:

#!/bin/bash
sudo nft add rule ip qubes custom-input meta l4proto tcp ct state new,established tcp dport 4500 accept
i2pd_qt

paste content below in .i2pd/tunnels.conf:

[socks-outproxy-tcp]
type = client
address = 0.0.0.0
port = 4500
keys = transient-outproxy
destination = outproxy.acetone.i2p
destinationport = 1080
inbound.length = 1
outbound.length = 1
inbound.lengthVariance = 1
outbound.lengthVariance = 1

[socks-outproxy-udp]
type = udpclient
address = 127.0.0.1
port = 4500
keys = transient-outproxy
destination = outproxy.acetone.i2p
destinationport = 1080

Add to section [socksproxy] in .i2pd/i2pd.conf:

outproxy.enabled = true
outproxy = 127.0.0.1
outproxyport = 4500

Restart sys-i2pd-out qube

Create a new sys-i2pd-in qube

In sys-i2pd-in execute:

mkdir -p .config/autostart
cp /usr/share/applications/Clash\ Verge.desktop .config/autostart/

image909×732 32.4 KB

image912×732 50.1 KB

image913×737 58.5 KB

Profiles > New > Type: Local > Save

image913×734 40.9 KB

MRB > Edit Proxies

image910×736 45.2 KB

Check the sys-i2pd-out qube IP in Qube Manager

image1920×1046 259 KB

Write socks5://<YOUR_IP>:4500 and click Save

image910×737 31.1 KB

Proxies > Global > undefined

image918×735 39.8 KB

Add killswitch, execute commands in dom0:

qvm-firewall sys-i2pd-in reset
qvm-firewall sys-i2pd-in add accept <sys-i2pd-out-ip-here> dstports=4500 proto=tcp
qvm-firewall sys-i2pd-in del --rule-no 0

thanks @solene for fix

Verify is it works

image834×648 22 KB

Optional create a new test qube and select sys-i2pd-in as a network qube

image1027×839 86.6 KB

Verify network

image833×611 22.9 KB

image984×676 72.7 KB

image1087×673 45.3 KB

More configuring options for i2pd avaliable here: Configuring - i2pd documentation

Thanks for reading

donations

• ETH 0xa8C72e40D17671695Eaf5D7A5aE5a965CB52F28
• BTC bc1qcqq5vu98g5zjds6e7c4j4af5v0zyg0z4qmlzu3
• USDT TRC20 TQa4HEayA7JpjTNCfReQ4zXBDevk9TRYor
• LTC ltc1qwhakmnj7mu9wry4u5lkzujf99g9h825fqp4730

Using the “firewall rules” tabs still allow DNS queries and ICMP to go through (it is explained at the bottom of the page)

You should use qvm-firewall from dom0 to block everything by default for that qube, then allow 10.137.0.33/32 on port tcp/4500

Ok thank you, i’ve fixed my guide using your solution from this thread Wireguard VPN setup
Now qvm-firewall sys-i2pd-in command response:

NO  ACTION  HOST            PROTOCOL  PORT(S)  SPECIAL TARGET  ICMP TYPE  EXPIRE  COMMENT
0   accept  10.137.0.33/32  tcp       4500     -               -          -       -

I posted some questions here: Request for a sys-i2pd setup guide - #7 by tanky0u

The two VMs do not need to allocate too much memory, 500mb is enough,

Note: I do not recommend that some users run i2pd directly in countries with strict Internet blockades because there are many honeypots, so please configure a pre-installed VPN

Cannot even install “micro”, getting 404 error… Template is connected to sys-firewall…

Make sure to update the entire system. Please ignore the errors for the corrupted files because they are irrelevant to this process.

Why do you use Archlinux-template?
My guide is using Debian-minimal as sys-i2pd, and Fedora-minimal as i2pd-workstation.
User don’t need Archlinux-template.

Already answered here Request for a sys-i2pd setup guide - #8 by anone381. And finally if you don’t like my solution you can do you own.

Something is wrong, Qubes Update fails too with the template…

In the archlinux machines, please install archlinux-keyring:

$ sudo pacman -S archlinux-keyring

This is to install the latest keyring first before updating the system.

If there is no errors, just continue with the guide.

"I’ve made a new implementation of this guide, which is based on debian-12 from I2pd netvm based on debian guide

Did I miss something & there is a preinstalled VPN option for any modern Qubes OS user?

No, you didn’t miss anything!
That said, there are many easy-to-follow guides to install the popular VPNs with their “Linux apps”, and any Wireguard/OpenVPN/IPsec tunnel with manual hardening/“kill switch”.

Hi there, I get an error when I restart my sys-i2pd-out qube the first time:

user@archlinux ~> i2pd_qt
unrecognised option 'outproxy.enabled'

what am I doing wrong?

I had the same issue, your i2pd.conf should look like this to work
.i2pd/i2pd.conf:

[socksproxy]
outproxy.enabled = true
outproxy = 127.0.0.1
outproxyport = 4500

Lets all love lain