Introducing sys-i2pd

The package (spec file in parent dir) is still missing (so the package is not yet published), but I was wondering (I have not compared solutions, just read this thread) about the differences between @unman’s implementation and this sys-i2p?

2 Likes

I hadn’t seen @unman work on this until now so, thanks for this @Insurgo! I’ve only reviewed Unman’s solution quickly now so, apologies in advance if there are any misstatements following …

The fundamental difference being the QT GUI frontend built from source pulled from GitHub via autostart which is leveraging i2pd in order to support on-the-fly config changes for those that enjoy extra dock icons. :grimacing: From the looks of things, Unman’s implementation uses i2p from the official Debian repos of the i2p project supplemented with firefox-esr to provide a frontend. Additionally, this implementation uses RPC allow rule(s) to support TCP connectivity while Unman’s uses nft/iptables rules. As well, I’m sure I’ve missed a few things.

That said, Unman is THE man and, I’ve got nothing but respect and gratitude for dude. He’s a legend for sure. I trust his work over mine any day so, I’ll probably see how I can make improvements or ditch it altogether depending on how useable Unman’s is for me.

4 Likes

Update:


In lieu of Unman’s effort, the project/repo have been renamed to sys-i2pd in order to avoid confusion. Most references to i2p within this thread, made by myself can effectively be replaced with i2pd (ie: sys-i2p would become sys-i2pd).

1 Like

Great! Things are definitely getting better and improving. Two more left. I hope they’ll come soon, so users in the know wouldn’t need to customize them themselves (dvm-template and policy). Thanks again for this nice and quick solution.

1 Like

Two more what? Please STOP posting in this thread before you’ve tested the solution and without value. From the handful of days I’ve been signed up on this forum, I’m amazed that moderators let you sink the overvalue time and time again.

If I understand @enmus points, outside of trying to interpret FUD or jump in non-constructive criticism, without having tested your solution nor @unman and having passed literally less than 5 minutes comparing codebases:

@cayce this would be @enmus first point (I agree with this one if an additional policy file is created instead of modifying central 30 user policy file. Otherwise it created confusion for other projects already which I guess is base of what I see as constructive criticism).

@cayce that would be @enmus second criticism which without testing/deeper review, I cannot comment on as of now. But my curiosity is poked, I will do check and comment later. Hope constructive comments are welcome, since the tone of this thread is not that welcoming for others to comment?

This contribution is welcome @cayce ! No doubt there!

Edit: @cayce you should modify links in OP to point to renamed project

2 Likes

I’ve already addressed this within the salt formula (which a certain somebody can’t seem to bother reading before postulating), policy file is created if non-existent and appended when present. As stated previously, if existing; the policy is simply updated via the tee -a (append) command. What @enmus would like is an automagical script that determines any user’s customization of policy files and modify that. Because an existing, alternately named policy file would be an indication of an “advanced user”, modifying the source to accommodate such is left up to said “advanced user”.

I already tried but, ability to edit seems to be disabled after some days. For now, I’ve done what I can to highlight the issue by changing the thread’s “solution”. I’ve already flagged it for moderation with an explanation of the desired changes. Hoping the request will be seen sooner than later.

Hope constructive comments are welcome, since the tone of this thread is not that welcoming for others to comment?

Of course it is but, I probably won’t be sticking around/contributing too much longer based on the lack of moderation. It’s just holiday season so, kind of bored and trying to make myself useful somewhere. If I wanted interaction like what I’ve seen over the past few days, I’d be on 4chan.

1 Like

Even if something could be read like this in what I wrote, it wasn’t my intention and I apologize. I was rather referring to official docs, for which I am sure you read it too.

You can summon @deeplow to do that for you, or better, to create wiki from the OP, so it could be modified accordingly.

1 Like

You did it. I already kindly asked you not to give up. Because you have things to offer. I sincerely hope it won’t pass another 5-6 years to your next Github repo.

Again, you are continuing with your uninformed, disrespectful arrogance wasting bandwidth. If you had the wherewithal to bother implementing the solution or reading the source you would already know that the policy IS in fact updated. If any user has chosen another location for policy updates, they are free to adjust the source with their favorite text editor to achieve said goal.

1 Like

And I never implied that I expected you to change your script there.

What you did is suggest that a solution wasn’t in place which, in fact, is, which you would know if you posted based on understanding & comprehension as opposed to uninformed ignorance.

As I and many others have asked you countless times publicly & privately, STOP posting without value.

Trust me when I make it clear to you that you are NOT a motivator, quite literally the opposite.

Hmm checked both codebases quickly and it seems that @unman’s implementation is actually never calling in.sh script to open up ports.

I got curious, on my phone here waiting for Christmas people to arrive and checked, but trying (failing now) to get away from the screen for a forced retreat.

But I might try both implementations.
The thing I like about unman’s approach is that even if he said he would never package salt recipes, he’s actually doing it. What makes it amazing is that one can actually (not for i2p now as said above) normally install/uninstall/update salt policies deployed directly from dom0 which eases UX next level, which is quite needed now. It’s nice to simply read a spec file to understand what salt recipes are called, how and when to quickly jump into the recipes themselves and then inspect code and do review online.

As said I will try to take the time to test both implementations. I’m getting sick of tor for personal reasons and would love alternatives to get more accessible. And those projects are exactly that.

@cayce Not sure Bob and timestamps to 1999 are relevant. Other comment: I love unman’s approach with in.sh (if it was called) where http proxy only seems limited, yet again last time I played with i2p was years ago, and “play” is the right term, considering it as a toy back then. Those projects make it easier to deploy and use, if bar to deployment was eased. I would invite you to challenge unman’s implementation through GitHub issues if you will from your common experience this i2p deployment would be definitely more solid and enjoyable from a UX perspective.

Keep up the good work! And Merry Christmas!

Eventually,

qubes.ConnectTCP * untrusted @default allow target=sys-i2pd

should be the default policy entry, leaving users to customize it to their will/needs, and I’ll stop here.

Merry Christmas.

There are a few points available for hardening within the solution I posted. This being one of them.

This would have been made clear in the git Wiki by now had I not had to exhaust soooooo much time addressing your ignorance.

Yet again, you CONTINUE posting out of ignorance. The example you’ve copy/pasted from the docs speaks to a qube with the name of untrusted which, I nor others very well may NOT have implemented thus, would NOT work out of the box for many.

How a user would like to tighten this up would be something more like:

qubes.ConnectTCP +4444 @dispvm:<USERS_PREFERED_I2P_DISPVM_HERE> sys-i2pd allow

Upon initial testing this failed to work as, this convention doesn’t seem to work for source, nor did @dispvm.

Because which VM a user would like to leverage is an unknown, @anyvm was chosen as default to allow users to get up and running, leaving the exercise of the selection of which hosts to allow access to the i2p proxy.

The only threat I could imagine is malware phoning home to C2 via the i2p proxy but, this would be a task for the user’s IDS to identify. If this were the case; said user has bigger issues with supply chain than a single outbound port being poked.

Furthermore, despite the allow rule being @anyvm; the only VMs which are actually able to pass traffic successfully through the open proxy are those which have sys-i2p (now sys-i2pd) selected as the NetVM. Thus, I’m comfortable with managing the risk by only attaching this NetVM to designated minimal DispVMs.

I prefer Ansible over SaltStack for deployment management but, maybe I’ll work on adding a spec file per your request if it could improve the informed user experience. The existing install.sh/uninstall.sh ought to offer the clarity & control you are after.

@Insurgo

I encourage you to try the solution out and provide some feedback. Thus far, for browsing it works a treat out of the box and, as I stated upthread, I’m comfortable with the threat profile.

@enmus

FFS or, for the love of Jehovah, respect something other than your compulsion to top-post at least until you’ve actually implemented the solution!!!

THIRTY POSTS, with little to no informed feedback. May this thread serve as an example of the “noise” you generate.

I tried of course, but it didn’t work.

What a surprise! @enmus top-posting for the sake of top-posting, AGAIN! Thank you Jesus for this xmas blessing!

Which part did you not follow instructions and thus, “didn’t work”?

Create an issue on github or it didn’t happen.

Offtopic

I tried to be polite and to respond when you mention me. I’ll stay away from this topic.

1 Like
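
The policy trade-off argued over in this thread (an `@anyvm` allow rule versus a rule naming one source qube and one port) can be checked mechanically. The following is an added example, not part of any post or of the sys-i2pd repository: it audits policy text for broad `qubes.ConnectTCP` allow rules. The field order is taken from the two policy lines quoted in the thread and is an assumption beyond them; the qube name `i2p-dvm` and the sample policy are constructed.

```python
# Added example: flag broad qubes.ConnectTCP "allow" rules in qrexec policy text.
# Assumed field order (from the lines quoted in the thread):
#   service  argument  source  target  action  [key=value params]

# Constructed sample policy; "i2p-dvm" is a hypothetical qube name.
SAMPLE_POLICY = """\
# constructed sample
qubes.ConnectTCP * @anyvm sys-i2pd allow
qubes.ConnectTCP +4444 i2p-dvm sys-i2pd allow
qubes.ConnectTCP * untrusted @default allow target=sys-i2pd
qubes.ConnectTCP * @anyvm @anyvm deny
"""


def parse_rule(line):
    """Return a dict for one rule line, or None for blanks, comments, short lines."""
    line = line.strip()
    if not line or line.startswith("#"):
        return None
    fields = line.split()
    if len(fields) < 5:
        return None
    service, argument, source, target, action = fields[:5]
    params = dict(p.split("=", 1) for p in fields[5:] if "=" in p)
    # A target= parameter redirects the call, as in the "@default" line above.
    return {"service": service, "argument": argument, "source": source,
            "target": params.get("target", target), "action": action}


def audit(policy_text, service="qubes.ConnectTCP"):
    """Return (line number, effective target, reasons) for each broad allow rule."""
    findings = []
    for lineno, line in enumerate(policy_text.splitlines(), 1):
        rule = parse_rule(line)
        if rule is None or rule["service"] != service or rule["action"] != "allow":
            continue
        reasons = []
        if rule["source"] == "@anyvm":
            reasons.append("any qube may connect")
        if rule["argument"] == "*":
            reasons.append("any port")
        if reasons:
            findings.append((lineno, rule["target"], reasons))
    return findings


if __name__ == "__main__":
    for lineno, target, reasons in audit(SAMPLE_POLICY):
        print(f"line {lineno}: -> {target}: {', '.join(reasons)}")
```
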