I would like to have a sys-i2p qube that I can use to browse the I2P network. Here is a rough wishlist of what I expect from it:
- Connect my i2p-dvm disposable template to it as its net qube. Thus, automatically route any dispXXXX qubes that are spawned from the i2p-dvm template through the I2P network, and allow the web browser that runs inside that dispXXXX (for example, Mullvad Browser) to connect to eepsites.
- Have no clearnet connections whatsoever. Only connect to the I2P network, with no clearnet leaks, neither DNS nor anything else.
- Make it Debian 12 based. It can be a minimal one, but that's not an absolute necessity. The only thing I really, really want is that neither the sys-i2p qube nor the disposable qubes I create from the i2p-dvm template has any clearnet connectivity whatsoever.
Any takers for this task? I know in the past there has been an attempt by one of the community members (see the "Introducing sys-i2pd" thread) but that project is gone now. And I think we can come up with a new one that doesn't have any attached drama around it.
Let's use this thread for discussion about how we can create such a net qube according to the above-mentioned requirements.
## I2P in a ProxyVM
This is a basic guide that can probably be improved.
1. Create the ProxyVM that will run I2P. Debian or Fedora-minimal would be a good template to create it from.
2. Install I2P and forward ports.
   * Port forwarding instructions can be found at the Qubes-OS website: onion address [[4]](https://web.archive.org/web/20211130081927/http://qubesos4rrrrz6n4.onion/doc/firewall/), clearnet address [[5]](https://web.archive.org/web/20211130081927/https://www.qubes-os.org/doc/firewall/).
3. Edit the ProxyVM startup scripts. Firewall rules must be added to /rw/config/qubes-firewall-user-script when using a ProxyVM. Use /rw/config/rc.local for non-firewall startup commands.
   * List the existing iptables rules. New rules on the INPUT chain need to be inserted after rule 4.
   ```
   $ sudo iptables -S
   ```
   * Example additions to qubes-firewall-user-script. Add rules for port forwarding before you add these rules.
   ```
   # Flush forwarding chain rules and set the policy to DROP. This should prevent accidental leaks from any connected AppVM.
   # (A chain policy can only be ACCEPT or DROP; "-P FORWARD REJECT" is rejected by iptables as a bad policy name.)
   iptables -F FORWARD
   iptables -P FORWARD DROP
   # INPUT chain rules to allow connections from the AppVM.
   # See http://i2p-projekt.i2p/en/faq#ports (archived: https://web.archive.org/web/20211130081927/http://i2p-projekt.i2p/en/faq#ports) for a list of local I2P ports.
   # The address in "-s 10.137.x.x" will be that of anon-i2p.
   iptables -I INPUT <rule#> -s 10.137.x.x -p tcp --dport 4444 -j ACCEPT ## HTTP proxy
   iptables -I INPUT <rule#> -s 10.137.x.x -p tcp --dport 7654 -j ACCEPT ## console
   iptables -I INPUT <rule#> -s 10.137.x.x -p tcp --dport 7656 -j ACCEPT ## SAM
   iptables -I INPUT <rule#> -s 10.137.x.x -p tcp --dport 6668 -j ACCEPT ## irc
   ```
4. Change I2P's address bindings for desired services and tunnels.
   * Example clients.config settings:
   ```
   clientApp.0.main=net.i2p.router.web.RouterConsoleRunner
   clientApp.0.name=I2P Router Console
   clientApp.0.args=7657 0.0.0.0 ./webapps/
   ```
   * Example i2ptunnel.config settings:
   ```
   tunnel.0.description=HTTP proxy for browsing eepsites and the web
   tunnel.0.interface=0.0.0.0
   tunnel.0.listenPort=4444
   tunnel.0.name=I2P HTTP Proxy
   ```
5. Create an AppVM using the I2P ProxyVM for network access.
6. Configure programs in the AppVM to connect to the ProxyVM. For example, in a browser, use the ProxyVM's address for the HTTP proxy and web console.
I have some questions about it:
```
iptables -I INPUT <rule#> -s 10.137.x.x -p tcp --dport 4444 -j ACCEPT ## HTTP proxy
iptables -I INPUT <rule#> -s 10.137.x.x -p tcp --dport 7654 -j ACCEPT ## console
iptables -I INPUT <rule#> -s 10.137.x.x -p tcp --dport 7656 -j ACCEPT ## SAM
iptables -I INPUT <rule#> -s 10.137.x.x -p tcp --dport 6668 -j ACCEPT ## irc
```
In this part, do I add as many 10.137.x.x IP addresses as the number of qubes I want to route through this sys-i2pd?
How do multiple qubes routing their internet connection through sys-i2pd play with each other? Is there something like a tangling-up of I2P tunnels between the isolated qubes that would pose some infosec harm?
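The two questions above (one rule per downstream IP, and how several qubes share the proxy) come down to the same firewall script. What follows is an added example, not the wiki's or the i2pd project's code: a qubes-firewall-user-script that admits the whole downstream subnet instead of individual 10.137.x.x addresses (so disposables need no per-qube rule and nothing has to be updated when a dispXXXX is spawned), drops all forwarding so a downstream qube never reaches the clearnet even if it ignores its proxy settings, and confines this VM's own egress to the i2pd process. It assumes an iptables-based VM (Qubes 4.1 and earlier; Qubes 4.2 switched to nftables, where the same policy is written in nft syntax), an i2pd service user named i2pd, the listeners 4444/4447/7656/7070, and the 10.137.0.0/16 client range; the IPT_DRY_RUN switch exists only so the rules can be previewed.

```shell
#!/bin/sh
# Added example of a /rw/config/qubes-firewall-user-script for a sys-i2p ProxyVM.
# Not from the thread or from i2pd. Assumptions: iptables (not the nftables of
# Qubes 4.2), i2pd running as system user "i2pd", listeners 4444 (HTTP proxy),
# 4447 (SOCKS), 7656 (SAM), 7070 (web console), downstream qubes in 10.137.0.0/16.

I2PD_USER="${I2PD_USER:-i2pd}"
CLIENT_NET="${CLIENT_NET:-10.137.0.0/16}"
I2P_PORTS="${I2P_PORTS:-4444 4447 7656 7070}"

# Wrapper: with IPT_DRY_RUN set, print the rule instead of applying it.
ipt() {
    if [ -n "${IPT_DRY_RUN:-}" ]; then
        printf 'iptables %s\n' "$*"
    else
        iptables "$@"
    fi
}

sys_i2p_rules() {
    # 1. No forwarding at all. Downstream qubes get no route to anything; they
    #    can only talk to the proxies in this VM. (DROP: a chain policy cannot
    #    be REJECT.)
    ipt -F FORWARD
    ipt -P FORWARD DROP

    # 2. Let the whole downstream subnet reach the local i2pd listeners, so a
    #    freshly spawned dispXXXX needs no per-IP rule. Position 5 places each
    #    rule after the four Qubes-managed INPUT rules the wiki guide mentions.
    for port in $I2P_PORTS; do
        ipt -I INPUT 5 -s "$CLIENT_NET" -p tcp --dport "$port" -j ACCEPT
    done

    # 3. Egress from this VM itself is confined to the i2pd process: loopback
    #    and replies to existing flows pass, new flows pass only when the
    #    originating socket belongs to the i2pd user, and everything else
    #    (DNS from any other process included) is dropped.
    ipt -A OUTPUT -o lo -j ACCEPT
    ipt -A OUTPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
    ipt -A OUTPUT -m owner --uid-owner "$I2PD_USER" -j ACCEPT
    ipt -A OUTPUT -j DROP
}

case "${1:-}" in
    apply)   sys_i2p_rules ;;
    preview) IPT_DRY_RUN=1; sys_i2p_rules ;;
esac
```

Run it with `preview` to see the rules, check `sudo iptables -S INPUT` first so that position 5 really lands after the four Qubes-managed rules, then install the script as /rw/config/qubes-firewall-user-script. Because FORWARD is dropped, downstream qubes cannot resolve names through Qubes' DNS forwarding either; the client must hand the hostname to the proxy (Firefox's "Proxy DNS when using SOCKS v5", or the HTTP proxy, which resolves .i2p names inside i2pd). "No clearnet" cannot mean no clearnet packets at all, since I2P peers are reached over ordinary UDP and TCP; what the owner rule enforces is that only the i2pd process, and nothing else in the VM, emits them. On the tangling question: every qube behind this proxy shares the single I2P destination of the proxy tunnel, so eepsites see them as one client, which is a linkability consideration rather than a tunnel-mixing one.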
Tried setting up sys-i2pd, and failed.
It is kind of complicated, especially the iptables stuff. I have no idea how it works nor how to set it up properly.
The problems are:
- how to forward the relevant HTTP, SAM and SOCKS ports from sys-i2pd to the target AppVM
- how to do the above but with the disposable template VM. Do I need a dynamic way to assign internal IPs to the iptables setup of sys-i2pd each time a new dispXXXX (which uses sys-i2pd as its net qube) gets summoned?
- on sys-i2pd, how to constrain its internet access to only what the i2pd daemon connects to? I don't want to have a clearnet connection going out from sys-i2pd, ever. So the only outgoing internet comms should be through i2pd in sys-i2pd. How to achieve that?
- why do you set up an outproxy? Is it possible to limit sys-i2pd to I2P destination connections ONLY?
- What is the leakage situation with your setup? How can you be sure that there is no clearnet connection leakage (from other applications running in the background, etc.)?
Other distros don't support AUR; it's harder to install custom software.
I don't want to reinstall software for each new Debian/Fedora version; a rolling release is better in my opinion.
I want to be able to use it with any software: ssh/telegram/jabber/etc… Probably you can configure it to use only the internal I2P network. But maybe for you it is better to just use browser + i2pd in the same qube to do what you want.
In the current setup sys-i2pd-in can only use the proxy for connections; I used a qvm-firewall killswitch for that purpose. But probably sys-i2pd-out really can leak some requests to the clearnet. Here I just trust the i2pd software; I use its proxy for every connection. Also you can check background leaks using wireshark/tcpdump.
For example, how does sys-whonix avoid leaks? Idk.
PS: They just use proxy + killswitch in the same qube, lol.
Can you also add the following points to his implementation, if possible/making sense/you can do it/etc.:
- no outproxy at all. sys-i2pd should be ONLY for connecting to b32.i2p URLs, not clearnet .tld addresses
- it should be able to work with qBittorrent running in some other qube. That is, let's say I run qBittorrent in qbit-qube and I use sys-i2pd as qbit-qube's net-vm. The qBittorrent in qbit-qube should be able to seed/leech torrents over the I2P network using http://tracker2.postman.i2p's tracker
Do these demands/wishes make sense? Can such a thing work? I don't know. All I know is that I want a qube in which I can run qBittorrent to seed/leech I2P torrents, and that has no clearnet connection leaks at all.
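The no-outproxy request (here and in the earlier question about why an outproxy is configured at all) and the background-leak check mentioned a few posts up are the sys-i2pd-side counterparts of the firewall rules. As an added example that is not from the thread or from i2pd: an i2pd.conf fragment that exposes the proxies and the SAM bridge (which qBittorrent's I2P support uses) to downstream qubes with no outproxy configured, so a clearnet hostname fails inside i2pd instead of being relayed, plus a small audit that reads `ss -tunap` output and flags any active flow not owned by the i2pd process. The key names follow i2pd's sample i2pd.conf as I know it and should be checked against the installed version; the ss output used for the demo is constructed.

```shell
#!/bin/sh
# Added example, not from the thread or from i2pd. Assumptions: i2pd.conf key
# names as in i2pd's sample config (verify against your version), downstream
# qubes in 10.137.x.x, and the audit fed by `ss -tunap` run as root.

# (1) Listeners bound to all interfaces so downstream qubes can reach them.
#     No "outproxy =" line anywhere: i2pd then refuses non-.i2p destinations
#     instead of relaying them to the clearnet.
write_i2pd_conf() {
    cat <<'EOF'
[httpproxy]
enabled = true
address = 0.0.0.0
port = 4444
addresshelper = true
# deliberately no "outproxy =" line

[socksproxy]
enabled = true
address = 0.0.0.0
port = 4447
outproxy.enabled = false

[sam]
enabled = true
address = 0.0.0.0
port = 7656

[http]
enabled = true
address = 0.0.0.0
port = 7070
EOF
}

# (2) Snapshot audit: print every non-loopback, non-listening socket whose
#     owning process is not the daemon (default "i2pd"). Input columns are
#     those of `ss -tunap`: Netid State Recv-Q Send-Q Local Peer Process.
#     This is a check, not enforcement; the owner-match firewall rule is the
#     enforcement, and transient unconnected UDP sockets are skipped here.
audit_sockets() {
    awk -v daemon="${1:-i2pd}" '
        NR == 1 { next }                                  # header line
        $2 == "LISTEN" || $2 == "UNCONN" { next }         # not a flow
        $6 ~ /^(127\.|\[::1\])/ { next }                  # loopback peer
        index($0, "\"" daemon "\"") == 0 {
            print $1, $5, "->", $6, ($7 ? $7 : "(no owner shown)")
        }
    '
}

# Constructed sample of `ss -tunap` output: two i2pd flows, one loopback flow,
# a DHCP socket, a listener, and one curl flow that must be flagged.
SAMPLE_SS='Netid State  Recv-Q Send-Q Local Address:Port Peer Address:Port Process
udp   ESTAB  0      0      10.137.0.21:20351 192.0.2.44:12345 users:(("i2pd",pid=612,fd=22))
tcp   ESTAB  0      0      10.137.0.21:44022 203.0.113.7:443 users:(("i2pd",pid=612,fd=30))
tcp   ESTAB  0      0      10.137.0.21:50312 198.51.100.9:443 users:(("curl",pid=901,fd=5))
udp   UNCONN 0      0      0.0.0.0:68 0.0.0.0:*
tcp   ESTAB  0      0      127.0.0.1:4444 127.0.0.1:40112 users:(("i2pd",pid=612,fd=41))
tcp   LISTEN 0      128    0.0.0.0:4444 0.0.0.0:* users:(("i2pd",pid=612,fd=20))'

case "${1:-}" in
    conf)  write_i2pd_conf ;;
    audit) ss -tunap | audit_sockets "${2:-i2pd}" ;;
    demo)  printf '%s\n' "$SAMPLE_SS" | audit_sockets ;;
esac
```

`sh sys-i2pd-tools.sh demo` prints only the curl flow; on the real VM, `sudo sh sys-i2pd-tools.sh audit` run a few times over a session (wireshark/tcpdump remain the tool of choice for a continuous capture) should print nothing at all once the owner-match firewall rule is in place. A flow from another process to a downstream 10.137.x.x qube is flagged too, which is intended: the only thing that should be talking to client qubes is i2pd.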
Too easy.
Make i2pd-template from the Fedora template, then install i2pd in the template.
The reason is that Fedora's applications are newer than Debian's.
qBittorrent v4.6 supports I2P and is in the Fedora repository, but Debian has v4.5.
Next, open 127.0.0.1:7070 in Firefox.
The i2pd router console appears in front of you.
If you want torrents over I2P, then go to http://tracker2.postman.i2p/ .
You can use torrents in the I2P network.
My point in starting this thread was this: I observed that without a sys-i2pd, I would be running i2pd in every one of my qubes that uses it. One qube for eepsite browsing would be running an instance of i2pd, and another qube in which I do torrenting over the I2P network would be running another instance of i2pd.
This seems redundant to me.
In Qubes-Whonix, you only have a sys-whonix, which runs the Tor daemon. And your qubes using it as the sys-net qube automatically use the Tor daemon's connections.
My inquiry with this thread was about mimicking this behavior, but for running i2pd.
@tanky0u
Make a template VM from the fedora-41-minimal template.
This template VM is called "i2pd-template".
Go to the dom0 terminal.
Input "qvm-run -u root i2pd-template xterm" in the dom0 terminal.
It runs xterm in i2pd-template.
Input "dnf install qubes-core-agent-networking qubes-core-agent-passwordless-root qubes-core-agent-thunar firefox i2pd qBittorrent" in the xterm of i2pd-template…
Input "shutdown -h now".
Click Open Qubes Application Menu.
Make an AppVM from i2pd-template, called "i2pd".
Click and run Firefox in i2pd.
Open 127.0.0.1:7070 in Firefox.
The i2pd router console appears in front of you.
If you want torrents over I2P, then go to http://tracker2.postman.i2p/ .
You can use torrents in the I2P network only.
i2pd is not running in other qubes.
This doesn't make sense. With your recipe, I will be having one qube running i2pd, Firefox and qBittorrent.
I specifically said: I want to have one sys-i2pd qube running the i2pd daemon, and other qubes using this as their sys-net, using sys-i2pd's i2pd daemon for Firefox, qBittorrent, IRC, etc.