I would like to have a sys-i2p qube that I can use to browse the i2p network. Here is a rough wishlist of what I expect to have with this:
- Connect my i2p-dvm disposable template as its net qube. Thus, automatically route any dispXXX qubes that are spawned from the i2p-dvm template through the i2p network, and allow the web browser that runs inside that dispXXX (for example, Mullvad Browser) to connect to eepsites.
- Have no clearnet connections whatsoever. Only connect to the i2p network; have no clearnet leaks, neither DNS nor anything else.
- Make it Debian 12 based. It can be a minimal one, but that's not an absolute necessity. The only thing I really, really want is that neither the sys-i2p qube nor the disposable qubes I create from the i2p-dvm template has any clearnet connectivity whatsoever.
Any takers for this task? I know in the past there has been an attempt by one of the community members (see the "Introducing sys-i2pd" thread) but that project is gone now. And I think we can come up with a new one that doesn't have any attached drama around it.
Let's use this thread for discussion about how we can create such a net qube according to the above-mentioned requirements.
I just found this link: HowTo/Qubes – i2pwiki.mk16.de which states the following:
## I2P in a ProxyVM
This is a basic guide that can probably be improved.
1. Create the ProxyVM that will run I2P. Debian or Fedora-minimal would be a good template to create it from.
2. Install I2P and forward ports.
   * Port forwarding instructions can be found at the Qubes-OS website: [onion address](https://web.archive.org/web/20211130081927/http://qubesos4rrrrz6n4.onion/doc/firewall/), [clearnet address](https://web.archive.org/web/20211130081927/https://www.qubes-os.org/doc/firewall/).
3. Edit the ProxyVM startup scripts. Firewall rules must be added to /rw/config/qubes-firewall-user-script when using a ProxyVM. Use /rw/config/rc.local for non-firewall startup commands.
   * List the existing iptables rules. New rules on the INPUT chain need to be inserted after rule 4.
     ```sh
     $ sudo iptables -S
     ```
   * Example additions to qubes-firewall-user-script. Add rules for port forwarding before you add these rules.
     ```sh
     # Flush forwarding chain rules and set the policy to DROP (a chain policy
     # must be a built-in target; REJECT is not accepted by iptables -P).
     # This should prevent accidental leaks from any connected AppVM.
     iptables -F FORWARD
     iptables -P FORWARD DROP
     # INPUT chain rules to allow connections from the AppVM.
     # See http://i2p-projekt.i2p/en/faq#ports (archived: https://web.archive.org/web/20211130081927/http://i2p-projekt.i2p/en/faq#ports) for a list of local I2P ports.
     # The address in "-s 10.137.x.x" will be that of anon-i2p.
     iptables -I INPUT <rule#> -s 10.137.x.x -p tcp --dport 4444 -j ACCEPT ## HTTP proxy
     iptables -I INPUT <rule#> -s 10.137.x.x -p tcp --dport 7654 -j ACCEPT ## console
     iptables -I INPUT <rule#> -s 10.137.x.x -p tcp --dport 7656 -j ACCEPT ## SAM
     iptables -I INPUT <rule#> -s 10.137.x.x -p tcp --dport 6668 -j ACCEPT ## irc
     ```
4. Change I2P's address bindings for desired services and tunnels.
   * Example clients.config settings:
     ```
     clientApp.0.main=net.i2p.router.web.RouterConsoleRunner
     clientApp.0.name=I2P Router Console
     clientApp.0.args=7657 0.0.0.0 ./webapps/
     ```
   * Example i2ptunnel.config settings:
     ```
     tunnel.0.description=HTTP proxy for browsing eepsites and the web
     tunnel.0.interface=0.0.0.0
     tunnel.0.listenPort=4444
     tunnel.0.name=I2P HTTP Proxy
     ```
5. Create an AppVM using the I2P ProxyVM for network access.
6. Configure programs in the AppVM to connect to the ProxyVM. For example, in a browser, use the ProxyVM's address for the HTTP proxy and webconsole.
I have some questions about it:
- About this part:
  ```sh
  iptables -I INPUT <rule#> -s 10.137.x.x -p tcp --dport 4444 -j ACCEPT ## HTTP proxy
  iptables -I INPUT <rule#> -s 10.137.x.x -p tcp --dport 7654 -j ACCEPT ## console
  iptables -I INPUT <rule#> -s 10.137.x.x -p tcp --dport 7656 -j ACCEPT ## SAM
  iptables -I INPUT <rule#> -s 10.137.x.x -p tcp --dport 6668 -j ACCEPT ## irc
  ```
  Do I add as many 10.137.x.x IP addresses as the number of qubes I want to route through this sys-i2pd?
- How does more than one qube routing its internet connection through sys-i2pd play with each other? Is there something like a tangling up of i2p tunnels between the isolated qubes that would pose some infosec harm?
Tried setting up sys-i2pd, and failed.
It is kinda complicated. Especially the iptables stuff. I have no idea how it works nor how to set them up properly.
The problems are:
- how to forward the relevant HTTP, SAM, SOCKS ports from the sys-i2pd to the target appVM
- how to do the above but now with the disposable template VM. Do I need a dynamic way to assign internal IPs to the iptables setup of sys-i2pd each time a new dispXXXX (which uses sys-i2pd as its net qube) gets summoned?
- on sys-i2pd, how to constrain its internet access only to what the i2pd daemon connects to? I don't want to have a clearnet connection from the sys-i2pd going out, ever. So the only outgoing internet comms should be through i2pd in sys-i2pd. How to achieve that?
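A firewall script that covers step 3 of the quoted wiki and the three problems listed in the post above (exposing the client ports, disposables whose 10.137.x.x address changes every time, and no clearnet from sys-i2p itself), as an added example that is not from the thread or the wiki. It assumes an iptables-based Qubes net qube as in the wiki, attached qubes arriving on vif* interfaces, i2pd running as the system user `i2pd`, and a parametrised uplink interface and client port list.

```sh
#!/bin/sh
# /rw/config/i2p-firewall.sh -- added example, not from the thread or the wiki.
# Assumptions: iptables-based Qubes net qube (as in the quoted wiki), attached
# qubes arrive on vif* interfaces, i2pd runs as the system user "i2pd", and
# clients need only the HTTP proxy (4444) and SAM (7656) ports the wiki lists.
I2P_USER="${I2P_USER:-i2pd}"               # the only uid allowed to use the uplink
CLIENT_PORTS="${CLIENT_PORTS:-4444 7656}"  # ports attached qubes may open on sys-i2p
UPLINK="${UPLINK:-eth0}"                   # sys-i2p's interface towards sys-firewall

# Emit the policy as one iptables command per line so it can be reviewed first.
i2p_rules() {
    # 1. Never forward: an attached qube cannot reach clearnet through sys-i2p,
    #    and the DNS queries Qubes would DNAT upstream are forwarded traffic too.
    echo "iptables -F FORWARD"
    echo "iptables -P FORWARD DROP"
    echo "ip6tables -F FORWARD"
    echo "ip6tables -P FORWARD DROP"
    # 2. Attached qubes may reach only the I2P client ports. Matching the vif
    #    interface instead of a 10.137.x.x address covers every dispXXXX that
    #    is started later, so nothing has to be rewritten per qube.
    for port in $CLIENT_PORTS; do
        echo "iptables -I INPUT 1 -i vif+ -p tcp --dport $port -j ACCEPT"
    done
    # 3. Traffic generated inside sys-i2p: loopback and replies to attached
    #    qubes are fine; the uplink is for the i2pd uid only. apt, a stray
    #    resolver query or a browser started here by mistake all get rejected.
    echo "iptables -F OUTPUT"
    echo "iptables -A OUTPUT -o lo -j ACCEPT"
    echo "iptables -A OUTPUT -o vif+ -j ACCEPT"
    echo "iptables -A OUTPUT -o $UPLINK -m owner --uid-owner $I2P_USER -j ACCEPT"
    echo "iptables -A OUTPUT -o $UPLINK -j REJECT --reject-with icmp-admin-prohibited"
    echo "iptables -P OUTPUT DROP"
    echo "ip6tables -F OUTPUT"
    echo "ip6tables -P OUTPUT DROP"
}

# Apply the policy; sh -e stops at the first iptables command that fails.
apply_rules() {
    i2p_rules | sh -e
}

# Self-check: returns 0 when no ACCEPT rule lets a uid other than i2pd use the
# uplink, i.e. the generated policy has no clearnet path besides the router.
no_uplink_except_i2pd() {
    ! i2p_rules | grep -F -e "-o $UPLINK" | grep -F -e "-j ACCEPT" \
        | grep -qvF -e "--uid-owner $I2P_USER"
}

# qubes-firewall-user-script can simply run: /rw/config/i2p-firewall.sh apply
case "${1:-}" in apply) apply_rules ;; esac
```

Run `sh i2p-firewall.sh` without arguments to see the rules without applying them; the `-m owner` match only exists on the OUTPUT chain, which is why the uid restriction is placed there. Qubes 4.2 moved net qubes to nftables, so on that release the same policy has to be expressed in nft rather than with these iptables commands.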