Request for a sys-i2pd setup guide

I would like to have a sys-i2p qube that I can use to browse i2p network. Here are some rough wishlist that I expect to have with this:

  1. Connect my i2p-dvm disposable template as its net qube. Thus, automatically route any dispXXX qubes that are spawned from i2p-dvm template through the i2p network, allow the web browser that runs inside that dispXXX (example, mullvad browser) to connect to eepsites.

  2. Have no clearnet connections whatsoever. Only connect to the i2p network, have no clearnet leaks, neither DNS nor anything else.

  3. make it debian 12 based. It can be a minimal one, but that’s not an absolute necessity. The only thing I really really want is that neither sys-i2p qube nor the disposable qubes I create from i2p-dvm template has not clearnet connectivity whatsoever.

Any takers for this task? I know in the past there has been an attempt by one of the community members (see “Introducing sys-i2pd” thread) but that project is gone now. And I think we can come up with a new one that doesn’t have anny attached drama around it.

Let’s use this thread for discussion about how we can create such a net qube accoding to the abovementioned requirements.


I just found this link: HowTo/Qubes – which states the following:

## I2P in a ProxyVM[[Bearbeiten](]

This is a basic guide that can probably be improved.

1. Create the ProxyVM that will run I2P. Debian or Fedora-minimal would be a good template to create it from.

2. Install I2P and forward ports.

* Port forwarding instructions can be found at the Qubes-OS website:

Onion address [[4]]( Clearnet address [[5]](

2. Edit the ProxyVM startup scripts. Firewall rules must be added to /rw/config/qubes-firewall-user-script when using a ProxyVM. Use /rw/config/rc.local for non-firewall startup commands.

* List the existing iptables rules. New rules on the INPUT chain need to be inserted after rule 4.

$ sudo iptables -S

* Example additions to qubes-firewall-user-script. Add rules for port forwarding before you add these rules.

# Flush forwarding chain rules, set policy to reject. This should prevent accidental leaks from any connected AppVM. 
iptables -F FORWARD 
# INPUT chain rules to allow connections from the AppVM. 
# See [http://i2p-projekt.i2p/en/faq#ports]( for a list of local I2P ports. 
# The address in "-s 10.137.x.x" will be that of anon-i2p. 
iptables -I INPUT <rule#> -s 10.137.x.x -p tcp --dport 4444 -j ACCEPT ## HTTP proxy 
iptables -I INPUT <rule#> -s 10.137.x.x -p tcp --dport 7654 -j ACCEPT ## console 
iptables -I INPUT <rule#> -s 10.137.x.x -p tcp --dport 7656 -j ACCEPT ## SAM 
iptables -I INPUT <rule#> -s 10.137.x.x -p tcp --dport 6668 -j ACCEPT ## irc

3. Change I2P's address bindings for desired services and tunnels.

* Example clients.config settings:

clientApp.0.main=net.i2p.router.web.RouterConsoleRunner Router Console 
clientApp.0.args=7657 ./webapps/

* Example i2ptunnel.config settings:

tunnel.0.description=HTTP proxy for browsing eepsites and the web 
tunnel.0.listenPort=4444 HTTP Proxy

4. Create an AppVM using the I2P ProxyVM for network access.

5. Configure programs in the AppVM to connect to the ProxyVM. For example, in a browser, use the ProxyVM's address for the HTTP proxy and webconsole.

I have some questions about it:

  1. iptables -I INPUT <rule#> -s 10.137.x.x -p tcp --dport 4444 -j ACCEPT ## HTTP proxy
    iptables -I INPUT <rule#> -s 10.137.x.x -p tcp --dport 7654 -j ACCEPT ## console
    iptables -I INPUT <rule#> -s 10.137.x.x -p tcp --dport 7656 -j ACCEPT ## SAM
    iptables -I INPUT <rule#> -s 10.137.x.x -p tcp --dport 6668 -j ACCEPT ## irc
    on this part do I add as many 10.137.x.x IP addresses as the number of qubes I want to route through this sys-i2pd?
  2. How does more than one qube routing its internet connection through sys-i2pd play with each other? Is there something like tangling up of i2p tunnels between the isolated qubes that would pose some infosec harm?

Tried setting up sys-i2pd, and failed.
It is kinda complicated. Especially the iptables stuff. I have no idea how it works nor how to set them up properly.

The problems are:

  • how to forward the relevant HTTP, SAM, SOCKS ports from the sys-i2pd to the target appVM
  • how to do the above but now with the disposable template VM. Do I need a dynamic way to assign internal IPs to the iptables setup of sys-i2pd each time a new dispXXXX (which uses sys-i2pd as its net qube) gets summoned
  • on sys-i2pd, how to constrain its internet access only to the what the i2pd daemon connects to? I don’t want to have a clearnet connection from the sys-i2pd going out, ever. So the only outgoing internet comms should be through i2pd in sys-i2pd. How to achieve that?