adrelanos / whonix-i2p Goto Github PK

See https://forums.whonix.org/t/i2p-integration/4981 for more Informations

Create a separate Gateway (TemplateVM&) ProxyVm and Workstation (TemplateVM&) AppVM Installing I2P

We’ll install I2P using the Debian packages.

Before adding the repo https://geti2p.net/en/download/debian2, fetch the key and verify https://geti2p.net/_static/i2p-debian-repo.key.asc fingerprints.

The output at the moment is:

pub  4096R/0x67ECE5605BCF1346 2013-10-10 I2P Debian Package Repository <[email protected]>
      Key fingerprint = 7840 E761 0F28 B904 7535  49D7 67EC E560 5BCF 1346

Download key with scurl to home folder.

scurl -o i2p-debian-repo.key.asc https://geti2p.net/_static/i2p-debian-repo.key.asc

Check fingerprints/owners without importing anything.

gpg -n --import --import-options import-show i2p-debian-repo.key.asc

If it looks good add it to APT's Keyring

sudo apt-key add i2p-debian-repo.key.asc

For Whonix 13 using Debian stable:

echo -e "deb https://deb.i2p2.de/ jessie main\\ndeb-src https://deb.i2p2.de/ jessie main" | sudo tee /etc/apt/sources.list.d/i2p-release.list > /dev/null

For Whonix 14 using Debian Stretch

echo -e "deb https://deb.i2p2.de/ stretch main\\ndeb-src https://deb.i2p2.de/ stretch main" | sudo tee /etc/apt/sources.list.d/i2p-release.list > /dev/null

Update Packages

sudo apt-get update

Install I2P, its dependencies and (optional) iceweasel:

sudo apt-get install i2p i2p-keyring iceweasel

Configure I2P as a service that automatically runs when your system boots, set the amount of Ram to your needs and leave the User as i2psvc

sudo dpkg-reconfigure i2p

Make the I2P folders persistent in the ProxyVM by adding the following to /usr/lib/qubes-bind-dirs.d/40_qubes-whonix.conf

binds+=( '/etc/i2p' )
binds+=( '/var/lib/i2p/i2p-config/' )

Edit the firewall rules

Add the settings to the Whonix-Firewall User config /etc/whonix_firewall.d/50_user.conf (Uncomment any SocksPort you dont need)

NO_NAT_USERS+=" $(id -u i2psvc)"
SOCKS_PORT_I2P_BOB=2827
SOCKS_PORT_I2P_TAHOE=3456
SOCKS_PORT_I2P_WWW=4444
SOCKS_PORT_I2P_WWW2=4445
SOCKS_PORT_I2P_IRC=6668
SOCKS_PORT_I2P_XMPP=7622
SOCKS_PORT_I2P_CONTROL=7650
SOCKS_PORT_I2P_SOCKSIRC=7651
SOCKS_PORT_I2P_SOCKS=7652
SOCKS_PORT_I2P_I2CP=7654
SOCKS_PORT_I2P_SAM=7656
SOCKS_PORT_I2P_EEP=7658
SOCKS_PORT_I2P_SMTP=7659
SOCKS_PORT_I2P_POP=7660
SOCKS_PORT_I2P_BOTESMTP=7661
SOCKS_PORT_I2P_BOTEIMAP=7662
SOCKS_PORT_I2P_MTN=8998

Now reload the Whonix Firewall

sudo /usr/bin/whonix_firewall

Add these Lines to /var/lib/i2p/i2p-config/router.config to Reseed via Tor, disable Logs and UPNP

stat.full=false
stat.logFile=stats.log
stat.logFilters=
stat.summaries=
i2np.upnp.enable=false
router.reseedProxy.authEnable=false
router.reseedProxyEnable=false
router.reseedSSLDisable=false
router.reseedSSLProxy.authEnable=false
router.reseedSSLProxyEnable=true
router.reseedSSLProxyHost=127.0.0.1
router.reseedSSLProxyPort=9050
router.reseedSSLProxyType=SOCKS5
router.reseedSSLRequired=false

Disable the Outproxy

We don’t want to access the Clearnet with I2P run the following to disable Outproxies

Remove the outproxy from the tunnel on port 4444

sed -i '/^.*tunnel\.0\.\(proxyList\|option\.i2ptunnel\.httpclient\.SSLOutproxies\)/d' "/var/lib/i2p/i2p-config/i2ptunnel.config"

Disable the https outproxy (port 4445)

sed -i 's|^.*\(tunnel\.6\.startOnLoad\).*|\1=false|' "/var/lib/i2p/i2p-config/i2ptunnel.config"

Changing I2P’s listening interface

I2P listens for connections on 127.0.0.1. This won’t work for us since we want to access I2P from the Workstation. We’ll setup I2P to listen on the Gateway IP, which could be 10.137.x.10 depending on the Whonix version that you’re using. Note: By the time we’re finished here, you will be able to access I2P from the workstation via 127.0.0.1 as well.

GATEWAYIP=$(ip addr | grep 'eth1' | grep -v 'BROADCAST' | cut -d / -f 1 | awk '{print $2}') sudo sed -i "s/\(.*interface=\).*/\1$GATEWAYIP/g;s/\(.*targetHost=\).*/\1$GATEWAYIP/g" /var/lib/i2p/i2p-config/i2ptunnel.config

sudo sed -i "s/127\.0\.0\.1/$GATEWAYIP/g" /var/lib/i2p/i2p-config/clients.config echo -e "susimail.host=$GATEWAYIP" | sudo tee /var/lib/i2p/i2p-config/susimail.config > /dev/null

change the Router console listening IP back to localhost

sudo sed -i "s/clientApp\.0\.args\=7657 \:\:1\,$GATEWAYIP/clientApp\.0\.args\=7657 \:\:1\,127\.0\.0\.1 \./g" /var/lib/i2p/i2p-config/clients.config

Install Privoxy

sudo apt-get install privoxy

Edit the /etc/privoxy/config add i2p forwarding

forward .i2p 127.0.0.1:4444
accept-intercepted-requests 1
max-client-connections 512

if you want to use Zeronet add the Line below

forward .bit 127.0.0.1:43110

uncomment the line below to use the trust mechanism

trustfile trust

change the line below to enforce the trust mechanism and restart privoxy

enforce-blocks 0 to 1

Edit the newly created file and add the lines below:

kdesudo kwrite /etc/privoxy/trust

~*.i2p
~.torproject.org

Forwarding Whonix-Workstations Ports to Whonix-Gateway local Ports

Open /etc/anon-ws-disable-stacked-tor.d/50_user.conf with a editor in your Worksation-Template and insert the following:

I2P_PORTS="2827 3456 4444 4445 6668 7622 7650 7651 7654 7656 7658 7659 7660 7661 7662 8998 8118"

for i2p_port in $I2P_PORTS ; do
   $pre_command socat TCP-LISTEN:$i2p_port,fork,bind=127.0.0.1 TCP:$GATEWAY_IP:$i2p_port &
done

Edit TorBrowser to use Privoxy

Open the TorBrowser enter about:config and change these Settings

extensions.torbutton.use_nontor_proxy;true
network.proxy.no_proxies_on;0
network.proxy.http;127.0.0.1
network.proxy.http_port;8118
network.proxy.socks;         <--(blank)