{{Header}} {{Title|title= Invisible Internet Project (I2P) }} {{#seo: |description=I2P over Tor. Tunneling the I2P Anonymizing Network over the Tor Anonymizing Network. Connection Schema: Tor → I2P → Destination. |image=I2Pmainlogo.svg.png }} [[File:I2Pmainlogo.svg.png|I2P Logo|thumb]] {{intro| I2P over Tor. Tunneling the I2P Anonymizing Network over the Tor Anonymizing Network. Connection Schema:
TorI2PDestination }} {{Anchor|I2P anonymizing network - Introduction}} = Introduction = == Network == The [https://geti2p.net/en/about/intro Invisible Internet Project (I2P) homepage] provides a simple overview of the protocol:
I2P is an anonymous network built on top of the internet. It allows users to create and access content and build online communities on a network that is both distributed and dynamic. It is intended to protect communication and resist monitoring by third parties such as ISPs. Aside from anonymizing traffic within the network, I2P functions with the same capabilities as the Internet, however its design and decentralization create a censorship resistant environment for the free-flow of information. Mirrored sites hosted on the network allow access to news outlets and other resources in areas where information is being filtered or denied. Online communities wishing to organize in restrictive environments can do so anonymously to mitigate political threat and protect each other.
The I2P anonymous network exposes a simple layer that applications can use to anonymously and securely send messages to each other through "tunnels". The network itself is strictly message-based (IP), but there is a library available to allow reliable streaming communication on top of it (TCP). All communication is encrypted end-to-end -- in total there are four layers of encryption used when sending a message -- and even the end points ("destinations") are cryptographic identifiers (essentially a pair of public keys). https://geti2p.net/en/about/intro This design is known as [https://en.wikipedia.org/wiki/Garlic_routing garlic routing] which is a variant of [https://en.wikipedia.org/wiki/Onion_routing onion routing] (used in the Tor network) and benefits from the research on the latter but makes some different tradeoffs. https://geti2p.net/en/research Each client application has their own I2P 'router' that finds other clients by querying against the fully distributed 'network database' - a custom structured distributed hash table (DHT) based on the [https://en.wikipedia.org/wiki/Kademlia Kademlia algorithm]. Every router transports traffic for its peers which it uses as cover traffic for its own. To learn more about I2P technical details, see [https://geti2p.net/en/docs here]. In contrast to the Tor network, I2P is focused on creating a community around P2P darknet services rather than providing "outproxies"(exits) to the clearnet. The I2P development [https://geti2p.net/en/about/team team] is an open group that welcomes all parties who are interested in [https://geti2p.net/en/get-involved getting involved]. All the code is [https://geti2p.net/en/get-involved/develop/licenses open source]. The core I2P Software Development Kit (SDK) and the current router implementation is accomplished in Java, Currently working with both sun and kaffe; gcj support is planned for later. and there is a [https://geti2p.net/en/docs/api/sam simple socket based API] for accessing the network from other languages (with a C library available, and both Python and Perl in development). The network is actively being developed and has not yet reached the 1.0 release, but the current [https://geti2p.net/en/get-involved/roadmap roadmap] describes their active schedule. == Tor vs I2P == Many of Tor's concepts have (virtual) equivalents in I2P, despite the [https://geti2p.net/en/comparison/tor terminology] being somewhat different. '''Table:''' ''Tor vs. I2P Terminology'' https://geti2p.net/en/comparison/tor {| class="wikitable" |- ! scope="col"| '''Tor Terminology''' ! scope="col"| '''I2P Equivalent''' |- ! scope="row"| Cell | Message |- ! scope="row"| Circuit | Tunnel |- ! scope="row"| Client | Router or Client |- ! scope="row"| Directory | NetDb |- ! scope="row"| Directory Server | Floodfill Router |- ! scope="row"| [[Tor_Entry_Guards|Entry Guards]] | Fast Peers |- ! scope="row"| Entry Node | Inproxy |- ! scope="row"| Exit Node | Outproxy |- ! scope="row"| [[Onion_Services|Hidden (Onion) Service]] | Hidden Service, Eepsite or Destination |- ! scope="row"| Hidden Service Descriptor | LeaseSet |- ! scope="row"| [[Onion_Services#Onion_Service_Authentication|Hidden Service 'Stealth Mode']] | I2P Client Whitelist https://twitter.com/i2p/status/756952247662239744 or Encrypted LeaseSets https://geti2p.net/sv/docs/how/network-database I2P documentation is lacking in describing these features, but there are plans to improve the situation. |- ! scope="row"| Introduction Point | Inbound Gateway |- ! scope="row"| Node | Router |- ! scope="row"| Onion Proxy | I2PTunnel Client (more or less) |- ! scope="row"| Relay | Router |- ! scope="row"| Rendezvous Point | Similar to Inbound Gateway + Outbound Endpoint |- ! scope="row"| Router Descriptor | RouterInfo |- ! scope="row"| Server | Router |- ! scope="row"| Single Onion Service | I2P 0-hop Tunnel https://twitter.com/i2p/status/756948810790821888 |} The I2P comparison page notes the relative strengths of Tor and I2P; those are summarized below. Tor's primary strengths are: a larger user base; greater academic interest and research; significant funding; a large development team; greater resistance to state-level censorship (TLS transport and bridges); large number of exit nodes; better memory usage; thorough documentation; low client bandwidth overhead; higher throughput and lower latency. In comparison, I2P's primary strengths are: optimization for hidden services; a fully distributed design; better peer selection; varied and untrusted directory servers; peer-to-peer friendly nature; improved load balancing and resilience; unidirectional tunnels; This should make it more difficult for adversaries to compromise the relevant information. protection against client activity detection; short-lived tunnels; Making it harder for adversaries to sample for attack purposes. low bandwidth overhead for full peers; TCP and UDP transports; and being based on the Java programming language. = How-to: Use I2P in {{project_name_long}} = There are two methods of using I2P in {{project_name_short}}: # [[#Inproxies inside Whonix-Workstation|Inproxies inside Whonix-Workstation]]; or # [[#I2P client inside Whonix-Workstation|I2P client inside Whonix-Workstation]] (recommended) The inproxy method is better suited for causal use of I2P. In this instance, users just want to anonymously view an Eepsite and are not concerned about eavesdroppers so long as anonymity is assured. It is safer to use the I2P client inside {{project_name_short}}, since all I2P traffic is tunneled through Tor and access is fully featured. This is a little more difficult than installing I2P the ordinary way, that is using I2P in the clear, not over Tor. Readers who are considering using I2P in {{project_name_short}} are suggested to review the related [https://forums.whonix.org/t/whonix-i2p-documentation/1729 forum thread]. == Inproxies inside Whonix-Workstation == There are several I2P inproxies and they have similar functionality to [https://www.tor2web.org/ Tor2web]. Tor2web is a project which allows Internet users access to Tor Onion Services without Tor Browser. Simply use [[Tor Browser]] which is installed in {{project_name_short}} by default to directly access the I2P proxies listed. Although this is the easiest method, on the downside end-to-end encryption is lost when connecting to the eepsites. This is not the case when I2P is installed directly inside {{project_name_workstation_long}} or if I2P is used in the ordinary way. Further, potentially [[Warning#Exit_Relays_can_Eavesdrop_on_Communications|Tor Exit Nodes can Eavesdrop on Communications]] if an inproxy uses plain http, since it is an unencrypted connection. This risk is averted if the inproxy uses http'''s''' or is reachable via an onion service. In any case, the I2P inproxy administrator can see all of your traffic in the I2P network and it is impossible to prevent that. Example of I2P inproxy domains might be found in (or might be not if removed or down): * https://mk16.de/ * https://www.awxcnx.de/ * https://web.archive.org/web/20170411140534/https://www.hiddenservice.net/ {{Anchor|I2P Client inside Whonix-Workstation}} == I2P Client inside Whonix-Workstation == {{Anchor|Connecting to Tor before I2P}} === Introduction === The preferred configuration is to connect to Tor before I2P inside {{project_name_workstation_short}}: userTorI2PInternet Before configuring this tunnel link, it is recommended to read the following related wiki entries for general educational purposes on tunnel links. There is no need to apply any instructions from these wiki entries. * [[Tunnels/Introduction|Combining Tunnels with Tor]] * [[Tunnels/Connecting_to_Tor_before_a_proxy|Connecting to Tor before a Proxy]] === Post-Tor I2P Tunnel Effects === '''Table:''' ''Post-Tor I2P Connections'' {| class="wikitable" |- ! scope="col"| '''Domain''' ! scope="col"| '''Information''' |- ! scope="row"| Advantages | * Anonymity is provided by Tor.
* The [http://127.0.0.1:7657/confignet I2P router console] works normally inside Tor Browser. There is no need to install a graphical user interface on {{project_name_gateway_long}}.
* Eepsites (.i2p) can be reached directly from Tor Browser.
* I2P's end-to-end encryption will be used as usual. |- ! scope="row"| Disadvantages | * Adds load to Tor.
* Adds load to I2P.
* This is slower than using I2P directly on {{project_name_gateway_short}} or the ordinary configuration.
* No contributions are provided to the I2P network ('leeching'). This sounds worse than it really is because very few people are expected to use I2P over Tor. Further, I2P itself offers this option. It is not like a leeching mod. |- ! scope="row"| Warning: No Stream-isolation Support | * I2P does not have stream isolation support which means that visits to Eepsites are linkable and fingerprintable -- each request includes the same X-I2P-Dest* headers, which are unique to each user. This might be true for outproxy requests as well.
* If you access site1.i2p followed by site2.i2p, site3.i2p and so on, each one of those operators will see the exact same X-I2P-Dest* values. This means if they are colluding, they will know that the same person accessed all of them.
* I2P operators can build a more detailed profile the longer I2P is left running. The X-I2P-Dest* values only change upon restart of the I2P instance or when the HTTP Proxy tunnel is stopped/started. I2P does not have a fix for this at present, https://www.reddit.com/r/i2p/comments/579idi/warning_i2p_is_linkablefingerprintable/ however an experimental plugin is being written to provide a stream-isolating mechanism for http-over-I2P, see: [https://github.com/eyedeekay/eeProxy eeProxy]. |} === Installation and Setup === {{mbox | type = notice | image = [[File:Ambox_notice.png|40px|alt=Info]] | text = Note: * When following these instructions, the about:config changes in Tor Browser worsen the [[Data_Collection_Techniques#Browser_Fingerprinting|browser fingerprint]]. This is unavoidable if the user intents to use I2P. The modified Tor Browser should only be used for I2P purposes. ** In [[Qubes|{{q_project_name_long}}]], a separate {{project_name_workstation_vm}}-I2P App Qubes is recommended. }} {{Third_Party_Repository}} '''1.''' Add the I2P signing key. ([[Qubes|{{q_project_name_short}}]]: {{project_name_workstation_template}}-clone-1 Template). {{apt_key_add_derivative |download_command=scurl-download --tlsv1.2 https://geti2p.net/_static/i2p-archive-keyring.gpg |source_filename=i2p-archive-keyring.gpg |target_filename=/usr/share/keyrings/i2p-archive-keyring.gpg |download_command_qubes_templatevm=http_proxy=http://127.0.0.1:8082 https_proxy=http://127.0.0.1:8082 scurl-download --tlsv1.2 https://geti2p.net/_static/i2p-archive-keyring.gpg |gpg_fingerprint=7840 E761 0F28 B904 7535 49D7 67EC E560 5BCF 1346 }} '''2.''' Add the I2P APT repository. ([[Qubes|{{q_project_name_short}}]]: {{project_name_workstation_template}}-clone-1 Template). {{CodeSelect|code= echo "deb [signed-by=/usr/share/keyrings/i2p-archive-keyring.gpg] tor+https://deb.i2p.net/ $(lsb_release -sc) main" \ {{!}} sudo tee /etc/apt/sources.list.d/i2p.list }} '''3.''' I2P installation. ([[Qubes|{{q_project_name_short}}]]: {{project_name_workstation_template}}-clone-1 Template). {{Install Package| package=i2p i2p-keyring }} '''4.''' Platform specific notices. * Non-Qubes-Whonix: No special notices. * Qubes-Whonix: Shutdown {{project_name_workstation_template}}-clone-1 Template. '''5.''' Create {{project_name_workstation_vm}}-I2P based on {{project_name_workstation_template}}-clone-1 Template and Configure [[Tor Browser]] in {{project_name_workstation_vm}}-I2P App Qube to allow connections to I2P by following the instructions below. {{Box|text= Note: The following steps will no longer be required once {{project_name_short}} releases a custom Tor Browser for connecting to alternative networks. Except in the case of [[YaCy]], which needs internet access. {{mbox | image = [[File:Ambox_warning_pn.svg.png|40px]] | text = '''Warning:''' * This step changes the [[Fingerprint#web_fingerprint|web fingerprint]] of Tor Browser! * Onion services [https://forums.whonix.org/t/i2p-integration/4981/369 wont connect to Tor within Whonix] * Leave all other settings as is! }} '''A.''' Tor Browser → URL bar → Type: {{CodeSelect|code= about:config }} → Press Enter '''B.''' Search for and modify: {{CodeSelect|code= extensions.torbutton.use_nontor_proxy }} → set to true '''C.''' Search for and modify: {{CodeSelect|code= network.proxy.http }} → set to {{CodeSelect|code= 127.0.0.1 }} '''D.''' Search for and modify: {{CodeSelect|code= network.proxy.http_port }} → set to {{CodeSelect|code= 4444 }} '''E.''' Search for and modify: {{CodeSelect|code= network.proxy.no_proxies_on }} → set to {{CodeSelect|code= 127.0.0.1 }} '''F.''' Search for and modify: {{CodeSelect|code= dom.security.https_first_pbm }} → set to false '''G.''' Search for and modify: {{CodeSelect|code= dom.security.https_only_mode }} → set to false '''H.''' Search for and modify: {{CodeSelect|code= dom.security.https_only_mode_pbm }} → set to false }} '''6.''' Done. The process of installing I2P has been completed. === Steps for I2P Configuration and Usage After Installation === 1. Open xfce-terminal in {{project_name_workstation_vm}}-I2P App Qube 2. Start I2P {{CodeSelect|code= i2prouter start }} [[File:i2p.png|400px]] 3. A popup going to ask you to open [http://127.0.0.1:7657 I2P Console] in Tor Browser, Press on Yes [[File:i2p1.png|400px]] 4. A setup wizard will show up. Complete it and then proceed to the I2P Console. 5. Go to Settings by either going to [http://127.0.0.1:7657/config I2P Console config] [[File:i2p2.png|480px]] '''OR''' Press on Settings [[File:i2p2s.png|400px]] 6. Press on Network [[File:i2p3.png|480px]] 7. Change the network settings according to the images below (click on Save Changes once you finished) [[File:i2p4.png|450px]] [[File:i2p5.png|450px]] 8. Go to Reseeding [[File:i2p6.png|480px]] 9. Change the reseeding settings according to the image below (click on Save Changes once you have finished) [[File:i2p7.png|450px]] 10. It is preferable to restart I2P from the Xfce Terminal using the following command {{CodeSelect|code= i2prouter restart }} 11. Done! Now you can browse eepsites with I2P and access clearnet websites connected directly to Tor separately. === Notes === * Known Error Messages: If errors appear like: "Network: ERR-UDP Disabled and Inbound TCP host/port not set" or "ERR-Clock Skew of X min" or "WARN [Timestamper] .router.time.RouterTimestamper: Unable to reach any of the NTP servers ...", they can be safely ignored. * Network Bootstrap Waiting Time: Once the Local Tunnels (shared clients) section shows a green connection, I2P should be fully functional and it is possible to browse eepsites like http://idk.i2p. Some users report this process can be sorta lengthy and can take more than 10 minutes before the tunnels are stable/available. * I2P over Tor viewpoint by I2P upstream developers: I2P is functional over Tor but user should be aware that I2P developers do not really support it nor recommending it to be used over Tor. Just because it is functional does not mean it is supported. In other words I2P upstream developers will not change any I2P behavior just for the sake of connectivity issues of I2P over Tor because I2P is not designed to be running over Tor. * Whonix pre-configuration: settings for I2P (because its over Tor) can be viewed here: https://github.com/Whonix/anon-apps-config/tree/master/var/lib/i2p/i2p-config * Broken Onion Services: Setting network.proxy.http → set to 127.0.0.1 will break the connection to onion. services. Read more [https://forums.whonix.org/t/i2p-integration/4981/347 here]. There is no known way to avoid this issue. == I2P Eepsites (I2P websites) == * Eepsites (I2P services) lists: ** http://stormycloud.i2p ** http://notbob.i2p ** http://bote.i2p ** http://inr.i2p ** http://planet.i2p ** http://natter.i2p '''Figure:''' ''I2P Browsing in {{project_name_short}}'' [[File:I2Pbrowsing.png]] = Services = {{mbox | image = [[File:Ambox_warning_pn.svg.png|40px]] | text = The [https://geti2p.net/en/about/software I2P supported applications webpage] warns that no guarantee can be provided about the safety of compatible applications, plugins and services -- they must be properly configured and might jeopardize anonymity due to design faults or carelessness. Carefully vet these tools and research them diligently beforehand. }} Many interesting features and functionality are implemented for I2P in the form of stand-alone packages or plugins that can be optionally installed from their [http://echelon.i2p official plugin eepsite]. Various tools are available for:
* blogging, forums and wikis * decentralized file storage * development tools * domain naming * email * file sharing * network administration * real-time chat * web browsing * website hosting
The instructions are simple to follow. The signing keys for these plugins are already built into the official I2P package and so are already white-listed. This is not a complete list. For documentation about default port numbers of I2P plugins, see [https://geti2p.net/en/docs/ports this page]. == IRC == I2P has ready irc tunnel to be used and connect to their official irc servers go to: http://127.0.0.1:7657/help#faq If you scroll down you will find:
How do I connect to IRC within I2P? A tunnel to the main IRC server network within I2P, Irc2P, is automatically started when the I2P router starts. To connect to it, tell your IRC client to connect to server: 127.0.0.1 port: 6668. HexChat-like client users can create a new network with the server 127.0.0.1/6668, or you can connect with the command /server 127.0.0.1 6668. Different IRC clients may require a different command, consult the client documentation.
'''Practical practice:''' * Hexchat inside whonix need specific small tweak: ** Go to Settings → Preferences ** Then Network setup → Proxy Server then follow the image instruction then press ok [[File:HexchatI2P1.png|400px]] [[File:HexchatI2P2.png|400px]] * Back to hexchat press on Hexchat → Network list [[File:HexchatI2P3.png|400px]] * Press on Add button and name it anything you like e.g I2P then hit Enter [[File:HexchatI2P4.png|400px]] * Press on I2P then press on Edit... button [[File:HexchatI2P5.png|400px]] * Double click the top field to change it or press on it then press on Edit button then change the value to 127.0.0.1/6668 then hit Enter and press on close [[File:HexchatI2P6.png|400px]] * Make sure I2P is the one highlighted then press on Connect button [[File:HexchatI2P7.png|400px]] * Wait for couple of minutes then here you go [[File:HexchatI2P8.png|400px]] == I2P-Bote == {{Template:I2P-Bote}} {{Anchor|I2PBOX}} == RetroShare == [[RetroShare]] is a [https://en.wikipedia.org/wiki/Friend-to-friend friend-to-friend] (F2F) network that enables end-to-end encrypted communications, including general messaging, mail, forums, publish-subscribe messaging ('pubsub'), file exchange and even telephony. It can be used as an alternative to [[#Syndie|Syndie]] (see further below) and can be tunneled through I2P for enhanced anonymity. {{Template:I2P_Retroshare}} Also see: [https://retroshare.readthedocs.io/en/latest/tutorial/i2p-hidden-rs-node/ I2P Hidden RetroShare Nodes]. {{Anchor|Installing I2P on {{project_name_gateway_short}} (I2PBOX)}} To install RetroShare, see: [[RetroShare#Installation|Installation]]. == Syncthing == [https://syncthing.net/ Syncthing] is a popular libre software for file syncing based on the bittorrent protocol.
Syncthing is a continuous file synchronization program. It synchronizes files between two or more computers and replaces proprietary sync and cloud services with something open, trustworthy and decentralized. Your data is your data alone and you deserve to choose where it is stored, if it is shared with some third party and how it's transmitted over the internet.
Syncthing provides several benefits: https://syncthing.net/ * cross-platform availability * data is not stored on a central server, but only on your computer(s) * all communication is secured with TLS and [https://www.perfectforwardsecrecy.com/ perfect forward secrecy] * every node is identified by a strong cryptographic certificate * a completely open protocol -- open source, open development and open discourse * portable and simple to use Web GUI It is possible to tunnel Syncthing traffic over I2P as shown in [https://web.archive.org/web/20171008035012/https://barry.im/post/2017/10/6/syncthing-over-i2p/ this guide]. This guide is also reposted [https://web.archive.org/web/20220630104537/https://i2p.rocks/blog/syncthing-over-i2p.html here]. To install Syncthing, run. {{CodeSelect|code= sudo apt install syncthing }} == Syndie == [https://syndie.de/ Syndie] is I2P's distributed (decentralized) forum software, allowing asynchronous conversations between anonymous participants. It was the focus of I2P's creator shortly before he ceased public activity. It supports single and multiple author modes, adjustable visibility of posts and post moderation. Syndie features its own minimalist and secure reader to protect against browser exploitation. In 2018, Syndie was being rewritten in another programming language to provide a more modern and simple interface, along with basic image rendering. https://i2pforum.net/viewtopic.php?f=25&t=9 A key benefit of Syndie is that unlike centralized forums, it cannot be easily taken offline via denial of service attacks or administrative action, and there is no single point to monitor group activity. Offline forum participation is possible, by 'syncing up' any accumulated changes when it is convenient (days, weeks or even months later). In addition to simple text messages, entire webpages or the full content of sites can be packaged into a single post, which can even be browsed offline. The Syndie Technical Features section notes: https://syndie.de/features.html
On the whole, Syndie works at the *content layer* - individual posts are contained in encrypted zip files, and participating in the forum means simply sharing these files. There are no dependencies upon how the files are transferred (over [https://geti2p.net/ I2P], [https://www.torproject.org/ Tor], [https://www.freenetproject.org/ Freenet], [https://en.wikipedia.org/wiki/Gnutella gnutella], [https://www.bittorrent.com/ bittorrent], [https://en.wikipedia.com/wiki/RSS RSS], [https://en.wikipedia.com/wiki/Usenet usenet], [https://en.wikipedia.com/wiki/Email email]), but simple aggregation and distribution tools will be bundled with the standard Syndie release.
To install Syndie, run. {{CodeSelect|code= sudo apt install syndie }} == Torrent == [[Undocumented]] due to Tor network capacity concerns, see [[File_Sharing#The_Tor_Project_Opinion]] and forum discussion [https://forums.whonix.org/t/i2p-in-workstation-torrenting-and-the-whonix-i2p-guide/17137 i2p in Workstation - torrenting and the Whonix i2p guide]. == ZeroNet == Unfortunately, I2P is not yet natively supported as a tunneling option in [[ZeroNet]]. No real progress has been made towards this goal for years; see footnotes to follow developments. https://github.com/HelloZeroNet/ZeroNet/issues/57 https://github.com/HelloZeroNet/ZeroNet/issues/45 = Installing I2P on Whonix-Gateway = It is possible to run I2P and Tor simultaneously on {{project_name_gateway_short}}: * userTorInternet; and * userI2PInternet Users who are interested in this configuration should follow the detailed instructions found [https://web.archive.org/web/20180802221447/https://github.com/mutedstorm/Whonix-I2P here]. This configuration is untested by {{project_name_short}} developers and it is considered experimental. Also, {{project_name_short}} developer HulaHoop has noted it is difficult to have a preconfigured Tor Browser for accessing .i2p domains and other non-clearnet top-level domains, as well as optimizing I2P operations when tunneled over Tor. For further information and to report successes/failures of this approach, refer to the [https://forums.whonix.org/t/i2p-integration/4981 development discussion] and [https://forums.whonix.org/t/i2p-running-on-whonix-gateway old development discussion]. = Development = This chapter is for developers for informational purposes only. Users can skip it. {{project_name_short}} integration: * https://github.com/Whonix/anon-apps-config/blob/master/var/lib/i2p/i2p-config/router.config * [https://forums.whonix.org/t/tor-browser-customization-using-user-js-for-example-for-i2pbrowser/13719 Tor Browser Customization using user.js (for example for i2pbrowser)] * [https://forums.whonix.org/t/i2p-integration/4981 development discussion] * [https://forums.whonix.org/t/i2p-running-on-whonix-gateway old development discussion] = Footnotes = {{reflist|close=1}} {{Footer}} [[Category:Documentation]]