I2P

Not to be confused with I2C.

Resources

The Invisible Internet Project (I2P) is [[Article description::an anonymous network, similar to Tor.]] The key difference is that I2P is internal, focusing on providing anonymous services within the network rather than proxying traffic to the regular internet (although some proxy services do exist).

Installation

Prerequisites

Java 7 or higher must be installed to run the main implementation of I2P. See the Java article for more instructions on how to get the system to that point. If this is not possible, try the newer but less mature C++ implementation: net-vpn/i2pd.

Java

net-vpn/i2p is currently marked as unstable. Special permission must be granted for it to install on stable systems:

root #echo "net-vpn/i2p" >> /etc/portage/package.accept_keywords

i2pd (C++)

net-vpn/i2pd is also marked as unstable:

root #echo "net-vpn/i2pd" >> /etc/portage/package.accept_keywords

USE flags

USE flags for net-vpn/i2p A privacy-centric, anonymous network

`nls`	Adds Native Language Support using GNU gettext.
`test`	Enable dependencies and/or preparations necessary to run tests (usually controlled by FEATURES=test but can be toggled independently)

Data provided by the Gentoo Package Database · Last update: 2021-03-16 16:42 More information about USE flags

Emerge

root #emerge --ask net-vpn/i2p

Setup

Services

OpenRC

To start the i2p service when the system boots:

root #rc-update add i2p default

To start the i2p service now:

root #rc-service i2p start

systemd

To start the i2p service when the system boots:

root #systemctl enable i2p.service

To start the i2p service now:

root #systemctl start i2p.service

Configuration

Most I2P configuration is done in the Router Console, accessible via web browser at localhost:7657 once the router service has been started.

Firewall

I2P selects a random port between 9000 and 31000 for inbound traffic when the router is first run. This port is forwarded automatically by UPnP, but if your gateway/firewall does not support UPnP, it will need to be manually forwarded (both TCP and UDP) for best performance. Visit http://localhost:7657/confignet to find out which port.

Browser

You can use a pac file to delegate browser requests to different proxies. Here connections to localhost are handled directly (no proxy). Eepsites are handled by I2P proxy on port 4444. Other traffic goes via Tor SOCKS proxy on running on port 9050.

FILE /usr/local/proxy.pac

<syntaxhighlight lang="javascript">function FindProxyForURL(url, host)
{
   if(host.match(/^(localhost|127[.]0[.]0[.]1|192[.]168[.]1[.]1)$/))
       return 'DIRECT';
   if(host.match(/[.]i2p$/))
       return 'PROXY 127.0.0.1:4444';

   return 'SOCKS 127.0.0.1:9050';
}</syntaxhighlight>

Save this file as /usr/local/proxy.pac, and point your browser to it. Most browsers accept Proxy configuration URL, where you can specify file:///usr/local/proxy.pac.

I2P's CSS can make browsers sluggish. You can add the following to your profile_dir/chrome/userContent.css to speed up rendering:

FILE profile_dir/chrome/userContent.css

<syntaxhighlight lang="css">@-moz-document url-prefix('http://localhost:7657/')
{
   * { filter: none !important; background-image: none !important; }
}</syntaxhighlight>

Usage

Eepsites

To access websites hosted on the I2P network, a web browser must be configured to use a proxy at localhost:4444 for HTTP and localhost:4445 for HTTPS. This can be accomplished globally in most browsers' proxy settings, or specifically for sites with the .i2p TLD using a plugin like FoxyProxy for Firefox or Chrome See also: https://geti2p.net/en/about/browser-config

Bittorrent

I2PSnark, the I2P Bittorrent client, is accessible at localhost:7657/i2psnark with no additional configuration. However, the above Eepsite configuration is necessary to reach the trackers on which the torrents are found.

IRC

Using any IRC client, set up a connection to localhost:6668 No account creation is required. If using Pidgin, be sure to fill in the Ident name and Real name fields in addition to Username, otherwise Pidgin may expose identity information from other configured accounts.

SSH

openssh doesn't have any native support for SOCKS5, so you will need to install openbsd-netcat. You'll need to modify your SSH config too. It is possible with netcat' also but the configuration below uses flags specific to the OpenBSD variant.

root #emerge --ask net-analyzer/openbsd-netcat

This enables proxying through a SOCKS5 I2P tunnel for all .i2p hosts. You will need to go to http://localhost:7657/i2ptunnelmgr and create a SOCKS5 client tunnel. Note the port you have used and replace '1234' in the below config with it.

FILE ~/.ssh/config

Host *.i2p
	# Tell SSH to pass its connections through netcat, using a SOCKS5 proxy at 127.0.0.1:1234.
	ProxyCommand nc -X 5 -x 127.0.0.1:1234 %h %p

	# Privacy protections
	# Prevents SSH from telling the remote server about all of your public keys, potentially revealing your ID
	ForwardAgent no
	IdentitiesOnly yes

        # Merges connections to a server to prevent expensive reconnections
        # To avoid this, invoke ssh asb: ssh -o 'ControlMaster no' ...
	ControlMaster auto
	ControlPath ~/.ssh/master-%r@%n:%p

        # Compression for low bandwidth lines (like I2P)
	Compression yes