[Feature request] Native i2p support #2503

Open
ghost opened this Issue Dec 8, 2016 · 11 comments

ghost commented Dec 8, 2016

General notes:

Chris gave me some ways by which one can set up an i2p ProxyVM but unfortunately it's out of my knowledge, and I won't know how to do that. It would be great if we could have native support for i2p in Qubes.

entr0py commented Dec 8, 2016

By "native support", I think the most that could be reasonably expected is detailed documentation, which I agree would be nice to have. In the meantime, you have a couple options:

  1. I2P in ProxyVM: As you found, this is challenging because you need routing and firewall rules to send the traffic to the right places. You can get an idea of how things work by following Qubes VPN guide and watching Qubes SOCKS proxy issue.

  2. I2P in AppVM: Easy (set it up like you would normally) but less secure (misbehaving apps might be able to bypass).

  3. I2P in Whonix-Workstation AppVM: Slower (traffic flows through Tor, then I2P: user -> tor -> i2p -> internet) but secure in that any leakage goes through Tor. Also fully documented (https://www.whonix.org/wiki/I2P) and somewhat supported (https://forums.whonix.org/search?q=i2p).

ghost commented Dec 8, 2016

I meant by "native support" that you can get a pre-configured i2p ProxyVM when you install Qubes from scratch, just like you get sys-whonix.

I think option 3 won't work; indeed, Tor doesn't support UDP and i2p does, and it needs to send some UDP packets to build tunnels to properly work.

Member

andrewdavidwong commented Dec 8, 2016

Would be nice to have, but unlikely to happen without a patch contribution from the community.

entr0py commented Dec 8, 2016

> I meant by "native support" that you can get a pre-configured i2p ProxyVM when you install Qubes from scratch, just like you get sys-whonix.

Yes, I understood that. Unfortunately, an I2P ProxyVM-Template would require maintenance, meaning a Maintainer. Which is why I said that it's more likely that you'll get instructions on how to construct one yourself since documentation is easier to maintain. There is much more interest in Tor than I2P. Someday, it's possible that Whonix-Gateway will come with I2P support out-of-the-box[1] but I wouldn't wait for it if you need it now.

> I think option 3 won't work; indeed, Tor doesn't support UDP and i2p does, and it needs to send some UDP packets to build tunnels to properly work.

I2P does work without UDP (which is why I posted those links). Whether Bittorrent over I2P will work without UDP is a different question - I don't know. More generally, UDP can be tunneled through Tor by using a VPN like: user -> tor -> vpn -> i2p -> internet but that sounds like a solution looking for a problem. (Although using a VPN might allow you to open Inbound ports as well.)

If you require UDP, then I would suggest installing I2P in an AppVM or using a TailsVM. You might be able to tighten sys-firewall rules to prevent non-malicious, sloppy apps from leaking but it won't be as leak-resistant as using a separate I2P ProxyVM.

I would be interested in exploring I2P further and documenting my progress but it won't happen any time soon. :(

[1] https://forums.whonix.org/t/i2p-running-on-whonix-gateway/2163

dmgamingstudios commented Dec 28, 2016

Hmm, sounds a bit challenging. Going to look into it as I'm an I2P fanboy :)

tasket commented Jan 14, 2017

As with Whonix, an I2P config for Qubes would have to separate the I2P 'router' from the I2P apps... at least in order to be of much value. The goals are to isolate the app client so it can't leak, and also isolate the router from the risk of app exploitation.

My recommendation is to try setting up I2P in Whonix VMs, in parallel to Tor. It could be a couple of add-on packages for Whonix.

bheru27 commented Jun 25, 2017

An I2P VM should be used solely for connecting to the i2p network. IMO it should be how Whonix works: a lightweight VM running a proxy to the i2p network, and another VM created from the template VM that only connects to the i2p VM. That way the i2p goals aren't compromised (not having personal stuff on i2p or anything that can correlate you with the identity, nor any other personal files): a VM only for i2p. Anyone working on this? (Just so I don't start from scratch.)

Member

andrewdavidwong commented Jun 25, 2017

@bheru27: I'm not aware of anyone currently working on this.

ghost commented Aug 2, 2017

@bheru27 there is a guide up on i2p wiki but it doesn't cover port forwarding

mutedstorm commented Apr 16, 2018

@andrewdavidwong @bheru27
Sorry for digging up this old issue.
I've been updating the old KYTV Whonix I2P Guide and posted it on the Whonix Forum (https://forums.whonix.org/t/i2p-integration/4981). It's still a WIP, but I would love some feedback or help from the community to integrate it into Whonix (and Qubes).

Member

andrewdavidwong commented Apr 17, 2018

@mutedstorm: Thanks for working on it! I'm afraid I know almost nothing about I2P, but perhaps others who are knowledgeable around here will be able to help.
