[Whonix-devel] I2PBOX | user -> i2p -> destination

Patrick Schleizer adrelanos at riseup.net
Mon Jan 4 23:30:20 CET 2016


Hi killyourtv!

It was great to talk to the i2p people at 32c3.

Unfortunately, I did not talk about I2PBOX with you. I.e. installing I2P
on the gateway and accessing it from the workstation. So users would be
using I2P directly rather than tunneling I2P through Tor.

I2PBOX - user -> i2p -> destination

[ without i2p over Tor (user -> Tor -> i2p -> destination) ]

I did not know you already fully documented how to accomplish that.

http://killyourtv.i2p/howtos/whonix/
http://killyourtv.i2p.re/howtos/whonix/

Great work!

To prevent IP discovery through the I2P web interface, I suggest only
making the I2P web interface reachable from Whonix-Gateway and advising
users to use Whonix-Gateway to access the web interface. Or as you suggest,
adding a password to the web interface; and then accessing it through
Whonix-Gateway should also be secure.

This is a nice use case. And users who wish to use I2P and
Whonix-Gateway in that way should be free to do so. Therefore I linked
your guide from Whonix's I2P page. Actually, I am glad that you
maintain it.

To simplify the process for users, to spare them from having to apply a
patch to /usr/bin/whonix_firewall, would you be interested in upstreaming
your work to Whonix? Let's start with the firewall.

https://github.com/Whonix/whonix-gw-firewall

Then let's see what we do about the IP forwarding from the workstation
127.0.0.1 to the gateway. Maybe we that init script to systemd and
socat. Then add it to the following package.

https://github.com/Whonix/anon-ws-disable-stacked-tor

I was contemplating socat anyhow. [1]

Even if we left it disabled by default, for the user it could become as
simple as switching a [few] setting[s] in a config file on.

Cheers,
Patrick

[1] https://github.com/Whonix/Whonix/issues/341

