From Whonix



Freenet[1][2] is a peer-based, encrypted datastore with version control that aims to give anonymity to both publishers and readers. Launched in 1999, it is the eldest of the 'big four' anonymity networks[3] alongside Tor, I2P and GNUnet (GNUnet is based on similar concepts). Its robustness has brought it in the cross-hairs of advanced adversaries.[4][5] Though it has less users compared to Tor and I2P, it is still the largest network of its kind.

Technical Overview[edit]

This is meant as a brief introduction for Freenet's technical properties. For more depth on the subject please see the official documentation [archive].

Freenet's design is very different from the other networks. Instead of obfuscating traffic streams between endpoints, the data itself is sliced up into encrypted blocks and distributed across other peers' datastores for redundancy and plausible deniability. After uploading, the publisher obtains a key which acts as the content's URI that can be optionally shared to allow others access. These are known as Freesites. The data remains available even after the uploader goes offline (asynchrounous). Freenet is a self-contained network with no access to the wider web.

Reader requests are routed through multiple hops. Each hop acts as a caching proxy for some of the requested data blocks, propagating the material and providing scalability and availability when demand grows. Understand that Freenet's data storage is not permanent and cannot be, otherwise an attacker can flood it with garbage data and render it useless for users. It is lossy and "forgets" unpopular content that is rarely accessed. Censors can no longer rely on DoS to block content because it spreads the information further. You can think of it as a digital embodiment of the Streisand Effect [archive]

Freenet's FProxy (the component that allows browsers to interact and view pages in the datastore) takes many precautions to protect users from malicious pages. JavaScript is completely unavailable on Freenet, only a safe subset of HTML standard is whitelisted and users are prompted before downloading files or when they are being redirected to a clearnet site.

Note that there are no telescopic tunnels like Tor but requests are bundled together for cover traffic and routed through a varying number of hops to confuse adversaries as to who is forwarding vs requesting the data.

Freenet can operate in a Darknet mode that turns it into a private friend-only network, Opennet mode which connects to a public network and a hybrid mode that includes both.

Freenet's properties make it an excellent and safer choice for disseminating data because it tackles "The Hosting Problem". Centralized hosting remains an Achilles Heel for onionspace.[6] Strong cryptography guarantees the integrity of the files fetched.

The Hosting Problem:

Traditional anonymous publishing mechanisms like onion services or eepsites require a resource commitment (an always online server) from users which puts them out of reach for most people. Securing a server is no easy task, more so in the hostile environment of the dark web. It requires extensive hardening, auditing and sys-admin skills. Even then, all bets are off with a certain class of adversaries. A server is a sitting duck for attackers to probe and test their weapons against. Its also a single point of failure that can be DoS'd offline. Once rooted, the server can be used to mount water-hole attacks on site visitors.


In the EU users have strong liability protections when caching content as a side-effect of participating in a network according to a Freenet developer in Germany.[7]

Overview on ways to use Freenet with Whonix ™[edit]

Freenet inside the Whonix-Workstation ™ - Freenet over Tor (Preferred)[edit]

Configure Connection Workaround[edit]

In the "classical sense" (directly and only over Tor) is impossible. [8] As a workaround you can Tunnel UDP over Tor. Note that Other Anonymizing Networks over Tor UDP Tunnel applies. Easiest solution probably is to use a VPN. See Connecting to Tor before a VPN (User → Tor → VPN → Internet)

Installation of Freenet[edit]

Unfortunately Freenet is unlikely to be available from Debian repos in the foreseeable future because its fast development cycle is incompatible with stable's policies. [9] It must be installed manually instead.

Download key.


Check fingerprints/owners without importing anything.

gpg --keyid-format long --with-fingerprint keyring.gpg

Before adding the keyring[10], verify fingerprints. Always check the fingerprint for yourself. The output at the moment is:

pub  2048R/0xEAC5EBF07AA9C2A3 2013-04-29 Florent Daigniere <>
      Key fingerprint = DBB7 7338 3BC3 49C9 5203  ED91 EAC5 EBF0 7AA9 C2A3
uid                            Florent Daigniere (NextGen$) <>
uid                            Florent Daigniere (Personal address) <>
sub  2048R/0x65B7118375AB23F2 2013-04-29
sub  2048R/0xD21621FD7FA16469 2013-04-29
pub  4096R/0x00100D897EDBA5E0 2013-09-21 Steve Dougherty (operhiem1 Release Signing Key) <>
      Key fingerprint = 0046 195B 2DCA B176 D394  09CD 0010 0D89 7EDB A5E0
sub  4096R/0x7BF0F7B36AC8B380 2013-09-21 [expires: 2016-09-15]
pub  4096R/0xFF24CA421946AA94 2013-09-24 Matthew Toseland (2013-2018 key, higher key length) <>
      Key fingerprint = B76D 4AA7 96D8 403E ED78  C9F9 FF24 CA42 1946 AA94
uid                            Matthew Toseland (2013-2018 key, higher key length) <>
sub  4096R/0xF877E62895C42009 2013-09-24 [expires: 2018-09-23]
pub  4096R/0xB67C19E817A8D846 2016-01-02 Stephen Oliver <>
      Key fingerprint = 5D77 D9A4 2E28 0F5A FF8F  2EBF B67C 19E8 17A8 D846
sub  4096R/0x9BCDD1614041F59E 2016-01-02 [expires: 2017-01-01]
sub  4096R/0x1652EBA5AC1BB386 2016-01-02 [expires: 2017-01-01]
sub  4096R/0x38A62E479684F2F2 2016-01-02 [expires: 2017-01-01]

If it looks good import it with GPG.

gpg --import keyring.gpg

Install dependencies.

sudo apt-get update
sudo apt-get install openjdk-11-jre-headless

Create install directory.

mkdir Freenet
cd Freenet

Download offline installer and signature.

wget '' -O new_installer_offline.jar

wget '' -O new_installer_offline.jar.sig

Verify the installer.

gpg --verify new_installer_offline.jar.sig

You should see Good signature from "Florent Daigniere <>" before installing anything.

Follow the prompts and install in it current folder.

java -jar new_installer_offline.jar -console

Note that Freenet includes its own secure internal updater that downloads new versions from inside the network. Repeating these steps after initial installation are not necessary.

Prepare Tor Browser for browsing Freenet[edit]

Note: The following steps will no longer be required once Whonix releases a custom Tor Browser for connecting to alternative networks. [11]

Configure Tor Browser to connect to localhost.

Ambox warning pn.svg.png Warning:

  • This step changes the web fingerprint of Tor Browser!
  • Leave all other settings as is!

In Tor Browser:

  1. Type about:config into the URL bar.
  2. Press Enter
  3. Search for network.proxy.no_proxies_on
  4. Set to 0


Finally, visit [archive] in Tor Browser to access Freenet. Further changes to settings and plugin installation is also done through this UI.

To start manually after reboot afterwards:

cd Freenet
./ start


Plugins provide much of the rich functionality of the Freenet experience. They act as an abstraction layer that present text in different layouts for different use cases including forums, mail, blogs, code repositories, social networking, IRC and more [archive]. The Freenet Social Networking Guide [archive] explains how to set them up. Also other relevant guides.[12]


This section documents some Whonix ™ specific tips that you should be aware of for a smoother user experience.

  • Torbirdy must be disabled for Thunderbird to connect locally to Freemail's SMTP server. As a side-effect HTML emails are rendered by Thunderbird. To disable, go to: OptionsViewMessage Body AsPlain Text. Freemail takes care of privacy concerns by scrubbing mail headers.[13]
  • Freemail encrypts metadata and subject lines by default. However for extra assurance and to future-proof your mail against quantum computers you may layer E2E on-top of Freemail with Codecrypt.
  • Technically each plugin's generated data is self contained under its own folder under the Freenet directory. For example, to archive your mail spool, copy the /freenet/freemail-wot to your backups.
  • The menu layout in Freenet changed slightly since the Freenet Social Networking Guide [archive] was written. For WoT identities backup the 'Insert URI' to a safe place. This is your identity's private key and should never be shared. This info is under Edit of an existing identity. To restore it on a new node paste it in: Create an identityUse an existing SSK URI key pair for the identity

Using an inproxy inside your Whonix-Workstation ™[edit]

A Freenet gateway [archive]. Tested to be functional. However this is a restricted inproxy which only allows access to a whitelisted selection of Freesites. No other active inproxies known.

Freenet SSH Workaround[edit]

Another workaround: Buy, administrate and connect the SSH server anonymously though your Whonix-Workstation ™. Install Freenet on the remote location and connect from your Whonix-Workstation ™ (SSL or SSH tunnel). See also SSH.


  1. [archive]
  2. [archive]
  3. [archive]
  4. [archive]
  5. [archive]
  6. [archive]
  7. Note that you’re not actively storing: The storage is just a byproduct of transmission in the network. As an example for a similar assessment, the European Court of Justice ruled in 2014 that third parties who reproduce a work in an “integral and essential part of a technological process and carried out for the sole purpose of enabling either efficient transmission in a network between third parties by an intermediary” are exempt from copyright concerns (only the uploader is liable). See [archive]
  8. This is tested. Freenet installs normally, but even with lowest security settings, connection will never be established. The problem is, that Tor does not support UDP. (There has been a discussion [archive] about this topic. Although it is from 2008, it doesn't look like, the situation has changed or will change.)
  9. [archive]
  10. [archive]
  11. Except in the case of YaCy, which needs internet access.
  12.,AzFWTYV~9-I~eXis14tIkJ4XkF17gIgZrB294LjFXjc,AQACAAE/fmsguide/6/ [archive]
  13. [archive]

Are you proficient with iptables? Want to contribute? Check out possible improvements to iptables [archive]. Please come and introduce yourself in the development forum [archive].

https [archive] | (forcing) onion [archive]
Follow: Twitter.png Facebook.png 1280px-Gab text logo.svg.png Rss.png 1024px-Telegram 2019 Logo.svg.png Discourse logo.svg

Donate: Donate Bank Wire Paypal Bitcoin accepted here Monero accepted here Contriute

Whonix donate bitcoin.png

Share: Twitter | Facebook

This is a wiki. Want to improve this page? Help is welcome and volunteer contributions are happily considered! Read, understand and agree to Conditions for Contributions to Whonix ™, then Edit! Edits are held for moderation.

Copyright (C) 2012 - 2019 ENCRYPTED SUPPORT LP. Whonix ™ is a trademark. Whonix ™ is a licensee [archive] of the Open Invention Network [archive]. Unless otherwise noted, the content of this page is copyrighted and licensed under the same Freedom Software license as Whonix ™ itself. (Why?)

Whonix ™ is a derivative of and not affiliated with Debian [archive]. Debian is a registered trademark [archive] owned by Software in the Public Interest, Inc [archive].

Whonix ™ is produced independently from the Tor® [archive] anonymity software and carries no guarantee from The Tor Project [archive] about quality, suitability or anything else.

By using our website, you acknowledge that you have read, understood and agreed to our Privacy Policy, Cookie Policy, Terms of Service, and E-Sign Consent. Whonix ™ is provided by ENCRYPTED SUPPORT LP. See Imprint.

Monero donate whonix.png