


Freenet[1][2] is a peer-based, encrypted datastore with version control that aims to give anonymity to both publishers and readers. Launched in 1999, it is the oldest of the 'big four' anonymity networks[3] alongside Tor, I2P and GNUnet (GNUnet is based on similar concepts). Its robustness has put it in the cross-hairs of advanced adversaries.[4][5] Though it has fewer users than Tor and I2P, it is still the largest network of its kind.

Technical Overview

This is meant as a brief introduction to Freenet's technical properties. For more depth on the subject, please see the official documentation.

Freenet's design is very different from the other networks. Instead of obfuscating traffic streams between endpoints, the data itself is sliced up into encrypted blocks and distributed across other peers' datastores for redundancy and plausible deniability. After uploading, the publisher obtains a key which acts as the content's URI that can be optionally shared to allow others access. These are known as Freesites. The data remains available even after the uploader goes offline (asynchronous). Freenet is a self-contained network with no access to the wider web (with one exception).[6][7]

Reader requests are routed through multiple hops. Each hop acts as a caching proxy for some of the requested data blocks, propagating the material and providing scalability and availability when demand grows. Understand that Freenet's data storage is not permanent and cannot be; otherwise an attacker can flood it with garbage data and render it useless for users. It is lossy and "forgets" unpopular content that is rarely accessed. Censors can no longer rely on DoS to block content because it spreads the information further. You can think of it as a digital embodiment of the Streisand Effect.

Freenet's FProxy (the component that allows browsers to interact with and view pages in the datastore) takes many precautions to protect users from malicious pages. JavaScript is completely unavailable on Freenet, only a safe subset of the HTML standard is whitelisted, and users are prompted before downloading files or when they are being redirected to a clearnet site.

Note that there are no telescopic tunnels as in Tor, but requests are bundled together for cover traffic and routed through a varying number of hops to confuse adversaries as to who is forwarding vs requesting the data.

Freenet can operate in a Darknet mode that turns it into a private friend-only network, an Opennet mode that connects to a public network, and a hybrid mode that includes both.

Freenet's properties make it an excellent and safer choice for disseminating data because it tackles "The Hosting Problem". Centralized hosting remains an Achilles Heel for onionspace.[8] Strong cryptography guarantees the integrity of the files fetched.

The Hosting Problem:

Traditional anonymous publishing mechanisms like onion services or eepsites require a resource commitment (an always-online server) from users, which puts them out of reach for most people. Securing a server is no easy task, more so in the hostile environment of the dark web. It requires extensive hardening, auditing and sys-admin skills. Even then, all bets are off with a certain class of adversaries. A server is a sitting duck for attackers to probe and test their weapons against. It's also a single point of failure that can be DoS'd offline. Once rooted, the server can be used to mount water-hole attacks on site visitors.


In the EU, users have strong liability protections when caching content as a side-effect of participating in a network, according to a Freenet developer in Germany.[9]

Overview on ways to use Freenet with Whonix

Freenet inside the Whonix-Workstation - Freenet over Tor (Preferred)

Configure Connection Workaround

Using Freenet in the "classical sense" (directly and only over Tor) is impossible. [10] As a workaround you can Tunnel UDP over Tor. Note that Other Anonymizing Networks over Tor UDP Tunnel applies. The easiest solution is probably to use a VPN. See Connecting to Tor before a VPN (User -> Tor -> VPN -> Internet).

Installation of Freenet

Unfortunately, Freenet is unlikely to be available from Debian repos in the foreseeable future because its fast development cycle is incompatible with stable's policies. [11] It must be installed manually instead.

Before adding the keyring[12], verify fingerprints. Always check the fingerprint for yourself. The output at the moment is:

pub  2048R/0xEAC5EBF07AA9C2A3 2013-04-29 Florent Daigniere <florent.daigniere@trustmatta.com>
      Key fingerprint = DBB7 7338 3BC3 49C9 5203  ED91 EAC5 EBF0 7AA9 C2A3
uid                            Florent Daigniere (NextGen$) <nextgens+gpg@freenetproject.org>
uid                            Florent Daigniere (Personal address) <florent-gpg@daigniere.com>
sub  2048R/0x65B7118375AB23F2 2013-04-29
sub  2048R/0xD21621FD7FA16469 2013-04-29
pub  4096R/0x00100D897EDBA5E0 2013-09-21 Steve Dougherty (operhiem1 Release Signing Key) <steve@asksteved.com>
      Key fingerprint = 0046 195B 2DCA B176 D394  09CD 0010 0D89 7EDB A5E0
sub  4096R/0x7BF0F7B36AC8B380 2013-09-21 [expires: 2016-09-15]
pub  4096R/0xFF24CA421946AA94 2013-09-24 Matthew Toseland (2013-2018 key, higher key length) <matthew@toselandcs.co.uk>
      Key fingerprint = B76D 4AA7 96D8 403E ED78  C9F9 FF24 CA42 1946 AA94
uid                            Matthew Toseland (2013-2018 key, higher key length) <toad@amphibian.dyndns.org>
sub  4096R/0xF877E62895C42009 2013-09-24 [expires: 2018-09-23]
pub  4096R/0xB67C19E817A8D846 2016-01-02 Stephen Oliver <steve@infincia.com>
      Key fingerprint = 5D77 D9A4 2E28 0F5A FF8F  2EBF B67C 19E8 17A8 D846
sub  4096R/0x9BCDD1614041F59E 2016-01-02 [expires: 2017-01-01]
sub  4096R/0x1652EBA5AC1BB386 2016-01-02 [expires: 2017-01-01]
sub  4096R/0x38A62E479684F2F2 2016-01-02 [expires: 2017-01-01]

Download key with scurl to home folder.

scurl -o freenet-pubkey.gpg https://freenetproject.org/assets/keyring.gpg

Check fingerprints/owners without importing anything.

gpg --keyid-format long --with-fingerprint freenet-pubkey.gpg

If it looks good import it with GPG.

gpg --import freenet-pubkey.gpg

Install dependencies.

sudo apt-get update
sudo apt-get install openjdk-7-jre-headless

Create install directory.

mkdir freenet
cd freenet

Download offline installer and signature.

wget 'https://freenetproject.org/assets/jnlp/freenet_installer.jar' -O new_installer_offline.jar

wget 'https://github.com/freenet/fred/releases/download/build01475/new_installer_offline_1475.jar.sig' -O new_installer_offline.jar.sig

Verify the installer.

gpg --verify new_installer_offline.jar.sig

You should see Good signature from "Florent Daigniere <florent.daigniere@trustmatta.com>" before installing anything.

Follow the prompts and install into the current folder.

java -jar new_installer_offline.jar

Note that Freenet includes its own secure internal updater that downloads new versions from inside the network. Repeating these steps after the initial installation is not necessary.
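The keyring and signature checks from the steps above can be pinned to the fingerprints listed on this page instead of being compared by eye. The following is an added example, not part of the original Whonix instructions; the function names are its own, and it assumes a GnuPG 2.x release that provides --show-keys and reports the primary-key fingerprint as the last VALIDSIG field.

```shell
#!/bin/sh
# Added example: pin the fingerprints shown on this page rather than
# comparing them by eye. Function names are this example's own.

# Primary-key fingerprints from the gpg listing above, spaces removed.
EXPECTED_FPRS="DBB773383BC349C95203ED91EAC5EBF07AA9C2A3
0046195B2DCAB176D39409CD00100D897EDBA5E0
B76D4AA796D8403EED78C9F9FF24CA421946AA94
5D77D9A42E280F5AFF8F2EBFB67C19E817A8D846"
# Primary key of the signer named in the expected "Good signature" line.
SIGNER_FPR="DBB773383BC349C95203ED91EAC5EBF07AA9C2A3"

# stdin: `gpg --with-colons` key listing; stdout: primary-key fingerprints
# (the fpr record that follows each pub record; subkey records are skipped).
primary_fprs() {
    awk -F: '$1=="pub"{p=1} $1=="sub"{p=0} $1=="fpr" && p {print $10; p=0}'
}

# stdin: fingerprints, one per line. Prints every fingerprint that is not
# pinned above; succeeds only if the input was non-empty and all were pinned.
unpinned_fprs() {
    n=0; bad=0
    while read -r f; do
        n=$((n + 1))
        echo "$EXPECTED_FPRS" | grep -qxF "$f" || { echo "$f"; bad=1; }
    done
    [ "$n" -gt 0 ] && [ "$bad" -eq 0 ]
}

# stdin: `gpg --status-fd 1 --verify` output; stdout: last field of the
# VALIDSIG line, which is the signer's primary-key fingerprint in GnuPG 2.
validsig_primary() {
    awk '$1=="[GNUPG:]" && $2=="VALIDSIG" {print $NF}'
}

# Run the checks when the files from the steps above are present.
if [ -f freenet-pubkey.gpg ]; then
    gpg --with-colons --show-keys freenet-pubkey.gpg | primary_fprs |
        unpinned_fprs || echo "unexpected key in keyring: do not import" >&2
fi
if [ -f new_installer_offline.jar.sig ]; then
    got=$(gpg --status-fd 1 --verify new_installer_offline.jar.sig 2>/dev/null |
        validsig_primary)
    [ "$got" = "$SIGNER_FPR" ] || echo "installer not signed by pinned key" >&2
fi
```

Checking the VALIDSIG primary fingerprint catches the case where gpg prints "Good signature" for a key other than the expected signer that happens to be in the local keyring.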

Prepare Tor Browser for browsing Freenet

Add FoxyProxy to Tor Browser in Whonix.

Warning: Installing FoxyProxy worsens the user's browser fingerprint and adversely affects anonymity since it is not a default Tor Browser add-on. The Tor Project's anonymity warning is explicit: [13]

Can I install other Firefox extensions?

Tor Browser is free software, so there is nothing preventing you from modifying it any way you like. However, we do not recommend installing any additional Firefox add-ons with Tor Browser. Add-ons can break your anonymity in a number of ways, including browser fingerprinting and bypassing proxy settings.

When using a browser and FoxyProxy in combination, a user's web fingerprint becomes more unique. The potential fingerprinting harm to user anonymity depends on how many others are running Tor Browser in conjunction with FoxyProxy.

This configuration is so specialized that probably very few are doing it, reducing the user pool to a small subset. Due to the risk, this approach is generally recommended against. If a user decides to proceed anyhow, the tunnel configuration should not be combined with any browser other than Tor Browser (like Firefox or Chrome), due to an even greater browser fingerprinting risk.

This warning equally applies to configurations such as Tor Browser and I2P, or Tor Browser and remote (http(s)/socks4/5) proxies.

To install FoxyProxy, follow these steps in the Whonix-Workstation (Qubes-Whonix: Whonix-Workstation AppVM). [14] [15]

Make the tbb-foxyproxy config file available to Tor Browser. [16] [17]

cp /usr/share/usability-misc/tbb-foxyproxy/foxyproxy.xml /home/user/.tb/tor-browser/Browser/TorBrowser/Data/Browser/profile.default/

Navigate to addons.mozilla.org.

Tor Browser Menu -> Tools -> Add-ons

Download and install the FoxyProxy add-on. [18]

Search: "foxyproxy" -> Install: FoxyProxy Standard

Restart Tor Browser.

When prompted, select Restart now.

After restart, the FoxyProxy icon should appear in the Tor Browser toolbar and be enabled. Check you can interact with it and change proxy settings as required.

After FoxyProxy is installed, you may see an AppArmor warning about the denied creation of dconf/user. The current Debian profile for Firefox does not yet include the modern temporary file location /run/user. This can be safely ignored, since FoxyProxy never needs access to dconf/user. However, if you'd like to give Tor Browser permission to use the temporary file directory /run/user/ and not receive the warning, edit the file

kdesudo kwrite /etc/apparmor.d/home.tor-browser.firefox

And uncomment the line

# owner /run/user/[0-9]*/** rwkl,
by removing the #.

To reverse this procedure and restore the default Tor Browser fingerprint:

  • Non-Qubes-Whonix: It is best to use a VM snapshot taken before installing the add-on.
  • Qubes-Whonix: FoxyProxy should be installed to a specific Whonix-Workstation AppVM set up for proxy purposes. The AppVM can be discarded at leisure.

If Non-Qubes-Whonix users did not take a snapshot prior to these changes, Tor Browser can be downloaded again. Alternatively, FoxyProxy can be removed via the about:addons -> Extensions menu.

For further technical discussion of FoxyProxy, see the Whonix forum.


Finally, visit in Tor Browser to access Freenet. Further changes to settings and plugin installation are also done through this UI.


Plugins provide much of the rich functionality of the Freenet experience. They act as an abstraction layer that presents text in different layouts for different use cases including forums, mail, blogs, code repositories, social networking, IRC and more. The Freenet Social Networking Guide explains how to set them up. See also other relevant guides.[19]


This section documents some Whonix-specific tips that you should be aware of for a smoother user experience.

  • Torbirdy must be disabled for Icedove to connect locally to Freemail's SMTP server. (It's also highly recommended to disable FoxyProxy in Icedove add-ons.) As a side-effect, HTML emails are rendered by Icedove. To disable, go to: Options -> View -> Message Body As -> Plain Text. Freemail takes care of privacy concerns by scrubbing mail headers.[20]
  • Freemail encrypts metadata and subject lines by default. However, for extra assurance and to future-proof your mail against quantum computers, you may layer E2E on top of Freemail with Codecrypt and the Icedove AnnealMail add-on.
  • Technically, each plugin's generated data is self-contained under its own folder under the Freenet directory. For example, to archive your mail spool, copy the /freenet/freemail-wot folder to your backups.
  • The menu layout in Freenet changed slightly since the Freenet Social Networking Guide was written. For WoT identities, back up the 'Insert URI' to a safe place. This is your identity's private key and should never be shared. This info is under Edit of an existing identity. To restore it on a new node, paste it in: Create an identity -> Use an existing SSK URI key pair for the identity

Using an inproxy inside your Whonix-Workstation

A Freenet gateway. Tested to be functional. However, this is a restricted inproxy which only allows access to a whitelisted selection of Freesites. No other active inproxies are known.

Freenet SSH Workaround

Another workaround: buy, administer and connect to the SSH server anonymously through your Whonix-Workstation. Install Freenet on the remote location and connect from your Whonix-Workstation (SSL or SSH tunnel). See also SSH.


  1. https://freenetproject.org/
  2. https://en.wikipedia.org/wiki/Freenet
  3. https://www.planetpeer.de/wiki/index.php/Main_Page
  4. https://daserste.ndr.de/panorama/aktuell/nsa230_page-4.html
  5. https://search.edwardsnowden.com/docs/TorOverviewofExistingTechniques2014-12-28nsadocs
  6. https://censorship.no/
  7. https://github.com/equalitie/ceno#installing-ceno
  8. https://mascherari.press/onionscan-report-june-2016/
  9. Note that you’re not actively storing: The storage is just a byproduct of transmission in the network. As an example for a similar assessment, the European Court of Justice ruled in 2014 that third parties who reproduce a work in an “integral and essential part of a technological process and carried out for the sole purpose of enabling either efficient transmission in a network between third parties by an intermediary” are exempt from copyright concerns (only the uploader is liable). See http://curia.europa.eu/juris/document/document_print.jsf?doclang=EN&text=&pageIndex=0&part=1&mode=DOC&docid=153302&occ=first&dir=&cid=93105
  10. This is tested. Freenet installs normally, but even with the lowest security settings, a connection will never be established. The problem is that Tor does not support UDP. (There has been a discussion about this topic. Although it is from 2008, it doesn't look like the situation has changed or will change.)
  11. https://www.mail-archive.com/devl@freenetproject.org/msg26975.html
  12. https://freenetproject.org/download.html#keyring
  13. https://www.torproject.org/docs/faq.html.en
  14. The following instructions have been tested as functional in Tor Browser versions 6.5, 7.0a1 and 7.0a2 "hardened". https://lists.torproject.org/pipermail/tbb-dev/2017-February/000471.html
  15. Some users report xpinstall.signatures.required needs to be disabled in Tor Browser about:config settings to enable FoxyProxy, when it is installed from the Debian repository. This workaround is not required when installing FoxyProxy from addons.mozilla.org. https://forums.whonix.org/t/new-version-of-tbb-no-longer-accepts-foxyproxy-plugin
  16. https://github.com/Whonix/usability-misc
  17. https://github.com/Whonix/usability-misc/blob/master/usr/share/usability-misc/tbb-foxyproxy/foxyproxy.xml
  18. This procedure is safe. Since Firefox 43, all add-ons on Mozilla's servers are signed and verified. https://wiki.mozilla.org/Add-ons/Extension_Signing
  19. https://d6.gnutella2.info/freenet/USK@xedmmitRTj9-PXJxoPbD7RY1gf9pKi0OcsRmjNPPIU4,AzFWTYV~9-I~eXis14tIkJ4XkF17gIgZrB294LjFXjc,AQACAAE/fmsguide/6/
  20. https://github.com/freenet/plugin-Freemail/blob/master/src/org/freenetproject/freemail/MailHeaderFilter.java


Whonix is a licensee of the Open Invention Network. Unless otherwise noted, the content of this page is copyrighted and licensed under the same Libre Software license as Whonix itself.