- 1 Introduction
- 2 Technical Overview
- 3 Liability
- 4 Overview on ways to use Freenet with Whonix ™
- 5 Freenet inside the Whonix-Workstation ™ - Freenet over Tor (Preferred)
- 6 Using an inproxy inside your Whonix-Workstation ™
- 7 Freenet SSH Workaround
- 8 Footnotes
Freenet is a peer-based, encrypted datastore with version control that aims to give anonymity to both publishers and readers. Launched in 1999, it is the eldest of the 'big four' anonymity networks alongside Tor, I2P and GNUnet (GNUnet is based on similar concepts). Its robustness has brought it in the cross-hairs of advanced adversaries. Though it has less users compared to Tor and I2P, it is still the largest network of its kind.
Freenet's design is very different from the other networks. Instead of obfuscating traffic streams between endpoints, the data itself is sliced up into encrypted blocks and distributed across other peers' datastores for redundancy and plausible deniability. After uploading, the publisher obtains a key which acts as the content's URI that can be optionally shared to allow others access. These are known as Freesites. The data remains available even after the uploader goes offline (asynchrounous). Freenet is a self-contained network with no access to the wider web.
Reader requests are routed through multiple hops. Each hop acts as a caching proxy for some of the requested data blocks, propagating the material and providing scalability and availability when demand grows. Understand that Freenet's data storage is not permanent and cannot be, otherwise an attacker can flood it with garbage data and render it useless for users. It is lossy and "forgets" unpopular content that is rarely accessed. Censors can no longer rely on DoS to block content because it spreads the information further. You can think of it as a digital embodiment of the Streisand Effect [archive]
Note that there are no telescopic tunnels like Tor but requests are bundled together for cover traffic and routed through a varying number of hops to confuse adversaries as to who is forwarding vs requesting the data.
Freenet can operate in a Darknet mode that turns it into a private friend-only network, Opennet mode which connects to a public network and a hybrid mode that includes both.
Freenet's properties make it an excellent and safer choice for disseminating data because it tackles "The Hosting Problem". Centralized hosting remains an Achilles Heel for onionspace. Strong cryptography guarantees the integrity of the files fetched.
The Hosting Problem:
Traditional anonymous publishing mechanisms like onion services or eepsites require a resource commitment (an always online server) from users which puts them out of reach for most people. Securing a server is no easy task, more so in the hostile environment of the dark web. It requires extensive hardening, auditing and sys-admin skills. Even then, all bets are off with a certain class of adversaries. A server is a sitting duck for attackers to probe and test their weapons against. Its also a single point of failure that can be DoS'd offline. Once rooted, the server can be used to mount water-hole attacks on site visitors.
In the EU users have strong liability protections when caching content as a side-effect of participating in a network according to a Freenet developer in Germany.
Overview on ways to use Freenet with Whonix ™
- Freenet inside the Whonix-Workstation ™ - Freenet over Tor (Prefered)
- #Using an inproxy inside your Whonix-Workstation ™
- #Freenet SSH Workaround
Freenet inside the Whonix-Workstation ™ - Freenet over Tor (Preferred)
Configure Connection Workaround
In the "classical sense" (directly and only over Tor) is impossible.  As a workaround you can Tunnel UDP over Tor. Note that Other Anonymizing Networks over Tor UDP Tunnel applies. Easiest solution probably is to use a VPN. See Connecting to Tor before a VPN (User → Tor → VPN → Internet)
Installation of Freenet
Unfortunately Freenet is unlikely to be available from Debian repos in the foreseeable future because its fast development cycle is incompatible with stable's policies.  It must be installed manually instead.
Check fingerprints/owners without importing anything.
gpg --keyid-format long --with-fingerprint keyring.gpg
Before adding the keyring, verify fingerprints. Always check the fingerprint for yourself. The output at the moment is:
pub 2048R/0xEAC5EBF07AA9C2A3 2013-04-29 Florent Daigniere <email@example.com> Key fingerprint = DBB7 7338 3BC3 49C9 5203 ED91 EAC5 EBF0 7AA9 C2A3 uid Florent Daigniere (NextGen$) <firstname.lastname@example.org> uid Florent Daigniere (Personal address) <email@example.com> sub 2048R/0x65B7118375AB23F2 2013-04-29 sub 2048R/0xD21621FD7FA16469 2013-04-29 pub 4096R/0x00100D897EDBA5E0 2013-09-21 Steve Dougherty (operhiem1 Release Signing Key) <firstname.lastname@example.org> Key fingerprint = 0046 195B 2DCA B176 D394 09CD 0010 0D89 7EDB A5E0 sub 4096R/0x7BF0F7B36AC8B380 2013-09-21 [expires: 2016-09-15] pub 4096R/0xFF24CA421946AA94 2013-09-24 Matthew Toseland (2013-2018 key, higher key length) <email@example.com> Key fingerprint = B76D 4AA7 96D8 403E ED78 C9F9 FF24 CA42 1946 AA94 uid Matthew Toseland (2013-2018 key, higher key length) <firstname.lastname@example.org> sub 4096R/0xF877E62895C42009 2013-09-24 [expires: 2018-09-23] pub 4096R/0xB67C19E817A8D846 2016-01-02 Stephen Oliver <email@example.com> Key fingerprint = 5D77 D9A4 2E28 0F5A FF8F 2EBF B67C 19E8 17A8 D846 sub 4096R/0x9BCDD1614041F59E 2016-01-02 [expires: 2017-01-01] sub 4096R/0x1652EBA5AC1BB386 2016-01-02 [expires: 2017-01-01] sub 4096R/0x38A62E479684F2F2 2016-01-02 [expires: 2017-01-01]
If it looks good import it with GPG.
gpg --import keyring.gpg
sudo apt-get update sudo apt-get install openjdk-11-jre-headless
Create install directory.
mkdir Freenet cd Freenet
Download offline installer and signature.
wget 'https://github.com/freenet/fred/releases/download/build01484/new_installer_offline_1484.jar' -O new_installer_offline.jar
wget 'https://github.com/freenet/fred/releases/download/build01484/new_installer_offline_1484.jar.sig' -O new_installer_offline.jar.sig
Verify the installer.
gpg --verify new_installer_offline.jar.sig
You should see Good signature from "Florent Daigniere <firstname.lastname@example.org>" before installing anything.
Follow the prompts and install in it current folder.
java -jar new_installer_offline.jar -console
Note that Freenet includes its own secure internal updater that downloads new versions from inside the network. Repeating these steps after initial installation are not necessary.
Prepare Tor Browser for browsing Freenet
Note: The following steps will no longer be required once Whonix releases a custom Tor Browser for connecting to alternative networks. 
Configure Tor Browser to connect to localhost.
In Tor Browser:
about:configinto the URL bar.
- Search for
- Set to
To start manually after reboot afterwards:
cd Freenet ./run.sh start
Plugins provide much of the rich functionality of the Freenet experience. They act as an abstraction layer that present text in different layouts for different use cases including forums, mail, blogs, code repositories, social networking, IRC and more [archive]. The Freenet Social Networking Guide [archive] explains how to set them up. Also other relevant guides.
This section documents some Whonix ™ specific tips that you should be aware of for a smoother user experience.
- Torbirdy must be disabled for Thunderbird to connect locally to Freemail's SMTP server. As a side-effect HTML emails are rendered by Thunderbird. To disable, go to:
Message Body As→
Plain Text. Freemail takes care of privacy concerns by scrubbing mail headers.
- Freemail encrypts metadata and subject lines by default. However for extra assurance and to future-proof your mail against quantum computers you may layer E2E on-top of Freemail with Codecrypt.
- Technically each plugin's generated data is self contained under its own folder under the Freenet directory. For example, to archive your mail spool, copy the /freenet/freemail-wot to your backups.
- The menu layout in Freenet changed slightly since the Freenet Social Networking Guide [archive] was written. For WoT identities backup the 'Insert URI' to a safe place. This is your identity's private key and should never be shared. This info is under
Editof an existing identity. To restore it on a new node paste it in:
Create an identity→
Use an existing SSK URI key pair for the identity
Using an inproxy inside your Whonix-Workstation ™
Freenet SSH Workaround
Another workaround: Buy, administrate and connect the SSH server anonymously though your Whonix-Workstation ™. Install Freenet on the remote location and connect from your Whonix-Workstation ™ (SSL or SSH tunnel). See also SSH.
- https://freenetproject.org/ [archive]
- https://en.wikipedia.org/wiki/Freenet [archive]
- https://www.planetpeer.de/wiki/index.php/Main_Page [archive]
- https://daserste.ndr.de/panorama/aktuell/nsa230_page-4.html [archive]
- https://search.edwardsnowden.com/docs/TorOverviewofExistingTechniques2014-12-28nsadocs [archive]
- https://mascherari.press/onionscan-report-june-2016/ [archive]
- Note that you’re not actively storing: The storage is just a byproduct of transmission in the network. As an example for a similar assessment, the European Court of Justice ruled in 2014 that third parties who reproduce a work in an “integral and essential part of a technological process and carried out for the sole purpose of enabling either efficient transmission in a network between third parties by an intermediary” are exempt from copyright concerns (only the uploader is liable). See http://curia.europa.eu/juris/document/document_print.jsf?doclang=EN&text=&pageIndex=0&part=1&mode=DOC&docid=153302&occ=first&dir=&cid=93105 [archive]
- This is tested. Freenet installs normally, but even with lowest security settings, connection will never be established. The problem is, that Tor does not support UDP. (There has been a discussion [archive] about this topic. Although it is from 2008, it doesn't look like, the situation has changed or will change.)
- https://email@example.com/msg26975.html [archive]
- https://freenetproject.org/download.html#keyring [archive]
- Except in the case of YaCy, which needs internet access.
- https://d6.gnutella2.info/freenet/USK@xedmmitRTj9-PXJxoPbD7RY1gf9pKi0OcsRmjNPPIU4,AzFWTYV~9-I~eXis14tIkJ4XkF17gIgZrB294LjFXjc,AQACAAE/fmsguide/6/ [archive]
- https://github.com/freenet/plugin-Freemail/blob/master/src/org/freenetproject/freemail/MailHeaderFilter.java [archive]
This is a wiki. Want to improve this page? Help is welcome and volunteer contributions are happily considered! Read, understand and agree to Conditions for Contributions to Whonix ™, then Edit! Edits are held for moderation.
Copyright (C) 2012 - 2019 ENCRYPTED SUPPORT LP. Whonix ™ is a trademark. Whonix ™ is a licensee [archive] of the Open Invention Network [archive]. Unless otherwise noted, the content of this page is copyrighted and licensed under the same Freedom Software license as Whonix ™ itself. (Why?)