Introduction[edit]

Network[edit]

The Invisible Internet Project (I2P) is an anonymous network, exposing a simple layer that applications can use to anonymously and securely send messages to each other through "tunnels". The network itself is strictly message based (IP), but there is a library available to allow reliable streaming communication on top of it (TCP). All communication is end to end encrypted (in total there are four layers of encryption used when sending a message), and even the end points ("destinations") are cryptographic identifiers (essentially a pair of public keys).^[1] This is known as Garlic routing which is a variant of Onion routing and benefits from the research on the latter but makes some different tradeoffs.^[2] Each client application has their I2P "router" that finds other clients by querying against the fully distributed "network database" - a custom structured distributed hash table (DHT) based off the Kademlia algorithm. Every router transports traffic for its peers which it uses as cover traffic for its own.

Read more about I2P's technical details here.

I2P is focused on creating a community around P2P darknet services rather than providing "outproxies"(exits) to the clearnet.

The I2P development team is an open group, welcome to all who are interested in getting involved, and all of the code is open source. The core I2P SDK and the current router implementation is done in Java (currently working with both sun and kaffe, gcj support planned for later), and there is a simple socket based API for accessing the network from other languages (with a C library available, and both Python and Perl in development). The network is actively being developed and has not yet reached the 1.0 release, but the current roadmap describes their schedule.

Overview on ways to use I2P with Whonix[edit]

• You can either use inproxies inside Whonix-Workstation to browse Eepsites or install I2P inside Whonix-Workstation.
  • The inproxy method is more suited for a causal use of I2P, where you just want to anonymously view an Eepsite and don't care about eavesdroppers as long you are anonymous.
• Using the I2P client inside Whonix-Workstation (Preferred) is safer, all I2P traffic gets tunneled through Tor, fully featured but a tiny bit more difficult than installing I2P the ordinary way, i.e. using I2P in the clear, not over Tor.

Concepts[edit]

Much of Tor's concepts carry over to I2P despite the terminology being somewhat different.

Other interesting concepts of note:

• Tor HS "stealth mode" == I2P client whitelist^[3] or using Encrypted LeaseSets^[4] (I2P documentation is lacking but there are plans to improve)

• Tor "Single Onion Service" == I2P 0-hop tunnels^[5]

Searching I2P[edit]

The onion service search engine https://ahmia.fi now supports I2P eepsites and Tor2Web plans on adding I2P support.^[6] http://seeker.i2p is a search engine for I2P eepsites.

Eepsite directories: http://stats.i2p lists registered i2p websites. http://identiguy.i2p - lists many known and alive I2P websites. http://no.i2p lists known latest and alive i2p websites. Site list made from registered sites and external sources. http://inr.i2p lists known latest and alive i2p websites. Site list made from registered sites and external sources.

Inproxies inside Whonix-Workstation[edit]

There are several I2P inproxies, those are similar to tor2web^[7]. Simply use Tor Browser, which comes with Whonix by default.

Note that you will lose the end-to-end encryption to the eepsites, which I2P would provide, if you would install it directly inside Whonix-Workstation, or if you would use it the ordinary way. Depending on if the inproxy uses http (unencrypted), https (or is reachable through an onion service), also Exit Nodes Eavesdropping applies. In any case, the I2P inproxy admin can also see all of your traffic in the I2P network and there is no way to prevent that.

List of I2P inproxy domains (bolded):

• • Example: http://forum.i2p.rocks ^[8]
  • Example: http://forum.i2p.re
  • Example: http://forum.i2p.xyz
  • Example: http://forum.i2p2piszzzndhfvr.onion^[9]
  • https://www.hiddenservice.net/
• many others are down ^[10]

Use I2P client inside Whonix-Workstation (Preferred)[edit]

Connecting to Tor before I2P[edit]

It is possible to run I2P inside the Whonix-Workstation.
user -> Tor -> I2P -> Internet

In case you want to do that, it is recommended to read the following two related wiki articles:

• Tunnels/Introduction
• Tunnels/Connecting_to_Tor_before_a_proxy

Advantages:

• Anonymity is provided by Tor.
• I2P router console works normal inside Tor Browser. No need to install a graphical user interface on the Whonix-Gateway.
• Eepsites (.i2p) can be reached directly from Tor Browser.
• I2P's end-to-end encryption will be used like usual.

Warnings:

• No Stream-Isolation Support
  • I2P does not have stream isolation support meaning that visits to Eepsites are linkable and fingerprintable; each request includes the same X-I2P-Dest* headers, which are unique only to yourself. This might be true for outproxy requests as well.
  • If you access site1.i2p and then site2.i2p, site3.i2p … and so on, each one of those operators will see the exact same X-I2P-Dest* values. Meaning if they are colluding, they will know that they were all accessed by the same person.
  • The longer you leave I2P running, the better profile those operators can build on you. The X-I2P-Dest* values only change on restart of the I2P instance or on stop/start of the HTTP Proxy tunnel. I2P has no fix for this at the moment^[11][12], however someone is writing an experimental plugin to provide a stream-isolating mechanism for http-over-I2P. The si-i2p-plugin is an I2P SAM application which presents an http proxy(on port 4443 by default) that acts as an intermediate between your browser and the I2P network. It uses the SAM library to create a unique destination for each I2P site that you visit. This way, your base32 destination couldn't be used to track you with a network of colluding sites.^[13]

Disadvantages:

• Adds load to Tor.
• Adds load to I2P.
• It is slower than I2P directly on Whonix-Gateway or the ordinary usage.
• No contribution to the I2P network (leeching). ^[14]

Installation and Setup:

Security warning: Adding a third party repository allows the vendor to replace any package on your system. Proceed at your own risk! See Foreign Sources for further information. For greater safety, users adding third party repositories should always use Multiple Whonix-Workstations to compartmentalize VMs with additional software.

Currently supported architectures include amd64, i386, armel, armhf (for Raspbian), and powerpc.

1. Before adding the repo^[15], fetch the key and verify^[16] fingerprints. Always check the fingerprint for yourself. The output at the moment is:

TO-DO: Update signing key info when migration from KYTV infrastructure happens.

pub  4096R/0x67ECE5605BCF1346 2013-10-10 I2P Debian Package Repository <killyourtv@i2pmail.org>
      Key fingerprint = 7840 E761 0F28 B904 7535  49D7 67EC E560 5BCF 1346

Download key with scurl to home folder.

scurl -o i2p-pubkey.asc https://geti2p.net/_static/i2p-debian-repo.key.asc

Check fingerprints/owners without importing anything.

gpg --keyid-format long --with-fingerprint i2p-pubkey.asc

If it looks good import into trusted.gpg.d.^[17]

gpg --no-default-keyring --keyring ./i2p-pubkey.gpg --import i2p-pubkey.asc
sudo cp i2p-pubkey.gpg /etc/apt/trusted.gpg.d/i2p-pubkey.gpg

For default Whonix using Debian stable:

sudo su -c "echo -e 'deb http://deb.i2p2.no/ jessie main\ndeb-src http://deb.i2p2.no/ jessie main' > /etc/apt/sources.list.d/i2p-release.list"

For Whonix build using Debian Testing or Unstable (Sid):

sudo su -c "echo -e 'deb http://deb.i2p2.no/ unstable main\ndeb-src http://deb.i2p2.no/ unstable main' > /etc/apt/sources.list.d/i2p-release.list"

Update the package lists.

sudo apt-get update

Install I2P and dependencies.

sudo apt-get install i2p i2p-keyring

2. Configure I2P as a service that automatically runs when your system boots, set the amount of Ram to your needs and leave the User as i2psvc

sudo dpkg-reconfigure i2p

3. Configure Tor Browser to connect to localhost.

Warning: This step changes the web fingerprint of Tor Browser! Leave all other settings as is!

In Tor Browser type about:config into the URL bar -> press Enter -> search for network.proxy.no_proxies_on -> Set to 0

4. Start/Stop the I2P service:

Start the I2P service

sudo systemctl start i2p

Stop the I2P service

sudo systemctl stop i2p

Status of the I2P service

sudo systemctl status i2p

OPTIONAL

To run I2P manually as User:

• Note: The config folder changes to /home/user/.i2p/

i2prouter start

Please review and adjust the bandwidth settings on the configuration page, as the default settings of 300 KB/s down / 60 KB/s up are fairly conservative.

Services[edit]

Many interesting features and functionality are implemented for I2P in the form of stand-alone packages or plugins that can be optionally installed from their official plugin eepsite. The instructions are simple to follow. The signing keys for these plugins is already built into the official I2P package and so are already white-listed. This is not a complete list.

See this page for documentation about default port numbers of I2P plugins.

I2P-Bote[edit]

I2P-Bote is a serverless, encrypted email plugin that uses I2P for anonymity. Messages are stored in the distributed hash table (DHT) for 100 days, during which the recipient is able to download them.

To back up I2P-Bote data, copy the i2pbote folder inside the I2P config directory (~/.i2p/i2pbote on Unix systems or /var/lib/i2p/i2p-config when running as a daemon).

Compartmentalize activities and only use the I2P-Bote/Susimail VM snapshot for this purpose. Generally, applications that run with a browser interface are vulnerable to a whole class of bugs, including cross-site request forgery (CSRF).^[19][20]

Features:

• A webmail interface.
• A user interface translated into 15 languages.
• One-click creation of email accounts (called email identities).
• Emails can be sent either under a sender identity or anonymously.
• 2048-bit ElGamal, 256/521-bit Elliptic Curve and NTRU-1087 encryption.
• Transparent, automatic encryption and signing without relying on third-party software such as PGP/GnuPG.
• Sending and receiving via relays with delay periods set by the user, similar to Mixmaster.
• Theme support.
• POP3 / IMAP / SMTP.
• Cc and Bcc support.
• Delivery confirmation.
• Attachments.
• Basic support for short recipient names.
• Android support (via I2P's Android client).

Planned Features:

• An outproxy to interoperate with clearnet mail servers.
• Custom folders.
• Multi-device identity syncing.
• Support for short email addresses like myname@bote.i2p
• HashCash as an anti-spam solution should it become a problem.
• Lots of other small improvements.

Syndie[edit]

Syndie^[21] is I2P's distributed forum software, allowing asynchronous conversations between anonymous participants. It was the focus of I2P's creator shortly before he ceased public activity. It supports single and multiple author modes, adjustable visibility of posts and post moderation. Syndie features its own minimalist and secure reader to protect against browser exploitation.

On the whole, Syndie works at the *content layer* - individual posts are contained in encrypted zip files, and participating in the forum means simply sharing these files. There are no dependencies upon how the files are transferred (over I2P, Tor, Freenet, gnutella, bittorrent, RSS, usenet, email), but simple aggregation and distribution tools are bundled with the standard Syndie release.^[22]

Download Syndie from the official I2P plugin site (echelon.i2p). Its more secure than fetching from HTTPS sites on the clearnet.

After downloading, run it with:

java -jar syndie-installer-*.jar

Update: Syndie is seeing a modern rewrite.

RetroShare[edit]

RetroShare is an alternative to Syndie which can be tunneled through I2P for enhanced anonymity.

Follow the steps in this guide to connect to others over I2P.

Syncthing[edit]

Syncthing is a popular libre software for file syncing based on the bittorrent protocol. Its possible to tunnel its traffic over I2P as shown in this guide.

ZeroNet[edit]

As part of a summer coding project (as of 2016), ZeroNet is being modified to natively support tunneling over I2P.

Coming soon.

Installing I2P on Whonix-Gateway (I2P and Tor simultaneously)[edit]

both simultaneously:
user -> Tor -> Internet
user -> I2P -> Internet

Development discussion:
https://forums.whonix.org/t/i2p-integration/4981

old development discussion:
https://forums.whonix.org/t/i2p-running-on-whonix-gateway

Footnotes[edit]

Whonix I2P documentation thread:
https://forums.whonix.org/t/whonix-i2p-documentation/1729

1. ↑ https://geti2p.net/en/about/intro
2. ↑ https://geti2p.net/en/research
3. ↑ https://twitter.com/i2p/status/756952247662239744
4. ↑ https://geti2p.net/sv/docs/how/network-database
5. ↑ https://twitter.com/i2p/status/756948810790821888
6. ↑ https://lists.torproject.org/pipermail/tor-talk/2016-January/039814.html
7. ↑ https://trac.torproject.org/projects/tor/wiki/doc/tor2web
8. ↑ * http://i2p.rocks/
9. ↑ http://i2p2piszzzndhfvr.onion - simply append the Onion Service name after the short eepsite name, omitting the .i2p TLD as shown.
10. ↑
    • awxcnx I2P eepsite inproxy
      • clearnet SSL version
      • Tor onion service version
      • I2P eepsite version
    • awxcnx I2P IRC inproxy (See Chat for general chat safety advice.)
      • clearnet SSL version
      • Tor onion service version
      • I2P eepsite version
    • 6dyi4t72u7y6g763.onion
    • or simply add '.to' after '.i2p'. For example, instant of http://forum.I2P you can use http://forum.i2p.to.
11. ↑ http://i2p2piszzzndhfvr.onion/doku.php/start
12. ↑ https://www.reddit.com/r/i2p/comments/579idi/warning_i2p_is_linkablefingerprintable/
13. ↑ https://github.com/cmotc/si-i2p-plugin
14. ↑ Sounds worse than it is. Only very few people are expected to use I2P over Tor. I2P offers those options itself. It is not like a leeching mod.
15. ↑ https://geti2p.net/en/download/debian
16. ↑ https://geti2p.net/_static/i2p-debian-repo.key.asc
17. ↑ To import asc key files into trusted.gpg.d they must be converted into a .gpg keychain file first.
18. ↑ I2P .deb Packages installation instructions from I2P's third party repository
19. ↑ https://chaoswebs.net/blog/2016/12/01/Exploiting-I2P-Bote/
20. ↑ https://chaoswebs.net/blog/2016/10/15/Stealing-Your-I2P-Email/
21. ↑ https://www.syndie.de/
22. ↑ https://www.syndie.de/features.html

Share: Twitter | Facebook

This is a wiki. Want to improve this page? Help is welcome and volunteer contributions are happily considered! See Conditions for Contributions to Whonix, then Edit! IP addresses are scrubbed, but editing over Tor is recommended. Edits are held for moderation.

Whonix is a licensee of the Open Invention Network. Unless otherwise noted, the content of this page is copyrighted and licensed under the same Libre Software license as Whonix itself. (Why?)