💾 Archived View for pub.phreedom.club › ~localhost › misc › external_articles › article-i2p-intro.gm… captured on 2023-07-22 at 16:30:42. Gemini links have been rewritten to link to archived content

View Raw

More Information

⬅️ Previous capture (2023-06-16)

-=-=-=-=-=-=-

Source: gopher://dataswamp.org:70/1/~solene/article-i2p-intro

Title: Using the I2P network with OpenBSD and NixOS

Author: Solène

Date: 20 June 2021

Tags: i2p tor openbsd nixos networking

NIL# Introduction

In this text I will explain what is the I2P network and how to provide

a service over I2P on OpenBSD and how to use to connect to an I2P

service from NixOS.

I2P

This acronym stands for Invisible Internet Project and is a network

over the network (Internet). It is quite an old project from 2003 and

is considered stable and reliable. The idea of I2P is to build a

network of relays (people running an i2p daemon) to make tunnels from a

client to a server, but a single TCP session (or UDP) between a client

and a server could use many tunnels of n hops across relays.

Basically, when you start your I2P service, the program will get some

information about the relays available and prepare many tunnels in

advance that will be used to reach a destination when you connect.

Some benefits from I2P network:

• your network is reliable because it doesn't take care of operator

peering

• your network is secure because packets are encrypted, and you can

even use usual encryption to reach your remote services (TLS, SSH)

• provides privacy because nobody can tell where you are connecting to
• can prevent against habits tracking (if you also relay data to

participate to i2p, bandwidth allocated is used at 100% all the time,

and any traffic you do over I2P can't be discriminated from standard

relay!)

• can only allow declared I2P nodes to access a server if you don't

want anyone to connect to a port you expose

It is possible to host a website on I2P (by exposing your web server

port), it is called an eepsite and can be accessed using the SOCKs

proxy provided by your I2P daemon. I never played with them though but

this is a thing and you may be interested into looking more in depth.

I2P project and I2P implementation (java) page

i2pd project (a recent C++ implementation that I use for this tutorial)

Wikipedia page about I2P

I2P vs Tor

Obviously, many people would question why not using Tor which seems

similar. While I2P can seem very close to Tor hidden services, the

implementation is really different. Tor is designed to reach the

outside while I2P is meant to build a reliable and anonymous network.

When started, Tor creates a path of relays named a Circuit that will

remain static for an approximate duration of 12 hours, everything you

do over Tor will pass through this circuit (usually 3 relays), on the

other hand I2P creates many tunnels all the time with a very low

lifespan. Small difference, I2P can relay UDP protocol while Tor only

supports TCP.

Tor is very widespread and using a tor hidden service for hosting a

private website (if you don't have a public IP or a domain name for

example) would be better to reach an audience, I2P is not very well

known and that's partially why I'm writing this. It is a fantastic

piece of software and only require more users.

Relays in I2P doesn't have any weight and can be seen as a huge P2P

network while Tor network is built using scores (consensus) of relaying

servers depending of their throughput and availability. Fastest and

most reliable relays will be elected as "Guard server" which are entry

points to the Tor network.

I've been running a test over 10 hours to compare bandwidth usage of

I2P and Tor to keep a tunnel / hidden service available (they have not

been used). Please note that relaying/transit were desactivated so

it's only the uploaded data in order to keep the service working.

• I2P sent 55.47 MB of data in 114 430 packets. Total / 10 hours = 1.58

kB/s average.

• Tor sent 6.98 MB of data in 14 759 packets. Total / 10 hours = 0.20

kB/s average.

Tor was a lot more bandwidth efficient than I2P for the same task:

keeping the network access (tor or i2p) alive.

Quick explanation about how it works

There are three components in an I2P usage.

- a computer running an I2P daemon configured with tunnels servers (to

expose a TCP/UDP port from this machine, not necessarily from localhost

though)

- a computer running an I2P daemon configured with tunnel client (with

information that match the server tunnel)

- computers running I2P and allowing relay, they will receive data from

other I2P daemons and pass the encrypted packets. They are the core of

the network.

In this text we will use an OpenBSD system to share its localhost ssh

access over I2P and a NixOS client to reach the OpenBSD ssh port.

OpenBSD

The setup is quite simple, we will use i2pd and not the i2p java

program.

pkg_add i2pd

# read /usr/local/share/doc/pkg-readmes/i2pd for open files limits

cat <<EOF > /etc/i2pd/tunnels.conf
[SSH]
type = server
port = 22
host = 127.0.0.1
keys = ssh.dat
EOF

rcctl enable i2pd
rcctl start i2pd

You can edit the file /etc/i2pd/i2pd.conf to uncomment the line

"notransit = true" if you don't want to relay. I would encourage

people to contribute to the network by relaying packets but this would

require some explanations about a nice tuning to limit the bandwidth

correctly. If you disable transit, you won't participate into the

network but I2P won't use any CPU and virtually no data if your tunnel

is in use.

Visit http://localhost:7070/ for the admin interface and check the menu

"I2P Tunnels", you should see a line "SSH => " with a long address

ending by .i2p with :22 added to it. This is the address of your

tunnel on I2P, we will need it (without the :22) to configure the

client.

Nixos

As usual, on NixOS we will only configure the

/etc/nixos/configuration.nix file to declare the service and its

configuration.

We will name the tunnel "ssh-solene" and use the destination seen on

the administration interface on the OpenBSD server and expose that port

to 127.0.0.1:2222 on our NixOS box.

services.i2pd.enable = true;
services.i2pd.notransit = true;

services.i2pd.outTunnels = {
  ssh-solene = {

enable = true;

name = "ssh";

destination = "gajcbkoosoztqklad7kosh226tlt5wr2srr2tm4zbcadulxw2o5a.b32.i2p";

address = "127.0.0.1";

port = 2222;

};

};

Now you can use "nixos-rebuild switch" as root to apply changes.

Note that the equivalent NixOS configuration for any other OS would

look like that for any I2P setup in the file "tunnel.conf" (on OpenBSD

it would be in /etc/i2pd/tunnels.conf).

[ssh-solene]
type = client
address = 127.0.0.1  # optional, default is 127.0.0.1
port = 2222
destination = gajcbkoosoztqklad7kosh226tlt5wr2srr2tm4zbcadulxw2o5a.b32.i2p

Test the setup

From the NixOS client you should be able to run "ssh -p 2222 localhost"

and get access to the OpenBSD ssh server.

Both systems have a http://localhost:7070/ interface because it's a

default setting that is not bad (except if you have multiple people who

can access the box).

Conclusion

I2P is a nice way to share services on a reliable and privacy friendly

network, it may not be fast but shouldn't drop you when you need it.

Because it can easily bypass NAT or dynamic IP it's perfectly fine for

a remote system you need to access when you can use NAT or VPN.