Packaging for Tails #9

Open
opened 1 year ago by konrad · 4 comments
konrad commented 1 year ago
Owner

Project: I2Pd package for Tails

Related: https://gitlab.tails.boum.org/tails/tails/-/issues/12264#note_150424

Target: having an up-to-date I2Pd package (a deb) for tails available from a suitable repo.

The problems:

  • Tails is Debian-based (which is great), but as of today the I2P package is rather outdated.
  • Tails relies heavily on iptables to control and secure the network of the system. This approach is fine from a Tails perspective. I2P should therefore simply run in a sandbox with clearly defined interfaces to the host. The I2P sandbox itself needs full network access (TCP/UDP). In I2P jargon this is called NTCP and SSU.

As a prototype, this approach works (tested on Tails 4.7):

Execute as root:

apt-get install i2pd
systemctl stop i2pd

THEN:

  1. fix the systemd i2pd.service file, see below
  2. fix /etc/i2pd/i2pd.conf, see below
  3. empty /etc/i2pd/tunnels.conf (currently not needed for the prototype)

Execute as root:

iptables -I OUTPUT 3 -p tcp -d 127.0.0.1 -j ACCEPT -m tcp --tcp-flags SYN,ACK,FIN,RST SYN -m multiport --destination-ports 4444,4447,7070 -m owner --uid-owner amnesia
iptables -I OUTPUT 4 -p tcp -j ACCEPT -m owner --uid-owner i2pd
iptables -I OUTPUT 5 -p udp -j ACCEPT -m owner --uid-owner i2pd
systemctl start i2pd

Go get a tea and wait for a few minutes until I2Pd has integrated into the I2P network.

Test as user amnesia:

curl -x localhost:4444 http://diva.i2p > diva.i2p.html
more diva.i2p.html 

systemd i2pd.service file

[Unit]
Description=I2P Router written in C++
Documentation=man:i2pd(1) https://i2pd.readthedocs.io/en/latest/
After=network.target

[Service]
User=i2pd
Group=i2pd
RuntimeDirectory=i2pd
RuntimeDirectoryMode=0700
LogsDirectory=i2pd
LogsDirectoryMode=0700
Type=forking
ExecStart=/usr/sbin/i2pd --conf=/etc/i2pd/i2pd.conf --pidfile=/run/i2pd/i2pd.pid --logfile=/var/log/i2pd/i2pd.log --daemon --service
ExecReload=/bin/kill -HUP $MAINPID
PIDFile=/run/i2pd/i2pd.pid
### Uncomment, if auto restart needed
#Restart=on-failure

KillSignal=SIGQUIT
# If you have the patience waiting 10 min on restarting/stopping it, uncomment this.
# i2pd stops accepting new tunnels and waits ~10 min while old ones do not die.
#KillSignal=SIGINT
#TimeoutStopSec=10m

# If you have problems with hanging i2pd, you can try increase this
LimitNOFILE=4096
# To enable write of coredump uncomment this
#LimitCORE=infinity
PrivateDevices=yes

[Install]
WantedBy=multi-user.target

/etc/i2pd/i2pd.conf file

## Configuration file for a typical i2pd user
## See https://i2pd.readthedocs.io/en/latest/user-guide/configuration/
## for more options you can use in this file.

## Lines that begin with "## " try to explain what's going on. Lines
## that begin with just "#" are disabled commands: you can enable them
## by removing the "#" symbol.

## Tunnels config file
## Default: ~/.i2pd/tunnels.conf or /var/lib/i2pd/tunnels.conf
# tunconf = /var/lib/i2pd/tunnels.conf

## Tunnels config files path
## Use that path to store separated tunnels in different config files.
## Default: ~/.i2pd/tunnels.d or /var/lib/i2pd/tunnels.d
# tunnelsdir = /var/lib/i2pd/tunnels.conf.d

## Where to write pidfile (don't write by default)
# pidfile = /var/run/i2pd.pid

## Logging configuration section
## By default logs go to stdout with level 'info' and higher
##
## Logs destination (valid values: stdout, file, syslog)
##  * stdout - print log entries to stdout
##  * file - log entries to a file
##  * syslog - use syslog, see man 3 syslog
# log = file
## Path to logfile (default - autodetect)
# logfile = /var/log/i2pd.log
## Log messages above this level (debug, *info, warn, error, none)
## If you set it to none, logging will be disabled
loglevel = debug
## Write full CLF-formatted date and time to log (default: write only time)
# logclftime = true

## Daemon mode. Router will go to background after start
# daemon = true

## Specify a family, router belongs to (default - none)
# family =

## External IP address to listen for connections
## By default i2pd sets IP automatically
# host = 1.2.3.4

## Port to listen for connections
## By default i2pd picks random port. You MUST pick a random number too,
## don't just uncomment this
# port = 4567

## Enable communication through ipv4
ipv4 = true
## Enable communication through ipv6
ipv6 = false

## Network interface to bind to
# ifname =
## You can specify different interfaces for IPv4 and IPv6
# ifname4 = 
# ifname6 = 

## Enable NTCP transport (default = true)
ntcp = true
## If you run i2pd behind a proxy server, you can only use NTCP transport with ntcpproxy option 
## Should be http://address:port or socks://address:port
# ntcpproxy = socks://localhost:9050
## Enable SSU transport (default = true)
ssu = true

## Should we assume we are behind NAT? (false only in MeshNet)
# nat = true

## Bandwidth configuration
## L limit bandwidth to 32KBs/sec, O - to 256KBs/sec, P - to 2048KBs/sec,
## X - unlimited
## Default is X for floodfill, L for regular node
bandwidth = P
## Max % of bandwidth limit for transit. 0-100. 100 by default
share = 50

## Router will not accept transit tunnels, disabling transit traffic completely
## (default = false)
# notransit = true

## Router will be floodfill
# floodfill = true

[http]
## Web Console settings
## Uncomment and set to 'false' to disable Web Console
# enabled = true
## Address and port service will listen on
address = 127.0.0.1
port = 7070
## Path to web console, default "/"
# webroot = /
## Uncomment following lines to enable Web Console authentication 
# auth = true
# user = i2pd
# pass = changeme

[httpproxy]
## Uncomment and set to 'false' to disable HTTP Proxy
# enabled = true
## Address and port service will listen on
address = 127.0.0.1
port = 4444
## Optional keys file for proxy local destination
# keys = http-proxy-keys.dat
## Enable address helper for adding .i2p domains with "jump URLs" (default: true)
# addresshelper = true
## Address of a proxy server inside I2P, which is used to visit regular Internet
# outproxy = http://false.i2p
## httpproxy section also accepts I2CP parameters, like "inbound.length" etc.

[socksproxy]
## Uncomment and set to 'false' to disable SOCKS Proxy
# enabled = true
## Address and port service will listen on
address = 127.0.0.1
port = 4447
## Optional keys file for proxy local destination
# keys = socks-proxy-keys.dat
## Socks outproxy. Example below is set to use Tor for all connections except i2p
## Uncomment and set to 'true' to enable using of SOCKS outproxy
# outproxy.enabled = false
## Address and port of outproxy
# outproxy = 127.0.0.1
# outproxyport = 9050
## socksproxy section also accepts I2CP parameters, like "inbound.length" etc.

[sam]
## Uncomment and set to 'true' to enable SAM Bridge
enabled = false
## Address and port service will listen on
# address = 127.0.0.1
# port = 7656

[bob]
## Uncomment and set to 'true' to enable BOB command channel
enabled = false
## Address and port service will listen on
# address = 127.0.0.1
# port = 2827

[i2cp]
## Uncomment and set to 'true' to enable I2CP protocol
enabled = false
## Address and port service will listen on
# address = 127.0.0.1
# port = 7654

[i2pcontrol]
## Uncomment and set to 'true' to enable I2PControl protocol
enabled = false
## Address and port service will listen on
# address = 127.0.0.1
# port = 7650
## Authentication password. "itoopie" by default
# password = itoopie

[precomputation]
## Enable or disable elgamal precomputation table
## By default, enabled on i386 hosts
# elgamal = true

[upnp]
## Enable or disable UPnP: automatic port forwarding (enabled by default in WINDOWS, ANDROID)
enabled = false
## Name i2pd appears in UPnP forwardings list (default = I2Pd)
# name = I2Pd

[reseed]
## Options for bootstrapping into I2P network, aka reseeding
## Enable or disable reseed data verification.
verify = false
## URLs to request reseed data from, separated by comma
## Default: "mainline" I2P Network reseeds
# urls = https://reseed.i2p-projekt.de/,https://i2p.mooo.com/netDb/,https://netdb.i2p2.no/
urls = https://reseed.diva.exchange/
## Path to local reseed data file (.su3) for manual reseeding
# file = /path/to/i2pseeds.su3
## or HTTPS URL to reseed from
# file = https://legit-website.com/i2pseeds.su3
## Path to local ZIP file or HTTPS URL to reseed from
# zipfile = /path/to/netDb.zip
## If you run i2pd behind a proxy server, set proxy server for reseeding here
## Should be http://address:port or socks://address:port
proxy = socks://localhost:9050
## Minimum number of known routers, below which i2pd triggers reseeding. 25 by default
# threshold = 25

[addressbook]
## AddressBook subscription URL for initial setup
## Default: inr.i2p at "mainline" I2P Network
# defaulturl = http://joajgazyztfssty4w2on5oaqksz6tqoxbduy553y34mf4byv6gpq.b32.i2p/export/alive-hosts.txt
## Optional subscriptions URLs, separated by comma
# subscriptions = http://inr.i2p/export/alive-hosts.txt,http://stats.i2p/cgi-bin/newhosts.txt,http://rus.i2p/hosts.txt

[limits]
## Maximum active transit sessions (default:2500)
# transittunnels = 2500
## Limit number of open file descriptors (0 - use system limit)  
# openfiles = 0
## Maximum size of corefile in Kb (0 - use system limit) 
# coresize = 0
## Threshold to start probabilistic backoff with ntcp sessions (0 - use system limit)
# ntcpsoft = 0
## Maximum number of ntcp sessions (0 - use system limit) 
# ntcphard = 0

[trust]
## Enable explicit trust options. false by default
# enabled = true
## Make direct I2P connections only to routers in specified Family.
# family = MyFamily
## Make direct I2P connections only to routers specified here. Comma separated list of base64 identities.
# routers = 
## Should we hide our router from other routers? false by default
# hidden = true

[exploratory]
## Exploratory tunnels settings with default values
# inbound.length = 2 
# inbound.quantity = 3
# outbound.length = 2
# outbound.quantity = 3

[persist]
## Save peer profiles on disk (default: true)
# profiles = true
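The whole point of the `-I OUTPUT 3/4/5` positions above is that the uid-owner ACCEPT rules must sit above the terminal DROP of Tails' OUTPUT chain; appended rules never match. The script below is an added example by the editor, not code from this issue or from Tails: it applies the three rules only when they are not already present (`iptables -C`) and audits an `iptables-save` dump for exactly that ordering mistake. It assumes the user names `amnesia` and `i2pd`; the two dumps embedded at the bottom are constructed, with uid 1000 standing for amnesia and uid 112 for i2pd.

```shell
#!/bin/sh
# Added example (editor's own; not code from the issue or from Tails).
# Applies the three OUTPUT rules of the prototype only if they are missing,
# and audits an iptables-save dump for the mistake the "-I OUTPUT 3/4/5"
# positions exist to avoid: an ACCEPT that lands below Tails' terminal DROP
# never matches. Assumed: users named 'amnesia' and 'i2pd'; the sample dumps
# at the bottom are constructed, with uid 1000 = amnesia and uid 112 = i2pd.

# "<insert position> <rule spec>" per line, as it would be given to iptables.
I2P_RULES='3 -p tcp -d 127.0.0.1 -m tcp --tcp-flags SYN,ACK,FIN,RST SYN -m multiport --destination-ports 4444,4447,7070 -m owner --uid-owner amnesia -j ACCEPT
4 -p tcp -m owner --uid-owner i2pd -j ACCEPT
5 -p udp -m owner --uid-owner i2pd -j ACCEPT'

# ensure_output_rule POS RULE...: insert at POS unless an identical rule is
# already in OUTPUT (iptables -C exits 0 on a match). Needs root.
ensure_output_rule() {
    pos=$1; shift
    if iptables -C OUTPUT "$@" 2>/dev/null; then
        echo "present: OUTPUT $*"
    else
        iptables -I OUTPUT "$pos" "$@" && echo "inserted at $pos: OUTPUT $*"
    fi
}

apply_i2p_rules() {
    printf '%s\n' "$I2P_RULES" | while read -r pos spec; do
        # splitting $spec into separate iptables arguments is intended
        ensure_output_rule "$pos" $spec
    done
}

# audit_output_chain DUMP UID...: DUMP is iptables-save output (uids are
# printed numerically there). Exit 1 if a listed uid has no ACCEPT in the
# filter OUTPUT chain, or its first ACCEPT sits below the first DROP/REJECT.
audit_output_chain() {
    dump=$1; shift
    awk -v want="$*" '
        BEGIN { n = split(want, w, " "); for (i = 1; i <= n; i++) need[w[i]] = 1 }
        /^\*/ { table = substr($0, 2); next }
        table != "filter" || $1 != "-A" || $2 != "OUTPUT" { next }
        {
            pos++
            if (!drop && ($0 ~ /-j DROP$/ || $0 ~ /-j REJECT/)) drop = pos
            if (match($0, /--uid-owner [0-9]+/)) {
                uid = substr($0, RSTART + 12, RLENGTH - 12)
                if ((uid in need) && $0 ~ /-j ACCEPT$/ && !(uid in seen)) seen[uid] = pos
            }
        }
        END {
            rc = 0
            for (uid in need) {
                if (!(uid in seen)) { print "MISSING  uid " uid; rc = 1 }
                else if (drop && seen[uid] > drop) { print "SHADOWED uid " uid ": rule " seen[uid] " is below the DROP at rule " drop; rc = 1 }
                else print "ok       uid " uid ": rule " seen[uid]
            }
            exit rc
        }' "$dump"
}

# Constructed sample (not captured from a Tails system): the rules were
# inserted with -I, so they sit above the final DROP.
GOOD_DUMP=$(mktemp)
cat > "$GOOD_DUMP" <<'EOF'
*filter
:INPUT DROP [0:0]
:OUTPUT DROP [0:0]
-A OUTPUT -o lo -m owner --uid-owner 0 -j ACCEPT
-A OUTPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
-A OUTPUT -d 127.0.0.1/32 -p tcp -m tcp --tcp-flags SYN,ACK,FIN,RST SYN -m multiport --dports 4444,4447,7070 -m owner --uid-owner 1000 -j ACCEPT
-A OUTPUT -p tcp -m owner --uid-owner 112 -j ACCEPT
-A OUTPUT -p udp -m owner --uid-owner 112 -j ACCEPT
-A OUTPUT -j DROP
COMMIT
EOF

# Same rules appended with -A instead of -I: they land below the DROP.
BAD_DUMP=$(mktemp)
cat > "$BAD_DUMP" <<'EOF'
*filter
:OUTPUT DROP [0:0]
-A OUTPUT -o lo -m owner --uid-owner 0 -j ACCEPT
-A OUTPUT -j DROP
-A OUTPUT -p tcp -m owner --uid-owner 112 -j ACCEPT
-A OUTPUT -p udp -m owner --uid-owner 112 -j ACCEPT
COMMIT
EOF

audit_output_chain "$GOOD_DUMP" 1000 112
audit_output_chain "$BAD_DUMP" 1000 112 || echo "(expected: the second dump fails the audit)"
# On Tails, as root:
#   apply_i2p_rules; iptables-save > /tmp/dump; audit_output_chain /tmp/dump 1000 "$(id -u i2pd)"
```

The audit deliberately reads a saved dump rather than live state, so it can run against the output of `iptables-save` copied off a Tails session; the `id -u i2pd` lookup is needed because iptables-save prints owner matches with numeric uids.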
Collaborator
Resources:

  • Tails Contribute: https://tails.boum.org/contribute/index.de.html
  • Merge Policy: https://tails.boum.org/contribute/merge_policy/
  • Tails GitLab: https://tails.boum.org/contribute/working_together/GitLab/
  • Tails Repo: https://gitlab.tails.boum.org/tails/tails
  • Contributor Glossary: https://tails.boum.org/contribute/glossary/
  • Tor Source Build: https://tails.boum.org/contribute/tor/
  • Custom APT Repository: https://tails.boum.org/contribute/APT_repository/custom/
  • Custom APT Sources: https://gitlab.tails.boum.org/tails/tails/-/blob/master/auto/scripts/tails-custom-apt-sources
  • APT Repo: https://deb.tails.boum.org/
  • Deb Package: https://packages.debian.org/search?keywords=i2p
  • Deb Buster: https://packages.debian.org/buster/i2p
Poster
Owner

Deb Package (I2Pd): https://packages.debian.org/search?keywords=i2pd
(preferred package, instead of i2p - supporting both would be nice, obviously).

Poster
Owner

Prerequisites: see above (install i2pd using apt, update iptables)

Current state of Tails (tails-amd64-4.22):

  1. Currently i2pd and Tor are working when using the Tor Browser as /usr/bin/tor-browser on Tails - it is NOT working with /usr/local/bin/tor-browser (which is the default on Tails and which starts the Tor Browser in a sandbox, using bwrap). Up to now we could NOT set up/configure bwrap in a way that 127.0.0.1 can be reached using the Tor Browser as configured by Tails. This is quite irritating.

  2. The setup:
    a. using python3 as a local web server to serve the .pac file, like this:

python3 -m http.server --bind 127.0.0.1 8181

This is the content of the pac file:

function FindProxyForURL(url, host)
{
  // shExpMatch() takes a shell-style glob that is anchored at both ends,
  // so "*.i2p" already matches only hosts ending in ".i2p"; no "$" needed.
  if (shExpMatch(host, "*.i2p")) {
    return "SOCKS5 127.0.0.1:4447";   // i2pd SOCKS proxy
  }
  return "SOCKS 127.0.0.1:9050";      // everything else: local Tor SOCKS port
}

Please note: the .pac file above uses SOCKS5 for I2P; a plain HTTP proxy could also be used, like this:

function FindProxyForURL(url, host)
{
  // same glob as above; PROXY hands .i2p requests to the i2pd HTTP proxy
  if (shExpMatch(host, "*.i2p")) {
    return "PROXY 127.0.0.1:4444";    // i2pd HTTP proxy
  }
  return "SOCKS 127.0.0.1:9050";      // everything else: local Tor SOCKS port
}

This proxy.pac file is stored in the home folder of the default user (/home/amnesia/proxy.pac). This is - AFAIK - not persistent. Because the proxy.pac file is stored within the home folder, the python3 HTTP server is able to serve it. This is probably not a production-grade setup :).

b. An additional iptables rule MUST be added (required to access the local http server and getting the .pac file):

iptables -I OUTPUT 3 -p tcp -d 127.0.0.1 -j ACCEPT --dport 8181

Please note: this is in addition to the iptables rules as laid out above.

After having this rule in place (check it with "iptables --list") wget or curl can be used to test the access to the local proxy.pac file.

c. these settings within about:config of the browser:

extensions.torbutton.use_nontor_proxy true
network.proxy.allow_hijacking_localhost false
network.proxy.autoconfig_url http://127.0.0.1:8181/proxy.pac
network.proxy.type 2

d. Several tests with prefs.js and user.js within the profile folder (~/.tor-browser/profile.default/...) have been done to make these settings persistent after restarting the Tor Browser. However, network.proxy.type=2 is NOT persistent - which is extremely annoying and looks like a bug of the Tails scripts. If network.proxy.type has a different value than 2, the proxy.pac file is not loaded and hence the whole setup is not working.

  3. Test it using the Tor Browser and access some .onion site and some .i2p site.
Poster
Owner

I2P on Tails, 4.23 - 20211005

Target: having tor and i2p both and in parallel available within the Tor Browser (so the Browser confined within the so-called "tbb" net namespace).

Requirements:

  • Start with a fresh Tails install - this procedure is tested on Tails 4.23 - 20211005
  • Root access (a password is required) - so set the necessary option within the welcome screen
  • Don't start the Tor Browser on startup (connecting to the Tor network is OK though). Before starting the Tor Browser, complete the steps below first.

How to:

  1. Open a root terminal
  2. Stop the i2pd service: systemctl stop i2pd
  3. Remove the i2pd log: rm /var/log/i2pd/i2pd.log
  4. Execute /usr/local/lib/tails-create-netns stop
  5. Download the attached version of "tails-create-netns" and take a look at the diff between the files, like diff /usr/local/lib/tails-create-netns ./tails-create-netns.
  6. Execute the downloaded ./tails-create-netns start - this will now add the necessary nat rules to iptables within the netns tbb. Check the rules using ip netns exec tbb iptables -t nat --list
  7. Download the attached version of "iptables-rules.sh" and study the file - it modifies the iptables of your Tails OS by adding three new rules. In a nutshell: it enables i2pd to communicate over tcp and udp. It also enables to run services on port 4447, 7070 and 8181 accessible from within the netns tbb.
  8. Execute the downloaded iptables-rules.sh and check the updated rules using iptables --list -v
  9. Download the attached version of "i2pd.conf" and examine it using diff, like diff /etc/i2pd/i2pd.conf ./i2pd.conf. In a nutshell: the socks proxy is bound to 10.200.1.1:4447 and the config param "http / strictheaders = false" got added. "strictheaders = false" will give you access to the I2Pd router console from the Tor Browser.
  10. If you're happy with the configuration, copy i2pd.conf to /etc/i2pd/.
  11. Now start i2pd again, systemctl start i2pd.
  12. Switch the user (to non-privileged), like su amnesia
  13. mkdir /home/amnesia/Persistent/localhost-tbb-proxy-pac
  14. Download the attached file "proxy.pac" to the newly created folder. Study it. In a nutshell: it directs .i2p traffic to the local i2pd socks proxy and all other traffic to the local tor socks proxy.
  15. Download the attached "start-local-http-server.sh". Study it and then execute the script. It will start a simple python3 local web server, which is now serving the folder "/home/amnesia/Persistent/localhost-tbb-proxy-pac" on port 8181 and bound to 10.200.1.1.
  16. Now open the Tor Browser from the menu. The tails default page will show up.
  17. In a new tab, open "about:config" and make all the changes as shown within the attached file "user.js".
  18. After all about:config changes are done, restart the Tor Browser.
  19. In a new browser tab, navigate to http://127.0.0.1:7070 and you must see the i2pd router console. If you don't, something went wrong.
  20. In a new browser tab, navigate to http://127.0.0.1:8181/proxy.pac and you must be offered to download the proxy.pac file. If you don't, something went wrong.
  21. Within the test installation, it took more than 15 minutes for I2P to integrate into the network - so please be patient. This might be a problem of the outdated i2pd version (2.23.0 - which is old).
  22. Now - after a longer while - both .i2p sites and .onion sites are available (as all other sites too, via tor).

WARNING: check the about:config setting "network.proxy.type" after every Tor Browser restart. It MUST be set to 2 (otherwise the proxy.pac file is not loaded and .i2p sites won't work). That this setting gets lost, seems to be some bug in the Tor Browser setup and must be fixed.

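Both procedures in this thread hinge on a handful of i2pd.conf settings: every client-facing listener bound to loopback (or, in the netns variant above, to the tbb gateway 10.200.1.1), the SAM/BOB/I2CP/I2PControl channels left disabled, UPnP off, and reseeding routed through the local Tor SOCKS port. The script below is an added example by the editor, not code from this issue or from i2pd: it reads an i2pd.conf and checks those points, and it warns when `reseed.verify = false` because that disables signature verification of the su3 reseed bundle, so the reseed server is then trusted completely. Defaults assumed for absent keys follow the comments in the config posted above; the sample config embedded in the script is constructed, not a copy of any attachment.

```shell
#!/bin/sh
# Added example (editor's own; not from the issue or from i2pd): audit an
# i2pd.conf for the settings the Tails setup above depends on. Defaults used
# when a key is absent follow the comments in the posted config: http,
# httpproxy and socksproxy enabled, the control channels disabled, and
# address 127.0.0.1.

# ini_get FILE SECTION KEY: print the value of KEY in [SECTION] (pass "" for
# keys above the first section header); prints nothing if the key is absent.
ini_get() {
    awk -v s="$2" -v k="$3" '
        /^[ \t]*[#;]/ { next }
        /^\[/ { sec = substr($0, 2, index($0, "]") - 2); next }
        sec == s && index($0, "=") {
            key = substr($0, 1, index($0, "=") - 1); gsub(/[ \t]/, "", key)
            if (key == k) {
                val = substr($0, index($0, "=") + 1)
                gsub(/^[ \t]+|[ \t]+$/, "", val)
                print val; exit
            }
        }' "$1"
}

# audit_i2pd_conf FILE ADDR...: ADDR... are the addresses a listener may bind.
# Prints one line per finding; exits 1 on any FAIL (WARN lines do not fail).
audit_i2pd_conf() {
    conf=$1; shift
    allowed=" $* "
    rc=0
    for svc in http:true httpproxy:true socksproxy:true sam:false bob:false i2cp:false i2pcontrol:false; do
        sec=${svc%%:*}
        enabled=$(ini_get "$conf" "$sec" enabled)
        enabled=${enabled:-${svc#*:}}
        case "$sec:$enabled" in
            sam:true|bob:true|i2cp:true|i2pcontrol:true)
                echo "FAIL [$sec] control channel enabled; nothing in this setup needs it"; rc=1 ;;
        esac
        [ "$enabled" = true ] || continue
        addr=$(ini_get "$conf" "$sec" address)
        addr=${addr:-127.0.0.1}
        case "$allowed" in
            *" $addr "*) echo "ok   [$sec] bound to $addr" ;;
            *) echo "FAIL [$sec] bound to $addr, neither loopback nor the netns gateway"; rc=1 ;;
        esac
    done
    if [ "$(ini_get "$conf" upnp enabled)" = true ]; then
        echo "FAIL [upnp] enabled: the router would ask the gateway for a port mapping"; rc=1
    fi
    case "$(ini_get "$conf" reseed proxy)" in
        socks://*) echo "ok   [reseed] bootstrap fetch goes through $(ini_get "$conf" reseed proxy)" ;;
        *) echo "WARN [reseed] no SOCKS proxy: the reseed fetch leaves the host directly" ;;
    esac
    if [ "$(ini_get "$conf" reseed verify)" = false ]; then
        echo "WARN [reseed] su3 signature verification disabled: the reseed server is trusted blindly"
    fi
    return $rc
}

# Constructed sample mirroring the settings discussed in this thread.
SAMPLE_CONF=$(mktemp)
cat > "$SAMPLE_CONF" <<'EOF'
loglevel = warn
ipv4 = true
ipv6 = false
[http]
address = 127.0.0.1
port = 7070
[httpproxy]
address = 127.0.0.1
port = 4444
[socksproxy]
address = 10.200.1.1
port = 4447
[sam]
enabled = false
[i2pcontrol]
enabled = false
## password = itoopie
[upnp]
enabled = false
[reseed]
verify = false
urls = https://reseed.diva.exchange/
proxy = socks://localhost:9050
EOF

# The same file with two mistakes a packager could make: SOCKS proxy on all
# interfaces and the SAM bridge switched on.
BAD_CONF=$(mktemp)
sed -e 's/^address = 10.200.1.1/address = 0.0.0.0/' \
    -e '/^\[sam\]/,/^enabled/ s/false/true/' "$SAMPLE_CONF" > "$BAD_CONF"

audit_i2pd_conf "$SAMPLE_CONF" 127.0.0.1 10.200.1.1
audit_i2pd_conf "$BAD_CONF" 127.0.0.1 10.200.1.1 || echo "(expected: the second config fails the audit)"
# On Tails:  audit_i2pd_conf /etc/i2pd/i2pd.conf 127.0.0.1 10.200.1.1
```

Pass only `127.0.0.1` as the allowed address when auditing the first (non-netns) setup; the script then reports the 10.200.1.1 binding of the netns variant as a failure, which is the point of making the allowed set explicit.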