#9 Packaging for Tails

Open
opened 1 month ago by konrad · 2 comments
konrad commented 1 month ago

Project: I2Pd package for Tails

Related: https://gitlab.tails.boum.org/tails/tails/-/issues/12264#note_150424

Target: having an up-to-date I2Pd package (a deb) for Tails available from a suitable repo.

The problems:

  • Tails is Debian based (which is great), but as of today the I2P package is rather outdated.
  • Tails relies heavily on iptables to control and secure the system's network. This approach is fine from a Tails perspective. I2P should therefore simply run in a sandbox with clearly defined interfaces to the host. The I2P sandbox itself needs full network access (TCP/UDP). In I2P jargon this is called NTCP and SSU.

As a **prototype** this approach is working (tested on Tails 4.7):

Execute as root:

```
apt-get install i2pd
systemctl stop i2pd
```

THEN:

  1. fix the systemd i2pd.service file, see below
  2. fix /etc/i2pd/i2pd.conf, see below
  3. empty /etc/i2pd/tunnels.conf (currently not needed for the prototype)

Execute as root:

```
iptables -I OUTPUT 3 -p tcp -d 127.0.0.1 -j ACCEPT -m tcp --tcp-flags SYN,ACK,FIN,RST SYN -m multiport --destination-ports 4444,4447,7070 -m owner --uid-owner amnesia
iptables -I OUTPUT 4 -p tcp -j ACCEPT -m owner --uid-owner i2pd
iptables -I OUTPUT 5 -p udp -j ACCEPT -m owner --uid-owner i2pd
systemctl start i2pd
```

Go get a tea and wait for a few minutes until I2Pd has integrated into the I2P network.

Test as user amnesia:

```
curl -x localhost:4444 http://diva.i2p > diva.i2p.html
more diva.i2p.html
```

## systemd i2pd.service file

```
[Unit]
Description=I2P Router written in C++
Documentation=man:i2pd(1) https://i2pd.readthedocs.io/en/latest/
After=network.target

[Service]
User=i2pd
Group=i2pd
RuntimeDirectory=i2pd
RuntimeDirectoryMode=0700
LogsDirectory=i2pd
LogsDirectoryMode=0700
Type=forking
ExecStart=/usr/sbin/i2pd --conf=/etc/i2pd/i2pd.conf --pidfile=/run/i2pd/i2pd.pid --logfile=/var/log/i2pd/i2pd.log --daemon --service
ExecReload=/bin/kill -HUP $MAINPID
PIDFile=/run/i2pd/i2pd.pid
### Uncomment, if auto restart needed
#Restart=on-failure

KillSignal=SIGQUIT
# If you have the patience waiting 10 min on restarting/stopping it, uncomment this.
# i2pd stops accepting new tunnels and waits ~10 min while old ones do not die.
#KillSignal=SIGINT
#TimeoutStopSec=10m

# If you have problems with hanging i2pd, you can try increase this
LimitNOFILE=4096
# To enable write of coredump uncomment this
#LimitCORE=infinity
PrivateDevices=yes

[Install]
WantedBy=multi-user.target
```

## /etc/i2pd/i2pd.conf file

```
## Configuration file for a typical i2pd user
## See https://i2pd.readthedocs.io/en/latest/user-guide/configuration/
## for more options you can use in this file.

## Lines that begin with "## " try to explain what's going on. Lines
## that begin with just "#" are disabled commands: you can enable them
## by removing the "#" symbol.

## Tunnels config file
## Default: ~/.i2pd/tunnels.conf or /var/lib/i2pd/tunnels.conf
# tunconf = /var/lib/i2pd/tunnels.conf

## Tunnels config files path
## Use that path to store separated tunnels in different config files.
## Default: ~/.i2pd/tunnels.d or /var/lib/i2pd/tunnels.d
# tunnelsdir = /var/lib/i2pd/tunnels.conf.d

## Where to write pidfile (don't write by default)
# pidfile = /var/run/i2pd.pid

## Logging configuration section
## By default logs go to stdout with level 'info' and higher
##
## Logs destination (valid values: stdout, file, syslog)
##  * stdout - print log entries to stdout
##  * file - log entries to a file
##  * syslog - use syslog, see man 3 syslog
# log = file
## Path to logfile (default - autodetect)
# logfile = /var/log/i2pd.log
## Log messages above this level (debug, *info, warn, error, none)
## If you set it to none, logging will be disabled
loglevel = debug
## Write full CLF-formatted date and time to log (default: write only time)
# logclftime = true

## Daemon mode. Router will go to background after start
# daemon = true

## Specify a family, router belongs to (default - none)
# family =

## External IP address to listen for connections
## By default i2pd sets IP automatically
# host = 1.2.3.4

## Port to listen for connections
## By default i2pd picks random port. You MUST pick a random number too,
## don't just uncomment this
# port = 4567

## Enable communication through ipv4
ipv4 = true
## Enable communication through ipv6
ipv6 = false

## Network interface to bind to
# ifname =
## You can specify different interfaces for IPv4 and IPv6
# ifname4 =
# ifname6 =

## Enable NTCP transport (default = true)
ntcp = true
## If you run i2pd behind a proxy server, you can only use NTCP transport with ntcpproxy option
## Should be http://address:port or socks://address:port
# ntcpproxy = socks://localhost:9050
## Enable SSU transport (default = true)
ssu = true

## Should we assume we are behind NAT? (false only in MeshNet)
# nat = true

## Bandwidth configuration
## L limit bandwidth to 32KBs/sec, O - to 256KBs/sec, P - to 2048KBs/sec,
## X - unlimited
## Default is X for floodfill, L for regular node
bandwidth = P
## Max % of bandwidth limit for transit. 0-100. 100 by default
share = 50

## Router will not accept transit tunnels, disabling transit traffic completely
## (default = false)
# notransit = true

## Router will be floodfill
# floodfill = true

[http]
## Web Console settings
## Uncomment and set to 'false' to disable Web Console
# enabled = true
## Address and port service will listen on
address = 127.0.0.1
port = 7070
## Path to web console, default "/"
# webroot = /
## Uncomment following lines to enable Web Console authentication
# auth = true
# user = i2pd
# pass = changeme

[httpproxy]
## Uncomment and set to 'false' to disable HTTP Proxy
# enabled = true
## Address and port service will listen on
address = 127.0.0.1
port = 4444
## Optional keys file for proxy local destination
# keys = http-proxy-keys.dat
## Enable address helper for adding .i2p domains with "jump URLs" (default: true)
# addresshelper = true
## Address of a proxy server inside I2P, which is used to visit regular Internet
# outproxy = http://false.i2p
## httpproxy section also accepts I2CP parameters, like "inbound.length" etc.

[socksproxy]
## Uncomment and set to 'false' to disable SOCKS Proxy
# enabled = true
## Address and port service will listen on
address = 127.0.0.1
port = 4447
## Optional keys file for proxy local destination
# keys = socks-proxy-keys.dat
## Socks outproxy. Example below is set to use Tor for all connections except i2p
## Uncomment and set to 'true' to enable using of SOCKS outproxy
# outproxy.enabled = false
## Address and port of outproxy
# outproxy = 127.0.0.1
# outproxyport = 9050
## socksproxy section also accepts I2CP parameters, like "inbound.length" etc.

[sam]
## Uncomment and set to 'true' to enable SAM Bridge
enabled = false
## Address and port service will listen on
# address = 127.0.0.1
# port = 7656

[bob]
## Uncomment and set to 'true' to enable BOB command channel
enabled = false
## Address and port service will listen on
# address = 127.0.0.1
# port = 2827

[i2cp]
## Uncomment and set to 'true' to enable I2CP protocol
enabled = false
## Address and port service will listen on
# address = 127.0.0.1
# port = 7654

[i2pcontrol]
## Uncomment and set to 'true' to enable I2PControl protocol
enabled = false
## Address and port service will listen on
# address = 127.0.0.1
# port = 7650
## Authentication password. "itoopie" by default
# password = itoopie

[precomputation]
## Enable or disable elgamal precomputation table
## By default, enabled on i386 hosts
# elgamal = true

[upnp]
## Enable or disable UPnP: automatic port forwarding (enabled by default in WINDOWS, ANDROID)
enabled = false
## Name i2pd appears in UPnP forwardings list (default = I2Pd)
# name = I2Pd

[reseed]
## Options for bootstrapping into I2P network, aka reseeding
## Enable or disable reseed data verification.
verify = false
## URLs to request reseed data from, separated by comma
## Default: "mainline" I2P Network reseeds
# urls = https://reseed.i2p-projekt.de/,https://i2p.mooo.com/netDb/,https://netdb.i2p2.no/
urls = https://reseed.diva.exchange/
## Path to local reseed data file (.su3) for manual reseeding
# file = /path/to/i2pseeds.su3
## or HTTPS URL to reseed from
# file = https://legit-website.com/i2pseeds.su3
## Path to local ZIP file or HTTPS URL to reseed from
# zipfile = /path/to/netDb.zip
## If you run i2pd behind a proxy server, set proxy server for reseeding here
## Should be http://address:port or socks://address:port
proxy = socks://localhost:9050
## Minimum number of known routers, below which i2pd triggers reseeding. 25 by default
# threshold = 25

[addressbook]
## AddressBook subscription URL for initial setup
## Default: inr.i2p at "mainline" I2P Network
# defaulturl = http://joajgazyztfssty4w2on5oaqksz6tqoxbduy553y34mf4byv6gpq.b32.i2p/export/alive-hosts.txt
## Optional subscriptions URLs, separated by comma
# subscriptions = http://inr.i2p/export/alive-hosts.txt,http://stats.i2p/cgi-bin/newhosts.txt,http://rus.i2p/hosts.txt

[limits]
## Maximum active transit sessions (default:2500)
# transittunnels = 2500
## Limit number of open file descriptors (0 - use system limit)
# openfiles = 0
## Maximum size of corefile in Kb (0 - use system limit)
# coresize = 0
## Threshold to start probabilistic backoff with ntcp sessions (0 - use system limit)
# ntcpsoft = 0
## Maximum number of ntcp sessions (0 - use system limit)
# ntcphard = 0

[trust]
## Enable explicit trust options. false by default
# enabled = true
## Make direct I2P connections only to routers in specified Family.
# family = MyFamily
## Make direct I2P connections only to routers specified here. Comma separated list of base64 identities.
# routers =
## Should we hide our router from other routers? false by default
# hidden = true

[exploratory]
## Exploratory tunnels settings with default values
# inbound.length = 2
# inbound.quantity = 3
# outbound.length = 2
# outbound.quantity = 3

[persist]
## Save peer profiles on disk (default: true)
# profiles = true
```
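The prototype above has two halves that must agree: the listeners i2pd.conf leaves enabled on 127.0.0.1 (4444, 4447, 7070) and the owner-matched OUTPUT rules that let the amnesia user reach exactly those ports while the i2pd uid gets plain TCP/UDP for NTCP and SSU. The script below is an added example for this issue, not code from the issue, from Tails or from i2pd: it parses an i2pd.conf and an `iptables -S OUTPUT` listing and reports any drift between them (a listener moved off loopback, a port allowed for the user that nothing listens on, a missing transport rule, UPnP or reseeding without the SOCKS proxy). The embedded config excerpt and rule listing are constructed from the values in the post, and the uid numbers 1000 (amnesia) and 1001 (i2pd) are placeholders.

```python
"""Cross-check an i2pd.conf against the owner-based OUTPUT rules of the Tails prototype."""
import configparser
import re

# Per section: (enabled when the key is absent, default port), from the comments in i2pd.conf.
SERVICE_DEFAULTS = {
    "http": (True, 7070), "httpproxy": (True, 4444), "socksproxy": (True, 4447),
    "sam": (False, 7656), "bob": (False, 2827), "i2cp": (False, 7654), "i2pcontrol": (False, 7650),
}
LOOPBACK = {"127.0.0.1", "127.0.0.1/32"}

# Constructed excerpt of the post's i2pd.conf (only the keys the audit looks at).
SAMPLE_CONF = """\
[http]
address = 127.0.0.1
port = 7070
[httpproxy]
address = 127.0.0.1
port = 4444
[socksproxy]
address = 127.0.0.1
port = 4447
[sam]
enabled = false
[upnp]
enabled = false
[reseed]
proxy = socks://localhost:9050
"""

# Constructed `iptables -S OUTPUT` listing of the three rules from the post; the uid numbers
# 1000 (amnesia) and 1001 (i2pd) are placeholders, not values read from a Tails system.
SAMPLE_RULES = """\
-P OUTPUT DROP
-A OUTPUT -d 127.0.0.1/32 -p tcp -m tcp --tcp-flags FIN,SYN,RST,ACK SYN -m multiport --dports 4444,4447,7070 -m owner --uid-owner 1000 -j ACCEPT
-A OUTPUT -p tcp -m owner --uid-owner 1001 -j ACCEPT
-A OUTPUT -p udp -m owner --uid-owner 1001 -j ACCEPT
"""


def parse_conf(text):
    """i2pd.conf keeps global keys before the first [section]; prepend one so configparser accepts it."""
    cp = configparser.ConfigParser(interpolation=None, strict=False)
    cp.read_string("[global]\n" + text)
    return cp


def enabled_services(cp):
    """Return {section: (address, port)} for every local listener the config leaves enabled."""
    services = {}
    for name, (default_on, default_port) in SERVICE_DEFAULTS.items():
        sec = cp[name] if cp.has_section(name) else {}
        if sec.get("enabled", "true" if default_on else "false").lower() != "true":
            continue
        services[name] = (sec.get("address", "127.0.0.1"), int(sec.get("port", default_port)))
    return services


def _opt(body, opt):
    """Value following a match option such as `--uid-owner`, or None if the rule lacks it."""
    m = re.search(r"(?:^|\s)" + re.escape(opt) + r" (\S+)", body)
    return m.group(1) if m else None


def parse_rules(text):
    """Reduce each `-A OUTPUT ... -j TARGET` line to the match options the audit needs."""
    rules = []
    for line in text.splitlines():
        m = re.match(r"-A OUTPUT (.*) -j (\S+)$", line.strip())
        if not m:
            continue
        body, target = m.groups()
        ports = _opt(body, "--dports") or _opt(body, "--destination-ports")
        rules.append({"target": target, "uid": _opt(body, "--uid-owner"), "dst": _opt(body, "-d"),
                      "proto": _opt(body, "-p"), "ports": {int(p) for p in ports.split(",")} if ports else None})
    return rules


def audit(conf_text, rules_text, user_uid, i2pd_uid):
    """Return findings as strings; an empty list means config and firewall agree."""
    cp, findings = parse_conf(conf_text), []
    services = enabled_services(cp)
    rules = [r for r in parse_rules(rules_text) if r["target"] == "ACCEPT"]
    # 1. Client-facing listeners stay on loopback; the firewall only gates who may reach them.
    for name, (addr, port) in services.items():
        if addr not in LOOPBACK:
            findings.append(f"[{name}] listens on {addr}:{port} instead of 127.0.0.1")
    # 2. The desktop user's ACCEPT rules must be loopback-only and list exactly the enabled ports.
    allowed = set()
    for r in (r for r in rules if r["uid"] == str(user_uid)):
        if r["dst"] not in LOOPBACK:
            findings.append(f"uid {user_uid} ACCEPT rule is not restricted to 127.0.0.1")
        if r["ports"] is None:
            findings.append(f"uid {user_uid} ACCEPT rule carries no port list")
        else:
            allowed |= r["ports"]
    expected = {port for _, port in services.values()}
    for port in sorted(allowed - expected):
        findings.append(f"uid {user_uid} may reach port {port}, but no enabled i2pd service listens there")
    for port in sorted(expected - allowed):
        findings.append(f"port {port} is enabled in i2pd.conf but the firewall blocks uid {user_uid} from it")
    # 3. The router itself needs unrestricted TCP (NTCP) and UDP (SSU).
    router = {r["proto"] for r in rules if r["uid"] == str(i2pd_uid) and r["dst"] is None and r["ports"] is None}
    for proto in ("tcp", "udp"):
        if proto not in router:
            findings.append(f"no unrestricted {proto} ACCEPT rule for uid {i2pd_uid}")
    # 4. Two settings from the post that keep the router inside the sandbox.
    if cp.get("upnp", "enabled", fallback="false").lower() != "false":
        findings.append("[upnp] is enabled: the router would ask the gateway to forward ports")
    if not cp.get("reseed", "proxy", fallback="").startswith("socks://"):
        findings.append("[reseed] proxy is not a socks:// proxy; reseeding would not go through port 9050")
    return findings
```

On a live system the two inputs would come from `/etc/i2pd/i2pd.conf` and `iptables -S OUTPUT` (run as root), with the uids looked up via `id -u amnesia` and `id -u i2pd`; the `-I OUTPUT 3/4/5` positions in the post are not checked here, only that the matching ACCEPT rules exist with the expected owner, destination and port constraints.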
pomalbisser commented 3 weeks ago
Collaborator

Resources:

  • Tails Contribute: https://tails.boum.org/contribute/index.de.html
  • Merge Policy: https://tails.boum.org/contribute/merge_policy/
  • Tails GitLab: https://tails.boum.org/contribute/working_together/GitLab/
  • Tails Repo: https://gitlab.tails.boum.org/tails/tails
  • Contributor Glossary: https://tails.boum.org/contribute/glossary/
  • Tor Source Build: https://tails.boum.org/contribute/tor/
  • Custom APT Repository: https://tails.boum.org/contribute/APT_repository/custom/
  • Custom APT Sources: https://gitlab.tails.boum.org/tails/tails/-/blob/master/auto/scripts/tails-custom-apt-sources
  • APT Repo: https://deb.tails.boum.org/
  • Deb Package: https://packages.debian.org/search?keywords=i2p
  • Deb Buster: https://packages.debian.org/buster/i2p
konrad commented 3 weeks ago
Owner

Deb Package (I2Pd): https://packages.debian.org/search?keywords=i2pd
(preferred package - instead of i2p) - supporting both would be nice, obviously.