The Complete & Full I2P Guide - Working 2022/2023

[Darkpro]

Ultimate Guide to I2P

Table of Contents

• Introduction
• What is I2P?
• How safe is I2P?
• How can I run I2P?
• Android Setup - Easy
• Linux (Ubuntu) Setup - Intermediate
• Whonix on Qubes Setup - Advanced
• Hosting an eepSite
• Conclusion

Introduction

Welcome to the Ultimate Guide to I2P, in the following sections you will learn about I2P and how to safely use it on your devices. While reading this guide please keep the following legend in mind to maximize your learning proficiency. Text that is red is considered IMPORTANT and should always be understood, text that is blue is optional reading that provides additional information on a section. This guide has been designed so that you can skip around to sections that are relevant to your desired setup without the need to read sections which may not be relevant to you.


What is I2P?

I2P, otherwise known as The Invisible Internet Project, is a fully encrypted peer-to-peer network that hides the server from the user, and the user from the server. All I2P traffic is internal to the I2P network. Traffic inside I2P never interacts with the internet directly, it is a layer on top of the internet using encrypted unidirectional tunnels between you and other peers. No one can see where traffic is coming from or where it is going.


I2P is almost completely decentralized, once you're connected to the network, you only discover peers by building "exploratory" tunnels. These tunnels make your initial connection, then you get a peer list from trusted reseeding servers. Using the peer tunnels from the reseed server allows you to build more connections and get faster speeds the longer you are contributing to the network.


The I2P network does not officially "exit" traffic, it is primarily a hidden service network and outproxying is not an offical function, nor is it advised. The privacy benefits you get from participating in the I2P network come from remaining on the network and not accessing the internet. I2P recommends that you use Tor Browser instead when you want to browse the internet privately.

How safe is I2P?

Every node participates in packet routing for others, so your IP address must always be known to establish connections. While the fact that your computer runs I2P is public, nobody can see your activities through it. No one knows if you are browsing eepSites, sharing files, doing research, or just contributing bandwidth to the project. It is important to keep in mind that I2P alone does not mask your identity from the clearnet and should be used with other privacy technologies for your security (which will be covered in the following sections).

How can I run I2P?

• Android - Easy (least secure, least recommended)
• Linux (Ubuntu) - Intermediate (somewhat secure, beginner friendly)
• Whonix on Qubes - Advanced (very secure, maximum privacy)

Android Setup - Easy

While it is possible to run I2P on Android devices, this method is only recommended if you are running Graphene OS or do not have the ability to use any other setup methods. To learn how to install GrapheneOS, go to their website.

Prerequisites

• Install F-Droid app store
• Install InvZible Pro from F-Droid - Routes traffic through TOR, prevents DNS leakage through DNSCRYPT, and provides access to I2P sites (eepSites) with Purple I2P.
• Install Fennec F-Droid from F-Droid - Acts as a hardened web browser for browsing I2P sites (eepSites)

Once the required applications have been installed begin by opening InvZible Pro, once opened complete the initial setup, provide relevant permissions, and disable battery optimizations. Do NOT click `Start` at this time.

• Open Fennec F-Droid and enter `about:config` into the address bar
• Search for `javascript.enabled` set it to `false`
• Search for `network.proxy.http` set it to `127.0.0.1`
• Search for `network.proxy.http_port` set it to `4444`
• Search for `network.proxy.socks_remote_dns` set it to `false`
• Search for `dom.security.https_first_pbm` set it to `false`
• Search for `dom.security.https_only_mode` set it to `false`
• Some settings may change back to defaults when the application is restarted!
• It is recommended that you always use private browsing mode.

Go back to InviZible Pro and click `Start` you can now browse I2P sites, when done simple click `Stop`.


Linux (Ubuntu) Setup - Intermediate

This works for Ubuntu (Bionic 18.04 and newer), Linux Mint (Tara19 or newer), and their derivatives.

Prerequesites

• Ubuntu 18.04 or newer
• OpenSSL 1.1 or newer
• Basic Terminal Skills

Open a terminal (Ctrl Alt T) and enter

sudo apt-add-repository ppa:i2p-maintainers/i2p

This command will add the PPA to the `/etc/apt/sources.list.d/` directory and fetch the GPG key that the repository has been signed with. The GPG key ensures that the packages have not been tampered with since being built. Update your package manager by entering

sudo apt-get update && sudo apt-get upgrade -y

This command will retrieve the latest list of software from each repository that is enabled on your system, then update that software. Now you can install I2P! If you want a quick web interface, install `i2p`, if you want a configurable daemon, install `i2pd`. Enter the following into the console

sudo apt-get install i2p

or

sudo apt-get install i2pd

Do not install both or they will conflict If you installed `i2p`, then you can start the I2P router by entering

i2prouter start

If you installed the `i2pd` daemon service, you can enable it on startup and start it by entering both

sudo systemctl enable i2pd

and

sudo systemctl start i2pd

Now that the I2P network has started on your machine, navigate to `127.0.0.1:7657` (for *i2p*) or `127.0.0.1:7070` (for *i2pd*) in a browser to view your statistics. You will most likely need to wait 10 or more minutes before you can access any eepSites through a proxy. As you build more tunnels, you will get a faster and more reliable connection. Download the Tor Browser from their main website, extract it, run `./start-tor-browser.desktop` to start the Tor Browser. Navigate to `about:config` before connecting to the Tor Network. Search for and change the following settings

• Search for `extensions.torbutton.use_nontor_proxy` set it to `true`
• Search for `network.proxy.http` set it to `127.0.0.1`
• Search for `network.proxy.http_port` set it to `4444`
• Search for `network.proxy.no_proxies_on` set it to `127.0.0.1`
• Search for `network.proxy.socks_remote_dns` set it to `false`
• Search for `dom.security.https_first_pbm` set it to `false`
• Search for `dom.security.https_only_mode` set it to `false`
• Search for `javascript.enabled` set it to `false`

Restart the Tor Browser and enjoy your I2P browsing! As mentioned in "How safe is I2P?", your IP address is not hidden. Your clearnet traffic is not protected through I2P, install *torctl* or a similar Tor Network traffic-routing application.When following these instructions, the about:config changes in Tor Browser worsen the browser fingerprint. This is unavoidable if the user intends to use I2P. The modified Tor Browser should only be used for I2P purposes.

Whonix on Qubes Setup - Advanced
Works on Qubes OS 4.1 and newer, Whonix 16 or newer Prerequisites

• Install Qubes OS with Whonix templates

Setup a Whonix work station with the appropriate persistence options enabled (Without persistence correctly set up you will lose all progress on virtual machine restart) For a complete guide on setting up Whonix on Qubes, read /post/bac3ef2cdfd229cc1949

• Open the *System Menu* and hover over *Template: whonix-ws-XX* (IMPORTANT) and open the XFCE terminal.

Add the I2P signing key to your Whonix template

scurl-download --proxy http://127.0.0.1:8082 --tlsv1.2 https://geti2p.net/_static/i2p-archive-keyring.gpg

Then display the key's fingerprint and verify

gpg --keyid-format long --import --import-options show-only --with-fingerprint i2p-archive-keyring.gpg

The finger print should look something like (verify the fingerprint via the whonix wiki about I2P)

7840 E761 0F28 B904 7535 49D7 67EC E560 5BCF 1346

After confirming the signing key matches, copy the signing key to your APT keyring folder

sudo cp i2p-archive-keyring.gpg /usr/share/keyrings/i2p-archive-keyring.gpg

Now add the I2P APT repository

echo "deb [signed-by=/usr/share/keyrings/i2p-archive-keyring.gpg] tor+https://deb.i2p2.de/ bullseye main" | sudo tee /etc/apt/sources.list.d/i2p.list

Install both I2P packages

sudo apt update && sudo apt full-upgrade sudo apt install --no-install-recommends i2p i2p-keyring

Configure the I2P service to start automatically upon boot (Leave defaults and answer 'Yes')

sudo dpkg-reconfigure i2p

Edit the local worker connection address (to avoid Whonix Tor Proxy)

sudoedit ~/.i2p/clients.config.d/00-net.i2p.router.web.RouterConsoleRunner-clients.config

Change 127.0.0.*1* to 127.0.0.*2* Enable I2P on *anon-whonix* startup

sudo systemctl enable i2p

• Shutdown the *whonix-ws-XX* template.
• Start / restart the *anon-whonix* qube
• Open the *System Menu* and hover over *anon-whonix* (IMPORTANT) and open the XFCE terminal.

sudo systemctl start i2p

Now that I2P is installed on your whonix qube, you must configure Tor Browser to allow I2P connections. Navigate to `about:config` in Tor Browser. Search for and change the following settings

• Search for `extensions.torbutton.use_nontor_proxy` set it to `true`
• Search for `network.proxy.http` set it to `127.0.0.1`
• Search for `network.proxy.http_port` set it to `4444`
• Search for `network.proxy.no_proxies_on` set it to `127.0.0.2`
• Search for `network.proxy.socks_remote_dns` set it to `false`
• Search for `dom.security.https_first_pbm` set it to `false`
• Search for `dom.security.https_only_mode` set it to `false`
• Search for `javascript.enabled` set it to `false`

When following these instructions, the about:config changes in Tor Browser worsen the browser fingerprint. This is unavoidable if the user intends to use I2P. The modified Tor Browser should only be used for I2P purposes. Navigate to your I2P Router Console at `127.0.0.2:7657` to check statistics. You will most likely need to wait 20 or more minutes before you can access any eepsites through a proxy (first run only). As you build more tunnels, you will get a faster and more reliable connection. If errors appear like: `Network: ERR-UDP Disabled and Inbound TCP host/port not set` or `ERR-Clock Skew of X min` or `WARN [Timestamper] .router.time.RouterTimestamper: Unable to reach any of the NTP servers ...`, they can be safely ignored. Once the Local Tunnels (shared clients) section shows a green connection, I2P should be fully functional and it is possible to browse eepsites.. Some users report this process can be lengthy and can take more than 10 minutes before the tunnels are stable/available. I2P is functional over Tor but users should be aware that I2P developers do not support it nor recommend it to be used over Tor. Just because it is functional does not mean it is supported. In other words, I2P upstream developers will not change any I2P behaviours just for the sake of connectivity issues of I2P over Tor because I2P is not designed to be running over Tor in the first place. However this is used to mask your ip from the I2P network.

Hosting an eepSite

Prerequesites

• Linux Machine
• Nginx, Apache, or some other service on a port

Install the I2PD daemon Ubuntu:

sudo apt-get install i2pd

OpenBSD:

doas pkg_add i2pd

Start the I2PD daemon to write configurations Ubuntu:

sudo systemctl start i2pd

OpenBSD:

doas rcctl start i2pd

Wait 5-10 minutes Stop the I2PD daemon Ubuntu:

sudo systemctl stop i2pd

OpenBSD:

doas rcctl stop i2pd

Edit your i2pd configuration Ubuntu:

sudo gedit /etc/i2pd/i2pd.conf

OpenBSD:

doas vi /etc/i2pd/i2pd.conf

You can learn much about how the I2PD daemon works in detail by reading the default configuration file's comments. Change what you want here. Enable or disable certain services such as the console if you solely want to run the hidden service. Before creating a hidden service, if you already have a private key you would like to use, move the .dat binary key file to `/var/lib/i2pd/`. Make sure it has 0660 permissions and is owned by `_i2pd` user and `_i2pd` group. Edit your tunneling configuration for hidden services Ubuntu:

sudo gedit /etc/i2pd/tunnels.conf

OpenBSD:

doas vi /etc/i2pd/tunnels.conf

You will see examples already populated, comment them out or delete them and create a new one like the following

[WEBSITENAME] type = http host = BINDING_ADDRESS port = SERVICE_PORT inbound.length = INBOUND_HOP outbound.length = OUTBOUND_HOP keys = KEY_FILE_NAME

Change `WEBSITENAME` to any name for the service

• The `type` can be either `http`, `standard`, `irc`, or `streamr`. Only use others if you know what you're doing.
• The `host` is the binding address for your service, typically it is localhost or `127.0.0.1`.
• The `port` is the service port to listen to and broadcast on the I2P network.
• The `inbound.length` option can range from `0-8` and is how many peers a packet has to travel between when inbound.
• The `outbound.length` option can range from `0-8` and is how many peers a packet has to travel between when outbound
• The `keys` is the single key file that you placed in `/var/lib/i2pd`, just the name, such as `private.dat`. If the key file is not found, a random key will be written to the `keys` name.

Now that you've configured your hidden service, restart i2pd and wait 20 or so minutes for your tunnels to establish. Ubuntu:

sudo systemctl start i2pd

OpenBSD:
doas rcctl start i2pd

Enable the services on startup (optional) Ubuntu:

sudo systemctl enable i2pd

OpenBSD:

doas rcctl enable i2pd

Conclusion

Congratulations, you now have a general understanding of I2P and how to run it securely! It is highly recommended that you reread this guide to fully understand everything you have learned. It is your responsibility to stay up to date with technologies as they change to ensure your safety and security. Good luck and stay safe.

 

[BarclaysBoys13]

For Qubes-Whonix setup when I use "sudo nano /var/lib/i2p/i2p-config/clients.config.d/00-net.i2p.router.web.RouterConsoleRunner-clients.config" it says the file does not exist.
So I can't change `127.0.0.1` to `127.0.0.2`.

 

[VictorBands98]

same problem + when I search 127.0.0.2:7657 for open I2P console it show - Unable to connect. So how can I open I2P console? Hope someone give advice

 

[BREADGANG]

I should also mention that the regular i2pd from Ubuntu's repositories is currently broken. It will not start the service, exiting with a kernel segmentation fault. You will need to add the i2pd{dot}xyz repository to your system and

sudo apt-get update && sudo apt-get install i2pd

after adding the repository to get the updated and fixed version. Now you should be able to configure and run i2pd daemon on Ubuntu or similar distributions and start browsing i2p.

Another distinction: I2P router hosts at port 7657, but the I2PD web console is hosted at port 7070

 

[KasherQuon]

Everyone's i2p guide tries to one up the previous guide. I suspect that next week the Super Ultimate Guide to i2p shall be released but nonetheless you deserve my upvote and thanks.

 

[h0oligan]

Thanks for the guide, will check if this will work on whonix.

 

[VictorBands98]

The issue today on Alphabayis bringing up this message 'Too many retries on 2FA page. Get a new identity and try again'
With TOR getting a new identity simply means closing then opening a new browser, this does not work with IP2.
Any help much appreciated.

 

[BarclaysBoys13]

Big thank you man! Now i know how using Tor for my i2p journey! Does that mean i don't need a vpn anymore?

But i havn't succeed to install i2pd, i got 0 return from my terminal when i was at this step :

sudo systemctl start i2pd

I use Debian 11 as OS.

 

[KasherQuon]

In order to cut out a VPN i recommend the addition of `torctl` into your security stack. This will route your network traffic through Tor and setup is fairly simple and straightforward.
Regarding the return 0. Typically in C programming, a return 0 means everything worked properly. However, there could be issues with your i2pd setup. On Debian operating systems, there are more dependencies you have to install such as `apt-transport-https` so i2pd will play nice
i2pd has a `readthedocs` section so you can research how to install i2pd on your OS since I'm not too familiar with Debian 11
stay safe!

 

[h0oligan]

oh sorry i explain so bad my technical problems! when i mean 0 return, i wanted to say that nothing happened when i typed sudo systemctl start i2pd. No reaction from the terminal.

I had an ubuntu device also, i felt more confortable with ubuntu than debian too.
Thanks for the reply anyway!

 

[PaulieDumps]

Just got this working today! Tired of this effing DDOS attacks.

Here were my steps:
1. Install and run I2P as described in this guide for Linux. Lets assume my router is at

http://127.0.0.1:1234

/home
2. Go to

http://127.0.0.1:1234

/configwebapps and start "jsonrpc" web app.
3. Go to

http://127.0.0.1:1234

/config and raise the bandwidth if its too low.
4. Install "FoxyProxy" add-on For FireFox.
- Add a new Proxy. Keep all settings as is except for "Proxy IP address or DNS name", add "localhost" and "port" add "4444". Give Proxy the name of "I2P". Press "save" button.
- For that new Proxy, press the "Patterns" button. Under "white patterns", you will see one entry called "all URLS". On the right of that, you will see a field to enter a pattern. Enter "*.12p*". Keep all other settings the same. Press the "save" button.
5. Open a new Firefox browsing tab. In the URL field, enter `about:config`. Search for `javascript.enabled` set it to `false` (as described in this article). Close the tab.
6. Open a new Firefox browsing tab. Click on the "FoxyProxy" plugin icon (should have a red line through the icon) and select the "I2P" proxy you just created. The "FoxyProxy" icon should show you the proxy you just selected in green.
7. Enter the I2P URL in the URL field and press enter.


You should reach the site now.