Connecting to home through i2p

Invisible Internet Project (I2P) is an anonymous network layer. It lets you expose services on your local network under addresses that are reachable only from inside the i2p network.

Unlike tor, where relaying is done by a separate set of volunteer relays with public ips, every i2p router also relays other users' traffic by default, so you don't need a public ip or any special setup to host things (tor onion services don't need one either, but there you are only a client of the relay network). Because everyone in the network cooperates in carrying traffic, it gets more capacity as it grows. That also raises the cost of flooding it somewhat, since an attacker's routers are expected to relay other people's traffic as well, but it doesn't make dos attacks impossible. You can read more about its similarities to tor here.

The main limitation is that it's isolated from the normal web: by default nothing on i2p reaches clear net sites and vice versa.

It's a great tool for encrypting your traffic and hosting your own things, and it's quite performant for file transfer.

i2pd

To access the network you need a client (a router, in i2p terms) which also works as your local proxy. You can choose either the official i2p client or i2pd. i2pd is a reimplementation in C++ (the original client is written in java), and it's the one i prefer.

You can easily install it from your package manager, for arch:

sudo pacman -S i2pd

for debian/ubuntu:

sudo apt-get install i2pd

even for termux:

pkg install i2pd

It's a small package, the binary itself weighs around 628KB.

After installation you can run it by invoking

i2pd --daemon

The --daemon flag makes it go into the background, without it you would see its logs in your terminal.

You can also run it as a system daemon through systemd. Read more about the program itself by running

man i2pd

The first run of i2pd as your user creates the ~/.i2pd directory where both the config files and the cache are stored (the packaged systemd service instead reads its config from /etc/i2pd/ and keeps its data in /var/lib/i2pd/).

In it you can find i2pd.conf, the client config. The defaults are sane so you probably won't change much, but it's worth reading as it has a lot of self documenting comments and shows which functionality is implemented.

Tunnels go in tunnels.conf and tunnels.d. tunnels.d is a directory where every file created under it is treated as a tunnels file; unless you have thousands of tunnels you should stick to saving them in tunnels.conf.

All other files are basically cache.

Accessing the web

By default i2pd listens on several local ports for different protocols/services:

http://127.0.0.1:7070/ is a web console where information is shown about the current session.

127.0.0.1:4444 is the default address of the HTTP proxy, you can use it to access the common sites. You can test if your client is working by running:

curl -x 127.0.0.1:4444 'http://reg.i2p/'

http://reg.i2p/ is an eepsite registry. It basically allows you to register an alias for your tunnel (similar to dns). Instead of large addresses like u2l6y27dcdkpft5qkyetypihp4otsjcaoodfr6fjkelinm2c2mma.b32.i2p you can have tuvimen.i2p. If you want to browse some sites you can find the newly registered ones on http://reg.i2p/latest, but be prepared that a lot of them might not work (the registry requires you to host your site continuously but people just register and forget about it after a couple of days).

You can find a more curated list of sites on https://nekhbet.com/i2p_links.shtml or a list with more info about eepsites on http://notbob.i2p/cgi-bin/defcon.cgi?filter=great.

The proxy will not forward non i2p traffic, so running

curl -x 127.0.0.1:4444 google.com

will not reach google at all; the proxy answers with its own error page instead (this is what it returns):

<html>
<head>
  <meta name="viewport" content="width=device-width, initial-scale=1.0">
  <title>I2Pd HTTP proxy</title>
  <style type="text/css">
    body { font: 100%/1.5em sans-serif; margin: 0; padding: 1.5em; background: #FAFAFA; color: #103456; }
    h1 { font-size: 1.7em; color: #894C84; }
    @media screen and (max-width: 980px) { h1 { font-size: 1.7em; text-align: center; color: #894C84; }}
  </style>
</head>
<body><h1>Proxy error: Outproxy failure</h1>
<p>Host google.com is not inside I2P network, but outproxy is not enabled</p>
</body>
</html>

Browsers

There probably isn't a mainstream browser that supports i2p addresses by default. For such addresses traffic should be passed through the proxy, but the browsers don't even recognize them.

Then again, if you do private things on i2p, a mainstream browser with all of its fingerprinting, telemetry and WebRTC is exactly the kind of thing that could easily deanonymize you, so native .i2p support is maybe not something we should strive for. What you can do is run a browser in a proxy mode where it uses the proxy for all of its traffic.

Because .i2p domains are not recognized, when you type an address without the http:// prefix the browser sends it to its search engine (which fails) instead of opening it directly, so be aware of that.

Chromium

chromium --proxy-server='http://127.0.0.1:4444'

Firefox

Firefox is bloat so there's no cli option for this.

You have to manually click through their gui:

Settings -> General -> Network Settings -> choose Manual proxy configuration, enter HTTP proxy 127.0.0.1, port 4444


Since the proxy doesn't work for the clear net, when you want to get back to it you'll have to go through the same dialog again to disable the proxy.

Because of that i recommend creating a new firefox profile. Basically run

firefox -P

and you get a profile options window


then create an i2p profile. After creation a firefox session for it opens, with all settings and extensions kept separate from your other profiles.

In it you can set up your proxy and add some extensions; you probably don't need any adblocker but i recommend using NoScript. If after closing firefox the next one starts as the i2p profile you can run

firefox -P

and select your default profile (firefox opens the last selected profile, and the default doesn't change if you call a profile directly by its name).

Now whenever you want to browse through some i2p you can run

firefox -P i2p

or even better just

i2p

if you create a wrapper script for it:

#!/bin/sh
# start the i2p profile in the background and return to the shell;
# disown is a bash builtin, so a #!/bin/sh script just backgrounds it
firefox -P i2p >/dev/null 2>&1 &
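Clicking through the dialog can be avoided: Firefox applies whatever prefs it finds in a user.js inside the profile directory at startup, and -CreateProfile makes the profile from the command line. The script below is an added example written for this post, not something the post or Mozilla ships; it assumes the default profiles.ini location (~/.mozilla/firefox/profiles.ini), the i2pd proxy on 127.0.0.1:4444, and the pref names network.proxy.type, network.proxy.http, network.proxy.http_port, network.proxy.ssl and network.proxy.ssl_port, which are what the Manual proxy configuration dialog sets. The WebRTC and prefetch prefs at the end are extra hardening the post does not discuss.

```shell
#!/bin/sh
# Added example (not from the post): create an i2p-only Firefox profile from the shell
# and write its proxy settings into user.js instead of clicking through the dialog.

# Print the absolute directory of a named profile by reading profiles.ini.
# Assumes the default ~/.mozilla/firefox layout unless an ini path is given.
profile_dir() {   # profile_dir NAME [PROFILES_INI]
    ini=${2:-$HOME/.mozilla/firefox/profiles.ini}
    awk -v want="$1" -v base="$(dirname "$ini")" -F= '
        function flush() {
            if (name == want && path != "") {
                print (rel ? base "/" path : path)
                found = 1
                exit
            }
        }
        /^\[/               { flush(); name = ""; path = ""; rel = 1 }
        $1 == "Name"        { name = $2 }
        $1 == "Path"        { path = $2 }
        $1 == "IsRelative"  { rel = $2 + 0 }
        END                 { if (!found) flush() }
    ' "$ini"
}

# Prefs that correspond to Settings -> Network Settings -> Manual proxy configuration,
# plus a few leak-reducing prefs (WebRTC, prefetch) that the post does not mention.
# Firefox never sends localhost through a proxy, so the web console on 127.0.0.1:7070
# stays reachable from this profile.
write_i2p_userjs() {   # write_i2p_userjs PROFILE_DIR
    cat > "$1/user.js" <<'EOF'
// i2p profile: everything goes through the i2pd HTTP proxy (assumed default port 4444)
user_pref("network.proxy.type", 1);
user_pref("network.proxy.http", "127.0.0.1");
user_pref("network.proxy.http_port", 4444);
user_pref("network.proxy.ssl", "127.0.0.1");
user_pref("network.proxy.ssl_port", 4444);
user_pref("network.proxy.no_proxies_on", "");
// don't let pages open direct connections or prefetch outside the proxy
user_pref("media.peerconnection.enabled", false);
user_pref("network.prefetch-next", false);
user_pref("network.dns.disablePrefetch", true);
EOF
}

# Create the profile (firefox adds it to profiles.ini), then drop user.js into it.
setup_i2p_profile() {
    firefox -CreateProfile i2p || return 1
    dir=$(profile_dir i2p)
    [ -n "$dir" ] || { echo "profile i2p not found in profiles.ini" >&2; return 1; }
    write_i2p_userjs "$dir"
    echo "i2p profile ready at $dir; start it with: firefox -P i2p"
}
```

Run setup_i2p_profile once; afterwards `firefox -P i2p` (or the wrapper script above) starts a profile that can only talk to i2p, while your default profile is untouched.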

Making tunnels

Documentation is best

My tunnels.conf looks like this:

[tuvimen]
type=http
host=127.0.0.1
port=8082
keys=tuvimen.dat

[ssh]
type = server
host = 127.0.0.1
port = 22
inbound.length = 1
outbound.length = 1
inbound.quantity = 5
outbound.quantity = 5
i2cp.reduceOnIdle = true
keys=ssh.dat

[ssh-jenousra]
type = server
host = jenousra.ves
port = 22
inbound.length = 1
outbound.length = 1
inbound.quantity = 5
outbound.quantity = 5
i2cp.reduceOnIdle = true
keys=ssh-jenousra.ves

[ssh-rasp]
type = client
host = 127.0.0.1
port = 7822
inbound.length = 1
outbound.length = 1
inbound.quantity = 5
outbound.quantity = 5
i2cp.dontPublishLeaseSet = true
destination = myprivateaddressaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa.b32.i2p
keys=rasp.dat

You can probably guess the meaning of the fields. type can be set to some custom values but the most important are server and client. A server tunnel takes traffic arriving at the tunnel address and forwards it to host:port on your side; a client tunnel listens on host:port on your side and forwards whatever connects there to destination. http is a variant of server meant for hosting web sites.

The keys field names a file created in ~/.i2pd/. It never changes and is your secret: anyone who has it can impersonate your tunnel, so back it up and keep it readable only by you (chmod 600). If you delete it there's no coming back, your address changes.

For any changes in tunnels.conf to take effect you have to restart your i2p client (sending it SIGHUP also makes it reload tunnels.conf), for example like this:

kill $(pidof i2pd)
i2pd --daemon

this will also generate the *.dat key files for new tunnels.

To get the address of a tunnel from its keys file run (the web console also lists it on its I2P tunnels page):

# the destination is the first 391 bytes of the keys file (256 byte public key +
# 128 byte signing key + 7 byte key certificate, which is the size for the default
# key types); the address is its sha256 in lowercase base32 without padding
i2p_link() {
    printf "%s.b32.i2p\n" "$(head -c 391 "$1" | sha256sum | xxd -r -p | base32 | sed 's/=//g' | tr 'A-Z' 'a-z')"
}

i2p_link ~/.i2pd/my-tunnel.dat

I've saved the i2p_link function in my .bashrc.
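The head -c 391 above is right for the default key types, because their key certificate has a 4 byte payload. A keys file whose signing key doesn't fit in the 128 byte field (ECDSA P-521 or RSA, for instance) carries the excess in the certificate, and the destination gets longer, so hashing 391 bytes would give a wrong address. The following is an added example, not the post's own function: it reads the certificate length from the file instead of assuming it, prints the key types it finds, and does the base32 step in awk so only sha256sum, dd, od and awk are needed (no xxd or base32). The sigtype/cryptotype numbers in the comments are the values from the I2P common structures spec.

```shell
#!/bin/sh
# Added example (not the post's i2p_link): derive the .b32.i2p address from an i2pd keys
# file by reading the certificate length instead of assuming 391 bytes, with base32 done
# in awk so only sha256sum, dd, od and awk are needed.

# Lowercase, unpadded base32 (RFC 4648 alphabet) of a hex string.
hex_to_b32() {   # hex_to_b32 HEX
    printf '%s' "$1" | awk '
        BEGIN { hexd = "0123456789abcdef"; alpha = "abcdefghijklmnopqrstuvwxyz234567" }
        {
            buf = 0; nbits = 0; out = ""
            for (i = 1; i <= length($0); i++) {
                buf = buf * 16 + index(hexd, tolower(substr($0, i, 1))) - 1   # shift in 4 bits
                nbits += 4
                while (nbits >= 5) {                       # emit one symbol per 5 bits
                    nbits -= 5
                    idx = int(buf / 2 ^ nbits)
                    out = out substr(alpha, idx + 1, 1)
                    buf -= idx * 2 ^ nbits
                }
            }
            if (nbits > 0)                                 # zero-pad the leftover bits
                out = out substr(alpha, int(buf * 2 ^ (5 - nbits)) + 1, 1)
            print out
        }'
}

# Size of the Destination at the start of the keys file: 256 byte public key + 128 byte
# signing key + 3 byte certificate header (type, big-endian length) + certificate payload.
# The default Ed25519 key certificate has a 4 byte payload, hence the usual 391.
i2p_dest_len() {   # i2p_dest_len KEYFILE
    set -- $(dd if="$1" bs=1 skip=385 count=2 2>/dev/null | od -An -tu1)
    [ $# -eq 2 ] || { echo "file too short to be a keys file" >&2; return 1; }
    echo $((387 + $1 * 256 + $2))
}

# Signature and crypto type from a key certificate (type 5). In the I2P spec sigtype 7 is
# EdDSA-SHA512-Ed25519, cryptotype 0 is ElGamal and 4 is ECIES-X25519.
i2p_key_types() {   # i2p_key_types KEYFILE
    set -- $(dd if="$1" bs=1 skip=384 count=7 2>/dev/null | od -An -tu1)
    [ $# -eq 7 ] && [ "$1" -eq 5 ] || { echo "no key certificate (cert type ${1:-?})"; return 1; }
    echo "sigtype=$(($4 * 256 + $5)) cryptotype=$(($6 * 256 + $7))"
}

# sha256 over the whole Destination, base32 encoded: the .b32.i2p address.
i2p_addr() {   # i2p_addr KEYFILE
    n=$(i2p_dest_len "$1") || return 1
    h=$(head -c "$n" "$1" | sha256sum | cut -d' ' -f1)
    printf '%s.b32.i2p\n' "$(hex_to_b32 "$h")"
}

# usage: i2p_addr ~/.i2pd/ssh.dat   (or run this file with keys files as arguments)
for f in "$@"; do i2p_addr "$f"; done
```

For a default keys file i2p_addr prints the same address as the author's i2p_link; the difference only shows up for non-default key types, where i2p_key_types tells you what you are looking at.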

Tunnel addresses aren't something you must always hide, but if you don't want people poking at your private services, don't share them and no one will know they exist (making an eepsite for an address is basically screaming it out to the public). A b32 address is only hard to guess, not a secret, so whatever listens behind a server tunnel should still authenticate its clients.

hosting a site

This is the tunnel conf for my site

[tuvimen]
type=http
host=127.0.0.1
port=8082
keys=tuvimen.dat

I use nginx on port 8082 on my local network.

You can also read a short i2pd http tutorial

ssh

This is the most used kind of a tunnel for me, I don't have a public ip so it's the only real way of doing it for me. You can pay for ddns service or use ngrok which is technically free to use, but these make you rely on a third party, that might log your activity.

i2p has a high ping so if you want to host some game server you should go with ddns, but for ssh it's fast enough.

My conf for ssh is

[ssh]
type = server
host = 127.0.0.1
port = 22
inbound.length = 1
outbound.length = 1
inbound.quantity = 5
outbound.quantity = 5
i2cp.reduceOnIdle = true
keys=ssh.dat

[ssh-jenousra]
type = server
host = jenousra.ves
port = 22
inbound.length = 1
outbound.length = 1
inbound.quantity = 5
outbound.quantity = 5
i2cp.reduceOnIdle = true
keys=ssh-jenousra.ves

[ssh-rasp]
type = client
host = 127.0.0.1
port = 7822
inbound.length = 1
outbound.length = 1
inbound.quantity = 5
outbound.quantity = 5
i2cp.dontPublishLeaseSet = true
destination = myprivateaddressaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa.b32.i2p
keys=rasp.dat

These fields don't touch buffers: length is the number of hops in each tunnel and quantity is how many parallel tunnels are kept up. One-hop tunnels cut the latency so ssh feels more responsive, at the cost of anonymity (the single relay has a direct link to your router), and five of them keep the session alive when one of them expires or fails

inbound.length = 1
outbound.length = 1
inbound.quantity = 5
outbound.quantity = 5

In the case of the ssh-jenousra tunnel the host field is set to the local network address jenousra.ves (i use .ves as my local domain), so i2pd forwards incoming tunnel traffic to that machine instead of to localhost.

On each device that you will be connecting from you have to create a client tunnel like ssh-rasp (that's how i connect to my raspberry pi); its destination field takes the address of the hosting tunnel. ssh can't resolve i2p addresses itself, so the client tunnel is what maps the destination to a local port. Then in this case you connect by running:

ssh -p 7822 rasp@127.0.0.1

If you want to copy files, scp uses a capital -P for the port:

scp -P 7822 ./file rasp@127.0.0.1:~/

You might want to make aliases or key bindings for these.

I strongly recommend doing an ssh-copy-id and disabling password authentication for such connections.
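Two things are worth scripting here. Every tunnel shows up as 127.0.0.1:someport, so ssh keys its known_hosts entry on [127.0.0.1]:7822; if two tunnels ever reuse a local port their host keys collide and you get a spurious "host key changed" warning, which HostKeyAlias avoids by storing the key under a name of your choosing. And after ssh-copy-id it's worth verifying that the server really refuses passwords, reading sshd_config the way sshd does (first occurrence of a keyword wins, default is yes). Both are added examples written for this post, not code from it; rasp and 7822 are the post's values, the alias, HostKeyAlias name and config paths are assumptions.

```shell
#!/bin/sh
# Added example (not from the post): an ssh client entry for a tunnel that lands on
# 127.0.0.1:7822, and a check that the server's sshd_config really has password login off.

# Append a Host block to an ssh config so `ssh ALIAS` reaches the tunnel. HostKeyAlias
# stores the server's host key under its own name instead of [127.0.0.1]:PORT, so two
# tunnels that ever share a local port can't trip each other's host key check.
add_i2p_ssh_host() {   # add_i2p_ssh_host CONFIG_FILE ALIAS LOCAL_PORT USER
    cat >> "$1" <<EOF

Host $2
    HostName 127.0.0.1
    Port $3
    User $4
    HostKeyAlias $2.i2p
    IdentitiesOnly yes
    PasswordAuthentication no
EOF
}

# Effective global PasswordAuthentication of an sshd_config, read the way sshd reads it:
# keywords are case-insensitive, the first occurrence wins, and the default is yes.
# Stops at the first Match block (assumption: nothing conditional re-enables it).
sshd_password_auth() {   # sshd_password_auth SSHD_CONFIG  -> prints yes or no
    awk '
        tolower($1) == "match" { exit }
        tolower($1) == "passwordauthentication" && !seen { seen = 1; v = tolower($2) }
        END { print (seen ? v : "yes") }
    ' "$1"
}

# usage on the server, after ssh-copy-id and before closing the session that did it:
#   [ "$(sshd_password_auth /etc/ssh/sshd_config)" = no ] || echo "password login still on"
# usage on the client:
#   add_i2p_ssh_host ~/.ssh/config rasp 7822 rasp && ssh rasp
```

With the Host block in place `ssh rasp` and `scp file rasp:` pick up the port, user and key settings, so no aliases are needed.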

Most of my connections happen through termux and since i don't run it continuously i have to start i2pd every time. It takes more than 30 seconds for it to fully connect with i2p network, but after that making a connection takes half a second.

making an eepsite

As mentioned before an eepsite is basically a dns record on i2p. You can make one by registering your site on http://reg.i2p/.

Read their terms and rules for keeping your address. Don't make eepsites if you aren't going to host.

At registration they will ask you for an auth string; go to http://127.0.0.1:7070/?page=i2p_tunnels, select the server tunnel and click on the Address registration line. This will ask you for the domain name and generate the auth string. It also allows for automatic registration but i haven't tested that.

keeping i2pd running

I've had a bad experience with systemd since I wanted to keep my config in my user directory. No matter what i did, running the modified service always returned permission denied.

Tunnel key files are something that should be kept safe, so i don't like putting them in a directory that i could forget about when reinstalling my system.

If you have no such concerns then use the standard systemd daemon, which reads /etc/i2pd/i2pd.conf and /etc/i2pd/tunnels.conf and stores its keys and cache under /var/lib/i2pd/ (so those are the paths to back up).

For now i have put

pidof i2pd >/dev/null || i2pd --daemon

in my .bashrc.

shout out to schnuffel bunny

I don't know why but they have an official website on i2p and i couldn't find a clear net one.


Here's one of their videos on youtube.


German language is beautiful ;)