 |
Title: Using the I2P network with OpenBSD and NixOS |
|
Author: Solène |
|
Date: 20 June 2021 |
|
Tags: i2p tor openbsd nixos networking |
|
Description: |
|
|
|
# Introduction |
|
|
|
In this text I will explain what is the I2P network and how to provide |
|
a service over I2P on OpenBSD and how to use to connect to an I2P |
|
service from NixOS. |
|
|
|
# I2P |
|
|
|
This acronym stands for Invisible Internet Project and is a network |
|
over the network (Internet). It is quite an old project from 2003 and |
|
is considered stable and reliable. The idea of I2P is to build a |
|
network of relays (people running an i2p daemon) to make tunnels from a |
|
client to a server, but a single TCP session (or UDP) between a client |
|
and a server could use many tunnels of n hops across relays. |
|
Basically, when you start your I2P service, the program will get some |
|
information about the relays available and prepare many tunnels in |
|
advance that will be used to reach a destination when you connect. |
|
|
|
Some benefits from I2P network: |
|
|
|
* your network is reliable because it doesn't take care of operator |
|
peering |
|
* your network is secure because packets are encrypted, and you can |
|
even use usual encryption to reach your remote services (TLS, SSH) |
|
* provides privacy because nobody can tell where you are connecting to |
|
* can prevent against habits tracking (if you also relay data to |
|
participate to i2p, bandwidth allocated is used at 100% all the time, |
|
and any traffic you do over I2P can't be discriminated from standard |
|
relay!) |
|
* can only allow declared I2P nodes to access a server if you don't |
|
want anyone to connect to a port you expose |
|
|
|
It is possible to host a website on I2P (by exposing your web server |
|
port), it is called an eepsite and can be accessed using the SOCKs |
|
proxy provided by your I2P daemon. I never played with them though but |
|
this is a thing and you may be interested into looking more in depth. |
|
|
 |
I2P project and I2P implementation (java) page |
|
i2pd project (a recent C++ implementation that I use for this tutorial) |
|
Wikipedia page about I2P |
|
|
|
# I2P vs Tor |
|
|
|
Obviously, many people would question why not using Tor which seems |
|
similar. While I2P can seem very close to Tor hidden services, the |
|
implementation is really different. Tor is designed to reach the |
|
outside while I2P is meant to build a reliable and anonymous network. |
|
When started, Tor creates a path of relays named a Circuit that will |
|
remain static for an approximate duration of 12 hours, everything you |
|
do over Tor will pass through this circuit (usually 3 relays), on the |
|
other hand I2P creates many tunnels all the time with a very low |
|
lifespan. Small difference, I2P can relay UDP protocol while Tor only |
|
supports TCP. |
|
|
|
Tor is very widespread and using a tor hidden service for hosting a |
|
private website (if you don't have a public IP or a domain name for |
|
example) would be better to reach an audience, I2P is not very well |
|
known and that's partially why I'm writing this. It is a fantastic |
|
piece of software and only require more users. |
|
|
|
Relays in I2P doesn't have any weight and can be seen as a huge P2P |
|
network while Tor network is built using scores (consensus) of relaying |
|
servers depending of their throughput and availability. Fastest and |
|
most reliable relays will be elected as "Guard server" which are entry |
|
points to the Tor network. |
|
|
|
I've been running a test over 10 hours to compare bandwidth usage of |
|
I2P and Tor to keep a tunnel / hidden service available (they have not |
|
been used). Please note that relaying/transit were desactivated so |
|
it's only the uploaded data in order to keep the service working. |
|
|
|
* I2P sent 55.47 MB of data in 114 430 packets. Total / 10 hours = 1.58 |
|
kB/s average. |
|
* Tor sent 6.98 MB of data in 14 759 packets. Total / 10 hours = 0.20 |
|
kB/s average. |
|
|
|
Tor was a lot more bandwidth efficient than I2P for the same task: |
|
keeping the network access (tor or i2p) alive. |
|
|
|
# Quick explanation about how it works |
|
|
|
There are three components in an I2P usage. |
|
|
|
- a computer running an I2P daemon configured with tunnels servers (to |
|
expose a TCP/UDP port from this machine, not necessarily from localhost |
|
though) |
|
- a computer running an I2P daemon configured with tunnel client (with |
|
information that match the server tunnel) |
|
- computers running I2P and allowing relay, they will receive data from |
|
other I2P daemons and pass the encrypted packets. They are the core of |
|
the network. |
|
|
|
In this text we will use an OpenBSD system to share its localhost ssh |
|
access over I2P and a NixOS client to reach the OpenBSD ssh port. |
|
|
|
# OpenBSD |
|
|
|
The setup is quite simple, we will use i2pd and not the i2p java |
|
program. |
|
|
|
```shell commands |
|
pkg_add i2pd |
|
|
|
# read /usr/local/share/doc/pkg-readmes/i2pd for open files limits |
|
|
|
cat <<EOF > /etc/i2pd/tunnels.conf |
|
[SSH] |
|
type = server |
|
port = 22 |
|
host = 127.0.0.1 |
|
keys = ssh.dat |
|
EOF |
|
|
|
rcctl enable i2pd |
|
rcctl start i2pd |
|
``` |
|
|
|
You can edit the file /etc/i2pd/i2pd.conf to uncomment the line |
|
"notransit = true" if you don't want to relay. I would encourage |
|
people to contribute to the network by relaying packets but this would |
|
require some explanations about a nice tuning to limit the bandwidth |
|
correctly. If you disable transit, you won't participate into the |
|
network but I2P won't use any CPU and virtually no data if your tunnel |
|
is in use. |
|
|
|
Visit http://localhost:7070/ for the admin interface and check the menu |
|
"I2P Tunnels", you should see a line "SSH => " with a long address |
|
ending by .i2p with :22 added to it. This is the address of your |
|
tunnel on I2P, we will need it (without the :22) to configure the |
|
client. |
|
|
|
# Nixos |
|
|
|
As usual, on NixOS we will only configure the |
|
/etc/nixos/configuration.nix file to declare the service and its |
|
configuration. |
|
|
|
We will name the tunnel "ssh-solene" and use the destination seen on |
|
the administration interface on the OpenBSD server and expose that port |
|
to 127.0.0.1:2222 on our NixOS box. |
|
|
|
```nixos configuration file |
|
services.i2pd.enable = true; |
|
services.i2pd.notransit = true; |
|
|
|
services.i2pd.outTunnels = { |
|
ssh-solene = { |
|
enable = true; |
|
name = "ssh"; |
|
destination = "gajcbkoosoztqklad7kosh226tlt5wr2srr2tm4zbcadulxw2o5a.b32.i2p… |
|
address = "127.0.0.1"; |
|
port = 2222; |
|
}; |
|
}; |
|
``` |
|
|
|
Now you can use "nixos-rebuild switch" as root to apply changes. |
|
|
|
Note that the equivalent NixOS configuration for any other OS would |
|
look like that for any I2P setup in the file "tunnel.conf" (on OpenBSD |
|
it would be in /etc/i2pd/tunnels.conf). |
|
|
|
```i2pd tunnels.conf |
|
[ssh-solene] |
|
type = client |
|
address = 127.0.0.1 # optional, default is 127.0.0.1 |
|
port = 2222 |
|
destination = gajcbkoosoztqklad7kosh226tlt5wr2srr2tm4zbcadulxw2o5a.b32.i2p |
|
``` |
|
|
|
# Test the setup |
|
|
|
From the NixOS client you should be able to run "ssh -p 2222 localhost" |
|
and get access to the OpenBSD ssh server. |
|
|
|
Both systems have a http://localhost:7070/ interface because it's a |
|
default setting that is not bad (except if you have multiple people who |
|
can access the box). |
|
|
|
# Conclusion |
|
|
|
I2P is a nice way to share services on a reliable and privacy friendly |
|
network, it may not be fast but shouldn't drop you when you need it. |
|
Because it can easily bypass NAT or dynamic IP it's perfectly fine for |
|
a remote system you need to access when you can use NAT or VPN. |
