Title: OpenBSD mirror over Tor / I2P
Author: Solène
Date: 25 May 2024
Tags: privacy openbsd tor i2p
Description: In this article, you will learn how to reach an OpenBSD mirror over Tor or I2P
# Introduction

For an upcoming privacy-related article about OpenBSD, I needed to set up access to an OpenBSD mirror from both a Tor hidden service and I2P.

The server does not contain any data: it only acts as a proxy that fetches files from a random existing OpenBSD mirror, so it does not waste bandwidth mirroring everything (the server does not have the required storage anyway). A small cache keeps the most requested files locally.

Wikipedia page about I2P protocol

Wikipedia page about Tor

It is only useful if you cannot reach the OpenBSD mirrors, or if you really need to hide your network activity. Tor or I2P will be much slower than connecting to a mirror over HTTP(S).

However, now that they exist, let me explain how to start using them.
# Tor

Using a client with a Tor proxy enabled, you can reach the following address to download installers or sets.

OpenBSD onion mirror over Tor

If you want to install or update your packages over Tor, you can use the onion address in `/etc/installurl`. However, this will not work for sysupgrade and syspatch, and you need to export the variable `FETCH_CMD="/usr/local/bin/curl -L -s -q -N -x socks5h://127.0.0.1:9050"` in your environment so that the `pkg_*` programs can use the mirror.

To make sysupgrade or syspatch able to use the onion address, you need to have the `torsocks` package installed, and patch each script to run ftp through torsocks:

* `sed -i 's,ftp -N,/usr/local/bin/torsocks &,' /usr/sbin/sysupgrade` for sysupgrade
* `sed -i 's,ftp -N,/usr/local/bin/torsocks &,' /usr/sbin/syspatch` for syspatch

These patches will have to be reapplied after each sysupgrade run.
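Because the sed one-liners above have to be reapplied after every sysupgrade, and running them a second time on an already patched script would prefix `ftp -N` with torsocks twice (the `&` only repeats the match), it is worth making the patch idempotent. The script below is an added example, not code from the original article: it checks whether a script is already patched before editing it, and exports the same `FETCH_CMD` setting as above. The function names, the `--apply` switch and the ability to pass any file path (so the functions can be tried on a copy first) are this example's own; the paths and the curl/torsocks settings are the ones given in the article.

```shell
# Added example: reapply the torsocks patch to sysupgrade/syspatch safely.
# Paths and settings follow the article; function names are this example's.
TORSOCKS=/usr/local/bin/torsocks

# patch_torsocks FILE
# Returns 0 if FILE now runs "ftp -N" through torsocks (patched now or
# earlier), 1 if FILE contains no "ftp -N" invocation to patch.
patch_torsocks() {
    f=$1
    # Already patched: do nothing, so the script is safe to rerun.
    if grep -q "$TORSOCKS ftp -N" "$f"; then
        return 0
    fi
    if ! grep -q 'ftp -N' "$f"; then
        echo "no 'ftp -N' in $f; nothing patched" >&2
        return 1
    fi
    # Same substitution as the article's one-liner.
    sed -i "s,ftp -N,$TORSOCKS &," "$f"
}

# count_wrapped FILE: how many lines wrap ftp in torsocks (should be 1 per
# invocation, never 2, after any number of runs).
count_wrapped() {
    grep -c "$TORSOCKS ftp -N" "$1" || true
}

# pkg_add and friends fetch through curl over the local Tor SOCKS port.
# Source this file (or copy this line to your profile) so the variable
# reaches the shell that runs pkg_*.
export FETCH_CMD="/usr/local/bin/curl -L -s -q -N -x socks5h://127.0.0.1:9050"

# Only touch the real scripts when explicitly asked (run as root):
#   . ./tor-mirror.sh --apply
if [ "${1:-}" = "--apply" ]; then
    patch_torsocks /usr/sbin/sysupgrade
    patch_torsocks /usr/sbin/syspatch
fi
```

After a sysupgrade, rerunning the file with `--apply` restores the patch; running it on an already patched system leaves the scripts untouched, which the `count_wrapped` helper lets you verify.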
# I2P

If you have a client with an I2P proxy enabled, you can reach the following address to download installers or sets.

OpenBSD mirror address over I2P

If you want to install or update your packages over I2P, install i2pd with `pkg_add i2pd`, then edit the file `/etc/i2pd/i2pd.conf` to set `notransit = true`, unless you want to act as an I2P relay (high CPU/bandwidth consumption).

Replace the file `/etc/i2pd/tunnels.conf` with the following content (or adapt your current tunnels.conf if you configured it earlier):

```
[MIRROR]
type = client
address = 127.0.0.1
port = 8080
destination = 2st32tfsqjnvnmnmy3e5o5y5hphtgt4b2letuebyv75ohn2w5umq.b32.i2p
destinationport = 8081
keys = mirror.dat
```

Now, enable and start i2pd with `rcctl enable i2pd && rcctl start i2pd`.

After a few minutes, to let i2pd establish tunnels, you should be able to browse the mirror over I2P using the address `http://127.0.0.1:8080/`. You can change port 8080 to another one you prefer by modifying the file `tunnels.conf`.

You can use the address `http://127.0.0.1:8080/pub/OpenBSD/` in `/etc/installurl` to automatically use the I2P mirror for installing/updating packages, or for keeping your system up to date with syspatch/sysupgrade.
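The I2P setup above is three file edits plus a service start. The script below is an added example, not part of the original article, that performs those edits in one place: it validates the `.b32.i2p` destination before writing `tunnels.conf` (a base32 destination is 52 characters from `a-z2-7` followed by `.b32.i2p`, and a mistyped one would simply never connect), sets `notransit = true` without duplicating the key, and writes `/etc/installurl`. The destination, ports and file names are the article's; the `ROOT` prefix argument (so the functions can be exercised in a scratch directory), the `--apply` switch and the function names are assumptions of this example.

```shell
# Added example: apply the article's i2pd client-tunnel setup under a
# configurable root directory, with a sanity check on the destination.

# A .b32.i2p address is 52 base32 characters ([a-z2-7]) plus ".b32.i2p".
valid_b32_dest() {
    printf '%s\n' "$1" | grep -Eq '^[a-z2-7]{52}\.b32\.i2p$'
}

# write_mirror_tunnel ROOT DEST LOCALPORT
# Writes ROOT/etc/i2pd/tunnels.conf with the [MIRROR] client tunnel.
write_mirror_tunnel() {
    root=${1%/} dest=$2 lport=$3
    if ! valid_b32_dest "$dest"; then
        echo "refusing to write tunnel: '$dest' is not a .b32.i2p address" >&2
        return 1
    fi
    mkdir -p "$root/etc/i2pd"
    cat > "$root/etc/i2pd/tunnels.conf" <<EOF
[MIRROR]
type = client
address = 127.0.0.1
port = $lport
destination = $dest
destinationport = 8081
keys = mirror.dat
EOF
}

# set_notransit ROOT: make sure i2pd.conf says "notransit = true" exactly
# once, so this node does not relay traffic for the network.
set_notransit() {
    conf=${1%/}/etc/i2pd/i2pd.conf
    mkdir -p "$(dirname "$conf")"
    [ -f "$conf" ] || : > "$conf"
    if grep -Eq '^[[:space:]]*notransit[[:space:]]*=' "$conf"; then
        sed -i -E 's/^[[:space:]]*notransit[[:space:]]*=.*/notransit = true/' "$conf"
    else
        # Prepend rather than append: the key belongs to the global part of
        # the file, not under whatever [section] happens to end it.
        tmp=$(mktemp)
        { echo 'notransit = true'; cat "$conf"; } > "$tmp"
        cat "$tmp" > "$conf"
        rm -f "$tmp"
    fi
}

# set_installurl ROOT LOCALPORT: pkg_add, syspatch and sysupgrade will then
# fetch through the local tunnel.
set_installurl() {
    echo "http://127.0.0.1:$2/pub/OpenBSD/" > "${1%/}/etc/installurl"
}

# tunnel_value ROOT KEY: read a key back from tunnels.conf (for checks).
tunnel_value() {
    sed -n "s/^$2 = //p" "${1%/}/etc/i2pd/tunnels.conf"
}

# Destination of the mirror tunnel, as published in the article.
MIRROR_DEST=2st32tfsqjnvnmnmy3e5o5y5hphtgt4b2letuebyv75ohn2w5umq.b32.i2p

# Only touch the real system when asked (run as root): sh i2p-mirror.sh --apply
if [ "${1:-}" = "--apply" ]; then
    set_notransit /
    write_mirror_tunnel / "$MIRROR_DEST" 8080
    set_installurl / 8080
    rcctl enable i2pd && rcctl start i2pd
fi
```

Running the functions against a temporary root first shows exactly which files would change; `tunnel_value / destination` after `--apply` confirms the address that i2pd will use.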
Note: from experience, the I2P mirror works fine to install packages, but it did not play well with fw_update, syspatch and sysupgrade, perhaps because they use the ftp command, which seems to drop the connection easily. Downloading the files locally using a proper HTTP client that supports transfer resume would be better. On the other hand, this issue may be related to the attack the I2P network is facing as of the time of writing (May 2024).
# Firmware mirror

OpenBSD pulls firmware from a different server than the regular mirrors; the address is `http://firmware.openbsd.org/firmware/`. The files on this server are signed packages, which can be installed using `fw_update $file`.

Both the I2P and Tor hidden service hostnames can be reused: you only have to replace `/pub/OpenBSD/` with `/firmware/` to browse the files.

The proxy server does not cache any firmware; it proxies directly to the genuine firmware web server. The firmware files are on a separate server for legal reasons; it seems to be a grey area.

## Disable firmware.openbsd.org

For maximum privacy, you need to neutralize the `firmware.openbsd.org` DNS lookup using a hosts entry. This is important because `fw_update` is run automatically after a system upgrade (as of 2024).

In `/etc/hosts`, add the line:

```
127.0.0.9 firmware.openbsd.org
```

The IP in the snippet above is not a mistake: it prevents fw_update from trying to connect to a local web server, if there is one.
## Tor access

If you use Tor, it is complicated to patch `fw_update` to use torsocks; the best method is to download the firmware manually.

Firmware onion address

## I2P access

If you use I2P, you can reuse the tunnel configuration described in the I2P section, and pass the full URL to `fw_update`:

```shell
# release users
fw_update -p http://127.0.0.1:8080/firmware/$(uname -r)/
# snapshot users
fw_update -p http://127.0.0.1:8080/firmware/snapshots/
```

Or you can browse the I2P URL using an HTTP client with the I2P proxy to download the firmware manually.

Firmware i2p address

# Conclusion

There was no method to download OpenBSD files over Tor and I2P for people who really need it; now there is one.

If you encounter issues with the service, please let me know.