mirror of
https://git.phreedom.club/localhost_frssoft/frssoft-site
synced 2024-11-25 12:19:19 +02:00
195 lines
7.5 KiB
Markdown
195 lines
7.5 KiB
Markdown
|
Source: gopher://dataswamp.org:70/1/~solene/article-i2p-intro
|
||
|
|
||
|
Title: Using the I2P network with OpenBSD and NixOS
|
||
|
Author: Solène
|
||
|
Date: 20 June 2021
|
||
|
Tags: i2p tor openbsd nixos networking
|
||
|
NIL# Introduction
|
||
|
|
||
|
In this text I will explain what is the I2P network and how to provide
|
||
|
a service over I2P on OpenBSD and how to use to connect to an I2P
|
||
|
service from NixOS.
|
||
|
|
||
|
# I2P
|
||
|
|
||
|
This acronym stands for Invisible Internet Project and is a network
|
||
|
over the network (Internet). It is quite an old project from 2003 and
|
||
|
is considered stable and reliable. The idea of I2P is to build a
|
||
|
network of relays (people running an i2p daemon) to make tunnels from a
|
||
|
client to a server, but a single TCP session (or UDP) between a client
|
||
|
and a server could use many tunnels of n hops across relays.
|
||
|
Basically, when you start your I2P service, the program will get some
|
||
|
information about the relays available and prepare many tunnels in
|
||
|
advance that will be used to reach a destination when you connect.
|
||
|
|
||
|
Some benefits from I2P network:
|
||
|
|
||
|
* your network is reliable because it doesn't take care of operator
|
||
|
peering
|
||
|
* your network is secure because packets are encrypted, and you can
|
||
|
even use usual encryption to reach your remote services (TLS, SSH)
|
||
|
* provides privacy because nobody can tell where you are connecting to
|
||
|
* can prevent against habits tracking (if you also relay data to
|
||
|
participate to i2p, bandwidth allocated is used at 100% all the time,
|
||
|
and any traffic you do over I2P can't be discriminated from standard
|
||
|
relay!)
|
||
|
* can only allow declared I2P nodes to access a server if you don't
|
||
|
want anyone to connect to a port you expose
|
||
|
|
||
|
It is possible to host a website on I2P (by exposing your web server
|
||
|
port), it is called an eepsite and can be accessed using the SOCKs
|
||
|
proxy provided by your I2P daemon. I never played with them though but
|
||
|
this is a thing and you may be interested into looking more in depth.
|
||
|
|
||
|
=> https://geti2p.net/en/ I2P project and I2P implementation (java) page
|
||
|
=> https://i2pd.website/ i2pd project (a recent C++ implementation that I use for this tutorial)
|
||
|
=> https://en.wikipedia.org/wiki/I2P Wikipedia page about I2P
|
||
|
|
||
|
# I2P vs Tor
|
||
|
|
||
|
Obviously, many people would question why not using Tor which seems
|
||
|
similar. While I2P can seem very close to Tor hidden services, the
|
||
|
implementation is really different. Tor is designed to reach the
|
||
|
outside while I2P is meant to build a reliable and anonymous network.
|
||
|
When started, Tor creates a path of relays named a Circuit that will
|
||
|
remain static for an approximate duration of 12 hours, everything you
|
||
|
do over Tor will pass through this circuit (usually 3 relays), on the
|
||
|
other hand I2P creates many tunnels all the time with a very low
|
||
|
lifespan. Small difference, I2P can relay UDP protocol while Tor only
|
||
|
supports TCP.
|
||
|
|
||
|
Tor is very widespread and using a tor hidden service for hosting a
|
||
|
private website (if you don't have a public IP or a domain name for
|
||
|
example) would be better to reach an audience, I2P is not very well
|
||
|
known and that's partially why I'm writing this. It is a fantastic
|
||
|
piece of software and only require more users.
|
||
|
|
||
|
Relays in I2P doesn't have any weight and can be seen as a huge P2P
|
||
|
network while Tor network is built using scores (consensus) of relaying
|
||
|
servers depending of their throughput and availability. Fastest and
|
||
|
most reliable relays will be elected as "Guard server" which are entry
|
||
|
points to the Tor network.
|
||
|
|
||
|
I've been running a test over 10 hours to compare bandwidth usage of
|
||
|
I2P and Tor to keep a tunnel / hidden service available (they have not
|
||
|
been used). Please note that relaying/transit were desactivated so
|
||
|
it's only the uploaded data in order to keep the service working.
|
||
|
|
||
|
* I2P sent 55.47 MB of data in 114 430 packets. Total / 10 hours = 1.58
|
||
|
kB/s average.
|
||
|
* Tor sent 6.98 MB of data in 14 759 packets. Total / 10 hours = 0.20
|
||
|
kB/s average.
|
||
|
|
||
|
Tor was a lot more bandwidth efficient than I2P for the same task:
|
||
|
keeping the network access (tor or i2p) alive.
|
||
|
|
||
|
# Quick explanation about how it works
|
||
|
|
||
|
There are three components in an I2P usage.
|
||
|
|
||
|
- a computer running an I2P daemon configured with tunnels servers (to
|
||
|
expose a TCP/UDP port from this machine, not necessarily from localhost
|
||
|
though)
|
||
|
- a computer running an I2P daemon configured with tunnel client (with
|
||
|
information that match the server tunnel)
|
||
|
- computers running I2P and allowing relay, they will receive data from
|
||
|
other I2P daemons and pass the encrypted packets. They are the core of
|
||
|
the network.
|
||
|
|
||
|
In this text we will use an OpenBSD system to share its localhost ssh
|
||
|
access over I2P and a NixOS client to reach the OpenBSD ssh port.
|
||
|
|
||
|
# OpenBSD
|
||
|
|
||
|
The setup is quite simple, we will use i2pd and not the i2p java
|
||
|
program.
|
||
|
|
||
|
```shell commands
|
||
|
pkg_add i2pd
|
||
|
|
||
|
# read /usr/local/share/doc/pkg-readmes/i2pd for open files limits
|
||
|
|
||
|
cat <<EOF > /etc/i2pd/tunnels.conf
|
||
|
[SSH]
|
||
|
type = server
|
||
|
port = 22
|
||
|
host = 127.0.0.1
|
||
|
keys = ssh.dat
|
||
|
EOF
|
||
|
|
||
|
rcctl enable i2pd
|
||
|
rcctl start i2pd
|
||
|
```
|
||
|
|
||
|
You can edit the file /etc/i2pd/i2pd.conf to uncomment the line
|
||
|
"notransit = true" if you don't want to relay. I would encourage
|
||
|
people to contribute to the network by relaying packets but this would
|
||
|
require some explanations about a nice tuning to limit the bandwidth
|
||
|
correctly. If you disable transit, you won't participate into the
|
||
|
network but I2P won't use any CPU and virtually no data if your tunnel
|
||
|
is in use.
|
||
|
|
||
|
Visit http://localhost:7070/ for the admin interface and check the menu
|
||
|
"I2P Tunnels", you should see a line "SSH => " with a long address
|
||
|
ending by .i2p with :22 added to it. This is the address of your
|
||
|
tunnel on I2P, we will need it (without the :22) to configure the
|
||
|
client.
|
||
|
|
||
|
# Nixos
|
||
|
|
||
|
As usual, on NixOS we will only configure the
|
||
|
/etc/nixos/configuration.nix file to declare the service and its
|
||
|
configuration.
|
||
|
|
||
|
We will name the tunnel "ssh-solene" and use the destination seen on
|
||
|
the administration interface on the OpenBSD server and expose that port
|
||
|
to 127.0.0.1:2222 on our NixOS box.
|
||
|
|
||
|
```nixos configuration file
|
||
|
services.i2pd.enable = true;
|
||
|
services.i2pd.notransit = true;
|
||
|
|
||
|
services.i2pd.outTunnels = {
|
||
|
ssh-solene = {
|
||
|
```
|
||
|
enable = true;
|
||
|
name = "ssh";
|
||
|
destination = "gajcbkoosoztqklad7kosh226tlt5wr2srr2tm4zbcadulxw2o5a.b32.i2p";
|
||
|
address = "127.0.0.1";
|
||
|
port = 2222;
|
||
|
};
|
||
|
```
|
||
|
};
|
||
|
```
|
||
|
|
||
|
Now you can use "nixos-rebuild switch" as root to apply changes.
|
||
|
|
||
|
Note that the equivalent NixOS configuration for any other OS would
|
||
|
look like that for any I2P setup in the file "tunnel.conf" (on OpenBSD
|
||
|
it would be in /etc/i2pd/tunnels.conf).
|
||
|
|
||
|
```i2pd tunnels.conf
|
||
|
[ssh-solene]
|
||
|
type = client
|
||
|
address = 127.0.0.1 # optional, default is 127.0.0.1
|
||
|
port = 2222
|
||
|
destination = gajcbkoosoztqklad7kosh226tlt5wr2srr2tm4zbcadulxw2o5a.b32.i2p
|
||
|
```
|
||
|
|
||
|
# Test the setup
|
||
|
|
||
|
From the NixOS client you should be able to run "ssh -p 2222 localhost"
|
||
|
and get access to the OpenBSD ssh server.
|
||
|
|
||
|
Both systems have a http://localhost:7070/ interface because it's a
|
||
|
default setting that is not bad (except if you have multiple people who
|
||
|
can access the box).
|
||
|
|
||
|
# Conclusion
|
||
|
|
||
|
I2P is a nice way to share services on a reliable and privacy friendly
|
||
|
network, it may not be fast but shouldn't drop you when you need it.
|
||
|
Because it can easily bypass NAT or dynamic IP it's perfectly fine for
|
||
|
a remote system you need to access when you can use NAT or VPN.
|
||
|
|