I2P is an anonymising network, similar to Tor (without the exit nodes). Machines connected to I2P can host and access “eepSites”, which are anonymously hosted websites like the “hidden services” on Tor. I have configured my home network to allow any connected device to transparently access eepSites, without having to install any additional software or reconfigure any proxy settings on them.
A standard I2P installation exposes an HTTP proxy on port 4444. The idea is that you reconfigure your web browser to connect to it and then it will handle routing requests for “.i2p” domain names over the I2P anonymising network. I have a Debian GNU/Linux (Jessie) machine at the edge of my network, which sits between the Internet and my LAN. It handles DHCP, DNS and NAT amongst other things. I have configured that machine to intercept requests for .i2p sites and then bounce them through the HTTP proxy provided by I2P. I will refer to this machine as “the router” from now on.
First things first. To install I2P on Debian, add the following to /etc/apt/sources.list:
deb http://deb.i2p2.no/ unstable main
deb-src http://deb.i2p2.no/ unstable main
Then run:
curl http://www.i2p2.de/_static/debian-repo.pub|apt-key add -
apt-get update
apt-get install i2p i2p-keyring
dpkg-reconfigure i2p
Now we need a piece of software that can intercept HTTP requests and convert them into HTTP proxy requests. For this, I used Privoxy. To install Privoxy, run “apt-get install privoxy” and then make the following changes to /etc/privoxy/config:
accept-intercepted-requests 1
forward .i2p 127.0.0.1:4444
Now, there is no DNS for .i2p domain names, so when you type “http://example.i2p/” into your browser, the DNS lookup will fail and the site won’t be fetched. I have a caching DNS resolver on my router named Unbound which is advertised to the rest of the machines on my LAN via DHCP. I added the following to my unbound.conf so that all .i2p domain lookups would return the IP address 10.191.0.1:
local-zone: "i2p" redirect
local-data: "i2p A 10.191.0.1"
10.191.0.1 is just a random private network IP address that I selected which doesn’t fall within any private network ranges that I’m actually using. By doing this, whenever a browser attempts to visit “http://example.i2p/”, its DNS lookup will return “10.191.0.1” as the machine to connect to. It will then try to connect to that IP on port 80 through the router.
On my router I then run the following commands:
iptables -t nat -A OUTPUT -d 10.191.0.1 -p tcp --dport 80 -j REDIRECT --to-port 8118
iptables -t nat -A PREROUTING -d 10.191.0.1 -p tcp --dport 80 -j REDIRECT --to-port 8118
This catches any traffic destined for 10.191.0.1 on port 80 (HTTP), and redirects it to Privoxy which is listening on port 8118, which then subsequently passes it off to the locally running I2P daemon.
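Because every .i2p name resolves to the same address, the redirected connection no longer says which site was wanted; only the Host header does. The following added example (a simplified Python model, not Privoxy's code and not part of the original setup) shows the rewrite that accept-intercepted-requests makes possible and the forward decision that follows; the function name and the sample request are constructed for illustration.

```python
# Added illustration: a simplified model of intercepted-request handling.
# This is not Privoxy's code; names and the sample request are constructed.
I2P_PROXY = ("127.0.0.1", 4444)  # I2P HTTP proxy address from the post
FORWARD_SUFFIX = ".i2p"          # from "forward .i2p 127.0.0.1:4444"


def to_proxy_request(raw: bytes):
    """Rewrite an intercepted origin-form request into proxy (absolute) form.

    Returns (upstream, request). upstream is I2P_PROXY for .i2p hosts and
    None when no forward rule matches. Raises ValueError if the request
    cannot be routed, e.g. it has no usable Host header.
    """
    head, sep, body = raw.partition(b"\r\n\r\n")
    if not sep:
        raise ValueError("incomplete header block")
    lines = head.decode("iso-8859-1").split("\r\n")
    parts = lines[0].split(" ")
    if len(parts) != 3:
        raise ValueError("malformed request line")
    method, target, version = parts
    if not target.startswith("/"):
        raise ValueError("expected an origin-form target such as /index.html")
    # The TCP destination is the shared sink address, so the Host header is
    # the only place the requested site name survives.
    hosts = [l.split(":", 1)[1].strip() for l in lines[1:]
             if l.lower().startswith("host:")]
    if len(hosts) != 1 or not hosts[0]:
        raise ValueError("need exactly one non-empty Host header")
    host = hosts[0].lower()
    hostname = host.partition(":")[0]  # drop an optional :port
    lines[0] = f"{method} http://{host}{target} {version}"
    upstream = I2P_PROXY if hostname.endswith(FORWARD_SUFFIX) else None
    return upstream, "\r\n".join(lines).encode("iso-8859-1") + sep + body


# Constructed sample: what a LAN browser sends after DNS returned the sink IP.
SAMPLE = b"GET /index.html HTTP/1.1\r\nHost: example.i2p\r\nUser-Agent: demo\r\n\r\n"

if __name__ == "__main__":
    upstream, request = to_proxy_request(SAMPLE)
    print("forward to:", upstream)
    print(request.decode("iso-8859-1"))
```

A request whose Host header does not end in .i2p comes back with no upstream in this model, which is a reminder that the routing decision rests entirely on a client-supplied header.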
Now any machine on my network is able to access .i2p eepSites in exactly the same way as they would access any other website.
I’ve also got a similar setup for accessing Tor hidden services, which I describe in another blog post called Transparent Access to Tor Hidden Services.