Step 1: Generate Public/Private keys for Encrypted LeaseSet with x25519.py from https://codeberg.org/Strict3443/i2pd-x25519/src/branch/main/x25519.py, or build it from source with x25519.cpp from https://github.com/PurpleI2P/i2pd-tools/
$ ./x25519.py
Public Key: GEwfz2F2PuBpMCxXXXXXXXXN5DoIaDJ0LvFhyorUDD8=
Private Key: sG3tqXDDKkpHHOi-XXXXXXXXXnbThbJyaXOTpP~VpV0=
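The two lines above are what such a generator has to produce: a random 32-byte X25519 private key and the matching public key (X25519 of the clamped private scalar with base point 9), both in I2P's base64 alphabet, which swaps '-' for '+' and '~' for '/'. The following is an added, self-contained Python reimplementation for illustration; it is not the x25519.py from the linked repository, and the RFC 7748 Montgomery ladder here is written for readability, not constant time. The is_i2p_key check is a small addition for sanity-checking a key before pasting it into a .conf file.

```python
import base64
import secrets

# X25519 parameters from RFC 7748
P = 2**255 - 19
A24 = 121665
BASE_POINT_U = (9).to_bytes(32, "little")


def i2p_b64encode(raw):
    """Standard base64, then I2P's alphabet substitutions ('+' -> '-', '/' -> '~')."""
    return base64.b64encode(raw).decode("ascii").replace("+", "-").replace("/", "~")


def i2p_b64decode(text):
    return base64.b64decode(text.replace("-", "+").replace("~", "/"), validate=True)


def is_i2p_key(text):
    """True for a 44-char I2P base64 string that decodes to exactly 32 bytes."""
    try:
        return len(text) == 44 and len(i2p_b64decode(text)) == 32
    except ValueError:
        return False


def _clamp(scalar_bytes):
    # RFC 7748 section 5: clear low 3 bits, clear bit 255, set bit 254
    k = bytearray(scalar_bytes)
    k[0] &= 248
    k[31] &= 127
    k[31] |= 64
    return int.from_bytes(k, "little")


def _decode_u(u_bytes):
    u = bytearray(u_bytes)
    u[31] &= 127  # the top bit of a u-coordinate is ignored
    return int.from_bytes(u, "little")


def _ladder(k, u):
    """Montgomery ladder from RFC 7748 section 5 (teaching code, not constant time)."""
    x1, x2, z2, x3, z3, swap = u, 1, 0, u, 1, 0
    for t in range(254, -1, -1):
        kt = (k >> t) & 1
        swap ^= kt
        if swap:
            x2, x3, z2, z3 = x3, x2, z3, z2
        swap = kt
        a = (x2 + z2) % P
        aa = a * a % P
        b = (x2 - z2) % P
        bb = b * b % P
        e = (aa - bb) % P
        c = (x3 + z3) % P
        d = (x3 - z3) % P
        da = d * a % P
        cb = c * b % P
        x3 = (da + cb) * (da + cb) % P
        z3 = x1 * ((da - cb) * (da - cb)) % P
        x2 = aa * bb % P
        z2 = e * (aa + A24 * e) % P
    if swap:
        x2, x3, z2, z3 = x3, x2, z3, z2
    return x2 * pow(z2, P - 2, P) % P


def x25519(private_key, peer_u):
    """X25519(k, u) -> 32-byte shared u-coordinate."""
    return _ladder(_clamp(private_key), _decode_u(peer_u)).to_bytes(32, "little")


def public_from_private(private_key):
    return x25519(private_key, BASE_POINT_U)


def generate_keypair():
    """Returns (public, private) in the same I2P base64 form the page's output uses."""
    priv = secrets.token_bytes(32)
    return i2p_b64encode(public_from_private(priv)), i2p_b64encode(priv)


if __name__ == "__main__":
    pub, priv = generate_keypair()
    print("Public Key:", pub)   # goes into i2cp.leaseSetClient.dh.nnn on the server
    print("Private Key:", priv) # goes into i2cp.leaseSetPrivKey on the client
```

The public key is the value registered on the server side; the private key never leaves the client, and anyone holding only the public key can neither decrypt the LeaseSet nor impersonate that client.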
Step 2: Make a new .conf file in your tunnels.conf.d directory.
# tunnels.conf.d/home-router.conf
[router-encrypted-server]
type = server
host = 192.168.1.1
port = 80
keys = router-enc.dat
signaturetype = 11
i2cp.leaseSetType = 5
i2cp.leaseSetAuthType = 1
i2cp.leaseSetClient.dh.100 = GEwfz2F2PuBpMCxXXXXXXXXN5DoIaDJ0LvFhyorUDD8=
Server Tunnel Explanation
type = server
- This will host a server in i2pd that will point (relay) to the HOST:PORT that you give it
keys = router-enc.dat
- File to store the keys used for the tunnels
- Can be named anything, just make sure not to have conflicting names with other keys
signaturetype = 11
- https://i2pd.readthedocs.io/en/latest/user-guide/tunnels/#signature-types
- From the signature types table: RED25519-SHA512, type 11, "For keys blinding (encrypted LeaseSet)"
i2cp.leaseSet* parameters
- https://i2pd.readthedocs.io/en/latest/user-guide/tunnels/#i2cp-parameters
- i2cp.leaseSetType: Type of LeaseSet to be sent. 1, 3 or 5. (default: 3)
- i2cp.leaseSetEncType: Comma separated encryption types to be used in LeaseSet type 3 or 5. (default: 0,4)
- i2cp.leaseSetPrivKey: Decryption key for encrypted LeaseSet in base64. PSK or private DH
- i2cp.leaseSetAuthType: Authentication type for encrypted LeaseSet. 0 - no authentication (default), 1 - DH, 2 - PSK
- i2cp.leaseSetClient.dh.nnn: Client name:client's public DH in base64, for authentication type 1, nnn is integer
- i2cp.leaseSetClient.psk.nnn: Client name:client's PSK in base64, for authentication type 2, nnn is integer
Step 3: Go to your i2pd webconsole and navigate to the "Router Commands" page (ex. http://localhost:7070/?page=commands), and click "Reload tunnels configuration" to update the tunnels.
Step 4: Navigate to the "I2P Tunnels" page (ex. http://localhost:7070/?page=i2p_tunnels), find your configured server and click on it.
Step 5: Click on the "Encrypted B33 address:" text to reveal the hidden B33 address and copy it down. This will be the "destination" address for our clients.
Step 6: Client config. On your client device, with an i2pd router, make a new .conf file in your tunnels.conf.d directory to store the client configuration to connect to our hidden and encrypted LeaseSet.
# tunnels.conf.d/home-router-client.conf
[router-client]
type = client
address = 127.0.0.1
port = 5555
destination = ubersitksah7kuxhc3xx5i7cqa3ylwbilprbgauvmfr3fxkmntlvl3xf.b32.i2p
keys = router-client.dat
i2cp.leaseSetPrivKey = sG3tqXDDKkpHHOi-XXXXXXXXXnbThbJyaXOTpP~VpV0=
Client Tunnel Explanation
type = client
- This will open a port on the device that, when connected to, relays information to the b32.i2p address we list. Navigating to http://127.0.0.1:5555 will go to the "destination" address we set.
address = 127.0.0.1
- IP address to listen on. Can be set to 0.0.0.0 to allow other devices to connect to your device as well.
port = 5555
- This is the port the client will listen on and send to our destination
destination = ...b32.i2p
- This is our "Encrypted B33 address" we copied from the i2pd webconsole
keys = router-client.dat
- File to store the keys used for the tunnels
- Can be named anything, just make sure not to have conflicting names
i2cp.leaseSetPrivKey = sG3tqXDDKkpHHOi-XXXXXXXXXnbThbJyaXOTpP~VpV0=
- https://i2pd.readthedocs.io/en/latest/user-guide/tunnels/#i2cp-parameters
- Decryption key for encrypted LeaseSet in base64. PSK or private DH
- This is the PRIVATE KEY we generated with the x25519.py program
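A mistake in either file fails quietly: a server section with leaseSetType left at its default publishes a normal LeaseSet, a server with authType 1 but no dh.nnn entries registers no client, and a client without leaseSetPrivKey cannot decrypt the LeaseSet it fetches. The following is an added Python checker, not part of the page or of i2pd, that reads tunnels.conf-style text with configparser and applies the rules the two explanation sections above document. The sample server and client sections are constructed to mirror the page's files; the keys and the b33 destination in them are placeholders.

```python
import base64
import configparser
import re

DH_CLIENT_RE = re.compile(r"^i2cp\.leaseSetClient\.dh\.\d+$")
PSK_CLIENT_RE = re.compile(r"^i2cp\.leaseSetClient\.psk\.\d+$")


def is_i2p_key(value):
    """44 chars of I2P base64 ('-' and '~' instead of '+' and '/') decoding to 32 bytes."""
    try:
        raw = base64.b64decode(value.replace("-", "+").replace("~", "/"), validate=True)
    except ValueError:
        return False
    return len(value) == 44 and len(raw) == 32


def load_tunnels(text):
    cp = configparser.ConfigParser(interpolation=None)
    cp.optionxform = str  # keep option names case-sensitive (i2cp.leaseSetType)
    cp.read_string(text)
    return cp


def check_server(section):
    """Findings for a server section meant to publish an encrypted LeaseSet."""
    findings = []
    if section.get("i2cp.leaseSetType", "3") != "5":  # i2pd default is 3
        findings.append("i2cp.leaseSetType must be 5 for an encrypted LeaseSet")
    if section.get("signaturetype") != "11":
        findings.append("signaturetype should be 11 (RED25519-SHA512) for key blinding")
    auth = section.get("i2cp.leaseSetAuthType", "0")
    dh = {k: v for k, v in section.items() if DH_CLIENT_RE.match(k)}
    psk = {k: v for k, v in section.items() if PSK_CLIENT_RE.match(k)}
    if auth == "0":
        findings.append("i2cp.leaseSetAuthType = 0: no per-client authentication configured")
    elif auth == "1":
        if not dh:
            findings.append("authType 1 (DH) but no i2cp.leaseSetClient.dh.nnn entries")
        findings += [f"{k}: not a 44-char I2P base64 key" for k, v in dh.items() if not is_i2p_key(v)]
    elif auth == "2":
        if not psk:
            findings.append("authType 2 (PSK) but no i2cp.leaseSetClient.psk.nnn entries")
        findings += [f"{k}: not a 44-char I2P base64 key" for k, v in psk.items() if not is_i2p_key(v)]
    else:
        findings.append(f"unknown i2cp.leaseSetAuthType {auth!r}")
    return findings


def check_client(section):
    """Findings for a client section that should reach an encrypted LeaseSet."""
    findings = []
    if not section.get("destination", "").endswith(".b32.i2p"):
        findings.append("destination should be the Encrypted B33 address (ends in .b32.i2p)")
    key = section.get("i2cp.leaseSetPrivKey")
    if key is None:
        findings.append("i2cp.leaseSetPrivKey missing: client cannot decrypt the LeaseSet")
    elif not is_i2p_key(key):
        findings.append("i2cp.leaseSetPrivKey is not a 44-char I2P base64 key")
    return findings


def check_tunnels(text):
    """Section name -> list of findings; an empty list means the section passed."""
    cp = load_tunnels(text)
    report = {}
    for name in cp.sections():
        sec = cp[name]
        kind = sec.get("type")
        if kind == "server":
            report[name] = check_server(sec)
        elif kind == "client":
            report[name] = check_client(sec)
        else:
            report[name] = [f"unknown or missing tunnel type {kind!r}"]
    return report


def _sample_key(byte):
    # Constructed placeholder: 32 identical bytes in I2P base64, not a real key pair.
    return base64.b64encode(bytes([byte]) * 32).decode().replace("+", "-").replace("/", "~")


# Constructed sample mirroring the page's two files, with placeholder keys and destination.
GOOD_CONF = f"""
[router-encrypted-server]
type = server
host = 192.168.1.1
port = 80
keys = router-enc.dat
signaturetype = 11
i2cp.leaseSetType = 5
i2cp.leaseSetAuthType = 1
i2cp.leaseSetClient.dh.100 = {_sample_key(0x41)}

[router-client]
type = client
address = 127.0.0.1
port = 5555
destination = EXAMPLE-B33-ADDRESS.b32.i2p
keys = router-client.dat
i2cp.leaseSetPrivKey = {_sample_key(0x42)}
"""

# Same files with the DH client registration left out of the server section.
BAD_CONF = GOOD_CONF.replace(f"i2cp.leaseSetClient.dh.100 = {_sample_key(0x41)}\n", "")

if __name__ == "__main__":
    for name, findings in check_tunnels(BAD_CONF).items():
        print(name, findings or "ok")
```

Run it against the real files before clicking "Reload tunnels configuration"; the checker only confirms the options are present and well-formed, it cannot tell whether the client's private key actually matches the public key registered on the server.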
Step 7: Go to your i2pd webconsole on your client and navigate to the "Router Commands" page (ex. http://localhost:7070/?page=commands), and click "Reload tunnels configuration" to update the tunnels.
Step 8: Navigate to the "I2P Tunnels" page (ex. http://localhost:7070/?page=i2p_tunnels) and find your configured client to make sure it was loaded successfully.
Step 9: Test. On your client device, you should now be able to navigate to the address and port you set in your client configuration (ex. http://127.0.0.1:5555/), which is relayed to the HOST:PORT of the server.
You can now connect to your server over an encrypted LeaseSet.
Why?
This allows you to host a hidden and encrypted eepsite that cannot be enumerated or scraped by other routers. If someone does happen to find your b32.i2p address, they still need the private key to decrypt the LeaseSet and successfully connect.
Use Cases
- Host hidden SSH server for your home server and avoid CGNAT/NAT/Port Forwarding issues.
- Expose any service securely