
I2P proxy on hosting

Reading time: 5 min
Views: 32K
Now that some resources are slowly beginning to appear in i2p, the question of convenient access to this network has arisen.
You can install an i2p router on your computer, and those who want to give their entire home network access set up a proxy on their home router.
But my question was different. I wanted to be able to reach i2p from any computer without installing additional software, even at the cost of security, because I don't need to hide, I just want to look at something. Where a remote desktop can be launched, I prefer to connect to my home server from Internet cafes and from friends' places, since my configured environment is already there. On a slow connection or with ports closed, using RDP becomes difficult. So the simplest and least demanding option is to install an i2p router on the hosting and set up an http proxy there.

Hosting

There are no special requirements here: a VDS or just a rented server, depending on your needs and financial capabilities. All you need is a machine with root access that can run Java. The OS is not critical; if you really want to, you can bring up a proxy on Windows. But I did it on Linux, which is cheaper and more familiar. Hardware: AMD Athlon 64 5600+ X2, 2 GB RAM. That is overkill, though; I have also installed such a proxy on an inexpensive VDS with 256 MB RAM. Admittedly, it did not run very fast and took up a decent share of the resources.

Installing i2p

OS: Debian wheezy. The choice of distribution does not matter; I have simply grown used to Debian over the past 15 years.
First, add the i2p repository to sources.list:
deb http://deb.i2p2.no/ stable main
deb-src http://deb.i2p2.no/ stable main

Download the repository key www.i2p2.de/_static/debian-repo.pub and add it to apt:
apt-key add debian-repo.pub

Update the package database and install i2p along with the i2p-keyring package (which keeps the repository key up to date):
apt-get update
apt-get install i2p i2p-keyring

Dependencies (including Java) are pulled in automatically.

You can start i2p either by simply typing "i2prouter start" in the console or as a service at system startup. The service is, of course, more convenient.
Run "dpkg-reconfigure i2p" (as root); when asked about starting the service, answer "Yes". At this step you can also set the amount of memory allocated (I left 128MB) and create a user to run the i2p router under.

For Ubuntu everything is configured the same way; only the command for adding the repository differs. More details here.
For other distributions you need to install Java (sunjava, openjdk), download the archive from here and run the console installer "java -jar i2pinstall_XXXX.jar -console". Whether to run it as a service is left to the user.

Basic i2p setup

As a lazy person, I prefer web interfaces rather than configuration files. :)
Initially, access to the web interface is allowed only from the local computer. So we will make the first security hole: open access to the admin panel from any address. But first we need to reach it somehow. We take ssh and make a tunnel from port 7657 on the hosting to port 7657 on our computer.

C:\>ssh user@ваш_сервер -L7657:127.0.0.1:7657
user@ваш_сервер's password:
Linux ваш_сервер 3.2.0-4-amd64 #1 SMP Debian 3.2.51-1 x86_64

You have mail.
Last login: Tue Dec 24 06:18:58 2013 
ваш_сервер:~>


If we see a shell prompt, we open http://127.0.0.1:7657/ and the admin panel of the i2p router becomes available.
First, on the UI tab, set the language to English: if you need to find something, it is easier to search by the English names of the terms than by the Russian ones. For example, you would not immediately guess that "transit traffic" is "share bandwidth".
On the Bandwidth tab I set IN to 512, OUT to 256 and share 50% (that is the transit traffic through your server).
My hosting has a traffic limit (ten terabytes, admittedly), and I don't want to spend much of it on strangers; I have my own needs. Of course, anonymity and, potentially, speed suffer. If you want anonymity, share 100%. The speeds should be adjusted to your server's channel and your needs.
Next, set up the address book: go to http://127.0.0.1:7657/dns, where there is a Subscriptions tab. Initially it contains only www.i2p2.i2p/hosts.txt, which is rarely updated.
Add:
http://i2host.i2p/cgi-bin/i2hostetag
http://stats.i2p/cgi-bin/newhosts.txt
http://no.i2p/export/alive-hosts.txt

Strictly speaking, all three are not needed and they overlap, but I don't think it makes things worse. If you like, you can also look for lists of resources online.

Access to the admin panel from any computer

We begin to add the first hole - we make access to the admin panel from any host, without tunnels:
  1. At http://127.0.0.1:7657/configclients, in the "I2P Router Console" entry, click Edit and change clientApp.0.args=7657 ::1,127.0.0.1 ./webapps/ to clientApp.0.args=7657 0.0.0.0 ./webapps/
  2. At http://127.0.0.1:7657/configui, at the bottom under the list of languages, there are fields for the admin panel username and password.
  3. Reboot the i2p router (for example, with the Restart button on the left).

After this, the admin panel should be reachable at http://your_server:7657, and you should be prompted for the password when logging in.
By the way, for good measure you can also change the port to some other one; it won't protect you from a targeted attack, but it can protect you from randomly roaming bots. It would be better not to open access at all, but I am lazy and don't want to open an ssh tunnel every time I need to get into the settings. And sometimes you have to log in to restart the service.

Setting up an http proxy

Now we open access to the proxy from any IP. Of course, the correct option is simply to forward an ssh tunnel to the desired port:
C:\>ssh user@ваш_сервер -L4444:127.0.0.1:4444
user@ваш_сервер's password:
Linux ваш_сервер 3.2.0-4-amd64 #1 SMP Debian 3.2.51-1 x86_64

You have mail.
Last login: Tue Dec 24 07:37:52 2013 
ваш_сервер:~>

and set 127.0.0.1:4444 as the proxy in the browser settings.

But, as I said above, all this is being set up not for the sake of security but for convenience, so I'll simply open the proxy port.
  1. Go to http://your_server:7657/i2ptunnelmgr, find the tunnel called "I2P HTTP Proxy" and open its settings.
  2. Under Access Point, set Reachable by to 0.0.0.0.
  3. Then set a password: in the Local Authorization field, check Enable, set the username and password and click Save.

Restart the router and wait a couple of minutes for the tunnels to come up.
If necessary, the https proxy can be configured the same way on the same page.

Browser settings

The right way is a separate browser with scripts, Flash and other Silverlights disabled, whose settings send all traffic through the i2p proxy, reached over an encrypted tunnel (see above).
The wrong but convenient way is a script for the main browser that switches proxies automatically.

The browser configuration script is in /usr/share/doc/i2p-router/examples/scripts/i2pProxy.pac.gz
Unpack it and put it somewhere in the webserver folder (you have a webserver on your hosting? :)).
If you installed it manually from the site, then the script is in the folder script/i2pProxy.pac.
In the file, find the line var i2pProxy = "PROXY 127.0.0.1:4444"; and change the IP address and port to yours.
Save, then in the browser go to the proxy settings and in the "automatic configuration script" field enter your_server_name/path_to_i2pProxy.pac
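As an added example (my own illustration, not the i2pProxy.pac shipped with I2P), here is a minimal PAC script with the routing rule such a file implements: only .i2p hosts go to the I2P HTTP proxy, everything else stays DIRECT. your_server is a placeholder for your hosting's name.

```javascript
// Added example, not the i2pProxy.pac shipped with I2P. "your_server" is a
// placeholder for the hosting's name; 4444 is the I2P HTTP Proxy port from
// the tunnel manager, protected by the Local Authorization password.
var i2pProxy = "PROXY your_server:4444";

// True for eepsite hostnames: anything under the .i2p pseudo-TLD, including
// <hash>.b32.i2p destinations. Case-insensitive and tolerant of a trailing
// dot, so "Stats.I2P." matches; the bare label "i2p" does not.
function isI2pHost(host) {
  var h = String(host || "").toLowerCase().replace(/\.$/, "");
  return h.length > 4 && h.slice(-4) === ".i2p";
}

// Entry point the browser calls for every request. .i2p hosts get the proxy
// with no "; DIRECT" fallback: if the proxy is down the request should fail,
// not be retried directly, which would hand the .i2p name to the clearnet
// DNS resolver of whatever network you happen to be on. The router console
// at http://your_server:7657 is not an .i2p host and therefore goes DIRECT.
function FindProxyForURL(url, host) {
  if (isI2pHost(host)) {
    return i2pProxy;
  }
  return "DIRECT";
}
```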

That's it. You browse the network as usual, but when accessing i2p the browser automatically goes through your i2p proxy, asking for the password.
The solution is simple, platform-independent and requires no additional software. It should even work on Android and the other iOSes, as long as the browser there supports proxies.

But on my permanent computers, I prefer to switch access channels using the FoxyProxy plugin - I have more complex proxy selection rules than i2p/the rest of the Internet. :)
FoxyProxy for Firefox: addons.mozilla.org/en-US/firefox/addon/foxyproxy-standard
For chrome: chrome.google.com/webstore/detail/foxyproxy-standard/gcknhkkoolaabfmlnjonogaaifnjlfnp
For IE: getfoxyproxy.org/downloads/FoxyProxy-Standard-IE-1.0.8.exe (it didn't work for me in IE11).

Conclusion

The result is a convenient, but unsafe personal proxy for accessing the i2p network, which can be used from almost anywhere and from any OS. But for personal safety, you still need to encrypt the channel from your computer to the server - either an ssh tunnel or a vpn.

Comments 49

Tell me, are there any non-Java proxies?
There were several attempts to implement it in C++, but, as far as I know, not a single one survived to a usable state.
Although some seem to still be fluttering. For example this one: git.repo.i2p/w/i2pcpp.git
But to understand what it is, you have to build it from source (and even read the source itself to understand what you are building at all :)).

PS. github.com/majestrate/i2pcpp/ — link on the regular Internet
Here it seems someone took up writing it, but as far as I understood it is far from the finish line.
Can you disable loading images?
Where?
Is yours a floodfill? Since it runs 24 hours a day at a fairly decent speed.
I didn't turn it on by hand. If it wants to become one automatically, I won't interfere. :)
But I don't keep it on 24/7; I restart it periodically. Sometimes sites stop opening (eepsite not found), and after a restart it works again.
Please tell me what could be the matter: the web interface of the i2p router is unavailable when accessed at ipaddress:7657. Do you need to somehow explicitly allow access to the web interface from somewhere other than localhost?
You do. Read from the words “We begin to add the first hole - we make access to the admin panel from any host, without tunnels”.
Thank you! I somehow missed this part of the article:)
I have now added a separate heading there to make it more noticeable. :)
Gigabytes of traffic do not pass through i2p. They just don't. I have already offered a hundred megabits, and a gigabit. I don't have a spare server with 10 yet, though I'd very much like to try. Nobody takes that much bandwidth. 300-400 kilobits at best.

For example, about a day has passed since the last update (installed yesterday). Here are the statistics:

3 sec: 0.79 / 0.66 KBps
5 min: 1.36 / 1.32 KBps
Total: 1.91 / 1.91 KBps
Volume: 137.26 MB / 136.24 MB

Well, who on a more or less decent Internet connection is bothered by that? 136MB/day, 4-5GB a month. Nothing. So let it go at whatever you have.

By the way, the position “I'd just like to look” is, on the one hand, understandable (I started with it myself), but on the other hand it somewhat blurs the idea of pure anonymity. I would still suggest describing a separate FF profile for i2p with the correct config. That is, an FF whose shortcut says “use an alternative profile”.

By the way, under Linux it would be nice to wrap it in a container with disabled network interfaces and forced proxying.
«Gigabytes of traffic do not pass through i2p. They just don't. I have already offered a hundred megabits, and a gigabit. I don't have a spare server with 10 yet, though I'd very much like to try. Nobody takes that much bandwidth. 300-400 kilobits at best.»

Have you tried enabling Floodfill? Then any new information about any node will be exchanged with your neighbors, which will dramatically increase traffic.
No, I haven't tried it. And even if it were turned on, that is service information, not network traffic.

What I mean is that i2p is small, laggy and slow, just like the Internet in the days of dialup and AltaVista. And in modern conditions its crumbs of traffic are only worth counting for customers of extreme providers (mobile/satellite Internet with per-traffic billing).
It lags precisely because people are constantly raising and lowering routers.
Let’s say you stopped your router, and there were a bunch of tunnels going through you. The creators of these tunnels continue to use them, sending data to nowhere and waiting from nowhere.
There is no direct way to find out that the tunnel is no longer functioning.
The correct solution, in my opinion, would be a message similar to the message for creating a tunnel, which the node would send through all its tunnels that it is disconnecting.
jfyi, this was an update of the router along with the system. Before this there were 62 days of uptime without a single failure.
By the way, if they have such a thing that they update the version and the I2P address of the router changes, as a result, those who connect to the old IP addresses get a slap.
136MB/day

So that's good. :)

blurs the idea of ​​pure anonymity

I don't have this idea. For now, at least. See title picture.
And pure anonymity must start with setting aside a separate computer, so that nothing unnecessary leaks into the browser even from the clipboard. :)

When JS is turned off, the clipboard is not available to the site.
No one is immune from software holes and bugs.
In this case a “separate computer” will not help at all: one request over plain http, and all anonymity remains with SORM with a hanger. Containers are better in this sense, because a network namespace completely isolates the application from “unnecessary” network interfaces. That is, a hole in the kernel or the i2p router remains, but trivial http will no longer go past the proxy to the vile extremist-suicidal child-pornographic copyright-violating Google.
I have a different idea for this: all http requests in I2P through the built-in web server, which is used for administration, working on the principle of an anonymizer. And all links in the resulting pages are replaced with it and the address as parameters.
Then all calls to I2P addresses will ensure proper anonymity, and calls to regular addresses will not go further than their own node.
The isolation is too thin and complex. There are many places where you can do things “wrong” and miss some type of request. Favicon, say, or gopher, or a tricky composite url in web fonts in media in css.

Blocking an application's access to the network (except for the tun interface to the i2p-router) is much rougher and more reliable. (bale - no problem).
In fact, this idea is dictated primarily by simplifying work with I2P.
You need to get to some resource within the network, you don’t bother with a proxy, but launch the router and from the same page where you have the settings go to the I2P address you need.
If we still think about anonymity, then it is better to launch the browser in the browser. Something like a browser based on canvas/js. It will be isolated. How long.
It will save you from accidentally inserting private information left in the buffer. I meant browser and user glitches, not i2p.

By the way, an additional link for security: on the same hosting we install a terminal server (if the hardware allows) and launch the browser directly on it. Then your client computer should not be visible at all.
Could you describe how to organize such a scheme in a little more detail?

I recently got hold of a home server, so there’s an opportunity for experimentation. As far as I understand, we install a hypervisor and several virtual machines:
the first is an i2p router, the main problem here is who, how and what to limit.
second - a browser in which JS is disabled, a proxy is configured for the first virtual machine.
I'll try to write a configuration guide around i2p, while I'm still gaining experience. Not earlier than summer-autumn.
I'm really looking forward to it!
There's something strange about the speed. A few weeks ago it was around 300-700KBps. Then after another server reboot it became lower 100.
Lately the average speed is approximately as shown in the screenshot:
Gigabytes of traffic do not pass through i2p. They just don't. I have already offered a hundred megabits, and a gigabit.
Well, I don't know... 200Gb back and forth in 9 days of uptime.
habrastorage.org/storage3/a67/6f1/ece/a676f1ecefaa73f37e2ec531aff2e413.png
habrastorage.org/storage3/2e2/d3c/d71/2e2d3cd7100613c59497b9c6cdcfb00d.png

For some reason, Habr does not allow you to post proofs, so only links.
Uptime: 6 days
Used: 1.54 GB / 1.41 GB

Didn't set any limits.
I now have an uptime of 6 days. Traffic “Used: 25.68 GB / 25.18 GB”.
So the allowed 128 kilobits are utilized almost completely.
128 kbit - yes, but if you set the load a little more there is simply no such load, and there is no utilization either.
«There are no special requirements here: a VDS or just a rented server, depending on your needs and financial capabilities. All you need is a machine with root access that can run Java.»

The question is whether VDS will support AES-NI processor instructions, otherwise without them everything will become very sad, since I2P is essentially multi-layer AES encryption.
How much encryption is there per second? As a percentage of processor load. Besides, trusting Intel encryption these days is, to put it mildly, not a good idea.
Depends on the traffic, obviously. Each packet is actually encrypted 5 times: garlic, a standard 3-node tunnel and transport, and, accordingly, in the other direction.
Why is Intel encryption bad, not in terms of hiding from everyone but in terms of bypassing censorship?
This is pennies for the processor. On my old core 2 quad, all Java eats up 10% of the CPU. On modern processors this will be less than 7-8%, that is, nothing.

Intel is bad because it's not encryption, it's just crap. To bypass censorship a proxy is enough; i2p is for anonymity.
>This is pennies for the processor. On my old core 2 quad, all Java eats up 10% of the CPU. On modern processors this will be less than 7-8%, that is, nothing.

I suppose it depends on what you are running. In addition, I don’t know much about Java, perhaps it is forcibly limited. With a regular binary application I will fill up all available processor cores in an instant.
Regarding the “pennies”, I clearly see how my Raspberry Pi spends all its time on encryption when working intensively with I2P.

>Intel is bad because it’s not encryption, it’s just crap.

Justify that. Are you saying that the aesenc instruction produces different data than a software implementation would? Then how does the other party, with the same key and a different AES implementation, successfully decrypt?
I can fully believe there is some kind of backdoor that “copies” the contents of some registers when executing this instruction and sends them “where needed”, but I don't believe there is some other AES in there.
To score “all cores in an instant” you need to have so many bytes for encryption, and where do you get so many bytes in a stream in i2p?

Comparing the performance of i2p and Intel processors (above atom) is simply ridiculous, the difference is orders of magnitude.

Nobody knows what is going on inside an Intel processor. That alone is enough not to trust its encryption. Like any other hardware without accessible schematics and circuit diagrams.
>where do you get so many bytes in a stream in i2p?
Active probing, requesting hundreds of floodfills simultaneously, for example.

And someday they will start distributing torrents, then hardware encryption will be very useful.
Thank you, everything worked great. True, instead of setting up rules in the foxyproxy plugin, I used privoxy, as described here help.ubuntu.com/community/I2P
Tell me, aik, if you are still hosting I2P, would you like to help the whole network by also maintaining an updated page with a list of nodes, from which newly connecting participants would receive this list? As it turned out, there is not a single such node in Russia.
I would do it, but I have ADSL and a very low upload speed. Efficiency is low.
The main thing here is not the speed of return, but the availability 24/7.
I agree, but if in addition to transit traffic I also give away address books, then it will be problematic for me to use the “regular” Internet.
Speedtest
Today it's not great at all; usually Download is 15 Mb/s, but Upload is always like this.
My hosting is not in Russia.
Add port forwarding to a remote server via plink

plink -ssh user@server -P ssh_port -l username -pw password -L local_port:127.0.0.1:remote_port


You can also use the -C (compression) and -N (do not run shell) options.