
We host the site on an anonymous I2P network (+ paranoid mode)

Reading time 6 min
Views 31K


Let's assume you have already logged into I2P a few times, chatted with the folks there on IRC, got inspired by the idea of an invisible Internet, and started thinking about your own modest contribution to I2P. Thinking it over, you sat for a couple of days in front of an open notepad, learning along the way from the news that not only Flibusta but also Rutracker had been blocked, and finally remembered that you are Snowden and the founder of WikiLeaks (a very unexpected turn, I admit; I didn't expect this from you myself), and that you have long been looking for a platform for publishing socially significant information. For example, you decided to post somewhere the pictures of cats you liked on Twitter (Snowden likes cats on Twitter, did you know?). And your choice fell on I2P.

What you need for this: a running web server and the I2P daemon (i2pd). If you don't have them yet, install them (links to installation tutorials for both Windows and Unix are at the end of the article). In our example the server listens at

127.0.0.1:8080

Remark: if you want the site to be reachable only via I2P, note that pointing the i2pd router at your server does not disconnect any other listeners you have configured for the regular Internet. You have to shut those down yourself, so that the only path to the server is from the router on your local machine: bind the server to 127.0.0.1 only, never to 0.0.0.0, and make sure no port forwarding or firewall rule exposes it. A hidden site that can also be reached directly from the clearnet is trivially linkable to your real address.

As you remember, i2pd is a box with a bunch of ports sitting inside your computer and connected to the I2P network. The server you started is another box that can also be reached through ports. So if we connect the two ports, our server becomes reachable from the I2P network. And since our server listens on 127.0.0.1:8080, we take i2pd and point it at that same address.

Open the tunnels config file (on Unix ~/.i2pd/tunnels.cfg, on Windows %APPDATA%\i2pd\tunnels.cfg; newer i2pd releases name this file tunnels.conf) and add to it:

[SUPERHACKERSITE]
type = http
host = 127.0.0.1
port = 8080
keys = superhackersite.dat

Unlike the existing tunnels such as IRC, here we act as the server: we no longer connect to something on the network, people from the network come to us, so the tunnel type is set accordingly. Instead of http you could specify server. The difference is that the server type passes the data through as is (you can reach your server through it just the same), while the http type adds the following headers to each request:

X-I2P-DestHash - the hash of the visitor's destination, in base64
X-I2P-DestB32 - the same hash in base32, i.e. the visitor's b32 address without the .b32.i2p suffix
X-I2P-DestB64 - the visitor's full destination in base64

For server administrators these headers make it possible to build sessions and treat each visitor individually (yes, this is possible in I2P too, as long as the visitor keeps connecting from the same destination). Keep in mind that the headers are inserted by your own router on the way in: they are only trustworthy if the backend cannot be reached by any path other than the i2pd tunnel, otherwise a client connecting directly can supply whatever X-I2P-* values it likes.
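What using those headers looks like on the backend side, as an added example written for this article (it is not code from the original post or from i2pd): the visitor is identified by X-I2P-DestB32, requests without a well-formed header are refused because they cannot have come through the tunnel, and an optional application-level allowlist in the same bare-b32 format as i2pd's accesslist option gives a second layer of "paranoid mode". It assumes the backend is bound to 127.0.0.1 only; the visitor addresses are constructed samples.

```python
"""Per-visitor handling behind an i2pd `type = http` server tunnel.

Added example for this article; it is not code from the original post or from
i2pd. It assumes the backend listens on 127.0.0.1 only, so every request
arrives through the i2pd tunnel and the X-I2P-* headers were set by the router,
not by the client. All visitor addresses below are constructed samples.
"""
from http.server import BaseHTTPRequestHandler, HTTPServer
import re

# A b32 address body is SHA-256 of the destination, base32 (lowercase, no
# padding): 32 bytes -> exactly 52 characters from the RFC 4648 alphabet.
B32_RE = re.compile(r"^[a-z2-7]{52}$")

# Application-level "paranoid mode", mirroring i2pd's `accesslist =` option:
# bare b32 bodies without the .b32.i2p suffix. Constructed sample entries.
ALLOWLIST = {
    "26qxgmyqczulza5ym3jij5er3onclacejyqzecuhjllwun3kxuzq",
    "4bpcp4fmvyr46vb4kqjvtxlst6puz4r3dld24umooiy5mesxzspa",
}


def visitor_id(headers):
    """Return the visitor's b32 body from X-I2P-DestB32, or None if absent/invalid.

    Header names are matched case-insensitively so this works with a plain dict
    as well as with http.server's message object (first occurrence wins).
    """
    value = None
    for name, val in headers.items():
        if name.lower() == "x-i2p-destb32":
            value = val
            break
    if value is None:
        return None
    b32 = value.strip().lower()
    if b32.endswith(".b32.i2p"):          # tolerate a full hostname
        b32 = b32[: -len(".b32.i2p")]
    return b32 if B32_RE.match(b32) else None


def handle_request(headers, allowlist=None, counters=None):
    """Policy decision for one request: returns (http_status, visitor_or_None).

    No usable X-I2P-DestB32 means the request did not come through the http
    tunnel (or the tunnel is `type = server`), so it is refused. With an
    allowlist, unknown visitors are refused too. `counters` (a dict) collects
    hits per visitor, which is what a session table or rate limiter keys on.
    """
    visitor = visitor_id(headers)
    if visitor is None:
        return 403, None
    if allowlist is not None and visitor not in allowlist:
        return 403, visitor
    if counters is not None:
        counters[visitor] = counters.get(visitor, 0) + 1
    return 200, visitor


class Handler(BaseHTTPRequestHandler):
    """Minimal stand-in for the 127.0.0.1:8080 backend from the article."""
    hits = {}

    def do_GET(self):
        status, visitor = handle_request(self.headers, ALLOWLIST, self.hits)
        body = (f"hello {visitor}, visit #{self.hits.get(visitor, 0)}\n"
                if status == 200 else "forbidden\n").encode()
        self.send_response(status)
        self.send_header("Content-Type", "text/plain")
        self.send_header("Content-Length", str(len(body)))
        self.end_headers()
        self.wfile.write(body)


if __name__ == "__main__":
    # Bind to loopback only: the i2pd server tunnel is the only intended client.
    HTTPServer(("127.0.0.1", 8080), Handler).serve_forever()
```

Run it in place of the 127.0.0.1:8080 backend and point the tunnel from the config above at it; a request that bypasses i2pd (for example curl straight to port 8080) gets 403 because it carries no router-supplied header, which is exactly why the backend must not be reachable any other way.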

The key file (as you have noticed, it can be named whatever we like) must be stored carefully: it holds the private keys from which the site's address (its destination) is derived. Lose it and the address is gone for good; let it leak and anyone holding it can impersonate the site.

Optionally, you can enable a paranoid access mode that admits only a fixed set of addresses. Have each of your friends look up their own destination address (it is shown to them in the web console on the Local destinations page, alongside the destinations of the tunnels they have built; they can single it out by comparing against the I2P tunnels page) and report it to you. Then add one more line to the tunnel section you created, listing the addresses in the bare form 26qxgmyqczulza5ym3jij5er3onclacejyqzecuhjllwun3kxuzq (without the .b32.i2p suffix), separated by commas, like this:

accesslist = 26qxgmyqczulza5ym3jij5er3onclacejyqzecuhjllwun3kxuzq, 4bpcp4fmvyr46vb4kqjvtxlst6puz4r3dld24umooiy5mesxzspa, etc.

The catch is that for this to work, your friends on the accesslist must make their HTTP proxy use a persistent destination. By default, i2pd generates a fresh transient address for the proxy on every start (new addresses help you stay anonymous), so without an extra setting each of them would show up with a new address every time and drop out of your accesslist at their next restart. They need to give the proxy a key file (the keys = proxykeys.dat setting in the [httpproxy] section of i2pd.conf; for details, let them look at the link to the configuration docs at the end of the article) so that they always come to you from the same address.

Save the changes to tunnels.cfg. If i2pd is already running, stop it from the terminal:

$ pkill i2pd

and start it again; without this the changes to tunnels.cfg will not take effect. Keep in mind that stopping the router drops any transit tunnels other people currently have running through your node; newer i2pd versions can reload the tunnels configuration without a full restart, on SIGHUP or from the web console.

Now go to the web console, open the I2P tunnels page and look for an entry of the form

SUPERHACKERSITE < 4bpcp4fmvyr46vb4kqjvtxlst6puz4r3dld24umooiy5mesxzspa:8080

Copy everything up to the colon and the port. This is the b32 address of your site as it appears in I2P (it stays constant for as long as it is tied to the superhackersite.dat key you created). Add the .b32.i2p suffix to get an address like

4bpcp4fmvyr46vb4kqjvtxlst6puz4r3dld24umooiy5mesxzspa.b32.i2p

With i2pd running, open this new address through its HTTP proxy (127.0.0.1:4444 by default) and check that the page loads. Done? Then the site is reachable from I2P. We almost forgot the most important thing: you wanted to put cats on your page!

Once the cats are added, you can share the address with your friends (and if you are not Snowden but were only pretending to be him all this time, don't forget to send your site's address to the real Snowden, who, we repeat, loves cats).

By the way, you can also get a human-readable address for your site, completely free of charge. After all, real anonymous people like you and me sometimes need a public name too. To see how, let's take a closer look at I2P addressing.

Instead of IP addresses there are long, truly inhuman cryptographic identifiers, the destinations: at least 387 bytes in binary form, 516 characters once encoded in base64. Every network endpoint has one: the router itself, every tunnel destination associated with it, and now our website too.

Everyone understands that while base64 destinations work fine router to router, they are very inconvenient person to person. So the network provides a mapping between these inconvenient 516-character addresses and convenient short ones.

There are two kinds of convenient addresses. The first are Internet-style names (for example onelon.i2p or armada.i2p). The second are the b32 addresses we have already met, which are computed from the b64 destination: the b32 address is the SHA-256 hash of the destination, base32-encoded. B32 is much shorter and more convenient to pass to someone in a chat. So why are both in use? Because given a b32, your router can find the corresponding full destination on its own: it looks the hash up in the network database and fetches the LeaseSet that carries it. Human-readable names, on the other hand, are assigned by people; no computation can recover the destination from a name like direct.i2p, so to reach that address the corresponding b64 has to be stored somewhere.

The name-to-destination mappings are kept in address books, and every router on the network has its own local copy. It is tempting to compare this with a hosts file, and functionally they are indeed similar, but in I2P the address book plays a far bigger role, because there is no DNS at all (a deliberate choice for fault tolerance). There are, of course, nodes from which any router can download name-to-base64 mappings, but they are only contacted periodically to fetch updates for the address book. When you type a site name into the address bar, your router looks up its base64 not on some remote server but in its own address book.

The address book lives in the addressbook directory. The addresses.csv file you will find there consists of lines pairing Internet-style names with base32 identifiers.

As mentioned, all of this is downloaded regularly over subscriptions from trusted servers (ordinary nodes just like yours). So for our site to appear in other people's address books, we need to register it with one of the corresponding services, for example the I2P Name Registry, inr.i2p. To register you submit an application with your site's b64 destination, which is easy to find in the web console: open I2P tunnels and click the b32 address. The page shows information about the tunnel's connections and, of course, the b64.

Technically, you can also run your own name registration service: publish on your site a hosts.txt-style text file with one name=base64 mapping per line and persuade your visitors to add it as another subscription source.
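The addressing rules described above (b32 is the SHA-256 of the b64 destination, hosts.txt subscriptions map names to b64, and the site's own key file starts with that same destination) carried out in code, as an added example written for this article; it is not code from the original post or from i2pd. It follows the public I2P Destination layout (256-byte public key, 128-byte signing key, then a certificate of 1-byte type, 2-byte big-endian length and payload) and can be pointed at a keys file such as superhackersite.dat to recompute the site's b32 offline, which is the check to run before publishing an address copied from the web console. The sample destination and hosts.txt lines are constructed, not real sites.

```python
"""I2P addressing from the bytes up: base64 destinations, b32 and hosts.txt.

Added example for this article; it is not code from the original post or from
i2pd. It implements the public I2P Destination layout (256-byte public key,
128-byte signing public key, then a certificate of 1-byte type, 2-byte
big-endian length and payload) and the b32 rule: SHA-256 of the destination,
base32-encoded. The sample destination and hosts.txt lines are constructed,
not real sites.
"""
import base64
import hashlib
import sys

# I2P base64 uses '-' and '~' where standard base64 uses '+' and '/'.
_FROM_I2P = bytes.maketrans(b"-~", b"+/")
_TO_I2P = bytes.maketrans(b"+/", b"-~")

CERT_KEY = 5  # certificate type that carries signature/crypto type codes


def i2p_b64decode(text):
    """Decode I2P-flavoured base64 text to bytes (strict: stray chars raise)."""
    return base64.b64decode(text.strip().encode().translate(_FROM_I2P), validate=True)


def i2p_b64encode(raw):
    """Encode bytes as I2P-flavoured base64 text."""
    return base64.b64encode(raw).translate(_TO_I2P).decode()


def parse_destination(buf):
    """Split one Destination off the front of `buf`; return (destination, rest).

    The same prefix parse works on an i2pd keys file (superhackersite.dat in
    the article): a PrivateKeys blob starts with the Destination, followed by
    the private keys, so the site address can be recomputed from it offline.
    """
    if len(buf) < 387:
        raise ValueError("too short for a Destination (need >= 387 bytes)")
    cert_type = buf[384]
    cert_len = int.from_bytes(buf[385:387], "big")
    end = 387 + cert_len
    if len(buf) < end:
        raise ValueError("certificate truncated")
    if cert_type == CERT_KEY and cert_len < 4:
        raise ValueError("key certificate must carry sig and crypto type")
    return bytes(buf[:end]), bytes(buf[end:])


def b32_of(dest):
    """b32 address body: SHA-256 of the destination, lowercase base32, no '='."""
    digest = hashlib.sha256(dest).digest()
    return base64.b32encode(digest).decode().lower().rstrip("=")


def parse_hosts_line(line):
    """Parse one subscription / hosts.txt entry 'name.i2p=<b64>' to (name, b32).

    Returns None for blank and comment lines. Anything after '#' is dropped,
    which also discards the optional '#!' option suffix some feeds append.
    """
    line = line.split("#", 1)[0].strip()
    if not line:
        return None
    name, sep, b64 = line.partition("=")
    name = name.strip().lower()
    if not sep or not name.endswith(".i2p") or not b64.strip():
        raise ValueError("bad hosts line: %r" % line)
    dest, rest = parse_destination(i2p_b64decode(b64))
    if rest:
        raise ValueError("trailing bytes after destination for %s" % name)
    return name, b32_of(dest)


def sample_destination():
    """Constructed dummy destination with an Ed25519 key certificate.

    The key material is filler, not real keys; only the layout matters here.
    Ed25519 public keys are 32 bytes and sit right-aligned in the 128-byte
    signing-key field, the rest being padding.
    """
    enc_pub = bytes(range(256))
    sig_pub = b"\x00" * 96 + bytes(range(32))
    cert = bytes([CERT_KEY]) + (4).to_bytes(2, "big")
    cert += (7).to_bytes(2, "big") + (0).to_bytes(2, "big")  # sig 7 = Ed25519, crypto 0 = ElGamal
    return enc_pub + sig_pub + cert


if __name__ == "__main__":
    # Usage: python3 i2p_addr.py superhackersite.dat  -> prints b32 and b64 of the site
    path = sys.argv[1] if len(sys.argv) > 1 else None
    raw = open(path, "rb").read() if path else sample_destination()
    dest, _ = parse_destination(raw)
    print(b32_of(dest) + ".b32.i2p")
    print(i2p_b64encode(dest))
```

Running it against the keys file should print exactly the b32 the web console shows on the I2P tunnels page; the b64 on the second line is what a registry such as inr.i2p asks for, and a hosts.txt line for your own registration service is simply the site name, '=', and that b64.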

So you can hand your b32 identifier to your friends, in which case all they need to reach it is a network connection, or you can additionally give the site a cool name, but then that name has to land in their address books.

Beyond that, to spread a site's address around the network there are all sorts of directories, wikis along the lines of the hidden wiki in Tor, and at least one search engine that honours robots.txt, but that, as they say, is a whole different story.

Go to IRC and chat with the developers in the #i2pd-ru channel. Remember that your anonymity depends first of all on you. Good luck building your site!

If you don't know how to install i2pd yet, here you go:

habrahabr.ru/post/275643 — How to launch i2pd for the first time: instructions for Debian/Ubuntu

habrahabr.ru/post/275647 — How to use i2pd: comprehensive instructions for MS Windows

Also recommended reading:

i2pd.readthedocs.org/en/latest/configuration.html#config-files — Configuration and daemon start settings

xakep.ru/2011/07/07/56161 — Anonymous hosting via I2P: practical advice on using a cryptonetwork
Total votes 26: ↑24 and ↓2, +22

Comments 17

It would also be worth improving connectivity. In several days of uptime, one site opened. And that's with the statistics for the others, where they proudly glow green. City ISP. NAT.
Perhaps the problem is not connectivity but that the sites you want to open are not in your address book (in that case the browser will also show a server error). Use inr.i2p, it has the largest database of sites' b64. After visiting a site, its b64 is added to the address book automatically.
I understand you. Thank you. I'll try.
> pkill i2pd
Not a very good idea, it seems to me: there may already be transit tunnels running through your client.

PS At first it felt like I was on the Hacker magazine blog :)
Well, properly speaking, you should first switch them off and wait 10 minutes.
But after that it's still pkill.
Or via I2PControl if enabled.
By the way, we are currently working on the issue of implementing bidirectional tunnels in i2pd, which will allow us to avoid this problem over time, since an explicit notification will be sent when disconnected.
A lot of filler, few explanations, and the picture can't be found.

I am requesting an expansion of the part about obtaining a human-readable address within i2p and the principle of operation of local dns.
Corrected, supplemented.
And here is the picture: http://i2push.i2p/?file=38881454068940.png
:)
Subtle.
one of the services for matching b32 addresses and normal-readable-addresses

There's an error here. It is not the b32 that is matched but the b64 address. You can also write only the b64 into the address book. Why they did it this way I don't really understand, since both addresses identify a site uniquely, but there it is.

Therefore it wouldn't hurt to publish all of a site's details on the site itself: the readable domain and whom it is registered with (if any), the b32 domain, and the b64 address. Otherwise a person who arrives via b32 cannot add the site to their address book; and a person who arrives via the readable domain (that is, b64) cannot send a link to a friend if the friend's router has resolution problems, because for that you need the b32.
Corrected.
A useful article, but it would be really cool if you had dropped the "xakep" magazine style; here this informal "you" looks ridiculous, to say the least.