HowTo/Qubes

From i2pwiki.mk16.de

Qubes is an operating system following the security by isolation paradigm<ref>https://www.qubes-os.org/doc/architecture/</ref>. Since R3, Qubes ships with two Whonix images, one to be used as the gateway in a ProxyVM, the other to be used as the workstation in an AppVM. There is no comparable I2P support, so this page is a tutorial on how to set up an AppVM running I2P.

Resources

  • The Privacyhawk website has a tutorial for I2P on Qubes. [1] Enabling system-wide Tor, as Privacyhawk recommends, is optional and unrelated to the functioning of I2P.

Basic Instructions

Step 1: Installing I2P

There are a variety of ways to run I2P on Qubes.

Installation on Whonix-WS

This should be possible in theory, though the Whonix workstation is configured to connect only through Tor. If you can get around that, just follow the Debian instructions, since Whonix is based on Debian.

Installation on Debian (TemplateVM)

The installation is done in a TemplateVM. In step 2, i2p.service will be configured to run only when we allow it to (assuming the TemplateVM is trusted; if it isn't, do the complete setup in a standalone VM). Feel free to torify the complete traffic of your TemplateVM: only the traffic of your I2P AppVM needs to reach the clearnet.

There are Debian repositories for I2P, so this is the preferred operating system.

  • Download the repository signing key:
wget https://geti2p.net/_static/i2p-debian-repo.key.asc

(Downloads i2p-debian-repo.key.asc file to current working directory)

  • Confirm fingerprint:
gpg --with-fingerprint i2p-debian-repo.key.asc

should yield:

pub  4096R/5BCF1346 2013-10-10 I2P Debian Package Repository <killyourtv@i2pmail.org>
      Key fingerprint = 7840 E761 0F28 B904 7535  49D7 67EC E560 5BCF 1346

If it matches, create a .gpg file and add it to apt's trusted keys:

gpg --no-default-keyring --keyring ./i2p-pubkey.gpg --import i2p-debian-repo.key.asc
sudo cp i2p-pubkey.gpg /etc/apt/trusted.gpg.d/

(A split-GPG setup would be awesome, but harder to pull off.)

  • Add the repository by adding the file:
sudo nano /etc/apt/sources.list.d/i2p-release.list

and entering the following two lines:

deb http://deb.i2p2.no/ jessie main
deb-src http://deb.i2p2.no jessie main

(If you are using Debian Testing or Unstable, replace "jessie" with "unstable")

  • Load the new repository and the public key:
sudo apt-get update
  • Install necessary packages:
sudo apt-get install i2p i2p-keyring xul-ext-foxyproxy-standard

If you don't want to use foxyproxy, simply omit it.
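The Debian steps above as one script, an added example that is not from this wiki page or the I2P project: it downloads the key, compares its fingerprint against the one quoted above and only then trusts it and adds the repository. The helper names and the use of GnuPG's show-only import option (2.1.13 or newer) are assumptions.

```shell
#!/bin/sh
# Added example, not from the wiki page: automates the Debian
# TemplateVM steps above and refuses to trust the repository key
# unless its fingerprint matches the one quoted on this page.
# Run with "install" as the first argument to actually apply it.
set -eu

# Fingerprint of the I2P Debian repository key as shown above.
I2P_KEY_FPR="7840 E761 0F28 B904 7535  49D7 67EC E560 5BCF 1346"
I2P_KEY_URL="https://geti2p.net/_static/i2p-debian-repo.key.asc"
I2P_SUITE="${I2P_SUITE:-jessie}"   # "unstable" for Debian Testing/Unstable

# Drop whitespace and upper-case the hex so both formats compare equal.
normalize_fpr() {
    printf '%s' "$1" | tr -d ' \t\n' | tr 'a-f' 'A-F'
}

# fpr_matches ACTUAL EXPECTED: exit 0 only if they name the same key.
fpr_matches() {
    [ "$(normalize_fpr "$1")" = "$(normalize_fpr "$2")" ]
}

# Read the primary fingerprint from an armored key file without
# importing it (needs GnuPG 2.1.13 or newer for show-only).
key_file_fpr() {
    gpg --batch --with-colons --import-options show-only --import "$1" 2>/dev/null \
        | awk -F: '$1 == "fpr" { print $10; exit }'
}

install_i2p_repo() {
    wget -q "$I2P_KEY_URL" -O i2p-debian-repo.key.asc
    actual=$(key_file_fpr i2p-debian-repo.key.asc)
    if ! fpr_matches "$actual" "$I2P_KEY_FPR"; then
        echo "fingerprint mismatch (got '$actual'); not trusting key" >&2
        exit 1
    fi
    gpg --no-default-keyring --keyring ./i2p-pubkey.gpg --import i2p-debian-repo.key.asc
    sudo cp i2p-pubkey.gpg /etc/apt/trusted.gpg.d/
    printf 'deb http://deb.i2p2.no/ %s main\ndeb-src http://deb.i2p2.no %s main\n' \
        "$I2P_SUITE" "$I2P_SUITE" | sudo tee /etc/apt/sources.list.d/i2p-release.list
    sudo apt-get update
    sudo apt-get install -y i2p i2p-keyring   # add xul-ext-foxyproxy-standard if wanted
}

if [ "${1:-}" = "install" ]; then
    install_i2p_repo
fi
```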

Installation on Fedora (AppVM)

This method installs I2P ONLY in the AppVM or ProxyVM; no changes are made to any template.

Download, verify and install the latest version from the I2P website. No special instructions are needed here; the I2P installer will place all files in ~/home/, where persistence always applies. OpenJDK is available in the default repositories of the TemplateVM. Oracle Java is beyond the scope of this tutorial and should not be required for I2P.

You will want to enable port forwarding for I2P. In AppVMs and ProxyVMs, most data outside the /home directory does not persist across shutdown. Because of that, startup commands are stored in the /rw/config/ folder; for an AppVM, they go in /rw/config/rc.local. The rc.local file runs all commands as root unless the user specifies otherwise.

  • Port forwarding instructions can be found at the Qubes-OS website:
Onion address [2]
Clearnet address [3]


Step 2: configuring I2P<ref>https://www.qubes-os.org/doc/qubes-service/</ref>

In a TemplateVM

(This should be the same for all Linux distributions; however, the unit may be called i2prouter.service instead of i2p.service, so adjust accordingly.) If you installed I2P in an AppVM, these instructions are still valid, but they will only take effect in that particular AppVM. We need to configure i2p.service so that Qubes can control it. This assumes that the TemplateVM is trusted. If it isn't, remove I2P and install it in a standalone VM!

  • Make sure I2P is disabled:
sudo systemctl disable i2p

(This is still run in the templateVM.)

  • Create controllable i2p.service:
sudo nano /etc/systemd/system/i2p.service

File content if installed via the package manager (mostly Debian-based systems):

.include /lib/systemd/system/i2p.service
[Unit]
ConditionPathExists=/var/run/qubes-service/i2p

File content if installed via download (mostly Fedora-based systems):

[Unit]
ConditionPathExists=/var/run/qubes-service/i2p
[Service]
ExecStart=/path/to/i2p/executable start
  • Configure I2P to start automatically:
sudo systemctl enable i2p

(Alternatively, run dpkg-reconfigure i2p and select i2p to start on boot.) Now I2P can be controlled from the services tab of the VM manager!
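The same ConditionPathExists override written as a systemd drop-in, an added example that is not from this wiki page or the I2P project: the .include directive used above is no longer accepted by newer systemd releases, and a drop-in directory gives the same condition without copying the unit. The helper names are assumptions; run it as root with install (and optionally the unit name) to apply.

```shell
#!/bin/sh
# Added example, not from the wiki page: the same ConditionPathExists
# override as above, but as a systemd drop-in instead of ".include",
# which newer systemd releases no longer accept. Helper names are
# hypothetical; SERVICE defaults to i2p (use i2prouter where the unit
# is called that).
set -eu

QUBES_SERVICE_DIR="/var/run/qubes-service"

# write_qubes_dropin UNIT_ROOT SERVICE: creates
# UNIT_ROOT/SERVICE.service.d/qubes.conf so the unit only starts when
# Qubes has created the service flag file. Prints the drop-in path.
write_qubes_dropin() {
    dir="$1/$2.service.d"
    mkdir -p "$dir"
    printf '[Unit]\nConditionPathExists=%s/%s\n' "$QUBES_SERVICE_DIR" "$2" > "$dir/qubes.conf"
    echo "$dir/qubes.conf"
}

# dropin_condition FILE: the ConditionPathExists value of a drop-in.
dropin_condition() {
    sed -n 's/^ConditionPathExists=//p' "$1"
}

# qubes_service_requested SERVICE: exit 0 if the VM manager turned the
# service on (the flag file the condition above checks at boot).
qubes_service_requested() {
    [ -e "$QUBES_SERVICE_DIR/$1" ]
}

if [ "${1:-}" = "install" ]; then
    svc="${2:-i2p}"
    f=$(write_qubes_dropin /etc/systemd/system "$svc")
    systemctl daemon-reload
    systemctl enable "$svc"
    echo "wrote $f; $svc now starts only when ticked in the services tab"
fi
```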

In an AppVM

NOTE: You should DEFINITELY configure I2P in the TemplateVM if you installed it there!

To run i2p on startup, make sure the rc.local is executable:

# chmod +x /rw/config/rc.local

Add this line to /rw/config/rc.local:

su -l <user> -c /path/to/i2p/executable start

Reboot persistence

Some I2P plugins save their data in locations not persisted by Qubes! This means you should configure them to store data in persistent paths (e.g. your home directory). Sadly, there doesn't seem to be a global setting for that in I2P, so you have to figure it out for every plugin on its own. This problem likely exists only for those who have installed I2P in a TemplateVM.

Step 3: configure browser

  • If you haven't already, create a new AppVM based on the I2P template (and shut down the template).
  • In the Qubes VM Manager, open the VM settings of your I2P AppVM.
  • In the services tab, create a new service called "i2p". It should appear checked.
  • Make sure the I2P AppVM is allowed to connect to the clearnet (NetVM = sys-firewall or sys-net).
  • Close the settings and start Firefox/Iceweasel in the I2P AppVM.
  • In your browser, go to 127.0.0.1:7657

It could take a few minutes for I2P to start. If the browser can't connect, try again in a minute or so.

  • Once you have reached the I2P router console, configure a proxy in Firefox to route everything ending in .i2p through 127.0.0.1:4444.

If you need further help, look up the proxy tutorial from I2P.

I2P in a ProxyVM

This is a basic guide that can probably be improved.

1. Create the ProxyVM that will run I2P. Debian or Fedora-minimal would be a good template to create it from.

2. Install I2P and forward ports.

  • Port forwarding instructions can be found at the Qubes-OS website:
Onion address [4]
Clearnet address [5]

3. Edit the ProxyVM startup scripts. Firewall rules must be added to /rw/config/qubes-firewall-user-script when using a ProxyVM. Use /rw/config/rc.local for non-firewall startup commands.

  • List the existing iptables rules. New rules on the INPUT chain need to be inserted after rule 4.
$ sudo iptables -S
  • Example additions to qubes-firewall-user-script. Add the port forwarding rules before these rules.
# Flush the FORWARD chain and set its policy to reject. This should prevent accidental leaks from any connected AppVM.
iptables -F FORWARD
iptables -P FORWARD REJECT
# INPUT chain rules to allow connections from the AppVM.
# See http://i2p-projekt.i2p/en/faq#ports for a list of local I2P ports.
# The address in "-s 10.137.x.x" will be that of anon-i2p.
iptables -I INPUT <rule#> -s 10.137.x.x -p tcp --dport 4444 -j ACCEPT ## HTTP proxy
iptables -I INPUT <rule#> -s 10.137.x.x -p tcp --dport 7657 -j ACCEPT ## router console
iptables -I INPUT <rule#> -s 10.137.x.x -p tcp --dport 7656 -j ACCEPT ## SAM
iptables -I INPUT <rule#> -s 10.137.x.x -p tcp --dport 6668 -j ACCEPT ## IRC

4. Change I2P's address bindings for the desired services and tunnels.

  • Example clients.config settings:
clientApp.0.main=net.i2p.router.web.RouterConsoleRunner
clientApp.0.name=I2P Router Console
clientApp.0.args=7657 0.0.0.0 ./webapps/

  • Example i2ptunnel.config settings:
tunnel.0.description=HTTP proxy for browsing eepsites and the web
tunnel.0.interface=0.0.0.0
tunnel.0.listenPort=4444
tunnel.0.name=I2P HTTP Proxy

5. Create an AppVM using the I2P ProxyVM for network access.

6. Configure programs in the AppVM to connect to the ProxyVM. For example, in a browser, use the ProxyVM's address for the HTTP proxy and the web console.
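The firewall additions from the startup-script step as a script, an added example that is not from this wiki page or the Qubes project: it fills in the address and rule-number placeholders, rejects addresses outside 10.137.x.x and only prints the commands unless told to apply them. The helper names, the sample address 10.137.2.5 and the port list (router console on 7657, as bound in the clients.config step) are assumptions.

```shell
#!/bin/sh
# Added example, not from the wiki page: fills in the placeholders of the
# qubes-firewall-user-script rules above. APPVM_IP is the address of the
# AppVM behind this ProxyVM (10.137.2.5 is a constructed sample) and
# INSERT_AT the INPUT position right after the existing rule 4 (so 5).
set -eu

# Local I2P ports opened for the AppVM, as label:port (router console is 7657).
I2P_PORTS="http-proxy:4444 console:7657 sam:7656 irc:6668"

# valid_qubes_ip IP: only accept the 10.137.x.x addresses Qubes hands out.
valid_qubes_ip() {
    case "$1" in
        10.137.[0-9]*.[0-9]*) return 0 ;;
        *) return 1 ;;
    esac
}

# i2p_input_rules APPVM_IP INSERT_AT: print one iptables command per port.
# The position is incremented per rule so they keep the listed order;
# inserting all of them at the same position would reverse it.
i2p_input_rules() {
    ip="$1"; pos="$2"
    valid_qubes_ip "$ip" || { echo "not a Qubes VM address: $ip" >&2; return 1; }
    for entry in $I2P_PORTS; do
        label=${entry%%:*}; port=${entry#*:}
        printf 'iptables -I INPUT %d -s %s -p tcp --dport %s -j ACCEPT ## %s\n' \
            "$pos" "$ip" "$port" "$label"
        pos=$((pos + 1))
    done
}

# forward_lockdown: the FORWARD chain reset from the page, so nothing from
# the AppVM is routed past the ProxyVM by accident.
forward_lockdown() {
    printf 'iptables -F FORWARD\niptables -P FORWARD REJECT\n'
}

# With I2P_FW_APPLY=1 (as root, from qubes-firewall-user-script) the commands
# are executed; otherwise they are only printed for review.
if [ "${I2P_FW_APPLY:-0}" = "1" ]; then
    { forward_lockdown; i2p_input_rules "${APPVM_IP:?set APPVM_IP}" "${INSERT_AT:-5}"; } | sh -e
else
    forward_lockdown
    i2p_input_rules "${APPVM_IP:-10.137.2.5}" "${INSERT_AT:-5}"
fi
```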

FoxyProxy config

There is a helpful predefined config from the Whonix team. If you have a whonix-ws VM, you can simply copy it:

qvm-copy-to-vm [i2p-app-vm] /usr/share/usability-misc/tbb-foxyproxy/foxyproxy.xml

You can get the file from GitHub as well.

Copy the file into the Firefox profile directory (inside the I2P AppVM):

cp /path/to/foxyproxy.xml /home/user/.mozilla/firefox/[whatever].default/

However, the settings are a bit outdated, and you will have to disable all forum rules. (Click the FoxyProxy icon -> select the 4445 proxy -> click Edit Selection -> untick Enabled -> OK; then select the 4444 proxy -> Edit Selection -> URL Patterns tab -> select Forum/Ugha -> Edit Selection -> untick Enabled -> click OK a bunch of times.)