When will #I2P be added to the #Tails OS, already?

Is 20 years enough testing time?

Can we finally make 2022 the year that I2P gets the standing it needs to help society? Tor needs the competition too, frankly.

The year could be… #I2022P.

#I2022P #tailsOS #liveSystem #internetToProtectPeopleAndPrivacy

@dsfgs it won't happen in #tails. Some weeks ago (12/2021) the Tails community decided to close all open #i2p issues and to not support any i2p initiatives in the upcoming years. Which is very logical, since Tails is paid mainly by #tor (see their annual report re financial details), and #tor understands #i2p as a competitor re "funding of privacy-protecting technology".

See also https://codeberg.org/diva.exchange/i2p/issues/9 Packaging i2p for Tails

Packaging for Tails

# Project: I2Pd package for Tails

Related: https://gitlab.tails.boum.org/tails/tails/-/issues/12264#note_150424

Target: having an up-to-date I2Pd package (a deb) for tails available from a suitable repo.

The problems:

* Tails is debian based (which is great) - but as of today - the I2P package is rather outdated.
* Tails is heavily relying on iptables to control and secure the network of the system. This approach is fine from a tails perspective.

I2P should therefore simply run in a sandbox with clearly defined interfaces to the host. The I2P sandbox itself needs full network access (tcp/udp). In the I2P jargon this is called NTCP and SSU.

As a **prototype** this approach is working (tested on tails 4.7):

Execute as root:

```
apt-get install i2pd
systemctl stop i2pd
```

THEN:

1. fix the systemd i2pd.service file, see below
2. fix /etc/i2pd/i2pd.conf, see below
3. empty /etc/i2pd/tunnels.conf (currently not needed for the prototype)

Execute as root:

```
iptables -I OUTPUT 3 -p tcp -d 127.0.0.1 -j ACCEPT -m tcp --tcp-flags SYN,ACK,FIN,RST SYN -m multiport --destination-ports 4444,4447,7070 -m owner --uid-owner amnesia
iptables -I OUTPUT 4 -p tcp -j ACCEPT -m owner --uid-owner i2pd
iptables -I OUTPUT 5 -p udp -j ACCEPT -m owner --uid-owner i2pd
systemctl start i2pd
```

Go get a tea and wait for a few minutes until I2Pd has integrated into the I2P network.

Test as user amnesia:

```
curl -x localhost:4444 http://diva.i2p > diva.i2p.html
more diva.i2p.html
```

## systemd i2pd.service file

```
[Unit]
Description=I2P Router written in C++
Documentation=man:i2pd(1) https://i2pd.readthedocs.io/en/latest/
After=network.target

[Service]
User=i2pd
Group=i2pd
RuntimeDirectory=i2pd
RuntimeDirectoryMode=0700
LogsDirectory=i2pd
LogsDirectoryMode=0700
Type=forking
ExecStart=/usr/sbin/i2pd --conf=/etc/i2pd/i2pd.conf --pidfile=/run/i2pd/i2pd.pid --logfile=/var/log/i2pd/i2pd.log --daemon --service
ExecReload=/bin/kill -HUP $MAINPID
PIDFile=/run/i2pd/i2pd.pid
### Uncomment, if auto restart needed
#Restart=on-failure

KillSignal=SIGQUIT
# If you have the patience waiting 10 min on restarting/stopping it, uncomment this.
# i2pd stops accepting new tunnels and waits ~10 min while old ones do not die.
#KillSignal=SIGINT
#TimeoutStopSec=10m

# If you have problems with hanging i2pd, you can try increase this
LimitNOFILE=4096
# To enable write of coredump uncomment this
#LimitCORE=infinity
PrivateDevices=yes

[Install]
WantedBy=multi-user.target
```

## /etc/i2pd/i2pd.conf file

```
## Configuration file for a typical i2pd user
## See https://i2pd.readthedocs.io/en/latest/user-guide/configuration/
## for more options you can use in this file.
## Lines that begin with "## " try to explain what's going on. Lines
## that begin with just "#" are disabled commands: you can enable them
## by removing the "#" symbol.

## Tunnels config file
## Default: ~/.i2pd/tunnels.conf or /var/lib/i2pd/tunnels.conf
# tunconf = /var/lib/i2pd/tunnels.conf

## Tunnels config files path
## Use that path to store separated tunnels in different config files.
## Default: ~/.i2pd/tunnels.d or /var/lib/i2pd/tunnels.d
# tunnelsdir = /var/lib/i2pd/tunnels.conf.d

## Where to write pidfile (don't write by default)
# pidfile = /var/run/i2pd.pid

## Logging configuration section
## By default logs go to stdout with level 'info' and higher
##
## Logs destination (valid values: stdout, file, syslog)
## * stdout - print log entries to stdout
## * file - log entries to a file
## * syslog - use syslog, see man 3 syslog
# log = file
## Path to logfile (default - autodetect)
# logfile = /var/log/i2pd.log
## Log messages above this level (debug, *info, warn, error, none)
## If you set it to none, logging will be disabled
loglevel = debug
## Write full CLF-formatted date and time to log (default: write only time)
# logclftime = true

## Daemon mode. Router will go to background after start
# daemon = true

## Specify a family, router belongs to (default - none)
# family =

## External IP address to listen for connections
## By default i2pd sets IP automatically
# host = 1.2.3.4

## Port to listen for connections
## By default i2pd picks random port. You MUST pick a random number too,
## don't just uncomment this
# port = 4567

## Enable communication through ipv4
ipv4 = true
## Enable communication through ipv6
ipv6 = false

## Network interface to bind to
# ifname =
## You can specify different interfaces for IPv4 and IPv6
# ifname4 =
# ifname6 =

## Enable NTCP transport (default = true)
ntcp = true
## If you run i2pd behind a proxy server, you can only use NTCP transport with ntcpproxy option
## Should be http://address:port or socks://address:port
# ntcpproxy = socks://localhost:9050
## Enable SSU transport (default = true)
ssu = true

## Should we assume we are behind NAT? (false only in MeshNet)
# nat = true

## Bandwidth configuration
## L limit bandwidth to 32KBs/sec, O - to 256KBs/sec, P - to 2048KBs/sec,
## X - unlimited
## Default is X for floodfill, L for regular node
bandwidth = P
## Max % of bandwidth limit for transit. 0-100. 100 by default
share = 50

## Router will not accept transit tunnels, disabling transit traffic completely
## (default = false)
# notransit = true

## Router will be floodfill
# floodfill = true

[http]
## Web Console settings
## Uncomment and set to 'false' to disable Web Console
# enabled = true
## Address and port service will listen on
address = 127.0.0.1
port = 7070
## Path to web console, default "/"
# webroot = /
## Uncomment following lines to enable Web Console authentication
# auth = true
# user = i2pd
# pass = changeme

[httpproxy]
## Uncomment and set to 'false' to disable HTTP Proxy
# enabled = true
## Address and port service will listen on
address = 127.0.0.1
port = 4444
## Optional keys file for proxy local destination
# keys = http-proxy-keys.dat
## Enable address helper for adding .i2p domains with "jump URLs" (default: true)
# addresshelper = true
## Address of a proxy server inside I2P, which is used to visit regular Internet
# outproxy = http://false.i2p
## httpproxy section also accepts I2CP parameters, like "inbound.length" etc.

[socksproxy]
## Uncomment and set to 'false' to disable SOCKS Proxy
# enabled = true
## Address and port service will listen on
address = 127.0.0.1
port = 4447
## Optional keys file for proxy local destination
# keys = socks-proxy-keys.dat
## Socks outproxy. Example below is set to use Tor for all connections except i2p
## Uncomment and set to 'true' to enable using of SOCKS outproxy
# outproxy.enabled = false
## Address and port of outproxy
# outproxy = 127.0.0.1
# outproxyport = 9050
## socksproxy section also accepts I2CP parameters, like "inbound.length" etc.

[sam]
## Uncomment and set to 'true' to enable SAM Bridge
enabled = false
## Address and port service will listen on
# address = 127.0.0.1
# port = 7656

[bob]
## Uncomment and set to 'true' to enable BOB command channel
enabled = false
## Address and port service will listen on
# address = 127.0.0.1
# port = 2827

[i2cp]
## Uncomment and set to 'true' to enable I2CP protocol
enabled = false
## Address and port service will listen on
# address = 127.0.0.1
# port = 7654

[i2pcontrol]
## Uncomment and set to 'true' to enable I2PControl protocol
enabled = false
## Address and port service will listen on
# address = 127.0.0.1
# port = 7650
## Authentication password. "itoopie" by default
# password = itoopie

[precomputation]
## Enable or disable elgamal precomputation table
## By default, enabled on i386 hosts
# elgamal = true

[upnp]
## Enable or disable UPnP: automatic port forwarding (enabled by default in WINDOWS, ANDROID)
enabled = false
## Name i2pd appears in UPnP forwardings list (default = I2Pd)
# name = I2Pd

[reseed]
## Options for bootstrapping into I2P network, aka reseeding
## Enable or disable reseed data verification.
verify = false
## URLs to request reseed data from, separated by comma
## Default: "mainline" I2P Network reseeds
# urls = https://reseed.i2p-projekt.de/,https://i2p.mooo.com/netDb/,https://netdb.i2p2.no/
urls = https://reseed.diva.exchange/
## Path to local reseed data file (.su3) for manual reseeding
# file = /path/to/i2pseeds.su3
## or HTTPS URL to reseed from
# file = https://legit-website.com/i2pseeds.su3
## Path to local ZIP file or HTTPS URL to reseed from
# zipfile = /path/to/netDb.zip
## If you run i2pd behind a proxy server, set proxy server for reseeding here
## Should be http://address:port or socks://address:port
proxy = socks://localhost:9050
## Minimum number of known routers, below which i2pd triggers reseeding. 25 by default
# threshold = 25

[addressbook]
## AddressBook subscription URL for initial setup
## Default: inr.i2p at "mainline" I2P Network
# defaulturl = http://joajgazyztfssty4w2on5oaqksz6tqoxbduy553y34mf4byv6gpq.b32.i2p/export/alive-hosts.txt
## Optional subscriptions URLs, separated by comma
# subscriptions = http://inr.i2p/export/alive-hosts.txt,http://stats.i2p/cgi-bin/newhosts.txt,http://rus.i2p/hosts.txt

[limits]
## Maximum active transit sessions (default:2500)
# transittunnels = 2500
## Limit number of open file descriptors (0 - use system limit)
# openfiles = 0
## Maximum size of corefile in Kb (0 - use system limit)
# coresize = 0
## Threshold to start probabalistic backoff with ntcp sessions (0 - use system limit)
# ntcpsoft = 0
## Maximum number of ntcp sessions (0 - use system limit)
# ntcphard = 0

[trust]
## Enable explicit trust options. false by default
# enabled = true
## Make direct I2P connections only to routers in specified Family.
# family = MyFamily
## Make direct I2P connections only to routers specified here. Comma separated list of base64 identities.
# routers =
## Should we hide our router from other routers? false by default
# hidden = true

[exploratory]
## Exploratory tunnels settings with default values
# inbound.length = 2
# inbound.quantity = 3
# outbound.length = 2
# outbound.quantity = 3

[persist]
## Save peer profiles on disk (default: true)
# profiles = true
```

Codeberg.org
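A check for the prototype quoted above, as an added example that is not part of the Codeberg issue or of this thread: it audits an `i2pd.conf` against what the iptables rules assume, namely that the console and proxies listen on loopback on ports 4444, 4447 and 7070, that the API interfaces stay off, and it reports when reseed verification is disabled. The names `audit`, `is_loopback`, `AMNESIA_PORTS`, `USER_SERVICES`, `API_SERVICES` and `SAMPLE` are hypothetical, and the service defaults are assumptions read off the comments in the quoted config.

```python
import configparser
import ipaddress

# Ports the page's iptables rule opens on 127.0.0.1 for the amnesia user.
AMNESIA_PORTS = {4444, 4447, 7070}
USER_SERVICES = ("http", "httpproxy", "socksproxy")  # assumed on unless enabled = false
API_SERVICES = ("sam", "bob", "i2cp", "i2pcontrol")  # assumed off unless enabled = true

# Constructed excerpt with values the prototype config sets explicitly.
SAMPLE = """\
loglevel = debug
[http]
address = 127.0.0.1
port = 7070
[httpproxy]
address = 127.0.0.1
port = 4444
[socksproxy]
address = 127.0.0.1
port = 4447
[reseed]
verify = false
"""

def is_loopback(addr):
    try:
        return ipaddress.ip_address(addr).is_loopback
    except ValueError:
        return addr == "localhost"

def audit(text):
    cp = configparser.ConfigParser(interpolation=None, delimiters=("=",))
    cp.read_string("[main]\n" + text)  # options before the first [section]
    findings = []
    for name in USER_SERVICES + API_SERVICES:
        is_api = name in API_SERVICES
        if not cp.getboolean(name, "enabled", fallback=not is_api):
            continue
        if is_api:
            findings.append(f"[{name}] is enabled; the prototype keeps it off")
        addr = cp.get(name, "address", fallback="127.0.0.1")  # assumed default
        if not is_loopback(addr):
            findings.append(f"[{name}] listens on non-loopback address {addr}")
        port = cp.getint(name, "port", fallback=None)
        if not is_api and port is not None and port not in AMNESIA_PORTS:
            findings.append(f"[{name}] port {port} is not opened for amnesia")
    if not cp.getboolean("reseed", "verify", fallback=False):
        findings.append("[reseed] verify is not true: reseed data verification is off")
    return findings
```

Calling `audit(SAMPLE)` returns the single reseed finding; pass the text of the real `/etc/i2pd/i2pd.conf` to check a live system.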

@konrad
Wow.

Why are we not surprised #TorProject would create "incentives" (bribes?) such that #Tails reject a bit of (#I2P) competition, haha.

It's not enough that they destroyed human-readable (#HSv2) addresses.

How much did #Tor make from the sale of those #etheriumScam tokens, which are centralised on #Cloudflare and #Amazon servers, again?

Tails is okay but could be much, much better.

Their loss.

Like #journalism, Tor is becoming an #academicStudy in controlled destruction.