This was mentioned in the other thread but I should probably mention it here as well. Unlike with Tor, in I2P every user is also expected to be a router. I think this is great and helps encourage decentralization, scaling, and DDoS resistance. Techlore mentioned something similar in one of his videos (but I can’t find it right now). However, this does mean that you never really know what traffic is going through your router. It’s all encrypted, but some users may still have concerns with that. I wrote my own opinions on this topic in that same comment thread.
self-hosted i2p+qbittorrent beginner quickstart - Lemmy NSFW

Thought I would share my simple docker/podman setup for torrenting over I2P. It’s just 2 files, a compose file and a config file, along with an in-depth explanation, available at my repo https://codeberg.org/xabadak/podman-i2p-qbittorrent. And it comes with a built-in “kill-switch” to prevent traffic leaking out to the clearnet. But for the uninitiated, some may be wondering:

## What is I2P and why should I care?

For a p2p system like bittorrent, for two peers to connect to each other, at least one side needs to have their ports open. If one side uses a VPN, their provider needs to support “port forwarding” in order for them to have their ports open (assuming everything else is configured properly). If you have ever tried to download a torrent with seeders available, yet failed to connect to any of them, your ports are probably not open. And with regulators cracking down on VPNs and forcing providers like Mullvad to shut down port forwarding, torrenting over the clearnet is becoming more and more difficult.

The I2P network [https://geti2p.net/] doesn’t have these issues. I2P is an alternative internet network where all users are anonymous by default. So you don’t need a VPN to hide your activity from your ISP. You don’t need port-forwarding either, all peers can reach each other. And if you do happen to run a VPN on your PC, that’s fine too - I2P will work just the same. So if you’re turning your VPN on and off all the time, you can keep I2P running throughout, and continue downloading/uploading.

I2P eliminates all the complications and worries about seeding, making it easy for beginners to contribute to the network. I2P also makes downloading easier, since all peers are always reachable. And it’s more decentralized too, since users don’t need to rely on VPN providers. And of course, it’s free and open source!

A fair warning though, I2P is restricted in some countries [https://geti2p.net/en/about/restrictive-countries]. And in terms of torrenting specifically, torrents have to explicitly support I2P. You can’t just take any clearnet torrent and expect it to work on I2P. And the speeds are generally lower since there are fewer seeders, and the built-in anonymity has a cost as well. However I’ve been surprised at the amount of content on the I2P network, and I’ve been able to reach 1 MB/s download speeds. It’s more than good enough for me, and it will only get better the more people join, so I hope this repo is enough for people to get started.

self-hosted i2p+qbittorrent beginner quickstart

https://lemmings.world/post/29728522

self-hosted i2p+qbittorrent beginner quickstart - Lemmings.world

cross-posted from: https://lemmings.world/post/29678617

self-hosted i2p+qbittorrent beginner quickstart

https://lemmings.world/post/29678617

self-hosted i2p+qbittorrent beginner quickstart - Lemmings.world


addressing misconceptions about the recent TunnelVision vulnerability

https://lemmings.world/post/8962443

addressing misconceptions about the recent TunnelVision vulnerability - Lemmings.world

I’ve been seeing a lot of confusion around the TunnelVision vulnerability. While I’m no expert, I’ve done a fair share of research and I’ll edit this post with corrections if needed. The goal of this post is to answer the question: does this affect me?

## Two sentence summary of the vulnerability

When you use a commercial VPN like Mullvad or NordVPN, the VPN client tells your system to redirect all traffic through the VPN. This recent vulnerability shows that a malicious device on the network can trick your system into redirecting traffic to their device instead.

## Claim: just don’t connect to hostile networks!

This is hard in practice. For most people, the only “trusted” networks are your home network and your workplace. So you still have to worry about coffee shops, airports, hotels, restaurants, etc. And if you are using cellular data, the cellular tower can perform this attack to snoop on your traffic.

## Claim: but I trust the hotel owner, restaurant owner, etc

This attack allows any device on the network to impersonate a DHCP server and attack your system, not just the router. And while there are router settings that can prevent devices on the network from talking to each other, afaik they are rarely used. So even if you trust the owner of the cafe, you have to also trust everybody else in the cafe.

## Claim: if you use HTTPS you are safe!

If you use HTTPS, the attacker can still see what websites you connect to, they just can’t see what you are sending or receiving. So basically they can steal your browsing history, which defeats the purpose of a commercial VPN for many users.

## Claim: Linux users are safe!

Not quite. The report says that Linux has a feature that is able to fully defend against this vulnerability, called network namespaces. So if your VPN uses that, congratulations. Afaik most VPNs do not use this, and instead use a kill-switch or a firewall. In which case Linux, Mac, and Windows users are all affected the same way, and I go into it more in the next claim.

## Claim: if you use a kill-switch you are safe!

The term “kill switch” gets thrown around a lot but there are actually two major ways that a kill-switch can be implemented. The first way is a more literal “kill switch” - when the VPN connection drops, the kill switch is triggered and blocks leaks. The other way is a persistent firewall, which blocks leaks all the time.

If your VPN client uses the first kind, then bad news, it won’t protect you against this attack. This is because the VPN connection is never dropped, so the kill switch is never triggered. NordVPN was caught using this poor practice, to nobody’s surprise (more info here [https://news.ycombinator.com/item?id=40280496]).

If your VPN uses the second kind, then you should be safe. For example, Mullvad published a statement about how they are not vulnerable here [https://mullvad.net/en/blog/evaluating-the-impact-of-tunnelvision]. I would hope that any competent VPN would also use a persistent firewall, but if your VPN provider hasn’t published a statement yet, unfortunately your only other option is to inspect the VPN client yourself. That being said, even if your VPN uses a persistent firewall, you may have read in the report that there’s a “side-channel” attack still possible…

## Claim: even if you use a firewall, there’s a side-channel attack

This is true, but from what I read the side-channel is actually very hard to pull off and gain any useful information from. You can read some discussion about it here [https://news.ycombinator.com/item?id=40280296]. My takeaway is that if you’re a regular user, you don’t have to worry about it. But we should still push VPN providers and network engineers to use network namespaces in their applications, since they are more resistant to these kinds of attacks.

## Claim: you shouldn’t trust commercial VPN providers anyways

This is not really about the vulnerability but I’ve seen it a lot in the discussions. I think it’s a mischaracterization of why people use VPNs. If you are using the internet, somebody has to send that traffic to your destination. The three major options are your ISP, a VPN provider, or Tor. Depending on your location and your circumstances, you will trust these three differently. In the EU, ISPs are not allowed to sell data. In the US, ISPs are allowed to, and have been caught doing so. VPNs can sell data too but they risk losing their entire business. Tor is much harder to judge, but the bigger issue with Tor is that many websites block it.

Further reading:

- Official Report [https://www.leviathansecurity.com/blog/tunnelvision]
- Official TLDR and FAQ [https://tunnelvisionbug.com/]
- Arstechnica article [https://arstechnica.com/security/2024/05/novel-attack-against-virtually-all-vpn-apps-neuters-their-entire-purpose/]
- Hacker News discussion [https://news.ycombinator.com/item?id=40279632] - one of the original researchers is active in this discussion, see comments by @morattisec

sharing my simple wireguard kill-switch for Linux

https://lemmings.world/post/8926406

sharing my simple wireguard kill-switch for Linux - Lemmings.world

cross-posted from: https://lemmings.world/post/8926396

> In light of the recent TunnelVision vulnerability [https://tunnelvisionbug.com/] I wanted to share a simple firewall that I wrote for wireguard VPNs.
>
> https://codeberg.org/xabadak/wg-lockdown
>
> If you use a fancy official VPN client from Mullvad, PIA, etc, you won’t need this since most clients already have a kill switch built in (also called Lockdown Mode in Mullvad). This is if you use a barebones wireguard VPN like me, or if your VPN client has a poorly-designed kill switch (like NordVPN, more info here [https://news.ycombinator.com/item?id=40280496]).
>
> A firewall should mitigate the vulnerability, though it does create a side-channel that can be exploited in extremely unlikely circumstances, so a better solution would be to use network namespaces (more info here [https://news.ycombinator.com/item?id=40280296]). Unfortunately I’m a noob and I couldn’t find any scripts or tools to do it that way.
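What a "persistent firewall" kill-switch (the second kind from the TunnelVision post above, and the approach the wg-lockdown post describes) looks like in practice, as an added example that is not the wg-lockdown script itself: an nftables ruleset that stays loaded whether or not the tunnel is up, so traffic that a rogue DHCP route pulls off wg0 is dropped rather than leaked. The interface name wg0 and the endpoint 203.0.113.10:51820 are constructed placeholder values.

```shell
#!/bin/sh
# Added example (not the wg-lockdown script from the post): a persistent
# nftables firewall for a bare WireGuard tunnel. It is loaded once and stays
# active regardless of tunnel state, so there is no "trigger" for an attacker
# to avoid. Assumed, constructed values: interface wg0, VPN endpoint
# 203.0.113.10 (documentation range) on UDP 51820; pass the endpoint as an IP.

# Print an nftables ruleset that only lets packets leave via the tunnel or as
# the WireGuard handshake to the endpoint itself. If a rogue DHCP server adds
# a more specific route, packets no longer sent through wg0 hit the drop
# policy instead of reaching the LAN or the clearnet.
gen_ruleset() {
  wg_if=$1; ep_ip=$2; ep_port=$3
  cat <<EOF
table inet wg_lockdown
flush table inet wg_lockdown
table inet wg_lockdown {
  chain output {
    type filter hook output priority 0; policy drop;
    oifname "lo" accept
    oifname "$wg_if" accept
    ip daddr $ep_ip udp dport $ep_port accept
    udp sport 68 udp dport 67 accept comment "DHCP client, keeps the LAN lease"
    counter drop comment "would-be clearnet leak"
  }
  chain input {
    type filter hook input priority 0; policy drop;
    iifname "lo" accept
    iifname "$wg_if" accept
    ip saddr $ep_ip udp sport $ep_port accept
    udp sport 67 udp dport 68 accept comment "DHCP replies"
  }
}
EOF
}

# Load the ruleset atomically; needs root and the nftables userland (nft).
apply_ruleset() {
  gen_ruleset "$@" | nft -f -
}

if [ "${1:-}" = "apply" ]; then
  apply_ruleset wg0 203.0.113.10 51820
fi
```

Load it before bringing the tunnel up (`sh wg-firewall.sh apply`, then `wg-quick up wg0`), and inspect the `counter` rule with `nft list table inet wg_lockdown` to see how many packets tried to leave outside the tunnel. LAN services such as printers are deliberately unreachable while the ruleset is loaded.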

sharing my simple wireguard kill-switch for Linux

https://lemmings.world/post/8926396

sharing my simple wireguard kill-switch for Linux - Lemmings.world
