IRCaBot 2.1.0
GPLv3 © acetone, 2021-2022
#i2pd-dev
/2022/11/16
Pandora I've got a question regarding i2pd, i'm currently researching the best way to do this but are there any i2pd devs here i could ask a couple of questions?
weko Pandora: hello, orignal is an i2pd developer. You can also ask your question in #dev in Ilita IRC (irc.ilita.i2p)
Pandora So i don't know if DM'ing would be pestering, i don't mind asking the question in public chat
Pandora i think i might be getting close to a solution already but not sure
weko Just ask your question, in DM or in public chat
Pandora is the netDb where i2pd stores a list of the nodes it knows about?
weko I don't know whether orignal answers in Irc2P or not
Pandora i wrote about my situation in another chat that provides some context, would it be helpful to post that here?
Pandora Is there a method i could use to create firewall rules that block all connections going outbound that are not connections to i2p nodes? i can do a similar thing with tor using an api to download the list of nodes in the network and whitelisting those addresses, but don't know if a similar thing exists for i2p?
Pandora i know it's not possible to enumerate all the i2p nodes by design and that's a good thing as it works to my advantage
weko Pandora: netDb stores Router Info of routers
weko Pandora: i2pd-tools maybe
Pandora so if my understanding is correct, isn't every user on the network acting as a router / node to relay traffic?
Pandora the idea is to run a small vm while the main vpn connection is up so it can constantly enumerate nodes it sees and pass those to the firewall, if the vpn gets cut off there's a recent list of known good nodes the fallback over i2p will be allowed to connect to. The plan is to use the following for fail over to the vpn server: Direct access, Yggdrasil access, i2pd access
weko Pandora: you need public ip (without NAT) for many transit routers
weko Pandora: one sec, I will send link to netDb tool
Pandora so in this case, if my ISP blocks a direct connection to my VPN, the firewall will try to reach it via yggdrasil, if my isp blocks access to yggdrasil nodes, the firewall will try to connect via i2p which my isp shouldn't be able to block
weko routerinfo
weko can generate iptables rules
Pandora the daemon that will enumerate the nodes will do so over the vpn connection so my isp can't see what nodes i connected to recently and just block those. then i feed all the known good nodes i see into the firewall rules while the vpn connection is up, that way if it gets blocked the firewall can allow an i2p fail over to connect out to just i2p nodes
Pandora i was just looking at the i2pcontrol jsonrpc api on i2pd and the request i2p.router.netdb.knownpeers
Pandora i was going to try and parse the netDb manually but that api request might give me the information i need, just working out how to make i2pcontrol api requests at the moment
Pandora oh cool, 2 secs just let me take a look at i2pd-tools
weko I can call orignal in Ilita to get him to come
weko Ping*
Pandora i2pd tools looks like an option, just tried to compile it and got the following errors
Pandora x25519.cpp:23:32: error: ‘NID_X25519’ was not declared in this scope
Pandora Ctx = EVP_PKEY_CTX_new_id (NID_X25519, NULL);
Pandora x25519.cpp:28:60: error: ‘EVP_PKEY_get_raw_public_key’ was not declared in this scope
Pandora EVP_PKEY_get_raw_public_key (Pkey, keys.PublicKey, &len);
Pandora x25519.cpp:29:62: error: ‘EVP_PKEY_get_raw_private_key’ was not declared in this scope
Pandora EVP_PKEY_get_raw_private_key (Pkey, keys.PrivateKey, &len);
weko You use the --recursive option in git clone?
Pandora At global scope:
Pandora cc1plus: warning: unrecognized command line option ‘-Wno-misleading-indentation’
Pandora Makefile:92: recipe for target 'x25519.o' failed
Pandora make: *** [x25519.o] Error 1
Pandora yes, i copy pasted the command from the github page
weko Do you use*
Pandora it's probably a stupid issue, c++ isn't my strong point and it's been a very long time since i've looked at it
weko Oh, I don't know. I'll ping orignal in Ilita right now)
Pandora just checked the dependencies (dependencies.sh) and they're all installed
weko I compiled i2pd-tools successfully recently
weko I pinged orignal
orignal you use an old compiler
orignal your openssl is also old
orignal you must use openssl 1.1.1 or higher
Pandoraa yeah this machine is pretty old, still saving up so i can re-load it and get away from HDDs on here, kinda stuck with it for now
Pandoraa it does look like the i2pd tool will do what i need as i was going to read the i2pd source and try to write a tool to parse the netDb but this basically does it
Pandoraa i was looking at the i2pcontrol interface though and wonder if that would also give me the same results?
weko In your case, as I understand, you need to create a script which will enumerate the netDb, run the 'routerinfo' util and get iptables rules or just ip:port values, and use this data for your firewall
weko I have heard about the i2pcontrol protocol
weko Hear*
weko Check geti2p.net docs
Pandoraa so that was the plan, i have multiple i2pd instances on various machines on the network too which might help me enumerate a bigger list of nodes. I was going to write a small script on each server to enumerate the nodes, feed that back to a central place on the network and then write another script on the firewall to grab that list of nodes, compare it to its current list and add new nodes and also remove
Pandoraa nodes that haven't been seen for a while so the list doesn't keep growing
Pandoraa yeah just checking out the geti2p.net docs at the moment
Pandoraa is there a client tool for i2pcontrol? i'm getting an empty response from the i2pcontrol port
weko Pandoraa: I have heard about a program from the Java I2P team
Pandoraa curl -X POST -H 'Content-Type: application/json' -d '{ "id": "id", "method": "authenticate", "params": { "password": "itoopie" }, "jsonrpc": "2.0"}' 127.0.0.1:7650
Pandoraa this gives me: curl: (52) Empty reply from server
weko Pandoraa: about removal - that needs investigation. i2pd doesn't store all of i2p's routers. So, there are ~60000 routers in i2p; I think that is not that many for a firewall
weko Pandoraa: don't know about i2pcontrol support
Pandora I'm just wondering if keeping a list where nodes never expire could be a bad thing, that's related to a completely different situation but i dont know if i want to allow outbound access to a node i haven't seen in like a year as it could be used to escape the network by an attacker if they can obtain the ip address of an i2p node that isn't being used anymore.
weko And yes, i2pcontrol usage is a better decision than enumerating the netDb. But I don't know anything about i2pcontrol, can't help you there
Pandora in principle they could still block the VPN traffic even over i2p, they can just block the connections i2pd makes while they are blocking direct access to the vpn, if i have a list of known good recent nodes they can't know what IPs to block ahead of time so have to wait until my i2pd connects to them to discover them. Any list i make will be finite and i'll get knocked offline if they are persistent
Pandora enough but it will hopefully buy me enough time to reach out to the vpn server to try and diagnose if my isp is indeed blocking the connection to the vpn and hopefully get any messages out to people before my connection dies
weko Pandora: any i2p address might be used by hackers
Pandora so i was reading the i2pcontrol docs and trying to get an auth token
weko Pandora: you can create an iptables rule to allow traffic from a specific user, for example "i2pd", and run i2pd as this user
weko And any other traffic will be blocked
Pandora weko: any i2p address might be used by hackers. - Yes that's true, for one attacker to compromise a machine deep inside my tor only network, break through multiple virtual firewalls to my physical firewall, and either break through those virtual firewalls or gain access to the hypervisor kernel to bypass the firewall is a big ask, if they can break out of the tor only network, and they have access to an ip
Pandora address that's a tor node to bypass that firewall rule, and then also gain access to an i2p node that's not being used anymore, then yeah they could possibly jump outside of the vpn connection that way, there are many firewalls, physical and virtual, as well as vm servers they would need to break through consecutively in order to do that though
Pandora so the reason i want the list is because my new firewall will be a hypervisor running multiple virtual firewalls, the hypervisor also has a firewall it can use to lock down vm guests, the idea is even if the firewalls get hacked and the attacker has root, the hypervisor will also be blocking outbound connections too, so they would need to not only hack the firewalls and gain root, they would need to escape
Pandora the guest vm and get root on the hypervisor
Pandora i can setup the user only rule for i2pd, i've done a similar thing for the tor daemon before and it works quite well, but assuming that gets rooted i have another layer to fall back on, user based ip tables, opnsense and pfsense firewall rules, and the hypervisor firewall all need that list of nodes regardless
weko A paranoiac's problems
weko Blinded message
weko To recognize one
weko I know one paranoiac
weko Maybe he can help you
Pandora lol yeah, it does sound paranoid when you read it. Partly it is paranoia, partly i want the challenge and will learn new things along the way, and partly its just cos i want my new firewall to be way better than my current one if i'm going to spend the money re-building it as i'm not exactly rich lol
Pandora its the kind of thing i'd rather have and not need, than need and not have. it also means my solution will be more robust and will keep me kinda online without leaking traffic outside the vpn, this makes the resources and effort spent by my ISP / LE a complete waste and they won't keep trying to knock my connection offline repeatedly which is super fucking annoying
weko Whatever, this is a good topic. i2pd / Java I2P need a tool to create and update a full list of network IPs
Pandora if they just block everything and stand their ground, eventually i'm going to call my isp and ask why my connection doesn't work and they won't be able to give me a good reason for it, they can't tell me oh LE told us to, so by that point in my mind at least i've got confirmation i'm being monitored and can begin taking action which is not helpful to LE, so hopefully they'll just leave my connection alone
Pandora and try a different strategy
weko Technically, you can create a full list of network IPs. But a big part of the data will not be current (some IPs offline, some new IPs online), which is bad for transit.
weko Because your firewall will block new network IPs
Pandora true, and some nodes are running behind tor exit nodes too. I'm not sure what the data looks like until i've taken a look but i read somewhere there was at least 45,000 i2p nodes on the network and im not sure if one single i2pd instance would see close to 45k nodes.
Pandora Because your firewall will block new network IPs - so the i2pd instances would enumerate nodes while the direct connection to the vpn is up, they will be able to connect out through the vpn to any nodes they can find without issue
weko My floodfill i2pd router stores 6000-7000 routers
weko My data says that i2p has 60000 routers
Pandora if the direct connection to the vpn is blocked by the isp, then i have a local list of nodes i can then allow through the firewall and have a small vm running i2pd that can connect out to those nodes, the firewall controlling the vpn connection will then connect to that vm as a fail-over and i'll configure an i2p tunnel between that vm and the vps server so the firewall can connect to the vpn through i2p
Pandora without touching my isp or the router they gave me
Pandora i thought 45k would have been an older number given the rise in popularity recently
weko Maybe
Pandora im glad i2p is growing, it's a really nice tool in it's own right and i prefer some things about i2pd over the tor daemon.
weko Two ways to collect data - parse the netDb with the "routerinfo" tool, or i2pcontrol
weko i2p over tor? I guess that's unstable
weko Tor packet loss + i2p packet loss
weko You can just set 8 transits for your tunnels
Pandora so i've tried running i2pd over a tor exit node via transparent tor routing, then plugging i2pd browser into it. Sometimes it's a bit flaky and slow, but most of the time if you're just browsing dread and sites on i2p it's actually pretty dependable, i've been pleasantly surprised
Pandora if i can get the i2pcontrol port method working that might be more preferable, then i can configure my firewalls to allow access to the control port on the various i2pd instances across the network without having to have a script running on each server, then i can just have one central vm that calls out to the daemons and produces the list for the firewall
weko Yes
weko Pandora: it is good, but I don't see any use cases for such a browser
weko I2p over yggdrasil also good
weko And more stable
Pandora so i2pdbrowser isn't an equivalent for tor browser i've found, the i2pd daemon is somewhat broken in every machine i've tried it on, that's fine for me because i can re-configure everything and make it work but the average user wont be able to. Having the portable firefox is nice though and means i can use my other browsers for different things like tor access over the firewall, ssh tunnels to anon vps's
Pandora for anon clearweb access, yggdrasil only browser etc...
Pandora I2p over yggdrasil also good - i found out earlier in the docs it says i2p has support for yggdrasil which is really nice
Pandora yggdrasil is really cool, not anon out of the box though but then you also gain speed too. You can run yggdrasil behind tor and it works fine and you can also host services anon on yggdrasil too if you connect out over a tor firewall
weko Do you know anything about 802.11s?
Pandora 802.11s looks pretty awesome
Pandora it doesn't look like the api method i need is implemented and i'm not a go programmer but tbh looking at the source it doesn't look hard to add the method i need. Are there any alternative cli clients for i2pcontrol out there?