Transparent I2P tunneling

These notes cover setting up an I2P FreeNAS jail to transparently tunnel .i2p traffic using a Ubiquiti EdgeRouter ER-X.

Huge kudos to these notes that got me moving in the right direction:

This is the logical flow of what we are going to set up. Pictures really help the understanding.

As I have an EdgeRouter ER-X, the instructions cover what you need to configure on this device for the router setup.

Set up dnsmasq on the server to catch .i2p DNS requests and return the IP as the domain lookup.


Test it out. Any domain ending in .i2p will return the IP

# dig @ hello.i2p

; <<>> DiG 9.9.4-RedHat-9.9.4-51.el7 <<>> @ hello.i2p
; (1 server found)
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 8423
;; flags: qr aa rd ra ad; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 0

;hello.i2p.                     IN      A

hello.i2p.              0       IN      A

;; Query time: 0 msec
;; WHEN: Tue Dec 19 02:13:21 UTC 2017
;; MSG SIZE  rcvd: 43

We need to configure a NAT rule to redirect our traffic to the server running the privoxy/i2p software.

ubnt@ubnt# show service nat
 nat {
     rule 1 {
         description i2p
         destination {
             port 80
         }
         inbound-interface switch0
         inside-address {
             port 8118
         }
         log disable
         protocol tcp
         source {
             group {
                 address-group !I2P_EXCLUDE
             }
         }
         type destination
     }
     rule 5001 {
         description "masquerade for WAN"
         outbound-interface eth0
         type masquerade
     }
     rule 5002 {
         description "hairpin for i2p"
         destination {
             port 8118
         }
         log disable
         outbound-interface switch0
         protocol tcp
         source {
         }
         type masquerade
     }
 }

ubnt@ubnt# show firewall group
 address-group I2P_EXCLUDE {
     description "exclude these IP address from being routed via i2p proxy"
 }

We will end up with a NAT configuration like this:

With the following firewall rule.

I run i2p and privoxy inside a FreeNAS jail, so these instructions reflect this.

Follow the instructions to set up the I2P jail.

Now that the I2P jail is set up, we need to install privoxy for transparent routing. The jail does not install privoxy.

Install privoxy into the jail and forward .i2p domain name requests to the router.

# pkg install privoxy

To allow it to autostart, edit /etc/rc.conf


We need to pre-create this directory:

# mkdir /var/run/privoxy
# chown privoxy:privoxy /var/run/privoxy

Start Privoxy manually to create the necessary config files. Run:

# /usr/local/etc/rc.d/privoxy forcestart

This will create the file /usr/local/etc/privoxy/config

That is hokey. You have to run it to create the config file so you can edit it?

Edit the configuration file

accept-intercepted-requests 1
forward .i2p

Restart after making those changes

/usr/local/etc/rc.d/privoxy restart
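
One way to confirm the edited file carries the two settings this setup depends on before restarting, as an added example that is not part of the original notes. The function name, the sample forward target 127.0.0.1:4444 (an assumed I2P HTTP proxy address) and the extra check for Privoxy's remote toggle and edit features are assumptions.

```sh
#!/bin/sh
# Added example: audit a Privoxy config for the transparent .i2p setup.
# Prints one finding per line; returns 0 only when nothing needs fixing.
check_privoxy_config() {
    awk '
        /^[ \t]*#/ || NF == 0 { next }   # skip comments and blank lines
        $1 == "accept-intercepted-requests" { intercept = $2 }
        $1 == "forward" && ($2 == ".i2p" || $2 == ".i2p/") { seen = 1; target = $3 }
        # Assumed hardening check: these features let any client that can
        # reach Privoxy change its behaviour through the web interface.
        ($1 == "enable-remote-toggle" || $1 == "enable-edit-actions") && $2 == 1 {
            print "WARN: " $1 " is enabled"; bad++
        }
        END {
            if (intercept != 1) {
                print "FAIL: accept-intercepted-requests is not 1"; bad++
            }
            if (!seen) {
                print "FAIL: no forward rule for .i2p"; bad++
            } else if (target !~ /:[0-9]+$/) {
                # Stricter than Privoxy itself: an explicit port is required here.
                print "FAIL: forward .i2p has no host:port target"; bad++
            } else {
                print "OK: .i2p forwarded to " target
            }
            exit (bad > 0)
        }
    ' "${1:--}"
}

# Constructed sample config read from stdin; 127.0.0.1:4444 is an assumed
# address for the I2P HTTP proxy, not a value from the notes.
check_privoxy_config <<'EOF' || true
accept-intercepted-requests 1
forward .i2p 127.0.0.1:4444
EOF
```

Pass the real file as the argument, for example `check_privoxy_config /usr/local/etc/privoxy/config`; a non-zero return means at least one FAIL or WARN line was printed.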