Transparent I2P tunneling

These notes describe how to set up an I2P FreeNAS jail and a Ubiquiti EdgeRouter ER-X so that .i2p traffic is transparently tunneled through the jail.

Huge kudos to these notes that got me moving in the right direction:

This is the logical flow of what we are going to set up. Pictures really help the understanding.

As I have an EdgeRouter ER-X, the router-side instructions cover what you need to configure on that device.

Set up dnsmasq on the server to catch DNS requests for .i2p names and answer them with the IP 10.191.0.1.

/etc/dnsmasq.conf
address=/i2p/10.191.0.1

Test it out. Any domain ending in .i2p will now resolve to the IP 10.191.0.1.

# dig @127.0.0.1 hello.i2p

; <<>> DiG 9.9.4-RedHat-9.9.4-51.el7 <<>> @127.0.0.1 hello.i2p
; (1 server found)
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 8423
;; flags: qr aa rd ra ad; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 0

;; QUESTION SECTION:
;hello.i2p.                     IN      A

;; ANSWER SECTION:
hello.i2p.              0       IN      A       10.191.0.1

;; Query time: 0 msec
;; SERVER: 127.0.0.1#53(127.0.0.1)
;; WHEN: Tue Dec 19 02:13:21 UTC 2017
;; MSG SIZE  rcvd: 43

We need to configure a destination NAT rule on the router to redirect traffic for 10.191.0.1:80 to the server running the privoxy/i2p software. The I2P_EXCLUDE group keeps the proxy host's own traffic from being redirected back to itself, and the hairpin rule makes the proxy's replies return through the router.

ubnt@ubnt# show service nat
 nat {
     rule 1 {
         description i2p
         destination {
             address 10.191.0.1
             port 80
         }
         inbound-interface switch0
         inside-address {
             address 192.168.1.14
             port 8118
         }
         log disable
         protocol tcp
         source {
             group {
                 address-group !I2P_EXCLUDE
             }
         }
         type destination
     }
     rule 5001 {
         description "masquerade for WAN"
         outbound-interface eth0
         type masquerade
     }
     rule 5002 {
         description "hairpin for i2p"
         destination {
             address 192.168.1.0/24
             port 8118
         }
         log disable
         outbound-interface switch0
         protocol tcp
         source {
             address 192.168.1.0/24
         }
         type masquerade
     }
 }

ubnt@ubnt# show firewall group
 address-group I2P_EXCLUDE {
     address 192.168.1.14
     description "exclude these IP address from being routed via i2p proxy"
 }
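To see how the three pieces above fit together (the dnsmasq catch-all, NAT rule 1 with its negated I2P_EXCLUDE source group, and the hairpin masquerade rule 5002), here is a small Python model of the packet path. It is an added example written for these notes, not EdgeOS or dnsmasq code; the router's switch0 address (192.168.1.1) and WAN address (203.0.113.10) are assumptions, and the sample packets are constructed. It also shows two cases the rules leave unredirected: traffic from the excluded proxy host, and anything other than TCP port 80 (HTTPS to a .i2p name is not covered by rule 1 as written).

```python
import ipaddress
from dataclasses import dataclass, replace
from typing import Optional, Tuple

# Constructed model of the page's dnsmasq + EdgeRouter NAT rules (not EdgeOS code).
I2P_DNS_ADDR = ipaddress.ip_address("10.191.0.1")      # dnsmasq answer for any .i2p name
PROXY_HOST = ipaddress.ip_address("192.168.1.14")      # jail running privoxy (inside-address)
PROXY_PORT = 8118
LAN = ipaddress.ip_network("192.168.1.0/24")
ROUTER_LAN_ADDR = ipaddress.ip_address("192.168.1.1")  # ASSUMED switch0 address of the ER-X
ROUTER_WAN_ADDR = ipaddress.ip_address("203.0.113.10") # ASSUMED eth0 address (rule 5001)
I2P_EXCLUDE = {PROXY_HOST}                             # firewall address-group I2P_EXCLUDE


@dataclass(frozen=True)
class Packet:
    src: ipaddress.IPv4Address
    dst: ipaddress.IPv4Address
    dport: int
    proto: str = "tcp"
    in_iface: str = "switch0"


def resolve(name: str) -> Optional[str]:
    """Model of 'address=/i2p/10.191.0.1': the i2p domain and every name under it."""
    name = name.rstrip(".").lower()
    if name == "i2p" or name.endswith(".i2p"):
        return str(I2P_DNS_ADDR)
    return None  # anything else goes to dnsmasq's normal upstream lookup


def destination_nat(p: Packet) -> Packet:
    """Rule 1 (type destination): 10.191.0.1:80 arriving on switch0 is sent to the proxy,
    unless the source is in I2P_EXCLUDE (the '!' in the source group)."""
    if (p.in_iface == "switch0" and p.proto == "tcp" and p.dst == I2P_DNS_ADDR
            and p.dport == 80 and p.src not in I2P_EXCLUDE):
        return replace(p, dst=PROXY_HOST, dport=PROXY_PORT)
    return p


def route(dst: ipaddress.IPv4Address) -> str:
    """Egress interface: the LAN prefix via switch0, everything else via the WAN (eth0)."""
    return "switch0" if dst in LAN else "eth0"


def source_nat(p: Packet, out_iface: str) -> Packet:
    """Rules 5001/5002 (masquerade). 5002 is the hairpin: LAN->LAN traffic to the proxy port
    leaves with the router's address, so the proxy answers the router rather than the client
    directly, and conntrack can undo the DNAT on the way back."""
    if out_iface == "eth0":
        return replace(p, src=ROUTER_WAN_ADDR)
    if (out_iface == "switch0" and p.proto == "tcp" and p.src in LAN
            and p.dst in LAN and p.dport == PROXY_PORT):
        return replace(p, src=ROUTER_LAN_ADDR)
    return p


def forward_path(p: Packet) -> Tuple[str, str, str, int]:
    """Apply the rules in the router's order: DNAT, routing decision, then SNAT."""
    after_dnat = destination_nat(p)
    out_iface = route(after_dnat.dst)
    final = source_nat(after_dnat, out_iface)
    return out_iface, str(final.src), str(final.dst), final.dport


def demo_client_to_i2p() -> Tuple[str, str, str, int]:
    # Constructed: a LAN client opens http://hello.i2p/ after dnsmasq answered 10.191.0.1.
    ip = ipaddress.ip_address(resolve("hello.i2p"))
    return forward_path(Packet(src=ipaddress.ip_address("192.168.1.20"), dst=ip, dport=80))


def demo_proxy_host_to_i2p() -> Tuple[str, str, str, int]:
    # Constructed: the privoxy host is in I2P_EXCLUDE, so rule 1 must not loop it back to itself.
    return forward_path(Packet(src=PROXY_HOST, dst=I2P_DNS_ADDR, dport=80))


def demo_client_https_to_i2p() -> Tuple[str, str, str, int]:
    # Constructed: rule 1 only matches port 80, so TLS to 10.191.0.1:443 is not redirected.
    return forward_path(Packet(src=ipaddress.ip_address("192.168.1.20"), dst=I2P_DNS_ADDR, dport=443))


if __name__ == "__main__":
    print(resolve("hello.i2p"), resolve("example.com"))
    print(demo_client_to_i2p())        # ('switch0', '192.168.1.1', '192.168.1.14', 8118)
    print(demo_proxy_host_to_i2p())    # ('eth0', '203.0.113.10', '10.191.0.1', 80)
    print(demo_client_https_to_i2p())  # ('eth0', '203.0.113.10', '10.191.0.1', 443)
```

The two unredirected cases end up on eth0 towards 10.191.0.1, an address that exists only in dnsmasq's answer, so they simply fail; that is harmless for the proxy host but worth knowing if clients later try https:// with .i2p names.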

We will end up with a NAT configuration like this:

With the following firewall rule.

I run i2p and privoxy inside a FreeNAS jail so these instructions reflect this.

Follow the instructions to setup the I2P jail

Now that the I2P jail is set up, we need to install privoxy for transparent routing, as the jail does not come with it.

Install privoxy into the jail and configure it to forward requests for .i2p domains to the I2P router's HTTP proxy.

# pkg install privoxy

To allow it to autostart, edit /etc/rc.conf and add:

privoxy_enable="YES"

We need to pre-create the run directory:

# mkdir /var/run/privoxy
# chown privoxy:privoxy /var/run/privoxy

Start privoxy manually to create the necessary config files:

# /usr/local/etc/rc.d/privoxy forcestart

This will create the file /usr/local/etc/privoxy/config.

That is hokey: you have to run it to create the config file so you can edit it?

Edit the configuration file and set:

listen-address  192.168.1.14:8118
accept-intercepted-requests 1
forward .i2p 127.0.0.1:4444

Restart after making those changes:

/usr/local/etc/rc.d/privoxy restart
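The three config lines above do the real work, so here is an added Python model of what they mean for a request that lands on 192.168.1.14:8118 after the router's DNAT. This is illustration code written for these notes, not privoxy's own implementation: the `.i2p` forward pattern is modelled as "any host ending in .i2p", the rejection status for intercepted requests when accept-intercepted-requests is off is the model's choice, and the sample requests are constructed. The point it shows is that an intercepted client sends only a path (it believes it is talking to 10.191.0.1), so the destination can only be recovered from the client-supplied Host header.

```python
from typing import Dict, Optional, Tuple
from urllib.parse import urlsplit

# Constructed model of the three privoxy settings on the page (not privoxy's own code).
LISTEN = ("192.168.1.14", 8118)           # listen-address 192.168.1.14:8118
ACCEPT_INTERCEPTED_REQUESTS = True        # accept-intercepted-requests 1
I2P_HTTP_PROXY = ("127.0.0.1", 4444)      # forward .i2p 127.0.0.1:4444


def parse_request(raw: bytes) -> Tuple[str, str, Dict[str, str]]:
    """Split an HTTP/1.1 request head into method, request-target and lower-cased headers."""
    head = raw.split(b"\r\n\r\n", 1)[0].decode("latin-1")
    request_line, *header_lines = head.split("\r\n")
    method, target, _version = request_line.split(" ", 2)
    headers: Dict[str, str] = {}
    for line in header_lines:
        name, sep, value = line.partition(":")
        if sep:
            headers[name.strip().lower()] = value.strip()
    return method, target, headers


def effective_host(target: str, headers: Dict[str, str],
                   accept_intercepted: bool = ACCEPT_INTERCEPTED_REQUESTS) -> Optional[str]:
    """Recover the real destination.

    A client that knows it talks to a proxy sends an absolute URI. A client that was DNAT'ed
    here sends only a path, so the destination comes from the Host header the client chose,
    and only if the accept-intercepted-requests switch allows that. (IPv6 literal hosts in
    brackets are not handled by this toy.)
    """
    if target.lower().startswith(("http://", "https://")):
        return (urlsplit(target).hostname or "").lower() or None
    if accept_intercepted:
        host = headers.get("host")
        return host.rsplit(":", 1)[0].lower() if host else None
    return None


def forward_target(host: str) -> Optional[Tuple[str, int]]:
    """Model of 'forward .i2p 127.0.0.1:4444': names ending in .i2p go to the I2P HTTP proxy,
    everything else would be fetched directly by privoxy itself."""
    return I2P_HTTP_PROXY if host.endswith(".i2p") else None


def decide(raw: bytes, accept_intercepted: bool = ACCEPT_INTERCEPTED_REQUESTS
           ) -> Tuple[str, Optional[str], Optional[Tuple[str, int]]]:
    """Return (action, host, upstream): action is 'forward', 'direct' or 'reject'."""
    _method, target, headers = parse_request(raw)
    host = effective_host(target, headers, accept_intercepted)
    if host is None:
        return "reject", None, None          # model's choice: no usable destination
    upstream = forward_target(host)
    return ("forward" if upstream else "direct"), host, upstream


# Constructed sample requests, as they would arrive on 192.168.1.14:8118.
INTERCEPTED_I2P = b"GET /index.html HTTP/1.1\r\nHost: hello.i2p\r\nUser-Agent: x\r\n\r\n"
INTERCEPTED_CLEARNET = b"GET / HTTP/1.1\r\nHost: example.com\r\n\r\n"
PROXY_STYLE_I2P = b"GET http://forum.i2p/ HTTP/1.1\r\nHost: forum.i2p\r\n\r\n"

if __name__ == "__main__":
    print(decide(INTERCEPTED_I2P))                            # forward to 127.0.0.1:4444
    print(decide(INTERCEPTED_I2P, accept_intercepted=False))  # reject: path only, Host ignored
    print(decide(INTERCEPTED_CLEARNET))                       # direct fetch of example.com
    print(decide(PROXY_STYLE_I2P))                            # absolute URI, also forwarded
```

Note what the second and third cases show: without accept-intercepted-requests the DNAT'ed traffic would be rejected, and with it privoxy decides where to go purely from the Host header. The dnsmasq catch-all only steers .i2p names at the proxy; it does not stop a LAN client from naming some other host, which privoxy would then fetch directly. Keep that in mind when choosing the listen-address and whether non-.i2p requests should be allowed at all.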