Transparent I2P tunneling
These notes describe how to set up an I2P FreeNAS jail to transparently tunnel .i2p traffic using a Ubiquiti EdgeRouter.
Huge kudos to these notes that got me moving in the right direction:
This is the logical flow of what we are going to set up. Pictures really help the understanding.
EdgeRouter ER-X setup
As I have an EdgeRouter ER-X, these instructions cover what you need to configure on this device for the router side of the setup.
Set up dnsmasq on the server to catch .i2p DNS requests and return the IP 10.191.0.1 as the lookup result.
/etc/dnsmasq.conf
address=/i2p/10.191.0.1
Test it out. Any domain ending in .i2p will return the IP 10.191.0.1:
# dig @127.0.0.1 hello.i2p
; <<>> DiG 9.9.4-RedHat-9.9.4-51.el7 <<>> @127.0.0.1 hello.i2p
; (1 server found)
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 8423
;; flags: qr aa rd ra ad; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 0
;; QUESTION SECTION:
;hello.i2p. IN A
;; ANSWER SECTION:
hello.i2p. 0 IN A 10.191.0.1
;; Query time: 0 msec
;; SERVER: 127.0.0.1#53(127.0.0.1)
;; WHEN: Tue Dec 19 02:13:21 UTC 2017
;; MSG SIZE rcvd: 43
We need to configure a NAT rule to redirect our 10.191.0.1:80 traffic to the server running the privoxy/i2p software.
ubnt@ubnt# show service nat
 nat {
     rule 1 {
         description i2p
         destination {
             address 10.191.0.1
             port 80
         }
         inbound-interface switch0
         inside-address {
             address 192.168.1.14
             port 8118
         }
         log disable
         protocol tcp
         source {
             group {
                 address-group !I2P_EXCLUDE
             }
         }
         type destination
     }
     rule 5001 {
         description "masquerade for WAN"
         outbound-interface eth0
         type masquerade
     }
     rule 5002 {
         description "hairpin for i2p"
         destination {
             address 192.168.1.0/24
             port 8118
         }
         log disable
         outbound-interface switch0
         protocol tcp
         source {
             address 192.168.1.0/24
         }
         type masquerade
     }
 }
ubnt@ubnt# show firewall group
 address-group I2P_EXCLUDE {
     address 192.168.1.14
     description "exclude these IP address from being routed via i2p proxy"
 }
FreeNAS I2P jail
I run i2p and privoxy inside a FreeNAS jail so these instructions reflect this.
Follow the instructions to set up the I2P jail.
Privoxy configuration
Now that the I2P jail is set up, we need to install Privoxy for transparent routing. Why not make it part of the jail setup? I could, but not everybody may want, or be able to configure, this.
Install Privoxy into the jail and forward .i2p domain name requests to the I2P router.
# pkg install privoxy
To allow it to autostart, edit /etc/rc.conf:
privoxy_enable="YES"
We need to pre-create the run directory:
# mkdir /var/run/privoxy
# chown privoxy:privoxy /var/run/privoxy
To create the necessary config files, start Privoxy manually:
# /usr/local/etc/rc.d/privoxy forcestart
This will create the file /usr/local/etc/privoxy/config
That is hokey. You have to run it to create the config file so you can edit it?
Edit the configuration file
listen-address 192.168.1.14:8118
accept-intercepted-requests 1
forward .i2p 127.0.0.1:4444
Restart after making those changes:
# /usr/local/etc/rc.d/privoxy restart
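The chain only works when the three configs agree: the dnsmasq catch address must equal the NAT rule's destination, the NAT inside-address must equal Privoxy's listen-address, and Privoxy must accept intercepted requests and forward .i2p to the local I2P HTTP proxy. The Python check below is an added example, not part of the original notes; the function names and the embedded sample configs are constructed for illustration, and `nat` is assumed to hold the rule blocks from inside `nat { }`.

```python
import re

# Constructed sample inputs that mirror the values used on this page.
DNSMASQ = "address=/i2p/10.191.0.1\n"
NAT = """rule 1 {
    destination {
        address 10.191.0.1
        port 80
    }
    inside-address {
        address 192.168.1.14
        port 8118
    }
    type destination
}"""
PRIVOXY = """listen-address 192.168.1.14:8118
accept-intercepted-requests 1
forward .i2p 127.0.0.1:4444
"""

def parse_edgeos(text):
    """Parse EdgeOS `name { ... }` blocks into nested dicts."""
    root = {}
    stack = [root]
    for line in filter(None, map(str.strip, text.splitlines())):
        if line.endswith("{"):
            stack.append(stack[-1].setdefault(line[:-1].strip(), {}))
        elif line == "}":
            stack.pop()
        else:
            key, _, value = line.partition(" ")
            stack[-1][key] = value.strip('"')
    return root

def check_chain(dnsmasq, nat, privoxy):
    """Return mismatches between the DNS catch, the DNAT rule and Privoxy."""
    problems = []
    catch = re.findall(r"^address=/i2p/(\S+)", dnsmasq, re.M)
    rule = next((r for r in parse_edgeos(nat).values() if r.get("type") == "destination"), {})
    dst, inside = rule.get("destination", {}), rule.get("inside-address", {})
    opts = re.findall(r"^[ \t]*([\w-]+)[ \t]+(.+?)[ \t]*$", privoxy, re.M)
    if catch != [dst.get("address")]:
        problems.append("dnsmasq catch IP does not match the NAT destination address")
    if ("listen-address", f"{inside.get('address')}:{inside.get('port')}") not in opts:
        problems.append("Privoxy does not listen on the NAT inside-address")
    if ("accept-intercepted-requests", "1") not in opts:
        problems.append("Privoxy will reject redirected (intercepted) requests")
    if not any(k == "forward" and re.fullmatch(r"\.i2p\s+127\.0\.0\.1:\d+", v) for k, v in opts):
        problems.append("no 'forward .i2p' rule pointing at the local I2P HTTP proxy")
    return problems
```

Calling `check_chain(DNSMASQ, NAT, PRIVOXY)` returns an empty list for the values used on this page; each mismatch is reported as one message.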