I2P (short for Invisible Internet Protocol) is an anonymizing layer for TCP and UDP. It is a much smaller darknet than Tor, but more resilient to Sybil (aka 51%) attacks. It also doesn't have a notion of "exit nodes" – all traffic stays inside the i2p network. Well, there is a thing called outproxies, but from my experience they aren't very useful. I2P is just not meant to be used as a VPN to the clearnet.
It all seems dandy, until you learn that for it to become at all usable, your node (or router, in I2P terms) needs to be running for some time. Ideally, you would have it run 24/7, but of course that's off the table for most people. The solution though is to run a router on a server (can be a rented VPS, or one you physically own), and then connect to that server from your local machine when you want to browse i2p. This article will guide you through creating such a setup, assuming you already have a Debian server up and running and that you're using Linux locally. (It probably will work with Mac OS, and it might work with Windows, but no guarantees there)
Server-side setup
First, we are going to want to make sure our system is up to date. Then, we will install i2pd – a lightweight implementation of an I2P router. The "official" implementation is written in Java, and is pretty memory-hungry, so I'm opting for using i2pd instead.
Now if you're using a "Stable" version of Debian, the version of i2pd in your package repository is probably months-, if not years-old, so I recommend switching to Debian Unstable. Don't get fooled by the name – I use it exclusively and never had any stability problems. If you really don't want to do that, either you'll have to be content with an old i2pd version (don't), or add an external repository. You can see how to do that here. I'm also going to add an entry for it to Extrepo (see my article on Extrepo).
sudo apt update sudo apt upgrade sudo apt install i2pd
Next we're going to configure i2pd to fit our needs. First, look into the /etc/i2pd/i2pd.conf
file. The main point of interest there for us it the ipv4 and ipv6 options.
There you can enable the use of IPv6 by your router. Do that if you know your server can use IPv6 and you
know what that means. Don't change anything otherwise. Everything else is using sane defaults, but
the default configuration also adds some tunnels for IRC, which we don't need right now. To turn
those off, comment out everything in /etc/i2pd/tunnels.conf by prefixing lines with hashes,
and make sure that the content of files inside /etc/i2pd/tunnels.d is also commented.
With i2pd configured, we now want to reload it in order for the configuration to take effect.
sudo systemctl reload i2pd
That is all we need to do from the server's side.
Local setup
On your local machine (the one you will be browsing i2p from) you are now going to write a shell script that does something called SSH port forwarding. More precisely, I've already written a script for you:
#!/bin/sh ssh -nTNL 127.0.0.1:4444:127.0.0.1:4444 your_user@your_ddress & sshpid="$!" your_browser kill "$sshpid"
Just replace your_user with the username of the user on your server, your_address
with the address of your server, and your_browser with your browser of choice. Mind you, this
only works if your browser doesn't detach from the shell it's launched in. In particular, I know this doesn't
work with Brave, which leads me to believe it won't work with most if not all Chromium-based browsers.
I know it works with Firefox (and LibreWolf, so probably most forks of Firefox) though. But I generally
recommend using a different browser for i2p than the one you use daily, so you might as well install LibreWolf,
GNU IceCat, or just Firefox – whichever one you don't use for browsing the normal web. How to do that is beyond
the scope of this guide, but I'm sure you'll manage. Anyway, just copy that shell script with your details filled
in to a file in your filesystem, for example ~/.local/bin/browse-i2p or ~/bin/browse-i2p
– wherever you store your user-installed scripts. The only important thing is for it to be on your PATH.
Then run chmod +x path/to/your/script to be able to run it.
Run that script, and in your browser, configure it to use the HTTP proxy located at 127.0.0.1
(or just localhost), port 4444. In Firefox/LibreWolf it's in Settings → General →
Network Settings → Settings... → Manual proxy configuration. You will also want to disable any HTTPS-only-like
settings, since most eepsites (that's how services on i2p are commonly called) use plain old HTTP. HTTPS is generally
not needed when communicating over i2p, since i2p itself is already a layer of encryption, and it's not very useful
for traffic encryption anyway because of how SSL/TLS certificates work. Also, in Firefox and Firefox-based browsers,
I recommend visiting about:config, searching for keyword.enable, and disabling that option.
You will not be able to search anything on Google or DuckDuckGo anyway, so this only improves user experience.
Et voilà, you have an i2p router and browser set up. As the last thing, you can run the command
ssh -nTNL 127.0.0.1:7070:127.0.0.1:7070 your_user@your_address in a terminal window, and go to
http://localhost:7070 in your browser (should also work in the i2p-configured one) to see
the router console. There you can see some stats about your router, like the tunnel creation success rate.
If Network status says OK, and your tunnel creation success rate is above 40%,
it means all's working fine and there should not be any issues. Otherwise, if the success rate is very low
(like single-digit low), that means something's gone wrong, and you can try and look for help on the internet.
As a starter, you can visit some eepsites that provide a list of other eepsites:
