This post is not really for typical users of i2p. It is for system administrators or people who may be setting i2p up for you in a more secure environment or integrating it into a network. This is what I affectionately call “techno-babble” for most of you. This information is valid for i2p version 0.9.13 as of 01JUL2014. I have tried to create a more secure i2p installation and ran into some issues; some of them I have since figured out were documented on the i2p site, but not well enough that I understood them. It took much longer than expected. I have been working very hard to expand our American Redoubt Darknet (AmRD) project with this more secure setup, however I have had some issues getting some added features working and I thought to share. First, a little about what we are doing.
I2p can be installed in many different modes. I’ve been working on installing i2p in a more secure configuration, including enterprise firewalls, routers, application firewalls and operating system firewalls such as iptables or the Windows firewall. Many other types of software can also be loaded on your computer to implement a host-based firewall. Why did I implement more computer and network security? To raise the bar for anyone trying to hack the i2p installation I am building. A very normal approach to security is not only to limit the services that are running on a machine, but to limit the ports and protocols that are even open to that machine.
One issue in working with i2p behind this extra security infrastructure is configuring your Internet routers and firewalls, and that is what has cost me a lot of time and frustration. The FAQ on geti2p.net, under “What ports does i2p use?”, says roughly this: outbound UDP from the random port noted on the configuration page to arbitrary remote UDP ports, allowing replies; and outbound TCP from random high ports to arbitrary remote TCP ports. Even though it said this, I did not understand.
I am sharing my lessons learned. To get i2p working correctly you apparently need to allow all TCP and UDP ports from 9000 through 31000 outbound from the server. You should allow your configurable “arbitrary” port, what I call the i2p secret port, in and out over both TCP and UDP, but you must also allow all TCP and UDP ports between 9000 and 31000 outbound. You also must allow Network Time Protocol (NTP) out; note that NTP runs over UDP port 123, not TCP. You do not have to (and it is not recommended to) allow inbound access to low-numbered ports such as 80 (web sites) or 22 (SSH) on an i2p box you are trying to reach remotely. Services you want reachable through i2p are published through its tunnels rather than directly, so why expose them to a direct attack?
Thus, to use i2p minimally, you can allow one of the following:
- Nothing in, but all TCP / UDP ports 9000 through 31000 out, plus NTP (UDP port 123) out.
- Your i2p secret port both TCP and UDP in and out, NTP (UDP port 123) out, and all TCP / UDP ports 9000 through 31000 out.
What is interesting is that if you only allow i2p out on its “secret port”, the port you configure, and no other arbitrary or secret ports, it goes into this “Testing” mode and never comes out of it as of version 0.9.13. I think the error message could be more helpful.
Here is what I think is happening. I think i2p starts calling around looking for a list of other servers to join the Darknet. A question is, how does i2p know which server to call initially? No matter; it then appears to start trying to communicate with these servers, not over your configurable “secret” or arbitrary port as I expected, but on random remote ports between 9000 and 31000. I2p doesn’t know which ports other i2p routers are working on, because you can configure this port or i2p randomly selects it (which is why they call it the arbitrary port), and it can be any port from 9000 to 31000. It is very important never to share this port with anyone, because this port is exposed. The reason i2p uses any high port between 9000 and 31000 is to make it harder for governments to block i2p in their countries. The government would have to block all ports in this range to stop i2p from working, and, truth be told, you could configure i2p to use different low-numbered ports, but once again that is not recommended for various reasons. This I think is a strength of i2p; however, I had all of those ports blocked because I thought you only needed your configurable “secret” port open. In that configuration, like I said, I could see traffic going out and I could see peers joining, but the i2p router never got out of “Testing” mode and it did not allow anyone to connect inward. The ports FAQ on the geti2p.net page says that i2p can work completely behind a firewall. I also think that is a bit misleading. It can work behind a firewall that blocks incoming ports. It cannot work behind a firewall that blocks all outgoing ports in its secret or arbitrary port range.
Again, the minimal ports that i2p appears to need to work “well” behind a network firewall like Cisco or Check Point are an access list that allows all TCP and UDP ports out between 9000 and 31000. The only low-numbered port it specifically needs is NTP out (UDP 123). Apparently, to work well, it also needs your configurable “secret” port in and out on both TCP and UDP.
Next up is to restrict the arbitrary ports to only UDP between 9000 and 31000, as the FAQ suggests, to see if that works. Right now I allow both TCP and UDP. Then I will also block the same on the host computer using iptables (defense in depth). This should greatly reduce the number of ports an attacker can enter the system through. Another practice of good secure system administration is to run an internal NTP server, so the i2p box does not have to fetch time directly from the Internet. Also run a separate internal DNS server in case you need it; that way the i2p box makes its DNS queries to a local box, which is hopefully taking a different path to the Internet. Remember, paranoia does not work in the past tense.
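Here is the minimal policy above expressed as a host-based iptables ruleset. This is an added example for illustration, not code from the original post or from the i2p project. It assumes the i2p secret port and the address of your (ideally internal) NTP server are passed as arguments; the values 23456 and 10.0.0.5 used below are made up. It allows the secret port in and out over TCP and UDP, the 9000 through 31000 range out over TCP and UDP, and NTP out over UDP 123, and drops everything else, so inbound 22 and 80 never reach the box. One caveat the post does not cover: a fresh i2p install first reseeds by fetching router information over HTTP/HTTPS, which this ruleset does not permit, so let the router reseed before applying it or add a temporary outbound rule for that step.

```shell
#!/bin/sh
# Added example: generate an iptables-restore ruleset for a host running i2p,
# implementing the minimal "secret port in/out + 9000-31000 out + NTP out" policy
# described in the post. Hypothetical inputs, not from the post: $1 is the i2p
# secret port shown on the router configuration page, $2 is the NTP server.
I2P_ARBITRARY_RANGE="9000:31000"   # the range the post observed peers listening on

gen_i2p_rules() {
  port="${1:?usage: gen_i2p_rules <i2p-secret-port> <ntp-server>}"
  ntp="${2:?usage: gen_i2p_rules <i2p-secret-port> <ntp-server>}"
  cat <<EOF
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT DROP [0:0]
# loopback, and replies to conversations that were already allowed
-A INPUT -i lo -j ACCEPT
-A OUTPUT -o lo -j ACCEPT
-A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
-A OUTPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
# i2p secret port: TCP and UDP, inbound and outbound
-A INPUT -p tcp --dport ${port} -m conntrack --ctstate NEW -j ACCEPT
-A INPUT -p udp --dport ${port} -j ACCEPT
-A OUTPUT -p tcp --sport ${port} -j ACCEPT
-A OUTPUT -p udp --sport ${port} -j ACCEPT
# outbound to other routers' arbitrary ports (the range the post needed open);
# drop the tcp line to try the UDP-only variant the post plans to test
-A OUTPUT -p tcp --dport ${I2P_ARBITRARY_RANGE} -m conntrack --ctstate NEW -j ACCEPT
-A OUTPUT -p udp --dport ${I2P_ARBITRARY_RANGE} -j ACCEPT
# NTP is UDP 123; restrict it to the chosen time server
-A OUTPUT -p udp -d ${ntp} --dport 123 -j ACCEPT
# everything else, including inbound 22 and 80, falls through to the DROP policies
COMMIT
EOF
}

# Sanity check on the generated text: the only INPUT rules that ACCEPT new
# traffic must be for loopback, established replies, or the secret port.
# Returns 0 when the ruleset passes, 1 when some other inbound ACCEPT slipped in.
check_no_extra_inbound() {
  gen_i2p_rules "$1" "$2" \
    | grep -- '^-A INPUT' | grep -- '-j ACCEPT' \
    | grep -v -e '-i lo' -e ESTABLISHED -e "--dport $1 " \
    | grep -q . && return 1
  return 0
}

# Usage: gen_i2p_rules 23456 10.0.0.5 | iptables-restore --test
```

Run the output through `iptables-restore --test` first to catch syntax errors, then load it for real once the router is already out of “Testing” mode, since the first reseed needs outbound HTTP/HTTPS that this policy blocks.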
We have discussed the AmRD project several times. In short, I believe learning and practicing computer security is a critical component of your preparedness, both as things spin down and as things spin back up in the rebuilding. I have noticed that the Left, or progressives, not necessarily authoritarians but many of what we call “classic” liberals, dominate the computer security / hacking communities. What I mean by “classic liberal” is a more left-wing, progressive approach, which we may not agree with, but people who are rabidly opposed to the surveillance state and the police state and who recognize that there is little to no difference between a fascist nation and a communist nation.
I may not agree with where classic liberals want to go, but I can completely cooperate with them in opposing the ever-expanding police state. Examples of Patriots trying to use computer anonymity and security include people who are leaking information about the IRS scandal, people who provided information on Fast and Furious, people who are leaking information about conditions at the Southern border, and people who are obeying their Oaths and leaking information about purchases of military equipment to others. In these examples and many, many more cases, all of these people would benefit from using TAILS, TOR, i2p and Pidgin encrypted chat to leak their documents and communicate with honest political leaders and members of the press, specifically alternative media such as the blog-o-sphere. The AmRD project is my approach to bringing many of these computer security tools and concepts to the more conservative Traditional Patriot movement.