Whonix on Qubes Setup - Advanced
Works on Qubes OS 4.1 and newer, Whonix 16 or newer

Prerequisites
- Install Qubes OS with the Whonix templates.
- Set up a Whonix-Workstation ™ qube (anon-whonix) with persistence configured correctly. Without persistence correctly set up, all progress is lost when the virtual machine restarts.

All following commands are entered in the Whonix-Workstation terminal. On Qubes, run the keyring, repository and package-installation steps in the whonix-ws-XX template, because changes to the root filesystem of anon-whonix itself do not survive a restart; the template is shut down before anon-whonix is started.

Add the I2P signing key to your Qubes install

If you are using Whonix-Workstation ™ (anon-whonix), download the keyring through the local HTTP proxy on 127.0.0.1:8082 (a plain HTTP proxy, so the scheme is http://, not https://):
```bash
scurl-download --proxy http://127.0.0.1:8082 --tlsv1.2 https://geti2p.net/_static/i2p-archive-keyring.gpg
```

Then display the key's fingerprint and verify it:

```bash
gpg --keyid-format long --import --import-options show-only --with-fingerprint i2p-archive-keyring.gpg
```

Compare the fingerprint against the one published on the Whonix wiki page about I2P; do not rely on the copy printed here alone. It should read exactly:

```
7840 E761 0F28 B904 7535 49D7 67EC E560 5BCF 1346
```

Only after confirming that the fingerprint matches, copy the signing key into the APT keyring folder:

```bash
sudo cp i2p-archive-keyring.gpg /usr/share/keyrings/i2p-archive-keyring.gpg
```

Now add the I2P APT repository. The suite (`bullseye` here, matching Whonix 16; Whonix 17 is based on `bookworm`) must match the Debian release your template is built on; `signed-by` restricts this source to the key just installed, and `tor+https` fetches it through Tor:

```bash
echo "deb [signed-by=/usr/share/keyrings/i2p-archive-keyring.gpg] tor+https://deb.i2p2.de/ bullseye main" | sudo tee /etc/apt/sources.list.d/i2p.list
```
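The download, fingerprint check and keyring install above, collapsed into one script that refuses to install the keyring unless the fingerprint matches. This is an added example, not the Whonix wiki's or the I2P project's own code. It assumes that scurl-download saves the file as i2p-archive-keyring.gpg in the current directory (as the manual steps do), that gpg honours `--with-colons` together with `--import-options show-only`, and that the suite (bullseye by default; override with the hypothetical I2P_SUITE variable) matches the template's Debian release. SAMPLE_LISTING is a constructed gpg listing used only by the self-test.

```bash
#!/bin/bash
# i2p-keycheck.sh: fetch the I2P archive keyring through the local HTTP
# proxy, verify its primary-key fingerprint without eyeballing it, and only
# then install the keyring and the APT source. Added example, not the
# Whonix wiki's script. Assumptions: scurl-download saves the file under its
# remote name in the current directory; I2P_SUITE (hypothetical) names the
# Debian suite of the template, default bullseye.
set -eu

EXPECTED_FPR="7840 E761 0F28 B904 7535 49D7 67EC E560 5BCF 1346"
KEYRING_URL="https://geti2p.net/_static/i2p-archive-keyring.gpg"
PROXY="http://127.0.0.1:8082"
KEYRING_DST="/usr/share/keyrings/i2p-archive-keyring.gpg"
SUITE="${I2P_SUITE:-bullseye}"

# Fingerprints compare equal regardless of spacing or case.
norm_fpr() { printf '%s' "$1" | tr -d ' \n' | tr '[:lower:]' '[:upper:]'; }

# Read a `gpg --with-colons` listing on stdin and print the fingerprint of
# each primary key: the fpr record that directly follows a pub record
# (field 10). Subkey fpr records, which follow sub records, are skipped.
extract_primary_fprs() {
  awk -F: '$1=="pub"{want=1;next} $1=="fpr"&&want{print $10;want=0} $1=="sub"{want=0}'
}

# Succeed only if the listing on stdin holds exactly one primary key and it
# matches $1. A keyring carrying an extra key is rejected even when one key
# matches, because [signed-by=] trusts every key in the file.
fpr_matches() {  # $1 = expected fingerprint; listing on stdin
  local expected got n
  expected=$(norm_fpr "$1")
  got=$(extract_primary_fprs)
  n=$(printf '%s\n' "$got" | grep -c . || true)
  if [ "$n" -eq 1 ] && [ "$(norm_fpr "$got")" = "$expected" ]; then
    return 0
  fi
  return 1
}

# Constructed sample of a colon listing for one primary key with one subkey
# (the uid and dates are made up). Used by selftest, never by main.
SAMPLE_LISTING='pub:-:4096:1:67ECE5605BCF1346:1400000000:::-:::scESC::::::23::0:
fpr:::::::::7840E7610F28B904753549D767ECE5605BCF1346:
uid:-::::1400000000::0000000000000000000000000000000000000000::I2P Archive Keyring (constructed sample)::::::::::0:
sub:-:4096:1:0123456789ABCDEF:1400000000::::::e::::::23:
fpr:::::::::00112233445566778899AABB0123456789ABCDEF:'

selftest() {
  printf '%s\n' "$SAMPLE_LISTING" | fpr_matches "$EXPECTED_FPR" || return 1
  # Wrong expected value: rejected.
  if printf '%s\n' "$SAMPLE_LISTING" | fpr_matches "0000 0000 0000 0000 0000 0000 0000 0000 0000 0000"; then return 1; fi
  # Two primary keys in one keyring: rejected although one of them matches.
  if printf '%s\n%s\n' "$SAMPLE_LISTING" "$SAMPLE_LISTING" | fpr_matches "$EXPECTED_FPR"; then return 1; fi
  return 0
}

main() {
  local tmp
  tmp=$(mktemp -d)
  trap 'rm -rf "$tmp"' EXIT
  (cd "$tmp" && scurl-download --proxy "$PROXY" --tlsv1.2 "$KEYRING_URL")
  if ! gpg --with-colons --import --import-options show-only "$tmp/i2p-archive-keyring.gpg" \
       | fpr_matches "$EXPECTED_FPR"; then
    echo "i2p-archive-keyring.gpg: fingerprint does not match $EXPECTED_FPR; not installing" >&2
    return 1
  fi
  # Same effect as the manual cp, with explicit ownership and mode.
  sudo install -o root -g root -m 0644 "$tmp/i2p-archive-keyring.gpg" "$KEYRING_DST"
  echo "deb [signed-by=$KEYRING_DST] tor+https://deb.i2p2.de/ $SUITE main" \
    | sudo tee /etc/apt/sources.list.d/i2p.list >/dev/null
}

# Run main only when invoked under this file's name, not when sourced.
case "${0##*/}" in i2p-keycheck.sh) main ;; esac
```

Save it as i2p-keycheck.sh in the whonix-ws-XX template and run it with `bash i2p-keycheck.sh`; the manual `gpg --with-fingerprint` step is still worth doing once to compare against the Whonix wiki, since the expected value in the script is only as trustworthy as where you copied it from.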
Install both I2P packages:

```bash
sudo apt update && sudo apt full-upgrade
sudo apt install --no-install-recommends i2p i2p-keyring
```

Configure the I2P service to start automatically at boot (leave the defaults and answer 'Yes'):

```bash
sudo dpkg-reconfigure i2p
```
Edit the router console's listen address so that Tor Browser can reach the console directly, without going through the Whonix Tor proxy:

```bash
sudoedit /var/lib/i2p/i2p-config/clients.config.d/00-net.i2p.router.web.RouterConsoleRunner-clients.config
```

Change `127.0.0.1` to `127.0.0.2` on the `args=7657` line, which sets the console's port and bind addresses.

**THE ABOVE STEP IS BROKEN ON THE LATEST I2P/WHONIX: the edit does not survive a restart.**
To reapply the change automatically, create a startup script:

```bash
sudo nano /start.sh
```

Add the following bash script (the dots in the address are escaped so the pattern matches only the literal `127.0.0.1`):

```bash
#!/bin/bash
set -e
sed -i 's/127\.0\.0\.1/127.0.0.2/' /var/lib/i2p/i2p-config/clients.config.d/00-net.i2p.router.web.RouterConsoleRunner-clients.config
systemctl restart i2p
```

Make the script executable:

```bash
sudo chmod +x /start.sh
```

Create this file in the root of the whonix-ws-XX template's filesystem, so that it is present in every anon-whonix qube started from that template.

Each time you start the anon-whonix qube, open Xfce Terminal and run:

```bash
sudo /start.sh
```

It can be invoked automatically at startup (Qubes runs /rw/config/rc.local as root when an AppVM boots), but this has not worked reliably.
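A more careful version of /start.sh, as an added example (not the page's own script and not from Whonix or I2P): it touches only the console's `args=7657` line, escapes the dots in the address, restarts i2p only when the file actually changed, and then waits for the console to come up on 127.0.0.2:7657 instead of assuming it did. It assumes the clients.config.d layout shown in the constructed SAMPLE_CONF and that ss(8) from iproute2 is installed; SAMPLE_CONF is used only by the self-test.

```bash
#!/bin/bash
# i2p-console-rebind.sh: re-point the I2P router console from 127.0.0.1 to
# 127.0.0.2 at anon-whonix boot. Added example, not from the Whonix wiki or
# the I2P project. Assumptions: the clients.config.d layout approximated by
# SAMPLE_CONF below, and ss(8) from iproute2 for the listening check.
set -eu

CONF=/var/lib/i2p/i2p-config/clients.config.d/00-net.i2p.router.web.RouterConsoleRunner-clients.config
NEW_ADDR=127.0.0.2
CONSOLE_PORT=7657

# Constructed approximation of the Debian package's console config (the
# real file may carry more keys). Used by selftest only.
SAMPLE_CONF='clientApp.0.args=7657 ::1,127.0.0.1 ./webapps/
clientApp.0.delay=-1
clientApp.0.main=net.i2p.router.web.RouterConsoleRunner
clientApp.0.name=I2P Router Console
clientApp.0.startOnLoad=true'

# Replace 127.0.0.1 with 127.0.0.2 only on the console's "args=7657" line,
# matching the address as a whole token (dots escaped, delimited by space,
# comma or line ends). Prints "changed" or "unchanged"; exit status is 0
# either way so callers branch on the word, not on failure.
rebind_console() {  # $1 = path to the clients.config.d file
  local file=$1 before after
  before=$(cat "$file")
  sed -i -E '/^clientApp\.[0-9]+\.args=7657 /s/(^|[ ,])127\.0\.0\.1([ ,]|$)/\1127.0.0.2\2/' "$file"
  after=$(cat "$file")
  if [ "$before" = "$after" ]; then echo unchanged; else echo changed; fi
}

# Succeed if a TCP listener is bound to $1:$2.
console_listening() {  # $1 = address, $2 = port
  ss -Hltn "( sport = :$2 )" 2>/dev/null | grep -q "$1:$2"
}

# Apply the rewrite, restart i2p only if the file changed, then wait up to
# 30 s for the console to listen on the new address.
main() {
  if [ "$(rebind_console "$CONF")" = changed ]; then
    systemctl restart i2p
  fi
  i=0
  while [ "$i" -lt 30 ]; do
    if console_listening "$NEW_ADDR" "$CONSOLE_PORT"; then
      echo "router console listening on $NEW_ADDR:$CONSOLE_PORT"
      return 0
    fi
    sleep 1; i=$((i + 1))
  done
  echo "router console not listening on $NEW_ADDR:$CONSOLE_PORT; see: journalctl -u i2p" >&2
  return 1
}

# Exercise rebind_console on the constructed sample in a temp file: the
# first call changes it, the second is a no-op, other keys are untouched.
selftest() {
  local tmp
  tmp=$(mktemp)
  printf '%s\n' "$SAMPLE_CONF" > "$tmp"
  [ "$(rebind_console "$tmp")" = changed ] || { rm -f "$tmp"; return 1; }
  grep -qx 'clientApp.0.args=7657 ::1,127.0.0.2 ./webapps/' "$tmp" || { rm -f "$tmp"; return 1; }
  grep -qx 'clientApp.0.main=net.i2p.router.web.RouterConsoleRunner' "$tmp" || { rm -f "$tmp"; return 1; }
  [ "$(rebind_console "$tmp")" = unchanged ] || { rm -f "$tmp"; return 1; }
  rm -f "$tmp"
}

# Run main only when invoked as /start.sh or under this file's name.
case "${0##*/}" in start.sh|i2p-console-rebind.sh) main ;; esac
```

Installed as /start.sh in the template and run with `sudo /start.sh`, it behaves like the original script on a fresh boot but does not bounce a healthy i2p service when the address is already correct, and it tells you when the console never came up rather than leaving you to discover it in Tor Browser.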
Enable I2P on anon-whonix startup:

```bash
sudo systemctl enable i2p
```

Shut down the whonix-ws-XX template.

Start (or restart) the anon-whonix qube.

From the Qubes application menu, open the Xfce Terminal listed under anon-whonix (IMPORTANT: not the one under the template).

If the I2P service is not running, start it:

```bash
sudo systemctl start i2p
```
Now that I2P is installed in your Whonix qube, configure Tor Browser to send HTTP requests through I2P's HTTP proxy on `127.0.0.1:4444` and to reach the router console on `127.0.0.2` directly. Navigate to `about:config` in Tor Browser, then search for and change the following settings:
* Search for `extensions.torbutton.use_nontor_proxy` set it to `true`
* Search for `network.proxy.http` set it to `127.0.0.1`
* Search for `network.proxy.http_port` set it to `4444`
* Search for `network.proxy.no_proxies_on` set it to `127.0.0.2`
* Search for `network.proxy.socks_remote_dns` set it to `false`
* Search for `dom.security.https_first_pbm` set it to `false`
* Search for `dom.security.https_only_mode` set it to `false`
* Search for `javascript.enabled` set it to `false`
<font color="red">When following these instructions, the about:config changes in Tor Browser worsen the browser fingerprint. This is unavoidable if the user intends to use I2P. The modified Tor Browser should only be used for I2P purposes.</font>
Navigate to your I2P Router Console at `127.0.0.2:7657` to check statistics. On the first run you will most likely need to wait 20 minutes or more before any eepsite is reachable through the proxy. As more tunnels are built, the connection becomes faster and more reliable.

Errors such as `Network: ERR-UDP Disabled and Inbound TCP host/port not set`, `ERR-Clock Skew of X min` or `WARN [Timestamper] .router.time.RouterTimestamper: Unable to reach any of the NTP servers ...` can be safely ignored: Tor carries neither UDP nor inbound connections, so the router has no reachable inbound transport, and NTP (which runs over UDP) is unreachable for the same reason.

Once the Local Tunnels (shared clients) section shows a green connection, I2P should be fully functional and it is possible to browse eepsites. Some users report that it can take more than 10 minutes before the tunnels are stable and available.

I2P is functional over Tor, but users should be aware that the I2P developers neither support nor recommend running it over Tor. Just because it works does not mean it is supported: upstream I2P developers will not change any I2P behaviour to address connectivity issues of I2P over Tor, because I2P was never designed to run over Tor. The reason to run it this way regardless is to hide your real IP address from the I2P network.