
Hosting a site on the I2P anonymous network (+ paranoid mode)



Suppose you have already been on I2P a few times, hung out with the guys in IRC, warmed to the idea of a cozy invisible internet, and started thinking about a little place of your own in I2P. Mulling it over, you sat for a couple of days in front of an open laptop, having heard on the news that not only Flibusta but also RuTracker had been banned, and finally remembered that you were Snowden and the founder of WikiLeaks (a very unexpected turn, I admit; I did not expect this from you myself) and had long been looking for a platform for publishing socially significant information. For example, you decided to post somewhere the pictures of cats that you had posted on Twitter (Snowden likes cats on Twitter, did you know?). And your choice fell on I2P.

What you need for this: a running web server and the I2P daemon (i2pd). If you do not have i2pd, install it (links to both installation tutorials, for Windows and for Unix, are at the end of the publication). In our example, the server can be reached at

127.0.0.1:8080

Note: if you want the site to be accessible only via I2P, keep in mind that connecting your server to the i2pd router does not cut off the server's other connections to the regular Internet. You have to disable those yourself, so that the only connection left is the one between the router and the server on your local machine.

As you remember, i2pd is a box with a bunch of ports, located inside your computer and connected to the I2P network. The server you started is another box that can also be reached through ports. So if we join the ports together, our server will be connected to the I2P network. And since our server listens on 127.0.0.1:8080, we take i2pd and point it at the same address.

Open the config file (on Unix: ~/.i2pd/tunnels.cfg, on Windows: %appdata%\i2pd) and add to it:

[SUPERHACKERSITE]
type = http
host = 127.0.0.1
port = 8080
keys = superhackersite.dat

Unlike client tunnels such as the IRC one, here we act as the server ourselves: we no longer connect to something on the network, people come to us from the network, so the tunnel type is set accordingly. Instead of http, you could specify server. The difference is that the server type passes data through as is (you can use it to connect to your server as well), while the http type adds the following headers:

X-I2P-DestHash - the hash of the visitor's address, in base64
X-I2P-DestB32 - the same, but in base32
X-I2P-DestB64 - the visitor's full base64 address

For server administrators, these headers make it possible to build sessions and work with each visitor individually (yes, this is possible in I2P too, as long as the visitor connects from the same address).
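One way a server behind the http tunnel can key per-visitor state on X-I2P-DestB32, as an added example that is not from the original article. It assumes the header may arrive with or without the .b32.i2p suffix and that only the local i2pd router should ever reach the server, so requests from any other peer are refused; the names visitor_id and Handler are made up for the example.

```python
import re
from collections import defaultdict
from http.server import BaseHTTPRequestHandler, HTTPServer

B32_RE = re.compile(r"^[a-z2-7]{52}$")  # 32-byte hash in base32, padding stripped
SUFFIX = ".b32.i2p"
visits = defaultdict(int)               # per-visitor state, keyed by b32

def visitor_id(headers, peer_ip):
    """Return the visitor's b32 label, or None if the request cannot be trusted."""
    # The header only means something when the request came through the
    # local i2pd router; anything else could set it to any value it likes.
    if peer_ip != "127.0.0.1":
        return None
    value = (headers.get("X-I2P-DestB32") or "").strip().lower()
    if value.endswith(SUFFIX):          # assumption: suffix may be present
        value = value[:-len(SUFFIX)]
    return value if B32_RE.match(value) else None

class Handler(BaseHTTPRequestHandler):
    def do_GET(self):
        vid = visitor_id(self.headers, self.client_address[0])
        if vid is None:
            self.send_error(403, "not an I2P tunnel request")
            return
        visits[vid] += 1
        body = f"visit {visits[vid]} from {vid[:8]}...\n".encode()
        self.send_response(200)
        self.send_header("Content-Type", "text/plain")
        self.send_header("Content-Length", str(len(body)))
        self.end_headers()
        self.wfile.write(body)

if __name__ == "__main__":
    # Loopback only, the same address the tunnel in tunnels.cfg points at.
    HTTPServer(("127.0.0.1", 8080), Handler).serve_forever()
```

A visitor whose router starts with a new address each time will show up as a new visitor_id on every start, so this state is only stable for visitors with fixed keys.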

The key file, as you have already noticed, can be named however we like. Store this file carefully, because it contains the keys our site's address is tied to.

Optionally, you can enable paranoid mode: access for strictly selected addresses only. Have each of your friends look up their own network address (it is shown to them in the web console on the LocalDestinations tab, alongside the addresses of the tunnels they have set up; they can find it by elimination, comparing against the addresses on the I2P Tunnels page) and tell it to you. You will then need to add an extra line to the tunnel being created, listing the addresses in the form 26qxgmyqczulza5ym3jij5er3onclacejyqzecuhjllwun3kxuzq (without any .b32.i2p suffix) and separating them with commas. It looks like this:

accesslist = 26qxgmyqczulza5ym3jij5er3onclacejyqzecuhjllwun3kxuzq, 4bpcp4fmvyr46vb4kqjvtxlst6puz4r3dld24umoo5mesxzspa, etc.

True, for this to work your friends on the accesslist will have to start their routers with the proxykeys key every time they want to connect to you (see the link to the document on configs at the end of the publication); let them write a script for it. Without such a configuration, I2P gives each person a new address on every start; new addresses help to remain anonymous.
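A small pre-restart check for the tunnel described above, as an added example that is not part of the original article or of i2pd. It reads tunnels.cfg as an INI file and flags server-side tunnels whose host is not loopback and accesslist entries that carry the .b32.i2p suffix or are not 52 base32 characters; the sample config is constructed and lint_tunnels is a made-up name.

```python
import configparser
import re

B32_RE = re.compile(r"^[a-z2-7]{52}$")
LOOPBACK = ("127.0.0.1", "localhost", "::1")

# Constructed sample: one good entry, one with a suffix, one truncated.
SAMPLE = """\
[SUPERHACKERSITE]
type = http
host = 127.0.0.1
port = 8080
keys = superhackersite.dat
accesslist = 26qxgmyqczulza5ym3jij5er3onclacejyqzecuhjllwun3kxuzq, 4bpcp4fmvyr46vb4kqjvtxlst6puz4r3dld24umooiy5mesxzspa.b32.i2p, aaaa
"""

def lint_tunnels(text):
    """Return a list of (section, problem) pairs for http/server tunnels."""
    cfg = configparser.ConfigParser(interpolation=None, delimiters=("=",))
    cfg.read_string(text)
    problems = []
    for name in cfg.sections():
        sec = cfg[name]
        if sec.get("type", "") not in ("http", "server"):
            continue  # client tunnels are not checked here
        host = sec.get("host", "")
        if host not in LOOPBACK:
            problems.append((name, "host is not loopback: %r" % host))
        if not sec.get("keys"):
            problems.append((name, "no keys file set"))
        entries = [e.strip() for e in sec.get("accesslist", "").split(",")]
        for entry in filter(None, entries):
            if entry.endswith(".b32.i2p"):
                problems.append((name, "accesslist entry has .b32.i2p suffix: " + entry))
            elif not B32_RE.match(entry):
                problems.append((name, "accesslist entry is not 52 base32 chars: " + entry))
    return problems

if __name__ == "__main__":
    for section, problem in lint_tunnels(SAMPLE):
        print(f"[{section}] {problem}")
```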

Save the changes to tunnels.cfg. If i2pd is currently running, stop it from the terminal with:

$ pkill i2pd

Then start it again. Without a restart, the changes to tunnels.cfg will not take effect.

Now go to the web console, follow the link to the 'I2P tunnels' page and look for an entry of the form

SUPERHACKERSITE <4bpcp4fmvyr46vb4kqjvtxlst6puz4r3dld24umooiy5mesxzspa: 8080

Copy everything up to the port. This is the b32 address of your site as seen on the network (it stays constant as long as it is tied to the superhackersite.dat key file you created). Append .b32.i2p to it to get an address like

4bpcp4fmvyr46vb4kqjvtxlst6puz4r3dld24umooiy5mesxzspa.b32.i2p

Start i2pd again and connect to the site through this new address. Did it work? Then the site is accessible from I2P. I almost forgot the most important thing: you wanted to add cats to your page!

When the cats are added, you can share the address with friends (and if you are not Snowden, but have only been pretending to them all this time, do not forget to send your site's address to Snowden, who, again, loves cats).

By the way, you can also get an address for your site completely free of charge. After all, real anonymous people like you and me sometimes need a public address too. To do this, let us look more closely at the I2P addressing system.

Instead of IP addresses, I2P uses long, truly inhuman cryptographic base64 identifiers (512 bytes in length!). They are assigned to every network address: to the router boxes themselves and to every address on the tunnels connected to a router. Our site now has such an identifier as well.

But everyone understands that while base64 addresses are fine in the "router to router" scheme, in the "person to person" scheme they are very, very inconvenient. So the network provides mappings between the inconvenient, long (as much as 512 bytes, let me repeat) addresses and convenient short ones.

There are two kinds of convenient addresses. The first is Internet-style addresses (for example, onelon.i2p or armada.i2p). The second is b32, which we have already met; these are calculated from the b64. B32 addresses, as we have seen, are much shorter, and they are easier to pass to other people in a chat. So what is the difference, and why are both b32 and ordinary Internet-style addresses used? The point is that your router can work out the b64 address corresponding to a b32 on its own. Site names of the kind you are used to on the Internet, on the other hand, are assigned by people; accordingly, the original b64 cannot be computed from a name such as direct.i2p, which means that to reach this address the corresponding b64 identifier must also be stored somewhere.
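How a b32 address is calculated from the b64 identifier, as an added example that is not from the original article: the b64 is decoded with I2P's base64 alphabet ('-' and '~' in place of '+' and '/'), hashed with SHA-256, and the 32-byte hash is written in lowercase base32 without padding. The sample destination is 387 constructed bytes, not a real key, and same_destination is a made-up helper for checking that an address-book entry matches a b32 you were given.

```python
import base64
import hashlib

SUFFIX = ".b32.i2p"

def i2p_b64decode(text):
    """Decode I2P's base64 variant, which uses '-' and '~' for '+' and '/'."""
    return base64.b64decode(text.replace("-", "+").replace("~", "/"), validate=True)

def i2p_b64encode(raw):
    return base64.b64encode(raw).decode().replace("+", "-").replace("/", "~")

def dest_hash(dest_b64):
    """SHA-256 over the binary destination (32 bytes)."""
    return hashlib.sha256(i2p_b64decode(dest_b64)).digest()

def b32_address(dest_b64):
    """base32 of the hash, lowercase, padding stripped, plus .b32.i2p."""
    label = base64.b32encode(dest_hash(dest_b64)).decode().lower().rstrip("=")
    return label + SUFFIX

def same_destination(b32, dest_b64):
    """True if a b32 address and an address-book b64 entry name the same site."""
    b32 = b32.strip().lower()
    if not b32.endswith(SUFFIX):
        b32 += SUFFIX
    return b32 == b32_address(dest_b64)

# Constructed sample: 387 arbitrary bytes standing in for a destination.
SAMPLE_DEST = i2p_b64encode(bytes(i % 251 for i in range(387)))

if __name__ == "__main__":
    print(len(SAMPLE_DEST), "base64 chars ->", b32_address(SAMPLE_DEST))
```

The derivation only goes one way: the hash cannot be turned back into the b64, so going from a b32 to the full identifier always requires obtaining that identifier and checking it against the hash, as same_destination does.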

Mappings between identifiers and site names are stored in address books, and every router running on the network has its own local copy. The closest analogue is the hosts file, except that in I2P address books play a far more important role, although functionally the two are, of course, similar. That is because I2P has no DNS servers as such (in order to increase network resilience). There are, of course, nodes from which any other router can download mappings between site names and base64, but they are only contacted from time to time, to fetch updates for the address book. So when you type a site's address into the address bar, your router looks up the base64 not on remote servers but in its own address book.

The address book lives in a directory of the same name: addressbook. The addresses.csv file you will find there consists of lines mapping Internet-style addresses to base32 identifiers.

As already mentioned, all of this is regularly downloaded from the network through subscriptions to trusted servers (in fact, nodes just like yours). So for our site to end up in other nodes' address books too, you need to register it on one of the corresponding resources, for example the I2P Name Registry: inr.i2p. To register, you will need to submit a request with your site's b64 identifier, which is easy to find in the web console: go to I2P Tunnels and click on the b32 address. There you will see information about the connections and, of course, the b64.

Technically, you can run your own name registration service by placing a text file with address mappings on your site and convincing your visitors to add your site as one more subscription source.

As a result, you can give your friends a b32 identifier, in which case all they need to reach it is a connection to the network; or you can additionally give the site a cool name, but then that name has to appear in their address books.

In addition, there are all sorts of directories, wikis similar to the Hidden Wiki in Tor, and at least one search engine that uses robots.txt to distribute a website's address on the network, but that, as they say, is another story.

Join IRC and talk to the developers on the #i2pd-ru channel. Remember that anonymity depends primarily on you. Good luck building your site!

If you still don't know how to install i2pd, go here:

habrahabr.ru/post/275643 - How to run i2pd for the first time: instructions for Debian / Ubuntu

habrahabr.ru/post/275647 - How to use i2pd: comprehensive instructions for MS Windows

Also, it is recommended to read:

i2pd.readthedocs.org/en/latest/configuration.html#config-files - Daemon Configuration and Startup Settings

xakep.ru/2011/07/07/56161 - Anonymous hosting via I2P: practical tips on using a crypto network

Source: https://habr.com/ru/post/276131/

