I2PD Guide (OpenBSD)

Part I. Install¹#

Intro#

This is a tutorial on how to install i2pd on OpenBSD.

Why? The port of i2pd on OpenBSD fails to build a dependency (at least for me) and builds extra packages that aren’t required for my use case, such as universial plug and play (UPnP).

Dependencies#

$ doas pkg_add boost cmake git

Commands/Install#

$ export I2PD_VERSION=2.54.0 # Or replace with latest version

$ mkdir .i2pd
$ cd .i2pd

$ wget https://github.com/PurpleI2P/i2pd/archive/refs/tags/${I2PD_VERSION}.tar.gz

$ tar -xzvf ${I2PD_VERSION}.tar.gz
$ cd i2pd-${I2PD_VERSION}

$ cd build
$ cmake .
$ make

$ doas make install

Copying Files#

If this is the first install, copy the configuration files to the correct location:

$ cd ../contrib
$ doas mkdir -p /etc/i2pd /var/lib/i2pd
$ doas cp -R i2pd.conf tunnels.* /etc/i2pd
$ doas cp -R certificates /var/lib/i2pd

Modifying System Settings & Files²#

For a regular node, you should raise the system-wide maxfiles limit to 8192:

# sysctl kern.maxfiles=8192
# echo "kern.maxfiles=8192" >> /etc/sysctl.conf

If you intend to run a floodfill, you should raise this limit even more:

# sysctl kern.maxfiles=16000
# echo "kern.maxfiles=16000" >> /etc/sysctl.conf

Lastly, add the following to the file /etc/login.conf.d/i2pd:

i2pd:\
	:openfiles-cur=8192:\
	:openfiles-max=8192:\
	:tc=daemon:

Startup Script#

sh /etc/rc.d/i2pd

#!/bin/ksh

daemon="${TRUEPREFIX}/bin/i2pd --daemon"
daemon_user="_i2pd"
daemon_flags="--service --datadir=${LOCALSTATEDIR}/lib/i2pd --conf=${SYSCONFDIR}/i2pd/i2pd.conf --tunconf=${SYSCONFDIR}/i2pd/tunnels.conf --tunnelsdir=${SYSCONFDIR}/i2pd/tunnels.d"

. /etc/rc.d/rc.subr

rc_cmd $1

Copy this code into /etc/rc.d/i2pd

Starting#

$ doas rcctl enable i2pd
$ doas rcctl start i2pd # You may want to configure i2pd.conf before starting

Part II. Firewall#

By default it can connect to the i2p network without exposing a port, but the connection quality will be impacted.

Universal Plug and Play (UPnP)#

When building and installing this package, it is built without Universal Plug and Play (UPnP) support. UPnP is very very very insecure and should never be used!!!

If you require UPnP, install the miniupnpc package and enable the UPnP build flag when building i2pd in step 1.

Choosing Port#

Open i2pd.conf in /etc/i2pd/ and find this section:

sh /etc/i2pd/i2pd.conf

## Port to listen for connections
## ...
# port = 4567

Change the port to any unused port by common network services and open the port on your (hopefully) existing router’s firewall.

Opening Firewall#

We also need to open this port on this system’s firewall, otherwise its pointless.

Edit pf.conf in /etc/ and add the following:

sh /etc/pf.conf

## Port to listen for connections
## ...
pass in on egress proto {tcp udp} from any to any port <selected port>
pass out on egress proto {tcp udp} from any to any port <selected port>

This will open the selected port so peers can connected more effectivly.

Part III. Usage#

Ports#

Since I run this on a seperate (local) server, I could listen on all interfaces for the proxy, so any clients on the local network could utilize this, but I prefer to expose as little ports/services as possible to any network. One way to use this is to tunnel local ports over SSH. For example, to tunnel the http proxy port and the i2pd webconsole from my machine to the server, this could be used:

$ ssh -fTNL 4444:127.0.0.1:4444 -L 7070:127.0.0.1:7070 user@hostname

It is not recommended to do this over the public internet (and you should always use ssh keys), which is why I only use this on my local network.

Browser#

It is recommended to use a hardened Firefox configuration. This could be done by:

Creating a seperate profile, and using a custom user.js: ArkenFox’s user.js.
Using a custom Firefox fork, such as LibreWolf or Mullvad Browser.
Using the standalone Tor Browser (more complicated).

User Agent (advanced) (optional)#

The i2pd SOCKS proxy should never be used with normal browsing, as it may leak your user agent making it easier to track you. By default, the http proxy sets the user agent of all http headers: MYOB/6.66 (AN/ON) This is by design to prevent tracking, but when using the i2pd SOCKS proxy, it only redirects the traffic to the i2p network not changing and of the data sent, which may make it easier to track users across eepsites. This can be solved by setting the user agent through about:config, or by using an extension to change the user agent on .i2p sites.

Tracking (optional)#

Most eepsites don’t require JavaScript to function (which is how it should be), so you may want to change javascript.enabled in about.config to false.

When browsing eepsites, you should never use the SOCKS proxy since it will not change your user agent, making it easier to track you.

Part IV. Eepsites³#

An eepsite is simply a website that is hosted on the I2P Network.

Configuring Tunnels#

The best way to host an eepsite is through i2pd’s tunnel configuration.

Edit tunnels.conf in /etc/i2pd/ and add the following lines, changing example to your website’s name:

sh /etc/i2pd/tunnels.conf

## ...
[example]
type = http
host = 127.0.0.1
port = 80
keys = example.dat

To find the address you created to visit your website, go to your i2pd webconsole (127.0.0.1:7070), down to I2P tunnels, and under Server Tunnels you will see the b32.i2p address.

NGINX Server#

Edit nginx.conf in /etc/nginx/ and add:

nginx /etc/nginx/nginx.conf

server {
	listen 127.0.0.1:80;
    
	root /var/www/example;
	index index.html;

	location / {
		try_files $uri $uri/ =404;
	}
}

Then restart nginx:

$ doas rcctl restart nginx

This guide helped with most of Part I. ↩︎
The port package of i2pd helped with the required changes to the system, login.conf changes, and the RC script. ↩︎
All of the initial configuration came from this online guide. ↩︎