FYI: This is a work in progress and is not currently working correctly. Let me know if you see where I have gone wrong.
Whonix + I2P
Take control of your online privacy and security with this comprehensive guide to integrating Whonix and I2P. Learn how to set up a VirtualBox environment that leverages the two-VM architecture of Whonix—Whonix Gateway and Whonix Workstation—for optimized routing through the Tor network. Discover how the Invisible Internet Project (I2P) can provide a complementary layer of anonymity with features like garlic routing and specialized services.
Step-by-step instructions for installation, initial configurations, and optional security enhancements like disk encryption are included. The guide also covers how to install the LibreWolf browser for seamless I2P integration. This post is ideal for anyone interested in network privacy, from novices to seasoned veterans. Whether you're an activist, journalist, or simply a privacy-conscious individual, this guide will equip you with the tools and knowledge you need for a more anonymous and secure online experience.
Overview of Whonix
Whonix is an open-source operating system designed for enhanced security and privacy. It is based on the Debian GNU/Linux distribution and aims to provide anonymity, privacy, and security. Whonix uses a two-part system made up of two virtual machines (VMs): the "Workstation" and the "Gateway."
Whonix Gateway: All network traffic is routed through this VM, which itself is configured to direct traffic through the Tor network. This ensures that your real IP address is never exposed, making it more difficult to trace your activities.
Whonix Workstation: This is an isolated environment where you can carry out your tasks—browsing, working, etc. It only communicates through the Whonix Gateway, meaning your activities are protected by the layers of anonymity and encryption provided by Tor.
How Whonix is used in VirtualBox
VirtualBox is a general-purpose full virtualizer for x86 hardware, targeted at server, desktop, and embedded use. Whonix can be installed on VirtualBox by setting up two different VM instances for the Whonix Gateway and Whonix Workstation.
Download Whonix Images: You first download the Whonix Gateway and Whonix Workstation OVA (Open Virtualization Archive) files from the official Whonix website.
Import into VirtualBox: You then import these OVA files into VirtualBox. This sets up pre-configured VMs for both the Gateway and the Workstation.
Initial Setup: After the VMs are imported, you power them up and follow the on-screen instructions to complete the initial setup.
Network Configuration: The Whonix Gateway will automatically be set up to route traffic through Tor. Your Whonix Workstation will be configured to route its internet traffic through the Whonix Gateway.
Usage: You do all your work within the Whonix Workstation for enhanced security and privacy. The Gateway will be doing all the heavy lifting related to the network traffic, so you don't need to interact with it much during regular use.
Why You Should Use It
Anonymity: Whonix routes all your internet traffic through the Tor network, making it extremely difficult to trace back to you.
Isolation: The two-VM setup effectively isolates the Workstation from the Gateway, adding an additional layer of security. Even if your Workstation is compromised, an attacker cannot easily find your real IP address, as the Gateway controls all network traffic.
No DNS Leaks: The Whonix Gateway ensures that DNS requests are also sent through the Tor network, preventing DNS leaks which could compromise your privacy.
Streamlined Setup: Whonix offers an easy-to-setup, pre-configured environment, making it accessible even for users who are not technically savvy.
Cross-Platform: Whonix can be used in conjunction with VirtualBox on a variety of host operating systems, including Windows, macOS, and Linux, offering flexibility and freedom of choice.
Open Source: Being open source, you (or anyone with the technical know-how) can inspect, modify, and audit Whonix's code, ensuring that there are no hidden backdoors or vulnerabilities.
Whonix is particularly useful for journalists, activists, and anyone who requires high levels of anonymity and privacy online. However, keep in mind that while Whonix adds layers of security and privacy, no system can be 100% foolproof. Always keep your software up to date and be cautious of your online activities.
What is I2P?
The Invisible Internet Project (I2P) is a network layer that allows for peer-to-peer communication, distinct from the more commonly used Tor network. While Tor is optimized for anonymous access to the open internet (clearnet) and offers onion services as a secondary feature, I2P was designed primarily for creating a darknet—encrypted, private, and anonymous networks. Here are some reasons why integrating I2P with Whonix could be advantageous:
Enhanced Anonymity and Privacy
Different Network Topology: I2P uses a decentralized network model, compared to Tor's more centralized directory-based approach. This can offer additional protection against certain types of network analysis attacks.
Garlic Routing: While Tor uses onion routing, I2P uses garlic routing, which bundles multiple messages together. This makes it more difficult to conduct traffic analysis, thereby potentially offering better anonymity for certain types of activities.
Complementary Features
Eepsites: These are websites hosted on the I2P network, similar to Tor’s onion services. However, eepsites are designed to be faster and more secure within the I2P network.
Specialized Services: I2P has been designed to facilitate various types of services, such as file sharing, email, and even a decentralized Twitter clone. Integrating I2P with Whonix could offer you a broader range of anonymous services to use.
Network Diversity
Redundancy: Using both Tor and I2P provides more network routes for data transmission, which can be a fail-safe in case one of the services faces an outage or is compromised.
Choice in Anonymity Network: Some users prefer I2P for certain activities and Tor for others. Having both installed gives you the flexibility to choose the network that's best suited for your specific needs at any given time.
Strengthening Weaknesses
Exit Nodes vs No Exit Nodes: In Tor, the exit node can be a point of vulnerability, as traffic exits the Tor network and enters the clearnet. I2P doesn’t usually interact with the clearnet, so this risk is diminished, although it's somewhat limited to its own network.
Synergy: Both networks have their own sets of strengths and weaknesses. Using them in conjunction can help to mitigate the risks associated with using either network alone.
Increased Adoption and Awareness
Educational Benefit: Those who start using I2P because of its integration in Whonix might also become more interested in the larger topics of privacy and anonymity, thereby contributing to the community or becoming activists in their own right.
Community Support: With more users on both networks, you get more relays and more data traffic, which generally increases the anonymity set and makes the networks more robust against attacks.
While adding I2P to Whonix can offer enhanced features and additional layers of security, it could also add complexity and require more system resources. Therefore, it's essential to weigh these considerations based on your specific needs.
Ok lets get started.
Installing Whonix
Installing Whonix using VirtualBox involves several key steps. I'll also include information on changing the default password for the Whonix user and encrypting the virtual disk for added security. Keep in mind that the steps may vary depending on your operating system and the versions of software you're using.
Step 1: Download and Install VirtualBox
Visit the VirtualBox download page: Navigate to VirtualBox's download page and download the appropriate version for your operating system.
Install VirtualBox: Run the downloaded executable and follow the on-screen instructions to install VirtualBox.
Step 2: Download Whonix
Visit the Whonix download page: Navigate to Whonix's download page.
Download Whonix VirtualBox Images: Look for the VirtualBox images and download both the Gateway and Workstation files.
Step 3: Import Whonix to VirtualBox
Open VirtualBox.
Import Whonix Images: Go to
File > Import Appliance
and then browse to the location where you downloaded the Whonix.ova
files. Import both the Gateway and Workstation images one after the other.
Step 4: Initial Configuration
Start Whonix-Gateway: In VirtualBox, select Whonix-Gateway and click the "Start" button (shaped like a green arrow).
Initial Setup: Follow the initial setup wizard to complete the Gateway setup. Do the same for the Workstation.
Update Whonix: The default Whonix user password is "changeme". Open a terminal in both the Gateway and Workstation VMs and run:
sudo apt update && sudo apt upgrade
Step 5: Change Default Password
Open Terminal: On both the Gateway and Workstation, open a terminal window.
Change Password: Run the
passwd
command and follow the prompts to change the user password.passwd
Step 6: Encrypt the Virtual Disk
Encrypt Using VirtualBox
Shutdown Whonix VMs: Make sure both the Whonix-Gateway and Whonix-Workstation VMs are powered off.
Open VirtualBox main window, right-click on the Whonix VM, and select
Settings
.Navigate to
General
>Encryption
: Enable encryption and set a strong password.
Note: You may also need to download and install Virtual Box Extension Pack before you can encrypt the virtual disk.
Step 7: Verify Installation and Security Measures
Boot up both VMs: Make sure both the Whonix-Gateway and Whonix-Workstation VMs can boot up successfully.
Check Password: Make sure the new password is required when using
sudo
or logging in.Check Disk Encryption: Verify that disk encryption is operational and that a password is required at boot (if you've chosen to encrypt within Whonix).
Congratulations, you should now have a VirtualBox setup running Whonix with enhanced security features. Always make sure to keep all software up to date and to read the latest security advice relevant to your needs.
Installing i2p
Below is a complete guide on how to install and configure I2P within a Whonix-Workstation, including the installation of LibreWolf and setting the I2P service to start at boot. This guide assumes that you have already set up Whonix with both the Gateway and Workstation VMs operational.
Step 1: Prepare the Whonix-Workstation
Start your Whonix-Workstation VM.
Open a terminal window to execute commands.
Step 2: Install LibreWolf Browser
The Tor Browser that comes pre-installed on Whonix-Workstation blocks localhost access, so it's recommended to install a different browser for I2P configuration.
Main Debian Repository#
We have a Debian repository with which you can easily install and update LibreWolf. To add it to your system and install LibreWolf, run the following commands one by one:
sudo apt update && sudo apt install -y wget gnupg lsb-release apt-transport-https ca-certificates distro=$(if echo " una bookworm vanessa focal jammy bullseye vera uma " | grep -q " $(lsb_release -sc) "; then echo $(lsb_release -sc); else echo focal; fi) wget -O- https://deb.librewolf.net/keyring.gpg | sudo gpg --dearmor -o /usr/share/keyrings/librewolf.gpg sudo tee /etc/apt/sources.list.d/librewolf.sources << EOF > /dev/null Types: deb URIs: https://deb.librewolf.net Suites: $distro Components: main Architectures: amd64 Signed-By: /usr/share/keyrings/librewolf.gpg EOF sudo apt update sudo apt install librewolf -y
Step 3: Install I2P
Prerequisites
- Make sure you have root access. You can get root access by switching to the root user with
su
or by prefixing each command withsudo
.
Step-by-Step Guide
Update Package List
sudo apt-get update
Install Required Packages
sudo apt-get install apt-transport-https lsb-release curl
Add I2P Repository to Sources List
echo "deb [signed-by=/usr/share/keyrings/i2p-archive-keyring.gpg] https://deb.i2p2.de/ $(lsb_release -sc) main" | sudo tee /etc/apt/sources.list.d/i2p.list
Download I2P Repository Signing Key
curl -o i2p-archive-keyring.gpg https://geti2p.net/_static/i2p-archive-keyring.gpg
Display Key Fingerprint
gpg --keyid-format long --import --import-options show-only --with-fingerprint i2p-archive-keyring.gpg
Verify Key Fingerprint
Make sure the displayed key fingerprint matches7840 E761 0F28 B904 7535 49D7 67EC E560 5BCF 1346
.Move the Keyring
sudo cp i2p-archive-keyring.gpg /usr/share/keyrings
Symlink the Keyring (Only for Older Distributions)
sudo ln -sf /usr/share/keyrings/i2p-archive-keyring.gpg /etc/apt/trusted.gpg.d/i2p-archive-keyring.gpg
Update Package List Again
sudo apt-get update
Install I2P and Keyring Package
sudo apt-get install i2p i2p-keyring
After following these steps, I2P should now be installed on your system. You can proceed to configure and start using I2P.
Remember to exercise caution when configuring I2P on a Whonix system to ensure that you maintain the desired levels of privacy and security.
Using these I2P packages the I2P router can be started in the following three ways: "on demand" using the i2prouter script.
Simply run
i2prouter start
from a command prompt.
Note: Do not use sudo or run it as root!
"on demand" without the java service wrapper (needed on non-Linux/non-x86 systems) by running
i2prouter-nowrapper
Note: Do not use sudo or run it as root!
To run I2P automatically runs when your system boots, even before logging in. The service can be enabled with
sudo dpkg-reconfigure i2p
This is the recommended means of operation.
When installing for the first time, please remember to adjust your NAT/firewall if you can. The ports to forward can be found on the network configuration page in the router console. If guidance with respect to forwarding ports is needed, you may find portforward.com to be helpful.
Please review and adjust the bandwidth settings on the configuration page, as the default settings of 96 KB/s down / 40 KB/s up are fairly conservative.
If you want to reach I2P Sites via your browser, have a look on the browser proxy setup page for an easy howto.
Post-install work
Additional Security Considerations
- Always keep your software up to date.
- Read the documentation for Whonix and I2P to stay updated on best practices for anonymity and security.
And that's it! You should now have I2P installed and configured on your Whonix-Workstation, complete with the LibreWolf browser and a systemd service that starts I2P at boot.
Make sure to use I2P exclusively for navigating within the I2P network; this is why we needed a separate browser like LibreWoulf. I2P is not intended for browsing the regular internet. For that, rely on the standard TOR browser in Whonix. To enhance your security, enable PGP-based two-factor authentication for any website you access. I may make another blog post about this. Lastly, it's highly recommended to utilize the KeePass password manager for managing credentials for all the websites you visit and services you register for.
It may take up to a few hours for the I2P tunnel connections to be built. Please give it some time. Once it does, you can use this tutorial to create an anonymous email address for use within I2P as well as the clearnet.
I do also plan to write another post on how to secure clearnet emails with PGP encryption from within Thunderbird on Whonix over I2P.
Stay tuned.
Adam Malin
You can find me on Twitter or on Nostr at
npub15jnttpymeytm80hatjqcvhhqhzrhx6gxp8pq0wn93rhnu8s9h9dsha32lx
You can view and write comments on this or any other post by using the Satcom browser extention.
value4value Did you find any value from this article? Click here to send me a tip!