{"id":30272138,"url":"https://github.com/kn0sys/i2nix","last_synced_at":"2025-08-16T05:14:08.036Z","repository":{"id":309286399,"uuid":"1035702802","full_name":"kn0sys/i2nix","owner":"kn0sys","description":"[WIP] i2nix is a security-focused Linux operating system designed to route all network connections through the I2P anonymity network. It follows the isolation principles of Whonix®","archived":false,"fork":false,"pushed_at":"2025-08-11T01:41:26.000Z","size":1205,"stargazers_count":1,"open_issues_count":0,"forks_count":0,"subscribers_count":0,"default_branch":"main","last_synced_at":"2025-08-11T03:08:48.412Z","etag":null,"topics":["i2p","linux","privacy","security","whonix"],"latest_commit_sha":null,"homepage":"","language":null,"has_issues":true,"has_wiki":null,"has_pages":null,"mirror_url":null,"source_name":null,"license":"agpl-3.0","status":null,"scm":"git","pull_requests_enabled":true,"icon_url":"https://github.com/kn0sys.png","metadata":{"files":{"readme":"README.md","changelog":null,"contributing":null,"funding":null,"license":"LICENSE","code_of_conduct":null,"threat_model":null,"audit":null,"citation":null,"codeowners":null,"security":null,"support":null,"governance":null,"roadmap":null,"authors":null,"dei":null,"publiccode":null,"codemeta":null,"zenodo":null}},"created_at":"2025-08-11T00:39:11.000Z","updated_at":"2025-08-11T02:41:45.000Z","dependencies_parsed_at":"2025-08-11T03:09:00.920Z","dependency_job_id":"d3cc3c04-6aca-4f49-bec5-b5eed666032b","html_url":"https://github.com/kn0sys/i2nix","commit_stats":null,"previous_names":["kn0sys/i2nix"],"tags_count":null,"template":false,"template_full_name":null,"purl":"pkg:github/kn0sys/i2nix","repository_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/kn0sys%2Fi2nix","tags_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/kn0sys%2Fi2nix/tags","releases_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/kn0sys%2Fi2nix/releases","manifests_url":"https://repos.ecosyste
.ms/api/v1/hosts/GitHub/repositories/kn0sys%2Fi2nix/manifests","owner_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners/kn0sys","download_url":"https://codeload.github.com/kn0sys/i2nix/tar.gz/refs/heads/main","sbom_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/kn0sys%2Fi2nix/sbom","scorecard":null,"host":{"name":"GitHub","url":"https://github.com","kind":"github","repositories_count":270670063,"owners_count":24625444,"icon_url":"https://github.com/github.png","version":null,"created_at":"2022-05-30T11:31:42.601Z","updated_at":"2022-07-04T15:15:14.044Z","status":"online","status_checked_at":"2025-08-16T02:00:11.002Z","response_time":91,"last_error":null,"robots_txt_status":"success","robots_txt_updated_at":"2025-07-24T06:49:26.215Z","robots_txt_url":"https://github.com/robots.txt","online":true,"can_crawl_api":true,"host_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub","repositories_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories","repository_names_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repository_names","owners_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners"}},"keywords":["i2p","linux","privacy","security","whonix"],"created_at":"2025-08-16T05:14:06.202Z","updated_at":"2025-08-16T05:14:08.028Z","avatar_url":"https://github.com/kn0sys.png","language":null,"funding_links":[],"categories":[],"sub_categories":[],"readme":"![i2nix](i2nix.png) \n\n# i2nix: Reproducible Build Guide\n**Version 1.0 (2025-08-10)**\n\n## 1. Introduction\ni2nix is a security-focused Linux operating system designed to route all network connections through the I2P anonymity network. 
It follows the isolation principles of Whonix®, using a two-part virtual machine design:\n\n* **i2nix-gateway**: A dedicated virtual machine that acts as a network router, forcing all traffic through I2P.\n* **i2nix-workstation**: A completely isolated virtual machine for user applications, which can only connect to the internet via the Gateway.\n\nThis guide provides the steps to build both components from scratch for a truly reproducible and transparent system.\n\n### Prerequisites\n* A Linux host machine with KVM/QEMU and `virt-manager` installed.\n* A Debian net-installer ISO (e.g., `debian-12-netinst.iso`).\n* Basic familiarity with the Linux command line and `virt-manager`.\n\n## 2. Building the i2nix-gateway\n\n### Step 2.1: Base System Installation\n1.  Create a new VM in `virt-manager`.\n2.  During the Debian installation:\n    * **Software selection**: Deselect all options except for **\"standard system utilities\"** and **\"SSH server\"**.\n    * **Partitioning**: Standard is fine. Encrypted LVM is recommended.\n\n### Step 2.2: Network Configuration\n1.  Shut down the VM after installation. In `virt-manager`, configure two network adapters:\n    * **Adapter 1 (External)**: Set to your default NAT or Bridged network. This is for I2P to connect to the internet.\n    * **Adapter 2 (Internal)**: Create a new virtual network. Name it `i2nix` and set it to \"Isolated network\".\n2.  
(Optional: run the [gateway-setup.sh](https://github.com/kn0sys/i2nix/blob/main/gateway-setup.sh) and proceed to Workstation setup) Start the VM and configure `/etc/network/interfaces`:\n\n    ```bash\n    # /etc/network/interfaces\n    source /etc/network/interfaces.d/*\n\n    auto lo\n    iface lo inet loopback\n\n    # External interface (e.g., enp1s0)\n    allow-hotplug enp1s0\n    iface enp1s0 inet dhcp\n\n    # Internal interface for i2nix-workstation (e.g., enp7s0)\n    auto enp7s0\n    iface enp7s0 inet static\n        address 10.152.152.10\n        netmask 255.255.255.0\n    ```\n\n### Step 2.3: I2P Installation\n1.  Add the I2P repository:\n    ```bash\n    sudo apt-get update\n    sudo apt-get install apt-transport-https curl gpg\n    curl -o /tmp/i2p-repo-key.asc https://geti2p.net/_static/i2p-archive-keyring.gpg\n    sudo gpg --dearmor -o /usr/share/keyrings/i2p-archive-keyring.gpg /tmp/i2p-repo-key.asc\n    echo \"deb [signed-by=/usr/share/keyrings/i2p-archive-keyring.gpg] https://deb.i2p.net/ $(lsb_release -sc) main\" | sudo tee /etc/apt/sources.list.d/i2p.list\n    ```\n2.  Install and enable the I2P service:\n    ```bash\n    sudo apt-get update\n    sudo apt-get install i2p i2p-keyring\n    sudo systemctl enable i2p\n    sudo systemctl start i2p\n    ```\n\n### Step 2.4: Firewall \u0026 Transparent Proxying\n1.  **Configure I2P HTTP Proxy Tunnel**:\n    * Using a text-based browser on the Gateway (e.g., `w3m`), navigate to the router console at `http://127.0.0.1:7657`.\n    * Go to **\"Hidden Service Manager\"**.\n    * Modify the **\"HTTP Proxy\"** client tunnel with these settings:\n        * **Interface**: `10.152.152.10`\n        * **Port**: `4444`\n\n2.  
**Configure I2P SOCKS Proxy Tunnel**:\n    * Using a text-based browser on the Gateway (e.g., `w3m`), navigate to the router console at `http://127.0.0.1:7657`.\n    * Create a new **\"SOCKS 4/4a/5\"** client tunnel with these settings:\n        * **Name**: `i2nix-transproxy`\n        * **Interface**: `10.152.152.10`\n        * **Port**: `7667`\n        * **Outproxies**: `outproxy.acetone.i2p` (or another reliable outproxy)\n        * Enable **\"Auto Start\"**.\n    * Save and start the new tunnel.\n\n3.  **Apply Firewall Rules**:\n    * Install the persistence tool: `sudo apt-get install iptables-persistent`.\n    * Create a script `firewall-setup.sh` with the following content and run it with `sudo bash firewall-setup.sh`.\n\n    ```bash\n    #!/bin/bash\n    I2NIX_WORKSTATION=\"10.152.152.11\"\n    GATEWAY_INTERNAL_IP=\"10.152.152.10\"\n    INTERNAL_INTERFACE=\"enp7s0\" # CHANGE IF YOURS IS DIFFERENT\n    I2P_DNS_PORT=\"7653\"\n    I2P_TRANS_PORT=\"7667\"\n\n    # Flush old rules (filter and nat tables, so re-running does not stack duplicate redirects)\n    iptables --flush\n    iptables --delete-chain\n    iptables -t nat --flush\n    iptables --policy FORWARD DROP\n\n    # NAT Table: Redirect traffic\n    # DNS\n    iptables -t nat -A PREROUTING -i $INTERNAL_INTERFACE -p udp --dport 53 -j DNAT --to-destination $GATEWAY_INTERNAL_IP:$I2P_DNS_PORT\n    iptables -t nat -A PREROUTING -i $INTERNAL_INTERFACE -p tcp --dport 53 -j DNAT --to-destination $GATEWAY_INTERNAL_IP:$I2P_DNS_PORT\n    # All other TCP\n    iptables -t nat -A PREROUTING -i $INTERNAL_INTERFACE -p tcp --syn -j DNAT --to-destination $GATEWAY_INTERNAL_IP:$I2P_TRANS_PORT\n\n    # Filter Table: Permit forwarding of redirected traffic\n    iptables -A FORWARD -i $INTERNAL_INTERFACE -d $GATEWAY_INTERNAL_IP -p tcp --dport $I2P_TRANS_PORT -m state --state NEW -j ACCEPT\n    iptables -A FORWARD -i $INTERNAL_INTERFACE -d $GATEWAY_INTERNAL_IP -p tcp --dport $I2P_DNS_PORT -m state --state NEW -j ACCEPT\n    iptables -A FORWARD -i $INTERNAL_INTERFACE -d $GATEWAY_INTERNAL_IP -p udp --dport $I2P_DNS_PORT -m 
state --state NEW -j ACCEPT\n    iptables -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT\n\n    # Save rules\n    netfilter-persistent save\n    echo \"Gateway firewall applied.\"\n    ```\n\n## 3. Building the i2nix-workstation\n\n### Step 3.1: Base System Installation\n1.  Create a new VM in `virt-manager`.\n2.  During the Debian installation:\n    * **Software selection**: Select **\"XFCE\"** (or another desktop environment) and **\"standard system utilities\"**.\n\n### Step 3.2: Network Configuration\n1.  Shut down the VM. In `virt-manager`, configure a **single** network adapter set to the isolated `i2nix` virtual network.\n2.  (Optional: run the [workstation-setup.sh](https://github.com/kn0sys/i2nix/blob/main/workstation-setup.sh) and test Librewolf) Start the VM and configure a static IP.\n    * Edit `/etc/network/interfaces`:\n        ```bash\n        # /etc/network/interfaces\n        auto enp1s0\n        iface enp1s0 inet static\n            address 10.152.152.11\n            netmask 255.255.255.0\n            gateway 10.152.152.10\n        ```\n    * Set the DNS server in `/etc/resolv.conf`:\n        ```\n        nameserver 10.152.152.10\n        ```\n### Step 3.3: Connection Test\n1.  `ping 10.152.152.10` -\u003e **Should PASS**.\n2.  `ping 8.8.8.8` -\u003e **Should FAIL**.\n3.  `wget stats.i2p` -\u003e **Should SUCCEED** and return HTML.\n\n## 4. Hardening the i2nix-workstation\n\n### Step 4.1: Browser Hardening (LibreWolf)\n1.  **On the Gateway**, download the LibreWolf GPG key and `.deb` package. (`https://download.opensuse.org/repositories/home:/bgstack15:/aftermozilla...`)\n2.  **Transfer** these files to the Workstation (e.g., via a temporary shared folder).\n3.  
**On the Workstation**, install the files:\n    ```bash\n    # Move key to correct location\n    sudo gpg --dearmor -o /usr/share/keyrings/librewolf.gpg keyring.gpg\n    # Install package (this will likely fail on dependencies)\n    sudo dpkg -i librewolf_*.deb\n    # Fix broken dependencies, which downloads them through I2P\n    sudo apt-get -f install\n    ```\n4.  **In LibreWolf `about:config`**, set the following to `true`:\n    * `privacy.resistFingerprinting`\n    * `webgl.disabled`\n    * `privacy.firstparty.isolate`\n    * `network.proxy.socks_remote_dns`\n5.  **In LibreWolf Network Settings**, configure manual proxy:\n    * **HTTP Host**: `10.152.152.10`, **Port**: `4444`\n    * **SOCKS Host**: `10.152.152.10`, **Port**: `7667`\n    * Select **SOCKS v5**.\n    * Check **\"Proxy DNS when using SOCKS v5\"**.\n\n### Step 4.2: Application Sandboxing (Firejail)\n1.  Install Firejail: `sudo apt install firejail firejail-profiles`.\n2.  Copy the LibreWolf launcher: `cp /usr/share/applications/librewolf.desktop ~/.local/share/applications/`.\n3.  Edit `~/.local/share/applications/librewolf.desktop` and change the `Exec` line:\n    * **From**: `Exec=librewolf %u`\n    * **To**: `Exec=firejail librewolf %u`\n\n### Step 4.3: Kernel Hardening\n1.  Create `/etc/sysctl.d/99-i2nix-hardening.conf`:\n    ```ini\n    kernel.kptr_restrict=2\n    kernel.dmesg_restrict=1\n    kernel.unprivileged_userns_clone=0\n    kernel.unprivileged_bpf_disabled=1\n    net.ipv4.tcp_syncookies=1\n    net.ipv4.icmp_echo_ignore_broadcasts=1\n    ```\n2.  Apply settings: `sudo sysctl --system`.\n\n---\n*This guide provides the steps to create a functional i2nix system. Further security hardening is always encouraged.*\n","project_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fkn0sys%2Fi2nix","html_url":"https://awesome.ecosyste.ms/projects/github.com%2Fkn0sys%2Fi2nix","lists_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fkn0sys%2Fi2nix/lists"}