Allowing access to I2P router on the local LAN

[BlindTraveler]

I would like to access I2P router running on another device on my LAN.

Idea is to have older PC or Raspberry Pi or some cheap copy of it running all the time with i2pd router on it and then connect to i2p console and http/SAM tunnels with my main PC.

Question is how do I do the connection part.

There are some reddit posts on this topic titled:
Allowing access to I2P router on the local LAN _ i2p
https://old.reddit.com/r/i2p/comments/v ... ess_to_i2p

How can i access to my webconsole from m'y local network _ i2p
https://old.reddit.com/r/i2p/comments/r ... _access_to

How to access i2p console from lan_ _ i2p
https://old.reddit.com/r/i2p/comments/1 ... ess_i2p_co


1. suggestion is SSH:

ssh -L 7657:127.0.0.1:7657 user@192.168.x.x from the device you want to access the webconsole from, then just open
http://127.0.0.1:7657/ in your browser

I'm guessing I would just have to setup "user"(with password) on 192.168.x.x and I would have a secure/encrypted connection.
This looks like the easiest and most secure option.
I'm also guessing I could replicate this for the HTTP/HTTPS/SAM clients(ports).

2. suggestion is nginx:

setup nginx to forward all traffic to port 80 to 127.0.0.1:7657

Not sure what is this, ignoring it at the moment.

3. suggestion is this:

I2P+ / I2P: Locate the file clients.config.d/00-net.i2p.router.web.RouterConsoleRunner-clients.config
situated in your config directory and modify the line
clientApp.0.args=7657 127.0.0.1 -s 7667 127.0.0.1 ./webapps/ with your desired LAN address. You can add
multiple addresses separated by commas, and the -s argument enables https console access on the specified port (in this case
7667). e.g.
clientApp.0.args=7657 127.0.0.1,192.168.1.10 -s 7667 127.0.0.1,192.168.1.10 ./webapps/

So on what PC do I do this router/client, I would guess router. Is 192.168.1.10 client address? I'm just not sure how clientApp.0.args line works. Could someone clarify this or direct me to the right part of documentation?

How do I connect to router from client?
Suggestion 4 instructs http://your.lan.ip:port, but does that mean that all traffic flowing to router is unauthorized(anyone on my LAN can use my router) and without encryption(data on my LAN could be read by third party). While I would not say it's a problem for me(I hope) this looks very bad practice in general, especially when using wireless network.

i2pd: Locate your i2pd.conf file and under the [http] section modify the line address = 10.0.0.5 to suit

I don't know how to interpret this.

Docs say:
address IP address of an interface tunnel is connected to host from.

So I guess address = router.lan.ip
That is PC running router will have static address router.lan.ip and I will then put the line address = router.lan.ip on that same PC?


4. suggestion is this:

For the console, open the
~/.i2p/clients.config.d/00-net.i2p.router.web.RouterConsoleRunner-clients.config file in a text editor and
change the 127.0.0.1 to your LAN ip and restart the router.

This is same as in 3. suggestion.

For the http proxy, go to http://your.lan.ip:7657/i2ptunnelmgr and select "I2P HTTP Proxy". In the "Reachable by" drop-
down select your LAN ip. Then stop and start the tunnel again.

I will get to this part after I set up other stuff.


5. suggestion is this:
Setting Up an I2P Router on a Raspberry Pi : i2p
https://old.reddit.com/r/i2p/comments/z ... an_i2p_rou

Looks like suggestions 3 and 4, which I suspect to be insecure.

What does address = 0.0.0.0 mean?
https://en.wikipedia.org/wiki/0.0.0.0

When a program binds to 0.0.0.0, it accepts connections from localhost (127.0.0.1), LAN IPs (e.g., 192.168.x.x) and public IPs (if configured and firewall allows it),

So if I'm understanding this correctly, router will accept all connection and process them as localhost. That is me doing router.lan.ip:port from another PC will be same as localhost:port on that PC?

But because we setup firewall[5] 7070/tcp we can only use 7070 from other PC? Still it looks like anyone can use it and I'm not sure how big of a problem this could become.



If you can please clarify/correct the information above.
As mentioned for the final solution I would like to connect to i2p console and http/SAM tunnels with my main PC in a secure way. Can i2pd running on router PC do this and what is the recommended way?


Bonus questions:

1. If I were to buy "PC" to run i2pd router(almost explicitly) like Raspberry Pi what would you recommend and why? I'm guessing it would be something cheaper and less powerfully then the Raspberry Pi but I'm not sure.

2. This newly generated LAN traffic(~200kb/s) should be mostly inconsequential to the traffic that travels to internet/ISP(internet speed will stay same, well same as if I only used one PC as router and client)? I only have ISP router but I would assume it can handle more traffic then my ISP is allowing me to send on internet.

[anikey]

Sidenote: LAN already means "local"
Also, I'll refer to the computer that will run i2pd as the "remote computer"

== Access methods ==

1. The method with SSH
SSH (Secure Shell) is an encrypted protocol that allows you to have remote access to computers over the network (LAN/Internet).
It also allows you to "forward ports" from the remote computer to the local one (local forward) and vice versa (remote forward). In your case, you'll need the local forward. Basically this means that, while the SSH client is running with the local forward option, you'll be able to access services hosted on the remote computer, as if they were on the local one.

For this, you'll set up a user account (which is probably done by default anyway). Then, when logging in with SSH, you specify the option -L{PORT}:localhost:{PORT} (no spaces between colons), where "{PORT}" (you type that without the {}) is the port number you want to forward. If you want to forward multiple ports,

Security
I think by default SSH will allow you to log in with the account's password. In case you are sure that nobody else will access SSH, that's fine (but may be tiring to enter the password every time you connect to SSH).
Instead you can generate an SSH key on your client, and add it to the ~/.ssh/authorized_keys file on the remote computer. There are many tutorials online, but the gist of it is that you:
1. Generate SSH key on the local machine: ssh-keygen -t ed25519
You may also specify a passphrase to encrypt the private key with (you'll need to enter it every time you log in, or set up ssh-agent)
2. Open the generated public key file (not private key!!), located at ~/.ssh/id_ed25519.pub
The file should consist of one line, starting with ssh-ed25519 and then random letters, then probably your local username.
3. Log into the remote machine, and add the public key line into the authorized_keys file mentioned above. If the file does not exist, create it.
4. (Optional) Disable SSH password login - on the remote machine, open /etc/ssh/sshd_config and add the 2 lines (without quotes): "PasswordAuthentication no", "KbdInteractiveAuthentication no" (you may also find the commented lines and uncomment them instead, instead of typing them. just remove the "#" symbol in the beginning of each line).

Other than that, SSH is considered pretty secure and even if there is a mitm attack on the network, they won't be able to see the contents that you access over SSH. (But they'll be able to see the (not quite precise) amount of data exchanged, as well as the time of exchanges).

Which ports to forward
You may forward the ports related to the webconsole (if you need it), SAM, HTTP, SOCKS, whatever custom tunnels.
Note that i2pd's webconsole is by default on port 7070, not 7657

Caveats
If you lose the connection (e.g. you put the PC to sleep), the SSH connection may die, and then you'll need to reconnect. This also means losing active SAM sessions, if any.

2. The method with reverse proxying (nginx)
This is a bit overcomplicated, but instead of nginx you can use something simpler like the "socat" program. I'm not going to go into details. The next method will look the same on the client side, and have about the same security.

3/4/5. The method with changing listen IP address (0.0.0.0 or LAN IP)
Since you said you'll be running i2pd.
The tunnel settings of i2pd are spread across 2 files (i2pd.conf, tunnels.conf) and one optional folder (tunnels.conf.d or tunnels.d, i don't remember which one).
Webconsole, SAM, default HTTP and SOCKS proxy settings are in i2pd.conf. Any custom tunnels (including email, IRC) are in tunnels.conf or tunnels.d.

All of them have the "address" and "port" settings, which specify the address and port which i2pd will listen for connections on.
In the default config files, I think "address" is set everywhere to "127.0.0.1", which means it only accepts connections from the local computer.
If you want to open it up to the LAN, you have two options:
- change it to the LAN IP address of the remote computer
- change it to 0.0.0.0, which will make it listen on any network interface
These two options are the same if the remote computer is only connected to your LAN and not any other network simultaneously.

You can see the local IP address with the command "ip addr" (or "ip a" for short).

Security
Anyone on the network will be able to connect (unless you set up firewall rules, but that does not prevent an attacker from taking your PC's LAN IP address while it's powered off or sleeping). Moreover, the data is not encrypted on the LAN.

Sidenote. Each I2P "tunnel" (HTTP proxy, SOCKS proxy, custom entries in tunnels.conf and tunnels.d) is assigned a "destination address", which is usually displayed as a .b32.i2p address. These destination addresses are ephemeral by default, and change every time you restart i2pd or execute "Reload tunnels configuration" from router commands in the i2pd webconsole. These destinations are fundamental to communicating over i2p, and they are not associated with the real IP address. The destination address may be used, for example, to rate-limit services (so that you don't spam them) - this is actually used in the real world, or to cross-reference visitors between sites. The caveat here is that if multiple people use the same I2P HTTP proxy, they'll appear as the same person, and may create confusion and reduce anonymity,
If you want multiple separate HTTP proxies, you can create entries in tunnels.conf (or tunnels.d) with type=httpproxy, and specifying different port= numbers to distinguish them. Some you can expose to the LAN if you need.
END Sidenote.

==Tips and tricks==

Which computer
i2pd does not consume many resources, so i guess any recent pi will work. maybe even older computers.

Generated traffic
The speed of local network is not limited by your internet plan. It is only limited by the capabilities of the router and the devices (and the medium they use to send signals).

However, you should know that i2p also generates traffic to the internet. This happens when you use i2p, but also:
- exploratory processes -- this is a regular thing that the i2p router does, to learn new peers if i understand correctly
- building and testing tunnels -- this maintains built and working tunnels so that you can access resources
- transit tunnels -- this is also a regular thing, where other people relay i2p traffic through you (don't worry, you're not an "exit node"). This is useful both for you (cover traffic) and the network (more bandwidth for everyone)

If you have limited data / unstable connection and would rather not contribute to the network, you have the option to disable transit traffic going through you - set notransit=true in i2pd.conf - but that is not considered a good thing usually.

Wired connection
If possible, you should connect the remote computer to the router via ethernet. This will give more reliability and will pollute the wifi less (wifi has limited capacity). Be sure to use a non-broken cable. Check that you don't have packet loss by pinging an internet address (or an address on the LAN) - you should see an increasing number in "icmp_seq", without skipping any numbers, it should also print 0% packet loss at the end. You may also check the speed between devices on the LAN by using software such as iperf3.

Setting static IP for the remote computer
If you reboot it, by default it may change to a different IP address. To avoid this you have two options:

- on the remote computer, set the network setting to a fixed static IP address chosen by you, instead of DHCP. Be sure to pick an address within your LAN and so that it does not collide with other devices.

- ask the router to give your device the same IP every time -- you should be able to do that on the router admin page. You'll probably need to know the mac address of the remote computer, that is also provided in the output of the "ip addr" command.
This has the advantage of not worrying about IP address collisions - the router will know for sure that that address is already taken, and likely won't try to hand it out to other devices.

For the second method, note that connecting via WIFI and via Ethernet is usually considered as two separate devices (as they have different mac addresses).

Port forward on the router
That is not related to the SSH port forwarding.
You usually port forward on the router if you want to get more transit. This provides better connectivity with I2P.
Caveat: for this to be effective, your ISP needs to give you a real IP address, not behind a carrier-grade NAT. To check this, check the WAN address of the router in the admin page. If it matches the address given by any "what is my ip" internet service, you can do this. Otherwise there may not be much point.
Not going into details, you can either use UPNP (set an option in i2pd.conf) or port forward manually in the router admin page.
If you don't do that, the network status might say "Firewalled".

[BlindTraveler]

Thank you @anikey on confirmation and extra advice.
I think you didn't have to go in such detail on SSH but at least it now look more like a guide.