I2P RELAY

======================================================================================================================================
						        						e01 @AccessPwned 2018
======================================================================================================================================
														 SETUP AN I2P RELAY

I2P is a great network, but like any other decentralized system it relies on a diverse set of actors to operate resiliently. For example, if it ran on ten servers, six of which were controlled by [insert government agency here], then it wouldn't be very secure. Thus, one of the easiest, best ways that you can help support I2P is to run your own high-bandwidth node on a VPS (Virtual Private Server). While running a node at home definitely helps, slow residential internet speeds and unstable desktop computers put a cap on just how helpful the node can be to the network. Using a VPS with a gigabit connection on the other hand adds significantly to the speed, capacity, and robustness of the network.

In fact, not only does running I2P on a VPS benefit the network, it can also function as a reliable I2P portal that you can connect to from anywhere. For example, if you boot up your laptop in a coffee shop and want to get onto I2P without waiting ten minutes to build enough tunnels, you can instead just connect your laptop to your VPS and get online instantly*.

This tutorial will teach you how to set up a fairly secure server on Digital Ocean that functions as a high-bandwidth router on the I2P network. Of course, you can chose whatever hosting provider you like, but Digital Ocean is my favorite, and signing up through This referral link will give you a $10 credit for free, enough to run the server for two months. It also gives me a small kickback, which helps keep ads off the site (once you spend $25, I get $25 myself).

*There are some cons to this as well, primarily that the hosting provider could watch what you're doing. But for low risk activities, like chatting on IRC, it shouldn't be an issue.
Server Setup

If you've read my Owncloud setup guide, most of the steps here will be quite similar, though slightly different this time around. Also, if you're using another hosting provider you should probably just skip this part as it's fairly specific to Digital Ocean.

The first step of course is to sign up for Digital Ocean if you don't already have an account, and then to create a new droplet. I called my droplet 'i2prouter', and selected the $5 per month option, which will give you 1TB of bandwidth out to the network. I also selected the London data-center. I've set up around ten I2P routers recently and found London to be one of the fastest. Next, select which operating system you want to run (this guide is based on Debian 7). Lastly, we're going to upload our own SSH key, rather than use a password. This makes the server significantly more secure and faster to log into. If you're on Windows, then give this guide a read. Linux users who don't already have an SSH key can simply type into the terminal:


ssh-keygen -t rsa

Issuing this command will ask a few questions, which you can simply mash enter through, before generating a SSH keypair. We'll need to copy and paste the public key into the droplet creation page, so if you saved your key in the default location simply type:


cat ~/.ssh/id_rsa.pub

Copy and paste the contents of this into the 'Add SSH Key' field on Digital Ocean, and then create the droplet. Once the droplet has been created, write down its IP address and go back to your terminal to SSH into it:


ssh root@[Enter IP Address Here]

Now that we're connected to the server we're going to change a few things so that it doesn't become the property of Russians in 3 hours. First, we'll make a new user called i2p (you can name it whatever you want, but throughout this tutorial I'll reference it as i2p):


adduser i2p

Give it a fairly strong password, then skip through the name and number fields. We now need to give this user some higher level privileges through sudo:


visudo

Add a line so that it looks like this, of course replacing the 'i2p' with whatever username you chose:


root    ALL=(ALL:ALL) ALL

i2p     ALL=(ALL:ALL) ALL

What we've just done is given the user i2p the ability to execute commands as if it were the root user by simply typing sudo before the command. Using sudo instead of root has a number of benefits, especially when it comes to auditing and permission limiting. We're allowing it to execute any commands right now, but we'll lock it down later so that it is a bit more secure. The last thing we'll do before logging out and back in as the new user we've created is give root a password:


passwd root

Give root a very strong password, then issue the following commands, which will log out, copy your SSH key to the new user you just created, and then log back in as that user:


exit

ssh-copy-id i2p@[Enter IP Address Here]

ssh i2p@[Enter IP Address Here]

Next, we'll upgrade the system and install some new software:


sudo apt-get update && apt-get upgrade -y

sudo apt-get install ufw fail2ban -y

Now we need to edit the SSH settings:


sudo nano /etc/ssh/sshd_config

Within this text file we're going to change the SSH port to something random like 3451, change PermitRootLogin to no, and change PasswordAuthentication to no:


Port [Enter Random Port Here]

PermitRootLogin no

PasswordAuthentication no

Close and save this by hitting Control+X, then Y, then enter, making sure to take note of the new port number you just gave. Now we need to reload the SSH configuration that we just changed:


sudo service ssh reload

Because we just changed the port for SSH, the next time you log in you'll need to add "-p [port number here]" to the end of the ssh command.

The two programs we installed back when we upgraded the system were ufw and fail2ban, and now we need to set them up. UFW is a program which makes setting up firewalls extremely easy. All you need to do is execute these commands, making sure that you enter the correct ssh port, otherwise you'll be locked out!


sudo ufw allow [Enter SSH Port Here]

sudo ufw default deny

sudo ufw enable

Now that the firewall is set up, we're going to set up fail2ban so that if anyone does find the right SSH port they'll get locked out after making a few failed attempts, so pump this into your terminal:


sudo cp /etc/fail2ban/jail.conf /etc/fail2ban/jail.local

sudo service fail2ban restart

Installing I2P

If you've gotten this far, you've got a 'secure-enough' platform that you can now install I2P on. The easiest way to do this is to add the I2P repository, by editing your sources file and copying and pasting a couple of lines into it:


sudo nano /etc/apt/sources.list

Now add these lines to the bottom:


deb http://deb.i2p2.no/ stable main

deb-src http://deb.i2p2.no/ stable main

Exit out of that, then download the keyring, update your sources, and install I2P with these commands:


wget https://geti2p.net/_static/i2p-debian-repo.key.asc

sudo apt-key add i2p-debian-repo.key.asc

sudo apt-get update

sudo apt-get install i2p i2p-keyring -y

sudo dpkg-reconfigure i2p

You'll get a question asking if you want to start I2P at boot, as well as how much RAM you want to give. I set it to start at boot, and gave it 400Mb.

If you've gotten to this point, you now have I2P installed! But you've still got a little bit more to go!
Configuring I2P

There's still a few things that we need to tweak to get I2P fully up and running. The first thing we're going to do is type 'exit' into the terminal, before reconnecting, but this time slightly differently:


ssh -L 7657:127.0.0.1:7657 i2p@[Enter IP Address Here] -p [Enter SSH Port Here]

What this command has just done, other than log you into the server, is forward the 7657 port on your computer to 7657 on the server. This means that if you pump the following link into your browser, you'll be connected to the I2P web interface on the server:


http://127.0.0.1:7657/config

The first thing we'll change here is the bandwidth, setting it to 400KBps, sharing 100% of it. This equates to just over your 1TB limit on the $5 droplet (if you chose a larger droplet size, you may want to raise this).

Now we'll go to the Network tab and write down the default port that's been set. We're going to need to add a firewall for this a bit later.

Navigate to the Tunnels tab, and set the exploratory tunnel length, quantity, and backup quantity all to their maximum. This will integrate your router more quickly into the network. Setting up tunnels is quite expensive on the CPU, so you might want to lower this later once your router is fairly integrated and pushing a high bandwidth, but I find it helps integrate the router quickly on initial setup. It will be a good idea to write down the default settings before changing them so that you can revert later.

Last but not least is to add that firewall rule to make I2P accessible. Go back to your terminal and add a UFW rule for the port you noted previously:


sudo ufw allow [Enter I2P Port Here]

And that's pretty much it. I2P should be up and running, and after a few minutes the console page should read 'Network: OK' on the left hand side.
Loose Ends

There's still one loose end we need to tie, and that's sudo permissions. Right now your i2p user is allowed to do anything, and we want to tighten this up a bit.


sudo visudo

Now you want to change where it says 'i2p ALL=(ALL:ALL) ALL' to:


i2p	ALL=(ALL:ALL) /usr/sbin/service i2p *, /usr/bin/apt-get

What we've just done is allow the i2p user to install or update software, and start/stop/restart the i2p service. Other than that they're all locked down. If you ever want to change this you'll have to log in as root and update the permissions again. But for now, let's get out of here:


exit

You're Done.

That's pretty much it. It will take a few days for the bandwidth to start creeping up, but you've now got a high bandwidth router contributing to the I2P network. Remember to log into it every once in a while to update the system. Other than that though, it should be fairly set-and-forget.