• IIP someone?

    From yeti <yeti@tilde.institute> to tilde.meta on Sun Nov 24 02:58:22 2024
    I'm currently meandering mostly "planless" around in IIP/I2P:

    + SSH, the most important thing I need as hidden service, was absolutely
    no problem. One server tunnel definition on each server side and
    client tunnels for each system to map this to local ports is the way
    it is mentioned somewhere in the examples.

    I have a lot of targets, so I thought using I2P's Socks5 proxy port
    makes more sense. To avoid having to memorise the ports and those
    long `*.b32.i2p` addresses I would put some definitions into my SSH
    config anyway, so an additional line defining the proxy command won't
    hurt.

    Registering short names with <http://reg.i2p> can be done, but I do
    not think that every private SSH service backdoor needs a publicly
    visible name.

    + HTTP was just as easy when reading the examples. Here several I2P
    guinea pigs have web servers running, two of them got nicer, shorter
    addresses.

    + Mail via a free SMTP/POP server in I2P is possible. I registered
    there and am experimenting with how to wire this into my mail
    environment. Sending something to <yeti@i2pmail.org> will land in that
    pop box, but while I'm only experimenting, I won't check it frequently.

    The SMTP and POP ports of that server typically get tunnelled to local
    ports, but I hope to later find a way to wire that up via I2PD's
    Socks5 proxy port too.

    - Running own mail servers sure would be more fun, but I'm not there
    yet.

    On ~institute:
    ------------------------------------------------------------------------
    $ date | mail -s 'i2p test' yeti@i2pmail.org
    ------------------------------------------------------------------------

    Mail pulled from <pop.postman.i2p>:
    ------------------------------------------------------------------------
    Return-Path: <yeti@tilde.institute>
    Delivered-To: yeti@mail.i2p
    X-Mailer: smtp.postman.i2p - Official I2P Mailer
    From: <yeti@tilde.institute>
    To: yeti@mail.i2p
    Subject: i2p test
    X-Spam-Score: -5.6 (-----)
    X-Virus-Scanned: clamav-milter 0.103.X on milter.postman.i2p
    Message-Id: <20241124013123.067677C07DB@smtp.postman.i2p>
    Date: Sun, 24 Nov 2024 01:31:23 +0000 (UTC)

    Sun Nov 24 01:31:15 UTC 2024
    ------------------------------------------------------------------------


    TL;DR:

    So if/when I'll drop Tor because of my Rust-allergy, I probably have an alternative for my SSH backdoors via I2P. The rest is just optional
    candy atop that, but really smells like including a lot of bonus fun.
    \o/
    --
    1. Hitchhiker 5: (101) "You just come along with me and have a good
    time. The Galaxy's a fun place. You'll need to have this fish in your
    ear."
    --- Synchronet 3.19b-Linux NewsLink 1.113
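The "one ProxyCommand line in the SSH config" approach yeti describes above, written out as an added example; this is not code from the post. It assumes i2pd's SOCKS5 proxy on its default 127.0.0.1:4447, an OpenBSD-style netcat that understands `-X 5 -x`, and constructed placeholder aliases and `.b32.i2p` addresses (no real hosts). The functions `is_b32_i2p`, `i2p_ssh_stanza` and `i2p_ssh_config` are names chosen for this example.

```sh
#!/bin/sh
# Added example, not code from the post: build ssh_config stanzas that reach
# SSH hidden services in I2P through i2pd's SOCKS5 proxy, so "ssh <alias>"
# works without remembering the port or the long .b32.i2p address.
# Assumptions: i2pd's SOCKS proxy listens on 127.0.0.1:4447 (its default),
# OpenBSD-style netcat with -X/-x is installed, and the aliases and
# addresses used below are constructed placeholders, not real hosts.

I2P_SOCKS="${I2P_SOCKS:-127.0.0.1:4447}"

# A .b32.i2p name is the base32 form of the 32-byte destination hash:
# exactly 52 characters from a-z and 2-7, then the .b32.i2p suffix.
# Anything else is a typo that would silently go nowhere (or elsewhere).
is_b32_i2p() {
    printf '%s\n' "$1" | grep -Eq '^[a-z2-7]{52}\.b32\.i2p$'
}

# Emit one Host stanza.  $1 = short alias, $2 = .b32.i2p address,
# $3 = port the server-side tunnel exposes (default 22).
i2p_ssh_stanza() {
    name="$1"; dest="$2"; port="${3:-22}"
    if ! is_b32_i2p "$dest"; then
        printf 'error: %s is not a .b32.i2p address\n' "$dest" >&2
        return 1
    fi
    cat <<EOF
Host $name
    HostName $dest
    Port $port
    # nc hands the unresolved name to the SOCKS5 proxy, so i2pd resolves it
    # inside I2P instead of the local resolver seeing it.
    ProxyCommand nc -X 5 -x $I2P_SOCKS %h %p
    # Keep I2P host keys in their own file: accept a key on first contact
    # (verify the fingerprint out of band), refuse a changed one outright.
    StrictHostKeyChecking accept-new
    UserKnownHostsFile ~/.ssh/known_hosts_i2p
EOF
}

# Turn an inventory of "alias address [port]" lines on stdin into a config
# section; stops at the first bad address instead of writing a broken config.
i2p_ssh_config() {
    while read -r name dest port; do
        case "$name" in ''|'#'*) continue ;; esac
        i2p_ssh_stanza "$name" "$dest" "$port" || return 1
    done
}

# Constructed sample inventory; the addresses are placeholders.
a52=$(printf '%052d' 0 | tr 0 a)
b52=$(printf '%052d' 0 | tr 0 b)
printf '%s\n' "# alias  destination  port" \
               "pi1  $a52.b32.i2p" \
               "box2 $b52.b32.i2p 2222" | i2p_ssh_config
```

Usage: `i2p_ssh_config < inventory >> ~/.ssh/config`, then `ssh pi1`. The per-target client tunnels yeti mentions still work alongside this; the SOCKS route just saves one tunnel definition per host, at the cost of every session going through the one proxy port.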
  • From jmjl <jmjl@tilde.green> to tilde.meta on Mon Nov 25 20:10:33 2024
    On 2024-11-24, yeti <yeti@tilde.institute> wrote:
    > So if/when I'll drop Tor because of my Rust-allergy, I probably have
    > an alternative for my SSH backdoors via I2P. The rest is just optional
    > candy atop that, but really smells like including a lot of bonus fun.
    > \o/

    What do you think about the yggdrasil-network project, and would you
    maybe use it? Every host has its own public key, and by doing a few
    simple operations (and chopping a few bytes off of the pubkey[1]) you can
    get an IPv6 address inside the 200::/7 range[5], and on Linux[6] you get
    a tun device and IPv6 routes added.

    For this backdoor thingy, you'd be using the network's (so other
    people's) traffic, most likely, but yggdrasil also supports multicast
    peerings.

    If you're running yggdrasil-go, you'd have to configure a firewall to
    forbid other users from connecting to your node, and set a list of
    whitelisted IP addresses if you want to go that route, or maybe you just
    want to limit it to only being able to connect to port 22/tcp.

    You'd also have to set up some peers for this to work, as yggdrasil by
    itself won't find peers; you have to add them, or use something like
    peers_updater[8] to automatically update your yggdrasil peers via the
    admin API (unix domain sockets or tcp).

    Do keep in mind that if you add multiple peers, there's a chance[9] the
    best route will be through your host, and that if you only add one
    peer, you're relying on that peer being up.

    And also that this, differently from tor, isn't an anonymity network, so
    you're able to be identified, in a not too hard way.

    Their homepage: https://yggdrasil-network.github.io/

    The source code for their single binary program: https://github.com/yggdrasil-network/yggdrasil-go

    References:

    [1] I believe it truncates 16 bytes?
    PublicKeySize = 32[2] whilst Address is represented as 16 bytes[3], and
    32-16=16.
    Yes, this has the practical side effect that you can't get the pubkey of
    a node based on the IP address if you're unable to access the network,
    and someone could get an ed25519 key that happens to collide with your
    address, but I'm unsure how likely that is.[4]
    [2] https://pkg.go.dev/crypto/ed25519#PublicKeySize
    [3] https://github.com/yggdrasil-network/yggdrasil-go/blob/8c454a146cb70aa07ee2c87af964f5c1394da299/src/address/address.go#L10
    [4] Also, if you want to, I think there's some way to directly have
    yggdrasil work without the IP stack part, but I'm not sure how that
    can be done.
    [5] 200::/7 is marked as reserved by IETF, so it might be used for something
    else later?
    https://www.iana.org/assignments/ipv6-address-space/ipv6-address-space.xhtml
    https://iana.org/go/rfc4048 301 to https://www.rfc-editor.org/rfc/rfc4048.html
    [6] On NetBSD I've been told the Go tunnel support is missing IIRC, and
    I'm not sure it works on OpenBSD or other POSIX compliant systems,
    but you can use yggstack[7] if you still wish to do so, though you'd
    lose receiving the IP that connected for the -remote-(tcp|udp)
    options, and for part of what this message talks about you might have to
    patch the code to limit who can connect.
    [7] https://github.com/yggdrasil-network/yggstack
    [8] https://github.com/ygguser/peers_updater
    [9] I've been told this chance problem is slim and is trying to be
    removed by updating how the DHT works.

    P.S. Maybe this entire message is not valid as you also have a
    Go-allergy?
    --
    ~jmjl
    --- Synchronet 3.19b-Linux NewsLink 1.113
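jmjl's point about firewalling the node down to 22/tcp from a whitelist of addresses, as an added example; this is not code from the post or from the Yggdrasil project. It assumes the Yggdrasil tun interface is named `ygg0` (the `IfName` setting in yggdrasil.conf), that node addresses sit in 200::/7 as the post says, that nftables is the firewall, and it uses constructed placeholder addresses. The functions `is_ygg_addr` and `ygg_ssh_ruleset` are names chosen for this example.

```sh
#!/bin/sh
# Added example, not code from the post or from the Yggdrasil project: emit
# an nftables ruleset that admits only a short whitelist of Yggdrasil
# addresses to 22/tcp on this node and drops everything else arriving over
# the Yggdrasil tun interface, leaving other interfaces alone.
# Assumptions: the tun interface is named ygg0 (IfName in yggdrasil.conf),
# node addresses live in 200::/7, and the addresses below are constructed
# placeholders, not real nodes.

YGG_IF="${YGG_IF:-ygg0}"

# Does $1 look like a Yggdrasil address?  200::/7 means the first 16-bit
# group is 0x0200..0x03ff, i.e. "2xx:" or "3xx:" in the usual compressed
# notation (a leading zero is tolerated).  This is a prefix sanity check
# only; it says nothing about the key behind the address.
is_ygg_addr() {
    printf '%s\n' "$1" | grep -Eiq '^0?[23][0-9a-f]{2}:[0-9a-f:]+$'
}

# $@ = addresses allowed to open 22/tcp.  Fails instead of emitting a
# ruleset when the list is empty or contains a non-Yggdrasil address.
ygg_ssh_ruleset() {
    [ $# -gt 0 ] || { echo 'error: no peer addresses given' >&2; return 1; }
    allow=""
    for a in "$@"; do
        if ! is_ygg_addr "$a"; then
            printf 'error: %s is not in 200::/7\n' "$a" >&2
            return 1
        fi
        allow="${allow:+$allow, }$a"
    done
    cat <<EOF
table ip6 yggdrasil {
    set ssh_peers {
        type ipv6_addr
        elements = { $allow }
    }
    chain input {
        type filter hook input priority 0; policy accept;
        # Replies to connections this node opened, and PMTU/ping over the mesh.
        iifname "$YGG_IF" ct state established,related accept
        iifname "$YGG_IF" icmpv6 type { packet-too-big, echo-request } accept
        # The whitelisted peers may reach sshd; nobody else on the mesh may
        # reach anything.  The policy stays accept for other interfaces.
        iifname "$YGG_IF" ip6 saddr @ssh_peers tcp dport 22 accept
        iifname "$YGG_IF" drop
    }
}
EOF
}

# Constructed example; load for real with: ygg_ssh_ruleset ... | nft -f -
ygg_ssh_ruleset '200:1234:5678:9abc::1' '201:dead:beef::2'
```

Pipe the output through `nft -c -f -` first to have nft parse it without loading it. As jmjl notes, this only limits who can talk to sshd; it does nothing to hide the node, since Yggdrasil is not an anonymity network.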
  • From yeti <yeti@tilde.institute> to tilde.meta on Tue Nov 26 06:28:18 2024

    / WARNING:                     \
    | This all was typ(o)ed before |
    \ the 1st caffeine of the day. /
              /
            o/
            (|
            / \


    jmjl <jmjl@tilde.green> wrote:

    > What do you think about the yggdrasil-network project?,

    Looks interesting, but ...

    > and would you maybe use it?,

    ... I don't see me using it because of Go.

    > P.S. Maybe this entire message is not valid

    Nah. That's a lot of information and was meant to be a friendly reply.
    Such cannot be invalid.

    > as you also have a Go-allergy?

    A bit and a half.[0]

    I might change my mind if Yggdrasil existed in C or C++ or in a
    language that uses C(++) as a backend.

    I2PD is written in C++, which is not my dream language either, but it
    fits Unix as well as C.[2]

    I've played with Tinc-VPN (for SSH and H323) more than 20yrs ago and
    that was nice for a small context, but needing keys for each VPN
    connection makes it inflexible for use cases like I2P and Tor where a
    community can build ad-hoc.

    I2P(D) isn't a Ferrari, but when reaching a remote system over this
    possibly slow backdoor, I can switch to a faster connection as soon as I
    have more data.

    Having nicer short addresses thanks to <reg.i2p> is more than I ever got
    from Tor, except for SSH where I wired short names into the local SSH
    config[3], which I will keep as the strategy for my I2P SSH tunnels
    because they had better not appear in the public address book, but sure,
    for other stuff short I2P addresses are a welcome option.

    I even got I2PD and the I2PD-tools built on a Pi1 (Devuan5/Armel) and
    despite taking a lot of time, this generates confidence.

    Maybe I'll run into a showstopper with all this soon. I'm prepared for
    such an outcome, but currently I2P(D) feels like fun.

    ____________

    [0]: While not knowing much about Go[1], I remember problems like
    Molly-Brown not being able to switch the user ID for executing
    Gemini's equivalent of CGIs because of Go not fitting Unix well.
    My energy is limited and I don't want to fight such problems. But
    maybe some of this is already solved? I just may not be up to date
    with Go things.

    [1]: I just played a bit with big-ints in Go but that's basically all.

    [2]: Or other languages that "sit" atop LibC and a C compiler backend.

    [3]: I've wired the short I2P names for my toys into the system wide SSH
    config like I did before with Tor:

    SSH config and Tor
    <https://daemonforums.org/showthread.php?t=12201#post73028>

    ...and then I wanted to clean up my ssh config a bit...
    <https://daemonforums.org/showthread.php?t=12201#post73337>

    That may be nice in other (proxied) contexts too.
    --
    I still use far too much Linux.
    --- Synchronet 3.19b-Linux NewsLink 1.113