Synopsis

By tweaking some hidden parameters in the Tor Browser and using an I2P daemon alongside a Tor daemon, the Tor Browser can be used to safely browse I2P Eepsites.

Browsing I2P Eepsites with the Tor Browser

I2P is an anonymous network layer similar to Tor. This article focuses on one of I2P's numerous use cases: browsing hidden I2P HTTP sites, also called "Eepsites". We'll be using the Tor Browser for additional security.

[OPERATIONAL SECURITY REMINDERS]

  1. The Tor Browser team strongly advises against modding their browser. The Tor Browser is configured to deliver as much privacy and security as possible by default. That means any modification could replace or hinder what the Tor Browser team deemed ideal, and could potentially void your anonymity. Stay aware of your threat model, follow this guide carefully, and always test your new configuration before sailing the net.
  2. While it's possible to proxy I2P addresses without affecting clearnet traffic (and, unfortunately, guides regularly show how), such a configuration brings no anonymity whatsoever. Unless you don't mind browsing the I2P network naked, please consider blocking clearnet traffic or using Tor as a fallback proxy (keep on reading to learn how to do just that).
  3. If you're following this guide on a browser other than the Tor Browser, remember to configure your browser to proxy DNS requests. Whatever you do, don't forget to run a DNS leak test before sailing the net.
  4. The net is treacherous; staying anonymous goes beyond simply hiding your IP! Use a privacy-respecting browser with reasonable hardening to protect yourself against fingerprinting, practice good OpSec, and always think before clicking or typing.

Before this article, this fellow here wrote a blog on browsing I2P with the Tor Browser. While my article goes further by putting Tor and I2P together, McKinley shares a few important "don'ts" (no "dos," just "don'ts") for Tor and I2P. Give him a click, read both articles and shape up your OpSec.

This article assumes you've already configured a Tor and an I2P proxy. The Tor Browser bundle comes with a built-in Tor daemon, but you'll need a dedicated Tor daemon for this setup.

Writing a Proxy Auto-Configuration File

Unlike Tor, I2P doesn't support clearnet proxying, meaning clearnet traffic must either be blocked or relayed to a fallback proxy. While it wouldn't be wrong to force ourselves to keep a browser exclusively for I2P-related activities, most of us probably aren't paranoid enough to endure that inconvenience.

Fortunately, support for dynamic proxying has been standardized across most browsers thanks to Proxy Auto-Configuration (PAC). A PAC (.pac) file is a JavaScript file with a function that decides which proxy method should be used for a given URL. Here's our template PAC file:

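// Local I2P HTTP proxy
const proxy_i2p = 'PROXY 127.0.0.1:4444';
// Local Tor SOCKS proxy (the dedicated Tor daemon)
const proxy_tor = 'SOCKS 127.0.0.1:9051';

function FindProxyForURL(url, host)
{
    // Hosts ending in ".i2p" go through I2P
    if (host.match(/[.]i2p$/))
        return proxy_i2p;

    // Everything else falls back to Tor
    return proxy_tor;
}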

In layman's terms, this function asks the browser to use our I2P proxy for hosts ending with '.i2p', and to use the Tor proxy for every other URL. Feel free to tweak the constants as needed. Write this file somewhere on your system (mine is named '/usr/local/proxy+tor.pac') and load it in your chosen browser.
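An added example (not part of the original article): an offline check that runs a copy of the template above against constructed sample URLs and reports any URL that would reach the wrong proxy or bypass both. The helper names `loadPac` and `auditPac` and the sample URLs are assumptions made for this example.

```javascript
// Copy of the article's PAC template; edit to match your own file.
const PAC_SOURCE = `
const proxy_i2p = 'PROXY 127.0.0.1:4444';
const proxy_tor = 'SOCKS 127.0.0.1:9051';
function FindProxyForURL(url, host)
{
   if(host.match(/[.]i2p$/))
       return proxy_i2p;
   return proxy_tor;
}`;
const I2P = 'PROXY 127.0.0.1:4444';
const TOR = 'SOCKS 127.0.0.1:9051';

// Constructed sample URLs and the proxy each one should be routed to.
const CASES = [
  ['http://bbergeron.i2p/', I2P],
  ['http://sub.example.i2p/page', I2P],
  ['https://example.org/', TOR],
  ['http://i2p.example.org/', TOR],  // "i2p" as a label, not the suffix
  ['http://examplei2p/', TOR],       // no dot before "i2p"
  ['http://example.i2p.org/', TOR],  // ".i2p" in the middle of the name
];

// Evaluate the PAC source in its own scope and return its entry point.
function loadPac(source) {
  return new Function(`${source}\nreturn FindProxyForURL;`)();
}

// Hypothetical helper: returns one message per URL that is misrouted.
function auditPac(source, cases) {
  const findProxy = loadPac(source);
  const failures = [];
  for (const [url, want] of cases) {
    const got = findProxy(url, new URL(url).hostname);
    // A non-string result or a DIRECT entry is neither of our proxies: flag it as a leak.
    if (typeof got !== 'string' || /\bDIRECT\b/i.test(got)) {
      failures.push(`${url}: would connect directly (${got})`);
    } else if (got !== want) {
      failures.push(`${url}: got "${got}", expected "${want}"`);
    }
  }
  return failures;
}

const failures = auditPac(PAC_SOURCE, CASES);
console.log(failures.length ? failures.join('\n') : 'PAC routing OK');
```

Run it with Node.js after every change to the PAC file, before loading the file in the browser.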

Configuring the Tor Browser

For most browsers, the PAC file can be loaded from their respective settings page under the dedicated proxy section. This section is hidden in the Tor Browser, but these settings can still be configured by navigating to "about:config" in your URL bar and tweaking the following options:

| Setting | Value | Description |
|---|---|---|
| network.proxy.autoconfig_url | file:///usr/local/proxy+tor.pac | Set this to point to your PAC file. |
| network.proxy.type | 2 | Enable proxy auto-configuration. Set it back to 1 to restore Tor's default proxy. |
| dom.security.https_only_mode | false | Since Eepsites don't support HTTPS, this option must be set to false. |
| extensions.torbutton.use_nontor_proxy | true | Allows us to use our own proxy. |
| browser.fixup.domainsuffixwhitelist.i2p | true | While not strictly required, this option allows us to type ".i2p" addresses in the search bar and be sent to the given address instead of being redirected to the search engine. |

Testing and Conclusion

Before sailing the net, you should check your Tor connection status and test for DNS leaks. Finally, open a new tab and go to http://bbergeron.i2p/. If all the tests succeeded and my home page is rendering, then congratulations, your Tor Browser now supports I2P Eepsites!