A Logo

Feel free to include my content in your page via my
RSS feed

Help Irongeek.com pay for
bandwidth and research equipment:

Search Irongeek.com:

Affiliates:
ISDPodcast Button
RootSecure Button
Social-engineer-training Button
Irongeek Button

Web Hosting:
Dreamhost Logo
Help Irongeek.com pay for bandwidth and research equipment:

paypalpixle


Running an I2P Svartkast on the Raspberry Pi: Even more cheap hardware to leave on someone else's network

Running an I2P Svartkast on the Raspberry Pi: Even more cheap hardware to leave on someone else's network

        This is sort of a sequel to a previous article I wrote titled "Running an I2P Svartkast on the Raspberry Pi: Even more cheap hardware to leave on someone else's network". In that article I answer the obvious question of what the hell a Svartkast is, as well as show how to make one out of a Raspberry Pi. The short explanation is that a Svartkast is sort of like a Dropbox/Pwn Plug but with a darknet component like Tor or I2P. Svartkast is a term I picked up from Telecomix. Before I would have just referred to it as a “drop box” (too much name collision there now), but some also call it a kamikaze box or a Blackthrow (which is English for the Swedish term Svartkast). The Pogoplug was about $50, the Raspberry Pi is $35, has some better hardware and should be more readily available in a few months after the rush dies down.

Raspberry Pi Stats bogarded from Wikipedia:

Developer Raspberry Pi Foundation
Type Single-board computer
Release date 29 February 2012[1]
Introductory price US$ 25 and US$ 35
Operating system Linux (Debian GNU/Linux, Fedora, and Arch Linux ARM)[2]
Power 2.5 W (model A), 3.5 W (model B)
CPU ARM1176JZF-S 700 MHz[3]
Storage capacity SD Card Slot
(SD or SDHC card)
Memory 256 MByte
Graphics Broadcom VideoCore IV[3]
Website www.raspberrypi.org

Let’s Get Linux On It

        This part is way easier than with the Pogoplug. For my testing I'm using the Debian “wheezy” public beta (2012-06-18-wheezy-beta). Rather than tell you how to install it, I'd rather point you to their notes:

                http://elinux.org/RPi_Easy_SD_Card_Setup

        I used Win32DiskImager on a Windows 7 box to write mine. After booting from it, which is as easy as just inserting the SD card into the Raspberry Pi and plugging in the power, I choose the menu option to resize the install to my whole SD card. This last step will take a bit of time depending on the size of your SD card. You will also want to change the pi account's password on first boot.

Next up, let's install some useful apps

        At this point you should have a nice little computer that can be used as a drop box. Install whatever you might normally want on such an item, pretty much if it’s in Debian’s repositories you can install it with easy (think of the pen-test options). The rest of the article  will focus on the darknet/anonymity aspects. The next step will be to grab a bunch of packages that will be useful for the following steps. First we should update all the packages. We can pretty much do this with one command:

------------------------------------
sudo apt-get update; sudo apt-get dist-upgrade
------------------------------------

Then we will want to add a few packages:

------------------------------------
sudo apt-get install default-jre-headless xrdp
------------------------------------

Here are the things we are installing, and why:

default-jre: Java Runtime. We will need to replace it with the Oracle/Sun version of Java.
xrdp: This is so you can use a Windows Remote Desktop client to connect to the Blackthrow and use GUI tools. Keep in mind GUI access may be a little slow even with a direct connection, over a darknet it will likely be unusable.

        Notice we installed less apps on the Raspberry Pi than on the Pogoplug, this is because most of what I want is already there on this Debian install. Also, since we can get I2P to work with the defaule-jre (Java run time environment) we don't need to go though the pain of using the Oracle embedded version, saving a few steps.

Installing I2P

        Since I2P is the cipherspace we will be using, we need to install it (duh!).

1. We will need to set up a directory to install into. I do this with a few simple commands, and will be running as the pi user. If you use a different account, change paths accordingly. For those not up on *nix, ~ is just shorthand for the current users home directory.

------------------------------------
cd ~
mkdir i2pbin
cd i2pbin
------------------------------------

2. Find the URL to download I2P from by going to http://www.i2p2.de/download, this will change with time as new versions are released. At the time of this writing the following works.

------------------------------------
wget http://mirror.i2p2.de/i2pinstall_0.9.jar
------------------------------------

3. Next, to install I2P use the following command:

------------------------------------
java -cacao -jar i2pinstall_0.9.jar -console
------------------------------------

I suppose the -cacao is not needed here, but I'll explain more about it in a bit.

4. Take all the defaults. I put mine in a directory called just i2pbin. Keep in mind that i2pbin is the directory where the binaries for I2P are but the active configs will be in pi’s home under .i2p (note the leading period).

5. Ok, in future releases this step may not be needed. It seems the I2P installer gets confused by what Debian tells it regarding the CPU version in the Raspberry Pi. As I understand it, it needs an ARM6 version of the big integer library, but it unpacks the ARM7 version which will not work (but the ARM 5 will). What we need to do is move the jar that contains that library (and I do mean move, renaming is not enough) out of the lib folder, unpack it, then copy the correct library .so file into i2pbin (big thanks to zzz for figuring this out). We can do that with this set of commands:

------------------------------------
mkdir ~/unpackedjar
mv lib/jbigi.jar ~/unpackedjar
cd ~/unpackedjar
unzip jbigi.jar
mv libjbigi-linux-armv5.so ~/i2pbin/libjbigi.so
------------------------------------

6. In theory, if we are in Pi’s home we should be able to use the command:

------------------------------------
i2pbin/i2prouter start
------------------------------------

But I've not played enough with modifying that script yet. Instead I'm just using runplain.sh, but first we need to change it a bit. Open it up in nano (or whatever text editor you like):

------------------------------------
cd ~/i2pbin
nano runplain.sh
------------------------------------

Then edit the "JAVAOPTS" line by adding the -cacao option:

JAVAOPTS="-cacao -Djava.net.preferIPv4Stack=${PREFERv4} -Djava.library.path=${I2P}:${I2P}/lib -Di2p.dir.base=${I2P} -DloggerFilenameOverride=logs/log-router-@.txt"

My understanding is that the default Java is purely interpreted byte code, and is very slow:

------------------------------------
pi@raspberrypi ~ $ java -version
java version "1.6.0_24"
OpenJDK Runtime Environment (IcedTea6 1.11.1) (6b24-1.11.1-6)
OpenJDK Zero VM (build 20.0-b12, mixed mode)
pi@raspberrypi ~ $
------------------------------------

But that Cacao is much faster because it uses JIT (Just In Time) compiling and executes closer to native code:

------------------------------------
pi@raspberrypi ~ $
pi@raspberrypi ~ $ java -cacao -version
java version "1.6.0_24"
IcedTea Runtime Environment (IcedTea6 1.11.1) (6b24-1.11.1-6)
CACAO (build 1.1.0pre2, compiled mode)
pi@raspberrypi ~ $
------------------------------------

Someone who knows more about Java, feel free to correct me on how this works exactly, the point is that Cacao should be faster which is why we modify out runplain.sh.

7. Lets run runplain.sh for the first time, then kill it. We do this to set up a .i2p profile for use to edit:

------------------------------------
./runplain.sh
kill -9 `cat /tmp/router.pid`
------------------------------------

If the kill command above fails, you can try "killall java" but that is less elegant. I can normally find I2P pretty easily in the process list, just run "top" and it's near the top in CPU usage. Now we should have the directory /root/.i2p/ where our configs will be.

8. If you want to you can RDP into the Raspberry Pi and just use I2P from there. I want to make it a gateway to I2P for my whole LAN, so let’s make it so we can get into the web console from any box, not just the local host. Edit ~/.i2p/clients.config and look for a line that looks like:

    clientApp.0.args=7657 ::1,127.0.0.1 ./webapps/

Comment it out with a # and uncomment the line that looks like:

    #clientApp.0.args=7657 0.0.0.0 ./webapps/

to:

    clientApp.0.args=7657 0.0.0.0 ./webapps/

If we do this step, and we don't trust all of the hosts on our LAN, it is probably a good idea to make a router password. Just edit .i2p/clients.config

------------------------------------
nano ~/.i2p/clients.config
------------------------------------

then add the line:

    consolePassword=SomePassword

Obviously replacing “SomePassword” with the password you want to use. The logon name is “admin”. That takes care of giving access to the I2P console, now to be able to get to the proxies. For this we have to set the proxies on ports 4444 and 4445 to listen on 0.0.0.0. Edit the i2ptunnel.config:

------------------------------------
nano ~/.i2p/i2ptunnel.config
------------------------------------

Find the lines that look like:

tunnel.0.interface=127.0.0.1
tunnel.6.interface=127.0.0.1

and set them to be

tunnel.0.interface=0.0.0.0
tunnel.6.interface=0.0.0.0

9. We can now start I2P with a simple:

------------------------------------
./runplain.sh
------------------------------------

but what if you want it to start on boot and make sure it’s running at all times, even after a crash. The following is my solution, but there may be a better way. Run:

------------------------------------
crontab -e
------------------------------------

This should bring up an editor so we can add scheduled tasks. Add the following lines:

0 * * * * /home/pi/i2pbin/runplain.sh
@reboot /home/pi/i2pbin/runplain.sh

then exit. These lines should start up I2P on boot and try to load it every hour. The reason for the every hour line is to restart I2P in case it has crashed. If I2P finds that it is already running, it should graceful close.

10. We should now have I2P up and running now, config you browser to point to 4444 and 4445 for the http and https proxies respectively.

Extra I2P Tweaks

For a full list see http://www.irongeek.com/i.php?page=security/i2p-tor-workshop-notes    

If too many resources are being taken by routing for others, you may wish to add:

        router.maxParticipatingTunnels=0

to your ~/.i2p/clients.config. Sharing is good for the network, but the the Raspberry Pi may be a little under powered depending on what you do with it. I'm still testing this, but so far routing for others does not seem to be causing me an undue performance hit, and it helps obfuscate my traffic some.

Also, to add more sites you you address box you can surf to :

http://<Raspberry Pi's IP>:7657/susidns/subscriptions

and add:

http://www.i2p2.i2p/hosts.txt
http://i2host.i2p/cgi-bin/i2hostetag
http://stats.i2p/cgi-bin/newhosts.txt
http://tino.i2p/hosts.txt
http://inr.i2p/export/alive-hosts.txt

to the subscription list.

Setting up access over the Darknet

        Of course to make it a working BlackThrow you would need something more to access it remotely. You could go to the extreme and use Garlicat (http://www.cypherpunk.at/?p=40 ) but for simplicity I’m just using OpenSSH. OpenSSH is already installed, fairly low bandwidth is required for just remote shell access and you can use dynamic port forwarding over SSH to make it act as a poor man’s VPN/anonymising proxy.

1. On the server’s install of I2P (the Raspberry Pi) go into the console and make a Standard server tunnel that points to port 22 on 127.0.0.1. Also make sure you enable “Auto Start”, no other settings should need to be changed. After you start the server tunnel for the first time go back into the setting of the tunnel and take note of the “Local destination(L):”. You will need this string shortly. It’s blank in the screenshot because I was just configuring the tunnel and it had not been generated yet.


2. On the client’s install of I2P make a client tunnel with a port of your choosing (I used port 2222 ), reachable by 127.0.0.1, and insert the value you copied from “Local destination(L):” in step 1 into the “Tunnel Destination(T):” field.

 


3. Now you should be able to SSH and dynamic port forward into the Raspberry Pi. If you can, set up port forwarding on the NAT router, but the default UDP hole punching behavior should be sufficient. Hopefully these notes are enough for someone with a little experience with Linux and SSH to be able to get a Svartkast up and running.

Here are a few links that may be useful to you in setting up a svartkast.

As for how to use dynamic port forwarding, check out
http://www.irongeek.com/i.php?page=videos/sshdynamicportforwarding   

My notes on I2P and Tor, hope these are helpful
http://www.irongeek.com/i.php?page=security/i2p-tor-workshop-notes    

For an intro to I2P see my section of these talks
http://www.irongeek.com/i.php?page=videos/shmoocon-firetalks-2011   

Getting started with the I2P Darknet in Windows
http://www.irongeek.com/i.php?page=videos/getting-started-with-the-i2p-darknet    

Installing the I2P darknet software in Linux
http://www.irongeek.com/i.php?page=videos/getting-started-with-the-i2p-darknet    

Hosting Hidden Services in I2P: eepSites and SSH
http://www.irongeek.com/i.php?page=videos/i2p-darknet-hidden-servers   

Darknets and hidden servers:Identifying the true IP/network identity of I2P service hosts
http://www.irongeek.com/i.php?page=security/darknets-i2p-identifying-hidden-servers   
 

Printable version of this article

15 most recent posts on Irongeek.com:


If you would like to republish one of the articles from this site on your webpage or print journal please contact IronGeek.

Copyright 2014, IronGeek
Louisville / Kentuckiana Information Security Enthusiast