Tip of the day: The Security article gives hands-on tips on how to deal with drone attacks, flooding, spammers, (D)DoS and more. |
Running I2P service with UnrealIRCd
This guide will show you how to setup UnrealIRCd and I2Pd, where your IRC server will get an .b32.i2p
.
This guide will put the I2P users on their own IP address (eg. 127.0.0.3) and disable some ban checks. Then we setup I2P as a hidden service (as known as IRC server tunnel), with correct settings for UnrealIRCd. Finally, it shows you how to limit I2P access only to users with a services account (optional).
Background
By default if you run an I2P service, I2P will connect to the IRCd at localhost using IP 127.0.0.1. This is bad for two reasons:
- You would be unable to separate I2P traffic from other localhost traffic
- All I2P users would be unbanable because 127.0.0.1 is exempt from all bans, including glines
Install I2Pd
This is explained in https://i2pd.readthedocs.io/en/latest/user-guide/install/ but in short, if you run Ubuntu/Debian, then:
- Add the repository:
add-apt-repository ppa:purplei2p/i2pd
, - Then
apt install i2pd
On FreeBSD, you should run: pkg install i2pd
Configure I2P
Open /etc/i2pd/tunnels.conf
and add the lines:
[SERVER-UNREALIRCD] type = irc host = 127.0.0.1 port = 6666 keys = unrealircdserver-key.dat
Note that we are using port 6666, but you can use whichever port you prefer.
I2Pd does not have native unix socket capability, so we will create later a bridge from TCP/IP port to Unix Socket to connect it to UnrealIrcd. Therefore, this listen port should not be included in unrealircd.conf. We'll talk about this later.
Start I2Pd.
If you run Ubuntu/Debian, then:
systemctl start i2pd.service
On FreeBSD, you should run: service i2pd enable
, and then service i2pd start
Preparing the system
This needs to be done after installing I2Pd and before you reconfigure UnrealIRCd for I2Pd use. So now is the right time.
First, become root, as all next commands need to be executed as root:
Creating the socket directory
Let's create the directory that UnrealIRCd will access and create the socket file:
mkdir /etc/i2pd/unrealircd chown unrealircd:unrealircd /etc/i2pd/unrealircd chmod 750 /etc/i2pd/unrealircd
NOTE: This assumes your IRCd user is called unrealircd
. If not, change the unrealircd:unrealircd
in the chown
command of above.
Tweaking AppArmor
If you are on Debian/Ubuntu and have AppArmor installed (you probably do!) then run the next few commands. If you don't do this then everything will fail mysteriously later.
Still as root, run:
echo "/etc/i2pd/unrealircd/ip2d_ircd.socket rw," >>/etc/apparmor.d/local/system_i2pd apparmor_parser -r /etc/apparmor.d/system_i2pd
Configure UnrealIRCd
Add this to your unrealircd.conf
file:
listen { file "/etc/i2pd/unrealircd/i2pd_ircd.socket"; mode 0777; spoof-ip 127.0.0.3; }
/* Some ban checking should be turned off, otherwise all I2P * users could be banned by one user misbehaving. * * This also sets maxperip to unlimited. The alternative is to remove * 'maxperip' here and either change the generic allow block to allow * more users, or add a specific allow block specially for 127.0.0.3 * with its own limit in allow::maxperip, so you can set a hard * limit on I2P users (eg: 100) instead of 'unlimited'. */ except ban { mask { ip 127.0.0.3; } type { blacklist; connect-flood; maxperip; handshake-data-flood; } }
And then REHASH.
Creating a bridge between TCP/IP and Unix Socket
We will create a communication that act like bridge between a TCP/IP on port 6666 and UNIX socket located at "/etc/i2pd/unrealircd/i2pd_ircd.socket".
As unrealircd user, run:
socat TCP-LISTEN:6666,bind=localhost,reuseaddr,fork UNIX-CONNECT:/etc/i2pd/unrealircd/i2pd_ircd.socket &
So, when users connecting on I2P tunnel client address, they will be redirect to 127.0.0.1:6666 that will bridge to Unix Socket created by UnrealIrcd, that come up with an IP of 127.0.0.3 and exempt them from some ban checking.
Get your .b32.i2p address
Connect to your router. You can use lynx or w3m.
w3m http://127.0.0.1:7070
Go to I2P tunnels and I2P address in Server Tunnels.
Decide on your server name
Is this server going to accept connections from both the Internet and from I2P? Then it is not really a "hidden" service, and you may want to go for Option 2: keep your normal server name.
Is the server going to ONLY accept connections from I2P and not from the regular Internet? Then see Option 1: set your server name as .i2p
Option 1: set your server name as .i2p
Do you really want to run as a hidden service? Like, you want to hide the name of your server, not reveal its location, and it should only reachable over I2P? Then this is the me::name that you want to use in UnrealIRCd.
Update the Me block in your unrealircd.conf, like:
me { name xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx.b32.i2p; --etc--
When you change the Me block you will have to restart the server. A rehash is not enough!
It is not necessary to block external access to port 6666, since in socket we bind in localhost only.
Option 2: keep your normal server name with a MapAddress
If your server is reachable from both the Internet and I2P, and thus you don't need to run a hidden service, then you could keep your me::name as normal (eg: irc1.example.net) and then tell your users to connect to irc1.example.net
.
If you don't like this approach, then you can also go with Option 1 mentioned further up.
Let users connect via I2P
People should now be able to connect to your I2P IRC server tunnel. Depending on the choice you made at Decide on your server name, users now connect to:
- Your .b32.i2p address directly, creating a client tunnel (if you went for option 1), or
- To like irc1.example.net (if you went for option 2).
Optional: require authentication
Since people are anonymous on I2P, there may be more abuse than usual. You may optionally require all I2P users to have a services account and use SASL.
To do so, add this to your unrealircd.conf:
require authentication { mask *@127.0.0.3; reason "I2P users need to authenticate to their services account using SASL"; };