Start a branch for i2p support, doesn't work yet because it can't bootstrap without already being bootstrapped, so it will probably need to mix I2P and Tor and do an onion reseed

Dockerfile

@@ -21,7 +21,7 @@ RUN git clone https://git.zx2c4.com/wireguard-tools && \
     make && \
     make install
 
-FROM ${ARCH}/alpine:3.13
+FROM ${ARCH}/alpine:edge
 
 ARG BUILD_DATE
 ARG VERSION
@@ -53,6 +53,7 @@ RUN \
     openvpn \
     tini \
     tor \
+    i2pd \
     tzdata \
     unzip && \
   rm -fr /var/cache/apk/* && \

README.md

@@ -23,7 +23,7 @@ docker run -d \
   --cap-add SETGID \
   --cap-add NET_ADMIN \
   --cap-add NET_RAW \
-  retenet/tunleV
+  retenet/tunle
 ```
 
 Wireguard Currently only supported with predefined config

configs/sample.i2p.cfg

@@ -0,0 +1,3 @@
+PROVIDER=i2p
+UNAME=i2p
+PASSWD=i2p

iptables/v4/i2p

@@ -0,0 +1,65 @@
+*filter
+:INPUT DROP [0:0]
+:FORWARD DROP [0:0]
+:OUTPUT DROP [0:0]
+
+# Allow related/established traffic
+-A INPUT -m conntrack --ctstate ESTABLISHED -j ACCEPT
+# Allow traffic on local loopback
+-A INPUT -i lo -j ACCEPT
+# Allow connections to Tor Proxy
+-A INPUT -p tcp --dport 4447 -m state --state NEW -j ACCEPT
+-A INPUT -p udp --dport 4447 -m state --state NEW -j ACCEPT
+# Log dropped packets
+-A INPUT -j LOG --log-prefix "Dropped INPUT packet: " --log-level 7 --log-uid
+
+# Don't allow any packet forwarding
+
+# Block invalid traffic
+-A OUTPUT -m state --state INVALID -j DROP
+# Allow related/established traffic
+-A OUTPUT -m conntrack --ctstate ESTABLISHED -j ACCEPT
+# Allow outbound connection for the tor-router user to the Tor directory servers and network
+-A OUTPUT -m owner -o eth0 --uid-owner 9001 -p tcp -m tcp --tcp-flags FIN,SYN,RST,ACK SYN -m state --state NEW -j ACCEPT
+# Allow traffic on local loopback
+-A OUTPUT -d 127.0.0.1/32 -o lo -j ACCEPT
+# Allow connections to local transparent listener
+-A OUTPUT -d 127.0.0.1/32 -p tcp --syn --dport 4447 -j ACCEPT
+# Log all other dropped packets
+-A OUTPUT -j LOG --log-prefix "Dropped OUTPUT packet: " --log-level 7 --log-uid
+
+COMMIT
+
+*nat
+:PREROUTING ACCEPT [0:0]
+:INPUT ACCEPT [0:0]
+:OUTPUT ACCEPT [0:0]
+:POSTROUTING ACCEPT [0:0]
+
+# Skip pre-routing if interface is WAN or local
+-A PREROUTING -i eth0 -j RETURN
+-A PREROUTING -i lo -j RETURN
+# Redirect all .onion addresses
+-A PREROUTING -d 10.192.0.0/10 -p tcp --syn -j REDIRECT --to-ports 4447
+# Redirect UDP DNS traffic to internal DNS server
+-A PREROUTING -p udp --dport 4447 -j REDIRECT --to-ports 4447
+-A PREROUTING -p udp --dport 53 -j REDIRECT --to-ports 4447
+# Skip pre-routing if destination is private or reserved
+-A PREROUTING -d 0.0.0.0/8,10.0.0.0/8,100.64.0.0/10,127.0.0.0/8,169.254.0.0/16,172.16.0.0/12,192.0.0.0/24,192.0.2.0/24,192.88.99.0/24,192.168.0.0/16,198.18.0.0/15,198.51.100.0/24,203.0.113.0/24,224.0.0.0/4,240.0.0.0/4,255.255.255.255/32 -j RETURN
+# Redirect remaining TCP traffic
+-A PREROUTING -p tcp --syn -j REDIRECT --to-ports 4447
+
+# Redirect all .onion addresses
+-A OUTPUT -d 10.192.0.0/10 -p tcp --syn -j REDIRECT --to-ports 4447
+# Redirect all DNS traffic
+-A OUTPUT -p udp --dport 53 -j REDIRECT --to-ports 4447
+# Allow the tor-router to bypass transparent routing
+-A OUTPUT -m owner --uid-owner 9001 -j RETURN
+# Don't transparently redirect traffic out of the loopback
+-A OUTPUT -o lo -j RETURN
+# Don't redirect if destination is private or reserved
+-A OUTPUT -d 0.0.0.0/8,10.0.0.0/8,100.64.0.0/10,127.0.0.0/8,169.254.0.0/16,172.16.0.0/12,192.0.0.0/24,192.0.2.0/24,192.88.99.0/24,192.168.0.0/16,198.18.0.0/15,198.51.100.0/24,203.0.113.0/24,224.0.0.0/4,240.0.0.0/4,255.255.255.255/32 -j RETURN
+# Redirect remaining TCP traffic
+-A OUTPUT -p tcp --syn -j REDIRECT --to-ports 4447
+
+COMMIT

iptables/v6/i2p

@@ -0,0 +1,80 @@
+*filter
+:INPUT DROP [0:0]
+:FORWARD DROP [0:0]
+:OUTPUT DROP [0:0]
+# Create the ICMPV6-CHECK chain and its log chain
+# These chains are used later to prevent a type of bug that would
+# allow malicious traffic to reach over the server into the private network
+# An instance of such a bug on Cisco software is described here:
+# https://www.insinuator.net/2016/05/cve-2016-1409-ipv6-ndp-dos-vulnerability-in-cisco-software/
+# other software implementations might be at least as broken as the one in CISCO gear.
+:ICMPV6-CHECK - [0:0]
+:ICMPV6-CHECK-LOG - [0:0]
+
+# Allow related/established traffic
+-A INPUT -m conntrack --ctstate ESTABLISHED -j ACCEPT
+# Allow traffic on local loopback
+-A INPUT -i lo -j ACCEPT
+# Allow connections to Tor Proxy
+-A INPUT -p tcp --dport 4447 -m state --state NEW -j ACCEPT
+-A INPUT -p udp --dport 4447 -m state --state NEW -j ACCEPT
+# Log dropped packets
+-A INPUT -j LOG --log-prefix "Dropped INPUT packet: " --log-level 7 --log-uid
+
+-A FORWARD -j ICMPV6-CHECK
+# Use the ICMPV6-CHECK chain, described above
+-A ICMPV6-CHECK -p icmpv6 -m hl ! --hl-eq 255 --icmpv6-type router-solicitation -j ICMPV6-CHECK-LOG
+-A ICMPV6-CHECK -p icmpv6 -m hl ! --hl-eq 255 --icmpv6-type router-advertisement -j ICMPV6-CHECK-LOG
+-A ICMPV6-CHECK -p icmpv6 -m hl ! --hl-eq 255 --icmpv6-type neighbor-solicitation -j ICMPV6-CHECK-LOG
+-A ICMPV6-CHECK -p icmpv6 -m hl ! --hl-eq 255 --icmpv6-type neighbor-advertisement -j ICMPV6-CHECK-LOG
+-A ICMPV6-CHECK-LOG -j LOG --log-prefix "ICMPV6-CHECK-LOG DROP "
+-A ICMPV6-CHECK-LOG -j DROP
+
+# Block invalid traffic
+-A OUTPUT -m state --state INVALID -j DROP
+# Allow related/established traffic
+-A OUTPUT -m conntrack --ctstate ESTABLISHED -j ACCEPT
+# Allow outbound connection for the tor-router user to the Tor directory servers and network
+-A OUTPUT -m owner -o eth0 --uid-owner 9001 -p tcp -m tcp --tcp-flags FIN,SYN,RST,ACK SYN -m state --state NEW -j ACCEPT
+# Allow traffic on local loopback
+-A OUTPUT -d ::1/128 -o lo -j ACCEPT
+# Allow connections to local transparent listener
+-A OUTPUT -d ::1/128 -p tcp --syn --dport 4447 -j ACCEPT
+# Log all other dropped packets
+-A OUTPUT -j LOG --log-prefix "Dropped OUTPUT packet: " --log-level 7 --log-uid
+
+COMMIT
+
+*nat
+:PREROUTING ACCEPT [0:0]
+:INPUT ACCEPT [0:0]
+:OUTPUT ACCEPT [0:0]
+:POSTROUTING ACCEPT [0:0]
+
+# Skip pre-routing if interface is WAN or local
+-A PREROUTING -i eth0 -j RETURN
+-A PREROUTING -i lo -j RETURN
+# Redirect all .onion addresses
+-A PREROUTING -d fc00::/7 -p tcp --syn -j REDIRECT --to-ports 4447
+# Redirect UDP DNS traffic to internal DNS server
+-A PREROUTING -p udp --dport 4447 -j REDIRECT --to-ports 4447
+-A PREROUTING -p udp --dport 53 -j REDIRECT --to-ports 4447
+# Skip pre-routing if destination is private or reserved
+-A PREROUTING -d fd00::/8,fec0::/10 -j RETURN
+# Redirect remaining TCP traffic
+-A PREROUTING -p tcp --syn -j REDIRECT --to-ports 4447
+
+# Redirect all .onion addresses
+-A OUTPUT -d fc00::/7 -p tcp --syn -j REDIRECT --to-ports 4447
+# Redirect all DNS traffic
+-A OUTPUT -p udp --dport 53 -j REDIRECT --to-ports 4447
+# Allow the tor-router to bypass transparent routing
+-A OUTPUT -m owner --uid-owner 9001 -j RETURN
+# Don't transparently redirect traffic out of the loopback
+-A OUTPUT -o lo -j RETURN
+# Don't redirect if destination is private or reserved
+-A OUTPUT -d fd00::/8,fec0::/10 -j RETURN
+# Redirect remaining TCP traffic
+-A OUTPUT -p tcp --syn -j REDIRECT --to-ports 4447
+
+COMMIT

scripts/i2p.sh

@@ -0,0 +1,23 @@
+#!/usr/bin/env bash
+
+set -euo pipefail
+
+echo -n "Loading Configuration..."
+
+cat <<EOT > /etc/tor/torrc
+VirtualAddrNetworkIPv4 10.192.0.0/10
+VirtualAddrNetworkIPv6 [fc00::]/7
+AutomapHostsOnResolve 1
+TransPort 0.0.0.0:9040 IsolateClientAddr IsolateClientProtocol IsolateDestAddr IsolateDestPort
+TransPort [::]:9040 IsolateClientAddr IsolateClientProtocol IsolateDestAddr IsolateDestPort
+DNSPort 0.0.0.0:5353
+DNSPort [::]:5353
+
+ServerDNSDetectHijacking 0
+EOT
+echo "Done."
+
+echo -n 'nameserver 127.0.0.1' > /etc/resolv.conf
+
+echo "Starting I2P..."
+su user -c "i2pd"

setup.sh

@@ -42,6 +42,10 @@ case "${PROVIDER}" in
     UNAME="generic"
     PASSWD="generic"
     ;;
+
+  "i2p")
+    echo "Loading I2P Network Proxy..."
+    ;;
     
   "ipvanish")
     echo "Loading IPVanish..."