Add how to configure encrypted lease sets
I want to host a hidden site so only I can connect to it. I read the blog post on encrypted lease sets which describes that you need them to do this. How can I generate the PSKs (or private Diffie-Hellman) for a client to use (I think it is i2cp.leaseSetPrivKey), and for the server to whitelist in i2cp.leaseSetClient.psk.<number>? It would be nice if a short tutorial could be added to the docs too.
I see a user figured one way out here: https://github.com/PurpleI2P/i2pd/discussions/2104 But I would rather configure individual client access instead if possible. Also, that user was using a key format i2pd complained about.
Use https://github.com/PurpleI2P/i2pd-tools/blob/master/x25519.cpp for DH keygen. PSK can be any random 32 bytes in base64. But before creating authentication try to run encrypted LeaseSet without it and access through B33.
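An added example (not from this thread or from the i2pd project) of generating one distinct 32-byte PSK per client and checking a key string's format before it goes into a tunnel config. It assumes i2pd expects I2P's base64 alphabet ('-' and '~' in place of '+' and '/'); the function names are hypothetical, and the exact value syntax of the i2cp.leaseSetClient.psk.<number> option is not shown on this page, so only the key strings are produced.

```python
import base64
import binascii
import secrets

# Assumption: keys use I2P's base64 alphabet ('-' and '~' instead of '+' and '/').
I2P_ALTCHARS = b"-~"
KEY_LEN = 32  # "any random 32 bytes", per the reply above


def generate_psk() -> str:
    """Return a fresh 32-byte PSK from the OS CSPRNG, base64-encoded."""
    raw = secrets.token_bytes(KEY_LEN)
    return base64.b64encode(raw, altchars=I2P_ALTCHARS).decode("ascii")


def check_key(text: str) -> bytes:
    """Decode a key string; raise ValueError describing any format problem."""
    text = text.strip()
    if "+" in text or "/" in text:
        raise ValueError("standard base64 '+' or '/' found; expected '-' or '~'")
    try:
        raw = base64.b64decode(text, altchars=I2P_ALTCHARS, validate=True)
    except binascii.Error as exc:
        raise ValueError(f"not valid base64: {exc}") from exc
    if len(raw) != KEY_LEN:
        raise ValueError(f"decodes to {len(raw)} bytes, expected {KEY_LEN}")
    return raw


def to_i2p_alphabet(text: str) -> str:
    """Convert a standard-alphabet base64 key to the I2P alphabet and verify it."""
    converted = text.strip().translate(str.maketrans("+/", "-~"))
    check_key(converted)
    return converted


def per_client_psks(count: int) -> dict[int, str]:
    """One distinct PSK per client number, so one client can be revoked alone."""
    keys = {number: generate_psk() for number in range(1, count + 1)}
    for psk in keys.values():
        check_key(psk)  # never hand out a key that fails the format check
    return keys


if __name__ == "__main__":
    # Each key goes to the server (i2cp.leaseSetClient.psk.<number>) and to
    # exactly one client (i2cp.leaseSetPrivKey), the option names used above.
    for number, psk in per_client_psks(2).items():
        print(number, psk)
```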
Thank you. I never saw this before... for others: You have to click on I2P tunnels, then click your tunnel's name, and click the text which says "Encrypted B33 address:" to see your B33 address, which is also known as the Extended base32 name. The "Encrypted B33 address:" tag unfortunately was not intuitive to me; just by looking at it you think it is empty because nothing follows the colon.
Thank you so much for this reply! As I take it the B33 address should be basically the same in terms of security/hiding the lease set as a PSK, right? And the client only has to use the B33 address, no need to configure anything else special in the tunnel settings?
Bumping this. I went to create a new encrypted lease set after not using it for a while, and I found my own help request and this. I'm still not 100% sure what's going on there, and would love someone who knows better to sort of explain how everything should be set up. With DH specifically, I get some links to the x25519 tool, which I think I understand, but I'm still not sure of the proper way to do it, and I don't want to go scrolling code for hours to try and decipher it.
To the devs, thank you for making this, but as a simple user I think a bit more guidance would be helpful.
Are you able to create an encrypted LeaseSet without auth key yet?
Yes, but I failed to set up a tunnel with a key, which isn't the best. I'm trying to make a mostly-private tunnel with a shared key, and it seems for most changes even a tunnel reload doesn't work and requires an i2pd restart.
I literally copy-pasted from my old help request, and that didn't seem to do it for me, but I'm not 100% sure what to check or where to start. I was able to follow a guide on idk about encrypted lease sets that was able to get me a working client/server, but that was without keys.