Hosting Sites on the I2P Network

There are not many technologies that can help you to run a website that cannot be blocked. The Invisible Internet Project (I2P) can help you out. Read this post and learn the basic steps on how to set up your website on the I2P network.

I2P is one of the most technologically advanced solutions that provides the possibility of anonymous hosting. I2P seriously complicates tracking, thus practically excluding the possibility of determining where the server with files is located.

Tor and I2P

So, what is I2P? It is an additional network layer that runs on top of the IP protocol and provides the ability to transfer data anonymously. I2P uses various types of cryptography for secure message transmission as well as numerous peer-to-peer tunnels that provide anonymity and fault tolerance of the system.

The Tor Project has become extremely popular in the field of anonymization. Therefore, while talking about how I2P works, let us compare these two technologies.

Both systems, Tor and I2P, use multi-layered cryptography to prevent third parties from decrypting the contents of transmitted packets. The only thing each node knows is the next link in the data transmission chain. While Tor is more focused on keeping the client incognito while surfing the Internet, I2P's aim is to create an anonymous network of connected users. However, the possibility of anonymous surfing is still present.

I2P is primarily about hosting websites (called eepSites) on the network. This is somewhat similar to the concept of hidden (onion) services available to Tor users. However, anonymous hosting using I2P is significantly faster.

I2P does not have central servers. There are also no usual DNS servers. It uses a distributed hash table (DHT), built on the basis of Kademlia. This approach eliminates the problem of a single point of failure. Experts know how the Great Firewall of China blocks Tor. The fact that I2P relies on peer-to-peer technology to exchange routing information avoids such problems.

The system by which I2P users get information about each other is called netDb. Each member of the network represents a router through which traffic is transmitted. Generally speaking, there is no noticeable difference between a server and a regular client.

I2P addresses

IP addresses are not used to access other routers and services. Addressing is carried out using a unique cryptographic identifier, through which both routers and end services are designated.

The identifier of the destination point uses 516 bytes in Base64. Obviously, such an identifier is not very convenient. Besides, it will not work with some protocols. Therefore, I2P offers another approach called Base32 names. It is similar to the system used for naming .onion sites on the Tor network. The original 516-byte identifier is decoded (with some characters replaced) into the original raw form. The resulting value is hashed using SHA256 and then gets B32 encoded. The result is quite a usable sequence of characters which is much easier to work with.

In I2P, there is no official analog of a DNS server that would perform name resolution, that is, establish a correspondence between the "somename.i2p" domain and an identifier, since this would be a severe privacy and security issue. Each I2P node has its own set of text files in which the mapping for services is performed. These files are very similar to HOSTS. However, the user can synchronize his base of "bindings" through a special server inside I2P. In doing so, he must trust the owner of such a service, believing that the latter provides him with the correct identifiers.

Protection techniques

I2P implements several interesting technologies to eliminate the possibility of traffic interception and spoofing. While Tor uses a single chain to perform communication, I2P relies on the concept of inbound and outbound tunneling. Thus, requests and responses do not always follow the same path. During transmission, the message is subjected to multi-level encryption (end-to-end, tunnel, and transport layers), and the end nodes are identified with encrypted identifiers. Moreover, the tunnels themselves are rebuilt/updated every few minutes.

In addition, I2P uses Garlic routing. In essence, it is multi-layer encryption that allows a single message (called a "garlic") to contain many "cloves" - fully formed messages with instructions for their delivery. Many "cloves" are packed into one "garlic" at the moment of its formation, before it is sent. These "cloves" are encrypted messages from our node as well as from other nodes – transit messages. Only the creator of the "garlic" knows whether a given "clove" in it is his own message or someone else's transit message passing through him.

This sophisticated approach provides a high level of data protection but does not limit the use of I2P. The network can host a variety of services: IRC, BitTorrent, email. In addition, I2P developers provide APIs for new applications that work over a secure network but do not require the user to additionally install and configure an I2P client.

Client installation

I2P is written in Java, and therefore you can run the application on almost any OS. The client distribution kit is equipped with a convenient installer that will do everything for you. After the installation is complete, go to the directory with the application and launch it. All control is carried out through a web shell, which is available at To be able to visit I2P resources and external Internet resources (anonymously), it is better to immediately register the HTTP proxy in your browser:

Anonymous website hosting

Your eepSite will not be available to the general public via the Internet, but I2P users can always visit it and, if they wish, make a mirror of your site on the global network. At the same time, in theory, it will be extremely difficult to identify your real IP address. Below is a step-by-step guide for hosting a site using I2P.
  1. If you go to, you will see a stub page - a kind of eepSite template. You need to edit or replace files in .i2p/eepsite/docroot (Linux) or %APPDATA%\I2P\eepsite\docroot (Windows). This is the default folder for the Jetty web server installed together with I2P. Here you need to understand that, at the moment, this is just a local site. To make it available to other users, an appropriate tunnel must be created for it on the I2P network.
  2. You also have a tunnel template/manager. Go to the admin panel for managing tunnels located at In section "Server I2P tunnels," you will see the entry "I2P webserver" - this is just what you need. The tunnel is currently off. Go to its settings. The first thing to notice is the "local destination" parameter and its value. It looks something like "F52tTd-vS67C0v1wudVdaYV [.. stripped ...] AAAB." This long Base64 string is the key that is used for addresses within the I2P network, something like an IP address. Copy and save it somewhere; you may need it in the future. It is time to convert it into a more convenient Base32 form using a simple Python script. Having specified the original identifier as a key, at the output you will get something like seky4b7hp1hscdhovgb9vtdbvdtsvpf42ushbpe5uuigu4243v2q.b32.i2p. If the tunnel were running now, other users could connect to it using this address. But it is still too early to activate the tunnel. You need to make sure that your site can be accessed by a domain name.
  3. There is no DNS system in I2P, but there are substitutes. Therefore, you can register a domain name for your eepSite. Go to the settings of your tunnel and replace the default value "mysite.i2p" with your new name, for example, ii7777ii.i2p.
  4. The minimum setup is complete. Now you can turn on the tunnel. To do this, go to the admin area, and for your eepSite press the "Start" button. In the "Status" column, an asterisk representing the current status will first turn yellow and then green. If you go to the main page of the admin panel, a new entry with your eepSite will appear in the left pane under the "Local tunnels" category. From now on, anonymous hosting is launched. You can share the identifier in the Base32 format, and any person will be able to visit your site.
  5. Information about your eepSite needs to be entered into distributed address databases like stats.i2p. Visiting this site, you will quickly find a form for adding a new record. Here, you need to specify the domain name and local destination address (516 bytes in Base64). It is advised to add your site there as many users periodically update their local address books with the latest entries from this and similar sites. If the site is of some public interest, then it can be added to the ugha.i2p (a wiki with how-to guides) and to the main discussion forum - forum.i2p.
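
The Base64-to-Base32 conversion from step 2 (described in "I2P addresses"), together with a check of address-book entries against Base32 addresses you already trust, as an added example that is not the script the original post refers to. It assumes address-book lines of the form name=destination; `example.i2p`, the helper names and the sample destinations are constructed for illustration.

```python
import base64
import hashlib
import re

# I2P's Base64 alphabet uses '-' and '~' where standard Base64 uses '+' and '/'.
_I2P_B64 = re.compile(r"[A-Za-z0-9~-]+={0,2}")
MIN_DEST_LEN = 387  # 516 Base64 characters decode to 387 raw bytes


def destination_to_b32(dest_b64):
    """Base64 destination -> '<52 chars>.b32.i2p' (SHA-256, then Base32)."""
    dest_b64 = dest_b64.strip()
    if not _I2P_B64.fullmatch(dest_b64):
        raise ValueError("not an I2P Base64 string")
    raw = base64.b64decode(dest_b64, altchars=b"-~")
    if len(raw) < MIN_DEST_LEN:
        raise ValueError(f"destination too short: {len(raw)} bytes")
    digest = hashlib.sha256(raw).digest()
    return base64.b32encode(digest).decode("ascii").rstrip("=").lower() + ".b32.i2p"


def audit_address_book(lines, pinned):
    """Return the names whose address-book destination does not hash to the
    Base32 address pinned for them (pinned: name -> address you trust)."""
    mismatched = []
    for line in lines:
        name, sep, dest = line.strip().partition("=")
        expected = pinned.get(name)
        if not sep or expected is None:
            continue  # comment, blank line, or a name we hold no pin for
        try:
            actual = destination_to_b32(dest)
        except ValueError:
            actual = None  # a malformed destination counts as a mismatch
        if actual != expected:
            mismatched.append(name)
    return mismatched


def constructed_destination(seed):
    """Build a constructed (not real) 387-byte destination for the demo."""
    raw = bytes((seed + i) % 256 for i in range(384)) + b"\x00\x00\x00"
    return base64.b64encode(raw, altchars=b"-~").decode("ascii")


# Constructed sample: a synced address book serves a different key for one name.
GOOD, OTHER = constructed_destination(1), constructed_destination(2)
BOOK = ["# synced entries", f"ii7777ii.i2p={OTHER}", f"example.i2p={GOOD}"]
PINNED = {name: destination_to_b32(GOOD) for name in ("ii7777ii.i2p", "example.i2p")}
print(destination_to_b32(GOOD), audit_address_book(BOOK, PINNED))
```
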

So, you have just learned the basic steps for setting up a site that is extremely difficult to track and almost impossible to restrict access to. Your site does not have to be physically located on the local computer; it can be anywhere: on the local network or even on the Internet.

Surfing anonymously

Although the possibility of anonymous surfing is not the main feature of I2P, it is still possible. All you need to do is to register the proxy: To access Internet resources, special gateways (so-called outproxy) are used. However, there is a potential risk as someone may install a sniffer there and monitor all traffic. In short, I2P is not for 100% anonymous surfing. If you want to access the Internet through an anonymous and encrypted channel, use a combination of VPN, Tor, and secure browsers.

SSH servers

In addition to hosting web servers, I2P works well for many other services. Below are instructions on how to create an SSH tunnel, which can be useful at least in order to administer your eepSite.
  1. Let us start by creating a new tunnel using the familiar I2P admin panel. You need to indicate the address and port of your SSH server. Let us run it somewhere on our local network, for example, on a router - Next, the local destination address (that the admin panel generated) should be translated into an abbreviated Base32 form.
  2. It may seem that now all that remains is to specify the service ID in the SSH client (for example, PuTTY). But, wait, no. Other I2P users will not be able to access this service directly. You must use SOCKS. And for this, in turn, you should create a special tunnel. So, on the machine from which the connection will be made, you need to launch the I2P admin panel, go to the section for configuring tunnels, find the section "Client I2P tunnels," and create the SOCKS4, 4a, 5 tunnel. In fact, the only option you need to specify is the port. Let us take 5456.
  3. Now, open PuTTY, specify the identifier obtained in step one as the server. Go to the "Connection ... Proxy" settings, and in the "Proxy Name" field, you specify the address where you just created the SOCKS-tunnel - The DNS name lookup option must be set to Yes or Auto.
  4. All that remains is to connect to the server and make sure that SSH works fine over I2P. Thus, it is possible to host not only web servers, but many other daemons as well.

Is I2P safe?

A security-conscious reader may ask the question: "Can I2P provide 100% anonymity to the owner of an eepSite?" And the short answer is - No. Even though the core system is very well thought out, the services hosted on I2P can pose privacy and security risks. A simple example is a vulnerability in a web application. If an attacker manages to exploit it and execute commands, there is a high probability that the real IP address of the computer will be identified.

