Title: OpenBSD mirror over Tor / I2P
       Author: Solène
       Date: 25 May 2024
       Tags: privacy openbsd tor i2p
       Description: In this article, you will learn how to reach an OpenBSD
       mirror over Tor or I2P
       
       # Introduction
       
       For an upcoming privacy related article about OpenBSD I needed to set
       up access to an OpenBSD mirror from both a Tor hidden service and I2P.
       
       The server does not host any data itself: it only acts as a proxy that
       fetches files from a random existing OpenBSD mirror, so it does not
       waste bandwidth mirroring everything (the server does not have the
       storage for that anyway).  A small cache keeps the most requested files
       locally.
       
 (HTM) Wikipedia page about I2P protocol
 (HTM) Wikipedia page about Tor
       
       It is only useful if you cannot reach the OpenBSD mirrors, or if you
       really need to hide your network activity.  Tor or I2P will be much
       slower than connecting to a mirror over HTTP(S).
       
       However, now that they exist, let me explain how to start using them.
       
       # Tor
       
       Using a client with tor proxy enabled, you can reach the following
       address to download installers or sets.
       
 (HTM) OpenBSD onion mirror over Tor
       
       If you want to install or update your packages over Tor, you can put
       the onion address in `/etc/installurl`. However, this will not work for
       sysupgrade and syspatch, and you need to export the variable
       `FETCH_CMD="/usr/local/bin/curl -L -s -q -N -x
       socks5h://127.0.0.1:9050"` in your environment so that the `pkg_*`
       programs can use the mirror.
       
       To make sysupgrade or syspatch able to use the onion address, you need
       to have the program `torsocks` installed, and patch each script to
       call torsocks:
       
       * `sed -i 's,ftp -N,/usr/local/bin/torsocks &,' /usr/sbin/sysupgrade`
       for sysupgrade
       * `sed -i 's,ftp -N,/usr/local/bin/torsocks &,' /usr/sbin/syspatch` for
       syspatch
       
       These patches will have to be reapplied after each sysupgrade run.
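The two sed commands above, wrapped in an idempotent form so they can be re-run safely after every sysupgrade. This is an added example, not the article's own script; the function names are my own, and it only touches the real `/usr/sbin` scripts when run as root on OpenBSD.

```shell
# Added example: patch OpenBSD's sysupgrade/syspatch to call ftp through torsocks,
# exactly as the article's sed does, but only once per file and preserving the
# script's mode and owner. Function names are assumptions, not OpenBSD's.

# Return 0 if FILE already routes its "ftp -N" call through torsocks.
is_torsocks_patched() {
    grep -q '/usr/local/bin/torsocks ftp -N' "$1"
}

# Rewrite "ftp -N" as "/usr/local/bin/torsocks ftp -N" in FILE, once.
# Writing through cat (instead of renaming a temp file) keeps mode/owner.
patch_torsocks() {
    file=$1
    [ -f "$file" ] || { echo "no such file: $file" >&2; return 1; }
    if is_torsocks_patched "$file"; then
        echo "already patched: $file"
        return 0
    fi
    grep -q 'ftp -N' "$file" || { echo "no 'ftp -N' in $file" >&2; return 1; }
    tmp=$(mktemp) || return 1
    sed 's,ftp -N,/usr/local/bin/torsocks &,' "$file" > "$tmp" \
        && cat "$tmp" > "$file"
    rc=$?
    rm -f "$tmp"
    return $rc
}

# Apply to the two scripts named in the article, but only as root on OpenBSD;
# sysupgrade replaces /usr/sbin/sysupgrade, so re-run this after each upgrade.
if [ "$(uname -s)" = OpenBSD ] && [ "$(id -u)" -eq 0 ]; then
    command -v torsocks >/dev/null || { echo "install torsocks first" >&2; exit 1; }
    for f in /usr/sbin/sysupgrade /usr/sbin/syspatch; do
        patch_torsocks "$f"
    done
fi
```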
       
       # I2P
       
       If you have a client with i2p proxy enabled, you can reach the
       following address to download installers or sets.
       
 (HTM) OpenBSD mirror address over I2P
       
       If you want to install or update your packages over I2P, install i2pd
       with `pkg_add i2pd` and edit the file `/etc/i2pd/i2pd.conf` to set
       `notransit = true`, unless you want to act as an I2P relay (high
       CPU/bandwidth consumption).
       
       Replace the file `/etc/i2pd/tunnels.conf` by the following content (or
       adapt your current tunnels.conf if you configured it earlier):
       
       ```
       [MIRROR]
       type = client
       address = 127.0.0.1
       port = 8080
       destination = 2st32tfsqjnvnmnmy3e5o5y5hphtgt4b2letuebyv75ohn2w5umq.b32.i2p
       destinationport = 8081
       keys = mirror.dat
       ```
       
       Now, enable and start i2pd with `rcctl enable i2pd && rcctl start
       i2pd`.
       
       After a few minutes, once i2pd has established tunnels, you should be
       able to browse the mirror over I2P using the address
       `http://127.0.0.1:8080/`.  You can change port 8080 to another one you
       prefer by modifying the file `tunnels.conf`.
       
       You can use the address `http://127.0.0.1:8080/pub/OpenBSD/` in
       `/etc/installurl` to automatically use the I2P mirror for
       installing/updating packages, or keeping your system up to date with
       syspatch/sysupgrade.
       
       Note: from experience the I2P mirror works fine to install packages,
       but did not play well with fw_update, syspatch and sysupgrade, maybe
       because they use the ftp command, which seems to drop the connection
       easily.  Downloading the files locally using a proper HTTP client
       supporting transfer resume would be better.  On the other hand, this
       issue may be related to the current attack the I2P network is facing
       as of the time of writing (May 2024).
       
       # Firmware mirror
       
       OpenBSD pulls firmware from a different server than the regular
       mirrors: the address is `http://firmware.openbsd.org/firmware/`.  The
       files on this server are signed packages; they can be installed using
       `fw_update $file`.
       
       Both the I2P and Tor hidden service hostnames can be reused; you only
       have to replace `/pub/OpenBSD/` with `/firmware/` to browse the files.
       
       The proxy server does not cache any firmware; it proxies directly to
       the genuine firmware web server.  The firmware files are kept on a
       separate server for legal reasons, as it seems to be a grey area.
       
       ## Disable firmware.openbsd.org
       
       For maximum privacy, you need to neutralize the `firmware.openbsd.org`
       DNS lookup using a hosts entry.  This is important because `fw_update`
       is run automatically after a system upgrade (as of 2024).
       
       In `/etc/hosts` add the line:
       
       ```
       127.0.0.9 firmware.openbsd.org
       ```
       
       The IP in the snippet above is not a mistake: it prevents fw_update
       from trying to connect to a local web server, if you run one.
       
       ## Tor access
       
       If you use Tor, patching `fw_update` to use torsocks is complicated;
       the best method is to download the firmware manually.
       
 (HTM) Firmware onion address
       
       ## I2P access
       
       If you use I2P, you can reuse the tunnel configuration described in the
       I2P section, and pass the full URL to `fw_update`:
       
       ```shell
       # release users
       fw_update -p http://127.0.0.1:8080/firmware/$(uname -r)/
       
       # snapshot users
       fw_update -p http://127.0.0.1:8080/firmware/snapshots/
       ```
       
       Or you can browse the I2P URL with an HTTP client using the I2P proxy
       to download the firmware manually.
       
 (HTM) Firmware i2p address
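The release/snapshot split above is easy to get wrong, because `uname -r` prints the same version string on a snapshot as on the release. Here is an added helper (my own, not from the article or from OpenBSD) that derives the right `fw_update -p` directory from `kern.version` instead; it assumes the second word of `sysctl -n kern.version` ends in `-current` or `-beta` on snapshots (e.g. `OpenBSD 7.5-current (GENERIC.MP) ...`).

```shell
# Added example: choose the firmware directory on the I2P tunnel from
# kern.version rather than uname -r. Function name and the -current/-beta
# convention are assumptions documented in the lead-in.

# Usage: firmware_url BASE KERN_VERSION -> prints the directory URL for -p
firmware_url() {
    base=${1%/}               # strip one trailing slash so we never emit "//"
    set -- $2                 # split kern.version on whitespace (intended)
    ver=$2                    # second word: "7.5" or "7.5-current" etc.
    case $ver in
        *-current|*-beta) echo "$base/firmware/snapshots/" ;;
        [0-9]*.[0-9]*)    echo "$base/firmware/${ver%%-*}/" ;;
        *) echo "unrecognised kern.version: '$2'" >&2; return 1 ;;
    esac
}

# Only call fw_update on OpenBSD; elsewhere just show the URL for a
# constructed sample version string.
if [ "$(uname -s)" = OpenBSD ]; then
    url=$(firmware_url http://127.0.0.1:8080 "$(sysctl -n kern.version)") \
        && fw_update -p "$url"
else
    firmware_url http://127.0.0.1:8080 \
        "OpenBSD 7.5-current (GENERIC.MP) #1: constructed sample"
fi
```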
       
       # Conclusion
       
       There was no way to download OpenBSD files over Tor and I2P for people
       who really need it; now there is.
       
       If you encounter issues with the service, please let me know.