Learn how to install i2pd, configure LibreWolf, host a private Nginx site, and navigate the invisible internet with step-by-step instructions.
Unlocking the Invisible Internet: How I2P Lets Me Browse Censorship-Resistant Sites
Published by Brav
Table of Contents
TL;DR
- I learned how to install i2pd on Debian 12 and connect LibreWolf to the i2p network.
- I set up a private Nginx site on the i2p network and registered a short, memorable address.
- I discovered that i2p is a fully decentralized network where every user is a node, making it more resilient than Tor.
- I got a hands-on view of i2p’s proxy settings, tunnel configuration, and the way it handles DNS for clearnet sites.
- I can now browse and host sites behind i2p without touching the public internet.
Why this matters
As someone who has been wrestling with browser bloat and privacy concerns, the idea of a “hidden” internet where you’re not just a client but a node feels like a game-changer. The interface of LibreWolf is stripped-down, which is great for speed but can feel confusing. Plus, most mainstream browsers won’t just “jump in” to i2p; you need to set up a proxy and a tunnel yourself. The lack of built-in search or browsing tools means you’re left with a kind of raw, open-ended playground that can be overwhelming. My goal was to turn that rawness into something useful: a place I could navigate and host my own site without the fear of being tracked.
Core concepts
I2P is a parallel darknet network similar to Tor (but built differently). The i2p — Official Site (2025) calls it a “fully encrypted private network layer” that hides both the server and the user. Unlike Tor’s central directory of relays, i2p relies on a peer-to-peer architecture where every user’s machine becomes a router. That is why i2p is said to be less susceptible to attacks: more nodes = less chance of a single point of failure. In practice, i2p uses a registrar to claim domain names (see the “reg.i2p” service in the web console) and relies on Base32 addresses that are long, random strings ending in .b32.i2p. The B32 spec can be found on the official spec page: i2p — Base32 Spec (2025). The network is “invisible” because all traffic stays within its own encrypted tunnels; it cannot reach the clearnet by default. To reach clearnet sites you need an outproxy, which is why you configure your browser to use 127.0.0.1:4444 for HTTP and 127.0.0.1:4445 for HTTPS. I discovered this while reading the browser configuration guide: i2p — Browser Config (2025).
I think i2p is more secure than Tor because of its peer-to-peer nature.
How to apply it
1. Install the packages
I’m on Debian 12, so the easiest route is to use the Debian repo:
sudo apt update
sudo apt -y install i2pd
The package page confirms this: Debian — i2pd Package (2025). After installation, the service is already set up to start with systemd. You can check the status with:
sudo systemctl status i2pd
The systemd unit is documented in the run guide: i2p — Run Guide (2025). You can restart it anytime with:
sudo systemctl restart i2pd
2. Verify the console
Open your web browser to http://127.0.0.1:7070. That’s the i2pd web console. I saw a status page that said “Uptime 1 minute 38 seconds”, which matched the fact list. The console is a handy way to see your tunnels, the router’s statistics, and the registrar.
3. Set up the proxy in LibreWolf
LibreWolf is a lightweight, privacy-focused fork of Firefox. I had to tweak its proxy settings because LibreWolf doesn’t ship with i2p support out of the box.
- Open the menu → Settings → General → Network Settings → Settings…
- Choose “Manual proxy configuration”.
- Set HTTP proxy to 127.0.0.1 and Port to 4444.
- Check SSL proxy with the same address and port.
- Ensure “Proxy DNS over HTTPS” is enabled.
The browser now forwards all traffic through the i2p daemon. You can confirm this by visiting the web console URL; the console will show the traffic coming from your browser.
4. Create an i2p site
I wanted a small, personal “blog” inside i2p, so I set up Nginx.
- Install Nginx if you haven’t already:
sudo apt -y install nginx
- Edit the tunnel config to forward HTTP traffic from 127.0.0.1:7676 to your local Nginx instance. In /etc/i2pd/tunnels.conf add:
[mysite-name] type = http
host = 127.0.0.1
port = 80
keys = mywebsite.dat
(You can generate the keys with i2p-keygen from the i2pd bundle.) The docs explain this format: i2p — Tunnel Config (2025). The HTTP tunnel type is used to serve a website over i2p.
- Restart i2pd so the new tunnel loads:
sudo systemctl reload i2pd
- Configure Nginx to listen on port 7676:
server {
listen 7676;
server_name _;
root /var/www/i2p;
index index.html;
}
Set proper permissions:
sudo chown -R www-data:www-data /var/www/i2p
- Put a simple index.html in /var/www/i2p:
<!DOCTYPE html>
<html>
<head><title>Welcome to my i2p site</title></head>
<body>
<p>Hello, I’m here on the Invisible Internet. <em>Bomb</em>!</p>
</body>
</html>
- Restart Nginx:
sudo systemctl restart nginx
Now your site is reachable through i2p. In the web console, look for the destination that looks like example.b32.i2p and copy it. You can register a vanity address via the registrar at reg.i2p (the “Register” tab). I used the short name “denshi.i2p”, which resolves to my long address.
5. Optional: Configure HTTPS
i2p traffic itself is already encrypted, but if you want TLS inside the tunnel, you can generate a self-signed cert for your local domain and configure Nginx to serve HTTPS on 127.0.0.1:8443. Then add a tunnel that forwards that port to i2p, just like the HTTP tunnel above.
Pitfalls & edge cases
| Parameter | Use Case | Limitation |
|---|---|---|
| Decentralization | Fully decentralized, every node is a router | Higher latency, slower bootstrap |
| Node participation | Every user is automatically a node | Requires bandwidth and resources |
| Network size | ~55k nodes worldwide | Limited compared to Tor’s large relay network |
| Typical ports | 4444 (HTTP proxy), 7070 (web console) | Port conflicts on some hosts |
| Limitation |
Open questions
- How to generate vanity B32 addresses more efficiently? The only official method is to use the registrar’s “Register” tab and brute-force a desired prefix. Some third-party tools claim to speed this up, but they still rely on the registrar’s API.
- What are the security implications of using i2p for illegal activities? i2p is built for anonymity and censorship resistance. It does not provide legal immunity; law-enforcement can still pursue other vectors (device compromise, metadata, etc.). The network’s peer-to-peer design reduces the risk of single-point failures but cannot make you invisible forever.
- How does i2p handle DNS resolution for clearnet sites via proxy? i2p’s outproxy forwards your DNS queries over the encrypted tunnel to a remote DNS server (by default exit.stormycloud.i2p). This means the DNS query itself is also hidden from eavesdroppers inside the network.
- What are the performance differences between i2p and Tor? i2p’s garlic routing can bundle multiple messages, which helps with throughput, but the network is smaller and sometimes more latency-prone. Tor’s onion routing is optimized for high-speed browsing but has a higher overhead per request.
- How can i2p be configured on Linux distributions other than Debian? The i2pd binary can be compiled from source or built from an AUR package on Arch Linux (i2pd). For Fedora, you can use the COPR repo. The commands are the same: install, enable the systemd unit, and edit /etc/i2pd/tunnels.conf.
- How does i2p’s peer-to-peer architecture resist attacks compared to Tor’s relay-based model? Because every node forwards traffic, an attacker would need to control a large proportion of nodes to perform a denial-of-service or traffic-analysis attack. Tor relies on directory authorities and exit nodes, making it more vulnerable to targeted attacks.
- What is the recommended method to enable HTTPS for an i2p site? Generate a self-signed cert, configure Nginx to listen on 127.0.0.1:8443, then create an i2p HTTP tunnel that forwards that port. Inside the i2p network, traffic remains encrypted; the HTTPS layer adds an extra layer of protection for data integrity and authentication.
Quick FAQ
Q: Can I use i2p to browse the regular internet? A: Only through an outproxy; by default, i2p can’t reach clearnet sites. The web console lets you configure one.
Q: Do I need a VPN to use i2p? A: No. i2p already encrypts and routes traffic internally; adding a VPN would just add unnecessary complexity.
Q: Is i2p safe for everyday use? A: It’s designed for privacy, but no system is 100 % safe. Use it as part of a broader privacy strategy.
Q: How do I keep my i2p site up-to-date? A: Keep i2pd and Nginx updated through your package manager and restart the services when necessary.
Q: Can I host multiple sites on i2p? A: Yes. Just create more tunnels in /etc/i2pd/tunnels.conf and point them to different local ports.
Conclusion
I’ve turned the invisible network into a living, breathing part of my digital life. The learning curve was steep, but the payoff—censorship-resistant browsing and the ability to host my own hidden site—was worth it. If you’re a privacy enthusiast, a developer, or just a curious hobbyist, i2p is a powerful tool. It’s not a silver bullet; it works best when combined with good security hygiene (regular updates, strong passwords, separate user accounts). For casual users who only want a quick, private browsing session, a dedicated i2p browser bundle on Windows or macOS is a simpler route. For Linux users who want full control, the step-by-step guide above will get you going.
Happy hacking on the invisible internet!
