README.md at main · distributed.camp/i2p-python

distributed.camp / i2p-python
fork atom
A Python port of the Invisible Internet Project (I2P)
fork atom
i2p-python / README.md
at main 249 lines 9.8 kB view raw view rendered
wrap content
bimo.studio feat: initial public release of i2p-python 7d ago
65a1e8dc
  1# I2P Python
  2
  3A complete, from-scratch Python implementation of the [I2P](https://geti2p.net)
  4anonymous network protocol. This is not a wrapper or binding — it is a full
  5reimplementation of the Java I2P router, capable of connecting to the live I2P
  6network.
  7
  8Built by [bimo.studio](https://bimo.studio).
  9
 10## Installation
 11
 12```bash
 13pip install i2p-python
 14```
 15
 16Or install individual components:
 17
 18```bash
 19pip install i2p-py-router      # Router only
 20pip install i2p-py-sam          # SAM bridge only
 21pip install i2p-crypto          # All crypto primitives
 22```
 23
 24### Requirements
 25
 26- Python 3.11 or later
 27- `cryptography` >= 41.0
 28
 29## Running the Router
 30
 31### Quick Start
 32
 33```bash
 34i2p-router
 35```
 36
 37This starts the router with default settings:
 38
 39| Setting | Default | Description |
 40|---------|---------|-------------|
 41| Listen host | `0.0.0.0` | Bind address for incoming connections |
 42| Listen port | `9700` | NTCP2 transport port (TCP) |
 43| Data directory | `~/.i2p-python` | Router identity and state |
 44| Tunnel count | 3 in / 3 out | Exploratory tunnel pool size |
 45| Tunnel length | 3 hops | Privacy level per tunnel |
 46| Bandwidth limit | Unlimited | Set `I2P_BANDWIDTH_LIMIT_KBPS` to cap |
 47
 48### Command-Line Options
 49
 50```bash
 51i2p-router --host 0.0.0.0 --port 9700 --data-dir ~/.i2p-python
 52i2p-router --log-level DEBUG          # Verbose logging
 53i2p-router --reseed                   # Force reseed on startup
 54```
 55
 56### Environment Variables
 57
 58Every setting can also be controlled via environment variables:
 59
 60```bash
 61export I2P_LISTEN_HOST=0.0.0.0
 62export I2P_LISTEN_PORT=9700
 63export I2P_DATA_DIR=~/.i2p-python
 64export I2P_INBOUND_TUNNEL_COUNT=3
 65export I2P_OUTBOUND_TUNNEL_COUNT=3
 66export I2P_TUNNEL_LENGTH=3
 67export I2P_TUNNEL_LIFETIME=600
 68export I2P_BANDWIDTH_LIMIT_KBPS=256
 69export I2P_FLOODFILL=false
 70export I2P_HANDSHAKE_TIMEOUT=30
 71export I2P_IDLE_TIMEOUT=300
 72```
 73
 74### Running the SAM Bridge
 75
 76The [SAM](https://geti2p.net/en/docs/api/samv3) bridge lets external
 77applications (e.g., I2P-enabled IRC clients, torrent clients) connect through
 78your router:
 79
 80```bash
 81i2p-sam                                # Default: 127.0.0.1:7656
 82i2p-sam --host 127.0.0.1 --port 7656   # Explicit
 83```
 84
 85## First-Run Bootstrap
 86
 87On first startup, the router must **bootstrap** into the I2P network:
 88
 891. **Identity generation** (~1 second) — creates Ed25519 signing keys and X25519
 90   NTCP2 transport keys, saved to `~/.i2p-python/router.keys.json`.
 912. **Reseed** (5-25 minutes) — downloads RouterInfo entries from reseed servers
 92   over HTTPS to populate the local NetDB. Triggers automatically when the NetDB
 93   has fewer than 50 entries. Downloads from at least 2 of 13 hardcoded reseed
 94   servers.
 953. **Peer connections** (~1-2 minutes) — connects to 5 initial peers via NTCP2,
 96   exchanging RouterInfo.
 974. **Tunnel building** (~1-2 minutes) — constructs 3 inbound and 3 outbound
 98   exploratory tunnels through the network.
 99
100**Expect 10-30 minutes before the router is fully integrated.** Subsequent
101startups are faster because the router identity is reused and the NetDB may
102retain entries from the previous run.
103
104You can monitor progress via log output at `--log-level INFO` or higher.
105
106## Known Issues and Operational Notes
107
108### Ports and Firewalls
109
110The router listens on **TCP port 9700** by default (NTCP2 transport). For the
111router to accept inbound connections from the I2P network:
112
113- **Port 9700/TCP must be reachable** from the internet (or at least from I2P
114  peers).
115- If your firewall blocks inbound TCP, the router will still function in
116  **outbound-only mode** — it can build tunnels and route traffic, but other
117  routers cannot initiate connections to you. This reduces your contribution to
118  the network and may slightly increase latency.
119- The SAM bridge (port 7656) should **not** be exposed to the internet — it is
120  a local API for applications on the same machine.
121
122### NAT Traversal
123
124If your router is behind a NAT (home router, cloud VPC, etc.):
125
126- **Port forwarding** is the most reliable option. Forward TCP 9700 from your
127  gateway to the machine running the I2P router.
128- **UPnP auto-configuration is not yet implemented** in this Python port. The
129  Java I2P router has UPnP support; this is planned for a future release.
130- **SSU2 (UDP transport) includes NAT detection infrastructure** (peer testing
131  and relay/introduction), but it is not yet integrated into the main router
132  bootstrap. Until SSU2 integration is complete, the router operates NTCP2-only.
133- If you cannot forward ports, the router will work but will be classified as
134  "firewalled" by the network. Other routers can still reach you through
135  existing tunnels, but you cannot participate as a relay.
136
137### Low-Memory and Residential Routers
138
139Running an I2P router on hardware with limited resources (e.g., Linksys,
140OpenWrt, Raspberry Pi, or small VPS instances) requires care:
141
142- **Connection count**: The router maintains up to **50 peer connections** by
143  default. Each connection holds state, buffers, and crypto context. On devices
144  with < 256 MB RAM, consider reducing tunnel counts to lower overall load.
145- **Tunnel overhead**: Each tunnel (default: 6 total, 3 hops each) requires
146  per-hop encryption state. Reducing `I2P_INBOUND_TUNNEL_COUNT` and
147  `I2P_OUTBOUND_TUNNEL_COUNT` to 1-2 lowers memory and CPU load.
148- **Residential NAT routers** (Linksys, Netgear, etc.) have limited connection
149  tracking tables (typically 4,096-16,384 entries). An I2P router with 50 peers,
150  each with multiple tunnels, can exhaust this table, causing the residential
151  router to drop connections for *all* devices on the network. **Symptoms**:
152  intermittent internet outages, DNS failures, smart home devices going offline.
153  **Mitigation**: set `I2P_BANDWIDTH_LIMIT_KBPS` to a conservative value (128-256)
154  and reduce tunnel counts, or run the I2P router behind a dedicated gateway.
155- **CPU**: Tunnel encryption uses AES-256-CBC and Ed25519 signatures. On
156  ARM-based devices (Pi 3/4), expect higher CPU usage than x86. Python's
157  `cryptography` library uses OpenSSL under the hood, which is reasonably
158  optimized, but Python's async overhead adds up.
159- **NetDB growth**: The in-memory NetDB grows as the router learns about peers.
160  A mature router may hold 1,000+ RouterInfo entries. Each is small (~256
161  bytes), but there is currently no eviction policy — the NetDB grows
162  monotonically until restart.
163
164### Bandwidth Limiting
165
166```bash
167export I2P_BANDWIDTH_LIMIT_KBPS=256   # Cap at 256 KB/s
168```
169
170Set this on metered connections or shared infrastructure. `0` (default) means
171unlimited.
172
173## Upgrading
174
175### Safe Upgrade Path
176
177```bash
178pip install --upgrade i2p-python
179```
180
181**Your configuration and identity are preserved.** The router stores its
182identity keys in `~/.i2p-python/router.keys.json` and this file is never
183modified by package upgrades. Your router will keep the same identity (and
184therefore the same network reputation) across upgrades.
185
186### What Can Break
187
188- **Major version bumps** (e.g., 0.x to 1.x) may change the config format or
189  data directory layout. Release notes will include migration instructions.
190- **Dependency updates** to `cryptography` are generally safe but may require
191  recompiling native extensions (`pip install --force-reinstall cryptography`).
192- **Do not delete `~/.i2p-python/`** unless you want to start fresh with a new
193  identity. Regenerating your identity means losing your reputation in the
194  network and going through the full bootstrap process again.
195
196### Rollback
197
198```bash
199pip install i2p-python==0.1.0
200```
201
202Pin to a known-good version if an upgrade causes issues.
203
204## Architecture
205
206I2P Python is split into 34 independent packages grouped into layers:
207
208| Layer | Packages | Description |
209|-------|----------|-------------|
210| **Crypto** | `i2p-py-crypto-*` (14 packages) | AES, ChaCha20, DSA, EdDSA, ElGamal, X25519, HKDF, HMAC, SipHash, SHA-256, ML-KEM, Noise, Garlic, Session Keys |
211| **Data** | `i2p-py-data-*` (4 packages) | Core types, I2NP messages, RouterInfo, remaining data structures |
212| **Transport** | `i2p-py-transport-*` (3 packages) | Base transport, NTCP2 (TCP), SSU2 (UDP) |
213| **Network** | `i2p-py-netdb`, `i2p-py-tunnel`, `i2p-py-peer`, `i2p-py-kademlia` | Network database, tunnel management, peer connections, DHT |
214| **Applications** | `i2p-py-router`, `i2p-py-sam`, `i2p-py-streaming`, `i2p-py-apps`, `i2p-py-client` | Router, SAM bridge, streaming lib, applications, client API |
215| **Utilities** | `i2p-py-util`, `i2p-py-stat`, `i2p-py-time`, `i2p-py-integration` | Shared utilities, statistics, clock sync, integration tests |
216
217Six **meta-packages** provide convenient dependency groups:
218
219```bash
220pip install i2p-python      # Everything — full router + SAM + all deps
221pip install i2p-crypto       # All 14 crypto packages
222pip install i2p-data         # All 4 data packages
223pip install i2p-transport    # All 3 transport packages
224pip install i2p-network      # NetDB + tunnel + peer + kademlia
225pip install i2p-utils        # Util + stat + time
226```
227
228## Protocol Compatibility
229
230This implementation follows the I2P protocol specifications:
231
232- **NTCP2** transport (Noise XK handshake + AES-CBC frame obfuscation)
233- **I2NP** message format (DatabaseStore, DatabaseLookup, TunnelData, etc.)
234- **Ed25519** router signing keys (SigType 7)
235- **X25519** NTCP2 transport keys
236- **ElGamal/AES+SessionTag** garlic encryption
237- **Kademlia-based** network database (NetDB / floodfill)
238- **SAM v3.0-3.3** bridge protocol
239
240Tested against live Java I2P peers (version 2.x). NTCP2 handshake
241interoperability confirmed.
242
243## License
244
245MIT License. Copyright (c) 2026 bimo.studio.
246
247This is an independent reimplementation. No code was copied from the original
248Java I2P project. The original Java I2P core (i2p.jar, router.jar, SAM,
249streaming) is public domain. See [LICENSE](LICENSE) for the full text.