The Tin Hat

I2P Bootstrap | Automatically Generate I2P Routers

Category: darknets
A 2 Minute Read

Support The Tin Hat on Patreon! Just one dollar makes all the difference in helping me write more content!

Setting up high-bandwidth I2P routers through a command line can be tricky for new users. It's not an environment most people put themselves in very often. That's why I've written a guide on how to set up a I2P router. But for new users who don't want to tediously tinker in a command line, or for experienced users who just want to throw up a router quickly, I've created a script which does it for you. I was inspired by Micah's Tor Relay Bootstrap Script and decided to whip up my own for I2P. KillYourTV (killyourtv.i2p) helped a lot in editing and drastically improving my original script, so a major thank-you should go out to him. I'll also say that I could have just forked Micah's script, and probably should have as his Tor bootstrap is fantastic, but I wanted to learn some Bash so that's why I started from scratch.

This script was tested on a fresh Digital Ocean Debian Wheezy server and worked perfectly. If you plan on using this on an existing server, definitely read through the script and understand the changes that will be made, as it will adjust your SSH settings as well as your firewall rules, among other things. Lastly, don't blame me if this somehow borks your machine, as it's meant to go on a fresh Debian 7 server. You will also need to create a separate user with sudo privileges before running this script, or you'll be locked out of the machine (it disables root login).

To use it just SSH into your server, then either copy and paste the script into a new text file, or use wget to download it:


Then execute it:


You can also visit the project page on Github



# This isn't strictly necessary, but wth.
wait_until() {
local timeout check_expr delay timeout_at
timeout_at=$(expr $(date +%s) + ${timeout})
until eval "${check_expr}"; do
if [ "$(date +%s)" -ge "${timeout_at}" ]; then
return 1
sleep ${delay}
return 0

#Check Root
if [ `id -u ` -ne 0 ]; then
echo "This script must be run as root" >&2
exit 1

echo "Warning: Ensure that a separate user account has been created already.">&2
echo "This account CANNOT be called i2psvc. This script will disable logging in">&2
echo "as the root user via ssh. Without another user, you will be locked out">&2
echo "of this machine.">&2
echo "Ensure that either the root password or sudo have been configured">&2
echo "Any errors, downtime, or other generally negative outcome is your">&2
echo "own responsibility.">&2
echo "The following changes will be made:">&2
echo "--Add the I2P Repositories">&2
echo "--Update the system's packages">&2
echo "--Install I2P, Fail2ban, UFW, Lynx">&2
echo "--Change the SSH port to 2121">&2
echo "--Disable Root Login">&2
echo "--Configure I2P to automatically start at boot">&2
echo "--Start I2P">&2
echo "--Configure Firewall to Only Allow I2P and SSH">&2
echo "--Enable Fail2ban and SSH">&2
echo -n "Are you sure you wish to continue? (y/n) "
read ans
case $ans in
# The user /probably/ wants to continue...
exit 0

#Edit Repos, Update System
cat > /etc/apt/sources.list.d/i2p.list << EOF
deb stable main
#deb-src stable main

# Add the I2P repo key if apt doesn't know about it yet
if ! apt-key fingerprint | fgrep -q "7840 E761 0F28 B904 7535 49D7 67EC E560 5BCF 1346" > /dev/null 2>&1; then
if wget --quiet -O $TMPFILE; then
apt-key add $TMPFILE
rm -f $TMPFILE
# Since fetching with wget failed, let's try getting it from a keyserver
apt-key adv --keyserver hkp:// --recv-key 0x67ECE5605BCF1346

apt-get update
# preseed debconf to set I2P to start at boot
echo "i2p i2p/daemon boolean true" | debconf-set-selections

# The 'i2psvc' user is created by the 'i2p' package and is set
# to start I2P by default. You can set another user here but you
# must ensure that it exists, e.g.
#if ! getent passwd i2p; then
# adduser --system --quiet --group --home /home/i2p i2p > /dev/null 2>&1
echo "i2p i2p/user string i2psvc" | debconf-set-selections
apt-get --yes upgrade
apt-get --yes install fail2ban ufw i2p i2p-keyring lynx

#Configure SSH
if [ -e /etc/ssh/sshd_config.backup ]; then
echo "SSH already configured during a previous run."
sed -i.backup -e 's/^\(Port\).*/\1 2121/;s/^\(PermitRootLogin\).*/\1 no/' /etc/ssh/sshd_config

# If we end up here, I2P should be installed, running, and configured to start at boot.
# ..but let's make sure.
if service i2p status > /dev/null 2>&1; then :; else
# Since we're here, I2P was not running. We'll make sure the initscript is enabled,
# then start I2P
sed -i.bak -e 's/^.*\(RUN_DAEMON\).*/\1="true"/' /etc/default/i2p
service i2p start

# Get the configured user from the debconf db
I2PUSER=$(debconf-show i2p |sed -e '/i2p\/user/!d' -e 's/.*:\s\+//')

if [ $I2PUSER != 'i2psvc' ]; then
I2PHOME=$(getent passwd $I2PUSER | awk -F: '{print $6}')

#Check to ensure config file has generated before setting firewall rules
# Wait up to 10 seconds for router.config to be created.
wait_until 10 "test -e /var/lib/i2p/i2p-config/router.config"
i2pport=$(awk -F= '/i2np\.udp\.port/{print $2}' $I2PHOME/router.config)

if [ x$i2pport = 'x' ]; then
echo "Error determining I2P's UDP port" >&2
exit 1
echo "The I2P port is $i2pport"

#Set firewall rules to allow SSH and I2P
ufw default deny
ufw allow 2121
ufw allow $i2pport

#Reload Fail2ban and SSH
cp /etc/fail2ban/jail.conf /etc/fail2ban/jail.local
/etc/init.d/fail2ban restart
/etc/init.d/ssh reload

#Enable Firewall
echo 'Done! The firewall is about to be activated. The next time that you' >&2
echo 'connect via ssh, you will need to use port 2121 on a non-root user.' >&2
sleep 5
ufw enable

#Open Lynx For Bandwidth Configuration
echo "Lynx will open so that I2P's bandwidth settings can be configured." >&2
echo '(385KBps will be about 1TB per month)' >&2
echo -n "Press y when ready: "
read ans
case $ans in
lynx -accept_all_cookies
exit 0

I personally use NordVPN and Digital Ocean.
Show some love by signing up using my affiliate links:
Or support me directly on Patreon

Help Me Out: Share, Follow, & Comment

Latest Posts

What is Device Fingerprinting?

Learn what browser fingerprinting is and how it canb e used to track you online.

How To Torrent Privately & Anonymously For Free

Learn the pros and cons of using a VPN to torrent, as well as how to use I2P to anonymously torrent for free!

VPN Drop Protection Using Simple Linux Firewall Rules

Learn how to protect against your VPN dropping using these simply Linux firewall rules

Ledger Nano S Review | Why You Need a Bitcoin Hardware Wallet

A review of the Ledger Nano S, and an explanation of why hardware wallets just make life better when using Bitcoin

What is Two Factor Authentication (2FA) And Why Use It?

What 2FA is, why you should use it, and why we need FIDO U2F.

Support The Tin Hat on Patreon!

The Tin Hat now has a few more ways to support the site.

What is a hash?

A simple explanation of what hashing is, and how hashes are used.

Trump's Toolbox | Future Attribute Screening Technology

FAST is a program that attempts to wirelessly detect whether youre a terrorist, and its in Trump's back pocket.

uBlock Origin, The Best AdBlock Alternative

For AdBlock (Plus) alternatives, look no further than uBlock Origin. This tutorial explains why, and how, you should use it.

I2P Browser Setup Tutorial | Using The Tor Browser For I2P

Learn how to browse I2P using the Tor Browser with this short guide

Privacy On Android | 2017 Android Privacy Guide

A tutorial on how to build privacy on your Android device. Learn what you need to do to stay safe and secure.

New I2P Portal For TheTinHat

TheTinHat has moved to a new server, with a new I2P hidden service to accompany it.

Rebranding 'The Dark Net'

Disassociating decentralized networks with the term 'darknets'.

In Defense of Browser-Based Email Encryption

Why I've reversed my opinion on Protonmail and Tutanota

Privacy Focused Blog Platform

A rundown of the tools I use to power my blog, hidden services.

A Lighter-weight Firefox

How I've set up a lightweight, yet still private browser.