Hello all,
Attached to this email is a patch that includes one fix and several
improvements for the net/i2pd port.

IMHO, the changes you are proposing are mostly a matter of personal preference.
I see no sufficient reason to deviate from upstream configuration choices,
which are kind of the default way of configuring i2pd, and also what most
users are expecting.

I believe there is a reason to deviate from the default configuration,
which is why I changed the port and sent a patch to the mailing list.
Similar ports in the tree, such as net/tor, also modify the default
configuration.
https://cvsweb.openbsd.org/cgi-bin/cvsweb/~checkout~/ports/net/tor/patches/patch-src_config_torrc_sample_in

First, the patch addresses an issue related to log handling. By default,
i2pd uses a separate log file located at /var/log/i2pd/i2pd.log.
However, this file is not rotated by newsyslog(8), causing it to grow
without bounds. The proposed solution is to configure i2pd to write its
logs to /var/log/daemon by updating the i2pd.conf configuration file.

I personally like to have a separate log file for i2pd, and not mix its output
with other things. That's a matter of taste, and anyway log rotation can be
configured in /etc/newsyslog.conf.

Although log file rotation can be configured for the i2pd log file, it
is not configured by default. This causes the file to grow unbounded,
and users who are unaware of this issue may one day find out that their
/var partition is full, as happened to me. At the very least, add a note
to the README for the port to make users aware of this issue.

Second, the directory used to store port-related files changes from
/var/lib/i2pd to /var/i2pd, which better aligns with the OpenBSD style.
To accomplish this change, the patch updates the PLIST, the RC script,
and the i2pd.conf configuration file.

It is true that /var/i2pd would "better align with the OpenBSD style", but
apart from that stylistic issue, what's wrong with /var/lib/i2pd? Using this directory
does not prevent i2pd from running fine on OpenBSD, and it is referenced by all guides
and tutorials on i2pd, so changing it could confuse new users. I don't think it would be
worth introducing a lot of changes in the PLIST, rc script and default config file.

If anyone has any problems, they can consult the port tree to see how
the net/i2pd port works. Things are usually different in OpenBSD than in
Linux, which makes OpenBSD less convenient to use. However, convenience
is not the focus of this operating system.

Finally, the i2pd.conf and tunnels.conf configuration files are adjusted
to improve security and usability. Specifically, the web interface and
the default IRC tunnel are disabled, log verbosity is reduced, and
additional address book sources for I2P aliases are configured.

That's also a matter of personal choice. I personally use the web interface,
which is a very convenient way to interact with your daemon, and I guess that a
lot of users are also expecting it to work. Security-wise, it's not too bad as
long as you don't expose it publicly on the internet. If you don't like it,
you're free to disable it in the configuration file.

Of course, it's terrible in terms of security. The web configuration
interface doesn't have a password by default, so any user on the system
can perform actions on the daemon, such as shutting it down and
deanonymizing you. It's another ticking time bomb, just like the
separate configuration file. If I had permissions in the repository, I
would remove the port right now for this reason alone.

The same applies for the IRC tunnel, log verbosity, etc. I guess most i2pd
users are editing i2pd.conf and tunnels.conf anyway.
I don't use the IRC tunnel either, but I've always seen this configuration
snippet as an example provided by the developers to demonstrate how to
configure tunnels.

If you had checked my patch, you would have seen that the configuration
was not removed. I only commented it out to prevent you from having an
unnecessary open door to the network on your system that could be used
for malicious purposes. If an attacker knows you're using i2pd, they
will also know that this port is open locally.

I look forward to any feedback or suggestions.

At the end of the day, I think that porters should not set their personal
configuration preferences as the default for all users; we should stick to
upstream's choices as long as they're working under OpenBSD and don't introduce
unnecessary risks. Moreover, i2pd's configuration is documented and the users
can decide for themselves what's good for their use case.

It's like pouring oil on the floor at the entrance to a building and
expecting people to clean it up if they don't want to slip.

Best regards,
David.

By the way, in my last patch, I forgot to use the LOCALSTATEDIR macro in
the certdir variable of the RC script. I am attaching the corrected
patch to this email.

Index: net/i2pd/patches/patch-contrib_i2pd_conf
===================================================================
RCS file: net/i2pd/patches/patch-contrib_i2pd_conf
diff -N net/i2pd/patches/patch-contrib_i2pd_conf
--- /dev/null 1 Jan 1970 00:00:00 -0000
+++ net/i2pd/patches/patch-contrib_i2pd_conf 7 Jan 2026 14:55:16 -0000
@@ -0,0 +1,68 @@
+Index: contrib/i2pd.conf
+--- contrib/i2pd.conf.orig
++++ contrib/i2pd.conf
+@@ -8,16 +8,16 @@
+
+ ## Tunnels config file
+ ## Default: ~/.i2pd/tunnels.conf or /var/lib/i2pd/tunnels.conf
+-# tunconf = /var/lib/i2pd/tunnels.conf
++tunconf = /etc/i2pd/tunnels.conf
+
+ ## Tunnels config files path
+ ## Use that path to store separated tunnels in different config files.
+ ## Default: ~/.i2pd/tunnels.d or /var/lib/i2pd/tunnels.d
+-# tunnelsdir = /var/lib/i2pd/tunnels.d
++tunnelsdir = /etc/i2pd/tunnels.d
+
+ ## Path to certificates used for verifying .su3, families
+ ## Default: ~/.i2pd/certificates or /var/lib/i2pd/certificates
+-# certsdir = /var/lib/i2pd/certificates
++certsdir = /var/i2pd/certificates
+
+ ## Where to write pidfile (default: /run/i2pd.pid, not used in Windows)
+ # pidfile = /run/i2pd.pid
+@@ -30,12 +30,12 @@
+ ## * stdout - print log entries to stdout
+ ## * file - log entries to a file
+ ## * syslog - use syslog, see man 3 syslog
+-# log = file
++log = syslog
+ ## Path to logfile (default: autodetect)
+ # logfile = /var/log/i2pd/i2pd.log
+ ## Log messages above this level (debug, info, *warn, error, critical, none)
+ ## If you set it to none, logging will be disabled
+-# loglevel = warn
++loglevel = error
+ ## Write full CLF-formatted date and time to log (default: write only time)
+ # logclftime = true
+
+@@ -118,7 +118,7 @@
+ [http]
+ ## Web Console settings
+ ## Enable the Web Console (default: true)
+-# enabled = true
++enabled = false
+ ## Address and port service will listen on (default: 127.0.0.1:7070)
+ # address = 127.0.0.1
+ # port = 7070
+@@ -149,7 +149,7 @@
+ ## because anyone could spoof the short domain via addresshelper and forward other users to phishing links
+ # addresshelper = true
+ ## Address of a proxy server inside I2P, which is used to visit regular Internet
+-# outproxy = http://false.i2p
++# outproxy = http://5d4s7pcvfdpftfk7npc7hllyujhufsdprtrf4o53i44rgsa2xbwa.b32.i2p
+ ## httpproxy section also accepts I2CP parameters, like "inbound.length" etc.
+
+ [socksproxy]
+@@ -241,9 +241,9 @@
+ [addressbook]
+ ## AddressBook subscription URL for initial setup
+ ## Default: reg.i2p at "mainline" I2P Network
+-# defaulturl = http://shx5vqsw7usdaunyzr2qmes2fq37oumybpudrd4jjj4e4vk4uusa.b32.i2p/hosts.txt
++defaulturl = http://shx5vqsw7usdaunyzr2qmes2fq37oumybpudrd4jjj4e4vk4uusa.b32.i2p/export/hosts-all.txt
+ ## Optional subscriptions URLs, separated by comma
+-# subscriptions = http://reg.i2p/hosts.txt,http://identiguy.i2p/hosts.txt,http://stats.i2p/cgi-bin/newhosts.txt
++subscriptions = http://notbob.i2p/hosts-all.txt,http://identiguy.i2p/hosts.txt,http://stats.i2p/cgi-bin/newhosts.txt
+
+ [limits]
+ ## Maximum active transit sessions (default: 10000)
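Review bot: In the [addressbook] part (inner hunk @@ -241), the new subscriptions value drops http://reg.i2p/hosts.txt and puts http://notbob.i2p/hosts-all.txt in its place, and both defaulturl and subscriptions go from commented examples to active settings, which is more than the "additional address book sources" the cover text describes. If the intent is to add sources, keep the upstream entries and append the new one, and say in the commit message why each host list should be used by default. The outproxy example at inner hunk @@ -149 is also replaced with a b32 address although the line stays commented out and the cover text does not mention it; either leave it as upstream has it or explain the change.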
Index: net/i2pd/patches/patch-contrib_tunnels_conf
===================================================================
RCS file: net/i2pd/patches/patch-contrib_tunnels_conf
diff -N net/i2pd/patches/patch-contrib_tunnels_conf
--- /dev/null 1 Jan 1970 00:00:00 -0000
+++ net/i2pd/patches/patch-contrib_tunnels_conf 7 Jan 2026 14:55:16 -0000
@@ -0,0 +1,23 @@
+Index: contrib/tunnels.conf
+--- contrib/tunnels.conf.orig
++++ contrib/tunnels.conf
+@@ -1,11 +1,11 @@
+-[IRC-ILITA]
+-type = client
+-address = 127.0.0.1
+-port = 6668
+-destination = irc.ilita.i2p
+-destinationport = 6667
+-keys = irc-keys.dat
+-i2p.streaming.profile=2
++#[IRC-ILITA]
++#type = client
++#address = 127.0.0.1
++#port = 6668
++#destination = irc.ilita.i2p
++#destinationport = 6667
++#keys = irc-keys.dat
++#i2p.streaming.profile=2
+
+ #[IRC-IRC2P]
+ #type = client
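Review bot: The [IRC-ILITA] section at the top of tunnels.conf is commented out with no explanation, so the installed file gives no hint that this differs from upstream or how to turn the tunnel back on. Add a short comment above "#[IRC-ILITA]" saying the port disables this client tunnel by default so that no listener on 127.0.0.1:6668 is opened, and that uncommenting the section re-enables it.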
Index: net/i2pd/pkg/PLIST
===================================================================
RCS file: /cvs/ports/net/i2pd/pkg/PLIST,v
diff -u -p -u -p -r1.17 PLIST
--- net/i2pd/pkg/PLIST 12 Nov 2025 02:13:09 -0000 1.17
+++ net/i2pd/pkg/PLIST 7 Jan 2026 14:55:16 -0000
@@ -1,5 +1,5 @@
@newgroup _i2pd:838
-@newuser _i2pd:838:838::i2pd account:${LOCALSTATEDIR}/lib/i2pd:/sbin/nologin
+@newuser _i2pd:838:838::i2pd account:${LOCALSTATEDIR}/i2pd:/sbin/nologin
@rcscript ${RCDIR}/i2pd
@bin bin/i2pd
include/i2pd/
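Review bot: The @newuser line moves the _i2pd home from ${LOCALSTATEDIR}/lib/i2pd to ${LOCALSTATEDIR}/i2pd, but nothing in the patch covers systems where the account and the old directory already exist. Please state what happens on upgrade for an existing _i2pd user whose home is still the old path, and add a README or upgrade note telling users to move the contents of the old data directory, since the --datadir in i2pd.rc changes at the same time.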
@@ -72,11 +72,11 @@ include/i2pd/version.h
@owner _i2pd
@group _i2pd
@sample ${SYSCONFDIR}/i2pd/
-@sample ${LOCALSTATEDIR}/lib/i2pd/
-@sample ${LOCALSTATEDIR}/lib/i2pd/certificates/
-@sample ${LOCALSTATEDIR}/lib/i2pd/certificates/family/
-@sample ${LOCALSTATEDIR}/lib/i2pd/certificates/reseed/
-@sample ${LOCALSTATEDIR}/lib/i2pd/certificates/router/
+@sample ${LOCALSTATEDIR}/i2pd/
+@sample ${LOCALSTATEDIR}/i2pd/certificates/
+@sample ${LOCALSTATEDIR}/i2pd/certificates/family/
+@sample ${LOCALSTATEDIR}/i2pd/certificates/reseed/
+@sample ${LOCALSTATEDIR}/i2pd/certificates/router/
@owner
@group
@static-lib lib/libi2pdlang.a
@@ -87,37 +87,37 @@ share/examples/i2pd/certificates/family/
share/examples/i2pd/certificates/family/gostcoin.crt
@owner _i2pd
@group _i2pd
-@sample ${LOCALSTATEDIR}/lib/i2pd/certificates/family/gostcoin.crt
+@sample ${LOCALSTATEDIR}/i2pd/certificates/family/gostcoin.crt
@owner
@group
share/examples/i2pd/certificates/family/i2p-dev.crt
@owner _i2pd
@group _i2pd
-@sample ${LOCALSTATEDIR}/lib/i2pd/certificates/family/i2p-dev.crt
+@sample ${LOCALSTATEDIR}/i2pd/certificates/family/i2p-dev.crt
@owner
@group
share/examples/i2pd/certificates/family/i2pd-dev.crt
@owner _i2pd
@group _i2pd
-@sample ${LOCALSTATEDIR}/lib/i2pd/certificates/family/i2pd-dev.crt
+@sample ${LOCALSTATEDIR}/i2pd/certificates/family/i2pd-dev.crt
@owner
@group
share/examples/i2pd/certificates/family/mca2-i2p.crt
@owner _i2pd
@group _i2pd
-@sample ${LOCALSTATEDIR}/lib/i2pd/certificates/family/mca2-i2p.crt
+@sample ${LOCALSTATEDIR}/i2pd/certificates/family/mca2-i2p.crt
@owner
@group
share/examples/i2pd/certificates/family/stormycloud.crt
@owner _i2pd
@group _i2pd
-@sample ${LOCALSTATEDIR}/lib/i2pd/certificates/family/stormycloud.crt
+@sample ${LOCALSTATEDIR}/i2pd/certificates/family/stormycloud.crt
@owner
@group
share/examples/i2pd/certificates/family/volatile.crt
@owner _i2pd
@group _i2pd
-@sample ${LOCALSTATEDIR}/lib/i2pd/certificates/family/volatile.crt
+@sample ${LOCALSTATEDIR}/i2pd/certificates/family/volatile.crt
@owner
@group
share/examples/i2pd/certificates/reseed/
@@ -129,73 +129,73 @@ share/examples/i2pd/certificates/reseed/
share/examples/i2pd/certificates/reseed/acetone_at_mail.i2p.crt
@owner _i2pd
@group _i2pd
-@sample ${LOCALSTATEDIR}/lib/i2pd/certificates/reseed/acetone_at_mail.i2p.crt
+@sample ${LOCALSTATEDIR}/i2pd/certificates/reseed/acetone_at_mail.i2p.crt
@owner
@group
share/examples/i2pd/certificates/reseed/admin_at_stormycloud.org.crt
@owner _i2pd
@group _i2pd
-@sample ${LOCALSTATEDIR}/lib/i2pd/certificates/reseed/admin_at_stormycloud.org.crt
+@sample ${LOCALSTATEDIR}/i2pd/certificates/reseed/admin_at_stormycloud.org.crt
@owner
@group
share/examples/i2pd/certificates/reseed/creativecowpat_at_mail.i2p.crt
@owner _i2pd
@group _i2pd
-@sample ${LOCALSTATEDIR}/lib/i2pd/certificates/reseed/creativecowpat_at_mail.i2p.crt
+@sample ${LOCALSTATEDIR}/i2pd/certificates/reseed/creativecowpat_at_mail.i2p.crt
@owner
@group
share/examples/i2pd/certificates/reseed/echelon3_at_mail.i2p.crt
@owner _i2pd
@group _i2pd
-@sample ${LOCALSTATEDIR}/lib/i2pd/certificates/reseed/echelon3_at_mail.i2p.crt
+@sample ${LOCALSTATEDIR}/i2pd/certificates/reseed/echelon3_at_mail.i2p.crt
@owner
@group
share/examples/i2pd/certificates/reseed/hankhill19580_at_gmail.com.crt
@owner _i2pd
@group _i2pd
-@sample ${LOCALSTATEDIR}/lib/i2pd/certificates/reseed/hankhill19580_at_gmail.com.crt
+@sample ${LOCALSTATEDIR}/i2pd/certificates/reseed/hankhill19580_at_gmail.com.crt
@owner
@group
share/examples/i2pd/certificates/reseed/i2p-reseed_at_mk16.de.crt
@owner _i2pd
@group _i2pd
-@sample ${LOCALSTATEDIR}/lib/i2pd/certificates/reseed/i2p-reseed_at_mk16.de.crt
+@sample ${LOCALSTATEDIR}/i2pd/certificates/reseed/i2p-reseed_at_mk16.de.crt
@owner
@group
share/examples/i2pd/certificates/reseed/igor_at_novg.net.crt
@owner _i2pd
@group _i2pd
-@sample ${LOCALSTATEDIR}/lib/i2pd/certificates/reseed/igor_at_novg.net.crt
+@sample ${LOCALSTATEDIR}/i2pd/certificates/reseed/igor_at_novg.net.crt
@owner
@group
share/examples/i2pd/certificates/reseed/lazygravy_at_mail.i2p.crt
@owner _i2pd
@group _i2pd
-@sample ${LOCALSTATEDIR}/lib/i2pd/certificates/reseed/lazygravy_at_mail.i2p.crt
+@sample ${LOCALSTATEDIR}/i2pd/certificates/reseed/lazygravy_at_mail.i2p.crt
@owner
@group
share/examples/i2pd/certificates/reseed/orignal_at_mail.i2p.crt
@owner _i2pd
@group _i2pd
-@sample ${LOCALSTATEDIR}/lib/i2pd/certificates/reseed/orignal_at_mail.i2p.crt
+@sample ${LOCALSTATEDIR}/i2pd/certificates/reseed/orignal_at_mail.i2p.crt
@owner
@group
share/examples/i2pd/certificates/reseed/r4sas-reseed_at_mail.i2p.crt
@owner _i2pd
@group _i2pd
-@sample ${LOCALSTATEDIR}/lib/i2pd/certificates/reseed/r4sas-reseed_at_mail.i2p.crt
+@sample ${LOCALSTATEDIR}/i2pd/certificates/reseed/r4sas-reseed_at_mail.i2p.crt
@owner
@group
share/examples/i2pd/certificates/reseed/rambler_at_mail.i2p.crt
@owner _i2pd
@group _i2pd
-@sample ${LOCALSTATEDIR}/lib/i2pd/certificates/reseed/rambler_at_mail.i2p.crt
+@sample ${LOCALSTATEDIR}/i2pd/certificates/reseed/rambler_at_mail.i2p.crt
@owner
@group
share/examples/i2pd/certificates/reseed/reseed_at_diva.exchange.crt
@owner _i2pd
@group _i2pd
-@sample ${LOCALSTATEDIR}/lib/i2pd/certificates/reseed/reseed_at_diva.exchange.crt
+@sample ${LOCALSTATEDIR}/i2pd/certificates/reseed/reseed_at_diva.exchange.crt
@owner
@group
share/examples/i2pd/i2pd.conf
Index: net/i2pd/pkg/i2pd.rc
===================================================================
RCS file: /cvs/ports/net/i2pd/pkg/i2pd.rc,v
diff -u -p -u -p -r1.4 i2pd.rc
--- net/i2pd/pkg/i2pd.rc 11 Mar 2022 19:46:04 -0000 1.4
+++ net/i2pd/pkg/i2pd.rc 7 Jan 2026 14:55:16 -0000
@@ -2,7 +2,7 @@
daemon="${TRUEPREFIX}/bin/i2pd --daemon"
daemon_user="_i2pd"
-daemon_flags="--service --datadir=${LOCALSTATEDIR}/lib/i2pd --conf=${SYSCONFDIR}/i2pd/i2pd.conf --tunconf=${SYSCONFDIR}/i2pd/tunnels.conf --tunnelsdir=${SYSCONFDIR}/i2pd/tunnels.d"
+daemon_flags="--service --datadir=${LOCALSTATEDIR}/i2pd --conf=${SYSCONFDIR}/i2pd/i2pd.conf --tunconf=${SYSCONFDIR}/i2pd/tunnels.conf --tunnelsdir=${SYSCONFDIR}/i2pd/tunnels.d --certsdir=${LOCALSTATEDIR}/i2pd/certificates"
. /etc/rc.d/rc.subr
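Review bot: The added --certsdir=${LOCALSTATEDIR}/i2pd/certificates in daemon_flags repeats a value that patch-contrib_i2pd_conf also sets as "certsdir = /var/i2pd/certificates", and the same holds for --tunconf and --tunnelsdir, so each path now lives in two places, once through ${SYSCONFDIR} and ${LOCALSTATEDIR} and once hard-coded as /etc/i2pd and /var/i2pd. Keep these paths in one place, either the flags here or i2pd.conf, so that a non-default LOCALSTATEDIR or a user edit to i2pd.conf cannot leave the two out of step.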