On Monday, January 12th, 2026 at 6:51 PM, David Uhden Collado
<[email protected]> wrote:
> > > Hello all,
> > >
> > > Attached to this email is a patch that includes one fix and several
> > > improvements for the net/i2pd port.
> >
> > IMHO, the changes you are proposing are mostly a matter of personal
> > preference. I see no sufficient reason to deviate from upstream
> > configuration choices, which are are kind of the default way of configuring
> > i2pd, and also what most users are expecting.
>
>
> I believe there is a reason to deviate from the default configuration,
> which is why I changed the port and sent a patch to the mailing list.
Rather than a matter of "personal preference", I should have framed my answer
as a choice about different trade-offs.
> Similar ports in the tree, such as net/tor, also modify the default
> configuration.
>
> https://cvsweb.openbsd.org/cgi-bin/cvsweb/~checkout~/ports/net/tor/patches/patch-src_config_torrc_sample_in
You're right that other ports like net/tor have patches like that. But is this
a good enough reason to just copy and paste? My point was that there's no
*practical* benefit to set i2pd's working directory as /var/i2pd instead of
/var/lib/i2pd. On the contrary, there's a potential drawback, also on the
practical level: the risk of confusing some users. The trade-off here is style
and consistency on the one side vs. practicality on the other.
> > > First, the patch addresses an issue related to log handling. By default,
> > > i2pd uses a separate log file located at /var/log/i2pd/i2pd.log.
> > > However, this file is not rotated by newsyslog(8), causing it to grow
> > > without bounds. The proposed solution is to configure i2pd to write its
> > > logs to /var/log/daemon by updating the i2pd.conf configuration file.
> >
> > I personally like to have a separate log file for i2pd, and not mix its
> > output with other things. That's a matter of taste, and anyway log rotation
> > can be configured in /etc/newsyslog.conf .
>
>
> Although log file rotation can be configured for the i2pd log file, it
> is not configured by default. This causes the file to grow unbounded,
> and users who are unaware of this issue may one day find out that their
> /var partition is full, as happened to me. At the very least, add a note
> to the README for the port to make users aware of this issue.
Thinking a bit more about this issue, I agree with you that sending i2pd logs
to syslogd should be set as the default, instead of writing them to separate
log file, albeit for a different reason: because rotating the log file is a
little bit tricky in this case.
In order to rotate the log file, you have to restart the daemon, but it's good
practice to stop i2pd gracefully: this is important for your peers and the
operation of the I2P network as a whole. But to initiate a graceful shutdown,
you either have to use the web interface or send a signal to the process with a
command like `kill -INT $(cat /var/lib/i2pd/i2pd.pid)`. You then have to wait
for the daemon to effectively stop, which usually takes 10 minutes.
This is documented by the i2pd developers
(https://docs.i2pd.website/en/latest/user-guide/run/), but anyway adding a note
to the README about that sounds like a good idea to me.
> > > Second, the directory used to store port-related files changes from
> > > /var/lib/i2pd to /var/i2pd, which better aligns with the OpenBSD style.
> > > To accomplish this change, the patch updates the PLIST, the RC script,
> > > and the i2pd.conf configuration file.
> >
> > It is true that /var/i2pd would "better align with the OpenBSD style", but
> > apart from that stylistic issue, what's wrong with /var/lib/i2pd ? Using
> > this directory does not prevent i2pd from running fine on OpenBSD, and it
> > is referenced by all guides and tutorials on i2pd, so changing it could
> > confuse new users. I don't think it would be worth introducing a lot of
> > changes in the PLIST, rc script and default config file.
>
>
> If anyone has any problems, they can consult the port tree to see how
> the net/i2pd port works. Things are usually different in OpenBSD than in
> Linux, which makes OpenBSD less convenient to use. However, convenience
> is not the focus of this operating system.
We can agree that convenience is not the main focus of OpenBSD, it's definitely
not Linux Mint, but even the most hardcore OpenBSD users are not opposed to any
form of convenience ;-)
> > > Finally, the i2pd.conf and tunnels.conf configuration files are adjusted
> > > to improve security and usability. Specifically, the web interface and
> > > the default IRC tunnel are disabled, log verbosity is reduced, and
> > > additional address book sources for I2P aliases are configured.
> >
> > That's also a matter of personal choice. I personally use the web
> > interface, which is a very convenient way to interact with your daemon, and
> > I guess that a lot of users are also expecting it to work. Security-wise,
> > it's not too bad as long as you don't expose it publicly on the internet.
> > If you don't like it, you're free to disable it in the configuration file.
>
>
> Of course, it's terrible in terms of security. The web configuration
> interface doesn't have a password by default, so any user on the system
> can perform actions on the daemon, such as shutting it down and
> deanonymizing you. It's another ticking time bomb, just like the
> separate configuration file. If I had permissions in the repository, I
> would remove the port right now for this reason alone.
You're right that the web interface definitely adds some attack surface. But
what's the threat model exactly? The web interface allows "any user on the
system", let's say a malicious user, to shut down the daemon, namely enables a
denial-of-service attack. This malicious user could also access private
information, like your router identity or the B32 addresses of your tunnels.
That's probably what you mean by "deanonymizing you"... But bear in mind that
"any user on the system" can easily get the machine's IP address anyway, which
is usually what you want to conceal. And even with the web interface disabled,
any local user could also access i2pd's configuration files, which are
world-readable by default and can include some private information (encrypted
LeaseSets keys in /etc/i2pd/tunnels.conf for example).
On the other hand, the web interface can be very useful to control and monitor
the i2pd daemon. It's impossible to know what proportion of i2pd users rely on
this feature, but my guess is that it is widely used, hence the i2pd developers
enabled it by default.
In any case, we can also add a note to the README warning users about the risks
associated with the web interface.
BTW, if you really think i2pd is so dangerous that it should be removed from
the OpenBSD port tree, why are you using it in the first place? ;-)
> > The same applies for the IRC tunnel, log verbosity, etc. I guess most i2pd
> > users are editing i2pd.conf and tunnels.conf anyway.
> >
> > I don't use the IRC tunnel either, but I've always seen this configuration
> > snippet as an example provided by the developers to demonstrate how to
> > configure tunnels.
>
>
> If you had checked my patch, you would have seen that the configuration
> was not removed. I only commented it out to prevent you from having an
> unnecessary open door to the network on your system that could be used
> for malicious purposes. If an attacker knows you're using i2pd, they
> will also know that this port is open locally.
I checked your patch, don't worry :-) IMHO you're exaggerating the risk
introduced by this configuration snippet in tunnels.conf. If you don't have an
IRC client, or any other program, with an active connection on 127.0.0.1:6668,
I don't see how an attacker could exploit that, even if you have reasons to
think that the IRC server is malicious or compromised. *In theory*, this tunnel
could open a covert channel for a malicious application running on your
machine, allowing it to exchange data with an IRC server over I2P. If your
threat model is so high that such a targeted attack sounds likely to you, I
wish you good luck, but fortunately you know how to edit i2pd's configuration
;-)
> > > I look forward to any feedback or suggestions.
> >
> > At the end of the day, I think that porters should not set their personal
> > configuration preferences as the default for all users; we should stick to
> > upstream's choices as long as they're working under OpenBSD and don't
> > introduce unnecessary risks. Moreover, i2pd's configuration is documented
> > and the users can decide for themselves what's good for their use case.
>
>
> It's like pouring oil on the floor at the entrance to a building and
> expecting people to clean it up if they don't want to slip.
Sure, the i2pd developers and myself like to pour oil on the floor for no
reason, and if nobody cares, we even may set it on fire and burn the entire
building, just for the sake of it. Or maybe you're overreacting a little ;-)
> > > Best regards,
> > > David.
>
>
> By the way, in my last patch, I forgot to use the LOCALSTATEDIR macro in
> the certdir variable of the RC script. I am attaching the corrected
> patch to this email.
Please find attached my counterproposal: a patch changing the main
configuration file to send logs to syslogd by default, and adding a few useful
explanations in the README.
David, this patch doesn't include all your ideas, but borrows some of them, and
I hope you will consider it as an acceptable and constructive trade-off ;-)
Best regards.
Index: Makefile
===================================================================
RCS file: /cvs/ports/net/i2pd/Makefile,v
diff -u -p -r1.31 Makefile
--- Makefile 12 Nov 2025 02:13:09 -0000 1.31
+++ Makefile 14 Jan 2026 21:14:03 -0000
@@ -3,6 +3,7 @@ COMMENT = client for the I2P anonymous n
GH_ACCOUNT = PurpleI2P
GH_PROJECT = i2pd
GH_TAGNAME = 2.58.0
+REVISION = 0
CATEGORIES = net
HOMEPAGE = https://i2pd.website
Index: patches/patch-contrib_i2pd_conf
===================================================================
RCS file: patches/patch-contrib_i2pd_conf
diff -N patches/patch-contrib_i2pd_conf
--- /dev/null 1 Jan 1970 00:00:00 -0000
+++ patches/patch-contrib_i2pd_conf 14 Jan 2026 21:14:03 -0000
@@ -0,0 +1,13 @@
+send logs to syslogd(8) by default
+Index: contrib/i2pd.conf
+--- contrib/i2pd.conf.orig
++++ contrib/i2pd.conf
+@@ -30,7 +30,7 @@
+ ## * stdout - print log entries to stdout
+ ## * file - log entries to a file
+ ## * syslog - use syslog, see man 3 syslog
+-# log = file
++log = syslog
+ ## Path to logfile (default: autodetect)
+ # logfile = /var/log/i2pd/i2pd.log
+ ## Log messages above this level (debug, info, *warn, error, critical, none)
Index: pkg/README
===================================================================
RCS file: /cvs/ports/net/i2pd/pkg/README,v
diff -u -p -r1.4 README
--- pkg/README 16 Apr 2024 15:22:32 -0000 1.4
+++ pkg/README 14 Jan 2026 21:14:03 -0000
@@ -24,3 +24,53 @@ and also edit /etc/login.conf.d/i2pd:
:openfiles-cur=8192:\
:openfiles-max=8192:\
:tc=daemon:
+
+
+The HTTP interface
+==================
+
+By default, i2pd's HTTP interface is enabled, listening on 127.0.0.1,
+port 7070.
+
+This interface is a convenient way to control and monitor your i2pd
+daemon. But please be aware that it carries some risks, since it allows
+any user on the system to perform actions on the daemon, such as
+shutting it down, or access private data, like your router identity or
+the B32 addresses of your tunnels.
+
+If you don't need this interface, you can disable it in
+/etc/i2pd/i2pd.conf under the [http] section.
+
+
+Graceful shutdown
+=================
+
+It is good practice to shutdown the i2pd daemon gracefully, to avoid
+immediatly severing all connections, which would disconnect all
+your peers and affect the overall operation of the I2P network.
+
+To initiate a graceful shutdown, you can either use the HTTP interface
+or send a signal to the i2pd daemon like this:
+
+ kill -INT $(cat /var/lib/i2pd/i2pd.pid)
+
+When it shuts down gracefully, the i2pd daemon waits for all transit
+tunnels to expire, which usually takes 10 minutes.
+
+
+Logging
+=======
+
+By default, the OpenBSD port of ${PKGSTEM} sends its log messages to
+syslogd(8), which writes them to the /var/log/daemon file.
+
+The default log level of ${PKGSTEM} ("warn") can be very verbose. You
+may want to reduce this log verbosity by changing the "loglevel"
+parameter in /etc/i2pd/i2pd.conf.
+
+If you want log messages to be written to another file, e.g.
+/var/lib/i2pd/i2pd.log, you can change the "log" and "logfile"
+parameters in /etc/i2pd/i2pd.conf. To have this log file rotated
+automatically, see `man 8 newsyslog.conf`, and please take into
+account that the i2pd daemon should be restarted gracefully at
+each rotation.
