I2P – Invisible Internet Project

Imagine you want to send a letter, but you don’t want anyone to know who sent it, who received it, or even what it says inside. It’s not enough to use an opaque envelope; you need a network of mail carriers who don’t even know they’re working for you, routes that change every time, and an encrypted language that only you and the recipient understand. That’s how I2P works, the anonymous network that goes beyond Tor and VPNs. Today I’ll explain how it works, why it matters, and how it could change the way you browse.

I2P, or the Invisible Internet Project, is an overlay network (a network built on top of the traditional Internet) designed to be resistant to traffic analysis. Unlike Tor, which focuses on accessing the open web anonymously, I2P is intended for services and users to communicate within the network itself. It’s like a parallel Internet where pages, chats, and files exist only for those connected to I2P. And here’s the fascinating thing: not even the nodes transmitting your data know what they’re moving.

How does it do this? With something called garlic routing. Imagine that instead of sending a single message, you bundle several messages (your own or others’) into a “clove of garlic,” encrypt them in layers, and send them through a random sequence of nodes. Each node only knows where the packet came from and where it should pass it, never the final origin or the content. What’s more, these routes (called tunnels) are rebuilt every 10 minutes. If an eavesdropper tried to track you, they’d see a stream of data that disappears and reappears at random points on the network, with no clear pattern.

Let’s talk about tunnels, a key concept. In I2P, your connection doesn’t go directly from point A to B. Instead, you create two one-way tunnels: one for sending data (outbound tunnel) and one for receiving (inbound tunnel). Each tunnel goes through several nodes (usually 3), and each node only knows about the one before it and the one after it. Think of it as a chain of custodians: the first one receives your message and hands it to the second, who in turn passes it to the third, and so on until it reaches the destination. Since tunnels are independent, even if someone compromises an exit node, they can’t link it to your entry node.

So how does I2P prevent malicious nodes from tampering with the data? This is where cryptography comes in. Everything is encrypted end-to-end with algorithms like AES-256 and ElGamal. Additionally, each node applies a specific layer of encryption for the next hop (similar to an onion, like in Tor, but with more layers and dynamic structures). This means that even if a node tried to inspect the content, it would only see encrypted gibberish.

But I2P isn’t just theory. It has practical uses that anyone can try out. Take eepsites, for example: websites hosted within I2P that end in .i2p and are only accessible from the network. Think of them as the anonymous version of the dark web, but more focused on privacy than sensationalism. There are also tools like Syndie (for decentralized forums) or I2P-Bote (anonymous email), which allow for communications without leaving a trace.

A concrete example: suppose you want to publish a blog critical of an authoritarian government. Using I2P, you could host the blog on an eepsite, set up a hidden tunnel to handle comments, and use I2P-Bote to receive messages from anonymous sources. All this without your ISP, a network watchdog, or even other I2P nodes knowing where the real server is hosted.

Now, the awkward question: is I2P slow? Yes, but by design. Multiple encryption, node hopping, and the decentralized nature all add latency. You won’t see 4K streaming here, but for messaging, email, or basic browsing, it’s sufficient. Plus, I2P prioritizes anonymity over speed: would you rather have your activity take 2 seconds longer or have someone identify your location?

I’ll end with a technical detail that I find brilliant: I2P does not rely on central authorities (as Tor does). Instead, each node maintains a distributed network database, updated using the Kademlia protocol (the same one used by some P2P networks). This eliminates single points of failure and attack. If a government tried to shut down I2P, it would have to take down thousands of nodes in dozens of countries simultaneously… something practically impossible.

Kademlia: The Protocol That Powers I2P (and Other Networks)

Imagine you want to find someone in a crowd of a million people, but you can’t shout out their name. Instead, everyone carries a flashlight and follows precise rules to pass signals back and forth until, within seconds, the light reaches the right person. That’s how Kademlia works, the protocol that allows networks like I2P to organize themselves without central servers, authorities or checkpoints. Today I’ll explain how this invisible engineering makes the impossible possible.

Kademlia is a distributed hash table (DHT) protocol. Translation: it’s a system for storing and retrieving information on a decentralized network, where each node (a connected computer) holds only a fragment of the total information. Think of a giant library where no librarian knows all the books, but everyone knows exactly who to ask to find them. In I2P, this “library” stores critical data: node addresses, available services, and how to communicate with them.

The magic of Kademlia is in how it calculates the “distance” between nodes. It doesn’t use kilometers, but rather XOR operations between numeric identifiers (160-bit hashes). Each node has a unique ID, and when it looks up a piece of data, it calculates the XOR distance between its ID and the ID associated with the data. Why XOR? Because it allows you to efficiently determine which nodes are logically “closest” to the desired data, without relying on physical locations. It’s as if, instead of looking for someone in your city, you were looking for someone with a phone number that is most similar to yours.

Here’s the brilliant part: each node maintains a routing table with information about other nodes, organized into “k-buckets.” These buckets group nodes by specific XOR distances. For example, if your ID is A3F9, your closest bucket will contain nodes with IDs that differ by just one bit, the next by two bits, and so on. When you need to find a piece of data, you iteratively query the nodes “closest” to the target, reducing the distance at each step. In large networks, this allows any resource to be located in log₂(N) steps (if there are a million nodes, it takes ~20 hops).

But how does Kademlia prevent the network from collapsing if nodes go offline? With redundancy and constant updating. Every piece of data is replicated across multiple nodes close to the target ID, and routing tables are automatically updated when a node stops responding. If you try to access a resource and one of the key nodes is offline, Kademlia simply asks the next one in the list. It’s as if, in our decentralized library, every book is copied onto three different shelves, and librarians alert each other if someone leaves their post.

In I2P, Kademlia doesn’t just store addresses. It also manages the tunnel network: when you want to create a tunnel to send anonymous data, you query the DHT to find valid nodes and build your route. Also, since there are no central servers, there is no single point to attack or monitor. If a government tried to block I2P, it would have to take down a majority of nodes in multiple countries simultaneously, which is almost unfeasible.

A practical example: suppose you want to access an eepsite called periodismo-libre.i2p. Your I2P client takes the hash of that name (say, D8B1), queries the DHT using Kademlia, and asks, “Who is closest to D8B1?” Intermediate nodes respond with addresses of other nodes that are increasingly closer to the target, until you reach the one that stores the site’s real (masked) IP. All of this happens without anyone on the network knowing who you are, what you’re looking for, or where the server actually is.
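
The XOR distance, k-bucket placement and iterative lookup described above, as an added example that is not part of the original article or of I2P’s own code. It assumes the 160-bit IDs the article cites, indexes buckets by the highest differing bit as in the Kademlia design, and runs on a constructed 512-router network; the names `make_id`, `Node`, `build_network` and `lookup` are hypothetical.

```python
import hashlib
import random

def make_id(name: str) -> int:
    """160-bit identifier (SHA-1 of a constructed name), the width the article cites."""
    return int.from_bytes(hashlib.sha1(name.encode()).digest(), "big")

def distance(a: int, b: int) -> int:
    """Kademlia distance: XOR of the two IDs, compared as an integer."""
    return a ^ b

def bucket_index(own: int, other: int) -> int:
    """k-bucket number = position of the highest bit in which the IDs differ."""
    return distance(own, other).bit_length() - 1

class Node:
    def __init__(self, node_id: int, k: int):
        self.id, self.k = node_id, k
        self.buckets = {}                      # bucket index -> up to k peer IDs

    def learn(self, peer: int) -> None:
        if peer == self.id:
            return
        bucket = self.buckets.setdefault(bucket_index(self.id, peer), [])
        if peer not in bucket and len(bucket) < self.k:
            bucket.append(peer)

    def closest_known(self, target: int) -> int:
        """Answer a lookup: the peer in our table nearest to the target (or ourselves)."""
        peers = [p for b in self.buckets.values() for p in b] + [self.id]
        return min(peers, key=lambda p: distance(p, target))

def build_network(size: int, k: int = 4, seed: int = 7) -> dict:
    """Constructed test network: every node fills its buckets from a shuffled peer list."""
    rng = random.Random(seed)
    ids = [make_id(f"router-{i}") for i in range(size)]
    nodes = {i: Node(i, k) for i in ids}
    for node in nodes.values():
        for peer in rng.sample(ids, len(ids)):
            node.learn(peer)
    return nodes

def lookup(nodes: dict, start: int, target: int):
    """Iterative lookup: keep asking the nearest node found so far until no one is nearer."""
    current, hops = start, 0
    while True:
        nxt = nodes[current].closest_known(target)
        if nxt == current:
            return current, hops
        current, hops = nxt, hops + 1

if __name__ == "__main__":
    net = build_network(512)
    target = make_id("periodismo-libre.i2p")   # eepsite name from the article
    found, hops = lookup(net, next(iter(net)), target)
    print(f"closest router {found:040x} reached in {hops} hops")
```

Each node stores at most `k` peers per bucket, yet the lookup still ends at the router that is globally closest to the target, because every hop hands the query to a node sharing a longer ID prefix with it.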

Kademlia is not unique to I2P. It is used by BitTorrent to find peers, Ethereum for its network, and even some messaging apps. But in anonymizing contexts like I2P, its value is key: it turns the chaos of a decentralized network into a predictable and efficient system, without sacrificing privacy. Of course, it comes at a cost: latency. Each search operation requires multiple queries, but that is the price of not relying on a “Big Brother” to control everything.

Kademlia is like the roots of a forest: invisible underground, but interconnected in such a way that, even if you cut down a tree, the rest continue to be nourished. In a world obsessed with centralizing power in platforms like Meta or Google, protocols like this remind us that there is another way. Slower, less comfortable, but unstoppable. And in that unstoppability lies, precisely, hope.

I2P isn’t for everyone. It requires setting up specific applications, understanding basic encryption concepts, and accepting that convenience is sacrificed in favor of anonymity. But in a world where even your refrigerator collects data about you, having a real alternative to mass surveillance isn’t paranoia: it’s common sense. Ready to try it out? The door is at geti2p.net. And remember: on the invisible web, you are your own best guardian.

How to Use I2P: A Practical Guide to Navigating the Invisible Web

If you want to explore I2P, you need to understand that it’s not like opening Chrome and typing in “Google.” There’s no instant convenience here, but there is radical privacy. I’ll walk you through it step by step, but first, prepare your mindset: this is more of a technical hike than a car ride. Here we go.

What do you need?

  • A device with an Internet connection: I2P works on Windows, macOS, Linux, Android, and even routers like the Raspberry Pi.
  • I2P software: The official implementation (Java I2P) is the most common, but there is also the lighter i2pd (in C++). For this example, I will use Java I2P.
  • Patience: The network is slow at first, but improves over time (nodes learn to optimize routes).

Step 1: Install I2P

Windows/macOS: Download the installer from geti2p.net. Run it like any other program.

Linux: Use the repositories. For example, on Debian/Ubuntu:

sudo apt install i2p 

Then start the service:

sudo systemctl start i2p

Android: Install I2P Android from F-Droid. It’s not on Google Play for obvious reasons.

Step 2: Initial Setup

When you start I2P, the router console will automatically open in your browser (http://localhost:7657). You will see a panel with traffic graphs, active tunnels, and status messages.

  • Wait 10-15 minutes: I2P needs to build inbound and outbound tunnels. The progress bar under “Network” will indicate when you are ready.
  • Speed up integration: In the console, go to Config > Bandwidth and set a higher speed (e.g. 1024 KB/s). Don’t overdo it: if your connection is modest, prioritize stability.

Step 3: Configure your browser to access eepsites

I2P does not route all your traffic, only the traffic directed to its network. To visit .i2p sites, configure your browser:

  • Use a separate browser (Firefox is ideal).
  • Go to Settings > Proxy and set:
    • HTTP/HTTPS Proxy: 127.0.0.1 (localhost), Port: 4444.
  • Save changes.

Now, typing http://identiguy.i2p (a directory of eepsites) will take you to the network. If you see errors, make sure I2P is running and tunnels are green in the console.

Step 4: Navigating I2P (practical examples)

  • Eepsite directories:
  • Anonymous mail: Install I2P-Bote (available in the router console). It works like Thunderbird, but with encrypted emails and no central server.
  • Forums and blogs: Use Syndie (built-in tool) to read or post on decentralized forums.

Step 5: Using applications over I2P

  • Anonymous BitTorrent: Configure clients like qBittorrent to use I2P’s SOCKS proxy (127.0.0.1:7656). Download without anyone seeing your IP.
  • Messaging: IRC2P (anonymous chat) is accessed from clients like HexChat, configuring the server 127.0.0.1 and port 6668.
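
A local check for the “make sure I2P is running” advice in the steps above, as an added example that is not part of the original article or of the I2P project. It probes only 127.0.0.1, uses the ports exactly as this article lists them, and the function names are hypothetical.

```python
import socket

# Local I2P service ports exactly as this article lists them.
SERVICES = {"router console": 7657, "HTTP proxy": 4444,
            "SOCKS proxy": 7656, "IRC2P tunnel": 6668}
HTTP_SERVICES = ("router console", "HTTP proxy")   # these should answer HTTP

def is_listening(port: int, host: str = "127.0.0.1", timeout: float = 1.0) -> bool:
    """True if something accepts TCP connections on host:port."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return True
    except OSError:
        return False

def speaks_http(port: int, host: str = "127.0.0.1", timeout: float = 3.0) -> bool:
    """True if the listener returns an HTTP status line.

    Any status, even an error page, shows an HTTP service is answering,
    rather than some unrelated program that happens to hold the port.
    """
    try:
        with socket.create_connection((host, port), timeout=timeout) as conn:
            conn.settimeout(timeout)
            conn.sendall(b"GET / HTTP/1.0\r\nHost: localhost\r\n\r\n")
            return conn.recv(16).startswith(b"HTTP/")
    except OSError:
        return False

def diagnose(services: dict = SERVICES, host: str = "127.0.0.1") -> dict:
    """Map each service name to 'ok' or a short description of what is wrong."""
    report = {}
    for name, port in services.items():
        if not is_listening(port, host):
            report[name] = "closed: is the I2P router running?"
        elif name in HTTP_SERVICES and not speaks_http(port, host):
            report[name] = "open, but not answering HTTP"
        else:
            report[name] = "ok"
    return report

if __name__ == "__main__":
    for name, status in diagnose().items():
        print(f"{name:15} port {SERVICES[name]:5}  {status}")
```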

Mobile access (Android)

  • Install I2P Android and open it.
  • Follow the same proxy steps (localhost:4444) on your mobile browser.
  • Use apps like Azzuro (preconfigured I2P browser) to simplify the process.

Where can it be accessed from?

  • At home: The safest option if you use an unmonitored connection.
  • Public networks (cafes, libraries): Useful for physical anonymity, but always encrypt your data (I2P already does this, but use HTTPS as well if possible).
  • Over a VPN: Combine I2P with a VPN to hide from your ISP that you are using the network. Important: Connect the VPN first, then I2P.

Security and common mistakes

  • Don’t use I2P with Tor simultaneously: Both networks add layers, but may create detectable patterns. Choose one.
  • Always update: I2P is frequently updated to patch vulnerabilities.
  • Avoid browser plugins: Flash, Java or WebRTC can leak your real IP. Use extensions like uBlock Origin and NoScript.

Advanced Tips

  • Host your eepsite: In your router console, go to I2PTunnel > Create New Tunnel. Choose “Web Server” and follow the instructions. Your site will be at http://[your-key].i2p.
  • Contribute to the network: Under Config > Bandwidth, check “Participate in the network by passing traffic.” This will improve overall speed, but it will consume more data.

What if something goes wrong?

  • Tunnels are not built: Check your firewall. I2P needs open ports (TCP 7656-7660 and UDP 7656-7658).
  • An eepsite does not load: Try http://stats.i2p/i2p/addkey.html to update the address manually.

Are there any technologies that have surpassed I2P?

I2P remains one of the most robust anonymous networks, but there is no one-size-fits-all solution. Other technologies have emerged with different, though not necessarily “superior”, approaches. For example:

  • Tor (The Onion Router): This is more popular and faster for accessing the open web (like .onion sites and the regular web). However, Tor prioritizes origin anonymity when accessing external services, while I2P is designed for communications within its own network. If you want to use forums, mail, or internal files anonymously, I2P is better. If you’re looking to browse the traditional web without leaving a trace, Tor wins.
  • Lokinet (based on Oxen): Uses a decentralized network with cryptocurrency-incentivized nodes. It is faster than I2P and allows access to the regular web, but its economic model is still being tested. Its main advantage is that node operators are rewarded, which could scale the network better.
  • Nym: Combines mixnets and blockchain for real-time anonymity. It is more modern and theoretically resistant to correlation attacks, but is not yet as mature as I2P.

Bottom line: no technology has “surpassed” I2P in its niche (anonymous internal communications). They are different tools for different problems.

Is I2P vulnerable?

No system is 100% secure, and I2P is no exception. These are its known weaknesses:

  • Correlation attacks: If an adversary controls the first and last nodes in your tunnels, they could correlate the timing and size of packets to infer that it’s you communicating. This is difficult (tunnels change every 10 minutes), but not impossible. I2P mitigates this with multi-layer encryption and dynamic routing.
  • Rogue nodes: Someone could run thousands of fake nodes to increase the probability of breaking into your tunnels. However, I2P prioritizes trusted nodes (those that have been on the network the longest) when building routes.
  • Java I2P: The official implementation is written in Java, a language with a history of vulnerabilities. Alternatives such as i2pd (in C++) reduce this risk, but have fewer features.
  • Metadata: Even though the content is encrypted, the fact that you’re using I2P (and not a regular VPN) may attract the attention of your ISP or government. In repressive countries, this could be a problem in itself.
  • Small network: Because it has fewer nodes than Tor, it is theoretically easier for a well-resourced attacker to monitor a lot of traffic.

Does I2P encrypt metadata?

I2P is designed to protect both content and metadata, but not in the same way. A key distinction comes into play here: not all metadata can be encrypted if you want the network to work. Here’s how I2P handles this, and where its limits lie.

What is metadata in I2P?

Imagine you are sending an envelope by mail:

  • Contents: The letter inside (encrypted).
  • Metadata: The sender’s address, the recipient’s address, the postmark, the envelope size, and even the fact that you sent something.

In I2P, metadata includes:

  • Who sends/who receives (.i2p addresses).
  • When the message was sent.
  • The size of the packets.
  • The route the data took (intermediate nodes).

How does I2P protect this metadata?

a) Addresses and routes

  • Encrypted addresses: I2P addresses (e.g. mj3s7qziq...i2p) are cryptographic hashes of public keys. They do not reveal the real IP or identity.
  • Dynamic tunnels: Messages travel through one-way tunnels that change every 10 minutes. The ingress node does not know where the packet is going, and the egress node does not know where it came from.

b) Time and size

  • Padding: I2P adds random data to messages so that all packets have a standard size. Thus, a 5 MB PDF and a text message look the same.
  • Message mixing: Garlic routing groups multiple messages into a single packet (like a “garlic clove”). This blurs the relationship between the original sender and the final recipient.

c) Layered encryption

Each hop in the tunnel decrypts a layer to know where to send the packet, but:

  • The source only knows the first node.
  • Intermediate nodes only see the previous and next nodes.
  • The destination only knows the last node in the tunnel.
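
The layer-per-hop idea above, as an added example that is not part of the original article and does not reproduce I2P’s wire format. It assumes a three-hop tunnel with constructed keys, uses a toy SHA-256 keystream as a stand-in for AES, and adds an HMAC per layer so that a modified packet is rejected; all function names are hypothetical.

```python
import hashlib
import hmac
import os

def _xor_stream(key: bytes, nonce: bytes, data: bytes) -> bytes:
    """Toy SHA-256 counter-mode stream cipher: a stand-in for AES, not for real use."""
    out = bytearray()
    for off in range(0, len(data), 32):
        pad = hashlib.sha256(key + nonce + off.to_bytes(8, "big")).digest()
        out.extend(b ^ p for b, p in zip(data[off:off + 32], pad))
    return bytes(out)

def seal(key: bytes, next_hop: str, inner: bytes) -> bytes:
    """Add one layer: encrypt (next hop + inner blob), then authenticate it."""
    nonce = os.urandom(16)
    name = next_hop.encode()
    body = _xor_stream(key + b"enc", nonce, bytes([len(name)]) + name + inner)
    tag = hmac.new(key + b"mac", nonce + body, hashlib.sha256).digest()
    return nonce + body + tag

def peel(key: bytes, blob: bytes):
    """Remove one layer: returns (next hop, inner blob); rejects modified data."""
    nonce, body, tag = blob[:16], blob[16:-32], blob[-32:]
    expected = hmac.new(key + b"mac", nonce + body, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        raise ValueError("layer failed integrity check")
    plain = _xor_stream(key + b"enc", nonce, body)
    return plain[1:1 + plain[0]].decode(), plain[1 + plain[0]:]

def wrap(message: bytes, hops: list, dest: str, dest_key: bytes) -> bytes:
    """Sender side: end-to-end layer first, then one layer per hop, last hop innermost."""
    blob, next_name = seal(dest_key, "", message), dest
    for name, key in reversed(hops):
        blob, next_name = seal(key, next_name, blob), name
    return blob

def relay(blob: bytes, hops: list):
    """Walk the tunnel; record what each hop learns: (its name, next hop, bytes it forwards)."""
    keys, current, seen = dict(hops), hops[0][0], []
    while current in keys:
        nxt, blob = peel(keys[current], blob)
        seen.append((current, nxt, blob))
        current = nxt
    return seen, blob

# Constructed sample tunnel: three hops, the typical length the article mentions.
HOPS = [(f"hop{i}", hashlib.sha256(f"hop{i}-key".encode()).digest()) for i in (1, 2, 3)]
DEST_KEY = hashlib.sha256(b"destination-key").digest()

if __name__ == "__main__":
    seen, final = relay(wrap(b"hello eepsite", HOPS, "dest", DEST_KEY), HOPS)
    for name, nxt, forwarded in seen:
        print(name, "->", nxt, "| plaintext visible:", b"hello" in forwarded)
    print(peel(DEST_KEY, final))
```

Each hop recovers only the name of the next hop and a blob it cannot read; the message itself appears only after the destination removes the innermost layer.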

What metadata is not encrypted?

  • Traffic existence: Your ISP can detect that you are using I2P (although not what you do within it). This is mitigated by combining I2P with a VPN or Tor.
  • Amount of data: If you send 1 GB over I2P, an outside observer will see 1 GB of encrypted traffic (but won’t know if it’s a video, an email, or another file).
  • Activity patterns: If you always connect to I2P at 3 AM, someone could link those times to your identity.

Known attacks on I2P metadata

  • Temporal correlation: If an adversary controls your entry and exit nodes, they could link the time you send and receive data. I2P makes this difficult by switching tunnels every 10 minutes, but it’s not impossible on small networks.
  • Traffic analysis: Countries like China or Iran use DPI (Deep Packet Inspection) to block “suspicious” protocols, including I2P. The solution is to use bridges or VPNs.
  • Sybil attacks: If an attacker controls many nodes, the likelihood of your tunnels going through them increases. I2P prioritizes “trusted” nodes (those that have been active the longest) to reduce this risk.

Summarizing:

  • Encrypts: Addresses, routes and relationships between sender/receiver.
  • Obfuscates: Time, size and traffic patterns.
  • Can’t encrypt: Whether you use I2P or the total amount of data.

Despite this, I2P remains one of the safest networks for high-risk activities. Its serverless design and default encryption make it resistant even to state attacks.

I2P isn’t a magic wand, but it is one of the most robust tools for anyone who values anonymity. It requires tweaking, yes, but each click of configuration is a brick in your wall against surveillance. The first time you load an eepsite and see that “.i2p” in the address bar, you’ll feel something strange: the freedom of knowing you’re in a place where no one is spying on you.
