Home Blog Notes Twtxt

Browsing I2P with the Tor Browser

November 2nd, 2022

Due to current events, I2P has recently surged in popularity. Since I2P has no official browser, and the Tor Browser Bundle already has strong fingerprinting protections, many users choose to configure the Tor Browser to connect to I2P instead. This is my procedure for doing so, based on several guides from around the net.

Disclaimer: I am a hobbyist, not a computer security expert. This guide is based on guides from other people, common sense, and my prior knowledge from experience and quite a bit of reading on both Tor and I2P.

Also, don't trust me. Verify yourself that what I'm saying is true. If you think I'm an idiot, go write your own guide and send me a link.

Create a new profile (optional, but recommended)

Containing i2p in its own browser profile allows you to continue accessing Tor on the default profile.

  1. Navigate to about:profiles and click Create a New Profile.
  2. Click Next, give the profile a nice, descriptive name, and click Finish.
  3. Make the "default" profile default by clicking Set as default profile under that profile.
  4. Click Launch profile in new browser under the profile you just created.

Tweak about:config

Don't connect to the Tor network. Instead, navigate to about:config in the address bar and click "Accept the Risk and Continue".

Change the following settings. Use the search bar to make things faster.

Option Value Description false Don't try connecting to a site with TLS first false Allow connections to HTTP sites
network.proxy.http* The address of your i2p daemon's proxy
network.proxy.http_port 4444* The port of your i2p daemon's proxy
network.proxy.no_proxies_on (Optional) Connect directly to websites on this address[1]
javascript.enabled false Disable JavaScript
extensions.torlauncher.start_tor false Don't start Tor
extensions.torbutton.local_tor_check false Don't check for a running Tor process
extensions.torbutton.security_slider 1 Set the Tor Browser security level to 'Safest'
extensions.torbutton.use_nontor_proxy true Allow the use of non-tor proxies

* You may need to change this value depending on your i2p setup.

Setting extensions.torbutton.use_nontor_proxy will cause Tor Browser to restart. If you see an error about Torbutton, you can safely ignore it.

  1. ^ This option bypasses the proxy for the selected addresses can be used to access your I2P daemon's status page. Unless you have a good reason, don't set this option to any address other than a loopback address like

Change homepage (optional)

While you're in about:config, you may want to set browser.startup.homepage to about:blank. Alternatively, you could set it to your I2P daemon's status page. For PurpleI2P (i2pd), it's

You probably shouldn't set it to an external site because that information could be used to identify you.

Remove the New Identity button

The Tor New Identity button does nothing if we're not connected to Tor. Let's remove it.

  1. Right-click the top bar and select Customize toolbar.
  2. Click the New Identity (broom icon) button and drag it to the group of other buttons on the left.

Launching the i2p profile

If you made a separate profile for i2p, this is the procedure to start it up.

  1. Start your i2p daemon if necessary.
  2. Launch Tor Browser.
  3. Navigate to about:profiles.
  4. Click Launch profile in new browser under your i2p profile.

Closing note

The Tor Browser is (still) not a silver bullet! In fact, we actually weakened the security of the browser by configuring it to use an i2p proxy.

I could probably write a book about this, but here are some quick "don't"s[2] before I wrap up this post.

  1. ^ I couldn't come up with any "do"s.
  2. ^ If you're going to use outproxies anyway, realize that the outproxy is in a position to snoop on you and minimize the information you're giving to it. Make sure you have an encrypted (HTTPS) connection to the clearnet server. The same rules apply to Tor exit nodes; they can and do snoop on you. However, since Tor rotates circuits regularly and uses a different one for each domain, it's slightly harder for an attacker to get the big picture on what you're doing.

[ ← Disabling Web Search | Notes Index | Ladybird's Current Progress on → ]