Anxiety about clearnet leakage while browsing eepsites

[eepman]

I am using Mullvad Browser with i2pd on my debian 12 system. Every now and then, I wonder whether the eepsites I visited might be causing the mullvad browser to leak clearnet connections by maliciously or incompetently causing the browser to make clearnet request, essentially voiding my privacy.

Since i2p doesn't have something like Whonix, and since we don't have a sys-whonix 'like solution for i2p (viewtopic.php?t=1243), I can't be sure if my debian system isn't making clearnet connections. In this sense, how realistic is my anxiety? Is disabling javascript inside the browser enough to combat this?

[anikey]

I cut this problem at the root: i run browser in a container (am not using qubes os or anything like that, at least not yet), and use firewall to block all connections from that container except to the necessary i2p router ports.
I know it might be inconvenient but it's still a solution to a problem. Anxiety is gone now, for sure.

P.S it is not recommended to post links without removing the 'sid' url parameter

[eepman]

i run browser in a container (am not using qubes os or anything like that, at least not yet), and use firewall to block all connections from that container except to the necessary i2p router ports.

That's a nice idea. Are you using podman? on debian 12? Would you consider writing some guide describing your setup, so that I can also try and replicate it?

(am not using qubes os or anything like that, at least not yet)

You should check out Qubes-Whonix. It is fantastic. We (as the I2P communuity) should have something like sys-i2p which would be a router qube in QubesOS that would run the i2pd in the background and provide an i2p router connection to other i2p-only qubes.

P.S it is not recommended to post links without removing the 'sid' url parameter

oh shit I didn't know that it was a unique identifier.

[anikey]

It doesn't really matter what you use. You could even use a VM if you wanted to (it would be more secure).
Just install any distro inside the VM/container (henceforth called guest), install the browser, and tell firewall (on the host, not guest, because host firewall cannot be controlled from guest) to allow connections from the guest only to your host. (like drop all packets sent to other IPs or something)
On the host, run i2p router.
In the guest, set the browser to use I2P's proxy.

When you do that, you'll discover that you can't update your guest, because it has no internet connection.
One solution to this problem is:
- identify the guest distro's mirror location(s), probably by looking at the package manager's config
- setup a proxy on your host that allows connections only to the repo urls
- point the package manager to that proxy

Also, when using an http proxy in the browser in such a setup, i have disabled dns in about:config and also removed all references to http urls there (without doing that, it seemed like the browser took a long time to load first page after start).

I heard qubes os also uses VMs, so i guess what i do here is similar to what it does.

[Invizzible]

There was a TAILS I2P-based alternative called Prestium where you'd simply run a live ISO on a flash drive which would help prevent leaks, but unfortunately, it seems as though the project has recently gone dark. Their I2P and clearnet sites are down and their subreddit has also stopped seeing activity, although their last torrent file is still up on Postman. The OS was Arch-based and perhaps it could still be recoverable with updating the mirrors.