blog
2026-04-05
reticulumi2ptorprivacyanonymitymesh-networkingtutorial

Reticulum over I2P and Tor: Maximum Privacy Networking

Route Reticulum traffic through I2P or Tor for maximum privacy. Hide your IP, bypass firewalls, and host globally reachable nodes anonymously.

Reticulum over I2P and Tor: Maximum Privacy Networking

This is Part 11 of a 12-part series on building private, resilient communication networks with Reticulum, LoRa, and associated tools.

Reticulum already encrypts all traffic and provides sender anonymity by default. But when you connect to the network over TCP, your IP address is visible to the transport node you connect to, and to anyone inspecting the connection. If you need to hide the fact that you're using Reticulum at all — or host a globally reachable node without a public IP — routing through I2P or Tor solves both problems.

Why I2P or Tor?

Concern Plain TCP Over I2P/Tor
Message contents visible to network No (encrypted) No (encrypted)
Your IP visible to transport node Yes No
Observer can see you're using Reticulum Yes (port/traffic analysis) No (hidden in I2P/Tor traffic)
Need a public IP to host a node Yes No
Works behind NAT/firewall Outbound only Full bidirectional

Reticulum has a native I2P interface that makes this straightforward. Tor requires a bit more manual setup using TCP tunneling.

Option A: Reticulum over I2P (Recommended)

I2P (Invisible Internet Protocol) is a network layer designed for anonymous communication. It encrypts and mixes traffic through multiple hops, hiding both sender and receiver.

Step 1: Install i2pd

i2pd is a lightweight C++ I2P router. Install it on the same machine running Reticulum:

Debian/Ubuntu:

sudo apt install i2pd

Arch:

sudo pacman -S i2pd

From source or other platforms: See i2pd.website for instructions.

Start and enable the service:

sudo systemctl enable --now i2pd

Give i2pd a few minutes to bootstrap and connect to the I2P network. You can check its status at http://127.0.0.1:7070 (the i2pd web console).

Step 2: Configure the I2P Interface

Add the I2P interface to ~/.reticulum/config:

[[I2P]]
  type = I2PInterface
  enabled = yes
  connectable = yes

That's it. On first start, Reticulum will: 1. Connect to the local i2pd router 2. Generate a persistent I2P destination (a .b32.i2p address) 3. Start listening for inbound connections over I2P

Check rnstatus to see your I2P interface and its address:

rnstatus

The I2P address will also be printed to the log. It looks like:

5urvjicpzi7q3ybztsef4i5ow2aq4soktfj7zedz53s47r54jnqq.b32.i2p

Step 3: Connect to Peers over I2P

To connect to other Reticulum nodes over I2P, add their .b32.i2p addresses as peers:

[[I2P]]
  type = I2PInterface
  enabled = yes
  connectable = yes
  peers = 5urvjicpzi7q3ybztsef4i5ow2aq4soktfj7zedz53s47r54jnqq.b32.i2p

Multiple peers can be comma-separated:

  peers = address1.b32.i2p, address2.b32.i2p, address3.b32.i2p

I2P connections take longer to establish than TCP (seconds to minutes), but once connected they're stable and fully functional.

What You Get with I2P

  • Your IP is hidden from the Reticulum peers you connect to
  • Their IP is hidden from you
  • Traffic is encrypted and mixed through multiple I2P hops — an observer sees I2P traffic, not Reticulum traffic
  • No public IP needed — I2P handles NAT traversal. You can host a globally reachable Reticulum node from behind any firewall
  • Persistent address — your .b32.i2p address stays the same across restarts, so others can always find you

Option B: Reticulum over Tor

Tor provides similar anonymity properties to I2P but uses a different architecture. Reticulum doesn't have a native Tor interface, but you can tunnel TCP connections through Tor using hidden services.

Step 1: Install Tor

Debian/Ubuntu:

sudo apt install tor

Start and enable:

sudo systemctl enable --now tor

Step 2: Create a Tor Hidden Service

Edit /etc/tor/torrc and add:

HiddenServiceDir /var/lib/tor/reticulum/
HiddenServicePort 4965 127.0.0.1:4965

Restart Tor:

sudo systemctl restart tor

Get your .onion address:

sudo cat /var/lib/tor/reticulum/hostname

This gives you something like:

abc123def456ghi789jkl012mno345pqr678stu901vwx234yz.onion

Step 3: Configure Reticulum to Listen

Set up a TCP server on localhost that Tor will forward to:

[[Tor Hidden Service]]
  type = TCPServerInterface
  enabled = yes
  listen_ip = 127.0.0.1
  listen_port = 4965
  i2p_tunneled = yes

The i2p_tunneled = yes option (despite the name) tells Reticulum that this connection is being tunneled through an anonymizing network, which adjusts internal timeouts and reliability mechanisms.

Step 4: Connect to a Tor Hidden Service

On the client side, you need torsocks or configure Tor as a SOCKS proxy:

[[Tor Remote Node]]
  type = TCPClientInterface
  enabled = yes
  target_host = 127.0.0.1
  target_port = 9150
  i2p_tunneled = yes

Alternatively, use torsocks to wrap the entire Reticulum daemon:

torsocks rnsd

This routes all TCP connections through Tor transparently.

I2P vs. Tor for Reticulum

I2P Tor
Native Reticulum support Yes (I2PInterface) No (manual TCP tunneling)
Setup complexity Easy (3 lines of config) Moderate (hidden service setup)
Bidirectional connectivity Built-in Requires hidden service
Latency Higher (garlic routing) Moderate (onion routing)
Network size Smaller Larger
Designed for Peer-to-peer, internal services Accessing clearnet anonymously
Best for Reticulum Hosting nodes, peer connections Connecting to existing Tor-based nodes

Recommendation: Use I2P for Reticulum. The native interface makes it dramatically simpler, and I2P's peer-to-peer architecture is a better fit for Reticulum's design philosophy.

Combining I2P with Other Interfaces

You can run I2P alongside all your other interfaces. A typical privacy-focused transport node might look like:

[reticulum]
  enable_transport = yes

[interfaces]
  # Local network
  [[Default Interface]]
    type = AutoInterface
    enabled = yes

  # Anonymous internet connectivity
  [[I2P]]
    type = I2PInterface
    enabled = yes
    connectable = yes
    peers = peer1.b32.i2p, peer2.b32.i2p

  # Local LoRa radio
  [[RNode LoRa Interface]]
    type = RNodeInterface
    enabled = yes
    port = /dev/ttyUSB0
    frequency = 867200000
    bandwidth = 125000
    txpower = 7
    spreadingfactor = 8
    codingrate = 5

This node is reachable over I2P (anonymously from the internet), over local WiFi, and over LoRa radio — all simultaneously. Traffic is bridged between all interfaces by the transport layer.

Performance Considerations

I2P and Tor add latency: - I2P: Expect 2-10 seconds additional latency per hop through the I2P network - Tor: Expect 1-5 seconds additional latency

For text messaging via LXMF, this is barely noticeable — messages are asynchronous anyway. For interactive page browsing on NomadNet, pages will load a bit slower. For real-time applications, the latency may be significant.

Bandwidth through I2P is also limited compared to direct TCP — typically a few hundred kbps to a few Mbps, depending on I2P network conditions. More than enough for Reticulum's typical use cases.

Threat Model Considerations

Running Reticulum over I2P or Tor protects against: - Network observers seeing your Reticulum traffic - Transport nodes learning your IP address - ISPs or governments identifying you as a Reticulum user

It does not protect against: - Compromised endpoints (if your device is compromised, encryption doesn't help) - Traffic correlation attacks by a global adversary (theoretical, but possible) - Metadata from the Reticulum layer itself (announce patterns, timing)

For most threat models, I2P provides a very strong privacy layer on top of Reticulum's already-strong encryption.

What's Next

In the final guide, we'll put everything together into an emergency communications playbook — a grab-and-go kit with pre-configured hardware that works when all other infrastructure fails.

Previous: [Part 10 — Host a Decentralized Website with NomadNet] Next: [Part 12 — Emergency Comms Playbook: Reticulum for Disaster Preparedness]

← back to index