Alternative GNUnet access

2019-01-06 return to ogiginal hostname

2014-02-07 If you can’t see this notice, you were being blocked

2013-02-07 i18nhtml removed for the time being to allow replacement of mysql with sqlite.


Do note that our hostlist is currently not being updated due to change to different ISP with very low free peak time bandwidth allowance. I.e. 08:00 - 18:00 BST / GMT. It would cost me, until can modify GNUnet to work around this, but this was necessary to get native IPv6 after 4 years of waiting as the Credit Crunch is coming soon… ☺

A special message to Adversaries: Our entire list of known peers is presently available in the hostlist offered here.

We are providing our gnunet hostlist so people can have a point of attachment to GNUnet when you′ve no friends running it. The GNUnet project also provide their own hostlist and hosts.

We used to say we were an alternative to the distributed lists but with only two others out there it would not take much to shut off newcomer access to GNUnet. So we′ve given permission for our list to be distributed.

However, for maximum anonymousness, we recommend, that you use hostlists only from trusted friends, such as whoever introduced you to gnunet, and delete other lists, thus minimising your IP′s exposure to strangers, including us, especially if you′re making classifed information available anonymously. Remember that a powerful adversary may force a node operator to disclose everything they know about you.

To use F2F mode, the key of each friend can be listed, 1 per line in /var/lib/GNUnet/friends. Then add F2F = "/friends" in section [NETWORK] in gnunetd.conf

I am running in modified F2F mode. This is intended to only initiate connections to friends, but accept connections from everyone. It is more conservative than P2P mode (doesn′t thash the mesh) nor offer the possibility of attacking IP addresses that do not run GNUnet. It still allows outsider access if you have the keys of the nodes operating this way.

Techniques for choosing hosts

You can pick a few hosts from GNUnet keys offered on the Internet, for example:

You would download the files you′re interested in, and add them to your hostcache manually, and you can also track the hosts known to a gnunet node by adding their hostlist url to your configuration file. For example, our own hostcache may be easiest accessed by ftp, as programs like wget or the mget command, allow users to copy the entire directory of files, or chosen portions of it. Username will be anonymous or ftp and of course, no password is requested.

We also offer hosts by Gopher+ or even the hostlist

For GNUnet 0.7 up, a new node can often be primed quicker this way, than by waiting for it to try the hostlists, which it is often conservative about to be gentle on them. If, after copying the contents of all the key caches available on the Internet, your node still suffers in performance it may be worth doing this after a while of running: (whilst your node is stopped)

for N in /var/lib/GNUnet/data/hosts/*
        if [ ! -f "/var/lib/GNUnet/data/credit/`basename  | cut -d"." -f1`" ]
                mv $N /var/lib/GNUnet/data/nohosts/`basename $N`

This removes dead peers that have not earnt any credit from your hosts cache, usually forcing GNUnet to try only live peers.

If you wish to be selective about your peers, first stop your node, to avoid direct contact with hosts you don′t wish to know your email/URL/IP address (depending on transport), then download keys of interest. You can then use gnunet-stats to discover the IP addresses of nodes of interest.

If, for example you like to appear in hostlists for maximum gnunet connectivity, just ensure that the key of the node(s) providing the hostlists appears in yout hosts cache. Generally the IP of the webserver offering the hostlist is the same as the node that provides its feed of keys. Give it a higher credit rating by using hexedit on the creditfiles, or just temporarily remove all other keys from your cache to encourage a connection.

You may instead want to avoid appearing in hostlists or host caches for better anonymity. Then you′d remove the key of the host(s) offering the hostlists from your cache. It will also be needed to ensure all the nodes you do peer with then don′t propogate your keys either to such nodes.

They would set HELOEXCHANGE = NO to avoid spreading knowledge of GNUnet contact transports learnt from other GNUnet nodes.

Here are our GNUnet hosts and our GNUnet hostlist

Our hostlist is copied in real time from our hosts cache. Currently we report all our known hosts using the following hostlist.cgi: The extra code here provides hints to any proxies that may be in circuit between the hostlist server and users fetching copies of the hostlist so they can make a more informed decision about caching it.

# This is a CGI script to generate the host list on-demand.
# by Michael Wensley, with minor improvements by Christian Grothoff

# Generate a http date in GMT from the host cache.
export TZ=GMT
LM=`ls -tgoc1 --time-style="+%a, %d %b %Y %T %Z" /var/lib/GNUnet/data/hosts/ |head -n 2|tail -n 1|tr -s " "|cut -d" " -f4-9`
# See if it's newer than what the client / proxy has.
        echo $LM" 1"
        echo $HTTP_IF_MODIFIED_SINCE" 0"
} | { while read WK D M Y T G X; do echo $Y $M $D $T $X; done } | sort | {
        read Y M D T X
        if [ "$X" == "1" ]
                # Assure them that theirs is still the latest.
                echo -ne "Status: 304 Not Modified\r\n\r\n"
                exit 0

# Give them the hostlist.
echo -ne "Last-Modified: $LM\r\n"
echo -ne "Content-Type: application/octet-stream\r\n"
cat /var/lib/GNUnet/data/hosts/*.{6,8,12,17,23,25} | /usr/local/sbin/lengen --http

It is imported into the configuration of Apache like so:

<location /hostlist>
	SetHandler cgi-script

Rather than information about fake mimetypes such as x-http-cgi ☹ all negotiation is now handled by our cgi ☺

Here are some example 0.6 hosts, and their keys.
CB6DB904F1C519D30317470193B701D014703004 is
A57029281B9A8A94BFBC7A87C4AD5414515A25ED was

Building extra features into GNUnet

Standard Debian GNUnet comes with quite a few features disabled. You can easily turn them on. We recommend you upgrade to the corresponding latest binary release first. You may wish to temporarily disable GNUnet first with /etc/default/gnunet until potential anonymity breaking features in a replaced /etc/gnunet.conf are disabled, such as direct IP communication with machines you don\′t absolutely trust. e.g. hostlist retrieval from master servers not under the control of friends.

Personally I have apt setup to provide all releases

This ensures that anxilliary files such as /etc/gnunet.conf are up to date. Check that GNUnet works properly, with anonymity settings you are comfortable with, then move on. Now, make an empty directory e.g. mkdir gnunet and step inside it, followed by apt-get source gnunet. This will download the source. The directory created will bear the release′s name. Go inside. Now you can edit the file debian/rules to dictate what will actually be built. Change --disable-ipv6 to --enable-ipv6 and each --without-whatever to --with-whatever=/usr

Examples of other dependencies needed during build
Switch Dependency
--enable-mysql libmysqlclient-dev
--enable-sqlite libsqlite-dev

Using MySQL will want mysql-server and mysql-client

At this point the source tree is configured. You may wish to edit the source files themselves. You could also change the cost of the various transports. For example, to encourage the use of IPv6, drop the cost of UDP6 and TCP6 to, say, 50 in the files src/transports/udp6.c and src/transports/tcp6.c near the bottom.

SMTP Transport

To setup SMTP, perhaps the easiest way is to use a dedicated e-mail address, matching the user GNUnet runs under. You do not need procmail for this as suggested in the main FAQ, as a simple forward file will do it under the Exim MTA at least. I make /var/lib/GNUnet the home of user gnunet firstly and ensure this username can receive email even if other system users are prevented.

Then put |/bin/bash -c "/bin/cat > /var/lib/GNUnet/gnunet.smtp" into the file /var/lib/GNUnet/.forward, and ensure it is owned by user and group gnunet:

This causes mail to be written to the gnunet.smtp pipe instead of gnunet′s mailbox. To store messages in user gnunet′s mailbox as well, the forward file begins like \gnunet, |/bin/bash... which you normally would not want for gnunet.

On exim, to blacklist other system users such as mail and www-data from junkmail you can write a file /etc/exim4/realmailusers containing one username per line that accepts email.

It can be referenced by inserting local_parts = lsearch;/etc/exim4/realmailusers into the file /etc/exim4/conf.d/router/900_exim4-config_local_user

Patch files

For example, these are the patch files I have applied locally to my GNUnet sources
Release Patchfile
0.6.5 changes-0.6.5.diff
0.6.6a changes-0.6.6a.diff
0.6.6b changes-0.6.6b.diff
0.7.0 changes-0.7.0.diff

To actually compile is nice and simple, but you might like to investigate the package pentium-builder to build code optimised for your processor, whether it is a pentium or not. (Adding export DEBIAN_BUILDARCH=athlon-xp to your ~/.bashrc to build for Athlon XP for example) making sure it is set in your Environment for it to be effective.

See -march settings for examples.

To compile execute: nice -10 dpkg-buildpackage -rfakeroot maybe inside screen so you can detach from it and let it run once it gets going. You may be asked to install some packages, usually whatever-dev compilation headers. So install them, then repeat the command.

Hopefully it compiled witout error. If not you can fix it and re-run the command. You need root for the actual install. cd .. become root with su, then dpkg -i gnunet_version.deb gnunet-gtk_version.deb. I usually install them together as they are related.

One final note: If you are using MySQL, you need to ensure it starts before GNUnet. You can rename files in /etc/rcX.d/ to achieve this.

For GNUnet 0.65 and up

For GNUnet 0.65 and above, it runs as user gnunet instead of root. To use a mysql server on the same machine, you could set this user′s home directory to be /var/lib/GNUnet and in there write a such as:


And do GRANT ALL ON gnunet.* TO gnunet@localhost IDENTIFIED BY 'password';

If you migrate gnunet between machines and like to keep its earned credit, copy across the /var/lib/GNUnet/ directory, including /var/lib/GNUnet/.hostkey file, which contains your node′s private key and public key. Usually when gnunet starts, it generates a public key in the hostcache from that and is then distributed to other nodes.