I2P Is Not a Tor Replacement. It Is a Separate Anonymous Internet Built for Different Threats.

The Invisible Internet Project operates ~55,000 nodes across a fully self-contained network, routing traffic through bundled garlic messages and unidirectional tunnels to serve journalists, activists, developers, and privacy-sensitive applications that cannot tolerate any connection to the open web.

Key Takeaways

I2P routes traffic exclusively between .i2p services within its own network; it has no exit nodes to the clearnet, making it the correct tool for internal services and the wrong tool for anonymous browsing of regular websites.
Garlic routing bundles multiple encrypted messages into a single transmission, and a four-tunnel unidirectional architecture ensures no single router ever sees both a request and its response, providing traffic-correlation resistance that onion routing alone does not.
The I2P network has approximately 12,000 consistently active nodes and an estimated 30,000 users, compared to Tor's 2+ million daily users; the smaller anonymity set is both a feature trade-off and a statistical vulnerability.
I2P has been actively blocked in China, Iran, Kuwait, Oman, and Qatar using DNS poisoning and TCP injection, while Russia has expanded broad censorship of circumvention tools since 2024.
The project is volunteer-driven, open source under BSD/GPL/MIT/public domain licenses, funded by episodic grants and a 2025 StormyCloud partnership, and receives no government funding, distinguishing it from Tor's historically significant U.S. federal funding.

I2P is a self-contained anonymous internet, not an anonymizing proxy. It is a distinct network of approximately 55,000 volunteer-operated routers that communicate exclusively with each other, carrying no traffic to or from the clearnet through exit nodes. According to the Wikipedia I2P article, the project has operated since 2001, is written in Java with a C++ alternative, and is available in 62 languages across Windows, macOS, Linux, and Android. It solves a different problem than Tor: not anonymous access to the open web, but private, censorship-resistant infrastructure for communications and services that must never touch the public internet.

Garlic Routing Bundles Multiple Encrypted Messages Together to Prevent Traffic Correlation

Garlic routing is the foundational technical distinction between I2P and every other anonymous network in active deployment. Where Tor wraps each message in layers of encryption and routes it through three relays in a fixed circuit, I2P bundles multiple messages, called cloves, into a single garlic message. Each clove carries its own encrypted payload and delivery instructions. According to the official I2P garlic routing documentation, an observer watching the network sees a single encrypted bundle arrive at a router with no visibility into which clove is the primary payload and which are acknowledgments, routing updates, or decoy traffic.

The tunnel architecture adds a second layer of structural protection. I2P creates unidirectional tunnels: an outbound request travels through a four-router outbound tunnel; the response returns through a completely separate four-router inbound tunnel. A full round-trip message therefore traverses four distinct tunnel chains. A single compromised router never observes both sides of a conversation. According to the IVPN technical comparison, I2P uses packet-based routing rather than Tor's circuit-based model, enabling dynamic rerouting around congestion.

Encryption defaults meet current standards. The Wikipedia I2P article documents the default stack as 2048-bit ElGamal for initial key exchange, AES-256-CBC with SHA-256 for session traffic, and Ed25519 for router identity signatures. Deployments since version 0.9.36 have migrated to NTCP2 transport and, from 0.9.47 onward, to ECIES-X25519-AEAD-Ratchet for end-to-end encryption, bringing the cryptographic stack in line with modern forward-secrecy requirements.

The decentralized directory system eliminates one of Tor's structural concentration points. Where Tor relies on trusted directory servers bundled with the client to obtain relay information, I2P uses the NetDB: a distributed hash table maintained across the network by designated floodfill nodes. According to IVPN's comparison, "each router constantly evaluates other routers and shares what it finds," producing a directory that has no central operator who could be compelled or compromised to produce the network's topology.

I2P Has No Exit Nodes, Making It the Right Tool for Internal Services and Wrong for Clearnet Anonymity

The structural difference from Tor is not a capability deficit but a design choice. IVPN's technical comparison defines it precisely: Tor is optimized for anonymous access to the open internet with hidden services as an ancillary benefit; I2P is designed as a network within the internet, with internal services as the primary focus.

This distinction has concrete implications. Users who want to anonymously visit a website on the regular internet need Tor, not I2P. I2P's outbound proxy capability, called an outproxy, is an optional add-on that very few nodes support and that exposes the operating node to the same legal risks as a Tor exit operator. For I2P's designed use cases, an exit node is unnecessary:

Internal websites, called eepsites, accessed at .i2p addresses
File sharing via BitTorrent (built-in Snark client)
End-to-end encrypted email via I2P-Bote
Anonymous IRC and messaging services
Application-layer communication for developers via the SAM (Simple Anonymous Messaging) bridge

Because I2P has no exit nodes, the network avoids one of Tor's most persistent operational risks: exposure of unencrypted traffic at the final hop. A Tor exit operator can observe, and in documented cases has intercepted, unencrypted HTTP traffic between the exit and the destination server. No equivalent attack surface exists in I2P's internal-only model.

The Network Has 12,000 to 55,000 Active Nodes Globally, a Small Anonymity Set Relative to Tor

Network size is the most frequently cited limitation of I2P relative to Tor. Privacy Savvy's 2025 comparison estimates approximately 30,000 active I2P users against Tor's 2+ million daily users. The Wikipedia I2P article places approximately 55,000 computers participating globally, a figure that includes nodes of varying activity levels. A 2025 dataset published in ScienceDirect using the SWARM-I2P framework, which deployed I2P routers as mapping agents, documented over 50,000 nodes with detailed records of bandwidth, latency, and geographic distribution. Independent monitoring at Stats.i2p has recorded approximately 12,000 consistently active nodes.

A smaller anonymity set is a structural statistical risk. An adversary who can monitor a significant fraction of 12,000 to 55,000 nodes has meaningfully better odds of correlating entry and exit traffic than against Tor's pool of relays. This is the primary argument in favor of Tor for high-stakes anonymity needs. However, I2P's decentralized NetDB eliminates the trusted directory server model, which represents a concentration of network knowledge that is absent from I2P's architecture.

Network growth followed censorship demand. According to the I2P 20-year history, the network had approximately 1,000 users in early 2006. Growth accelerated from 2009 onward, driven primarily by demand for censorship circumvention in countries with restricted internet access.

China, Iran, Kuwait, Oman, and Qatar Actively Block I2P Using DNS Poisoning and TCP Injection

State-level censorship of I2P has been measured and documented. A study presented at USENIX FOCI 2019 measured I2P censorship across multiple countries and found active blocking in five: China used DNS poisoning against the I2P main website and three of ten reseed servers. Iran deployed TCP injection of HTTP 403 responses to block the I2P mirror site. Kuwait, Oman, and Qatar also showed evidence of I2P-specific blocking.

Russia has expanded censorship of circumvention tools broadly. The Human Rights Watch 2025 report on Russian internet censorship documents Russia's regulator Roskomnadzor blocking at least 8,700 websites containing information about circumvention tools by April 2025. In March 2024, Russia criminalized dissemination of information about such tools, placing I2P infrastructure in a legally hostile environment.

I2P maintains a Strict Countries list on its official website documenting jurisdictions where participating in routing for others may carry legal risk. Despite censorship of the main website, the network's distributed reseed infrastructure, spread across multiple servers in different jurisdictions, allows new users with alternative bootstrap methods to join even when primary servers are blocked.

I2P Serves Journalists, Activists, Cryptocurrency Users, and Privacy-Sensitive Developers

The user population visible across I2P's internal services reflects a different risk profile from Tor's general anonymity use case. According to Red Dog Security's 2025 analysis, observable I2P communities include FreeVoice, a citizen journalism platform drawing approximately 200 readers per day primarily from countries with press restrictions; ShadowNet, a communications platform with 700-plus registered users and voice chat capability; and Skhranil, a torrent mirror processing approximately 10 TB of downloads per month.

Monero, the privacy-focused cryptocurrency, integrates I2P natively, enabling transaction broadcasts without revealing the originating IP address to the peer-to-peer network. This represents one of the largest deployments of I2P infrastructure outside pure anonymity use cases and has brought a technically literate, operationally motivated user base to the network.

The SAM bridge positions I2P as infrastructure rather than only an end-user tool. Developers can write applications in any language that communicate over I2P without reimplementing the full protocol stack. This is a key differentiator from Tor, which provides SOCKS proxying but does not offer equivalent application-layer API access for building I2P-native services.

The primary audience for I2P groups into four distinct categories:

Journalists and activists in jurisdictions with press restrictions or active internet censorship, who require communication channels that cannot be monitored at an exit node
Developers building applications that require private, censorship-resistant communication infrastructure
Cryptocurrency users requiring IP-level privacy for blockchain transactions, particularly Monero users
File sharers and archivists using the built-in BitTorrent client for content that requires durable, censorship-resistant distribution

I2P Has Real Limitations: Smaller Network, Steep Setup Requirements, and Application Compatibility Constraints

Network size is the primary statistical limitation. An adversary controlling a meaningful fraction of I2P's 12,000 to 55,000 nodes can conduct traffic correlation attacks with greater probability of success than against Tor's substantially larger relay pool. This is not a theoretical limitation but a mathematical consequence of anonymity set size.

Structural vulnerabilities have been discovered and addressed. A 2018 academic study cited in the Wikipedia I2P article demonstrated that strategic placement of malicious routers could achieve 95% peer blockage, effectively partitioning users. A 2014 zero-day allowed de-anonymization before being patched. Metadata leakage through improperly handled LeaseSets has also been documented in prior versions.

The Java client's resource requirements create an adoption barrier on low-powered devices. The default Java implementation requires approximately 200 MB of RAM. The C++ alternative, i2pd, reduces memory use to approximately 50 MB per Red Dog Security's reporting, but trades away some features and interface polish.

Application compatibility requires purpose-built software. Unlike Tor, which can anonymize traffic from virtually any application via a SOCKS proxy, I2P requires applications to be written specifically for the network or configured with dedicated I2P-aware bridges. This creates a significant adoption barrier for non-technical users comparing the two tools.

I2P Traffic Is Detectable During Bootstrapping but Invisible to Traditional IDS Once Operational

During the bootstrapping phase, I2P makes observable, fingerprint-able network calls. A 2019 research paper from the University of Amsterdam (Tim de Boer and Vincent Breider, supervised by Deloitte), Invisible Internet Project (I2P), conducted controlled experiments capturing I2P router traffic across multiple phases. The paper found that during initialization, the router queries 11 hard-coded reseed server domains via DNS, including reseed.i2p.net, i2p.novg.net, i2pseed.creativecowpat.net, and reseed.memcpy.io, all observable by any network monitor. Every HTTP request uses the fixed User-Agent string "Wget/1.11.4". The downloaded seed file is fetched via HTTPS with TLS certificates containing identifiable fingerprints, common names, and validity dates. According to the paper, an IPS or HTTPS proxy can block I2P bootstrapping in a controlled network by blocking these DNS queries, reseed domains, TLS certificate common names, or the User-Agent header.

Once operational, I2P becomes nearly invisible to traditional intrusion detection. The University of Amsterdam study found that after approximately 20 minutes, I2P traffic contains no identifiable parameters in protocol headers. Traffic consists exclusively of TCP and UDP packets with payloads that appear random. Port numbers are drawn from the non-privileged range above port 1023 through the dynamically allocated ranges, changing per session with no single port reused. Traditional signature-based IDS systems cannot identify operational I2P traffic.

Statistical traffic analysis reveals a detectable pattern, but not in real time. The paper demonstrated that I2P message lengths show deterministic clustering rather than the uniform distribution that would result from perfect padding. UDP messages cluster around 50-100 bytes and approximately 300, 500, 600, and 1,100 bytes. TCP messages cluster near 800, 1,000-1,100, and 1,400-1,500 bytes. These patterns correlate with tunnel hop lengths and could theoretically support protocol fingerprinting. However, the paper concludes that detecting this pattern requires analysis of traffic flows over time and is infeasible for real-time IDS enforcement.

Malware has already exploited I2P's operational invisibility. The University of Amsterdam paper documents that I2Ninja, Dyre, and CryptoWall 3.0 used I2P as a covert channel for command and control communications. This dual-use reality means an enterprise security operations center that has not blocked I2P at the bootstrapping phase cannot reliably detect its presence through standard IDS signatures during the operational phase.

Manual bootstrapping bypasses all network-level controls. Even if every reseed domain is blocked at DNS and HTTPS, a user can upload an out-of-band NetDB file obtained through alternative means, bootstrapping the router without any observable network calls to known reseed servers. The paper identifies this as an inherent bypass that network controls alone cannot address.

Background: I2P's 22-Year Development History from Anonymous IRC to Privacy Infrastructure

I2P originated in October 2001 when Lance James, operating under the handle 0x90, launched the Invisible IRC Project as an anonymous communication layer for Freenet users. According to the official I2P Medium article, the founding vision described the project as "an impenetrable neural-network, that is self-driven, self-defenced," built on decentralized peer-to-peer architecture.

jrandom rewrote the codebase in Java in 2003, introduced garlic routing, and renamed the project I2P. A critical transition began in late 2007 when jrandom announced an extended hiatus and subsequently disappeared from the project. A power outage in January 2008 at the primary hosting provider briefly threatened to destroy the source history. Recovery was led by a distributed team with zzz assuming primary development leadership, a role held for over a decade.

Funding has been episodic and independent. The project received a $5,000 donation from DuckDuckGo in 2014, Internews and Open Tech Fund grants in 2018-2019 for usability improvements, and in 2025 the American nonprofit StormyCloud formalized ongoing financial support. I2P operates without a commercial parent and without government funding, a distinction from Tor, which has historically received substantial U.S. federal funding. This independence limits development velocity but eliminates the political and legal pressures that government funding relationships can create.

Key technical milestones include: Secure Semireliable UDP (SSU) for firewall traversal in 2005, the NTCP transport protocol in 2006, NTCP2 in version 0.9.36 (2018), the ECIES-X25519-AEAD-Ratchet encryption overhaul from 0.9.47 onward (2019-2021), and ongoing work toward post-quantum cryptographic primitives. The project has completed 22 years without a second mandatory network-wide "flag day" upgrade since 2006, indicating a stable protocol foundation.