Bob Mottram 2017-09-27 18:01:04 +01:00
commit 2e10444237
9 changed files with 1233 additions and 129 deletions

doc/EN/app_vpn.org Normal file

@ -0,0 +1,83 @@
#+TITLE:
#+AUTHOR: Bob Mottram
#+EMAIL: bob@freedombone.net
#+KEYWORDS: freedombone, openvpn
#+DESCRIPTION: How to use OpenVPN on Freedombone
#+OPTIONS: ^:nil toc:nil
#+HTML_HEAD: <link rel="stylesheet" type="text/css" href="freedombone.css" />
#+BEGIN_CENTER
[[file:images/logo.png]]
#+END_CENTER
#+BEGIN_EXPORT html
<center>
<h1>OpenVPN</h1>
</center>
#+END_EXPORT
#+begin_quote
"/The Net interprets censorship as damage and routes around it./" -- John Gilmore
#+end_quote
A Virtual Private Network (VPN) allows you to move your internet traffic to a different machine in a different geographical location by creating a private cryptographically protected route to that location. The usual use cases are to get around local censorship of the internet such as when you see the message "/this content is not available in your area/" when trying to play a video. Maybe you're on holiday and your hotel or workplace internet connection is censored. Using a VPN you can connect to your home server and then use the internet normally.
Using a Tor browser is another way to get around censorship, but there might be occasions where you don't want to use a Tor browser or where Tor relays and bridges are blocked or where you want to run internet apps which aren't within a browser.
On Freedombone the VPN is wrapped within a TLS layer of encryption, making it difficult for any deep packet inspection systems to know whether you are using a VPN or not. Since there is lots of TLS traffic on the internet your connection looks like any other TLS connection to a server, and this may help to avoid being censored. It's probably not possible for your local ISP to block TLS traffic without immediately generating a lot of irate customers, and stopping any kind of commercial activity.
* Installation
ssh into the system with:
#+BEGIN_SRC bash
ssh myusername@mydomainname -p 2222
#+END_SRC
Select *Administrator controls* then *Add/Remove apps* then *vpn*. Choose the port which you want the VPN to operate on and then the install will continue.
Only use ports 443 or 80 for VPN as an /absolute last resort/, since doing so will prevent other web based apps from running on your server.
* Usage
When the installation is complete you can download your VPN keys and configuration files onto your local machine.
#+begin_src bash
scp -P 2222 myusername@mydomainname:/home/myusername/client.ovpn .
scp -P 2222 myusername@mydomainname:/home/myusername/stunnel* .
#+end_src
You will need to ensure that the /openvpn/ and /stunnel/ packages are installed. On an Arch based system:
#+begin_src bash
sudp pacman -S openvpn stunnel4
#+end_src
Or on a Debian based system:
#+begin_src bash
sudo apt-get install openvpn stunnel4
#+end_src
Now you can connect to your VPN with:
#+begin_src bash
sudo stunnel stunnel-client.conf
sudo openvpn client.ovpn
#+end_src
You should see a series of messages with "/Initialization Sequence Completed/" showing at the end. Leave the terminal open and perhaps minimize it to remain connected to the VPN. To leave the VPN close the terminal window.
* Changing port number
Avoiding censorship can be a cat and mouse game, and so if the port you're using for VPN gets blocked then you may want to change it.
#+BEGIN_SRC bash
ssh myusername@mydomainname -p 2222
#+END_SRC
Select *Administrator controls* then *App Settings* then *vpn*. Choose *Change TLS port* and enter a new port value. You can then either manually change the port within your VPN configuration files, or download them again as described in the [[Usage]] section above.
* Generating new keys
It's possible that your VPN keys might get lost or compromised on your local machine. If that happens you can generate new ones from the *Administrator controls* by going to *App Settings* then *vpn* then choosing *Regenerate keys for a user* and downloading the new keys as described in the [[Usage]] section above.
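Review bot: the Arch install step `sudp pacman -S openvpn stunnel4` has a typo in `sudp` and uses the Debian package name; the Arch package is `stunnel`, so the line should read `sudo pacman -S openvpn stunnel`. The `#+TITLE:` line is empty, which is why the exported website/EN/app_vpn.html in this same commit carries `<title>&lrm;</title>`; set it to `OpenVPN` to match the `<h1>`. The Usage section says closing the terminal leaves the VPN, but `sudo stunnel stunnel-client.conf` detaches into the background by default, so the TLS tunnel keeps running after the terminal is closed; either add `foreground = yes` to the generated stunnel-client.conf or document how to stop stunnel. The text allows port 80 "as an absolute last resort", yet install_stunnel and vpn_change_tls_port in this commit only stop nginx when the port is 443, so choosing 80 leaves stunnel and nginx contending for the same port; either restrict the advice to 443 or handle 80 the same way in the code.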


@ -154,6 +154,10 @@ A system for privately creating and sharing notes and images, similar to Evernot
* Vim
If you use the Mutt client to read your email then this will set it up to use vim for composing new mail.
* Virtual Private Network (VPN)
Set up a VPN on your server so that you can bypass local internet censorship.
[[./app_vpn.html][How to use it]]
* XMPP
Chat server which can be used together with client such as Gajim or Conversations to provide end-to-end content security and also onion routed metadata security. Includes advanced features such as /client state notification/ to save battery power on your mobile devices, support for seamless roaming between networks and /message carbons/ so that you can receive the same messages while being simultaneously logged in to your account on more than one device.


@ -49,7 +49,7 @@ HOSTNAME=
remove_cert=
LETSENCRYPT_HOSTNAME=
COUNTRY_CODE="US"
AREA="Free Speech Zone"
AREA="Apparent Free Speech Zone"
LOCATION="Freedomville"
ORGANISATION="Freedombone"
UNIT="Freedombone Unit"


@ -9,11 +9,14 @@
# Freedom in the Cloud
#
# VPN functions
# https://www.digitalocean.com/community/tutorials/how-to-set-up-an-openvpn-server-on-debian-8
# https://jamielinux.com/blog/force-all-network-traffic-through-openvpn-using-iptables/
# http://www.farrellf.com/projects/software/2016-05-04_Running_a_VPN_Server_with_OpenVPN_and_Stunnel/index_.php
#
# License
# =======
#
# Copyright (C) 2014-2016 Bob Mottram <bob@freedombone.net>
# Copyright (C) 2014-2017 Bob Mottram <bob@freedombone.net>
#
# This program is free software: you can redistribute it and/or modify
# it under the terms of the GNU Affero General Public License as published by
@ -28,12 +31,31 @@
# You should have received a copy of the GNU Affero General Public License
# along with this program. If not, see <http://www.gnu.org/licenses/>.
VARIANTS=''
VARIANTS='full full-vim'
IN_DEFAULT_INSTALL=0
SHOW_ON_ABOUT=0
vpn_variables=()
OPENVPN_SERVER_NAME="server"
OPENVPN_KEY_FILENAME='client.ovpn'
VPN_COUNTRY_CODE="US"
VPN_AREA="Apparent Free Speech Zone"
VPN_LOCATION="Freedomville"
VPN_ORGANISATION="Freedombone"
VPN_UNIT="Freedombone Unit"
STUNNEL_PORT=3439
VPN_TLS_PORT=553
vpn_variables=(MY_EMAIL_ADDRESS
DEFAULT_DOMAIN_NAME
MY_USERNAME
VPN_COUNTRY_CODE
VPN_AREA
VPN_LOCATION
VPN_ORGANISATION
VPN_UNIT
VPN_TLS_PORT)
function logging_on_vpn {
echo -n ''
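Review bot: `STUNNEL_PORT=3439` and `VPN_TLS_PORT=553` are undocumented, and they play very different roles (the first is the port the client-side stunnel listens on locally, which the generated client.ovpn's `remote localhost` line depends on; the second is the public TLS port on the server), so a one-line comment on each would save the next reader from confusing them. The 553 default is also repeated in install_interactive_vpn (`if [ ! $VPN_TLS_PORT ]; then VPN_TLS_PORT=553`); keep a single source of truth here.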
@ -44,10 +66,135 @@ function logging_off_vpn {
}
function install_interactive_vpn {
echo -n ''
read_config_param VPN_TLS_PORT
if [ ! $VPN_TLS_PORT ]; then
VPN_TLS_PORT=553
fi
VPN_DETAILS_COMPLETE=
while [ ! $VPN_DETAILS_COMPLETE ]
do
data=$(tempfile 2>/dev/null)
trap "rm -f $data" 0 1 2 5 15
currtlsport=$(grep 'VPN_TLS_PORT' temp.cfg | awk -F '=' '{print $2}')
if [ $currtlsport ]; then
VPN_TLS_PORT=$currtlsport
fi
dialog --backtitle $"Freedombone Configuration" \
--title $"VPN Configuration" \
--form $"\nPlease enter your VPN details. Changing the port to 443 will help defend against censorship but will prevent other web apps from running." 12 65 1 \
$"TLS port:" 1 1 "$VPN_TLS_PORT" 1 12 5 5 \
2> $data
sel=$?
case $sel in
1) exit 1;;
255) exit 1;;
esac
tlsport=$(cat $data | sed -n 1p)
if [ ${#tlsport} -gt 1 ]; then
if [[ "$tlsport" != *' '* && "$tlsport" != *'.'* ]]; then
VPN_TLS_PORT="$tlsport"
VPN_DETAILS_COMPLETE="yes"
write_config_param "VPN_TLS_PORT" "$VPN_TLS_PORT"
fi
fi
done
clear
APP_INSTALLED=1
}
function vpn_change_tls_port {
EXISTING_VPN_TLS_PORT=$VPN_TLS_PORT
data=$(tempfile 2>/dev/null)
trap "rm -f $data" 0 1 2 5 15
dialog --title $"VPN Configuration" \
--backtitle $"Freedombone Control Panel" \
--inputbox $'Change TLS port' 10 50 $VPN_TLS_PORT 2>$data
sel=$?
case $sel in
0)
tlsport=$(<$data)
if [ ${#tlsport} -gt 0 ]; then
if [[ "$tlsport" != "$EXISTING_VPN_TLS_PORT" ]]; then
clear
VPN_TLS_PORT=$tlsport
write_config_param "VPN_TLS_PORT" "$VPN_TLS_PORT"
sed -i "s|accept =.*|accept = $VPN_TLS_PORT|g" /etc/stunnel/stunnel.conf
sed -i "s|accept =.*|accept = $VPN_TLS_PORT|g" /etc/stunnel/stunnel-client.conf
for d in /home/*/ ; do
USERNAME=$(echo "$d" | awk -F '/' '{print $3}')
if [ -f /home/$USERNAME/stunnel-client.conf ]; then
cp /etc/stunnel/stunnel-client.conf /home/$USERNAME/stunnel-client.conf
chown $USERNAME:$USERNAME /home/$USERNAME/stunnel-client.conf
fi
done
if [ $VPN_TLS_PORT -eq 443 ]; then
systemctl stop nginx
systemctl disable nginx
else
systemctl enable nginx
systemctl restart nginx
fi
systemctl restart stunnel
dialog --title $"VPN Configuration" \
--msgbox $"TLS port changed to $VPN_TLS_PORT" 6 60
fi
fi
;;
esac
}
function vpn_regenerate_client_keys {
data=$(tempfile 2>/dev/null)
trap "rm -f $data" 0 1 2 5 15
dialog --title $"Regenerate VPN keys for a user" \
--backtitle $"Freedombone Control Panel" \
--inputbox $'username' 10 50 2>$data
sel=$?
case $sel in
0)
USERNAME=$(<$data)
if [ ${#USERNAME} -gt 0 ]; then
if [ -d /home/$USERNAME ]; then
clear
create_user_vpn_key $USERNAME
dialog --title $"Regenerate VPN keys for a user" \
--msgbox $"VPN keys were regenerated for $USERNAME" 6 60
fi
fi
;;
esac
}
function configure_interactive_vpn {
read_config_param VPN_TLS_PORT
while true
do
data=$(tempfile 2>/dev/null)
trap "rm -f $data" 0 1 2 5 15
dialog --backtitle $"Freedombone Control Panel" \
--title $"VPN Configuration" \
--radiolist $"Choose an operation:" 13 70 3 \
1 $"Change TLS port (currently $VPN_TLS_PORT)" off \
2 $"Regenerate keys for a user" off \
3 $"Exit" on 2> $data
sel=$?
case $sel in
1) return;;
255) return;;
esac
case $(cat $data) in
1) vpn_change_tls_port;;
2) vpn_regenerate_client_keys;;
3) break;;
esac
done
}
function reconfigure_vpn {
echo -n ''
}
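Review bot: the second sed in vpn_change_tls_port rewrites the wrong line of /etc/stunnel/stunnel-client.conf. In the client config `accept` is the local listen port (`accept = $STUNNEL_PORT`) and the server port lives in `connect = $DEFAULT_DOMAIN_NAME:$VPN_TLS_PORT`, so after a port change the client configs copied into /home/*/ listen on the new TLS port locally and still connect to the old one, and client.ovpn's `remote localhost 3439` no longer matches either; it should be `sed -i "s|connect =.*|connect = $DEFAULT_DOMAIN_NAME:$VPN_TLS_PORT|g" /etc/stunnel/stunnel-client.conf`. The port change also never touches the firewall, while install_vpn does `firewall_add VPN-TLS $VPN_TLS_PORT tcp`; mirror that with `firewall_remove VPN-TLS $EXISTING_VPN_TLS_PORT` and a `firewall_add` for the new port, otherwise the old port stays open and the new one is not opened. Input validation in install_interactive_vpn only rejects spaces and dots, so non-numeric input reaches `[ $VPN_TLS_PORT -eq 443 ]` and the sed; check `[[ "$tlsport" =~ ^[0-9]+$ ]]` and a 1-65535 range in both functions (and note that `${#tlsport} -gt 1` silently rejects single-digit ports). `grep 'VPN_TLS_PORT' temp.cfg` reads a relative path that depends on the caller's working directory. Finally, vpn_regenerate_client_keys creates a new certificate but does not revoke the old one, even though the documented use case is a lost or compromised key; the old certificate remains valid until expiry unless easy-rsa's `revoke-full` is run and server.conf carries a `crl-verify` entry.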
@ -57,40 +204,457 @@ function upgrade_vpn {
}
function backup_local_vpn {
echo -n ''
for d in /home/*/ ; do
USERNAME=$(echo "$d" | awk -F '/' '{print $3}')
if [ -f /home/$USERNAME/$OPENVPN_KEY_FILENAME ]; then
cp /home/$USERNAME/$OPENVPN_KEY_FILENAME /etc/openvpn/easy-rsa/keys/${USERNAME}_${OPENVPN_KEY_FILENAME}
fi
done
function_check backup_directory_to_usb
backup_directory_to_usb /etc/openvpn/easy-rsa/keys vpn
backup_directory_to_usb /etc/stunnel vpnstunnel
}
function restore_local_vpn {
echo -n ''
temp_restore_dir=/root/tempvpn
restore_directory_from_usb $temp_restore_dir vpn
if [ -d ${temp_restore_dir} ]; then
cp -r ${temp_restore_dir}/* /etc/openvpn/easy-rsa/keys
cp -r ${temp_restore_dir}/${OPENVPN_SERVER_NAME}* /etc/openvpn/
cp -r ${temp_restore_dir}/dh* /etc/openvpn/
rm -rf ${temp_restore_dir}
for d in /home/*/ ; do
USERNAME=$(echo "$d" | awk -F '/' '{print $3}')
if [ -f /etc/openvpn/easy-rsa/keys/${USERNAME}_${OPENVPN_KEY_FILENAME} ]; then
cp /etc/openvpn/easy-rsa/keys/${USERNAME}_${OPENVPN_KEY_FILENAME} /home/$USERNAME/$OPENVPN_KEY_FILENAME
chown $USERNAME:$USERNAME /home/$USERNAME/$OPENVPN_KEY_FILENAME
fi
done
fi
temp_restore_dir=/root/tempvpnstunnel
restore_directory_from_usb $temp_restore_dir vpnstunnel
if [ -d ${temp_restore_dir} ]; then
cp -r ${temp_restore_dir}/* /etc/stunnel
rm -rf ${temp_restore_dir}
for d in /home/*/ ; do
USERNAME=$(echo "$d" | awk -F '/' '{print $3}')
if [ -f /home/$USERNAME/stunnel.pem ]; then
cp /etc/stunnel/stunnel.pem /home/$USERNAME/stunnel.pem
chown $USERNAME:$USERNAME /home/$USERNAME/stunnel.pem
fi
if [ -f /home/$USERNAME/stunnel.p12 ]; then
cp /etc/stunnel/stunnel.p12 /home/$USERNAME/stunnel.p12
chown $USERNAME:$USERNAME /home/$USERNAME/stunnel.p12
fi
done
fi
}
function backup_remote_vpn {
echo -n ''
for d in /home/*/ ; do
USERNAME=$(echo "$d" | awk -F '/' '{print $3}')
if [ -f /home/$USERNAME/$OPENVPN_KEY_FILENAME ]; then
cp /home/$USERNAME/$OPENVPN_KEY_FILENAME /etc/openvpn/easy-rsa/keys/${USERNAME}_${OPENVPN_KEY_FILENAME}
fi
done
function_check backup_directory_to_friend
backup_directory_to_friend /etc/openvpn/easy-rsa/keys vpn
backup_directory_to_friend /etc/stunnel vpnstunnel
}
function restore_remote_vpn {
echo -n ''
temp_restore_dir=/root/tempvpn
restore_directory_from_friend $temp_restore_dir vpn
if [ -d ${temp_restore_dir} ]; then
cp -r ${temp_restore_dir}/* /etc/openvpn/easy-rsa/keys
cp -r ${temp_restore_dir}/${OPENVPN_SERVER_NAME}* /etc/openvpn/
cp -r ${temp_restore_dir}/dh* /etc/openvpn/
rm -rf ${temp_restore_dir}
for d in /home/*/ ; do
USERNAME=$(echo "$d" | awk -F '/' '{print $3}')
if [ -f /etc/openvpn/easy-rsa/keys/${USERNAME}_${OPENVPN_KEY_FILENAME} ]; then
cp /etc/openvpn/easy-rsa/keys/${USERNAME}_${OPENVPN_KEY_FILENAME} /home/$USERNAME/$OPENVPN_KEY_FILENAME
chown $USERNAME:$USERNAME /home/$USERNAME/$OPENVPN_KEY_FILENAME
fi
done
fi
temp_restore_dir=/root/tempvpnstunnel
restore_directory_from_friend $temp_restore_dir vpnstunnel
if [ -d ${temp_restore_dir} ]; then
cp -r ${temp_restore_dir}/* /etc/stunnel
rm -rf ${temp_restore_dir}
for d in /home/*/ ; do
USERNAME=$(echo "$d" | awk -F '/' '{print $3}')
if [ -f /home/$USERNAME/stunnel.pem ]; then
cp /etc/stunnel/stunnel.pem /home/$USERNAME/stunnel.pem
chown $USERNAME:$USERNAME /home/$USERNAME/stunnel.pem
fi
if [ -f /home/$USERNAME/stunnel.p12 ]; then
cp /etc/stunnel/stunnel.p12 /home/$USERNAME/stunnel.p12
chown $USERNAME:$USERNAME /home/$USERNAME/stunnel.p12
fi
done
fi
}
function remove_vpn {
apt-get -yq remove --purge fastd
systemctl stop stunnel
systemctl disable stunnel
rm /etc/systemd/system/stunnel.service
systemctl stop openvpn
if [ $VPN_TLS_PORT -ne 443 ]; then
firewall_remove VPN-TLS $VPN_TLS_PORT
else
systemctl enable nginx
systemctl restart nginx
fi
apt-get -yq remove --purge fastd openvpn easy-rsa
apt-get -yq remove stunnel4
if [ -d /etc/openvpn ]; then
rm -rf /etc/openvpn
fi
firewall_disable_vpn
echo 0 > /proc/sys/net/ipv4/ip_forward
sed -i 's|net.ipv4.ip_forward=.*|net.ipv4.ip_forward=0|g' /etc/sysctl.conf
remove_completion_param install_vpn
# remove any client keys
for d in /home/*/ ; do
USERNAME=$(echo "$d" | awk -F '/' '{print $3}')
if [ -f /home/$USERNAME/$OPENVPN_KEY_FILENAME ]; then
shred -zu /home/$USERNAME/$OPENVPN_KEY_FILENAME
fi
rm /home/$USERNAME/stunnel*
done
userdel -f vpn
groupdel -f vpn
if [ -d /etc/stunnel ]; then
rm -rf /etc/stunnel
fi
}
function create_user_vpn_key {
username=$1
if [ ! -d /home/$username ]; then
return
fi
echo $"Creating VPN key for $username"
cd /etc/openvpn/easy-rsa
if [ -f /etc/openvpn/easy-rsa/keys/$username.crt ]; then
rm /etc/openvpn/easy-rsa/keys/$username.crt
fi
if [ -f /etc/openvpn/easy-rsa/keys/$username.key ]; then
rm /etc/openvpn/easy-rsa/keys/$username.key
fi
if [ -f /etc/openvpn/easy-rsa/keys/$username.csr ]; then
rm /etc/openvpn/easy-rsa/keys/$username.csr
fi
sed -i 's| --interact||g' build-key
./build-key "$username"
if [ ! -f /etc/openvpn/easy-rsa/keys/$username.crt ]; then
echo $'VPN user cert not generated'
exit 783528
fi
user_cert=$(cat /etc/openvpn/easy-rsa/keys/$username.crt)
if [ ${#user_cert} -lt 10 ]; then
cat /etc/openvpn/easy-rsa/keys/$username.crt
echo $'User cert generation failed'
exit 634659
fi
if [ ! -f /etc/openvpn/easy-rsa/keys/$username.key ]; then
echo $'VPN user key not generated'
exit 682523
fi
user_key=$(cat /etc/openvpn/easy-rsa/keys/$username.key)
if [ ${#user_key} -lt 10 ]; then
cat /etc/openvpn/easy-rsa/keys/$username.key
echo $'User key generation failed'
exit 285838
fi
user_vpn_cert_file=/home/$username/$OPENVPN_KEY_FILENAME
echo 'client' > $user_vpn_cert_file
echo 'dev tun' >> $user_vpn_cert_file
echo 'proto tcp' >> $user_vpn_cert_file
echo "remote localhost $STUNNEL_PORT" >> $user_vpn_cert_file
echo "route $DEFAULT_DOMAIN_NAME 255.255.255.255 net_gateway" >> $user_vpn_cert_file
echo 'resolv-retry infinite' >> $user_vpn_cert_file
echo 'nobind' >> $user_vpn_cert_file
echo 'tun-mtu 1500' >> $user_vpn_cert_file
echo 'tun-mtu-extra 32' >> $user_vpn_cert_file
echo 'mssfix 1450' >> $user_vpn_cert_file
echo 'persist-key' >> $user_vpn_cert_file
echo 'persist-tun' >> $user_vpn_cert_file
echo 'auth-nocache' >> $user_vpn_cert_file
echo 'remote-cert-tls server' >> $user_vpn_cert_file
echo 'comp-lzo' >> $user_vpn_cert_file
echo 'verb 3' >> $user_vpn_cert_file
echo '' >> $user_vpn_cert_file
echo '<ca>' >> $user_vpn_cert_file
cat /etc/openvpn/ca.crt >> $user_vpn_cert_file
echo '</ca>' >> $user_vpn_cert_file
echo '<cert>' >> $user_vpn_cert_file
cat /etc/openvpn/easy-rsa/keys/$username.crt >> $user_vpn_cert_file
echo '</cert>' >> $user_vpn_cert_file
echo '<key>' >> $user_vpn_cert_file
cat /etc/openvpn/easy-rsa/keys/$username.key >> $user_vpn_cert_file
echo '</key>' >> $user_vpn_cert_file
chown $username:$username $user_vpn_cert_file
# keep a backup
cp $user_vpn_cert_file /etc/openvpn/easy-rsa/keys/$username.ovpn
#rm /etc/openvpn/easy-rsa/keys/$username.crt
#rm /etc/openvpn/easy-rsa/keys/$username.csr
shred -zu /etc/openvpn/easy-rsa/keys/$username.key
echo $"VPN key created at $user_vpn_cert_file"
}
function add_user_vpn {
new_username="$1"
new_user_password="$2"
create_user_vpn_key $new_username
if [ -f /etc/stunnel/stunnel.pem ]; then
cp /etc/stunnel/stunnel.pem /home/$new_username/stunnel.pem
chown $new_username:$new_username /home/$new_username/stunnel.pem
fi
if [ -f /etc/stunnel/stunnel.p12 ]; then
cp /etc/stunnel/stunnel.p12 /home/$new_username/stunnel.p12
chown $new_username:$new_username /home/$new_username/stunnel.p12
fi
cp /etc/stunnel/stunnel-client.conf /home/$new_username/stunnel-client.conf
chown $new_username:$new_username /home/$new_username/stunnel-client.conf
}
function remove_user_vpn {
new_username="$1"
}
function install_stunnel {
apt-get -yq install stunnel4
cd /etc/stunnel
openssl req -x509 -nodes -days 3650 -sha256 \
-subj "/O=$VPN_ORGANISATION/OU=$VPN_UNIT/C=$VPN_COUNTRY_CODE/ST=$VPN_AREA/L=$VPN_LOCATION/CN=$HOSTNAME" \
-newkey rsa:2048 -keyout key.pem \
-out cert.pem
if [ ! -f key.pem ]; then
echo $'stunnel key not created'
exit 793530
fi
if [ ! -f cert.pem ]; then
echo $'stunnel cert not created'
exit 204587
fi
chmod 400 key.pem
chmod 640 cert.pem
cat key.pem cert.pem >> stunnel.pem
chmod 640 stunnel.pem
openssl pkcs12 -export -out stunnel.p12 -inkey key.pem -in cert.pem -passout pass:
if [ ! -f stunnel.p12 ]; then
echo $'stunnel pkcs12 not created'
exit 639353
fi
chmod 640 stunnel.p12
echo 'chroot = /var/lib/stunnel4' > stunnel.conf
echo 'pid = /stunnel4.pid' >> stunnel.conf
echo 'setuid = stunnel4' >> stunnel.conf
echo 'setgid = stunnel4' >> stunnel.conf
echo 'socket = l:TCP_NODELAY=1' >> stunnel.conf
echo 'socket = r:TCP_NODELAY=1' >> stunnel.conf
echo 'cert = /etc/stunnel/stunnel.pem' >> stunnel.conf
echo '[openvpn]' >> stunnel.conf
echo "accept = $VPN_TLS_PORT" >> stunnel.conf
echo 'connect = localhost:1194' >> stunnel.conf
echo 'cert = /etc/stunnel/stunnel.pem' >> stunnel.conf
sed -i 's|ENABLED=.*|ENABLED=1|g' /etc/default/stunnel4
echo '[openvpn]' > stunnel-client.conf
echo 'client = yes' >> stunnel-client.conf
echo "accept = $STUNNEL_PORT" >> stunnel-client.conf
echo "connect = $DEFAULT_DOMAIN_NAME:$VPN_TLS_PORT" >> stunnel-client.conf
echo 'cert = stunnel.pem' >> stunnel-client.conf
echo '[Unit]' > /etc/systemd/system/stunnel.service
echo 'Description=SSL tunnel for network daemons' >> /etc/systemd/system/stunnel.service
echo 'Documentation=man:stunnel https://www.stunnel.org/docs.html' >> /etc/systemd/system/stunnel.service
echo 'DefaultDependencies=no' >> /etc/systemd/system/stunnel.service
echo 'After=network.target' >> /etc/systemd/system/stunnel.service
echo 'After=syslog.target' >> /etc/systemd/system/stunnel.service
echo '' >> /etc/systemd/system/stunnel.service
echo '[Install]' >> /etc/systemd/system/stunnel.service
echo 'WantedBy=multi-user.target' >> /etc/systemd/system/stunnel.service
echo 'Alias=stunnel.target' >> /etc/systemd/system/stunnel.service
echo '' >> /etc/systemd/system/stunnel.service
echo '[Service]' >> /etc/systemd/system/stunnel.service
echo 'Type=forking' >> /etc/systemd/system/stunnel.service
echo 'RuntimeDirectory=stunnel' >> /etc/systemd/system/stunnel.service
echo 'EnvironmentFile=-/etc/stunnel/stunnel.conf' >> /etc/systemd/system/stunnel.service
echo 'ExecStart=/usr/bin/stunnel /etc/stunnel/stunnel.conf' >> /etc/systemd/system/stunnel.service
echo 'ExecStop=/usr/bin/killall -9 stunnel' >> /etc/systemd/system/stunnel.service
echo 'RemainAfterExit=yes' >> /etc/systemd/system/stunnel.service
if [ $VPN_TLS_PORT -eq 443 ]; then
systemctl stop nginx
systemctl disable nginx
else
systemctl enable nginx
systemctl restart nginx
fi
systemctl enable stunnel
systemctl daemon-reload
systemctl start stunnel
cp /etc/stunnel/stunnel.pem /home/$MY_USERNAME/stunnel.pem
cp /etc/stunnel/stunnel.p12 /home/$MY_USERNAME/stunnel.p12
cp /etc/stunnel/stunnel-client.conf /home/$MY_USERNAME/stunnel-client.conf
chown $MY_USERNAME:$MY_USERNAME /home/$MY_USERNAME/stunnel*
}
function install_vpn {
if ! grep -q "repo.universe-factory.net" /etc/apt/sources.list; then
echo 'deb http://repo.universe-factory.net/debian/ sid main' >> /etc/apt/sources.list
gpg --keyserver pgpkeys.mit.edu --recv-key 16EF3F64CB201D9C
if [ ! "$?" = "0" ]; then
exit 76272
apt-get -yq install fastd openvpn easy-rsa
groupadd vpn
useradd -r -s /bin/false -g vpn vpn
# server configuration
echo 'port 1194' > /etc/openvpn/server.conf
echo 'proto tcp' >> /etc/openvpn/server.conf
echo 'dev tun' >> /etc/openvpn/server.conf
echo 'tun-mtu 1500' >> /etc/openvpn/server.conf
echo 'tun-mtu-extra 32' >> /etc/openvpn/server.conf
echo 'mssfix 1450' >> /etc/openvpn/server.conf
echo 'ca /etc/openvpn/ca.crt' >> /etc/openvpn/server.conf
echo 'cert /etc/openvpn/server.crt' >> /etc/openvpn/server.conf
echo 'key /etc/openvpn/server.key' >> /etc/openvpn/server.conf
echo 'dh /etc/openvpn/dh2048.pem' >> /etc/openvpn/server.conf
echo 'server 10.8.0.0 255.255.255.0' >> /etc/openvpn/server.conf
echo 'push "redirect-gateway def1 bypass-dhcp"' >> /etc/openvpn/server.conf
echo "push \"dhcp-option DNS 85.214.73.63\"" >> /etc/openvpn/server.conf
echo "push \"dhcp-option DNS 213.73.91.35\"" >> /etc/openvpn/server.conf
echo 'keepalive 5 30' >> /etc/openvpn/server.conf
echo 'comp-lzo' >> /etc/openvpn/server.conf
echo 'persist-key' >> /etc/openvpn/server.conf
echo 'persist-tun' >> /etc/openvpn/server.conf
echo 'status /dev/null' >> /etc/openvpn/server.conf
echo 'verb 3' >> /etc/openvpn/server.conf
echo '' >> /etc/openvpn/server.conf
echo 1 > /proc/sys/net/ipv4/ip_forward
sed -i 's|# net.ipv4.ip_forward|net.ipv4.ip_forward|g' /etc/sysctl.conf
sed -i 's|#net.ipv4.ip_forward|net.ipv4.ip_forward|g' /etc/sysctl.conf
sed -i 's|net.ipv4.ip_forward.*|net.ipv4.ip_forward=1|g' /etc/sysctl.conf
cp -r /usr/share/easy-rsa/ /etc/openvpn
if [ ! -d /etc/openvpn/easy-rsa/keys ]; then
mkdir /etc/openvpn/easy-rsa/keys
fi
gpg -a --export 16EF3F64CB201D9C | sudo apt-key add -
apt-get update
apt-get -yq install fastd
if [ ! "$?" = "0" ]; then
exit 52026
# keys configuration
sed -i "s|export KEY_COUNTRY.*|export KEY_COUNTRY=\"US\"|g" /etc/openvpn/easy-rsa/vars
sed -i "s|export KEY_PROVINCE.*|export KEY_PROVINCE=\"TX\"|g" /etc/openvpn/easy-rsa/vars
sed -i "s|export KEY_CITY.*|export KEY_CITY=\"Dallas\"|g" /etc/openvpn/easy-rsa/vars
sed -i "s|export KEY_ORG.*|export KEY_ORG=\"$PROJECT_NAME\"|g" /etc/openvpn/easy-rsa/vars
sed -i "s|export KEY_EMAIL.*|export KEY_EMAIL=\"$MY_EMAIL_ADDRESS\"|g" /etc/openvpn/easy-rsa/vars
sed -i "s|export KEY_OU=.*|export KEY_OU=\"MoonUnit\"|g" /etc/openvpn/easy-rsa/vars
sed -i "s|export KEY_NAME.*|export KEY_NAME=\"$OPENVPN_SERVER_NAME\"|g" /etc/openvpn/easy-rsa/vars
# generate host keys
if [ ! -f /etc/openvpn/dh2048.pem ]; then
openssl dhparam -out /etc/openvpn/dh2048.pem 2048
fi
if [ ! -f /etc/openvpn/dh2048.pem ]; then
echo $'vpn dhparams were not generated'
exit 73724523
fi
cp /etc/openvpn/dh2048.pem /etc/openvpn/easy-rsa/keys/dh2048.pem
cd /etc/openvpn/easy-rsa
. ./vars
./clean-all
vpn_openssl_version='1.0.0'
if [ ! -f openssl-${vpn_openssl_version}.cnf ]; then
echo $"openssl-${vpn_openssl_version}.cnf was not found"
exit 7392353
fi
cp openssl-${vpn_openssl_version}.cnf openssl.cnf
if [ -f /etc/openvpn/easy-rsa/keys/${OPENVPN_SERVER_NAME}.crt ]; then
rm /etc/openvpn/easy-rsa/keys/${OPENVPN_SERVER_NAME}.crt
fi
if [ -f /etc/openvpn/easy-rsa/keys/${OPENVPN_SERVER_NAME}.key ]; then
rm /etc/openvpn/easy-rsa/keys/${OPENVPN_SERVER_NAME}.key
fi
if [ -f /etc/openvpn/easy-rsa/keys/${OPENVPN_SERVER_NAME}.csr ]; then
rm /etc/openvpn/easy-rsa/keys/${OPENVPN_SERVER_NAME}.csr
fi
sed -i 's| --interact||g' build-key-server
sed -i 's| --interact||g' build-ca
./build-ca
./build-key-server $OPENVPN_SERVER_NAME
if [ ! -f /etc/openvpn/easy-rsa/keys/${OPENVPN_SERVER_NAME}.crt ]; then
echo $'OpenVPN crt not found'
exit 7823352
fi
server_cert=$(cat /etc/openvpn/easy-rsa/keys/${OPENVPN_SERVER_NAME}.crt)
if [ ${#server_cert} -lt 10 ]; then
cat /etc/openvpn/easy-rsa/keys/${OPENVPN_SERVER_NAME}.crt
echo $'Server cert generation failed'
exit 3284682
fi
if [ ! -f /etc/openvpn/easy-rsa/keys/${OPENVPN_SERVER_NAME}.key ]; then
echo $'OpenVPN key not found'
exit 6839436
fi
if [ ! -f /etc/openvpn/easy-rsa/keys/ca.key ]; then
echo $'OpenVPN ca not found'
exit 7935203
fi
cp /etc/openvpn/easy-rsa/keys/{$OPENVPN_SERVER_NAME.crt,$OPENVPN_SERVER_NAME.key,ca.crt} /etc/openvpn
create_user_vpn_key $MY_USERNAME
firewall_enable_vpn
if [ $VPN_TLS_PORT -ne 443 ]; then
firewall_add VPN-TLS $VPN_TLS_PORT tcp
fi
systemctl start openvpn
install_stunnel
systemctl restart openvpn
APP_INSTALLED=1
}
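Review bot: private key material is left readable more widely than it needs to be. client.ovpn embeds the user's private key but is only `chown`ed, never `chmod 600`, so under the default umask it is world-readable; the backup copy written to /etc/openvpn/easy-rsa/keys/$username.ovpn contains the same key, so the `shred -zu` of `$username.key` does not remove it from disk, and that copy also ends up in every USB and friend backup. In install_stunnel, stunnel.pem is `key.pem` concatenated with `cert.pem`, i.e. it holds the server's TLS private key, and it is copied into every user's home (install_stunnel, add_user_vpn, restore_*), together with a stunnel.p12 exported with an empty passphrase (`-passout pass:`); clients only need cert.pem to verify the server, so distribute that and keep key.pem server-side. The concatenation uses `>>`, so a reinstall appends a second key/cert pair to stunnel.pem, and `chmod 640 stunnel.pem` loosens the 400 that was just set on key.pem; use `>` and 600. The generated stunnel-client.conf has no `verify`/`CAfile`, so the outer TLS layer accepts any server certificate; the inner OpenVPN layer still authenticates via `<ca>` and `remote-cert-tls server`, but since clients already receive the server cert, `verify = 2` with `CAfile = cert.pem` would make the outer layer meaningful too. remove_user_vpn is an empty stub, so a deleted user's client.ovpn and stunnel files, and their unrevoked certificate, survive; shred them as remove_vpn does. The easy-rsa vars are hard-coded to "TX", "Dallas" and "MoonUnit" although VPN_AREA, VPN_LOCATION and VPN_UNIT exist and are used for the stunnel certificate; use the same variables. If the repo.universe-factory.net / `gpg --recv-key` / `apt-get -yq install fastd` lines at the top of install_vpn are still part of the new function rather than removed context, their `if [ ! "$?" = "0" ]; then exit ...` blocks have no closing `fi`, and fastd is purged twice in remove_vpn.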


@ -519,7 +519,7 @@ function show_ip_addresses {
echo $'IP/DNS addresses'
echo '================'
echo ''
echo -n "IPv4: $(get_ipv4_address)"
echo -n "IPv4: $(get_ipv4_address)/$(get_external_ipv4_address)"
ipv6_address="$(get_ipv6_address)"
if [ ${#ipv6_address} -gt 0 ]; then
echo " IPv6: ${ipv6_address}"


@ -32,6 +32,8 @@
FIREWALL_CONFIG=$HOME/${PROJECT_NAME}-firewall.cfg
FIREWALL_DOMAINS=$HOME/${PROJECT_NAME}-firewall-domains.cfg
FIREWALL_EIFACE=eth0
EXTERNAL_IPV4_ADDRESS=
function save_firewall_settings {
iptables-save > /etc/firewall.conf
@ -108,6 +110,30 @@ function enable_ipv6 {
echo 1 > /proc/sys/net/ipv6/conf/all/forwarding
}
function firewall_disable_vpn {
firewall_remove VPN 1194
iptables -D INPUT -i ${FIREWALL_EIFACE} -m state --state NEW -p tcp --dport 1194 -j ACCEPT
iptables -D INPUT -i tun+ -j ACCEPT
iptables -D FORWARD -i tun+ -j ACCEPT
iptables -D FORWARD -i tun+ -o ${FIREWALL_EIFACE} -m state --state RELATED,ESTABLISHED -j ACCEPT
iptables -D FORWARD -i ${FIREWALL_EIFACE} -o tun+ -m state --state RELATED,ESTABLISHED -j ACCEPT
iptables -t nat -D POSTROUTING -s 10.8.0.0/24 -o ${FIREWALL_EIFACE} -j MASQUERADE
iptables -D OUTPUT -o tun+ -j ACCEPT
save_firewall_settings
}
function firewall_enable_vpn {
firewall_add VPN 1194 tcp
iptables -A INPUT -i ${FIREWALL_EIFACE} -m state --state NEW -p tcp --dport 1194 -j ACCEPT
iptables -A INPUT -i tun+ -j ACCEPT
iptables -A FORWARD -i tun+ -j ACCEPT
iptables -A FORWARD -i tun+ -o ${FIREWALL_EIFACE} -m state --state RELATED,ESTABLISHED -j ACCEPT
iptables -A FORWARD -i ${FIREWALL_EIFACE} -o tun+ -m state --state RELATED,ESTABLISHED -j ACCEPT
iptables -t nat -A POSTROUTING -s 10.8.0.0/24 -o ${FIREWALL_EIFACE} -j MASQUERADE
iptables -A OUTPUT -o tun+ -j ACCEPT
save_firewall_settings
}
function configure_firewall {
if [ $INSTALLING_MESH ]; then
mesh_firewall
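Review bot: firewall_enable_vpn opens tcp/1194 on `${FIREWALL_EIFACE}` (both `firewall_add VPN 1194 tcp` and the INPUT rule), but in this design clients reach OpenVPN only through stunnel, which connects to localhost:1194; exposing the bare OpenVPN port on the external interface hands deep packet inspection a connection that does not look like TLS and sidesteps the change-the-TLS-port defence documented in app_vpn.org. Drop the two 1194 rules and bind OpenVPN to loopback with `local 127.0.0.1` in server.conf (the matching `iptables -D` lines in firewall_disable_vpn go too). The `-A INPUT -i tun+ -j ACCEPT` rule lets every VPN client reach every service on the server; if that is intended, say so in a comment, otherwise restrict it to the services meant for VPN users. The `iptables -D` calls in firewall_disable_vpn print errors when a rule is already absent, which will happen if remove_vpn runs after a partial install; guard each with `iptables -C ... &&` or send stderr to /dev/null.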


@ -31,6 +31,13 @@
# If the system is on an IPv6 network
IPV6_NETWORK='2001:470:26:307'
# Destinations used to get the local IP address of this system
# Google ipv6 DNS 2001:4860:4860::8888
# OpenDNS ipv6 DNS 2620:0:ccc::2
IPV4_ADDRESS_TEST_DESTINATION='85.214.73.63'
IPV6_ADDRESS_TEST_DESTINATION='2620:0:ccc::2'
EXTERNAL_IP_LOOKUP_URL='ifcfg.me'
# The static IP address of the system within the local network
# By default the IP address is dynamic within your LAN
LOCAL_NETWORK_STATIC_IP_ADDRESS=
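Review bot: `EXTERNAL_IP_LOOKUP_URL='ifcfg.me'` introduces a dependency on a third-party DNS service that the system will query every ten minutes from cron (update_external_ip), and the answer arrives over plain, unauthenticated DNS; document that in the comment block above it so the value is only relied on for display and logging. The value is a DNS server name rather than a URL, so a name such as EXTERNAL_IP_LOOKUP_HOST would describe it better.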
@ -64,13 +71,31 @@ function install_static_network {
mark_completed $FUNCNAME
}
function get_external_ipv4_address {
nslookup . $EXTERNAL_IP_LOOKUP_URL | grep Address | tail -n 1 | awk -F ' ' '{print $2}'
}
function get_ipv4_address {
IPv4dev=$(ip route get 8.8.8.8 | awk '{for(i=1;i<=NF;i++)if($i~/dev/)print $(i+1)}')
IPv4dev=$(ip route get $IPV4_ADDRESS_TEST_DESTINATION | awk '{for(i=1;i<=NF;i++)if($i~/dev/)print $(i+1)}')
echo $(ip -o -f inet addr show dev "$IPv4dev" | awk '{print $4}' | awk 'END {print}' | awk -F '/' '{print $1}')
}
function get_ipv6_address {
echo $(ip -6 route get 2001:4860:4860::8888 | awk -F " " '{ for(i=1;i<=NF;i++) if ($i == "src") print $(i+1) }')
retval=$(ip -6 route get $IPV6_ADDRESS_TEST_DESTINATION 2> /dev/null)
echo $(echo "$retval" | awk -F " " '{ for(i=1;i<=NF;i++) if ($i == "src") print $(i+1) }')
}
function update_external_ip {
ip_update_script=/usr/bin/externalipupdate
echo '#!/bin/bash' >> $ip_update_script
echo "existing_ip=\$(cat $CONFIGURATION_FILE | grep \"EXTERNAL_IPV4_ADDRESS=\" | head -n 1 | awk -F '=' '{print \$2}')'" >> $ip_update_script
echo "curr_ip=\$(nslookup . $EXTERNAL_IP_LOOKUP_URL | grep Address | tail -n 1 | awk -F ' ' '{print \$2}')" >> $ip_update_script
echo 'if [[ "$curr_ip" != "$existing_ip" ]]; then' >> $ip_update_script
echo " sed -i \"s|EXTERNAL_IPV4_ADDRESS=.*|EXTERNAL_IPV4_ADDRESS=\${curr_ip}|g\" $CONFIGURATION_FILE" >> $ip_update_script
echo " echo \"\$(date)\" >> ~/${PROJECT_NAME}-external-ip-changes.txt" >> $ip_update_script
echo 'fi' >> $ip_update_script
cron_add_mins 10 $ip_update_script
}
# NOTE: deliberately no exit 0
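Review bot: the `existing_ip=` line that update_external_ip writes ends with a stray `'` after the closing `)` (`awk -F '=' '{print \$2}')'"`), so the generated /usr/bin/externalipupdate contains an unterminated single quote and fails with a syntax error every time cron runs it; drop the extra quote. The script is assembled with `>>` from the `#!/bin/bash` line onwards, so each call to update_external_ip appends another full copy of the script; write the first line with `>`. The `nslookup . $EXTERNAL_IP_LOOKUP_URL | grep Address | tail -n 1` pipeline is duplicated from get_external_ipv4_address; have the script source the shared logic rather than inlining it. When the lookup fails, `curr_ip` is empty but still differs from `existing_ip`, so the script rewrites EXTERNAL_IPV4_ADDRESS to an empty value and logs a spurious change; test `[ -n "$curr_ip" ]` before comparing.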

website/EN/app_vpn.html Normal file

@ -0,0 +1,390 @@
<?xml version="1.0" encoding="utf-8"?>
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN"
"http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" lang="en" xml:lang="en">
<head>
<!-- 2017-09-27 Wed 17:58 -->
<meta http-equiv="Content-Type" content="text/html;charset=utf-8" />
<meta name="viewport" content="width=device-width, initial-scale=1" />
<title>&lrm;</title>
<meta name="generator" content="Org mode" />
<meta name="author" content="Bob Mottram" />
<meta name="description" content="How to use OpenVPN on Freedombone"
/>
<meta name="keywords" content="freedombone, openvpn" />
<style type="text/css">
<!--/*--><![CDATA[/*><!--*/
.title { text-align: center;
margin-bottom: .2em; }
.subtitle { text-align: center;
font-size: medium;
font-weight: bold;
margin-top:0; }
.todo { font-family: monospace; color: red; }
.done { font-family: monospace; color: green; }
.priority { font-family: monospace; color: orange; }
.tag { background-color: #eee; font-family: monospace;
padding: 2px; font-size: 80%; font-weight: normal; }
.timestamp { color: #bebebe; }
.timestamp-kwd { color: #5f9ea0; }
.org-right { margin-left: auto; margin-right: 0px; text-align: right; }
.org-left { margin-left: 0px; margin-right: auto; text-align: left; }
.org-center { margin-left: auto; margin-right: auto; text-align: center; }
.underline { text-decoration: underline; }
#postamble p, #preamble p { font-size: 90%; margin: .2em; }
p.verse { margin-left: 3%; }
pre {
border: 1px solid #ccc;
box-shadow: 3px 3px 3px #eee;
padding: 8pt;
font-family: monospace;
overflow: auto;
margin: 1.2em;
}
pre.src {
position: relative;
overflow: visible;
padding-top: 1.2em;
}
pre.src:before {
display: none;
position: absolute;
background-color: white;
top: -10px;
right: 10px;
padding: 3px;
border: 1px solid black;
}
pre.src:hover:before { display: inline;}
/* Languages per Org manual */
pre.src-asymptote:before { content: 'Asymptote'; }
pre.src-awk:before { content: 'Awk'; }
pre.src-C:before { content: 'C'; }
/* pre.src-C++ doesn't work in CSS */
pre.src-clojure:before { content: 'Clojure'; }
pre.src-css:before { content: 'CSS'; }
pre.src-D:before { content: 'D'; }
pre.src-ditaa:before { content: 'ditaa'; }
pre.src-dot:before { content: 'Graphviz'; }
pre.src-calc:before { content: 'Emacs Calc'; }
pre.src-emacs-lisp:before { content: 'Emacs Lisp'; }
pre.src-fortran:before { content: 'Fortran'; }
pre.src-gnuplot:before { content: 'gnuplot'; }
pre.src-haskell:before { content: 'Haskell'; }
pre.src-hledger:before { content: 'hledger'; }
pre.src-java:before { content: 'Java'; }
pre.src-js:before { content: 'Javascript'; }
pre.src-latex:before { content: 'LaTeX'; }
pre.src-ledger:before { content: 'Ledger'; }
pre.src-lisp:before { content: 'Lisp'; }
pre.src-lilypond:before { content: 'Lilypond'; }
pre.src-lua:before { content: 'Lua'; }
pre.src-matlab:before { content: 'MATLAB'; }
pre.src-mscgen:before { content: 'Mscgen'; }
pre.src-ocaml:before { content: 'Objective Caml'; }
pre.src-octave:before { content: 'Octave'; }
pre.src-org:before { content: 'Org mode'; }
pre.src-oz:before { content: 'OZ'; }
pre.src-plantuml:before { content: 'Plantuml'; }
pre.src-processing:before { content: 'Processing.js'; }
pre.src-python:before { content: 'Python'; }
pre.src-R:before { content: 'R'; }
pre.src-ruby:before { content: 'Ruby'; }
pre.src-sass:before { content: 'Sass'; }
pre.src-scheme:before { content: 'Scheme'; }
pre.src-screen:before { content: 'Gnu Screen'; }
pre.src-sed:before { content: 'Sed'; }
pre.src-sh:before { content: 'shell'; }
pre.src-sql:before { content: 'SQL'; }
pre.src-sqlite:before { content: 'SQLite'; }
/* additional languages in org.el's org-babel-load-languages alist */
pre.src-forth:before { content: 'Forth'; }
pre.src-io:before { content: 'IO'; }
pre.src-J:before { content: 'J'; }
pre.src-makefile:before { content: 'Makefile'; }
pre.src-maxima:before { content: 'Maxima'; }
pre.src-perl:before { content: 'Perl'; }
pre.src-picolisp:before { content: 'Pico Lisp'; }
pre.src-scala:before { content: 'Scala'; }
pre.src-shell:before { content: 'Shell Script'; }
pre.src-ebnf2ps:before { content: 'ebfn2ps'; }
/* additional language identifiers per "defun org-babel-execute"
in ob-*.el */
pre.src-cpp:before { content: 'C++'; }
pre.src-abc:before { content: 'ABC'; }
pre.src-coq:before { content: 'Coq'; }
pre.src-groovy:before { content: 'Groovy'; }
/* additional language identifiers from org-babel-shell-names in
ob-shell.el: ob-shell is the only babel language using a lambda to put
the execution function name together. */
pre.src-bash:before { content: 'bash'; }
pre.src-csh:before { content: 'csh'; }
pre.src-ash:before { content: 'ash'; }
pre.src-dash:before { content: 'dash'; }
pre.src-ksh:before { content: 'ksh'; }
pre.src-mksh:before { content: 'mksh'; }
pre.src-posh:before { content: 'posh'; }
/* Additional Emacs modes also supported by the LaTeX listings package */
pre.src-ada:before { content: 'Ada'; }
pre.src-asm:before { content: 'Assembler'; }
pre.src-caml:before { content: 'Caml'; }
pre.src-delphi:before { content: 'Delphi'; }
pre.src-html:before { content: 'HTML'; }
pre.src-idl:before { content: 'IDL'; }
pre.src-mercury:before { content: 'Mercury'; }
pre.src-metapost:before { content: 'MetaPost'; }
pre.src-modula-2:before { content: 'Modula-2'; }
pre.src-pascal:before { content: 'Pascal'; }
pre.src-ps:before { content: 'PostScript'; }
pre.src-prolog:before { content: 'Prolog'; }
pre.src-simula:before { content: 'Simula'; }
pre.src-tcl:before { content: 'tcl'; }
pre.src-tex:before { content: 'TeX'; }
pre.src-plain-tex:before { content: 'Plain TeX'; }
pre.src-verilog:before { content: 'Verilog'; }
pre.src-vhdl:before { content: 'VHDL'; }
pre.src-xml:before { content: 'XML'; }
pre.src-nxml:before { content: 'XML'; }
/* add a generic configuration mode; LaTeX export needs an additional
(add-to-list 'org-latex-listings-langs '(conf " ")) in .emacs */
pre.src-conf:before { content: 'Configuration File'; }
table { border-collapse:collapse; }
caption.t-above { caption-side: top; }
caption.t-bottom { caption-side: bottom; }
td, th { vertical-align:top; }
th.org-right { text-align: center; }
th.org-left { text-align: center; }
th.org-center { text-align: center; }
td.org-right { text-align: right; }
td.org-left { text-align: left; }
td.org-center { text-align: center; }
dt { font-weight: bold; }
.footpara { display: inline; }
.footdef { margin-bottom: 1em; }
.figure { padding: 1em; }
.figure p { text-align: center; }
.inlinetask {
padding: 10px;
border: 2px solid gray;
margin: 10px;
background: #ffffcc;
}
#org-div-home-and-up
{ text-align: right; font-size: 70%; white-space: nowrap; }
textarea { overflow-x: auto; }
.linenr { font-size: smaller }
.code-highlighted { background-color: #ffff00; }
.org-info-js_info-navigation { border-style: none; }
#org-info-js_console-label
{ font-size: 10px; font-weight: bold; white-space: nowrap; }
.org-info-js_search-highlight
{ background-color: #ffff00; color: #000000; font-weight: bold; }
.org-svg { width: 90%; }
/*]]>*/-->
</style>
<link rel="stylesheet" type="text/css" href="freedombone.css" />
<script type="text/javascript">
/*
@licstart The following is the entire license notice for the
JavaScript code in this tag.
Copyright (C) 2012-2017 Free Software Foundation, Inc.
The JavaScript code in this tag is free software: you can
redistribute it and/or modify it under the terms of the GNU
General Public License (GNU GPL) as published by the Free Software
Foundation, either version 3 of the License, or (at your option)
any later version. The code is distributed WITHOUT ANY WARRANTY;
without even the implied warranty of MERCHANTABILITY or FITNESS
FOR A PARTICULAR PURPOSE. See the GNU GPL for more details.
As additional permission under GNU GPL version 3 section 7, you
may distribute non-source (e.g., minimized or compacted) forms of
that code without the copy of the GNU GPL normally required by
section 4, provided you include this license notice and a URL
through which recipients can access the Corresponding Source.
@licend The above is the entire license notice
for the JavaScript code in this tag.
*/
<!--/*--><![CDATA[/*><!--*/
function CodeHighlightOn(elem, id)
{
var target = document.getElementById(id);
if(null != target) {
elem.cacheClassElem = elem.className;
elem.cacheClassTarget = target.className;
target.className = "code-highlighted";
elem.className = "code-highlighted";
}
}
function CodeHighlightOff(elem, id)
{
var target = document.getElementById(id);
if(elem.cacheClassElem)
elem.className = elem.cacheClassElem;
if(elem.cacheClassTarget)
target.className = elem.cacheClassTarget;
}
/*]]>*///-->
</script>
</head>
<body>
<div id="preamble" class="status">
<a name="top" id="top"></a>
</div>
<div id="content">
<div class="org-center">
<div class="figure">
<p><img src="images/logo.png" alt="logo.png" />
</p>
</div>
</div>
<center>
<h1>OpenVPN</h1>
</center>
<blockquote>
<p>
"<i>The Net interprets censorship as damage and routes around it.</i>" &#x2013; John Gilmore
</p>
</blockquote>
<p>
A Virtual Private Network (VPN) allows you to move your internet traffic to a different machine in a different geographical location by creating a private cryptographically protected route to that location. The usual use cases are to get around local censorship of the internet such as when you see the message "<i>this content is not available in your area</i>" when trying to play a video. Maybe you're on holiday and your hotel or workplace internet connection is censored. Using a VPN you can connect to your home server and then use the internet normally.
</p>
<p>
Using a Tor browser is another way to get around censorship, but there might be occasions where you don't want to use a Tor browser or where Tor relays and bridges are blocked or where you want to run internet apps which aren't within a browser.
</p>
<p>
On Freedombone the VPN is wrapped within a TLS layer of encryption, making it difficult for any deep packet inspection systems to know whether you are using a VPN or not. Since there is lots of TLS traffic on the internet your connection looks like any other TLS connection to a server, and this may help to avoid being censored. It's probably not possible for your local ISP to block TLS traffic without immediately generating a lot of irate customers, and stopping any kind of commercial activity.
</p>
<div id="outline-container-org778c839" class="outline-2">
<h2 id="org778c839">Installation</h2>
<div class="outline-text-2" id="text-org778c839">
<p>
ssh into the system with:
</p>
<div class="org-src-container">
<pre class="src src-bash">ssh myusername@mydomainname -p 2222
</pre>
</div>
<p>
Select <b>Administrator controls</b> then <b>Add/Remove apps</b> then <b>vpn</b>. Choose the port which you want the VPN to operate on and then the install will continue.
</p>
<p>
Only use ports 443 or 80 for VPN as an <i>absolute last resort</i>, since doing so will prevent other web based apps from running on your server.
</p>
</div>
</div>
<div id="outline-container-org2cfcc49" class="outline-2">
<h2 id="org2cfcc49">Usage</h2>
<div class="outline-text-2" id="text-org2cfcc49">
<p>
When the installation is complete you can download your VPN keys and configuration files onto your local machine.
</p>
<div class="org-src-container">
<pre class="src src-bash">scp -P 2222 myusername@mydomainname:/home/myusername/client.ovpn .
scp -P 2222 myusername@mydomainname:/home/myusername/stunnel* .
</pre>
</div>
<p>
You will need to ensure that the <i>openvpn</i> and <i>stunnel</i> packages are installed. On an Arch based system:
</p>
<div class="org-src-container">
<pre class="src src-bash">sudp pacman -S openvpn stunnel4
</pre>
</div>
<p>
Or on a Debian based system:
</p>
<div class="org-src-container">
<pre class="src src-bash">sudo apt-get install openvpn stunnel4
</pre>
</div>
<p>
Now you can connect to your VPN with:
</p>
<div class="org-src-container">
<pre class="src src-bash">sudo stunnel stunnel-client.conf
sudo openvpn client.ovpn
</pre>
</div>
<p>
You should see a series of messages with "<i>Initialization Sequence Completed</i>" showing at the end. Leave the terminal open and perhaps minimize it to remain connected to the VPN. To leave the VPN close the terminal window.
</p>
</div>
</div>
<div id="outline-container-orgc7282cd" class="outline-2">
<h2 id="orgc7282cd">Changing port number</h2>
<div class="outline-text-2" id="text-orgc7282cd">
<p>
Avoiding censorship can be a cat and mouse game, and so if the port you're using for VPN gets blocked then you may want to change it.
</p>
<div class="org-src-container">
<pre class="src src-bash">ssh myusername@mydomainname -p 2222
</pre>
</div>
<p>
Select <b>Administrator controls</b> then <b>App Settings</b> then <b>vpn</b>. Choose <b>Change TLS port</b> and enter a new port value. You can then either manually change the port within your VPN configuration files, or download them again as described in the <a href="#org2cfcc49">Usage</a> section above.
</p>
</div>
</div>
<div id="outline-container-orgbe4ddea" class="outline-2">
<h2 id="orgbe4ddea">Generating new keys</h2>
<div class="outline-text-2" id="text-orgbe4ddea">
<p>
It's possible that your VPN keys might get lost or compromised on your local machine. If that happens you can generate new ones from the <b>Administrator controls</b> by going to <b>App Settings</b> then <b>vpn</b> then choosing <b>Regenerate keys for a user</b> and downloading the new keys as described in the <a href="#org2cfcc49">Usage</a> section above.
</p>
</div>
</div>
</div>
<div id="postamble" class="status">
<style type="text/css">
.back-to-top {
position: fixed;
bottom: 2em;
right: 0px;
text-decoration: none;
color: #000000;
background-color: rgba(235, 235, 235, 0.80);
font-size: 12px;
padding: 1em;
display: none;
}
.back-to-top:hover {
background-color: rgba(135, 135, 135, 0.50);
}
</style>
<div class="back-to-top">
<a href="#top">Back to top</a> | <a href="mailto:bob@freedombone.net">E-mail me</a>
</div>
</div>
</body>
</html>
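Review bot: In the Usage section the instruction "To leave the VPN close the terminal window" does not match the two commands above it (`sudo stunnel stunnel-client.conf` then `sudo openvpn client.ovpn`): stunnel on Unix forks into the background by default unless the configuration sets `foreground = yes`, so closing the terminal ends openvpn but leaves stunnel running and listening on its local port. Either ship `foreground = yes` in the generated stunnel-client.conf, or document stopping stunnel explicitly. Also in that section, `sudp pacman -S openvpn stunnel4` has a typo (`sudo`) and `stunnel4` is the Debian/Ubuntu package name; on Arch the package is `stunnel`. In "Changing port number", "manually change the port within your VPN configuration files" should name which of the downloaded files carries the TLS port, so the reader edits the right one rather than guessing between client.ovpn and the stunnel files. In "Generating new keys", the compromise case needs one more sentence: say whether "Regenerate keys for a user" also revokes the old client certificate on the server, because if it only issues new keys the stolen ones keep authenticating until they are revoked. Finally, the claim that the TLS wrapping makes it "difficult for any deep packet inspection systems to know whether you are using a VPN" is stronger than the rest of the paragraph supports: the port the user chose, the server certificate in the handshake and a single long-lived connection are all visible to an inspecting middlebox, so "may help to avoid being censored" is the level to state throughout.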

View File

@ -3,10 +3,10 @@
"http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" lang="en" xml:lang="en">
<head>
<!-- 2017-07-28 Fri 22:42 -->
<!-- 2017-09-27 Wed 17:45 -->
<meta http-equiv="Content-Type" content="text/html;charset=utf-8" />
<meta name="viewport" content="width=device-width, initial-scale=1" />
<title></title>
<title>&lrm;</title>
<meta name="generator" content="Org mode" />
<meta name="author" content="Bob Mottram" />
<meta name="description" content="List of apps available on freedombone"
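Review bot: `<title>&lrm;</title>` replaces an empty title with a bare left-to-right mark, so browser tabs, history and bookmarks for this page still show nothing; it masks the empty `#+TITLE:` in the org source rather than fixing it. Give the org file a real title (the description line already says "List of apps available on freedombone", so something like "Apps" would do) and let the export produce it.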
@ -264,9 +264,9 @@ The base install of the system just contains an email server and Mutt client, bu
</div>
</div>
<div id="outline-container-orgbe17d63" class="outline-2">
<h2 id="orgbe17d63">CryptPad</h2>
<div class="outline-text-2" id="text-orgbe17d63">
<div id="outline-container-orge12e0d4" class="outline-2">
<h2 id="orge12e0d4">CryptPad</h2>
<div class="outline-text-2" id="text-orge12e0d4">
<p>
Collaborate on editing documents, presentations and source code, or vote on things. All with a good level of security.
</p>
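Review bot: This hunk, and every hunk below it down to `@ -645,18 +645,30 @@`, changes nothing except the auto-generated section ids (here `orgbe17d63` becomes `orge12e0d4` in three places) because Org mode generates fresh ids on every export. None of this churn relates to the VPN addition, it bloats the diff, and it breaks any deep link to the old anchors, including links from other pages in this documentation set. Set `:CUSTOM_ID:` in a `:PROPERTIES:` drawer under each heading in the org sources so the exported ids are stable and future commits only touch the sections that actually changed.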
@ -276,9 +276,9 @@ Collaborate on editing documents, presentations and source code, or vote on thin
</p>
</div>
</div>
<div id="outline-container-orgeb85cd1" class="outline-2">
<h2 id="orgeb85cd1">DLNA</h2>
<div class="outline-text-2" id="text-orgeb85cd1">
<div id="outline-container-orgaaead32" class="outline-2">
<h2 id="orgaaead32">DLNA</h2>
<div class="outline-text-2" id="text-orgaaead32">
<p>
Enables you to use the system as a music server which any DLNA compatible devices can connect to within your home network.
</p>
@ -288,9 +288,9 @@ Enables you to use the system as a music server which any DLNA compatible device
</p>
</div>
</div>
<div id="outline-container-orge7dce56" class="outline-2">
<h2 id="orge7dce56">Dokuwiki</h2>
<div class="outline-text-2" id="text-orge7dce56">
<div id="outline-container-orga0c144d" class="outline-2">
<h2 id="orga0c144d">Dokuwiki</h2>
<div class="outline-text-2" id="text-orga0c144d">
<p>
A databaseless wiki system.
</p>
@ -300,9 +300,9 @@ A databaseless wiki system.
</p>
</div>
</div>
<div id="outline-container-org16980fe" class="outline-2">
<h2 id="org16980fe">Emacs</h2>
<div class="outline-text-2" id="text-org16980fe">
<div id="outline-container-orgad65042" class="outline-2">
<h2 id="orgad65042">Emacs</h2>
<div class="outline-text-2" id="text-orgad65042">
<p>
If you use the Mutt client to read your email then this will set it up to use emacs for composing new mail.
</p>
@ -312,9 +312,9 @@ If you use the Mutt client to read your email then this will set it up to use em
</p>
</div>
</div>
<div id="outline-container-orge6eede4" class="outline-2">
<h2 id="orge6eede4">Etherpad</h2>
<div class="outline-text-2" id="text-orge6eede4">
<div id="outline-container-org7ba525b" class="outline-2">
<h2 id="org7ba525b">Etherpad</h2>
<div class="outline-text-2" id="text-org7ba525b">
<p>
Collaborate on creating documents in real time. Maybe you're planning a holiday with other family members or creating documentation for a Free Software project along with other volunteers. Etherpad is hard to beat for simplicity and speed. Only users of the system will be able to access it.
</p>
@ -324,9 +324,9 @@ Collaborate on creating documents in real time. Maybe you're planning a holiday
</p>
</div>
</div>
<div id="outline-container-org72aea62" class="outline-2">
<h2 id="org72aea62">Friendica</h2>
<div class="outline-text-2" id="text-org72aea62">
<div id="outline-container-orgb7656a4" class="outline-2">
<h2 id="orgb7656a4">Friendica</h2>
<div class="outline-text-2" id="text-orgb7656a4">
<p>
Federated social network system.
</p>
@ -336,9 +336,9 @@ Federated social network system.
</p>
</div>
</div>
<div id="outline-container-org75bbd1d" class="outline-2">
<h2 id="org75bbd1d">Ghost</h2>
<div class="outline-text-2" id="text-org75bbd1d">
<div id="outline-container-org9b12dc6" class="outline-2">
<h2 id="org9b12dc6">Ghost</h2>
<div class="outline-text-2" id="text-org9b12dc6">
<p>
Modern looking blogging system.
</p>
@ -348,9 +348,9 @@ Modern looking blogging system.
</p>
</div>
</div>
<div id="outline-container-org879241a" class="outline-2">
<h2 id="org879241a">GNU Social</h2>
<div class="outline-text-2" id="text-org879241a">
<div id="outline-container-org507ecb0" class="outline-2">
<h2 id="org507ecb0">GNU Social</h2>
<div class="outline-text-2" id="text-org507ecb0">
<p>
Federated social network. You can "<i>remote follow</i>" other users within the GNU Social federation.
</p>
@ -360,9 +360,9 @@ Federated social network. You can "<i>remote follow</i>" other users within the
</p>
</div>
</div>
<div id="outline-container-org0c63c0d" class="outline-2">
<h2 id="org0c63c0d">Gogs</h2>
<div class="outline-text-2" id="text-org0c63c0d">
<div id="outline-container-org8309404" class="outline-2">
<h2 id="org8309404">Gogs</h2>
<div class="outline-text-2" id="text-org8309404">
<p>
Lightweight git project hosting system. You can mirror projects from Github, or if Github turns evil then just host your own projects while retaining the familiar <i>fork-and-pull</i> workflow. If you can use Github then you can also use Gogs.
</p>
@ -372,9 +372,9 @@ Lightweight git project hosting system. You can mirror projects from Github, or
</p>
</div>
</div>
<div id="outline-container-org8d5a195" class="outline-2">
<h2 id="org8d5a195">HTMLy</h2>
<div class="outline-text-2" id="text-org8d5a195">
<div id="outline-container-orgc12018c" class="outline-2">
<h2 id="orgc12018c">HTMLy</h2>
<div class="outline-text-2" id="text-orgc12018c">
<p>
Databaseless blogging system. Quite simple and with a markdown-like format.
</p>
@ -384,9 +384,9 @@ Databaseless blogging system. Quite simple and with a markdown-like format.
</p>
</div>
</div>
<div id="outline-container-orgbc0a684" class="outline-2">
<h2 id="orgbc0a684">Hubzilla</h2>
<div class="outline-text-2" id="text-orgbc0a684">
<div id="outline-container-org7c97a23" class="outline-2">
<h2 id="org7c97a23">Hubzilla</h2>
<div class="outline-text-2" id="text-org7c97a23">
<p>
Web publishing platform with social network like features and good privacy controls so that it's possible to specify who can see which content. Includes photo albums, calendar, wiki and file storage.
</p>
@ -396,9 +396,9 @@ Web publishing platform with social network like features and good privacy contr
</p>
</div>
</div>
<div id="outline-container-org4f18360" class="outline-2">
<h2 id="org4f18360">IRC Server (ngirc)</h2>
<div class="outline-text-2" id="text-org4f18360">
<div id="outline-container-org15dcaac" class="outline-2">
<h2 id="org15dcaac">IRC Server (ngirc)</h2>
<div class="outline-text-2" id="text-org15dcaac">
<p>
Run your own IRC chat channel which can be secured with a password and accessible via an onion address. A bouncer is included so that you can receive messages sent while you were offline. Works with Hexchat and other popular clients.
</p>
@ -408,18 +408,18 @@ Run your own IRC chat channel which can be secured with a password and accessibl
</p>
</div>
</div>
<div id="outline-container-orgc105f39" class="outline-2">
<h2 id="orgc105f39">Jitsi Meet</h2>
<div class="outline-text-2" id="text-orgc105f39">
<div id="outline-container-orga195719" class="outline-2">
<h2 id="orga195719">Jitsi Meet</h2>
<div class="outline-text-2" id="text-orga195719">
<p>
Experimental WebRTC video conferencing system, similar to Google Hangouts. This may not be fully functional, but is hoped to be in the near future.
</p>
</div>
</div>
<div id="outline-container-org10fbc88" class="outline-2">
<h2 id="org10fbc88">KanBoard</h2>
<div class="outline-text-2" id="text-org10fbc88">
<div id="outline-container-org67269ac" class="outline-2">
<h2 id="org67269ac">KanBoard</h2>
<div class="outline-text-2" id="text-org67269ac">
<p>
A simple kanban system for managing projects or TODO lists.
</p>
@ -429,9 +429,9 @@ A simple kanban system for managing projects or TODO lists.
</p>
</div>
</div>
<div id="outline-container-orgb3097e7" class="outline-2">
<h2 id="orgb3097e7">Key Server</h2>
<div class="outline-text-2" id="text-orgb3097e7">
<div id="outline-container-org5db580b" class="outline-2">
<h2 id="org5db580b">Key Server</h2>
<div class="outline-text-2" id="text-org5db580b">
<p>
An OpenPGP key server for storing and retrieving GPG public keys.
</p>
@ -441,9 +441,9 @@ An OpenPGP key server for storing and retrieving GPG public keys.
</p>
</div>
</div>
<div id="outline-container-orga3542ee" class="outline-2">
<h2 id="orga3542ee">Koel</h2>
<div class="outline-text-2" id="text-orga3542ee">
<div id="outline-container-org6675f8f" class="outline-2">
<h2 id="org6675f8f">Koel</h2>
<div class="outline-text-2" id="text-org6675f8f">
<p>
Access your music collection from any internet connected device.
</p>
@ -453,9 +453,9 @@ Access your music collection from any internet connected device.
</p>
</div>
</div>
<div id="outline-container-orga662c8f" class="outline-2">
<h2 id="orga662c8f">Lychee</h2>
<div class="outline-text-2" id="text-orga662c8f">
<div id="outline-container-orgdfd8572" class="outline-2">
<h2 id="orgdfd8572">Lychee</h2>
<div class="outline-text-2" id="text-orgdfd8572">
<p>
Make your photo albums available on the web.
</p>
@ -465,9 +465,9 @@ Make your photo albums available on the web.
</p>
</div>
</div>
<div id="outline-container-orgccf23ee" class="outline-2">
<h2 id="orgccf23ee">Mailpile</h2>
<div class="outline-text-2" id="text-orgccf23ee">
<div id="outline-container-org5f70509" class="outline-2">
<h2 id="org5f70509">Mailpile</h2>
<div class="outline-text-2" id="text-org5f70509">
<p>
Modern email client which supports GPG encryption.
</p>
@ -477,9 +477,9 @@ Modern email client which supports GPG encryption.
</p>
</div>
</div>
<div id="outline-container-orgdee374a" class="outline-2">
<h2 id="orgdee374a">Matrix</h2>
<div class="outline-text-2" id="text-orgdee374a">
<div id="outline-container-orgacaf2b5" class="outline-2">
<h2 id="orgacaf2b5">Matrix</h2>
<div class="outline-text-2" id="text-orgacaf2b5">
<p>
Multi-user chat with some security and moderation controls.
</p>
@ -489,9 +489,9 @@ Multi-user chat with some security and moderation controls.
</p>
</div>
</div>
<div id="outline-container-org7faaca0" class="outline-2">
<h2 id="org7faaca0">Mediagoblin</h2>
<div class="outline-text-2" id="text-org7faaca0">
<div id="outline-container-org4c6673d" class="outline-2">
<h2 id="org4c6673d">Mediagoblin</h2>
<div class="outline-text-2" id="text-org4c6673d">
<p>
Publicly host video and audio files so that you don't need to use YouTube/Vimeo/etc.
</p>
@ -501,9 +501,9 @@ Publicly host video and audio files so that you don't need to use YouTube/Vimeo/
</p>
</div>
</div>
<div id="outline-container-orgfa87291" class="outline-2">
<h2 id="orgfa87291">Mumble</h2>
<div class="outline-text-2" id="text-orgfa87291">
<div id="outline-container-org5778590" class="outline-2">
<h2 id="org5778590">Mumble</h2>
<div class="outline-text-2" id="text-org5778590">
<p>
The popular VoIP and text chat system. Say goodbye to old-fashioned telephony conferences with silly dial codes. Also works well on mobile.
</p>
@ -513,9 +513,9 @@ The popular VoIP and text chat system. Say goodbye to old-fashioned telephony co
</p>
</div>
</div>
<div id="outline-container-org88bc444" class="outline-2">
<h2 id="org88bc444">NextCloud</h2>
<div class="outline-text-2" id="text-org88bc444">
<div id="outline-container-orgbecac51" class="outline-2">
<h2 id="orgbecac51">NextCloud</h2>
<div class="outline-text-2" id="text-orgbecac51">
<p>
Store files on your server and sync them with laptops or mobile devices. Includes many plugins including videoconferencing and collaborative document editing.
</p>
@ -525,9 +525,9 @@ Store files on your server and sync them with laptops or mobile devices. Include
</p>
</div>
</div>
<div id="outline-container-orgd909087" class="outline-2">
<h2 id="orgd909087">PI-Hole</h2>
<div class="outline-text-2" id="text-orgd909087">
<div id="outline-container-org4e52617" class="outline-2">
<h2 id="org4e52617">PI-Hole</h2>
<div class="outline-text-2" id="text-org4e52617">
<p>
The black hole for web adverts. Block adverts at the domain name level within your local network. It can significantly reduce bandwidth, speed up page load times and protect your systems from being tracked by spyware.
</p>
@ -537,9 +537,9 @@ The black hole for web adverts. Block adverts at the domain name level within yo
</p>
</div>
</div>
<div id="outline-container-org54cc393" class="outline-2">
<h2 id="org54cc393">PostActiv</h2>
<div class="outline-text-2" id="text-org54cc393">
<div id="outline-container-org77c5c76" class="outline-2">
<h2 id="org77c5c76">PostActiv</h2>
<div class="outline-text-2" id="text-org77c5c76">
<p>
An alternative federated social networking system compatible with GNU Social. It includes some optimisations and fixes currently not available within the main GNU Social project.
</p>
@ -549,9 +549,9 @@ An alternative federated social networking system compatible with GNU Social. It
</p>
</div>
</div>
<div id="outline-container-orgbf4385b" class="outline-2">
<h2 id="orgbf4385b">Profanity</h2>
<div class="outline-text-2" id="text-orgbf4385b">
<div id="outline-container-org0bf6985" class="outline-2">
<h2 id="org0bf6985">Profanity</h2>
<div class="outline-text-2" id="text-org0bf6985">
<p>
A shell based XMPP client which you can run on the Freedombone server via ssh.
</p>
@ -561,9 +561,9 @@ A shell based XMPP client which you can run on the Freedombone server via ssh.
</p>
</div>
</div>
<div id="outline-container-orgda318c9" class="outline-2">
<h2 id="orgda318c9">Riot Web</h2>
<div class="outline-text-2" id="text-orgda318c9">
<div id="outline-container-org3a8644d" class="outline-2">
<h2 id="org3a8644d">Riot Web</h2>
<div class="outline-text-2" id="text-org3a8644d">
<p>
A browser based user interface for the Matrix federated communications system, including WebRTC audio and video chat.
</p>
@ -573,9 +573,9 @@ A browser based user interface for the Matrix federated communications system, i
</p>
</div>
</div>
<div id="outline-container-org99449d0" class="outline-2">
<h2 id="org99449d0">SearX</h2>
<div class="outline-text-2" id="text-org99449d0">
<div id="outline-container-org072b2ee" class="outline-2">
<h2 id="org072b2ee">SearX</h2>
<div class="outline-text-2" id="text-org072b2ee">
<p>
A metasearch engine for customised and private web searches.
</p>
@ -585,9 +585,9 @@ A metasearch engine for customised and private web searches.
</p>
</div>
</div>
<div id="outline-container-org761a652" class="outline-2">
<h2 id="org761a652">tt-rss</h2>
<div class="outline-text-2" id="text-org761a652">
<div id="outline-container-orge6d7a97" class="outline-2">
<h2 id="orge6d7a97">tt-rss</h2>
<div class="outline-text-2" id="text-orge6d7a97">
<p>
Private RSS reader. Pulls in RSS/Atom feeds via Tor and is only accessible via an onion address. Have "<i>the right to read</i>" without the Surveillance State knowing what you're reading. Also available with a user interface suitable for viewing on mobile devices via a browser such as OrFox.
</p>
@ -597,9 +597,9 @@ Private RSS reader. Pulls in RSS/Atom feeds via Tor and is only accessible via a
</p>
</div>
</div>
<div id="outline-container-orga6e23d7" class="outline-2">
<h2 id="orga6e23d7">Syncthing</h2>
<div class="outline-text-2" id="text-orga6e23d7">
<div id="outline-container-orgb533fa3" class="outline-2">
<h2 id="orgb533fa3">Syncthing</h2>
<div class="outline-text-2" id="text-orgb533fa3">
<p>
Possibly the best way to synchronise files across all of your devices. Once it has been set up it "just works" with no user intervention needed.
</p>
@ -609,9 +609,9 @@ Possibly the best way to synchronise files across all of your devices. Once it h
</p>
</div>
</div>
<div id="outline-container-org643b86b" class="outline-2">
<h2 id="org643b86b">Tahoe-LAFS</h2>
<div class="outline-text-2" id="text-org643b86b">
<div id="outline-container-orgae3276a" class="outline-2">
<h2 id="orgae3276a">Tahoe-LAFS</h2>
<div class="outline-text-2" id="text-orgae3276a">
<p>
Robust and encrypted storage of files on one or more server.
</p>
@ -621,9 +621,9 @@ Robust and encrypted storage of files on one or more server.
</p>
</div>
</div>
<div id="outline-container-org8eb9d12" class="outline-2">
<h2 id="org8eb9d12">Tox</h2>
<div class="outline-text-2" id="text-org8eb9d12">
<div id="outline-container-orga445624" class="outline-2">
<h2 id="orga445624">Tox</h2>
<div class="outline-text-2" id="text-orga445624">
<p>
Client and bootstrap node for the Tox chat/VoIP system.
</p>
@ -633,9 +633,9 @@ Client and bootstrap node for the Tox chat/VoIP system.
</p>
</div>
</div>
<div id="outline-container-org5a0e4e5" class="outline-2">
<h2 id="org5a0e4e5">Turtl</h2>
<div class="outline-text-2" id="text-org5a0e4e5">
<div id="outline-container-org176644c" class="outline-2">
<h2 id="org176644c">Turtl</h2>
<div class="outline-text-2" id="text-org176644c">
<p>
A system for privately creating and sharing notes and images, similar to Evernote but without the spying.
</p>
@ -645,18 +645,30 @@ A system for privately creating and sharing notes and images, similar to Evernot
</p>
</div>
</div>
<div id="outline-container-orgdeeab5b" class="outline-2">
<h2 id="orgdeeab5b">Vim</h2>
<div class="outline-text-2" id="text-orgdeeab5b">
<div id="outline-container-org8d3d9ed" class="outline-2">
<h2 id="org8d3d9ed">Vim</h2>
<div class="outline-text-2" id="text-org8d3d9ed">
<p>
If you use the Mutt client to read your email then this will set it up to use vim for composing new mail.
</p>
</div>
</div>
<div id="outline-container-orgdbd802c" class="outline-2">
<h2 id="orgdbd802c">XMPP</h2>
<div class="outline-text-2" id="text-orgdbd802c">
<div id="outline-container-orgbab78c1" class="outline-2">
<h2 id="orgbab78c1">Virtual Private Network (VPN)</h2>
<div class="outline-text-2" id="text-orgbab78c1">
<p>
Set up a VPN on your server so that you can bypass local internet censorship.
</p>
<p>
<a href="./app_vpn.html">How to use it</a>
</p>
</div>
</div>
<div id="outline-container-org76fcabc" class="outline-2">
<h2 id="org76fcabc">XMPP</h2>
<div class="outline-text-2" id="text-org76fcabc">
<p>
Chat server which can be used together with client such as Gajim or Conversations to provide end-to-end content security and also onion routed metadata security. Includes advanced features such as <i>client state notification</i> to save battery power on your mobile devices, support for seamless roaming between networks and <i>message carbons</i> so that you can receive the same messages while being simultaneously logged in to your account on more than one device.
</p>