free
/
freedombone
1
0
Fork 0
Code Issues Pull Requests Releases Wiki Activity

Merge branch 'stretch' of https://github.com/bashrc/freedombone

This commit is contained in:
Bob Mottram 2018-01-16 10:12:07 +00:00
parent 118c03d3cb f657b2f8b0
commit a817de0d3b
21 changed files with 908 additions and 486 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

5
doc/EN/faq.org
View File

@ -31,6 +31,7 @@
| [[How is Tor integrated with Freedombone?]] |
| [[Can I add a clearnet domain to an onion build?]] |
| [[Why use Github?]] |
| [[Should I upload my GPG keys to keybase.io?]] |
| [[Keys and emails should not be stored on servers. Why do you do that?]] |
| [[Why can't I access my .onion site with a Tor browser?]] |
| [[What is the best hardware to run this system on?]] |
@ -118,6 +119,10 @@ At present Github is useful just because of the sheer number of eyeballs and the
The source code for this project is experimentally independently hosted, and it is expected that in future the main development will shift over to an independent site, maybe with mirrors on Github if it still exists in a viable form.
Currently many of the repositories used for applications which are not yet packaged for Debian are on Github, and to provide some degree of resilliance against depending too much upon that copies of them also exist within disk images.
* Should I upload my GPG keys to keybase.io?
It's not recommended unless there exists some compelling reason for you to be on there. That site asks users to upload the *private keys*, and even if the keys are client side encrypted with a passphrase there's always the chance that there will be a data leak in future and letter agencies will then have a full time opportunity to crack the passphrases.
Saying something resembling /"only noobs will use crackable private key passphrases"/ isn't good enough. A passphrase should not be considered to be a substitute for a private key.
* Keys and emails should not be stored on servers. Why do you do that?
Ordinarily this is good advice. However, the threat model for a device in your home is different from the one for a generic server in a massive warehouse. Compare and contrast:

2
doc/EN/mesh.org
View File

@ -32,6 +32,8 @@ If an internet connection is available then it can make use of that, but otherwi
Systems only need to be within wifi range of each other for the mesh to be created, so it can be an very convenient way to create a local communications network.
Like [[https://libremesh.org][LibreMesh]], this system uses a combination of [[https://en.wikipedia.org/wiki/B.A.T.M.A.N.][batman-adv]] on network layer 2 and [[http://bmx6.net][BMX]] on layer 3.
#+BEGIN_CENTER
This site can also be accessed via a Tor browser at http://pazyv7nkllp76hqr.onion
#+END_CENTER

2
src/freedombone-app-gnusocial
View File

@ -28,7 +28,7 @@
# You should have received a copy of the GNU Affero General Public License
# along with this program. If not, see <http://www.gnu.org/licenses/>.
VARIANTS='full full-vim media'
VARIANTS='full full-vim social'
IN_DEFAULT_INSTALL=0
SHOW_ON_ABOUT=1

10
src/freedombone-app-pleroma
View File

@ -37,7 +37,7 @@
# You should have received a copy of the GNU Affero General Public License
# along with this program. If not, see <http://www.gnu.org/licenses/>.
VARIANTS=''
VARIANTS='full full-vim social'
IN_DEFAULT_INSTALL=0
SHOW_ON_ABOUT=1
@ -47,7 +47,7 @@ PLEROMA_CODE=
PLEROMA_PORT=4000
PLEROMA_ONION_PORT=8011
PLEROMA_REPO="https://git.pleroma.social/pleroma/pleroma.git"
PLEROMA_COMMIT='c1fa1e8844c8eae1ad7638a2d7f9d00e8cd07ce8'
PLEROMA_COMMIT='80f6ac412a632da090be9f3d86971eac0b95a53d'
PLEROMA_ADMIN_PASSWORD=
PLEROMA_DIR=/etc/pleroma
PLEROMA_SECRET_KEY=""
@ -890,13 +890,13 @@ function install_pleroma {
# lost during mix compile
pleroma_secret=$PLEROMA_DIR/config/dev.secret.exs
if ! grep -q 'watchers: [],' $pleroma_secret; then
sed -i 's|watchers: []|watchers: [],|g' $pleroma_secret
sed -i 's|watchers: \[\]|watchers: \[\],|g' $pleroma_secret
fi
if ! grep -q 'url:' $pleroma_secret; then
if [[ $ONION_ONLY == 'no' ]]; then
sed -i "/watchers: []/a url: [host: \"$PLEROMA_DOMAIN_NAME\", scheme: \"https\", port: 443]" $pleroma_secret
sed -i "/watchers: /a url: [host: \"$PLEROMA_DOMAIN_NAME\", scheme: \"https\", port: 443]" $pleroma_secret
else
sed -i "/watchers: []/a url: [host: \"$PLEROMA_ONION_HOSTNAME\", scheme: \"http\", port: 80]" $pleroma_secret
sed -i "/watchers: /a url: [host: \"$PLEROMA_ONION_HOSTNAME\", scheme: \"http\", port: 80]" $pleroma_secret
fi
fi

4
src/freedombone-app-tox
View File

@ -136,6 +136,10 @@ function mesh_tox_qtox {
chroot "${rootdir}" apt-get -yq install build-essential libatk1.0-0 libbz2-1.0 libc6 libcairo2 libdbus-1-3 libegl1-mesa libfontconfig1 libfreetype6 libgcc1 libgdk-pixbuf2.0-0 libgl1-mesa-glx libglib2.0-0 libgtk2.0-0 libice6 libicu57 libjpeg62-turbo libmng1 libmtdev1 libopenal1 libopus0 libpango-1.0-0 libpangocairo-1.0-0 libpangoft2-1.0-0 libpng16-16 libqrencode3 libsm6 libsodium18 libsqlite3-0 libssl1.1 libstdc++6 libtiff5 libudev1 libvpx4 libwayland-client0 libwayland-cursor0 libwayland-egl1-mesa libwebp6 libx11-6 libx11-xcb1 libxcb-glx0 libxcb-icccm4 libxcb-image0 libxcb-keysyms1 libxcb-randr0 libxcb-render-util0 libxcb-render0 libxcb-shape0 libxcb-shm0 libxcb-sync1 libxcb-xfixes0 libxcb-xinerama0 libxcb1 libxext6 libxfixes3 libxi6 libxrender1 libxss1 zlib1g libopus-dev libvpx-dev
chroot "${rootdir}" apt-get -yq install build-essential qt5-qmake qt5-default qttools5-dev-tools libqt5opengl5-dev libqt5svg5-dev libopenal-dev libxss-dev qrencode libqrencode-dev libglib2.0-dev libgdk-pixbuf2.0-dev libgtk2.0-dev libsqlcipher-dev libopus-dev libvpx-dev libavformat-dev libavdevice-dev libswscale-dev libavutil-dev libavcodec-dev libavcodec57 libavfilter-dev libavfilter6
chroot "$rootdir" apt-get clean
chroot "$rootdir" /bin/rm -rf /var/lib/apt/lists/*
chroot "$rootdir" apt-get clean
# ffmpeg
chroot "${rootdir}" apt-get -yq install build-essential
chroot "${rootdir}" apt-get -yq install ffmpeg libmp3lame-dev libvorbis-dev libtheora-dev

2
src/freedombone-client
View File

@ -281,7 +281,7 @@ function remove_known_hosts_entries {
function setup_avahi_client {
echo $'Configuring Avahi'
if [ ! -f /usr/bin/pacman ]; then
sudo apt-get -yq install avahi-utils avahi-autoipd avahi-dnsconfd
sudo apt-get -yq install avahi-utils avahi-dnsconfd
else
sudo pacman -S --noconfirm avahi nss-mdns
sudo sed -i 's|hosts:.*|hosts: files mdns_minimal [NOTFOUND=return] dns myhostname|g' /etc/nsswitch.conf

3
src/freedombone-image
View File

@ -165,6 +165,7 @@ function image_setup {
sudo apt-get -yq install git python-docutils mktorrent xz-utils debootstrap
sudo apt-get -yq install dosfstools btrfs-tools extlinux python-distro-info mbr
sudo apt-get -yq install qemu-user-static binfmt-support u-boot-tools qemu
sudo apt-get -yq install python-cliapp
;;
parabola|arch)
sudo pacman -S --noconfirm libc++ git gcc gcc-libs python-docutils mktorrent patch
@ -249,7 +250,7 @@ function image_setup {
return
fi
debian_script_hash=$(sha256sum /usr/share/debootstrap/scripts/${DEBIAN_VERSION} | awk -F ' ' '{print $1}')
expected_debian_script_hash='94e01603091748e8a6a9d2c3beefec29f2a174d989500f81be4ab767830f4489'
expected_debian_script_hash='620fa84c7ef64d10349aed38fa9cc2e7f00a6fcd1bc425f33ca2b57cc946fd0c'
if [[ "$debian_script_hash" != "$expected_debian_script_hash" ]]; then
echo $"Invalid hash for debootstrap ${DEBIAN_VERSION} script"
return

167
src/freedombone-image-customise
View File

@ -13,6 +13,8 @@
# License
# =======
#
# Copyright (C) 2015-2018 Bob Mottram <bob@freedombone.net>
#
# This program is free software: you can redistribute it and/or modify
# it under the terms of the GNU Affero General Public License as published by
# the Free Software Foundation, either version 3 of the License, or
@ -123,6 +125,12 @@ ENABLE_ZERONET=
MESH_TEXT_EDITOR='pluma'
BMX6_REPO="https://github.com/bmx-routing/bmx6"
BMX6_COMMIT='39dd1f2d99ac5a3fa28e92f8173c15039132e181'
BMX7_REPO="https://github.com/bmx-routing/bmx7"
BMX7_COMMIT='0a82c7c10fef44b259b35e77ab33632aa132d219'
PATH=/usr/local/bin:/usr/local/sbin:/usr/bin:/usr/sbin:/bin:/sbin
function configure_backports {
@ -639,13 +647,20 @@ EOF
}
mesh_shutdown_script() {
mesh_shutdown_script=$rootdir/usr/bin/meshshutdown
echo '#!/bin/bash' > $mesh_shutdown_script
echo 'batman stop' >> $mesh_shutdown_script
chroot "$rootdir" chmod +x /usr/bin/meshshutdown
echo '[Unit]' > $rootdir/etc/systemd/system/meshshutdown.service
echo 'Description=Shuts down the mesh' >> $rootdir/etc/systemd/system/meshshutdown.service
echo 'Before=shutdown.target' >> $rootdir/etc/systemd/system/meshshutdown.service
echo '' >> $rootdir/etc/systemd/system/meshshutdown.service
echo '[Service]' >> $rootdir/etc/systemd/system/meshshutdown.service
echo 'User=root' >> $rootdir/etc/systemd/system/meshshutdown.service
echo 'Group=root' >> $rootdir/etc/systemd/system/meshshutdown.service
echo 'ExecStart=/bin/true' >> $rootdir/etc/systemd/system/meshshutdown.service
echo 'ExecStop=/bin/bash /usr/local/bin/batman stop' >> $rootdir/etc/systemd/system/meshshutdown.service
echo 'ExecStop=/bin/bash /usr/bin/meshshutdown' >> $rootdir/etc/systemd/system/meshshutdown.service
echo 'RemainAfterExit=yes' >> $rootdir/etc/systemd/system/meshshutdown.service
echo '' >> $rootdir/etc/systemd/system/meshshutdown.service
echo '[Install]' >> $rootdir/etc/systemd/system/meshshutdown.service
@ -653,6 +668,135 @@ mesh_shutdown_script() {
chroot "$rootdir" systemctl enable meshshutdown
}
install_bmx6() {
git clone $BMX6_REPO $rootdir/etc/bmx6
cat <<EOF > $rootdir/usr/bin/install_bmx6
#!/bin/bash
cd /etc/bmx6
git checkout $BMX6_COMMIT -b $BMX6_COMMIT
make
make install
cd /etc/bmx6/lib/bmx6_http_info
make
make install
cd /etc/bmx6/lib/bmx6_json
make
make install
cd /etc/bmx6/lib/bmx6_quagga
make
make install
cd /etc/bmx6/lib/bmx6_sms
make
make install
cd /etc/bmx6/lib/bmx6_table
make
make install
cd /etc/bmx6/lib/bmx6_topology
make
make install
EOF
chroot "$rootdir" chmod +x /usr/bin/install_bmx6
chroot "$rootdir" /usr/bin/install_bmx6
if [ ! -f $rootdir/usr/sbin/bmx6 ]; then
echo $'bmx6 was not installed'
exit 79835292
fi
rm $rootdir/usr/bin/install_bmx6
echo '[Unit]' > $rootdir/etc/systemd/system/bmx6.service
echo 'Description=BMX6 mesh routing protocol' >> $rootdir/etc/systemd/system/bmx6.service
echo 'Requires=network.target' >> $rootdir/etc/systemd/system/bmx6.service
echo 'After=network.target' >> $rootdir/etc/systemd/system/bmx6.service
echo '' >> $rootdir/etc/systemd/system/bmx6.service
echo '[Service]' >> $rootdir/etc/systemd/system/bmx6.service
echo 'Type=forking' >> $rootdir/etc/systemd/system/bmx6.service
echo 'User=root' >> $rootdir/etc/systemd/system/bmx6.service
echo 'Group=root' >> $rootdir/etc/systemd/system/bmx6.service
echo 'ExecStart=/usr/sbin/bmx6 dev=wlan0' >> $rootdir/etc/systemd/system/bmx6.service
echo 'ExecStop=/usr/bin/kill -15 $MAINPID' >> $rootdir/etc/systemd/system/bmx6.service
echo 'PIDFile=/var/run/bmx6/pid' >> $rootdir/etc/systemd/system/bmx6.service
echo 'Restart=on-failure' >> $rootdir/etc/systemd/system/bmx6.service
echo '' >> $rootdir/etc/systemd/system/bmx6.service
echo '[Install]' >> $rootdir/etc/systemd/system/bmx6.service
echo 'WantedBy=multi-user.target' >> $rootdir/etc/systemd/system/bmx6.service
}
install_bmx7() {
chroot "$rootdir" apt-get -qy install libjson-c-dev zlib1g-dev libiw-dev
git clone $BMX7_REPO $rootdir/etc/bmx7
cat <<EOF > $rootdir/usr/bin/install_bmx7
#!/bin/bash
cd /etc
wget https://polarssl.org/code/releases/polarssl-1.3.3-gpl.tgz
tar xzvf polarssl-1.3.3-gpl.tgz
cd /etc/polarssl-1.3.3
make
sudo make install
cd /etc/bmx7
git checkout $BMX7_COMMIT -b $BMX7_COMMIT
make EXTRA_CFLAGS="-DCRYPTLIB=POLARSSL_1_3_3"
make install
cd /etc/bmx7/lib/bmx7_http_info
make
make install
cd /etc/bmx7/lib/bmx7_json
make
make install
cd /etc/bmx7/lib/bmx7_tun
make
make install
cd /etc/bmx7/lib/bmx7_sms
make
make install
cd /etc/bmx7/lib/bmx7_topology
make
make install
EOF
chroot "$rootdir" chmod +x /usr/bin/install_bmx7
chroot "$rootdir" /usr/bin/install_bmx7
if [ ! -f $rootdir/usr/sbin/bmx7 ]; then
echo $'bmx7 was not installed'
exit 67836235
fi
rm $rootdir/usr/bin/install_bmx7
echo '[Unit]' > $rootdir/etc/systemd/system/bmx7.service
echo 'Description=BMX7 mesh routing protocol' >> $rootdir/etc/systemd/system/bmx7.service
echo 'Requires=network.target' >> $rootdir/etc/systemd/system/bmx7.service
echo 'After=network.target' >> $rootdir/etc/systemd/system/bmx7.service
echo '' >> $rootdir/etc/systemd/system/bmx7.service
echo '[Service]' >> $rootdir/etc/systemd/system/bmx7.service
echo 'Type=forking' >> $rootdir/etc/systemd/system/bmx7.service
echo 'User=root' >> $rootdir/etc/systemd/system/bmx7.service
echo 'Group=root' >> $rootdir/etc/systemd/system/bmx7.service
echo 'ExecStart=/usr/sbin/bmx7 dev=wlan0' >> $rootdir/etc/systemd/system/bmx7.service
echo 'ExecStop=/usr/bin/kill -15 $MAINPID' >> $rootdir/etc/systemd/system/bmx7.service
echo 'PIDFile=/var/run/bmx7/pid' >> $rootdir/etc/systemd/system/bmx7.service
echo 'Restart=on-failure' >> $rootdir/etc/systemd/system/bmx7.service
echo '' >> $rootdir/etc/systemd/system/bmx7.service
echo '[Install]' >> $rootdir/etc/systemd/system/bmx7.service
echo 'WantedBy=multi-user.target' >> $rootdir/etc/systemd/system/bmx7.service
}
initialise_mesh() {
if [[ $VARIANT != "mesh"* ]]; then
return
@ -689,9 +833,26 @@ initialise_mesh() {
# dhcp daemon for hotspot on secondary wifi adapter
chroot "$rootdir" apt-get -yq install dnsmasq
# for debugging
chroot "$rootdir" apt-get -yq install traceroute
# set the default protocol to be used
echo 'bmx6' > $rootdir$MESH_DEFAULT_PROTOCOL
sed -i 's|#net.ipv6.conf.all.forwarding.*|net.ipv6.conf.all.forwarding=1|g' $rootdir/etc/sysctl.conf
sed -i 's|net.ipv6.conf.all.forwarding.*|net.ipv6.conf.all.forwarding=1|g' $rootdir/etc/sysctl.conf
sed -i 's|#net.ipv6.conf.all.accept_redirects.*|net.ipv6.conf.all.accept_redirects=1|g' $rootdir/etc/sysctl.conf
sed -i 's|net.ipv6.conf.all.accept_redirects.*|net.ipv6.conf.all.accept_redirects=1|g' $rootdir/etc/sysctl.conf
sed -i 's|#net.ipv6.conf.all.accept_source_route.*|net.ipv6.conf.all.accept_source_route=1|g' $rootdir/etc/sysctl.conf
sed -i 's|net.ipv6.conf.all.accept_source_route.*|net.ipv6.conf.all.accept_source_route=1|g' $rootdir/etc/sysctl.conf
configure_firewall
install_avahi
install_batman
install_bmx6
install_bmx7
mesh_shutdown_script
install_vpn
install_tomb
@ -1448,7 +1609,7 @@ function image_setup_utils {
chroot "$rootdir" apt-get -yq install avahi-daemon avahi-utils avahi-discover
chroot "$rootdir" apt-get -yq install connect-proxy openssh-server
chroot "$rootdir" apt-get -yq install sudo git dialog build-essential avahi-daemon avahi-utils
chroot "$rootdir" apt-get -yq install avahi-discover avahi-autoipd iptables dnsutils net-tools
chroot "$rootdir" apt-get -yq install avahi-discover iptables dnsutils net-tools
chroot "$rootdir" apt-get -yq install network-manager iputils-ping libnss-mdns libnss-myhostname
chroot "$rootdir" apt-get -yq install libnss-gw-name nano man ntp locales locales-all debconf
chroot "$rootdir" apt-get -yq install wireless-tools wpasupplicant usbutils cryptsetup zsh
@ -1753,7 +1914,7 @@ if [[ $VARIANT != "mesh"* ]]; then
chroot "$rootdir" apt-get install -y openssh-server
fi
chroot "$rootdir" apt-get install -y sudo git dialog build-essential
chroot "$rootdir" apt-get install -y avahi-daemon avahi-utils avahi-discover avahi-autoipd
chroot "$rootdir" apt-get install -y avahi-daemon avahi-utils avahi-discover
chroot "$rootdir" apt-get install -y iptables dnsutils net-tools network-manager iputils-ping
chroot "$rootdir" apt-get install -y libnss-mdns libnss-myhostname libnss-gw-name nano man ntp
chroot "$rootdir" apt-get install -y locales locales-all debconf wireless-tools wpasupplicant usbutils

2
src/freedombone-image-makefile
View File

@ -43,7 +43,7 @@ IMAGE = $(NAME).img
ARCHIVE = $(IMAGE).xz
SIGNATURE = $(ARCHIVE).sig
OWNER = 1000
XZ = xz --no-warn --best --verbose --keep
XZ = xz --no-warn --verbose --keep --threads=0 -3
SIGN = -gpg --output $(SIGNATURE) --detach-sig $(ARCHIVE)
# settings for `make test`

8
src/freedombone-image-mesh
View File

@ -1415,6 +1415,14 @@ if [ -f $MESH_INSTALL_SETUP ]; then
systemctl disable tor
echo $'TOR disabled' >> $INSTALL_LOG
systemctl stop bmx6
systemctl disable bmx6
echo $'BMX6 disabled' >> $INSTALL_LOG
systemctl stop bmx7
systemctl disable bmx7
echo $'BMX7 disabled' >> $INSTALL_LOG
#tomb slam all
tmp_ram_disk 100
enable_predictable_device_names

352
src/freedombone-mesh-batman
View File

@ -35,58 +35,9 @@ COMPLETION_FILE=/root/${PROJECT_NAME}-completed.txt
HOTSPOT_PASSPHRASE="${PROJECT_NAME}"
source /usr/share/${PROJECT_NAME}/utils/${PROJECT_NAME}-utils-wifi
source /usr/share/${PROJECT_NAME}/utils/${PROJECT_NAME}-utils-mesh
if [[ $1 == "start" ]]; then
# install avahi
sed -i "s|#host-name=.*|host-name=$(hostname)|g" /etc/avahi/avahi-daemon.conf
sed -i "s|host-name=.*|host-name=$(hostname)|g" /etc/avahi/avahi-daemon.conf
sed -i "s|use-ipv4=.*|use-ipv4=yes|g" /etc/avahi/avahi-daemon.conf
sed -i "s|use-ipv6=.*|use-ipv6=no|g" /etc/avahi/avahi-daemon.conf
sed -i "s|#disallow-other-stacks=.*|disallow-other-stacks=yes|g" /etc/avahi/avahi-daemon.conf
sed -i "s|hosts:.*|hosts: files mdns4_minimal dns mdns4 mdns|g" /etc/nsswitch.conf
fi
# Mesh definition
WIFI_SSID='mesh'
if [ -f $COMPLETION_FILE ]; then
if grep -q "WIFI_SSID:" $COMPLETION_FILE; then
WIFI_SSID=$(cat $COMPLETION_FILE | grep "WIFI_SSID:" | awk -F ':' '{print $2}')
fi
sed -i "s|WIFI_SSID:.*|WIFI_SSID:${WIFI_SSID}|g" $COMPLETION_FILE
fi
CELLID='any'
CHANNEL=2
HOTSPOT_CHANNEL=6
if [ -f $COMPLETION_FILE ]; then
if grep -q "Wifi channel:" $COMPLETION_FILE; then
CHANNEL=$(cat $COMPLETION_FILE | grep "Wifi channel:" | awk -F ':' '{print $2}')
fi
sed -i "s|Wifi channel:.*|Wifi channel:${CHANNEL}|g" $COMPLETION_FILE
fi
ZERONET_PORT=15441
IPFS_PORT=4001
TOX_PORT=33445
TRACKER_PORT=6969
LIBREVAULT_PORT=42345
TAHOELAFS_PORT=50213
GIT_SSB_PORT=7718
NGINX_GIT_SSB_PORT=7719
# Ethernet bridge definition (bridged to bat0)
BRIDGE=br-mesh
BRIDGE_HOTSPOT=br-hotspot
IFACE=
IFACE_SECONDARY=
EIFACE=eth0
WLAN_ADAPTORS=$(count_wlan)
if [ $WLAN_ADAPTORS -eq 0 ]; then
echo $'No wlan adaptors found'
exit 0
fi
mesh_protocol_init
update_wifi_adaptors
if [ ! $IFACE ]; then
@ -98,33 +49,30 @@ if [ -e /etc/default/batctl ]; then
. /etc/default/batctl
fi
function get_ipv4_wlan {
echo $(ip -o -f inet addr show dev "$IFACE" | awk '{print $4}' | awk 'END {print}' | awk -F '/' '{print $1}')
}
function mesh_hotspot_ip_address {
echo $(ip -o -f inet addr show dev "${BRIDGE}" | awk '{print $4}' | awk 'END {print}' | awk -F '/' '{print $1}')
}
function global_rate_limit {
if ! grep -q "tcp_challenge_ack_limit" /etc/sysctl.conf; then
echo 'net.ipv4.tcp_challenge_ack_limit = 999999999' >> /etc/sysctl.conf
else
sed -i 's|net.ipv4.tcp_challenge_ack_limit.*|net.ipv4.tcp_challenge_ack_limit = 999999999|g' /etc/sysctl.conf
fi
sysctl -p -q
}
function status {
batctl o
if grep -q "bmx6" $MESH_CURRENT_PROTOCOL; then
bmx6 -c show=originators
else
bmx7 -c show=originators
fi
}
function stop {
if [ ! -f $MESH_CURRENT_PROTOCOL ]; then
return
fi
if [ -z "$IFACE" ]; then
echo 'error: unable to find wifi interface, not enabling batman-adv mesh'
return
fi
systemctl stop bmx6
systemctl stop bmx7
systemctl disable bmx6
systemctl disable bmx7
systemctl stop dnsmasq
systemctl disable dnsmasq
@ -140,8 +88,6 @@ function stop {
brctl delbr $BRIDGE
fi
avahi-autoipd -k $BRIDGE
avahi-autoipd -k $IFACE
ifconfig bat0 down -promisc
batctl if del $IFACE
@ -160,46 +106,13 @@ function stop {
rmmod batman-adv
iptables -D INPUT -p tcp --dport $TRACKER_PORT -j ACCEPT
iptables -D INPUT -p udp --dport $TRACKER_PORT -j ACCEPT
iptables -D INPUT -p tcp --dport 80 -j ACCEPT
iptables -D INPUT -p udp --dport 80 -j ACCEPT
iptables -D INPUT -p tcp --dport 548 -j ACCEPT
iptables -D INPUT -p udp --dport 548 -j ACCEPT
iptables -D INPUT -p tcp --dport 5353 -j ACCEPT
iptables -D INPUT -p udp --dport 5353 -j ACCEPT
iptables -D INPUT -p tcp --dport 5354 -j ACCEPT
iptables -D INPUT -p udp --dport 5354 -j ACCEPT
iptables -D INPUT -p tcp --dport $ZERONET_PORT -j ACCEPT
iptables -D INPUT -p udp --dport $ZERONET_PORT -j ACCEPT
iptables -D INPUT -p tcp --dport $IPFS_PORT -j ACCEPT
iptables -D INPUT -p udp --dport $IPFS_PORT -j ACCEPT
iptables -D INPUT -p tcp --dport $TOX_PORT -j ACCEPT
iptables -D INPUT -p udp --dport $TOX_PORT -j ACCEPT
iptables -D INPUT -p tcp --dport $LIBREVAULT_PORT -j ACCEPT
iptables -D INPUT -p udp --dport $LIBREVAULT_PORT -j ACCEPT
iptables -D INPUT -p tcp --dport $TAHOELAFS_PORT -j ACCEPT
# SSB/Scuttlebot/Patchwork
iptables -D INPUT -p tcp --dport $GIT_SSB_PORT -j ACCEPT
iptables -D INPUT -p udp --dport 8008 -j ACCEPT
iptables -D INPUT -p tcp --dport 8008 -j ACCEPT
iptables -D INPUT -p udp --dport 8010 -j ACCEPT
iptables -D INPUT -p tcp --dport 8010 -j ACCEPT
# vpn over the internet
iptables -D INPUT -p tcp --dport 653 -j ACCEPT
iptables -D INPUT -p udp --dport 653 -j ACCEPT
iptables -D INPUT -i ${EIFACE} -m state --state NEW -p tcp --dport 1194 -j ACCEPT
iptables -D INPUT -i tun+ -j ACCEPT
iptables -D FORWARD -i tun+ -j ACCEPT
iptables -D FORWARD -i tun+ -o ${EIFACE} -m state --state RELATED,ESTABLISHED -j ACCEPT
iptables -D FORWARD -i ${EIFACE} -o tun+ -m state --state RELATED,ESTABLISHED -j ACCEPT
iptables -t nat -D POSTROUTING -s 10.8.0.0/24 -o ${EIFACE} -j MASQUERADE
iptables -D OUTPUT -o tun+ -j ACCEPT
echo 0 > /proc/sys/net/ipv4/ip_forward
sed -i 's|net.ipv4.ip_forward=.*|net.ipv4.ip_forward=0|g' /etc/sysctl.conf
disable_mesh_firewall
systemctl restart network-manager
if [ -f $MESH_CURRENT_PROTOCOL ]; then
rm $MESH_CURRENT_PROTOCOL
fi
}
function verify {
@ -215,21 +128,6 @@ function verify {
rm $tempfile
}
function assign_peer_address {
for i in {1..6}; do
number=$RANDOM
let "number %= 255"
octet=$(echo "obase=16;$number" | bc)
if [ ${#octet} -lt 2 ]; then
octet="0${octet}"
fi
if [ $i -gt 1 ]; then
echo -n ":"
fi
echo -n "${octet}"
done
}
function add_wifi_interface {
ifname=$1
ifssid=$WIFI_SSID
@ -261,53 +159,6 @@ function add_wifi_interface {
ifconfig $ifname up
}
function mesh_create_app_downloads_page {
if [ ! -d /root/$PROJECT_NAME/image_build/mesh_apps ]; then
return
fi
if [ ! -d /var/www/html ]; then
return
fi
# Don't go straight to cryptpad when navigating to the peer's IP address
if [ -L /etc/nginx/sites-enabled/cryptpad ]; then
rm /etc/nginx/sites-enabled/cryptpad
ln -s /etc/nginx/sites-available/default /etc/nginx/sites-enabled/default
if [ -d /etc/cryptpad ]; then
systemctl stop cryptpad
systemctl disable cryptpad
fi
systemctl restart nginx
fi
# Don't show the cryptpad icon on the desktop
if [ -f /home/fbone/Desktop/cryptpad.desktop ]; then
mv /home/fbone/Desktop/cryptpad.desktop /home/fbone/.cryptpad.desktop
fi
cp /root/$PROJECT_NAME/website/EN/meshindex.html /var/www/html/index.html
if [ ! -f /var/www/html/ssb.apk ]; then
cp /root/$PROJECT_NAME/image_build/mesh_apps/ssb.apk /var/www/html/ssb.apk
fi
if [ ! -f /var/www/html/trifa.apk ]; then
cp /root/$PROJECT_NAME/image_build/mesh_apps/trifa.apk /var/www/html/trifa.apk
fi
if [ ! -d /var/www/html/images ]; then
mkdir /var/www/html/images
fi
if [ ! -f /var/www/html/images/logo.png ]; then
cp /root/$PROJECT_NAME/img/logo.png /var/www/html/images/logo.png
fi
if [ ! -f /var/www/html/images/ssb.png ]; then
cp /root/$PROJECT_NAME/img/icon_patchwork.png /var/www/html/images/ssb.png
fi
if [ ! -f /var/www/html/images/trifa.png ]; then
cp /root/$PROJECT_NAME/img/trifa.png /var/www/html/images/trifa.png
fi
if [ ! -f /var/www/html/freedombone.css ]; then
cp /root/$PROJECT_NAME/website/freedombone.css /var/www/html/freedombone.css
fi
chown -R www-data:www-data /var/www/html/*
}
function start {
update_wifi_adaptors
@ -317,6 +168,7 @@ function start {
fi
echo "info: enabling batman-adv mesh network $WIFI_SSID on $IFACE"
stop
systemctl stop network-manager
sleep 5
@ -348,8 +200,15 @@ function start {
modprobe batman-adv
# avahi on ipv6
sed -i 's|use-ipv4=.*|use-ipv4=no|g' /etc/avahi/avahi-daemon.conf
sed -i 's|use-ipv6=.*|use-ipv6=yes|g' /etc/avahi/avahi-daemon.conf
sed -i "s|ExecStart=.*|ExecStart=/usr/sbin/bmx6 dev=${IFACE}|g" /etc/systemd/system/bmx6.service
sed -i "s|ExecStart=.*|ExecStart=/usr/sbin/bmx7 dev=${IFACE}|g" /etc/systemd/system/bmx7.service
systemctl daemon-reload
add_wifi_interface $IFACE $WIFI_SSID ad-hoc $CHANNEL
avahi-autoipd --force-bind --daemonize --wait $IFACE
# NOTE: Don't connect the secondary wifi device. hostapd will handle that by itself
@ -367,6 +226,10 @@ function start {
ifconfig $EIFACE 0.0.0.0
ifconfig $EIFACE up promisc
echo $'End of ethernet bridge'
sed -i "s|ExecStart=.*|ExecStart=/usr/sbin/bmx6 dev=${IFACE} dev=${EIFACE}|g" /etc/systemd/system/bmx6.service
sed -i "s|ExecStart=.*|ExecStart=/usr/sbin/bmx7 dev=${IFACE} dev=${EIFACE}|g" /etc/systemd/system/bmx7.service
systemctl daemon-reload
else
echo $"$EIFACE is not connected"
fi
@ -374,145 +237,34 @@ function start {
ifconfig $BRIDGE up
dhclient $BRIDGE
if [ $secondary_wifi_available ]; then
sed -i 's|#DAEMON_CONF=.*|DAEMON_CONF="/etc/hostapd/hostapd.conf"|g' /etc/default/hostapd
enable_mesh_seconary_wifi
mesh_hotspot_address=$(mesh_hotspot_ip_address)
if [[ "$mesh_hotspot_address" == *'.'* ]]; then
echo "interface=${IFACE_SECONDARY}" > /etc/hostapd/hostapd.conf
echo "bridge=${BRIDGE}" >> /etc/hostapd/hostapd.conf
echo 'driver=nl80211' >> /etc/hostapd/hostapd.conf
echo "country_code=UK" >> /etc/hostapd/hostapd.conf
echo "ssid=${WIFI_SSID}-${mesh_hotspot_address}" >> /etc/hostapd/hostapd.conf
echo 'hw_mode=g' >> /etc/hostapd/hostapd.conf
echo "channel=${HOTSPOT_CHANNEL}" >> /etc/hostapd/hostapd.conf
echo 'wpa=2' >> /etc/hostapd/hostapd.conf
echo "wpa_passphrase=$HOTSPOT_PASSPHRASE" >> /etc/hostapd/hostapd.conf
echo 'wpa_key_mgmt=WPA-PSK' >> /etc/hostapd/hostapd.conf
echo 'wpa_pairwise=TKIP' >> /etc/hostapd/hostapd.conf
echo 'rsn_pairwise=CCMP' >> /etc/hostapd/hostapd.conf
echo 'auth_algs=1' >> /etc/hostapd/hostapd.conf
echo 'macaddr_acl=0' >> /etc/hostapd/hostapd.conf
enable_mesh_firewall
sed -i "s|#interface=.*|interface=${IFACE_SECONDARY}|g" /etc/dnsmasq.conf
sed -i "s|interface=.*|interface=${IFACE_SECONDARY}|g" /etc/dnsmasq.conf
sed -i "s|listen-address=.*|listen-address=127.0.0.1,$mesh_hotspot_address|g" /etc/dnsmasq.conf
sed -i 's|#listen-address|listen-address|g' /etc/dnsmasq.conf
systemctl enable dnsmasq
systemctl restart dnsmasq
enable_mesh_scuttlebot
enable_mesh_tor
systemctl enable hostapd
systemctl restart hostapd
mesh_create_app_downloads_page
else
secondary_wifi_available=
echo $'WARNING: No IP address could be obtained for the hotspot'
fi
sed -i "s|server_name .*|server_name ${HOSTNAME}.local;|g" /etc/nginx/sites-available/git_ssb
systemctl restart nginx
if [ ! -f $MESH_DEFAULT_PROTOCOL ]; then
echo 'bmx6' > $MESH_DEFAULT_PROTOCOL
fi
if [ ! $secondary_wifi_available ]; then
systemctl stop hostapd
systemctl disable hostapd
# Recreate the cryptpad symlink
if [ -f /etc/nginx/sites-available/cryptpad ]; then
if [ -L /etc/nginx/sites-enabled/cryptpad ]; then
rm /etc/nginx/sites-enabled/default
fi
systemctl enable cryptpad
systemctl start cryptpad
if [ ! -L /etc/nginx/sites-enabled/cryptpad ]; then
ln -s /etc/nginx/sites-available/cryptpad /etc/nginx/sites-enabled/cryptpad
systemctl restart nginx
fi
fi
if [ -f /home/fbone/.cryptpad.desktop ]; then
mv /home/fbone/.cryptpad.desktop /home/fbone/Desktop/cryptpad.desktop
fi
if grep -q "bmx6" $MESH_DEFAULT_PROTOCOL; then
systemctl enable bmx6
systemctl restart bmx6
else
systemctl enable bmx7
systemctl restart bmx7
fi
iptables -A INPUT -p icmp --icmp-type echo-request -j ACCEPT
iptables -A OUTPUT -p icmp --icmp-type echo-reply -j ACCEPT
iptables -A INPUT -p tcp --dport $TRACKER_PORT -j ACCEPT
iptables -A INPUT -p udp --dport $TRACKER_PORT -j ACCEPT
iptables -A INPUT -p tcp --dport 80 -j ACCEPT
iptables -A INPUT -p udp --dport 80 -j ACCEPT
iptables -A INPUT -p tcp --dport 548 -j ACCEPT
iptables -A INPUT -p udp --dport 548 -j ACCEPT
iptables -A INPUT -p tcp --dport 5353 -j ACCEPT
iptables -A INPUT -p udp --dport 5353 -j ACCEPT
iptables -A INPUT -p tcp --dport 5354 -j ACCEPT
iptables -A INPUT -p udp --dport 5354 -j ACCEPT
iptables -A INPUT -p tcp --dport $ZERONET_PORT -j ACCEPT
iptables -A INPUT -p udp --dport $ZERONET_PORT -j ACCEPT
iptables -A INPUT -p tcp --dport $IPFS_PORT -j ACCEPT
iptables -A INPUT -p tcp --dport $TOX_PORT -j ACCEPT
iptables -A INPUT -p udp --dport $TOX_PORT -j ACCEPT
iptables -A INPUT -p tcp --dport $LIBREVAULT_PORT -j ACCEPT
iptables -A INPUT -p udp --dport $LIBREVAULT_PORT -j ACCEPT
iptables -A INPUT -p tcp --dport $TAHOELAFS_PORT -j ACCEPT
# SSB/Scuttlebot/Patchwork
iptables -A INPUT -p tcp --dport $GIT_SSB_PORT -j ACCEPT
iptables -A INPUT -p udp --dport 8008 -j ACCEPT
iptables -A INPUT -p tcp --dport 8008 -j ACCEPT
iptables -A INPUT -p udp --dport 8010 -j ACCEPT
iptables -A INPUT -p tcp --dport 8010 -j ACCEPT
# vpn over the internet
# Note: the vpn firewall settings are needed in order for Patchwork
# to discover local peers
iptables -A INPUT -p tcp --dport 653 -j ACCEPT
iptables -A INPUT -p udp --dport 653 -j ACCEPT
iptables -A INPUT -i ${EIFACE} -m state --state NEW -p tcp --dport 1194 -j ACCEPT
iptables -A INPUT -i tun+ -j ACCEPT
iptables -A FORWARD -i tun+ -j ACCEPT
iptables -A FORWARD -i tun+ -o ${EIFACE} -m state --state RELATED,ESTABLISHED -j ACCEPT
iptables -A FORWARD -i ${EIFACE} -o tun+ -m state --state RELATED,ESTABLISHED -j ACCEPT
iptables -t nat -A POSTROUTING -s 10.8.0.0/24 -o ${EIFACE} -j MASQUERADE
iptables -A OUTPUT -o tun+ -j ACCEPT
echo 1 > /proc/sys/net/ipv4/ip_forward
sed -i 's|# net.ipv4.ip_forward|net.ipv4.ip_forward|g' /etc/sysctl.conf
sed -i 's|#net.ipv4.ip_forward|net.ipv4.ip_forward|g' /etc/sysctl.conf
sed -i 's|net.ipv4.ip_forward.*|net.ipv4.ip_forward=1|g' /etc/sysctl.conf
systemctl restart avahi-daemon
if [ -f /etc/scuttlebot/.ssb/config ]; then
ethernet_connected=$(cat /sys/class/net/eth0/carrier)
if [[ "$ethernet_connected" != "0" ]]; then
sed -i "s|\"host\": .*|\"host\": \"$(get_ipv4_wlan)\",|g" /etc/scuttlebot/.ssb/config
systemctl restart scuttlebot
else
if [ ! -f /etc/nginx/sites-available/git_ssb ]; then
systemctl stop scuttlebot
else
systemctl restart scuttlebot
fi
fi
fi
# if we have an ethernet connection to an internet router then create
# an onion address for this peer
if [[ "$ethernet_connected" != "0" ]]; then
systemctl enable tor
systemctl start tor
HIDDEN_SERVICE_PATH=/var/lib/tor/hidden_service_
if [ ! -f ${HIDDEN_SERVICE_PATH}mesh/hostname ]; then
echo "HiddenServiceDir ${HIDDEN_SERVICE_PATH}mesh/" >> /etc/tor/torrc
echo "HiddenServicePort 653 127.0.0.1:653" >> /etc/tor/torrc
systemctl restart tor
fi
else
systemctl stop tor
systemctl disable tor
fi
sed -i "s|\"host\":.*|\"host\": \"${HOSTNAME}.local\",|g" /etc/scuttlebot/.ssb/config
sed -i "s|server_name .*|server_name ${HOSTNAME}.local;|g" /etc/nginx/sites-available/git_ssb
systemctl restart scuttlebot
systemctl restart nginx
verify
echo "$(cat $MESH_DEFAULT_PROTOCOL)" > $MESH_CURRENT_PROTOCOL
}
function monitor {

87
src/freedombone-mesh-install
View File

@ -92,19 +92,19 @@ function show_help {
}
function mesh_avahi {
$CHROOT_PREFIX apt-get -yq install avahi-utils avahi-autoipd avahi-dnsconfd
$CHROOT_PREFIX apt-get -yq install avahi-utils avahi-dnsconfd
decarray=( 1 2 3 4 5 6 7 8 9 0 )
PEER_ID=${decarray[$RANDOM%10]}${decarray[$RANDOM%10]}${decarray[$RANDOM%10]}${decarray[$RANDOM%10]}${decarray[$RANDOM%10]}${decarray[$RANDOM%10]}${decarray[$RANDOM%10]}${decarray[$RANDOM%10]}
sed -i "s|#host-name=.*|host-name=P$PEER_ID|g" $rootdir/etc/avahi/avahi-daemon.conf
if [ ! -d $rootdir/etc/avahi/services ]; then
mkdir -p $rootdir/etc/avahi/services
mkdir -p $rootdir/etc/avahi/services
fi
# remove an avahi service which isn't used
if [ -f $rootdir/etc/avahi/services/udisks.service ]; then
rm $rootdir/etc/avahi/services/udisks.service
rm $rootdir/etc/avahi/services/udisks.service
fi
# Add an ssh service
@ -143,15 +143,15 @@ function install_batman {
$CHROOT_PREFIX apt-get -yq install wireless-tools rfkill
if ! grep -q "batman_adv" $rootdir/etc/modules; then
echo 'batman_adv' >> $rootdir/etc/modules
echo 'batman_adv' >> $rootdir/etc/modules
fi
BATMAN_SCRIPT=$rootdir/var/lib/batman
if [ -f /usr/local/bin/${PROJECT_NAME}-mesh-batman ]; then
cp /usr/local/bin/${PROJECT_NAME}-mesh-batman $BATMAN_SCRIPT
cp /usr/local/bin/${PROJECT_NAME}-mesh-batman $BATMAN_SCRIPT
else
cp /usr/bin/${PROJECT_NAME}-mesh-batman $BATMAN_SCRIPT
cp /usr/bin/${PROJECT_NAME}-mesh-batman $BATMAN_SCRIPT
fi
BATMAN_DAEMON=$rootdir/etc/systemd/system/batman.service
@ -191,28 +191,43 @@ function mesh_firewall {
echo 'iptables -P INPUT DROP' >> $MESH_FIREWALL_SCRIPT
echo 'ip6tables -P INPUT DROP' >> $MESH_FIREWALL_SCRIPT
echo 'iptables -A INPUT -i lo -j ACCEPT' >> $MESH_FIREWALL_SCRIPT
echo 'ip6tables -A INPUT -i lo -j ACCEPT' >> $MESH_FIREWALL_SCRIPT
echo 'iptables -A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT' >> $MESH_FIREWALL_SCRIPT
echo 'ip6tables -A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT' >> $MESH_FIREWALL_SCRIPT
echo '' >> $MESH_FIREWALL_SCRIPT
echo '# Make sure incoming tcp connections are SYN packets' >> $MESH_FIREWALL_SCRIPT
echo 'iptables -A INPUT -p tcp ! --syn -m state --state NEW -j DROP' >> $MESH_FIREWALL_SCRIPT
echo 'ip6tables -A INPUT -p tcp ! --syn -m state --state NEW -j DROP' >> $MESH_FIREWALL_SCRIPT
echo '' >> $MESH_FIREWALL_SCRIPT
echo '# Drop packets with incoming fragments' >> $MESH_FIREWALL_SCRIPT
echo 'iptables -A INPUT -f -j DROP' >> $MESH_FIREWALL_SCRIPT
echo 'ip6tables -A INPUT -f -j DROP' >> $MESH_FIREWALL_SCRIPT
echo '' >> $MESH_FIREWALL_SCRIPT
echo '# Drop bogons' >> $MESH_FIREWALL_SCRIPT
echo 'iptables -A INPUT -p tcp --tcp-flags ALL ALL -j DROP' >> $MESH_FIREWALL_SCRIPT
echo 'ip6tables -A INPUT -p tcp --tcp-flags ALL ALL -j DROP' >> $MESH_FIREWALL_SCRIPT
echo 'iptables -A INPUT -p tcp --tcp-flags ALL FIN,PSH,URG -j DROP' >> $MESH_FIREWALL_SCRIPT
echo 'ip6tables -A INPUT -p tcp --tcp-flags ALL FIN,PSH,URG -j DROP' >> $MESH_FIREWALL_SCRIPT
echo 'iptables -A INPUT -p tcp --tcp-flags ALL SYN,RST,ACK,FIN,URG -j DROP' >> $MESH_FIREWALL_SCRIPT
echo 'ip6tables -A INPUT -p tcp --tcp-flags ALL SYN,RST,ACK,FIN,URG -j DROP' >> $MESH_FIREWALL_SCRIPT
echo '' >> $MESH_FIREWALL_SCRIPT
echo '# Incoming malformed NULL packets:' >> $MESH_FIREWALL_SCRIPT
echo 'iptables -A INPUT -p tcp --tcp-flags ALL NONE -j DROP' >> $MESH_FIREWALL_SCRIPT
echo 'ip6tables -A INPUT -p tcp --tcp-flags ALL NONE -j DROP' >> $MESH_FIREWALL_SCRIPT
echo '' >> $MESH_FIREWALL_SCRIPT
echo "iptables -A INPUT -p tcp --dport $TOX_PORT -j ACCEPT" >> $MESH_FIREWALL_SCRIPT
echo "iptables -A INPUT -i $WIFI_INTERFACE -p udp --dport $ZERONET_PORT -j ACCEPT" >> $MESH_FIREWALL_SCRIPT
echo "iptables -A INPUT -i $WIFI_INTERFACE -p tcp --dport $ZERONET_PORT -j ACCEPT" >> $MESH_FIREWALL_SCRIPT
echo "iptables -A INPUT -i $WIFI_INTERFACE -p udp --dport $TRACKER_PORT -j ACCEPT" >> $MESH_FIREWALL_SCRIPT
echo "iptables -A INPUT -i $WIFI_INTERFACE -p tcp --dport $TRACKER_PORT -j ACCEPT" >> $MESH_FIREWALL_SCRIPT
echo "iptables -A INPUT -i $WIFI_INTERFACE -p udp --dport 1900 -j ACCEPT" >> $MESH_FIREWALL_SCRIPT
echo "ip6tables -A INPUT -p tcp --dport $TOX_PORT -j ACCEPT" >> $MESH_FIREWALL_SCRIPT
echo "iptables -A INPUT -p udp --dport $ZERONET_PORT -j ACCEPT" >> $MESH_FIREWALL_SCRIPT
echo "ip6tables -A INPUT -p udp --dport $ZERONET_PORT -j ACCEPT" >> $MESH_FIREWALL_SCRIPT
echo "iptables -A INPUT -p tcp --dport $ZERONET_PORT -j ACCEPT" >> $MESH_FIREWALL_SCRIPT
echo "ip6tables -A INPUT -p tcp --dport $ZERONET_PORT -j ACCEPT" >> $MESH_FIREWALL_SCRIPT
echo "iptables -A INPUT -p udp --dport $TRACKER_PORT -j ACCEPT" >> $MESH_FIREWALL_SCRIPT
echo "ip6tables -A INPUT -p udp --dport $TRACKER_PORT -j ACCEPT" >> $MESH_FIREWALL_SCRIPT
echo "iptables -A INPUT -p tcp --dport $TRACKER_PORT -j ACCEPT" >> $MESH_FIREWALL_SCRIPT
echo "ip6tables -A INPUT -p tcp --dport $TRACKER_PORT -j ACCEPT" >> $MESH_FIREWALL_SCRIPT
echo "iptables -A INPUT -p udp --dport 1900 -j ACCEPT" >> $MESH_FIREWALL_SCRIPT
echo "ip6tables -A INPUT -p udp --dport 1900 -j ACCEPT" >> $MESH_FIREWALL_SCRIPT
chmod +x $MESH_FIREWALL_SCRIPT
echo '[Unit]' > $FIREWALL_FILENAME
@ -256,29 +271,29 @@ do
key="$1"
case $key in
-h|--help)
show_help
;;
-f|--function)
shift
FN="$1"
;;
-r|--rootdir)
shift
rootdir="$1"
CHROOT_PREFIX='chroot "${rootdir}"'
;;
-w|--wifi|--interface)
shift
WIFI_INTERFACE="$1"
;;
--remove)
shift
REMOVE="$1"
;;
*)
# unknown option
;;
-h|--help)
show_help
;;
-f|--function)
shift
FN="$1"
;;
-r|--rootdir)
shift
rootdir="$1"
CHROOT_PREFIX='chroot "${rootdir}"'
;;
-w|--wifi|--interface)
shift
WIFI_INTERFACE="$1"
;;
--remove)
shift
REMOVE="$1"
;;
*)
# unknown option
;;
esac
shift
@ -292,9 +307,9 @@ if [[ $FN == 'firewall' ]]; then
fi
if [[ $FN == 'batman' ]]; then
if [[ $REMOVE != 'yes' ]]; then
install_batman
install_batman
else
install_batman_remove
install_batman_remove
fi
fi
if [[ $FN == 'qtox' ]]; then

4
src/freedombone-mesh-reset
View File

@ -34,7 +34,9 @@ export TEXTDOMAINDIR="/usr/share/locale"
MESH_INSTALL_COMPLETED=/root/.mesh_setup_completed
if ! zenity --question --title=$'New Identity' --text=$"Do you want to reset your identity? This will reset ALL data for this peer, and you will not be able to recover it." --ok-label=No --cancel-label=Yes --width=300; then
sudo batman stop
sudo pkill qtox
sudo pkill firefox
sudo pkill iceweasel
@ -42,7 +44,9 @@ if ! zenity --question --title=$'New Identity' --text=$"Do you want to reset you
sudo pkill patchwork
sudo rm -f $MESH_INSTALL_COMPLETED
sudo ${PROJECT_NAME}-image-mesh $USER new
sudo batman start
if [ -f $HOME/mesh-desktop.sh ]; then
$HOME/mesh-desktop.sh
else

20
src/freedombone-utils-avahi
View File

@ -55,11 +55,29 @@ function create_avahi_service {
}
function mesh_avahi {
chroot "$rootdir" apt-get -yq install avahi-utils avahi-autoipd avahi-dnsconfd
chroot "$rootdir" apt-get -yq install avahi-utils avahi-dnsconfd
decarray=( 1 2 3 4 5 6 7 8 9 0 )
PEER_ID=${decarray[$RANDOM%10]}${decarray[$RANDOM%10]}${decarray[$RANDOM%10]}${decarray[$RANDOM%10]}${decarray[$RANDOM%10]}${decarray[$RANDOM%10]}${decarray[$RANDOM%10]}${decarray[$RANDOM%10]}
sed -i "s|#host-name=.*|host-name=P$PEER_ID|g" $rootdir/etc/avahi/avahi-daemon.conf
sed -i "s|use-ipv4=.*|use-ipv4=no|g" $rootdir/etc/avahi/avahi-daemon.conf
sed -i "s|use-ipv6=.*|use-ipv6=yes|g" $rootdir/etc/avahi/avahi-daemon.conf
sed -i "s|#allow-interfaces=.*|allow-interfaces=wlan0, wlan1, wlan2, wlan3, wlan4, wlan5|g" $rootdir/etc/avahi/avahi-daemon.conf
sed -i "s|allow-interfaces=.*|allow-interfaces=wlan0, wlan1, wlan2, wlan3, wlan4, wlan5|g" $rootdir/etc/avahi/avahi-daemon.conf
sed -i "s|#deny-interfaces=.*|deny-interfaces=eth0, eth1, eth2, eth3, eth4, eth5|g" $rootdir/etc/avahi/avahi-daemon.conf
sed -i "s|deny-interfaces=.*|deny-interfaces=eth0, eth1, eth2, eth3, eth4, eth5|g" $rootdir/etc/avahi/avahi-daemon.conf
sed -i "s|#disallow-other-stacks=.*|disallow-other-stacks=yes|g" $rootdir/etc/avahi/avahi-daemon.conf
sed -i "s|disallow-other-stacks=.*|disallow-other-stacks=yes|g" $rootdir/etc/avahi/avahi-daemon.conf
sed -i "s|#publish_addresses=.*|publish_addresses=yes|g" $rootdir/etc/avahi/avahi-daemon.conf
sed -i "s|publish_addresses=.*|publish_addresses=yes|g" $rootdir/etc/avahi/avahi-daemon.conf
sed -i "s|#publish-hinfo=.*|publish-hinfo=no|g" $rootdir/etc/avahi/avahi-daemon.conf
sed -i "s|publish-hinfo=.*|publish-hinfo=no|g" $rootdir/etc/avahi/avahi-daemon.conf
sed -i "s|#publish-workstation=.*|publish-workstation=no|g" $rootdir/etc/avahi/avahi-daemon.conf
sed -i "s|publish-workstation=.*|publish-workstation=no|g" $rootdir/etc/avahi/avahi-daemon.conf
sed -i "s|#publish-domain=.*|publish-domain=yes|g" $rootdir/etc/avahi/avahi-daemon.conf
sed -i "s|publish-domain=.*|publish-domain=yes|g" $rootdir/etc/avahi/avahi-daemon.conf
sed -i "s|#publish-a-on-ipv6=.*|publish-a-on-ipv6=yes|g" $rootdir/etc/avahi/avahi-daemon.conf
sed -i "s|publish-a-on-ipv6=.*|publish-a-on-ipv6=yes|g" $rootdir/etc/avahi/avahi-daemon.conf
if [ ! -d $rootdir/etc/avahi/services ]; then
mkdir -p $rootdir/etc/avahi/services

24
src/freedombone-utils-firewall
View File

@ -350,28 +350,42 @@ function mesh_firewall {
echo 'iptables -P INPUT DROP' >> $MESH_FIREWALL_SCRIPT
echo 'ip6tables -P INPUT DROP' >> $MESH_FIREWALL_SCRIPT
echo 'iptables -A INPUT -i lo -j ACCEPT' >> $MESH_FIREWALL_SCRIPT
echo 'ip6tables -A INPUT -i lo -j ACCEPT' >> $MESH_FIREWALL_SCRIPT
echo 'iptables -A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT' >> $MESH_FIREWALL_SCRIPT
echo 'ip6tables -A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT' >> $MESH_FIREWALL_SCRIPT
echo '' >> $MESH_FIREWALL_SCRIPT
echo '# Make sure incoming tcp connections are SYN packets' >> $MESH_FIREWALL_SCRIPT
echo 'iptables -A INPUT -p tcp ! --syn -m state --state NEW -j DROP' >> $MESH_FIREWALL_SCRIPT
echo 'ip6tables -A INPUT -p tcp ! --syn -m state --state NEW -j DROP' >> $MESH_FIREWALL_SCRIPT
echo '' >> $MESH_FIREWALL_SCRIPT
echo '# Drop packets with incoming fragments' >> $MESH_FIREWALL_SCRIPT
echo 'iptables -A INPUT -f -j DROP' >> $MESH_FIREWALL_SCRIPT
echo 'ip6tables -A INPUT -f -j DROP' >> $MESH_FIREWALL_SCRIPT
echo '' >> $MESH_FIREWALL_SCRIPT
echo '# Drop bogons' >> $MESH_FIREWALL_SCRIPT
echo 'iptables -A INPUT -p tcp --tcp-flags ALL ALL -j DROP' >> $MESH_FIREWALL_SCRIPT
echo 'ip6tables -A INPUT -p tcp --tcp-flags ALL ALL -j DROP' >> $MESH_FIREWALL_SCRIPT
echo 'iptables -A INPUT -p tcp --tcp-flags ALL FIN,PSH,URG -j DROP' >> $MESH_FIREWALL_SCRIPT
echo 'ip6tables -A INPUT -p tcp --tcp-flags ALL FIN,PSH,URG -j DROP' >> $MESH_FIREWALL_SCRIPT
echo 'iptables -A INPUT -p tcp --tcp-flags ALL SYN,RST,ACK,FIN,URG -j DROP' >> $MESH_FIREWALL_SCRIPT
echo 'ip6tables -A INPUT -p tcp --tcp-flags ALL SYN,RST,ACK,FIN,URG -j DROP' >> $MESH_FIREWALL_SCRIPT
echo '' >> $MESH_FIREWALL_SCRIPT
echo '# Incoming malformed NULL packets:' >> $MESH_FIREWALL_SCRIPT
echo 'iptables -A INPUT -p tcp --tcp-flags ALL NONE -j DROP' >> $MESH_FIREWALL_SCRIPT
echo 'ip6tables -A INPUT -p tcp --tcp-flags ALL NONE -j DROP' >> $MESH_FIREWALL_SCRIPT
echo '' >> $MESH_FIREWALL_SCRIPT
echo "iptables -A INPUT -p tcp --dport $TOX_PORT -j ACCEPT" >> $MESH_FIREWALL_SCRIPT
echo "iptables -A INPUT -i $WIFI_INTERFACE -p udp --dport $ZERONET_PORT -j ACCEPT" >> $MESH_FIREWALL_SCRIPT
echo "iptables -A INPUT -i $WIFI_INTERFACE -p tcp --dport $ZERONET_PORT -j ACCEPT" >> $MESH_FIREWALL_SCRIPT
echo "iptables -A INPUT -i $WIFI_INTERFACE -p udp --dport $TRACKER_PORT -j ACCEPT" >> $MESH_FIREWALL_SCRIPT
echo "iptables -A INPUT -i $WIFI_INTERFACE -p tcp --dport $TRACKER_PORT -j ACCEPT" >> $MESH_FIREWALL_SCRIPT
echo "iptables -A INPUT -i $WIFI_INTERFACE -p udp --dport 1900 -j ACCEPT" >> $MESH_FIREWALL_SCRIPT
echo "ip6tables -A INPUT -p tcp --dport $TOX_PORT -j ACCEPT" >> $MESH_FIREWALL_SCRIPT
echo "iptables -A INPUT -p udp --dport $ZERONET_PORT -j ACCEPT" >> $MESH_FIREWALL_SCRIPT
echo "ip6tables -A INPUT -p udp --dport $ZERONET_PORT -j ACCEPT" >> $MESH_FIREWALL_SCRIPT
echo "iptables -A INPUT -p tcp --dport $ZERONET_PORT -j ACCEPT" >> $MESH_FIREWALL_SCRIPT
echo "ip6tables -A INPUT -p tcp --dport $ZERONET_PORT -j ACCEPT" >> $MESH_FIREWALL_SCRIPT
echo "iptables -A INPUT -p udp --dport $TRACKER_PORT -j ACCEPT" >> $MESH_FIREWALL_SCRIPT
echo "ip6tables -A INPUT -p udp --dport $TRACKER_PORT -j ACCEPT" >> $MESH_FIREWALL_SCRIPT
echo "iptables -A INPUT -p tcp --dport $TRACKER_PORT -j ACCEPT" >> $MESH_FIREWALL_SCRIPT
echo "ip6tables -A INPUT -p tcp --dport $TRACKER_PORT -j ACCEPT" >> $MESH_FIREWALL_SCRIPT
echo "iptables -A INPUT -p udp --dport 1900 -j ACCEPT" >> $MESH_FIREWALL_SCRIPT
echo "ip6tables -A INPUT -p udp --dport 1900 -j ACCEPT" >> $MESH_FIREWALL_SCRIPT
chmod +x $MESH_FIREWALL_SCRIPT
echo '[Unit]' > $FIREWALL_FILENAME

2
src/freedombone-utils-gnusocialtools
View File

@ -33,7 +33,7 @@ QVITTER_THEME_REPO="https://github.com/bashrc/Qvitter"
QVITTER_THEME_COMMIT='c6f09bda4e45be4290cf7409fa5efb4420538032'
PLEROMA_FRONTEND_REPO="https://gitgud.io/lambadalambda/pleroma-fe"
PLEROMA_FRONTEND_COMMIT='cbe652f2d94d81fa54a37378b7ff014c4391ca5e'
PLEROMA_FRONTEND_COMMIT='3b3bbaab822b553f514a62d20d679acc5ce4414a'
SHARINGS_REPO="http://github.com/bashrc/Sharings"
SHARINGS_COMMIT='0d30fe7d153c7ab44e8459970b8f2b5dec06e43c'

418
src/freedombone-utils-mesh Executable file
View File

@ -0,0 +1,418 @@
#!/bin/bash
#
# .---. . .
# | | |
# |--- .--. .-. .-. .-.| .-. .--.--. |.-. .-. .--. .-.
# | | (.-' (.-' ( | ( )| | | | )( )| | (.-'
# ' ' --' --' -' - -' ' ' -' -' -' ' - --'
#
# Freedom in the Cloud
#
# mesh utilities used by the batman and bmx commands
#
# License
# =======
#
# Copyright (C) 2018 Bob Mottram <bob@freedombone.net>
#
# This program is free software: you can redistribute it and/or modify
# it under the terms of the GNU Affero General Public License as published by
# the Free Software Foundation, either version 3 of the License, or
# (at your option) any later version.
#
# This program is distributed in the hope that it will be useful,
# but WITHOUT ANY WARRANTY; without even the implied warranty of
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
# GNU Affero General Public License for more details.
#
# You should have received a copy of the GNU Affero General Public License
# along with this program. If not, see <http://www.gnu.org/licenses/>.
# File which contains the current protocol in use
MESH_CURRENT_PROTOCOL=/root/.mesh_protocol
MESH_DEFAULT_PROTOCOL=/root/.mesh_protocol_default
function mesh_protocol_init {
if [[ $1 == "start" ]]; then
# install avahi
sed -i "s|#host-name=.*|host-name=$(hostname)|g" /etc/avahi/avahi-daemon.conf
sed -i "s|host-name=.*|host-name=$(hostname)|g" /etc/avahi/avahi-daemon.conf
sed -i "s|use-ipv4=.*|use-ipv4=no|g" /etc/avahi/avahi-daemon.conf
sed -i "s|use-ipv6=.*|use-ipv6=yes|g" /etc/avahi/avahi-daemon.conf
sed -i "s|#disallow-other-stacks=.*|disallow-other-stacks=yes|g" /etc/avahi/avahi-daemon.conf
sed -i "s|hosts:.*|hosts: files mdns4_minimal dns mdns4 mdns|g" /etc/nsswitch.conf
fi
# Mesh definition
WIFI_SSID='mesh'
if [ -f $COMPLETION_FILE ]; then
if grep -q "WIFI_SSID:" $COMPLETION_FILE; then
WIFI_SSID=$(cat $COMPLETION_FILE | grep "WIFI_SSID:" | awk -F ':' '{print $2}')
fi
sed -i "s|WIFI_SSID:.*|WIFI_SSID:${WIFI_SSID}|g" $COMPLETION_FILE
fi
CELLID='any'
CHANNEL=2
HOTSPOT_CHANNEL=6
if [ -f $COMPLETION_FILE ]; then
if grep -q "Wifi channel:" $COMPLETION_FILE; then
CHANNEL=$(cat $COMPLETION_FILE | grep "Wifi channel:" | awk -F ':' '{print $2}')
fi
sed -i "s|Wifi channel:.*|Wifi channel:${CHANNEL}|g" $COMPLETION_FILE
fi
ZERONET_PORT=15441
IPFS_PORT=4001
TOX_PORT=33445
TRACKER_PORT=6969
LIBREVAULT_PORT=42345
TAHOELAFS_PORT=50213
GIT_SSB_PORT=7718
NGINX_GIT_SSB_PORT=7719
# Ethernet bridge definition (bridged to bat0)
BRIDGE=br-mesh
BRIDGE_HOTSPOT=br-hotspot
IFACE=
IFACE_SECONDARY=
EIFACE=eth0
WLAN_ADAPTORS=$(count_wlan)
if [ $WLAN_ADAPTORS -eq 0 ]; then
echo $'No wlan adaptors found'
exit 0
fi
}
function get_ipv4_wlan {
echo $(ip -o -f inet addr show dev "$IFACE" | awk '{print $4}' | awk 'END {print}' | awk -F '/' '{print $1}')
}
function mesh_hotspot_ip_address {
echo $(ip -o -f inet addr show dev "${BRIDGE}" | awk '{print $4}' | awk 'END {print}' | awk -F '/' '{print $1}')
}
function global_rate_limit {
if ! grep -q "tcp_challenge_ack_limit" /etc/sysctl.conf; then
echo 'net.ipv4.tcp_challenge_ack_limit = 999999999' >> /etc/sysctl.conf
echo 'net.ipv6.tcp_challenge_ack_limit = 999999999' >> /etc/sysctl.conf
else
sed -i 's|net.ipv4.tcp_challenge_ack_limit.*|net.ipv4.tcp_challenge_ack_limit = 999999999|g' /etc/sysctl.conf
sed -i 's|net.ipv6.tcp_challenge_ack_limit.*|net.ipv6.tcp_challenge_ack_limit = 999999999|g' /etc/sysctl.conf
fi
sysctl -p -q
}
function assign_peer_address {
for i in {1..6}; do
number=$RANDOM
let "number %= 255"
octet=$(echo "obase=16;$number" | bc)
if [ ${#octet} -lt 2 ]; then
octet="0${octet}"
fi
if [ $i -gt 1 ]; then
echo -n ":"
fi
echo -n "${octet}"
done
}
function mesh_create_app_downloads_page {
if [ ! -d /root/$PROJECT_NAME/image_build/mesh_apps ]; then
return
fi
if [ ! -d /var/www/html ]; then
return
fi
# Don't go straight to cryptpad when navigating to the peer's IP address
if [ -L /etc/nginx/sites-enabled/cryptpad ]; then
rm /etc/nginx/sites-enabled/cryptpad
ln -s /etc/nginx/sites-available/default /etc/nginx/sites-enabled/default
if [ -d /etc/cryptpad ]; then
systemctl stop cryptpad
systemctl disable cryptpad
fi
systemctl restart nginx
fi
# Don't show the cryptpad icon on the desktop
if [ -f /home/fbone/Desktop/cryptpad.desktop ]; then
mv /home/fbone/Desktop/cryptpad.desktop /home/fbone/.cryptpad.desktop
fi
cp /root/$PROJECT_NAME/website/EN/meshindex.html /var/www/html/index.html
if [ ! -f /var/www/html/ssb.apk ]; then
cp /root/$PROJECT_NAME/image_build/mesh_apps/ssb.apk /var/www/html/ssb.apk
fi
if [ ! -f /var/www/html/trifa.apk ]; then
cp /root/$PROJECT_NAME/image_build/mesh_apps/trifa.apk /var/www/html/trifa.apk
fi
if [ ! -d /var/www/html/images ]; then
mkdir /var/www/html/images
fi
if [ ! -f /var/www/html/images/logo.png ]; then
cp /root/$PROJECT_NAME/img/logo.png /var/www/html/images/logo.png
fi
if [ ! -f /var/www/html/images/ssb.png ]; then
cp /root/$PROJECT_NAME/img/icon_patchwork.png /var/www/html/images/ssb.png
fi
if [ ! -f /var/www/html/images/trifa.png ]; then
cp /root/$PROJECT_NAME/img/trifa.png /var/www/html/images/trifa.png
fi
if [ ! -f /var/www/html/freedombone.css ]; then
cp /root/$PROJECT_NAME/website/freedombone.css /var/www/html/freedombone.css
fi
chown -R www-data:www-data /var/www/html/*
}
function enable_mesh_firewall {
iptables -A INPUT -p icmp --icmp-type echo-request -j ACCEPT
iptables -A OUTPUT -p icmp --icmp-type echo-reply -j ACCEPT
iptables -A INPUT -p tcp --dport $TRACKER_PORT -j ACCEPT
iptables -A INPUT -p udp --dport $TRACKER_PORT -j ACCEPT
iptables -A INPUT -p udp --dport 6240 -j ACCEPT
iptables -A INPUT -p tcp --dport 6240 -j ACCEPT
iptables -A INPUT -p tcp --dport 80 -j ACCEPT
iptables -A INPUT -p udp --dport 80 -j ACCEPT
iptables -A INPUT -p tcp --dport 548 -j ACCEPT
iptables -A INPUT -p udp --dport 548 -j ACCEPT
iptables -A INPUT -p tcp --dport 5353 -j ACCEPT
iptables -A INPUT -p udp --dport 5353 -j ACCEPT
iptables -A INPUT -p tcp --dport 5354 -j ACCEPT
iptables -A INPUT -p udp --dport 5354 -j ACCEPT
iptables -A INPUT -p tcp --dport $ZERONET_PORT -j ACCEPT
iptables -A INPUT -p udp --dport $ZERONET_PORT -j ACCEPT
iptables -A INPUT -p tcp --dport $IPFS_PORT -j ACCEPT
iptables -A INPUT -p tcp --dport $TOX_PORT -j ACCEPT
iptables -A INPUT -p udp --dport $TOX_PORT -j ACCEPT
iptables -A INPUT -p tcp --dport $LIBREVAULT_PORT -j ACCEPT
iptables -A INPUT -p udp --dport $LIBREVAULT_PORT -j ACCEPT
iptables -A INPUT -p tcp --dport $TAHOELAFS_PORT -j ACCEPT
# SSB/Scuttlebot/Patchwork
iptables -A INPUT -p tcp --dport $GIT_SSB_PORT -j ACCEPT
iptables -A INPUT -p udp --dport 8008 -j ACCEPT
iptables -A INPUT -p tcp --dport 8008 -j ACCEPT
iptables -A INPUT -p udp --dport 8010 -j ACCEPT
iptables -A INPUT -p tcp --dport 8010 -j ACCEPT
ip6tables -A INPUT -p ipv6-icmp -j ACCEPT
ip6tables -A OUTPUT -p ipv6-icmp -j ACCEPT
ip6tables -A INPUT -p tcp --dport $TRACKER_PORT -j ACCEPT
ip6tables -A INPUT -p udp --dport $TRACKER_PORT -j ACCEPT
ip6tables -A INPUT -p udp --dport 6240 -j ACCEPT
ip6tables -A INPUT -p tcp --dport 6240 -j ACCEPT
ip6tables -A INPUT -p tcp --dport 80 -j ACCEPT
ip6tables -A INPUT -p udp --dport 80 -j ACCEPT
ip6tables -A INPUT -p tcp --dport 548 -j ACCEPT
ip6tables -A INPUT -p udp --dport 548 -j ACCEPT
ip6tables -A INPUT -p tcp --dport 5353 -j ACCEPT
ip6tables -A INPUT -p udp --dport 5353 -j ACCEPT
ip6tables -A INPUT -p tcp --dport 5354 -j ACCEPT
ip6tables -A INPUT -p udp --dport 5354 -j ACCEPT
ip6tables -A INPUT -p tcp --dport $ZERONET_PORT -j ACCEPT
ip6tables -A INPUT -p udp --dport $ZERONET_PORT -j ACCEPT
ip6tables -A INPUT -p tcp --dport $IPFS_PORT -j ACCEPT
ip6tables -A INPUT -p tcp --dport $TOX_PORT -j ACCEPT
ip6tables -A INPUT -p udp --dport $TOX_PORT -j ACCEPT
ip6tables -A INPUT -p tcp --dport $LIBREVAULT_PORT -j ACCEPT
ip6tables -A INPUT -p udp --dport $LIBREVAULT_PORT -j ACCEPT
ip6tables -A INPUT -p tcp --dport $TAHOELAFS_PORT -j ACCEPT
# SSB/Scuttlebot/Patchwork
ip6tables -A INPUT -p tcp --dport $GIT_SSB_PORT -j ACCEPT
ip6tables -A INPUT -p udp --dport 8008 -j ACCEPT
ip6tables -A INPUT -p tcp --dport 8008 -j ACCEPT
ip6tables -A INPUT -p udp --dport 8010 -j ACCEPT
ip6tables -A INPUT -p tcp --dport 8010 -j ACCEPT
# vpn over the internet
# Note: the vpn firewall settings are needed in order for Patchwork
# to discover local peers
iptables -A INPUT -p tcp --dport 653 -j ACCEPT
iptables -A INPUT -p udp --dport 653 -j ACCEPT
iptables -A INPUT -i ${EIFACE} -m state --state NEW -p tcp --dport 1194 -j ACCEPT
iptables -A INPUT -i tun+ -j ACCEPT
iptables -A FORWARD -i tun+ -j ACCEPT
iptables -A FORWARD -i tun+ -o ${EIFACE} -m state --state RELATED,ESTABLISHED -j ACCEPT
iptables -A FORWARD -i ${EIFACE} -o tun+ -m state --state RELATED,ESTABLISHED -j ACCEPT
iptables -t nat -A POSTROUTING -s 10.8.0.0/24 -o ${EIFACE} -j MASQUERADE
iptables -A OUTPUT -o tun+ -j ACCEPT
echo 1 > /proc/sys/net/ipv4/ip_forward
sed -i 's|# net.ipv4.ip_forward|net.ipv4.ip_forward|g' /etc/sysctl.conf
sed -i 's|#net.ipv4.ip_forward|net.ipv4.ip_forward|g' /etc/sysctl.conf
sed -i 's|net.ipv4.ip_forward.*|net.ipv4.ip_forward=1|g' /etc/sysctl.conf
}
function disable_mesh_firewall {
iptables -D INPUT -p tcp --dport $TRACKER_PORT -j ACCEPT
iptables -D INPUT -p udp --dport $TRACKER_PORT -j ACCEPT
iptables -D INPUT -p udp --dport 6240 -j ACCEPT
iptables -D INPUT -p tcp --dport 6240 -j ACCEPT
iptables -D INPUT -p tcp --dport 80 -j ACCEPT
iptables -D INPUT -p udp --dport 80 -j ACCEPT
iptables -D INPUT -p tcp --dport 548 -j ACCEPT
iptables -D INPUT -p udp --dport 548 -j ACCEPT
iptables -D INPUT -p tcp --dport 5353 -j ACCEPT
iptables -D INPUT -p udp --dport 5353 -j ACCEPT
iptables -D INPUT -p tcp --dport 5354 -j ACCEPT
iptables -D INPUT -p udp --dport 5354 -j ACCEPT
iptables -D INPUT -p tcp --dport $ZERONET_PORT -j ACCEPT
iptables -D INPUT -p udp --dport $ZERONET_PORT -j ACCEPT
iptables -D INPUT -p tcp --dport $IPFS_PORT -j ACCEPT
iptables -D INPUT -p udp --dport $IPFS_PORT -j ACCEPT
iptables -D INPUT -p tcp --dport $TOX_PORT -j ACCEPT
iptables -D INPUT -p udp --dport $TOX_PORT -j ACCEPT
iptables -D INPUT -p tcp --dport $LIBREVAULT_PORT -j ACCEPT
iptables -D INPUT -p udp --dport $LIBREVAULT_PORT -j ACCEPT
iptables -D INPUT -p tcp --dport $TAHOELAFS_PORT -j ACCEPT
# SSB/Scuttlebot/Patchwork
iptables -D INPUT -p tcp --dport $GIT_SSB_PORT -j ACCEPT
iptables -D INPUT -p udp --dport 8008 -j ACCEPT
iptables -D INPUT -p tcp --dport 8008 -j ACCEPT
iptables -D INPUT -p udp --dport 8010 -j ACCEPT
iptables -D INPUT -p tcp --dport 8010 -j ACCEPT
ip6tables -D INPUT -p tcp --dport $TRACKER_PORT -j ACCEPT
ip6tables -D INPUT -p udp --dport $TRACKER_PORT -j ACCEPT
ip6tables -D INPUT -p udp --dport 6240 -j ACCEPT
ip6tables -D INPUT -p tcp --dport 6240 -j ACCEPT
ip6tables -D INPUT -p tcp --dport 80 -j ACCEPT
ip6tables -D INPUT -p udp --dport 80 -j ACCEPT
ip6tables -D INPUT -p tcp --dport 548 -j ACCEPT
ip6tables -D INPUT -p udp --dport 548 -j ACCEPT
ip6tables -D INPUT -p tcp --dport 5353 -j ACCEPT
ip6tables -D INPUT -p udp --dport 5353 -j ACCEPT
ip6tables -D INPUT -p tcp --dport 5354 -j ACCEPT
ip6tables -D INPUT -p udp --dport 5354 -j ACCEPT
ip6tables -D INPUT -p tcp --dport $ZERONET_PORT -j ACCEPT
ip6tables -D INPUT -p udp --dport $ZERONET_PORT -j ACCEPT
ip6tables -D INPUT -p tcp --dport $IPFS_PORT -j ACCEPT
ip6tables -D INPUT -p udp --dport $IPFS_PORT -j ACCEPT
ip6tables -D INPUT -p tcp --dport $TOX_PORT -j ACCEPT
ip6tables -D INPUT -p udp --dport $TOX_PORT -j ACCEPT
ip6tables -D INPUT -p tcp --dport $LIBREVAULT_PORT -j ACCEPT
ip6tables -D INPUT -p udp --dport $LIBREVAULT_PORT -j ACCEPT
ip6tables -D INPUT -p tcp --dport $TAHOELAFS_PORT -j ACCEPT
# SSB/Scuttlebot/Patchwork
ip6tables -D INPUT -p tcp --dport $GIT_SSB_PORT -j ACCEPT
ip6tables -D INPUT -p udp --dport 8008 -j ACCEPT
ip6tables -D INPUT -p tcp --dport 8008 -j ACCEPT
ip6tables -D INPUT -p udp --dport 8010 -j ACCEPT
ip6tables -D INPUT -p tcp --dport 8010 -j ACCEPT
# vpn over the internet
iptables -D INPUT -p tcp --dport 653 -j ACCEPT
iptables -D INPUT -p udp --dport 653 -j ACCEPT
iptables -D INPUT -i ${EIFACE} -m state --state NEW -p tcp --dport 1194 -j ACCEPT
iptables -D INPUT -i tun+ -j ACCEPT
iptables -D FORWARD -i tun+ -j ACCEPT
iptables -D FORWARD -i tun+ -o ${EIFACE} -m state --state RELATED,ESTABLISHED -j ACCEPT
iptables -D FORWARD -i ${EIFACE} -o tun+ -m state --state RELATED,ESTABLISHED -j ACCEPT
iptables -t nat -D POSTROUTING -s 10.8.0.0/24 -o ${EIFACE} -j MASQUERADE
iptables -D OUTPUT -o tun+ -j ACCEPT
echo 0 > /proc/sys/net/ipv4/ip_forward
sed -i 's|net.ipv4.ip_forward=.*|net.ipv4.ip_forward=0|g' /etc/sysctl.conf
}
function enable_mesh_scuttlebot {
if [ -f /etc/scuttlebot/.ssb/config ]; then
ethernet_connected=$(cat /sys/class/net/eth0/carrier)
if [[ "$ethernet_connected" != "0" ]]; then
sed -i "s|\"host\": .*|\"host\": \"$(get_ipv4_wlan)\",|g" /etc/scuttlebot/.ssb/config
systemctl restart scuttlebot
else
if [ ! -f /etc/nginx/sites-available/git_ssb ]; then
systemctl stop scuttlebot
else
systemctl restart scuttlebot
fi
fi
fi
sed -i "s|\"host\":.*|\"host\": \"${HOSTNAME}.local\",|g" /etc/scuttlebot/.ssb/config
systemctl restart scuttlebot
}
function enable_mesh_tor {
# if we have an ethernet connection to an internet router then create
# an onion address for this peer
if [[ "$ethernet_connected" != "0" ]]; then
systemctl enable tor
systemctl start tor
HIDDEN_SERVICE_PATH=/var/lib/tor/hidden_service_
if [ ! -f ${HIDDEN_SERVICE_PATH}mesh/hostname ]; then
echo "HiddenServiceDir ${HIDDEN_SERVICE_PATH}mesh/" >> /etc/tor/torrc
echo "HiddenServicePort 653 127.0.0.1:653" >> /etc/tor/torrc
systemctl restart tor
fi
else
systemctl stop tor
systemctl disable tor
fi
}
function enable_mesh_seconary_wifi {
if [ $secondary_wifi_available ]; then
sed -i 's|#DAEMON_CONF=.*|DAEMON_CONF="/etc/hostapd/hostapd.conf"|g' /etc/default/hostapd
mesh_hotspot_address=$(mesh_hotspot_ip_address)
if [[ "$mesh_hotspot_address" == *'.'* ]]; then
echo "interface=${IFACE_SECONDARY}" > /etc/hostapd/hostapd.conf
echo "bridge=${BRIDGE}" >> /etc/hostapd/hostapd.conf
echo 'driver=nl80211' >> /etc/hostapd/hostapd.conf
echo "country_code=UK" >> /etc/hostapd/hostapd.conf
echo "ssid=${WIFI_SSID}-${mesh_hotspot_address}" >> /etc/hostapd/hostapd.conf
echo 'hw_mode=g' >> /etc/hostapd/hostapd.conf
echo "channel=${HOTSPOT_CHANNEL}" >> /etc/hostapd/hostapd.conf
echo 'wpa=2' >> /etc/hostapd/hostapd.conf
echo "wpa_passphrase=$HOTSPOT_PASSPHRASE" >> /etc/hostapd/hostapd.conf
echo 'wpa_key_mgmt=WPA-PSK' >> /etc/hostapd/hostapd.conf
echo 'wpa_pairwise=TKIP' >> /etc/hostapd/hostapd.conf
echo 'rsn_pairwise=CCMP' >> /etc/hostapd/hostapd.conf
echo 'auth_algs=1' >> /etc/hostapd/hostapd.conf
echo 'macaddr_acl=0' >> /etc/hostapd/hostapd.conf
sed -i "s|#interface=.*|interface=${IFACE_SECONDARY}|g" /etc/dnsmasq.conf
sed -i "s|interface=.*|interface=${IFACE_SECONDARY}|g" /etc/dnsmasq.conf
sed -i "s|listen-address=.*|listen-address=127.0.0.1,$mesh_hotspot_address|g" /etc/dnsmasq.conf
sed -i 's|#listen-address|listen-address|g' /etc/dnsmasq.conf
systemctl enable dnsmasq
systemctl restart dnsmasq
systemctl enable hostapd
systemctl restart hostapd
mesh_create_app_downloads_page
else
secondary_wifi_available=
echo $'WARNING: No IP address could be obtained for the hotspot'
fi
fi
if [ ! $secondary_wifi_available ]; then
systemctl stop hostapd
systemctl disable hostapd
# Recreate the cryptpad symlink
if [ -f /etc/nginx/sites-available/cryptpad ]; then
if [ -L /etc/nginx/sites-enabled/cryptpad ]; then
rm /etc/nginx/sites-enabled/default
fi
systemctl enable cryptpad
systemctl start cryptpad
if [ ! -L /etc/nginx/sites-enabled/cryptpad ]; then
ln -s /etc/nginx/sites-available/cryptpad /etc/nginx/sites-enabled/cryptpad
systemctl restart nginx
fi
fi
if [ -f /home/fbone/.cryptpad.desktop ]; then
mv /home/fbone/.cryptpad.desktop /home/fbone/Desktop/cryptpad.desktop
fi
fi
}
# NOTE: deliberately there is no "exit 0"

2
src/freedombone-utils-setup
View File

@ -263,7 +263,7 @@ function initial_setup {
apt-get -yq install cryptsetup libgfshare-bin duplicity sshpass wget avahi-daemon
apt-get -yq install avahi-utils avahi-discover connect-proxy openssh-server
apt-get -yq install sudo git dialog build-essential avahi-daemon avahi-utils
apt-get -yq install avahi-discover avahi-autoipd iptables dnsutils net-tools
apt-get -yq install avahi-discover iptables dnsutils net-tools
apt-get -yq install network-manager iputils-ping libnss-mdns libnss-myhostname
apt-get -yq install libnss-gw-name nano man ntp locales locales-all debconf
apt-get -yq install wireless-tools wpasupplicant usbutils zsh cpulimit screen

2
src/freedombone-utils-wifi
View File

@ -216,7 +216,7 @@ function update_wifi_adaptors {
IFACE_SECONDARY=
for i in $(seq 10 -1 0); do
ifdown --force wlan${i}
ifdown --force wlan${i} 2> /dev/null
done
for i in $(seq 10 -1 0); do

272
website/EN/faq.html
View File

@ -3,7 +3,7 @@
"http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" lang="en" xml:lang="en">
<head>
<!-- 2017-12-30 Sat 15:48 -->
<!-- 2018-01-11 Thu 20:57 -->
<meta http-equiv="Content-Type" content="text/html;charset=utf-8" />
<meta name="viewport" content="width=device-width, initial-scale=1" />
<title>&lrm;</title>
@ -264,139 +264,143 @@ for the JavaScript code in this tag.
</colgroup>
<tbody>
<tr>
<td class="org-left"><a href="#org416597b">What applications are supported?</a></td>
<td class="org-left"><a href="#org3b9d551">What applications are supported?</a></td>
</tr>
<tr>
<td class="org-left"><a href="#org719e222">I don't have a static IP address. Can I still install this system?</a></td>
<td class="org-left"><a href="#orgdcdffc6">I don't have a static IP address. Can I still install this system?</a></td>
</tr>
<tr>
<td class="org-left"><a href="#org997ae78">Why Freedombone and not FreedomBox?</a></td>
<td class="org-left"><a href="#org04dca90">Why Freedombone and not FreedomBox?</a></td>
</tr>
<tr>
<td class="org-left"><a href="#org0fe5706">Why not support building images for Raspberry Pi?</a></td>
<td class="org-left"><a href="#org250c12d">Why not support building images for Raspberry Pi?</a></td>
</tr>
<tr>
<td class="org-left"><a href="#orgf565b16">Why use Tor? I've heard it's used by bad people</a></td>
<td class="org-left"><a href="#orgd5c1184">Why use Tor? I've heard it's used by bad people</a></td>
</tr>
<tr>
<td class="org-left"><a href="#orgac61490">How is Tor integrated with Freedombone?</a></td>
<td class="org-left"><a href="#org9591a28">How is Tor integrated with Freedombone?</a></td>
</tr>
<tr>
<td class="org-left"><a href="#orgbe35250">Can I add a clearnet domain to an onion build?</a></td>
<td class="org-left"><a href="#orgda2b251">Can I add a clearnet domain to an onion build?</a></td>
</tr>
<tr>
<td class="org-left"><a href="#org1ea193b">Why use Github?</a></td>
<td class="org-left"><a href="#org2fcade7">Why use Github?</a></td>
</tr>
<tr>
<td class="org-left"><a href="#org7057def">Keys and emails should not be stored on servers. Why do you do that?</a></td>
<td class="org-left"><a href="#orgc5b7d76">Should I upload my GPG keys to keybase.io?</a></td>
</tr>
<tr>
<td class="org-left"><a href="#orge669711">Why can't I access my .onion site with a Tor browser?</a></td>
<td class="org-left"><a href="#org1b54432">Keys and emails should not be stored on servers. Why do you do that?</a></td>
</tr>
<tr>
<td class="org-left"><a href="#orgdb3b7a6">What is the best hardware to run this system on?</a></td>
<td class="org-left"><a href="#orgd51af85">Why can't I access my .onion site with a Tor browser?</a></td>
</tr>
<tr>
<td class="org-left"><a href="#orgf1c38a0">Can I add more users to the system?</a></td>
<td class="org-left"><a href="#org4585a4a">What is the best hardware to run this system on?</a></td>
</tr>
<tr>
<td class="org-left"><a href="#orgd32f191">Why not use Signal for mobile chat?</a></td>
<td class="org-left"><a href="#org12ce8ec">Can I add more users to the system?</a></td>
</tr>
<tr>
<td class="org-left"><a href="#org16a21bb">What is the most secure chat app to use on mobile?</a></td>
<td class="org-left"><a href="#org6e6f0bd">Why not use Signal for mobile chat?</a></td>
</tr>
<tr>
<td class="org-left"><a href="#org279eac7">How do I remove a user from the system?</a></td>
<td class="org-left"><a href="#orgb8a6086">What is the most secure chat app to use on mobile?</a></td>
</tr>
<tr>
<td class="org-left"><a href="#org12ac09e">Why is logging for web sites turned off by default?</a></td>
<td class="org-left"><a href="#orgd46fade">How do I remove a user from the system?</a></td>
</tr>
<tr>
<td class="org-left"><a href="#org5e9d3c7">How do I reset the tripwire?</a></td>
<td class="org-left"><a href="#org7fc4d88">Why is logging for web sites turned off by default?</a></td>
</tr>
<tr>
<td class="org-left"><a href="#org0613054">Is metadata protected?</a></td>
<td class="org-left"><a href="#orge1a3788">How do I reset the tripwire?</a></td>
</tr>
<tr>
<td class="org-left"><a href="#orgdf75721">How do I create email processing rules?</a></td>
<td class="org-left"><a href="#org572f545">Is metadata protected?</a></td>
</tr>
<tr>
<td class="org-left"><a href="#org5b21211">Why isn't dynamic DNS working?</a></td>
<td class="org-left"><a href="#org733a91b">How do I create email processing rules?</a></td>
</tr>
<tr>
<td class="org-left"><a href="#org929e4ae">How do I change my encryption settings?</a></td>
<td class="org-left"><a href="#org78eef24">Why isn't dynamic DNS working?</a></td>
</tr>
<tr>
<td class="org-left"><a href="#org087d147">How do I get a domain name?</a></td>
<td class="org-left"><a href="#org2c06ab3">How do I change my encryption settings?</a></td>
</tr>
<tr>
<td class="org-left"><a href="#org4bb381a">How do I get a "real" SSL/TLS/HTTPS certificate?</a></td>
<td class="org-left"><a href="#org5afac46">How do I get a domain name?</a></td>
</tr>
<tr>
<td class="org-left"><a href="#orgfbd420c">How do I renew a Let's Encrypt certificate?</a></td>
<td class="org-left"><a href="#org438f36d">How do I get a "real" SSL/TLS/HTTPS certificate?</a></td>
</tr>
<tr>
<td class="org-left"><a href="#orgdaf57b7">I tried to renew a Let's Encrypt certificate and it failed. What should I do?</a></td>
<td class="org-left"><a href="#orge32e913">How do I renew a Let's Encrypt certificate?</a></td>
</tr>
<tr>
<td class="org-left"><a href="#org9fde76d">Why not use the services of $company instead? They took the Seppuku pledge</a></td>
<td class="org-left"><a href="#org44f909f">I tried to renew a Let's Encrypt certificate and it failed. What should I do?</a></td>
</tr>
<tr>
<td class="org-left"><a href="#org71ce92c">Why does my email keep getting rejected as spam by Gmail/etc?</a></td>
<td class="org-left"><a href="#org27439c3">Why not use the services of $company instead? They took the Seppuku pledge</a></td>
</tr>
<tr>
<td class="org-left"><a href="#org1bd542d">Tor is censored/blocked in my area. What can I do?</a></td>
<td class="org-left"><a href="#org00d41d3">Why does my email keep getting rejected as spam by Gmail/etc?</a></td>
</tr>
<tr>
<td class="org-left"><a href="#orgcf6a401">I want to block a particular domain from getting its content into my social network sites</a></td>
<td class="org-left"><a href="#org7ab9062">Tor is censored/blocked in my area. What can I do?</a></td>
</tr>
<tr>
<td class="org-left"><a href="#org39004fe">The mesh system doesn't boot from USB drive</a></td>
<td class="org-left"><a href="#org5cd6bab">I want to block a particular domain from getting its content into my social network sites</a></td>
</tr>
<tr>
<td class="org-left"><a href="#orgafedf35">The mesh system doesn't boot from USB drive</a></td>
</tr>
</tbody>
</table>
</div>
<div id="outline-container-org416597b" class="outline-2">
<h2 id="org416597b">What applications are supported?</h2>
<div class="outline-text-2" id="text-org416597b">
<div id="outline-container-org3b9d551" class="outline-2">
<h2 id="org3b9d551">What applications are supported?</h2>
<div class="outline-text-2" id="text-org3b9d551">
<p>
<a href="./apps.html">See here</a> for the complete list of apps. In addition to those as part of the base install you get an email server.
</p>
</div>
</div>
<div id="outline-container-org719e222" class="outline-2">
<h2 id="org719e222">I don't have a static IP address. Can I still install this system?</h2>
<div class="outline-text-2" id="text-org719e222">
<div id="outline-container-orgdcdffc6" class="outline-2">
<h2 id="orgdcdffc6">I don't have a static IP address. Can I still install this system?</h2>
<div class="outline-text-2" id="text-orgdcdffc6">
<p>
Yes. The minimum requirements are to have some hardware that you can install Debian onto and also that you have administrator access to your internet router so that you can forward ports to the system which has Freedombone installed.
</p>
@ -406,17 +410,17 @@ The lack of a static IP address can be worked around by using a dynamic DNS serv
</p>
</div>
</div>
<div id="outline-container-org997ae78" class="outline-2">
<h2 id="org997ae78">Why Freedombone and not FreedomBox?</h2>
<div class="outline-text-2" id="text-org997ae78">
<div id="outline-container-org04dca90" class="outline-2">
<h2 id="org04dca90">Why Freedombone and not FreedomBox?</h2>
<div class="outline-text-2" id="text-org04dca90">
<p>
When the project began in late 2013 the FreedomBox project seemed to be going nowhere, and was only designed to work with the DreamPlug hardware. There was some new hardware out - the Beaglebone Black - which could run Debian and was also a free hardware design so seemed more appropriate. Hence the name "Freedombone", being like FreedomBox but on a Beaglebone. There are some similarities and differences between the two projects:
</p>
</div>
<div id="outline-container-org33179aa" class="outline-3">
<h3 id="org33179aa">Similarities</h3>
<div class="outline-text-3" id="text-org33179aa">
<div id="outline-container-org306add8" class="outline-3">
<h3 id="org306add8">Similarities</h3>
<div class="outline-text-3" id="text-org306add8">
<ul class="org-ul">
<li>Uses freedom-maker and vmdebootstrap to build debian images</li>
<li>Supports the use of Tor onion addresses to access websites</li>
@ -430,9 +434,9 @@ When the project began in late 2013 the FreedomBox project seemed to be going no
</ul>
</div>
</div>
<div id="outline-container-orgc193b4e" class="outline-3">
<h3 id="orgc193b4e">Differences</h3>
<div class="outline-text-3" id="text-orgc193b4e">
<div id="outline-container-orge8d4938" class="outline-3">
<h3 id="orge8d4938">Differences</h3>
<div class="outline-text-3" id="text-orge8d4938">
<ul class="org-ul">
<li>FreedomBox is a Debian pure blend. Freedombone is not</li>
<li>Freedombone only supports Free Software. FreedomBox includes some closed binary boot blobs for certain ARM boards</li>
@ -447,9 +451,9 @@ When the project began in late 2013 the FreedomBox project seemed to be going no
</div>
</div>
</div>
<div id="outline-container-org0fe5706" class="outline-2">
<h2 id="org0fe5706">Why not support building images for Raspberry Pi?</h2>
<div class="outline-text-2" id="text-org0fe5706">
<div id="outline-container-org250c12d" class="outline-2">
<h2 id="org250c12d">Why not support building images for Raspberry Pi?</h2>
<div class="outline-text-2" id="text-org250c12d">
<p>
The FreedomBox project supports Raspberry Pi builds, and the image build system for Freedombone is based on the same system. However, although the Raspberry Pi can run a version of Debian it requires a closed proprietary blob in order to boot the hardware. Who knows what that blob might contain or what exploits it could facilitate. From an adversarial point of view if you were trying to deliver "bulk equipment interference" then it doesn't get any better than piggybacking on something which has control of the boot process, and hence all subsequently run processes.
</p>
@ -459,9 +463,9 @@ So although the Raspberry Pi is cheap and hugely popular it's not supported by t
</p>
</div>
</div>
<div id="outline-container-orgf565b16" class="outline-2">
<h2 id="orgf565b16">Why use Tor? I've heard it's used by bad people</h2>
<div class="outline-text-2" id="text-orgf565b16">
<div id="outline-container-orgd5c1184" class="outline-2">
<h2 id="orgd5c1184">Why use Tor? I've heard it's used by bad people</h2>
<div class="outline-text-2" id="text-orgd5c1184">
<p>
Years ago Tor was usually depicted in the mainstream media as something scary inhabited by cyberterrorists and other bad cybers, but today to a large extent Tor is accepted as just another way of routing data in a network. Depending upon where you live there may still be some amount of fearmongering about Tor, but it now seems clear that the trajectory is towards general acceptance.
</p>
@ -482,9 +486,9 @@ On the negative side it's a complex system which is not fully decentralized.
</p>
</div>
</div>
<div id="outline-container-orgac61490" class="outline-2">
<h2 id="orgac61490">How is Tor integrated with Freedombone?</h2>
<div class="outline-text-2" id="text-orgac61490">
<div id="outline-container-org9591a28" class="outline-2">
<h2 id="org9591a28">How is Tor integrated with Freedombone?</h2>
<div class="outline-text-2" id="text-org9591a28">
<p>
Within this project Tor is used more to provide <i>accessibility</i> than the <i>anonymity</i> factor for which Tor is better known. The onion address system provides a way of being able to access sites even if you don't own a conventional domain name or don't have administrator access to your local internet router to be able to do port forwarding.
</p>
@ -502,17 +506,17 @@ Even if you're running the "onion only" build, this only means that sites are ac
</p>
</div>
</div>
<div id="outline-container-orgbe35250" class="outline-2">
<h2 id="orgbe35250">Can I add a clearnet domain to an onion build?</h2>
<div class="outline-text-2" id="text-orgbe35250">
<div id="outline-container-orgda2b251" class="outline-2">
<h2 id="orgda2b251">Can I add a clearnet domain to an onion build?</h2>
<div class="outline-text-2" id="text-orgda2b251">
<p>
You could if you manually edited the relevant nginx configuration files and installed some dynamic DNS system yourself. If you already have sysadmin knowledge then that's probably not too hard. But the builds created with the <b>onion-addresses-only</b> option aren't really intended to support access via clearnet domains.
</p>
</div>
</div>
<div id="outline-container-org1ea193b" class="outline-2">
<h2 id="org1ea193b">Why use Github?</h2>
<div class="outline-text-2" id="text-org1ea193b">
<div id="outline-container-org2fcade7" class="outline-2">
<h2 id="org2fcade7">Why use Github?</h2>
<div class="outline-text-2" id="text-org2fcade7">
<p>
Github is paradoxically a centralized, closed and proprietary system which happens to mostly host free and open source projects. Up until now it has been relatively benign, but at some point in the name of "growth" it will likely start becoming more evil, or just become like SourceForge - which was also once much loved by FOSS developers, but turned into a den of malvertizing.
</p>
@ -530,9 +534,21 @@ Currently many of the repositories used for applications which are not yet packa
</p>
</div>
</div>
<div id="outline-container-org7057def" class="outline-2">
<h2 id="org7057def">Keys and emails should not be stored on servers. Why do you do that?</h2>
<div class="outline-text-2" id="text-org7057def">
<div id="outline-container-orgc5b7d76" class="outline-2">
<h2 id="orgc5b7d76">Should I upload my GPG keys to keybase.io?</h2>
<div class="outline-text-2" id="text-orgc5b7d76">
<p>
It's not recommended unless there exists some compelling reason for you to be on there. That site asks users to upload the <b>private keys</b>, and even if the keys are client side encrypted with a passphrase there's always the chance that there will be a data leak in future and letter agencies will then have a full time opportunity to crack the passphrases.
</p>
<p>
Saying something resembling <i>"only noobs will use crackable private key passphrases"</i> isn't good enough. A passphrase should not be considered to be a substitute for a private key.
</p>
</div>
</div>
<div id="outline-container-org1b54432" class="outline-2">
<h2 id="org1b54432">Keys and emails should not be stored on servers. Why do you do that?</h2>
<div class="outline-text-2" id="text-org1b54432">
<p>
Ordinarily this is good advice. However, the threat model for a device in your home is different from the one for a generic server in a massive warehouse. Compare and contrast:
</p>
@ -590,9 +606,9 @@ In the home environment a box with a good firewall and no GUI components install
</div>
</div>
<div id="outline-container-orge669711" class="outline-2">
<h2 id="orge669711">Why can't I access my .onion site with a Tor browser?</h2>
<div class="outline-text-2" id="text-orge669711">
<div id="outline-container-orgd51af85" class="outline-2">
<h2 id="orgd51af85">Why can't I access my .onion site with a Tor browser?</h2>
<div class="outline-text-2" id="text-orgd51af85">
<p>
Probably you need to add the site to the NoScript whitelist. Typically click/press on the noscript icon (or select from the menu on mobile) then select <i>whitelist</i> and add the site URL. You may also need to disable HTTPS Everywhere when using onion addresses, which don't use https.
</p>
@ -602,9 +618,9 @@ Another factor to be aware of is that it can take a while for the onion address
</p>
</div>
</div>
<div id="outline-container-orgdb3b7a6" class="outline-2">
<h2 id="orgdb3b7a6">What is the best hardware to run this system on?</h2>
<div class="outline-text-2" id="text-orgdb3b7a6">
<div id="outline-container-org4585a4a" class="outline-2">
<h2 id="org4585a4a">What is the best hardware to run this system on?</h2>
<div class="outline-text-2" id="text-org4585a4a">
<p>
It was originally designed to run on the Beaglebone Black, but that should be regarded as the most minimal system, because it's single core and has by today's standards a small amount of memory. Obviously the more powerful the hardware is the faster things like web pages (blog, social networking, etc) will be served but the more electricity such a system will require if you're running it 24/7. A good compromise between performance and energy consumption is something like an old netbook. The battery of an old netbook or laptop even gives you <a href="https://en.wikipedia.org/wiki/Uninterruptible_power_supply">UPS capability</a> to keep the system going during brief power outages or cable re-arrangements, and that means using full disk encryption on the server also becomes more practical.
</p>
@ -614,9 +630,9 @@ It was originally designed to run on the Beaglebone Black, but that should be re
</p>
</div>
</div>
<div id="outline-container-orgf1c38a0" class="outline-2">
<h2 id="orgf1c38a0">Can I add more users to the system?</h2>
<div class="outline-text-2" id="text-orgf1c38a0">
<div id="outline-container-org12ce8ec" class="outline-2">
<h2 id="org12ce8ec">Can I add more users to the system?</h2>
<div class="outline-text-2" id="text-org12ce8ec">
<p>
Yes. Freedombone can support a small number of users, for a "<i>friends and family</i>" type of home installation. This gives them access to an email account, XMPP, SIP phone and the blog (depending on whether the variant which you installed includes those).
</p>
@ -639,9 +655,9 @@ Another point is that Freedombone installations are not intended to support many
</p>
</div>
</div>
<div id="outline-container-orgd32f191" class="outline-2">
<h2 id="orgd32f191">Why not use Signal for mobile chat?</h2>
<div class="outline-text-2" id="text-orgd32f191">
<div id="outline-container-org6e6f0bd" class="outline-2">
<h2 id="org6e6f0bd">Why not use Signal for mobile chat?</h2>
<div class="outline-text-2" id="text-org6e6f0bd">
<p>
Celebrities recommend Signal. It's Free Software so it must be good, right?
</p>
@ -664,9 +680,9 @@ To give credit where it's due Signal is good, but it could be a lot better. The
</p>
</div>
</div>
<div id="outline-container-org16a21bb" class="outline-2">
<h2 id="org16a21bb">What is the most secure chat app to use on mobile?</h2>
<div class="outline-text-2" id="text-org16a21bb">
<div id="outline-container-orgb8a6086" class="outline-2">
<h2 id="orgb8a6086">What is the most secure chat app to use on mobile?</h2>
<div class="outline-text-2" id="text-orgb8a6086">
<p>
On mobile there are various options. The apps which are likely to be most secure are ones which have end-to-end encryption enabled by default and which can also be onion routed via Orbot. End-to-end encryption secures the content of the message and onion routing obscures the metadata, making it hard for a passive adversary to know who is communicating with who.
</p>
@ -676,13 +692,13 @@ The current safest way to chat is to use <a href="https://conversations.im">Conv
</p>
<p>
There are many <a href="#orgd32f191">other fashionable chat apps</a> with end-to-end security, but often they are closed source, have a single central server or can't be onion routed. It's also important to remember that closed source chat apps should be assumed to be untrustworthy, since their security cannot be independently verified.
There are many <a href="#org6e6f0bd">other fashionable chat apps</a> with end-to-end security, but often they are closed source, have a single central server or can't be onion routed. It's also important to remember that closed source chat apps should be assumed to be untrustworthy, since their security cannot be independently verified.
</p>
</div>
</div>
<div id="outline-container-org279eac7" class="outline-2">
<h2 id="org279eac7">How do I remove a user from the system?</h2>
<div class="outline-text-2" id="text-org279eac7">
<div id="outline-container-orgd46fade" class="outline-2">
<h2 id="orgd46fade">How do I remove a user from the system?</h2>
<div class="outline-text-2" id="text-orgd46fade">
<p>
To remove a user:
</p>
@ -697,9 +713,9 @@ Select <i>Administrator controls</i> then <i>Manage Users</i> and then <i>Delete
</p>
</div>
</div>
<div id="outline-container-org12ac09e" class="outline-2">
<h2 id="org12ac09e">Why is logging for web sites turned off by default?</h2>
<div class="outline-text-2" id="text-org12ac09e">
<div id="outline-container-org7fc4d88" class="outline-2">
<h2 id="org7fc4d88">Why is logging for web sites turned off by default?</h2>
<div class="outline-text-2" id="text-org7fc4d88">
<p>
If you're making profits out of the logs by running large server warehouses and then data mining what users click on - as is the business model of well known internet companies - then logging everything makes total sense. However, if you're running a home server then logging really only makes sense if you're trying to diagnose some specific problem with the system, and outside of that context logging everything becomes more of a liability than an asset.
</p>
@ -713,9 +729,9 @@ On the Freedombone system web logs containing IP addresses are turned off by def
</p>
</div>
</div>
<div id="outline-container-org5e9d3c7" class="outline-2">
<h2 id="org5e9d3c7">How do I reset the tripwire?</h2>
<div class="outline-text-2" id="text-org5e9d3c7">
<div id="outline-container-orge1a3788" class="outline-2">
<h2 id="orge1a3788">How do I reset the tripwire?</h2>
<div class="outline-text-2" id="text-orge1a3788">
<p>
The tripwire will be automatically reset once per week. If you want to reset it earlier then do the following:
</p>
@ -730,9 +746,9 @@ Select <i>Administrator controls</i> then "reset tripwire" using cursors and spa
</p>
</div>
</div>
<div id="outline-container-org0613054" class="outline-2">
<h2 id="org0613054">Is metadata protected?</h2>
<div class="outline-text-2" id="text-org0613054">
<div id="outline-container-org572f545" class="outline-2">
<h2 id="org572f545">Is metadata protected?</h2>
<div class="outline-text-2" id="text-org572f545">
<blockquote>
<p>
"<i>We kill people based on metadata</i>"
@ -748,9 +764,9 @@ Even when using Freedombone metadata analysis by third parties is still possible
</p>
</div>
</div>
<div id="outline-container-orgdf75721" class="outline-2">
<h2 id="orgdf75721">How do I create email processing rules?</h2>
<div class="outline-text-2" id="text-orgdf75721">
<div id="outline-container-org733a91b" class="outline-2">
<h2 id="org733a91b">How do I create email processing rules?</h2>
<div class="outline-text-2" id="text-org733a91b">
<div class="org-src-container">
<pre class="src src-bash">ssh username@domainname -p 2222
</pre>
@ -806,9 +822,9 @@ Spamassassin is also available and within Mutt you can use the S (shift+s) key t
</p>
</div>
</div>
<div id="outline-container-org5b21211" class="outline-2">
<h2 id="org5b21211">Why isn't dynamic DNS working?</h2>
<div class="outline-text-2" id="text-org5b21211">
<div id="outline-container-org78eef24" class="outline-2">
<h2 id="org78eef24">Why isn't dynamic DNS working?</h2>
<div class="outline-text-2" id="text-org78eef24">
<p>
If you run the command:
</p>
@ -831,9 +847,9 @@ https://www.privateinternetaccess.com/pages/whats-my-ip/
</div>
</div>
<div id="outline-container-org929e4ae" class="outline-2">
<h2 id="org929e4ae">How do I change my encryption settings?</h2>
<div class="outline-text-2" id="text-org929e4ae">
<div id="outline-container-org2c06ab3" class="outline-2">
<h2 id="org2c06ab3">How do I change my encryption settings?</h2>
<div class="outline-text-2" id="text-org2c06ab3">
<p>
Suppose that some new encryption vulnerability has been announced and that you need to change your encryption settings. Maybe an algorithm thought to be secure is now no longer so and you need to remove it. You can change your settings by doing the following:
</p>
@ -848,9 +864,9 @@ Select <i>Administrator controls</i> then select <i>Security Settings</i>. You w
</p>
</div>
</div>
<div id="outline-container-org087d147" class="outline-2">
<h2 id="org087d147">How do I get a domain name?</h2>
<div class="outline-text-2" id="text-org087d147">
<div id="outline-container-org5afac46" class="outline-2">
<h2 id="org5afac46">How do I get a domain name?</h2>
<div class="outline-text-2" id="text-org5afac46">
<p>
Suppose that you have bought a domain name (rather than using a free subdomain on freedns) and you want to use that instead.
</p>
@ -914,9 +930,9 @@ You should now be able to send an email from <i>postmaster@mynewdomainname</i> a
</div>
</div>
<div id="outline-container-org4bb381a" class="outline-2">
<h2 id="org4bb381a">How do I get a "real" SSL/TLS/HTTPS certificate?</h2>
<div class="outline-text-2" id="text-org4bb381a">
<div id="outline-container-org438f36d" class="outline-2">
<h2 id="org438f36d">How do I get a "real" SSL/TLS/HTTPS certificate?</h2>
<div class="outline-text-2" id="text-org438f36d">
<p>
If you did the full install or selected the social variant then the system will have tried to obtain a Let's Encrypt certificate automatically during the install process. If this failed for any reason, or if you have created a new site which you need a certificate for then do the following:
</p>
@ -935,9 +951,9 @@ One thing to be aware of is that Let's Encrypt doesn't support many dynamic DNS
</p>
</div>
</div>
<div id="outline-container-orgfbd420c" class="outline-2">
<h2 id="orgfbd420c">How do I renew a Let's Encrypt certificate?</h2>
<div class="outline-text-2" id="text-orgfbd420c">
<div id="outline-container-orge32e913" class="outline-2">
<h2 id="orge32e913">How do I renew a Let's Encrypt certificate?</h2>
<div class="outline-text-2" id="text-orge32e913">
<p>
Normally certificates will be automatically renewed once per month, so you don't need to be concerned about it. If anything goes wrong with the automatic renewal then you should receive a warning email.
</p>
@ -956,9 +972,9 @@ Select <i>Administrator controls</i> then <b>Security settings</b> then <b>Renew
</p>
</div>
</div>
<div id="outline-container-orgdaf57b7" class="outline-2">
<h2 id="orgdaf57b7">I tried to renew a Let's Encrypt certificate and it failed. What should I do?</h2>
<div class="outline-text-2" id="text-orgdaf57b7">
<div id="outline-container-org44f909f" class="outline-2">
<h2 id="org44f909f">I tried to renew a Let's Encrypt certificate and it failed. What should I do?</h2>
<div class="outline-text-2" id="text-org44f909f">
<p>
Most likely it's because Let's Encrypt doesn't support your particular domain or subdomain. Currently free subdomains tend not to work. You'll need to buy a domain name, link it to your dynamic DNS account and then do:
</p>
@ -973,17 +989,17 @@ Select <i>Administrator controls</i> then <b>Security settings</b> then <b>Creat
</p>
</div>
</div>
<div id="outline-container-org9fde76d" class="outline-2">
<h2 id="org9fde76d">Why not use the services of $company instead? They took the Seppuku pledge</h2>
<div class="outline-text-2" id="text-org9fde76d">
<div id="outline-container-org27439c3" class="outline-2">
<h2 id="org27439c3">Why not use the services of $company instead? They took the Seppuku pledge</h2>
<div class="outline-text-2" id="text-org27439c3">
<p>
<a href="https://cryptostorm.org/viewtopic.php?f=63&amp;t=2954&amp;sid=7de2d1e699cfde2f574e6a7f6ea5a173">That pledge</a> is utterly worthless. Years ago people trusted Google in the same sort of way, because they promised not be be evil and because a lot of the engineers working for them seemed like honest types who were "<i>on our side</i>". Post-<a href="https://en.wikipedia.org/wiki/Nymwars">nymwars</a> and post-<a href="https://en.wikipedia.org/wiki/PRISM_(surveillance_program)">PRISM</a> we know exactly how much Google cared about the privacy and security of its users. But Google is only one particular example. In general don't trust pledges made by companies, even if the people running them seem really sincere.
</p>
</div>
</div>
<div id="outline-container-org71ce92c" class="outline-2">
<h2 id="org71ce92c">Why does my email keep getting rejected as spam by Gmail/etc?</h2>
<div class="outline-text-2" id="text-org71ce92c">
<div id="outline-container-org00d41d3" class="outline-2">
<h2 id="org00d41d3">Why does my email keep getting rejected as spam by Gmail/etc?</h2>
<div class="outline-text-2" id="text-org00d41d3">
<p>
Welcome to the world of email. Email is really the archetypal decentralized service, developed during the early days of the internet. In principle anyone can run an email server, and that's exactly what you're doing with Freedombone. Email is very useful, but it has a big problem, and that's that the protocols are totally insecure. That made it easy for spammers to do their thing, and in response highly elaborate spam filtering and blocking systems were developed. Chances are that your emails are being blocked in this way. Sometimes the blocking is so indisciminate that entire countries are excluded. What can you do about it? Unless you control the block list at the receiving end you may not be able to do much unless you can find an email proxy server which is trusted by the receiving server.
</p>
@ -1014,9 +1030,9 @@ So the situation with email presently is pretty bad, and there's a clear selecti
</p>
</div>
</div>
<div id="outline-container-org1bd542d" class="outline-2">
<h2 id="org1bd542d">Tor is censored/blocked in my area. What can I do?</h2>
<div class="outline-text-2" id="text-org1bd542d">
<div id="outline-container-org7ab9062" class="outline-2">
<h2 id="org7ab9062">Tor is censored/blocked in my area. What can I do?</h2>
<div class="outline-text-2" id="text-org7ab9062">
<p>
If you can find some details for an obfs4 Tor bridge (its IP address, port number and key or nickname) then you can set up the system to use it to connect to the Tor network. Unlike relay nodes the IP addresses for bridges are not public information and so can't be easily known and added to block lists by authoritarian regimes or over-zealous ISPs.
</p>
@ -1047,9 +1063,9 @@ Return to the <a href="index.html">home page</a>
</div>
</div>
<div id="outline-container-orgcf6a401" class="outline-2">
<h2 id="orgcf6a401">I want to block a particular domain from getting its content into my social network sites</h2>
<div class="outline-text-2" id="text-orgcf6a401">
<div id="outline-container-org5cd6bab" class="outline-2">
<h2 id="org5cd6bab">I want to block a particular domain from getting its content into my social network sites</h2>
<div class="outline-text-2" id="text-org5cd6bab">
<p>
If you're being pestered by some domain which contains bad/illegal/harrassing content or irritating users you can block domains at the firewall level. Go to the administrator control panel and select <i>domain blocking</i>. You can then block, unblock and view the list of blocked domains.
</p>
@ -1064,9 +1080,9 @@ Select <i>Administrator controls</i> then <i>Domain blocking</i>.
</div>
</div>
<div id="outline-container-org39004fe" class="outline-2">
<h2 id="org39004fe">The mesh system doesn't boot from USB drive</h2>
<div class="outline-text-2" id="text-org39004fe">
<div id="outline-container-orgafedf35" class="outline-2">
<h2 id="orgafedf35">The mesh system doesn't boot from USB drive</h2>
<div class="outline-text-2" id="text-orgafedf35">
<p>
If the system doesn't boot and reports an error which includes <b>/dev/mapper/loop0p1</b> then reboot with <b>Ctrl-Alt-Del</b> and when you see the grub menu press <b>e</b> and manually change <b>/dev/mapper/loop0p1</b> to <b>/dev/sdb1</b>, then press <b>Ctrl-x</b>. If that doesn't work then reboot and try <b>/dev/sdc1</b> instead.
</p>

6
website/EN/mesh.html
View File

@ -3,7 +3,7 @@
"http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" lang="en" xml:lang="en">
<head>
<!-- 2017-12-29 Fri 22:58 -->
<!-- 2018-01-15 Mon 20:17 -->
<meta http-equiv="Content-Type" content="text/html;charset=utf-8" />
<meta name="viewport" content="width=device-width, initial-scale=1" />
<title>&lrm;</title>
@ -278,6 +278,10 @@ If an internet connection is available then it can make use of that, but otherwi
Systems only need to be within wifi range of each other for the mesh to be created, so it can be an very convenient way to create a local communications network.
</p>
<p>
Like <a href="https://libremesh.org">LibreMesh</a>, this system uses a combination of <a href="https://en.wikipedia.org/wiki/B.A.T.M.A.N.">batman-adv</a> on network layer 2 and <a href="http://bmx6.net">BMX</a> on layer 3.
</p>
<div class="org-center">
<p>
This site can also be accessed via a Tor browser at <a href="http://pazyv7nkllp76hqr.onion">http://pazyv7nkllp76hqr.onion</a>