From a326d38ebab65fb889a172e8b09b5546beb4fab7 Mon Sep 17 00:00:00 2001 From: Bob Mottram Date: Wed, 27 Sep 2017 17:46:45 +0100 Subject: [PATCH] Documentation on vpn --- doc/EN/app_vpn.org | 81 +++++++++ doc/EN/apps.org | 4 + website/EN/app_vpn.html | 386 ++++++++++++++++++++++++++++++++++++++++ website/EN/apps.html | 220 ++++++++++++----------- 4 files changed, 587 insertions(+), 104 deletions(-) create mode 100644 doc/EN/app_vpn.org create mode 100644 website/EN/app_vpn.html diff --git a/doc/EN/app_vpn.org b/doc/EN/app_vpn.org new file mode 100644 index 00000000..d25c3e0c --- /dev/null +++ b/doc/EN/app_vpn.org @@ -0,0 +1,81 @@ +#+TITLE: +#+AUTHOR: Bob Mottram +#+EMAIL: bob@freedombone.net +#+KEYWORDS: freedombone, openvpn +#+DESCRIPTION: How to use OpenVPN on Freedombone +#+OPTIONS: ^:nil toc:nil +#+HTML_HEAD: + +#+BEGIN_CENTER +[[file:images/logo.png]] +#+END_CENTER + +#+BEGIN_EXPORT html +
+

OpenVPN

+
+#+END_EXPORT + +#+begin_quote +"/The Net interprets censorship as damage and routes around it./" -- John Gilmore +#+end_quote + +A Virtual Private Network (VPN) allows you to move your internet traffic to a different machine in a different geographical location by creating a private cryptographically protected route to that location. The usual use cases are to get around local censorship of the internet such as when you see the message "/this content is not available in your area/" when trying to play a video. Maybe you're on holiday and your hotel or workplace internet connection is censored. Using a VPN you can connect to your home server and then use the internet normally. + +Using a Tor browser is another way to get around censorship, but there might be occasions where you don't want to use a Tor browser or where Tor relays and bridges are blocked or where you want to run internet apps which aren't within a browser. + +* Installation + +ssh into the system with: + +#+BEGIN_SRC bash +ssh myusername@mydomainname -p 2222 +#+END_SRC + +Select *Administrator controls* then *Add/Remove apps* then *vpn*. Choose the port which you want the VPN to operate on and then the install will continue. + +Only use ports 443 or 80 for VPN as an /absolute last resort/, since doing so will prevent other web based apps from running on your server. + +* Usage + +When the installation is complete you can download your VPN keys and configuration files onto your local machine. + +#+begin_src bash +scp -P 2222 myusername@mydomainname:/home/myusername/client.ovpn . +scp -P 2222 myusername@mydomainname:/home/myusername/stunnel* . +#+end_src + +You will need to ensure that the /openvpn/ and /stunnel/ packages are installed. 
On an Arch based system: + +#+begin_src bash +sudp pacman -S openvpn stunnel4 +#+end_src + +Or on a Debian based system: + +#+begin_src bash +sudo apt-get install openvpn stunnel4 +#+end_src + +Now you can connect to your VPN with: + +#+begin_src bash +sudo stunnel stunnel-client.conf +sudo openvpn client.ovpn +#+end_src + +You should see a series of messages with "/Initialization Sequence Completed/" showing at the end. Leave the terminal open and perhaps minimize it to remain connected to the VPN. To leave the VPN close the terminal window. + +* Changing port number + +Avoiding censorship can be a cat and mouse game, and so if the port you're using for VPN gets blocked then you may want to change it. + +#+BEGIN_SRC bash +ssh myusername@mydomainname -p 2222 +#+END_SRC + +Select *Administrator controls* then *App Settings* then *vpn*. Choose *Change TLS port* and enter a new port value. You can then either manually change the port within your VPN configuration files, or download them again as described in the [[Usage]] section above. + +* Generating new keys + +It's possible that your VPN keys might get lost or compromised on your local machine. If that happens you can generate new ones from the *Administrator controls* by going to *App Settings* then *vpn* then choosing *Regenerate keys for a user* and downloading the new keys as described in the [[Usage]] section above. diff --git a/doc/EN/apps.org b/doc/EN/apps.org index 7126510a..d46d7daf 100644 --- a/doc/EN/apps.org +++ b/doc/EN/apps.org 
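Review bot: in the doc/EN/app_vpn.org hunk the Arch install command reads `sudp pacman -S openvpn stunnel4`: `sudp` should be `sudo`, and on Arch the package is named `stunnel` (`stunnel4` is the Debian package name, which the apt-get line below it uses correctly), so as written the command fails on both counts. The `#+TITLE:` line is empty, which leaves the exported page without a title. In the Usage section, since `sudo stunnel stunnel-client.conf` is followed by `sudo openvpn client.ovpn` in the same shell, stunnel must have detached into the background, so the advice "To leave the VPN close the terminal window" ends openvpn but leaves the stunnel process running; suggest telling the reader to stop openvpn with Ctrl-C and stop stunnel separately, or to run stunnel with `foreground = yes` in the client config so both die with the terminal. The downloaded client.ovpn and stunnel files carry the client's private key material, so the scp step could add a `chmod 600` on them. website/EN/app_vpn.html in this patch is the exported copy of this file and carries the same `sudp` typo, so it should be regenerated after the fix rather than edited by hand.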
@@ -154,6 +154,10 @@ A system for privately creating and sharing notes and images, similar to Evernot * Vim If you use the Mutt client to read your email then this will set it up to use vim for composing new mail. +* Virtual Private Network (VPN) +Set up a VPN on your server so that you can bypass local internet censorship. + +[[./app_vpn.html][How to use it]] * XMPP Chat server which can be used together with client such as Gajim or Conversations to provide end-to-end content security and also onion routed metadata security. Includes advanced features such as /client state notification/ to save battery power on your mobile devices, support for seamless roaming between networks and /message carbons/ so that you can receive the same messages while being simultaneously logged in to your account on more than one device. diff --git a/website/EN/app_vpn.html b/website/EN/app_vpn.html new file mode 100644 index 00000000..59283898 --- /dev/null +++ b/website/EN/app_vpn.html @@ -0,0 +1,386 @@ + + + + + + + + + + + + + + + + + +
+ +
+
+
+ +
+

logo.png +

+
+
+ +
+

OpenVPN

+
+ +
+

+"The Net interprets censorship as damage and routes around it." – John Gilmore +

+
+ +

+A Virtual Private Network (VPN) allows you to move your internet traffic to a different machine in a different geographical location by creating a private cryptographically protected route to that location. The usual use cases are to get around local censorship of the internet such as when you see the message "this content is not available in your area" when trying to play a video. Maybe you're on holiday and your hotel or workplace internet connection is censored. Using a VPN you can connect to your home server and then use the internet normally. +

+ +

+Using a Tor browser is another way to get around censorship, but there might be occasions where you don't want to use a Tor browser or where Tor relays and bridges are blocked or where you want to run internet apps which aren't within a browser. +

+ +
+

Installation

+
+

+ssh into the system with: +

+ +
+
ssh myusername@mydomainname -p 2222
+
+
+ +

+Select Administrator controls then Add/Remove apps then vpn. Choose the port which you want the VPN to operate on and then the install will continue. +

+ +

+Only use ports 443 or 80 for VPN as an absolute last resort, since doing so will prevent other web based apps from running on your server. +

+
+
+ +
+

Usage

+
+

+When the installation is complete you can download your VPN keys and configuration files onto your local machine. +

+ +
+
scp -P 2222 myusername@mydomainname:/home/myusername/client.ovpn .
+scp -P 2222 myusername@mydomainname:/home/myusername/stunnel* .
+
+
+ +

+You will need to ensure that the openvpn and stunnel packages are installed. On an Arch based system: +

+ +
+
sudp pacman -S openvpn stunnel4
+
+
+ +

+Or on a Debian based system: +

+ +
+
sudo apt-get install openvpn stunnel4
+
+
+ +

+Now you can connect to your VPN with: +

+ +
+
sudo stunnel stunnel-client.conf
+sudo openvpn client.ovpn
+
+
+ +

+You should see a series of messages with "Initialization Sequence Completed" showing at the end. Leave the terminal open and perhaps minimize it to remain connected to the VPN. To leave the VPN close the terminal window. +

+
+
+ +
+

Changing port number

+
+

+Avoiding censorship can be a cat and mouse game, and so if the port you're using for VPN gets blocked then you may want to change it. +

+ +
+
ssh myusername@mydomainname -p 2222
+
+
+ +

+Select Administrator controls then App Settings then vpn. Choose Change TLS port and enter a new port value. You can then either manually change the port within your VPN configuration files, or download them again as described in the Usage section above. +

+
+
+ +
+

Generating new keys

+
+

+It's possible that your VPN keys might get lost or compromised on your local machine. If that happens you can generate new ones from the Administrator controls by going to App Settings then vpn then choosing Regenerate keys for a user and downloading the new keys as described in the Usage section above. +

+
+
+
+
+ + + + +
+ + diff --git a/website/EN/apps.html b/website/EN/apps.html index d6ba427d..843c3e34 100644 --- a/website/EN/apps.html +++ b/website/EN/apps.html @@ -3,10 +3,10 @@ "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd"> - + - + -
-

CryptPad

-
+
+

CryptPad

+

Collaborate on editing documents, presentations and source code, or vote on things. All with a good level of security.

@@ -276,9 +276,9 @@ Collaborate on editing documents, presentations and source code, or vote on thin

-
-

DLNA

-
+
+

DLNA

+

Enables you to use the system as a music server which any DLNA compatible devices can connect to within your home network.

@@ -288,9 +288,9 @@ Enables you to use the system as a music server which any DLNA compatible device

-
-

Dokuwiki

-
+
+

Dokuwiki

+

A databaseless wiki system.

@@ -300,9 +300,9 @@ A databaseless wiki system.

-
-

Emacs

-
+
+

Emacs

+

If you use the Mutt client to read your email then this will set it up to use emacs for composing new mail.

@@ -312,9 +312,9 @@ If you use the Mutt client to read your email then this will set it up to use em

-
-

Etherpad

-
+
+

Etherpad

+

Collaborate on creating documents in real time. Maybe you're planning a holiday with other family members or creating documentation for a Free Software project along with other volunteers. Etherpad is hard to beat for simplicity and speed. Only users of the system will be able to access it.

@@ -324,9 +324,9 @@ Collaborate on creating documents in real time. Maybe you're planning a holiday

-
-

Friendica

-
+
+

Friendica

+

Federated social network system.

@@ -336,9 +336,9 @@ Federated social network system.

-
-

Ghost

-
+
+

Ghost

+

Modern looking blogging system.

@@ -348,9 +348,9 @@ Modern looking blogging system.

-
-

GNU Social

-
+
+

GNU Social

+

Federated social network. You can "remote follow" other users within the GNU Social federation.

@@ -360,9 +360,9 @@ Federated social network. You can "remote follow" other users within the

-
-

Gogs

-
+
+

Gogs

+

Lightweight git project hosting system. You can mirror projects from Github, or if Github turns evil then just host your own projects while retaining the familiar fork-and-pull workflow. If you can use Github then you can also use Gogs.

@@ -372,9 +372,9 @@ Lightweight git project hosting system. You can mirror projects from Github, or

-
-

HTMLy

-
+
+

HTMLy

+

Databaseless blogging system. Quite simple and with a markdown-like format.

@@ -384,9 +384,9 @@ Databaseless blogging system. Quite simple and with a markdown-like format.

-
-

Hubzilla

-
+
+

Hubzilla

+

Web publishing platform with social network like features and good privacy controls so that it's possible to specify who can see which content. Includes photo albums, calendar, wiki and file storage.

@@ -396,9 +396,9 @@ Web publishing platform with social network like features and good privacy contr

-
-

IRC Server (ngirc)

-
+
+

IRC Server (ngirc)

+

Run your own IRC chat channel which can be secured with a password and accessible via an onion address. A bouncer is included so that you can receive messages sent while you were offline. Works with Hexchat and other popular clients.

@@ -408,18 +408,18 @@ Run your own IRC chat channel which can be secured with a password and accessibl

-
-

Jitsi Meet

-
+
+

Jitsi Meet

+

Experimental WebRTC video conferencing system, similar to Google Hangouts. This may not be fully functional, but is hoped to be in the near future.

-
-

KanBoard

-
+
+

KanBoard

+

A simple kanban system for managing projects or TODO lists.

@@ -429,9 +429,9 @@ A simple kanban system for managing projects or TODO lists.

-
-

Key Server

-
+
+

Key Server

+

An OpenPGP key server for storing and retrieving GPG public keys.

@@ -441,9 +441,9 @@ An OpenPGP key server for storing and retrieving GPG public keys.

-
-

Koel

-
+
+

Koel

+

Access your music collection from any internet connected device.

@@ -453,9 +453,9 @@ Access your music collection from any internet connected device.

-
-

Lychee

-
+
+

Lychee

+

Make your photo albums available on the web.

@@ -465,9 +465,9 @@ Make your photo albums available on the web.

-
-

Mailpile

-
+
+

Mailpile

+

Modern email client which supports GPG encryption.

@@ -477,9 +477,9 @@ Modern email client which supports GPG encryption.

-
-

Matrix

-
+
+

Matrix

+

Multi-user chat with some security and moderation controls.

@@ -489,9 +489,9 @@ Multi-user chat with some security and moderation controls.

-
-

Mediagoblin

-
+
+

Mediagoblin

+

Publicly host video and audio files so that you don't need to use YouTube/Vimeo/etc.

@@ -501,9 +501,9 @@ Publicly host video and audio files so that you don't need to use YouTube/Vimeo/

-
-

Mumble

-
+
+

Mumble

+

The popular VoIP and text chat system. Say goodbye to old-fashioned telephony conferences with silly dial codes. Also works well on mobile.

@@ -513,9 +513,9 @@ The popular VoIP and text chat system. Say goodbye to old-fashioned telephony co

-
-

NextCloud

-
+
+

NextCloud

+

Store files on your server and sync them with laptops or mobile devices. Includes many plugins including videoconferencing and collaborative document editing.

@@ -525,9 +525,9 @@ Store files on your server and sync them with laptops or mobile devices. Include

-
-

PI-Hole

-
+
+

PI-Hole

+

The black hole for web adverts. Block adverts at the domain name level within your local network. It can significantly reduce bandwidth, speed up page load times and protect your systems from being tracked by spyware.

@@ -537,9 +537,9 @@ The black hole for web adverts. Block adverts at the domain name level within yo

-
-

PostActiv

-
+
+

PostActiv

+

An alternative federated social networking system compatible with GNU Social. It includes some optimisations and fixes currently not available within the main GNU Social project.

@@ -549,9 +549,9 @@ An alternative federated social networking system compatible with GNU Social. It

-
-

Profanity

-
+
+

Profanity

+

A shell based XMPP client which you can run on the Freedombone server via ssh.

@@ -561,9 +561,9 @@ A shell based XMPP client which you can run on the Freedombone server via ssh.

-
-

Riot Web

-
+
+

Riot Web

+

A browser based user interface for the Matrix federated communications system, including WebRTC audio and video chat.

@@ -573,9 +573,9 @@ A browser based user interface for the Matrix federated communications system, i

-
-

SearX

-
+
+

SearX

+

A metasearch engine for customised and private web searches.

@@ -585,9 +585,9 @@ A metasearch engine for customised and private web searches.

-
-

tt-rss

-
+
+

tt-rss

+

Private RSS reader. Pulls in RSS/Atom feeds via Tor and is only accessible via an onion address. Have "the right to read" without the Surveillance State knowing what you're reading. Also available with a user interface suitable for viewing on mobile devices via a browser such as OrFox.

@@ -597,9 +597,9 @@ Private RSS reader. Pulls in RSS/Atom feeds via Tor and is only accessible via a

-
-

Syncthing

-
+
+

Syncthing

+

Possibly the best way to synchronise files across all of your devices. Once it has been set up it "just works" with no user intervention needed.

@@ -609,9 +609,9 @@ Possibly the best way to synchronise files across all of your devices. Once it h

-
-

Tahoe-LAFS

-
+
+

Tahoe-LAFS

+

Robust and encrypted storage of files on one or more server.

@@ -621,9 +621,9 @@ Robust and encrypted storage of files on one or more server.

-
-

Tox

-
+
+

Tox

+

Client and bootstrap node for the Tox chat/VoIP system.

@@ -633,9 +633,9 @@ Client and bootstrap node for the Tox chat/VoIP system.

-
-

Turtl

-
+
+

Turtl

+

A system for privately creating and sharing notes and images, similar to Evernote but without the spying.

@@ -645,18 +645,30 @@ A system for privately creating and sharing notes and images, similar to Evernot

-
-

Vim

-
+
+

Vim

+

If you use the Mutt client to read your email then this will set it up to use vim for composing new mail.

-
-

XMPP

-
+
+

Virtual Private Network (VPN)

+
+

+Set up a VPN on your server so that you can bypass local internet censorship. +

+ +

+How to use it +

+
+
+
+

XMPP

+

Chat server which can be used together with client such as Gajim or Conversations to provide end-to-end content security and also onion routed metadata security. Includes advanced features such as client state notification to save battery power on your mobile devices, support for seamless roaming between networks and message carbons so that you can receive the same messages while being simultaneously logged in to your account on more than one device.
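Review bot: apart from the added VPN entry (the `Virtual Private Network (VPN)` block placed between Vim and XMPP, with its description and "How to use it" link matching the org source), every hunk in website/EN/apps.html removes and re-adds an otherwise unchanged heading block (CryptPad, DLNA, Dokuwiki, Emacs, ... XMPP), the usual sign of the org HTML exporter assigning fresh auto-generated section ids on each export; that turns a four-line change in doc/EN/apps.org into the 220-line apps.html diff shown in the diffstat, which cannot realistically be reviewed for unintended changes. Suggest giving the headings stable `CUSTOM_ID` properties (or otherwise pinning the exporter's ids) so regenerated pages only diff where content actually changed.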