Merge branch 'stretch' of https://github.com/bashrc/freedombone

doc/EN/app_vpn.org

@@ -0,0 +1,83 @@
+#+TITLE:
+#+AUTHOR: Bob Mottram
+#+EMAIL: bob@freedombone.net
+#+KEYWORDS: freedombone, openvpn
+#+DESCRIPTION: How to use OpenVPN on Freedombone
+#+OPTIONS: ^:nil toc:nil
+#+HTML_HEAD: <link rel="stylesheet" type="text/css" href="freedombone.css" />
+
+#+BEGIN_CENTER
+[[file:images/logo.png]]
+#+END_CENTER
+
+#+BEGIN_EXPORT html
+<center>
+<h1>OpenVPN</h1>
+</center>
+#+END_EXPORT
+
+#+begin_quote
+"/The Net interprets censorship as damage and routes around it./" -- John Gilmore
+#+end_quote
+
+A Virtual Private Network (VPN) allows you to move your internet traffic to a different machine in a different geographical location by creating a private cryptographically protected route to that location. The usual use cases are to get around local censorship of the internet such as when you see the message "/this content is not available in your area/" when trying to play a video. Maybe you're on holiday and your hotel or workplace internet connection is censored. Using a VPN you can connect to your home server and then use the internet normally.
+
+Using a Tor browser is another way to get around censorship, but there might be occasions where you don't want to use a Tor browser or where Tor relays and bridges are blocked or where you want to run internet apps which aren't within a browser.
+
+On Freedombone the VPN is wrapped within a TLS layer of encryption, making it difficult for any deep packet inspection systems to know whether you are using a VPN or not. Since there is lots of TLS traffic on the internet your connection looks like any other TLS connection to a server, and this may help to avoid being censored. It's probably not possible for your local ISP to block TLS traffic without immediately generating a lot of irate customers, and stopping any kind of commercial activity.
+
+* Installation
+
+ssh into the system with:
+
+#+BEGIN_SRC bash
+ssh myusername@mydomainname -p 2222
+#+END_SRC
+
+Select *Administrator controls* then *Add/Remove apps* then *vpn*. Choose the port which you want the VPN to operate on and then the install will continue.
+
+Only use ports 443 or 80 for VPN as an /absolute last resort/, since doing so will prevent other web based apps from running on your server.
+
+* Usage
+
+When the installation is complete you can download your VPN keys and configuration files onto your local machine.
+
+#+begin_src bash
+scp -P 2222 myusername@mydomainname:/home/myusername/client.ovpn .
+scp -P 2222 myusername@mydomainname:/home/myusername/stunnel* .
+#+end_src
+
+You will need to ensure that the /openvpn/ and /stunnel/ packages are installed. On an Arch based system:
+
+#+begin_src bash
+sudp pacman -S openvpn stunnel4
+#+end_src
+
+Or on a Debian based system:
+
+#+begin_src bash
+sudo apt-get install openvpn stunnel4
+#+end_src
+
+Now you can connect to your VPN with:
+
+#+begin_src bash
+sudo stunnel stunnel-client.conf
+sudo openvpn client.ovpn
+#+end_src
+
+You should see a series of messages with "/Initialization Sequence Completed/" showing at the end. Leave the terminal open and perhaps minimize it to remain connected to the VPN. To leave the VPN close the terminal window.
+
+* Changing port number
+
+Avoiding censorship can be a cat and mouse game, and so if the port you're using for VPN gets blocked then you may want to change it.
+
+#+BEGIN_SRC bash
+ssh myusername@mydomainname -p 2222
+#+END_SRC
+
+Select *Administrator controls* then *App Settings* then *vpn*. Choose *Change TLS port* and enter a new port value. You can then either manually change the port within your VPN configuration files, or download them again as described in the [[Usage]] section above.
+
+* Generating new keys
+
+It's possible that your VPN keys might get lost or compromised on your local machine. If that happens you can generate new ones from the *Administrator controls* by going to *App Settings* then *vpn* then choosing *Regenerate keys for a user* and downloading the new keys as described in the [[Usage]] section above.

doc/EN/apps.org

@@ -154,6 +154,10 @@ A system for privately creating and sharing notes and images, similar to Evernot
 * Vim
 If you use the Mutt client to read your email then this will set it up to use vim for composing new mail.
 
+* Virtual Private Network (VPN)
+Set up a VPN on your server so that you can bypass local internet censorship.
+
+[[./app_vpn.html][How to use it]]
 * XMPP
 Chat server which can be used together with client such as Gajim or Conversations to provide end-to-end content security and also onion routed metadata security. Includes advanced features such as /client state notification/ to save battery power on your mobile devices, support for seamless roaming between networks and /message carbons/ so that you can receive the same messages while being simultaneously logged in to your account on more than one device.
 

src/freedombone-addcert

@@ -49,7 +49,7 @@ HOSTNAME=
 remove_cert=
 LETSENCRYPT_HOSTNAME=
 COUNTRY_CODE="US"
-AREA="Free Speech Zone"
+AREA="Apparent Free Speech Zone"
 LOCATION="Freedomville"
 ORGANISATION="Freedombone"
 UNIT="Freedombone Unit"

src/freedombone-app-vpn

@@ -9,11 +9,14 @@
 #                    Freedom in the Cloud
 #
 # VPN functions
+# https://www.digitalocean.com/community/tutorials/how-to-set-up-an-openvpn-server-on-debian-8
+# https://jamielinux.com/blog/force-all-network-traffic-through-openvpn-using-iptables/
+# http://www.farrellf.com/projects/software/2016-05-04_Running_a_VPN_Server_with_OpenVPN_and_Stunnel/index_.php
 #
 # License
 # =======
 #
-# Copyright (C) 2014-2016 Bob Mottram <bob@freedombone.net>
+# Copyright (C) 2014-2017 Bob Mottram <bob@freedombone.net>
 #
 # This program is free software: you can redistribute it and/or modify
 # it under the terms of the GNU Affero General Public License as published by
@@ -28,12 +31,31 @@
 # You should have received a copy of the GNU Affero General Public License
 # along with this program.  If not, see <http://www.gnu.org/licenses/>.
 
-VARIANTS=''
+VARIANTS='full full-vim'
 
 IN_DEFAULT_INSTALL=0
 SHOW_ON_ABOUT=0
 
-vpn_variables=()
+OPENVPN_SERVER_NAME="server"
+OPENVPN_KEY_FILENAME='client.ovpn'
+
+VPN_COUNTRY_CODE="US"
+VPN_AREA="Apparent Free Speech Zone"
+VPN_LOCATION="Freedomville"
+VPN_ORGANISATION="Freedombone"
+VPN_UNIT="Freedombone Unit"
+STUNNEL_PORT=3439
+VPN_TLS_PORT=553
+
+vpn_variables=(MY_EMAIL_ADDRESS
+               DEFAULT_DOMAIN_NAME
+               MY_USERNAME
+               VPN_COUNTRY_CODE
+               VPN_AREA
+               VPN_LOCATION
+               VPN_ORGANISATION
+               VPN_UNIT
+               VPN_TLS_PORT)
 
 function logging_on_vpn {
     echo -n ''
@@ -44,10 +66,135 @@ function logging_off_vpn {
 }
 
 function install_interactive_vpn {
-    echo -n ''
+    read_config_param VPN_TLS_PORT
+    if [ ! $VPN_TLS_PORT ]; then
+        VPN_TLS_PORT=553
+    fi
+    VPN_DETAILS_COMPLETE=
+    while [ ! $VPN_DETAILS_COMPLETE ]
+    do
+        data=$(tempfile 2>/dev/null)
+        trap "rm -f $data" 0 1 2 5 15
+        currtlsport=$(grep 'VPN_TLS_PORT' temp.cfg | awk -F '=' '{print $2}')
+        if [ $currtlsport ]; then
+            VPN_TLS_PORT=$currtlsport
+        fi
+        dialog --backtitle $"Freedombone Configuration" \
+               --title $"VPN Configuration" \
+               --form $"\nPlease enter your VPN details. Changing the port to 443 will help defend against censorship but will prevent other web apps from running." 12 65 1 \
+               $"TLS port:" 1 1 "$VPN_TLS_PORT" 1 12 5 5 \
+               2> $data
+        sel=$?
+        case $sel in
+            1) exit 1;;
+            255) exit 1;;
+        esac
+        tlsport=$(cat $data | sed -n 1p)
+        if [ ${#tlsport} -gt 1 ]; then
+            if [[ "$tlsport" != *' '* && "$tlsport" != *'.'* ]]; then
+                VPN_TLS_PORT="$tlsport"
+                VPN_DETAILS_COMPLETE="yes"
+                write_config_param "VPN_TLS_PORT" "$VPN_TLS_PORT"
+            fi
+        fi
+    done
+    clear
     APP_INSTALLED=1
 }
 
+function vpn_change_tls_port {
+    EXISTING_VPN_TLS_PORT=$VPN_TLS_PORT
+
+    data=$(tempfile 2>/dev/null)
+    trap "rm -f $data" 0 1 2 5 15
+    dialog --title $"VPN Configuration" \
+           --backtitle $"Freedombone Control Panel" \
+           --inputbox $'Change TLS port' 10 50 $VPN_TLS_PORT 2>$data
+    sel=$?
+    case $sel in
+        0)
+            tlsport=$(<$data)
+            if [ ${#tlsport} -gt 0 ]; then
+                if [[ "$tlsport" != "$EXISTING_VPN_TLS_PORT" ]]; then
+                    clear
+                    VPN_TLS_PORT=$tlsport
+                    write_config_param "VPN_TLS_PORT" "$VPN_TLS_PORT"
+                    sed -i "s|accept =.*|accept = $VPN_TLS_PORT|g" /etc/stunnel/stunnel.conf
+                    sed -i "s|accept =.*|accept = $VPN_TLS_PORT|g" /etc/stunnel/stunnel-client.conf
+
+                    for d in /home/*/ ; do
+                        USERNAME=$(echo "$d" | awk -F '/' '{print $3}')
+                        if [ -f /home/$USERNAME/stunnel-client.conf ]; then
+                            cp /etc/stunnel/stunnel-client.conf /home/$USERNAME/stunnel-client.conf
+                            chown $USERNAME:$USERNAME /home/$USERNAME/stunnel-client.conf
+                        fi
+                    done
+
+                    if [ $VPN_TLS_PORT -eq 443 ]; then
+                        systemctl stop nginx
+                        systemctl disable nginx
+                    else
+                        systemctl enable nginx
+                        systemctl restart nginx
+                    fi
+
+                    systemctl restart stunnel
+
+                    dialog --title $"VPN Configuration" \
+                           --msgbox $"TLS port changed to $VPN_TLS_PORT" 6 60
+                fi
+            fi
+            ;;
+    esac
+}
+
+function vpn_regenerate_client_keys {
+    data=$(tempfile 2>/dev/null)
+    trap "rm -f $data" 0 1 2 5 15
+    dialog --title $"Regenerate VPN keys for a user" \
+           --backtitle $"Freedombone Control Panel" \
+           --inputbox $'username' 10 50 2>$data
+    sel=$?
+    case $sel in
+        0)
+            USERNAME=$(<$data)
+            if [ ${#USERNAME} -gt 0 ]; then
+                if [ -d /home/$USERNAME ]; then
+                    clear
+                    create_user_vpn_key $USERNAME
+                    dialog --title $"Regenerate VPN keys for a user" \
+                           --msgbox $"VPN keys were regenerated for $USERNAME" 6 60
+                fi
+            fi
+            ;;
+    esac
+}
+
+function configure_interactive_vpn {
+    read_config_param VPN_TLS_PORT
+    while true
+    do
+        data=$(tempfile 2>/dev/null)
+        trap "rm -f $data" 0 1 2 5 15
+        dialog --backtitle $"Freedombone Control Panel" \
+               --title $"VPN Configuration" \
+               --radiolist $"Choose an operation:" 13 70 3 \
+               1 $"Change TLS port (currently $VPN_TLS_PORT)" off \
+               2 $"Regenerate keys for a user" off \
+               3 $"Exit" on 2> $data
+        sel=$?
+        case $sel in
+            1) return;;
+            255) return;;
+        esac
+        case $(cat $data) in
+            1) vpn_change_tls_port;;
+            2) vpn_regenerate_client_keys;;
+            3) break;;
+        esac
+    done
+}
+
 function reconfigure_vpn {
     echo -n ''
 }
@@ -57,40 +204,457 @@ function upgrade_vpn {
 }
 
 function backup_local_vpn {
-    echo -n ''
+    for d in /home/*/ ; do
+        USERNAME=$(echo "$d" | awk -F '/' '{print $3}')
+        if [ -f /home/$USERNAME/$OPENVPN_KEY_FILENAME ]; then
+            cp /home/$USERNAME/$OPENVPN_KEY_FILENAME /etc/openvpn/easy-rsa/keys/${USERNAME}_${OPENVPN_KEY_FILENAME}
+        fi
+    done
+
+    function_check backup_directory_to_usb
+    backup_directory_to_usb /etc/openvpn/easy-rsa/keys vpn
+    backup_directory_to_usb /etc/stunnel vpnstunnel
 }
 
 function restore_local_vpn {
-    echo -n ''
+    temp_restore_dir=/root/tempvpn
+    restore_directory_from_usb $temp_restore_dir vpn
+    if [ -d ${temp_restore_dir} ]; then
+        cp -r ${temp_restore_dir}/* /etc/openvpn/easy-rsa/keys
+        cp -r ${temp_restore_dir}/${OPENVPN_SERVER_NAME}* /etc/openvpn/
+        cp -r ${temp_restore_dir}/dh* /etc/openvpn/
+        rm -rf ${temp_restore_dir}
+
+        for d in /home/*/ ; do
+            USERNAME=$(echo "$d" | awk -F '/' '{print $3}')
+            if [ -f /etc/openvpn/easy-rsa/keys/${USERNAME}_${OPENVPN_KEY_FILENAME} ]; then
+                cp /etc/openvpn/easy-rsa/keys/${USERNAME}_${OPENVPN_KEY_FILENAME} /home/$USERNAME/$OPENVPN_KEY_FILENAME
+                chown $USERNAME:$USERNAME /home/$USERNAME/$OPENVPN_KEY_FILENAME
+            fi
+        done
+    fi
+    temp_restore_dir=/root/tempvpnstunnel
+    restore_directory_from_usb $temp_restore_dir vpnstunnel
+    if [ -d ${temp_restore_dir} ]; then
+        cp -r ${temp_restore_dir}/* /etc/stunnel
+        rm -rf ${temp_restore_dir}
+        for d in /home/*/ ; do
+            USERNAME=$(echo "$d" | awk -F '/' '{print $3}')
+            if [ -f /home/$USERNAME/stunnel.pem ]; then
+                cp /etc/stunnel/stunnel.pem /home/$USERNAME/stunnel.pem
+                chown $USERNAME:$USERNAME /home/$USERNAME/stunnel.pem
+            fi
+            if [ -f /home/$USERNAME/stunnel.p12 ]; then
+                cp /etc/stunnel/stunnel.p12 /home/$USERNAME/stunnel.p12
+                chown $USERNAME:$USERNAME /home/$USERNAME/stunnel.p12
+            fi
+        done
+    fi
 }
 
 function backup_remote_vpn {
-    echo -n ''
+    for d in /home/*/ ; do
+        USERNAME=$(echo "$d" | awk -F '/' '{print $3}')
+        if [ -f /home/$USERNAME/$OPENVPN_KEY_FILENAME ]; then
+            cp /home/$USERNAME/$OPENVPN_KEY_FILENAME /etc/openvpn/easy-rsa/keys/${USERNAME}_${OPENVPN_KEY_FILENAME}
+        fi
+    done
+
+    function_check backup_directory_to_friend
+    backup_directory_to_friend /etc/openvpn/easy-rsa/keys vpn
+    backup_directory_to_friend /etc/stunnel vpnstunnel
 }
 
 function restore_remote_vpn {
-    echo -n ''
+    temp_restore_dir=/root/tempvpn
+    restore_directory_from_friend $temp_restore_dir vpn
+    if [ -d ${temp_restore_dir} ]; then
+        cp -r ${temp_restore_dir}/* /etc/openvpn/easy-rsa/keys
+        cp -r ${temp_restore_dir}/${OPENVPN_SERVER_NAME}* /etc/openvpn/
+        cp -r ${temp_restore_dir}/dh* /etc/openvpn/
+        rm -rf ${temp_restore_dir}
+
+        for d in /home/*/ ; do
+            USERNAME=$(echo "$d" | awk -F '/' '{print $3}')
+            if [ -f /etc/openvpn/easy-rsa/keys/${USERNAME}_${OPENVPN_KEY_FILENAME} ]; then
+                cp /etc/openvpn/easy-rsa/keys/${USERNAME}_${OPENVPN_KEY_FILENAME} /home/$USERNAME/$OPENVPN_KEY_FILENAME
+                chown $USERNAME:$USERNAME /home/$USERNAME/$OPENVPN_KEY_FILENAME
+            fi
+        done
+    fi
+    temp_restore_dir=/root/tempvpnstunnel
+    restore_directory_from_friend $temp_restore_dir vpnstunnel
+    if [ -d ${temp_restore_dir} ]; then
+        cp -r ${temp_restore_dir}/* /etc/stunnel
+        rm -rf ${temp_restore_dir}
+        for d in /home/*/ ; do
+            USERNAME=$(echo "$d" | awk -F '/' '{print $3}')
+            if [ -f /home/$USERNAME/stunnel.pem ]; then
+                cp /etc/stunnel/stunnel.pem /home/$USERNAME/stunnel.pem
+                chown $USERNAME:$USERNAME /home/$USERNAME/stunnel.pem
+            fi
+            if [ -f /home/$USERNAME/stunnel.p12 ]; then
+                cp /etc/stunnel/stunnel.p12 /home/$USERNAME/stunnel.p12
+                chown $USERNAME:$USERNAME /home/$USERNAME/stunnel.p12
+            fi
+        done
+    fi
 }
 
 function remove_vpn {
-    apt-get -yq remove --purge fastd
+    systemctl stop stunnel
+    systemctl disable stunnel
+    rm /etc/systemd/system/stunnel.service
+
+    systemctl stop openvpn
+    if [ $VPN_TLS_PORT -ne 443 ]; then
+        firewall_remove VPN-TLS $VPN_TLS_PORT
+    else
+        systemctl enable nginx
+        systemctl restart nginx
+    fi
+
+    apt-get -yq remove --purge fastd openvpn easy-rsa
+    apt-get -yq remove stunnel4
+    if [ -d /etc/openvpn ]; then
+        rm -rf /etc/openvpn
+    fi
+    firewall_disable_vpn
+
+    echo 0 > /proc/sys/net/ipv4/ip_forward
+    sed -i 's|net.ipv4.ip_forward=.*|net.ipv4.ip_forward=0|g' /etc/sysctl.conf
+
     remove_completion_param install_vpn
+
+    # remove any client keys
+    for d in /home/*/ ; do
+        USERNAME=$(echo "$d" | awk -F '/' '{print $3}')
+        if [ -f /home/$USERNAME/$OPENVPN_KEY_FILENAME ]; then
+            shred -zu /home/$USERNAME/$OPENVPN_KEY_FILENAME
+        fi
+        rm /home/$USERNAME/stunnel*
+    done
+    userdel -f vpn
+    groupdel -f vpn
+
+    if [ -d /etc/stunnel ]; then
+        rm -rf /etc/stunnel
+    fi
+}
+
+function create_user_vpn_key {
+    username=$1
+
+    if [ ! -d /home/$username ]; then
+        return
+    fi
+
+    echo $"Creating VPN key for $username"
+
+    cd /etc/openvpn/easy-rsa
+
+    if [ -f /etc/openvpn/easy-rsa/keys/$username.crt ]; then
+        rm /etc/openvpn/easy-rsa/keys/$username.crt
+    fi
+    if [ -f /etc/openvpn/easy-rsa/keys/$username.key ]; then
+        rm /etc/openvpn/easy-rsa/keys/$username.key
+    fi
+    if [ -f /etc/openvpn/easy-rsa/keys/$username.csr ]; then
+        rm /etc/openvpn/easy-rsa/keys/$username.csr
+    fi
+
+    sed -i 's| --interact||g' build-key
+    ./build-key "$username"
+
+    if [ ! -f /etc/openvpn/easy-rsa/keys/$username.crt ]; then
+        echo $'VPN user cert not generated'
+        exit 783528
+    fi
+    user_cert=$(cat /etc/openvpn/easy-rsa/keys/$username.crt)
+    if [ ${#user_cert} -lt 10 ]; then
+        cat /etc/openvpn/easy-rsa/keys/$username.crt
+        echo $'User cert generation failed'
+        exit 634659
+    fi
+    if [ ! -f /etc/openvpn/easy-rsa/keys/$username.key ]; then
+        echo $'VPN user key not generated'
+        exit 682523
+    fi
+    user_key=$(cat /etc/openvpn/easy-rsa/keys/$username.key)
+    if [ ${#user_key} -lt 10 ]; then
+        cat /etc/openvpn/easy-rsa/keys/$username.key
+        echo $'User key generation failed'
+        exit 285838
+    fi
+
+    user_vpn_cert_file=/home/$username/$OPENVPN_KEY_FILENAME
+
+    echo 'client' > $user_vpn_cert_file
+    echo 'dev tun' >> $user_vpn_cert_file
+    echo 'proto tcp' >> $user_vpn_cert_file
+    echo "remote localhost $STUNNEL_PORT" >> $user_vpn_cert_file
+    echo "route $DEFAULT_DOMAIN_NAME 255.255.255.255 net_gateway" >> $user_vpn_cert_file
+    echo 'resolv-retry infinite' >> $user_vpn_cert_file
+    echo 'nobind' >> $user_vpn_cert_file
+    echo 'tun-mtu 1500' >> $user_vpn_cert_file
+    echo 'tun-mtu-extra 32' >> $user_vpn_cert_file
+    echo 'mssfix 1450' >> $user_vpn_cert_file
+    echo 'persist-key' >> $user_vpn_cert_file
+    echo 'persist-tun' >> $user_vpn_cert_file
+    echo 'auth-nocache' >> $user_vpn_cert_file
+    echo 'remote-cert-tls server' >> $user_vpn_cert_file
+    echo 'comp-lzo' >> $user_vpn_cert_file
+    echo 'verb 3' >> $user_vpn_cert_file
+    echo '' >> $user_vpn_cert_file
+
+    echo '<ca>' >> $user_vpn_cert_file
+    cat /etc/openvpn/ca.crt >> $user_vpn_cert_file
+    echo '</ca>' >> $user_vpn_cert_file
+
+    echo '<cert>' >> $user_vpn_cert_file
+    cat /etc/openvpn/easy-rsa/keys/$username.crt >> $user_vpn_cert_file
+    echo '</cert>' >> $user_vpn_cert_file
+
+    echo '<key>' >> $user_vpn_cert_file
+    cat /etc/openvpn/easy-rsa/keys/$username.key >> $user_vpn_cert_file
+    echo '</key>' >> $user_vpn_cert_file
+
+    chown $username:$username $user_vpn_cert_file
+
+    # keep a backup
+    cp $user_vpn_cert_file /etc/openvpn/easy-rsa/keys/$username.ovpn
+
+    #rm /etc/openvpn/easy-rsa/keys/$username.crt
+    #rm /etc/openvpn/easy-rsa/keys/$username.csr
+    shred -zu /etc/openvpn/easy-rsa/keys/$username.key
+
+    echo $"VPN key created at $user_vpn_cert_file"
+}
+
+function add_user_vpn {
+    new_username="$1"
+    new_user_password="$2"
+
+    create_user_vpn_key $new_username
+    if [ -f /etc/stunnel/stunnel.pem ]; then
+        cp /etc/stunnel/stunnel.pem /home/$new_username/stunnel.pem
+        chown $new_username:$new_username /home/$new_username/stunnel.pem
+    fi
+    if [ -f /etc/stunnel/stunnel.p12 ]; then
+        cp /etc/stunnel/stunnel.p12 /home/$new_username/stunnel.p12
+        chown $new_username:$new_username /home/$new_username/stunnel.p12
+    fi
+    cp /etc/stunnel/stunnel-client.conf /home/$new_username/stunnel-client.conf
+    chown $new_username:$new_username /home/$new_username/stunnel-client.conf
+}
+
+function remove_user_vpn {
+    new_username="$1"
+}
+
+function install_stunnel {
+    apt-get -yq install stunnel4
+
+    cd /etc/stunnel
+
+    openssl req -x509 -nodes -days 3650 -sha256 \
+            -subj "/O=$VPN_ORGANISATION/OU=$VPN_UNIT/C=$VPN_COUNTRY_CODE/ST=$VPN_AREA/L=$VPN_LOCATION/CN=$HOSTNAME" \
+            -newkey rsa:2048 -keyout key.pem \
+            -out cert.pem
+    if [ ! -f key.pem ]; then
+        echo $'stunnel key not created'
+        exit 793530
+    fi
+    if [ ! -f cert.pem ]; then
+        echo $'stunnel cert not created'
+        exit 204587
+    fi
+    chmod 400 key.pem
+    chmod 640 cert.pem
+
+    cat key.pem cert.pem >> stunnel.pem
+    chmod 640 stunnel.pem
+
+    openssl pkcs12 -export -out stunnel.p12 -inkey key.pem -in cert.pem -passout pass:
+    if [ ! -f stunnel.p12 ]; then
+        echo $'stunnel pkcs12 not created'
+        exit 639353
+    fi
+    chmod 640 stunnel.p12
+
+    echo 'chroot = /var/lib/stunnel4' > stunnel.conf
+    echo 'pid = /stunnel4.pid' >> stunnel.conf
+    echo 'setuid = stunnel4' >> stunnel.conf
+    echo 'setgid = stunnel4' >> stunnel.conf
+    echo 'socket = l:TCP_NODELAY=1' >> stunnel.conf
+    echo 'socket = r:TCP_NODELAY=1' >> stunnel.conf
+    echo 'cert = /etc/stunnel/stunnel.pem' >> stunnel.conf
+    echo '[openvpn]' >> stunnel.conf
+    echo "accept = $VPN_TLS_PORT" >> stunnel.conf
+    echo 'connect = localhost:1194' >> stunnel.conf
+    echo 'cert = /etc/stunnel/stunnel.pem' >> stunnel.conf
+
+    sed -i 's|ENABLED=.*|ENABLED=1|g' /etc/default/stunnel4
+
+    echo '[openvpn]' > stunnel-client.conf
+    echo 'client = yes' >> stunnel-client.conf
+    echo "accept = $STUNNEL_PORT" >> stunnel-client.conf
+    echo "connect = $DEFAULT_DOMAIN_NAME:$VPN_TLS_PORT" >> stunnel-client.conf
+    echo 'cert = stunnel.pem' >> stunnel-client.conf
+
+    echo '[Unit]' > /etc/systemd/system/stunnel.service
+    echo 'Description=SSL tunnel for network daemons' >> /etc/systemd/system/stunnel.service
+    echo 'Documentation=man:stunnel https://www.stunnel.org/docs.html' >> /etc/systemd/system/stunnel.service
+    echo 'DefaultDependencies=no' >> /etc/systemd/system/stunnel.service
+    echo 'After=network.target' >> /etc/systemd/system/stunnel.service
+    echo 'After=syslog.target' >> /etc/systemd/system/stunnel.service
+    echo '' >> /etc/systemd/system/stunnel.service
+    echo '[Install]' >> /etc/systemd/system/stunnel.service
+    echo 'WantedBy=multi-user.target' >> /etc/systemd/system/stunnel.service
+    echo 'Alias=stunnel.target' >> /etc/systemd/system/stunnel.service
+    echo '' >> /etc/systemd/system/stunnel.service
+    echo '[Service]' >> /etc/systemd/system/stunnel.service
+    echo 'Type=forking' >> /etc/systemd/system/stunnel.service
+    echo 'RuntimeDirectory=stunnel' >> /etc/systemd/system/stunnel.service
+    echo 'EnvironmentFile=-/etc/stunnel/stunnel.conf' >> /etc/systemd/system/stunnel.service
+    echo 'ExecStart=/usr/bin/stunnel /etc/stunnel/stunnel.conf' >> /etc/systemd/system/stunnel.service
+    echo 'ExecStop=/usr/bin/killall -9 stunnel' >> /etc/systemd/system/stunnel.service
+    echo 'RemainAfterExit=yes' >> /etc/systemd/system/stunnel.service
+
+    if [ $VPN_TLS_PORT -eq 443 ]; then
+        systemctl stop nginx
+        systemctl disable nginx
+    else
+        systemctl enable nginx
+        systemctl restart nginx
+    fi
+
+    systemctl enable stunnel
+    systemctl daemon-reload
+    systemctl start stunnel
+
+    cp /etc/stunnel/stunnel.pem /home/$MY_USERNAME/stunnel.pem
+    cp /etc/stunnel/stunnel.p12 /home/$MY_USERNAME/stunnel.p12
+    cp /etc/stunnel/stunnel-client.conf /home/$MY_USERNAME/stunnel-client.conf
+    chown $MY_USERNAME:$MY_USERNAME /home/$MY_USERNAME/stunnel*
 }
 
 function install_vpn {
-    if ! grep -q "repo.universe-factory.net" /etc/apt/sources.list; then
-        echo 'deb http://repo.universe-factory.net/debian/ sid main' >> /etc/apt/sources.list
-        gpg --keyserver pgpkeys.mit.edu --recv-key 16EF3F64CB201D9C
-        if [ ! "$?" = "0" ]; then
-            exit 76272
-        fi
-        gpg -a --export 16EF3F64CB201D9C | sudo apt-key add -
-        apt-get update
-        apt-get -yq install fastd
-        if [ ! "$?" = "0" ]; then
-            exit 52026
-        fi
+    apt-get -yq install fastd openvpn easy-rsa
+
+    groupadd vpn
+    useradd -r -s /bin/false -g vpn vpn
+
+    # server configuration
+    echo 'port 1194' > /etc/openvpn/server.conf
+    echo 'proto tcp' >> /etc/openvpn/server.conf
+    echo 'dev tun' >> /etc/openvpn/server.conf
+    echo 'tun-mtu 1500' >> /etc/openvpn/server.conf
+    echo 'tun-mtu-extra 32' >> /etc/openvpn/server.conf
+    echo 'mssfix 1450' >> /etc/openvpn/server.conf
+    echo 'ca /etc/openvpn/ca.crt' >> /etc/openvpn/server.conf
+    echo 'cert /etc/openvpn/server.crt' >> /etc/openvpn/server.conf
+    echo 'key /etc/openvpn/server.key' >> /etc/openvpn/server.conf
+    echo 'dh /etc/openvpn/dh2048.pem' >> /etc/openvpn/server.conf
+    echo 'server 10.8.0.0 255.255.255.0' >> /etc/openvpn/server.conf
+    echo 'push "redirect-gateway def1 bypass-dhcp"' >> /etc/openvpn/server.conf
+    echo "push \"dhcp-option DNS 85.214.73.63\"" >> /etc/openvpn/server.conf
+    echo "push \"dhcp-option DNS 213.73.91.35\"" >> /etc/openvpn/server.conf
+    echo 'keepalive 5 30' >> /etc/openvpn/server.conf
+    echo 'comp-lzo' >> /etc/openvpn/server.conf
+    echo 'persist-key' >> /etc/openvpn/server.conf
+    echo 'persist-tun' >> /etc/openvpn/server.conf
+    echo 'status /dev/null' >> /etc/openvpn/server.conf
+    echo 'verb 3' >> /etc/openvpn/server.conf
+    echo '' >> /etc/openvpn/server.conf
+
+    echo 1 > /proc/sys/net/ipv4/ip_forward
+    sed -i 's|# net.ipv4.ip_forward|net.ipv4.ip_forward|g' /etc/sysctl.conf
+    sed -i 's|#net.ipv4.ip_forward|net.ipv4.ip_forward|g' /etc/sysctl.conf
+    sed -i 's|net.ipv4.ip_forward.*|net.ipv4.ip_forward=1|g' /etc/sysctl.conf
+
+    cp -r /usr/share/easy-rsa/ /etc/openvpn
+    if [ ! -d /etc/openvpn/easy-rsa/keys ]; then
+        mkdir /etc/openvpn/easy-rsa/keys
+    fi
+
+    # keys configuration
+    sed -i "s|export KEY_COUNTRY.*|export KEY_COUNTRY=\"US\"|g" /etc/openvpn/easy-rsa/vars
+    sed -i "s|export KEY_PROVINCE.*|export KEY_PROVINCE=\"TX\"|g" /etc/openvpn/easy-rsa/vars
+    sed -i "s|export KEY_CITY.*|export KEY_CITY=\"Dallas\"|g" /etc/openvpn/easy-rsa/vars
+    sed -i "s|export KEY_ORG.*|export KEY_ORG=\"$PROJECT_NAME\"|g" /etc/openvpn/easy-rsa/vars
+    sed -i "s|export KEY_EMAIL.*|export KEY_EMAIL=\"$MY_EMAIL_ADDRESS\"|g" /etc/openvpn/easy-rsa/vars
+    sed -i "s|export KEY_OU=.*|export KEY_OU=\"MoonUnit\"|g" /etc/openvpn/easy-rsa/vars
+    sed -i "s|export KEY_NAME.*|export KEY_NAME=\"$OPENVPN_SERVER_NAME\"|g" /etc/openvpn/easy-rsa/vars
+
+    # generate host keys
+    if [ ! -f /etc/openvpn/dh2048.pem ]; then
+        openssl dhparam -out /etc/openvpn/dh2048.pem 2048
+    fi
+    if [ ! -f /etc/openvpn/dh2048.pem ]; then
+        echo $'vpn dhparams were not generated'
+        exit 73724523
+    fi
+    cp /etc/openvpn/dh2048.pem /etc/openvpn/easy-rsa/keys/dh2048.pem
+
+    cd /etc/openvpn/easy-rsa
+    . ./vars
+    ./clean-all
+    vpn_openssl_version='1.0.0'
+    if [ ! -f openssl-${vpn_openssl_version}.cnf ]; then
+        echo $"openssl-${vpn_openssl_version}.cnf was not found"
+        exit 7392353
+    fi
+    cp openssl-${vpn_openssl_version}.cnf openssl.cnf
+
+    if [ -f /etc/openvpn/easy-rsa/keys/${OPENVPN_SERVER_NAME}.crt ]; then
+        rm /etc/openvpn/easy-rsa/keys/${OPENVPN_SERVER_NAME}.crt
+    fi
+    if [ -f /etc/openvpn/easy-rsa/keys/${OPENVPN_SERVER_NAME}.key ]; then
+        rm /etc/openvpn/easy-rsa/keys/${OPENVPN_SERVER_NAME}.key
     fi
+    if [ -f /etc/openvpn/easy-rsa/keys/${OPENVPN_SERVER_NAME}.csr ]; then
+        rm /etc/openvpn/easy-rsa/keys/${OPENVPN_SERVER_NAME}.csr
+    fi
+    sed -i 's| --interact||g' build-key-server
+    sed -i 's| --interact||g' build-ca
+    ./build-ca
+    ./build-key-server $OPENVPN_SERVER_NAME
+    if [ ! -f /etc/openvpn/easy-rsa/keys/${OPENVPN_SERVER_NAME}.crt ]; then
+        echo $'OpenVPN crt not found'
+        exit 7823352
+    fi
+    server_cert=$(cat /etc/openvpn/easy-rsa/keys/${OPENVPN_SERVER_NAME}.crt)
+    if [ ${#server_cert} -lt 10 ]; then
+        cat /etc/openvpn/easy-rsa/keys/${OPENVPN_SERVER_NAME}.crt
+        echo $'Server cert generation failed'
+        exit 3284682
+    fi
+
+    if [ ! -f /etc/openvpn/easy-rsa/keys/${OPENVPN_SERVER_NAME}.key ]; then
+        echo $'OpenVPN key not found'
+        exit 6839436
+    fi
+    if [ ! -f /etc/openvpn/easy-rsa/keys/ca.key ]; then
+        echo $'OpenVPN ca not found'
+        exit 7935203
+    fi
+    cp /etc/openvpn/easy-rsa/keys/{$OPENVPN_SERVER_NAME.crt,$OPENVPN_SERVER_NAME.key,ca.crt} /etc/openvpn
+
+    create_user_vpn_key $MY_USERNAME
+
+    firewall_enable_vpn
+
+    if [ $VPN_TLS_PORT -ne 443 ]; then
+        firewall_add VPN-TLS $VPN_TLS_PORT tcp
+    fi
+
+    systemctl start openvpn
+
+    install_stunnel
+
+    systemctl restart openvpn
+
     APP_INSTALLED=1
 }
 

src/freedombone-controlpanel

@@ -519,7 +519,7 @@ function show_ip_addresses {
     echo $'IP/DNS addresses'
     echo '================'
     echo ''
-    echo -n "IPv4: $(get_ipv4_address)"
+    echo -n "IPv4: $(get_ipv4_address)/$(get_external_ipv4_address)"
     ipv6_address="$(get_ipv6_address)"
     if [ ${#ipv6_address} -gt 0 ]; then
         echo "    IPv6: ${ipv6_address}"

src/freedombone-utils-firewall

@@ -32,6 +32,8 @@
 
 FIREWALL_CONFIG=$HOME/${PROJECT_NAME}-firewall.cfg
 FIREWALL_DOMAINS=$HOME/${PROJECT_NAME}-firewall-domains.cfg
+FIREWALL_EIFACE=eth0
+EXTERNAL_IPV4_ADDRESS=
 
 function save_firewall_settings {
     iptables-save > /etc/firewall.conf
@@ -108,6 +110,30 @@ function enable_ipv6 {
     echo 1 > /proc/sys/net/ipv6/conf/all/forwarding
 }
 
+function firewall_disable_vpn {
+    firewall_remove VPN 1194
+    iptables -D INPUT -i ${FIREWALL_EIFACE} -m state --state NEW -p tcp --dport 1194 -j ACCEPT
+    iptables -D INPUT -i tun+ -j ACCEPT
+    iptables -D FORWARD -i tun+ -j ACCEPT
+    iptables -D FORWARD -i tun+ -o ${FIREWALL_EIFACE} -m state --state RELATED,ESTABLISHED -j ACCEPT
+    iptables -D FORWARD -i ${FIREWALL_EIFACE} -o tun+ -m state --state RELATED,ESTABLISHED -j ACCEPT
+    iptables -t nat -D POSTROUTING -s 10.8.0.0/24 -o ${FIREWALL_EIFACE} -j MASQUERADE
+    iptables -D OUTPUT -o tun+ -j ACCEPT
+    save_firewall_settings
+}
+
+function firewall_enable_vpn {
+    firewall_add VPN 1194 tcp
+    iptables -A INPUT -i ${FIREWALL_EIFACE} -m state --state NEW -p tcp --dport 1194 -j ACCEPT
+    iptables -A INPUT -i tun+ -j ACCEPT
+    iptables -A FORWARD -i tun+ -j ACCEPT
+    iptables -A FORWARD -i tun+ -o ${FIREWALL_EIFACE} -m state --state RELATED,ESTABLISHED -j ACCEPT
+    iptables -A FORWARD -i ${FIREWALL_EIFACE} -o tun+ -m state --state RELATED,ESTABLISHED -j ACCEPT
+    iptables -t nat -A POSTROUTING -s 10.8.0.0/24 -o ${FIREWALL_EIFACE} -j MASQUERADE
+    iptables -A OUTPUT -o tun+ -j ACCEPT
+    save_firewall_settings
+}
+
 function configure_firewall {
     if [ $INSTALLING_MESH ]; then
         mesh_firewall

src/freedombone-utils-network

@@ -31,6 +31,13 @@
 # If the system is on an IPv6 network
 IPV6_NETWORK='2001:470:26:307'
 
+# Destinations used to get the local IP address of this system
+# Google ipv6 DNS   2001:4860:4860::8888
+# OpenDNS ipv6 DNS  2620:0:ccc::2
+IPV4_ADDRESS_TEST_DESTINATION='85.214.73.63'
+IPV6_ADDRESS_TEST_DESTINATION='2620:0:ccc::2'
+EXTERNAL_IP_LOOKUP_URL='ifcfg.me'
+
 # The static IP address of the system within the local network
 # By default the IP address is dynamic within your LAN
 LOCAL_NETWORK_STATIC_IP_ADDRESS=
@@ -64,13 +71,31 @@ function install_static_network {
     mark_completed $FUNCNAME
 }
 
+function get_external_ipv4_address {
+    nslookup . $EXTERNAL_IP_LOOKUP_URL | grep Address | tail -n 1 | awk -F ' ' '{print $2}'
+}
+
 function get_ipv4_address {
-    IPv4dev=$(ip route get 8.8.8.8 | awk '{for(i=1;i<=NF;i++)if($i~/dev/)print $(i+1)}')
+    IPv4dev=$(ip route get $IPV4_ADDRESS_TEST_DESTINATION | awk '{for(i=1;i<=NF;i++)if($i~/dev/)print $(i+1)}')
     echo $(ip -o -f inet addr show dev "$IPv4dev" | awk '{print $4}' | awk 'END {print}' | awk -F '/' '{print $1}')
 }
 
 function get_ipv6_address {
-    echo $(ip -6 route get 2001:4860:4860::8888 | awk -F " " '{ for(i=1;i<=NF;i++) if ($i == "src") print $(i+1) }')
+    retval=$(ip -6 route get $IPV6_ADDRESS_TEST_DESTINATION 2> /dev/null)
+    echo $(echo "$retval" | awk -F " " '{ for(i=1;i<=NF;i++) if ($i == "src") print $(i+1) }')
+}
+
+function update_external_ip {
+    ip_update_script=/usr/bin/externalipupdate
+    echo '#!/bin/bash' >> $ip_update_script
+    echo "existing_ip=\$(cat $CONFIGURATION_FILE | grep \"EXTERNAL_IPV4_ADDRESS=\" | head -n 1 | awk -F '=' '{print \$2}')'" >> $ip_update_script
+    echo "curr_ip=\$(nslookup . $EXTERNAL_IP_LOOKUP_URL | grep Address | tail -n 1 | awk -F ' ' '{print \$2}')" >> $ip_update_script
+    echo 'if [[ "$curr_ip" != "$existing_ip" ]]; then' >> $ip_update_script
+    echo "  sed -i \"s|EXTERNAL_IPV4_ADDRESS=.*|EXTERNAL_IPV4_ADDRESS=\${curr_ip}|g\" $CONFIGURATION_FILE" >> $ip_update_script
+    echo "  echo \"\$(date)\" >> ~/${PROJECT_NAME}-external-ip-changes.txt" >> $ip_update_script
+    echo 'fi' >> $ip_update_script
+
+    cron_add_mins 10 $ip_update_script
 }
 
 # NOTE: deliberately no exit 0

website/EN/app_vpn.html

@@ -0,0 +1,390 @@
+<?xml version="1.0" encoding="utf-8"?>
+<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN"
+"http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
+<html xmlns="http://www.w3.org/1999/xhtml" lang="en" xml:lang="en">
+<head>
+<!-- 2017-09-27 Wed 17:58 -->
+<meta http-equiv="Content-Type" content="text/html;charset=utf-8" />
+<meta name="viewport" content="width=device-width, initial-scale=1" />
+<title>&lrm;</title>
+<meta name="generator" content="Org mode" />
+<meta name="author" content="Bob Mottram" />
+<meta name="description" content="How to use OpenVPN on Freedombone"
+ />
+<meta name="keywords" content="freedombone, openvpn" />
+<style type="text/css">
+ <!--/*--><![CDATA[/*><!--*/
+  .title  { text-align: center;
+             margin-bottom: .2em; }
+  .subtitle { text-align: center;
+              font-size: medium;
+              font-weight: bold;
+              margin-top:0; }
+  .todo   { font-family: monospace; color: red; }
+  .done   { font-family: monospace; color: green; }
+  .priority { font-family: monospace; color: orange; }
+  .tag    { background-color: #eee; font-family: monospace;
+            padding: 2px; font-size: 80%; font-weight: normal; }
+  .timestamp { color: #bebebe; }
+  .timestamp-kwd { color: #5f9ea0; }
+  .org-right  { margin-left: auto; margin-right: 0px;  text-align: right; }
+  .org-left   { margin-left: 0px;  margin-right: auto; text-align: left; }
+  .org-center { margin-left: auto; margin-right: auto; text-align: center; }
+  .underline { text-decoration: underline; }
+  #postamble p, #preamble p { font-size: 90%; margin: .2em; }
+  p.verse { margin-left: 3%; }
+  pre {
+    border: 1px solid #ccc;
+    box-shadow: 3px 3px 3px #eee;
+    padding: 8pt;
+    font-family: monospace;
+    overflow: auto;
+    margin: 1.2em;
+  }
+  pre.src {
+    position: relative;
+    overflow: visible;
+    padding-top: 1.2em;
+  }
+  pre.src:before {
+    display: none;
+    position: absolute;
+    background-color: white;
+    top: -10px;
+    right: 10px;
+    padding: 3px;
+    border: 1px solid black;
+  }
+  pre.src:hover:before { display: inline;}
+  /* Languages per Org manual */
+  pre.src-asymptote:before { content: 'Asymptote'; }
+  pre.src-awk:before { content: 'Awk'; }
+  pre.src-C:before { content: 'C'; }
+  /* pre.src-C++ doesn't work in CSS */
+  pre.src-clojure:before { content: 'Clojure'; }
+  pre.src-css:before { content: 'CSS'; }
+  pre.src-D:before { content: 'D'; }
+  pre.src-ditaa:before { content: 'ditaa'; }
+  pre.src-dot:before { content: 'Graphviz'; }
+  pre.src-calc:before { content: 'Emacs Calc'; }
+  pre.src-emacs-lisp:before { content: 'Emacs Lisp'; }
+  pre.src-fortran:before { content: 'Fortran'; }
+  pre.src-gnuplot:before { content: 'gnuplot'; }
+  pre.src-haskell:before { content: 'Haskell'; }
+  pre.src-hledger:before { content: 'hledger'; }
+  pre.src-java:before { content: 'Java'; }
+  pre.src-js:before { content: 'Javascript'; }
+  pre.src-latex:before { content: 'LaTeX'; }
+  pre.src-ledger:before { content: 'Ledger'; }
+  pre.src-lisp:before { content: 'Lisp'; }
+  pre.src-lilypond:before { content: 'Lilypond'; }
+  pre.src-lua:before { content: 'Lua'; }
+  pre.src-matlab:before { content: 'MATLAB'; }
+  pre.src-mscgen:before { content: 'Mscgen'; }
+  pre.src-ocaml:before { content: 'Objective Caml'; }
+  pre.src-octave:before { content: 'Octave'; }
+  pre.src-org:before { content: 'Org mode'; }
+  pre.src-oz:before { content: 'OZ'; }
+  pre.src-plantuml:before { content: 'Plantuml'; }
+  pre.src-processing:before { content: 'Processing.js'; }
+  pre.src-python:before { content: 'Python'; }
+  pre.src-R:before { content: 'R'; }
+  pre.src-ruby:before { content: 'Ruby'; }
+  pre.src-sass:before { content: 'Sass'; }
+  pre.src-scheme:before { content: 'Scheme'; }
+  pre.src-screen:before { content: 'Gnu Screen'; }
+  pre.src-sed:before { content: 'Sed'; }
+  pre.src-sh:before { content: 'shell'; }
+  pre.src-sql:before { content: 'SQL'; }
+  pre.src-sqlite:before { content: 'SQLite'; }
+  /* additional languages in org.el's org-babel-load-languages alist */
+  pre.src-forth:before { content: 'Forth'; }
+  pre.src-io:before { content: 'IO'; }
+  pre.src-J:before { content: 'J'; }
+  pre.src-makefile:before { content: 'Makefile'; }
+  pre.src-maxima:before { content: 'Maxima'; }
+  pre.src-perl:before { content: 'Perl'; }
+  pre.src-picolisp:before { content: 'Pico Lisp'; }
+  pre.src-scala:before { content: 'Scala'; }
+  pre.src-shell:before { content: 'Shell Script'; }
+  pre.src-ebnf2ps:before { content: 'ebfn2ps'; }
+  /* additional language identifiers per "defun org-babel-execute"
+       in ob-*.el */
+  pre.src-cpp:before  { content: 'C++'; }
+  pre.src-abc:before  { content: 'ABC'; }
+  pre.src-coq:before  { content: 'Coq'; }
+  pre.src-groovy:before  { content: 'Groovy'; }
+  /* additional language identifiers from org-babel-shell-names in
+     ob-shell.el: ob-shell is the only babel language using a lambda to put
+     the execution function name together. */
+  pre.src-bash:before  { content: 'bash'; }
+  pre.src-csh:before  { content: 'csh'; }
+  pre.src-ash:before  { content: 'ash'; }
+  pre.src-dash:before  { content: 'dash'; }
+  pre.src-ksh:before  { content: 'ksh'; }
+  pre.src-mksh:before  { content: 'mksh'; }
+  pre.src-posh:before  { content: 'posh'; }
+  /* Additional Emacs modes also supported by the LaTeX listings package */
+  pre.src-ada:before { content: 'Ada'; }
+  pre.src-asm:before { content: 'Assembler'; }
+  pre.src-caml:before { content: 'Caml'; }
+  pre.src-delphi:before { content: 'Delphi'; }
+  pre.src-html:before { content: 'HTML'; }
+  pre.src-idl:before { content: 'IDL'; }
+  pre.src-mercury:before { content: 'Mercury'; }
+  pre.src-metapost:before { content: 'MetaPost'; }
+  pre.src-modula-2:before { content: 'Modula-2'; }
+  pre.src-pascal:before { content: 'Pascal'; }
+  pre.src-ps:before { content: 'PostScript'; }
+  pre.src-prolog:before { content: 'Prolog'; }
+  pre.src-simula:before { content: 'Simula'; }
+  pre.src-tcl:before { content: 'tcl'; }
+  pre.src-tex:before { content: 'TeX'; }
+  pre.src-plain-tex:before { content: 'Plain TeX'; }
+  pre.src-verilog:before { content: 'Verilog'; }
+  pre.src-vhdl:before { content: 'VHDL'; }
+  pre.src-xml:before { content: 'XML'; }
+  pre.src-nxml:before { content: 'XML'; }
+  /* add a generic configuration mode; LaTeX export needs an additional
+     (add-to-list 'org-latex-listings-langs '(conf " ")) in .emacs */
+  pre.src-conf:before { content: 'Configuration File'; }
+
+  table { border-collapse:collapse; }
+  caption.t-above { caption-side: top; }
+  caption.t-bottom { caption-side: bottom; }
+  td, th { vertical-align:top;  }
+  th.org-right  { text-align: center;  }
+  th.org-left   { text-align: center;   }
+  th.org-center { text-align: center; }
+  td.org-right  { text-align: right;  }
+  td.org-left   { text-align: left;   }
+  td.org-center { text-align: center; }
+  dt { font-weight: bold; }
+  .footpara { display: inline; }
+  .footdef  { margin-bottom: 1em; }
+  .figure { padding: 1em; }
+  .figure p { text-align: center; }
+  .inlinetask {
+    padding: 10px;
+    border: 2px solid gray;
+    margin: 10px;
+    background: #ffffcc;
+  }
+  #org-div-home-and-up
+   { text-align: right; font-size: 70%; white-space: nowrap; }
+  textarea { overflow-x: auto; }
+  .linenr { font-size: smaller }
+  .code-highlighted { background-color: #ffff00; }
+  .org-info-js_info-navigation { border-style: none; }
+  #org-info-js_console-label
+    { font-size: 10px; font-weight: bold; white-space: nowrap; }
+  .org-info-js_search-highlight
+    { background-color: #ffff00; color: #000000; font-weight: bold; }
+  .org-svg { width: 90%; }
+  /*]]>*/-->
+</style>
+<link rel="stylesheet" type="text/css" href="freedombone.css" />
+<script type="text/javascript">
+/*
+@licstart  The following is the entire license notice for the
+JavaScript code in this tag.
+
+Copyright (C) 2012-2017 Free Software Foundation, Inc.
+
+The JavaScript code in this tag is free software: you can
+redistribute it and/or modify it under the terms of the GNU
+General Public License (GNU GPL) as published by the Free Software
+Foundation, either version 3 of the License, or (at your option)
+any later version.  The code is distributed WITHOUT ANY WARRANTY;
+without even the implied warranty of MERCHANTABILITY or FITNESS
+FOR A PARTICULAR PURPOSE.  See the GNU GPL for more details.
+
+As additional permission under GNU GPL version 3 section 7, you
+may distribute non-source (e.g., minimized or compacted) forms of
+that code without the copy of the GNU GPL normally required by
+section 4, provided you include this license notice and a URL
+through which recipients can access the Corresponding Source.
+
+
+@licend  The above is the entire license notice
+for the JavaScript code in this tag.
+*/
+<!--/*--><![CDATA[/*><!--*/
+ function CodeHighlightOn(elem, id)
+ {
+   var target = document.getElementById(id);
+   if(null != target) {
+     elem.cacheClassElem = elem.className;
+     elem.cacheClassTarget = target.className;
+     target.className = "code-highlighted";
+     elem.className   = "code-highlighted";
+   }
+ }
+ function CodeHighlightOff(elem, id)
+ {
+   var target = document.getElementById(id);
+   if(elem.cacheClassElem)
+     elem.className = elem.cacheClassElem;
+   if(elem.cacheClassTarget)
+     target.className = elem.cacheClassTarget;
+ }
+/*]]>*///-->
+</script>
+</head>
+<body>
+<div id="preamble" class="status">
+<a name="top" id="top"></a>
+</div>
+<div id="content">
+<div class="org-center">
+
+<div class="figure">
+<p><img src="images/logo.png" alt="logo.png" />
+</p>
+</div>
+</div>
+
+<center>
+<h1>OpenVPN</h1>
+</center>
+
+<blockquote>
+<p>
+"<i>The Net interprets censorship as damage and routes around it.</i>" &#x2013; John Gilmore
+</p>
+</blockquote>
+
+<p>
+A Virtual Private Network (VPN) allows you to move your internet traffic to a different machine in a different geographical location by creating a private cryptographically protected route to that location. The usual use cases are to get around local censorship of the internet such as when you see the message "<i>this content is not available in your area</i>" when trying to play a video. Maybe you're on holiday and your hotel or workplace internet connection is censored. Using a VPN you can connect to your home server and then use the internet normally.
+</p>
+
+<p>
+Using a Tor browser is another way to get around censorship, but there might be occasions where you don't want to use a Tor browser or where Tor relays and bridges are blocked or where you want to run internet apps which aren't within a browser.
+</p>
+
+<p>
+On Freedombone the VPN is wrapped within a TLS layer of encryption, making it difficult for any deep packet inspection systems to know whether you are using a VPN or not. Since there is lots of TLS traffic on the internet your connection looks like any other TLS connection to a server, and this may help to avoid being censored. It's probably not possible for your local ISP to block TLS traffic without immediately generating a lot of irate customers, and stopping any kind of commercial activity.
+</p>
+
+<div id="outline-container-org778c839" class="outline-2">
+<h2 id="org778c839">Installation</h2>
+<div class="outline-text-2" id="text-org778c839">
+<p>
+ssh into the system with:
+</p>
+
+<div class="org-src-container">
+<pre class="src src-bash">ssh myusername@mydomainname -p 2222
+</pre>
+</div>
+
+<p>
+Select <b>Administrator controls</b> then <b>Add/Remove apps</b> then <b>vpn</b>. Choose the port which you want the VPN to operate on and then the install will continue.
+</p>
+
+<p>
+Only use ports 443 or 80 for VPN as an <i>absolute last resort</i>, since doing so will prevent other web based apps from running on your server.
+</p>
+</div>
+</div>
+
+<div id="outline-container-org2cfcc49" class="outline-2">
+<h2 id="org2cfcc49">Usage</h2>
+<div class="outline-text-2" id="text-org2cfcc49">
+<p>
+When the installation is complete you can download your VPN keys and configuration files onto your local machine.
+</p>
+
+<div class="org-src-container">
+<pre class="src src-bash">scp -P 2222 myusername@mydomainname:/home/myusername/client.ovpn .
+scp -P 2222 myusername@mydomainname:/home/myusername/stunnel* .
+</pre>
+</div>
+
+<p>
+You will need to ensure that the <i>openvpn</i> and <i>stunnel</i> packages are installed. On an Arch based system:
+</p>
+
+<div class="org-src-container">
+<pre class="src src-bash">sudp pacman -S openvpn stunnel4
+</pre>
+</div>
+
+<p>
+Or on a Debian based system:
+</p>
+
+<div class="org-src-container">
+<pre class="src src-bash">sudo apt-get install openvpn stunnel4
+</pre>
+</div>
+
+<p>
+Now you can connect to your VPN with:
+</p>
+
+<div class="org-src-container">
+<pre class="src src-bash">sudo stunnel stunnel-client.conf
+sudo openvpn client.ovpn
+</pre>
+</div>
+
+<p>
+You should see a series of messages with "<i>Initialization Sequence Completed</i>" showing at the end. Leave the terminal open and perhaps minimize it to remain connected to the VPN. To leave the VPN close the terminal window.
+</p>
+</div>
+</div>
+
+<div id="outline-container-orgc7282cd" class="outline-2">
+<h2 id="orgc7282cd">Changing port number</h2>
+<div class="outline-text-2" id="text-orgc7282cd">
+<p>
+Avoiding censorship can be a cat and mouse game, and so if the port you're using for VPN gets blocked then you may want to change it.
+</p>
+
+<div class="org-src-container">
+<pre class="src src-bash">ssh myusername@mydomainname -p 2222
+</pre>
+</div>
+
+<p>
+Select <b>Administrator controls</b> then <b>App Settings</b> then <b>vpn</b>. Choose <b>Change TLS port</b> and enter a new port value. You can then either manually change the port within your VPN configuration files, or download them again as described in the <a href="#org2cfcc49">Usage</a> section above.
+</p>
+</div>
+</div>
+
+<div id="outline-container-orgbe4ddea" class="outline-2">
+<h2 id="orgbe4ddea">Generating new keys</h2>
+<div class="outline-text-2" id="text-orgbe4ddea">
+<p>
+It's possible that your VPN keys might get lost or compromised on your local machine. If that happens you can generate new ones from the <b>Administrator controls</b> by going to <b>App Settings</b> then <b>vpn</b> then choosing <b>Regenerate keys for a user</b> and downloading the new keys as described in the <a href="#org2cfcc49">Usage</a> section above.
+</p>
+</div>
+</div>
+</div>
+<div id="postamble" class="status">
+
+<style type="text/css">
+.back-to-top {
+    position: fixed;
+    bottom: 2em;
+    right: 0px;
+    text-decoration: none;
+    color: #000000;
+    background-color: rgba(235, 235, 235, 0.80);
+    font-size: 12px;
+    padding: 1em;
+    display: none;
+}
+
+.back-to-top:hover {
+    background-color: rgba(135, 135, 135, 0.50);
+}
+</style>
+
+<div class="back-to-top">
+<a href="#top">Back to top</a> | <a href="mailto:bob@freedombone.net">E-mail me</a>
+</div>
+</div>
+</body>
+</html>

website/EN/apps.html

@@ -3,10 +3,10 @@
 "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
 <html xmlns="http://www.w3.org/1999/xhtml" lang="en" xml:lang="en">
 <head>
-<!-- 2017-07-28 Fri 22:42 -->
+<!-- 2017-09-27 Wed 17:45 -->
 <meta http-equiv="Content-Type" content="text/html;charset=utf-8" />
 <meta name="viewport" content="width=device-width, initial-scale=1" />
-<title></title>
+<title>&lrm;</title>
 <meta name="generator" content="Org mode" />
 <meta name="author" content="Bob Mottram" />
 <meta name="description" content="List of apps available on freedombone"
@@ -264,9 +264,9 @@ The base install of the system just contains an email server and Mutt client, bu
 </div>
 </div>
 
-<div id="outline-container-orgbe17d63" class="outline-2">
-<h2 id="orgbe17d63">CryptPad</h2>
-<div class="outline-text-2" id="text-orgbe17d63">
+<div id="outline-container-orge12e0d4" class="outline-2">
+<h2 id="orge12e0d4">CryptPad</h2>
+<div class="outline-text-2" id="text-orge12e0d4">
 <p>
 Collaborate on editing documents, presentations and source code, or vote on things. All with a good level of security.
 </p>
@@ -276,9 +276,9 @@ Collaborate on editing documents, presentations and source code, or vote on thin
 </p>
 </div>
 </div>
-<div id="outline-container-orgeb85cd1" class="outline-2">
-<h2 id="orgeb85cd1">DLNA</h2>
-<div class="outline-text-2" id="text-orgeb85cd1">
+<div id="outline-container-orgaaead32" class="outline-2">
+<h2 id="orgaaead32">DLNA</h2>
+<div class="outline-text-2" id="text-orgaaead32">
 <p>
 Enables you to use the system as a music server which any DLNA compatible devices can connect to within your home network.
 </p>
@@ -288,9 +288,9 @@ Enables you to use the system as a music server which any DLNA compatible device
 </p>
 </div>
 </div>
-<div id="outline-container-orge7dce56" class="outline-2">
-<h2 id="orge7dce56">Dokuwiki</h2>
-<div class="outline-text-2" id="text-orge7dce56">
+<div id="outline-container-orga0c144d" class="outline-2">
+<h2 id="orga0c144d">Dokuwiki</h2>
+<div class="outline-text-2" id="text-orga0c144d">
 <p>
 A databaseless wiki system.
 </p>
@@ -300,9 +300,9 @@ A databaseless wiki system.
 </p>
 </div>
 </div>
-<div id="outline-container-org16980fe" class="outline-2">
-<h2 id="org16980fe">Emacs</h2>
-<div class="outline-text-2" id="text-org16980fe">
+<div id="outline-container-orgad65042" class="outline-2">
+<h2 id="orgad65042">Emacs</h2>
+<div class="outline-text-2" id="text-orgad65042">
 <p>
 If you use the Mutt client to read your email then this will set it up to use emacs for composing new mail.
 </p>
@@ -312,9 +312,9 @@ If you use the Mutt client to read your email then this will set it up to use em
 </p>
 </div>
 </div>
-<div id="outline-container-orge6eede4" class="outline-2">
-<h2 id="orge6eede4">Etherpad</h2>
-<div class="outline-text-2" id="text-orge6eede4">
+<div id="outline-container-org7ba525b" class="outline-2">
+<h2 id="org7ba525b">Etherpad</h2>
+<div class="outline-text-2" id="text-org7ba525b">
 <p>
 Collaborate on creating documents in real time. Maybe you're planning a holiday with other family members or creating documentation for a Free Software project along with other volunteers. Etherpad is hard to beat for simplicity and speed. Only users of the system will be able to access it.
 </p>
@@ -324,9 +324,9 @@ Collaborate on creating documents in real time. Maybe you're planning a holiday
 </p>
 </div>
 </div>
-<div id="outline-container-org72aea62" class="outline-2">
-<h2 id="org72aea62">Friendica</h2>
-<div class="outline-text-2" id="text-org72aea62">
+<div id="outline-container-orgb7656a4" class="outline-2">
+<h2 id="orgb7656a4">Friendica</h2>
+<div class="outline-text-2" id="text-orgb7656a4">
 <p>
 Federated social network system.
 </p>
@@ -336,9 +336,9 @@ Federated social network system.
 </p>
 </div>
 </div>
-<div id="outline-container-org75bbd1d" class="outline-2">
-<h2 id="org75bbd1d">Ghost</h2>
-<div class="outline-text-2" id="text-org75bbd1d">
+<div id="outline-container-org9b12dc6" class="outline-2">
+<h2 id="org9b12dc6">Ghost</h2>
+<div class="outline-text-2" id="text-org9b12dc6">
 <p>
 Modern looking blogging system.
 </p>
@@ -348,9 +348,9 @@ Modern looking blogging system.
 </p>
 </div>
 </div>
-<div id="outline-container-org879241a" class="outline-2">
-<h2 id="org879241a">GNU Social</h2>
-<div class="outline-text-2" id="text-org879241a">
+<div id="outline-container-org507ecb0" class="outline-2">
+<h2 id="org507ecb0">GNU Social</h2>
+<div class="outline-text-2" id="text-org507ecb0">
 <p>
 Federated social network. You can "<i>remote follow</i>" other users within the GNU Social federation.
 </p>
@@ -360,9 +360,9 @@ Federated social network. You can "<i>remote follow</i>" other users within the
 </p>
 </div>
 </div>
-<div id="outline-container-org0c63c0d" class="outline-2">
-<h2 id="org0c63c0d">Gogs</h2>
-<div class="outline-text-2" id="text-org0c63c0d">
+<div id="outline-container-org8309404" class="outline-2">
+<h2 id="org8309404">Gogs</h2>
+<div class="outline-text-2" id="text-org8309404">
 <p>
 Lightweight git project hosting system. You can mirror projects from Github, or if Github turns evil then just host your own projects while retaining the familiar <i>fork-and-pull</i> workflow. If you can use Github then you can also use Gogs.
 </p>
@@ -372,9 +372,9 @@ Lightweight git project hosting system. You can mirror projects from Github, or
 </p>
 </div>
 </div>
-<div id="outline-container-org8d5a195" class="outline-2">
-<h2 id="org8d5a195">HTMLy</h2>
-<div class="outline-text-2" id="text-org8d5a195">
+<div id="outline-container-orgc12018c" class="outline-2">
+<h2 id="orgc12018c">HTMLy</h2>
+<div class="outline-text-2" id="text-orgc12018c">
 <p>
 Databaseless blogging system. Quite simple and with a markdown-like format.
 </p>
@@ -384,9 +384,9 @@ Databaseless blogging system. Quite simple and with a markdown-like format.
 </p>
 </div>
 </div>
-<div id="outline-container-orgbc0a684" class="outline-2">
-<h2 id="orgbc0a684">Hubzilla</h2>
-<div class="outline-text-2" id="text-orgbc0a684">
+<div id="outline-container-org7c97a23" class="outline-2">
+<h2 id="org7c97a23">Hubzilla</h2>
+<div class="outline-text-2" id="text-org7c97a23">
 <p>
 Web publishing platform with social network like features and good privacy controls so that it's possible to specify who can see which content. Includes photo albums, calendar, wiki and file storage.
 </p>
@@ -396,9 +396,9 @@ Web publishing platform with social network like features and good privacy contr
 </p>
 </div>
 </div>
-<div id="outline-container-org4f18360" class="outline-2">
-<h2 id="org4f18360">IRC Server (ngirc)</h2>
-<div class="outline-text-2" id="text-org4f18360">
+<div id="outline-container-org15dcaac" class="outline-2">
+<h2 id="org15dcaac">IRC Server (ngirc)</h2>
+<div class="outline-text-2" id="text-org15dcaac">
 <p>
 Run your own IRC chat channel which can be secured with a password and accessible via an onion address. A bouncer is included so that you can receive messages sent while you were offline. Works with Hexchat and other popular clients.
 </p>
@@ -408,18 +408,18 @@ Run your own IRC chat channel which can be secured with a password and accessibl
 </p>
 </div>
 </div>
-<div id="outline-container-orgc105f39" class="outline-2">
-<h2 id="orgc105f39">Jitsi Meet</h2>
-<div class="outline-text-2" id="text-orgc105f39">
+<div id="outline-container-orga195719" class="outline-2">
+<h2 id="orga195719">Jitsi Meet</h2>
+<div class="outline-text-2" id="text-orga195719">
 <p>
 Experimental WebRTC video conferencing system, similar to Google Hangouts. This may not be fully functional, but is hoped to be in the near future.
 </p>
 </div>
 </div>
 
-<div id="outline-container-org10fbc88" class="outline-2">
-<h2 id="org10fbc88">KanBoard</h2>
-<div class="outline-text-2" id="text-org10fbc88">
+<div id="outline-container-org67269ac" class="outline-2">
+<h2 id="org67269ac">KanBoard</h2>
+<div class="outline-text-2" id="text-org67269ac">
 <p>
 A simple kanban system for managing projects or TODO lists.
 </p>
@@ -429,9 +429,9 @@ A simple kanban system for managing projects or TODO lists.
 </p>
 </div>
 </div>
-<div id="outline-container-orgb3097e7" class="outline-2">
-<h2 id="orgb3097e7">Key Server</h2>
-<div class="outline-text-2" id="text-orgb3097e7">
+<div id="outline-container-org5db580b" class="outline-2">
+<h2 id="org5db580b">Key Server</h2>
+<div class="outline-text-2" id="text-org5db580b">
 <p>
 An OpenPGP key server for storing and retrieving GPG public keys.
 </p>
@@ -441,9 +441,9 @@ An OpenPGP key server for storing and retrieving GPG public keys.
 </p>
 </div>
 </div>
-<div id="outline-container-orga3542ee" class="outline-2">
-<h2 id="orga3542ee">Koel</h2>
-<div class="outline-text-2" id="text-orga3542ee">
+<div id="outline-container-org6675f8f" class="outline-2">
+<h2 id="org6675f8f">Koel</h2>
+<div class="outline-text-2" id="text-org6675f8f">
 <p>
 Access your music collection from any internet connected device.
 </p>
@@ -453,9 +453,9 @@ Access your music collection from any internet connected device.
 </p>
 </div>
 </div>
-<div id="outline-container-orga662c8f" class="outline-2">
-<h2 id="orga662c8f">Lychee</h2>
-<div class="outline-text-2" id="text-orga662c8f">
+<div id="outline-container-orgdfd8572" class="outline-2">
+<h2 id="orgdfd8572">Lychee</h2>
+<div class="outline-text-2" id="text-orgdfd8572">
 <p>
 Make your photo albums available on the web.
 </p>
@@ -465,9 +465,9 @@ Make your photo albums available on the web.
 </p>
 </div>
 </div>
-<div id="outline-container-orgccf23ee" class="outline-2">
-<h2 id="orgccf23ee">Mailpile</h2>
-<div class="outline-text-2" id="text-orgccf23ee">
+<div id="outline-container-org5f70509" class="outline-2">
+<h2 id="org5f70509">Mailpile</h2>
+<div class="outline-text-2" id="text-org5f70509">
 <p>
 Modern email client which supports GPG encryption.
 </p>
@@ -477,9 +477,9 @@ Modern email client which supports GPG encryption.
 </p>
 </div>
 </div>
-<div id="outline-container-orgdee374a" class="outline-2">
-<h2 id="orgdee374a">Matrix</h2>
-<div class="outline-text-2" id="text-orgdee374a">
+<div id="outline-container-orgacaf2b5" class="outline-2">
+<h2 id="orgacaf2b5">Matrix</h2>
+<div class="outline-text-2" id="text-orgacaf2b5">
 <p>
 Multi-user chat with some security and moderation controls.
 </p>
@@ -489,9 +489,9 @@ Multi-user chat with some security and moderation controls.
 </p>
 </div>
 </div>
-<div id="outline-container-org7faaca0" class="outline-2">
-<h2 id="org7faaca0">Mediagoblin</h2>
-<div class="outline-text-2" id="text-org7faaca0">
+<div id="outline-container-org4c6673d" class="outline-2">
+<h2 id="org4c6673d">Mediagoblin</h2>
+<div class="outline-text-2" id="text-org4c6673d">
 <p>
 Publicly host video and audio files so that you don't need to use YouTube/Vimeo/etc.
 </p>
@@ -501,9 +501,9 @@ Publicly host video and audio files so that you don't need to use YouTube/Vimeo/
 </p>
 </div>
 </div>
-<div id="outline-container-orgfa87291" class="outline-2">
-<h2 id="orgfa87291">Mumble</h2>
-<div class="outline-text-2" id="text-orgfa87291">
+<div id="outline-container-org5778590" class="outline-2">
+<h2 id="org5778590">Mumble</h2>
+<div class="outline-text-2" id="text-org5778590">
 <p>
 The popular VoIP and text chat system. Say goodbye to old-fashioned telephony conferences with silly dial codes. Also works well on mobile.
 </p>
@@ -513,9 +513,9 @@ The popular VoIP and text chat system. Say goodbye to old-fashioned telephony co
 </p>
 </div>
 </div>
-<div id="outline-container-org88bc444" class="outline-2">
-<h2 id="org88bc444">NextCloud</h2>
-<div class="outline-text-2" id="text-org88bc444">
+<div id="outline-container-orgbecac51" class="outline-2">
+<h2 id="orgbecac51">NextCloud</h2>
+<div class="outline-text-2" id="text-orgbecac51">
 <p>
 Store files on your server and sync them with laptops or mobile devices. Includes many plugins including videoconferencing and collaborative document editing.
 </p>
@@ -525,9 +525,9 @@ Store files on your server and sync them with laptops or mobile devices. Include
 </p>
 </div>
 </div>
-<div id="outline-container-orgd909087" class="outline-2">
-<h2 id="orgd909087">PI-Hole</h2>
-<div class="outline-text-2" id="text-orgd909087">
+<div id="outline-container-org4e52617" class="outline-2">
+<h2 id="org4e52617">PI-Hole</h2>
+<div class="outline-text-2" id="text-org4e52617">
 <p>
 The black hole for web adverts. Block adverts at the domain name level within your local network. It can significantly reduce bandwidth, speed up page load times and protect your systems from being tracked by spyware.
 </p>
@@ -537,9 +537,9 @@ The black hole for web adverts. Block adverts at the domain name level within yo
 </p>
 </div>
 </div>
-<div id="outline-container-org54cc393" class="outline-2">
-<h2 id="org54cc393">PostActiv</h2>
-<div class="outline-text-2" id="text-org54cc393">
+<div id="outline-container-org77c5c76" class="outline-2">
+<h2 id="org77c5c76">PostActiv</h2>
+<div class="outline-text-2" id="text-org77c5c76">
 <p>
 An alternative federated social networking system compatible with GNU Social. It includes some optimisations and fixes currently not available within the main GNU Social project.
 </p>
@@ -549,9 +549,9 @@ An alternative federated social networking system compatible with GNU Social. It
 </p>
 </div>
 </div>
-<div id="outline-container-orgbf4385b" class="outline-2">
-<h2 id="orgbf4385b">Profanity</h2>
-<div class="outline-text-2" id="text-orgbf4385b">
+<div id="outline-container-org0bf6985" class="outline-2">
+<h2 id="org0bf6985">Profanity</h2>
+<div class="outline-text-2" id="text-org0bf6985">
 <p>
 A shell based XMPP client which you can run on the Freedombone server via ssh.
 </p>
@@ -561,9 +561,9 @@ A shell based XMPP client which you can run on the Freedombone server via ssh.
 </p>
 </div>
 </div>
-<div id="outline-container-orgda318c9" class="outline-2">
-<h2 id="orgda318c9">Riot Web</h2>
-<div class="outline-text-2" id="text-orgda318c9">
+<div id="outline-container-org3a8644d" class="outline-2">
+<h2 id="org3a8644d">Riot Web</h2>
+<div class="outline-text-2" id="text-org3a8644d">
 <p>
 A browser based user interface for the Matrix federated communications system, including WebRTC audio and video chat.
 </p>
@@ -573,9 +573,9 @@ A browser based user interface for the Matrix federated communications system, i
 </p>
 </div>
 </div>
-<div id="outline-container-org99449d0" class="outline-2">
-<h2 id="org99449d0">SearX</h2>
-<div class="outline-text-2" id="text-org99449d0">
+<div id="outline-container-org072b2ee" class="outline-2">
+<h2 id="org072b2ee">SearX</h2>
+<div class="outline-text-2" id="text-org072b2ee">
 <p>
 A metasearch engine for customised and private web searches.
 </p>
@@ -585,9 +585,9 @@ A metasearch engine for customised and private web searches.
 </p>
 </div>
 </div>
-<div id="outline-container-org761a652" class="outline-2">
-<h2 id="org761a652">tt-rss</h2>
-<div class="outline-text-2" id="text-org761a652">
+<div id="outline-container-orge6d7a97" class="outline-2">
+<h2 id="orge6d7a97">tt-rss</h2>
+<div class="outline-text-2" id="text-orge6d7a97">
 <p>
 Private RSS reader. Pulls in RSS/Atom feeds via Tor and is only accessible via an onion address. Have "<i>the right to read</i>" without the Surveillance State knowing what you're reading. Also available with a user interface suitable for viewing on mobile devices via a browser such as OrFox.
 </p>
@@ -597,9 +597,9 @@ Private RSS reader. Pulls in RSS/Atom feeds via Tor and is only accessible via a
 </p>
 </div>
 </div>
-<div id="outline-container-orga6e23d7" class="outline-2">
-<h2 id="orga6e23d7">Syncthing</h2>
-<div class="outline-text-2" id="text-orga6e23d7">
+<div id="outline-container-orgb533fa3" class="outline-2">
+<h2 id="orgb533fa3">Syncthing</h2>
+<div class="outline-text-2" id="text-orgb533fa3">
 <p>
 Possibly the best way to synchronise files across all of your devices. Once it has been set up it "just works" with no user intervention needed.
 </p>
@@ -609,9 +609,9 @@ Possibly the best way to synchronise files across all of your devices. Once it h
 </p>
 </div>
 </div>
-<div id="outline-container-org643b86b" class="outline-2">
-<h2 id="org643b86b">Tahoe-LAFS</h2>
-<div class="outline-text-2" id="text-org643b86b">
+<div id="outline-container-orgae3276a" class="outline-2">
+<h2 id="orgae3276a">Tahoe-LAFS</h2>
+<div class="outline-text-2" id="text-orgae3276a">
 <p>
 Robust and encrypted storage of files on one or more server.
 </p>
@@ -621,9 +621,9 @@ Robust and encrypted storage of files on one or more server.
 </p>
 </div>
 </div>
-<div id="outline-container-org8eb9d12" class="outline-2">
-<h2 id="org8eb9d12">Tox</h2>
-<div class="outline-text-2" id="text-org8eb9d12">
+<div id="outline-container-orga445624" class="outline-2">
+<h2 id="orga445624">Tox</h2>
+<div class="outline-text-2" id="text-orga445624">
 <p>
 Client and bootstrap node for the Tox chat/VoIP system.
 </p>
@@ -633,9 +633,9 @@ Client and bootstrap node for the Tox chat/VoIP system.
 </p>
 </div>
 </div>
-<div id="outline-container-org5a0e4e5" class="outline-2">
-<h2 id="org5a0e4e5">Turtl</h2>
-<div class="outline-text-2" id="text-org5a0e4e5">
+<div id="outline-container-org176644c" class="outline-2">
+<h2 id="org176644c">Turtl</h2>
+<div class="outline-text-2" id="text-org176644c">
 <p>
 A system for privately creating and sharing notes and images, similar to Evernote but without the spying.
 </p>
@@ -645,18 +645,30 @@ A system for privately creating and sharing notes and images, similar to Evernot
 </p>
 </div>
 </div>
-<div id="outline-container-orgdeeab5b" class="outline-2">
-<h2 id="orgdeeab5b">Vim</h2>
-<div class="outline-text-2" id="text-orgdeeab5b">
+<div id="outline-container-org8d3d9ed" class="outline-2">
+<h2 id="org8d3d9ed">Vim</h2>
+<div class="outline-text-2" id="text-org8d3d9ed">
 <p>
 If you use the Mutt client to read your email then this will set it up to use vim for composing new mail.
 </p>
 </div>
 </div>
 
-<div id="outline-container-orgdbd802c" class="outline-2">
-<h2 id="orgdbd802c">XMPP</h2>
-<div class="outline-text-2" id="text-orgdbd802c">
+<div id="outline-container-orgbab78c1" class="outline-2">
+<h2 id="orgbab78c1">Virtual Private Network (VPN)</h2>
+<div class="outline-text-2" id="text-orgbab78c1">
+<p>
+Set up a VPN on your server so that you can bypass local internet censorship.
+</p>
+
+<p>
+<a href="./app_vpn.html">How to use it</a>
+</p>
+</div>
+</div>
+<div id="outline-container-org76fcabc" class="outline-2">
+<h2 id="org76fcabc">XMPP</h2>
+<div class="outline-text-2" id="text-org76fcabc">
 <p>
 Chat server which can be used together with client such as Gajim or Conversations to provide end-to-end content security and also onion routed metadata security. Includes advanced features such as <i>client state notification</i> to save battery power on your mobile devices, support for seamless roaming between networks and <i>message carbons</i> so that you can receive the same messages while being simultaneously logged in to your account on more than one device.
 </p>