Merge branch 'stretch' of https://github.com/bashrc/freedombone

doc/EN/app_vpn.org

 You will need to ensure that the /openvpn/ and /stunnel/ packages are installed. On an Arch based system:
 
 #+begin_src bash
-sudp pacman -S openvpn stunnel4
+sudo pacman -S openvpn stunnel4
 #+end_src
 
 Or on a Debian based system:

doc/EN/index.org

 
 If you have a single board ARM computer which isn't one of the officially supported ones, such as Raspberry Pi, then you may still be able to install [[./armbian.html][Freedombone with Armbian]].
 
-Want to make a community mesh network which doesn't depend upon the internet? The [[./mesh.html][Freedombone Mesh]] is a wireless solution for autonomous communication that can be rapidly deployed in temporary, emergency or post-disaster situations where internet access is unavailable or compromised.
+Want to make a community mesh network which can either be fully autonomous or connected to the internet? The [[./mesh.html][Freedombone Mesh]] is a wireless solution for networked communication that can be rapidly deployed in temporary, emergency or post-disaster situations where internet access is unavailable or compromised, or used as an infrastructural community service similar to [[https://en.wikipedia.org/wiki/Freifunk][Freifunk]].
 
 After installation it's possible that you might want some advice on how to run your system and set up apps to work nicely with it.
 

doc/EN/mesh.org

  "/I see mesh networks naturally evolving to become the dominant form of network over the next few decades, because it’s the most practical solution to a number of problems that will have to be solved in order to build the VR web as well as to connect the entire world to the internet. Centralized networks are only possible in highly developed countries with existing infrastructures like power and telephone grids, as well as roads. You can’t build a tower where you don’t have either power or access. For vast areas of the world, mesh networks will be the only feasible solution./" -- Valkyrie Ice
 #+end_quote
 
-The Freedombone Mesh is a wireless solution for autonomous communication that can be rapidly deployed in temporary, emergency or post-disaster situations where internet access is unavailable or compromised.
+The Freedombone Mesh is a wireless solution for autonomous or internet connected communication that can be rapidly deployed in temporary, emergency or post-disaster situations where internet access is unavailable or compromised.
 
-Mesh networks are useful as a quick way to make a fully decentralised communications system which is not connected to or reliant upon the internet. Think festivals, hacker conferences, onboard ships at sea, disaster/war zones, small business internal office communications, protests, remote areas of the world, temporary "digital blackouts", scientific expeditions and off-world space colonies. The down side is that you can't access any internet content. The upside is that you can securely communicate with anyone on the local mesh. No ISPs. No payments or subscriptions beyond the cost of obtaining the hardware. Systems need to be within wifi range of each other for the mesh to be created. It can be an ultra-convenient way to do purely local communications.
+Mesh networks are useful as a quick way to make a fully decentralised communications system which is not connected to or reliant upon the internet. Think festivals, hacker conferences, onboard ships at sea, disaster/war zones, small businesses who don't want the overhead of server maintenance, protests, remote areas of the world, temporary "digital blackouts", scientific expeditions and off-world space colonies.
+
+If an internet connection is available then it can make use of that, but otherwise it can still work regardless of whether the internet exists. So it's not dependent upon ISPs and additional infrastructure other than USB drives isn't required.
+
+Systems only need to be within wifi range of each other for the mesh to be created, so it can be an very convenient way to create a local communications network.
 
 The Freedombone mesh roughly follows MondoNet's ten social specifications:
 
 
  - Discovery of other users on the network
  - Text based chat, one-to-one and in groups
- - Voice chat (VoIP)
+ - Voice chat (VoIP) and video calls
  - Private and public sharing of files
  - Blogging
+ - Creating and broadcasting audio media/podcasts
  - Social network stream. Follow/unfollow other peers
  - No network administration required
- - No servers, internet connection or cabling is needed
+ - No servers
+ - Internet connection is optional
  - Works from bootable USB drives or microSD drives
  - Data is mesh routed between systems
  - Private communications is end-to-end secured and forward secret
  - Publicly shared data is /content addressable/
 
-This system should be quite scalable. Both qTox and IPFS are based upon distributed hash tables (DHT) so that each peer does not need to store the full index of data for the entire network. Caching or pinning of IPFS data and its content addressability means that if a file or blog becomes popular then performance should improve as the number of downloads increases, which is the opposite of the client/server paradigm.
+This system should be quite scalable. Both qTox and IPFS are based upon distributed hash tables (DHT) so that each peer does not need to store the full index of data for the entire network. Gossiping between SSB peers may be slower, but the [[https://en.wikipedia.org/wiki/Small-world_network][small world effect]] will presumably still make for quite efficient delivery in a large network. Caching or pinning of IPFS data and its content addressability means that if a file or blog becomes popular then performance should improve as the number of downloads increases, which is the opposite of the client/server paradigm.
 
 * Disk Images
 ** Writing many images quickly
 #+END_CENTER
 
 When you are finished close the window and then select the /Network Restart/ desktop icon, which will restart the B.A.T.M.A.N. network. You can also use the restart icon if you are within range of the mesh network but the /Chat/ and /Other Users/ icons do not automatically appear after a few minutes.
+** Connecting to the internet
+If you need to be able to access the internet from the mesh then connect one of the peers to an internet router using an ethernet cable, then reboot it. Other peers in the mesh, including any attached mobile devices, will then be able to access the internet using the ethernet attached peer as a gateway. [[https://en.wikipedia.org/wiki/Freifunk][Freifunk]] works in a similar way.
+
+After connecting one peer to the internet you may need to reboot other peers in order to update their network configurations.
+
+If for legal reasons you need to connect to the internet via a VPN then openvpn is preinstalled and you can run the command:
+
+#+begin_src bash
+sudo openvpn myclient.ovpn
+#+end_src
+
+Where /myclient.ovpn/ comes from your VPN provider and with the password "/freedombone/".
+** Connecting two meshes over the internet via a VPN tunnel
+Maybe the internet exists, but you don't care about getting any content from it and just want to use it as a way to connect mesh networks from different geographical locations together. VPN configuration, pem and stunnel files exist within the home directory. Edit the configuration with:
+
+#+begin_src bash
+nano ~/client.ovpn
+#+end_src
+
+Edit the IP address or domain for the mesh that you wish to connect to within the /route/ command:
+
+#+begin_src bash
+route [mesh IP or domain] 255.255.255.255 net_gateway
+#+end_src
+
+Then you can connect to the other mesh with:
+
+#+begin_src bash
+cd /home/fbone
+sudo stunnel stunnel-client.conf
+sudo openvpn client.ovpn
+#+end_src
+
+Using the password "/freedombone/". From a deep packet inspection point of view the traffic going over the internet will just look like any other TLS connection to a server.
+
+** Mobile devices (phones, etc)
+To allow mobile devices to connect to the mesh you will need a second wifi adapter connected to your laptop/netbook/SBC. Plug in a second wifi adapter then reboot the system. The second adaptor will then create a wifi hotspot which mobile devices can connect to. The hotspot name also contains its local IP address (eg. "/mesh-192.168.1.83/").
+
+On a typical Android device go to *Settings* then *Security* and ensure that *Unknown sources* is enabled. Also within *Wifi* from the *Settings* screen select the mesh hotspot. The password is "/freedombone/". Open a non-Tor browser and navigate to the IP address showing in the hotspot name. You can then download and install mesh apps.
+
+#+BEGIN_CENTER
+[[file:images/mesh_mobileapps.jpg]]
+#+END_CENTER
 
+On some android devices you may need to move the downloaded APK file from the *Downloads* directory to your *home* directory before you can install it.
 ** Chat System
 
 Ensure that you're within wifi range of at least one other mesh peer (could be a router or client) and then you should see that the /Chat/ and /Other Users/ icons appear. Select the users icon and you should see a list of users on the mesh. Select the /Chat/ icon and once you are connected you should see the status light turn green. If after a few minutes you don't get the green status light then try closing and re-opening the Tox chat application. Select the plus button to add a friend and then copy and paste in a Tox ID from the users list.

doc/EN/meshindex.org

+#+TITLE:
+#+AUTHOR: Bob Mottram
+#+EMAIL: bob@freedombone.net
+#+KEYWORDS: mesh, freedombone, apps
+#+DESCRIPTION: Download apps for use on the mesh
+#+OPTIONS: ^:nil toc:nil
+#+HTML_HEAD: <link rel="stylesheet" type="text/css" href="freedombone.css" />
+
+#+BEGIN_CENTER
+[[file:images/logo.png]]
+#+END_CENTER
+
+#+BEGIN_EXPORT html
+<center>
+<h3>Welcome to the Freedombone Mesh</h3>
+</center>
+#+END_EXPORT
+
+The following apps are available:
+
+#+BEGIN_EXPORT html
+ <center>
+ <table style="width:80%; border:0">
+  <tr>
+    <td><center><b><a href="ssb.apk"><img src="images/ssb.png"/></a></b><br><a href="ssb.apk">Secure Scuttlebutt</a></center></td>
+    <td><center><b><h3></h3></b><br></center></td>
+  </tr>
+</table>
+</center>
+#+END_EXPORT

src/freedombone-app-scuttlebot

 #
 #                    Freedom in the Cloud
 #
-# scuttlebot pub application
+# scuttlebot pub application. Enables nat traversal for SSB.
 # https://scuttlebot.io
-# Problem: on occasion uses 100% of the CPU, severely impacting other services
 #
 # License
 # =======
 # You should have received a copy of the GNU Affero General Public License
 # along with this program.  If not, see <http://www.gnu.org/licenses/>.
 
-VARIANTS=''
+VARIANTS='full full-vim social'
 
 IN_DEFAULT_INSTALL=0
 SHOW_ON_ABOUT=0
 SHOW_ICANN_ADDRESS_ON_ABOUT=0
 
-SCUTTLEBOT_VERSION='9.8.0'
-SCUTTLEBOT_PORT=8008
+SCUTTLEBOT_VERSION='10.4.6'
+SCUTTLEBOT_PORT=8010
 
 scuttlebot_variables=(MY_USERNAME
                       DEFAULT_DOMAIN_NAME
     sed -i '/scuttlebot /d' $COMPLETION_FILE
 }
 
+function mesh_install_scuttlebot {
+    cat <<EOF > $rootdir/usr/bin/install_scuttlebot
+#!/bin/bash
+npm install -g scuttlebot@${SCUTTLEBOT_VERSION}
+EOF
+    chroot "$rootdir" /bin/chmod +x /usr/bin/install_scuttlebot
+    chroot "$rootdir" /usr/bin/install_scuttlebot
+    rm $rootdir/usr/bin/install_scuttlebot
+
+    if [ ! -f $rootdir/usr/local/bin/sbot ]; then
+        echo $'Scuttlebot was not installed'
+        exit 528253
+    fi
+
+    if [ ! -d $rootdir/etc/scuttlebot ]; then
+        mkdir -p $rootdir/etc/scuttlebot
+    fi
+
+    # an unprivileged user to run as
+    chroot "$rootdir" useradd -d /etc/scuttlebot/ scuttlebot
+
+    # daemon
+    echo '[Unit]' > $rootdir/etc/systemd/system/scuttlebot.service
+    echo 'Description=Scuttlebot (messaging system)' >> $rootdir/etc/systemd/system/scuttlebot.service
+    echo 'After=syslog.target' >> $rootdir/etc/systemd/system/scuttlebot.service
+    echo 'After=network.target' >> $rootdir/etc/systemd/system/scuttlebot.service
+    echo '' >> $rootdir/etc/systemd/system/scuttlebot.service
+    echo '[Service]' >> $rootdir/etc/systemd/system/scuttlebot.service
+    echo 'Type=simple' >> $rootdir/etc/systemd/system/scuttlebot.service
+    echo 'User=scuttlebot' >> $rootdir/etc/systemd/system/scuttlebot.service
+    echo 'Group=scuttlebot' >> $rootdir/etc/systemd/system/scuttlebot.service
+    echo "WorkingDirectory=/etc/scuttlebot" >> $rootdir/etc/systemd/system/scuttlebot.service
+    echo 'ExecStart=/usr/local/bin/sbot server' >> $rootdir/etc/systemd/system/scuttlebot.service
+    echo 'Restart=always' >> $rootdir/etc/systemd/system/scuttlebot.service
+    echo 'Environment="USER=scuttlebot"' >> $rootdir/etc/systemd/system/scuttlebot.service
+    echo '' >> $rootdir/etc/systemd/system/scuttlebot.service
+    echo '[Install]' >> $rootdir/etc/systemd/system/scuttlebot.service
+    echo 'WantedBy=multi-user.target' >> $rootdir/etc/systemd/system/scuttlebot.service
+}
+
 function install_scuttlebot {
     function_check install_nodejs
     install_nodejs scuttlebot

src/freedombone-app-tox

 SHOW_ON_ABOUT=1
 
 TOX_PORT=33445
+
+# upstream is https://github.com/TokTok/c-toxcore
 TOXCORE_REPO="https://github.com/bashrc/toxcore"
-TOXCORE_COMMIT='532629d486e3361c7d8d95b38293cc7d61dc4ee5'
+TOXCORE_COMMIT='987ad5eac173442d6ad2d5cd80c2da763a815a9a'
+
 TOXID_REPO="https://github.com/bashrc/toxid"
 TOX_BOOTSTRAP_ID_FILE=/var/lib/tox-bootstrapd/pubkey.txt
 # These are some default nodes, but you can replace them with trusted nodes
 #  '144.76.60.215,2a01:4f8:191:64d6::1,33445,04119E835DF3E78BACF0F84235B300546AF8B936F035185E2A8E9E0A67C8924F,sonOfRa,DE'
 #)
 TOXIC_REPO="https://github.com/Tox/toxic"
-TOXIC_COMMIT='cf16849b374e484a33a4dffa3dfb937b59d537f2'
+TOXIC_COMMIT='5cc83a7cb584886d90d7da15e8398215fed0d315'
 TOXIC_FILE=/usr/local/bin/toxic
 
 QTOX_REPO="https://github.com/bashrc/qTox"
     chroot "${rootdir}" apt-get -yq install libspeex-dev yasm pkg-config libopenjp2-7-dev
     chroot "${rootdir}" apt-get -yq install libx264-dev mjpegtools libmjpegtools-dev libav-tools
 
+    chroot "${rootdir}" apt-get -yq install build-essential cmake ffmpeg libexif-dev libgdk-pixbuf2.0-dev libglib2.0-dev libgtk2.0-dev libopenal-dev libqrencode-dev libqt5opengl5-dev libqt5svg5-dev libsqlcipher-dev libxss-dev pkg-config qrencode qt5-default qt5-qmake qttools5-dev qttools5-dev-tools yasm
+
     if [ -d /repos/qtox ]; then
         mkdir ${rootdir}$INSTALL_DIR/qtox
         cp -r -p /repos/qtox/. ${rootdir}$INSTALL_DIR/qtox
     git checkout $QTOX_COMMIT -b $QTOX_COMMIT
     chroot ${rootdir} /bin/bash -x <<EOF
 cd ${INSTALL_DIR}/qtox
-qmake
+export PKG_CONFIG_PATH="$PKG_CONFIG_PATH:/usr/local/lib/pkgconfig"
+cmake .
 make
 make install
 EOF
-    if [ ! -f ${rootdir}/usr/bin/qtox ]; then
+    if [ ! -f ${rootdir}/usr/local/bin/qtox ]; then
         exit 75784
     fi
+    cp ${rootdir}/usr/local/bin/qtox ${rootdir}/usr/bin/qtox
 }
 
 function reconfigure_tox {
     if [ ${rootdir} ]; then
         chroot ${rootdir} apt-get -yq install libncursesw5-dev libconfig-dev libqrencode-dev
         chroot ${rootdir} apt-get -yq install libcurl4-openssl-dev libvpx-dev libopenal-dev
+        chroot ${rootdir} apt-get -yq install libqrencode-dev
     else
         apt-get -yq install libncursesw5-dev libconfig-dev libqrencode-dev
         apt-get -yq install libcurl4-openssl-dev libvpx-dev libopenal-dev
+        apt-get -yq install libqrencode-dev
     fi
 
     TEMP_SCRIPT_NAME=fbtmp728353.sh

src/freedombone-app-vpn

 VPN_UNIT="Freedombone Unit"
 STUNNEL_PORT=3439
 VPN_TLS_PORT=553
+VPN_MESH_TLS_PORT=653
 
 vpn_variables=(MY_EMAIL_ADDRESS
                DEFAULT_DOMAIN_NAME
     new_username="$1"
 }
 
-function install_stunnel {
-    apt-get -yq install stunnel4
+function mesh_setup_vpn {
+    vpn_generate_keys
+
+    if [ -d /home/fbone ]; then
+        cp /etc/stunnel/stunnel-client.conf /home/fbone/stunnel-client.conf
+        chown fbone:fbone /home/fbone/stunnel*
+    fi
+
+    generate_stunnel_keys
 
-    cd /etc/stunnel
+    systemctl restart openvpn
+}
 
+function generate_stunnel_keys {
     openssl req -x509 -nodes -days 3650 -sha256 \
             -subj "/O=$VPN_ORGANISATION/OU=$VPN_UNIT/C=$VPN_COUNTRY_CODE/ST=$VPN_AREA/L=$VPN_LOCATION/CN=$HOSTNAME" \
-            -newkey rsa:2048 -keyout key.pem \
-            -out cert.pem
-    if [ ! -f key.pem ]; then
+            -newkey rsa:2048 -keyout /etc/stunnel/key.pem \
+            -out /etc/stunnel/cert.pem
+    if [ ! -f /etc/stunnel/key.pem ]; then
         echo $'stunnel key not created'
         exit 793530
     fi
-    if [ ! -f cert.pem ]; then
+    if [ ! -f /etc/stunnel/cert.pem ]; then
         echo $'stunnel cert not created'
         exit 204587
     fi
-    chmod 400 key.pem
-    chmod 640 cert.pem
+    chmod 400 /etc/stunnel/key.pem
+    chmod 640 /etc/stunnel/cert.pem
 
-    cat key.pem cert.pem >> stunnel.pem
-    chmod 640 stunnel.pem
+    cat /etc/stunnel/key.pem /etc/stunnel/cert.pem >> /etc/stunnel/stunnel.pem
+    chmod 640 /etc/stunnel/stunnel.pem
 
-    openssl pkcs12 -export -out stunnel.p12 -inkey key.pem -in cert.pem -passout pass:
-    if [ ! -f stunnel.p12 ]; then
+    openssl pkcs12 -export -out /etc/stunnel/stunnel.p12 -inkey /etc/stunnel/key.pem -in /etc/stunnel/cert.pem -passout pass:
+    if [ ! -f /etc/stunnel/stunnel.p12 ]; then
         echo $'stunnel pkcs12 not created'
         exit 639353
     fi
-    chmod 640 stunnel.p12
-
-    echo 'chroot = /var/lib/stunnel4' > stunnel.conf
-    echo 'pid = /stunnel4.pid' >> stunnel.conf
-    echo 'setuid = stunnel4' >> stunnel.conf
-    echo 'setgid = stunnel4' >> stunnel.conf
-    echo 'socket = l:TCP_NODELAY=1' >> stunnel.conf
-    echo 'socket = r:TCP_NODELAY=1' >> stunnel.conf
-    echo 'cert = /etc/stunnel/stunnel.pem' >> stunnel.conf
-    echo '[openvpn]' >> stunnel.conf
-    echo "accept = $VPN_TLS_PORT" >> stunnel.conf
-    echo 'connect = localhost:1194' >> stunnel.conf
-    echo 'cert = /etc/stunnel/stunnel.pem' >> stunnel.conf
-
-    sed -i 's|ENABLED=.*|ENABLED=1|g' /etc/default/stunnel4
-
-    echo '[openvpn]' > stunnel-client.conf
-    echo 'client = yes' >> stunnel-client.conf
-    echo "accept = $STUNNEL_PORT" >> stunnel-client.conf
-    echo "connect = $DEFAULT_DOMAIN_NAME:$VPN_TLS_PORT" >> stunnel-client.conf
-    echo 'cert = stunnel.pem' >> stunnel-client.conf
-
-    echo '[Unit]' > /etc/systemd/system/stunnel.service
-    echo 'Description=SSL tunnel for network daemons' >> /etc/systemd/system/stunnel.service
-    echo 'Documentation=man:stunnel https://www.stunnel.org/docs.html' >> /etc/systemd/system/stunnel.service
-    echo 'DefaultDependencies=no' >> /etc/systemd/system/stunnel.service
-    echo 'After=network.target' >> /etc/systemd/system/stunnel.service
-    echo 'After=syslog.target' >> /etc/systemd/system/stunnel.service
-    echo '' >> /etc/systemd/system/stunnel.service
-    echo '[Install]' >> /etc/systemd/system/stunnel.service
-    echo 'WantedBy=multi-user.target' >> /etc/systemd/system/stunnel.service
-    echo 'Alias=stunnel.target' >> /etc/systemd/system/stunnel.service
-    echo '' >> /etc/systemd/system/stunnel.service
-    echo '[Service]' >> /etc/systemd/system/stunnel.service
-    echo 'Type=forking' >> /etc/systemd/system/stunnel.service
-    echo 'RuntimeDirectory=stunnel' >> /etc/systemd/system/stunnel.service
-    echo 'EnvironmentFile=-/etc/stunnel/stunnel.conf' >> /etc/systemd/system/stunnel.service
-    echo 'ExecStart=/usr/bin/stunnel /etc/stunnel/stunnel.conf' >> /etc/systemd/system/stunnel.service
-    echo 'ExecStop=/usr/bin/killall -9 stunnel' >> /etc/systemd/system/stunnel.service
-    echo 'RemainAfterExit=yes' >> /etc/systemd/system/stunnel.service
-
-    if [ $VPN_TLS_PORT -eq 443 ]; then
-        systemctl stop nginx
-        systemctl disable nginx
-    else
-        systemctl enable nginx
-        systemctl restart nginx
-    fi
-
-    systemctl enable stunnel
-    systemctl daemon-reload
-    systemctl start stunnel
+    chmod 640 /etc/stunnel/stunnel.p12
 
     cp /etc/stunnel/stunnel.pem /home/$MY_USERNAME/stunnel.pem
     cp /etc/stunnel/stunnel.p12 /home/$MY_USERNAME/stunnel.p12
-    cp /etc/stunnel/stunnel-client.conf /home/$MY_USERNAME/stunnel-client.conf
-    chown $MY_USERNAME:$MY_USERNAME /home/$MY_USERNAME/stunnel*
+    chown $MY_USERNAME:$MY_USERNAME $prefix$userhome/stunnel*
 }
 
-function install_vpn {
-    apt-get -yq install fastd openvpn easy-rsa
+function install_stunnel {
+    prefix=
+    prefixchroot=
+    if [ $rootdir ]; then
+        prefix=$rootdir
+        prefixchroot="chroot $rootdir"
+        VPN_TLS_PORT=$VPN_MESH_TLS_PORT
+    fi
+
+    $prefixchroot apt-get -yq install stunnel4
+
+    if [ ! $prefix ]; then
+        cd /etc/stunnel
+        generate_stunnel_keys
+    fi
+
+    echo 'chroot = /var/lib/stunnel4' > $prefix/etc/stunnel/stunnel.conf
+    echo 'pid = /stunnel4.pid' >> $prefix/etc/stunnel/stunnel.conf
+    echo 'setuid = stunnel4' >> $prefix/etc/stunnel/stunnel.conf
+    echo 'setgid = stunnel4' >> $prefix/etc/stunnel/stunnel.conf
+    echo 'socket = l:TCP_NODELAY=1' >> $prefix/etc/stunnel/stunnel.conf
+    echo 'socket = r:TCP_NODELAY=1' >> $prefix/etc/stunnel/stunnel.conf
+    echo 'cert = /etc/stunnel/stunnel.pem' >> $prefix/etc/stunnel/stunnel.conf
+    echo '[openvpn]' >> $prefix/etc/stunnel/stunnel.conf
+    echo "accept = $VPN_TLS_PORT" >> $prefix/etc/stunnel/stunnel.conf
+    echo 'connect = localhost:1194' >> $prefix/etc/stunnel/stunnel.conf
+    echo 'cert = /etc/stunnel/stunnel.pem' >> $prefix/etc/stunnel/stunnel.conf
+
+    sed -i 's|ENABLED=.*|ENABLED=1|g' $prefix/etc/default/stunnel4
+
+    echo '[openvpn]' > $prefix/etc/stunnel/stunnel-client.conf
+    echo 'client = yes' >> $prefix/etc/stunnel/stunnel-client.conf
+    echo "accept = $STUNNEL_PORT" >> $prefix/etc/stunnel/stunnel-client.conf
+    echo "connect = $DEFAULT_DOMAIN_NAME:$VPN_TLS_PORT" >> $prefix/etc/stunnel/stunnel-client.conf
+    echo 'cert = stunnel.pem' >> $prefix/etc/stunnel/stunnel-client.conf
+
+    echo '[Unit]' > $prefix/etc/systemd/system/stunnel.service
+    echo 'Description=SSL tunnel for network daemons' >> $prefix/etc/systemd/system/stunnel.service
+    echo 'Documentation=man:stunnel https://www.stunnel.org/docs.html' >> $prefix/etc/systemd/system/stunnel.service
+    echo 'DefaultDependencies=no' >> $prefix/etc/systemd/system/stunnel.service
+    echo 'After=network.target' >> $prefix/etc/systemd/system/stunnel.service
+    echo 'After=syslog.target' >> $prefix/etc/systemd/system/stunnel.service
+    echo '' >> $prefix/etc/systemd/system/stunnel.service
+    echo '[Install]' >> $prefix/etc/systemd/system/stunnel.service
+    echo 'WantedBy=multi-user.target' >> $prefix/etc/systemd/system/stunnel.service
+    echo 'Alias=stunnel.target' >> $prefix/etc/systemd/system/stunnel.service
+    echo '' >> $prefix/etc/systemd/system/stunnel.service
+    echo '[Service]' >> $prefix/etc/systemd/system/stunnel.service
+    echo 'Type=forking' >> $prefix/etc/systemd/system/stunnel.service
+    echo 'RuntimeDirectory=stunnel' >> $prefix/etc/systemd/system/stunnel.service
+    echo 'EnvironmentFile=-/etc/stunnel/stunnel.conf' >> $prefix/etc/systemd/system/stunnel.service
+    echo 'ExecStart=/usr/bin/stunnel /etc/stunnel/stunnel.conf' >> $prefix/etc/systemd/system/stunnel.service
+    echo 'ExecStop=/usr/bin/killall -9 stunnel' >> $prefix/etc/systemd/system/stunnel.service
+    echo 'RemainAfterExit=yes' >> $prefix/etc/systemd/system/stunnel.service
+
+    if [ ! $prefix ]; then
+        if [ $VPN_TLS_PORT -eq 443 ]; then
+            systemctl stop nginx
+            systemctl disable nginx
+        else
+            systemctl enable nginx
+            systemctl restart nginx
+        fi
 
-    groupadd vpn
-    useradd -r -s /bin/false -g vpn vpn
+        systemctl enable stunnel
+        systemctl daemon-reload
+        systemctl start stunnel
 
-    # server configuration
-    echo 'port 1194' > /etc/openvpn/server.conf
-    echo 'proto tcp' >> /etc/openvpn/server.conf
-    echo 'dev tun' >> /etc/openvpn/server.conf
-    echo 'tun-mtu 1500' >> /etc/openvpn/server.conf
-    echo 'tun-mtu-extra 32' >> /etc/openvpn/server.conf
-    echo 'mssfix 1450' >> /etc/openvpn/server.conf
-    echo 'ca /etc/openvpn/ca.crt' >> /etc/openvpn/server.conf
-    echo 'cert /etc/openvpn/server.crt' >> /etc/openvpn/server.conf
-    echo 'key /etc/openvpn/server.key' >> /etc/openvpn/server.conf
-    echo 'dh /etc/openvpn/dh2048.pem' >> /etc/openvpn/server.conf
-    echo 'server 10.8.0.0 255.255.255.0' >> /etc/openvpn/server.conf
-    echo 'push "redirect-gateway def1 bypass-dhcp"' >> /etc/openvpn/server.conf
-    echo "push \"dhcp-option DNS 85.214.73.63\"" >> /etc/openvpn/server.conf
-    echo "push \"dhcp-option DNS 213.73.91.35\"" >> /etc/openvpn/server.conf
-    echo 'keepalive 5 30' >> /etc/openvpn/server.conf
-    echo 'comp-lzo' >> /etc/openvpn/server.conf
-    echo 'persist-key' >> /etc/openvpn/server.conf
-    echo 'persist-tun' >> /etc/openvpn/server.conf
-    echo 'status /dev/null' >> /etc/openvpn/server.conf
-    echo 'verb 3' >> /etc/openvpn/server.conf
-    echo '' >> /etc/openvpn/server.conf
-
-    echo 1 > /proc/sys/net/ipv4/ip_forward
-    sed -i 's|# net.ipv4.ip_forward|net.ipv4.ip_forward|g' /etc/sysctl.conf
-    sed -i 's|#net.ipv4.ip_forward|net.ipv4.ip_forward|g' /etc/sysctl.conf
-    sed -i 's|net.ipv4.ip_forward.*|net.ipv4.ip_forward=1|g' /etc/sysctl.conf
-
-    cp -r /usr/share/easy-rsa/ /etc/openvpn
-    if [ ! -d /etc/openvpn/easy-rsa/keys ]; then
-        mkdir /etc/openvpn/easy-rsa/keys
+        cp /etc/stunnel/stunnel-client.conf /home/$MY_USERNAME/stunnel-client.conf
+        chown $MY_USERNAME:$MY_USERNAME /home/$MY_USERNAME/stunnel*
     fi
+}
 
-    # keys configuration
-    sed -i "s|export KEY_COUNTRY.*|export KEY_COUNTRY=\"US\"|g" /etc/openvpn/easy-rsa/vars
-    sed -i "s|export KEY_PROVINCE.*|export KEY_PROVINCE=\"TX\"|g" /etc/openvpn/easy-rsa/vars
-    sed -i "s|export KEY_CITY.*|export KEY_CITY=\"Dallas\"|g" /etc/openvpn/easy-rsa/vars
-    sed -i "s|export KEY_ORG.*|export KEY_ORG=\"$PROJECT_NAME\"|g" /etc/openvpn/easy-rsa/vars
-    sed -i "s|export KEY_EMAIL.*|export KEY_EMAIL=\"$MY_EMAIL_ADDRESS\"|g" /etc/openvpn/easy-rsa/vars
-    sed -i "s|export KEY_OU=.*|export KEY_OU=\"MoonUnit\"|g" /etc/openvpn/easy-rsa/vars
-    sed -i "s|export KEY_NAME.*|export KEY_NAME=\"$OPENVPN_SERVER_NAME\"|g" /etc/openvpn/easy-rsa/vars
-
+function vpn_generate_keys {
     # generate host keys
     if [ ! -f /etc/openvpn/dh2048.pem ]; then
-        openssl dhparam -out /etc/openvpn/dh2048.pem 2048
+        ${PROJECT_NAME}-dhparam -o /etc/openvpn/dh2048.pem
     fi
     if [ ! -f /etc/openvpn/dh2048.pem ]; then
         echo $'vpn dhparams were not generated'
     sed -i 's| --interact||g' build-key-server
     sed -i 's| --interact||g' build-ca
     ./build-ca
-    ./build-key-server $OPENVPN_SERVER_NAME
+    ./build-key-server ${OPENVPN_SERVER_NAME}
     if [ ! -f /etc/openvpn/easy-rsa/keys/${OPENVPN_SERVER_NAME}.crt ]; then
         echo $'OpenVPN crt not found'
         exit 7823352
     fi
     cp /etc/openvpn/easy-rsa/keys/{$OPENVPN_SERVER_NAME.crt,$OPENVPN_SERVER_NAME.key,ca.crt} /etc/openvpn
 
-    create_user_vpn_key $MY_USERNAME
+    create_user_vpn_key ${MY_USERNAME}
+}
+
+function install_vpn {
+    prefix=
+    prefixchroot=
+    if [ $rootdir ]; then
+        prefix=$rootdir
+        prefixchroot="chroot $rootdir"
+        VPN_TLS_PORT=$VPN_MESH_TLS_PORT
+    fi
+    $prefixchroot apt-get -yq install fastd openvpn easy-rsa
 
-    firewall_enable_vpn
+    $prefixchroot groupadd vpn
+    $prefixchroot useradd -r -s /bin/false -g vpn vpn
 
-    if [ $VPN_TLS_PORT -ne 443 ]; then
-        firewall_add VPN-TLS $VPN_TLS_PORT tcp
+    # server configuration
+    echo 'port 1194' > $prefix/etc/openvpn/server.conf
+    echo 'proto tcp' >> $prefix/etc/openvpn/server.conf
+    echo 'dev tun' >> $prefix/etc/openvpn/server.conf
+    echo 'tun-mtu 1500' >> $prefix/etc/openvpn/server.conf
+    echo 'tun-mtu-extra 32' >> $prefix/etc/openvpn/server.conf
+    echo 'mssfix 1450' >> $prefix/etc/openvpn/server.conf
+    echo 'ca /etc/openvpn/ca.crt' >> $prefix/etc/openvpn/server.conf
+    echo 'cert /etc/openvpn/server.crt' >> $prefix/etc/openvpn/server.conf
+    echo 'key /etc/openvpn/server.key' >> $prefix/etc/openvpn/server.conf
+    echo 'dh /etc/openvpn/dh2048.pem' >> $prefix/etc/openvpn/server.conf
+    echo 'server 10.8.0.0 255.255.255.0' >> $prefix/etc/openvpn/server.conf
+    echo 'push "redirect-gateway def1 bypass-dhcp"' >> $prefix/etc/openvpn/server.conf
+    echo "push \"dhcp-option DNS 85.214.73.63\"" >> $prefix/etc/openvpn/server.conf
+    echo "push \"dhcp-option DNS 213.73.91.35\"" >> $prefix/etc/openvpn/server.conf
+    echo 'keepalive 5 30' >> $prefix/etc/openvpn/server.conf
+    echo 'comp-lzo' >> $prefix/etc/openvpn/server.conf
+    echo 'persist-key' >> $prefix/etc/openvpn/server.conf
+    echo 'persist-tun' >> $prefix/etc/openvpn/server.conf
+    echo 'status /dev/null' >> $prefix/etc/openvpn/server.conf
+    echo 'verb 3' >> $prefix/etc/openvpn/server.conf
+    echo '' >> $prefix/etc/openvpn/server.conf
+
+    if [ ! $prefix ]; then
+        echo 1 > /proc/sys/net/ipv4/ip_forward
+    fi
+    sed -i 's|# net.ipv4.ip_forward|net.ipv4.ip_forward|g' $prefix/etc/sysctl.conf
+    sed -i 's|#net.ipv4.ip_forward|net.ipv4.ip_forward|g' $prefix/etc/sysctl.conf
+    sed -i 's|net.ipv4.ip_forward.*|net.ipv4.ip_forward=1|g' $prefix/etc/sysctl.conf
+
+    cp -r $prefix/usr/share/easy-rsa/ $prefix/etc/openvpn
+    if [ ! -d $prefix/etc/openvpn/easy-rsa/keys ]; then
+        mkdir $prefix/etc/openvpn/easy-rsa/keys
     fi
 
-    systemctl start openvpn
+    # keys configuration
+    sed -i "s|export KEY_COUNTRY.*|export KEY_COUNTRY=\"US\"|g" $prefix/etc/openvpn/easy-rsa/vars
+    sed -i "s|export KEY_PROVINCE.*|export KEY_PROVINCE=\"TX\"|g" $prefix/etc/openvpn/easy-rsa/vars
+    sed -i "s|export KEY_CITY.*|export KEY_CITY=\"Dallas\"|g" $prefix/etc/openvpn/easy-rsa/vars
+    sed -i "s|export KEY_ORG.*|export KEY_ORG=\"$PROJECT_NAME\"|g" $prefix/etc/openvpn/easy-rsa/vars
+    sed -i "s|export KEY_EMAIL.*|export KEY_EMAIL=\"$MY_EMAIL_ADDRESS\"|g" $prefix/etc/openvpn/easy-rsa/vars
+    sed -i "s|export KEY_OU=.*|export KEY_OU=\"MoonUnit\"|g" $prefix/etc/openvpn/easy-rsa/vars
+    sed -i "s|export KEY_NAME.*|export KEY_NAME=\"$OPENVPN_SERVER_NAME\"|g" $prefix/etc/openvpn/easy-rsa/vars
+
+    if [ ! $prefix ]; then
+        vpn_generate_keys
+        firewall_enable_vpn
+
+        if [ ${VPN_TLS_PORT} -ne 443 ]; then
+            firewall_add VPN-TLS ${VPN_TLS_PORT} tcp
+        fi
+
+        systemctl start openvpn
+    fi
 
     install_stunnel
 
-    systemctl restart openvpn
+    if [ ! $prefix ]; then
+        systemctl restart openvpn
+    fi
 
     APP_INSTALLED=1
 }

src/freedombone-dhparam

             shift
             RECALCULATE=${1}
             ;;
+        -o|--output)
+            shift
+            FAST='yes'
+            calc_dh ${1}
+            exit 0
+            ;;
         --fast)
             shift
             if [[ ${1} == $"yes" || ${1} == $"y" ]]; then

src/freedombone-image-customise

 PATCHWORK_REPO="https://github.com/ssbc/patchwork"
 PATCHWORK_COMMIT='60111a9e3385d65be0d17aa0d15fd20e5fb311ce'
 
+FERMENT_REPO="https://github.com/LolaShare/ferment"
+FERMENT_COMMIT='6e0e434114cd4cc652a03f6dcc6ddcec007b0058'
+
 install_patchwork() {
     if [[ $VARIANT != "meshclient" ]]; then
         return
     cp $rootdir/root/$PROJECT_NAME/img/icon_patchwork.png $rootdir/etc/patchwork/icon_patchwork.png
 }
 
+install_ferment() {
+    if [[ $VARIANT != "meshclient" ]]; then
+        return
+    fi
+
+    get_npm_arch
+
+    git clone $FERMENT_REPO $rootdir/etc/ferment
+    if [ ! -d $rootdir/etc/ferment ]; then
+        exit 5239465
+    fi
+    cd $rootdir/etc/ferment
+    git checkout $FERMENT_COMMIT -b $FERMENT_COMMIT
+
+    cat <<EOF > $rootdir/usr/bin/install_ferment
+#!/bin/bash
+cd /etc/ferment
+npm install --arch=$NPM_ARCH --build-from-source
+npm install --arch=$NPM_ARCH --save-dev electron-rebuild
+./node_modules/.bin/electron-rebuild
+npm install --arch=$NPM_ARCH git-ssb
+EOF
+    chroot "$rootdir" /bin/chmod +x /usr/bin/install_ferment
+    chroot "$rootdir" /usr/bin/install_ferment
+    rm $rootdir/usr/bin/install_ferment
+
+    echo '#!/bin/bash' > $rootdir/usr/bin/start_ferment
+    echo 'cd /etc/ferment' >> $rootdir/usr/bin/start_ferment
+    echo 'npm start' >> $rootdir/usr/bin/start_ferment
+    chmod +x $rootdir/usr/bin/start_ferment
+
+    # Copy icon to an accesible location
+    cp $rootdir/root/$PROJECT_NAME/img/icon_ferment.png $rootdir/etc/patchwork/icon_ferment.png
+}
+
+mesh_shutdown_script() {
+    echo '[Unit]' > $rootdir/etc/systemd/system/meshshutdown.service
+    echo 'Description=Shuts down the mesh' >> $rootdir/etc/systemd/system/meshshutdown.service
+    echo 'Before=shutdown.target' >> $rootdir/etc/systemd/system/meshshutdown.service
+    echo '' >> $rootdir/etc/systemd/system/meshshutdown.service
+    echo '[Service]' >> $rootdir/etc/systemd/system/meshshutdown.service
+    echo 'ExecStart=/bin/true' >> $rootdir/etc/systemd/system/meshshutdown.service
+    echo 'ExecStop=/bin/bash /usr/local/bin/batman stop' >> $rootdir/etc/systemd/system/meshshutdown.service
+    echo 'RemainAfterExit=yes' >> $rootdir/etc/systemd/system/meshshutdown.service
+    echo '' >> $rootdir/etc/systemd/system/meshshutdown.service
+    echo '[Install]' >> $rootdir/etc/systemd/system/meshshutdown.service
+    echo 'WantedBy=multi-user.target' >> $rootdir/etc/systemd/system/meshshutdown.service
+    chroot "$rootdir" systemctl enable meshshutdown
+}
+
 initialise_mesh() {
     if [[ $VARIANT != "mesh"* ]]; then
         return
     configure_firewall
     install_avahi
     install_batman
+    mesh_shutdown_script
+    install_vpn
     install_tomb
     #install_tahoelafs
     #install_librevault
     install_patchwork
+    mesh_install_scuttlebot
+    #install_ferment
     install_ipfs
     install_tox
     install_web_server
     # USB cloning tool
     chroot "$rootdir" apt-get -yq install gnome-multi-writer
 
+    # clipboard
+    chroot "$rootdir" apt-get -yq install xclip
+
+    # audio recording
+    chroot "$rootdir" apt-get -yq install audacity
+
     # Produce a text file on the desktop listing users on the mesh
     cat <<EOF > $rootdir/usr/bin/list-tox-users
 #!/bin/bash
+ethernet_connected=$(cat /sys/class/net/eth0/carrier)
 users_list=\$(lstox | awk -F ' ' '{\$1=""; print \$0}' | sed -e 's/^[[:space:]]*//' | sort -d | uniq)
 if [ ! \$users_list ]; then
     no_of_users=0
         echo 'Comment=A decentralized messaging and sharing app built on top of Secure Scuttlebutt (SSB)' >> /home/$MY_USERNAME/Desktop/social.desktop
         echo 'Exec=bash /usr/bin/start_patchwork' >> /home/$MY_USERNAME/Desktop/social.desktop
         echo "Icon=/etc/patchwork/icon_patchwork.png" >> /home/$MY_USERNAME/Desktop/social.desktop
-        echo 'StartupNotify=true' >> /home/$MY_USERNAME/Desktop/social.desktop
+        echo 'Terminal=false' >> /home/$MY_USERNAME/Desktop/social.desktop
+        echo 'Categories=Application;' >> /home/$MY_USERNAME/Desktop/social.desktop
         chmod +x /home/$MY_USERNAME/Desktop/social.desktop
         chown $MY_USERNAME:$MY_USERNAME /home/$MY_USERNAME/Desktop/social.desktop
     else
         fi
     fi
 
+    #if [ ! -f /home/$MY_USERNAME/Desktop/audio.desktop ]; then
+    #    echo '[Desktop Entry]' > /home/$MY_USERNAME/Desktop/audio.desktop
+    #    echo 'Name=Audio/Music' >> /home/$MY_USERNAME/Desktop/audio.desktop
+    #    echo 'Type=Application' >> /home/$MY_USERNAME/Desktop/audio.desktop
+    #    echo 'Comment=Audio publishing and streaming' >> /home/$MY_USERNAME/Desktop/audio.desktop
+    #    echo 'Exec=bash /usr/bin/start_ferment' >> /home/$MY_USERNAME/Desktop/audio.desktop
+    #    echo "Icon=/etc/patchwork/icon_ferment.png" >> /home/$MY_USERNAME/Desktop/audio.desktop
+    #    echo 'Terminal=false' >> /home/$MY_USERNAME/Desktop/audio.desktop
+    #    echo 'Categories=Application;' >> /home/$MY_USERNAME/Desktop/audio.desktop
+    #    chmod +x /home/$MY_USERNAME/Desktop/audio.desktop
+    #    chown $MY_USERNAME:$MY_USERNAME /home/$MY_USERNAME/Desktop/audio.desktop
+    #else
+    #    if grep -q "Offline" /home/$MY_USERNAME/Desktop/audio.desktop; then
+    #        sed -i 's|Name=.*|Name=Audio/Music|g' /home/$MY_USERNAME/Desktop/audio.desktop
+    #    fi
+    #fi
+
     if [ -f /tmp/.ipfs-users ]; then
         echo '[Desktop Entry]' > /home/$MY_USERNAME/Desktop/sites.desktop
         echo 'Type=Application' >> /home/$MY_USERNAME/Desktop/sites.desktop
         chmod +x /home/$MY_USERNAME/Desktop/tox.desktop
         chown $MY_USERNAME:$MY_USERNAME /home/$MY_USERNAME/Desktop/tox.desktop
     fi
+
+    # If ethernet is connected then add the invite icon to help enable
+    # SSB nat traversal
+    if [[ "$ethernet_connected" != "0" ]]; then
+        if [ ! -f /home/$MY_USERNAME/Desktop/invite.desktop ]; then
+            echo '[Desktop Entry]' > /home/$MY_USERNAME/Desktop/invite.desktop
+            echo 'Version=1.0' >> /home/$MY_USERNAME/Desktop/invite.desktop
+            echo 'Name=Create Invite' >> /home/$MY_USERNAME/Desktop/invite.desktop
+            echo 'Type=Application' >> /home/$MY_USERNAME/Desktop/invite.desktop
+            echo 'Comment=Create an invite for Patchwork or Ferment' >> /home/$MY_USERNAME/Desktop/invite.desktop
+            echo 'Exec=mate-terminal -e freedombone-mesh-invite' >> /home/$MY_USERNAME/Desktop/invite.desktop
+            echo 'Icon=/usr/share/freedombone/avatars/invite.png' >> /home/$MY_USERNAME/Desktop/invite.desktop
+            echo 'Terminal=false' >> /home/$MY_USERNAME/Desktop/invite.desktop
+            echo 'Categories=Application;' >> /home/$MY_USERNAME/Desktop/invite.desktop
+        fi
+    else
+        if [ -f /home/$MY_USERNAME/Desktop/invite.desktop ]; then
+            rm /home/$MY_USERNAME/Desktop/invite.desktop
+        fi
+    fi
 else
     if [ -f /tmp/Users.txt ]; then
         rm /tmp/Users.txt
                 sed -i 's|Name=.*|Name=Social (Offline)|g' /home/$MY_USERNAME/Desktop/social.desktop
             fi
         fi
+        #if [ -f /home/$MY_USERNAME/Desktop/audio.desktop ]; then
+        #    if ! grep -q "Offline" /home/$MY_USERNAME/Desktop/audio.desktop; then
+        #        sed -i 's|Name=.*|Name=Audio/Music (Offline)|g' /home/$MY_USERNAME/Desktop/audio.desktop
+        #    fi
+        #fi
         pkill qtox
     fi
+
+    # If there is no ethernet then remove the invite icon
+    if [[ "$ethernet_connected" == "0" ]]; then
+        if [ -f /home/$MY_USERNAME/Desktop/invite.desktop ]; then
+            rm /home/$MY_USERNAME/Desktop/invite.desktop
+        fi
+    fi
 fi
 EOF
     chroot "$rootdir" /bin/chown $MY_USERNAME:$MY_USERNAME /usr/bin/list-tox-users

src/freedombone-image-make

  --grub \
  --roottype btrfs \
 "   ;;
-    meshclient)
-        extra_opts="\
- --grub \
- --roottype btrfs \
-"   ;;
     all)
         extra_opts="\
  --grub \
- --roottype btrfs \
+ --roottype ext4 \
 "   ;;
 esac
 

src/freedombone-image-mesh

 
 CURRENT_BLOG_INDEX=/home/$MY_USERNAME/.blog-index
 
+OPENVPN_SERVER_NAME="server"
+OPENVPN_KEY_FILENAME='client.ovpn'
+VPN_COUNTRY_CODE="US"
+VPN_AREA="Apparent Free Speech Zone"
+VPN_LOCATION="Freedomville"
+VPN_ORGANISATION="Freedombone"
+VPN_UNIT="Freedombone Unit"
+STUNNEL_PORT=3439
+VPN_TLS_PORT=553
+VPN_MESH_TLS_PORT=653
+
+SCUTTLEBOT_PORT=8010
+
 # Debian stretch has a problem where the formerly predictable wlan0 and eth0
 # device names get assigned random names. This is a hacky workaround.
 # Also adding net.ifnames=0 to kernel options on bootloader may work.
     echo 'Terminal=false' >> /home/$MY_USERNAME/Desktop/new_identity.desktop
     echo 'Categories=Application;' >> /home/$MY_USERNAME/Desktop/new_identity.desktop
 
+    echo '[Desktop Entry]' > /home/$MY_USERNAME/Desktop/social.desktop
+    echo 'Name=Social (Offline)' >> /home/$MY_USERNAME/Desktop/social.desktop
+    echo 'Type=Application' >> /home/$MY_USERNAME/Desktop/social.desktop
+    echo 'Comment=A decentralized messaging and sharing app built on top of Secure Scuttlebutt (SSB)' >> /home/$MY_USERNAME/Desktop/social.desktop
+    echo 'Exec=bash /usr/bin/start_patchwork' >> /home/$MY_USERNAME/Desktop/social.desktop
+    echo "Icon=/etc/patchwork/icon_patchwork.png" >> /home/$MY_USERNAME/Desktop/social.desktop
+    echo 'Terminal=false' >> /home/$MY_USERNAME/Desktop/social.desktop
+    echo 'Categories=Application;' >> /home/$MY_USERNAME/Desktop/social.desktop
+
+    #echo '[Desktop Entry]' > /home/$MY_USERNAME/Desktop/audio.desktop
+    #echo 'Name=Audio/Music (Offline)' >> /home/$MY_USERNAME/Desktop/audio.desktop
+    #echo 'Type=Application' >> /home/$MY_USERNAME/Desktop/audio.desktop
+    #echo 'Comment=Audio publishing and streaming' >> /home/$MY_USERNAME/Desktop/audio.desktop
+    #echo 'Exec=bash /usr/bin/start_ferment' >> /home/$MY_USERNAME/Desktop/audio.desktop
+    #echo "Icon=/etc/patchwork/icon_ferment.png" >> /home/$MY_USERNAME/Desktop/audio.desktop
+    #echo 'Terminal=false' >> /home/$MY_USERNAME/Desktop/audio.desktop
+    #echo 'Categories=Application;' >> /home/$MY_USERNAME/Desktop/audio.desktop
+
     # set permissions
     chmod +x /home/$MY_USERNAME/Desktop/*.desktop
     chown ${MY_USERNAME}:${MY_USERNAME} /home/$MY_USERNAME/Desktop/*
     echo $'Configured Tahoe-LAFS' >> $INSTALL_LOG
 }
 
+function create_user_vpn_key {
+    username=$1
+
+    if [ ! -d /home/$username ]; then
+        return
+    fi
+
+    echo $"Creating VPN key for $username" >> /var/log/${PROJECT_NAME}.log
+
+    cd /etc/openvpn/easy-rsa
+
+    if [ -f /etc/openvpn/easy-rsa/keys/$username.crt ]; then
+        rm /etc/openvpn/easy-rsa/keys/$username.crt
+    fi
+    if [ -f /etc/openvpn/easy-rsa/keys/$username.key ]; then
+        rm /etc/openvpn/easy-rsa/keys/$username.key
+    fi
+    if [ -f /etc/openvpn/easy-rsa/keys/$username.csr ]; then
+        rm /etc/openvpn/easy-rsa/keys/$username.csr
+    fi
+
+    sed -i 's| --interact||g' build-key
+    ./build-key "$username"
+
+    if [ ! -f /etc/openvpn/easy-rsa/keys/$username.crt ]; then
+        echo $'VPN user cert not generated' >> /var/log/${PROJECT_NAME}.log
+        exit 783528
+    fi
+    user_cert=$(cat /etc/openvpn/easy-rsa/keys/$username.crt)
+    if [ ${#user_cert} -lt 10 ]; then
+        cat /etc/openvpn/easy-rsa/keys/$username.crt
+        echo $'User cert generation failed' >> /var/log/${PROJECT_NAME}.log
+        exit 634659
+    fi
+    if [ ! -f /etc/openvpn/easy-rsa/keys/$username.key ]; then
+        echo $'VPN user key not generated'
+        exit 682523
+    fi
+    user_key=$(cat /etc/openvpn/easy-rsa/keys/$username.key)
+    if [ ${#user_key} -lt 10 ]; then
+        cat /etc/openvpn/easy-rsa/keys/$username.key
+        echo $'User key generation failed'
+        exit 285838
+    fi
+
+    user_vpn_cert_file=/home/$username/$OPENVPN_KEY_FILENAME
+
+    echo 'client' > $user_vpn_cert_file
+    echo 'dev tun' >> $user_vpn_cert_file
+    echo 'proto tcp' >> $user_vpn_cert_file
+    echo "remote localhost $STUNNEL_PORT" >> $user_vpn_cert_file
+    echo "route $DEFAULT_DOMAIN_NAME 255.255.255.255 net_gateway" >> $user_vpn_cert_file
+    echo 'resolv-retry infinite' >> $user_vpn_cert_file
+    echo 'nobind' >> $user_vpn_cert_file
+    echo 'tun-mtu 1500' >> $user_vpn_cert_file
+    echo 'tun-mtu-extra 32' >> $user_vpn_cert_file
+    echo 'mssfix 1450' >> $user_vpn_cert_file
+    echo 'persist-key' >> $user_vpn_cert_file
+    echo 'persist-tun' >> $user_vpn_cert_file
+    echo 'auth-nocache' >> $user_vpn_cert_file
+    echo 'remote-cert-tls server' >> $user_vpn_cert_file
+    echo 'comp-lzo' >> $user_vpn_cert_file
+    echo 'verb 3' >> $user_vpn_cert_file
+    echo '' >> $user_vpn_cert_file
+
+    echo '<ca>' >> $user_vpn_cert_file
+    cat /etc/openvpn/ca.crt >> $user_vpn_cert_file
+    echo '</ca>' >> $user_vpn_cert_file
+
+    echo '<cert>' >> $user_vpn_cert_file
+    cat /etc/openvpn/easy-rsa/keys/$username.crt >> $user_vpn_cert_file
+    echo '</cert>' >> $user_vpn_cert_file
+
+    echo '<key>' >> $user_vpn_cert_file
+    cat /etc/openvpn/easy-rsa/keys/$username.key >> $user_vpn_cert_file
+    echo '</key>' >> $user_vpn_cert_file
+
+    chown $username:$username $user_vpn_cert_file
+
+    # keep a backup
+    cp $user_vpn_cert_file /etc/openvpn/easy-rsa/keys/$username.ovpn
+
+    #rm /etc/openvpn/easy-rsa/keys/$username.crt
+    #rm /etc/openvpn/easy-rsa/keys/$username.csr
+    shred -zu /etc/openvpn/easy-rsa/keys/$username.key
+
+    echo $"VPN key created at $user_vpn_cert_file" >> /var/log/${PROJECT_NAME}.log
+}
+
+function vpn_generate_keys {
+    # generate host keys
+    if [ ! -f /etc/openvpn/dh2048.pem ]; then
+        ${PROJECT_NAME}-dhparam -o /etc/openvpn/dh2048.pem
+    fi
+    if [ ! -f /etc/openvpn/dh2048.pem ]; then
+        echo $'vpn dhparams were not generated' >> /var/log/${PROJECT_NAME}.log
+        exit 73724523
+    fi
+    cp /etc/openvpn/dh2048.pem /etc/openvpn/easy-rsa/keys/dh2048.pem
+
+    cd /etc/openvpn/easy-rsa
+    . ./vars
+    ./clean-all
+    vpn_openssl_version='1.0.0'
+    if [ ! -f openssl-${vpn_openssl_version}.cnf ]; then
+        echo $"openssl-${vpn_openssl_version}.cnf was not found" >> /var/log/${PROJECT_NAME}.log
+        exit 7392353
+    fi
+    cp openssl-${vpn_openssl_version}.cnf openssl.cnf
+
+    if [ -f /etc/openvpn/easy-rsa/keys/${OPENVPN_SERVER_NAME}.crt ]; then
+        rm /etc/openvpn/easy-rsa/keys/${OPENVPN_SERVER_NAME}.crt
+    fi
+    if [ -f /etc/openvpn/easy-rsa/keys/${OPENVPN_SERVER_NAME}.key ]; then
+        rm /etc/openvpn/easy-rsa/keys/${OPENVPN_SERVER_NAME}.key
+    fi
+    if [ -f /etc/openvpn/easy-rsa/keys/${OPENVPN_SERVER_NAME}.csr ]; then
+        rm /etc/openvpn/easy-rsa/keys/${OPENVPN_SERVER_NAME}.csr
+    fi
+    sed -i 's| --interact||g' build-key-server
+    sed -i 's| --interact||g' build-ca
+    ./build-ca
+    ./build-key-server ${OPENVPN_SERVER_NAME}
+    if [ ! -f /etc/openvpn/easy-rsa/keys/${OPENVPN_SERVER_NAME}.crt ]; then
+        echo $'OpenVPN crt not found' >> /var/log/${PROJECT_NAME}.log
+        exit 7823352
+    fi
+    server_cert=$(cat /etc/openvpn/easy-rsa/keys/${OPENVPN_SERVER_NAME}.crt)
+    if [ ${#server_cert} -lt 10 ]; then
+        cat /etc/openvpn/easy-rsa/keys/${OPENVPN_SERVER_NAME}.crt
+        echo $'Server cert generation failed' >> /var/log/${PROJECT_NAME}.log
+        exit 3284682
+    fi
+
+    if [ ! -f /etc/openvpn/easy-rsa/keys/${OPENVPN_SERVER_NAME}.key ]; then
+        echo $'OpenVPN key not found' >> /var/log/${PROJECT_NAME}.log
+        exit 6839436
+    fi
+    if [ ! -f /etc/openvpn/easy-rsa/keys/ca.key ]; then
+        echo $'OpenVPN ca not found' >> /var/log/${PROJECT_NAME}.log
+        exit 7935203
+    fi
+    cp /etc/openvpn/easy-rsa/keys/{$OPENVPN_SERVER_NAME.crt,$OPENVPN_SERVER_NAME.key,ca.crt} /etc/openvpn
+
+    create_user_vpn_key ${MY_USERNAME}
+}
+
+function generate_stunnel_keys {
+    echo "Creating stunnel keys" >> /var/log/${PROJECT_NAME}.log
+    openssl req -x509 -nodes -days 3650 -sha256 \
+            -subj "/O=$VPN_ORGANISATION/OU=$VPN_UNIT/C=$VPN_COUNTRY_CODE/ST=$VPN_AREA/L=$VPN_LOCATION/CN=$HOSTNAME" \
+            -newkey rsa:2048 -keyout /etc/stunnel/key.pem \
+            -out /etc/stunnel/cert.pem
+    if [ ! -f /etc/stunnel/key.pem ]; then
+        echo $'stunnel key not created' >> /var/log/${PROJECT_NAME}.log
+        exit 793530
+    fi
+    if [ ! -f /etc/stunnel/cert.pem ]; then
+        echo $'stunnel cert not created' >> /var/log/${PROJECT_NAME}.log
+        exit 204587
+    fi
+    chmod 400 /etc/stunnel/key.pem
+    chmod 640 /etc/stunnel/cert.pem
+
+    cat /etc/stunnel/key.pem /etc/stunnel/cert.pem >> /etc/stunnel/stunnel.pem
+    chmod 640 /etc/stunnel/stunnel.pem
+
+    openssl pkcs12 -export -out /etc/stunnel/stunnel.p12 -inkey /etc/stunnel/key.pem -in /etc/stunnel/cert.pem -passout pass:
+    if [ ! -f /etc/stunnel/stunnel.p12 ]; then
+        echo $'stunnel pkcs12 not created' >> /var/log/${PROJECT_NAME}.log
+        exit 639353
+    fi
+    chmod 640 /etc/stunnel/stunnel.p12
+
+    cp /etc/stunnel/stunnel.pem /home/$MY_USERNAME/stunnel.pem
+    cp /etc/stunnel/stunnel.p12 /home/$MY_USERNAME/stunnel.p12
+    chown $MY_USERNAME:$MY_USERNAME $prefix$userhome/stunnel*
+    echo "stunnel keys created" >> /var/log/${PROJECT_NAME}.log
+}
+
+function mesh_setup_vpn {
+    vpn_generate_keys
+
+    cp /etc/stunnel/stunnel-client.conf /home/$MY_USERNAME/stunnel-client.conf
+    chown $MY_USERNAME:$MY_USERNAME /home/$MY_USERNAME/stunnel*
+
+    generate_stunnel_keys
+
+    sed -i 's|tun-mtu .*|tun-mtu 1532|g' /home/$MY_USERNAME/client.ovpn
+
+    systemctl restart openvpn
+}
+
+function initialise_scuttlebot_pub {
+    chown -R scuttlebot:scuttlebot /etc/scuttlebot
+
+    systemctl enable scuttlebot.service
+    systemctl daemon-reload
+    systemctl start scuttlebot.service
+
+    sleep 3
+
+    if [ ! -d /etc/scuttlebot/.ssb ]; then
+        echo $'Scuttlebot config not generated' >> /var/log/${PROJECT_NAME}.log
+        exit 73528
+    fi
+
+    echo '{' > /etc/scuttlebot/.ssb/config
+    echo "  \"host\": \"${HOSTNAME}\"," >> /etc/scuttlebot/.ssb/config
+    echo "  \"port\": ${SCUTTLEBOT_PORT}," >> /etc/scuttlebot/.ssb/config
+    echo '  "allowPrivate": true,' >> /etc/scuttlebot/.ssb/config
+    echo '  "timeout": 30000,' >> /etc/scuttlebot/.ssb/config
+    echo '  "pub": true,' >> /etc/scuttlebot/.ssb/config
+    echo '  "local": true,' >> /etc/scuttlebot/.ssb/config
+    echo '  "friends": {' >> /etc/scuttlebot/.ssb/config
+    echo '    "dunbar": 150,' >> /etc/scuttlebot/.ssb/config
+    echo '    "hops": 3' >> /etc/scuttlebot/.ssb/config
+    echo '  },' >> /etc/scuttlebot/.ssb/config
+    echo '  "gossip": {' >> /etc/scuttlebot/.ssb/config
+    echo '    "connections": 2' >> /etc/scuttlebot/.ssb/config
+    echo '  },' >> /etc/scuttlebot/.ssb/config
+    echo '  "master": [],' >> /etc/scuttlebot/.ssb/config
+    echo '  "logging": {' >> /etc/scuttlebot/.ssb/config
+    echo '    "level": "error"' >> /etc/scuttlebot/.ssb/config
+    echo '  }' >> /etc/scuttlebot/.ssb/config
+    echo '}' >> /etc/scuttlebot/.ssb/config
+    chown scuttlebot:scuttlebot /etc/scuttlebot/.ssb/config
+    systemctl restart scuttlebot.service
+}
+
 # whether to reset the identity
 set_new_identity=
 if [ $2 ]; then
         rm -rf /home/$MY_USERNAME/.ssb
     fi
 
+    # Remove vpn keys
+    if [ -d /etc/openvpn/easy-rsa/keys ]; then
+        rm -rf /etc/openvpn/easy-rsa/keys/*
+    fi
+
     echo $'Beginning mesh node setup' >> $INSTALL_LOG
 
     if [ -d /home/$MY_USERNAME/.config ]; then
     configure_toxcore
     create_tox_user
     #setup_tahoelafs
+    mesh_setup_vpn
+    initialise_scuttlebot_pub
     setup_ipfs
     mesh_amnesic
     make_root_read_only

src/freedombone-mesh-batman

 # License
 # =======
 #
-# Copyright (C) 2015-2016 Bob Mottram <bob@freedombone.net>
+# Copyright (C) 2015-2017 Bob Mottram <bob@freedombone.net>
 #
 # This program is free software: you can redistribute it and/or modify
 # it under the terms of the GNU Affero General Public License as published by
 
 PROJECT_NAME='freedombone'
 COMPLETION_FILE=/root/${PROJECT_NAME}-completed.txt
-HOTSPOT_PASSPHRASE='mesh'
+
+# hotspot passphrase must be 5 characters or longer
+HOTSPOT_PASSPHRASE="${PROJECT_NAME}"
 
 source /usr/share/${PROJECT_NAME}/utils/${PROJECT_NAME}-utils-wifi
 
     . /etc/default/batctl
 fi
 
+function get_ipv4_wlan {
+    echo $(ip -o -f inet addr show dev "$IFACE" | awk '{print $4}' | awk 'END {print}' | awk -F '/' '{print $1}')
+}
+
+function mesh_hotspot_ip_address {
+    echo $(ip -o -f inet addr show dev "$BRIDGE" | awk '{print $4}' | awk 'END {print}' | awk -F '/' '{print $1}')
+}
+
 function global_rate_limit {
     if ! grep -q "tcp_challenge_ack_limit" /etc/sysctl.conf; then
         echo 'net.ipv4.tcp_challenge_ack_limit = 999999999' >> /etc/sysctl.conf
     fi
     if [ "$EIFACE" ]; then
         brctl delif $BRIDGE bat0
-        brctl delif $BRIDGE $EIFACE
         ifconfig $BRIDGE down || true
+        ethernet_connected=$(cat /sys/class/net/$EIFACE/carrier)
+        if [[ "$ethernet_connected" != "0" ]]; then
+            systemctl stop hostapd
+            brctl delif $BRIDGE $EIFACE
+            ifconfig $EIFACE down -promisc
+        fi
         brctl delbr $BRIDGE
-        ifconfig $EIFACE down -promisc
-    fi
-    if [ $IFACE_SECONDARY ]; then
-        systemctl stop hostapd
-        brctl delif $BRIDGE_HOTSPOT bat0
-        ifconfig $BRIDGE_HOTSPOT down || true
-        brctl delbr $BRIDGE_HOTSPOT
     fi
 
     avahi-autoipd -k $BRIDGE
     ifconfig bat0 down -promisc
 
     batctl if del $IFACE
-    rmmod batman-adv
     ifconfig $IFACE mtu 1500
     ifconfig $IFACE down
     iwconfig $IFACE mode managed
 
+    if [ $IFACE_SECONDARY ]; then
+        systemctl stop hostapd
+        systemctl disable hostapd
+        batctl if del $IFACE_SECONDARY
+        ifconfig $IFACE_SECONDARY mtu 1500
+        ifconfig $IFACE_SECONDARY down
+        iwconfig $IFACE_SECONDARY mode managed
+    fi
+
+    rmmod batman-adv
+
     iptables -D INPUT -p tcp --dport $TRACKER_PORT -j ACCEPT
     iptables -D INPUT -p udp --dport $TRACKER_PORT -j ACCEPT
     iptables -D INPUT -p tcp --dport 80 -j ACCEPT
     iptables -D INPUT -p tcp --dport $LIBREVAULT_PORT -j ACCEPT
     iptables -D INPUT -p udp --dport $LIBREVAULT_PORT -j ACCEPT
     iptables -D INPUT -p tcp --dport $TAHOELAFS_PORT -j ACCEPT
-    # SSB/Patchwork
+    # SSB/Scuttlebot/Patchwork
     iptables -D INPUT -p udp --dport 8008 -j ACCEPT
     iptables -D INPUT -p tcp --dport 8008 -j ACCEPT
+    iptables -D INPUT -p udp --dport 8010 -j ACCEPT
+    iptables -D INPUT -p tcp --dport 8010 -j ACCEPT
+    # vpn over the internet
+    iptables -D INPUT -p tcp --dport 653 -j ACCEPT
+    iptables -D INPUT -p udp --dport 653 -j ACCEPT
+    iptables -D INPUT -i ${EIFACE} -m state --state NEW -p tcp --dport 1194 -j ACCEPT
+    iptables -D INPUT -i tun+ -j ACCEPT
+    iptables -D FORWARD -i tun+ -j ACCEPT
+    iptables -D FORWARD -i tun+ -o ${EIFACE} -m state --state RELATED,ESTABLISHED -j ACCEPT
+    iptables -D FORWARD -i ${EIFACE} -o tun+ -m state --state RELATED,ESTABLISHED -j ACCEPT
+    iptables -t nat -D POSTROUTING -s 10.8.0.0/24 -o ${EIFACE} -j MASQUERADE
+    iptables -D OUTPUT -o tun+ -j ACCEPT
+
+    echo 0 > /proc/sys/net/ipv4/ip_forward
+    sed -i 's|net.ipv4.ip_forward=.*|net.ipv4.ip_forward=0|g' /etc/sysctl.conf
 
     systemctl restart network-manager
 }
         fi
         echo -n "${octet}"
     done
-    echo ''
+}
+
+function add_wifi_interface {
+    ifname=$1
+    ifssid=$WIFI_SSID
+    if [ $2 ]; then
+        ifssid=$2
+    fi
+    ifmode=ad-hoc
+    if [ $3 ]; then
+        ifmode=$3
+    fi
+    ifchannel=$CHANNEL
+    if [ $4 ]; then
+        ifchannel=$4
+    fi
+
+    ifconfig $ifname down
+    ifconfig $ifname mtu 1532
+    peermac=$(assign_peer_address)
+    if [ ! $peermac ]; then
+        echo $"Unable to obtain MAC address for $peermac on $ifname"
+        return
+    fi
+    ifconfig $ifname hw ether $peermac
+    echo $"$ifname assigned MAC address $peermac"
+    iwconfig $ifname enc off
+    iwconfig $ifname mode $ifmode essid $ifssid channel $ifchannel
+
+    batctl if add $ifname
+    ifconfig $ifname up
+}
+
+function mesh_create_app_downloads_page {
+    if [ ! -d /root/$PROJECT_NAME/image_build/mesh_apps ]; then
+        return
+    fi
+    if [ ! -d /var/www/html ]; then
+        return
+    fi
+    cp /root/$PROJECT_NAME/website/EN/meshindex.html /var/www/html/index.html
+    if [ ! -f /var/www/html/ssb.apk ]; then
+        cp /root/$PROJECT_NAME/image_build/mesh_apps/ssb.apk /var/www/html/ssb.apk
+    fi
+    if [ ! -d /var/www/html/images ]; then
+        mkdir /var/www/html/images
+    fi
+    if [ ! -f /var/www/html/images/logo.png ]; then
+        cp /root/$PROJECT_NAME/img/logo.png /var/www/html/images/logo.png
+    fi
+    if [ ! -f /var/www/html/images/ssb.png ]; then
+        cp /root/$PROJECT_NAME/img/icon_patchwork.png /var/www/html/images/ssb.png
+    fi
+    if [ ! -f /var/www/html/freedombone.css ]; then
+        cp /root/$PROJECT_NAME/website/freedombone.css /var/www/html/freedombone.css
+    fi
+    chown -R www-data:www-data /var/www/html/*
 }
 
 function start {
     # Might have to re-enable wifi
     rfkill unblock $(rfkill list|awk -F: "/phy/ {print $1}") || true
 
-    ifconfig $IFACE down
-    ifconfig $IFACE mtu 1532
-    ifconfig $IFACE hw ether $(assign_peer_address)
-    iwconfig $IFACE enc off
-    iwconfig $IFACE mode ad-hoc essid $WIFI_SSID channel $CHANNEL
-    sleep 1
-    iwconfig $IFACE ap $CELLID
+    secondary_wifi_available=
+    if [ $IFACE_SECONDARY ]; then
+        if [[ $IFACE != $IFACE_SECONDARY ]]; then
+            if [ -d /etc/hostapd ]; then
+                if [ ${#HOTSPOT_PASSPHRASE} -gt 4 ]; then
+                    secondary_wifi_available=1
+                else
+                    echo $'Hotspot passphrase is too short'
+                fi
+            fi
+        fi
+    fi
 
     modprobe batman-adv
-    batctl if add $IFACE
-    ifconfig $IFACE up
+
+    add_wifi_interface $IFACE $WIFI_SSID ad-hoc $CHANNEL
     avahi-autoipd --force-bind --daemonize --wait $IFACE
-    ifconfig bat0 up promisc
 
-    #Use persistent HWAddr
-    ether_new=$(ifconfig eth0 | grep HWaddr | sed -e "s/.*HWaddr //")
-    if [ ! -f /var/lib/mesh-node/bat0 ]; then
-        mkdir /var/lib/mesh-node
-        echo "${ether_new}" > /var/lib/mesh-node/bat0
-    else
-        ether=$(cat /var/lib/mesh-node/bat0)
-        ifconfig bat0 hw ether ${ether}
-    fi
+    # NOTE: Don't connect the secondary wifi device. hostapd will handle that by itself
 
-    if [ "$EIFACE" ] ; then
-        brctl addbr $BRIDGE
-        brctl addif $BRIDGE bat0
-        brctl addif $BRIDGE $EIFACE
-        ifconfig bat0 0.0.0.0
-        ifconfig $EIFACE 0.0.0.0
-        ifconfig $EIFACE up promisc
-        ifconfig $BRIDGE up
-        avahi-autoipd --force-bind --daemonize --wait $BRIDGE
-    fi
+    ifconfig bat0 up promisc
 
-    if [ $IFACE_SECONDARY ]; then
-        if [[ $IFACE != $IFACE_SECONDARY ]]; then
-            if [ -d /etc/hostapd ]; then
-                # bridge between mesh and wifi hotspot for mobile
-                HOTSPOT_NAME=$"${WIFI_SSID}-hotspot"
-                ifconfig $IFACE_SECONDARY down
-                ifconfig $IFACE_SECONDARY mtu 1500
-                ifconfig $IFACE_SECONDARY hw ether $(assign_peer_address)
-                iwconfig $IFACE_SECONDARY enc open
-                iwconfig $IFACE_SECONDARY mode managed essid $HOTSPOT_NAME channel ${HOTSPOT_CHANNEL}
-                iwconfig $IFACE_SECONDARY ap $CELLID
-
-                brctl addbr $BRIDGE_HOTSPOT
-                brctl addif $BRIDGE_HOTSPOT bat0
-                brctl addif $BRIDGE_HOTSPOT $IFACE_SECONDARY
-                ifconfig bat0 0.0.0.0
-                ifconfig $IFACE_SECONDARY 0.0.0.0
-
-                sed -i 's|#DAEMON_CONF=.*|DAEMON_CONF="/etc/hostapd/hostapd.conf"|g' /etc/default/hostapd
-
-                echo "interface=${IFACE_SECONDARY}" > /etc/hostapd/hostapd.conf
-                echo "bridge=${BRIDGE_HOTSPOT}" >> /etc/hostapd/hostapd.conf
-                echo 'driver=nl80211' >> /etc/hostapd/hostapd.conf
-                echo "country_code=UK" >> /etc/hostapd/hostapd.conf
-                echo "ssid=$HOTSPOT_NAME" >> /etc/hostapd/hostapd.conf
-                echo 'hw_mode=g' >> /etc/hostapd/hostapd.conf
-                echo "channel=${HOTSPOT_CHANNEL}" >> /etc/hostapd/hostapd.conf
-                echo 'wpa=2' >> /etc/hostapd/hostapd.conf
-                echo "wpa_passphrase=$HOTSPOT_PASSPHRASE" >> /etc/hostapd/hostapd.conf
-                echo 'wpa_key_mgmt=WPA-PSK' >> /etc/hostapd/hostapd.conf
-                echo 'wpa_pairwise=TKIP' >> /etc/hostapd/hostapd.conf
-                echo 'rsn_pairwise=CCMP' >> /etc/hostapd/hostapd.conf
-                echo 'auth_algs=1' >> /etc/hostapd/hostapd.conf
-                echo 'macaddr_acl=0' >> /etc/hostapd/hostapd.conf
-
-                ifconfig $BRIDGE_HOTSPOT up
-                avahi-autoipd --force-bind --daemonize --wait $BRIDGE_HOTSPOT
-                ifconfig $IFACE_SECONDARY up promisc
-                #ifconfig $IFACE_SECONDARY auto-dhcp start
-                systemctl start hostapd
-            fi
+    brctl addbr $BRIDGE
+    brctl addif $BRIDGE bat0
+    ifconfig bat0 0.0.0.0
+    if [ "$EIFACE" ] ; then
+        ethernet_connected=$(cat /sys/class/net/$EIFACE/carrier)
+        if [[ "$ethernet_connected" != "0" ]]; then
+            echo $'Trying ethernet bridge to the internet'
+            brctl addif $BRIDGE $EIFACE
+            ifconfig $EIFACE 0.0.0.0
+            ifconfig $EIFACE up promisc
+            echo $'End of ethernet bridge'
+        else
+            echo $"$EIFACE is not connected"
         fi
     fi
+    ifconfig $BRIDGE up
+    dhclient $BRIDGE
+
+    if [ $secondary_wifi_available ]; then
+        sed -i 's|#DAEMON_CONF=.*|DAEMON_CONF="/etc/hostapd/hostapd.conf"|g' /etc/default/hostapd
+
+        echo "interface=${IFACE_SECONDARY}" > /etc/hostapd/hostapd.conf
+        echo "bridge=${BRIDGE}" >> /etc/hostapd/hostapd.conf
+        echo 'driver=nl80211' >> /etc/hostapd/hostapd.conf
+        echo "country_code=UK" >> /etc/hostapd/hostapd.conf
+        echo "ssid=${WIFI_SSID}-$(mesh_hotspot_ip_address)" >> /etc/hostapd/hostapd.conf
+        echo 'hw_mode=g' >> /etc/hostapd/hostapd.conf
+        echo "channel=${HOTSPOT_CHANNEL}" >> /etc/hostapd/hostapd.conf
+        echo 'wpa=2' >> /etc/hostapd/hostapd.conf
+        echo "wpa_passphrase=$HOTSPOT_PASSPHRASE" >> /etc/hostapd/hostapd.conf
+        echo 'wpa_key_mgmt=WPA-PSK' >> /etc/hostapd/hostapd.conf
+        echo 'wpa_pairwise=TKIP' >> /etc/hostapd/hostapd.conf
+        echo 'rsn_pairwise=CCMP' >> /etc/hostapd/hostapd.conf
+        echo 'auth_algs=1' >> /etc/hostapd/hostapd.conf
+        echo 'macaddr_acl=0' >> /etc/hostapd/hostapd.conf
+
+        systemctl enable hostapd
+        systemctl restart hostapd
+        mesh_create_app_downloads_page
+    fi
 
     iptables -A INPUT -p icmp --icmp-type echo-request -j ACCEPT
     iptables -A OUTPUT -p icmp --icmp-type echo-reply -j ACCEPT
     iptables -A INPUT -p tcp --dport $LIBREVAULT_PORT -j ACCEPT
     iptables -A INPUT -p udp --dport $LIBREVAULT_PORT -j ACCEPT
     iptables -A INPUT -p tcp --dport $TAHOELAFS_PORT -j ACCEPT
-    # SSB/Patchwork
+    # SSB/Scuttlebot/Patchwork
     iptables -A INPUT -p udp --dport 8008 -j ACCEPT
     iptables -A INPUT -p tcp --dport 8008 -j ACCEPT
+    iptables -A INPUT -p udp --dport 8010 -j ACCEPT
+    iptables -A INPUT -p tcp --dport 8010 -j ACCEPT
+    # vpn over the internet
+    iptables -A INPUT -p tcp --dport 653 -j ACCEPT
+    iptables -A INPUT -p udp --dport 653 -j ACCEPT
+    iptables -A INPUT -i ${EIFACE} -m state --state NEW -p tcp --dport 1194 -j ACCEPT
+    iptables -A INPUT -i tun+ -j ACCEPT
+    iptables -A FORWARD -i tun+ -j ACCEPT
+    iptables -A FORWARD -i tun+ -o ${EIFACE} -m state --state RELATED,ESTABLISHED -j ACCEPT
+    iptables -A FORWARD -i ${EIFACE} -o tun+ -m state --state RELATED,ESTABLISHED -j ACCEPT
+    iptables -t nat -A POSTROUTING -s 10.8.0.0/24 -o ${EIFACE} -j MASQUERADE
+    iptables -A OUTPUT -o tun+ -j ACCEPT
+
+    echo 1 > /proc/sys/net/ipv4/ip_forward
+    sed -i 's|# net.ipv4.ip_forward|net.ipv4.ip_forward|g' /etc/sysctl.conf
+    sed -i 's|#net.ipv4.ip_forward|net.ipv4.ip_forward|g' /etc/sysctl.conf
+    sed -i 's|net.ipv4.ip_forward.*|net.ipv4.ip_forward=1|g' /etc/sysctl.conf
 
     systemctl restart avahi-daemon
 
+    if [ -f /etc/scuttlebot/.ssb/config ]; then
+        ethernet_connected=$(cat /sys/class/net/eth0/carrier)
+        if [[ "$ethernet_connected" != "0" ]]; then
+            sed -i "s|\"host\": .*|\"host\": \"$(get_ipv4_wlan)\",|g" /etc/scuttlebot/.ssb/config
+            systemctl restart scuttlebot
+        else
+            systemctl stop scuttlebot
+        fi
+    fi
+
     verify
 }
 

src/freedombone-mesh-invite

+#!/bin/bash
+#
+# .---.                  .              .
+# |                      |              |
+# |--- .--. .-.  .-.  .-.|  .-. .--.--. |.-.  .-. .--.  .-.
+# |    |   (.-' (.-' (   | (   )|  |  | |   )(   )|  | (.-'
+# '    '     --'  --'  -' -  -' '  '   -' -'   -' '   -  --'
+#
+#                    Freedom in the Cloud
+#
+# Creates a scuttlebot invite for use with Ferment or Patchwork
+#
+# License
+# =======
+#
+# This program is free software: you can redistribute it and/or modify
+# it under the terms of the GNU Affero General Public License as published by
+# the Free Software Foundation, either version 3 of the License, or
+# (at your option) any later version.
+#
+# This program is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+# GNU Affero General Public License for more details.
+#
+# You should have received a copy of the GNU Affero General Public License
+# along with this program.  If not, see <http://www.gnu.org/licenses/>.
+
+PROJECT_NAME='freedombone'
+
+export TEXTDOMAIN=${PROJECT_NAME}-mesh-invite
+export TEXTDOMAINDIR="/usr/share/locale"
+
+invite=$(sudo -- bash -c 'su -c "sbot invite.create 1" - scuttlebot' | awk -F '"' '{print $2}')
+
+if [ ${#invite} -lt 10 ]; then
+   dialog --title $"Create Invite" \
+          --msgbox $"\nThe invite could not be created" 7 70
+   exit 1
+fi
+
+echo "$invite" | xclip -selection c
+
+dialog --title $"Create Invite" \
+       --msgbox $"\nThe invite has been copied to the clipboard.\n\nYou can paste it with CTRL+v" 9 70
+
+exit 0

src/freedombone-mesh-reset

        sudo pkill firefox
        sudo pkill iceweasel
        sudo pkill midori
+       sudo pkill patchwork
        sudo rm -f $MESH_INSTALL_COMPLETED
        sudo ${PROJECT_NAME}-image-mesh $USER new
        sudo batman start

src/freedombone-utils-wifi

     IFACE_SECONDARY=
 
     for i in $(seq 10 -1 0); do
+        ifdown --force wlan${i}
+    done
+
+    for i in $(seq 10 -1 0); do
         if grep -q "wlan${i}" /proc/net/dev; then
             if [ ! $IFACE ]; then
                 IFACE="wlan${i}"

website/EN/app_vpn.html

 "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
 <html xmlns="http://www.w3.org/1999/xhtml" lang="en" xml:lang="en">
 <head>
-<!-- 2017-09-27 Wed 17:58 -->
+<!-- 2017-10-05 Thu 14:51 -->
 <meta http-equiv="Content-Type" content="text/html;charset=utf-8" />
 <meta name="viewport" content="width=device-width, initial-scale=1" />
 <title>&lrm;</title>
 On Freedombone the VPN is wrapped within a TLS layer of encryption, making it difficult for any deep packet inspection systems to know whether you are using a VPN or not. Since there is lots of TLS traffic on the internet your connection looks like any other TLS connection to a server, and this may help to avoid being censored. It's probably not possible for your local ISP to block TLS traffic without immediately generating a lot of irate customers, and stopping any kind of commercial activity.
 </p>
 
-<div id="outline-container-org778c839" class="outline-2">
-<h2 id="org778c839">Installation</h2>
-<div class="outline-text-2" id="text-org778c839">
+<div id="outline-container-orgb96ecdd" class="outline-2">
+<h2 id="orgb96ecdd">Installation</h2>
+<div class="outline-text-2" id="text-orgb96ecdd">
 <p>
 ssh into the system with:
 </p>
 </div>
 </div>
 
-<div id="outline-container-org2cfcc49" class="outline-2">
-<h2 id="org2cfcc49">Usage</h2>
-<div class="outline-text-2" id="text-org2cfcc49">
+<div id="outline-container-orgc55576d" class="outline-2">
+<h2 id="orgc55576d">Usage</h2>
+<div class="outline-text-2" id="text-orgc55576d">
 <p>
 When the installation is complete you can download your VPN keys and configuration files onto your local machine.
 </p>
 </p>
 
 <div class="org-src-container">
-<pre class="src src-bash">sudp pacman -S openvpn stunnel4
+<pre class="src src-bash">sudo pacman -S openvpn stunnel4
 </pre>
 </div>
 
 </div>
 </div>
 
-<div id="outline-container-orgc7282cd" class="outline-2">
-<h2 id="orgc7282cd">Changing port number</h2>
-<div class="outline-text-2" id="text-orgc7282cd">
+<div id="outline-container-org8a983c5" class="outline-2">
+<h2 id="org8a983c5">Changing port number</h2>
+<div class="outline-text-2" id="text-org8a983c5">
 <p>
 Avoiding censorship can be a cat and mouse game, and so if the port you're using for VPN gets blocked then you may want to change it.
 </p>
 </div>
 
 <p>
-Select <b>Administrator controls</b> then <b>App Settings</b> then <b>vpn</b>. Choose <b>Change TLS port</b> and enter a new port value. You can then either manually change the port within your VPN configuration files, or download them again as described in the <a href="#org2cfcc49">Usage</a> section above.
+Select <b>Administrator controls</b> then <b>App Settings</b> then <b>vpn</b>. Choose <b>Change TLS port</b> and enter a new port value. You can then either manually change the port within your VPN configuration files, or download them again as described in the <a href="#orgc55576d">Usage</a> section above.
 </p>
 </div>
 </div>
 
-<div id="outline-container-orgbe4ddea" class="outline-2">
-<h2 id="orgbe4ddea">Generating new keys</h2>
-<div class="outline-text-2" id="text-orgbe4ddea">
+<div id="outline-container-orgc802140" class="outline-2">
+<h2 id="orgc802140">Generating new keys</h2>
+<div class="outline-text-2" id="text-orgc802140">
 <p>
-It's possible that your VPN keys might get lost or compromised on your local machine. If that happens you can generate new ones from the <b>Administrator controls</b> by going to <b>App Settings</b> then <b>vpn</b> then choosing <b>Regenerate keys for a user</b> and downloading the new keys as described in the <a href="#org2cfcc49">Usage</a> section above.
+It's possible that your VPN keys might get lost or compromised on your local machine. If that happens you can generate new ones from the <b>Administrator controls</b> by going to <b>App Settings</b> then <b>vpn</b> then choosing <b>Regenerate keys for a user</b> and downloading the new keys as described in the <a href="#orgc55576d">Usage</a> section above.
 </p>
 </div>
 </div>

website/EN/index.html

 "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
 <html xmlns="http://www.w3.org/1999/xhtml" lang="en" xml:lang="en">
 <head>
-<!-- 2017-09-28 Thu 10:42 -->
+<!-- 2017-10-05 Thu 13:21 -->
 <meta http-equiv="Content-Type" content="text/html;charset=utf-8" />
 <meta name="viewport" content="width=device-width, initial-scale=1" />
 <title>&lrm;</title>
 </p>
 
 <p>
-Want to make a community mesh network which doesn't depend upon the internet? The <a href="./mesh.html">Freedombone Mesh</a> is a wireless solution for autonomous communication that can be rapidly deployed in temporary, emergency or post-disaster situations where internet access is unavailable or compromised.
+Want to make a community mesh network which can either be fully autonomous or connected to the internet? The <a href="./mesh.html">Freedombone Mesh</a> is a wireless solution for networked communication that can be rapidly deployed in temporary, emergency or post-disaster situations where internet access is unavailable or compromised, or used as an infrastructural community service similar to <a href="https://en.wikipedia.org/wiki/Freifunk">Freifunk</a>.
 </p>
 
 <p>

website/EN/mesh.html

 "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
 <html xmlns="http://www.w3.org/1999/xhtml" lang="en" xml:lang="en">
 <head>
-<!-- 2017-09-23 Sat 21:46 -->
+<!-- 2017-10-05 Thu 15:10 -->
 <meta http-equiv="Content-Type" content="text/html;charset=utf-8" />
 <meta name="viewport" content="width=device-width, initial-scale=1" />
 <title>&lrm;</title>
 </colgroup>
 <tbody>
 <tr>
-<td class="org-left"><a href="#org802af98">What the system can do</a></td>
+<td class="org-left"><a href="#orgb0dd1ad">What the system can do</a></td>
 <td class="org-left">-</td>
-<td class="org-left"><a href="#org38eda48">Disk Images</a></td>
+<td class="org-left"><a href="#org2b727b3">Disk Images</a></td>
 <td class="org-left">-</td>
-<td class="org-left"><a href="#org0c3a295">Building Disk Images</a></td>
+<td class="org-left"><a href="#org520845e">Building Disk Images</a></td>
 <td class="org-left">-</td>
-<td class="org-left"><a href="#org5f6418e">How to use it</a></td>
+<td class="org-left"><a href="#org315aa35">How to use it</a></td>
 </tr>
 </tbody>
 </table>
 </blockquote>
 
 <p>
-The Freedombone Mesh is a wireless solution for autonomous communication that can be rapidly deployed in temporary, emergency or post-disaster situations where internet access is unavailable or compromised.
+The Freedombone Mesh is a wireless solution for autonomous or internet connected communication that can be rapidly deployed in temporary, emergency or post-disaster situations where internet access is unavailable or compromised.
 </p>
 
 <p>
-Mesh networks are useful as a quick way to make a fully decentralised communications system which is not connected to or reliant upon the internet. Think festivals, hacker conferences, onboard ships at sea, disaster/war zones, small business internal office communications, protests, remote areas of the world, temporary "digital blackouts", scientific expeditions and off-world space colonies. The down side is that you can't access any internet content. The upside is that you can securely communicate with anyone on the local mesh. No ISPs. No payments or subscriptions beyond the cost of obtaining the hardware. Systems need to be within wifi range of each other for the mesh to be created. It can be an ultra-convenient way to do purely local communications.
+Mesh networks are useful as a quick way to make a fully decentralised communications system which is not connected to or reliant upon the internet. Think festivals, hacker conferences, onboard ships at sea, disaster/war zones, small businesses who don't want the overhead of server maintenance, protests, remote areas of the world, temporary "digital blackouts", scientific expeditions and off-world space colonies.
+</p>
+
+<p>
+If an internet connection is available then it can make use of that, but otherwise it can still work regardless of whether the internet exists. So it's not dependent upon ISPs and additional infrastructure other than USB drives isn't required.
+</p>
+
+<p>
+Systems only need to be within wifi range of each other for the mesh to be created, so it can be an very convenient way to create a local communications network.
 </p>
 
 <p>
 <li><b>Evolvable</b>: The network should be built with future development in mind. The platform should be flexible enough to support technologies, protocols and modes of usage that have not yet been developed.</li>
 </ul>
 
-<div id="outline-container-org802af98" class="outline-2">
-<h2 id="org802af98">What the system can do</h2>
-<div class="outline-text-2" id="text-org802af98">
+<div id="outline-container-orgb0dd1ad" class="outline-2">
+<h2 id="orgb0dd1ad">What the system can do</h2>
+<div class="outline-text-2" id="text-orgb0dd1ad">
 <ul class="org-ul">
 <li>Discovery of other users on the network</li>
 <li>Text based chat, one-to-one and in groups</li>
-<li>Voice chat (VoIP)</li>
+<li>Voice chat (VoIP) and video calls</li>
 <li>Private and public sharing of files</li>
 <li>Blogging</li>
+<li>Creating and broadcasting audio media/podcasts</li>
 <li>Social network stream. Follow/unfollow other peers</li>
 <li>No network administration required</li>
-<li>No servers, internet connection or cabling is needed</li>
+<li>No servers</li>
+<li>Internet connection is optional</li>
 <li>Works from bootable USB drives or microSD drives</li>
 <li>Data is mesh routed between systems</li>
 <li>Private communications is end-to-end secured and forward secret</li>
 </ul>
 
 <p>
-This system should be quite scalable. Both qTox and IPFS are based upon distributed hash tables (DHT) so that each peer does not need to store the full index of data for the entire network. Caching or pinning of IPFS data and its content addressability means that if a file or blog becomes popular then performance should improve as the number of downloads increases, which is the opposite of the client/server paradigm.
+This system should be quite scalable. Both qTox and IPFS are based upon distributed hash tables (DHT) so that each peer does not need to store the full index of data for the entire network. Gossiping between SSB peers may be slower, but the <a href="https://en.wikipedia.org/wiki/Small-world_network">small world effect</a> will presumably still make for quite efficient delivery in a large network. Caching or pinning of IPFS data and its content addressability means that if a file or blog becomes popular then performance should improve as the number of downloads increases, which is the opposite of the client/server paradigm.
 </p>
 </div>
 </div>
 
-<div id="outline-container-org38eda48" class="outline-2">
-<h2 id="org38eda48">Disk Images</h2>
-<div class="outline-text-2" id="text-org38eda48">
+<div id="outline-container-org2b727b3" class="outline-2">
+<h2 id="org2b727b3">Disk Images</h2>
+<div class="outline-text-2" id="text-org2b727b3">
 </div>
-<div id="outline-container-org2291a28" class="outline-3">
-<h3 id="org2291a28">Writing many images quickly</h3>
-<div class="outline-text-3" id="text-org2291a28">
+<div id="outline-container-org4dcc4ac" class="outline-3">
+<h3 id="org4dcc4ac">Writing many images quickly</h3>
+<div class="outline-text-3" id="text-org4dcc4ac">
 <p>
 There may be situations where you need to write the same disk image to multiple drives at the same time in order to maximize rate of deployment. In the instructions given below the <b>dd</b> command is used for writing to the target drive, but to write to multiple drives you can use a tool such as <a href="https://wiki.gnome.org/Apps/MultiWriter">GNOME MultiWriter</a>.
 </p>
 </p>
 </div>
 </div>
-<div id="outline-container-orgd0546b8" class="outline-3">
-<h3 id="orgd0546b8">Client images</h3>
-<div class="outline-text-3" id="text-orgd0546b8">
+<div id="outline-container-orgd331956" class="outline-3">
+<h3 id="orgd331956">Client images</h3>
+<div class="outline-text-3" id="text-orgd331956">
 <div class="org-center">
 
 <div class="figure">
 </div>
 </div>
 
-<div id="outline-container-orgefe9dc5" class="outline-3">
-<h3 id="orgefe9dc5">Router images</h3>
-<div class="outline-text-3" id="text-orgefe9dc5">
+<div id="outline-container-org513ddc4" class="outline-3">
+<h3 id="org513ddc4">Router images</h3>
+<div class="outline-text-3" id="text-org513ddc4">
 <p>
 Routers are intended to build network coverage for an area using small and low cost hardware. You can bolt them to walls or leave them on window ledges. They don't have any user interface and their only job is to haul network traffic across the mesh and to enable peers to find each other via running bootstrap nodes for Tox and IPFS. Copy the image to a microSD card and insert it into the router, plug in an Atheros wifi dongle and power on. That should be all you need to do.
 </p>
 </div>
-<div id="outline-container-org2f4e6c1" class="outline-4">
-<h4 id="org2f4e6c1">Beaglebone Black</h4>
-<div class="outline-text-4" id="text-org2f4e6c1">
+<div id="outline-container-orgfa33a6f" class="outline-4">
+<h4 id="orgfa33a6f">Beaglebone Black</h4>
+<div class="outline-text-4" id="text-orgfa33a6f">
 <div class="org-center">
 
 <div class="figure">
 </div>
 </div>
 
-<div id="outline-container-org0c3a295" class="outline-2">
-<h2 id="org0c3a295">Building Disk Images</h2>
-<div class="outline-text-2" id="text-org0c3a295">
+<div id="outline-container-org520845e" class="outline-2">
+<h2 id="org520845e">Building Disk Images</h2>
+<div class="outline-text-2" id="text-org520845e">
 <p>
 It's better not to trust images downloaded from random places on the interwebs. Chances are that unless you are in the web of trust of the above GPG signatures then they don't mean very much to you. If you actually want something trustworthy then build the images from scratch. It will take some time. Here's how to do it.
 </p>
 </div>
 </div>
 
-<div id="outline-container-orgdbfa9a8" class="outline-2">
-<h2 id="orgdbfa9a8">Customisation</h2>
-<div class="outline-text-2" id="text-orgdbfa9a8">
+<div id="outline-container-org138c835" class="outline-2">
+<h2 id="org138c835">Customisation</h2>
+<div class="outline-text-2" id="text-org138c835">
 <p>
 If you want to make your own specially branded version, such as for a particular event, then to change the default desktop backgrounds edit the images within <b>img/backgrounds</b> and to change the available avatars and desktop icons edit the images within <b>img/avatars</b>. Re-create disk images using the instructions shown previously.
 </p>
 </p>
 </div>
 </div>
-<div id="outline-container-org5f6418e" class="outline-2">
-<h2 id="org5f6418e">How to use it</h2>
-<div class="outline-text-2" id="text-org5f6418e">
+<div id="outline-container-org315aa35" class="outline-2">
+<h2 id="org315aa35">How to use it</h2>
+<div class="outline-text-2" id="text-org315aa35">
 <p>
 When you first boot from the USB drive the system will create some encryption keys, assign a unique network address to the system and then reboot itself. When that's done you should see a prompt asking for a username. This username just makes it easy for others to initially find you on the mesh and will appear in the list of users.
 </p>
 </p>
 </div>
 
-<div id="outline-container-org6f259f7" class="outline-3">
-<h3 id="org6f259f7">Boot trouble</h3>
-<div class="outline-text-3" id="text-org6f259f7">
+<div id="outline-container-org1b3364a" class="outline-3">
+<h3 id="org1b3364a">Boot trouble</h3>
+<div class="outline-text-3" id="text-org1b3364a">
 <p>
 If the system doesn't boot and reports an error which includes <b>/dev/mapper/loop0p1</b> then reboot with <b>Ctrl-Alt-Del</b> and when you see the grub menu press <b>e</b> and manually change <b>/dev/mapper/loop0p1</b> to <b>/dev/sdb1</b>, then press <b>Ctrl-x</b>. If that doesn't work then reboot and try <b>/dev/sdc1</b> instead.
 </p>
 </p>
 </div>
 </div>
-<div id="outline-container-org32ab229" class="outline-3">
-<h3 id="org32ab229">Set the Date</h3>
-<div class="outline-text-3" id="text-org32ab229">
+<div id="outline-container-orgde8506a" class="outline-3">
+<h3 id="orgde8506a">Set the Date</h3>
+<div class="outline-text-3" id="text-orgde8506a">
 <p>
 On the ordinary internet the date and time of your system would be set automatically via NTP. But this is not the internet and so you will need to manually ensure that your date and time settings are correct. You might need to periodically do this if your clock drifts. It's not essential that the time on your system be highly accurate, but if it drifts too far or goes back to epoch then things could become a little confusing in regard to the order of blog posts.
 </p>
 </p>
 </div>
 </div>
-<div id="outline-container-org0a0c31f" class="outline-3">
-<h3 id="org0a0c31f">Check network status</h3>
-<div class="outline-text-3" id="text-org0a0c31f">
+<div id="outline-container-orgc819dda" class="outline-3">
+<h3 id="orgc819dda">Check network status</h3>
+<div class="outline-text-3" id="text-orgc819dda">
 <p>
 Unlike with ordinary wifi, on the mesh you don't get a signal strength icon and so it's not simple to see if you have a good connection.
 </p>
 </p>
 </div>
 </div>
+<div id="outline-container-org41bb113" class="outline-3">
+<h3 id="org41bb113">Connecting to the internet</h3>
+<div class="outline-text-3" id="text-org41bb113">
+<p>
+If you need to be able to access the internet from the mesh then connect one of the peers to an internet router using an ethernet cable, then reboot it. Other peers in the mesh, including any attached mobile devices, will then be able to access the internet using the ethernet attached peer as a gateway. <a href="https://en.wikipedia.org/wiki/Freifunk">Freifunk</a> works in a similar way.
+</p>
 
-<div id="outline-container-org334d737" class="outline-3">
-<h3 id="org334d737">Chat System</h3>
-<div class="outline-text-3" id="text-org334d737">
+<p>
+After connecting one peer to the internet you may need to reboot other peers in order to update their network configurations.
+</p>
+
+<p>
+If for legal reasons you need to connect to the internet via a VPN then openvpn is preinstalled and you can run the command:
+</p>
+
+<div class="org-src-container">
+<pre class="src src-bash">sudo openvpn myclient.ovpn
+</pre>
+</div>
+
+<p>
+Where <i>myclient.ovpn</i> comes from your VPN provider and with the password "<i>freedombone</i>".
+</p>
+</div>
+</div>
+<div id="outline-container-orgcffa0dd" class="outline-3">
+<h3 id="orgcffa0dd">Connecting two meshes over the internet via a VPN tunnel</h3>
+<div class="outline-text-3" id="text-orgcffa0dd">
+<p>
+Maybe the internet exists, but you don't care about getting any content from it and just want to use it as a way to connect mesh networks from different geographical locations together. VPN configuration, pem and stunnel files exist within the home directory. Edit the configuration with:
+</p>
+
+<div class="org-src-container">
+<pre class="src src-bash">nano ~/client.ovpn
+</pre>
+</div>
+
+<p>
+Edit the IP address or domain for the mesh that you wish to connect to within the <i>route</i> command:
+</p>
+
+<div class="org-src-container">
+<pre class="src src-bash">route [mesh IP or domain] 255.255.255.255 net_gateway
+</pre>
+</div>
+
+<p>
+Then you can connect to the other mesh with:
+</p>
+
+<div class="org-src-container">
+<pre class="src src-bash"><span class="org-builtin">cd</span> /home/fbone
+sudo stunnel stunnel-client.conf
+sudo openvpn client.ovpn
+</pre>
+</div>
+
+<p>
+Using the password "<i>freedombone</i>". From a deep packet inspection point of view the traffic going over the internet will just look like any other TLS connection to a server.
+</p>
+</div>
+</div>
+
+<div id="outline-container-org0071e68" class="outline-3">
+<h3 id="org0071e68">Mobile devices (phones, etc)</h3>
+<div class="outline-text-3" id="text-org0071e68">
+<p>
+To allow mobile devices to connect to the mesh you will need a second wifi adapter connected to your laptop/netbook/SBC. Plug in a second wifi adapter then reboot the system. The second adaptor will then create a wifi hotspot which mobile devices can connect to. The hotspot name also contains its local IP address (eg. "<i>mesh-192.168.1.83</i>").
+</p>
+
+<p>
+On a typical Android device go to <b>Settings</b> then <b>Security</b> and ensure that <b>Unknown sources</b> is enabled. Also within <b>Wifi</b> from the <b>Settings</b> screen select the mesh hotspot. The password is "<i>freedombone</i>". Open a non-Tor browser and navigate to the IP address showing in the hotspot name. You can then download and install mesh apps.
+</p>
+
+<div class="org-center">
+
+<div class="figure">
+<p><img src="images/mesh_mobileapps.jpg" alt="mesh_mobileapps.jpg" />
+</p>
+</div>
+</div>
+
+<p>
+On some android devices you may need to move the downloaded APK file from the <b>Downloads</b> directory to your <b>home</b> directory before you can install it.
+</p>
+</div>
+</div>
+<div id="outline-container-org15ce109" class="outline-3">
+<h3 id="org15ce109">Chat System</h3>
+<div class="outline-text-3" id="text-org15ce109">
 <p>
 Ensure that you're within wifi range of at least one other mesh peer (could be a router or client) and then you should see that the <i>Chat</i> and <i>Other Users</i> icons appear. Select the users icon and you should see a list of users on the mesh. Select the <i>Chat</i> icon and once you are connected you should see the status light turn green. If after a few minutes you don't get the green status light then try closing and re-opening the Tox chat application. Select the plus button to add a friend and then copy and paste in a Tox ID from the users list.
 </p>
 </div>
 </div>
 
-<div id="outline-container-org2195683" class="outline-3">
-<h3 id="org2195683">Social Network</h3>
-<div class="outline-text-3" id="text-org2195683">
+<div id="outline-container-org9f229f4" class="outline-3">
+<h3 id="org9f229f4">Social Network</h3>
+<div class="outline-text-3" id="text-org9f229f4">
 <p>
 Patchwork is available as a social networking system for the mesh. Like all social network systems it has a stream of posts and you can follow or unfollow other users. You can also send private messages to other users with end-to-end encryption.
 </p>
 </div>
 </div>
 
-<div id="outline-container-org41de3cc" class="outline-3">
-<h3 id="org41de3cc">Sharing Files</h3>
-<div class="outline-text-3" id="text-org41de3cc">
+<div id="outline-container-org31fc0a9" class="outline-3">
+<h3 id="org31fc0a9">Sharing Files</h3>
+<div class="outline-text-3" id="text-org31fc0a9">
 <p>
 You can make files publicly available on the network simply by dragging and dropping them into the <i>Public</i> folder on the desktop. To view the files belonging to another user select the desktop icon called <i>Visit a site</i> and enter the username or Tox ID of the other user.
 </p>
 </div>
 </div>
 
-<div id="outline-container-org534896d" class="outline-3">
-<h3 id="org534896d">Blogging</h3>
-<div class="outline-text-3" id="text-org534896d">
+<div id="outline-container-org5a54e47" class="outline-3">
+<h3 id="org5a54e47">Blogging</h3>
+<div class="outline-text-3" id="text-org5a54e47">
 <p>
 To create a blog post select the <i>Blog</i> icon on the desktop and then use the up and down cursor keys, space bar and enter key to add a new entry. Edit the title of the entry and add your text. You can also include photos if you wish - just copy them to the <b>CreateBlog/content/images</b> directory and then link to them as shown.
 </p>

website/EN/meshindex.html

+<?xml version="1.0" encoding="utf-8"?>
+<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN"
+"http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
+<html xmlns="http://www.w3.org/1999/xhtml" lang="en" xml:lang="en">
+<head>
+<!-- 2017-10-05 Thu 11:44 -->
+<meta http-equiv="Content-Type" content="text/html;charset=utf-8" />
+<meta name="viewport" content="width=device-width, initial-scale=1" />
+<title>&lrm;</title>
+<meta name="generator" content="Org mode" />
+<meta name="author" content="Bob Mottram" />
+<meta name="description" content="Download apps for use on the mesh"
+ />
+<meta name="keywords" content="mesh, freedombone, apps" />
+<style type="text/css">
+ <!--/*--><![CDATA[/*><!--*/
+  .title  { text-align: center;
+             margin-bottom: .2em; }
+  .subtitle { text-align: center;
+              font-size: medium;
+              font-weight: bold;
+              margin-top:0; }
+  .todo   { font-family: monospace; color: red; }
+  .done   { font-family: monospace; color: green; }
+  .priority { font-family: monospace; color: orange; }
+  .tag    { background-color: #eee; font-family: monospace;
+            padding: 2px; font-size: 80%; font-weight: normal; }
+  .timestamp { color: #bebebe; }
+  .timestamp-kwd { color: #5f9ea0; }
+  .org-right  { margin-left: auto; margin-right: 0px;  text-align: right; }
+  .org-left   { margin-left: 0px;  margin-right: auto; text-align: left; }
+  .org-center { margin-left: auto; margin-right: auto; text-align: center; }
+  .underline { text-decoration: underline; }
+  #postamble p, #preamble p { font-size: 90%; margin: .2em; }
+  p.verse { margin-left: 3%; }
+  pre {
+    border: 1px solid #ccc;
+    box-shadow: 3px 3px 3px #eee;
+    padding: 8pt;
+    font-family: monospace;
+    overflow: auto;
+    margin: 1.2em;
+  }
+  pre.src {
+    position: relative;
+    overflow: visible;
+    padding-top: 1.2em;
+  }
+  pre.src:before {
+    display: none;
+    position: absolute;
+    background-color: white;
+    top: -10px;
+    right: 10px;
+    padding: 3px;
+    border: 1px solid black;
+  }
+  pre.src:hover:before { display: inline;}
+  /* Languages per Org manual */
+  pre.src-asymptote:before { content: 'Asymptote'; }
+  pre.src-awk:before { content: 'Awk'; }
+  pre.src-C:before { content: 'C'; }
+  /* pre.src-C++ doesn't work in CSS */
+  pre.src-clojure:before { content: 'Clojure'; }
+  pre.src-css:before { content: 'CSS'; }
+  pre.src-D:before { content: 'D'; }
+  pre.src-ditaa:before { content: 'ditaa'; }
+  pre.src-dot:before { content: 'Graphviz'; }
+  pre.src-calc:before { content: 'Emacs Calc'; }
+  pre.src-emacs-lisp:before { content: 'Emacs Lisp'; }
+  pre.src-fortran:before { content: 'Fortran'; }
+  pre.src-gnuplot:before { content: 'gnuplot'; }
+  pre.src-haskell:before { content: 'Haskell'; }
+  pre.src-hledger:before { content: 'hledger'; }
+  pre.src-java:before { content: 'Java'; }
+  pre.src-js:before { content: 'Javascript'; }
+  pre.src-latex:before { content: 'LaTeX'; }
+  pre.src-ledger:before { content: 'Ledger'; }
+  pre.src-lisp:before { content: 'Lisp'; }
+  pre.src-lilypond:before { content: 'Lilypond'; }
+  pre.src-lua:before { content: 'Lua'; }
+  pre.src-matlab:before { content: 'MATLAB'; }
+  pre.src-mscgen:before { content: 'Mscgen'; }
+  pre.src-ocaml:before { content: 'Objective Caml'; }
+  pre.src-octave:before { content: 'Octave'; }
+  pre.src-org:before { content: 'Org mode'; }
+  pre.src-oz:before { content: 'OZ'; }
+  pre.src-plantuml:before { content: 'Plantuml'; }
+  pre.src-processing:before { content: 'Processing.js'; }
+  pre.src-python:before { content: 'Python'; }
+  pre.src-R:before { content: 'R'; }
+  pre.src-ruby:before { content: 'Ruby'; }
+  pre.src-sass:before { content: 'Sass'; }
+  pre.src-scheme:before { content: 'Scheme'; }
+  pre.src-screen:before { content: 'Gnu Screen'; }
+  pre.src-sed:before { content: 'Sed'; }
+  pre.src-sh:before { content: 'shell'; }
+  pre.src-sql:before { content: 'SQL'; }
+  pre.src-sqlite:before { content: 'SQLite'; }
+  /* additional languages in org.el's org-babel-load-languages alist */
+  pre.src-forth:before { content: 'Forth'; }
+  pre.src-io:before { content: 'IO'; }
+  pre.src-J:before { content: 'J'; }
+  pre.src-makefile:before { content: 'Makefile'; }
+  pre.src-maxima:before { content: 'Maxima'; }
+  pre.src-perl:before { content: 'Perl'; }
+  pre.src-picolisp:before { content: 'Pico Lisp'; }
+  pre.src-scala:before { content: 'Scala'; }
+  pre.src-shell:before { content: 'Shell Script'; }
+  pre.src-ebnf2ps:before { content: 'ebfn2ps'; }
+  /* additional language identifiers per "defun org-babel-execute"
+       in ob-*.el */
+  pre.src-cpp:before  { content: 'C++'; }
+  pre.src-abc:before  { content: 'ABC'; }
+  pre.src-coq:before  { content: 'Coq'; }
+  pre.src-groovy:before  { content: 'Groovy'; }
+  /* additional language identifiers from org-babel-shell-names in
+     ob-shell.el: ob-shell is the only babel language using a lambda to put
+     the execution function name together. */
+  pre.src-bash:before  { content: 'bash'; }
+  pre.src-csh:before  { content: 'csh'; }
+  pre.src-ash:before  { content: 'ash'; }
+  pre.src-dash:before  { content: 'dash'; }
+  pre.src-ksh:before  { content: 'ksh'; }
+  pre.src-mksh:before  { content: 'mksh'; }
+  pre.src-posh:before  { content: 'posh'; }
+  /* Additional Emacs modes also supported by the LaTeX listings package */
+  pre.src-ada:before { content: 'Ada'; }
+  pre.src-asm:before { content: 'Assembler'; }
+  pre.src-caml:before { content: 'Caml'; }
+  pre.src-delphi:before { content: 'Delphi'; }
+  pre.src-html:before { content: 'HTML'; }
+  pre.src-idl:before { content: 'IDL'; }
+  pre.src-mercury:before { content: 'Mercury'; }
+  pre.src-metapost:before { content: 'MetaPost'; }
+  pre.src-modula-2:before { content: 'Modula-2'; }
+  pre.src-pascal:before { content: 'Pascal'; }
+  pre.src-ps:before { content: 'PostScript'; }
+  pre.src-prolog:before { content: 'Prolog'; }
+  pre.src-simula:before { content: 'Simula'; }
+  pre.src-tcl:before { content: 'tcl'; }
+  pre.src-tex:before { content: 'TeX'; }
+  pre.src-plain-tex:before { content: 'Plain TeX'; }
+  pre.src-verilog:before { content: 'Verilog'; }
+  pre.src-vhdl:before { content: 'VHDL'; }
+  pre.src-xml:before { content: 'XML'; }
+  pre.src-nxml:before { content: 'XML'; }
+  /* add a generic configuration mode; LaTeX export needs an additional
+     (add-to-list 'org-latex-listings-langs '(conf " ")) in .emacs */
+  pre.src-conf:before { content: 'Configuration File'; }
+
+  table { border-collapse:collapse; }
+  caption.t-above { caption-side: top; }
+  caption.t-bottom { caption-side: bottom; }
+  td, th { vertical-align:top;  }
+  th.org-right  { text-align: center;  }
+  th.org-left   { text-align: center;   }
+  th.org-center { text-align: center; }
+  td.org-right  { text-align: right;  }
+  td.org-left   { text-align: left;   }
+  td.org-center { text-align: center; }
+  dt { font-weight: bold; }
+  .footpara { display: inline; }
+  .footdef  { margin-bottom: 1em; }
+  .figure { padding: 1em; }
+  .figure p { text-align: center; }
+  .inlinetask {
+    padding: 10px;
+    border: 2px solid gray;
+    margin: 10px;
+    background: #ffffcc;
+  }
+  #org-div-home-and-up
+   { text-align: right; font-size: 70%; white-space: nowrap; }
+  textarea { overflow-x: auto; }
+  .linenr { font-size: smaller }
+  .code-highlighted { background-color: #ffff00; }
+  .org-info-js_info-navigation { border-style: none; }
+  #org-info-js_console-label
+    { font-size: 10px; font-weight: bold; white-space: nowrap; }
+  .org-info-js_search-highlight
+    { background-color: #ffff00; color: #000000; font-weight: bold; }
+  .org-svg { width: 90%; }
+  /*]]>*/-->
+</style>
+<link rel="stylesheet" type="text/css" href="freedombone.css" />
+<script type="text/javascript">
+/*
+@licstart  The following is the entire license notice for the
+JavaScript code in this tag.
+
+Copyright (C) 2012-2017 Free Software Foundation, Inc.
+
+The JavaScript code in this tag is free software: you can
+redistribute it and/or modify it under the terms of the GNU
+General Public License (GNU GPL) as published by the Free Software
+Foundation, either version 3 of the License, or (at your option)
+any later version.  The code is distributed WITHOUT ANY WARRANTY;
+without even the implied warranty of MERCHANTABILITY or FITNESS
+FOR A PARTICULAR PURPOSE.  See the GNU GPL for more details.
+
+As additional permission under GNU GPL version 3 section 7, you
+may distribute non-source (e.g., minimized or compacted) forms of
+that code without the copy of the GNU GPL normally required by
+section 4, provided you include this license notice and a URL
+through which recipients can access the Corresponding Source.
+
+
+@licend  The above is the entire license notice
+for the JavaScript code in this tag.
+*/
+<!--/*--><![CDATA[/*><!--*/
+ function CodeHighlightOn(elem, id)
+ {
+   var target = document.getElementById(id);
+   if(null != target) {
+     elem.cacheClassElem = elem.className;
+     elem.cacheClassTarget = target.className;
+     target.className = "code-highlighted";
+     elem.className   = "code-highlighted";
+   }
+ }
+ function CodeHighlightOff(elem, id)
+ {
+   var target = document.getElementById(id);
+   if(elem.cacheClassElem)
+     elem.className = elem.cacheClassElem;
+   if(elem.cacheClassTarget)
+     target.className = elem.cacheClassTarget;
+ }
+/*]]>*///-->
+</script>
+</head>
+<body>
+<div id="preamble" class="status">
+<a name="top" id="top"></a>
+</div>
+<div id="content">
+<div class="org-center">
+
+<div class="figure">
+<p><img src="images/logo.png" alt="logo.png" />
+</p>
+</div>
+</div>
+
+<center>
+<h3>Welcome to the Freedombone Mesh</h3>
+</center>
+
+<p>
+The following apps are available:
+</p>
+
+ <center>
+ <table style="width:80%; border:0">
+  <tr>
+    <td><center><b><a href="ssb.apk"><img src="images/ssb.png"/></a></b><br><a href="ssb.apk">Secure Scuttlebutt</a></center></td>
+    <td><center><b><h3></h3></b><br></center></td>
+  </tr>
+</table>
+</center>
+</div>
+<div id="postamble" class="status">
+
+<style type="text/css">
+.back-to-top {
+    position: fixed;
+    bottom: 2em;
+    right: 0px;
+    text-decoration: none;
+    color: #000000;
+    background-color: rgba(235, 235, 235, 0.80);
+    font-size: 12px;
+    padding: 1em;
+    display: none;
+}
+
+.back-to-top:hover {
+    background-color: rgba(135, 135, 135, 0.50);
+}
+</style>
+
+<div class="back-to-top">
+<a href="#top">Back to top</a> | <a href="mailto:bob@freedombone.net">E-mail me</a>
+</div>
+</div>
+</body>
+</html>