Merge branch 'stretch' of https://github.com/bashrc/freedombone

doc/EN/faq.org

 | [[How is Tor integrated with Freedombone?]]                                                   |
 | [[Can I add a clearnet domain to an onion build?]]                                            |
 | [[Why use Github?]]                                                                           |
+| [[Should I upload my GPG keys to keybase.io?]]                                                |
 | [[Keys and emails should not be stored on servers. Why do you do that?]]                      |
 | [[Why can't I access my .onion site with a Tor browser?]]                                     |
 | [[What is the best hardware to run this system on?]]                                          |
 The source code for this project is experimentally independently hosted, and it is expected that in future the main development will shift over to an independent site, maybe with mirrors on Github if it still exists in a viable form.
 
 Currently many of the repositories used for applications which are not yet packaged for Debian are on Github, and to provide some degree of resilliance against depending too much upon that copies of them also exist within disk images.
+* Should I upload my GPG keys to keybase.io?
+It's not recommended unless there exists some compelling reason for you to be on there. That site asks users to upload the *private keys*, and even if the keys are client side encrypted with a passphrase there's always the chance that there will be a data leak in future and letter agencies will then have a full time opportunity to crack the passphrases.
+
+Saying something resembling /"only noobs will use crackable private key passphrases"/ isn't good enough. A passphrase should not be considered to be a substitute for a private key.
 * Keys and emails should not be stored on servers. Why do you do that?
 Ordinarily this is good advice. However, the threat model for a device in your home is different from the one for a generic server in a massive warehouse. Compare and contrast:
 

doc/EN/mesh.org

 
 Systems only need to be within wifi range of each other for the mesh to be created, so it can be an very convenient way to create a local communications network.
 
+Like [[https://libremesh.org][LibreMesh]], this system uses a combination of [[https://en.wikipedia.org/wiki/B.A.T.M.A.N.][batman-adv]] on network layer 2 and [[http://bmx6.net][BMX]] on layer 3.
+
 #+BEGIN_CENTER
 This site can also be accessed via a Tor browser at http://pazyv7nkllp76hqr.onion
 #+END_CENTER

src/freedombone-app-gnusocial

 # You should have received a copy of the GNU Affero General Public License
 # along with this program.  If not, see <http://www.gnu.org/licenses/>.
 
-VARIANTS='full full-vim media'
+VARIANTS='full full-vim social'
 
 IN_DEFAULT_INSTALL=0
 SHOW_ON_ABOUT=1

src/freedombone-app-pleroma

 # You should have received a copy of the GNU Affero General Public License
 # along with this program.  If not, see <http://www.gnu.org/licenses/>.
 
-VARIANTS=''
+VARIANTS='full full-vim social'
 
 IN_DEFAULT_INSTALL=0
 SHOW_ON_ABOUT=1
 PLEROMA_PORT=4000
 PLEROMA_ONION_PORT=8011
 PLEROMA_REPO="https://git.pleroma.social/pleroma/pleroma.git"
-PLEROMA_COMMIT='c1fa1e8844c8eae1ad7638a2d7f9d00e8cd07ce8'
+PLEROMA_COMMIT='80f6ac412a632da090be9f3d86971eac0b95a53d'
 PLEROMA_ADMIN_PASSWORD=
 PLEROMA_DIR=/etc/pleroma
 PLEROMA_SECRET_KEY=""
     # lost during mix compile
     pleroma_secret=$PLEROMA_DIR/config/dev.secret.exs
     if ! grep -q 'watchers: [],' $pleroma_secret; then
-        sed -i 's|watchers: []|watchers: [],|g' $pleroma_secret
+        sed -i 's|watchers: \[\]|watchers: \[\],|g' $pleroma_secret
     fi
     if ! grep -q 'url:' $pleroma_secret; then
         if [[ $ONION_ONLY == 'no' ]]; then
-            sed -i "/watchers: []/a url: [host: \"$PLEROMA_DOMAIN_NAME\", scheme: \"https\", port: 443]" $pleroma_secret
+            sed -i "/watchers: /a url: [host: \"$PLEROMA_DOMAIN_NAME\", scheme: \"https\", port: 443]" $pleroma_secret
         else
-            sed -i "/watchers: []/a url: [host: \"$PLEROMA_ONION_HOSTNAME\", scheme: \"http\", port: 80]" $pleroma_secret
+            sed -i "/watchers: /a url: [host: \"$PLEROMA_ONION_HOSTNAME\", scheme: \"http\", port: 80]" $pleroma_secret
         fi
     fi
 

src/freedombone-app-tox

     chroot "${rootdir}" apt-get -yq install build-essential libatk1.0-0 libbz2-1.0 libc6 libcairo2 libdbus-1-3 libegl1-mesa libfontconfig1 libfreetype6 libgcc1 libgdk-pixbuf2.0-0 libgl1-mesa-glx libglib2.0-0 libgtk2.0-0 libice6 libicu57 libjpeg62-turbo libmng1 libmtdev1 libopenal1 libopus0 libpango-1.0-0 libpangocairo-1.0-0 libpangoft2-1.0-0 libpng16-16 libqrencode3 libsm6 libsodium18 libsqlite3-0 libssl1.1 libstdc++6 libtiff5 libudev1 libvpx4 libwayland-client0 libwayland-cursor0 libwayland-egl1-mesa libwebp6 libx11-6 libx11-xcb1 libxcb-glx0 libxcb-icccm4 libxcb-image0 libxcb-keysyms1 libxcb-randr0 libxcb-render-util0 libxcb-render0 libxcb-shape0 libxcb-shm0 libxcb-sync1 libxcb-xfixes0 libxcb-xinerama0 libxcb1 libxext6 libxfixes3 libxi6 libxrender1 libxss1 zlib1g libopus-dev libvpx-dev
     chroot "${rootdir}" apt-get -yq install build-essential qt5-qmake qt5-default qttools5-dev-tools libqt5opengl5-dev libqt5svg5-dev libopenal-dev libxss-dev qrencode libqrencode-dev libglib2.0-dev libgdk-pixbuf2.0-dev libgtk2.0-dev libsqlcipher-dev libopus-dev libvpx-dev libavformat-dev libavdevice-dev libswscale-dev libavutil-dev libavcodec-dev libavcodec57 libavfilter-dev libavfilter6
 
+    chroot "$rootdir" apt-get clean
+    chroot "$rootdir" /bin/rm -rf /var/lib/apt/lists/*
+    chroot "$rootdir" apt-get clean
+
     # ffmpeg
     chroot "${rootdir}" apt-get -yq install build-essential
     chroot "${rootdir}" apt-get -yq install ffmpeg libmp3lame-dev libvorbis-dev libtheora-dev

src/freedombone-client

 function setup_avahi_client {
     echo $'Configuring Avahi'
     if [ ! -f /usr/bin/pacman ]; then
-        sudo apt-get -yq install avahi-utils avahi-autoipd avahi-dnsconfd
+        sudo apt-get -yq install avahi-utils avahi-dnsconfd
     else
         sudo pacman -S --noconfirm avahi nss-mdns
         sudo sed -i 's|hosts:.*|hosts: files mdns_minimal [NOTFOUND=return] dns myhostname|g' /etc/nsswitch.conf

src/freedombone-image

             sudo apt-get -yq install git python-docutils mktorrent xz-utils debootstrap
             sudo apt-get -yq install dosfstools btrfs-tools extlinux python-distro-info mbr
             sudo apt-get -yq install qemu-user-static binfmt-support u-boot-tools qemu
+            sudo apt-get -yq install python-cliapp
             ;;
         parabola|arch)
             sudo pacman -S --noconfirm libc++ git gcc gcc-libs python-docutils mktorrent patch
                 return
             fi
             debian_script_hash=$(sha256sum /usr/share/debootstrap/scripts/${DEBIAN_VERSION} | awk -F ' ' '{print $1}')
-            expected_debian_script_hash='94e01603091748e8a6a9d2c3beefec29f2a174d989500f81be4ab767830f4489'
+            expected_debian_script_hash='620fa84c7ef64d10349aed38fa9cc2e7f00a6fcd1bc425f33ca2b57cc946fd0c'
             if [[ "$debian_script_hash" != "$expected_debian_script_hash" ]]; then
                 echo $"Invalid hash for debootstrap ${DEBIAN_VERSION} script"
                 return

src/freedombone-image-customise

 # License
 # =======
 #
+# Copyright (C) 2015-2018 Bob Mottram <bob@freedombone.net>
+#
 # This program is free software: you can redistribute it and/or modify
 # it under the terms of the GNU Affero General Public License as published by
 # the Free Software Foundation, either version 3 of the License, or
 
 MESH_TEXT_EDITOR='pluma'
 
+BMX6_REPO="https://github.com/bmx-routing/bmx6"
+BMX6_COMMIT='39dd1f2d99ac5a3fa28e92f8173c15039132e181'
+
+BMX7_REPO="https://github.com/bmx-routing/bmx7"
+BMX7_COMMIT='0a82c7c10fef44b259b35e77ab33632aa132d219'
+
 PATH=/usr/local/bin:/usr/local/sbin:/usr/bin:/usr/sbin:/bin:/sbin
 
 function configure_backports {
 }
 
 mesh_shutdown_script() {
+    mesh_shutdown_script=$rootdir/usr/bin/meshshutdown
+    echo '#!/bin/bash' > $mesh_shutdown_script
+    echo 'batman stop' >> $mesh_shutdown_script
+    chroot "$rootdir" chmod +x /usr/bin/meshshutdown
+
     echo '[Unit]' > $rootdir/etc/systemd/system/meshshutdown.service
     echo 'Description=Shuts down the mesh' >> $rootdir/etc/systemd/system/meshshutdown.service
     echo 'Before=shutdown.target' >> $rootdir/etc/systemd/system/meshshutdown.service
     echo '' >> $rootdir/etc/systemd/system/meshshutdown.service
     echo '[Service]' >> $rootdir/etc/systemd/system/meshshutdown.service
+    echo 'User=root' >> $rootdir/etc/systemd/system/meshshutdown.service
+    echo 'Group=root' >> $rootdir/etc/systemd/system/meshshutdown.service
     echo 'ExecStart=/bin/true' >> $rootdir/etc/systemd/system/meshshutdown.service
-    echo 'ExecStop=/bin/bash /usr/local/bin/batman stop' >> $rootdir/etc/systemd/system/meshshutdown.service
+    echo 'ExecStop=/bin/bash /usr/bin/meshshutdown' >> $rootdir/etc/systemd/system/meshshutdown.service
     echo 'RemainAfterExit=yes' >> $rootdir/etc/systemd/system/meshshutdown.service
     echo '' >> $rootdir/etc/systemd/system/meshshutdown.service
     echo '[Install]' >> $rootdir/etc/systemd/system/meshshutdown.service
     chroot "$rootdir" systemctl enable meshshutdown
 }
 
+install_bmx6() {
+    git clone $BMX6_REPO $rootdir/etc/bmx6
+
+    cat <<EOF > $rootdir/usr/bin/install_bmx6
+#!/bin/bash
+cd /etc/bmx6
+git checkout $BMX6_COMMIT -b $BMX6_COMMIT
+make
+make install
+
+cd /etc/bmx6/lib/bmx6_http_info
+make
+make install
+
+cd /etc/bmx6/lib/bmx6_json
+make
+make install
+
+cd /etc/bmx6/lib/bmx6_quagga
+make
+make install
+
+cd /etc/bmx6/lib/bmx6_sms
+make
+make install
+
+cd /etc/bmx6/lib/bmx6_table
+make
+make install
+
+cd /etc/bmx6/lib/bmx6_topology
+make
+make install
+EOF
+    chroot "$rootdir" chmod +x /usr/bin/install_bmx6
+    chroot "$rootdir" /usr/bin/install_bmx6
+
+    if [ ! -f $rootdir/usr/sbin/bmx6 ]; then
+        echo $'bmx6 was not installed'
+        exit 79835292
+    fi
+
+    rm $rootdir/usr/bin/install_bmx6
+
+    echo '[Unit]' > $rootdir/etc/systemd/system/bmx6.service
+    echo 'Description=BMX6 mesh routing protocol' >> $rootdir/etc/systemd/system/bmx6.service
+    echo 'Requires=network.target' >> $rootdir/etc/systemd/system/bmx6.service
+    echo 'After=network.target' >> $rootdir/etc/systemd/system/bmx6.service
+    echo '' >> $rootdir/etc/systemd/system/bmx6.service
+    echo '[Service]' >> $rootdir/etc/systemd/system/bmx6.service
+    echo 'Type=forking' >> $rootdir/etc/systemd/system/bmx6.service
+    echo 'User=root' >> $rootdir/etc/systemd/system/bmx6.service
+    echo 'Group=root' >> $rootdir/etc/systemd/system/bmx6.service
+    echo 'ExecStart=/usr/sbin/bmx6 dev=wlan0' >> $rootdir/etc/systemd/system/bmx6.service
+    echo 'ExecStop=/usr/bin/kill -15 $MAINPID' >> $rootdir/etc/systemd/system/bmx6.service
+    echo 'PIDFile=/var/run/bmx6/pid' >> $rootdir/etc/systemd/system/bmx6.service
+    echo 'Restart=on-failure' >> $rootdir/etc/systemd/system/bmx6.service
+    echo '' >> $rootdir/etc/systemd/system/bmx6.service
+    echo '[Install]' >> $rootdir/etc/systemd/system/bmx6.service
+    echo 'WantedBy=multi-user.target' >> $rootdir/etc/systemd/system/bmx6.service
+}
+
+install_bmx7() {
+    chroot "$rootdir" apt-get -qy install libjson-c-dev zlib1g-dev libiw-dev
+
+    git clone $BMX7_REPO $rootdir/etc/bmx7
+
+    cat <<EOF > $rootdir/usr/bin/install_bmx7
+#!/bin/bash
+cd /etc
+wget https://polarssl.org/code/releases/polarssl-1.3.3-gpl.tgz
+tar xzvf polarssl-1.3.3-gpl.tgz
+cd /etc/polarssl-1.3.3
+make
+sudo make install
+
+cd /etc/bmx7
+git checkout $BMX7_COMMIT -b $BMX7_COMMIT
+make EXTRA_CFLAGS="-DCRYPTLIB=POLARSSL_1_3_3"
+make install
+
+cd /etc/bmx7/lib/bmx7_http_info
+make
+make install
+
+cd /etc/bmx7/lib/bmx7_json
+make
+make install
+
+cd /etc/bmx7/lib/bmx7_tun
+make
+make install
+
+cd /etc/bmx7/lib/bmx7_sms
+make
+make install
+
+cd /etc/bmx7/lib/bmx7_topology
+make
+make install
+EOF
+    chroot "$rootdir" chmod +x /usr/bin/install_bmx7
+    chroot "$rootdir" /usr/bin/install_bmx7
+
+    if [ ! -f $rootdir/usr/sbin/bmx7 ]; then
+        echo $'bmx7 was not installed'
+        exit 67836235
+    fi
+
+    rm $rootdir/usr/bin/install_bmx7
+
+    echo '[Unit]' > $rootdir/etc/systemd/system/bmx7.service
+    echo 'Description=BMX7 mesh routing protocol' >> $rootdir/etc/systemd/system/bmx7.service
+    echo 'Requires=network.target' >> $rootdir/etc/systemd/system/bmx7.service
+    echo 'After=network.target' >> $rootdir/etc/systemd/system/bmx7.service
+    echo '' >> $rootdir/etc/systemd/system/bmx7.service
+    echo '[Service]' >> $rootdir/etc/systemd/system/bmx7.service
+    echo 'Type=forking' >> $rootdir/etc/systemd/system/bmx7.service
+    echo 'User=root' >> $rootdir/etc/systemd/system/bmx7.service
+    echo 'Group=root' >> $rootdir/etc/systemd/system/bmx7.service
+    echo 'ExecStart=/usr/sbin/bmx7 dev=wlan0' >> $rootdir/etc/systemd/system/bmx7.service
+    echo 'ExecStop=/usr/bin/kill -15 $MAINPID' >> $rootdir/etc/systemd/system/bmx7.service
+    echo 'PIDFile=/var/run/bmx7/pid' >> $rootdir/etc/systemd/system/bmx7.service
+    echo 'Restart=on-failure' >> $rootdir/etc/systemd/system/bmx7.service
+    echo '' >> $rootdir/etc/systemd/system/bmx7.service
+    echo '[Install]' >> $rootdir/etc/systemd/system/bmx7.service
+    echo 'WantedBy=multi-user.target' >> $rootdir/etc/systemd/system/bmx7.service
+}
+
 initialise_mesh() {
     if [[ $VARIANT != "mesh"* ]]; then
         return
     # dhcp daemon for hotspot on secondary wifi adapter
     chroot "$rootdir" apt-get -yq install dnsmasq
 
+    # for debugging
+    chroot "$rootdir" apt-get -yq install traceroute
+
+    # set the default protocol to be used
+    echo 'bmx6' > $rootdir$MESH_DEFAULT_PROTOCOL
+
+    sed -i 's|#net.ipv6.conf.all.forwarding.*|net.ipv6.conf.all.forwarding=1|g' $rootdir/etc/sysctl.conf
+    sed -i 's|net.ipv6.conf.all.forwarding.*|net.ipv6.conf.all.forwarding=1|g' $rootdir/etc/sysctl.conf
+
+    sed -i 's|#net.ipv6.conf.all.accept_redirects.*|net.ipv6.conf.all.accept_redirects=1|g' $rootdir/etc/sysctl.conf
+    sed -i 's|net.ipv6.conf.all.accept_redirects.*|net.ipv6.conf.all.accept_redirects=1|g' $rootdir/etc/sysctl.conf
+
+    sed -i 's|#net.ipv6.conf.all.accept_source_route.*|net.ipv6.conf.all.accept_source_route=1|g' $rootdir/etc/sysctl.conf
+    sed -i 's|net.ipv6.conf.all.accept_source_route.*|net.ipv6.conf.all.accept_source_route=1|g' $rootdir/etc/sysctl.conf
+
     configure_firewall
     install_avahi
     install_batman
+    install_bmx6
+    install_bmx7
     mesh_shutdown_script
     install_vpn
     install_tomb
     chroot "$rootdir" apt-get -yq install avahi-daemon avahi-utils avahi-discover
     chroot "$rootdir" apt-get -yq install connect-proxy openssh-server
     chroot "$rootdir" apt-get -yq install sudo git dialog build-essential avahi-daemon avahi-utils
-    chroot "$rootdir" apt-get -yq install avahi-discover avahi-autoipd iptables dnsutils net-tools
+    chroot "$rootdir" apt-get -yq install avahi-discover iptables dnsutils net-tools
     chroot "$rootdir" apt-get -yq install network-manager iputils-ping libnss-mdns libnss-myhostname
     chroot "$rootdir" apt-get -yq install libnss-gw-name nano man ntp locales locales-all debconf
     chroot "$rootdir" apt-get -yq install wireless-tools wpasupplicant usbutils cryptsetup zsh
     chroot "$rootdir" apt-get install -y openssh-server
 fi
 chroot "$rootdir" apt-get install -y sudo git dialog build-essential
-chroot "$rootdir" apt-get install -y avahi-daemon avahi-utils avahi-discover avahi-autoipd
+chroot "$rootdir" apt-get install -y avahi-daemon avahi-utils avahi-discover
 chroot "$rootdir" apt-get install -y iptables dnsutils net-tools network-manager iputils-ping
 chroot "$rootdir" apt-get install -y libnss-mdns libnss-myhostname libnss-gw-name nano man ntp
 chroot "$rootdir" apt-get install -y locales locales-all debconf wireless-tools wpasupplicant usbutils

src/freedombone-image-makefile

 ARCHIVE = $(IMAGE).xz
 SIGNATURE = $(ARCHIVE).sig
 OWNER = 1000
-XZ = xz --no-warn --best --verbose --keep
+XZ = xz --no-warn --verbose --keep --threads=0 -3
 SIGN = -gpg --output $(SIGNATURE) --detach-sig $(ARCHIVE)
 
 # settings for `make test`

src/freedombone-image-mesh

     systemctl disable tor
     echo $'TOR disabled' >> $INSTALL_LOG
 
+    systemctl stop bmx6
+    systemctl disable bmx6
+    echo $'BMX6 disabled' >> $INSTALL_LOG
+
+    systemctl stop bmx7
+    systemctl disable bmx7
+    echo $'BMX7 disabled' >> $INSTALL_LOG
+
     #tomb slam all
     tmp_ram_disk 100
     enable_predictable_device_names

src/freedombone-mesh-batman

 HOTSPOT_PASSPHRASE="${PROJECT_NAME}"
 
 source /usr/share/${PROJECT_NAME}/utils/${PROJECT_NAME}-utils-wifi
+source /usr/share/${PROJECT_NAME}/utils/${PROJECT_NAME}-utils-mesh
 
-if [[ $1 == "start" ]]; then
-    # install avahi
-    sed -i "s|#host-name=.*|host-name=$(hostname)|g" /etc/avahi/avahi-daemon.conf
-    sed -i "s|host-name=.*|host-name=$(hostname)|g" /etc/avahi/avahi-daemon.conf
-    sed -i "s|use-ipv4=.*|use-ipv4=yes|g" /etc/avahi/avahi-daemon.conf
-    sed -i "s|use-ipv6=.*|use-ipv6=no|g" /etc/avahi/avahi-daemon.conf
-    sed -i "s|#disallow-other-stacks=.*|disallow-other-stacks=yes|g" /etc/avahi/avahi-daemon.conf
-    sed -i "s|hosts:.*|hosts:          files mdns4_minimal dns mdns4 mdns|g" /etc/nsswitch.conf
-fi
-
-# Mesh definition
-WIFI_SSID='mesh'
-if [ -f $COMPLETION_FILE ]; then
-    if grep -q "WIFI_SSID:" $COMPLETION_FILE; then
-        WIFI_SSID=$(cat $COMPLETION_FILE | grep "WIFI_SSID:" | awk -F ':' '{print $2}')
-    fi
-    sed -i "s|WIFI_SSID:.*|WIFI_SSID:${WIFI_SSID}|g" $COMPLETION_FILE
-fi
-CELLID='any'
-
-CHANNEL=2
-HOTSPOT_CHANNEL=6
-if [ -f $COMPLETION_FILE ]; then
-    if grep -q "Wifi channel:" $COMPLETION_FILE; then
-        CHANNEL=$(cat $COMPLETION_FILE | grep "Wifi channel:" | awk -F ':' '{print $2}')
-    fi
-    sed -i "s|Wifi channel:.*|Wifi channel:${CHANNEL}|g" $COMPLETION_FILE
-fi
-
-ZERONET_PORT=15441
-IPFS_PORT=4001
-TOX_PORT=33445
-TRACKER_PORT=6969
-LIBREVAULT_PORT=42345
-TAHOELAFS_PORT=50213
-GIT_SSB_PORT=7718
-NGINX_GIT_SSB_PORT=7719
-
-# Ethernet bridge definition (bridged to bat0)
-BRIDGE=br-mesh
-BRIDGE_HOTSPOT=br-hotspot
-IFACE=
-IFACE_SECONDARY=
-EIFACE=eth0
-WLAN_ADAPTORS=$(count_wlan)
-
-if [ $WLAN_ADAPTORS -eq 0 ]; then
-    echo $'No wlan adaptors found'
-    exit 0
-fi
-
+mesh_protocol_init
 update_wifi_adaptors
 
 if [ ! $IFACE ]; then
     . /etc/default/batctl
 fi
 
-function get_ipv4_wlan {
-    echo $(ip -o -f inet addr show dev "$IFACE" | awk '{print $4}' | awk 'END {print}' | awk -F '/' '{print $1}')
-}
-
-function mesh_hotspot_ip_address {
-    echo $(ip -o -f inet addr show dev "${BRIDGE}" | awk '{print $4}' | awk 'END {print}' | awk -F '/' '{print $1}')
-}
+function status {
+    batctl o
 
-function global_rate_limit {
-    if ! grep -q "tcp_challenge_ack_limit" /etc/sysctl.conf; then
-        echo 'net.ipv4.tcp_challenge_ack_limit = 999999999' >> /etc/sysctl.conf
+    if grep -q "bmx6" $MESH_CURRENT_PROTOCOL; then
+        bmx6 -c show=originators
     else
-        sed -i 's|net.ipv4.tcp_challenge_ack_limit.*|net.ipv4.tcp_challenge_ack_limit = 999999999|g' /etc/sysctl.conf
+        bmx7 -c show=originators
     fi
-    sysctl -p -q
-}
-
-function status {
-    batctl o
 }
 
 function stop {
+    if [ ! -f $MESH_CURRENT_PROTOCOL ]; then
+        return
+    fi
+
     if [ -z "$IFACE" ]; then
         echo 'error: unable to find wifi interface, not enabling batman-adv mesh'
         return
     fi
 
+    systemctl stop bmx6
+    systemctl stop bmx7
+    systemctl disable bmx6
+    systemctl disable bmx7
     systemctl stop dnsmasq
     systemctl disable dnsmasq
 
         brctl delbr $BRIDGE
     fi
 
-    avahi-autoipd -k $BRIDGE
-    avahi-autoipd -k $IFACE
     ifconfig bat0 down -promisc
 
     batctl if del $IFACE
 
     rmmod batman-adv
 
-    iptables -D INPUT -p tcp --dport $TRACKER_PORT -j ACCEPT
-    iptables -D INPUT -p udp --dport $TRACKER_PORT -j ACCEPT
-    iptables -D INPUT -p tcp --dport 80 -j ACCEPT
-    iptables -D INPUT -p udp --dport 80 -j ACCEPT
-    iptables -D INPUT -p tcp --dport 548 -j ACCEPT
-    iptables -D INPUT -p udp --dport 548 -j ACCEPT
-    iptables -D INPUT -p tcp --dport 5353 -j ACCEPT
-    iptables -D INPUT -p udp --dport 5353 -j ACCEPT
-    iptables -D INPUT -p tcp --dport 5354 -j ACCEPT
-    iptables -D INPUT -p udp --dport 5354 -j ACCEPT
-    iptables -D INPUT -p tcp --dport $ZERONET_PORT -j ACCEPT
-    iptables -D INPUT -p udp --dport $ZERONET_PORT -j ACCEPT
-    iptables -D INPUT -p tcp --dport $IPFS_PORT -j ACCEPT
-    iptables -D INPUT -p udp --dport $IPFS_PORT -j ACCEPT
-    iptables -D INPUT -p tcp --dport $TOX_PORT -j ACCEPT
-    iptables -D INPUT -p udp --dport $TOX_PORT -j ACCEPT
-    iptables -D INPUT -p tcp --dport $LIBREVAULT_PORT -j ACCEPT
-    iptables -D INPUT -p udp --dport $LIBREVAULT_PORT -j ACCEPT
-    iptables -D INPUT -p tcp --dport $TAHOELAFS_PORT -j ACCEPT
-    # SSB/Scuttlebot/Patchwork
-    iptables -D INPUT -p tcp --dport $GIT_SSB_PORT -j ACCEPT
-    iptables -D INPUT -p udp --dport 8008 -j ACCEPT
-    iptables -D INPUT -p tcp --dport 8008 -j ACCEPT
-    iptables -D INPUT -p udp --dport 8010 -j ACCEPT
-    iptables -D INPUT -p tcp --dport 8010 -j ACCEPT
-    # vpn over the internet
-    iptables -D INPUT -p tcp --dport 653 -j ACCEPT
-    iptables -D INPUT -p udp --dport 653 -j ACCEPT
-    iptables -D INPUT -i ${EIFACE} -m state --state NEW -p tcp --dport 1194 -j ACCEPT
-    iptables -D INPUT -i tun+ -j ACCEPT
-    iptables -D FORWARD -i tun+ -j ACCEPT
-    iptables -D FORWARD -i tun+ -o ${EIFACE} -m state --state RELATED,ESTABLISHED -j ACCEPT
-    iptables -D FORWARD -i ${EIFACE} -o tun+ -m state --state RELATED,ESTABLISHED -j ACCEPT
-    iptables -t nat -D POSTROUTING -s 10.8.0.0/24 -o ${EIFACE} -j MASQUERADE
-    iptables -D OUTPUT -o tun+ -j ACCEPT
-
-    echo 0 > /proc/sys/net/ipv4/ip_forward
-    sed -i 's|net.ipv4.ip_forward=.*|net.ipv4.ip_forward=0|g' /etc/sysctl.conf
+    disable_mesh_firewall
 
     systemctl restart network-manager
+
+    if [ -f $MESH_CURRENT_PROTOCOL ]; then
+        rm $MESH_CURRENT_PROTOCOL
+    fi
 }
 
 function verify {
     rm $tempfile
 }
 
-function assign_peer_address {
-    for i in {1..6}; do
-        number=$RANDOM
-        let "number %= 255"
-        octet=$(echo "obase=16;$number" | bc)
-        if [ ${#octet} -lt 2 ]; then
-            octet="0${octet}"
-        fi
-        if [ $i -gt 1 ]; then
-            echo -n ":"
-        fi
-        echo -n "${octet}"
-    done
-}
-
 function add_wifi_interface {
     ifname=$1
     ifssid=$WIFI_SSID
     ifconfig $ifname up
 }
 
-function mesh_create_app_downloads_page {
-    if [ ! -d /root/$PROJECT_NAME/image_build/mesh_apps ]; then
-        return
-    fi
-    if [ ! -d /var/www/html ]; then
-        return
-    fi
-    # Don't go straight to cryptpad when navigating to the peer's IP address
-    if [ -L /etc/nginx/sites-enabled/cryptpad ]; then
-        rm /etc/nginx/sites-enabled/cryptpad
-        ln -s /etc/nginx/sites-available/default /etc/nginx/sites-enabled/default
-        if [ -d /etc/cryptpad ]; then
-            systemctl stop cryptpad
-            systemctl disable cryptpad
-        fi
-        systemctl restart nginx
-    fi
-    # Don't show the cryptpad icon on the desktop
-    if [ -f /home/fbone/Desktop/cryptpad.desktop ]; then
-        mv /home/fbone/Desktop/cryptpad.desktop /home/fbone/.cryptpad.desktop
-    fi
-
-    cp /root/$PROJECT_NAME/website/EN/meshindex.html /var/www/html/index.html
-    if [ ! -f /var/www/html/ssb.apk ]; then
-        cp /root/$PROJECT_NAME/image_build/mesh_apps/ssb.apk /var/www/html/ssb.apk
-    fi
-    if [ ! -f /var/www/html/trifa.apk ]; then
-        cp /root/$PROJECT_NAME/image_build/mesh_apps/trifa.apk /var/www/html/trifa.apk
-    fi
-    if [ ! -d /var/www/html/images ]; then
-        mkdir /var/www/html/images
-    fi
-    if [ ! -f /var/www/html/images/logo.png ]; then
-        cp /root/$PROJECT_NAME/img/logo.png /var/www/html/images/logo.png
-    fi
-    if [ ! -f /var/www/html/images/ssb.png ]; then
-        cp /root/$PROJECT_NAME/img/icon_patchwork.png /var/www/html/images/ssb.png
-    fi
-    if [ ! -f /var/www/html/images/trifa.png ]; then
-        cp /root/$PROJECT_NAME/img/trifa.png /var/www/html/images/trifa.png
-    fi
-    if [ ! -f /var/www/html/freedombone.css ]; then
-        cp /root/$PROJECT_NAME/website/freedombone.css /var/www/html/freedombone.css
-    fi
-    chown -R www-data:www-data /var/www/html/*
-}
-
 function start {
     update_wifi_adaptors
 
     fi
     echo "info: enabling batman-adv mesh network $WIFI_SSID on $IFACE"
 
+    stop
     systemctl stop network-manager
     sleep 5
 
 
     modprobe batman-adv
 
+    # avahi on ipv6
+    sed -i 's|use-ipv4=.*|use-ipv4=no|g' /etc/avahi/avahi-daemon.conf
+    sed -i 's|use-ipv6=.*|use-ipv6=yes|g' /etc/avahi/avahi-daemon.conf
+
+    sed -i "s|ExecStart=.*|ExecStart=/usr/sbin/bmx6 dev=${IFACE}|g" /etc/systemd/system/bmx6.service
+    sed -i "s|ExecStart=.*|ExecStart=/usr/sbin/bmx7 dev=${IFACE}|g" /etc/systemd/system/bmx7.service
+    systemctl daemon-reload
+
     add_wifi_interface $IFACE $WIFI_SSID ad-hoc $CHANNEL
-    avahi-autoipd --force-bind --daemonize --wait $IFACE
 
     # NOTE: Don't connect the secondary wifi device. hostapd will handle that by itself
 
             ifconfig $EIFACE 0.0.0.0
             ifconfig $EIFACE up promisc
             echo $'End of ethernet bridge'
+
+            sed -i "s|ExecStart=.*|ExecStart=/usr/sbin/bmx6 dev=${IFACE} dev=${EIFACE}|g" /etc/systemd/system/bmx6.service
+            sed -i "s|ExecStart=.*|ExecStart=/usr/sbin/bmx7 dev=${IFACE} dev=${EIFACE}|g" /etc/systemd/system/bmx7.service
+            systemctl daemon-reload
         else
             echo $"$EIFACE is not connected"
         fi
     ifconfig $BRIDGE up
     dhclient $BRIDGE
 
-    if [ $secondary_wifi_available ]; then
-        sed -i 's|#DAEMON_CONF=.*|DAEMON_CONF="/etc/hostapd/hostapd.conf"|g' /etc/default/hostapd
-
-        mesh_hotspot_address=$(mesh_hotspot_ip_address)
-        if [[ "$mesh_hotspot_address" == *'.'* ]]; then
-            echo "interface=${IFACE_SECONDARY}" > /etc/hostapd/hostapd.conf
-            echo "bridge=${BRIDGE}" >> /etc/hostapd/hostapd.conf
-            echo 'driver=nl80211' >> /etc/hostapd/hostapd.conf
-            echo "country_code=UK" >> /etc/hostapd/hostapd.conf
-            echo "ssid=${WIFI_SSID}-${mesh_hotspot_address}" >> /etc/hostapd/hostapd.conf
-            echo 'hw_mode=g' >> /etc/hostapd/hostapd.conf
-            echo "channel=${HOTSPOT_CHANNEL}" >> /etc/hostapd/hostapd.conf
-            echo 'wpa=2' >> /etc/hostapd/hostapd.conf
-            echo "wpa_passphrase=$HOTSPOT_PASSPHRASE" >> /etc/hostapd/hostapd.conf
-            echo 'wpa_key_mgmt=WPA-PSK' >> /etc/hostapd/hostapd.conf
-            echo 'wpa_pairwise=TKIP' >> /etc/hostapd/hostapd.conf
-            echo 'rsn_pairwise=CCMP' >> /etc/hostapd/hostapd.conf
-            echo 'auth_algs=1' >> /etc/hostapd/hostapd.conf
-            echo 'macaddr_acl=0' >> /etc/hostapd/hostapd.conf
-
-            sed -i "s|#interface=.*|interface=${IFACE_SECONDARY}|g" /etc/dnsmasq.conf
-            sed -i "s|interface=.*|interface=${IFACE_SECONDARY}|g" /etc/dnsmasq.conf
-            sed -i "s|listen-address=.*|listen-address=127.0.0.1,$mesh_hotspot_address|g" /etc/dnsmasq.conf
-            sed -i 's|#listen-address|listen-address|g' /etc/dnsmasq.conf
-            systemctl enable dnsmasq
-            systemctl restart dnsmasq
-
-            systemctl enable hostapd
-            systemctl restart hostapd
-            mesh_create_app_downloads_page
-        else
-            secondary_wifi_available=
-            echo $'WARNING: No IP address could be obtained for the hotspot'
-        fi
-    fi
-
-    if [ ! $secondary_wifi_available ]; then
-        systemctl stop hostapd
-        systemctl disable hostapd
+    enable_mesh_seconary_wifi
 
-        # Recreate the cryptpad symlink
-        if [ -f /etc/nginx/sites-available/cryptpad ]; then
-            if [ -L /etc/nginx/sites-enabled/cryptpad ]; then
-                rm /etc/nginx/sites-enabled/default
-            fi
-            systemctl enable cryptpad
-            systemctl start cryptpad
+    enable_mesh_firewall
 
-            if [ ! -L /etc/nginx/sites-enabled/cryptpad ]; then
-                ln -s /etc/nginx/sites-available/cryptpad /etc/nginx/sites-enabled/cryptpad
-                systemctl restart nginx
-            fi
-        fi
-        if [ -f /home/fbone/.cryptpad.desktop ]; then
-            mv /home/fbone/.cryptpad.desktop /home/fbone/Desktop/cryptpad.desktop
-        fi
-    fi
+    enable_mesh_scuttlebot
+    enable_mesh_tor
 
-    iptables -A INPUT -p icmp --icmp-type echo-request -j ACCEPT
-    iptables -A OUTPUT -p icmp --icmp-type echo-reply -j ACCEPT
-    iptables -A INPUT -p tcp --dport $TRACKER_PORT -j ACCEPT
-    iptables -A INPUT -p udp --dport $TRACKER_PORT -j ACCEPT
-    iptables -A INPUT -p tcp --dport 80 -j ACCEPT
-    iptables -A INPUT -p udp --dport 80 -j ACCEPT
-    iptables -A INPUT -p tcp --dport 548 -j ACCEPT
-    iptables -A INPUT -p udp --dport 548 -j ACCEPT
-    iptables -A INPUT -p tcp --dport 5353 -j ACCEPT
-    iptables -A INPUT -p udp --dport 5353 -j ACCEPT
-    iptables -A INPUT -p tcp --dport 5354 -j ACCEPT
-    iptables -A INPUT -p udp --dport 5354 -j ACCEPT
-    iptables -A INPUT -p tcp --dport $ZERONET_PORT -j ACCEPT
-    iptables -A INPUT -p udp --dport $ZERONET_PORT -j ACCEPT
-    iptables -A INPUT -p tcp --dport $IPFS_PORT -j ACCEPT
-    iptables -A INPUT -p tcp --dport $TOX_PORT -j ACCEPT
-    iptables -A INPUT -p udp --dport $TOX_PORT -j ACCEPT
-    iptables -A INPUT -p tcp --dport $LIBREVAULT_PORT -j ACCEPT
-    iptables -A INPUT -p udp --dport $LIBREVAULT_PORT -j ACCEPT
-    iptables -A INPUT -p tcp --dport $TAHOELAFS_PORT -j ACCEPT
-    # SSB/Scuttlebot/Patchwork
-    iptables -A INPUT -p tcp --dport $GIT_SSB_PORT -j ACCEPT
-    iptables -A INPUT -p udp --dport 8008 -j ACCEPT
-    iptables -A INPUT -p tcp --dport 8008 -j ACCEPT
-    iptables -A INPUT -p udp --dport 8010 -j ACCEPT
-    iptables -A INPUT -p tcp --dport 8010 -j ACCEPT
-    # vpn over the internet
-    # Note: the vpn firewall settings are needed in order for Patchwork
-    # to discover local peers
-    iptables -A INPUT -p tcp --dport 653 -j ACCEPT
-    iptables -A INPUT -p udp --dport 653 -j ACCEPT
-    iptables -A INPUT -i ${EIFACE} -m state --state NEW -p tcp --dport 1194 -j ACCEPT
-    iptables -A INPUT -i tun+ -j ACCEPT
-    iptables -A FORWARD -i tun+ -j ACCEPT
-    iptables -A FORWARD -i tun+ -o ${EIFACE} -m state --state RELATED,ESTABLISHED -j ACCEPT
-    iptables -A FORWARD -i ${EIFACE} -o tun+ -m state --state RELATED,ESTABLISHED -j ACCEPT
-    iptables -t nat -A POSTROUTING -s 10.8.0.0/24 -o ${EIFACE} -j MASQUERADE
-    iptables -A OUTPUT -o tun+ -j ACCEPT
-    echo 1 > /proc/sys/net/ipv4/ip_forward
-    sed -i 's|# net.ipv4.ip_forward|net.ipv4.ip_forward|g' /etc/sysctl.conf
-    sed -i 's|#net.ipv4.ip_forward|net.ipv4.ip_forward|g' /etc/sysctl.conf
-    sed -i 's|net.ipv4.ip_forward.*|net.ipv4.ip_forward=1|g' /etc/sysctl.conf
+    sed -i "s|server_name .*|server_name ${HOSTNAME}.local;|g" /etc/nginx/sites-available/git_ssb
 
-    systemctl restart avahi-daemon
+    systemctl restart nginx
 
-    if [ -f /etc/scuttlebot/.ssb/config ]; then
-        ethernet_connected=$(cat /sys/class/net/eth0/carrier)
-        if [[ "$ethernet_connected" != "0" ]]; then
-            sed -i "s|\"host\": .*|\"host\": \"$(get_ipv4_wlan)\",|g" /etc/scuttlebot/.ssb/config
-            systemctl restart scuttlebot
-        else
-            if [ ! -f /etc/nginx/sites-available/git_ssb ]; then
-                systemctl stop scuttlebot
-            else
-                systemctl restart scuttlebot
-            fi
-        fi
+    if [ ! -f $MESH_DEFAULT_PROTOCOL ]; then
+        echo 'bmx6' > $MESH_DEFAULT_PROTOCOL
     fi
 
-    # if we have an ethernet connection to an internet router then create
-    # an onion address for this peer
-    if [[ "$ethernet_connected" != "0" ]]; then
-        systemctl enable tor
-        systemctl start tor
-        HIDDEN_SERVICE_PATH=/var/lib/tor/hidden_service_
-        if [ ! -f ${HIDDEN_SERVICE_PATH}mesh/hostname ]; then
-            echo "HiddenServiceDir ${HIDDEN_SERVICE_PATH}mesh/" >> /etc/tor/torrc
-            echo "HiddenServicePort 653 127.0.0.1:653" >> /etc/tor/torrc
-            systemctl restart tor
-        fi
+    if grep -q "bmx6" $MESH_DEFAULT_PROTOCOL; then
+        systemctl enable bmx6
+        systemctl restart bmx6
     else
-        systemctl stop tor
-        systemctl disable tor
+        systemctl enable bmx7
+        systemctl restart bmx7
     fi
 
-    sed -i "s|\"host\":.*|\"host\": \"${HOSTNAME}.local\",|g" /etc/scuttlebot/.ssb/config
-    sed -i "s|server_name .*|server_name ${HOSTNAME}.local;|g" /etc/nginx/sites-available/git_ssb
-    systemctl restart scuttlebot
-    systemctl restart nginx
+    systemctl restart avahi-daemon
 
     verify
+
+    echo "$(cat $MESH_DEFAULT_PROTOCOL)" > $MESH_CURRENT_PROTOCOL
 }
 
 function monitor {

src/freedombone-mesh-install

 }
 
 function mesh_avahi {
-    $CHROOT_PREFIX apt-get -yq install avahi-utils avahi-autoipd avahi-dnsconfd
+    $CHROOT_PREFIX apt-get -yq install avahi-utils avahi-dnsconfd
 
     decarray=( 1 2 3 4 5 6 7 8 9 0 )
     PEER_ID=${decarray[$RANDOM%10]}${decarray[$RANDOM%10]}${decarray[$RANDOM%10]}${decarray[$RANDOM%10]}${decarray[$RANDOM%10]}${decarray[$RANDOM%10]}${decarray[$RANDOM%10]}${decarray[$RANDOM%10]}
     sed -i "s|#host-name=.*|host-name=P$PEER_ID|g" $rootdir/etc/avahi/avahi-daemon.conf
 
     if [ ! -d $rootdir/etc/avahi/services ]; then
-    mkdir -p $rootdir/etc/avahi/services
+        mkdir -p $rootdir/etc/avahi/services
     fi
 
     # remove an avahi service which isn't used
     if [ -f $rootdir/etc/avahi/services/udisks.service ]; then
-    rm $rootdir/etc/avahi/services/udisks.service
+        rm $rootdir/etc/avahi/services/udisks.service
     fi
 
     # Add an ssh service
     $CHROOT_PREFIX apt-get -yq install wireless-tools rfkill
 
     if ! grep -q "batman_adv" $rootdir/etc/modules; then
-    echo 'batman_adv' >> $rootdir/etc/modules
+        echo 'batman_adv' >> $rootdir/etc/modules
     fi
 
     BATMAN_SCRIPT=$rootdir/var/lib/batman
 
     if [ -f /usr/local/bin/${PROJECT_NAME}-mesh-batman ]; then
-    cp /usr/local/bin/${PROJECT_NAME}-mesh-batman $BATMAN_SCRIPT
+        cp /usr/local/bin/${PROJECT_NAME}-mesh-batman $BATMAN_SCRIPT
     else
-    cp /usr/bin/${PROJECT_NAME}-mesh-batman $BATMAN_SCRIPT
+        cp /usr/bin/${PROJECT_NAME}-mesh-batman $BATMAN_SCRIPT
     fi
 
     BATMAN_DAEMON=$rootdir/etc/systemd/system/batman.service
     echo 'iptables -P INPUT DROP' >> $MESH_FIREWALL_SCRIPT
     echo 'ip6tables -P INPUT DROP' >> $MESH_FIREWALL_SCRIPT
     echo 'iptables -A INPUT -i lo -j ACCEPT' >> $MESH_FIREWALL_SCRIPT
+    echo 'ip6tables -A INPUT -i lo -j ACCEPT' >> $MESH_FIREWALL_SCRIPT
     echo 'iptables -A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT' >> $MESH_FIREWALL_SCRIPT
+    echo 'ip6tables -A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT' >> $MESH_FIREWALL_SCRIPT
     echo '' >> $MESH_FIREWALL_SCRIPT
     echo '# Make sure incoming tcp connections are SYN packets' >> $MESH_FIREWALL_SCRIPT
     echo 'iptables -A INPUT -p tcp ! --syn -m state --state NEW -j DROP' >> $MESH_FIREWALL_SCRIPT
+    echo 'ip6tables -A INPUT -p tcp ! --syn -m state --state NEW -j DROP' >> $MESH_FIREWALL_SCRIPT
     echo '' >> $MESH_FIREWALL_SCRIPT
     echo '# Drop packets with incoming fragments' >> $MESH_FIREWALL_SCRIPT
     echo 'iptables -A INPUT -f -j DROP' >> $MESH_FIREWALL_SCRIPT
+    echo 'ip6tables -A INPUT -f -j DROP' >> $MESH_FIREWALL_SCRIPT
     echo '' >> $MESH_FIREWALL_SCRIPT
     echo '# Drop bogons' >> $MESH_FIREWALL_SCRIPT
     echo 'iptables -A INPUT -p tcp --tcp-flags ALL ALL -j DROP' >> $MESH_FIREWALL_SCRIPT
+    echo 'ip6tables -A INPUT -p tcp --tcp-flags ALL ALL -j DROP' >> $MESH_FIREWALL_SCRIPT
     echo 'iptables -A INPUT -p tcp --tcp-flags ALL FIN,PSH,URG -j DROP' >> $MESH_FIREWALL_SCRIPT
+    echo 'ip6tables -A INPUT -p tcp --tcp-flags ALL FIN,PSH,URG -j DROP' >> $MESH_FIREWALL_SCRIPT
     echo 'iptables -A INPUT -p tcp --tcp-flags ALL SYN,RST,ACK,FIN,URG -j DROP' >> $MESH_FIREWALL_SCRIPT
+    echo 'ip6tables -A INPUT -p tcp --tcp-flags ALL SYN,RST,ACK,FIN,URG -j DROP' >> $MESH_FIREWALL_SCRIPT
     echo '' >> $MESH_FIREWALL_SCRIPT
     echo '# Incoming malformed NULL packets:' >> $MESH_FIREWALL_SCRIPT
     echo 'iptables -A INPUT -p tcp --tcp-flags ALL NONE -j DROP' >> $MESH_FIREWALL_SCRIPT
+    echo 'ip6tables -A INPUT -p tcp --tcp-flags ALL NONE -j DROP' >> $MESH_FIREWALL_SCRIPT
     echo '' >> $MESH_FIREWALL_SCRIPT
     echo "iptables -A INPUT -p tcp --dport $TOX_PORT -j ACCEPT" >> $MESH_FIREWALL_SCRIPT
-    echo "iptables -A INPUT -i $WIFI_INTERFACE -p udp --dport $ZERONET_PORT -j ACCEPT" >> $MESH_FIREWALL_SCRIPT
-    echo "iptables -A INPUT -i $WIFI_INTERFACE -p tcp --dport $ZERONET_PORT -j ACCEPT" >> $MESH_FIREWALL_SCRIPT
-    echo "iptables -A INPUT -i $WIFI_INTERFACE -p udp --dport $TRACKER_PORT -j ACCEPT" >> $MESH_FIREWALL_SCRIPT
-    echo "iptables -A INPUT -i $WIFI_INTERFACE -p tcp --dport $TRACKER_PORT -j ACCEPT" >> $MESH_FIREWALL_SCRIPT
-    echo "iptables -A INPUT -i $WIFI_INTERFACE -p udp --dport 1900 -j ACCEPT" >> $MESH_FIREWALL_SCRIPT
+    echo "ip6tables -A INPUT -p tcp --dport $TOX_PORT -j ACCEPT" >> $MESH_FIREWALL_SCRIPT
+
+    echo "iptables -A INPUT -p udp --dport $ZERONET_PORT -j ACCEPT" >> $MESH_FIREWALL_SCRIPT
+    echo "ip6tables -A INPUT -p udp --dport $ZERONET_PORT -j ACCEPT" >> $MESH_FIREWALL_SCRIPT
+    echo "iptables -A INPUT -p tcp --dport $ZERONET_PORT -j ACCEPT" >> $MESH_FIREWALL_SCRIPT
+    echo "ip6tables -A INPUT -p tcp --dport $ZERONET_PORT -j ACCEPT" >> $MESH_FIREWALL_SCRIPT
+    echo "iptables -A INPUT -p udp --dport $TRACKER_PORT -j ACCEPT" >> $MESH_FIREWALL_SCRIPT
+    echo "ip6tables -A INPUT -p udp --dport $TRACKER_PORT -j ACCEPT" >> $MESH_FIREWALL_SCRIPT
+    echo "iptables -A INPUT -p tcp --dport $TRACKER_PORT -j ACCEPT" >> $MESH_FIREWALL_SCRIPT
+    echo "ip6tables -A INPUT -p tcp --dport $TRACKER_PORT -j ACCEPT" >> $MESH_FIREWALL_SCRIPT
+    echo "iptables -A INPUT -p udp --dport 1900 -j ACCEPT" >> $MESH_FIREWALL_SCRIPT
+    echo "ip6tables -A INPUT -p udp --dport 1900 -j ACCEPT" >> $MESH_FIREWALL_SCRIPT
     chmod +x $MESH_FIREWALL_SCRIPT
 
     echo '[Unit]' > $FIREWALL_FILENAME
     key="$1"
 
     case $key in
-    -h|--help)
-        show_help
-        ;;
-    -f|--function)
-        shift
-        FN="$1"
-        ;;
-    -r|--rootdir)
-        shift
-        rootdir="$1"
-        CHROOT_PREFIX='chroot "${rootdir}"'
-        ;;
-    -w|--wifi|--interface)
-        shift
-        WIFI_INTERFACE="$1"
-        ;;
-    --remove)
-        shift
-        REMOVE="$1"
-        ;;
-    *)
-        # unknown option
-        ;;
+        -h|--help)
+            show_help
+            ;;
+        -f|--function)
+            shift
+            FN="$1"
+            ;;
+        -r|--rootdir)
+            shift
+            rootdir="$1"
+            CHROOT_PREFIX='chroot "${rootdir}"'
+            ;;
+        -w|--wifi|--interface)
+            shift
+            WIFI_INTERFACE="$1"
+            ;;
+        --remove)
+            shift
+            REMOVE="$1"
+            ;;
+        *)
+            # unknown option
+            ;;
 
     esac
     shift
 fi
 if [[ $FN == 'batman' ]]; then
     if [[ $REMOVE != 'yes' ]]; then
-    install_batman
+        install_batman
     else
-    install_batman_remove
+        install_batman_remove
     fi
 fi
 if [[ $FN == 'qtox' ]]; then

src/freedombone-mesh-reset

 MESH_INSTALL_COMPLETED=/root/.mesh_setup_completed
 
 if ! zenity --question --title=$'New Identity' --text=$"Do you want to reset your identity? This will reset ALL data for this peer, and you will not be able to recover it." --ok-label=No --cancel-label=Yes --width=300; then
+
     sudo batman stop
+
     sudo pkill qtox
     sudo pkill firefox
     sudo pkill iceweasel
     sudo pkill patchwork
     sudo rm -f $MESH_INSTALL_COMPLETED
     sudo ${PROJECT_NAME}-image-mesh $USER new
+
     sudo batman start
+
     if [ -f $HOME/mesh-desktop.sh ]; then
         $HOME/mesh-desktop.sh
     else

src/freedombone-utils-avahi

 }
 
 function mesh_avahi {
-    chroot "$rootdir" apt-get -yq install avahi-utils avahi-autoipd avahi-dnsconfd
+    chroot "$rootdir" apt-get -yq install avahi-utils avahi-dnsconfd
 
     decarray=( 1 2 3 4 5 6 7 8 9 0 )
     PEER_ID=${decarray[$RANDOM%10]}${decarray[$RANDOM%10]}${decarray[$RANDOM%10]}${decarray[$RANDOM%10]}${decarray[$RANDOM%10]}${decarray[$RANDOM%10]}${decarray[$RANDOM%10]}${decarray[$RANDOM%10]}
     sed -i "s|#host-name=.*|host-name=P$PEER_ID|g" $rootdir/etc/avahi/avahi-daemon.conf
+    sed -i "s|use-ipv4=.*|use-ipv4=no|g" $rootdir/etc/avahi/avahi-daemon.conf
+    sed -i "s|use-ipv6=.*|use-ipv6=yes|g" $rootdir/etc/avahi/avahi-daemon.conf
+    sed -i "s|#allow-interfaces=.*|allow-interfaces=wlan0, wlan1, wlan2, wlan3, wlan4, wlan5|g" $rootdir/etc/avahi/avahi-daemon.conf
+    sed -i "s|allow-interfaces=.*|allow-interfaces=wlan0, wlan1, wlan2, wlan3, wlan4, wlan5|g" $rootdir/etc/avahi/avahi-daemon.conf
+    sed -i "s|#deny-interfaces=.*|deny-interfaces=eth0, eth1, eth2, eth3, eth4, eth5|g" $rootdir/etc/avahi/avahi-daemon.conf
+    sed -i "s|deny-interfaces=.*|deny-interfaces=eth0, eth1, eth2, eth3, eth4, eth5|g" $rootdir/etc/avahi/avahi-daemon.conf
+    sed -i "s|#disallow-other-stacks=.*|disallow-other-stacks=yes|g" $rootdir/etc/avahi/avahi-daemon.conf
+    sed -i "s|disallow-other-stacks=.*|disallow-other-stacks=yes|g" $rootdir/etc/avahi/avahi-daemon.conf
+    sed -i "s|#publish_addresses=.*|publish_addresses=yes|g" $rootdir/etc/avahi/avahi-daemon.conf
+    sed -i "s|publish_addresses=.*|publish_addresses=yes|g" $rootdir/etc/avahi/avahi-daemon.conf
+    sed -i "s|#publish-hinfo=.*|publish-hinfo=no|g" $rootdir/etc/avahi/avahi-daemon.conf
+    sed -i "s|publish-hinfo=.*|publish-hinfo=no|g" $rootdir/etc/avahi/avahi-daemon.conf
+    sed -i "s|#publish-workstation=.*|publish-workstation=no|g" $rootdir/etc/avahi/avahi-daemon.conf
+    sed -i "s|publish-workstation=.*|publish-workstation=no|g" $rootdir/etc/avahi/avahi-daemon.conf
+    sed -i "s|#publish-domain=.*|publish-domain=yes|g" $rootdir/etc/avahi/avahi-daemon.conf
+    sed -i "s|publish-domain=.*|publish-domain=yes|g" $rootdir/etc/avahi/avahi-daemon.conf
+    sed -i "s|#publish-a-on-ipv6=.*|publish-a-on-ipv6=yes|g" $rootdir/etc/avahi/avahi-daemon.conf
+    sed -i "s|publish-a-on-ipv6=.*|publish-a-on-ipv6=yes|g" $rootdir/etc/avahi/avahi-daemon.conf
 
     if [ ! -d $rootdir/etc/avahi/services ]; then
         mkdir -p $rootdir/etc/avahi/services

src/freedombone-utils-firewall

     echo 'iptables -P INPUT DROP' >> $MESH_FIREWALL_SCRIPT
     echo 'ip6tables -P INPUT DROP' >> $MESH_FIREWALL_SCRIPT
     echo 'iptables -A INPUT -i lo -j ACCEPT' >> $MESH_FIREWALL_SCRIPT
+    echo 'ip6tables -A INPUT -i lo -j ACCEPT' >> $MESH_FIREWALL_SCRIPT
     echo 'iptables -A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT' >> $MESH_FIREWALL_SCRIPT
+    echo 'ip6tables -A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT' >> $MESH_FIREWALL_SCRIPT
     echo '' >> $MESH_FIREWALL_SCRIPT
     echo '# Make sure incoming tcp connections are SYN packets' >> $MESH_FIREWALL_SCRIPT
     echo 'iptables -A INPUT -p tcp ! --syn -m state --state NEW -j DROP' >> $MESH_FIREWALL_SCRIPT
+    echo 'ip6tables -A INPUT -p tcp ! --syn -m state --state NEW -j DROP' >> $MESH_FIREWALL_SCRIPT
     echo '' >> $MESH_FIREWALL_SCRIPT
     echo '# Drop packets with incoming fragments' >> $MESH_FIREWALL_SCRIPT
     echo 'iptables -A INPUT -f -j DROP' >> $MESH_FIREWALL_SCRIPT
+    echo 'ip6tables -A INPUT -f -j DROP' >> $MESH_FIREWALL_SCRIPT
     echo '' >> $MESH_FIREWALL_SCRIPT
     echo '# Drop bogons' >> $MESH_FIREWALL_SCRIPT
     echo 'iptables -A INPUT -p tcp --tcp-flags ALL ALL -j DROP' >> $MESH_FIREWALL_SCRIPT
+    echo 'ip6tables -A INPUT -p tcp --tcp-flags ALL ALL -j DROP' >> $MESH_FIREWALL_SCRIPT
     echo 'iptables -A INPUT -p tcp --tcp-flags ALL FIN,PSH,URG -j DROP' >> $MESH_FIREWALL_SCRIPT
+    echo 'ip6tables -A INPUT -p tcp --tcp-flags ALL FIN,PSH,URG -j DROP' >> $MESH_FIREWALL_SCRIPT
     echo 'iptables -A INPUT -p tcp --tcp-flags ALL SYN,RST,ACK,FIN,URG -j DROP' >> $MESH_FIREWALL_SCRIPT
+    echo 'ip6tables -A INPUT -p tcp --tcp-flags ALL SYN,RST,ACK,FIN,URG -j DROP' >> $MESH_FIREWALL_SCRIPT
     echo '' >> $MESH_FIREWALL_SCRIPT
     echo '# Incoming malformed NULL packets:' >> $MESH_FIREWALL_SCRIPT
     echo 'iptables -A INPUT -p tcp --tcp-flags ALL NONE -j DROP' >> $MESH_FIREWALL_SCRIPT
+    echo 'ip6tables -A INPUT -p tcp --tcp-flags ALL NONE -j DROP' >> $MESH_FIREWALL_SCRIPT
     echo '' >> $MESH_FIREWALL_SCRIPT
     echo "iptables -A INPUT -p tcp --dport $TOX_PORT -j ACCEPT" >> $MESH_FIREWALL_SCRIPT
-    echo "iptables -A INPUT -i $WIFI_INTERFACE -p udp --dport $ZERONET_PORT -j ACCEPT" >> $MESH_FIREWALL_SCRIPT
-    echo "iptables -A INPUT -i $WIFI_INTERFACE -p tcp --dport $ZERONET_PORT -j ACCEPT" >> $MESH_FIREWALL_SCRIPT
-    echo "iptables -A INPUT -i $WIFI_INTERFACE -p udp --dport $TRACKER_PORT -j ACCEPT" >> $MESH_FIREWALL_SCRIPT
-    echo "iptables -A INPUT -i $WIFI_INTERFACE -p tcp --dport $TRACKER_PORT -j ACCEPT" >> $MESH_FIREWALL_SCRIPT
-    echo "iptables -A INPUT -i $WIFI_INTERFACE -p udp --dport 1900 -j ACCEPT" >> $MESH_FIREWALL_SCRIPT
+    echo "ip6tables -A INPUT -p tcp --dport $TOX_PORT -j ACCEPT" >> $MESH_FIREWALL_SCRIPT
+    echo "iptables -A INPUT -p udp --dport $ZERONET_PORT -j ACCEPT" >> $MESH_FIREWALL_SCRIPT
+    echo "ip6tables -A INPUT -p udp --dport $ZERONET_PORT -j ACCEPT" >> $MESH_FIREWALL_SCRIPT
+    echo "iptables -A INPUT -p tcp --dport $ZERONET_PORT -j ACCEPT" >> $MESH_FIREWALL_SCRIPT
+    echo "ip6tables -A INPUT -p tcp --dport $ZERONET_PORT -j ACCEPT" >> $MESH_FIREWALL_SCRIPT
+    echo "iptables -A INPUT -p udp --dport $TRACKER_PORT -j ACCEPT" >> $MESH_FIREWALL_SCRIPT
+    echo "ip6tables -A INPUT -p udp --dport $TRACKER_PORT -j ACCEPT" >> $MESH_FIREWALL_SCRIPT
+    echo "iptables -A INPUT -p tcp --dport $TRACKER_PORT -j ACCEPT" >> $MESH_FIREWALL_SCRIPT
+    echo "ip6tables -A INPUT -p tcp --dport $TRACKER_PORT -j ACCEPT" >> $MESH_FIREWALL_SCRIPT
+    echo "iptables -A INPUT -p udp --dport 1900 -j ACCEPT" >> $MESH_FIREWALL_SCRIPT
+    echo "ip6tables -A INPUT -p udp --dport 1900 -j ACCEPT" >> $MESH_FIREWALL_SCRIPT
     chmod +x $MESH_FIREWALL_SCRIPT
 
     echo '[Unit]' > $FIREWALL_FILENAME

src/freedombone-utils-gnusocialtools

 QVITTER_THEME_COMMIT='c6f09bda4e45be4290cf7409fa5efb4420538032'
 
 PLEROMA_FRONTEND_REPO="https://gitgud.io/lambadalambda/pleroma-fe"
-PLEROMA_FRONTEND_COMMIT='cbe652f2d94d81fa54a37378b7ff014c4391ca5e'
+PLEROMA_FRONTEND_COMMIT='3b3bbaab822b553f514a62d20d679acc5ce4414a'
 
 SHARINGS_REPO="http://github.com/bashrc/Sharings"
 SHARINGS_COMMIT='0d30fe7d153c7ab44e8459970b8f2b5dec06e43c'

src/freedombone-utils-mesh

+#!/bin/bash
+#
+# .---.                  .              .
+# |                      |              |
+# |--- .--. .-.  .-.  .-.|  .-. .--.--. |.-.  .-. .--.  .-.
+# |    |   (.-' (.-' (   | (   )|  |  | |   )(   )|  | (.-'
+# '    '     --'  --'  -' -  -' '  '   -' -'   -' '   -  --'
+#
+#                    Freedom in the Cloud
+#
+# mesh utilities used by the batman and bmx commands
+#
+# License
+# =======
+#
+# Copyright (C) 2018 Bob Mottram <bob@freedombone.net>
+#
+# This program is free software: you can redistribute it and/or modify
+# it under the terms of the GNU Affero General Public License as published by
+# the Free Software Foundation, either version 3 of the License, or
+# (at your option) any later version.
+#
+# This program is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+# GNU Affero General Public License for more details.
+#
+# You should have received a copy of the GNU Affero General Public License
+# along with this program.  If not, see <http://www.gnu.org/licenses/>.
+
+# File which contains the current protocol in use
+MESH_CURRENT_PROTOCOL=/root/.mesh_protocol
+MESH_DEFAULT_PROTOCOL=/root/.mesh_protocol_default
+
+function mesh_protocol_init {
+    if [[ $1 == "start" ]]; then
+        # install avahi
+        sed -i "s|#host-name=.*|host-name=$(hostname)|g" /etc/avahi/avahi-daemon.conf
+        sed -i "s|host-name=.*|host-name=$(hostname)|g" /etc/avahi/avahi-daemon.conf
+        sed -i "s|use-ipv4=.*|use-ipv4=no|g" /etc/avahi/avahi-daemon.conf
+        sed -i "s|use-ipv6=.*|use-ipv6=yes|g" /etc/avahi/avahi-daemon.conf
+        sed -i "s|#disallow-other-stacks=.*|disallow-other-stacks=yes|g" /etc/avahi/avahi-daemon.conf
+        sed -i "s|hosts:.*|hosts:          files mdns4_minimal dns mdns4 mdns|g" /etc/nsswitch.conf
+    fi
+
+    # Mesh definition
+    WIFI_SSID='mesh'
+    if [ -f $COMPLETION_FILE ]; then
+        if grep -q "WIFI_SSID:" $COMPLETION_FILE; then
+            WIFI_SSID=$(cat $COMPLETION_FILE | grep "WIFI_SSID:" | awk -F ':' '{print $2}')
+        fi
+        sed -i "s|WIFI_SSID:.*|WIFI_SSID:${WIFI_SSID}|g" $COMPLETION_FILE
+    fi
+    CELLID='any'
+
+    CHANNEL=2
+    HOTSPOT_CHANNEL=6
+    if [ -f $COMPLETION_FILE ]; then
+        if grep -q "Wifi channel:" $COMPLETION_FILE; then
+            CHANNEL=$(cat $COMPLETION_FILE | grep "Wifi channel:" | awk -F ':' '{print $2}')
+        fi
+        sed -i "s|Wifi channel:.*|Wifi channel:${CHANNEL}|g" $COMPLETION_FILE
+    fi
+
+    ZERONET_PORT=15441
+    IPFS_PORT=4001
+    TOX_PORT=33445
+    TRACKER_PORT=6969
+    LIBREVAULT_PORT=42345
+    TAHOELAFS_PORT=50213
+    GIT_SSB_PORT=7718
+    NGINX_GIT_SSB_PORT=7719
+
+    # Ethernet bridge definition (bridged to bat0)
+    BRIDGE=br-mesh
+    BRIDGE_HOTSPOT=br-hotspot
+    IFACE=
+    IFACE_SECONDARY=
+    EIFACE=eth0
+    WLAN_ADAPTORS=$(count_wlan)
+
+    if [ $WLAN_ADAPTORS -eq 0 ]; then
+        echo $'No wlan adaptors found'
+        exit 0
+    fi
+}
+
+function get_ipv4_wlan {
+    echo $(ip -o -f inet addr show dev "$IFACE" | awk '{print $4}' | awk 'END {print}' | awk -F '/' '{print $1}')
+}
+
+function mesh_hotspot_ip_address {
+    echo $(ip -o -f inet addr show dev "${BRIDGE}" | awk '{print $4}' | awk 'END {print}' | awk -F '/' '{print $1}')
+}
+
+function global_rate_limit {
+    if ! grep -q "tcp_challenge_ack_limit" /etc/sysctl.conf; then
+        echo 'net.ipv4.tcp_challenge_ack_limit = 999999999' >> /etc/sysctl.conf
+        echo 'net.ipv6.tcp_challenge_ack_limit = 999999999' >> /etc/sysctl.conf
+    else
+        sed -i 's|net.ipv4.tcp_challenge_ack_limit.*|net.ipv4.tcp_challenge_ack_limit = 999999999|g' /etc/sysctl.conf
+        sed -i 's|net.ipv6.tcp_challenge_ack_limit.*|net.ipv6.tcp_challenge_ack_limit = 999999999|g' /etc/sysctl.conf
+    fi
+    sysctl -p -q
+}
+
+function assign_peer_address {
+    for i in {1..6}; do
+        number=$RANDOM
+        let "number %= 255"
+        octet=$(echo "obase=16;$number" | bc)
+        if [ ${#octet} -lt 2 ]; then
+            octet="0${octet}"
+        fi
+        if [ $i -gt 1 ]; then
+            echo -n ":"
+        fi
+        echo -n "${octet}"
+    done
+}
+
+function mesh_create_app_downloads_page {
+    if [ ! -d /root/$PROJECT_NAME/image_build/mesh_apps ]; then
+        return
+    fi
+    if [ ! -d /var/www/html ]; then
+        return
+    fi
+    # Don't go straight to cryptpad when navigating to the peer's IP address
+    if [ -L /etc/nginx/sites-enabled/cryptpad ]; then
+        rm /etc/nginx/sites-enabled/cryptpad
+        ln -s /etc/nginx/sites-available/default /etc/nginx/sites-enabled/default
+        if [ -d /etc/cryptpad ]; then
+            systemctl stop cryptpad
+            systemctl disable cryptpad
+        fi
+        systemctl restart nginx
+    fi
+    # Don't show the cryptpad icon on the desktop
+    if [ -f /home/fbone/Desktop/cryptpad.desktop ]; then
+        mv /home/fbone/Desktop/cryptpad.desktop /home/fbone/.cryptpad.desktop
+    fi
+
+    cp /root/$PROJECT_NAME/website/EN/meshindex.html /var/www/html/index.html
+    if [ ! -f /var/www/html/ssb.apk ]; then
+        cp /root/$PROJECT_NAME/image_build/mesh_apps/ssb.apk /var/www/html/ssb.apk
+    fi
+    if [ ! -f /var/www/html/trifa.apk ]; then
+        cp /root/$PROJECT_NAME/image_build/mesh_apps/trifa.apk /var/www/html/trifa.apk
+    fi
+    if [ ! -d /var/www/html/images ]; then
+        mkdir /var/www/html/images
+    fi
+    if [ ! -f /var/www/html/images/logo.png ]; then
+        cp /root/$PROJECT_NAME/img/logo.png /var/www/html/images/logo.png
+    fi
+    if [ ! -f /var/www/html/images/ssb.png ]; then
+        cp /root/$PROJECT_NAME/img/icon_patchwork.png /var/www/html/images/ssb.png
+    fi
+    if [ ! -f /var/www/html/images/trifa.png ]; then
+        cp /root/$PROJECT_NAME/img/trifa.png /var/www/html/images/trifa.png
+    fi
+    if [ ! -f /var/www/html/freedombone.css ]; then
+        cp /root/$PROJECT_NAME/website/freedombone.css /var/www/html/freedombone.css
+    fi
+    chown -R www-data:www-data /var/www/html/*
+}
+
+function enable_mesh_firewall {
+    iptables -A INPUT -p icmp --icmp-type echo-request -j ACCEPT
+    iptables -A OUTPUT -p icmp --icmp-type echo-reply -j ACCEPT
+    iptables -A INPUT -p tcp --dport $TRACKER_PORT -j ACCEPT
+    iptables -A INPUT -p udp --dport $TRACKER_PORT -j ACCEPT
+    iptables -A INPUT -p udp --dport 6240 -j ACCEPT
+    iptables -A INPUT -p tcp --dport 6240 -j ACCEPT
+    iptables -A INPUT -p tcp --dport 80 -j ACCEPT
+    iptables -A INPUT -p udp --dport 80 -j ACCEPT
+    iptables -A INPUT -p tcp --dport 548 -j ACCEPT
+    iptables -A INPUT -p udp --dport 548 -j ACCEPT
+    iptables -A INPUT -p tcp --dport 5353 -j ACCEPT
+    iptables -A INPUT -p udp --dport 5353 -j ACCEPT
+    iptables -A INPUT -p tcp --dport 5354 -j ACCEPT
+    iptables -A INPUT -p udp --dport 5354 -j ACCEPT
+    iptables -A INPUT -p tcp --dport $ZERONET_PORT -j ACCEPT
+    iptables -A INPUT -p udp --dport $ZERONET_PORT -j ACCEPT
+    iptables -A INPUT -p tcp --dport $IPFS_PORT -j ACCEPT
+    iptables -A INPUT -p tcp --dport $TOX_PORT -j ACCEPT
+    iptables -A INPUT -p udp --dport $TOX_PORT -j ACCEPT
+    iptables -A INPUT -p tcp --dport $LIBREVAULT_PORT -j ACCEPT
+    iptables -A INPUT -p udp --dport $LIBREVAULT_PORT -j ACCEPT
+    iptables -A INPUT -p tcp --dport $TAHOELAFS_PORT -j ACCEPT
+    # SSB/Scuttlebot/Patchwork
+    iptables -A INPUT -p tcp --dport $GIT_SSB_PORT -j ACCEPT
+    iptables -A INPUT -p udp --dport 8008 -j ACCEPT
+    iptables -A INPUT -p tcp --dport 8008 -j ACCEPT
+    iptables -A INPUT -p udp --dport 8010 -j ACCEPT
+    iptables -A INPUT -p tcp --dport 8010 -j ACCEPT
+
+
+    ip6tables -A INPUT -p ipv6-icmp -j ACCEPT
+    ip6tables -A OUTPUT -p ipv6-icmp -j ACCEPT
+    ip6tables -A INPUT -p tcp --dport $TRACKER_PORT -j ACCEPT
+    ip6tables -A INPUT -p udp --dport $TRACKER_PORT -j ACCEPT
+    ip6tables -A INPUT -p udp --dport 6240 -j ACCEPT
+    ip6tables -A INPUT -p tcp --dport 6240 -j ACCEPT
+    ip6tables -A INPUT -p tcp --dport 80 -j ACCEPT
+    ip6tables -A INPUT -p udp --dport 80 -j ACCEPT
+    ip6tables -A INPUT -p tcp --dport 548 -j ACCEPT
+    ip6tables -A INPUT -p udp --dport 548 -j ACCEPT
+    ip6tables -A INPUT -p tcp --dport 5353 -j ACCEPT
+    ip6tables -A INPUT -p udp --dport 5353 -j ACCEPT
+    ip6tables -A INPUT -p tcp --dport 5354 -j ACCEPT
+    ip6tables -A INPUT -p udp --dport 5354 -j ACCEPT
+    ip6tables -A INPUT -p tcp --dport $ZERONET_PORT -j ACCEPT
+    ip6tables -A INPUT -p udp --dport $ZERONET_PORT -j ACCEPT
+    ip6tables -A INPUT -p tcp --dport $IPFS_PORT -j ACCEPT
+    ip6tables -A INPUT -p tcp --dport $TOX_PORT -j ACCEPT
+    ip6tables -A INPUT -p udp --dport $TOX_PORT -j ACCEPT
+    ip6tables -A INPUT -p tcp --dport $LIBREVAULT_PORT -j ACCEPT
+    ip6tables -A INPUT -p udp --dport $LIBREVAULT_PORT -j ACCEPT
+    ip6tables -A INPUT -p tcp --dport $TAHOELAFS_PORT -j ACCEPT
+    # SSB/Scuttlebot/Patchwork
+    ip6tables -A INPUT -p tcp --dport $GIT_SSB_PORT -j ACCEPT
+    ip6tables -A INPUT -p udp --dport 8008 -j ACCEPT
+    ip6tables -A INPUT -p tcp --dport 8008 -j ACCEPT
+    ip6tables -A INPUT -p udp --dport 8010 -j ACCEPT
+    ip6tables -A INPUT -p tcp --dport 8010 -j ACCEPT
+
+
+    # vpn over the internet
+    # Note: the vpn firewall settings are needed in order for Patchwork
+    # to discover local peers
+    iptables -A INPUT -p tcp --dport 653 -j ACCEPT
+    iptables -A INPUT -p udp --dport 653 -j ACCEPT
+    iptables -A INPUT -i ${EIFACE} -m state --state NEW -p tcp --dport 1194 -j ACCEPT
+    iptables -A INPUT -i tun+ -j ACCEPT
+    iptables -A FORWARD -i tun+ -j ACCEPT
+    iptables -A FORWARD -i tun+ -o ${EIFACE} -m state --state RELATED,ESTABLISHED -j ACCEPT
+    iptables -A FORWARD -i ${EIFACE} -o tun+ -m state --state RELATED,ESTABLISHED -j ACCEPT
+    iptables -t nat -A POSTROUTING -s 10.8.0.0/24 -o ${EIFACE} -j MASQUERADE
+    iptables -A OUTPUT -o tun+ -j ACCEPT
+    echo 1 > /proc/sys/net/ipv4/ip_forward
+    sed -i 's|# net.ipv4.ip_forward|net.ipv4.ip_forward|g' /etc/sysctl.conf
+    sed -i 's|#net.ipv4.ip_forward|net.ipv4.ip_forward|g' /etc/sysctl.conf
+    sed -i 's|net.ipv4.ip_forward.*|net.ipv4.ip_forward=1|g' /etc/sysctl.conf
+}
+
+function disable_mesh_firewall {
+    iptables -D INPUT -p tcp --dport $TRACKER_PORT -j ACCEPT
+    iptables -D INPUT -p udp --dport $TRACKER_PORT -j ACCEPT
+    iptables -D INPUT -p udp --dport 6240 -j ACCEPT
+    iptables -D INPUT -p tcp --dport 6240 -j ACCEPT
+    iptables -D INPUT -p tcp --dport 80 -j ACCEPT
+    iptables -D INPUT -p udp --dport 80 -j ACCEPT
+    iptables -D INPUT -p tcp --dport 548 -j ACCEPT
+    iptables -D INPUT -p udp --dport 548 -j ACCEPT
+    iptables -D INPUT -p tcp --dport 5353 -j ACCEPT
+    iptables -D INPUT -p udp --dport 5353 -j ACCEPT
+    iptables -D INPUT -p tcp --dport 5354 -j ACCEPT
+    iptables -D INPUT -p udp --dport 5354 -j ACCEPT
+    iptables -D INPUT -p tcp --dport $ZERONET_PORT -j ACCEPT
+    iptables -D INPUT -p udp --dport $ZERONET_PORT -j ACCEPT
+    iptables -D INPUT -p tcp --dport $IPFS_PORT -j ACCEPT
+    iptables -D INPUT -p udp --dport $IPFS_PORT -j ACCEPT
+    iptables -D INPUT -p tcp --dport $TOX_PORT -j ACCEPT
+    iptables -D INPUT -p udp --dport $TOX_PORT -j ACCEPT
+    iptables -D INPUT -p tcp --dport $LIBREVAULT_PORT -j ACCEPT
+    iptables -D INPUT -p udp --dport $LIBREVAULT_PORT -j ACCEPT
+    iptables -D INPUT -p tcp --dport $TAHOELAFS_PORT -j ACCEPT
+    # SSB/Scuttlebot/Patchwork
+    iptables -D INPUT -p tcp --dport $GIT_SSB_PORT -j ACCEPT
+    iptables -D INPUT -p udp --dport 8008 -j ACCEPT
+    iptables -D INPUT -p tcp --dport 8008 -j ACCEPT
+    iptables -D INPUT -p udp --dport 8010 -j ACCEPT
+    iptables -D INPUT -p tcp --dport 8010 -j ACCEPT
+
+
+    ip6tables -D INPUT -p tcp --dport $TRACKER_PORT -j ACCEPT
+    ip6tables -D INPUT -p udp --dport $TRACKER_PORT -j ACCEPT
+    ip6tables -D INPUT -p udp --dport 6240 -j ACCEPT
+    ip6tables -D INPUT -p tcp --dport 6240 -j ACCEPT
+    ip6tables -D INPUT -p tcp --dport 80 -j ACCEPT
+    ip6tables -D INPUT -p udp --dport 80 -j ACCEPT
+    ip6tables -D INPUT -p tcp --dport 548 -j ACCEPT
+    ip6tables -D INPUT -p udp --dport 548 -j ACCEPT
+    ip6tables -D INPUT -p tcp --dport 5353 -j ACCEPT
+    ip6tables -D INPUT -p udp --dport 5353 -j ACCEPT
+    ip6tables -D INPUT -p tcp --dport 5354 -j ACCEPT
+    ip6tables -D INPUT -p udp --dport 5354 -j ACCEPT
+    ip6tables -D INPUT -p tcp --dport $ZERONET_PORT -j ACCEPT
+    ip6tables -D INPUT -p udp --dport $ZERONET_PORT -j ACCEPT
+    ip6tables -D INPUT -p tcp --dport $IPFS_PORT -j ACCEPT
+    ip6tables -D INPUT -p udp --dport $IPFS_PORT -j ACCEPT
+    ip6tables -D INPUT -p tcp --dport $TOX_PORT -j ACCEPT
+    ip6tables -D INPUT -p udp --dport $TOX_PORT -j ACCEPT
+    ip6tables -D INPUT -p tcp --dport $LIBREVAULT_PORT -j ACCEPT
+    ip6tables -D INPUT -p udp --dport $LIBREVAULT_PORT -j ACCEPT
+    ip6tables -D INPUT -p tcp --dport $TAHOELAFS_PORT -j ACCEPT
+    # SSB/Scuttlebot/Patchwork
+    ip6tables -D INPUT -p tcp --dport $GIT_SSB_PORT -j ACCEPT
+    ip6tables -D INPUT -p udp --dport 8008 -j ACCEPT
+    ip6tables -D INPUT -p tcp --dport 8008 -j ACCEPT
+    ip6tables -D INPUT -p udp --dport 8010 -j ACCEPT
+    ip6tables -D INPUT -p tcp --dport 8010 -j ACCEPT
+
+
+    # vpn over the internet
+    iptables -D INPUT -p tcp --dport 653 -j ACCEPT
+    iptables -D INPUT -p udp --dport 653 -j ACCEPT
+    iptables -D INPUT -i ${EIFACE} -m state --state NEW -p tcp --dport 1194 -j ACCEPT
+    iptables -D INPUT -i tun+ -j ACCEPT
+    iptables -D FORWARD -i tun+ -j ACCEPT
+    iptables -D FORWARD -i tun+ -o ${EIFACE} -m state --state RELATED,ESTABLISHED -j ACCEPT
+    iptables -D FORWARD -i ${EIFACE} -o tun+ -m state --state RELATED,ESTABLISHED -j ACCEPT
+    iptables -t nat -D POSTROUTING -s 10.8.0.0/24 -o ${EIFACE} -j MASQUERADE
+    iptables -D OUTPUT -o tun+ -j ACCEPT
+
+    echo 0 > /proc/sys/net/ipv4/ip_forward
+    sed -i 's|net.ipv4.ip_forward=.*|net.ipv4.ip_forward=0|g' /etc/sysctl.conf
+}
+
+function enable_mesh_scuttlebot {
+    if [ -f /etc/scuttlebot/.ssb/config ]; then
+        ethernet_connected=$(cat /sys/class/net/eth0/carrier)
+        if [[ "$ethernet_connected" != "0" ]]; then
+            sed -i "s|\"host\": .*|\"host\": \"$(get_ipv4_wlan)\",|g" /etc/scuttlebot/.ssb/config
+            systemctl restart scuttlebot
+        else
+            if [ ! -f /etc/nginx/sites-available/git_ssb ]; then
+                systemctl stop scuttlebot
+            else
+                systemctl restart scuttlebot
+            fi
+        fi
+    fi
+    sed -i "s|\"host\":.*|\"host\": \"${HOSTNAME}.local\",|g" /etc/scuttlebot/.ssb/config
+    systemctl restart scuttlebot
+}
+
+function enable_mesh_tor {
+    # if we have an ethernet connection to an internet router then create
+    # an onion address for this peer
+    if [[ "$ethernet_connected" != "0" ]]; then
+        systemctl enable tor
+        systemctl start tor
+        HIDDEN_SERVICE_PATH=/var/lib/tor/hidden_service_
+        if [ ! -f ${HIDDEN_SERVICE_PATH}mesh/hostname ]; then
+            echo "HiddenServiceDir ${HIDDEN_SERVICE_PATH}mesh/" >> /etc/tor/torrc
+            echo "HiddenServicePort 653 127.0.0.1:653" >> /etc/tor/torrc
+            systemctl restart tor
+        fi
+    else
+        systemctl stop tor
+        systemctl disable tor
+    fi
+}
+
+function enable_mesh_seconary_wifi {
+    if [ $secondary_wifi_available ]; then
+        sed -i 's|#DAEMON_CONF=.*|DAEMON_CONF="/etc/hostapd/hostapd.conf"|g' /etc/default/hostapd
+
+        mesh_hotspot_address=$(mesh_hotspot_ip_address)
+        if [[ "$mesh_hotspot_address" == *'.'* ]]; then
+            echo "interface=${IFACE_SECONDARY}" > /etc/hostapd/hostapd.conf
+            echo "bridge=${BRIDGE}" >> /etc/hostapd/hostapd.conf
+            echo 'driver=nl80211' >> /etc/hostapd/hostapd.conf
+            echo "country_code=UK" >> /etc/hostapd/hostapd.conf
+            echo "ssid=${WIFI_SSID}-${mesh_hotspot_address}" >> /etc/hostapd/hostapd.conf
+            echo 'hw_mode=g' >> /etc/hostapd/hostapd.conf
+            echo "channel=${HOTSPOT_CHANNEL}" >> /etc/hostapd/hostapd.conf
+            echo 'wpa=2' >> /etc/hostapd/hostapd.conf
+            echo "wpa_passphrase=$HOTSPOT_PASSPHRASE" >> /etc/hostapd/hostapd.conf
+            echo 'wpa_key_mgmt=WPA-PSK' >> /etc/hostapd/hostapd.conf
+            echo 'wpa_pairwise=TKIP' >> /etc/hostapd/hostapd.conf
+            echo 'rsn_pairwise=CCMP' >> /etc/hostapd/hostapd.conf
+            echo 'auth_algs=1' >> /etc/hostapd/hostapd.conf
+            echo 'macaddr_acl=0' >> /etc/hostapd/hostapd.conf
+
+            sed -i "s|#interface=.*|interface=${IFACE_SECONDARY}|g" /etc/dnsmasq.conf
+            sed -i "s|interface=.*|interface=${IFACE_SECONDARY}|g" /etc/dnsmasq.conf
+            sed -i "s|listen-address=.*|listen-address=127.0.0.1,$mesh_hotspot_address|g" /etc/dnsmasq.conf
+            sed -i 's|#listen-address|listen-address|g' /etc/dnsmasq.conf
+            systemctl enable dnsmasq
+            systemctl restart dnsmasq
+
+            systemctl enable hostapd
+            systemctl restart hostapd
+            mesh_create_app_downloads_page
+        else
+            secondary_wifi_available=
+            echo $'WARNING: No IP address could be obtained for the hotspot'
+        fi
+    fi
+
+    if [ ! $secondary_wifi_available ]; then
+        systemctl stop hostapd
+        systemctl disable hostapd
+
+        # Recreate the cryptpad symlink
+        if [ -f /etc/nginx/sites-available/cryptpad ]; then
+            if [ -L /etc/nginx/sites-enabled/cryptpad ]; then
+                rm /etc/nginx/sites-enabled/default
+            fi
+            systemctl enable cryptpad
+            systemctl start cryptpad
+
+            if [ ! -L /etc/nginx/sites-enabled/cryptpad ]; then
+                ln -s /etc/nginx/sites-available/cryptpad /etc/nginx/sites-enabled/cryptpad
+                systemctl restart nginx
+            fi
+        fi
+        if [ -f /home/fbone/.cryptpad.desktop ]; then
+            mv /home/fbone/.cryptpad.desktop /home/fbone/Desktop/cryptpad.desktop
+        fi
+    fi
+}
+
+# NOTE: deliberately there is no "exit 0"

src/freedombone-utils-setup

     apt-get -yq install cryptsetup libgfshare-bin duplicity sshpass wget avahi-daemon
     apt-get -yq install avahi-utils avahi-discover connect-proxy openssh-server
     apt-get -yq install sudo git dialog build-essential avahi-daemon avahi-utils
-    apt-get -yq install avahi-discover avahi-autoipd iptables dnsutils net-tools
+    apt-get -yq install avahi-discover iptables dnsutils net-tools
     apt-get -yq install network-manager iputils-ping libnss-mdns libnss-myhostname
     apt-get -yq install libnss-gw-name nano man ntp locales locales-all debconf
     apt-get -yq install wireless-tools wpasupplicant usbutils zsh cpulimit screen

src/freedombone-utils-wifi

     IFACE_SECONDARY=
 
     for i in $(seq 10 -1 0); do
-        ifdown --force wlan${i}
+        ifdown --force wlan${i} 2> /dev/null
     done
 
     for i in $(seq 10 -1 0); do

website/EN/faq.html

 "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
 <html xmlns="http://www.w3.org/1999/xhtml" lang="en" xml:lang="en">
 <head>
-<!-- 2017-12-30 Sat 15:48 -->
+<!-- 2018-01-11 Thu 20:57 -->
 <meta http-equiv="Content-Type" content="text/html;charset=utf-8" />
 <meta name="viewport" content="width=device-width, initial-scale=1" />
 <title>&lrm;</title>
 </colgroup>
 <tbody>
 <tr>
-<td class="org-left"><a href="#org416597b">What applications are supported?</a></td>
+<td class="org-left"><a href="#org3b9d551">What applications are supported?</a></td>
 </tr>
 
 <tr>
-<td class="org-left"><a href="#org719e222">I don't have a static IP address. Can I still install this system?</a></td>
+<td class="org-left"><a href="#orgdcdffc6">I don't have a static IP address. Can I still install this system?</a></td>
 </tr>
 
 <tr>
-<td class="org-left"><a href="#org997ae78">Why Freedombone and not FreedomBox?</a></td>
+<td class="org-left"><a href="#org04dca90">Why Freedombone and not FreedomBox?</a></td>
 </tr>
 
 <tr>
-<td class="org-left"><a href="#org0fe5706">Why not support building images for Raspberry Pi?</a></td>
+<td class="org-left"><a href="#org250c12d">Why not support building images for Raspberry Pi?</a></td>
 </tr>
 
 <tr>
-<td class="org-left"><a href="#orgf565b16">Why use Tor? I've heard it's used by bad people</a></td>
+<td class="org-left"><a href="#orgd5c1184">Why use Tor? I've heard it's used by bad people</a></td>
 </tr>
 
 <tr>
-<td class="org-left"><a href="#orgac61490">How is Tor integrated with Freedombone?</a></td>
+<td class="org-left"><a href="#org9591a28">How is Tor integrated with Freedombone?</a></td>
 </tr>
 
 <tr>
-<td class="org-left"><a href="#orgbe35250">Can I add a clearnet domain to an onion build?</a></td>
+<td class="org-left"><a href="#orgda2b251">Can I add a clearnet domain to an onion build?</a></td>
 </tr>
 
 <tr>
-<td class="org-left"><a href="#org1ea193b">Why use Github?</a></td>
+<td class="org-left"><a href="#org2fcade7">Why use Github?</a></td>
 </tr>
 
 <tr>
-<td class="org-left"><a href="#org7057def">Keys and emails should not be stored on servers. Why do you do that?</a></td>
+<td class="org-left"><a href="#orgc5b7d76">Should I upload my GPG keys to keybase.io?</a></td>
 </tr>
 
 <tr>
-<td class="org-left"><a href="#orge669711">Why can't I access my .onion site with a Tor browser?</a></td>
+<td class="org-left"><a href="#org1b54432">Keys and emails should not be stored on servers. Why do you do that?</a></td>
 </tr>
 
 <tr>
-<td class="org-left"><a href="#orgdb3b7a6">What is the best hardware to run this system on?</a></td>
+<td class="org-left"><a href="#orgd51af85">Why can't I access my .onion site with a Tor browser?</a></td>
 </tr>
 
 <tr>
-<td class="org-left"><a href="#orgf1c38a0">Can I add more users to the system?</a></td>
+<td class="org-left"><a href="#org4585a4a">What is the best hardware to run this system on?</a></td>
 </tr>
 
 <tr>
-<td class="org-left"><a href="#orgd32f191">Why not use Signal for mobile chat?</a></td>
+<td class="org-left"><a href="#org12ce8ec">Can I add more users to the system?</a></td>
 </tr>
 
 <tr>
-<td class="org-left"><a href="#org16a21bb">What is the most secure chat app to use on mobile?</a></td>
+<td class="org-left"><a href="#org6e6f0bd">Why not use Signal for mobile chat?</a></td>
 </tr>
 
 <tr>
-<td class="org-left"><a href="#org279eac7">How do I remove a user from the system?</a></td>
+<td class="org-left"><a href="#orgb8a6086">What is the most secure chat app to use on mobile?</a></td>
 </tr>
 
 <tr>
-<td class="org-left"><a href="#org12ac09e">Why is logging for web sites turned off by default?</a></td>
+<td class="org-left"><a href="#orgd46fade">How do I remove a user from the system?</a></td>
 </tr>
 
 <tr>
-<td class="org-left"><a href="#org5e9d3c7">How do I reset the tripwire?</a></td>
+<td class="org-left"><a href="#org7fc4d88">Why is logging for web sites turned off by default?</a></td>
 </tr>
 
 <tr>
-<td class="org-left"><a href="#org0613054">Is metadata protected?</a></td>
+<td class="org-left"><a href="#orge1a3788">How do I reset the tripwire?</a></td>
 </tr>
 
 <tr>
-<td class="org-left"><a href="#orgdf75721">How do I create email processing rules?</a></td>
+<td class="org-left"><a href="#org572f545">Is metadata protected?</a></td>
 </tr>
 
 <tr>
-<td class="org-left"><a href="#org5b21211">Why isn't dynamic DNS working?</a></td>
+<td class="org-left"><a href="#org733a91b">How do I create email processing rules?</a></td>
 </tr>
 
 <tr>
-<td class="org-left"><a href="#org929e4ae">How do I change my encryption settings?</a></td>
+<td class="org-left"><a href="#org78eef24">Why isn't dynamic DNS working?</a></td>
 </tr>
 
 <tr>
-<td class="org-left"><a href="#org087d147">How do I get a domain name?</a></td>
+<td class="org-left"><a href="#org2c06ab3">How do I change my encryption settings?</a></td>
 </tr>
 
 <tr>
-<td class="org-left"><a href="#org4bb381a">How do I get a "real" SSL/TLS/HTTPS certificate?</a></td>
+<td class="org-left"><a href="#org5afac46">How do I get a domain name?</a></td>
 </tr>
 
 <tr>
-<td class="org-left"><a href="#orgfbd420c">How do I renew a Let's Encrypt certificate?</a></td>
+<td class="org-left"><a href="#org438f36d">How do I get a "real" SSL/TLS/HTTPS certificate?</a></td>
 </tr>
 
 <tr>
-<td class="org-left"><a href="#orgdaf57b7">I tried to renew a Let's Encrypt certificate and it failed. What should I do?</a></td>
+<td class="org-left"><a href="#orge32e913">How do I renew a Let's Encrypt certificate?</a></td>
 </tr>
 
 <tr>
-<td class="org-left"><a href="#org9fde76d">Why not use the services of $company instead? They took the Seppuku pledge</a></td>
+<td class="org-left"><a href="#org44f909f">I tried to renew a Let's Encrypt certificate and it failed. What should I do?</a></td>
 </tr>
 
 <tr>
-<td class="org-left"><a href="#org71ce92c">Why does my email keep getting rejected as spam by Gmail/etc?</a></td>
+<td class="org-left"><a href="#org27439c3">Why not use the services of $company instead? They took the Seppuku pledge</a></td>
 </tr>
 
 <tr>
-<td class="org-left"><a href="#org1bd542d">Tor is censored/blocked in my area. What can I do?</a></td>
+<td class="org-left"><a href="#org00d41d3">Why does my email keep getting rejected as spam by Gmail/etc?</a></td>
 </tr>
 
 <tr>
-<td class="org-left"><a href="#orgcf6a401">I want to block a particular domain from getting its content into my social network sites</a></td>
+<td class="org-left"><a href="#org7ab9062">Tor is censored/blocked in my area. What can I do?</a></td>
 </tr>
 
 <tr>
-<td class="org-left"><a href="#org39004fe">The mesh system doesn't boot from USB drive</a></td>
+<td class="org-left"><a href="#org5cd6bab">I want to block a particular domain from getting its content into my social network sites</a></td>
+</tr>
+
+<tr>
+<td class="org-left"><a href="#orgafedf35">The mesh system doesn't boot from USB drive</a></td>
 </tr>
 </tbody>
 </table>
 </div>
 
-<div id="outline-container-org416597b" class="outline-2">
-<h2 id="org416597b">What applications are supported?</h2>
-<div class="outline-text-2" id="text-org416597b">
+<div id="outline-container-org3b9d551" class="outline-2">
+<h2 id="org3b9d551">What applications are supported?</h2>
+<div class="outline-text-2" id="text-org3b9d551">
 <p>
 <a href="./apps.html">See here</a> for the complete list of apps. In addition to those as part of the base install you get an email server.
 </p>
 </div>
 </div>
-<div id="outline-container-org719e222" class="outline-2">
-<h2 id="org719e222">I don't have a static IP address. Can I still install this system?</h2>
-<div class="outline-text-2" id="text-org719e222">
+<div id="outline-container-orgdcdffc6" class="outline-2">
+<h2 id="orgdcdffc6">I don't have a static IP address. Can I still install this system?</h2>
+<div class="outline-text-2" id="text-orgdcdffc6">
 <p>
 Yes. The minimum requirements are to have some hardware that you can install Debian onto and also that you have administrator access to your internet router so that you can forward ports to the system which has Freedombone installed.
 </p>
 </p>
 </div>
 </div>
-<div id="outline-container-org997ae78" class="outline-2">
-<h2 id="org997ae78">Why Freedombone and not FreedomBox?</h2>
-<div class="outline-text-2" id="text-org997ae78">
+<div id="outline-container-org04dca90" class="outline-2">
+<h2 id="org04dca90">Why Freedombone and not FreedomBox?</h2>
+<div class="outline-text-2" id="text-org04dca90">
 <p>
 When the project began in late 2013 the FreedomBox project seemed to be going nowhere, and was only designed to work with the DreamPlug hardware. There was some new hardware out - the Beaglebone Black - which could run Debian and was also a free hardware design so seemed more appropriate. Hence the name "Freedombone", being like FreedomBox but on a Beaglebone. There are some similarities and differences between the two projects:
 </p>
 </div>
 
-<div id="outline-container-org33179aa" class="outline-3">
-<h3 id="org33179aa">Similarities</h3>
-<div class="outline-text-3" id="text-org33179aa">
+<div id="outline-container-org306add8" class="outline-3">
+<h3 id="org306add8">Similarities</h3>
+<div class="outline-text-3" id="text-org306add8">
 <ul class="org-ul">
 <li>Uses freedom-maker and vmdebootstrap to build debian images</li>
 <li>Supports the use of Tor onion addresses to access websites</li>
 </ul>
 </div>
 </div>
-<div id="outline-container-orgc193b4e" class="outline-3">
-<h3 id="orgc193b4e">Differences</h3>
-<div class="outline-text-3" id="text-orgc193b4e">
+<div id="outline-container-orge8d4938" class="outline-3">
+<h3 id="orge8d4938">Differences</h3>
+<div class="outline-text-3" id="text-orge8d4938">
 <ul class="org-ul">
 <li>FreedomBox is a Debian pure blend. Freedombone is not</li>
 <li>Freedombone only supports Free Software. FreedomBox includes some closed binary boot blobs for certain ARM boards</li>
 </div>
 </div>
 </div>
-<div id="outline-container-org0fe5706" class="outline-2">
-<h2 id="org0fe5706">Why not support building images for Raspberry Pi?</h2>
-<div class="outline-text-2" id="text-org0fe5706">
+<div id="outline-container-org250c12d" class="outline-2">
+<h2 id="org250c12d">Why not support building images for Raspberry Pi?</h2>
+<div class="outline-text-2" id="text-org250c12d">
 <p>
 The FreedomBox project supports Raspberry Pi builds, and the image build system for Freedombone is based on the same system. However, although the Raspberry Pi can run a version of Debian it requires a closed proprietary blob in order to boot the hardware. Who knows what that blob might contain or what exploits it could facilitate. From an adversarial point of view if you were trying to deliver "bulk equipment interference" then it doesn't get any better than piggybacking on something which has control of the boot process, and hence all subsequently run processes.
 </p>
 </p>
 </div>
 </div>
-<div id="outline-container-orgf565b16" class="outline-2">
-<h2 id="orgf565b16">Why use Tor? I've heard it's used by bad people</h2>
-<div class="outline-text-2" id="text-orgf565b16">
+<div id="outline-container-orgd5c1184" class="outline-2">
+<h2 id="orgd5c1184">Why use Tor? I've heard it's used by bad people</h2>
+<div class="outline-text-2" id="text-orgd5c1184">
 <p>
 Years ago Tor was usually depicted in the mainstream media as something scary inhabited by cyberterrorists and other bad cybers, but today to a large extent Tor is accepted as just another way of routing data in a network. Depending upon where you live there may still be some amount of fearmongering about Tor, but it now seems clear that the trajectory is towards general acceptance.
 </p>
 </p>
 </div>
 </div>
-<div id="outline-container-orgac61490" class="outline-2">
-<h2 id="orgac61490">How is Tor integrated with Freedombone?</h2>
-<div class="outline-text-2" id="text-orgac61490">
+<div id="outline-container-org9591a28" class="outline-2">
+<h2 id="org9591a28">How is Tor integrated with Freedombone?</h2>
+<div class="outline-text-2" id="text-org9591a28">
 <p>
 Within this project Tor is used more to provide <i>accessibility</i> than the <i>anonymity</i> factor for which Tor is better known. The onion address system provides a way of being able to access sites even if you don't own a conventional domain name or don't have administrator access to your local internet router to be able to do port forwarding.
 </p>
 </p>
 </div>
 </div>
-<div id="outline-container-orgbe35250" class="outline-2">
-<h2 id="orgbe35250">Can I add a clearnet domain to an onion build?</h2>
-<div class="outline-text-2" id="text-orgbe35250">
+<div id="outline-container-orgda2b251" class="outline-2">
+<h2 id="orgda2b251">Can I add a clearnet domain to an onion build?</h2>
+<div class="outline-text-2" id="text-orgda2b251">
 <p>
 You could if you manually edited the relevant nginx configuration files and installed some dynamic DNS system yourself. If you already have sysadmin knowledge then that's probably not too hard. But the builds created with the <b>onion-addresses-only</b> option aren't really intended to support access via clearnet domains.
 </p>
 </div>
 </div>
-<div id="outline-container-org1ea193b" class="outline-2">
-<h2 id="org1ea193b">Why use Github?</h2>
-<div class="outline-text-2" id="text-org1ea193b">
+<div id="outline-container-org2fcade7" class="outline-2">
+<h2 id="org2fcade7">Why use Github?</h2>
+<div class="outline-text-2" id="text-org2fcade7">
 <p>
 Github is paradoxically a centralized, closed and proprietary system which happens to mostly host free and open source projects. Up until now it has been relatively benign, but at some point in the name of "growth" it will likely start becoming more evil, or just become like SourceForge - which was also once much loved by FOSS developers, but turned into a den of malvertizing.
 </p>
 </p>
 </div>
 </div>
-<div id="outline-container-org7057def" class="outline-2">
-<h2 id="org7057def">Keys and emails should not be stored on servers. Why do you do that?</h2>
-<div class="outline-text-2" id="text-org7057def">
+<div id="outline-container-orgc5b7d76" class="outline-2">
+<h2 id="orgc5b7d76">Should I upload my GPG keys to keybase.io?</h2>
+<div class="outline-text-2" id="text-orgc5b7d76">
+<p>
+It's not recommended unless there exists some compelling reason for you to be on there. That site asks users to upload the <b>private keys</b>, and even if the keys are client side encrypted with a passphrase there's always the chance that there will be a data leak in future and letter agencies will then have a full time opportunity to crack the passphrases.
+</p>
+
+<p>
+Saying something resembling <i>"only noobs will use crackable private key passphrases"</i> isn't good enough. A passphrase should not be considered to be a substitute for a private key.
+</p>
+</div>
+</div>
+<div id="outline-container-org1b54432" class="outline-2">
+<h2 id="org1b54432">Keys and emails should not be stored on servers. Why do you do that?</h2>
+<div class="outline-text-2" id="text-org1b54432">
 <p>
 Ordinarily this is good advice. However, the threat model for a device in your home is different from the one for a generic server in a massive warehouse. Compare and contrast:
 </p>
 </div>
 </div>
 
-<div id="outline-container-orge669711" class="outline-2">
-<h2 id="orge669711">Why can't I access my .onion site with a Tor browser?</h2>
-<div class="outline-text-2" id="text-orge669711">
+<div id="outline-container-orgd51af85" class="outline-2">
+<h2 id="orgd51af85">Why can't I access my .onion site with a Tor browser?</h2>
+<div class="outline-text-2" id="text-orgd51af85">
 <p>
 Probably you need to add the site to the NoScript whitelist. Typically click/press on the noscript icon (or select from the menu on mobile) then select <i>whitelist</i> and add the site URL. You may also need to disable HTTPS Everywhere when using onion addresses, which don't use https.
 </p>
 </p>
 </div>
 </div>
-<div id="outline-container-orgdb3b7a6" class="outline-2">
-<h2 id="orgdb3b7a6">What is the best hardware to run this system on?</h2>
-<div class="outline-text-2" id="text-orgdb3b7a6">
+<div id="outline-container-org4585a4a" class="outline-2">
+<h2 id="org4585a4a">What is the best hardware to run this system on?</h2>
+<div class="outline-text-2" id="text-org4585a4a">
 <p>
 It was originally designed to run on the Beaglebone Black, but that should be regarded as the most minimal system, because it's single core and has by today's standards a small amount of memory. Obviously the more powerful the hardware is the faster things like web pages (blog, social networking, etc) will be served but the more electricity such a system will require if you're running it 24/7. A good compromise between performance and energy consumption is something like an old netbook. The battery of an old netbook or laptop even gives you <a href="https://en.wikipedia.org/wiki/Uninterruptible_power_supply">UPS capability</a> to keep the system going during brief power outages or cable re-arrangements, and that means using full disk encryption on the server also becomes more practical.
 </p>
 </p>
 </div>
 </div>
-<div id="outline-container-orgf1c38a0" class="outline-2">
-<h2 id="orgf1c38a0">Can I add more users to the system?</h2>
-<div class="outline-text-2" id="text-orgf1c38a0">
+<div id="outline-container-org12ce8ec" class="outline-2">
+<h2 id="org12ce8ec">Can I add more users to the system?</h2>
+<div class="outline-text-2" id="text-org12ce8ec">
 <p>
 Yes. Freedombone can support a small number of users, for a "<i>friends and family</i>" type of home installation. This gives them access to an email account, XMPP, SIP phone and the blog (depending on whether the variant which you installed includes those).
 </p>
 </p>
 </div>
 </div>
-<div id="outline-container-orgd32f191" class="outline-2">
-<h2 id="orgd32f191">Why not use Signal for mobile chat?</h2>
-<div class="outline-text-2" id="text-orgd32f191">
+<div id="outline-container-org6e6f0bd" class="outline-2">
+<h2 id="org6e6f0bd">Why not use Signal for mobile chat?</h2>
+<div class="outline-text-2" id="text-org6e6f0bd">
 <p>
 Celebrities recommend Signal. It's Free Software so it must be good, right?
 </p>
 </p>
 </div>
 </div>
-<div id="outline-container-org16a21bb" class="outline-2">
-<h2 id="org16a21bb">What is the most secure chat app to use on mobile?</h2>
-<div class="outline-text-2" id="text-org16a21bb">
+<div id="outline-container-orgb8a6086" class="outline-2">
+<h2 id="orgb8a6086">What is the most secure chat app to use on mobile?</h2>
+<div class="outline-text-2" id="text-orgb8a6086">
 <p>
 On mobile there are various options. The apps which are likely to be most secure are ones which have end-to-end encryption enabled by default and which can also be onion routed via Orbot. End-to-end encryption secures the content of the message and onion routing obscures the metadata, making it hard for a passive adversary to know who is communicating with who.
 </p>
 </p>
 
 <p>
-There are many <a href="#orgd32f191">other fashionable chat apps</a> with end-to-end security, but often they are closed source, have a single central server or can't be onion routed. It's also important to remember that closed source chat apps should be assumed to be untrustworthy, since their security cannot be independently verified.
+There are many <a href="#org6e6f0bd">other fashionable chat apps</a> with end-to-end security, but often they are closed source, have a single central server or can't be onion routed. It's also important to remember that closed source chat apps should be assumed to be untrustworthy, since their security cannot be independently verified.
 </p>
 </div>
 </div>
-<div id="outline-container-org279eac7" class="outline-2">
-<h2 id="org279eac7">How do I remove a user from the system?</h2>
-<div class="outline-text-2" id="text-org279eac7">
+<div id="outline-container-orgd46fade" class="outline-2">
+<h2 id="orgd46fade">How do I remove a user from the system?</h2>
+<div class="outline-text-2" id="text-orgd46fade">
 <p>
 To remove a user:
 </p>
 </p>
 </div>
 </div>
-<div id="outline-container-org12ac09e" class="outline-2">
-<h2 id="org12ac09e">Why is logging for web sites turned off by default?</h2>
-<div class="outline-text-2" id="text-org12ac09e">
+<div id="outline-container-org7fc4d88" class="outline-2">
+<h2 id="org7fc4d88">Why is logging for web sites turned off by default?</h2>
+<div class="outline-text-2" id="text-org7fc4d88">
 <p>
 If you're making profits out of the logs by running large server warehouses and then data mining what users click on - as is the business model of well known internet companies - then logging everything makes total sense. However, if you're running a home server then logging really only makes sense if you're trying to diagnose some specific problem with the system, and outside of that context logging everything becomes more of a liability than an asset.
 </p>
 </p>
 </div>
 </div>
-<div id="outline-container-org5e9d3c7" class="outline-2">
-<h2 id="org5e9d3c7">How do I reset the tripwire?</h2>
-<div class="outline-text-2" id="text-org5e9d3c7">
+<div id="outline-container-orge1a3788" class="outline-2">
+<h2 id="orge1a3788">How do I reset the tripwire?</h2>
+<div class="outline-text-2" id="text-orge1a3788">
 <p>
 The tripwire will be automatically reset once per week. If you want to reset it earlier then do the following:
 </p>
 </p>
 </div>
 </div>
-<div id="outline-container-org0613054" class="outline-2">
-<h2 id="org0613054">Is metadata protected?</h2>
-<div class="outline-text-2" id="text-org0613054">
+<div id="outline-container-org572f545" class="outline-2">
+<h2 id="org572f545">Is metadata protected?</h2>
+<div class="outline-text-2" id="text-org572f545">
 <blockquote>
 <p>
 "<i>We kill people based on metadata</i>"
 </p>
 </div>
 </div>
-<div id="outline-container-orgdf75721" class="outline-2">
-<h2 id="orgdf75721">How do I create email processing rules?</h2>
-<div class="outline-text-2" id="text-orgdf75721">
+<div id="outline-container-org733a91b" class="outline-2">
+<h2 id="org733a91b">How do I create email processing rules?</h2>
+<div class="outline-text-2" id="text-org733a91b">
 <div class="org-src-container">
 <pre class="src src-bash">ssh username@domainname -p 2222
 </pre>
 </p>
 </div>
 </div>
-<div id="outline-container-org5b21211" class="outline-2">
-<h2 id="org5b21211">Why isn't dynamic DNS working?</h2>
-<div class="outline-text-2" id="text-org5b21211">
+<div id="outline-container-org78eef24" class="outline-2">
+<h2 id="org78eef24">Why isn't dynamic DNS working?</h2>
+<div class="outline-text-2" id="text-org78eef24">
 <p>
 If you run the command:
 </p>
 </div>
 </div>
 
-<div id="outline-container-org929e4ae" class="outline-2">
-<h2 id="org929e4ae">How do I change my encryption settings?</h2>
-<div class="outline-text-2" id="text-org929e4ae">
+<div id="outline-container-org2c06ab3" class="outline-2">
+<h2 id="org2c06ab3">How do I change my encryption settings?</h2>
+<div class="outline-text-2" id="text-org2c06ab3">
 <p>
 Suppose that some new encryption vulnerability has been announced and that you need to change your encryption settings. Maybe an algorithm thought to be secure is now no longer so and you need to remove it. You can change your settings by doing the following:
 </p>
 </p>
 </div>
 </div>
-<div id="outline-container-org087d147" class="outline-2">
-<h2 id="org087d147">How do I get a domain name?</h2>
-<div class="outline-text-2" id="text-org087d147">
+<div id="outline-container-org5afac46" class="outline-2">
+<h2 id="org5afac46">How do I get a domain name?</h2>
+<div class="outline-text-2" id="text-org5afac46">
 <p>
 Suppose that you have bought a domain name (rather than using a free subdomain on freedns) and you want to use that instead.
 </p>
 </div>
 </div>
 
-<div id="outline-container-org4bb381a" class="outline-2">
-<h2 id="org4bb381a">How do I get a "real" SSL/TLS/HTTPS certificate?</h2>
-<div class="outline-text-2" id="text-org4bb381a">
+<div id="outline-container-org438f36d" class="outline-2">
+<h2 id="org438f36d">How do I get a "real" SSL/TLS/HTTPS certificate?</h2>
+<div class="outline-text-2" id="text-org438f36d">
 <p>
 If you did the full install or selected the social variant then the system will have tried to obtain a Let's Encrypt certificate automatically during the install process. If this failed for any reason, or if you have created a new site which you need a certificate for then do the following:
 </p>
 </p>
 </div>
 </div>
-<div id="outline-container-orgfbd420c" class="outline-2">
-<h2 id="orgfbd420c">How do I renew a Let's Encrypt certificate?</h2>
-<div class="outline-text-2" id="text-orgfbd420c">
+<div id="outline-container-orge32e913" class="outline-2">
+<h2 id="orge32e913">How do I renew a Let's Encrypt certificate?</h2>
+<div class="outline-text-2" id="text-orge32e913">
 <p>
 Normally certificates will be automatically renewed once per month, so you don't need to be concerned about it. If anything goes wrong with the automatic renewal then you should receive a warning email.
 </p>
 </p>
 </div>
 </div>
-<div id="outline-container-orgdaf57b7" class="outline-2">
-<h2 id="orgdaf57b7">I tried to renew a Let's Encrypt certificate and it failed. What should I do?</h2>
-<div class="outline-text-2" id="text-orgdaf57b7">
+<div id="outline-container-org44f909f" class="outline-2">
+<h2 id="org44f909f">I tried to renew a Let's Encrypt certificate and it failed. What should I do?</h2>
+<div class="outline-text-2" id="text-org44f909f">
 <p>
 Most likely it's because Let's Encrypt doesn't support your particular domain or subdomain. Currently free subdomains tend not to work. You'll need to buy a domain name, link it to your dynamic DNS account and then do:
 </p>
 </p>
 </div>
 </div>
-<div id="outline-container-org9fde76d" class="outline-2">
-<h2 id="org9fde76d">Why not use the services of $company instead? They took the Seppuku pledge</h2>
-<div class="outline-text-2" id="text-org9fde76d">
+<div id="outline-container-org27439c3" class="outline-2">
+<h2 id="org27439c3">Why not use the services of $company instead? They took the Seppuku pledge</h2>
+<div class="outline-text-2" id="text-org27439c3">
 <p>
 <a href="https://cryptostorm.org/viewtopic.php?f=63&amp;t=2954&amp;sid=7de2d1e699cfde2f574e6a7f6ea5a173">That pledge</a> is utterly worthless. Years ago people trusted Google in the same sort of way, because they promised not be be evil and because a lot of the engineers working for them seemed like honest types who were "<i>on our side</i>". Post-<a href="https://en.wikipedia.org/wiki/Nymwars">nymwars</a> and post-<a href="https://en.wikipedia.org/wiki/PRISM_(surveillance_program)">PRISM</a> we know exactly how much Google cared about the privacy and security of its users. But Google is only one particular example. In general don't trust pledges made by companies, even if the people running them seem really sincere.
 </p>
 </div>
 </div>
-<div id="outline-container-org71ce92c" class="outline-2">
-<h2 id="org71ce92c">Why does my email keep getting rejected as spam by Gmail/etc?</h2>
-<div class="outline-text-2" id="text-org71ce92c">
+<div id="outline-container-org00d41d3" class="outline-2">
+<h2 id="org00d41d3">Why does my email keep getting rejected as spam by Gmail/etc?</h2>
+<div class="outline-text-2" id="text-org00d41d3">
 <p>
 Welcome to the world of email. Email is really the archetypal decentralized service, developed during the early days of the internet. In principle anyone can run an email server, and that's exactly what you're doing with Freedombone. Email is very useful, but it has a big problem, and that's that the protocols are totally insecure. That made it easy for spammers to do their thing, and in response highly elaborate spam filtering and blocking systems were developed. Chances are that your emails are being blocked in this way. Sometimes the blocking is so indisciminate that entire countries are excluded. What can you do about it? Unless you control the block list at the receiving end you may not be able to do much unless you can find an email proxy server which is trusted by the receiving server.
 </p>
 </p>
 </div>
 </div>
-<div id="outline-container-org1bd542d" class="outline-2">
-<h2 id="org1bd542d">Tor is censored/blocked in my area. What can I do?</h2>
-<div class="outline-text-2" id="text-org1bd542d">
+<div id="outline-container-org7ab9062" class="outline-2">
+<h2 id="org7ab9062">Tor is censored/blocked in my area. What can I do?</h2>
+<div class="outline-text-2" id="text-org7ab9062">
 <p>
 If you can find some details for an obfs4 Tor bridge (its IP address, port number and key or nickname) then you can set up the system to use it to connect to the Tor network. Unlike relay nodes the IP addresses for bridges are not public information and so can't be easily known and added to block lists by authoritarian regimes or over-zealous ISPs.
 </p>
 </div>
 </div>
 
-<div id="outline-container-orgcf6a401" class="outline-2">
-<h2 id="orgcf6a401">I want to block a particular domain from getting its content into my social network sites</h2>
-<div class="outline-text-2" id="text-orgcf6a401">
+<div id="outline-container-org5cd6bab" class="outline-2">
+<h2 id="org5cd6bab">I want to block a particular domain from getting its content into my social network sites</h2>
+<div class="outline-text-2" id="text-org5cd6bab">
 <p>
 If you're being pestered by some domain which contains bad/illegal/harrassing content or irritating users you can block domains at the firewall level. Go to the administrator control panel and select <i>domain blocking</i>. You can then block, unblock and view the list of blocked domains.
 </p>
 </div>
 </div>
 
-<div id="outline-container-org39004fe" class="outline-2">
-<h2 id="org39004fe">The mesh system doesn't boot from USB drive</h2>
-<div class="outline-text-2" id="text-org39004fe">
+<div id="outline-container-orgafedf35" class="outline-2">
+<h2 id="orgafedf35">The mesh system doesn't boot from USB drive</h2>
+<div class="outline-text-2" id="text-orgafedf35">
 <p>
 If the system doesn't boot and reports an error which includes <b>/dev/mapper/loop0p1</b> then reboot with <b>Ctrl-Alt-Del</b> and when you see the grub menu press <b>e</b> and manually change <b>/dev/mapper/loop0p1</b> to <b>/dev/sdb1</b>, then press <b>Ctrl-x</b>. If that doesn't work then reboot and try <b>/dev/sdc1</b> instead.
 </p>

website/EN/mesh.html

 "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
 <html xmlns="http://www.w3.org/1999/xhtml" lang="en" xml:lang="en">
 <head>
-<!-- 2017-12-29 Fri 22:58 -->
+<!-- 2018-01-15 Mon 20:17 -->
 <meta http-equiv="Content-Type" content="text/html;charset=utf-8" />
 <meta name="viewport" content="width=device-width, initial-scale=1" />
 <title>&lrm;</title>
 Systems only need to be within wifi range of each other for the mesh to be created, so it can be an very convenient way to create a local communications network.
 </p>
 
+<p>
+Like <a href="https://libremesh.org">LibreMesh</a>, this system uses a combination of <a href="https://en.wikipedia.org/wiki/B.A.T.M.A.N.">batman-adv</a> on network layer 2 and <a href="http://bmx6.net">BMX</a> on layer 3.
+</p>
+
 <div class="org-center">
 <p>
 This site can also be accessed via a Tor browser at <a href="http://pazyv7nkllp76hqr.onion">http://pazyv7nkllp76hqr.onion</a>