diff --git a/doc/freedombox-manual.xml b/doc/freedombox-manual.xml
index 82838724e..7be1635a9 100644
--- a/doc/freedombox-manual.xml
+++ b/doc/freedombox-manual.xml
@@ -660,21 +660,42 @@ sub 2048R/2A624357 2015-12-22
- Deluge
-
- What is Deluge?
- Your FreedomBox provides a Deluge application to enable. Deluge is a lightweight Bit Torrent client. Bit Torrent is a communications protocol using peer-to-peer (P2P) file sharing. P2P is a system that aims to interconnect end-user machines. Highly configurable, Deluge offers functionalities in the form of plugins.
-
-
-
- Transmission
+ Bit Torrent (Transmission)
What is Transmission ?
In addition to Deluge Bit Torrent, your FreedomBox provides a Transmission application to enable. Transmission is a lightweight Bit Torrent client allowing end-user machine to share files (documents, pictures, sounds, videos and programs). Transmission is well known for its simplicity and a default configuration that "Just Works".
- Shaarli
+ Bit Torrent (Deluge)
+
+ What is Deluge?
+ Your FreedomBox provides a Deluge application to enable. Deluge is a lightweight Bit Torrent client. Bit Torrent is a communications protocol using peer-to-peer (P2P) file sharing. P2P is a system that aims to interconnect end-user machines. Highly configurable, Deluge offers functionalities in the form of plugins.
+
+
+
+ Block Sandbox (Minetest)
+ Minetest is a multiplayer infinite-world block sandbox. This module enables the Minetest server to be run on this FreedomBox, on the default port (30000). To connect to the server, a Minetest client is needed.
+
+
+ GnuSocial
+
+
+ GnuSocial is currently not available
+
+ GnuSocial is currently not available in the FreedomBox
+
+
+ What is GNU social?
+ GNU social is a continuation of the StatusNet project. It is social communication software for both public and private communications. It is widely supported and has a large userbase. It is already used by the Free Software Foundation, and Richard Stallman himself. Think of GNU Social as twitter and beyond.
+
+
+ Status of package
+ GNU Social is still getting packaged for debian and will be available soon for everyone to use. check the progress by tracking the bug #782812.
+
+
+
+ Bookmarks (Shaarli)
Currently not functional
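Review bot: The context paragraph under "What is Transmission ?" still opens with "In addition to Deluge Bit Torrent", but after this reordering the Transmission section comes before "Bit Torrent (Deluge)", so the reader meets that reference before Deluge has been introduced; reword it to stand alone or to point forward. In the new GnuSocial section the availability notice appears twice in a row ("GnuSocial is currently not available" and "GnuSocial is currently not available in the FreedomBox"); keep one. The project name is also spelled three ways there (GnuSocial, GNU social, GNU Social), and "debian" and the sentence-initial "check" should be capitalized.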
@@ -686,6 +707,199 @@ sub 2048R/2A624357 2015-12-22
Shaarli is personal (single-user) bookmarking application to install on your FreedomBox. It can also be used for micro-blogging, pastebin, online notepad and snippet archive. Shaarli is designed as a no-database delicious clone. As such, it provides very fast services, easy backup and import/export links as desktop or mobile browser bookmarks. Links stored can be public or private. Shaarli delivers ATOM and RSS feeds from its minimalist interface.
+
+ Calendar and Addressbook (Radicale)
+ With Radicale you can synchronize your personal Calendars, ToDo-Lists and Addressbooks with your various computers, tables, smartphones etc. and share them with friends without letting third parties know your personal Schedule or Contacts.
+
+ Why running Radicale?
+ Using Radicale, you can get rid of centralized services like Google Calendar or Apple Calendar (iCloud) mining your events and social connections.
+
+
+ How to setup Radicale?
+ First, the Radicale server needs to be activated on your box.
+
+
+ Within Plinth
+
+
+ select Applications
+
+
+ go to Calendar and Addressbook (Radicale) and
+
+
+ install the application. After the installation is complete, make sure the application is marked "enabled" in the FreedomBox interface. Enabling the application launches the Radicale server CalDAV.
+
+
+ define the access rights:
+
+
+ Only the owner of a calendar/addressbook can view or make changes
+
+
+ Any user can view any calendar/addressbook, but only the owner can make changes
+
+
+ Any user can view or make changes to any calendar/addressbook
+
+
+
+
+
+
+ Note, that only users with a FreedomBox login can access Radicale.
+
+
+
+
+
+
+ Radicale-Plinth.png
+
+
+
+ If you want to share a calendar with only some users, the simplest approach is to create an additional user-name for these users and to share that user-name and password with them.
+ Radicale does not have a user interface. An external supported client application is needed.
+ Now open your client application to create new calendar and address books that will use your FreedomBox and Radicale server. The Radicale website provides tutorials to setup a large selection of clients. Below are the steps for two examples:
+
+
+ Example of setup with Evolution client:
+
+
+ Calendar
+
+
+ Create a new calendar
+
+
+ For "Type," select "CalDAV"
+
+
+ When "CalDAV" is selected, additional options will appear in the dialogue window.
+
+
+ URL: https://IP address or domain for your server/radicale/user/contact file name.ics/. Items in italics need to be changed to match your settings.
+
+
+ note the trailing / in the path, it is important.
+
+
+
+
+ Select/check "Use a secure connection."
+
+
+ Name the calendar
+
+
+
+
+
+
+ Radicale-Evolution-Docu.png
+
+
+
+
+
+
+
+ TODO/Tasks list: Adding a TODO/Tasks list is basically the same as a calendar.
+
+
+ Contacts
+
+
+ Follow the same steps described above and replace CalDAV with WebDAV. The extension of the address book will be .vcf.
+
+
+
+
+
+
+ Android
+
+
+ There are various Apps that allow the integration of the *radicale* server. This example uses DAVdroid, which is available e.g. on F-Droid.
+
+
+ If you intend to use ToDo-Lists as well, the compatible app OpenTasks has to be installed first.
+
+
+ Install DAVdroid
+
+
+ Create an accound DAVdroid with the same settings as described for Evolution
+
+
+ Click the newly created account and synchronize.
+
+
+ The settings, such as periodicity of synchronizsation, can be adjusted.
+
+
+ A contact or calendar file, that was created before appears.
+
+
+ Enable it.
+
+
+ It may take some minutes before e.g. the calendar is visible in your calendar app.
+
+
+
+
+
+
+ Advanced Users
+
+ Sharing ressources
+ Above was shown an easy way to create a resource for a group of people by creating a dedicated account for all. Here will be described an alternative method where two users User1 and User2 are granted access to a calendar. This requires SSH-access to the FreedomBox.
+
+
+ create a file /etc/radicale/rights
+
+
+ [friends_calendar]
+user: ^(User1|User2)$
+collection: ^.*/calendar_of_my_friends.ics$
+permission: rw
+
+# Give write access to owners
+[owner-write]
+user: .+
+collection: ^%(login)s/.+$
+permission: rw
+
+
+ [friends_calendar] is just an identifier, can be any name.
+
+
+ The [owner-write] section makes sure that owners have access to their own files
+
+
+
+
+ edit file /etc/radicale/config and make the following changes in section [rights)
+
+
+ [rights]
+type = from_file
+file = /etc/radicale/rights
+
+
+
+
+ Restart the radicale server or the FreedbomBox
+
+
+
+
+ Importing files
+ If you are using a contacts file exported from another service or application, it should be copied to: /var/lib/radicale/collections/user/contact file name.vcf.
+
+
+
Chat Server (XMPP)
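Review bot: In the sample /etc/radicale/rights file, the [friends_calendar] rule is broader than the prose around it says: "collection: ^.*/calendar_of_my_friends.ics$" matches a collection of that name under any owner, and the unescaped "." before "ics" matches any character, so User1 and User2 get rw on every matching path rather than on one calendar. Anchor the pattern to the owning user and escape the dot, for example ^owner/calendar_of_my_friends\.ics$ with owner replaced by the real login. The text moved here also keeps its old typos, which this is a good moment to fix: "section [rights)" has a mismatched bracket, and "FreedbomBox", "ressources", "accound", "synchronizsation" and "tables" (for tablets) are misspelled. The paragraph that recommends a shared user-name and password for group calendars should also point to the per-user rights method under "Advanced Users" as the alternative that avoids shared credentials.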
@@ -694,9 +908,9 @@ sub 2048R/2A624357 2015-12-22
Setting the Domain Name
- For XMPP to work, your FreedomBox needs to have a Domain Name that can be accessed over the public Internet. You can read more about obtaining a Domain Name in the Dynamic DNS section of this manual.
- Once you have a Domain Name, you can tell your FreedomBox to use it by setting the Domain Name in the System Config.
- Please note that Pagekite does not support the XMPP protocol at this time.
+ For XMPP to work, your FreedomBox needs to have a Domain Name that can be accessed over the public Internet. You can read more about obtaining a Domain Name in the Dynamic DNS section of this manual.
+ Once you have a Domain Name, you can tell your FreedomBox to use it by setting the Domain Name in the System Configuration.
+ Please note that Pagekite does not support the XMPP protocol at this time.
Registering XMPP users through SSO
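Review bot: The rewritten first line still sends readers to "the Dynamic DNS section of this manual", while the next hunk deletes the Dynamic DNS section from this chapter; confirm that the section is re-added elsewhere in the patch and that the cross-reference resolves to its new location. Since the third line is being touched anyway, "Pagekite" should match the "PageKite" spelling used in that application's own section.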
@@ -704,135 +918,129 @@ sub 2048R/2A624357 2015-12-22
- Dynamic DNS
-
- What is Dynamic DNS?
- In order to reach a server on the Internet, the server needs to have permanent address also know as the static IP address. Many Internet service providers don't provide home users with a static IP address or they charge more providing a static IP address. Instead they provide the home user with an IP address that changes every time the user connects to the Internet. Clients wishing to contact the server will have difficulty reaching the server.
- Dynamic DNS service providers assist in working around a problem. First they provide you with a domain name, such as 'myhost.example.org'. Then they associate your IP address, whenever it changes, with this domain name. Then anyone intending to reach the server will be to contact the server using the domain name 'myhost.example.org' which always points to the latest IP address of the server.
- For this to work, every time you connect to the Internet, you will have to tell your Dynamic DNS provider what your current IP address is. Hence you need special software on your server to perform this operation. The Dynamic DNS function in FreedomBox will allow users without a static public IP address to push the current public IP address to a Dynamic DNS Server. This allows you to expose services on FreedomBox, such as ownCloud, to the Internet.
-
-
- GnuDIP vs. Update URL
- There are two main mechanism to notify the Dynamic DNS server of your new IP address; using the GnuDIP protocol and using the Update URL mechanism.
- If a service provided using update URL is not properly secured using HTTPS, your credentials may be visible to an adversary. Once an adversary gains your credentials, they will be able to replay your request your server and hijack your domain.
- On the other hand, the GnuDIP protocol will only transport a salted MD5 value of your password, in a way that is secure against replay attacks.
-
-
- Using the GnuDIP protocol
-
-
- Register an account with any Dynamic DNS service provider. A free service provided by the FreedomBox community is available at .
-
-
- In FreedomBox UI, enable the Dynamic DNS Service.
-
-
- Select GnuDIP as Service type, enter your Dynamic DNS service provider address (for example, gnudip.datasystems24.net) into GnuDIP Server Address field.
-
-
- Fill Domain Name, Username, Password information given by your provider into the corresponding fields.
-
-
-
-
- Using an Update URL
- This feature is implemented because the most popular Dynamic DNS providers are using Update URLs mechanism.
-
-
- Register an account with a Dynamic DNS service provider providing their service using Update URL mechanism. Some example providers are listed in the configuration page itself.
-
-
- In FreedomBox UI, enable the Dynamic DNS service.
-
-
- Select other Update URL as Service type, enter the update URL given by your provider into Update URL field.
-
-
- If you browse the update URL with your Internet browser and a warning message about untrusted certificate appears, then enable accept all SSL certificates. WARNING: your credentials may be readable here because man-in-the-middle attacks are possible! Consider choosing a better service provider instead.
-
-
- If you browse the update URL with your Internet browser and the username/password box appears, enable use HTTP basic authentication checkbox and provide the Username and Password.
-
-
- If the update URL contains your current IP address, replace the IP address with the string <Ip>.
-
-
-
-
- Checking If It Works
-
-
- Make sure that external services you have enabled such as /jwchat, /roundcube and /ikiwiki are available on your domain address.
-
-
- Go to the Status page, make sure that the NAT type is detected correctly. If your FreedomBox is behind a NAT device, this should be detected over there (Text: Behind NAT). If your FreedomBox has a public IP address assigned, the text should be "Direct connection to the Internet".
-
-
- Check that the last update status is not failed.
-
-
-
-
- Recap: How to create a DNS name with GnuDIP
-
- to delete or to replace the old text
-
-
-
- Access to GnuIP login page (answer Yes to all pop ups)
-
-
- Click on "Self Register"
-
-
- Fill the registration form (Username and domain will form the public IP address [username.domain])
-
-
- Take note of the username/hostname and password that will be used on the FreedomBox app.
-
-
- Save and return to the GnuDIP login page to verify your username, domain and password (enter the datas, click login).
-
-
- Login output should display your new domain name along with your current public IP address (this is a unique address provided by your router for all your local devices).
-
-
- Leave the GnuDIP interface and open the Dynamic DNS Client app page in your FreedomBox.
-
-
- Click on "Set Up" in the top menu.
-
-
- Activate Dynamic DNS
-
-
- Choose GnuDIP service.
-
-
- Add server address (gnudip.datasystems24.net)
-
-
- Add your fresh domain name (username.domain, ie [username].freedombox.rocks)
-
-
- Add your fresh username (the one used in your new IP address) and password
-
-
- Add your GnuDIP password
-
-
- Fill the option with (try this url in your browser, you will figure out immediatly)
-
-
-
-
-
- Roundcube
+ Email Client (Roundcube)
What is Roundcube?
RoundCube is a browser-based multilingual email client with an application-like user interface. RoundCube is using the Internet Message Access Protocol (IMAP) to access e-mail on a remote mail server. It supports MIME to send files, and provides particularly address book, folder management, message searching and spell checking.
+
+ IRC Client (Quassel)
+ Quassel is an IRC application that is split into two parts, a "core" and a "client". This allows the core to remain connected to IRC servers, and to continue receiving messages, even when the client is disconnected. FreedomBox can run the Quassel core service keeping you always online and one or more Quassel clients from a desktop or a mobile device can be used to connect and disconnect from it.
+
+ Why running Quassel?
+ Many discussions about FreedomBox are being done on the IRC-Channel irc://irc.debian.org/freedombox. If your FreedomBox is running Quassel, it will collect all discussions while you are away, such as responses to your questions. Remember, the FreedomBox project is a worldwide project with people from nearly every time zone. You use your client to connect to the Quassel core to read and respond whenever you have time and are available.
+
+
+ How to setup Quassel?
+
+
+ Within Plinth
+
+
+ select Applications
+
+
+ go to IRC Client (Quassel) and
+
+
+ install the application and make sure it is enabled
+
+
+
+
+
+
+ Quassel_Installation.png
+
+
+
+
+
+ now your Quassel core is running
+
+
+
+
+ Configure in your router port forwarding for port 4242
+
+
+ on my device, this setting can be found in the section Network > NAT & Port rules > Port Forwarding
+
+
+
+
+
+
+ Quassel_PortForwarding.png
+
+
+
+
+
+
+
+
+
+ Clients
+ Clients to connect to Quassel from your desktop and mobile devices are available.
+ In a Debian system, you can e.g. use quassel-client
+
+
+ With the first start you create a user-ID you want to use in your IRC channel
+
+
+ Configure the network connection, e.g. server irc.debian.org/freedombox
+
+
+ Communication takes place in a channel, e.g. freedombox
+
+
+ Add a core
+
+
+ Chose an account name
+
+
+ Computer name is the DNS name to access your FreedomBox
+
+
+ Port: 4242
+
+
+ User and password
+
+
+
+
+ For Android devices you may use e.g. Quasseldroid from F-Droid
+
+
+ enter core, username etc. as above
+
+
+
+
+
+
+
+
+ Quasseldroid.png
+
+
+
+
+
+
+
+ By the way, the German verb quasseln means talking a lot, to jabber.
+
+
+
+ News Feed Reader (Tiny Tiny RSS)
+ Tiny Tiny RSS is a news feed (RSS/Atom) reader and aggregator, designed to allow reading news from any location, while feeling as close to a real desktop application as possible.
+ When enabled, Tiny Tiny RSS will be available from /tt-rss path on the web server.
+
ownCloud
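Review bot: The Quassel step "Configure in your router port forwarding for port 4242" exposes the core to the Internet, yet nothing in the new text says how that connection is protected; add a sentence on choosing a strong core password and on whether the client-to-core link is encrypted, and say that the forward is only needed when connecting from outside the local network. The sub-item "on my device, this setting can be found in ..." is first person in a manual and describes one router only; reword it generically. In the client steps, "server irc.debian.org/freedombox" mixes the server name with the channel that the next item gives separately, and "Chose" should be "Choose". The Dynamic DNS text removed at the top of this hunk carried the warnings about Update URLs not secured with HTTPS and about "accept all SSL certificates"; make sure they survive wherever the section is moved.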
@@ -874,60 +1082,81 @@ sub 2048R/2A624357 2015-12-22
- PageKite
+ SIP Server (repro)
- What is PageKite?
- PageKite makes local websites and services publicly accessible immediately without creating yourself a public IP address. PageKite provides "Kites" and "Services". Kites aims to make accessible in a second a web page (for instance foo.pagekite.me). Services can expose a file or a folder. Technically speaking, PageKite is free Software solution for tunneling HTTP, HTTPS and SSH servers through firewalls and NAT.
-
-
- Use PageKite
- See PageKite website.
+ How to set up the SIP server
+
+
+ Configure the domain at /repro/domains.html on the FreedomBox.
+
+
+ Add users at /repro/addUser.html.
+
+
+ Disable and re-enable the repro application in Plinth.
+
+
- Secure Shell
+ Virtual Private Network (OpenVPN)
- What is Secure Shell?
- FreedomBox runs openssh-server server by default allowing remote logins from all interfaces. If your hardware device is connected to a monitor and a keyboard, you may login directly as well. Regular operation of FreedomBox does not require you to use the shell. However, some tasks or identifying a problem may require you to login to a shell.
+ What is OpenVPN?
+ OpenVPN provides to your FreedomBox a virtual private network service. You can use this software for remote access, site-to-site VPNs and Wi-Fi security. OpenVPN includes support for dynamic IP addresses and NAT.
- Default User Account
- The pre-built FreedomBox images have a default user account called "fbx". However the password is not set for this account, so it will not be possible to log in with this account by default.
- There is a script included in the freedom-maker program, that will allow you to set the password for this account, if it is needed. To set a password for the "fbx" user:
- 1. Decompress the image file.
- 2. Get a copy of freedom-maker from .
- 3. Run sudo ./bin/passwd-in-image <image-file> fbx.
- 4. Copy the image file to SD card and boot device as normal.
- The "fbx" user also has superuser privileges via sudo.
+ Setting up
+
+
+ In Plinth install Virtual Private Network (OpenVPN)
+
+
+
+
+
+
+ plinth_openvpn.png
+
+
+
+
+
+ Wait for the installation to finish. This could take a while.
+
+
+ Once the installation of the OpenVPN server is done you can download your profile. This will download a file called <USER>.ovpn, where <USER> is the name of a freedombox user. Each freedombox user will be able to download a different profile.
+
+
+ The ovpn file contains all the information a vpn client needs to connect to the server.
+
+
+ If you are behind a modem, you may have to change the ip address (if not, you can skip this step). Open the ovpn file in any text editor. The second line shows the IP address or hostname the client will try to connect to. This should be your WAN IP address or your hostname. This line also contains the port number, 1194 being the default. You may have to open this port on your modem and enable port forwarding.
+
+
+ client
+remote mybox.sds-ip.de 1194
+proto udp
+
+
+ Install an OpenVPN client for your system
+
+
+ Open the ovpn file with the OpenVPN client.
+
+
+ Try to ping the freedombox or other devices on the local network.
+
+
- Logging In
- To login via SSH, to your FreedomBox:
- $ ssh fbx@freedombox
- Replace fbx with the name of the user you wish to login as. freedombox should be replaced with the hostname or IP address of you FreedomBox device as found in the Quick Start process.
- fbx is the default user present on FreedomBox with superuser privileges. Any other user created using Plinth and belonging to the group admin will be able to login. The root account has no password set and will not be able to login. Access will be denied to all other users.
- fbx and users in admin group will also be able to login on the terminal directly. Other users will be denied access.
- If you repeatedly try to login as a user and fail, you will be blocked from logging in for some time. This is due to libpam-abl package that FreedomBox installs by default. To control this behavior consult libpam-abl documentation.
-
-
- Becoming Superuser
- After logging in, if you want to become the superuser for performing administrative activities:
- $ sudo su
- Make a habit of logging in as root only when you need to. If you aren't logged in as root, you can't accidentally break everything.
+ External Links
-
+
-
- Changing Password
- To change the password of a user managed by Plinth, use the change password page. However, the fbx default user is not managed by Plinth and its password cannot be changed in the web interface.
- To change password on the terminal, log in to your FreedomBox as the user whose password you want to change. Then, run the following command:
- $ passwd
- This will ask you for your current password before giving you the opportunity to set a new one.
-
- Mumble
+ Voice Chat (Mumble)
What is Mumble?
Mumble is a voice chat software. Primarily intended for use while gaming, it is suitable for simple talking with high audio quality, noise suppression, encrypted communication, public/private-key authentication by default, and "wizards" to configure your microphone for instance. A user can be marked as a "priority speaker" within a channel.
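Review bot: The new OpenVPN steps say the <USER>.ovpn file "contains all the information a vpn client needs to connect to the server" but never tell the reader to treat it as a credential; add a line saying the profile must be kept private, moved to the client device over a secure channel, and not shared between users, since each user can download their own. The sample line "remote mybox.sds-ip.de 1194" uses what looks like a real host name; a reserved name such as mybox.example.org would be safer and would match the 'myhost.example.org' used in the Dynamic DNS text. "External Links" shows no entries in the added lines; check that the list content was not lost. This hunk also deletes the whole Secure Shell section (default fbx account, who may log in, the libpam-abl lockout, changing passwords); confirm it is reinstated elsewhere in the patch rather than dropped.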
@@ -937,42 +1166,38 @@ sub 2048R/2A624357 2015-12-22
Web Proxy (Privoxy)
A web proxy acts as a filter for incoming and outgoing internet traffic. Thus, you can instruct any computer in your network to pass internet traffic through the proxy to remove unwanted ads and tracking mechanisms.
Privoxy is a software for security, privacy, and accurate control over the web. It provides a much more powerful web proxy (and anonymity on the web) than what your browser can offer. Privoxy "is a proxy that is primarily focused on privacy enhancement, ad and junk elimination and freeing the user from restrictions placed on his activities" (source: Privoxy FAQ).
+
+ Screencast
+ Watch the screencast on how to setup and use Privoxy in FreedomBox.
+
Setting up
- In Plinth install Web Proxy (Privoxy)
-
-
-
-
-
-
-
-
- Privoxy-Installation.png
-
-
-
-
-
+ In Plinth install Web Proxy (Privoxy)
+
+
+
+
+
+
+ Privoxy-Installation.png
+
+
+
Adapt your browser proxy settings to your FreedomBox hostname (or IP address) with port 8118. Please note that Privoxy can only proxy HTTP and HTTPS traffic. It will not work with FTP or other protocols.
-
-
-
-
-
-
-
-
- Privoxy-BrowserSettings.png
-
-
-
-
-
+
+
+
+
+
+
+ Privoxy-BrowserSettings.png
+
+
+
Go to page or . If Privoxy is installed properly, you will be able to configure it in detail; if not you will see an error message.
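Review bot: The new "Screencast" paragraph says "Watch the screencast" but names no file, whereas the line it replaces at the end of the section (removed in the next hunk) named Privoxy_Installation.webm; check that the link target survived the move. "how to setup" should be "how to set up". The remaining changes in this hunk appear to touch only the markup around the two screenshots, with identical text on the removed and added sides; they would be easier to review as a separate formatting-only commit.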
@@ -1008,11 +1233,10 @@ sub 2048R/2A624357 2015-12-22
The Quickstart is a good starting point to read on how to define own blocking and filtering rules.
- Screencast of the setting-up: Privoxy_Installation.webm
- Wiki & Blog (Ikiwiki)
+ Wiki and Blog (Ikiwiki)
What is Ikiwiki?
Ikiwiki converts wiki pages into HTML pages suitable for publishing on a website. It provides particularly blogging, podcasting, calendars and a large selection of plugins.
@@ -1137,309 +1361,183 @@ sub 2048R/2A624357 2015-12-22
Finish the OAuth flow by authenticating with your password and authorizing access, then you should get redirected back to the Unhosted app, and be able to use it. All data of the Unhosted web app is now stored on your FreedomBox.
-
- OpenVPN
-
- What is OpenVPN?
- OpenVPN provides to your FreedomBox a virtual private network service. You can use this software for remote access, site-to-site VPNs and Wi-Fi security. OpenVPN includes support for dynamic IP addresses and NAT.
-
-
-
- GnuSocial
-
- What is GNU social?
- GNU social is a continuation of the StatusNet project. It is social communication software for both public and private communications. It is widely supported and has a large userbase. It is already used by the Free Software Foundation, and Richard Stallman himself. Think of GNU Social as twitter and beyond.
-
-
- Status of package
- GNU Social is still getting packaged for debian and will be available soon for everyone to use. check the progress by tracking the bug #782812.
-
-
-
- Calendar, ToDo-List and Addressbook Server (through radicale)
- With radicale you can synchronize your personal Calendars, ToDo-Lists and Addressbooks with your various computers, tables, smartphones etc. and share them with friends without letting third parties know your personal Schedule or Contacts.
-
- Why running Radicale?
- Using Radicale, you can get rid of centralized services like Google Calendar or Apple Calendar (iCloud) mining your events and social connections.
-
-
- How to setup Radicale?
- First, the Radicale server needs to be activated on your box.
-
-
- Within Plinth
-
-
- select Applications
-
-
- go to Calendar and Addressbook (Radicale) and
-
-
- install the application. After the installation is complete, make sure the application is marked "enabled" in the FreedomBox interface. Enabling the application launches the Radicale server CalDAV. Radicale-Plinth-Docu.png
-
-
-
-
- Radicale can be accessed by any user with a FreedomBox login. However, each user only has access to his data. If you want to share a calendar with friends, the simplest approach is to create an additional user for your friends and to share that user name and password with them.
- Radicale does not have a user interface. An external supported client application is needed.
- Now open your client application to create new calendar and address books that will use your FreedomBox and Radicale server. The Radicale website provides tutorials to setup a large selection of clients. Below are the steps for two examples:
-
-
- Example of setup with Evolution client:
-
-
- Calendar
-
-
- Create a new calendar
-
-
- For "Type," select "CalDAV"
-
-
- When "CalDAV" is selected, additional options will appear in the dialogue window.
-
-
- URL: https://IP address or domain for your server/radicale/user/contact file name.ics/. Items in italics need to be changed to match your settings.
-
-
- note the trailing / in the path, it is important.
-
-
-
-
- Select/check "Use a secure connection."
-
-
- Name the calendar
-
-
- A ToDo-List is basically the same as a calendar. Radicale-Evolution-Docu.png
-
-
-
-
- Contacts
-
-
- Follow the same steps described above and replace CalDAV with WebDAV. The extension of the address book will be .vcf.
-
-
-
-
-
-
- Android
-
-
- There are various Apps that allow the integration of the *radicale* server. This example uses DAVdroid, which is available e.g. on F-Droid.
-
-
- If you intend to use ToDo-Lists as well, the compatible app OpenTasks has to be installed first.
-
-
- Install DAVdroid
-
-
- Create an accound DAVdroid with the same settings as described for Evolution
-
-
- Click the newly created account and synchronize.
-
-
- The settings, such as periodicity of synchronizsation, can be adjusted.
-
-
- A contact or calendar file, that was created before appears.
-
-
- Enable it.
-
-
- It may take some minutes before e.g. the calendar is visible in your calendar app.
-
-
-
-
-
-
- Experienced Users
-
- Sharing ressources
- Above was shown an easy way to create a ressource for a group of people by creating a dedicated account for all. Here will be described an alternative method where two users User1 and User2 are granted access to a calendar. This requires SSH-access to the FreedomBox.
-
-
- create a file /etc/radicale/rights
-
-
- [friends_calendar]
-user: ^(User1|User2)$
-collection: ^.*/calendar_of_my_friends.ics$
-permission: rw
-
-# Give write access to owners
-[owner-write]
-user: .+
-collection: ^%(login)s/.+$
-permission: rw
-
-
- [friends_calendar] is just an identifier, can be any name.
-
-
- The [owner-write] section makes sure that owners have access to their own files
-
-
-
-
- edit file /etc/radicale/config and make the following changes in section [rights)
-
-
- [rights]
-type = from_file
-file = /etc/radicale/rights
-
-
-
-
- Restart the radicale server or the FreedbomBox
-
-
-
-
- Importing files
- If you are using a contacts file exported from another service or application, it should be copied to: /var/lib/radicale/collections/user/contact file name.vcf.
-
-
-
-
- SIP Server (repro)
-
- How to set up the SIP server
-
-
- Configure the domain at /repro/domains.html on the FreedomBox.
-
-
- Add users at /repro/addUser.html.
-
-
- Disable and re-enable the repro application in Plinth.
-
-
-
-
System
- Networks
- This section describes how networking is setup by default in FreedomBox and how you can customize it. See also the Firewall section for more information on how firewall works.
-
- Default setup
- In a fresh image of FreedomBox, network is not configured at all. When the image is written to an SD card and the device boots, configuration is done. During first boot, FreedomBox setup package detects the networks interfaces and tries to automatically configure them so that FreedomBox is available for further configuration via the web interface from another machine without the need to connect a monitor. Automatic configuration also tries to make FreedomBox useful, out of the box, for the most important scenarios FreedomBox is used for.
- There are two scenarios it handles: when is a single ethernet interface and when there are multiple ethernet interfaces.
-
- Single ethernet interface
- When there is only single ethernet interface available on the hardware device, there is not much scope for it to play the role of a router. In this case, the device is assumed to be just another machine in the network. Accordingly, the only available interface is configured to be an internal interface in automatic configuration mode. This means that it connects to the Internet using the configuration provided by a router in the network and also makes all (internal and external) of its services available to all the clients on this network.
-
-
- Multiple ethernet interface
- When there are multiple ethernet interfaces available on the hardware device, the device can act as a router. The interfaces are then configured to perform this function.
- The first network interface is configured to be an WAN or external interface in automatic configuration mode. This means that it connects to the Internet using network configuration provided by the Internet Service Provider (ISP). Only services that are meant to be provided across the entire Internet (external services) will be exposed on this interface. You must plug your Internet connection into the port of this ethernet interface. If you wish to continue to have your existing router manage the Internet connection for you, then plug a connection from your router to the port on this interface.
- The remaining network interfaces are configured for the clients of a router. They are configured as LAN or internal interfaces in shared configuration mode. This means that all the services (both external and internal) services are provided to who ever connects on this interface. Further, the shared mode means that clients will be able to receive details of automatic network connection on this interface. Specifically, DHCP configuration and DNS servers are provided on this interface. The Internet connection available to the device using the first network interface will be shared with clients using this interface. This all means that you can connect your computers to this network interface and they will get automatically configured and will be able to access the Internet via the FreedomBox.
- Currently, it is not very clear which interface will be come the WAN interface (and the remaining being LAN interfaces) although the assignment process is deterministic. So, it take a bit of trail and error to figure out which one is which. In future, for each device, this will be well documented.
-
-
- Wi-Fi configuration
- All Wi-Fi interfaces are configured to be LAN or internal interfaces in shared configuration mode. They are also configured to become Wi-Fi access points with following details.
-
-
- Name of the access point will be FreedomBox plus the name of the interface (to handle the case where there are multiple of them).
-
-
- Password for connecting to the interface will be freedombox123.
-
-
-
-
-
- Internet Connection Sharing
- Although the primary duty of FreedomBox is to provide decentralized services, it can also act like a home router. Hence, in most cases, FreedomBox connects to the Internet and provides other machines in the network the ability to use that Internet connection. FreedomBox can do this in two ways: using a shared mode connection or using an internal connection.
- When an interface is set in shared mode, you may connect your machine directly to it. This is either by plugging in an ethernet cable from this interface to your machine or by connecting to a Wi-Fi access point. This case is the simplest to use, as FreedomBox automatically provides your machine with the necessary network configuration. Your machine will automatically connect to FreedomBox provided network and will be able to connect to the Internet given that FreedomBox can itself connect to the Internet.
- Sometimes the above setup may not be possible because the hardware device may have only one network interface or for other reasons. Even in this case, your machine can still connect to the Internet via FreedomBox. For this to work, make sure that the network interface that your machine is connecting to is in internal mode. Then, connect your machine to network in which FreedomBox is present. After this, in your machine's network configuration, set FreedomBox's IP address as the gateway. FreedomBox will then accept your network traffic from your machine and send it over to the Internet. This works because network interfaces in internal mode are configured to masquerade packets from local machines to the Internet and receive packets from Internet and forward them back to local machines.
-
-
- Customization
- The above default configuration may not be fit for your setup. You can customize the configuration to suit your needs from the Networks area in the 'setup' section of the FreedomBox web interface.
-
- PPPoE connections
- If your ISP does not provide automatic network configuration via DHCP and requires you to connection via PPPoE. To configure PPPoE, remove any network connection existing on an interface and add a PPPoE connection. Here, optionally, provide the account username and password given by your ISP and activate the connection.
-
-
- Connect to Internet via Wi-Fi
- By default Wi-Fi devices attached during first boot will be configured as access points. They can be configured as regular Wi-Fi devices instead to connection to a local network or an existing Wi-Fi router. To do this, click on the Wi-Fi connection to edit it. Change the mode to Infrastructure instead of Access Point mode and IPv4 Addressing Method to Automatic (DHCP) instead of Shared mode. Then the SSID provided will mean the Wi-Fi network name you wish to connect to and passphrase will be the used to while making the connection.
-
-
- Adding a new network device
- When a new network device is added, network manager will automatically configure it. In most cases this will not work to your liking. Delete the automatic configuration created on the interface and create a new network connection. Select your newly added network interface in the add connection page.
-
-
- Then set firewall zone to internal and external appropriately.
-
-
- You can configure the interface to connect to a network or provide network configuration to whatever machine connects to it.
-
-
- Similarly, if it is a Wi-Fi interface, you can configure it to become a Wi-FI access point or to connect to an existing access points in the network.
-
-
-
-
-
- Manual Network Operation
- FreedomBox automatically configures networks by default and provides a simplified interface to customize the configuration to specific needs. In most cases, manual operation is not necessary. The following steps describe how to manually operate network configuration in the event that a user finds FreedomBox interface to insufficient for task at hand or to diagnose a problem that FreedomBox does not identify.
- On the command line interface:
- To see the list of available network devices:
- nmcli device
- To see the list of configured connections:
- nmcli connection
- To see the current status of a connection:
- nmcli connection show '<conneciton_name>'
- To see the current firewall zone assigned to a network interface:
- nmcli connection show '<conneciton_name>' | grep zone
- or
- firewall-cmd --zone=internal --list=all
-firewall-cmd --zone=external --list=all
- To create a new network connection:
- nmcli con add con-name "<connection_name>" ifname "<interface>" type ethernet
-nmcli con modify "<connection_name>" connection.autoconnect TRUE
-nmcli con modify "<connection_name>" connection.zone internal
- To change the firewall zone for a connection:
- nmcli con modify "<connection_name>" connection.zone "<internal|external>"
- For more information on how to use nmcli command, see its man page. Also for a full list of configuration settings and type of connections accepted by Network Manager see:
-
-
-
- To see the current status of the firewall and manually operate it, see the Firewall section.
-
+ Configure
+ Configure covers a couple of general topics:
+
+
+ Hostname
+ Hostname is the local name by which other devices on the local network can reach your FreedomBox. Default is freedombox.
+
+
+ Domain Name
+ Domain name is the global name by which other devices on the Internet can reach your FreedomBox.
+
+
+ Language Language for the web administration interface Plinth
+
+
- Upgrades
- FreedomBox can automatically install security upgrades. On the Upgrades page of the Settings section in Plinth you can turn on automatic upgrades. For FreedomBox versions above 0.5, this feature is enabled by default and there is no manual action necessary. It is strongly recommended that you have this option enabled to keep your FreedomBox secure.
- Upgrades are performed every day at night. If you wish to shutdown FreedomBox every day after use, keep it running at night once a week or so to let the automatic upgrades happen. Alternatively, you can perform manual upgrades as described below.
+ Date & Time
+ This network time server is a program that maintains the system time in synchronization with servers on the Internet.
+ You can select your time zone by picking a big city nearby (they are sorted by Continent/City) or select directly the zone with respect to GMT (Greenwich Mean Time).
+
+
+ Diagnostics
+ The system diagnostic test will run a number of checks on your system to confirm that applications and services are working as expected.
+ Just click Run Diagnostics. This may take some minutes.
+
+
+ Disks
+ Disks shows free space of mounted partitions.
+ If there is some free space left after the root partition, the option to expand the root partition is also available.
+ In this example, a 32 GB micro-SD card is being used and the entire space is already allocated.
+
+
+
+
+
+
+ Disks.png
+
+
+
+
+
+ Dynamic DNS Client
- Manual Upgrades
- In the Plinth web interface, you can initiate a manual upgrade process from Upgrades page of the Settings section. Note that once the upgrades start, it may take a long time to complete and Plinth may seem to wait for the page to load.
- Under some circumstances, automatic upgrades may fail and require you perform a manual upgrade action. Even upgrades initiated from Plinth may not finish properly. This may be because the upgrade process requires you to make a decision. In these cases, manual upgrade on the terminal may be the only option.
- In addition, while the upgrade task is running any application installations will wait until the upgrade task is finished. Depending on the hardware, the upgrade task may take a little time, therefore, giving the impression that the application installation stalled.
- To perform manual upgrades on the terminal, login into FreedomBox on a terminal or using a remote secure shell (see Secure Shell section). Then run the following commands:
- $ sudo su -
-Password:
-# apt-get update
-# apt-get dist-upgrade
- This will ask you if it is alright to install/upgrade (or remove) some packages and use (or release) some disk space. Say yes after review. In some cases, during the upgrades process you will be asked questions about modified configuration files, answering with a default Keep current configuration is usually safe.
+ What is Dynamic DNS?
+ In order to reach a server on the Internet, the server needs to have permanent address also know as the static IP address. Many Internet service providers don't provide home users with a static IP address or they charge more providing a static IP address. Instead they provide the home user with an IP address that changes every time the user connects to the Internet. Clients wishing to contact the server will have difficulty reaching the server.
+ Dynamic DNS service providers assist in working around a problem. First they provide you with a domain name, such as 'myhost.example.org'. Then they associate your IP address, whenever it changes, with this domain name. Then anyone intending to reach the server will be to contact the server using the domain name 'myhost.example.org' which always points to the latest IP address of the server.
+ For this to work, every time you connect to the Internet, you will have to tell your Dynamic DNS provider what your current IP address is. Hence you need special software on your server to perform this operation. The Dynamic DNS function in FreedomBox will allow users without a static public IP address to push the current public IP address to a Dynamic DNS Server. This allows you to expose services on FreedomBox, such as ownCloud, to the Internet.
+
+
+ GnuDIP vs. Update URL
+ There are two main mechanism to notify the Dynamic DNS server of your new IP address; using the GnuDIP protocol and using the Update URL mechanism.
+ If a service provided using update URL is not properly secured using HTTPS, your credentials may be visible to an adversary. Once an adversary gains your credentials, they will be able to replay your request your server and hijack your domain.
+ On the other hand, the GnuDIP protocol will only transport a salted MD5 value of your password, in a way that is secure against replay attacks.
+
+
+ Using the GnuDIP protocol
+
+
+ Register an account with any Dynamic DNS service provider. A free service provided by the FreedomBox community is available at .
+
+
+ In FreedomBox UI, enable the Dynamic DNS Service.
+
+
+ Select GnuDIP as Service type, enter your Dynamic DNS service provider address (for example, gnudip.datasystems24.net) into GnuDIP Server Address field.
+
+
+
+
+
+
+ DynamicDNS-Settings.png
+
+
+
+
+
+ Fill Domain Name, Username, Password information given by your provider into the corresponding fields.
+
+
+
+
+ Using an Update URL
+ This feature is implemented because the most popular Dynamic DNS providers are using Update URLs mechanism.
+
+
+ Register an account with a Dynamic DNS service provider providing their service using Update URL mechanism. Some example providers are listed in the configuration page itself.
+
+
+ In FreedomBox UI, enable the Dynamic DNS service.
+
+
+ Select other Update URL as Service type, enter the update URL given by your provider into Update URL field.
+
+
+ If you browse the update URL with your Internet browser and a warning message about untrusted certificate appears, then enable accept all SSL certificates. WARNING: your credentials may be readable here because man-in-the-middle attacks are possible! Consider choosing a better service provider instead.
+
+
+ If you browse the update URL with your Internet browser and the username/password box appears, enable use HTTP basic authentication checkbox and provide the Username and Password.
+
+
+ If the update URL contains your current IP address, replace the IP address with the string <Ip>.
+
+
+
+
+ Checking If It Works
+
+
+ Make sure that external services you have enabled such as /jwchat, /roundcube and /ikiwiki are available on your domain address.
+
+
+ Go to the Status page, make sure that the NAT type is detected correctly. If your FreedomBox is behind a NAT device, this should be detected over there (Text: Behind NAT). If your FreedomBox has a public IP address assigned, the text should be "Direct connection to the Internet".
+
+
+ Check that the last update status is not failed.
+
+
+
+
+ Recap: How to create a DNS name with GnuDIP
+
+ to delete or to replace the old text
+
+
+
+ Access to GnuIP login page (answer Yes to all pop ups)
+
+
+ Click on "Self Register"
+
+
+ Fill the registration form (Username and domain will form the public IP address [username.domain])
+
+
+ Take note of the username/hostname and password that will be used on the FreedomBox app.
+
+
+ Save and return to the GnuDIP login page to verify your username, domain and password (enter the datas, click login).
+
+
+ Login output should display your new domain name along with your current public IP address (this is a unique address provided by your router for all your local devices).
+
+
+ Leave the GnuDIP interface and open the Dynamic DNS Client app page in your FreedomBox.
+
+
+ Click on "Set Up" in the top menu.
+
+
+ Activate Dynamic DNS
+
+
+ Choose GnuDIP service.
+
+
+ Add server address (gnudip.datasystems24.net)
+
+
+ Add your fresh domain name (username.domain, ie [username].freedombox.rocks)
+
+
+ Add your fresh username (the one used in your new IP address) and password
+
+
+ Add your GnuDIP password
+
+
+ Fill the option with (try this url in your browser, you will figure out immediatly)
+
+
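Review bot: The added "Recap: How to create a DNS name with GnuDIP" section still contains the editing placeholder "to delete or to replace the old text" and should not be merged in that state; remove the placeholder, and consider folding the recap into "Using the GnuDIP protocol", whose steps it largely repeats. Within the recap, "GnuIP login page" should read GnuDIP. The registration step and the username step describe username.domain as a "public IP address" and "new IP address" where a domain name is meant. "Add your fresh username ... and password" is immediately followed by a separate "Add your GnuDIP password" step, so it is unclear whether these are two different passwords. The final step ("Fill the option with ..."), as it reads here, names neither the option nor the URL. In "GnuDIP vs. Update URL", "replay your request your server" is missing a word. In "Using an Update URL", the step telling the reader to enable "accept all SSL certificates" on a browser certificate warning comes before its own warning that credentials may be readable; put the advice to choose a better provider first and present the checkbox as a last resort.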
@@ -2915,6 +3013,498 @@ firewall-cmd --permanent --zone=internal --add-interface=eth0
+
+ Monkeysphere
+ With Monkeysphere, an OpenPGP key can be generated for each configured domain serving SSH. The OpenPGP public key can then be uploaded to the OpenPGP keyservers. Users connecting to this machine through SSH can verify that they are connecting to the correct host. For users to trust the key, at least one person (usually the machine owner) must sign the key using the regular OpenPGP key signing process. See the Monkeysphere SSH documentation for more details.
+ Monkeysphere can also generate an OpenPGP key for each Secure Web Server (HTTPS) certificate installed on this machine. The OpenPGP public key can then be uploaded to the OpenPGP keyservers. Users accessing the web server through HTTPS can verify that they are connecting to the correct host. To validate the certificate, the user will need to install some software that is available on the Monkeysphere website.
+
+
+ Name Services
+ Name Services provides an overview of the enabled and disabled services for the domain name, tor hidden services and Pagekite.
+
+
+ Networks
+ This section describes how networking is setup by default in FreedomBox and how you can customize it. See also the Firewall section for more information on how firewall works.
+
+ Default setup
+ In a fresh image of FreedomBox, network is not configured at all. When the image is written to an SD card and the device boots, configuration is done. During first boot, FreedomBox setup package detects the networks interfaces and tries to automatically configure them so that FreedomBox is available for further configuration via the web interface from another machine without the need to connect a monitor. Automatic configuration also tries to make FreedomBox useful, out of the box, for the most important scenarios FreedomBox is used for.
+ There are two scenarios it handles: when is a single ethernet interface and when there are multiple ethernet interfaces.
+
+ Single ethernet interface
+ When there is only single ethernet interface available on the hardware device, there is not much scope for it to play the role of a router. In this case, the device is assumed to be just another machine in the network. Accordingly, the only available interface is configured to be an internal interface in automatic configuration mode. This means that it connects to the Internet using the configuration provided by a router in the network and also makes all (internal and external) of its services available to all the clients on this network.
+
+
+ Multiple ethernet interface
+ When there are multiple ethernet interfaces available on the hardware device, the device can act as a router. The interfaces are then configured to perform this function.
+ The first network interface is configured to be an WAN or external interface in automatic configuration mode. This means that it connects to the Internet using network configuration provided by the Internet Service Provider (ISP). Only services that are meant to be provided across the entire Internet (external services) will be exposed on this interface. You must plug your Internet connection into the port of this ethernet interface. If you wish to continue to have your existing router manage the Internet connection for you, then plug a connection from your router to the port on this interface.
+ The remaining network interfaces are configured for the clients of a router. They are configured as LAN or internal interfaces in shared configuration mode. This means that all the services (both external and internal) services are provided to who ever connects on this interface. Further, the shared mode means that clients will be able to receive details of automatic network connection on this interface. Specifically, DHCP configuration and DNS servers are provided on this interface. The Internet connection available to the device using the first network interface will be shared with clients using this interface. This all means that you can connect your computers to this network interface and they will get automatically configured and will be able to access the Internet via the FreedomBox.
+ Currently, it is not very clear which interface will be come the WAN interface (and the remaining being LAN interfaces) although the assignment process is deterministic. So, it take a bit of trail and error to figure out which one is which. In future, for each device, this will be well documented.
+
+
+ Wi-Fi configuration
+ All Wi-Fi interfaces are configured to be LAN or internal interfaces in shared configuration mode. They are also configured to become Wi-Fi access points with following details.
+
+
+ Name of the access point will be FreedomBox plus the name of the interface (to handle the case where there are multiple of them).
+
+
+ Password for connecting to the interface will be freedombox123.
+
+
+
+
+
+ Internet Connection Sharing
+ Although the primary duty of FreedomBox is to provide decentralized services, it can also act like a home router. Hence, in most cases, FreedomBox connects to the Internet and provides other machines in the network the ability to use that Internet connection. FreedomBox can do this in two ways: using a shared mode connection or using an internal connection.
+ When an interface is set in shared mode, you may connect your machine directly to it. This is either by plugging in an ethernet cable from this interface to your machine or by connecting to a Wi-Fi access point. This case is the simplest to use, as FreedomBox automatically provides your machine with the necessary network configuration. Your machine will automatically connect to FreedomBox provided network and will be able to connect to the Internet given that FreedomBox can itself connect to the Internet.
+ Sometimes the above setup may not be possible because the hardware device may have only one network interface or for other reasons. Even in this case, your machine can still connect to the Internet via FreedomBox. For this to work, make sure that the network interface that your machine is connecting to is in internal mode. Then, connect your machine to network in which FreedomBox is present. After this, in your machine's network configuration, set FreedomBox's IP address as the gateway. FreedomBox will then accept your network traffic from your machine and send it over to the Internet. This works because network interfaces in internal mode are configured to masquerade packets from local machines to the Internet and receive packets from Internet and forward them back to local machines.
+
+
+ Customization
+ The above default configuration may not be fit for your setup. You can customize the configuration to suit your needs from the Networks area in the 'setup' section of the FreedomBox web interface.
+
+ PPPoE connections
+ If your ISP does not provide automatic network configuration via DHCP and requires you to connection via PPPoE. To configure PPPoE, remove any network connection existing on an interface and add a PPPoE connection. Here, optionally, provide the account username and password given by your ISP and activate the connection.
+
+
+ Connect to Internet via Wi-Fi
+ By default Wi-Fi devices attached during first boot will be configured as access points. They can be configured as regular Wi-Fi devices instead to connection to a local network or an existing Wi-Fi router. To do this, click on the Wi-Fi connection to edit it. Change the mode to Infrastructure instead of Access Point mode and IPv4 Addressing Method to Automatic (DHCP) instead of Shared mode. Then the SSID provided will mean the Wi-Fi network name you wish to connect to and passphrase will be the used to while making the connection.
+
+
+ Adding a new network device
+ When a new network device is added, network manager will automatically configure it. In most cases this will not work to your liking. Delete the automatic configuration created on the interface and create a new network connection. Select your newly added network interface in the add connection page.
+
+
+ Then set firewall zone to internal and external appropriately.
+
+
+ You can configure the interface to connect to a network or provide network configuration to whatever machine connects to it.
+
+
+ Similarly, if it is a Wi-Fi interface, you can configure it to become a Wi-FI access point or to connect to an existing access points in the network.
+
+
+
+
+ Configuring a mesh network
+ FreedomBox has rudimentary support for participating in BATMAN-Adv based mesh networks. It is possible to either join an existing network in your area or create a new mesh network and share your Internet connection with the rest of the nodes that join the network. Currently, two connections have to be created and activated manually to join or create a mesh network.
+
+ Joining a mesh network
+ To join an existing mesh network in your area, first consult the organizers and get information about the mesh network.
+
+
+ Create a new connection, then select the connection type as Wi-Fi. In the following dialog, provide the following values:
+
+
+
+
+
+
+
+
+
+ Field Name
+
+
+
+
+ Example Value
+
+
+
+
+ Explanation
+
+
+
+
+
+
+ Connection Name
+
+
+
+ Mesh Join - BATMAN
+
+
+ The name must end with 'BATMAN' (uppercase)
+
+
+
+
+
+ Physical Interface
+
+
+
+ wlan0
+
+
+ The Wi-Fi device you wish to use for joining the mesh network
+
+
+
+
+
+ Firewall Zone
+
+
+
+ External
+
+
+ Since you don't wish that participants in mesh network to use internal services of FreedomBox
+
+
+
+
+
+ SSID
+
+
+
+ ch1.freifunk.net
+
+
+ As provided to you by the operators of the mesh network. You should see this as a network in Nearby Wi-Fi Networks
+
+
+
+
+
+ Mode
+
+
+
+ Ad-hoc
+
+
+ Because this is a peer-to-peer network
+
+
+
+
+
+ Frequency Band
+
+
+
+ 2.4Ghz
+
+
+ As provided to you by the operators of the mesh network
+
+
+
+
+
+ Channel
+
+
+
+ 1
+
+
+ As provided to you by the operators of the mesh network
+
+
+
+
+
+ BSSID
+
+
+
+ 12:CA:FF:EE:BA:BE
+
+
+ As provided to you by the operators of the mesh network
+
+
+
+
+
+ Authentication
+
+
+
+ Open
+
+
+ Leave this as open, unless you know your mesh network needs it be otherwise
+
+
+
+
+
+ Passphrase
+
+
+
+
+ Leave empty unless you know your mesh network requires one
+
+
+
+
+
+ IPv4 Addressing Method
+
+
+
+ Disabled
+
+
+ We don't want to request IP configuration information yet
+
+
+
+
+
+ Save the connection. Join the mesh network by activating this newly created connection.
+
+
+ Create a second new connection, then select the connection type as Generic. In the following dialog, provide this following values:
+
+
+
+
+
+
+
+
+
+ Field Name
+
+
+
+
+ Example Value
+
+
+
+
+ Explanation
+
+
+
+
+
+
+ Connection Name
+
+
+
+ Mesh Connect
+
+
+ Any name to identify this connection
+
+
+
+
+
+ Physical Interface
+
+
+
+ bat0
+
+
+ This interface will only show up after you successfully activate the connection in first step
+
+
+
+
+
+ Firewall Zone
+
+
+
+ External
+
+
+ Since you don't wish that participants in mesh network to use internal services of FreedomBox
+
+
+
+
+
+ IPv4 Addressing Method
+
+
+
+ Auto
+
+
+ Mesh networks usually have a DHCP server somewhere that provide your machine with IP configuration. If not, consult the operator and configure IP address setting accordingly with Manual method
+
+
+
+
+
+ Save the connection. Configure your machine for participation in the network by activating this connection. Currently, this connection has to be manually activated every time you need to join the network. In future, FreedomBox will do this automatically. You will now be able reach other nodes in the network. You will also be able to connect to the Internet via the mesh network if there is an Internet connection point somewhere in mesh as setup by the operators.
+
+
+
+
+ Creating a mesh network
+ To create your own mesh network and share your Internet connection with the rest of the nodes in the network:
+
+
+ Follow the instructions as provided above in step 1 of Joining a mesh network but choose and fix upon your own valid values for SSID (a name for you mesh network), Frequency Band (usually 2.4Ghz), Channel (1 to 11 in 2.4Ghz band) and BSSID (a hex value like 12:CA:DE:AD:BE:EF). Create this connection and activate it.
+
+
+ Follow the instructions as provided above in step 2 of Joining a mesh network but select IPv4 Addressing Method as Shared. This will provide automatic IP configuration to other nodes in the network as well as share the Internet connection on your machine (achieved using a second Wi-Fi interface, using Ethernet, etc.) with other nodes in the mesh network.
+
+
+ Spread the word about your mesh network to your neighbors and let them know the parameters you have provided when creating the network. When other nodes connect to this mesh network, they have to follow steps in Joining a mesh network but use the values for SSID, Frequency Band and Channel that you have chosen when you created the mesh network.
+
+
+
+
+ Manual Network Operation
+ FreedomBox automatically configures networks by default and provides a simplified interface to customize the configuration to specific needs. In most cases, manual operation is not necessary. The following steps describe how to manually operate network configuration in the event that a user finds FreedomBox interface to insufficient for task at hand or to diagnose a problem that FreedomBox does not identify.
+ On the command line interface:
+ For text based user interface for configuring network connections:
+ nmtui
+ To see the list of available network devices:
+ nmcli device
+ To see the list of configured connections:
+ nmcli connection
+ To see the current status of a connection:
+ nmcli connection show '<conneciton_name>'
+ To see the current firewall zone assigned to a network interface:
+ nmcli connection show '<conneciton_name>' | grep zone
+ or
+ firewall-cmd --zone=internal --list=all
+firewall-cmd --zone=external --list=all
+ To create a new network connection:
+ nmcli con add con-name "<connection_name>" ifname "<interface>" type ethernet
+nmcli con modify "<connection_name>" connection.autoconnect TRUE
+nmcli con modify "<connection_name>" connection.zone internal
+ To change the firewall zone for a connection:
+ nmcli con modify "<connection_name>" connection.zone "<internal|external>"
+ For more information on how to use nmcli command, see its man page. Also for a full list of configuration settings and type of connections accepted by Network Manager see:
+
+
+
+ To see the current status of the firewall and manually operate it, see the Firewall section.
+
+
+
+ Power
+ Power provides an easy way to restart or shut down FreedomBox.
+
+
+ Public Visibility (PageKite)
+
+ What is PageKite?
+ PageKite makes local websites and services publicly accessible immediately without creating yourself a public IP address. PageKite provides "Kites" and "Services". Kites aims to make accessible in a second a web page (for instance foo.pagekite.me). Services can expose a file or a folder. Technically speaking, PageKite is free Software solution for tunneling HTTP, HTTPS and SSH servers through firewalls and NAT.
+
+
+ Use PageKite
+ See PageKite website.
+
+
+
+ Secure Shell
+
+ What is Secure Shell?
+ FreedomBox runs openssh-server server by default allowing remote logins from all interfaces. If your hardware device is connected to a monitor and a keyboard, you may login directly as well. Regular operation of FreedomBox does not require you to use the shell. However, some tasks or identifying a problem may require you to login to a shell.
+
+
+ Default User Account
+ The pre-built FreedomBox images have a default user account called "fbx". However the password is not set for this account, so it will not be possible to log in with this account by default.
+ There is a script included in the freedom-maker program, that will allow you to set the password for this account, if it is needed. To set a password for the "fbx" user:
+ 1. Decompress the image file.
+ 2. Get a copy of freedom-maker from .
+ 3. Run sudo ./bin/passwd-in-image <image-file> fbx.
+ 4. Copy the image file to SD card and boot device as normal.
+ The "fbx" user also has superuser privileges via sudo.
+
+
+ Logging In
+ To login via SSH, to your FreedomBox:
+ $ ssh fbx@freedombox
+ Replace fbx with the name of the user you wish to login as. freedombox should be replaced with the hostname or IP address of you FreedomBox device as found in the Quick Start process.
+ fbx is the default user present on FreedomBox with superuser privileges. Any other user created using Plinth and belonging to the group admin will be able to login. The root account has no password set and will not be able to login. Access will be denied to all other users.
+ fbx and users in admin group will also be able to login on the terminal directly. Other users will be denied access.
+ If you repeatedly try to login as a user and fail, you will be blocked from logging in for some time. This is due to libpam-abl package that FreedomBox installs by default. To control this behavior consult libpam-abl documentation.
+
+
+ Becoming Superuser
+ After logging in, if you want to become the superuser for performing administrative activities:
+ $ sudo su
+ Make a habit of logging in as root only when you need to. If you aren't logged in as root, you can't accidentally break everything.
+
+
+
+
+
+ Changing Password
+ To change the password of a user managed by Plinth, use the change password page. However, the fbx default user is not managed by Plinth and its password cannot be changed in the web interface.
+ To change password on the terminal, log in to your FreedomBox as the user whose password you want to change. Then, run the following command:
+ $ passwd
+ This will ask you for your current password before giving you the opportunity to set a new one.
+
+
+
+ Security
+ When this option is enabled, only users in the "admin" group will be able to log in to console or via SSH. Console users may be able to access some services without further authorization.
+ You can define the group of the users in the Users section.
+
+
+
+
+
+
+ Security.png
+
+
+
+
+
+ Service Discovery
+ Service discovery allows other devices on the network to discover your FreedomBox and services running on it.
+ It also allows FreedomBox to discover other devices and services running on your local network.
+ Service discovery is not essential and works only on internal networks. It may be disabled to improve security especially when connecting to a hostile local network.
+
+
+ Software Upgrades
+ FreedomBox can automatically install security upgrades. On the Upgrades page of the Settings section in Plinth you can turn on automatic upgrades. For FreedomBox versions above 0.5, this feature is enabled by default and there is no manual action necessary. It is strongly recommended that you have this option enabled to keep your FreedomBox secure.
+ Upgrades are performed every day at night. If you wish to shutdown FreedomBox every day after use, keep it running at night once a week or so to let the automatic upgrades happen. Alternatively, you can perform manual upgrades as described below.
+
+ Manual Upgrades
+ In the Plinth web interface, you can initiate a manual upgrade process from Upgrades page of the Settings section. Note that once the upgrades start, it may take a long time to complete and Plinth may seem to wait for the page to load.
+ Under some circumstances, automatic upgrades may fail and require you perform a manual upgrade action. Even upgrades initiated from Plinth may not finish properly. This may be because the upgrade process requires you to make a decision. In these cases, manual upgrade on the terminal may be the only option.
+ In addition, while the upgrade task is running any application installations will wait until the upgrade task is finished. Depending on the hardware, the upgrade task may take a little time, therefore, giving the impression that the application installation stalled.
+ To perform manual upgrades on the terminal, login into FreedomBox on a terminal or using a remote secure shell (see Secure Shell section). Then run the following commands:
+ $ sudo su -
+Password:
+# apt-get update
+# apt-get dist-upgrade
+ This will ask you if it is alright to install/upgrade (or remove) some packages and use (or release) some disk space. Say yes after review. In some cases, during the upgrades process you will be asked questions about modified configuration files, answering with a default Keep current configuration is usually safe.
+
+
+
+ Users and Groups
+ You can grant access to your FreedomBox for other users. Provide the Username with a password and assign a group to it. Currently the groups
+
+
+ admin
+
+
+ wiki
+
+
+ are supported.
+ The user will be able to log in to services that support single sign-on through LDAP, if they are in the appropriate group.
+ Users in the admin group will be able to log in to all services. They can also log in to the system through SSH and have administrative privileges (sudo).
+ These characteristics can also be changed later-on.
+ It is also possible to set an SSH public key which will allow this user to securely log in to the system without using a password. You may enter multiple keys, one on each line. Blank lines and lines starting with # will be ignored.
+ To temporarily disable user, he can be deactivated.
+
Hardware
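Review bot: In the Logging In paragraph, "Access will be denied to all other users" is stated unconditionally, but the Security section further down says the admin-only restriction applies "When this option is enabled" and never names the option; the only other reference to it is the Security.png figure. Please name the setting in the Security text and make the Logging In and terminal-login sentences conditional on it, or drop "When this option is enabled" if the restriction is always on. Smaller points in the same hunk: "IP address of you FreedomBox" should read "your"; Becoming Superuser uses "sudo su" while Manual Upgrades uses "sudo su -", so pick one form; the libpam-abl sentence says "for some time" without giving a duration or where to look it up beyond "consult libpam-abl documentation"; and "To temporarily disable user, he can be deactivated" would read better as "To temporarily disable a user, deactivate the account".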
@@ -4239,10 +4829,6 @@ $ sudo umount /tmp/vbox-root1
Use a fresh Debian installation
Installing FreedomBox changes your Debian system in many important ways. This includes installing a firewall and regenerating server certificates. It is hence recommended that you install FreedomBox on a fresh Debian installation instead of an existing setup.
-
- use "fbx" as the login name
-
- If you choose to create an initial user account, use "fbx" as the login name. (Once the FreedomBox setup program completes, all user accounts except for the "fbx" account will be locked out via pam_access. This also affects sudo access.)
Installing on Debian
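Review bot: Removing the 'use "fbx" as the login name' note leaves the Debian installation instructions with no warning that other accounts can lose login and sudo access once setup completes. The Logging In text added in this same patch still says access is denied to everyone except fbx and members of the admin group, so someone who created an initial account under another name during the Debian install can end up locked out. Suggest replacing the removed note with one that states the current rule (only fbx and admin-group users can log in on the console or via SSH) and points to the Secure Shell section, rather than deleting it outright.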
diff --git a/doc/images/Disks.png b/doc/images/Disks.png
new file mode 100644
index 000000000..43d44712c
Binary files /dev/null and b/doc/images/Disks.png differ
diff --git a/doc/images/DynamicDNS-Settings.png b/doc/images/DynamicDNS-Settings.png
new file mode 100644
index 000000000..f827e0929
Binary files /dev/null and b/doc/images/DynamicDNS-Settings.png differ
diff --git a/doc/images/Quassel_Installation.png b/doc/images/Quassel_Installation.png
new file mode 100644
index 000000000..134856a44
Binary files /dev/null and b/doc/images/Quassel_Installation.png differ
diff --git a/doc/images/Quassel_PortForwarding.png b/doc/images/Quassel_PortForwarding.png
new file mode 100644
index 000000000..0559fa8f4
Binary files /dev/null and b/doc/images/Quassel_PortForwarding.png differ
diff --git a/doc/images/Quasseldroid.png b/doc/images/Quasseldroid.png
new file mode 100644
index 000000000..835e4a78a
Binary files /dev/null and b/doc/images/Quasseldroid.png differ
diff --git a/doc/images/Radicale-Plinth.png b/doc/images/Radicale-Plinth.png
new file mode 100644
index 000000000..d6d13e23f
Binary files /dev/null and b/doc/images/Radicale-Plinth.png differ
diff --git a/doc/images/Security.png b/doc/images/Security.png
new file mode 100644
index 000000000..8a4abcef1
Binary files /dev/null and b/doc/images/Security.png differ
diff --git a/doc/images/plinth_openvpn.png b/doc/images/plinth_openvpn.png
new file mode 100644
index 000000000..9a898565e
Binary files /dev/null and b/doc/images/plinth_openvpn.png differ