From 52c7530e806df0603a7ea0164eb54ef4b4035b22 Mon Sep 17 00:00:00 2001
From: czesiek
Date: Sat, 1 Nov 2014 18:48:56 +0100
Subject: [PATCH] Added the OpenVPN files and Makefile, Makefile.guest. Updated the README.
---
 Makefile | 116 ++++++++++++++++++++++++++++++++++++++++++++
 Makefile.guest | 26 ++++++++++
 README | 10 ++--
 openvpn/client.conf | 29 +++++++++++
 openvpn/test.crt | 24 +++++++++
 5 files changed, 202 insertions(+), 3 deletions(-)
 create mode 100644 Makefile
 create mode 100644 Makefile.guest
 create mode 100644 openvpn/client.conf
 create mode 100644 openvpn/test.crt
diff --git a/Makefile b/Makefile
new file mode 100644
index 0000000..9ad59b3
--- /dev/null
+++ b/Makefile
@@ -0,0 +1,116 @@
+UPSTREAM_ISO_NAME=tails-i386-1.2.iso
+WORK_DIR=work
+CHROOT_DIR=${WORK_DIR}/chroot
+ISOLINUX_DIR=${WORK_DIR}/cd/isolinux
+
+setup:
+ mkdir -p ${CHROOT_DIR} ${WORK_DIR}/cd
+
+ mkdir -p ${WORK_DIR}/mountpoint
+ mount -o loop upstream/${UPSTREAM_ISO_NAME} ${WORK_DIR}/mountpoint
+ rsync --exclude=/live/filesystem.squashfs -a ${WORK_DIR}/mountpoint/ ${WORK_DIR}/cd
+
+ mkdir -p ${WORK_DIR}/squashfs
+ mount -t squashfs -o loop ${WORK_DIR}/mountpoint/live/filesystem.squashfs ${WORK_DIR}/squashfs
+ cp -a ${WORK_DIR}/squashfs/* ${CHROOT_DIR}
+ umount ${WORK_DIR}/squashfs
+ rmdir ${WORK_DIR}/squashfs
+
+ umount ${WORK_DIR}/mountpoint
+ rmdir ${WORK_DIR}/mountpoint
+
+ # TODO: move setup here, teardown to target 'image'
+
+chroot:
+ mount --bind /dev ${CHROOT_DIR}/dev
+ mount --bind /dev/pts ${CHROOT_DIR}/dev/pts
+ mount --bind /proc ${CHROOT_DIR}/proc
+
+ cp /etc/resolv.conf /etc/hosts ${CHROOT_DIR}/etc/
+
+ # boot menu
+ cp isolinux/clearnet486.cfg ${ISOLINUX_DIR}/
+ cp isolinux/clearnetamd64.cfg ${ISOLINUX_DIR}/
+ cp isolinux/live486.cfg ${ISOLINUX_DIR}/
+ cp isolinux/liveamd64.cfg ${ISOLINUX_DIR}/
+
+ # for chroot work
+ cp Makefile.guest ${CHROOT_DIR}/Makefile
+ mv ${CHROOT_DIR}/etc/apt/apt.conf.d/0000runtime-proxy ${CHROOT_DIR}/etc/apt/apt.conf.d/0000runtime-proxy.disabled
+ echo 'rootfs / rootfs rw 0 0' > ${CHROOT_DIR}/etc/mtab
+
+ mkdir -p ${CHROOT_DIR}/etc/openvpn
+ # prep for openvpn testing
+ cp openvpn/test.crt ${CHROOT_DIR}/etc/openvpn/ca.crt
+
+ cp openvpn/client.conf ${CHROOT_DIR}/etc/openvpn/ # TODO: move to Makefile.guest
+ cp ferm-clear.conf ${CHROOT_DIR}/etc/ferm/
+ cp unfermify ${CHROOT_DIR}/etc/init.d/
+ cp untorify ${CHROOT_DIR}/etc/init.d/
+ cp environment.clean ${CHROOT_DIR}/etc/ # required by untorify
+
+ chroot ${CHROOT_DIR} apt-get update
+ chroot ${CHROOT_DIR} apt-get install -y make
+ chroot ${CHROOT_DIR} make
+
+ # launchers
+ cp yokai-openvpn-launcher ${CHROOT_DIR}/usr/local/bin/
+ cp yokai-sshuttle-launcher ${CHROOT_DIR}/usr/local/bin/
+ cp yokai-launcher ${CHROOT_DIR}/usr/local/bin/
+ cp yokai-launcher-nosudo ${CHROOT_DIR}/usr/local/bin/
+ cp 60-yokai-launcher.sh ${CHROOT_DIR}/etc/NetworkManager/dispatcher.d/
+
+ #chroot ${CHROOT_DIR} /bin/bash
+
+ # reverse the adjustments made for chroot
+ rm ${CHROOT_DIR}/etc/mtab
+ mv ${CHROOT_DIR}/etc/apt/apt.conf.d/0000runtime-proxy.disabled ${CHROOT_DIR}/etc/apt/apt.conf.d/0000runtime-proxy
+ rm ${CHROOT_DIR}/Makefile
+
+ umount ${CHROOT_DIR}/proc
+ umount ${CHROOT_DIR}/dev/pts
+ umount ${CHROOT_DIR}/dev
+
+justchroot:
+ mount --bind /dev ${CHROOT_DIR}/dev
+ mount --bind /dev/pts ${CHROOT_DIR}/dev/pts
+ mount --bind /proc ${CHROOT_DIR}/proc
+
+ cp /etc/resolv.conf /etc/hosts ${CHROOT_DIR}/etc/
+
+ # setup
+ cp Makefile.guest ${CHROOT_DIR}/Makefile
+ mv ${CHROOT_DIR}/etc/apt/apt.conf.d/0000runtime-proxy ${CHROOT_DIR}/etc/apt/apt.conf.d/0000runtime-proxy.disabled
+ echo 'rootfs / rootfs rw 0 0' | sudo tee ${CHROOT_DIR}/etc/mtab > /dev/null
+
+ chroot ${CHROOT_DIR} /bin/bash
+
+ # teardown
+ rm ${CHROOT_DIR}/etc/mtab
+ mv ${CHROOT_DIR}/etc/apt/apt.conf.d/0000runtime-proxy.disabled ${CHROOT_DIR}/etc/apt/apt.conf.d/0000runtime-proxy
+ rm ${CHROOT_DIR}/Makefile
+
+ umount ${CHROOT_DIR}/proc
+ umount ${CHROOT_DIR}/dev/pts
+ umount ${CHROOT_DIR}/dev
+
+unfail:
+ # teardown
+ rm ${CHROOT_DIR}/etc/mtab
+ mv ${CHROOT_DIR}/etc/apt/apt.conf.d/0000runtime-proxy.disabled ${CHROOT_DIR}/etc/apt/apt.conf.d/0000runtime-proxy
+ rm ${CHROOT_DIR}/Makefile
+
+ umount ${CHROOT_DIR}/proc
+ umount ${CHROOT_DIR}/dev/pts
+ umount ${CHROOT_DIR}/dev
+
+image:
+ mksquashfs ${CHROOT_DIR} work/cd/live/filesystem.squashfs -noappend
+ genisoimage -r -V "TAILS-Custom" -b isolinux/isolinux.bin -c isolinux/boot.cat -cache-inodes -J -l -no-emul-boot -boot-load-size 4 -boot-info-table -o work/tails-custom.iso work/cd
+ isohybrid work/heads.iso --entry 4 --type 0x1c
+
+imagecopy:
+ cp work/heads.iso heads-`date +%Y%m%d%H%M`.iso
+
+clean:
+ rm -rf ${WORK_DIR}
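Review bot: `clean` runs `rm -rf ${WORK_DIR}` without checking that the bind mounts made by `chroot`/`justchroot` have been torn down, so after a recipe fails part-way (the very case `unfail` exists for) the recursion descends into the host's `/dev`, `/dev/pts` and `/proc` under `work/chroot`; guard it with `mountpoint -q ${CHROOT_DIR}/dev && { echo 'chroot still mounted, run make unfail' >&2; exit 1; }` or at least use `rm -rf --one-file-system ${WORK_DIR}`. `setup` also loop-mounts `upstream/${UPSTREAM_ISO_NAME}` with no integrity check, so a tampered upstream image is baked straight into the result; Tails publishes detached OpenPGP signatures, so a `gpg --verify upstream/${UPSTREAM_ISO_NAME}.sig upstream/${UPSTREAM_ISO_NAME}` (or a pinned sha256sum) before the mount would close that. Separately, `image` writes `work/tails-custom.iso` with genisoimage but then runs `isohybrid work/heads.iso`, and both `imagecopy` and the README expect `work/heads.iso`, so one of the two names is wrong and the target cannot currently succeed. The host's `/etc/resolv.conf` and `/etc/hosts` copied in for the build are not removed in the "reverse the adjustments" block, so they ship in the image unless something in Tails regenerates them at boot — worth confirming.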
diff --git a/Makefile.guest b/Makefile.guest
new file mode 100644
index 0000000..872d6ae
--- /dev/null
+++ b/Makefile.guest
@@ -0,0 +1,26 @@
+default:
+ #apt-get upgrade -y --force-yes # Note: DumbIdea(tm)
+ apt-get install -y openvpn
+ touch /etc/openvpn/credentials
+ apt-get install -y ssh-askpass-gnome
+ #apt-get install -y network-manager-openvpn-gnome # XXX testing new approach
+ git clone https://github.com/apenwarr/sshuttle.git /opt/sshuttle
+
+ # XXX: for testing
+ apt-get install -y midori
+
+ # start ferm on 2 3 4 5 instead of S (allows for unfermify)
+ sed -i '/Default-Start/s/\/2 3 4 5/' /etc/init.d/ferm
+ insserv -r ferm
+ insserv ferm
+ # disable polipo on 3 4 5
+ sed -i '/Default-Start/s/2 3 4 5/2/' /etc/init.d/polipo
+ insserv -r polipo
+ insserv polipo
+ #insserv # update rc* after copying /etc/init.d/unfermify
+
+ insserv unfermify
+ insserv untorify
+
+ # fix the .ICEauthority bug
+ sed -i 's/^exit 0/chown -R Debian-gdm:Debian-gdm \/var\/lib\/gdm3\nexit 0/' /etc/rc.local
diff --git a/README b/README
index 6dadea0..d05b9a8 100644
--- a/README
+++ b/README
@@ -14,9 +14,13 @@ to unpack the Tails image into work/ (automatically created). Then
  $ sudo make chroot
 to make changes to the image. Finally, do
  $ sudo make image
-to build the new ISO from the working dir. ISO should appear as
-heads-TIMESTAMP.iso.
+to build the new ISO from the working dir. It should appear as
+work/heads.iso. To get the timestamped version, do
+ $ sudo make imagecopy
+(simply copies the image to ./heads-TIMESTAMP.iso).
 Known issues
 ------------
-WIP
+(Work in progress)
+ - unhack the tor-browser to provide working Iceweasel experience in
+ VPN/SSH/direct modes
diff --git a/openvpn/client.conf b/openvpn/client.conf
new file mode 100644
index 0000000..b43e3db
--- /dev/null
+++ b/openvpn/client.conf
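Review bot: `touch /etc/openvpn/credentials` creates the file that `client.conf`'s `auth-user-pass` will read the VPN username and password from with whatever the build umask is, so it very likely ends up world-readable (0644) inside the image; create it closed from the start with `install -m 600 -o root -g root /dev/null /etc/openvpn/credentials`. The `git clone https://github.com/apenwarr/sshuttle.git /opt/sshuttle` line pulls whatever upstream HEAD is at build time into a tool that will carry all of the user's traffic, with no commit pin or signature check, so the image is neither reproducible nor protected against a compromised or hijacked upstream; pin a reviewed tag or commit with `git -C /opt/sshuttle checkout <reviewed-commit>` and record it next to the clone. The ferm `sed` expression `s/\/2 3 4 5/` appears to be missing a field (compare the polipo one, `s/2 3 4 5/2/`), so the Default-Start line may be left untouched and ferm would still start in runlevel S, defeating the `unfermify` scheme the comment describes; if this is a transcription artifact ignore it, otherwise the intended form is presumably `s/S/2 3 4 5/`. The `midori` install and the two commented-out `apt-get` lines are marked XXX and should not ship in a release image.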
@@ -0,0 +1,29 @@
+client
+auth-user-pass /etc/openvpn/credentials
+dev tun
+proto udp
+remote hackerspace.pl 20001
+resolv-retry infinite
+nobind
+
+log /var/log/openvpn.client.log
+
+#user nobody
+#group nobody
+
+persist-key
+persist-tun
+
+ca /etc/openvpn/ca.crt
+
+ns-cert-type server
+
+comp-lzo
+
+script-security 2
+up /etc/openvpn/update-resolv-conf
+down /etc/openvpn/update-resolv-conf
+
+verb 3
+
+redirect-gateway def1
diff --git a/openvpn/test.crt b/openvpn/test.crt
new file mode 100644
index 0000000..3bff449
--- /dev/null
+++ b/openvpn/test.crt
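Review bot: The privilege drop is disabled — `#user nobody` and `#group nobody` are commented out even though `persist-key` and `persist-tun` are already set, and those two options exist precisely so the daemon can drop root once the tunnel is up; on a Debian-based image enable them as `user nobody` and `group nogroup`. `ns-cert-type server` only checks the legacy Netscape cert-type extension and has been superseded by `remote-cert-tls server`, which verifies the serverAuth EKU; switch to it if the VPN server's certificate carries that EKU (the connection is refused otherwise, so test against the real server first). With `auth-user-pass /etc/openvpn/credentials` the VPN password lives in a plaintext file that nothing in this patch protects beyond a bare `touch`, so that file must be mode 0600 before it is populated. `comp-lzo` compresses the tunnelled plaintext, which gives an attacker who can inject traffic a side channel on the encrypted stream; unless the server insists on it, drop the line or set `comp-lzo no`.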
@@ -0,0 +1,24 @@
+-----BEGIN CERTIFICATE-----
+MIIEATCCA2qgAwIBAgIJAOeMKeXDIl0cMA0GCSqGSIb3DQEBBQUAMIGyMQswCQYD
+VQQGEwJQTDEUMBIGA1UECBMLTWF6b3dpZWNraWUxETAPBgNVBAcTCFdhcnN6YXdh
+MR0wGwYDVQQKExRIYWNrZXJzcGFjZSBXYXJzemF3YTEPMA0GA1UECxMGaXRhbmlj
+MQ8wDQYDVQQDEwZpdGFuaWMxDzANBgNVBCkTBml0YW5pYzEoMCYGCSqGSIb3DQEJ
+ARYZaG9zdG1hc3RlckBoYWNrZXJzcGFjZS5wbDAeFw0xMjAzMDgwMDE4NDBaFw0y
+MjAzMDYwMDE4NDBaMIGyMQswCQYDVQQGEwJQTDEUMBIGA1UECBMLTWF6b3dpZWNr
+aWUxETAPBgNVBAcTCFdhcnN6YXdhMR0wGwYDVQQKExRIYWNrZXJzcGFjZSBXYXJz
+emF3YTEPMA0GA1UECxMGaXRhbmljMQ8wDQYDVQQDEwZpdGFuaWMxDzANBgNVBCkT
+Bml0YW5pYzEoMCYGCSqGSIb3DQEJARYZaG9zdG1hc3RlckBoYWNrZXJzcGFjZS5w
+bDCBnzANBgkqhkiG9w0BAQEFAAOBjQAwgYkCgYEA4s7pSdaNEzc7dh5YYgBtSa8v
+TOPOjPVMBbfdqVQerTrG9Vg9mc2p+v630yCaxUrXYu6oNYlFkq/4qB5wosACyhIp
+DUwaDdwlBCF26dBBFtVvLEoWkvBaZCYJqcqoPwuk9Ws4Db0tbbOPgVi7mwG4y7dd
+j7F3tzn/yqhQFJSabv8CAwEAAaOCARswggEXMB0GA1UdDgQWBBSBVgtOU89it/lb
+sBzRQa0u5DKaATCB5wYDVR0jBIHfMIHcgBSBVgtOU89it/lbsBzRQa0u5DKaAaGB
+uKSBtTCBsjELMAkGA1UEBhMCUEwxFDASBgNVBAgTC01hem93aWVja2llMREwDwYD
+VQQHEwhXYXJzemF3YTEdMBsGA1UEChMUSGFja2Vyc3BhY2UgV2Fyc3phd2ExDzAN
+BgNVBAsTBml0YW5pYzEPMA0GA1UEAxMGaXRhbmljMQ8wDQYDVQQpEwZpdGFuaWMx
+KDAmBgkqhkiG9w0BCQEWGWhvc3RtYXN0ZXJAaGFja2Vyc3BhY2UucGyCCQDnjCnl
+wyJdHDAMBgNVHRMEBTADAQH/MA0GCSqGSIb3DQEBBQUAA4GBADD3Hqnp6rXTa74L
+Zx/uhm5VemwpYZGbsI2BA80FFIJcMiG/9154aT+dWXrkDKuZPeiPHD1uBfFDIQas
+/aFBWII9q9mZdr74wdSsZg93jKn0xT4+1ioATUvVNSRCxfARfFVR+AfszhlKpZFl
+yfpMKmVpmJl0F8qf4pj/VmCshyOY
+-----END CERTIFICATE-----
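Review bot: This certificate is what the Makefile installs as the image's only VPN trust anchor (`/etc/openvpn/ca.crt`), and from its DER prefix it decodes to a self-signed CA with a 1024-bit RSA key signed with sha1WithRSAEncryption, valid roughly 2012-03-08 to 2022-03-06 — a weak anchor for a tool whose purpose is to protect the user's traffic, and the name `test.crt` suggests it was never meant to ship. Record the CA's SHA-256 fingerprint in the README so users can check it out-of-band before trusting the image, and plan to replace it with a 2048-bit-or-larger, SHA-256-signed CA, since OpenSSL defaults will progressively refuse 1024-bit/SHA-1 chains.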