Merge branch 'master' into feature/cloud-init

2025-08-02 10:53:01 +02:00 · 2019-12-11 08:15:59 +01:00 · 2019-12-11 08:15:59 +01:00 · 31ace45b8d
commit 31ace45b8d
parent 586d6279f6 45aa0065cd
11 changed files with 211 additions and 78 deletions
--- a/README.md
+++ b/README.md
@ -4,12 +4,14 @@
 [![Twitter](https://img.shields.io/twitter/url/https/twitter.com/fold_left.svg?style=social&label=Follow%20%40AlgoVPN)](https://twitter.com/AlgoVPN)
 [![TravisCI Status](https://api.travis-ci.org/trailofbits/algo.svg?branch=master)](https://travis-ci.org/trailofbits/algo)
-Algo VPN is a set of Ansible scripts that simplify the setup of a personal Wireguard and IPSEC VPN. It uses the most secure defaults available, works with common cloud providers, and does not require client software on most devices. See our [release announcement](https://blog.trailofbits.com/2016/12/12/meet-algo-the-vpn-that-works/) for more information.
+Algo VPN is a set of Ansible scripts that simplify the setup of a personal WireGuard and IPsec VPN. It uses the most secure defaults available and works with common cloud providers. See our [release announcement](https://blog.trailofbits.com/2016/12/12/meet-algo-the-vpn-that-works/) for more information.
 ## Features
-* Supports only IKEv2 with strong crypto (AES-GCM, SHA2, and P-256) and [WireGuard](https://www.wireguard.com/)
+* Supports only IKEv2 with strong crypto (AES-GCM, SHA2, and P-256) for iOS, macOS, and Linux
-* Generates Apple profiles to auto-configure iOS and macOS devices
+* Supports [WireGuard](https://www.wireguard.com/) for all of the above, in addition to Android and Windows 10
 * Generates .conf files and QR codes for iOS, macOS, Android, and Windows WireGuard clients
 * Generates Apple profiles to auto-configure iOS and macOS devices for IPsec - no client software required
 * Includes a helper script to add and remove users
 * Blocks ads with a local DNS resolver (optional)
 * Sets up limited SSH users for tunneling traffic (optional)
@ -21,7 +23,6 @@ Algo VPN is a set of Ansible scripts that simplify the setup of a personal Wireg
 * Does not support legacy cipher suites or protocols like L2TP, IKEv1, or RSA
 * Does not install Tor, OpenVPN, or other risky servers
 * Does not depend on the security of [TLS](https://tools.ietf.org/html/rfc7457)
 * Does not require client software on most platforms
 * Does not claim to provide anonymity or censorship avoidance
 * Does not claim to protect you from the [FSB](https://en.wikipedia.org/wiki/Federal_Security_Service), [MSS](https://en.wikipedia.org/wiki/Ministry_of_State_Security_(China)), [DGSE](https://en.wikipedia.org/wiki/Directorate-General_for_External_Security), or [FSM](https://en.wikipedia.org/wiki/Flying_Spaghetti_Monster)
@ -37,14 +38,17 @@ The easiest way to get an Algo server running is to run it on your local system
    - Run the command `git clone https://github.com/trailofbits/algo.git` to create a directory named `algo` containing the Algo scripts.
-3. **Install Algo's core dependencies.** Algo requires that **Python 3** and at least one supporting package are installed on your system.
+3. **Install Algo's core dependencies.** Algo requires that **Python 3.6 or later** and at least one supporting package are installed on your system.
-    - **macOS:** Apple does not provide Python 3 with macOS. There are two ways to obtain it:
+    - **macOS:** Apple does not provide a suitable version of Python 3 with macOS. Here are two ways to obtain one:
        * Use the [Homebrew](https://brew.sh) package manager. After installing Homebrew install Python 3 by running `brew install python3`.
-        * Download and install the latest stable [Python 3 package](https://www.python.org/downloads/mac-osx/). Be sure to run the included *Install Certificates* command from Finder.
+        * Download and install the latest stable [Python 3.7.x package](https://www.python.org/downloads/mac-osx/) (currently Python 3.8 will not work). Be sure to run the included *Install Certificates* command from Finder.
        See [Deploy from macOS](docs/deploy-from-macos.md) for more detailed information on installing Python 3 on macOS.
        Once Python 3 is installed on your Mac, from Terminal run:
        ```bash
        python3 -m pip install --upgrade virtualenv
        ```
@ -75,7 +79,7 @@ The easiest way to get an Algo server running is to run it on your local system
    ```
    On Fedora add the option `--system-site-packages` to the first command above. On macOS install the C compiler if prompted.
-5. **List the users to create.** Open the file `config.cfg` in your favorite text editor. Specify the users you wish to create in the `users` list. Create a unique user for each device you plan to connect to your VPN. If you want to be able to add or delete users later, you **must** select `yes` at the `Do you want to retain the keys (PKI)?` prompt during the deployment.
+5. **Set your configuration options.** Open the file `config.cfg` in your favorite text editor. Specify the users you wish to create in the `users` list. Create a unique user for each device you plan to connect to your VPN. If you want to be able to add or delete users later, you **must** select `yes` at the `Do you want to retain the keys (PKI)?` prompt during the deployment. You should also review the other options before deployment, as changing your mind about them later [may require you to deploy a brand new server](https://github.com/trailofbits/algo/blob/master/docs/faq.md#i-deployed-an-algo-server-can-you-update-it-with-new-features).
 6. **Start the deployment.** Return to your terminal. In the Algo directory, run `./algo` and follow the instructions. There are several optional features available. None are required for a fully functional VPN server. These optional features are described in greater detail in [here](docs/deploy-from-ansible.md).
--- a/config.cfg
+++ b/config.cfg
@ -9,44 +9,21 @@ users:
  - laptop
  - desktop
-### Advanced users only below this line ###
+### Review these options BEFORE you run Algo, as they are very difficult/impossible to change after the server is deployed.
 # Change default SSH port for the cloud roles only
 # It doesn't apply if you deploy to your existing Ubuntu Server
 ssh_port: 4160
 # Store the PKI in a ram disk. Enabled only if store_pki (retain the PKI) is set to false
 # Supports on MacOS and Linux only (including Windows Subsystem for Linux)
 pki_in_tmpfs: true
 # If True re-init all existing certificates. Boolean
 keys_clean_all: False
 # Deploy StrongSwan to enable IPsec support
 ipsec_enabled: true
 # StrongSwan log level
 # https://wiki.strongswan.org/projects/strongswan/wiki/LoggerConfiguration
 strongswan_log_level: 2
 # rightsourceip for ipsec
 # ipv4
 strongswan_network: 10.19.48.0/24
 # ipv6
 strongswan_network_ipv6: 'fd9d:bc11:4020::/48'
 # Deploy WireGuard
 # WireGuard will listen on 51820/UDP. You might need to change to another port
 # if your network blocks this one. Be aware that 53/UDP (DNS) is blocked on some
 # mobile data networks.
 wireguard_enabled: true
 wireguard_port: 51820
 # If you're behind NAT or a firewall and you want to receive incoming connections long after network traffic has gone silent.
 # This option will keep the "connection" open in the eyes of NAT.
 # See: https://www.wireguard.com/quickstart/#nat-and-firewall-traversal-persistence
 wireguard_PersistentKeepalive: 0
 # WireGuard network configuration
 wireguard_network_ipv4: 10.19.49.0/24
 wireguard_network_ipv6: fd9d:bc11:4021::/48
 # Reduce the MTU of the VPN tunnel
 # Some cloud and internet providers use a smaller MTU (Maximum Transmission
@ -71,6 +48,29 @@ adblock_lists:
 # DNS encryption can not be disabled if DNS adblocking is enabled
 dns_encryption: true
 # Block traffic between connected clients. Change this to false to enable
 # connected clients to reach each other, as well as other computers on the
 # same LAN as your Algo server (i.e. the "road warrior" setup). In this
 # case, you may also want to enable SMB/CIFS and NETBIOS traffic below.
 BetweenClients_DROP: true
 # Block SMB/CIFS traffic
 block_smb: true
 # Block NETBIOS traffic
 block_netbios: true
 # Your Algo server will automatically install security updates. Some updates
 # require a reboot to take effect but your Algo server will not reboot itself
 # automatically unless you change 'enabled' below from 'false' to 'true', in
 # which case a reboot will take place if necessary at the time specified (as
 # HH:MM) in the time zone of your Algo server. The default time zone is UTC.
 unattended_reboot:
  enabled: false
  time: 06:00
 ### Advanced users only below this line ###
 # DNS servers which will be used if 'dns_encryption' is 'true'. Multiple
 # providers may be specified, but avoid mixing providers that filter results
 # (like Cisco) with those that don't (like Cloudflare) or you could get
@ -94,27 +94,36 @@ dns_servers:
    - 2606:4700:4700::1111
    - 2606:4700:4700::1001
 # Store the PKI in a ram disk. Enabled only if store_pki (retain the PKI) is set to false
 # Supports on MacOS and Linux only (including Windows Subsystem for Linux)
 pki_in_tmpfs: true
 # Set this to 'true' when running './algo update-users' if you want ALL users to get new certs, not just new users. 
 keys_clean_all: false
 # StrongSwan log level
 # https://wiki.strongswan.org/projects/strongswan/wiki/LoggerConfiguration
 strongswan_log_level: 2
 # rightsourceip for ipsec
 # ipv4
 strongswan_network: 10.19.48.0/24
 # ipv6
 strongswan_network_ipv6: 'fd9d:bc11:4020::/48'
 # If you're behind NAT or a firewall and you want to receive incoming connections long after network traffic has gone silent.
 # This option will keep the "connection" open in the eyes of NAT.
 # See: https://www.wireguard.com/quickstart/#nat-and-firewall-traversal-persistence
 wireguard_PersistentKeepalive: 0
 # WireGuard network configuration
 wireguard_network_ipv4: 10.19.49.0/24
 wireguard_network_ipv6: fd9d:bc11:4021::/48
 # Randomly generated IP address for the local dns resolver
 local_service_ip: "{{ '172.16.0.1' | ipmath(1048573 | random(seed=algo_server_name + ansible_fqdn)) }}"
 local_service_ipv6: "{{ 'fd00::1' | ipmath(1048573 | random(seed=algo_server_name + ansible_fqdn)) }}"
 # Your Algo server will automatically install security updates. Some updates
 # require a reboot to take effect but your Algo server will not reboot itself
 # automatically unless you change 'enabled' below from 'false' to 'true', in
 # which case a reboot will take place if necessary at the time specified (as
 # HH:MM) in the time zone of your Algo server. The default time zone is UTC.
 unattended_reboot:
  enabled: false
  time: 06:00
 # Block traffic between connected clients
 BetweenClients_DROP: true
 # Block SMB/CIFS traffic
 block_smb: true
 # Block NETBIOS traffic
 block_netbios: true
 congrats:
  common: |
@ -145,7 +154,7 @@ cloud_providers:
    size: s-1vcpu-1gb
    image: "ubuntu-19-04-x64"
  ec2:
-    # Change the encrypted flag to "true" to enable AWS volume encryption, for encryption of data at rest.
+    # Change the encrypted flag to "false" to disable AWS volume encryption.
    encrypted: true
    # Set use_existing_eip to "true" if you want to use a pre-allocated Elastic IP
    # Additional prompt will be raised to determine which IP to use
--- a/docs/client-linux-wireguard.md
+++ b/docs/client-linux-wireguard.md
@ -5,10 +5,12 @@
 To connect to your AlgoVPN using [WireGuard](https://www.wireguard.com) from Ubuntu, first install WireGuard:
 ```shell
-# Add the WireGuard repository:
+# Ubuntu 19.04 and earlier:
 # Add the WireGuard repository
 sudo add-apt-repository ppa:wireguard/wireguard
-# Update the list of available packages (not necessary on 18.04 or later):
+# Ubuntu 17.10 and earlier:
 # Update the list of available packages
 sudo apt update
 # Install the tools and kernel module:
--- a/docs/deploy-from-ansible.md
+++ b/docs/deploy-from-ansible.md
@ -26,12 +26,12 @@ See below for more information about variables and roles.
 - `provider` - (Required) The provider to use. See possible values below
 - `server_name` - (Required) Server name. Default: algo
- `ondemand_cellular` (Optional) VPN On Demand when connected to cellular networks with IPsec. Default: false
+- `ondemand_cellular` (Optional) Enables VPN On Demand when connected to cellular networks for iOS/macOS clients using IPsec. Default: false
- `ondemand_wifi` - (Optional. See `ondemand_wifi_exclude`) VPN On Demand when connected to WiFi networks with IPsec. Default: false
+- `ondemand_wifi` - (Optional. See `ondemand_wifi_exclude`) Enables VPN On Demand when connected to WiFi networks for iOS/macOS clients using IPsec. Default: false
 - `ondemand_wifi_exclude` (Required if `ondemand_wifi` set) - WiFi networks to exclude from using the VPN. Comma-separated values
 - `dns_adblocking` - (Optional) Enables dnscrypt-proxy adblocking. Default: false
 - `ssh_tunneling` - (Optional) Enable SSH tunneling for each user. Default: false
- `store_cakey` - (Optional) Whether or not keep the CA key (required to add users in the future, but less secure). Default: false
+- `store_pki` - (Optional) Whether or not keep the CA key (required to add users in the future, but less secure). Default: false
 If any of the above variables are unspecified, ansible will ask the user to input them.
--- a/docs/deploy-from-macos.md
+++ b/docs/deploy-from-macos.md
@ -0,0 +1,85 @@
 # Deploy from macOS
 While you can't turn a macOS system in an AlgoVPN, you can install the Algo scripts on a macOS system and use them to deploy your AlgoVPN to a cloud provider.
 Algo uses [Ansible](https://www.ansible.com) which requires Python 3. macOS does not include a version of Python 3 that you can use with Algo. (It does include an obsolete version of Python 2 installed as `/usr/bin/python` which you should ignore.)
 You'll need to install Python 3 before you can run Algo. Python 3 is available from several different packagers, three of which are listed below.
 **IMPORTANT:** At this time you **cannot** use Python 3.8 or later with Ansible on macOS. Choose a recent version of Python 3.7 instead.
 ## macOS 10.15 Catalina
 Catalina comes with `/usr/bin/python3` installed. This file, and certain others like `/usr/bin/git`, start out as stub files that prompt you to install the Developer Command Line Tools the first time you run them. Having `git` installed can be useful but whether or not you choose to install the Command Line Tools you **cannot** use this version of Python 3 with Algo at this time. Instead install one of the versions below.
 ## Ansible and SSL Validation
 Ansible validates SSL network connections using OpenSSL but macOS includes LibreSSL which behaves differently. Therefore each version of Python below includes or depends on its own copy of OpenSSL.
 OpenSSL needs access to a list of trusted CA certificates in order to validate SSL connections. Each packager handles initializing this certificate store differently. If you see the error `CERTIFICATE_VERIFY_FAILED` when running Algo make sure you've followed the packager-specific instructions correctly, and that you're not inadvertently running Catalina's `/usr/bin/python3`.
 ## Install Python 3
 Choose one of the packagers below as your source for Python 3. Avoid installing versions from multiple packagers on the same Mac as you may encounter conflicts. In particular they might fight over creating symbolic links in `/usr/local/bin`.
 ### Option 1: Install using the Homebrew package manager
 If you're comfortable using the command line in Terminal the [Homebrew](https://brew.sh) project is a great source of software for macOS.
 First install Homebrew using the instructions on the [Homebrew](https://brew.sh) page.
 The install command below takes care of initializing the CA certificate store.
 #### Installation
 ```
 brew install python3
 ```
 After installation open a new tab or window in Terminal and verify that the command `which python3` returns `/usr/local/bin/python3`.
 #### Removal
 ```
 brew uninstall python3
 ```
 ### Option 2: Install a package from Python.org
 If you don't want to install a package manager you can download a Python package for macOS from [python.org](https://www.python.org/downloads/mac-osx/).
 #### Installation
 Download the most recent version of Python 3.7 and install it like any other macOS package. Then initialize the CA certificate store from Finder by double-clicking on the file `Install Certificates.command` found in the `/Applications/Python 3.7` folder.
 When you double-click on `Install Certificates.command` a new Terminal window will open. If the window remains blank then the command has not run correctly. This can happen if you've changed the default shell in Terminal Preferences. Try changing it back to the default and run `Install Certificates.command` again.
 After installation open a new tab or window in Terminal and verify that the command `which python3` returns either `/usr/local/bin/python3` or  `/Library/Frameworks/Python.framework/Versions/3.7/bin/python3`.
 #### Removal
 Unfortunately the python.org package does not include an uninstaller and removing it requires several steps:
 1. In Finder, delete the package folder found in `/Applications`.
 2. In Finder, delete the *rest* of the package found under ` /Library/Frameworks/Python.framework/Versions`.
 3. In Terminal, undo the changes to your `PATH` by running:
 ```mv ~/.bash_profile.pysave ~/.bash_profile```
 4. In Terminal, remove the dozen or so symbolic links the package created in `/usr/local/bin`. Or just leave them because installing another version of Python will overwrite most of them.
 ### Option 3: Install using the Macports package manager
 [Macports](https://www.macports.org) is another command line based package manager like Homebrew. Most users will find Macports far more complex than Homebrew, but developers might find Macports more flexible. If you search for "Macports vs. Homebrew" you will find many opinions.
 First install Macports per the [instructions](https://www.macports.org/install.php).
 In addition to installing Python you'll need to install the package containing the CA certificates.
 #### Installation
 ```
 sudo port install python37
 sudo port install curl-ca-bundle
 ```
 After installation open a new tab or window in Terminal and verify that the command `which python3` returns `/opt/local/bin/python3`.
 #### Removal
 ```
 sudo port uninstall python37
 sudo port uninstall curl-ca-bundle
 ```
--- a/docs/deploy-from-script-or-cloud-init-to-localhost.md
+++ b/docs/deploy-from-script-or-cloud-init-to-localhost.md
@ -1,8 +1,7 @@
 # Deploy from script or cloud-init
 You can use `install.sh` to prepare the environment and deploy AlgoVPN on the local Ubuntu server in one shot using cloud-init, or run the script directly on the server after it's been created. 
-
+The script doesn't configure any parameters in your cloud, so you're on your own to configure related [firewall rules](/docs/firewalls.md), a floating IP address and other resources you may need. The output of the install script (including the p12 and CA passwords) can be found at `/var/log/algo.log`, and user config files will be installed into the `/opt/algo/configs/localhost` directory. If you need to update users later, `cd /opt/algo`, change the user list in `config.cfg`, install additional dependencies as in step 4 of the [main README](https://github.com/trailofbits/algo/blob/master/README.md), and run `./algo update-users` from that directory.
 The script doesn't configure any parameters in your cloud, so it's on your own to configure related [firewall rules](/docs/firewalls.md), a floating ip address and other resources you may need. The output of the install script (including the p12 and CA passwords) and user config files will be installed into the `/opt/algo` directory.
 ## Cloud init deployment
--- a/docs/deploy-from-windows.md
+++ b/docs/deploy-from-windows.md
@ -1,8 +1,15 @@
-# Windows client prerequisite
+# Deploy from Windows
 The Algo scripts can't be run directly on Windows, but you can use the Windows Subsystem for Linux (WSL) to run a copy of Ubuntu Linux right on your Windows system.
 To run WSL you will need:
 * A 64-bit system
 * 64-bit Windows 10 (Anniversary update or later version)
-Once you verify your system is 64-bit (32-bit is not supported) and up to date, you have to do a few manual steps to enable the 'Windows Subsystem for Linux':
+## Install WSL
 Enable the 'Windows Subsystem for Linux':
 1. Open 'Settings'
 2. Click 'Update & Security', then click the 'For developers' option on the left.
@ -17,17 +24,25 @@ Wait a minute for Windows to install a few things in the background (it will eve
 5. Restart Windows and then [install Ubuntu from the Windows Store](https://www.microsoft.com/p/ubuntu/9nblggh4msv6).
 6. Run Ubuntu from the Start menu. It will take a few minutes to install. It will have you create a separate user account for the Linux subsystem. Once that's done, you will finally have Ubuntu running somewhat integrated with Windows.
 ## Install Algo
-Install additional packages:
+Run these commands in the Ubuntu Terminal to install a prerequisite package and download the Algo scripts to your home directory. Note that when using WSL you should **not** install Algo in the `/mnt/c` directory due to problems with file permissions.
 You may need to follow [these directions](https://devblogs.microsoft.com/commandline/copy-and-paste-arrives-for-linuxwsl-consoles/) in order to paste commands into the Ubuntu Terminal.
 ```shell
-sudo apt-get update && sudo apt-get install git build-essential libssl-dev libffi-dev python3-dev python3-pip python3-setuptools python3-virtualenv -y
+cd
 umask 0002
 sudo apt update
 sudo apt install -y python3-virtualenv
 git clone https://github.com/trailofbits/algo
 cd algo
 ```
-Clone the Algo repository:
+Now you can continue by following the [README](https://github.com/trailofbits/algo#deploy-the-algo-server) from the 4th step to deploy your Algo server!
 You'll be instructed to edit the file `config.cfg` in order to specify the Algo user accounts to be created. If you're new to Linux the simplest editor to use is `nano`. To edit the file while in the `algo` directory, run:
 ```shell
-cd ~ && git clone https://github.com/trailofbits/algo && cd algo
+nano config.cfg
 ```
-
+Once `./algo` has finished you can use the `cp` command to copy the configuration files from the `configs` directory into your Windows directory under `/mnt/c/Users` for easier access.
 Now, you can go through the [README](https://github.com/trailofbits/algo#deploy-the-algo-server) (start from the 4th step) and deploy your Algo server!
--- a/docs/deploy-to-ubuntu.md
+++ b/docs/deploy-to-ubuntu.md
@ -8,4 +8,11 @@ Install to existing Ubuntu 18.04, 19.04, or 19.10 server (Advanced)
 ```
 Make sure your target server is running an unmodified copy of the operating system version specified. The target can be the same system where you've installed the Algo scripts, or a remote system that you are able to access as root via SSH without needing to enter the SSH key passphrase (such as when using `ssh-agent`).
 # Road Warrior setup
 Some may find it useful to set up an Algo server on an Ubuntu box on your home LAN, with the intention of being able to securely access your LAN and any resources on it when you're traveling elsewhere (the ["road warrior" setup](https://en.wikipedia.org/wiki/Road_warrior_(computing))). A few tips if you're doing so:
 - Make sure you forward any [relevant incoming ports](/docs/firewalls.md#external-firewall) to the Algo server from your router;
 - Change `BetweenClients_DROP` in `config.cfg` to `false`, and also consider changing `block_smb` and `block_netbios` to `false`;
 - If you want to use a DNS server on your LAN to resolve local domain names properly (e.g. a Pi-hole), set the `dns_encryption` flag in `config.cfg` to `false`, and change `dns_servers` to the local DNS server IP (i.e. `192.168.1.2`).
 **PLEASE NOTE**: Algo is intended for use to create a _dedicated_ VPN server. No uninstallation option is provided. If you install Algo on an existing server any existing services might break. In particular, the firewall rules will be overwritten. See [AlgoVPN and Firewalls](/docs/firewalls.md) for more information.
--- a/docs/faq.md
+++ b/docs/faq.md
@ -1,6 +1,7 @@
 # FAQ
 * [Has Algo been audited?](#has-algo-been-audited)
 * [What's the current status of WireGuard?](#whats-the-current-status-of-wireguard)
 * [Why aren't you using Tor?](#why-arent-you-using-tor)
 * [Why aren't you using Racoon, LibreSwan, or OpenSwan?](#why-arent-you-using-racoon-libreswan-or-openswan)
 * [Why aren't you using a memory-safe or verified IKE daemon?](#why-arent-you-using-a-memory-safe-or-verified-ike-daemon)
@ -11,6 +12,8 @@
 * [Can DNS filtering be disabled?](#can-dns-filtering-be-disabled)
 * [Wasn't IPSEC backdoored by the US government?](#wasnt-ipsec-backdoored-by-the-us-government)
 * [What inbound ports are used?](#what-inbound-ports-are-used)
 * [How do I monitor user activity?](#how-do-i-monitor-user-activity)
 * [How do I reach another connected client?](#how-do-i-reach-another-connected-client)
 ## Has Algo been audited?
@ -18,7 +21,7 @@ No. This project is under active development. We're happy to [accept and fix iss
 ## What's the current status of WireGuard?
-[WireGuard is a work in progress](https://www.wireguard.com/#work-in-progress). It has undergone [substantial](https://www.wireguard.com/formal-verification/) security review, however, its authors are appropriately cautious about its safety and the protocol is subject to change. As a result, WireGuard does not yet have a "stable" 1.0 release. Releases are tagged with their build date -- "0.0.YYYYMMDD" -- and users should be advised to apply new updates when they are available.
+[WireGuard is a work in progress](https://www.wireguard.com/#work-in-progress). It has undergone [substantial](https://www.wireguard.com/formal-verification/) security review, however, its authors are appropriately cautious about its safety and the protocol is subject to change. As a result, WireGuard does not yet have a "stable" 1.0 release. Releases are tagged with their build date -- "0.0.YYYYMMDD" -- and users should be advised to apply new updates when they are available. Your Algo server will automatically upgrade and restart WireGuard from the [official WireGuard PPA for Ubuntu](https://launchpad.net/~wireguard/+archive/ubuntu/wireguard) by default.
 ## Why aren't you using Tor?
@ -42,11 +45,11 @@ Alpine Linux is not supported out-of-the-box by any major cloud provider. We are
 ## I deployed an Algo server. Can you update it with new features?
-No. By design, the Algo development team has no access to any Algo server that our users haved deployed. We cannot modify the configuration, update the software, or sniff the traffic that goes through your personal Algo VPN server. This prevents scenarios where we are legally compelled or hacked to push down backdoored updates that surveil our users.
+No. By design, the Algo development team has no access to any Algo server that our users have deployed. We cannot modify the configuration, update the software, or sniff the traffic that goes through your personal Algo VPN server. This prevents scenarios where we are legally compelled or hacked to push down backdoored updates that surveil our users.
-As a result, once your Algo server has been deployed, it is yours to maintain. If you want to take advantage of new features available in the current release of Algo, then you have two options. You can use the [SSH administrative interface](/README.md#ssh-into-algo-server) to make the changes you want on your own or you can shut down the server and deploy a new one (recommended).
+As a result, once your Algo server has been deployed, it is yours to maintain. It will use unattended-upgrades by default to apply security and feature updates to Ubuntu, as well as to the core VPN software of strongSwan, dnscrypt-proxy and WireGuard. However, if you want to take advantage of new features available in the current release of Algo, then you have two options. You can use the [SSH administrative interface](/README.md#ssh-into-algo-server) to make the changes you want on your own or you can shut down the server and deploy a new one (recommended).
-In the future, we will make it easier for users who want to update their own servers by providing official releases of Algo. Each official release will summarize the changes from the last release to make it easier to follow along with them.
+As an extension of this rationale, most configuration options (other than users) available in `config.cfg` can only be set at the time of initial deployment.
 ## Where did the name "Algo" come from?
@ -54,7 +57,7 @@ Algo is short for "Al Gore", the **V**ice **P**resident of **N**etworks everywhe
 ## Can DNS filtering be disabled?
-You can temporarily disable DNS filtering for all IPsec clients at once with the following workaround: SSH to your Algo server (using the 'shell access' command printed upon a successful deployment), edit `/etc/ipsec.conf`, and change `rightdns=<random_ip>` to `rightdns=8.8.8.8`. Then run `sudo systemctl restart strongswan`. DNS filtering for Wireguard clients has to be disabled on each client device separately by modifying the settings in the app, or by directly modifying the `DNS` setting on the `clientname.conf` file. If all else fails, we recommend deploying a new Algo server without the adblocking feature enabled.
+You can temporarily disable DNS filtering for all IPsec clients at once with the following workaround: SSH to your Algo server (using the 'shell access' command printed upon a successful deployment), edit `/etc/ipsec.conf`, and change `rightdns=<random_ip>` to `rightdns=8.8.8.8`. Then run `sudo systemctl restart strongswan`. DNS filtering for WireGuard clients has to be disabled on each client device separately by modifying the settings in the app, or by directly modifying the `DNS` setting on the `clientname.conf` file. If all else fails, we recommend deploying a new Algo server without the adblocking feature enabled.
 ## Wasn't IPSEC backdoored by the US government?
@ -79,3 +82,11 @@ No.
 ## What inbound ports are used?
 You should only need 4160/TCP, 500/UDP, 4500/UDP, and 51820/UDP opened on any firewall that sits between your clients and your Algo server. See [AlgoVPN and Firewalls](/docs/firewalls.md) for more information.
 ## How do I monitor user activity?
 Your Algo server will track IPsec client logins by default in `/var/log/syslog`. This will give you client names, date/time of connection and reconnection, and what IP addresses they're connecting from. This can be disabled entirely by setting `strongswan_log_level` to `-1` in `config.cfg`. WireGuard doesn't save any logs, but entering `sudo wg` on the server will give you the last endpoint and contact time of each client. Disabling this is [paradoxically difficult](https://git.zx2c4.com/blind-operator-mode/about/). There isn't any out-of-the-box way to monitor actual user _activity_ (e.g. websites browsed, etc.)
 ## How do I reach another connected client?
 By default, your Algo server doesn't allow connections between connected clients. This can be changed at the time of deployment by enabling the `BetweenClients_DROP` flag in `config.cfg`. See the ["Road Warrior" instructions](/docs/deploy-to-ubuntu.md#road-warrior-setup) for more details.
--- a/docs/index.md
+++ b/docs/index.md
@ -5,14 +5,15 @@
  - Deploy from [Windows](deploy-from-windows.md)
  - Deploy from a [Docker container](deploy-from-docker.md)
  - Deploy from [Ansible](deploy-from-ansible.md) non-interactively
-  - Deploy onto a [cloud server at time of creation](deploy-from-script-or-cloud-init-to-localhost.md)
+  - Deploy onto a [cloud server at time of creation with shell script or cloud-init](deploy-from-script-or-cloud-init-to-localhost.md)
  - Deploy from [macOS](deploy-from-macos.md)
 * Client setup
  - Setup [Android](client-android.md) clients
  - Setup [Generic/Linux](client-linux.md) clients with Ansible
  - Setup Ubuntu clients to use [WireGuard](client-linux-wireguard.md)
-  - Setup Linux clients to use [IPSEC](client-linux-ipsec.md)
+  - Setup Linux clients to use [IPsec](client-linux-ipsec.md)
-  - Setup Apple devices to use [IPSEC](client-apple-ipsec.md)
+  - Setup Apple devices to use [IPsec](client-apple-ipsec.md)
-  - Setup Macs running macOS 10.13 or older to use [Wireguard](client-macos-wireguard.md)
+  - Setup Macs running macOS 10.13 or older to use [WireGuard](client-macos-wireguard.md)
 * Cloud provider setup
  - Configure [Amazon EC2](cloud-amazon-ec2.md)
  - Configure [Azure](cloud-azure.md)
@ -23,7 +24,7 @@
  - Configure [Hetzner Cloud](cloud-hetzner.md)
 * Advanced Deployment
  - Deploy to your own [FreeBSD](deploy-to-freebsd.md) server
-  - Deploy to your own [Ubuntu](deploy-to-ubuntu.md) server
+  - Deploy to your own [Ubuntu](deploy-to-ubuntu.md) server, and road warrior setup
  - Deploy to an [unsupported cloud provider](deploy-to-unsupported-cloud.md)
 * [FAQ](faq.md)
 * [Firewalls](firewalls.md)
--- a/input.yml
+++ b/input.yml
@ -21,7 +21,7 @@
      - { name: Scaleway, alias: scaleway}
      - { name: OpenStack (DreamCompute optimised), alias: openstack }
      - { name: CloudStack (Exoscale optimised), alias: cloudstack }
-      - { name: Install to existing Ubuntu 18.04, 19.04, or 19.10 server (Advanced), alias: local }
+      - { name: "Install to existing Ubuntu 18.04, 19.04, or 19.10 server (Advanced)", alias: local }
  vars_files:
    - config.cfg