diff --git a/README.md b/README.md index c4016c85..40da8bd5 100644 --- a/README.md +++ b/README.md @@ -93,11 +93,13 @@ WireGuard is used to provide VPN services on Apple devices. Algo generates a Wir On iOS, install the [WireGuard](https://itunes.apple.com/us/app/wireguard/id1441195209?mt=8) app from the iOS App Store. Then, use the WireGuard app to scan the QR code or AirDrop the configuration file to the device. -On macOS Mojave or later, install the [WireGuard](https://itunes.apple.com/us/app/wireguard/id1451685025?mt=12) app from the Mac App Store. WireGuard will appear in the menu bar once you run the app. Click on the WireGuard icon, choose **Import tunnel(s) from file...**, then select the appropriate WireGuard configuration file. Enable "Connect on Demand" by editing the tunnel configuration in the WireGuard app. +On macOS Mojave or later, install the [WireGuard](https://itunes.apple.com/us/app/wireguard/id1451685025?mt=12) app from the Mac App Store. WireGuard will appear in the menu bar once you run the app. Click on the WireGuard icon, choose **Import tunnel(s) from file...**, then select the appropriate WireGuard configuration file. + +On either iOS or macOS, you can enable "Connect on Demand" and/or exclude certain trusted Wi-Fi networks (such as your home or work) by editing the tunnel configuration in the WireGuard app. (Algo can't do this automatically for you.) Installing WireGuard is a little more complicated on older version of macOS. See [Using macOS as a Client with WireGuard](docs/client-macos-wireguard.md). -If you prefer to use the built-in IPSEC VPN on Apple devices, then see [Using Apple Devices as a Client with IPSEC](docs/client-apple-ipsec.md). +If you prefer to use the built-in IPSEC VPN on Apple devices, or need "Connect on Demand" or excluded Wi-Fi networks automatically configured, then see [Using Apple Devices as a Client with IPSEC](docs/client-apple-ipsec.md). ### Android Devices 
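Review bot: the new paragraph's parenthetical "(Algo can't do this automatically for you.)" is true only for the WireGuard profiles, and the IPSEC sentence two paragraphs later says the opposite for IPsec; qualify it as "Algo can't do this automatically for WireGuard" so the two statements do not read as contradictory. While this hunk touches the surrounding text, the context line "older version of macOS" should read "older versions of macOS".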
@@ -247,4 +249,4 @@ All donations support continued development. Thanks! * Use our [referral code](https://m.do.co/c/4d7f4ff9cfe4) when you sign up to Digital Ocean for a $10 credit. * We also accept and appreciate contributions of new code and bugfixes via Github Pull Requests. -Algo is licensed and distributed under the AGPLv3. If you want to distribute a closed-source modification or service based on Algo, then please consider purchasing an exception . As with the methods above, this will help support continued development. \ No newline at end of file +Algo is licensed and distributed under the AGPLv3. If you want to distribute a closed-source modification or service based on Algo, then please consider purchasing an exception . As with the methods above, this will help support continued development. diff --git a/config.cfg b/config.cfg index 16411cf0..a652749f 100644 --- a/config.cfg +++ b/config.cfg @@ -70,9 +70,7 @@ reduce_mtu: 0 # If you load very large blocklists, you may also have to modify resource limits: # /etc/systemd/system/dnsmasq.service.d/100-CustomLimitations.conf adblock_lists: - - "http://winhelp2002.mvps.org/hosts.txt" - - "https://adaway.org/hosts.txt" - - "https://www.malwaredomainlist.com/hostslist/hosts.txt" + - "https://raw.githubusercontent.com/StevenBlack/hosts/master/hosts" - "https://hosts-file.net/ad_servers.txt" # Enable DNS encryption. diff --git a/docs/deploy-from-script-or-cloud-init-to-localhost.md b/docs/deploy-from-script-or-cloud-init-to-localhost.md index 7a99d6b2..6070562c 100644 --- a/docs/deploy-from-script-or-cloud-init-to-localhost.md +++ b/docs/deploy-from-script-or-cloud-init-to-localhost.md 
@@ -8,7 +8,7 @@ You can copy-paste the snippet below to the user data (cloud-init or startup scr ``` #!/bin/bash -curl -s https://raw.githubusercontent.com/trailofbits/algo/master/install.sh | sudo bash -x +curl -s https://raw.githubusercontent.com/trailofbits/algo/master/install.sh | sudo -E bash -x ``` The command will prepare the environment and install AlgoVPN with default parameters. If you want to modify the behaviour you may define additional variables. 
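Review bot: the switch to `sudo -E` is needed so the `export METHOD=...` style variables in the examples reach `install.sh`, but the docs do not say so; add a sentence explaining that `-E` preserves the caller's environment, and that it fails with "not allowed to preserve the environment" where the sudoers policy sets `env_reset` without `SETENV`. Separately, `curl -s` hides transport and HTTP errors, so a failed download pipes an empty body into `sudo -E bash -x` and exits silently; `curl -fsSL` makes the pipeline fail visibly instead.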
@@ -19,15 +19,15 @@ The command will prepare the environment and install AlgoVPN with default parame `ONDEMAND_WIFI` - "Connect On Demand" when connected to Wi-Fi. Default: false `ONDEMAND_WIFI_EXCLUDE` - List the names of any trusted Wi-Fi networks where macOS/iOS IPsec clients should not use "Connect On Demand". Comma-separated list. `WINDOWS` - To support Windows 10 or Linux Desktop clients. Default: false -`STORE_CAKEY` - To retain the CA key. (required to add users in the future, but less secure). Default: false -`LOCAL_DNS` - To install an ad blocking DNS resolver. Default: false +`STORE_CAKEY` - To retain the CA key. (required to add users in the future, but less secure). Default: false. +`LOCAL_DNS` - To install an ad blocking DNS resolver. Default: false. `SSH_TUNNELING` - Enable SSH tunneling for each user. Default: false `ENDPOINT` - The public IP address or domain name of your server: (IMPORTANT! This is used to verify the certificate). It will be gathered automatically for DigitalOcean, AWS, GCE or Azure if the `METHOD` is cloud. Otherwise you need to define this variable according to your public IP address. -`USERS` - list of VPN users. Comma-separated list. -`REPO_SLUG` - Owner and repository that used to get the installation scripts from. Default: trailofbits/algo -`REPO_BRANCH` - Branch for `REPO_SLUG`. Default: master -`EXTRA_VARS` - Additional extra variables. -`ANSIBLE_EXTRA_ARGS` - Any available ansible parameters. ie: `--skip-tags apparmor` +`USERS` - list of VPN users. Comma-separated list. +`REPO_SLUG` - Owner and repository that used to get the installation scripts from. Default: trailofbits/algo. +`REPO_BRANCH` - Branch for `REPO_SLUG`. Default: master. +`EXTRA_VARS` - Additional extra variables. +`ANSIBLE_EXTRA_ARGS` - Any available ansible parameters. ie: `--skip-tags apparmor`. ## Examples 
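Review bot: the trailing-period changes are inconsistent within the hunk: `STORE_CAKEY`, `LOCAL_DNS`, `REPO_SLUG`, `REPO_BRANCH` and `ANSIBLE_EXTRA_ARGS` gain a period, but `ONDEMAND_WIFI`, `WINDOWS`, `SSH_TUNNELING` and `USERS` in the same list still have none. Since these lines are being edited anyway, also fix "that used to get the installation scripts from" to "that is used to get the installation scripts from" and "ie:" to "e.g.".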
@@ -38,7 +38,7 @@ The command will prepare the environment and install AlgoVPN with default parame export ONDEMAND_CELLULAR=true export WINDOWS=true export SSH_TUNNELING=true -curl -s https://raw.githubusercontent.com/trailofbits/algo/master/install.sh | sudo bash -x +curl -s https://raw.githubusercontent.com/trailofbits/algo/master/install.sh | sudo -E bash -x ``` ##### How to deploy locally without using cloud-init @@ -46,7 +46,7 @@ curl -s https://raw.githubusercontent.com/trailofbits/algo/master/install.sh | s ``` export METHOD=local export ONDEMAND_CELLULAR=true -curl -s https://raw.githubusercontent.com/trailofbits/algo/master/install.sh | sudo bash -x +curl -s https://raw.githubusercontent.com/trailofbits/algo/master/install.sh | sudo -E bash -x ``` ##### How to deploy a server using arguments @@ -54,5 +54,5 @@ curl -s https://raw.githubusercontent.com/trailofbits/algo/master/install.sh | s The arguments order as per [variables](#variables) above ``` -curl -s https://raw.githubusercontent.com/trailofbits/algo/master/install.sh | sudo bash -x -s local true false _null true true true true myvpnserver.com +curl -s https://raw.githubusercontent.com/trailofbits/algo/master/install.sh | sudo -E bash -x -s local true false _null true true true true myvpnserver.com ``` diff --git a/install.sh b/install.sh index 248f3784..ed385e73 100644 --- a/install.sh +++ b/install.sh @@ -50,7 +50,7 @@ getAlgo() { publicIpFromInterface() { echo "Couldn't find a valid ipv4 address, using the first IP found on the interfaces as the endpoint." DEFAULT_INTERFACE="$(ip -4 route list match default | grep -Eo "dev .*" | awk '{print $2}')" - ENDPOINT=$(ip -4 addr sh dev eth0 | grep -w inet | head -n1 | awk '{print $2}' | grep -oE '\b([0-9]{1,3}\.){3}[0-9]{1,3}\b') + ENDPOINT=$(ip -4 addr sh dev $DEFAULT_INTERFACE | grep -w inet | head -n1 | awk '{print $2}' | grep -oE '\b([0-9]{1,3}\.){3}[0-9]{1,3}\b') export ENDPOINT=$ENDPOINT echo "Using ${ENDPOINT} as the endpoint" } 
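Review bot: in `publicIpFromInterface()` the new `$DEFAULT_INTERFACE` is unquoted and has no empty check; on a host with no IPv4 default route the `ip -4 route list match default` pipeline yields an empty string, `ip -4 addr sh dev` then errors, and `ENDPOINT` is exported empty, which matters because the docs state this value is what the certificate is verified against. Quote it as `"$DEFAULT_INTERFACE"` and fail early with a clear message when it or `ENDPOINT` is empty rather than continuing with a blank endpoint.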
diff --git a/roles/strongswan/tasks/openssl.yml b/roles/strongswan/tasks/openssl.yml index 694bb83c..fd38611a 100644 --- a/roles/strongswan/tasks/openssl.yml +++ b/roles/strongswan/tasks/openssl.yml @@ -151,6 +151,23 @@ with_items: "{{ users }}" register: p12 + - name: Build the client's p12 with the CA cert included + shell: > + umask 077; + {{ openssl_bin }} pkcs12 + -in certs/{{ item }}.crt + -inkey private/{{ item }}.key + -export + -name {{ item }} + -out private/{{ item }}_ca.p12 + -certfile cacert.pem + -passout pass:"{{ p12_export_password }}" + args: + chdir: "{{ ipsec_pki_path }}" + executable: bash + with_items: "{{ users }}" + register: p12 + - name: Copy the p12 certificates copy: src: "{{ ipsec_pki_path }}/private/{{ item }}.p12" @@ -209,3 +226,13 @@ - gencrl.changed notify: - rereadcrls + +- name: Delete the CA key + local_action: + module: file + path: "{{ ipsec_pki_path }}/private/cakey.pem" + state: absent + become: false + when: + - ipsec_enabled + - not algo_store_cakey diff --git a/server.yml b/server.yml index 40326830..349150cb 100644 --- a/server.yml +++ b/server.yml @@ -37,16 +37,6 @@ tags: ssh_tunneling - block: - - name: Delete the CA key - local_action: - module: file - path: "{{ ipsec_pki_path }}/private/cakey.pem" - state: absent - become: false - when: - - ipsec_enabled - - not algo_store_cakey - - name: Dump the configuration local_action: module: copy
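Review bot: in the `config.cfg` hunk, the replacement blocklist is fetched from the `master` branch of `StevenBlack/hosts`, so its contents change between deploys with no pinning or checksum, and the comment just above about resource limits for very large blocklists now applies by default, since the unified list is considerably larger than the three it replaces; note both points in the comment and record the removed lists (winhelp2002, adaway, malwaredomainlist) in the changelog so users who relied on them are not surprised.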
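Review bot: in the `openssl.yml` hunk at `@@ -151`, the new "Build the client's p12 with the CA cert included" task reuses `register: p12`, overwriting the result of the preceding task that also registers `p12`, so anything downstream that inspects `p12.changed` or `p12.results` now sees only the `_ca.p12` run; register it under a distinct name. The export password is passed as `-passout pass:"{{ p12_export_password }}"` on the command line, where it is visible in the process table and in Ansible's task output; use `-passout env:` with an `environment:` entry, or at least add `no_log: true`. Also confirm the following "Copy the p12 certificates" task, which references only `{{ item }}.p12`, is extended to deliver the new `{{ item }}_ca.p12` file, otherwise it is generated but never copied.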
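Review bot: moving "Delete the CA key" from `server.yml` into `roles/strongswan/tasks/openssl.yml` changes when the key disappears: it now runs at the end of the strongswan openssl tasks instead of after the `ssh_tunneling` block near the end of the play, so verify that no task executed later in the play still reads `private/cakey.pem`. If the strongswan role is only included when IPsec is enabled, the `- ipsec_enabled` condition is now redundant and could be dropped; if it is not, keep it but add a comment explaining why the check lives inside the role.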
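Review bot: the `README.md` hunk at `@@ -247` only adds the missing trailing newline, but the line it rewrites still contains "purchasing an exception ." with a stray space before the period, which looks like a link whose target was lost; since the line is touched anyway, restore the link or remove the space.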