Merge branch 'master' of github.com:trailofbits/algo

README.md

@@ -93,11 +93,13 @@ WireGuard is used to provide VPN services on Apple devices. Algo generates a Wir
 
 On iOS, install the [WireGuard](https://itunes.apple.com/us/app/wireguard/id1441195209?mt=8) app from the iOS App Store. Then, use the WireGuard app to scan the QR code or AirDrop the configuration file to the device.
 
-On macOS Mojave or later, install the [WireGuard](https://itunes.apple.com/us/app/wireguard/id1451685025?mt=12) app from the Mac App Store. WireGuard will appear in the menu bar once you run the app. Click on the WireGuard icon, choose **Import tunnel(s) from file...**, then select the appropriate WireGuard configuration file. Enable "Connect on Demand" by editing the tunnel configuration in the WireGuard app.
+On macOS Mojave or later, install the [WireGuard](https://itunes.apple.com/us/app/wireguard/id1451685025?mt=12) app from the Mac App Store. WireGuard will appear in the menu bar once you run the app. Click on the WireGuard icon, choose **Import tunnel(s) from file...**, then select the appropriate WireGuard configuration file. 
+
+On either iOS or macOS, you can enable "Connect on Demand" and/or exclude certain trusted Wi-Fi networks (such as your home or work) by editing the tunnel configuration in the WireGuard app. (Algo can't do this automatically for you.) 
 
 Installing WireGuard is a little more complicated on older version of macOS. See [Using macOS as a Client with WireGuard](docs/client-macos-wireguard.md).
 
-If you prefer to use the built-in IPSEC VPN on Apple devices, then see [Using Apple Devices as a Client with IPSEC](docs/client-apple-ipsec.md).
+If you prefer to use the built-in IPSEC VPN on Apple devices, or need "Connect on Demand" or excluded Wi-Fi networks automatically configured, then see [Using Apple Devices as a Client with IPSEC](docs/client-apple-ipsec.md).
 
 ### Android Devices
 

config.cfg

@@ -70,9 +70,7 @@ reduce_mtu: 0
 # If you load very large blocklists, you may also have to modify resource limits:
 # /etc/systemd/system/dnsmasq.service.d/100-CustomLimitations.conf
 adblock_lists:
- - "http://winhelp2002.mvps.org/hosts.txt"
- - "https://adaway.org/hosts.txt"
- - "https://www.malwaredomainlist.com/hostslist/hosts.txt"
+ - "https://raw.githubusercontent.com/StevenBlack/hosts/master/hosts"
  - "https://hosts-file.net/ad_servers.txt"
 
 # Enable DNS encryption.

docs/deploy-from-script-or-cloud-init-to-localhost.md

@@ -8,7 +8,7 @@ You can copy-paste the snippet below to the user data (cloud-init or startup scr
 
 ```
 #!/bin/bash
-curl -s https://raw.githubusercontent.com/trailofbits/algo/master/install.sh | sudo bash -x
+curl -s https://raw.githubusercontent.com/trailofbits/algo/master/install.sh | sudo -E bash -x
 ```
 The command will prepare the environment and install AlgoVPN with default parameters. If you want to modify the behaviour you may define additional variables.
 
@@ -19,15 +19,15 @@ The command will prepare the environment and install AlgoVPN with default parame
 `ONDEMAND_WIFI` - "Connect On Demand" when connected to Wi-Fi. Default: false  
 `ONDEMAND_WIFI_EXCLUDE` - List the names of any trusted Wi-Fi networks where macOS/iOS IPsec clients should not use "Connect On Demand". Comma-separated list.  
 `WINDOWS` - To support Windows 10 or Linux Desktop clients. Default: false  
-`STORE_CAKEY` - To retain the CA key. (required to add users in the future, but less secure). Default: false
-`LOCAL_DNS` - To install an ad blocking DNS resolver. Default: false
+`STORE_CAKEY` - To retain the CA key. (required to add users in the future, but less secure). Default: false.   
+`LOCAL_DNS` - To install an ad blocking DNS resolver. Default: false.   
 `SSH_TUNNELING` -  Enable SSH tunneling for each user. Default: false  
 `ENDPOINT` - The public IP address or domain name of your server: (IMPORTANT! This is used to verify the certificate). It will be gathered automatically for DigitalOcean, AWS, GCE or Azure if the `METHOD` is cloud. Otherwise you need to define this variable according to your public IP address.  
 `USERS` - list of VPN users. Comma-separated list.  
-`REPO_SLUG` - Owner and repository that used to get the installation scripts from. Default: trailofbits/algo
-`REPO_BRANCH` - Branch for `REPO_SLUG`. Default: master
+`REPO_SLUG` - Owner and repository that used to get the installation scripts from. Default: trailofbits/algo.   
+`REPO_BRANCH` - Branch for `REPO_SLUG`. Default: master.  
 `EXTRA_VARS` - Additional extra variables.  
-`ANSIBLE_EXTRA_ARGS` - Any available ansible parameters. ie: `--skip-tags apparmor`
+`ANSIBLE_EXTRA_ARGS` - Any available ansible parameters. ie: `--skip-tags apparmor`.   
 
 ## Examples
 
@@ -38,7 +38,7 @@ The command will prepare the environment and install AlgoVPN with default parame
 export ONDEMAND_CELLULAR=true
 export WINDOWS=true
 export SSH_TUNNELING=true
-curl -s https://raw.githubusercontent.com/trailofbits/algo/master/install.sh | sudo bash -x
+curl -s https://raw.githubusercontent.com/trailofbits/algo/master/install.sh | sudo -E bash -x
 ```
 
 ##### How to deploy locally without using cloud-init
@@ -46,7 +46,7 @@ curl -s https://raw.githubusercontent.com/trailofbits/algo/master/install.sh | s
 ```
 export METHOD=local
 export ONDEMAND_CELLULAR=true
-curl -s https://raw.githubusercontent.com/trailofbits/algo/master/install.sh | sudo bash -x
+curl -s https://raw.githubusercontent.com/trailofbits/algo/master/install.sh | sudo -E bash -x
 ```
 
 ##### How to deploy a server using arguments
@@ -54,5 +54,5 @@ curl -s https://raw.githubusercontent.com/trailofbits/algo/master/install.sh | s
 The arguments order as per [variables](#variables) above
 
 ```
-curl -s https://raw.githubusercontent.com/trailofbits/algo/master/install.sh | sudo bash -x -s local true false _null true true true true myvpnserver.com
+curl -s https://raw.githubusercontent.com/trailofbits/algo/master/install.sh | sudo -E bash -x -s local true false _null true true true true myvpnserver.com
 ```

install.sh

@@ -50,7 +50,7 @@ getAlgo() {
 publicIpFromInterface() {
   echo "Couldn't find a valid ipv4 address, using the first IP found on the interfaces as the endpoint."
   DEFAULT_INTERFACE="$(ip -4 route list match default | grep -Eo "dev .*" | awk '{print $2}')"
-  ENDPOINT=$(ip -4 addr sh dev eth0 | grep -w inet | head -n1 | awk '{print $2}' | grep -oE '\b([0-9]{1,3}\.){3}[0-9]{1,3}\b')
+  ENDPOINT=$(ip -4 addr sh dev $DEFAULT_INTERFACE | grep -w inet | head -n1 | awk '{print $2}' | grep -oE '\b([0-9]{1,3}\.){3}[0-9]{1,3}\b')
   export ENDPOINT=$ENDPOINT
   echo "Using ${ENDPOINT} as the endpoint"
 }

roles/strongswan/tasks/openssl.yml

@@ -151,6 +151,23 @@
     with_items: "{{ users }}"
     register: p12
 
+  - name: Build the client's p12 with the CA cert included
+    shell: >
+      umask 077;
+      {{ openssl_bin }} pkcs12
+      -in certs/{{ item }}.crt
+      -inkey private/{{ item }}.key
+      -export
+      -name {{ item }}
+      -out private/{{ item }}_ca.p12
+      -certfile cacert.pem
+      -passout pass:"{{ p12_export_password }}"
+    args:
+      chdir: "{{ ipsec_pki_path }}"
+      executable: bash
+    with_items: "{{ users }}"
+    register: p12
+
   - name: Copy the p12 certificates
     copy:
       src: "{{ ipsec_pki_path }}/private/{{ item }}.p12"
@@ -209,3 +226,13 @@
     - gencrl.changed
   notify:
     - rereadcrls
+
+- name: Delete the CA key
+  local_action:
+    module: file
+    path: "{{ ipsec_pki_path }}/private/cakey.pem"
+    state: absent
+  become: false
+  when:
+    - ipsec_enabled
+    - not algo_store_cakey

server.yml

@@ -37,16 +37,6 @@
         tags: ssh_tunneling
 
       - block:
-        - name: Delete the CA key
-          local_action:
-            module: file
-            path: "{{ ipsec_pki_path }}/private/cakey.pem"
-            state: absent
-          become: false
-          when:
-            - ipsec_enabled
-            - not algo_store_cakey
-
         - name: Dump the configuration
           local_action:
             module: copy