From 1a004e7c4b7e2abdd61b2977b42bd1abec5adb20 Mon Sep 17 00:00:00 2001 From: TC1977 <37350377+TC1977@users.noreply.github.com> Date: Tue, 8 Oct 2019 22:55:29 -0400 Subject: [PATCH 01/21] update variable name to store_pki --- docs/deploy-from-ansible.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/docs/deploy-from-ansible.md b/docs/deploy-from-ansible.md index fb9458a6f..0a0dc545e 100644 --- a/docs/deploy-from-ansible.md +++ b/docs/deploy-from-ansible.md @@ -31,7 +31,7 @@ See below for more information about variables and roles. - `ondemand_wifi_exclude` (Required if `ondemand_wifi` set) - WiFi networks to exclude from using the VPN. Comma-separated values - `dns_adblocking` - (Optional) Enables dnscrypt-proxy adblocking. Default: false - `ssh_tunneling` - (Optional) Enable SSH tunneling for each user. Default: false -- `store_cakey` - (Optional) Whether or not keep the CA key (required to add users in the future, but less secure). Default: false +- `store_pki` - (Optional) Whether or not keep the CA key (required to add users in the future, but less secure). Default: false If any of the above variables are unspecified, ansible will ask the user to input them. From 66da491b03437d33c419951889f81cd26ce164fb Mon Sep 17 00:00:00 2001 From: TC1977 <37350377+TC1977@users.noreply.github.com> Date: Tue, 8 Oct 2019 23:07:29 -0400 Subject: [PATCH 02/21] Document BetweenClients_DROP --- config.cfg | 5 ++++- 1 file changed, 4 insertions(+), 1 deletion(-) diff --git a/config.cfg b/config.cfg index 5cb3eaa2f..61b401afc 100644 --- a/config.cfg +++ b/config.cfg 
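Review bot: in the docs/deploy-from-ansible.md hunk of PATCH 01/21, the renamed `store_pki` entry still describes the option as "keep the CA key" and keeps the grammar slip "Whether or not keep"; since the README prompt quoted later in this series asks whether to "retain the keys (PKI)", suggest "- `store_pki` - (Optional) Whether or not to keep the PKI (CA key and certificates; required to add users in the future, but less secure). Default: false" so the variable name and its description agree.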
@@ -102,7 +102,10 @@ unattended_reboot: enabled: false time: 06:00 -# Block traffic between connected clients +# Block traffic between connected clients. Change this to false to enable +# connected clients to reach each other, as well as other computers on the +# same LAN as your Algo server (i.e. the "road warrior" setup). In this +# case, you may also want to enable SMB/CIFS and NETBIOS traffic below. BetweenClients_DROP: true # Block SMB/CIFS traffic From 7c67fc95b3dd4b205dd98967029efb64ca391946 Mon Sep 17 00:00:00 2001 From: TC1977 <37350377+TC1977@users.noreply.github.com> Date: Tue, 8 Oct 2019 23:11:58 -0400 Subject: [PATCH 03/21] Update README.md --- README.md | 5 ++--- 1 file changed, 2 insertions(+), 3 deletions(-) diff --git a/README.md b/README.md index 7717d468a..71f0b66fd 100644 --- a/README.md +++ b/README.md @@ -4,7 +4,7 @@ [![Twitter](https://img.shields.io/twitter/url/https/twitter.com/fold_left.svg?style=social&label=Follow%20%40AlgoVPN)](https://twitter.com/AlgoVPN) [![TravisCI Status](https://api.travis-ci.org/trailofbits/algo.svg?branch=master)](https://travis-ci.org/trailofbits/algo) -Algo VPN is a set of Ansible scripts that simplify the setup of a personal Wireguard and IPSEC VPN. It uses the most secure defaults available, works with common cloud providers, and does not require client software on most devices. See our [release announcement](https://blog.trailofbits.com/2016/12/12/meet-algo-the-vpn-that-works/) for more information. +Algo VPN is a set of Ansible scripts that simplify the setup of a personal Wireguard and IPSEC VPN. It uses the most secure defaults available and works with common cloud providers. See our [release announcement](https://blog.trailofbits.com/2016/12/12/meet-algo-the-vpn-that-works/) for more information. ## Features 
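Review bot: in the config.cfg hunk of PATCH 02/21, "i.e." should be "e.g.", since the road-warrior setup is one example of why someone would disable the block, and the comment understates the effect of `BetweenClients_DROP: false`: every client you hand a config to can then reach every other client and the server's LAN, and the FAQ text in PATCH 04/21 says options like this are fixed at initial deployment. Suggest appending "This applies to all clients and cannot be changed after deployment." to the comment.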
@@ -21,7 +21,6 @@ Algo VPN is a set of Ansible scripts that simplify the setup of a personal Wireg * Does not support legacy cipher suites or protocols like L2TP, IKEv1, or RSA * Does not install Tor, OpenVPN, or other risky servers * Does not depend on the security of [TLS](https://tools.ietf.org/html/rfc7457) -* Does not require client software on most platforms * Does not claim to provide anonymity or censorship avoidance * Does not claim to protect you from the [FSB](https://en.wikipedia.org/wiki/Federal_Security_Service), [MSS](https://en.wikipedia.org/wiki/Ministry_of_State_Security_(China)), [DGSE](https://en.wikipedia.org/wiki/Directorate-General_for_External_Security), or [FSM](https://en.wikipedia.org/wiki/Flying_Spaghetti_Monster) 
@@ -71,7 +70,7 @@ The easiest way to get an Algo server running is to run it on your local system ``` On Fedora add the option `--system-site-packages` to the first command above. On macOS install the C compiler if prompted. -5. **List the users to create.** Open the file `config.cfg` in your favorite text editor. Specify the users you wish to create in the `users` list. Create a unique user for each device you plan to connect to your VPN. If you want to be able to add or delete users later, you **must** select `yes` at the `Do you want to retain the keys (PKI)?` prompt during the deployment. +5. **Set your configuration options.** Open the file `config.cfg` in your favorite text editor. Specify the users you wish to create in the `users` list. Create a unique user for each device you plan to connect to your VPN. If you want to be able to add or delete users later, you **must** select `yes` at the `Do you want to retain the keys (PKI)?` prompt during the deployment. You should also review the other options before deployment, as changing your mind about them later [may require you to deploy a brand new server](https://github.com/trailofbits/algo/blob/master/docs/faq.md#i-deployed-an-algo-server-can-you-update-it-with-new-features). 6. **Start the deployment.** Return to your terminal. In the Algo directory, run `./algo` and follow the instructions. There are several optional features available. None are required for a fully functional VPN server. These optional features are described in greater detail in [here](docs/deploy-from-ansible.md). From 450b1ab93c5cffd354b005ce662c8d27b417c355 Mon Sep 17 00:00:00 2001 From: TC1977 <37350377+TC1977@users.noreply.github.com> Date: Tue, 8 Oct 2019 23:15:14 -0400 Subject: [PATCH 04/21] Update faq.md --- docs/faq.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/docs/faq.md b/docs/faq.md index 69d4d613e..583c01535 100644 --- a/docs/faq.md +++ b/docs/faq.md 
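Review bot: in the README step 5 hunk of PATCH 03/21, readers are told they **must** select `yes` at the retain-PKI prompt without the trade-off that docs/deploy-from-ansible.md states for the same option ("required to add users in the future, but less secure"). One sentence here, e.g. "Retaining the PKI keeps the CA private key around after deployment, so protect the directory it is stored in", would let readers make the choice the prompt asks of them instead of following a bare "must".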
@@ -46,7 +46,7 @@ No. By design, the Algo development team has no access to any Algo server that o As a result, once your Algo server has been deployed, it is yours to maintain. If you want to take advantage of new features available in the current release of Algo, then you have two options. You can use the [SSH administrative interface](/README.md#ssh-into-algo-server) to make the changes you want on your own or you can shut down the server and deploy a new one (recommended). -In the future, we will make it easier for users who want to update their own servers by providing official releases of Algo. Each official release will summarize the changes from the last release to make it easier to follow along with them. +As an extension of this rationale, most configuration options (other than users) available in `config.cfg` can only be set at the time of initial deployment. ## Where did the name "Algo" come from? From 38b4a4f0914095a8b32278ba7fc1dead24a0e1c5 Mon Sep 17 00:00:00 2001 From: TC1977 <37350377+TC1977@users.noreply.github.com> Date: Tue, 8 Oct 2019 23:41:09 -0400 Subject: [PATCH 05/21] VPN On Demand is for Apple IPSEC clients only --- docs/deploy-from-ansible.md | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/docs/deploy-from-ansible.md b/docs/deploy-from-ansible.md index 0a0dc545e..ffc52171d 100644 --- a/docs/deploy-from-ansible.md +++ b/docs/deploy-from-ansible.md 
@@ -26,8 +26,8 @@ See below for more information about variables and roles. - `provider` - (Required) The provider to use. See possible values below - `server_name` - (Required) Server name. Default: algo -- `ondemand_cellular` (Optional) VPN On Demand when connected to cellular networks with IPsec. Default: false -- `ondemand_wifi` - (Optional. See `ondemand_wifi_exclude`) VPN On Demand when connected to WiFi networks with IPsec. Default: false +- `ondemand_cellular` (Optional) Enables VPN On Demand when connected to cellular networks for iOS/macOS clients using IPsec. Default: false +- `ondemand_wifi` - (Optional. See `ondemand_wifi_exclude`) Enables VPN On Demand when connected to WiFi networks for iOS/macOS clients using IPsec. Default: false - `ondemand_wifi_exclude` (Required if `ondemand_wifi` set) - WiFi networks to exclude from using the VPN. Comma-separated values - `dns_adblocking` - (Optional) Enables dnscrypt-proxy adblocking. Default: false - `ssh_tunneling` - (Optional) Enable SSH tunneling for each user. Default: false From 1e384a54d50133c6d2a7b6a26e1052f33731067a Mon Sep 17 00:00:00 2001 From: TC1977 <37350377+TC1977@users.noreply.github.com> Date: Tue, 8 Oct 2019 23:45:47 -0400 Subject: [PATCH 06/21] How to update users from cloud-init --- docs/deploy-from-script-or-cloud-init-to-localhost.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/docs/deploy-from-script-or-cloud-init-to-localhost.md b/docs/deploy-from-script-or-cloud-init-to-localhost.md index fb1ca1521..e0bc4ac38 100644 --- a/docs/deploy-from-script-or-cloud-init-to-localhost.md +++ b/docs/deploy-from-script-or-cloud-init-to-localhost.md 
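Review bot: in the PATCH 05/21 hunk, the `ondemand_cellular` and `ondemand_wifi_exclude` entries still lack the " - " separator that `server_name`, `ondemand_wifi`, `dns_adblocking` and the other entries use, so the list renders inconsistently; while these lines are being rewritten, suggest "- `ondemand_cellular` - (Optional) Enables VPN On Demand ..." and "- `ondemand_wifi_exclude` - (Required if `ondemand_wifi` set) ..." to match.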
@@ -2,7 +2,7 @@ You can use `install.sh` to prepare the environment and deploy AlgoVPN on the local Ubuntu server in one shot using cloud-init, or run the script directly on the server after it's been created. -The script doesn't configure any parameters in your cloud, so it's on your own to configure related [firewall rules](/docs/firewalls.md), a floating ip address and other resources you may need. The output of the install script (including the p12 and CA passwords) and user config files will be installed into the `/opt/algo` directory. +The script doesn't configure any parameters in your cloud, so you're on your own to configure related [firewall rules](/docs/firewalls.md), a floating IP address and other resources you may need. The output of the install script (including the p12 and CA passwords) and user config files will be installed into the `/opt/algo` directory. If you need to update users later, change the user list in `/opt/algo/config.cfg` and run `./algo update-users` from that directory. ## Cloud init deployment From de7bf3eb9d8f00e9b887079da432fb84253d324a Mon Sep 17 00:00:00 2001 From: TC1977 <37350377+TC1977@users.noreply.github.com> Date: Wed, 9 Oct 2019 00:12:49 -0400 Subject: [PATCH 07/21] How to monitor user activity --- docs/faq.md | 5 +++++ 1 file changed, 5 insertions(+) diff --git a/docs/faq.md b/docs/faq.md index 583c01535..3cb3a860c 100644 --- a/docs/faq.md +++ b/docs/faq.md @@ -11,6 +11,7 @@ * [Can DNS filtering be disabled?](#can-dns-filtering-be-disabled) * [Wasn't IPSEC backdoored by the US government?](#wasnt-ipsec-backdoored-by-the-us-government) * [What inbound ports are used?](#what-inbound-ports-are-used) +* [How do I monitor user activity?](#how-do-i-monitor-user-activity) ## Has Algo been audited? 
@@ -79,3 +80,7 @@ No. ## What inbound ports are used? You should only need 22/TCP, 500/UDP, 4500/UDP, and 51820/UDP opened on any firewall that sits between your clients and your Algo server. See [AlgoVPN and Firewalls](/docs/firewalls.md) for more information. + +## How do I monitor user activity? + +Your Algo server will track IPsec client logins by default in `/var/log/syslog`. This will give you client names, date/time of connection and reconnection, and what IP addresses they're connecting from. This can be disabled entirely by setting `strongswan_log_level` to `-1` in `config.cfg`. Wireguard doesn't save any logs, but entering `sudo wg` on the server will give you the last endpoint and contact time of each client. Disabling this is [paradoxically difficult](https://git.zx2c4.com/blind-operator-mode/about/). There isn't any out-of-the-box way to monitor actual user _activity_ (e.g. websites browsed, etc.) From bc6b37042805765746910a9fa90b5518c2760535 Mon Sep 17 00:00:00 2001 From: TC1977 <37350377+TC1977@users.noreply.github.com> Date: Wed, 9 Oct 2019 00:24:02 -0400 Subject: [PATCH 08/21] Fix typo --- docs/faq.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/docs/faq.md b/docs/faq.md index 3cb3a860c..5add6372b 100644 --- a/docs/faq.md +++ b/docs/faq.md 
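Review bot: in the "How do I monitor user activity?" hunk of PATCH 07/21, the last sentence is missing its closing period, and the advice to set `strongswan_log_level` to `-1` needs a caveat: level -1 makes strongSwan completely silent, so IKE errors and failed connection attempts stop appearing in `/var/log/syslog` as well, which makes later troubleshooting hard. Suggest saying so, and making clear that this is a `config.cfg` option chosen at deployment rather than a runtime switch, given the FAQ's own statement in PATCH 04/21 that most `config.cfg` options can only be set at initial deployment.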
@@ -43,7 +43,7 @@ Alpine Linux is not supported out-of-the-box by any major cloud provider. We are ## I deployed an Algo server. Can you update it with new features? -No. By design, the Algo development team has no access to any Algo server that our users haved deployed. We cannot modify the configuration, update the software, or sniff the traffic that goes through your personal Algo VPN server. This prevents scenarios where we are legally compelled or hacked to push down backdoored updates that surveil our users. +No. By design, the Algo development team has no access to any Algo server that our users have deployed. We cannot modify the configuration, update the software, or sniff the traffic that goes through your personal Algo VPN server. This prevents scenarios where we are legally compelled or hacked to push down backdoored updates that surveil our users. As a result, once your Algo server has been deployed, it is yours to maintain. If you want to take advantage of new features available in the current release of Algo, then you have two options. You can use the [SSH administrative interface](/README.md#ssh-into-algo-server) to make the changes you want on your own or you can shut down the server and deploy a new one (recommended). From 4cb505f64f4d09e7b784b4847e75418cd801e224 Mon Sep 17 00:00:00 2001 From: TC1977 <37350377+TC1977@users.noreply.github.com> Date: Wed, 9 Oct 2019 00:35:12 -0400 Subject: [PATCH 09/21] Update FAQ about WireGuard, fix typos --- docs/faq.md | 8 ++++---- 1 file changed, 4 insertions(+), 4 deletions(-) diff --git a/docs/faq.md b/docs/faq.md index 5add6372b..45a1bf9b7 100644 --- a/docs/faq.md +++ b/docs/faq.md 
@@ -19,7 +19,7 @@ No. This project is under active development. We're happy to [accept and fix iss ## What's the current status of WireGuard? -[WireGuard is a work in progress](https://www.wireguard.com/#work-in-progress). It has undergone [substantial](https://www.wireguard.com/formal-verification/) security review, however, its authors are appropriately cautious about its safety and the protocol is subject to change. As a result, WireGuard does not yet have a "stable" 1.0 release. Releases are tagged with their build date -- "0.0.YYYYMMDD" -- and users should be advised to apply new updates when they are available. +[WireGuard is a work in progress](https://www.wireguard.com/#work-in-progress). It has undergone [substantial](https://www.wireguard.com/formal-verification/) security review, however, its authors are appropriately cautious about its safety and the protocol is subject to change. As a result, WireGuard does not yet have a "stable" 1.0 release. Releases are tagged with their build date -- "0.0.YYYYMMDD" -- and users should be advised to apply new updates when they are available. Your Algo server will automatically upgrade and restart WireGuard from the [official WireGuard PPA for Ubuntu] https://launchpad.net/~wireguard/+archive/ubuntu/wireguard by default. ## Why aren't you using Tor? 
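Review bot: in the first docs/faq.md hunk of PATCH 09/21, `[official WireGuard PPA for Ubuntu] https://launchpad.net/~wireguard/+archive/ubuntu/wireguard` is missing the parentheses around the URL and will not render as a link; PATCH 14/21 in this series fixes exactly this, so consider squashing that fix into this commit. It would also help to say that "upgrade and restart WireGuard" implies a brief drop of active tunnels at each upgrade, so users know to expect it.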
@@ -45,7 +45,7 @@ Alpine Linux is not supported out-of-the-box by any major cloud provider. We are No. By design, the Algo development team has no access to any Algo server that our users have deployed. We cannot modify the configuration, update the software, or sniff the traffic that goes through your personal Algo VPN server. This prevents scenarios where we are legally compelled or hacked to push down backdoored updates that surveil our users. -As a result, once your Algo server has been deployed, it is yours to maintain. If you want to take advantage of new features available in the current release of Algo, then you have two options. You can use the [SSH administrative interface](/README.md#ssh-into-algo-server) to make the changes you want on your own or you can shut down the server and deploy a new one (recommended). +As a result, once your Algo server has been deployed, it is yours to maintain. It will use unattended-upgrades by default to apply security and feature updates to Ubuntu, as well as to the core VPN software of strongSwan, dnscrypt-proxy and WireGuard. However, if you want to take advantage of new features available in the current release of Algo, then you have two options. You can use the [SSH administrative interface](/README.md#ssh-into-algo-server) to make the changes you want on your own or you can shut down the server and deploy a new one (recommended). As an extension of this rationale, most configuration options (other than users) available in `config.cfg` can only be set at the time of initial deployment. 
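Review bot: in the second docs/faq.md hunk of PATCH 09/21, "apply security and feature updates to Ubuntu, as well as to the core VPN software of strongSwan, dnscrypt-proxy and WireGuard" claims more than unattended-upgrades does by default: Ubuntu's stock configuration only enables the `-security` pocket, so feature updates from `-updates` or from the WireGuard and dnscrypt-proxy PPAs are applied only if those origins are listed in `Unattended-Upgrade::Allowed-Origins`. Suggest either confirming that Algo's role adds those origins and saying so, or narrowing the sentence to "security updates".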
@@ -55,7 +55,7 @@ Algo is short for "Al Gore", the **V**ice **P**resident of **N**etworks everywhe ## Can DNS filtering be disabled? -You can temporarily disable DNS filtering for all IPsec clients at once with the following workaround: SSH to your Algo server (using the 'shell access' command printed upon a successful deployment), edit `/etc/ipsec.conf`, and change `rightdns=` to `rightdns=8.8.8.8`. Then run `sudo systemctl restart strongswan`. DNS filtering for Wireguard clients has to be disabled on each client device separately by modifying the settings in the app, or by directly modifying the `DNS` setting on the `clientname.conf` file. If all else fails, we recommend deploying a new Algo server without the adblocking feature enabled. +You can temporarily disable DNS filtering for all IPsec clients at once with the following workaround: SSH to your Algo server (using the 'shell access' command printed upon a successful deployment), edit `/etc/ipsec.conf`, and change `rightdns=` to `rightdns=8.8.8.8`. Then run `sudo systemctl restart strongswan`. DNS filtering for WireGuard clients has to be disabled on each client device separately by modifying the settings in the app, or by directly modifying the `DNS` setting on the `clientname.conf` file. If all else fails, we recommend deploying a new Algo server without the adblocking feature enabled. ## Wasn't IPSEC backdoored by the US government? 
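Review bot: in the "Can DNS filtering be disabled?" hunk of PATCH 09/21 the only change is the WireGuard capitalization, which is fine, but while the paragraph is being touched it should state what the workaround costs: `rightdns=8.8.8.8` sends every IPsec client's DNS queries from the server to Google's resolver as plain DNS, bypassing the dnscrypt-proxy encryption that the `dns_encryption` option in this series otherwise provides, and a hand edit of `/etc/ipsec.conf` is not reflected in `config.cfg`. A short "this also disables DNS encryption for those clients" would let readers weigh the trade-off.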
@@ -83,4 +83,4 @@ You should only need 22/TCP, 500/UDP, 4500/UDP, and 51820/UDP opened on any fire ## How do I monitor user activity? -Your Algo server will track IPsec client logins by default in `/var/log/syslog`. This will give you client names, date/time of connection and reconnection, and what IP addresses they're connecting from. This can be disabled entirely by setting `strongswan_log_level` to `-1` in `config.cfg`. Wireguard doesn't save any logs, but entering `sudo wg` on the server will give you the last endpoint and contact time of each client. Disabling this is [paradoxically difficult](https://git.zx2c4.com/blind-operator-mode/about/). There isn't any out-of-the-box way to monitor actual user _activity_ (e.g. websites browsed, etc.) +Your Algo server will track IPsec client logins by default in `/var/log/syslog`. This will give you client names, date/time of connection and reconnection, and what IP addresses they're connecting from. This can be disabled entirely by setting `strongswan_log_level` to `-1` in `config.cfg`. WireGuard doesn't save any logs, but entering `sudo wg` on the server will give you the last endpoint and contact time of each client. Disabling this is [paradoxically difficult](https://git.zx2c4.com/blind-operator-mode/about/). There isn't any out-of-the-box way to monitor actual user _activity_ (e.g. websites browsed, etc.) From dfae24fc8a8eca01fd53e77b69a2c357ee641404 Mon Sep 17 00:00:00 2001 From: TC1977 <37350377+TC1977@users.noreply.github.com> Date: Wed, 23 Oct 2019 00:44:21 -0400 Subject: [PATCH 10/21] Correct locations of install log and user configs --- docs/deploy-from-script-or-cloud-init-to-localhost.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/docs/deploy-from-script-or-cloud-init-to-localhost.md b/docs/deploy-from-script-or-cloud-init-to-localhost.md index e0bc4ac38..2ead3b025 100644 --- a/docs/deploy-from-script-or-cloud-init-to-localhost.md 
+++ b/docs/deploy-from-script-or-cloud-init-to-localhost.md @@ -2,7 +2,7 @@ You can use `install.sh` to prepare the environment and deploy AlgoVPN on the local Ubuntu server in one shot using cloud-init, or run the script directly on the server after it's been created. -The script doesn't configure any parameters in your cloud, so you're on your own to configure related [firewall rules](/docs/firewalls.md), a floating IP address and other resources you may need. The output of the install script (including the p12 and CA passwords) and user config files will be installed into the `/opt/algo` directory. If you need to update users later, change the user list in `/opt/algo/config.cfg` and run `./algo update-users` from that directory. +The script doesn't configure any parameters in your cloud, so you're on your own to configure related [firewall rules](/docs/firewalls.md), a floating IP address and other resources you may need. The output of the install script (including the p12 and CA passwords) can be found at `/var/log/algo.log`, and user config files will be installed into the `/opt/algo/configs/localhost` directory. If you need to update users later, change the user list in `/opt/algo/config.cfg` and run `./algo update-users` from that directory. ## Cloud init deployment From b9f40f80e8cecb1d06df9a07290ea90b6ab4bbf7 Mon Sep 17 00:00:00 2001 From: TC1977 <37350377+TC1977@users.noreply.github.com> Date: Wed, 23 Oct 2019 00:56:19 -0400 Subject: [PATCH 11/21] Update-users from cloud-init --- docs/deploy-from-script-or-cloud-init-to-localhost.md | 3 +-- 1 file changed, 1 insertion(+), 2 deletions(-) diff --git a/docs/deploy-from-script-or-cloud-init-to-localhost.md b/docs/deploy-from-script-or-cloud-init-to-localhost.md index 2ead3b025..3207f5fc8 100644 --- a/docs/deploy-from-script-or-cloud-init-to-localhost.md +++ b/docs/deploy-from-script-or-cloud-init-to-localhost.md 
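Review bot: in the PATCH 10/21 hunk, the corrected path places the p12 and CA passwords in `/var/log/algo.log`; a log file is an unusual home for credentials, so the doc should tell readers to check that only root can read it and to delete or move it once they have recorded the passwords, and should say whether log rotation will copy it elsewhere. Since `/opt/algo/configs/localhost` holds the client configs that are imported onto devices, it is worth adding that this directory must be treated as secret material as well.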
@@ -1,8 +1,7 @@ # Deploy from script or cloud-init You can use `install.sh` to prepare the environment and deploy AlgoVPN on the local Ubuntu server in one shot using cloud-init, or run the script directly on the server after it's been created. - -The script doesn't configure any parameters in your cloud, so you're on your own to configure related [firewall rules](/docs/firewalls.md), a floating IP address and other resources you may need. The output of the install script (including the p12 and CA passwords) can be found at `/var/log/algo.log`, and user config files will be installed into the `/opt/algo/configs/localhost` directory. If you need to update users later, change the user list in `/opt/algo/config.cfg` and run `./algo update-users` from that directory. +The script doesn't configure any parameters in your cloud, so you're on your own to configure related [firewall rules](/docs/firewalls.md), a floating IP address and other resources you may need. The output of the install script (including the p12 and CA passwords) can be found at `/var/log/algo.log`, and user config files will be installed into the `/opt/algo/configs/localhost` directory. If you need to update users later, `cd /opt/algo`, change the user list in `config.cfg`, install additional dependencies as in step 4 of the [main README](https://github.com/trailofbits/algo/blob/master/README.md), and run `./algo update-users` from that directory. ## Cloud init deployment From d14cb0d6e4ac315426e00f156dc4ae7a061628ef Mon Sep 17 00:00:00 2001 From: TC1977 <37350377+TC1977@users.noreply.github.com> Date: Wed, 23 Oct 2019 01:13:15 -0400 Subject: [PATCH 12/21] Update features list --- README.md | 8 +++++--- 1 file changed, 5 insertions(+), 3 deletions(-) diff --git a/README.md b/README.md index 71f0b66fd..34d013053 100644 --- a/README.md +++ b/README.md 
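Review bot: in the PATCH 11/21 hunk, the blank line between "You can use `install.sh` ..." and "The script doesn't configure ..." is deleted (the lone `-` line), so the two paragraphs will merge into one in rendered Markdown; restore the blank line so the hunk only rewrites the second paragraph. The added instruction to "install additional dependencies as in step 4 of the main README" is useful, but linking to that step's anchor rather than the README root would save readers a search.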
@@ -4,12 +4,14 @@ [![Twitter](https://img.shields.io/twitter/url/https/twitter.com/fold_left.svg?style=social&label=Follow%20%40AlgoVPN)](https://twitter.com/AlgoVPN) [![TravisCI Status](https://api.travis-ci.org/trailofbits/algo.svg?branch=master)](https://travis-ci.org/trailofbits/algo) -Algo VPN is a set of Ansible scripts that simplify the setup of a personal Wireguard and IPSEC VPN. It uses the most secure defaults available and works with common cloud providers. See our [release announcement](https://blog.trailofbits.com/2016/12/12/meet-algo-the-vpn-that-works/) for more information. +Algo VPN is a set of Ansible scripts that simplify the setup of a personal WireGuard and IPsec VPN. It uses the most secure defaults available and works with common cloud providers. See our [release announcement](https://blog.trailofbits.com/2016/12/12/meet-algo-the-vpn-that-works/) for more information. ## Features -* Supports only IKEv2 with strong crypto (AES-GCM, SHA2, and P-256) and [WireGuard](https://www.wireguard.com/) -* Generates Apple profiles to auto-configure iOS and macOS devices +* Supports only IKEv2 with strong crypto (AES-GCM, SHA2, and P-256) for iOS, macOS, and Linux +* Supports [WireGuard](https://www.wireguard.com/) for all of the above, in addition to Android and Windows 10 +* Generates .conf files and QR codes for iOS, macOS, Android, and Windows WireGuard clients +* Generates Apple profiles to auto-configure iOS and macOS devices for IPsec - no client software required * Includes a helper script to add and remove users * Blocks ads with a local DNS resolver (optional) * Sets up limited SSH users for tunneling traffic (optional) From c97c6d108db191830cb99aede956a9d326797516 Mon Sep 17 00:00:00 2001 From: TC1977 <37350377+TC1977@users.noreply.github.com> Date: Wed, 23 Oct 2019 01:19:37 -0400 Subject: [PATCH 13/21] More "IPsec" and "WireGuard" changes --- docs/index.md | 8 ++++---- 1 file changed, 4 insertions(+), 4 deletions(-) 
diff --git a/docs/index.md b/docs/index.md index 3b978dc96..e62f6dc8e 100644 --- a/docs/index.md +++ b/docs/index.md @@ -5,14 +5,14 @@ - Deploy from [Windows](deploy-from-windows.md) - Deploy from a [Docker container](deploy-from-docker.md) - Deploy from [Ansible](deploy-from-ansible.md) non-interactively - - Deploy onto a [cloud server at time of creation](deploy-from-script-or-cloud-init-to-localhost.md) + - Deploy onto a [cloud server at time of creation with shell script or cloud-init](deploy-from-script-or-cloud-init-to-localhost.md) * Client setup - Setup [Android](client-android.md) clients - Setup [Generic/Linux](client-linux.md) clients with Ansible - Setup Ubuntu clients to use [WireGuard](client-linux-wireguard.md) - - Setup Linux clients to use [IPSEC](client-linux-ipsec.md) - - Setup Apple devices to use [IPSEC](client-apple-ipsec.md) - - Setup Macs running macOS 10.13 or older to use [Wireguard](client-macos-wireguard.md) + - Setup Linux clients to use [IPsec](client-linux-ipsec.md) + - Setup Apple devices to use [IPsec](client-apple-ipsec.md) + - Setup Macs running macOS 10.13 or older to use [WireGuard](client-macos-wireguard.md) * Cloud provider setup - Configure [Amazon EC2](cloud-amazon-ec2.md) - Configure [Azure](cloud-azure.md) From fe4883873ec501df74f49a8f7bc5fbc72040185e Mon Sep 17 00:00:00 2001 From: TC1977 <37350377+TC1977@users.noreply.github.com> Date: Wed, 23 Oct 2019 01:25:05 -0400 Subject: [PATCH 14/21] fixed broken link/absent link in FAQ --- docs/faq.md | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/docs/faq.md b/docs/faq.md index 45a1bf9b7..2a377db8d 100644 --- a/docs/faq.md +++ b/docs/faq.md 
@@ -1,6 +1,7 @@ # FAQ * [Has Algo been audited?](#has-algo-been-audited) +* [What's the current status of WireGuard?](#whats-the-current-status-of-wireguard) * [Why aren't you using Tor?](#why-arent-you-using-tor) * [Why aren't you using Racoon, LibreSwan, or OpenSwan?](#why-arent-you-using-racoon-libreswan-or-openswan) * [Why aren't you using a memory-safe or verified IKE daemon?](#why-arent-you-using-a-memory-safe-or-verified-ike-daemon) @@ -19,7 +20,7 @@ No. This project is under active development. We're happy to [accept and fix iss ## What's the current status of WireGuard? -[WireGuard is a work in progress](https://www.wireguard.com/#work-in-progress). It has undergone [substantial](https://www.wireguard.com/formal-verification/) security review, however, its authors are appropriately cautious about its safety and the protocol is subject to change. As a result, WireGuard does not yet have a "stable" 1.0 release. Releases are tagged with their build date -- "0.0.YYYYMMDD" -- and users should be advised to apply new updates when they are available. Your Algo server will automatically upgrade and restart WireGuard from the [official WireGuard PPA for Ubuntu] https://launchpad.net/~wireguard/+archive/ubuntu/wireguard by default. +[WireGuard is a work in progress](https://www.wireguard.com/#work-in-progress). It has undergone [substantial](https://www.wireguard.com/formal-verification/) security review, however, its authors are appropriately cautious about its safety and the protocol is subject to change. As a result, WireGuard does not yet have a "stable" 1.0 release. Releases are tagged with their build date -- "0.0.YYYYMMDD" -- and users should be advised to apply new updates when they are available. Your Algo server will automatically upgrade and restart WireGuard from the [official WireGuard PPA for Ubuntu](https://launchpad.net/~wireguard/+archive/ubuntu/wireguard) by default. ## Why aren't you using Tor? 
From 5f5aac19cb90d40598c9323f86a8642048b5c88a Mon Sep 17 00:00:00 2001 From: TC1977 <37350377+TC1977@users.noreply.github.com> Date: Wed, 23 Oct 2019 14:18:13 -0400 Subject: [PATCH 15/21] Python version README fix for #1622 --- README.md | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/README.md b/README.md index 34d013053..0a7d0a382 100644 --- a/README.md +++ b/README.md @@ -38,12 +38,12 @@ The easiest way to get an Algo server running is to run it on your local system - Run the command `git clone https://github.com/trailofbits/algo.git` to create a directory named `algo` containing the Algo scripts. -3. **Install Algo's core dependencies.** Algo requires that **Python 3** and at least one supporting package are installed on your system. +3. **Install Algo's core dependencies.** Algo requires that **Python 3.6 or later** and at least one supporting package are installed on your system. - **macOS:** Apple does not provide Python 3 with macOS. There are two ways to obtain it: * Use the [Homebrew](https://brew.sh) package manager. After installing Homebrew install Python 3 by running `brew install python3`. - * Download and install the latest stable [Python 3 package](https://www.python.org/downloads/mac-osx/). Be sure to run the included *Install Certificates* command from Finder. + * Download and install the latest stable [Python 3.7.x package](https://www.python.org/downloads/mac-osx/) (currently Python 3.8 will not work). Be sure to run the included *Install Certificates* command from Finder. Once Python 3 is installed on your Mac, from Terminal run: ```bash From b7e0ae3980f1bfc2713a53bc963a598673202e9a Mon Sep 17 00:00:00 2001 From: TC1977 <37350377+TC1977@users.noreply.github.com> Date: Sun, 27 Oct 2019 13:30:13 -0400 Subject: [PATCH 16/21] road warrior instructions --- docs/deploy-to-ubuntu.md | 7 +++++++ 1 file changed, 7 insertions(+) diff --git a/docs/deploy-to-ubuntu.md b/docs/deploy-to-ubuntu.md index 500b8d60d..60bfe6c9e 100644 
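Review bot: in the PATCH 15/21 README hunk, "(currently Python 3.8 will not work)" gives no reason or reference, so nobody will know when the restriction can be lifted; the commit subject cites #1622, so link that issue in the parenthetical. The `brew install python3` bullet just above gets no equivalent caveat even though Homebrew tracks current Python 3 releases, so the Homebrew path should carry the same warning or a pin to 3.7.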
--- a/docs/deploy-to-ubuntu.md +++ b/docs/deploy-to-ubuntu.md @@ -8,4 +8,11 @@ Install to existing Ubuntu 18.04 or 19.04 server (Advanced) ``` Make sure your target server is running an unmodified copy of the operating system version specified. The target can be the same system where you've installed the Algo scripts, or a remote system that you are able to access as root via SSH without needing to enter the SSH key passphrase (such as when using `ssh-agent`). +# Road Warrior setup + +Some may find it useful to set up an Algo server on an Ubuntu box on your home LAN, with the intention of being able to securely access your LAN and any resources on it when you're traveling elsewhere (the ["road warrior" setup](https://en.wikipedia.org/wiki/Road_warrior_(computing))). A few tips if you're doing so: +- Make sure you redirect any relevant incoming ports (UDP/500, UDP/4500, and UDP/51820) to the Algo server from your router; +- Change `BetweenClients_DROP` in `config.cfg` to `false`, and also consider changing `block_smb` and `block_netbios` to `false`; +- If you want to use a DNS server on your LAN to resolve local domain names properly (e.g. a Pi-hole), set the `dns_encryption` flag in `config.cfg` to `false`, and change `dns_servers` to the local DNS server IP (i.e. `192.168.1.2`). + **PLEASE NOTE**: Algo is intended for use to create a _dedicated_ VPN server. No uninstallation option is provided. If you install Algo on an existing server any existing services might break. In particular, the firewall rules will be overwritten. See [AlgoVPN and Firewalls](/docs/firewalls.md) for more information. From 6253e944d33565413ca6266c43529255dcfac026 Mon Sep 17 00:00:00 2001 From: TC1977 <37350377+TC1977@users.noreply.github.com> Date: Sun, 27 Oct 2019 13:35:46 -0400 Subject: [PATCH 17/21] Update index.md --- docs/index.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/docs/index.md b/docs/index.md index e62f6dc8e..3c6e9ea9d 100644 --- a/docs/index.md 
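Review bot: in the PATCH 16/21 hunk, the new "# Road Warrior setup" heading and its tips are inserted above the existing "**PLEASE NOTE**: Algo is intended for use to create a _dedicated_ VPN server" paragraph, so that warning now reads as one more road-warrior tip instead of applying to the whole page; place the new section after the warning. In the tips, "(i.e. `192.168.1.2`)" should be "(e.g. ...)" since it is an example address, the semicolons closing each bullet are unusual for a Markdown list, and the three relaxations taken together (`BetweenClients_DROP`, `block_smb`/`block_netbios` and `dns_encryption` all set to `false`) deserve a one-line reminder that every VPN user then reaches the whole home LAN, so client configs should only go to devices the owner trusts.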
+++ b/docs/index.md @@ -23,7 +23,7 @@ - Configure [Hetzner Cloud](cloud-hetzner.md) * Advanced Deployment - Deploy to your own [FreeBSD](deploy-to-freebsd.md) server - - Deploy to your own [Ubuntu](deploy-to-ubuntu.md) server + - Deploy to your own [Ubuntu](deploy-to-ubuntu.md) server, and road warrior setup - Deploy to an [unsupported cloud provider](deploy-to-unsupported-cloud.md) * [FAQ](faq.md) * [Firewalls](firewalls.md) From d1fff030ab55107224fbd19a2b1c71c476d881df Mon Sep 17 00:00:00 2001 From: TC1977 <37350377+TC1977@users.noreply.github.com> Date: Sun, 27 Oct 2019 13:43:35 -0400 Subject: [PATCH 18/21] Reorganize config.cfg As per @davidemyers suggestions --- config.cfg | 80 ++++++++++++++++++++++++++++-------------------------- 1 file changed, 42 insertions(+), 38 deletions(-) diff --git a/config.cfg b/config.cfg index 61b401afc..06302dda9 100644 --- a/config.cfg +++ b/config.cfg 
@@ -9,39 +9,14 @@ users: - laptop - desktop -### Advanced users only below this line ### - -# Store the PKI in a ram disk. Enabled only if store_pki (retain the PKI) is set to false -# Supports on MacOS and Linux only (including Windows Subsystem for Linux) -pki_in_tmpfs: true - -# If True re-init all existing certificates. Boolean -keys_clean_all: False +### Review these options BEFORE you run Algo, as they are very difficult/impossible to change after the server is deployed. # Deploy StrongSwan to enable IPsec support ipsec_enabled: true -# StrongSwan log level -# https://wiki.strongswan.org/projects/strongswan/wiki/LoggerConfiguration -strongswan_log_level: 2 - -# rightsourceip for ipsec -# ipv4 -strongswan_network: 10.19.48.0/24 -# ipv6 -strongswan_network_ipv6: 'fd9d:bc11:4020::/48' - # Deploy WireGuard wireguard_enabled: true wireguard_port: 51820 -# If you're behind NAT or a firewall and you want to receive incoming connections long after network traffic has gone silent. -# This option will keep the "connection" open in the eyes of NAT. -# See: https://www.wireguard.com/quickstart/#nat-and-firewall-traversal-persistence -wireguard_PersistentKeepalive: 0 - -# WireGuard network configuration -wireguard_network_ipv4: 10.19.49.0/24 -wireguard_network_ipv6: fd9d:bc11:4021::/48 # Reduce the MTU of the VPN tunnel # Some cloud and internet providers use a smaller MTU (Maximum Transmission 
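Review bot: The new "### Review these options BEFORE you run Algo ..." comment is a single line far wider than the rest of the file, whose comments wrap at roughly 80 columns (see the WireGuard and DNS comments in this same diff); wrap it to two lines to match.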
@@ -66,6 +41,46 @@ adblock_lists: # DNS encryption can not be disabled if DNS adblocking is enabled dns_encryption: true +# Block traffic between connected clients. Change this to false to enable +# connected clients to reach each other, as well as other computers on the +# same LAN as your Algo server (i.e. the "road warrior" setup). In this +# case, you may also want to enable SMB/CIFS and NETBIOS traffic below. +BetweenClients_DROP: true + +# Block SMB/CIFS traffic +block_smb: true + +# Block NETBIOS traffic +block_netbios: true + +### Advanced users only below this line ### + +# Store the PKI in a ram disk. Enabled only if store_pki (retain the PKI) is set to false +# Supports on MacOS and Linux only (including Windows Subsystem for Linux) +pki_in_tmpfs: true + +# If True re-init all existing certificates. Boolean +keys_clean_all: False + +# StrongSwan log level +# https://wiki.strongswan.org/projects/strongswan/wiki/LoggerConfiguration +strongswan_log_level: 2 + +# rightsourceip for ipsec +# ipv4 +strongswan_network: 10.19.48.0/24 +# ipv6 +strongswan_network_ipv6: 'fd9d:bc11:4020::/48' + +# If you're behind NAT or a firewall and you want to receive incoming connections long after network traffic has gone silent. +# This option will keep the "connection" open in the eyes of NAT. +# See: https://www.wireguard.com/quickstart/#nat-and-firewall-traversal-persistence +wireguard_PersistentKeepalive: 0 + +# WireGuard network configuration +wireguard_network_ipv4: 10.19.49.0/24 +wireguard_network_ipv6: fd9d:bc11:4021::/48 + # DNS servers which will be used if 'dns_encryption' is 'true'. Multiple # providers may be specified, but avoid mixing providers that filter results # (like Cisco) with those that don't (like Cloudflare) or you could get 
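Review bot: Since the PKI comment is being moved anyway, fix the grammar in the moved line "# Supports on MacOS and Linux only (including Windows Subsystem for Linux)" to "# Supported on macOS and Linux only (including Windows Subsystem for Linux)". The preceding line "Enabled only if store_pki (retain the PKI) is set to false" would also be clearer as "Used only when store_pki is false", which says when the ram disk is actually in effect rather than when the option is "enabled".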
@@ -102,17 +117,6 @@ unattended_reboot: enabled: false time: 06:00 -# Block traffic between connected clients. Change this to false to enable -# connected clients to reach each other, as well as other computers on the -# same LAN as your Algo server (i.e. the "road warrior" setup). In this -# case, you may also want to enable SMB/CIFS and NETBIOS traffic below. -BetweenClients_DROP: true - -# Block SMB/CIFS traffic -block_smb: true - -# Block NETBIOS traffic -block_netbios: true congrats: common: | @@ -142,7 +146,7 @@ cloud_providers: size: s-1vcpu-1gb image: "ubuntu-19-04-x64" ec2: - # Change the encrypted flag to "true" to enable AWS volume encryption, for encryption of data at rest. + # Change the encrypted flag to "false" to disable AWS volume encryption. encrypted: true # Set use_existing_eip to "true" if you want to use a pre-allocated Elastic IP # Additional prompt will be raised to determine which IP to use From 58ffdeab0e04ed409c2cbf47762080b215ce1d3e Mon Sep 17 00:00:00 2001 From: TC1977 <37350377+TC1977@users.noreply.github.com> Date: Sun, 27 Oct 2019 19:03:05 -0400 Subject: [PATCH 19/21] Further config changes As per feedback, also better explanation of keys_clean_all --- config.cfg | 68 +++++++++++++++++++++++++++--------------------------- 1 file changed, 34 insertions(+), 34 deletions(-) diff --git a/config.cfg b/config.cfg index 06302dda9..e0f14318b 100644 --- a/config.cfg +++ b/config.cfg 
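Review bot: The reworded ec2 comment drops the reason the flag exists; keep the "encryption of data at rest" wording from the removed line so readers understand what they give up by setting `encrypted: false`, for example: `# Change the encrypted flag to "false" to disable AWS volume encryption (encryption of data at rest).`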
@@ -53,14 +53,46 @@ block_smb: true # Block NETBIOS traffic block_netbios: true +# Your Algo server will automatically install security updates. Some updates +# require a reboot to take effect but your Algo server will not reboot itself +# automatically unless you change 'enabled' below from 'false' to 'true', in +# which case a reboot will take place if necessary at the time specified (as +# HH:MM) in the time zone of your Algo server. The default time zone is UTC. +unattended_reboot: + enabled: false + time: 06:00 + ### Advanced users only below this line ### +# DNS servers which will be used if 'dns_encryption' is 'true'. Multiple +# providers may be specified, but avoid mixing providers that filter results +# (like Cisco) with those that don't (like Cloudflare) or you could get +# inconsistent results. The list of available public providers can be found +# here: +# https://github.com/DNSCrypt/dnscrypt-resolvers/blob/master/v2/public-resolvers.md +dnscrypt_servers: + ipv4: + - cloudflare +# - google + ipv6: + - cloudflare-ipv6 + +# DNS servers which will be used if 'dns_encryption' is 'false'. +# The default is to use Cloudflare. +dns_servers: + ipv4: + - 1.1.1.1 + - 1.0.0.1 + ipv6: + - 2606:4700:4700::1111 + - 2606:4700:4700::1001 + # Store the PKI in a ram disk. Enabled only if store_pki (retain the PKI) is set to false # Supports on MacOS and Linux only (including Windows Subsystem for Linux) pki_in_tmpfs: true -# If True re-init all existing certificates. Boolean -keys_clean_all: False +# Set this to 'true' when running './algo update-users' if you want ALL users to get new certs, not just new users. +keys_clean_all: false # StrongSwan log level # https://wiki.strongswan.org/projects/strongswan/wiki/LoggerConfiguration 
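Review bot: The new `keys_clean_all` comment reads like a one-off action, but the setting is read on every run; add that it should be returned to `false` afterwards, and keep the substance of the removed line ("re-init all existing certificates") by stating that existing clients' certificates are replaced and their configs must be redistributed, since that is the operational cost of the flag. Separately, `dnscrypt_servers` and `dns_servers` are moved below "### Advanced users only below this line ###", while the road warrior instructions earlier in this series tell ordinary users to edit `dns_servers`; either keep `dns_servers` above the divider or have those instructions point readers to the advanced section.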
@@ -81,42 +113,10 @@ wireguard_PersistentKeepalive: 0 wireguard_network_ipv4: 10.19.49.0/24 wireguard_network_ipv6: fd9d:bc11:4021::/48 -# DNS servers which will be used if 'dns_encryption' is 'true'. Multiple -# providers may be specified, but avoid mixing providers that filter results -# (like Cisco) with those that don't (like Cloudflare) or you could get -# inconsistent results. The list of available public providers can be found -# here: -# https://github.com/DNSCrypt/dnscrypt-resolvers/blob/master/v2/public-resolvers.md -dnscrypt_servers: - ipv4: - - cloudflare -# - google - ipv6: - - cloudflare-ipv6 - -# DNS servers which will be used if 'dns_encryption' is 'false'. -# The default is to use Cloudflare. -dns_servers: - ipv4: - - 1.1.1.1 - - 1.0.0.1 - ipv6: - - 2606:4700:4700::1111 - - 2606:4700:4700::1001 - # Randomly generated IP address for the local dns resolver local_service_ip: "{{ '172.16.0.1' | ipmath(1048573 | random(seed=algo_server_name + ansible_fqdn)) }}" local_service_ipv6: "{{ 'fd00::1' | ipmath(1048573 | random(seed=algo_server_name + ansible_fqdn)) }}" -# Your Algo server will automatically install security updates. Some updates -# require a reboot to take effect but your Algo server will not reboot itself -# automatically unless you change 'enabled' below from 'false' to 'true', in -# which case a reboot will take place if necessary at the time specified (as -# HH:MM) in the time zone of your Algo server. The default time zone is UTC. -unattended_reboot: - enabled: false - time: 06:00 - congrats: common: | From 21433686ab72f83e03336291530ab6efe6c329d5 Mon Sep 17 00:00:00 2001 From: TC1977 <37350377+TC1977@users.noreply.github.com> Date: Mon, 9 Dec 2019 09:53:41 -0500 Subject: [PATCH 20/21] Add road warrior instructions to FAQ --- docs/faq.md | 5 +++++ 1 file changed, 5 insertions(+) diff --git a/docs/faq.md b/docs/faq.md index 2a377db8d..ff1ac6f98 100644 --- a/docs/faq.md +++ b/docs/faq.md 
@@ -13,6 +13,7 @@ * [Wasn't IPSEC backdoored by the US government?](#wasnt-ipsec-backdoored-by-the-us-government) * [What inbound ports are used?](#what-inbound-ports-are-used) * [How do I monitor user activity?](#how-do-i-monitor-user-activity) +* [How do I reach another connected client?](#how-do-i-reach-another-connected-client) ## Has Algo been audited? @@ -85,3 +86,7 @@ You should only need 22/TCP, 500/UDP, 4500/UDP, and 51820/UDP opened on any fire ## How do I monitor user activity? Your Algo server will track IPsec client logins by default in `/var/log/syslog`. This will give you client names, date/time of connection and reconnection, and what IP addresses they're connecting from. This can be disabled entirely by setting `strongswan_log_level` to `-1` in `config.cfg`. WireGuard doesn't save any logs, but entering `sudo wg` on the server will give you the last endpoint and contact time of each client. Disabling this is [paradoxically difficult](https://git.zx2c4.com/blind-operator-mode/about/). There isn't any out-of-the-box way to monitor actual user _activity_ (e.g. websites browsed, etc.) + +## How do I reach another connected client? + +By default, your Algo server doesn't allow connections between connected clients. This can be changed at the time of deployment by enabling the `BetweenClients_DROP` flag in `config.cfg`. See the ["Road Warrior" instructions](/docs/deploy-to-ubuntu.md#road-warrior-setup) for more details. From ca9723dc289884800d2e880339a4c3b1e7f44e28 Mon Sep 17 00:00:00 2001 From: TC1977 <37350377+TC1977@users.noreply.github.com> Date: Mon, 9 Dec 2019 09:56:56 -0500 Subject: [PATCH 21/21] Remove specific ports from RW instructions --- docs/deploy-to-ubuntu.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/docs/deploy-to-ubuntu.md b/docs/deploy-to-ubuntu.md index 0ccf50aee..c96d8e03e 100644 --- a/docs/deploy-to-ubuntu.md +++ b/docs/deploy-to-ubuntu.md 
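Review bot: The new FAQ answer has the flag's sense inverted: "by enabling the `BetweenClients_DROP` flag" should say setting it to `false`, since the config comment and the road warrior instructions in this series both say the DROP rule must be turned off for clients to reach each other. Suggested wording: "This can be changed at the time of deployment by setting `BetweenClients_DROP` to `false` in `config.cfg`."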
@@ -11,7 +11,7 @@ Make sure your target server is running an unmodified copy of the operating syst # Road Warrior setup Some may find it useful to set up an Algo server on an Ubuntu box on your home LAN, with the intention of being able to securely access your LAN and any resources on it when you're traveling elsewhere (the ["road warrior" setup](https://en.wikipedia.org/wiki/Road_warrior_(computing))). A few tips if you're doing so: -- Make sure you redirect any relevant incoming ports (UDP/500, UDP/4500, and UDP/51820) to the Algo server from your router; +- Make sure you forward any [relevant incoming ports](/docs/firewalls.md#external-firewall) to the Algo server from your router; - Change `BetweenClients_DROP` in `config.cfg` to `false`, and also consider changing `block_smb` and `block_netbios` to `false`; - If you want to use a DNS server on your LAN to resolve local domain names properly (e.g. a Pi-hole), set the `dns_encryption` flag in `config.cfg` to `false`, and change `dns_servers` to the local DNS server IP (i.e. `192.168.1.2`).
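Review bot: Confirm that the `#external-firewall` anchor actually exists in `docs/firewalls.md`; the existing reference a few lines below in this file links to `/docs/firewalls.md` with no fragment, and a wrong fragment silently lands the reader at the top of the page instead of the port list. Replacing the hard-coded port list with the link is otherwise a good change, since the ports then have one source of truth.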