Merge branch 'master' into streisand_ipv6

.travis.yml

@@ -21,6 +21,8 @@ env:
 before_install:
   - sudo apt-get update -qq
   - sudo apt-get install python-pip python-dev ca-certificates shellcheck -qq
+  # workaround for https://travis-ci.community/t/then-sudo-apt-get-update-failed-public-key-is-not-available-no-pubkey-6b05f25d762e3157-in-ubuntu-xenial/1728
+  - sudo apt-key adv --keyserver keyserver.ubuntu.com --recv-keys 762E3157
 
 install:
   - pip install ansible==2.6.5

README-fr.md

@@ -111,7 +111,7 @@ Effectuez toutes ces tâches sur votre machine locale.
             sudo apt-get install git
   * Sur Fedora 27, certains progiciels sont nécessaires plus tard
 
-          sudo yum install git python2-pip gcc python2-devel python2-crypto python2-pycurl libcurl-devel
+          sudo dnf install git python2-pip gcc python2-devel python2-crypto python2-pycurl libcurl-devel
   * Sur CentOS 7, `pip` est disponible dans le dépôt EPEL; certains progiciels supplémentaires sont nécessaires plus tard.
 
           sudo yum -y update && sudo yum install -y epel-release

README-ru.md

@@ -110,7 +110,7 @@
         sudo apt-get install git
   * На Fedora
 
-        sudo yum install git
+        sudo dnf install git
   * На macOS (с использованием [Homebrew](https://brew.sh/))
 
         brew install git
@@ -120,7 +120,7 @@
         sudo apt-get install python-paramiko python-pip python-pycurl python-dev build-essential
   * На Fedora
 
-        sudo yum install python-pip
+        sudo dnf install python-pip
   * На macOS
 
         sudo easy_install pip

README.md

@@ -113,7 +113,7 @@ Complete all of these tasks on your local home machine.
         sudo apt-get install git python-pip
   * On Fedora 27, some additional packages are needed later.
 
-		sudo yum install git python2-pip gcc python2-devel python2-crypto python2-pycurl libcurl-devel
+		sudo dnf install git python2-pip gcc python2-devel python2-crypto python2-pycurl libcurl-devel
   * On CentOS 7, `pip` is available from the EPEL repository; some additional packages are needed later.
 
 		sudo yum -y update && sudo yum install -y epel-release

playbooks/roles/common/vars/main.yml

@@ -24,7 +24,7 @@ streisand_common_packages:
   # Required to use the Ansible `expect` module
   - python-pexpect
   # Required for the apt_repository module
-  - python-software-properties
+  - software-properties-common
   # Used to generate convenient QR codes for mobile clients in the
   # Shadowsocks, Tor, and WireGuard roles
   - qrencode

playbooks/roles/openconnect/templates/instructions.md.j2

@@ -23,7 +23,7 @@ Client certificates are a mechanism by which clients can authenticate themselves
 
 1. Your OpenConnect server issues its own __server certificate__. This is used by your device's client software (such as AnyConnect for iOS) to securely identify the VPN server. Download this server's certificate.
    * [ca.crt](/openconnect/ca.crt)
-1. Each device you wish to configure needs a __client certificate__ in addition to the server certificate above. A client certificate is used to securely identify and authenticate your device to the VPN server. Two devices can't use the same client certifcate and be logged in at the same time (one client certificate per device). Each client certificate is protected by a password, which will be needed to unlock it once you import it into your device.
+1. Each device you wish to configure needs a __client certificate__ in addition to the server certificate above. A client certificate is used to securely identify and authenticate your device to the VPN server. Two devices can't use the same client certificate and be logged in at the same time (one client certificate per device). Each client certificate is protected by a password, which will be needed to unlock it once you import it into your device.
 {% for client in vpn_client_pkcs12_password_list.results %}
    * [{{ client.client_name.stdout }}.p12](/openconnect/{{ client.client_name.stdout }}.p12), password: `{{ client.stdout }}` 
 {% endfor %}

playbooks/roles/ssh-forward/templates/instructions.md.j2

@@ -17,8 +17,8 @@ SSH Tunnel
 1. Download [PuTTY](/mirror/ssh/) and run it.
 1. Go to the *Session* section.
 1. Enter `{{ streisand_ipv4_address }}` in the Host Name field.
-1. Enter `{{ ssh_port }}` in the Port field.
-   * Port `443` is available as a fallback option if you are on a network that restricts access to the default SSH port.
+1. Enter `443` in the Port field.
+   * Port {{ ssh_port }} is available as an option if your network does not block it.
 1. Go to Connection --> Data.
 1. Enter `forward` in the *Auto-login username* field.
 1. Go to Connection --> SSH.
@@ -67,11 +67,11 @@ You are now connected and have a SOCKS proxy up and running that is ready to for
 1. Copy the `streisand_rsa` file to the directory of your choice.
 1. Set the correct permissions on the RSA key file:
    * `chmod 600 streisand_rsa`
-1. Add a new entry to your `.ssh/config` file. It should look like this. Port `443` is available as a fallback option if you are on a network that restricts access to the default SSH port. Be sure to adjust the location of the IdentityFile:
+1. Add a new entry to your `.ssh/config` file. It should look like this. Port {{ ssh_port }} is available if your network does not block it. Be sure to adjust the location of the IdentityFile:
 
          Host {{ streisand_server_name }}
            User           forward
-           Port           {{ ssh_port }}
+           Port           443
            HostName       {{ streisand_ipv4_address }}
            IdentitiesOnly yes
            IdentityFile   ~/.ssh/streisand_rsa
@@ -87,7 +87,7 @@ You are now connected and have a SOCKS proxy up and running that is ready to for
 1. You are now connected and have a SOCKS proxy up and running that is ready to forward encrypted traffic through SSH. The next step is to configure your web browser to use it. You can follow the same instructions contained in the Windows section above to configure Firefox to route its traffic through the SOCKS proxy.
 
 {% if streisand_sshuttle_enabled %}
-#### sshuttle 
+#### sshuttle
 
 Sshuttle is a simple VPN tunnelling solution that operates over the SSH transport. It's fast, easy to set up, and offers great performance.
 
@@ -96,11 +96,11 @@ Sshuttle is a simple VPN tunnelling solution that operates over the SSH transpor
 1. Copy the `streisand_rsa` file to the directory of your choice.
 1. Set the correct permissions on the RSA key file:
    * `chmod 600 streisand_rsa`
-1. Add a new entry to your `.ssh/config` file. It should look like this. Port `443` is available as a fallback option if you are on a network that restricts access to the default SSH port. Be sure to adjust the location of the IdentityFile:
+1. Add a new entry to your `.ssh/config` file. It should look like this. Port {{ ssh_port }} is available if your network does not block it. Be sure to adjust the location of the IdentityFile:
 
          Host {{ streisand_server_name }}
            User           sshuttle
-           Port           {{ ssh_port }}
+           Port           443
            HostName       {{ streisand_ipv4_address }}
            IdentitiesOnly yes
            IdentityFile   ~/.ssh/streisand_rsa
@@ -139,8 +139,8 @@ Sshuttle is a simple VPN tunnelling solution that operates over the SSH transpor
 1. Tap *Settings*.
 1. Tap *Host name* and enter `{{ streisand_ipv4_address }}`.
 1. Tap *User Name* and enter `forward`.
-1. Tap *Port* and enter `{{ ssh_port }}`.
-   * Port `443` is available as a fallback option if you are on a network that restricts access to the default SSH port.
+1. Tap *Port* and enter `443`.
+   * Port {{ ssh_port }} is available if your network does not block it.
 1. Tap *Private Key File* and select the `streisand_rsa` file that you copied to your phone.
 1. Tap *Dynamic Forward Port* and enter `1080`.
 1. Tap *Forwards* and enter `L8888=localhost:8888`.

playbooks/roles/wireguard/templates/instructions.md.j2

@@ -12,6 +12,7 @@ An [experimental configuration for OpenWrt/LEDE](#openwrt) 17.01.4 (or later) is
 ---
 * Platforms
   * [Android](#android)
+  * [iOS](#ios)
   * [Linux](#linux)
   * [macOS](#macos)
   * [OpenWrt](#openwrt)
@@ -31,6 +32,21 @@ An [experimental configuration for OpenWrt/LEDE](#openwrt) 17.01.4 (or later) is
 
 ---
 
+<a name="ios"></a>
+### iOS ###
+1. Install WireGuard (by WireGuard Development Team) from the App Store.
+1. Launch the app and tap the blue button to add a new tunnel.
+1. Tap *Create from QR code* and grant the app permission to access the camera. A viewfinder will appear.
+1. Use the camera to scan one of these client configuration QR codes. **Only one device can use a profile at a time**:
+{% for client in vpn_client_names.results %}
+   * [{{ client.stdout }}](/wireguard/{{ client.stdout }}.png)
+{% endfor %}
+1. Enter a name for the tunnel and tap *Create Tunnel* to save the configuration.
+1. Tap the switch next to the tunnel's name to enable the VPN. If this is your first time using WireGuard on your iOS device, you will be prompted to accept the VPN connection request.
+1. You should be good to go! You can verify that your traffic is being routed properly by [looking up your IP address on DuckDuckGo]({{ streisand_my_ip_url }}). It should say *Your public IP address is {{ streisand_ipv4_address }}*.
+
+---
+
 <a name="linux"></a>
 ### Linux ###
 1. [Install WireGuard](https://www.wireguard.com/install/).