diff --git a/.travis.yml b/.travis.yml index 02e1d7e37..1a310c896 100644 --- a/.travis.yml +++ b/.travis.yml @@ -21,6 +21,8 @@ env: before_install: - sudo apt-get update -qq - sudo apt-get install python-pip python-dev ca-certificates shellcheck -qq + # workaround for https://travis-ci.community/t/then-sudo-apt-get-update-failed-public-key-is-not-available-no-pubkey-6b05f25d762e3157-in-ubuntu-xenial/1728 + - sudo apt-key adv --keyserver keyserver.ubuntu.com --recv-keys 762E3157 install: - pip install ansible==2.6.5 diff --git a/README-fr.md b/README-fr.md index 4b1be3531..4106438aa 100644 --- a/README-fr.md +++ b/README-fr.md @@ -111,7 +111,7 @@ Effectuez toutes ces tâches sur votre machine locale. sudo apt-get install git * Sur Fedora 27, certains progiciels sont nécessaires plus tard - sudo yum install git python2-pip gcc python2-devel python2-crypto python2-pycurl libcurl-devel + sudo dnf install git python2-pip gcc python2-devel python2-crypto python2-pycurl libcurl-devel * Sur CentOS 7, `pip` est disponible dans le dépôt EPEL; certains progiciels supplémentaires sont nécessaires plus tard. sudo yum -y update && sudo yum install -y epel-release diff --git a/README-ru.md b/README-ru.md index 787e401dd..959b3d738 100644 --- a/README-ru.md +++ b/README-ru.md @@ -110,7 +110,7 @@ sudo apt-get install git * На Fedora - sudo yum install git + sudo dnf install git * На macOS (с использованием [Homebrew](https://brew.sh/)) brew install git @@ -120,7 +120,7 @@ sudo apt-get install python-paramiko python-pip python-pycurl python-dev build-essential * На Fedora - sudo yum install python-pip + sudo dnf install python-pip * На macOS sudo easy_install pip diff --git a/README.md b/README.md index addfcbe0d..eddc3b1f2 100644 --- a/README.md +++ b/README.md 
@@ -113,7 +113,7 @@ Complete all of these tasks on your local home machine. sudo apt-get install git python-pip * On Fedora 27, some additional packages are needed later. - sudo yum install git python2-pip gcc python2-devel python2-crypto python2-pycurl libcurl-devel + sudo dnf install git python2-pip gcc python2-devel python2-crypto python2-pycurl libcurl-devel * On CentOS 7, `pip` is available from the EPEL repository; some additional packages are needed later. sudo yum -y update && sudo yum install -y epel-release diff --git a/playbooks/roles/common/vars/main.yml b/playbooks/roles/common/vars/main.yml index 5d8f26f14..d34a006ed 100644 --- a/playbooks/roles/common/vars/main.yml +++ b/playbooks/roles/common/vars/main.yml @@ -24,7 +24,7 @@ streisand_common_packages: # Required to use the Ansible `expect` module - python-pexpect # Required for the apt_repository module - - python-software-properties + - software-properties-common # Used to generate convenient QR codes for mobile clients in the # Shadowsocks, Tor, and WireGuard roles - qrencode diff --git a/playbooks/roles/openconnect/templates/instructions.md.j2 b/playbooks/roles/openconnect/templates/instructions.md.j2 index 89c6a64d1..63b391481 100644 --- a/playbooks/roles/openconnect/templates/instructions.md.j2 +++ b/playbooks/roles/openconnect/templates/instructions.md.j2 
@@ -23,7 +23,7 @@ Client certificates are a mechanism by which clients can authenticate themselves 1. Your OpenConnect server issues its own __server certificate__. This is used by your device's client software (such as AnyConnect for iOS) to securely identify the VPN server. Download this server's certificate. * [ca.crt](/openconnect/ca.crt) -1. Each device you wish to configure needs a __client certificate__ in addition to the server certificate above. A client certificate is used to securely identify and authenticate your device to the VPN server. Two devices can't use the same client certifcate and be logged in at the same time (one client certificate per device). Each client certificate is protected by a password, which will be needed to unlock it once you import it into your device. +1. Each device you wish to configure needs a __client certificate__ in addition to the server certificate above. A client certificate is used to securely identify and authenticate your device to the VPN server. Two devices can't use the same client certificate and be logged in at the same time (one client certificate per device). Each client certificate is protected by a password, which will be needed to unlock it once you import it into your device. {% for client in vpn_client_pkcs12_password_list.results %} * [{{ client.client_name.stdout }}.p12](/openconnect/{{ client.client_name.stdout }}.p12), password: `{{ client.stdout }}` {% endfor %} diff --git a/playbooks/roles/ssh-forward/templates/instructions.md.j2 b/playbooks/roles/ssh-forward/templates/instructions.md.j2 index dc0c585d9..9e0620579 100644 --- a/playbooks/roles/ssh-forward/templates/instructions.md.j2 +++ b/playbooks/roles/ssh-forward/templates/instructions.md.j2 
@@ -17,8 +17,8 @@ SSH Tunnel 1. Download [PuTTY](/mirror/ssh/) and run it. 1. Go to the *Session* section. 1. Enter `{{ streisand_ipv4_address }}` in the Host Name field. -1. Enter `{{ ssh_port }}` in the Port field. - * Port `443` is available as a fallback option if you are on a network that restricts access to the default SSH port. +1. Enter `443` in the Port field. + * Port {{ ssh_port }} is available as an option if your network does not block it. 1. Go to Connection --> Data. 1. Enter `forward` in the *Auto-login username* field. 1. Go to Connection --> SSH. @@ -67,11 +67,11 @@ You are now connected and have a SOCKS proxy up and running that is ready to for 1. Copy the `streisand_rsa` file to the directory of your choice. 1. Set the correct permissions on the RSA key file: * `chmod 600 streisand_rsa` -1. Add a new entry to your `.ssh/config` file. It should look like this. Port `443` is available as a fallback option if you are on a network that restricts access to the default SSH port. Be sure to adjust the location of the IdentityFile: +1. Add a new entry to your `.ssh/config` file. It should look like this. Port {{ ssh_port }} is available if your network does not block it. Be sure to adjust the location of the IdentityFile: Host {{ streisand_server_name }} User forward - Port {{ ssh_port }} + Port 443 HostName {{ streisand_ipv4_address }} IdentitiesOnly yes IdentityFile ~/.ssh/streisand_rsa 
@@ -87,7 +87,7 @@ You are now connected and have a SOCKS proxy up and running that is ready to for 1. You are now connected and have a SOCKS proxy up and running that is ready to forward encrypted traffic through SSH. The next step is to configure your web browser to use it. You can follow the same instructions contained in the Windows section above to configure Firefox to route its traffic through the SOCKS proxy. {% if streisand_sshuttle_enabled %} -#### sshuttle +#### sshuttle Sshuttle is a simple VPN tunnelling solution that operates over the SSH transport. It's fast, easy to set up, and offers great performance. @@ -96,11 +96,11 @@ Sshuttle is a simple VPN tunnelling solution that operates over the SSH transpor 1. Copy the `streisand_rsa` file to the directory of your choice. 1. Set the correct permissions on the RSA key file: * `chmod 600 streisand_rsa` -1. Add a new entry to your `.ssh/config` file. It should look like this. Port `443` is available as a fallback option if you are on a network that restricts access to the default SSH port. Be sure to adjust the location of the IdentityFile: +1. Add a new entry to your `.ssh/config` file. It should look like this. Port {{ ssh_port }} is available if your network does not block it. Be sure to adjust the location of the IdentityFile: Host {{ streisand_server_name }} User sshuttle - Port {{ ssh_port }} + Port 443 HostName {{ streisand_ipv4_address }} IdentitiesOnly yes IdentityFile ~/.ssh/streisand_rsa 
@@ -139,8 +139,8 @@ Sshuttle is a simple VPN tunnelling solution that operates over the SSH transpor 1. Tap *Settings*. 1. Tap *Host name* and enter `{{ streisand_ipv4_address }}`. 1. Tap *User Name* and enter `forward`. -1. Tap *Port* and enter `{{ ssh_port }}`. - * Port `443` is available as a fallback option if you are on a network that restricts access to the default SSH port. +1. Tap *Port* and enter `443`. + * Port {{ ssh_port }} is available if your network does not block it. 1. Tap *Private Key File* and select the `streisand_rsa` file that you copied to your phone. 1. Tap *Dynamic Forward Port* and enter `1080`. 1. Tap *Forwards* and enter `L8888=localhost:8888`. diff --git a/playbooks/roles/wireguard/templates/instructions.md.j2 b/playbooks/roles/wireguard/templates/instructions.md.j2 index 859a5a237..38bdcffbb 100644 --- a/playbooks/roles/wireguard/templates/instructions.md.j2 +++ b/playbooks/roles/wireguard/templates/instructions.md.j2 @@ -12,6 +12,7 @@ An [experimental configuration for OpenWrt/LEDE](#openwrt) 17.01.4 (or later) is --- * Platforms * [Android](#android) + * [iOS](#ios) * [Linux](#linux) * [macOS](#macos) * [OpenWrt](#openwrt) 
@@ -31,6 +32,21 @@ An [experimental configuration for OpenWrt/LEDE](#openwrt) 17.01.4 (or later) is --- + +### iOS ### +1. Install WireGuard (by WireGuard Development Team) from the App Store. +1. Launch the app and tap the blue button to add a new tunnel. +1. Tap *Create from QR code* and grant the app permission to access the camera. A viewfinder will appear. +1. Use the camera to scan one of these client configuration QR codes. **Only one device can use a profile at a time**: +{% for client in vpn_client_names.results %} + * [{{ client.stdout }}](/wireguard/{{ client.stdout }}.png) +{% endfor %} +1. Enter a name for the tunnel and tap *Create Tunnel* to save the configuration. +1. Tap the switch next to the tunnel's name to enable the VPN. If this is your first time using WireGuard on your iOS device, you will be prompted to accept the VPN connection request. +1. You should be good to go! You can verify that your traffic is being routed properly by [looking up your IP address on DuckDuckGo]({{ streisand_my_ip_url }}). It should say *Your public IP address is {{ streisand_ipv4_address }}*. + +--- + ### Linux ### 1. [Install WireGuard](https://www.wireguard.com/install/).
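Review bot: In `.travis.yml`, the added `apt-key adv --keyserver keyserver.ubuntu.com --recv-keys 762E3157` line selects the key by its short 32-bit ID, which is open to key-ID collisions. The Travis thread linked in the comment above it names the missing key as `6B05F25D762E3157`, so pass at least that long ID, and preferably the full fingerprint. The import is also placed after `sudo apt-get update -qq` in `before_install`, so the update the workaround targets has already run by the time the key is fetched. Move the import above the update, or say in the comment why it has to follow it.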
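Review bot: In `README-ru.md` (hunk at -120,7), the Fedora line still installs `python-pip` while the Fedora lines in `README.md` and `README-fr.md` install `python2-pip`. Since this change already touches the line for the `yum` to `dnf` switch, align the package name with the other two READMEs, or note why the Russian instructions differ.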
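Review bot: In `playbooks/roles/ssh-forward/templates/instructions.md.j2` (PuTTY steps, hunk at -17,8), the new sub-bullet renders `{{ ssh_port }}` without backticks, although the old text formatted the port as a literal and the step above still writes `443` in backticks. Restore the code formatting. The wording here ("is available as an option if your network does not block it") also differs from the three other places in this file that say "is available if your network does not block it". Pick one phrasing.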
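Review bot: In `playbooks/roles/ssh-forward/templates/instructions.md.j2` (`.ssh/config` example, hunk at -67,11), `Port 443` is now a hard-coded literal where the template previously rendered `{{ ssh_port }}`, and the same literal is repeated in the PuTTY, sshuttle and Android steps. If the server-side listener on 443 is ever changed or disabled, these instructions will be wrong with nothing to flag it. Use a template variable for the primary port so the rendered instructions follow the deployed configuration. The prose also no longer says how to use the alternative port; add that the reader changes the `Port` line to `{{ ssh_port }}`.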
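Review bot: In `playbooks/roles/ssh-forward/templates/instructions.md.j2` (hunk at -87,7), the removed and added `#### sshuttle` heading lines read the same, so this is a whitespace-only change mixed into a functional patch. Confirm it strips trailing whitespace rather than adding it, and consider moving it to a separate cleanup commit so the port changes are easier to review.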
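Review bot: In `playbooks/roles/wireguard/templates/instructions.md.j2` (new `### iOS ###` section, hunk at -31,6 +32,21), step 4 links to `/wireguard/{{ client.stdout }}.png` as "client configuration QR codes" without saying that the image is a credential. A WireGuard client configuration carries the client's private key, so anyone who can see or photograph the code can use that profile. State that next to the existing "Only one device can use a profile at a time" warning. The step also assumes the code is displayed on a second screen; a reader following these instructions on the iOS device itself cannot scan it, so say that the page has to be opened on another device.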