Add missing commas, correction of spelling errors #14696

Open
wants to merge 1 commit into
base: master
4 changes: 2 additions & 2 deletions docs/client-apple-ipsec.md
Expand Up @@ -6,10 +6,10 @@ Find the corresponding `mobileconfig` (Apple Profile) for each user and send it

## Enable the VPN

On iOS, connect to the VPN by opening **Settings** and clicking the toggle next to "VPN" near the top of the list. If using WireGuard you can also enable the VPN from the WireGuard app. On macOS, connect to the VPN by opening **System Preferences** -> **Network**, finding the Algo VPN in the left column, and clicking "Connect." Check "Show VPN status in menu bar" to easily connect and disconnect from the menu bar.
On iOS, connect to the VPN by opening **Settings** and clicking the toggle next to "VPN" near the top of the list. If using WireGuard, you can also enable the VPN from the WireGuard app. On macOS, connect to the VPN by opening **System Preferences** -> **Network**, finding the Algo VPN in the left column, and clicking "Connect." Check "Show VPN status in menu bar" to easily connect and disconnect from the menu bar.

## Managing "Connect On Demand"

If you enabled "Connect On Demand" the VPN will connect automatically whenever it is able. Most Apple users will want to enable "Connect On Demand", but if you do then simply disabling the VPN will not cause it to stay disabled; it will just "Connect On Demand" again. To disable the VPN you'll need to disable "Connect On Demand".
If you enable "Connect On Demand", the VPN will connect automatically whenever it is able. Most Apple users will want to enable "Connect On Demand", but if you do then simply disabling the VPN will not cause it to stay disabled; it will just "Connect On Demand" again. To disable the VPN you'll need to disable "Connect On Demand".

On iOS, you can turn off "Connect On Demand" in **Settings** by clicking the (i) next to the entry for your Algo VPN and toggling off "Connect On Demand." On macOS, you can turn off "Connect On Demand" by opening **System Preferences** -> **Network**, finding the Algo VPN in the left column, unchecking the box for "Connect on demand", and clicking Apply.
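Review bot: In the 'Managing "Connect On Demand"' paragraph, the edit from "If you enabled" to "If you enable" changes the tense, which is neither a missing comma nor a spelling error as the title describes. The past tense reads as referring to a choice the user has already made, so please confirm the change of meaning is intended, or keep "enabled" and add only the comma. If the goal is consistent commas, the same paragraph still has "but if you do then simply disabling" and "To disable the VPN you'll need" without one.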
2 changes: 1 addition & 1 deletion docs/client-linux-ipsec.md
Expand Up @@ -27,7 +27,7 @@ To configure the connection to come up at boot time replace `auto=add` with `aut

## Notes on SELinux

If you use a system with SELinux enabled you might need to set appropriate file contexts:
If you use a system with SELinux enabled, you might need to set appropriate file contexts:

````
semanage fcontext -a -t ipsec_key_file_t "$(pwd)(/.*)?"
2 changes: 1 addition & 1 deletion docs/client-linux-wireguard.md
Expand Up @@ -50,7 +50,7 @@ If your Linux distribution does not use `systemd` you can bring up WireGuard wit

## Using a DNS Search Domain

As of the `v1.0.20200510` release of `wireguard-tools` WireGuard supports setting a DNS search domain. In your `wg0.conf` file a non-numeric entry on the `DNS` line will be used as a search domain. For example this:
As of the `v1.0.20200510` release of `wireguard-tools` WireGuard supports setting a DNS search domain. In your `wg0.conf` file a non-numeric entry on the `DNS` line will be used as a search domain. For example, this:
```
DNS = 172.27.153.31, fd00::b:991f, mydomain.com
```
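Review bot: The changed line adds a comma after "For example" but leaves the two introductory phrases earlier on the same line unpunctuated: "As of the `v1.0.20200510` release of `wireguard-tools` WireGuard supports" and "In your `wg0.conf` file a non-numeric entry". Suggest adding the comma after `wireguard-tools` and after "file" in the same edit so the line does not need to be touched twice.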
8 changes: 4 additions & 4 deletions docs/client-openwrt-router-wireguard.md
Expand Up @@ -5,24 +5,24 @@ This is a tested, working scenario with following environment:
- algo installed ubuntu at digitalocean
- client side router "TP-Link TL-WR1043ND" with openwrt ver. 21.02.1. [Openwrt Install instructions](https://openwrt.org/toh/tp-link/tl-wr1043nd)
- or client side router "TP-Link Archer C20i AC750" with openwrt ver. 21.02.1. [Openwrt install instructions](https://openwrt.org/toh/tp-link/archer_c20i)
see compatible device list at https://openwrt.org/toh/start . Theoretically any of the device on list should work
see compatible device list at https://openwrt.org/toh/start . Theoretically, any of the device on list should work



## Router setup
Make sure that you have
- router with openwrt installed,
- router is connected to internet,
- router and device in front of router does not have same ip . By default openwrt have 192.168.1.1 if so change it to something like 192.168.2.1
- router and device in front of router do not have same ip. By default, openwrt have 192.168.1.1 if so change it to something like 192.168.2.1
### Install required packages(WebUI)
- Open router web UI (mostly http://192.168.1.1 )
- Open router web UI (mostly http://192.168.1.1)
- Login. (by default username: root, password:<empty>
- System -> Software, click "Update lists"
- Install following packages wireguard-tools, kmod-wireguard, luci-app-wireguard, wireguard, kmod-crypto-sha256, kmod-crypto-sha1, kmod-crypto-md5
- restart router

### Alternative Install required packages(ssh)
- Open router web UI (mostly http://192.168.1.1 )
- Open router web UI (mostly http://192.168.1.1)
- ssh [email protected]
- opkg update
- opkg install wireguard-tools, kmod-wireguard, luci-app-wireguard, wireguard, kmod-crypto-sha256, kmod-crypto-sha1, kmod-crypto-md5
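Review bot: The touched lines in the environment list and under "Router setup" still carry grammar errors next to the new commas: "any of the device on list" should be "any of the devices on the list", and "By default, openwrt have 192.168.1.1 if so change it" should read "By default, openwrt has 192.168.1.1; if so, change it". Since these lines are already being edited, fix them here. In the unchanged context, the login bullet is missing its closing parenthesis after "password:<empty>", and the `opkg install` bullet separates package names with commas; if that bullet is meant to be typed as a command, the commas would become part of the package names.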
2 changes: 1 addition & 1 deletion docs/cloud-alternative-ingress-ip.md
Expand Up @@ -13,7 +13,7 @@ Additional info might be found in [this issue](https://github.com/trailofbits/al

##### Extra charges

- DigitalOcean: Floating IPs are free when assigned to a Droplet, but after manually deleting a Droplet you need to also delete the Floating IP or you'll get charged for it.
- DigitalOcean: Floating IPs are free when assigned to a Droplet, but after manually deleting a Droplet, you need to also delete the Floating IP or you'll get charged for it.

##### IPv6

12 changes: 6 additions & 6 deletions docs/cloud-amazon-ec2.md
Expand Up @@ -10,7 +10,7 @@ The cheapest EC2 plan you can choose is the "Free Plan" a.k.a. the "AWS Free Tie

*Note*: Your Algo instance will not stop working when you hit the bandwidth limit, you will just start accumulating service charges on your AWS account.

As of the time of this writing (July 2018), the Free Tier limits include "750 hours of Amazon EC2 Linux t2.micro instance usage" per month, 15 GB of bandwidth (outbound) per month, and 30 GB of cloud storage. Algo will not even use 1% of the storage limit, but you may have to monitor your bandwidth usage or keep an eye out for the email from Amazon when you are about to exceed the Free Tier limits.
As of the time of this writing (July 2018), the Free Tier limits include "750 hours of Amazon EC2 Linux t2.micro instance usage" per month, 15 GB of bandwidth (outbound) per month, and 30 GB of cloud storage. Algo will not even use 1% of the storage limit, but you may have to monitor your bandwidth usage or keep an eye out for the email from Amazon when you are about to exceed the Free Tier limits.

Additional configurations are documented in the [EC2 section of the deploy from ansible guide](https://github.com/trailofbits/algo/blob/master/docs/deploy-from-ansible.md#amazon-ec2)

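Review bot: The removed and added versions of the "As of the time of this writing (July 2018)" paragraph read identically, so this appears to be a whitespace-only change. That is outside the scope stated in the title; either mention whitespace cleanup in the PR description or drop the line from the change so the diff stays reviewable.
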
Expand Down Expand Up @@ -50,9 +50,9 @@ On the final screen, click the Download CSV button. This file includes the AWS a

## Using EC2 during Algo setup

After you have downloaded Algo and installed its dependencies, the next step is running Algo to provision the VPN server on your AWS account.
After you have downloaded Algo and installed its dependencies, the next step is running Algo to provision the VPN server on your AWS account.

First you will be asked which server type to setup. You would want to enter "3" to use Amazon EC2.
First, you will be asked which server type to setup. You would want to enter "3" to use Amazon EC2.

```
$ ./algo
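Review bot: On the changed line "First, you will be asked which server type to setup", "setup" is used as a verb and should be "set up"; this is a spelling correction the PR title covers. The same form appears on other changed lines of this file ("when you setup the account", "you wish to setup your new Algo instance"). The "After you have downloaded Algo" line above it again shows no visible difference between the old and new versions.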
Expand All @@ -75,7 +75,7 @@ Enter the number of your desired provider
: 3
```

Next you will be asked for the AWS Access Key (Access Key ID) and AWS Secret Key (Secret Access Key) that you received in the CSV file when you setup the account (don't worry if you don't see your text entered in the console; the key input is hidden here by Algo).
Next, you will be asked for the AWS Access Key (Access Key ID) and AWS Secret Key (Secret Access Key) that you received in the CSV file when you setup the account (don't worry if you don't see your text entered in the console; the key input is hidden here by Algo).

```
Enter your aws_access_key (http://docs.aws.amazon.com/general/latest/gr/managing-aws-access-keys.html)
Expand All @@ -88,14 +88,14 @@ Enter your aws_secret_key (http://docs.aws.amazon.com/general/latest/gr/managing
[ABCD...]:
```

You will be prompted for the server name to enter. Feel free to leave this as the default ("algo") if you are not certain how this will affect your setup. Here we chose to call it "algovpn".
You will be prompted for the server name to enter. Feel free to leave this as the default ("algo") if you are not certain how this will affect your setup. Here we chose to call it "algovpn".

```
Name the vpn server:
[algo]: algovpn
```

After entering the server name, the script ask which region you wish to setup your new Algo instance in. Enter the number next to name of the region.
After entering the server name, the script ask which region you wish to setup your new Algo instance in. Enter the number next to name of the region.

```
What region should the server be located in?
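Review bot: The "After entering the server name" line is rewritten with no visible difference, yet it still contains "the script ask" (should be "asks") and "next to name of the region" (missing "the"). If the line is being touched, fix the wording rather than only the whitespace.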
2 changes: 1 addition & 1 deletion docs/cloud-azure.md
Expand Up @@ -38,7 +38,7 @@ Here you can find some information from [the official doc](https://docs.microsof
- Windows ([link](https://docs.microsoft.com/en-us/cli/azure/install-azure-cli-windows?view=azure-cli-latest)):
For Windows the Azure CLI is installed via an MSI, which gives you access to the CLI through the Windows Command Prompt (CMD) or PowerShell. When installing for Windows Subsystem for Linux (WSL), packages are available for your Linux distribution. [Download the MSI installer](https://aka.ms/installazurecliwindows)

If your OS is missing or to get more information see [the official doc](https://docs.microsoft.com/en-us/cli/azure/install-azure-cli?view=azure-cli-latest)
If your OS is missing or to get more information, see [the official doc](https://docs.microsoft.com/en-us/cli/azure/install-azure-cli?view=azure-cli-latest)


## Sign in
2 changes: 1 addition & 1 deletion docs/cloud-do.md
Expand Up @@ -67,7 +67,7 @@ Enter your API token. The token must have read and write permissions (https://cl
(output is hidden):
```

Finally you will be asked the region in which you wish to setup your new Algo server. This list is dynamic and can change based on availability of resources. Enter the number next to name of the region:
Finally, you will be asked the region in which you wish to setup your new Algo server. This list is dynamic and can change based on availability of resources. Enter the number next to name of the region:

```
What region should the server be located in?
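Review bot: The changed "Finally, you will be asked" line keeps "wish to setup your new Algo server" and "next to name of the region"; use "set up" and "next to the name of the region" while editing it.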
2 changes: 1 addition & 1 deletion docs/cloud-linode.md
@@ -1,6 +1,6 @@
## API Token

Sign into the Linode Manager and go to the
Sign in to the Linode Manager and go to the
[tokens management page](https://cloud.linode.com/profile/tokens).

Click `Add a Personal Access Token`. Label your new token and select *at least* the
6 changes: 3 additions & 3 deletions docs/deploy-from-ansible.md
Expand Up @@ -67,7 +67,7 @@ Server roles:
- Adds a restricted `algo` group with no shell access and limited SSH forwarding options
- Creates one limited, local account and an SSH public key for each user
- role: wireguard
- Installs a [Wireguard](https://www.wireguard.com/) server, with a startup script, and automatic checks for upgrades
- Install a [Wireguard](https://www.wireguard.com/) server, with a startup script, and automatic checks for upgrades
- Creates wireguard.conf files for Linux clients as well as QR codes for Apple/Android clients

Note: The `strongswan` role generates Apple profiles with On-Demand Wifi and Cellular if you pass the following variables:
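Review bot: Changing "Installs" to "Install" in the `wireguard` role bullet breaks the parallel structure of the list, where the neighbouring bullets read "Adds a restricted `algo` group", "Creates one limited, local account" and "Creates wireguard.conf files". Keep "Installs". If a spelling fix is wanted on this line, "Wireguard" in the link text could become "WireGuard", the capitalisation used in the other docs touched by this PR.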
Expand All @@ -80,7 +80,7 @@ Note: The `strongswan` role generates Apple profiles with On-Demand Wifi and Cel

- role: local, provider: local

This role is intended to be run for local install onto an Ubuntu server, or onto an unsupported cloud provider's Ubuntu instance. Required variables:
This role is intended to be run for local installation onto an Ubuntu server, or onto an unsupported cloud provider's Ubuntu instance. Required variables:

- server - IP address of your server (or "localhost" if deploying to the local machine)
- endpoint - public IP address of the server you're installing on
Expand Down Expand Up @@ -112,7 +112,7 @@ Additional variables:

- [encrypted](https://aws.amazon.com/blogs/aws/new-encrypted-ebs-boot-volumes/) - Encrypted EBS boot volume. Boolean (Default: true)
- [size](https://aws.amazon.com/ec2/instance-types/) - EC2 instance type. String (Default: t2.micro)
- [image](https://awscli.amazonaws.com/v2/documentation/api/latest/reference/ec2/describe-images.html) - AMI `describe-images` search parameters to find the OS for the hosted image. Each OS and architecture has a unique AMI-ID. The OS owner, for example [Ubuntu](https://cloud-images.ubuntu.com/locator/ec2/), updates these images often. If parameters below result in multiple results, the most recent AMI-ID is chosen
- [image](https://awscli.amazonaws.com/v2/documentation/api/latest/reference/ec2/describe-images.html) - AMI `describe-images` search parameters to find the OS for the hosted image. Each OS and architecture has a unique AMI-ID. The OS owner, for example, [Ubuntu](https://cloud-images.ubuntu.com/locator/ec2/), updates these images often. If parameters below result in multiple results, the most recent AMI-ID is chosen

```
# Example of equivalent cli command
2 changes: 1 addition & 1 deletion docs/deploy-from-cloudshell.md
@@ -1,7 +1,7 @@
# Deploy from Google Cloud Shell
**IMPORTANT NOTE: As of 2021-12-14 Algo requires Python 3.8, but Google Cloud Shell only provides Python 3.7.3. The instructions below will not work until Google updates Cloud Shell to have at least Python 3.8.**

If you want to try Algo but don't wish to install the software on your own system you can use the **free** [Google Cloud Shell](https://cloud.google.com/shell/) to deploy a VPN to any supported cloud provider. Note that you cannot choose `Install to existing Ubuntu server` to turn Google Cloud Shell into your VPN server.
If you want to try Algo but don't wish to install the software on your own system, you can use the **free** [Google Cloud Shell](https://cloud.google.com/shell/) to deploy a VPN to any supported cloud provider. Note that you cannot choose `Install to existing Ubuntu server` to turn Google Cloud Shell into your VPN server.

1. See the [Cloud Shell documentation](https://cloud.google.com/shell/docs/) to start an instance of Cloud Shell in your browser.

4 changes: 2 additions & 2 deletions docs/deploy-from-docker.md
Expand Up @@ -9,7 +9,7 @@ While it is not possible to run your Algo server from within a Docker container,

## Deploying an Algo Server with Docker

1. Install [Docker](https://www.docker.com/community-edition#/download) -- setup and configuration is not covered here
1. Install [Docker](https://www.docker.com/community-edition#/download) -- setup and configuration is not covered here
2. Create a local directory to hold your VPN configs (e.g. `C:\Users\trailofbits\Documents\VPNs\`)
3. Create a local copy of [config.cfg](https://github.com/trailofbits/algo/blob/master/config.cfg), with required modifications (e.g. `C:\Users\trailofbits\Documents\VPNs\config.cfg`)
4. Run the Docker container, mounting your configurations appropriately (assuming the container is named `trailofbits/algo` with a tag `latest`):
Expand Down Expand Up @@ -97,7 +97,7 @@ Docker themselves provide a concept of [Content Trust](https://docs.docker.com/e

1. Even though we're taking care to drop all capabilities to minimize the impact of running as root, we can probably include not only a `seccomp` profile, but also AppArmor and/or SELinux profiles as well.
2. The Docker image doesn't natively support [advanced](deploy-from-ansible.md) Algo deployments, which is useful for scripting. This can be done by launching an interactive shell and running the commands yourself.
3. The way configuration is passed into and out of the container is a bit kludgy. Hopefully future improvements in Docker volumes will make this a bit easier to handle.
3. The way configuration is passed into and out of the container is a bit kludgy. Hopefully, future improvements in Docker volumes will make this a bit easier to handle.

## Advanced Usage

8 changes: 4 additions & 4 deletions docs/deploy-from-macos.md
Expand Up @@ -8,7 +8,7 @@ Algo uses [Ansible](https://www.ansible.com) which requires Python 3. macOS incl

Catalina comes with Python 3 installed as `/usr/bin/python3`. This file, and certain others like `/usr/bin/git`, start out as stub files that prompt you to install the Command Line Developer Tools package the first time you run them. This is the easiest way to install Python 3 on Catalina.

Note that Python 3 from Command Line Developer Tools prior to the release for Xcode 11.5 on 2020-05-20 might not work with Algo. If Software Update does not offer to update an older version of the tools you can download a newer version from [here](https://developer.apple.com/download/more/) (Apple ID login required).
Note that Python 3 from Command Line Developer Tools prior to the release for Xcode 11.5 on 2020-05-20 might not work with Algo. If Software Update does not offer to update an older version of the tools, you can download a newer version from [here](https://developer.apple.com/download/more/) (Apple ID login required).

## macOS prior to 10.15 Catalina

Expand Down Expand Up @@ -45,19 +45,19 @@ brew uninstall python3

#### Option 2: Install the package from Python.org

If you don't want to install a package manager you can download the Python package for macOS from [python.org](https://www.python.org/downloads/mac-osx/).
If you don't want to install a package manager, you can download the Python package for macOS from [python.org](https://www.python.org/downloads/mac-osx/).

##### Installation

Download the most recent version of Python and install it like any other macOS package. Then initialize the CA certificate store from Finder by double-clicking on the file `Install Certificates.command` found in the `/Applications/Python 3.8` folder.

When you double-click on `Install Certificates.command` a new Terminal window will open. If the window remains blank then the command has not run correctly. This can happen if you've changed the default shell in Terminal Preferences. Try changing it back to the default and run `Install Certificates.command` again.
When you double-click on `Install Certificates.command` a new Terminal window will open. If the window remains blank, then the command has not run correctly. This can happen if you've changed the default shell in Terminal Preferences. Try changing it back to the default and run `Install Certificates.command` again.

After installation open a new tab or window in Terminal and verify that the command `which python3` returns either `/usr/local/bin/python3` or `/Library/Frameworks/Python.framework/Versions/3.8/bin/python3`.

##### Removal

Unfortunately the python.org package does not include an uninstaller and removing it requires several steps:
Unfortunately, the python.org package does not include an uninstaller and removing it requires several steps:

1. In Finder, delete the package folder found in `/Applications`.
2. In Finder, delete the *rest* of the package found under ` /Library/Frameworks/Python.framework/Versions`.
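Review bot: On the changed "When you double-click on `Install Certificates.command`" line, the comma is added in the second sentence ("If the window remains blank, then") but the first sentence has the same kind of introductory clause without one: "When you double-click on `Install Certificates.command` a new Terminal window will open". The unchanged "After installation open a new tab" sentence below follows the same pattern. Add those commas for consistency, and consider dropping "then" after the new comma.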