@ -6,13 +6,13 @@ Algo VPN (short for "Al Gore", the **V**ice **P**resident of **N**etworks everyw
## Features
* Supports only IKEv2
* Supports only a single cipher suite w/ AES GCM, SHA2 HMAC, and P-256 DH
* Generates mobileconfig profiles to auto-configure Apple devices
* Supports only IKEv2 w/ a single cipher suite: AES-GCM, HMAC-SHA2, and P-256 DH
* Generates Apple Profiles to auto-configure iOS and macOS devices
* Provides helper scripts to add and remove users
* Blocks ads with a local DNS resolver and HTTP proxy (optional)
* Based on current versions of Ubuntu and StrongSwan
* Installs to DigitalOcean, Amazon EC2, Google Cloud Engine, or your own server
* Sets up limited SSH users for tunneling traffic (optional)
* Based on current versions of Ubuntu and strongSwan
* Installs to DigitalOcean, Amazon EC2, Google Cloud Engine, Microsoft Azure or your own server
## Anti-features
@ -23,123 +23,90 @@ Algo VPN (short for "Al Gore", the **V**ice **P**resident of **N**etworks everyw
* Does not claim to provide anonymity or censorship avoidance
* Does not claim to protect you from the [FSB](https://en.wikipedia.org/wiki/Federal_Security_Service), [MSS](https://en.wikipedia.org/wiki/Ministry_of_State_Security_(China)), [DGSE](https://en.wikipedia.org/wiki/Directorate-General_for_External_Security), or [FSM](https://en.wikipedia.org/wiki/Flying_Spaghetti_Monster)
## Included Roles
Ansible scripts are organized into roles. The roles used by Algo are described in detail below.
### Required Roles
* **Common**
* Installs several required packages and software updates, then reboots if necessary
* Configures network interfaces and enables packet forwarding on them
* **VPN**
* Installs [StrongSwan](https://www.strongswan.org/), enables AppArmor, limits CPU and memory access, and drops user privileges
* Builds a Certificate Authority (CA) with [easy-rsa-ipsec](https://github.com/ValdikSS/easy-rsa-ipsec) and creates one client certificate per user
* Bundles the appropriate certificates into Apple mobileconfig profiles for each user
### Optional Roles
* **Security Enhancements**
* Enables [unattended-upgrades](https://help.ubuntu.com/community/AutomaticSecurityUpdates) to ensure available patches are always applied
* Modify operating system features like core dumps, kernel parameters, and SUID binaries to limit possible attacks
* Modifies SSH to use only modern ciphers and a seccomp sandbox, and restricts access to many legacy and unwanted features, like X11 forwarding and SFTP
* Configures IPtables to block traffic that might pose a risk to VPN users, such as [SMB/CIFS](https://medium.com/@ValdikSS/deanonymizing-windows-users-and-capturing-microsoft-and-vpn-accounts-f7e53fe73834)
* **Ad Blocking and Compression HTTP Proxy**
* Installs [Privoxy](https://www.privoxy.org/) with an ad blocking ruleset
* Installs Apache with [mod_pagespeed](http://modpagespeed.com/) as an HTTP proxy
* Constrains Privoxy and Apache with AppArmor and cgroups CPU and memory limitations
* **DNS Ad Blocking**
* Install the [dnsmasq](http://www.thekelleys.org.uk/dnsmasq/doc.html) local resolver with a blacklist for advertising domains
* Constrains dnsmasq with AppArmor and cgroups CPU and memory limitations
* **Security Monitoring and Logging**
* Configures [auditd](https://access.redhat.com/documentation/en-US/Red_Hat_Enterprise_Linux/6/html/Security_Guide/chap-system_auditing.html) and rsyslog to log data useful for investigating security incidents
* Emails aggregated Logs to a configured address on a regular basis
* **SSH Tunneling**
* Adds a restricted `algo` group to SSH with no shell access and limited forwarding options
* Creates one limited, local account per user and an SSH public key for each
## Usage
### Warning
If you run Algo on your existing server, the iptables rules will be overwritten. If you don't want to overwite the rules, just skip the `iptables` tag. (You can find some information about tags [here](https://github.com/trailofbits/algo/blob/master/ADVANCED.md))
* [libcloud](https://curl.haxx.se/docs/caextract.html) (for Mac OS)
* [six](https://github.com/JioCloud/python-six)
* SHell or BASH
* libselinux-python (for RedHat based distros)
### Roles and Tags
**Cloud roles:**
- role: cloud-digitalocean, tags: digitalocean
- role: cloud-ec2, tags: ec2
- role: cloud-gce, tags: gce
**Server roles:**
- role: vpn, tags: vpn
- role: dns_adblocking, tags: dns, adblock
- role: proxy, tags: proxy, adblock
- role: logging, tags: logging
- role: security, tags: security
- role: ssh_tunneling, tags: ssh_tunneling
### Cloud Deployment
To install the dependencies on OS X or Linux:
```
sudo easy_install pip
sudo pip install -r requirements.txt
```
Open the file `config.cfg` in your favorite text editor. Specify the users you wish to create in the `users` list.
Start the deploy and follow the instructions:
```
./algo
```
When the process is done, you can find `.mobileconfig` files and certificates in the `configs` directory. Send the `.mobileconfig` profile to users with Apple devices. Note that profile installation is supported over AirDrop. Do not send the mobileconfig file over plaintext (e.g., e-mail) since it contains the keys to access the VPN. For those using other clients, like Windows or Android, securely send them the X.509 certificates for the server and their user.
### Local Deployment
It is possible to download Algo to your own Ubuntu server and run the scripts locally. You need to install ansible to run Algo on Ubuntu. Installing ansible via pip requires pulling in a lot of dependencies, including a full compiler suite. It is easier to use apt, however, Ubuntu 16.04 only comes with ansible 2.0.0.2. Therefore, to use apt you must use the ansible PPA and using a PPA requires installing `software-properties-common`. tl;dr:
2. Open the file `config.cfg` in your favorite text editor. Specify the users you wish to create in the `users` list.
3. Start the deploy and follow the instructions: `./algo`
That's it! You now have an Algo VPN server on the internet.
Note: for local or scripted deployment instructions see the [Advanced Usage](/docs/ADVANCED.md) documentation.
## Configure the VPN Clients
Certificates and configuration files that users will need are placed in the `configs` directory. Make sure to secure these files since many contain private keys. All files are prefixed with the IP address of the Algo VPN server.
### Apple Devices
Find the corresponding mobileconfig (Apple Profile) for each user and send it to them over AirDrop (or other secure means). Apple Configuration Profiles are all-in-one configuration files for iOS and macOS devices and installing a profile will fully configure the VPN.
### Android Devices
You need to install the [StrongSwan VPN Client for Android 4 and newer](https://play.google.com/store/apps/details?id=org.strongswan.android). Import the corresponding user.p12 certificate to your device. It's very simple to configure the StrongSwan VPN Client, just make a new profile with the IP address of your VPN server and choose which certificate to use.
### Windows
Import your user certificate to your Personal certificate store and your CA certificate to the Local Machine Trusted Root certificate store. Then, add an IKEv2 connection in the network settings and activate additional ciphers for it via Powershell (change the ConnectionName to the name of your IKEv2 connection):
Note that an all-in-one Powershell script that imports your personal certificate, sets up the VPN connection, and activates the stronger ciphers for it is included in the `configs` folder.
### StrongSwan Clients (e.g., OpenWRT)
Find the included user_ipsec.conf, user_ipsec.secrets, user.crt (user certificate), and user.key (private key) files and copy them to your client device. These may be useful if you plan to set up a point-to-point VPN with OpenWRT or other custom device.
### Other Devices
Depending on the platform, you may need one or multiple of the following files.
* user.p12: User Certificate and Private Key (in PKCS#12 format)
* user_windows.ps1: Powershell script to setup a VPN connection on Windows
## Setup an SSH Tunnel
If you turned on the optional SSH tunneling role, then local user accounts will be created for each user in `config.cfg` and an SSH authorized_key files for them will be in the `configs` directory (user.ssh.pem). SSH user accounts do not have shell access and their tunneling options are limited (`ssh -N` is required). This is done to ensure that users have the least access required to tunnel through the server.
Use the command below to start an SSH tunnel, replacing `ip` and `user` with your own. Once the tunnel is setup, you can configure a browser or other application to use 127.0.0.1:1080 as a SOCKS proxy to route traffic through Algo.
Algo's own scripts can easily add and remove users from the VPN server.
1. Update the `users` list in your `config.cfg`
2. Run the command: `./algo update-users`
The Algo VPN server now contains only the users listed in the `config.cfg` file.
## FAQ
### Has this been audited?
### Has Algo been audited?
No. This project is under active development. We're happy to [accept and fix issues](https://github.com/trailofbits/algo/issues) as they are identified. Use algo at your own risk.
No. This project is under active development. We're happy to [accept and fix issues](https://github.com/trailofbits/algo/issues) as they are identified. Use Algo at your own risk.
### Why aren't you using Tor?
The goal of this project is not to provide anonymity, but to ensure confidentiality of network traffic while traveling. Tor introduces new risks that are unsuitable for Algo's intended users. Namely, with algo, users are in control over the gateway routing their traffic. With Tor, users are at the mercy of [actively](https://www.securityweek2016.tu-darmstadt.de/fileadmin/user_upload/Group_securityweek2016/pets2016/10_honions-sanatinia.pdf) [malicious](https://chloe.re/2015/06/20/a-month-with-badonions/) [exit](https://community.fireeye.com/people/archit.mehta/blog/2014/11/18/onionduke-apt-malware-distributed-via-malicious-tor-exit-node) [nodes](https://www.wired.com/2010/06/wikileaks-documents/).
The goal of this project is not to provide anonymity, but to ensure confidentiality of network traffic while traveling. Tor introduces new risks that are unsuitable for Algo's intended users. Namely, with Algo, users are in control over the gateway routing their traffic. With Tor, users are at the mercy of [actively](https://www.securityweek2016.tu-darmstadt.de/fileadmin/user_upload/Group_securityweek2016/pets2016/10_honions-sanatinia.pdf) [malicious](https://chloe.re/2015/06/20/a-month-with-badonions/) [exit](https://community.fireeye.com/people/archit.mehta/blog/2014/11/18/onionduke-apt-malware-distributed-via-malicious-tor-exit-node) [nodes](https://www.wired.com/2010/06/wikileaks-documents/).
### Why aren't you using Racoon, LibreSwan, or OpenSwan?
Raccoon does not support IKEv2. Racoon2 supports IKEv2 but is not actively maintained. When we looked, the documentation for StrongSwan was better than the corresponding documentation for LibreSwan or OpenSwan. StrongSwan also has the benefit of a from-scratch rewrite to support IKEv2. I consider such rewrites a positive step when supporting a major new protocol version.
Racoon does not support IKEv2. Racoon2 supports IKEv2 but is not actively maintained. When we looked, the documentation for StrongSwan was better than the corresponding documentation for LibreSwan or OpenSwan. StrongSwan also has the benefit of a from-scratch rewrite to support IKEv2. I consider such rewrites a positive step when supporting a major new protocol version.
### Why aren't you using a memory-safe or verified IKE daemon?
@ -151,4 +118,4 @@ OpenVPN does not have out-of-the-box client support on any major desktop or mobi
### Why aren't you using Alpine Linux, OpenBSD, or HardenedBSD?
Alpine Linux is not supported out-of-the-box by any major cloud provider. We are interested in supporting Free, Open, and HardenedBSD. Follow along on our progress in [this issue](https://github.com/trailofbits/algo/issues/35).
Alpine Linux is not supported out-of-the-box by any major cloud provider. We are interested in supporting Free-, Open-, and HardenedBSD. Follow along or contribute to our BSD support in [this issue](https://github.com/trailofbits/algo/issues/35).
- name:Configure the server and install required software
hosts:localhost
gather_facts:false
vars:
regions:
"1": "East US"
"2": "West US"
"3": "South Central US"
"4": "North Europe"
"5": "East Asia"
"6": "Japan East"
"7": "West Europe"
"8": "Southeast Asia"
"9": "Japan West"
"10": "North Central US"
"11": "Central US"
"12": "Brazil South"
"13": "East US 2"
"14": "Australia Southeast"
"15": "Australia East"
#vars_prompt:
#- name: "azure_subscription_id"
#prompt: "Enter your subscription ID (https://blogs.msdn.microsoft.com/mschray/2015/05/13/getting-your-azure-guid-subscription-id/):\n"
#private: yes
#- name: "management_cert_path"
#prompt: "Enter the local path to your management cert [ex: ~/.ssh/id_rsa.pub] (https://azure.microsoft.com/en-us/documentation/articles/azure-api-management-certs/):\n"
#private: no
#- name: "ssh_public_key"
#prompt: "Enter the local path to your SSH public key [ex: ~/.ssh/id_rsa.pub] :\n"
#private: no
#- name: "region"
#prompt: >
#What region should the server be located in?
#1. East US
#2. West US
#3. South Central US
#4. North Europe
#5. East Asia
#6. Japan East
#7. West Europe
#8. Southeast Asia
#9. Japan West
#10. North Central US
#11. Central US
#12. Brazil South
#13. East US 2
#14. Australia Southeast
#15. Australia East
#Enter the number of your desired region:
#default: "7"
#private: no
#- name: "azure_server_name"
#prompt: "Name the vpn server:\n"
#default: "algo.local"
#private: no
#- name: "dns_enabled"
#prompt: "Do you want to use a local DNS resolver to block ads while surfing? (Y or N):\n"
#default: "Y"
#private: no
#- name: "auditd_enabled"
#prompt: "Do you want to use auditd ? (Y or N):\n"
Before you begin, make sure you have installed all the dependencies necessary for your use case. Algo depends on the software below and most of it will be installed via the `requirements.txt` file.
* [libcloud](https://curl.haxx.se/docs/caextract.html) (for Mac OS)
* [six](https://github.com/JioCloud/python-six)
* SHell or BASH
* libselinux-python (for RedHat based distros)
## Local Deployment
**Warning**: If you run Algo on your existing server, the iptables rules will be overwritten. If you don't want to overwite the rules, just skip the `iptables` tag. You can find some information about tags below.
It is possible to download the Algo scripts to your own Ubuntu server and run the scripts locally. You need to install ansible to run Algo on Ubuntu. Installing ansible via pip requires pulling in a lot of dependencies, including a full compiler suite. It is easier to use apt, however, Ubuntu 16.04 only comes with ansible 2.0.0.2. Therefore, to use apt you must use the ansible PPA, and using a PPA requires installing `software-properties-common`.
* Installs several required packages and software updates, then reboots if necessary
* Configures network interfaces and enables packet forwarding on them
* **VPN**
* Installs [StrongSwan](https://www.strongswan.org/), enables AppArmor, limits CPU and memory access, and drops user privileges
* Builds a Certificate Authority (CA) with [easy-rsa-ipsec](https://github.com/ValdikSS/easy-rsa-ipsec) and creates one client certificate per user
* Bundles the appropriate certificates into Apple mobileconfig profiles for each user
* Configures IPtables to block traffic that might pose a risk to VPN users, such as [SMB/CIFS](https://medium.com/@ValdikSS/deanonymizing-windows-users-and-capturing-microsoft-and-vpn-accounts-f7e53fe73834)
## Optional Roles
* **Security Enhancements (Reccommended)**
* Enables [unattended-upgrades](https://help.ubuntu.com/community/AutomaticSecurityUpdates) to ensure available patches are always applied
* Modify features like core dumps, kernel parameters, and SUID binaries to limit possible attacks
* Enhances SSH with modern ciphers and seccomp, and restricts access to older, unwanted features like X11 forwarding and SFTP
* **Ad Blocking and Compression HTTP Proxy**
* Installs [Privoxy](https://www.privoxy.org/) with an ad blocking ruleset
* Installs Apache with [mod_pagespeed](http://modpagespeed.com/) as an HTTP proxy
* Constrains Privoxy and Apache with AppArmor and cgroups CPU and memory limitations
* **DNS Ad Blocking**
* Install the [dnsmasq](http://www.thekelleys.org.uk/dnsmasq/doc.html) local resolver with a blacklist for advertising domains
* Constrains dnsmasq with AppArmor and cgroups CPU and memory limitations
* **Security Monitoring and Logging**
* Configures [auditd](https://access.redhat.com/documentation/en-US/Red_Hat_Enterprise_Linux/6/html/Security_Guide/chap-system_auditing.html) and rsyslog to log data useful for investigating security incidents
* Sends logs to a configured email address on a regular basis
* **SSH Tunneling**
* Adds a restricted `algo` group with no shell access and limited SSH forwarding options
* Creates one limited, local account per user and an SSH public key for each
{% if service_dns is defined and service_dns == "Y" %}
{% if local_dns is defined and local_dns == "Y" %}
rightdns={{ local_service_ip }}
{% else %}
rightdns={% for host in dns_servers %}{{ host }}{% if not loop.last %},{% endif %}{% endfor %}
rightdns={% for host in dns_servers.ipv4 %}{{ host }}{% if not loop.last %},{% endif %}{% endfor %}{% if ipv6_support is defined and ipv6_support == "yes" %},{% for host in dns_servers.ipv6 %}{{ host }}{% if not loop.last %},{% endif %}{% endfor %}{% endif %}
{% if (OnDemandEnabled_WIFI is defined and OnDemandEnabled_WIFI == 'Y') or (OnDemandEnabled_Cellular is defined and OnDemandEnabled_Cellular == 'Y') %}
<key>OnDemandEnabled</key>
<integer>1</integer>
<key>OnDemandRules</key>
<array>
{% if OnDemandEnabled_WIFI_ECXLUDE is defined and OnDemandEnabled_WIFI_ECXLUDE != '_null' %}
{% set WIFI_ECXLUDE_LIST = OnDemandEnabled_WIFI_ECXLUDE.split(',') %}
<dict>
<key>Action</key>
<string>Disconnect</string>
<key>InterfaceTypeMatch</key>
<string>WiFi</string>
<key>SSIDMatch</key>
<array>
{% for network_name in WIFI_ECXLUDE_LIST %}
<string>{{ network_name }}</string>
{% endfor %}
</array>
</dict>
{% else %}
{% endif %}
<dict>
<key>Action</key>
{% if OnDemandEnabled_WIFI is defined and OnDemandEnabled_WIFI == 'Y' %}
<string>Connect</string>
{% else %}
<string>Disconnect</string>
{% endif %}
<key>InterfaceTypeMatch</key>
<string>WiFi</string>
</dict>
<dict>
<key>Action</key>
{% if OnDemandEnabled_Cellular is defined and OnDemandEnabled_Cellular == 'Y' %}