Go to file
2016-10-16 15:27:05 +03:00
configs ECDSA fixed 2016-07-24 14:44:59 +03:00
playbooks linting 2016-09-19 20:18:27 +03:00
roles client configuration templates #43 2016-10-16 15:27:05 +03:00
.gitignore ssh fixes 2016-08-25 23:03:20 +03:00
ADVANCED.md some fixes 2016-09-26 15:43:19 +03:00
algo resolves #99 2016-10-13 14:45:41 +00:00
ansible.cfg new iptabes deployment #61 2016-08-20 16:22:14 +03:00
azure.yml Split the features role in two #49 2016-08-17 23:26:17 +03:00
config.cfg client configuration templates #43 2016-10-16 15:27:05 +03:00
CONTRIBUTING.md Update CONTRIBUTING.md 2016-08-24 09:31:52 +02:00
deploy.yml linting 2016-09-19 20:18:27 +03:00
inventory Fixes for #53 2016-08-17 23:31:17 +03:00
LICENSE Initial commit 2016-05-14 23:42:49 -04:00
README.md Merge branch 'master' of github.com:trailofbits/algo 2016-10-14 19:26:36 +03:00
requirements.txt Make a requirements.txt for pip #58 2016-08-20 14:23:06 +03:00
users.yml Add the SSH role to the users-update playbook #92 fixed 2016-10-06 20:39:53 +03:00

Algo VPN

Slack Status

Algo VPN (short for "Al Gore", the Vice President of Networks everywhere for inventing the Internet) is a set of Ansible scripts that simplifies the setup of a personal IPSEC VPN. It contains the most secure defaults available, works with common cloud providers, and does not require client software on most devices.

Features

  • Supports only IKEv2
  • Supports only a single cipher suite w/ AES GCM, SHA2 HMAC, and P-256 DH
  • Generates mobileconfig profiles to auto-configure Apple devices
  • Provides helper scripts to add and remove users
  • Blocks ads with a local DNS resolver and HTTP proxy (optional)
  • Based on current versions of Ubuntu and StrongSwan
  • Installs to DigitalOcean, Amazon EC2, Google Cloud Engine, or your own server

Anti-features

  • Does not support legacy cipher suites or protocols like L2TP, IKEv1, or RSA
  • Does not install Tor, OpenVPN, or other risky servers
  • Does not depend on the security of TLS
  • Does not require client software on most platforms
  • Does not claim to provide anonymity or censorship avoidance
  • Does not claim to protect you from the FSB, MSS, DGSE, or FSM

Included Roles

Ansible scripts are organized into roles. The roles used by Algo are described in detail below.

Required Roles

  • Common
    • Installs several required packages and software updates, then reboots if necessary
    • Configures network interfaces and enables packet forwarding on them
  • VPN
    • Installs StrongSwan, enables AppArmor, limits CPU and memory access, and drops user privileges
    • Builds a Certificate Authority (CA) with easy-rsa-ipsec and creates one client certificate per user
    • Bundles the appropriate certificates into Apple mobileconfig profiles for each user

Optional Roles

  • Security Enhancements
    • Enables unattended-upgrades to ensure available patches are always applied
    • Modify operating system features like core dumps, kernel parameters, and SUID binaries to limit possible attacks
    • Modifies SSH to use only modern ciphers and a seccomp sandbox, and restricts access to many legacy and unwanted features, like X11 forwarding and SFTP
    • Configures IPtables to block traffic that might pose a risk to VPN users, such as SMB/CIFS
  • Ad Blocking and Compression HTTP Proxy
    • Installs Privoxy with an ad blocking ruleset
    • Installs Apache with mod_pagespeed as an HTTP proxy
    • Constrains Privoxy and Apache with AppArmor and cgroups CPU and memory limitations
  • DNS Ad Blocking
    • Install the dnsmasq local resolver with a blacklist for advertising domains
    • Constrains dnsmasq with AppArmor and cgroups CPU and memory limitations
  • Security Monitoring and Logging
    • Configures auditd and rsyslog to log data useful for investigating security incidents
    • Emails aggregated Logs to a configured address on a regular basis
  • SSH Tunneling
    • Adds a restricted algo group to SSH with no shell access and limited forwarding options
    • Creates one limited, local account per user and an SSH public key for each

Usage

Warning

If you run Algo on your existing server, the iptables rules will be overwritten. If you don't want to overwite the rules, just skip the iptables tag. (You can find some information about tags here)

Requirements

Roles and Tags

Cloud roles:

  • role: cloud-digitalocean, tags: digitalocean
  • role: cloud-ec2, tags: ec2
  • role: cloud-gce, tags: gce

Server roles:

  • role: vpn, tags: vpn
  • role: dns_adblocking, tags: dns, adblock
  • role: proxy, tags: proxy, adblock
  • role: logging, tags: logging
  • role: security, tags: security
  • role: ssh_tunneling, tags: ssh_tunneling

Cloud Deployment

To install the dependencies on OS X or Linux:

sudo easy_install pip
sudo pip install -r requirements.txt

Open the file config.cfg in your favorite text editor. Specify the users you wish to create in the users list.

Start the deploy and follow the instructions:

./algo

When the process is done, you can find .mobileconfig files and certificates in the configs directory. Send the .mobileconfig profile to users with Apple devices. Note that profile installation is supported over AirDrop. Do not send the mobileconfig file over plaintext (e.g., e-mail) since it contains the keys to access the VPN. For those using other clients, like Windows or Android, securely send them the X.509 certificates for the server and their user.

Local Deployment

It is possible to download Algo to your own Ubuntu server and run the scripts locally. You need to install ansible to run Algo on Ubuntu. Installing ansible via pip requires pulling in a lot of dependencies, including a full compiler suite. It is easier to use apt, however, Ubuntu 16.04 only comes with ansible 2.0.0.2. Therefore, to use apt you must use the ansible PPA and using a PPA requires installing software-properties-common. tl;dr:

sudo apt-get install software-properties-common && sudo apt-add-repository ppa:ansible/ansible
sudo apt-get update && sudo apt-get install ansible
git clone https://github.com/trailofbits/algo
cd algo && ./algo

User Management

If you want to add or delete users, update the users list in config.cfg and run the command:

./algo update-users

FAQ

Has this been audited?

No. This project is under active development. We're happy to accept and fix issues as they are identified. Use algo at your own risk.

Why aren't you using Tor?

The goal of this project is not to provide anonymity, but to ensure confidentiality of network traffic while traveling. Tor introduces new risks that are unsuitable for Algo's intended users. Namely, with algo, users are in control over the gateway routing their traffic. With Tor, users are at the mercy of actively malicious exit nodes.

Why aren't you using Racoon, LibreSwan, or OpenSwan?

Raccoon does not support IKEv2. Racoon2 supports IKEv2 but is not actively maintained. When we looked, the documentation for StrongSwan was better than the corresponding documentation for LibreSwan or OpenSwan. StrongSwan also has the benefit of a from-scratch rewrite to support IKEv2. I consider such rewrites a positive step when supporting a major new protocol version.

Why aren't you using a memory-safe or verified IKE daemon?

I would, but I don't know of any suitable ones. If you're in the position to fund the development of such a project, contact us. We would be interested in leading such an effort. At the very least, I plan to make modifications to StrongSwan and the environment it's deployed in that prevent or significantly complicate exploitation of any latent issues.

Why aren't you using OpenVPN?

OpenVPN does not have out-of-the-box client support on any major desktop or mobile operating system. This introduces user experience issues and requires the user to update and maintain the software themselves. OpenVPN depends on the security of TLS, both the protocol and its implementations, and we simply trust the server less due to past security incidents.

Why aren't you using Alpine Linux, OpenBSD, or HardenedBSD?

Alpine Linux is not supported out-of-the-box by any major cloud provider. We are interested in supporting Free, Open, and HardenedBSD. Follow along on our progress in this issue.