Go to file
2016-10-15 19:26:28 +02:00
configs ECDSA fixed 2016-07-24 14:44:59 +03:00
docs pull in changes from master 2016-10-15 19:26:28 +02:00
playbooks linting 2016-09-19 20:18:27 +03:00
roles pull in changes from master 2016-10-15 19:26:28 +02:00
.gitignore ssh fixes 2016-08-25 23:03:20 +03:00
algo pull in changes from master 2016-10-15 19:26:28 +02:00
ansible.cfg new iptabes deployment #61 2016-08-20 16:22:14 +03:00
azure.yml Split the features role in two #49 2016-08-17 23:26:17 +03:00
config.cfg Initial commit of reorg'd docs 2016-10-13 15:27:06 +02:00
CONTRIBUTING.md Initial commit of reorg'd docs 2016-10-13 15:27:06 +02:00
deploy.yml Initial commit of reorg'd docs 2016-10-13 15:27:06 +02:00
inventory Fixes for #53 2016-08-17 23:31:17 +03:00
LICENSE Initial commit 2016-05-14 23:42:49 -04:00
README.md pull in changes from master 2016-10-15 19:26:28 +02:00
requirements.txt Initial commit of reorg'd docs 2016-10-13 15:27:06 +02:00
users.yml Add the SSH role to the users-update playbook #92 fixed 2016-10-06 20:39:53 +03:00

Algo VPN

Slack Status

Algo VPN (short for "Al Gore", the Vice President of Networks everywhere for inventing the Internet) is a set of Ansible scripts that simplifies the setup of a personal IPSEC VPN. It contains the most secure defaults available, works with common cloud providers, and does not require client software on most devices.

Features

  • Supports only IKEv2 w/ a single cipher suite: AES GCM, SHA2 HMAC, and P-256 DH
  • Generates Apple Profiles to auto-configure iOS and macOS devices
  • Provides helper scripts to add and remove users
  • Blocks ads with a local DNS resolver and HTTP proxy (optional)
  • Sets up limited SSH tunnels for each user (optional)
  • Based on current versions of Ubuntu and StrongSwan
  • Installs to DigitalOcean, Amazon EC2, Google Cloud Engine, or your own server

Anti-features

  • Does not support legacy cipher suites or protocols like L2TP, IKEv1, or RSA
  • Does not install Tor, OpenVPN, or other risky servers
  • Does not depend on the security of TLS
  • Does not require client software on most platforms
  • Does not claim to provide anonymity or censorship avoidance
  • Does not claim to protect you from the FSB, MSS, DGSE, or FSM

Initial Setup

The easiest way to get an Algo server running is to let it setup a new virtual machine in the cloud for you.

  1. Install the dependencies on OS X or Linux:
sudo easy_install pip
sudo pip install -r requirements.txt
  1. Open the file config.cfg in your favorite text editor. Specify the users you wish to create in the users list.
  2. Start the deploy and follow the instructions:
./algo

That's it! You now have an Algo VPN server on the internet.

Note: for local or scripted deployment instructions see the Advanced Usage documentation.

User Management

Configuration Files

After Algo finishes setting up the server, you can find all the certificates and configuration files that users will need in the config directory. Make sure to adequately secure and transmit these files since many contain private keys.

  • [adsf].mobileconfig: Apple Configuration Profiles. These are all-in-one configuration files for iOS and macOS devices. Open them to a compatible device to fully configure the VPN. Note that they can be installed via AirDrop.
  • asdf
  • asdf

Adding or Removing Users

Algo's own scripts can easily add and remove users from the VPN server.

  1. Update the users list in your config.cfg
  2. Run the command:
./algo update-users

The Algo VPN server now only contains the users listed in the config.cfg file.

SSH Tunneling

If you turned on the optional SSH tunneling role, then local user accounts will be created for each user in config.cfg. None of these user accounts will have shell access and their SSH tunneling options are limited. This was done to ensure that users have the least access required to tunnel through the server.

Use the following command to SSH tunnel through the server:

asdf

asdf then explain the options used

FAQ

Has Algo been audited?

No. This project is under active development. We're happy to accept and fix issues as they are identified. Use Algo at your own risk.

Why aren't you using Tor?

The goal of this project is not to provide anonymity, but to ensure confidentiality of network traffic while traveling. Tor introduces new risks that are unsuitable for Algo's intended users. Namely, with Algo, users are in control over the gateway routing their traffic. With Tor, users are at the mercy of actively malicious exit nodes.

Why aren't you using Racoon, LibreSwan, or OpenSwan?

Racoon does not support IKEv2. Racoon2 supports IKEv2 but is not actively maintained. When we looked, the documentation for StrongSwan was better than the corresponding documentation for LibreSwan or OpenSwan. StrongSwan also has the benefit of a from-scratch rewrite to support IKEv2. I consider such rewrites a positive step when supporting a major new protocol version.

Why aren't you using a memory-safe or verified IKE daemon?

I would, but I don't know of any suitable ones. If you're in the position to fund the development of such a project, contact us. We would be interested in leading such an effort. At the very least, I plan to make modifications to StrongSwan and the environment it's deployed in that prevent or significantly complicate exploitation of any latent issues.

Why aren't you using OpenVPN?

OpenVPN does not have out-of-the-box client support on any major desktop or mobile operating system. This introduces user experience issues and requires the user to update and maintain the software themselves. OpenVPN depends on the security of TLS, both the protocol and its implementations, and we simply trust the server less due to past security incidents.

Why aren't you using Alpine Linux, OpenBSD, or HardenedBSD?

Alpine Linux is not supported out-of-the-box by any major cloud provider. We are interested in supporting Free-, Open-, and HardenedBSD. Follow along or contribute to our BSD support in this issue.