Go to file
Dan Guido 31d6bd39a1 The docs got out of sync with the scripts (#480)
* The docs got out of sync with the scripts

* restructure

* fix links
2017-04-23 16:36:30 -04:00
.github Update ISSUE_TEMPLATE.md 2017-04-12 20:14:27 +02:00
configs ECDSA fixed 2016-07-24 14:44:59 +03:00
docs The docs got out of sync with the scripts (#480) 2017-04-23 16:36:30 -04:00
library ec2_ami_copy boto3 module, KMS, tagging, AMI caching (Encrypted support) 2017-01-05 19:36:30 +00:00
playbooks Some enhances in the compat ciphers (#464) 2017-04-23 16:00:37 -04:00
roles Some enhances in the compat ciphers (#464) 2017-04-23 16:00:37 -04:00
tests Local openssl tasks (#169) 2017-02-03 14:24:02 -05:00
.gitignore Removing update to ~/.ssh/config #400 (#435) 2017-04-17 22:01:42 -04:00
.travis.yml Doc improvements (#479) 2017-04-23 14:54:54 -04:00
algo Update documentation to include minimum required IAM policy (#461) 2017-04-20 18:15:31 -04:00
ansible.cfg increase timeouts 2017-01-14 19:38:21 +03:00
config.cfg Move back to 16.04. Forgot to change after testing 2017-04-22 23:09:37 +02:00
CONTRIBUTING.md Doc improvements (#479) 2017-04-23 14:54:54 -04:00
deploy_client.yml Some fixes. Fedora client. Close #44 2017-03-04 23:05:02 +03:00
deploy.yml remove the proxy role #440 (#457) 2017-04-20 18:00:17 -04:00
inventory Fixes for #53 2016-08-17 23:31:17 +03:00
LICENSE Initial commit 2016-05-14 23:42:49 -04:00
logo.png Closes #82, again 2017-02-07 16:35:23 -05:00
README.md The docs got out of sync with the scripts (#480) 2017-04-23 16:36:30 -04:00
requirements.txt add msrestazure to the requirements #269 2017-04-05 16:14:11 +02:00
users.yml remove the proxy role #440 (#457) 2017-04-20 18:00:17 -04:00

Algo VPN

TravisCI Status Slack Status Twitter Flattr PayPal Patreon Bountysource

Algo VPN is a set of Ansible scripts that simplify the setup of a personal IPSEC VPN. It uses the most secure defaults available, works with common cloud providers, and does not require client software on most devices. See our release announcement for more information.

Features

  • Supports only IKEv2 with strong crypto: AES-GCM, SHA2, and P-256
  • Generates Apple profiles to auto-configure iOS and macOS devices
  • Includes a helper script to add and remove users
  • Blocks ads with a local DNS resolver (optional)
  • Sets up limited SSH users for tunneling traffic (optional)
  • Based on current versions of Ubuntu and strongSwan
  • Installs to DigitalOcean, Amazon EC2, Microsoft Azure, Google Compute Engine, or your own server

Anti-features

  • Does not support legacy cipher suites or protocols like L2TP, IKEv1, or RSA
  • Does not install Tor, OpenVPN, or other risky servers
  • Does not depend on the security of TLS
  • Does not require client software on most platforms
  • Does not claim to provide anonymity or censorship avoidance
  • Does not claim to protect you from the FSB, MSS, DGSE, or FSM

Deploy the Algo Server

The easiest way to get an Algo server running is to let it set up a new virtual machine in the cloud for you.

  1. Setup an account on a cloud hosting provider. Algo supports DigitalOcean (most user friendly), Amazon EC2, Google Compute Engine, and Microsoft Azure.

  2. Download Algo and unzip it in a convenient location on your local machine.

  3. Install Algo's core dependencies. Open the Terminal. The python interpreter you use to deploy Algo must be python2. If you don't know what this means, you're probably fine. cd into the algo-master directory where you unzipped Algo, then run:

    • macOS:
      $ python -m ensurepip --user
      $ python -m pip install --user --upgrade virtualenv
      
    • Linux (deb-based):
      $ sudo apt-get update && sudo apt-get install \
          build-essential \
          libssl-dev \
          libffi-dev \
          python-dev \
          python-pip \
          python-setuptools \
          python-virtualenv -y
      
    • Linux (rpm-based): See the Pre-Install Documentation for RedHat/CentOS 6.x
    • Windows: See the Windows documentation
  4. Install Algo's remaining dependencies for your operating system. Use the same terminal window as the previous step and run:

    $ python -m virtualenv env && source env/bin/activate && python -m pip install -U pip && python -m pip install -r requirements.txt
    

    On macOS, you may be prompted to install cc. You should press accept if so.

  5. Open config.cfg in your favorite text editor. Specify the users you wish to create in the users list.

  6. Start the deployment. Return to your terminal. In the Algo directory, run ./algo and follow the instructions. There are several optional features available. None are required for a fully functional VPN server. These optional features are described in greater detail in deploy-with-ansible.md.

That's it! You will get the message below when the server deployment process completes. You now have an Algo server on the internet. Take note of the p12 (user certificate) password in case you need it later.

You can now setup clients to connect it, e.g. your iPhone or laptop. Proceed to Configure the VPN Clients below.

        "\"#----------------------------------------------------------------------#\"",
        "\"#                          Congratulations!                            #\"",
        "\"#                     Your Algo server is running.                     #\"",
        "\"#    Config files and certificates are in the ./configs/ directory.    #\"",
        "\"#              Go to https://whoer.net/ after connecting               #\"",
        "\"#        and ensure that all your traffic passes through the VPN.      #\"",
        "\"#                    Local DNS resolver 172.16.0.1                     #\"",
        "\"#                The p12 and SSH keys password is XXXXXXXX             #\"",
        "\"#----------------------------------------------------------------------#\"",

Advanced users who want to install Algo on top of a server they already own or want to script the deployment of Algo onto a network of servers, please see the Deploy to Ubuntu documentation.

Configure the VPN Clients

Distribute the configuration files to your users, so they can connect to the VPN. Certificates and configuration files that users will need are placed in the configs directory. Make sure to secure these files since many contain private keys. All files are saved under a subdirectory named with the IP address of your new Algo VPN server.

Apple Devices

Find the corresponding mobileconfig (Apple Profile) for each user and send it to them over AirDrop or other secure means. Apple Configuration Profiles are all-in-one configuration files for iOS and macOS devices. On macOS, double-clicking a profile to install it will fully configure the VPN. On iOS, users are prompted to install the profile as soon as the AirDrop is accepted.

On iOS, you can connect to the VPN by opening Settings and clicking the toggle next to "VPN" near the top of the list. On macOS, you can connect to the VPN by opening System Preferences -> Network, finding Algo VPN in the left column and clicking "Connect." On macOS, we recommend checking "Show VPN status in menu bar" too which lets you connect and disconnect from the menu bar.

If you enabled "On Demand", the VPN will connect automatically whenever it is able. On iOS, you can turn off "On Demand" by clicking the (i) next to the entry for Algo VPN and toggling off "Connect On Demand." On macOS, you can turn off "On Demand" by opening the Network Preferences, finding Algo VPN in the left column, and unchecking the box for "Connect on demand."

Android Devices

You need to install the strongSwan VPN Client for Android 4 and newer because no version of Android supports IKEv2. Import the corresponding user.p12 certificate to your device. See the Android setup instructions for more detailed steps.

Windows

Windows clients have a more complicated setup than most others. Follow the steps below to set one up:

  1. Copy the CA certificate (cacert.pem), user certificate ($user.p12), and the user PowerShell script (windows_$user.ps1) to the client computer.
  2. Import the CA certificate to the local machine Trusted Root certificate store.
  3. Open PowerShell as Administrator. Navigate to your copied files.
  4. If you haven't already, you will need to change the Execution Policy to allow unsigned scripts to run.
Set-ExecutionPolicy Unrestricted -Scope CurrentUser
  1. In the same PowerShell window, run the included PowerShell script to import the user certificate, set up a VPN connection, and activate stronger ciphers on it.
  2. After you execute the user script, set the Execution Policy back before you close the PowerShell window.
Set-ExecutionPolicy Restricted -Scope CurrentUser

Your VPN is now installed and ready to use.

If you want to perform these steps by hand, you will need to import the user certificate to the Personal certificate store, add an IKEv2 connection in the network settings, then activate stronger ciphers on it via the following PowerShell script:

Set-VpnConnectionIPsecConfiguration -ConnectionName "Algo" -AuthenticationTransformConstants GCMAES128 -CipherTransformConstants GCMAES128 -EncryptionMethod AES128 -IntegrityCheckMethod SHA384 -DHGroup ECP256 -PfsGroup none

Linux Network Manager Clients (e.g., Ubuntu, Debian, or Fedora Desktop)

Network Manager does not support AES-GCM. In order to support Linux Desktop clients, please choose the "compatible" cryptography and use at least Network Manager 1.4.1. See Issue #263 for more information.

Linux strongSwan Clients (e.g., OpenWRT, Ubuntu Server, etc.)

Install strongSwan, then copy the included ipsec_user.conf, ipsec_user.secrets, user.crt (user certificate), and user.key (private key) files to your client device. These will require customization based on your exact use case. These files were originally generated with a point-to-point OpenWRT-based VPN in mind.

Ubuntu Server 16.04 example

  1. sudo apt-get install strongswan strongswan-plugin-openssl: install strongSwan
  2. /etc/ipsec.d/certs: copy user.crt from algo-master/configs/<name>/pki/certs
  3. /etc/ipsec.d/private: copy user.key from algo-master/configs/<name>/pki/private
  4. /etc/ipsec.d/cacerts: copy cacert.pem from algo-master/configs/<name>/cacert.pem
  5. /etc/ipsec.secrets: add your user.key to the list, e.g. xx.xxx.xx.xxx : ECDSA user.key
  6. /etc/ipsec.conf: add the connection from ipsec_user.conf and update leftcert to match the user.crt filename
  7. sudo ipsec restart: pick up config changes
  8. sudo ipsec up <conn-name>: start the ipsec tunnel
  9. sudo ipsec down <conn-name>: shutdown the ipsec tunnel

One common use case is to let your server access your local LAN without going through the VPN. Set up a passthrough connection by adding the following to /etc/ipsec.conf. Replace 192.168.1.1/24 with the subnet your LAN uses:

conn lan-passthrough
leftsubnet=192.168.1.1/24
rightsubnet=192.168.1.1/24
authby=never # No authentication necessary
type=pass # passthrough
auto=route # no need to ipsec up lan-passthrough

Other Devices

Depending on the platform, you may need one or multiple of the following files.

  • cacert.pem: CA Certificate
  • user.mobileconfig: Apple Profile
  • user.p12: User Certificate and Private Key (in PKCS#12 format)
  • user.sswan: Android strongSwan Profile
  • ipsec_user.conf: strongSwan client configuration
  • ipsec_user.secrets: strongSwan client configuration
  • windows_user.ps1: Powershell script to help setup a VPN connection on Windows

Setup an SSH Tunnel

If you turned on the optional SSH tunneling role, then local user accounts will be created for each user in config.cfg and an SSH authorized_key files for them will be in the configs directory (user.ssh.pem). SSH user accounts do not have shell access, cannot authenticate with a password, and only have limited tunneling options (e.g., ssh -N is required). This is done to ensure that SSH users have the least access required to tunnel through the server and can perform no other actions.

Use the example command below to start an SSH tunnel by replacing user and ip with your own. Once the tunnel is setup, you can configure a browser or other application to use 127.0.0.1:1080 as a SOCKS proxy to route traffic through the Algo server.

ssh -D 127.0.0.1:1080 -f -q -C -N user@ip -i configs/ip_user.ssh.pem

SSH into Algo Server

To SSH into the Algo server for administrative purposes you can use the example command below by replacing ip with your own:

ssh ubuntu@ip -i ~/.ssh/algo.pem

If you find yourself regularly logging into Algo then it will be useful to load your Algo ssh key automatically. Add the following snippet to the bottom of ~/.bash_profile to add it to your shell environment permanently.

ssh-add ~/.ssh/algo > /dev/null 2>&1

Adding or Removing Users

Algo's own scripts can easily add and remove users from the VPN server.

  1. Update the users list in your config.cfg
  2. Open a terminal, cd to the algo directory, and activate the virtual environment with source env/bin/activate
  3. Run the command: ./algo update-users

The Algo VPN server now contains only the users listed in the config.cfg file.

Additional Documentation

Endorsements

I've been ranting about the sorry state of VPN svcs for so long, probably about time to give a proper talk on the subject. TL;DR: use Algo.

-- Kenn White

Before picking a VPN provider/app, make sure you do some research https://research.csiro.au/ng/wp-content/uploads/sites/106/2016/08/paper-1.pdf ... or consider Algo

-- The Register

Algo is really easy and secure.

-- the grugq

I played around with Algo VPN, a set of scripts that let you set up a VPN in the cloud in very little time, even if you dont know much about development. Ive got to say that I was quite impressed with Trail of Bits approach.

-- Romain Dillet for TechCrunch

If youre uncomfortable shelling out the cash to an anonymous, random VPN provider, this is the best solution.

-- Thorin Klosowski for Lifehacker

Support Algo VPN

All donations support continued development. Thanks!

  • We accept donations via PayPal, Patreon, and Flattr.
  • Use our referral code when you sign up to Digital Ocean for a $10 credit.
  • We also accept and appreciate contributions of new code and bugfixes via Github Pull Requests.