35faf4bca7
* Draft works with ECDSA RSA support for Windows * update-users with local_openssl_tasks * move prompts to the algo script * additional directory for SSH keys * move easyrsa_p12_export_password to pre_tasks * update-users testing * Fix hardcoded vars * Delete the CA key * Hardcoded IP. Fixes #219 * Some fixes |
||
---|---|---|
.github | ||
configs | ||
docs | ||
library | ||
playbooks | ||
roles | ||
tests | ||
.gitignore | ||
.travis.yml | ||
algo | ||
ansible.cfg | ||
config.cfg | ||
CONTRIBUTING.md | ||
deploy.yml | ||
inventory | ||
LICENSE | ||
logo.png | ||
README.md | ||
requirements.txt | ||
users.yml |
Algo VPN
Algo VPN (short for "Al Gore", the Vice President of Networks everywhere for inventing the Internet) is a set of Ansible scripts that simplifies the setup of a personal IPSEC VPN. It contains the most secure defaults available, works with common cloud providers, and does not require client software on most devices.
Features
- Supports only IKEv2 w/ a single cipher suite: AES-GCM, HMAC-SHA2, and P-256 DH
- Generates Apple Profiles to auto-configure iOS and macOS devices
- Provides helper scripts to add and remove users
- Blocks ads with a local DNS resolver and HTTP proxy (optional)
- Sets up limited SSH users for tunneling traffic (optional)
- Based on current versions of Ubuntu and strongSwan
- Installs to DigitalOcean, Amazon EC2, Google Compute Engine, Microsoft Azure, or your own server
Anti-features
- Does not support legacy cipher suites or protocols like L2TP, IKEv1, or RSA
- Does not install Tor, OpenVPN, or other risky servers
- Does not depend on the security of TLS
- Does not require client software on most platforms
- Does not claim to provide anonymity or censorship avoidance
- Does not claim to protect you from the FSB, MSS, DGSE, or FSM
Deploy the Algo Server
The easiest way to get an Algo server running is to let it set up a new virtual machine in the cloud for you.
- Setup an account on a cloud hosting provider. Algo supports DigitalOcean (most user friendly), Amazon EC2, Google Compute Engine, and Microsoft Azure.
- Download Algo
- Install Algo's dependencies for your operating system. To do this, open a terminal and
cd
into the directory where you downloaded Algo, then:
macOS: sudo easy_install pip && sudo pip install --ignore-install -r requirements.txt
Linux (deb-based): sudo apt-get update && sudo apt-get install python-pip build-essential libssl-dev libffi-dev python-dev -y && sudo pip install -r requirements.txt
Linux (rpm-based): See the Pre-Install Documentation for RedHat/CentOS 6.x
- Open
config.cfg
in your favorite text editor. Specify the users you wish to create in theusers
list. - Start the deployment. Return to your terminal. In the Algo directory, run
./algo
and follow the instructions. There are several optional features available. None are required for a fully functional VPN server. These optional features are described in greater detail in ROLES.md.
That's it! You now have an Algo VPN server on the internet.
Note: for local or scripted deployment instructions see the Advanced Usage documentation.
Configure the VPN Clients
Certificates and configuration files that users will need are placed in the configs
directory. Make sure to secure these files since many contain private keys. All files are prefixed with the IP address of your new Algo VPN server.
Apple Devices
Find the corresponding mobileconfig (Apple Profile) for each user and send it to them over AirDrop or other secure means. Apple Configuration Profiles are all-in-one configuration files for iOS and macOS devices. On macOS, double-clicking a profile to install it will fully configure the VPN. On iOS, users are prompted to install the profile as soon as the AirDrop is accepted.
Android Devices
You need to install the StrongSwan VPN Client for Android 4 and newer because no version of Android supports IKEv2. Import the corresponding user.p12 certificate to your device. It's very simple to configure the StrongSwan VPN Client, just make a new profile with the IP address of your VPN server and choose which certificate to use.
Windows
Copy the CA certificate, user certificate, and the user PowerShell script to the client computer. Import the CA certificate to the local machine Trusted Root certificate store. Then, run the included PowerShell script to import the user certificate, set up a VPN connection, and activate stronger ciphers on it.
If you want to perform these steps by hand, you will need to import the user certificate to the Personal certificate store, add an IKEv2 connection in the network settings, then activate stronger ciphers on it via the following PowerShell script:
Set-VpnConnectionIPsecConfiguration -ConnectionName "Algo" -AuthenticationTransformConstants SHA25612 8 -CipherTransformConstants AES256 -EncryptionMethod AES256 -IntegrityCheckMethod SHA256 -DHGroup Group14 -PfsGroup none
Linux strongSwan Clients (e.g., OpenWRT, Ubuntu, etc.)
Install strongSwan, then copy the included user_ipsec.conf, user_ipsec.secrets, user.crt (user certificate), and user.key (private key) files to your client device. These may require some customization based on your exact use case. These files were originally generated with a point-to-point OpenWRT-based VPN in mind.
Other Devices
Depending on the platform, you may need one or multiple of the following files.
- ca.crt: CA Certificate
- user_ipsec.conf: StrongSwan client configuration
- user_ipsec.secrets: StrongSwan client configuration
- user.crt: User Certificate
- user.key: User Private Key
- user.mobileconfig: Apple Profile
- user.p12: User Certificate and Private Key (in PKCS#12 format)
- user_windows.ps1: Powershell script to setup a VPN connection on Windows
Setup an SSH Tunnel
If you turned on the optional SSH tunneling role, then local user accounts will be created for each user in config.cfg
and an SSH authorized_key files for them will be in the configs
directory (user.ssh.pem). SSH user accounts do not have shell access, cannot authenticate with a password, and only have limited tunneling options (e.g., ssh -N
is required). This is done to ensure that SSH users have the least access required to tunnel through the server and can perform no other actions.
Use the example command below to start an SSH tunnel by replacing user
and ip
with your own. Once the tunnel is setup, you can configure a browser or other application to use 127.0.0.1:1080 as a SOCKS proxy to route traffic through the Algo server.
ssh -D 127.0.0.1:1080 -f -q -C -N user@ip -i configs/ip_user.ssh.pem
Adding or Removing Users
Algo's own scripts can easily add and remove users from the VPN server.
- Update the
users
list in yourconfig.cfg
- Run the command:
./algo update-users
The Algo VPN server now contains only the users listed in the config.cfg
file.
FAQ
Has Algo been audited?
No. This project is under active development. We're happy to accept and fix issues as they are identified. Use Algo at your own risk. If you find a security issue of any severity, please contact us on Slack.
Why aren't you using Tor?
The goal of this project is not to provide anonymity, but to ensure confidentiality of network traffic while traveling. Tor introduces new risks that are unsuitable for Algo's intended users. Namely, with Algo, users are in control over the gateway routing their traffic. With Tor, users are at the mercy of actively malicious exit nodes.
Why aren't you using Racoon, LibreSwan, or OpenSwan?
Racoon does not support IKEv2. Racoon2 supports IKEv2 but is not actively maintained. When we looked, the documentation for StrongSwan was better than the corresponding documentation for LibreSwan or OpenSwan. StrongSwan also has the benefit of a from-scratch rewrite to support IKEv2. I consider such rewrites a positive step when supporting a major new protocol version.
Why aren't you using a memory-safe or verified IKE daemon?
I would, but I don't know of any suitable ones. If you're in the position to fund the development of such a project, contact us. We would be interested in leading such an effort. At the very least, I plan to make modifications to StrongSwan and the environment it's deployed in that prevent or significantly complicate exploitation of any latent issues.
Why aren't you using OpenVPN?
OpenVPN does not have out-of-the-box client support on any major desktop or mobile operating system. This introduces user experience issues and requires the user to update and maintain the software themselves. OpenVPN depends on the security of TLS, both the protocol and its implementations, and we simply trust the server less due to past security incidents.
Why aren't you using Alpine Linux, OpenBSD, or HardenedBSD?
Alpine Linux is not supported out-of-the-box by any major cloud provider. We are interested in supporting Free-, Open-, and HardenedBSD. Follow along or contribute to our BSD support in this issue.
Troubleshooting
Little Snitch is broken when connected to the VPN
Little Snitch is not compatible with IPSEC VPNs due to a known bug in macOS and there is no solution. The Little Snitch "filter" does not get incoming packets from IPSEC VPNs and, therefore, cannot evaluate any rules over them. Their developers have filed a bug report with Apple but there has been no response. There is nothing they or Algo can do to resolve this problem on their own. You can read more about this problem in issue #134.