Go to file
2017-02-14 17:42:54 +01:00
.github additional columns 2016-12-12 17:40:31 +03:00
configs ECDSA fixed 2016-07-24 14:44:59 +03:00
docs typo 2017-02-12 13:13:24 -05:00
library ec2_ami_copy boto3 module, KMS, tagging, AMI caching (Encrypted support) 2017-01-05 19:36:30 +00:00
playbooks Add the algo ssh key to any server (prevent fails when a user wants to update-users on a server deployed by algo but not with the algo ssh key) 2017-01-14 19:38:21 +03:00
roles rename connection 2017-02-12 23:01:29 +03:00
tests Local openssl tasks (#169) 2017-02-03 14:24:02 -05:00
.gitignore ec2_ami_copy boto3 module, KMS, tagging, AMI caching (Encrypted support) 2017-01-05 19:36:30 +00:00
.travis.yml Local openssl tasks (#169) 2017-02-03 14:24:02 -05:00
algo Local openssl tasks (#169) 2017-02-03 14:24:02 -05:00
ansible.cfg increase timeouts 2017-01-14 19:38:21 +03:00
config.cfg Additional info in the congrats 2017-01-26 20:01:06 +03:00
CONTRIBUTING.md Move FAQ to its own doc. 2017-02-07 17:27:13 -05:00
deploy.yml Local openssl tasks (#169) 2017-02-03 14:24:02 -05:00
inventory Fixes for #53 2016-08-17 23:31:17 +03:00
LICENSE Initial commit 2016-05-14 23:42:49 -04:00
logo.png Closes #82, again 2017-02-07 16:35:23 -05:00
README.md Update README.md 2017-02-14 17:42:54 +01:00
requirements.txt Prevent ansible and Jinja2 from updates #220 (#221) 2017-01-22 23:06:32 +03:00
users.yml Local openssl tasks (#169) 2017-02-03 14:24:02 -05:00

Algo VPN

TravisCI Status Slack Status

Algo VPN is a set of Ansible scripts that simplifies the setup of a personal IPSEC VPN. It contains the most secure defaults available, works with common cloud providers, and does not require client software on most devices.

Features

  • Supports only IKEv2 w/ a single cipher suite: AES-GCM, HMAC-SHA2, and P-256 DH
  • Generates Apple Profiles to auto-configure iOS and macOS devices
  • Provides helper scripts to add and remove users
  • Blocks ads with a local DNS resolver and HTTP proxy (optional)
  • Sets up limited SSH users for tunneling traffic (optional)
  • Based on current versions of Ubuntu and strongSwan
  • Installs to DigitalOcean, Amazon EC2, Google Compute Engine, Microsoft Azure, or your own server

Anti-features

  • Does not support legacy cipher suites or protocols like L2TP, IKEv1, or RSA
  • Does not install Tor, OpenVPN, or other risky servers
  • Does not depend on the security of TLS
  • Does not require client software on most platforms
  • Does not claim to provide anonymity or censorship avoidance
  • Does not claim to protect you from the FSB, MSS, DGSE, or FSM

Deploy the Algo Server

The easiest way to get an Algo server running is to let it set up a new virtual machine in the cloud for you.

  1. Setup an account on a cloud hosting provider. Algo supports DigitalOcean (most user friendly), Amazon EC2, Google Compute Engine, and Microsoft Azure.
  2. Download Algo
  3. Install Algo's dependencies for your operating system. To do this, open a terminal and cd into the directory where you downloaded Algo, then:

macOS: sudo easy_install pip && sudo pip install --ignore-install -r requirements.txt

Linux (deb-based): sudo apt-get update && sudo apt-get install python-pip build-essential libssl-dev libffi-dev python-dev -y && sudo pip install -r requirements.txt

Linux (rpm-based): See the Pre-Install Documentation for RedHat/CentOS 6.x

  1. Open config.cfg in your favorite text editor. Specify the users you wish to create in the users list.
  2. Start the deployment. Return to your terminal. In the Algo directory, run ./algo and follow the instructions. There are several optional features available. None are required for a fully functional VPN server. These optional features are described in greater detail in ROLES.md.

That's it! You will get the message below when the server deployment process completes. You now have an Algo server on the internet. Take note of the p12 (user certificate) password in case you need it later.

        "\"#----------------------------------------------------------------------#\"", 
        "\"#                          Congratulations!                            #\"", 
        "\"#                     Your Algo server is running.                     #\"", 
        "\"#    Config files and certificates are in the ./configs/ directory.    #\"", 
        "\"#              Go to https://whoer.net/ after connecting               #\"", 
        "\"#        and ensure that all your traffic passes through the VPN.      #\"", 
        "\"#          Local DNS resolver and Proxy IP address: 172.16.0.1         #\"", 
        "\"#                The p12 and SSH keys password is XXXXXXXX             #\"", 
        "\"#----------------------------------------------------------------------#\"", 

Note: Advanced users who want to install Algo on top of a server they already own or want to script the deployment of Algo onto a network of servers, please see the Advanced Usage documentation.

Configure the VPN Clients

Certificates and configuration files that users will need are placed in the configs directory. Make sure to secure these files since many contain private keys. All files are prefixed with the IP address of your new Algo VPN server.

Apple Devices

Find the corresponding mobileconfig (Apple Profile) for each user and send it to them over AirDrop or other secure means. Apple Configuration Profiles are all-in-one configuration files for iOS and macOS devices. On macOS, double-clicking a profile to install it will fully configure the VPN. On iOS, users are prompted to install the profile as soon as the AirDrop is accepted.

Android Devices

You need to install the StrongSwan VPN Client for Android 4 and newer because no version of Android supports IKEv2. Import the corresponding user.p12 certificate to your device. It's very simple to configure the StrongSwan VPN Client, just make a new profile with the IP address of your VPN server and choose which certificate to use.

Windows

Copy the CA certificate, user certificate, and the user PowerShell script to the client computer. Import the CA certificate to the local machine Trusted Root certificate store. Then, run the included PowerShell script to import the user certificate, set up a VPN connection, and activate stronger ciphers on it.

If you want to perform these steps by hand, you will need to import the user certificate to the Personal certificate store, add an IKEv2 connection in the network settings, then activate stronger ciphers on it via the following PowerShell script:

Set-VpnConnectionIPsecConfiguration -ConnectionName "Algo" -AuthenticationTransformConstants SHA25612 8 -CipherTransformConstants AES256 -EncryptionMethod AES256 -IntegrityCheckMethod SHA256 -DHGroup Group14 -PfsGroup none

Linux strongSwan Clients (e.g., OpenWRT, Ubuntu, etc.)

Install strongSwan, then copy the included user_ipsec.conf, user_ipsec.secrets, user.crt (user certificate), and user.key (private key) files to your client device. These may require some customization based on your exact use case. These files were originally generated with a point-to-point OpenWRT-based VPN in mind.

Other Devices

Depending on the platform, you may need one or multiple of the following files.

  • ca.crt: CA Certificate
  • user_ipsec.conf: StrongSwan client configuration
  • user_ipsec.secrets: StrongSwan client configuration
  • user.crt: User Certificate
  • user.key: User Private Key
  • user.mobileconfig: Apple Profile
  • user.p12: User Certificate and Private Key (in PKCS#12 format)
  • user_windows.ps1: Powershell script to setup a VPN connection on Windows

Setup an SSH Tunnel

If you turned on the optional SSH tunneling role, then local user accounts will be created for each user in config.cfg and an SSH authorized_key files for them will be in the configs directory (user.ssh.pem). SSH user accounts do not have shell access, cannot authenticate with a password, and only have limited tunneling options (e.g., ssh -N is required). This is done to ensure that SSH users have the least access required to tunnel through the server and can perform no other actions.

Use the example command below to start an SSH tunnel by replacing user and ip with your own. Once the tunnel is setup, you can configure a browser or other application to use 127.0.0.1:1080 as a SOCKS proxy to route traffic through the Algo server.

ssh -D 127.0.0.1:1080 -f -q -C -N user@ip -i configs/ip_user.ssh.pem

Adding or Removing Users

Algo's own scripts can easily add and remove users from the VPN server.

  1. Update the users list in your config.cfg
  2. Run the command: ./algo update-users

The Algo VPN server now contains only the users listed in the config.cfg file.

Additional Documentation

  • Advanced Usage describes how to deploy an Algo VPN server directly from Ansible.
  • FAQ includes answers to common questions.
  • Roles includes a description of optional Algo VPN server features.
  • Troubleshooting includes answers to common technical issues.

Endorsements

I've been ranting about the sorry state of VPN svcs for so long, probably about time to give a proper talk on the subject. TL;DR: use Algo.

-- Kenn White

Before picking a VPN provider/app, make sure you do some research https://research.csiro.au/ng/wp-content/uploads/sites/106/2016/08/paper-1.pdf ... or consider Algo

-- The Register

Algo is really easy and secure.

-- the grugq