Setting up your own VPN with Algo - Part 1

Cooking your Algo VPN

If you’re doing this for the first time and don’t already have a Digital Ocean account, budget maybe 20-30 minutes for this guide. Once you get used to it, you can easily create more VPNs in less than 15 minutes if you want to (although most people are fine with just one).

Recipe

  • A server (we’re going to use a $5/mo Digital Ocean server)
  • A computer or phone that can use a VPN.
  • Some basic command line experience

Frequently asked questions

What is Algo?

Algo is a free open source VPN that you self-host. It can be set up in less than 15 minutes, destroyed in less than a second, and hosted on your own server.

It’s free?

Yes, downloading and setting up Algo is free. Hosting, however, is not. The cheapest hosting I’ve found is $5/mo on Digital Ocean. If you own your own server, you can set Algo up there too.

Is it secure?

Algo sets up an IPsec (IKEv2) VPN with strong, modern cryptography, so yes, it encrypts the traffic between your device and the server very well. It does NOT claim to provide anonymity or censorship avoidance, or to protect you from the NSA and government agencies, because a VPN can’t do those things: it only moves the point where your traffic exits to the internet from your local network to your server, and the server’s hosting provider can see it there.

Can I safely use Algo in a country that bans VPNs?

I wouldn’t recommend it. If your country is one of those that have banned VPN use, you’ll be risking serious trouble, including arrest and imprisonment.

Can I trust it?

The code is open source and reviewed by security people. Because it’s self-hosted, you control the server and its logs yourself rather than trusting a VPN provider with them.

What else should I know about it?

I recommend reading what the creators of Algo have to say about it.


Step 1

Self-hosting on Digital Ocean

Go to Digital Ocean’s signup page to start the process.

To sign up, you will need:

  • An email address for login and account confirmation
  • A two-factor authentication method, such as a phone number or an authenticator app like Google Authenticator (optional but strongly recommended).
  • Credit card or Paypal account for monthly payments

Create your account, then go to the Droplets section and create a new droplet (a droplet is Digital Ocean’s term for a virtual server). Choose Ubuntu 16.04, which is the version the Algo installer option in Step 3 expects, at the cheapest and smallest size available.



Next, you’ll be asked where you want to host your droplet. Unless you’re trying to get around location restrictions on web content (which, I should remind you, is illegal in some countries), the region isn’t too important; pick one close to you for lower latency.


Don’t select any addons and name the droplet whatever you want. Click create when you’re done.


Once the droplet is created, you’ll get an important email containing its IP address and a temporary root password. We’ll need both for the next step. (If you add an SSH public key on the creation page instead, no password is emailed and you log in with the key; that is also what the hardening option in Step 3 requires.)


You’ll also see the new droplet in your Digital Ocean dashboard


Now, we’ll SSH into your newly created server with the command line.

SSH (Secure Shell) is an encrypted remote login: it gives you a command line on the server from your own computer, so you can work inside the server from the comfort of your laptop.

On macOS and Linux the ssh command is already in the terminal. On Windows, recent Windows 10 builds include an OpenSSH client (type ssh in PowerShell or Command Prompt); older versions need a client such as PuTTY. The steps below are the same either way.

    ssh root@{ip-address}
    # your server IP address is in your email from Digital Ocean
    # or on the Droplet dashboard

NOTE: if the connection is refused at first, wait a moment and keep trying until it asks for your password; a fresh droplet can take a minute to start accepting connections. On the first connection ssh also shows the server’s host key fingerprint and asks whether to continue; type yes. You are only asked once, and a different fingerprint on a later connection would mean something is wrong.

Change your temporary password (from the email) when it asks.


Ok! Now you’re logged into your new server and ready to set up that VPN.

Step 2:

Installing prerequisite software

Once SSHed into the server (the command prompt should say root@{droplet name}), installing the prerequisite software is as easy as copy and pasting a single line of code I wrote for you.

The line of code will install:

  • software-properties-common - provides the apt-add-repository command, which is used to add the Ansible package repository (PPA)
  • Ansible - the automation tool Algo’s installer is written with
  • Python - the language Algo’s tooling uses, plus virtualenv to keep its packages separate from the system’s
  • Git - lets us download Algo

Copy and paste the following in. It is a single command; the backslashes continue it over several lines. Note the order: software-properties-common must be installed before apt-add-repository can be used.

    apt-get update -y && apt-get upgrade -y \
      && apt-get install -y software-properties-common \
      && apt-add-repository -y ppa:ansible/ansible \
      && apt-get update -y \
      && apt-get install -y ansible git python-virtualenv \
      && cd ~ && git clone https://github.com/trailofbits/algo \
      && cd ~/algo && python -m virtualenv env && source env/bin/activate

If ./algo later complains about a missing Python module, install the packages listed in Algo’s requirements.txt into the virtualenv with pip; that is the install route Algo’s own README documents.


Installation runs on its own. If a dialog box like the one below appears, just hit OK; otherwise sit back and watch it all install.


If everything succeeded, a new directory named algo exists in your home directory (~/algo), and your prompt starts with (env), showing that the virtualenv is active.

Type in:

cd ~/algo && ls

You should see something like this:


Step 3:

Running the self-install script

Now that Algo and its prerequisite software are installed, we need to make one last configuration before running the install script.

The install script will generate unique VPN setup files for every user that we specify inside of its configuration file, AKA config.cfg.

Open this file up and add in all the users who you’ll want to be able to use this VPN (most of the time this will just be you).

Type in:

cd ~/algo && nano config.cfg

The file will open in the text editor. Find the users section of the file and add your user(s) like so:


There’s also an option here to turn off VPN (strongSwan) logging: change the log level number to -1, which strongSwan treats as completely silent. We’ll also turn off system logging later on. Keep in mind that a silent server can’t show you if someone else starts using it.


Hit Ctrl-X to exit nano, then y to save and Enter to confirm the file name.
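As an added example (not from the original post and not part of Algo), here is a way to make the same two config.cfg edits from the shell instead of nano, which is handy if you script the deployment. It assumes the layout Algo’s config.cfg used at the time: a top-level users: list whose entries are two-space-indented “- name” lines, and a strongswan_log_level key; check both against your copy. The sample config written by write_sample_config is constructed for trying the functions out.

```shell
#!/bin/sh
# Added example: edit Algo's config.cfg from the shell (not part of Algo).
# Assumes Algo's layout: a top-level "users:" list whose entries are
# "  - name" lines, and a "strongswan_log_level" key.

# set_algo_users FILE USER...   replace the users: block with USER...
set_algo_users() {
  file=$1; shift
  tmp=$(mktemp)
  awk -v names="$*" '
    BEGIN { n = split(names, u, " ") }
    # print the new list right after "users:" and skip the old entries
    /^users:/ { print; for (i = 1; i <= n; i++) print "  - " u[i]; skip = 1; next }
    skip && /^[ \t]*- / { next }
    { skip = 0; print }
  ' "$file" > "$tmp" && mv "$tmp" "$file"
}

# set_strongswan_log_level FILE LEVEL   (-1 silent, 0 basic auditing, 2 Algo default)
set_strongswan_log_level() {
  file=$1; level=$2
  tmp=$(mktemp)
  awk -v lvl="$level" '
    /^strongswan_log_level:/ { print "strongswan_log_level: " lvl; next }
    { print }
  ' "$file" > "$tmp" && mv "$tmp" "$file"
}

# algo_users FILE   print the names currently in the users: block, one per line
algo_users() {
  awk '/^users:/ { inlist = 1; next }
       inlist && /^[ \t]*- / { sub(/^[ \t]*- */, ""); print; next }
       { inlist = 0 }' "$1"
}

# write_sample_config FILE   a constructed stand-in for the relevant part of
# config.cfg, so the functions can be tried without a real checkout
write_sample_config() {
  cat > "$1" <<'EOF'
---
users:
  - dan
  - jack
# StrongSwan log level
strongswan_log_level: 2
EOF
}

# Usage on a real checkout:
#   set_algo_users ~/algo/config.cfg alice bob
#   set_strongswan_log_level ~/algo/config.cfg -1
#   algo_users ~/algo/config.cfg
```

The awk in set_algo_users only drops the “- name” lines that directly follow users:, so comments and other keys elsewhere in the file are left untouched; run algo_users afterwards to confirm the list is what you intended before starting ./algo.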

Ok! Now we’re ready to run the install script. If you’ve opened a new SSH session since Step 2, activate the virtualenv again first (the source env/bin/activate part of the Step 2 command). Then type in:

cd ~/algo && ./algo

You’ll see this screen with a choice of server hosting options. Choose 5: Install into an existing Ubuntu 16.04 server


Next, a list of questions will appear which I’ll walk through step by step with you. Some of your answers can vary depending on your own needs and preferences so I’ll give my own preferences and an explanation for them below.

Algo Installation cheatsheet

  • Enter the IP address of your server: (or use localhost for local installation)
    • leave blank (press enter) since this is a local installation
  • What user should we use to login on the server? (note: passwordless login required, or ignore if you’re deploying to localhost)
    • leave blank (press enter)
  • Enter the public IP address of your server: (IMPORTANT! This IP is used to verify the certificate)
    • Copy and paste the IP address of this server droplet (from Digital Ocean email or dashboard)
  • Was this server deployed by Algo previously?
    • No, since this is a new server.
  • Do you want macOS/iOS clients to enable “VPN On Demand” when connected to cellular networks?
    • VPN On Demand automatically connects your macOS/iOS laptop or phone to the VPN every time you’re on a cellular network (using your mobile data, for example). I chose ‘N’ because I like to be able to manually connect to my VPN when I need it.
  • Do you want macOS/iOS clients to enable “VPN On Demand” when connected to Wi-Fi?
    • Same as above but this time for wifi networks. Up to you.
  • List the names of trusted Wi-Fi networks (if any) that macOS/iOS clients exclude from using the VPN (e.g., your home network. Comma-separated value, e.g., HomeNet,OfficeWifi,AlgoWiFi)
    • List the name of any wifis that you want to exclude from using this VPN (personally I don’t trust any)
  • Do you want to install a DNS resolver on this VPN server, to block ads while surfing?
    • Again, totally up to you. This installs a resolver on the server with a domain blocklist, so your DNS queries are answered there rather than by whatever network you’re on, and ads and trackers served from blocked domains disappear. It does nothing about tracking by the sites you actually visit or anything that isn’t DNS-based.
  • Do you want each user to have their own account for SSH tunneling?
    • I chose ‘N’ because most likely if you have multiple users sharing this VPN, they won’t need to have access to this server at all.
  • Do you want to apply operating system security enhancements on the server? (warning: replaces your sshd_config)
    • WARNING! Do NOT select Y unless key-based SSH login as root already works on this droplet. The hardening replaces sshd_config and turns off password logins, so with only the emailed password you will lock yourself out. Select N if you haven’t set up an SSH key pair, or follow Digital Ocean’s guide to SSH keys first and confirm you can log in with the key before running the installer. (A passphrase on the key is fine as long as you load the key into ssh-agent; the “passwordless login required” note refers to Ansible connecting over SSH, which doesn’t happen when deploying to localhost.)
  • Do you want the VPN to support Windows 10 or Linux Desktop clients? (enables compatible ciphers and key exchange, less secure)
    • Totally up to you. “Less secure” means the server also accepts a more conservative IKEv2 cipher suite and key exchange than the one Algo’s Apple profiles use (roughly: CBC-mode AES with RSA keys and a classic DH group instead of AES-GCM, ECDSA and elliptic-curve groups), because the built-in Windows 10 client at the time didn’t support the stronger settings. It’s a usability tradeoff if you have Windows or Linux machines.
  • Do you want to retain the CA key? (required to add users in the future, but less secure)
    • I chose N because I was only creating the VPN for myself. Since it’s easy to create new VPNs, I could always make a new one if I want to add more people. If the CA key stays on the server, anyone who compromises the server can issue new client certificates for it, which is why Algo calls keeping it less secure. But if you expect to add users over time, choose ‘Y’ so you don’t have to destroy it and set everyone up again.

Watch it install and, when it’s done, you’ll see this screen if it worked:


**IMPORTANT** Write down the p12 password and the SSH key and CA key passwords printed on this final screen! We’ll need them to configure the VPN on your devices, and they are secrets: anyone who has the .p12 file and its password can connect as that user.

Bonus:

Turning off the server logs

By default, Ubuntu records system messages through rsyslog, including strongSwan’s record of who connected and when; they end up in /var/log/syslog, with SSH logins in /var/log/auth.log. You can stop rsyslog, and keep it from starting again, with the following command:

service rsyslog stop && systemctl disable rsyslog.service

(thanks to a commenter who pointed out that the second part keeps the service disabled across reboots!)

and delete the existing log file with the following command:

rm /var/log/syslog

That removes the current syslog only. Rotated copies (/var/log/syslog.1 and so on) and the login log /var/log/auth.log hold the same kind of records, and systemd’s journal keeps its own copy of the messages independently of rsyslog. A word of reminder, too, that outgoing traffic from the server is still visible to, and logged by, whichever provider operates the server’s network, and websites keep logs of visitors. We are only turning off the internal logs; we have no control over logging outside the server.
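As an added example (not from the original post), here is the same cleanup as a small script that also catches the rotated copies and the login log, which the two commands above leave behind, and reports how systemd-journald stores its own copy of the messages. The file names are those Ubuntu 16.04’s rsyslog configuration writes; the journald check reads /etc/systemd/journald.conf. Pass a scratch directory instead of /var/log to try it without touching real logs.

```shell
#!/bin/sh
# Added example (not part of the original post): stop rsyslog, remove the
# files it wrote (rotated copies included) and report where journald keeps
# its own copy. The directory argument defaults to /var/log.

# rsyslog_log_files DIR   files rsyslog writes on Ubuntu 16.04 that hold
# connection and login records: syslog, auth.log, kern.log, messages and
# their rotated copies (syslog.1, syslog.2.gz, ...)
rsyslog_log_files() {
  find "${1:-/var/log}" -maxdepth 1 -type f \
    \( -name syslog -o -name 'syslog.*' \
       -o -name auth.log -o -name 'auth.log.*' \
       -o -name kern.log -o -name 'kern.log.*' \
       -o -name messages -o -name 'messages.*' \) | sort
}

# purge_rsyslog_logs DIR   delete those files and print how many were removed
purge_rsyslog_logs() {
  count=0
  for f in $(rsyslog_log_files "${1:-/var/log}"); do
    rm -f -- "$f"
    count=$((count + 1))
  done
  echo "$count"
}

# disable_rsyslog   stop it now and keep it off across reboots (needs root)
disable_rsyslog() {
  systemctl stop rsyslog.service && systemctl disable rsyslog.service
}

# journald_storage   how systemd-journald stores the same messages: with the
# default Storage=auto the journal is persistent only if /var/log/journal
# exists, otherwise it lives in /run/log/journal and is lost at reboot
journald_storage() {
  mode=$(sed -n 's/^Storage=//p' /etc/systemd/journald.conf 2>/dev/null | tail -n 1)
  if [ -d /var/log/journal ]; then where=exists; else where=absent; fi
  echo "Storage=${mode:-auto}, /var/log/journal $where"
}

# Usage on the droplet, as root:
#   disable_rsyslog
#   purge_rsyslog_logs /var/log
#   journald_storage
```

If journald_storage reports a persistent journal, journalctl --vacuum-time=1s clears it, and Storage=volatile in journald.conf keeps it off disk from then on. Bear in mind that with rsyslog and the journal both gone you also lose the evidence you would need to notice someone else using your server.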

Step 4:

Distributing your config files

Your VPN is now up and running and can accept connections from any configured device.

Remember those per-user config files I mentioned? They are saved under ~/algo/configs/{your vpn's ip address}. For each user there are files for each device type: macOS, iOS, Windows (if chosen) and Linux (if chosen).


To set up the VPN on your devices, we need to get these config files onto them. First we’ll copy the files from the server to your laptop; from there you can email them to your other devices or share them through whatever file storage you use.

We’ll use SFTP for the copy. It runs over the same SSH connection you’ve been using, so it is encrypted the same way, but it is built for transferring files back and forth rather than running commands.

If you’re still logged into your server, exit the SSH session by typing exit.

Follow the guide below to retrieve your files.

  1. On your personal machine, go to your home directory (or anywhere) and make a new folder to store the config files with mkdir configs && cd configs
  2. Establish an SFTP connection to your VPN server with sftp root@{ip address of server}
  3. Enter into your server’s Algo configs folder with cd algo/configs/{ip address of server}
  4. Transfer all the files from your server’s algo/configs/{ip address of server} directory to your personal computer’s ~/configs folder with get *
  5. Exit with exit
  6. If everything worked, the files are now on your personal computer inside the configs folder you created. Type ls to make sure they exist.


Now send each device its files by email or whichever file transfer service you prefer. The .p12 file contains that user’s private key; it is protected by the p12 password, so send the password over a different channel than the file. If you have multiple users, make sure each user gets only their own files: sharing one identity between people means they also share its private key, so you couldn’t later revoke one person’s access without cutting off the other.

Part 2: configuring your devices.


Categories:
digital-security   sys-admin-stuff
