Set up a personal IPSEC VPN in the cloud https://blog.trailofbits.com/2016/12/…
Algo VPN is a set of Ansible scripts that simplify the setup of a personal IPSEC VPN. It uses the most secure defaults available, works with common cloud providers, and does not require client software on most devices. See our release announcement for more information.
Features
- Supports only IKEv2 with strong crypto: AES-GCM, SHA2, and P-256
- Generates Apple profiles to auto-configure iOS and macOS devices
- Includes a helper script to add and remove users
- Blocks ads with a local DNS resolver (optional)
- Sets up limited SSH users for tunneling traffic (optional)
- Based on current versions of Ubuntu and strongSwan
- Installs to DigitalOcean, Amazon EC2, Microsoft Azure, Google Compute Engine, or your own server
Anti-features
- Does not support legacy cipher suites or protocols like L2TP, IKEv1, or RSA
- Does not install Tor, OpenVPN, or other risky servers
- Does not depend on the security of TLS
- Does not require client software on most platforms
- Does not claim to provide anonymity or censorship avoidance
- Does not claim to protect you from the FSB, MSS, DGSE, or FSM
Deploy the Algo Server
The easiest way to get an Algo server running is to let it set up a new virtual machine in the cloud for you.
- Setup an account on a cloud hosting provider. Algo supports DigitalOcean (most user friendly), Amazon EC2, Google Compute Engine, and Microsoft Azure.
- Download Algo. Unzip it in a convenient location on your local machine.
- Install Algo's core dependencies. Open the Terminal. The
pythoninterpreter you use to deploy Algo must be python2. If you don't know what this means, you're probably fine.cdinto thealgo-masterdirectory where you unzipped Algo, then run:- macOS:
$ python -m ensurepip --user $ python -m pip install --user --upgrade virtualenv
- Linux (deb-based):
$ sudo apt-get update && sudo apt-get install \ build-essential \ libssl-dev \ libffi-dev \ python-dev \ python-pip \ python-setuptools \ python-virtualenv -y - Linux (rpm-based): See the Pre-Install Documentation for RedHat/CentOS 6.x
- Windows: See the Windows documentation
- macOS:
- Install Algo's remaining dependencies. Use the same Terminal window as the previous step and run:
$ python -m virtualenv env && source env/bin/activate && python -m pip install -U pip && python -m pip install -r requirements.txt
On macOS, you may be prompted to installcc. You should press accept if so. - List the users to create. Open
config.cfgin your favorite text editor. Specify the users you wish to create in theuserslist. - Start the deployment. Return to your terminal. In the Algo directory, run
./algoand follow the instructions. There are several optional features available. None are required for a fully functional VPN server. These optional features are described in greater detail in deploy-from-ansible.md.
That's it! You will get the message below when the server deployment process completes. You now have an Algo server on the internet. Take note of the p12 (user certificate) password in case you need it later.
You can now setup clients to connect it, e.g. your iPhone or laptop. Proceed to Configure the VPN Clients below.
"\"#----------------------------------------------------------------------#\"",
"\"# Congratulations! #\"",
"\"# Your Algo server is running. #\"",
"\"# Config files and certificates are in the ./configs/ directory. #\"",
"\"# Go to https://whoer.net/ after connecting #\"",
"\"# and ensure that all your traffic passes through the VPN. #\"",
"\"# Local DNS resolver 172.16.0.1 #\"",
"\"# The p12 and SSH keys password is XXXXXXXX #\"",
"\"#----------------------------------------------------------------------#\"",
Configure the VPN Clients
Certificates and configuration files that users will need are placed in the
configs directory. Make sure to secure these files since many contain private keys. All files are saved under a subdirectory named with the IP address of your new Algo VPN server.Apple Devices
Send users their Apple Profile. Find the corresponding mobileconfig (Apple Profile) for each user and send it to them over AirDrop or other secure means. Apple Configuration Profiles are all-in-one configuration files for iOS and macOS devices. On macOS, double-clicking a profile to install it will fully configure the VPN. On iOS, users are prompted to install the profile as soon as the AirDrop is accepted.
Turn on the VPN. On iOS, connect to the VPN by opening Settings and clicking the toggle next to "VPN" near the top of the list. On macOS, connect to the VPN by opening System Preferences -> Network, finding Algo VPN in the left column and clicking "Connect." On macOS, check "Show VPN status in menu bar" to easily connect and disconnect from the menu bar.
Managing On-Demand VPNs. If you enabled "On Demand", the VPN will connect automatically whenever it is able. On iOS, you can turn off "On Demand" by clicking the (i) next to the entry for Algo VPN and toggling off "Connect On Demand." On macOS, you can turn off "On Demand" by opening the Network Preferences, finding Algo VPN in the left column, and unchecking the box for "Connect on demand."
Android Devices
No version of Android supports IKEv2. Install the strongSwan VPN Client for Android 4 and newer. Import the corresponding user.p12 certificate to your device. See the Android setup instructions for more a more detailed walkthrough.
Windows 10
Copy your PowerShell script
windows_{username}.ps1 and p12 certificate {username}.p12 to the Windows client and run the following command as Administrator to configure the VPN connection.powershell -ExecutionPolicy ByPass -File windows_{username}.ps1 Add
For a manual installation, see the Windows setup instructions.
Linux Network Manager Clients (e.g., Ubuntu, Debian, or Fedora Desktop)
Network Manager does not support AES-GCM. In order to support Linux Desktop clients, choose the "compatible" cryptography during the deploy process and use at least Network Manager 1.4.1. See Issue #263 for more information.
Linux strongSwan Clients (e.g., OpenWRT, Ubuntu Server, etc.)
Install strongSwan, then copy the included ipsec_user.conf, ipsec_user.secrets, user.crt (user certificate), and user.key (private key) files to your client device. These will require customization based on your exact use case. These files were originally generated with a point-to-point OpenWRT-based VPN in mind.
Ubuntu Server 16.04 example
sudo apt-get install strongswan strongswan-plugin-openssl: install strongSwan/etc/ipsec.d/certs: copy<name>.crtfromalgo-master/configs/<server_ip>/pki/certs/<name>.crt/etc/ipsec.d/private: copy<name>.keyfromalgo-master/configs/<server_ip>/pki/private/<name>.key/etc/ipsec.d/cacerts: copycacert.pemfromalgo-master/configs/<server_ip>/pki/cacert.pem/etc/ipsec.secrets: add youruser.keyto the list, e.g.<server_ip> : ECDSA <name>.key/etc/ipsec.conf: add the connection fromipsec_user.confand ensureleftcertmatches the<name>.crtfilenamesudo ipsec restart: pick up config changessudo ipsec up <conn-name>: start the ipsec tunnelsudo ipsec down <conn-name>: shutdown the ipsec tunnel
One common use case is to let your server access your local LAN without going through the VPN. Set up a passthrough connection by adding the following to
/etc/ipsec.conf:conn lan-passthrough
leftsubnet=192.168.1.1/24 # Replace with your LAN subnet
rightsubnet=192.168.1.1/24 # Replac with your LAND subnet
authby=never # No authentication necessary
type=pass # passthrough
auto=route # no need to ipsec up lan-passthrough
Other Devices
Depending on the platform, you may need one or multiple of the following files.
- cacert.pem: CA Certificate
- user.mobileconfig: Apple Profile
- user.p12: User Certificate and Private Key (in PKCS#12 format)
- user.sswan: Android strongSwan Profile
- ipsec_user.conf: strongSwan client configuration
- ipsec_user.secrets: strongSwan client configuration
- windows_user.ps1: Powershell script to help setup a VPN connection on Windows
Setup an SSH Tunnel
If you turned on the optional SSH tunneling role, then local user accounts will be created for each user in
config.cfgand SSH authorized_key files for them will be in the configs directory (user.ssh.pem). SSH user accounts do not have shell access, cannot authenticate with a password, and only have limited tunneling options (e.g., ssh -N is required). This ensures that SSH users have the least access required to setup a tunnel and can perform no other actions on the Algo server.
Use the example command below to start an SSH tunnel by replacing
user and ip with your own. Once the tunnel is setup, you can configure a browser or other application to use 127.0.0.1:1080 as a SOCKS proxy to route traffic through the Algo server.ssh -D 127.0.0.1:1080 -f -q -C -N user@ip -i configs/ip_user.ssh.pemSSH into Algo Server
To SSH into the Algo server for administrative purposes you can use the example command below by replacing
ipwith your own:ssh root@ip -i ~/.ssh/algo.pem
If you find yourself regularly logging into Algo then it will be useful to load your Algo ssh key automatically. Add the following snippet to the bottom of
~/.bash_profile to add it to your shell environment permanently.ssh-add ~/.ssh/algo > /dev/null 2>&1
Note the admin username is
ubuntu instead of root on providers other than Digital Ocean.Adding or Removing Users
If you chose the save the CA certificate during the deploy process, then Algo's own scripts can easily add and remove users from the VPN server.
- Update the
userslist in yourconfig.cfg - Open a terminal,
cdto the algo directory, and activate the virtual environment withsource env/bin/activate - Run the command:
./algo update-users
After this process completes, the Algo VPN server will contains only the users listed in the
config.cfg file.Additional Documentation
- Setup instructions
- Documentation for available Ansible roles
- Deploy from Fedora Workstation (26)
- Deploy from RedHat/CentOS 6.x
- Deploy from Windows
- Deploy from Ansible directly
- Client setup
- Setup Android clients
- Setup Generic/Linux clients with Ansible
- Cloud setup
- Configure Azure
- Advanced Deployment
- Deploy to your own FreeBSD server
- Deploy to your own Ubuntu 16.04 server
- Deploy to an unsupported cloud provider
- FAQ
- Troubleshooting
If you read all the documentation and have further questions, join the chat on Gitter.
Endorsements
I've been ranting about the sorry state of VPN svcs for so long, probably about time to give a proper talk on the subject. TL;DR: use Algo.
-- Kenn White
Before picking a VPN provider/app, make sure you do some research https://research.csiro.au/ng/wp-content/uploads/sites/106/2016/08/paper-1.pdf ... – or consider Algo
-- The Register
Algo is really easy and secure.
-- the grugq
I played around with Algo VPN, a set of scripts that let you set up a VPN in the cloud in very little time, even if you don’t know much about development. I’ve got to say that I was quite impressed with Trail of Bits’ approach.
-- Romain Dillet for TechCrunch
If you’re uncomfortable shelling out the cash to an anonymous, random VPN provider, this is the best solution.
-- Thorin Klosowski for Lifehacker
from https://github.com/trailofbits/algo
---------------------------
Meet Algo, the VPN that works
I think you’ll agree when I say: there’s no VPN option on the market designed with equal emphasis on security and ease of use.
That changes now.
Today we’re introducing Algo, a self-hosted personal VPN server designed for ease of deployment and security. Algo automatically deploys an on-demand VPN service in the cloud that is not shared with other users, relies on only modern protocols and ciphers, and includes only the minimal software you need.
And it’s free.
For anyone who is privacy conscious, travels for work frequently, or can’t afford a dedicated IT department, this one’s for you.
Don’t bother with commercial VPNs
Really, the paid-for services are just commercial honeypots. If an attacker can compromise a VPN provider, they can monitor a whole lot of sensitive data.
Paid-for VPNs tend to be insecure: they share keys, their weak cryptography gives a false sense of security, and they require you to trust their operators.
Even if you’re not doing anything wrong, you could be sharing the same endpoint with someone who is. In that case, your network traffic will be analyzed when law enforcement makes that seizure.
Streisand is no better
Good concept. Poor implementation.
It installs ~40 services, including numerous remote access services, a Tor relay node, and out-of-date software. It leaves you with dozens of keys to manage and it allows weak crypto.
That’s a hefty footprint and it’s too complicated for any reasonable person to secure. If you set up an individual server just for yourself, you’d never know if or when an attacker compromised it.
OpenVPN: Requires client software
OpenVPN’s lack of out-of-the-box client support on any major desktop or mobile operating system introduces unnecessary complexity. The user experience suffers.
Speaking of users, they’re required to update and maintain this software too. That is a recipe for disaster.
Worst of all, OpenVPN depends on the security of TLS, both the protocoland its implementations. Between that, and past security incidents, we simply trust it less.
Other VPNs’ S/WAN song
The original attempt at free VPN software -FreeS/WAN- died in the early 2000’s when its dev team fractured. Three people forked it into LibreSwan, strongSwan and Openswan.
To use any of them today, you need something approaching tribal knowledge. The available documentation stymied and appalled us:
- Little differentiation – If you search for information about strongSwan’s configuration, you could easily end up at a LibreSwan page. The terms will look familiar, but the instructions will be wrong.
- Impenetrable language – Instead of using standard terms like ‘client, server, remote and local,’ they use ‘sun, moon, bob, carol,’ and a bunch of other arbitrary words.
- Brittle methodology – The vast majority of documentation and guides insist on using ‘tried and true’ methods such as L2TP and IKEv1, even though IKEv2 is simpler and stronger. Since Apple added IKEv2 to iOS 8, there’s no reason not to use it.
Only the strongest S/WAN survived
After wading through the convoluted quagmire that is the S/WAN triplets, we settled on strongSwan.
Its documentation -such as it is- is the best of the bunch. It was rewritten recently from scratch to support IKEv2 (a positive step when supporting a major new protocol version). It’s the only IPSEC software that even offers the option for a trusted key store.
And the community is helpful. Special thanks to Thermi.
But it’s still super-complicated. Too many contributors made it very arcane. Again, you need that tribal knowledge to make IPSEC do what you want.
These are examples of why cryptography software has a well-earned reputation for poor usability. A tightly knit development community only communicating with itself tends to lead to a profusion of options that should be deprecated. There’s no sign that the user interface or experience has been reviewed on behalf of less-experienced users. For anyone bold enough to consider these points, here lies the path to widespread adoption.
So, we built Algo
Algo is a set of Ansible scripts that simplifies the setup of a personal IPSEC VPN. It contains the most secure defaults available, works with common cloud providers, and does not require client software on most devices.
The ‘VP of all Networks’ is strong, secure and tidy. It uses the least amount of software necessary to get the job done.
We made Algo with corporate travelers in mind. To save bandwidth and increase security, it blocks ads and compresses what’s left.
| Algo’s Features | Anti-features |
|---|---|
|
|
Designed to be disposable
We wanted Algo to be easy to set up. That way, you start it when you need it, and tear it down before anyone can figure out the service you’re routing your traffic through.
Setup is automated. Just answer a few questions, and Algo will build your VPN for you.
We’ve automated the setup process for Apple devices, too. Algo just gives you a file that you AirDrop to your device. You press ‘install’ and you’ve got your VPN. Or ‘VPNs.’
You don’t have to choose just one VPN gateway. You could make yourself 20 on different services; Digital Ocean in Bangalore, EC2 in Virginia or any other combination. You have your choice.
PSA: @trailofbits has a nice VPN builder and they're interested in developing a memory-safe/verified IKE2 daemon.github.com/trailofbits/al…
One last reason that Algo is such a good solution: it’s been abstracted as a set of Ansible roles that we released to the community. Ansible provides clearer documentation, ensures that we can repeat what it is that we’re doing, and allows us to monitor configuration drift.
Thanks to the roles we created in Ansible, it’s very easy for us to add and refine different features independently. Members of our team will keep up on feature requests.
We’ll make sure it’s right. You can just use it.
Want help installing Algo?
We’re planning a virtual crypto party for Friday, December 16th at 3pm EST where we’ll walk you through installing Algo on their own. Register to join us.
https://technet.microsoft.com/en-us/library/dd125380(v=ws.10).aspx
or am I missing some vital nuance here ?
ra
It is released as open source, See https://openvpn.fox-it.com/.