Monday, September 16, 2024

Setup WireGuard and IPsec VPN Server on Ubuntu 22.04


VPN stands for Virtual Private Network: an encrypted tunnel that carries a user's traffic to another network over the internet. Because everything between the client and the VPN server is encrypted, an observer on the path (a public Wi-Fi operator, an ISP) cannot read the traffic or see which hosts it is going to. The VPN server itself decrypts and forwards that traffic, so the protection is against on-path observers, not against whoever operates the server.

There are several types of VPN, including site-to-site VPNs, remote-access VPNs, mobile VPNs, cloud VPNs and hybrid VPNs.

WireGuard is a modern open-source VPN protocol designed to provide fast, secure and simple VPN connections. It can be used for both remote-access and site-to-site VPNs. It has been part of the Linux kernel since 5.6 and has official clients for Android, iOS, macOS and Windows. WireGuard was designed with a focus on performance, minimalism and simplicity, and aims to be easy to configure and use.


Compared with other VPN protocols, WireGuard has a much smaller codebase (a few thousand lines for the Linux implementation), which makes it easier to audit and maintain. Instead of negotiable cipher suites it uses one fixed set of modern primitives (the Noise protocol framework with Curve25519 key exchange, ChaCha20-Poly1305 authenticated encryption and BLAKE2s hashing), and it runs over both IPv4 and IPv6. It is also designed to be faster and lighter than IPsec or OpenVPN, which in practice shows up as higher throughput and lower latency.

Algo VPN is a set of Ansible playbooks from Trail of Bits that makes it easy to spin up a WireGuard and IPsec VPN server on-premises or in the cloud. Clients can connect from Android, Linux, macOS, iOS and Windows devices.

The features associated with Algo VPN are:

  • It can be used to install to several cloud platforms such as DigitalOcean, Amazon Lightsail, Amazon EC2, Vultr, Microsoft Azure, Google Compute Engine, Scaleway, OpenStack, CloudStack, Hetzner Cloud, Linode, or your own Ubuntu server (for more advanced users)
  • Supports WireGuard for iOS, macOS, Linux, Android and Windows 10
  • Includes a helper script to add and remove users
  • Supports only IKEv2 with strong crypto (AES-GCM, SHA2, and P-256) for iOS, macOS, and Linux
  • It generates Apple profiles to auto-configure iOS and macOS devices
  • Generates .conf files and QR codes for iOS, macOS, Android, and Windows WireGuard clients
  • Based on current versions of Ubuntu and strongSwan

#1. Install the Required Packages

For this guide, you need an Ubuntu 22.04, 20.04 or 18.04 server, on-premises or in the cloud. Algo is an Ansible playbook, so it also needs Python 3.8 or later.

This can be done using the below commands:

sudo apt update
sudo apt install -y --no-install-recommends python3-virtualenv libffi-dev libssl-dev git

Once installed, check the Python version:

$ python3 --version
Python 3.10.6

Switch to root and clone the Algo repository:

sudo su -
git clone https://github.com/trailofbits/algo.git

Install the Algo dependencies:

cd algo
python3 -m pip install -U pip virtualenv
python3 -m virtualenv --python=$(which python3) env
source env/bin/activate
python3 -m pip install -r requirements.txt

#2. Configure WireGuard and IPsec VPN Server

Algo can run its Ansible playbook against a remote host (one of the supported cloud providers) or on the local machine itself. For this guide we run it locally, using the "Install to existing Ubuntu server" option.

Before that, a few settings need to be made:

Create Users on Algo

The configurations are stored in the config.cfg file. Using your favourite editor, open the file:

vim config.cfg

In the file, specify the users to be created during the installation. For this guide, we create three users, one per device type:

users:
  - phone
  - linux
  - windows

Disable systemd-resolved

The DNS resolver that Algo installs on the server needs to listen on port 53. On Ubuntu, systemd-resolved already holds port 53 on 127.0.0.53, so stop and disable it:

sudo systemctl disable systemd-resolved
sudo systemctl stop systemd-resolved

Remove the symbolic link that systemd-resolved manages at /etc/resolv.conf:

sudo unlink /etc/resolv.conf

Without systemd-resolved the host now has no DNS at all, and the playbook's apt tasks would fail, so create a plain /etc/resolv.conf that points at an upstream resolver (8.8.8.8 in this guide):

$ sudo vim /etc/resolv.conf
nameserver 8.8.8.8
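As an added example (not part of Algo or of the original guide), the following POSIX shell script checks the state the steps above leave behind before `./algo` is started: a Python 3.8 or newer, a plain /etc/resolv.conf with a valid nameserver line, and systemd-resolved stopped. The `--check` flag and the function names are this example's own; the nameserver check only accepts IPv4 addresses, which is an assumption.

```sh
#!/bin/sh
# Pre-flight check for a local Algo install (added example, not part of Algo).
# Usage: sh algo-preflight.sh --check

# Returns 0 when a "Python X.Y.Z" string (the output of `python3 --version`)
# is 3.8 or newer. Anything that is not a version string, such as a
# "python3: not found" message, fails.
python_version_ok() {
  pv_ver=${1#Python }
  case "$pv_ver" in
    [0-9]*.[0-9]*) ;;
    *) return 1 ;;
  esac
  pv_major=${pv_ver%%.*}
  pv_rest=${pv_ver#*.}
  pv_minor=${pv_rest%%.*}
  [ "$pv_major" -gt 3 ] || { [ "$pv_major" -eq 3 ] && [ "$pv_minor" -ge 8 ]; }
}

# Returns 0 when $1 is a regular file (not the systemd-resolved symlink) that
# contains a well-formed "nameserver <IPv4>" line. A typo such as "ameserver"
# is rejected: it would leave the host with no resolver and the playbook's
# apt tasks would fail.
resolv_conf_ok() {
  [ -f "$1" ] && [ ! -L "$1" ] || return 1
  grep -Eq '^[[:space:]]*nameserver[[:space:]]+([0-9]{1,3}\.){3}[0-9]{1,3}[[:space:]]*$' "$1"
}

# Returns 0 when systemd-resolved is inactive (or systemctl does not exist,
# e.g. on a non-systemd host).
resolved_stopped() {
  command -v systemctl >/dev/null 2>&1 || return 0
  ! systemctl is-active --quiet systemd-resolved
}

# Runs all three checks against the live host and reports each failure.
preflight() {
  pf_rc=0
  python_version_ok "$(python3 --version 2>&1)" \
    || { echo "FAIL: python3 missing or older than 3.8"; pf_rc=1; }
  resolv_conf_ok /etc/resolv.conf \
    || { echo "FAIL: /etc/resolv.conf is missing, a symlink, or has no valid nameserver line"; pf_rc=1; }
  resolved_stopped \
    || { echo "FAIL: systemd-resolved is still active (it holds port 53)"; pf_rc=1; }
  [ "$pf_rc" -eq 0 ] && echo "pre-flight OK: ready to run ./algo"
  return "$pf_rc"
}

[ "${1:-}" = "--check" ] && preflight
```

Run it as root on the server right before `./algo`; a non-zero exit means one of the steps above was skipped or mistyped.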

#3. Install WireGuard and IPsec VPN Server

Once the configuration above is in place, you are set to start the WireGuard deployment. The installation goes through a series of questions.

Start the installation:

./algo

The prompts, with the answers used in this guide, are shown below.

PLAY [localhost] *****************************************************************************

TASK [Gathering Facts] ***********************************************************************
ok: [localhost]

TASK [Playbook dir stat] *********************************************************************
ok: [localhost]

TASK [Ensure Ansible is not being run in a world writable directory] *************************
ok: [localhost] => {
    "changed": false,
    "msg": "All assertions passed"
..
[Cloud prompt]
What provider would you like to use?
    1. DigitalOcean
    2. Amazon Lightsail
    3. Amazon EC2
    4. Microsoft Azure
    5. Google Compute Engine
    6. Hetzner Cloud
    7. Vultr
    8. Scaleway
    9. OpenStack (DreamCompute optimised)
    10. CloudStack (Exoscale optimised)
    11. Linode
    12. Install to existing Ubuntu 18.04 or 20.04 server (for more advanced users)
  
Enter the number of your desired provider
:
12

Allow macOS/iOS clients to enable “VPN On Demand” when connected to cellular networks/Wi-Fi.

[Cellular On Demand prompt]
Do you want macOS/iOS clients to enable "Connect On Demand" when connected to cellular networks?
[y/N]
:
y
[Wi-Fi On Demand prompt]
Do you want macOS/iOS clients to enable "Connect On Demand" when connected to Wi-Fi?
[y/N]
:
y

Provide the list of trusted WiFi networks:

List the names of trusted Wi-Fi networks (if any) that macOS/iOS clients exclude from using the VPN
 (e.g., your home network. Comma-separated value, e.g., HomeNet,OfficeWifi,AlgoWiFi)
 :
HomeNet

Make the remaining choices as shown. Retaining the PKI keeps the CA private key on the server, which is what makes adding users later possible, at the cost of that secret living on an internet-facing host; answer N for a one-off deployment. DNS ad blocking and per-user SSH tunnelling accounts are optional conveniences.

[Retain the PKI prompt]
Do you want to retain the keys (PKI)? (required to add users in the future, but less secure)
[y/N]
:
y
[DNS adblocking prompt]
Do you want to enable DNS ad blocking on this VPN server?
[y/N]
:
y
[SSH tunneling prompt]
Do you want each user to have their own account for SSH tunneling?
[y/N]
:
y
...
Local installation might break your server. Use at your own risk.

Proceed? Press ENTER to continue or CTRL+C and A to abort...:

Give the public IP address or DNS name that clients will use to reach the server. Algo embeds it in the IPsec server certificate and uses it as the WireGuard Endpoint in every profile, so a wrong value breaks client connections:

Enter the public IP address or domain name of your server: (IMPORTANT! This is used to verify the certificate)
[localhost]
:
Provide_Your_PublicIP/Domain_name

Sit back and watch the Ansible deployment. Once the deployment is complete, you will see this:

[Screenshot: Algo deployment completion summary]

The connection profiles are written to configs/<server address>/wireguard/, where the directory is named after the address given to the last prompt (localhost here). List the profiles:

$ ls  configs/localhost/wireguard/
apple  linux.conf  linux.png  phone.conf  phone.png  windows.conf  windows.png

You can also view the content of any profile:

$ cat configs/localhost/wireguard/linux.conf 
[Interface]
PrivateKey = qH7djC3t4njG6W2bxnSteNAUzyyuhpdQ21u+CHKjhXw=
Address = 10.49.0.3 
DNS =  172.28.237.162 

[Peer]
PublicKey = shbJpOr2Y2wNwzQyXwQJruac4JsYISlTefNC43l2RVY=
PresharedKey = fagxwHc1CaRAs80ii5Rx33THZDl56LqyAd388u/z7og=
AllowedIPs = 0.0.0.0/0,::/0
Endpoint = **********.compute-1.amazonaws.com:51820

Each profile is a complete WireGuard client configuration; the PNG files hold the same profile as a QR code for the mobile apps. Note that a .conf contains that user's private key (and the pre-shared key), so treat the configs/ directory as secret material: keep it readable by root only and hand each profile to its owner over a trusted channel rather than by e-mail or chat.
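The following script is an added example, not code from Algo or from the original page: it validates a generated client profile before it is copied to a device. It checks that the three keys decode to 32 bytes, that the profile is a full tunnel with a DNS server set, that the Endpoint carries a port, and that the file is not readable by other users. The sample profile it can write reuses the keys printed above with the placeholder host name vpn.example.com; the function names are this example's own, and it assumes a coreutils-style `base64 -d` and `stat`.

```sh
#!/bin/sh
# Validate a WireGuard client profile (added example, not part of Algo).
# Usage: sh wg-conf-check.sh configs/localhost/wireguard/linux.conf

# Returns 0 when $1 looks like a WireGuard key: base64 that decodes to 32 bytes.
wg_key_ok() {
  case "$1" in
    *[!A-Za-z0-9+/=]*|"") return 1 ;;
  esac
  [ "$(printf '%s' "$1" | base64 -d 2>/dev/null | wc -c | tr -d ' ')" -eq 32 ]
}

# Prints the value of setting $2 in profile $1 (first match, trimmed).
wg_conf_get() {
  sed -n "s/^[[:space:]]*$2[[:space:]]*=[[:space:]]*//p" "$1" | head -n1 | sed 's/[[:space:]]*$//'
}

# Returns 0 when the profile has everything a full-tunnel client needs and is
# stored safely. Prints one line per problem found.
wg_conf_check() {
  f=$1; bad=0
  for k in PrivateKey PublicKey PresharedKey; do
    wg_key_ok "$(wg_conf_get "$f" "$k")" || { echo "$k missing or not a 32-byte key"; bad=1; }
  done
  [ -n "$(wg_conf_get "$f" Address)" ] || { echo "Address missing"; bad=1; }
  # Without DNS, queries keep going to whatever resolver the host used before,
  # bypassing the VPN's own resolver (and its ad blocking).
  [ -n "$(wg_conf_get "$f" DNS)" ] || { echo "DNS missing: queries bypass the VPN resolver"; bad=1; }
  case "$(wg_conf_get "$f" Endpoint)" in
    *:[0-9]*) ;;
    *) echo "Endpoint missing or has no port"; bad=1 ;;
  esac
  case ",$(wg_conf_get "$f" AllowedIPs | tr -d ' ')," in
    *,0.0.0.0/0,*) ;;
    *) echo "AllowedIPs does not cover 0.0.0.0/0: not a full tunnel"; bad=1 ;;
  esac
  # The file holds the client's private key: only the owner may read it.
  perm=$(stat -c %a "$f" 2>/dev/null || stat -f %Lp "$f" 2>/dev/null)
  case "$perm" in
    *00) ;;
    *) echo "mode ${perm:-unknown}: profile should be 600 (contains PrivateKey)"; bad=1 ;;
  esac
  return "$bad"
}

# Writes a sample profile to $1. Keys are the ones shown in the profile above
# (already public, so unusable); the host name is a placeholder.
wg_sample_profile() {
  cat > "$1" <<'EOF'
[Interface]
PrivateKey = qH7djC3t4njG6W2bxnSteNAUzyyuhpdQ21u+CHKjhXw=
Address = 10.49.0.3
DNS = 172.28.237.162

[Peer]
PublicKey = shbJpOr2Y2wNwzQyXwQJruac4JsYISlTefNC43l2RVY=
PresharedKey = fagxwHc1CaRAs80ii5Rx33THZDl56LqyAd388u/z7og=
AllowedIPs = 0.0.0.0/0,::/0
Endpoint = vpn.example.com:51820
EOF
  chmod 600 "$1"
}

[ $# -eq 1 ] && wg_conf_check "$1"
```

The key test is deliberately structural (valid base64 of the right length) rather than cryptographic; confirming that PublicKey really belongs to the server's private key needs `wg pubkey` on the server side.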

To add users after the deployment, edit config.cfg and add the new names (this only works if you answered y to retaining the PKI), then rerun Algo in update mode from the activated virtualenv:

source env/bin/activate
./algo update-users

Now verify that WireGuard is running on the server:

sudo wg

Sample Output:

[Screenshot: output of `sudo wg` on the server, showing the interface and one peer per user]

#4. Configure Wireguard Clients

Once the Wireguard server has been set up, we can configure VPN clients to connect to it. To install a Wireguard client, follow the below steps:

4.1. Setup WireGuard Client on Linux and macOS

The Wireguard client can be set up on Linux and macOS from the Wireguard installation instructions page. Alternatively, use package managers to install the WireGuard Client.

On Debian/Ubuntu systems, also install openresolv. wg-quick applies the DNS = line of the profile through a resolvconf command, and this package provides it:

sudo apt install openresolv

Once installed, create a configuration file:

sudo vim /etc/wireguard/wgvpn.conf

In the file, paste the profile generated for this client on the WireGuard server, for example linux.conf:

[Interface]
PrivateKey = qH7djC3t4njG6W2bxnSteNAUzyyuhpdQ21u+CHKjhXw=
Address = 10.49.0.3 
DNS =  172.28.237.162 

[Peer]
PublicKey = shbJpOr2Y2wNwzQyXwQJruac4JsYISlTefNC43l2RVY=
PresharedKey = fagxwHc1CaRAs80ii5Rx33THZDl56LqyAd388u/z7og=
AllowedIPs = 0.0.0.0/0,::/0
Endpoint = *********.compute-1.amazonaws.com:51820

Save the file and make it readable only by root (mode 600), since it contains the client's private key. No reboot is needed; bring the interface up straight away:

$ sudo wg-quick up wgvpn
[#] ip link add wgvpn type wireguard
[#] wg setconf wgvpn /dev/fd/63
[#] ip -4 address add 10.49.0.3 dev wgvpn
[#] ip link set mtu 1420 up dev wgvpn
[#] resolvconf -a wgvpn -m 0 -x
[#] wg set wgvpn fwmark 51820
[#] ip -6 route add ::/0 dev wgvpn table 51820
[#] ip -6 rule add not fwmark 51820 table 51820
[#] ip -6 rule add table main suppress_prefixlength 0
[#] nft -f /dev/fd/63
[#] ip -4 route add 0.0.0.0/0 dev wgvpn table 51820
[#] ip -4 rule add not fwmark 51820 table 51820
[#] ip -4 rule add table main suppress_prefixlength 0
[#] sysctl -q net.ipv4.conf.all.src_valid_mark=1
[#] nft -f /dev/fd/63

Once the interface is up, verify it. The peer should show a recent "latest handshake" line; if that line never appears, the server did not answer (wrong Endpoint, key mismatch, or UDP port 51820 blocked on the way):

sudo wg

Sample Output:

[Screenshot: output of `sudo wg` on the client, showing the peer with its latest handshake]
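As an added example (not part of WireGuard or of the original guide), the following script makes that check explicit after `wg-quick up`: it parses the output of `wg show IF latest-handshakes` to confirm every peer has completed a handshake recently, and uses `ip route get` to confirm that traffic for an outside address leaves through the tunnel rather than the physical interface. The 180-second threshold, the address 1.1.1.1 and the name wg_health are this example's own assumptions.

```sh
#!/bin/sh
# Health check for a WireGuard client interface (added example).
# Usage: sh wg-health.sh wgvpn

MAX_AGE=${MAX_AGE:-180}   # peers re-handshake roughly every two minutes while traffic flows

# Reads "<peer-pubkey> <epoch>" lines, the format of `wg show IF latest-handshakes`,
# on stdin and returns 0 only if every peer handshook within MAX_AGE seconds of
# $1 (defaults to now). An epoch of 0 means the peer has never handshaked: the
# interface is up but the server never answered. Handshakes stop on an idle
# tunnel, so send some traffic (e.g. ping the DNS address from the profile)
# before running this.
peers_alive() {
  pa_now=${1:-$(date +%s)}
  pa_ok=1
  while read -r pa_pub pa_epoch; do
    [ -n "$pa_pub" ] || continue
    if [ "$pa_epoch" -eq 0 ]; then
      echo "peer $pa_pub: no handshake ever"; pa_ok=0
    elif [ $((pa_now - pa_epoch)) -gt "$MAX_AGE" ]; then
      echo "peer $pa_pub: last handshake $((pa_now - pa_epoch))s ago"; pa_ok=0
    fi
  done
  [ "$pa_ok" -eq 1 ]
}

# Returns 0 if the kernel would send traffic for $2 (default 1.1.1.1) out of
# interface $1. With AllowedIPs = 0.0.0.0/0 and wg-quick's policy routing the
# answer must be the tunnel; anything else means traffic leaks past the VPN.
route_via() {
  ip route get "${2:-1.1.1.1}" 2>/dev/null | grep -q " dev $1 "
}

# Runs both checks against the live interface $1.
wg_health() {
  wh_if=$1; wh_rc=0
  wg show "$wh_if" latest-handshakes | peers_alive || wh_rc=1
  route_via "$wh_if" || { echo "traffic to 1.1.1.1 does not leave via $wh_if"; wh_rc=1; }
  [ "$wh_rc" -eq 0 ] && echo "$wh_if: peers fresh, default route via tunnel"
  return "$wh_rc"
}

[ $# -eq 1 ] && wg_health "$1"
```

Run it as root with the interface name; it exits non-zero on a peer that never handshaked, a stale handshake, or a default route that bypasses the tunnel.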

4.2. Setup WireGuard Client on Windows

You can also set up a Windows client. First, install the WireGuard client from the official WireGuard download page.

Once installed, launch the client and choose Add Tunnel > Add empty tunnel (the same menu offers Import tunnel(s) from file, which accepts the .conf directly).

[Screenshot: WireGuard for Windows, Add Tunnel menu]

Paste in the full contents of this user's profile from the server (windows.conf here), replacing the key pair the client pre-filled, and give the tunnel a name.

[Screenshot: tunnel editor with the pasted profile]

Save the file and start the interface.

[Screenshot: saved tunnel with the Activate button]

Once started, you will see this:

[Screenshot: the tunnel shown as Active in the WireGuard for Windows client]

4.3. Set up WireGuard Client on Mobile Devices

The WireGuard apps for Android and iOS can import a tunnel by scanning the QR code in the matching .png generated on the server (phone.png here); alternatively, follow the guide below:

Verdict

In this guide we set up a WireGuard and IPsec VPN server on Ubuntu 22.04 using Algo VPN, walked through the deployment prompts, and connected Linux, Windows and mobile clients to it. I hope this was useful to you.
