Friday, December 27, 2024

Algo VPN – Setup a personal IPSEC VPN in the Cloud

What is Algo VPN?

According to their Github Page, “Algo VPN is a set of Ansible scripts that simplify the setup of a personal IPSEC and Wireguard VPN. It uses the most secure defaults available, works with common cloud providers, and does not require client software on most devices.”.

Algo VPN

Algo gives you an easy way to install and configure a secure VPN on-premises or in the cloud for personal use. Note that you don't need a mastery of Linux or Ansible to set this up; the process is not burdensome.

“Rivers know this: there is no hurry. We shall get there some day.”
― A.A. Milne

Features of Algo VPN

Below is a list of Algo VPN features that you get out of the box.

  • Supports only IKEv2 with strong crypto (AES-GCM, SHA2, and P-256) and WireGuard
  • Generates Apple profiles to auto-configure iOS and macOS devices
  • Includes a helper script to add and remove users
  • Blocks ads with a local DNS resolver (optional)
  • Sets up limited SSH users for tunneling traffic (optional)
  • Based on current versions of Ubuntu and strongSwan
  • Installs to DigitalOcean, Amazon Lightsail, Amazon EC2, Vultr, Microsoft Azure, Google Compute Engine, Scaleway, OpenStack, or internal server.

Setup Algo VPN on Ubuntu / Debian

For Ubuntu and Debian based systems, install the required dependencies by running the commands below.

# Update package list index
sudo apt update

# Python 3
sudo apt-get install -y git build-essential python3-dev python3-pip python3-setuptools python3-virtualenv libffi-dev libssl-dev 

# Python 2
sudo apt-get install -y git build-essential python-dev python-pip python-setuptools python-virtualenv libffi-dev libssl-dev 

Once the dependencies have been installed, clone the Algo VPN repository.

git clone https://github.com/trailofbits/algo.git

Install Algo Python dependencies

Change to the algo directory and install the Python dependencies such as ansible, jinja and PyYAML.

cd algo
python3 -m virtualenv --python=$(which python3) env
source env/bin/activate
python3 -m pip install -U pip virtualenv
python3 -m pip install -r requirements.txt

This will collect ansible, jinja, PyYAML and many others.

List Users to create

Open config.cfg in your favorite text editor and specify the users you wish to create in the users list. I encountered an error when I added a user with the name of a user in the system. The user may be running a given process, and the Algo script returns an error. So use unique usernames.

vim config.cfg

Add users like below:

users:
  - test
  - pench
  - admin
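As an added pre-flight check (this is not part of the original post or of Algo itself), the following Python reads the users: list from config.cfg and flags duplicates, names that the Debian/Ubuntu useradd name rule would reject, and names that already belong to a local account Algo did not create. The system_users and algo_users parameters are assumed so the check can also be run against constructed data; by default it reads this host's passwd entries and the members of the algo group.

```python
import grp
import pwd
import re
from typing import Iterable, List, Optional

# Debian/Ubuntu default NAME_REGEX for useradd; Algo may apply its own rules,
# so this is only a pre-flight sanity check (assumption, not Algo's code).
USERNAME_RE = re.compile(r"^[a-z_][a-z0-9_-]*$")

def parse_users(config_text: str) -> List[str]:
    """Names under the top-level 'users:' block-list of config.cfg.
    Handles only the "users:" + "  - name" form shown in the post, not general YAML."""
    users, in_users = [], False
    for raw in config_text.splitlines():
        line = raw.split("#", 1)[0].rstrip()      # strip comments
        if not line.strip():
            continue
        if not line[0].isspace():                 # another top-level key ends the block
            in_users = line.strip() == "users:"
            continue
        if in_users and line.lstrip().startswith("- "):
            users.append(line.lstrip()[2:].strip().strip("'\""))
    return users

def check_users(config_text: str,
                system_users: Optional[Iterable[str]] = None,
                algo_users: Iterable[str] = ()) -> List[str]:
    """Problems with the users list; an empty list means it is safe to deploy.
    Defaults: this host's passwd entries, minus members of the 'algo' group
    (accounts Algo created on earlier runs may legitimately reappear)."""
    if system_users is None:
        system_users = [p.pw_name for p in pwd.getpwall()]
        try:
            algo_users = grp.getgrnam("algo").gr_mem
        except KeyError:
            algo_users = ()
    clash = set(system_users) - set(algo_users)
    problems, seen = [], set()
    for name in parse_users(config_text):
        if name in seen:
            problems.append(f"duplicate entry: {name}")
            continue
        seen.add(name)
        if not USERNAME_RE.match(name):
            problems.append(f"invalid username: {name!r}")
        if name in clash:
            problems.append(f"already a system account: {name}")
    return problems
```

Run it as `check_users(open("config.cfg").read())` on the deployment host before `./algo`; anything it returns is worth fixing before the playbook runs.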

Disable resolved service (for dnsmasq to work)

Run the following commands to disable the resolved service:

sudo systemctl disable systemd-resolved
sudo systemctl stop systemd-resolved

Also, remove the symlink to resolv.conf file.

sudo unlink /etc/resolv.conf

Then create a new resolv.conf file.

echo "nameserver 8.8.8.8" | sudo tee /etc/resolv.conf

Start the deployment

While still in the algo directory, begin the deployment by running the algo script as shown below. This leads to a series of questions that you answer according to your set-up. My settings were as below.

# ./algo

Select your Cloud Provider or existing server.

PLAY [Ask user for the input] 
 TASK [Gathering Facts] *
 ok: [localhost]
 [pause]
 What provider would you like to use?
    1. DigitalOcean
    2. Amazon Lightsail
    3. Amazon EC2
    4. Microsoft Azure
    5. Google Compute Engine
    6. Hetzner Cloud
    7. Vultr
    8. Scaleway
    9. OpenStack (DreamCompute optimised)
    10. CloudStack (Exoscale optimised)
    11. Linode
    12. Install to existing Ubuntu 18.04 or 20.04 server (for more advanced users)

Enter the number of your desired provider
: 12

Choose whether macOS/iOS clients should enable “VPN On Demand” when connected to cellular networks and to Wi-Fi.

TASK [pause] ***
 ok: [localhost]
 TASK [Set facts based on the input] **
 ok: [localhost]
 [pause]
 Do you want macOS/iOS clients to enable "VPN On Demand" when connected to cellular networks?
 [y/N]
 :
 y
Do you want macOS/iOS clients to enable "VPN On Demand" when connected to Wi-Fi?
 [y/N]
 :
 y

Set list of trusted Wi-Fi networks.

List the names of trusted Wi-Fi networks (if any) that macOS/iOS clients exclude from using the VPN
(e.g., your home network. Comma-separated value, e.g., HomeNet,OfficeWifi,AlgoWiFi)
:
Netpap

Set other options as you see fit.

Do you want to install a DNS resolver on this VPN server, to block ads while surfing?
 [y/N]
 :
 y
 TASK [pause] ***
 ok: [localhost]
 [pause]
 Do you want each user to have their own account for SSH tunneling?
 [y/N]
 :
 y
 TASK [pause] ***
 ok: [localhost]
 [pause]
 Do you want the VPN to support Windows 10 or Linux Desktop clients? (enables compatible ciphers and key exchange, less secure)
 [y/N]
 :
 y
 TASK [pause] ***
 ok: [localhost]
 [pause]
 Do you want to retain the CA key? (required to add users in the future, but less secure)
 [y/N]
 :
 y

The ansible deployment should start.

 TASK [pause] **
 ok: [localhost]
 TASK [Set facts based on the input] *
 ok: [localhost]
 PLAY [Provision the server] *
 TASK [Gathering Facts] 
 ok: [localhost]
 --> Please include the following block of text when reporting issues:
Algo running on: Ubuntu 18.04.1 LTS (Virtualized: kvm)
 Created from git clone. Last commit: 40b42c4 Get started with Azure more easily (#1323)
 Python 2.7.15rc1
 Runtime variables:
     algo_provider "local"
     algo_ondemand_cellular "True"
     algo_ondemand_wifi "True"
     algo_ondemand_wifi_exclude "X251bGw="
     algo_local_dns "True"
     algo_ssh_tunneling "True"
     algo_windows "True"
     wireguard_enabled "True"
     dns_encryption "True"
 TASK [Display the invocation environment] *
 changed: [localhost -> localhost]
 TASK [Install the requirements] ***
 changed: [localhost -> localhost]
 TASK [Generate the SSH private key] *
 changed: [localhost]
 TASK [Generate the SSH public key] 
 changed: [localhost]
 [local : pause]
 Enter the IP address of your server: (or use localhost for local installation):
 [localhost]
 :
 localhost
 TASK [local : pause] 
 ok: [localhost]
 TASK [local : Set the facts] 
 ok: [localhost]
 TASK [local : Set the facts] 
 ok: [localhost]
 [local : pause]
 Enter the public IP address of your server: (IMPORTANT! This IP is used to verify the certificate)
 [localhost]
 :
 192.168.1.10 (Your Public IP Here)

When it has completed successfully, you should see a banner like the one below.

TASK [debug] ******************************************************************************************************************************************
ok: [localhost] => {
    "msg": [
        [
            "\"#                          Congratulations!                            #\"", 
            "\"#                     Your Algo server is running.                     #\"", 
            "\"#    Config files and certificates are in the ./configs/ directory.    #\"", 
            "\"#              Go to https://whoer.net/ after connecting               #\"", 
            "\"#        and ensure that all your traffic passes through the VPN.      #\"", 
            "\"#                     Local DNS resolver 172.16.0.1                    #\"", 
            ""
        ], 
        "    \"#        The p12 and SSH keys password for new users is n8L8q6bn       #\"\n", 
        "    \"#        The CA key password is bc6f3cc1080d166ca27b1cf5d5a14aa6       #\"\n", 
        "    "
    ]
}

PLAY RECAP ********************************************************************************************************************************************
localhost                  : ok=151  changed=85   unreachable=0    failed=0   

After the deployment, Algo VPN will add users to the system and generate configuration files for use with VPN clients as well as ssh keys.

Adding Users

After the installation, you can add other users to the users list in your config.cfg.

users:
  - test
  - pech
  - admin
  - user2

Once the list is updated, activate the virtual environment and run the users update script.

source env/bin/activate
./algo update-users

After this process completes, the Algo VPN server will contain only the users listed in the config.cfg file.

# id test
uid=1002(test) gid=1003(test) groups=1003(test),1000(algo)

The configuration files for each VPN profile are located under the ./algo/configs/ServerIP directory.

# ls | grep test
ipsec_test.conf
ipsec_test.secrets
test.mobileconfig
test.p12
test.ssh_config
test.ssh.pem
windows_test.ps1
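The per-user files above hold the client's private key material (the p12 bundle, the SSH key and the IPsec secrets), and the completion banner has already printed the p12 and CA key passwords to the terminal, so the configs directory should stay owner-only. The following Python is an added check (not part of the original post or of Algo) that audits the modes under configs/<ServerIP>/ and can tighten them; treating the mobileconfig and ps1 profiles as secret-bearing is an assumption about their contents, and build_sample_dir constructs a stand-in directory with deliberately loose modes.

```python
import os
import stat
import tempfile
from typing import Iterator, List, Tuple

# Per-user files Algo writes under configs/<ServerIP>/ (names from the listing
# above). p12/pem/secrets hold private keys; the mobileconfig and ps1 profiles
# are assumed to embed the p12 bundle, so they are treated as secrets as well.
SECRET_SUFFIXES = (".p12", ".pem", ".secrets", ".mobileconfig", ".ps1")

def _targets(config_dir: str) -> Iterator[Tuple[str, bool]]:
    """Yield (path, is_dir) for config_dir, its subdirectories and secret-bearing files."""
    yield config_dir, True
    for root, dirs, files in os.walk(config_dir):
        for d in dirs:
            yield os.path.join(root, d), True
        for f in files:
            if f.endswith(SECRET_SUFFIXES):
                yield os.path.join(root, f), False

def audit_configs(config_dir: str) -> List[str]:
    """'<relative path> (<mode>)' for every target that group or others can access."""
    findings = []
    for path, _ in _targets(config_dir):
        mode = stat.S_IMODE(os.lstat(path).st_mode)
        if mode & 0o077:
            findings.append(f"{os.path.relpath(path, config_dir)} ({mode:04o})")
    return sorted(findings)

def tighten(config_dir: str) -> int:
    """Restrict targets to owner-only (0700 dirs, 0600 files); returns how many changed."""
    changed = 0
    for path, is_dir in _targets(config_dir):
        want = 0o700 if is_dir else 0o600
        if stat.S_IMODE(os.lstat(path).st_mode) != want:
            os.chmod(path, want)
            changed += 1
    return changed

def build_sample_dir() -> str:
    """Constructed stand-in for ./configs/ with a server directory and loose modes."""
    base = tempfile.mkdtemp()                      # mkdtemp creates base as 0700
    server = os.path.join(base, "192.168.1.10")    # constructed server IP
    os.mkdir(server)
    os.chmod(server, 0o755)
    for name, mode in [("ipsec_test.conf", 0o644), ("ipsec_test.secrets", 0o644),
                       ("test.p12", 0o640), ("test.ssh.pem", 0o600),
                       ("test.mobileconfig", 0o644), ("test.ssh_config", 0o644),
                       ("windows_test.ps1", 0o644)]:
        path = os.path.join(server, name)
        with open(path, "w") as fh:
            fh.write("constructed sample\n")
        os.chmod(path, mode)
    return base
```

On a real deployment, call `audit_configs("configs")` from the algo directory; ipsec_*.conf and *.ssh_config are not flagged because they carry no key material.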

Conclusion

We hope the setup went successfully. In our next article, we are going to configure Linux, Windows and Android devices to connect to the Algo VPN Server we have installed. Next read is:

Other VPN related guides are:

Cheers guys.
