
Algo VPN

Features of Algo VPN

Below is a list of Algo VPN features that you get out of the box.

  • Supports only IKEv2 with strong crypto (AES-GCM, SHA2, and P-256) and WireGuard
  • Generates Apple profiles to auto-configure iOS and macOS devices
  • Includes a helper script to add and remove users
  • Blocks ads with a local DNS resolver (optional)
  • Sets up limited SSH users for tunneling traffic (optional)
  • Based on current versions of Ubuntu and strongSwan
  • Installs to DigitalOcean, Amazon Lightsail, Amazon EC2, Vultr, Microsoft Azure, Google Compute Engine, Scaleway, OpenStack, or internal server.

Setup Algo VPN on Ubuntu / Debian

On Ubuntu or Debian based systems, install the required build and Python dependencies by running the commands below.

sudo apt-get update
sudo apt-get install -y git build-essential python-dev python-pip python-setuptools python-virtualenv libffi-dev libssl-dev

Once the dependencies have been installed, clone the Algo VPN repository.

git clone https://github.com/trailofbits/algo.git

Install Algo Python dependencies

Change to the algo directory, create a Python virtual environment and install the Python dependencies (ansible, jinja, PyYAML and the rest of requirements.txt) into it. This page follows the Python 2 era of Algo (the deployment output below reports Python 2.7.15); current Algo releases require Python 3, so check the README in the repository for the dependency commands that match the commit you cloned.

cd algo
python -m virtualenv --python=$(which python2) env &&
source env/bin/activate &&
python -m pip install -U pip virtualenv &&
python -m pip install -r requirements.txt

pip resolves ansible, jinja, PyYAML and the other packages listed in requirements.txt.

List Users to create

Open config.cfg in your text editor and list the users you want to create under the users key. Use names that do not already exist on the server: Algo creates a system account for every entry, and when I added a name that matched an existing system user the script failed (that account may also be owned by a running process). Unique, Algo-only usernames avoid the problem.

vim config.cfg

Add users like below:

users:
  - test
  - pench
  - admin

Disable the systemd-resolved service (needed for dnsmasq to work)

Disable and stop systemd-resolved with the following commands:

sudo systemctl disable systemd-resolved
sudo systemctl stop systemd-resolved

Also remove the resolv.conf symlink, which points at the resolved stub resolver:

sudo unlink /etc/resolv.conf

Then create a new resolv.conf. The redirection in the original echo command is performed by your shell, not by sudo, so unless you are already root it fails with "Permission denied"; write the file through sudo tee instead:

echo "nameserver 8.8.8.8" | sudo tee /etc/resolv.conf

This points the server's own lookups at Google's public resolver over unencrypted DNS. That is enough for the deployment to fetch packages, but substitute an upstream you trust if the server's own query privacy matters to you.

Start the deployment

While still in the algo directory, and with the virtual environment active, start the deployment by running the algo script as shown below. It asks a series of questions; answer them according to your setup. My answers were as follows.

# ./algo

Select your Cloud Provider or existing server.

PLAY [Ask user for the input] 
TASK [Gathering Facts] *
ok: [localhost]
[pause]
What provider would you like to use?
1. DigitalOcean
2. Amazon Lightsail
3. Amazon EC2
4. Vultr
5. Microsoft Azure
6. Google Compute Engine
7. Scaleway
8. OpenStack (DreamCompute optimised)
9. Install to existing Ubuntu 18.04 server (Advanced)
Enter the number of your desired provider
: 9

Choose whether macOS/iOS clients should enable "VPN On Demand" when connected to cellular networks and when connected to Wi-Fi.

TASK [pause] ***
ok: [localhost]
TASK [Set facts based on the input] **
ok: [localhost]
[pause]
Do you want macOS/iOS clients to enable "VPN On Demand" when connected to cellular networks?
[y/N]
:
y
Do you want macOS/iOS clients to enable "VPN On Demand" when connected to Wi-Fi?
[y/N]
:
y

Set the list of trusted Wi-Fi networks (SSIDs on which the clients should not bring the VPN up).

List the names of trusted Wi-Fi networks (if any) that macOS/iOS clients exclude from using the VPN
(e.g., your home network. Comma-separated value, e.g., HomeNet,OfficeWifi,AlgoWiFi)
:
Netpap

Set the remaining options as you see fit. Two of them trade security for convenience and say so in the prompt: Windows 10 / Linux desktop support enables older ciphers and key exchange for compatibility, and retaining the CA key lets you add users later with the update-users command but leaves a key on this machine that can issue new client certificates, so protect it and the CA key password printed at the end of the run.

Do you want to install a DNS resolver on this VPN server, to block ads while surfing?
[y/N]
:
y
TASK [pause] ***
ok: [localhost]
[pause]
Do you want each user to have their own account for SSH tunneling?
[y/N]
:
y
TASK [pause] ***
ok: [localhost]
[pause]
Do you want the VPN to support Windows 10 or Linux Desktop clients? (enables compatible ciphers and key exchange, less secure)
[y/N]
:
y
TASK [pause] ***
ok: [localhost]
[pause]
Do you want to retain the CA key? (required to add users in the future, but less secure)
[y/N]
:
y

The ansible deployment should start.

 TASK [pause] **
ok: [localhost]
TASK [Set facts based on the input] *
ok: [localhost]
PLAY [Provision the server] *
TASK [Gathering Facts]
ok: [localhost]
--> Please include the following block of text when reporting issues:
Algo running on: Ubuntu 18.04.1 LTS (Virtualized: kvm)
Created from git clone. Last commit: 40b42c4 Get started with Azure more easily (#1323)
Python 2.7.15rc1
Runtime variables:
algo_provider "local"
algo_ondemand_cellular "True"
algo_ondemand_wifi "True"
algo_ondemand_wifi_exclude "X251bGw="
algo_local_dns "True"
algo_ssh_tunneling "True"
algo_windows "True"
wireguard_enabled "True"
dns_encryption "True"
TASK [Display the invocation environment] *
changed: [localhost -> localhost]
TASK [Install the requirements] ***
changed: [localhost -> localhost]
TASK [Generate the SSH private key] *
changed: [localhost]
TASK [Generate the SSH public key]
changed: [localhost]
[local : pause]
Enter the IP address of your server: (or use localhost for local installation):
[localhost]
:
localhost
TASK [local : pause]
ok: [localhost]
TASK [local : Set the facts]
ok: [localhost]
TASK [local : Set the facts]
ok: [localhost]
[local : pause]
Enter the public IP address of your server: (IMPORTANT! This IP is used to verify the certificate)
[localhost]
:
192.168.1.10 (Your Public IP Here)

The public IP address you give here is embedded in the server certificate and in every client profile, so it must be the address clients will actually connect to; 192.168.1.10 above is only a placeholder, and a private address works only for clients on the same network. When the run succeeds you should see a banner like the one below.

TASK [debug] ******************************************************************************************************************************************
ok: [localhost] => {
    "msg": [
        [
            "\"#                          Congratulations!                            #\"", 
            "\"#                     Your Algo server is running.                     #\"", 
            "\"#    Config files and certificates are in the ./configs/ directory.    #\"", 
            "\"#              Go to https://whoer.net/ after connecting               #\"", 
            "\"#        and ensure that all your traffic passes through the VPN.      #\"", 
            "\"#                     Local DNS resolver 172.16.0.1                    #\"", 
            ""
        ], 
        "    \"#        The p12 and SSH keys password for new users is n8L8q6bn       #\"\n", 
        "    \"#        The CA key password is bc6f3cc1080d166ca27b1cf5d5a14aa6       #\"\n", 
        "    "
    ]
}

PLAY RECAP ********************************************************************************************************************************************
localhost                  : ok=151  changed=85   unreachable=0    failed=0   

After the deployment, Algo has added the users as system accounts and generated per-user VPN client configurations and SSH keys. Note the two passwords in the banner: the p12 and SSH key password is what each user needs to import their profile, and the CA key password is required for future update-users runs. Both are secrets: record them somewhere safe and never paste them into a public page.

Adding Users

After the installation, you can add more users by extending the users list in config.cfg:

users:
  - test
  - pench
  - admin
  - user2

Once the list is updated, activate the virtual environment (if it is not already active) and run the user update command:

source env/bin/activate
./algo update-users

When it finishes, the server has exactly the accounts listed in config.cfg: new names are created and names dropped from the list are removed.

# id test
uid=1002(test) gid=1003(test) groups=1003(test),1000(algo)

The client configuration files for each user are written under configs/<server IP>/ inside the algo checkout, for example for the user test:

# ls | grep test
ipsec_test.conf
ipsec_test.secrets
test.mobileconfig
test.p12
test.ssh_config
test.ssh.pem
windows_test.ps1
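The username collision described under "List Users to create" and the per-user secrets in configs/ are both easy to check for with a few shell functions. The script below is an added example, not Algo's own tooling. It assumes the two-space "  - name" list format shown on this page, the supplementary group algo on deployed accounts (as in the id test output above), and one <user>.p12 per user in the configs directory (as in the ls listing above); the config file and directory it builds at the end are constructed for the demonstration only.

```shell
#!/bin/sh
# Added example (not part of Algo): pre- and post-deployment checks for the users list.
#  algo_config_users     reads the names under "users:" in config.cfg
#  algo_user_problems    flags names that break ./algo or ./algo update-users: duplicates,
#                        invalid account names, and names that already exist as system
#                        accounts outside the "algo" group (the collision on this page)
#  algo_config_problems  compares configs/<server IP>/ with the list and reports any
#                        credential file readable by group or others
#  algo_check            runs both and returns 1 when anything was reported
# Assumptions: "  - name" list entries, deployed accounts carry the group "algo",
# every user has <user>.p12 in the configs directory.

algo_config_users() {
  awk '
    /^users:[ \t]*$/ { inlist = 1; next }
    inlist && /^[ \t]*-/ {
      sub(/^[ \t]*-[ \t]*/, "")    # drop the "- " list marker
      sub(/[ \t]*#.*$/, "")        # drop a trailing comment
      gsub(/["'\'']/, "")          # drop optional quoting
      gsub(/[ \t\r]/, "")          # drop stray whitespace
      if ($0 != "") print
      next
    }
    inlist && /^[^ \t#]/ { inlist = 0 }   # next top-level key ends the list
  ' "$1"
}

algo_user_problems() {
  # usage: algo_user_problems config.cfg ; one line per problem, nothing when clean
  names=$(algo_config_users "$1")
  if [ -z "$names" ]; then
    echo "no names found under 'users:' in $1"
    return
  fi
  printf '%s\n' "$names" | sort | uniq -d | sed 's/$/: listed more than once/'
  printf '%s\n' "$names" | sort -u | while IFS= read -r name; do
    # conservative Linux account-name rule: lowercase letter, then [a-z0-9_-]
    if ! printf '%s\n' "$name" | grep -Eq '^[a-z][-a-z0-9_]*$'; then
      echo "$name: not a valid Linux account name"
    elif id "$name" >/dev/null 2>&1 && ! id -Gn "$name" | tr ' ' '\n' | grep -qx algo; then
      echo "$name: already a system account outside the algo group, pick another name"
    fi
  done
}

algo_config_problems() {
  # usage: algo_config_problems config.cfg configs/<server IP>
  cfg="$1"; dir="$2"
  listed=$(algo_config_users "$cfg" | sort -u)
  printf '%s\n' "$listed" | while IFS= read -r name; do
    [ -n "$name" ] || continue
    [ -f "$dir/$name.p12" ] || echo "$name: in config.cfg but $dir/$name.p12 is missing"
  done
  for f in "$dir"/*.p12; do
    [ -e "$f" ] || continue            # no .p12 files at all
    name=${f##*/}; name=${name%.p12}
    printf '%s\n' "$listed" | grep -qxF -- "$name" || \
      echo "$name: $name.p12 exists but $name is not in config.cfg, remove or re-add it"
  done
  # everything here is a client private key, certificate or SSH key: owner-only access
  find "$dir" \( -perm -g+r -o -perm -g+w -o -perm -o+r -o -perm -o+w \) | sort |
    sed 's/$/: readable or writable by group\/others, use chmod go-rwx/'
}

algo_check() {
  # usage: algo_check config.cfg [configs/<server IP>] ; prints problems, returns 1 if any
  if [ -n "$2" ]; then
    report=$( { algo_user_problems "$1"; algo_config_problems "$1" "$2"; } )
  else
    report=$(algo_user_problems "$1")
  fi
  [ -z "$report" ] && return 0
  printf '%s\n' "$report"
  return 1
}

# Demo on a constructed config.cfg and configs directory (not a real Algo checkout).
demo=$(mktemp -d)
printf 'users:\n  - test\n  - pench\n  - admin\n  - root\n  - test\n\nnext_key: value\n' > "$demo/config.cfg"
mkdir -p "$demo/configs/192.168.1.10" && chmod 700 "$demo/configs/192.168.1.10"
for u in test pench olduser; do : > "$demo/configs/192.168.1.10/$u.p12"; done
chmod 600 "$demo/configs/192.168.1.10/"*.p12
chmod 644 "$demo/configs/192.168.1.10/pench.p12"   # deliberately exposed
algo_check "$demo/config.cfg" "$demo/configs/192.168.1.10" ||
  echo "fix config.cfg and permissions before running ./algo update-users"
rm -rf "$demo"
```

Run algo_check config.cfg before the first ./algo and before every ./algo update-users, and algo_check config.cfg configs/<server IP> afterwards; the demo at the end reports the duplicated test entry, the root collision, the stale olduser.p12 and the group-readable pench.p12.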

Conclusion
