How to Deploy Your Own Algo VPN Server in the DigitalOcean Cloud

When performing security research or connecting over untrusted networks, it’s often useful to tunnel connections through a VPN in a public cloud. This approach helps conceal your origin and safeguard your traffic, contributing to OPSEC when interacting with malicious infrastructure or traversing hostile environments. Moreover, by using VPN exit nodes in different cities and even countries, the researcher can explore the target from multiple geographic vantage points, which sometimes yields additional findings.

One way to accomplish this is to set up your own VPN server in a public cloud, as an alternative to relying on a commercial VPN service. The following tutorial explains how to deploy the Algo VPN software bundle on DigitalOcean (the link includes my referral code). I like using DigitalOcean for this purpose because it offers virtual machines (VMs) for as little as $5 per month; also, I find it easier to use than AWS.

Algo VPN Overview

Algo VPN is an open-source software bundle designed for self-hosted VPN services. It was designed by the folks at Trail of Bits to be easy to deploy, rely only on modern protocols and ciphers, and provide reasonable security defaults. Also, it doesn’t require dedicated VPN client software for connecting from most systems and devices, because of native IPSec support. It does, however, optionally support WireGuard VPN clients.

To understand why its creators believe Algo VPN is a better alternative to commercial VPNs, the Streisand VPN bundle and OpenVPN, read the blog post that announced Algo’s initial release. As outlined in the post, Algo VPN is meant “to be easy to set up. That way, you start it when you need it, and tear it down before anyone can figure out the service you’re routing your traffic through.”

Creating a DigitalOcean VM

To obtain an Internet-accessible system where you’ll install Algo VPN server software, you can create a “droplet” on DigitalOcean running Ubuntu with a few clicks. To do that, click the dropdown button below the Ubuntu icon on the DigitalOcean “Create Droplets” page, then select an 18.04 x64 option, as shown below.

Accepting default options for the droplet should be OK in most cases. If you’re not planning to tunnel a lot of traffic through the system, selecting the least expensive size will probably suffice. Select the geographic region where the VM will run based on your requirements. Assign a hostname that appeals to you.

Once the new host is active, make a note of the public IP address that DigitalOcean assigns to it and log into it using SSH. Then run the following commands inside your VM to update its OS and install Algo VPN core prerequisites:

apt-add-repository -y ppa:ansible/ansible
apt-get -y update
apt-get -y upgrade
apt-get -y install build-essential \
  libssl-dev \
  libffi-dev \
  python-dev \
  python-pip \
  python-setuptools \
  python-virtualenv

At this point, you could harden the configuration of your VM, but these steps are outside the scope of this guide.

Installing Algo VPN Server Software

Next, obtain the latest Algo VPN server software on the newly-setup droplet and prepare for the installation by executing the following commands:

git clone https://github.com/trailofbits/algo
cd algo
python -m virtualenv env
source env/bin/activate
python -m pip install -U pip virtualenv
python -m pip install -r requirements.txt

Set up the username for the people who will be using the VPN. To accomplish this, use your favorite text editor, such as Nano or Vim, to edit the config.cfg file in the ~/algo directory:

vim config.cfg

If you wish, remove the lines that represent the default users phone, laptop, and desktop, and add your own (e.g., john) so that the corresponding section of the file looks like this:

users:
 - john

After saving the file and exiting the text editor, execute the following command in the ~/algo directory to install Algo software:

./algo

When prompted by the installer, select the option to install “to existing Ubuntu 18.04 or 19.04 server.”

When proceeding with the installer, you should be OK in most cases by accepting default answers, with a few exceptions:

  • When asked to enter “the IP address of your server,” press Enter to accept the default “localhost” value.
  • When asked about the public IP address of the server, enter the IP address assigned to your VM by DigitalOcean when you created the droplet.

After providing the answers, give the installer a few minutes to complete its tasks. (Be patient.) Once it finishes, you’ll see the “Congratulations!” message, stating that your Algo VPN server is running.

Be sure to capture the “p12 and SSH keys password for new users” that the installer will display at the end as part of the congratulatory message because you will need to use it later. Store it in a safe place, such as your password vault.

Configuring VPN Clients

Once you’ve set up the Algo VPN service, configure your VPN client. The Algo setup process generates VPN client configuration files that allow you to easily complete the setup. It stores the files under ~/algo/configs in a subdirectory whose name matches your server’s IP address.

In most cases, start by installing the WireGuard VPN client for your OS (get the app for macOS, iOS, Android, or Windows). Next:

  • For iOS and Android, use the WireGuard app to scan the QR code PNG image that Algo generated and placed in the wireguard subdirectory on your server.
  • For Windows and macOS (Mojave or later), use the WireGuard app to “Import tunnel(s) from file…” and point it to the .conf file that Algo generated and placed in the wireguard subdirectory on your server.

If you don’t want to install WireGuard on your iOS device, you can follow Algo’s instructions to configure the built-in IPSec VPN client for Apple devices.

If using the WireGuard VPN client, use it to activate your VPN tunnel.

Additional Considerations for Algo VPN

Before relying on the VPN to safeguard your interactions with malicious infrastructure, be sure to confirm that it’s concealing the necessary aspects of your origin. If it’s working properly, the remote host should see the IP address of your VPN server, instead of the IP address of your VPN client. Similarly, your DNS traffic should be directed through the VPN tunnel, concealing your client’s locally configured DNS server. One way to validate this is to use whoer.net, comparing what information the site reveals before and after you activate your VPN connection. Also, confirm that you’re not leaking your origin over IPv6; one way to do that is by connecting to ipv6leak.com.
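A complementary offline check, added here as an example that is not part of the original post or of Algo itself: before importing the WireGuard .conf that Algo places in the wireguard subdirectory, confirm that it routes all IPv4 and IPv6 traffic and tunnelled DNS through the droplet, which is the configuration-side counterpart of the IP, DNS and IPv6 leak tests above. The sample config, the 10.19.49.x tunnel addresses, the 203.0.113.10 server address and the placeholder keys are constructed for the example; the script assumes the standard [Interface]/[Peer] layout and an IPv4 Endpoint.

```shell
#!/bin/sh
# Example (not from the original post or from Algo): sanity-check a WireGuard
# client .conf so that no IPv4, IPv6 or DNS traffic bypasses the tunnel.

# wg_conf_value FILE KEY -> prints the value of the first "KEY = value" line
wg_conf_value() {
  sed -n "s/^[[:space:]]*$2[[:space:]]*=[[:space:]]*//p" "$1" | head -n 1
}

# check_wg_conf FILE SERVER_IP -> 0 when every check passes, otherwise prints
# each finding and returns 1.
check_wg_conf() {
  conf=$1; server_ip=$2; rc=0
  allowed=$(wg_conf_value "$conf" AllowedIPs | tr -d ' ')
  endpoint=$(wg_conf_value "$conf" Endpoint)
  dns=$(wg_conf_value "$conf" DNS)

  # AllowedIPs must contain the IPv4 and the IPv6 default route; anything
  # else leaves part of the client's traffic outside the tunnel.
  case ",$allowed," in
    *,0.0.0.0/0,*) ;;
    *) echo "FAIL: AllowedIPs does not cover all IPv4 traffic ($allowed)"; rc=1 ;;
  esac
  case ",$allowed," in
    *,::/0,*) ;;
    *) echo "FAIL: AllowedIPs omits ::/0, so IPv6 would bypass the tunnel"; rc=1 ;;
  esac
  # The peer endpoint must be the droplet's public IP (host part before ':').
  [ "${endpoint%:*}" = "$server_ip" ] ||
    { echo "FAIL: Endpoint host '${endpoint%:*}' is not $server_ip"; rc=1; }
  # Without a DNS entry the client keeps using its local resolver.
  [ -n "$dns" ] || { echo "FAIL: no DNS entry in [Interface]"; rc=1; }
  return $rc
}

# write_sample_conf FILE ALLOWED_IPS -> constructed client config for testing;
# the keys are placeholders, not real WireGuard keys.
write_sample_conf() {
  cat > "$1" <<EOF
[Interface]
PrivateKey = PLACEHOLDER_CLIENT_PRIVATE_KEY=
Address = 10.19.49.2/32
DNS = 10.19.49.1

[Peer]
PublicKey = PLACEHOLDER_SERVER_PUBLIC_KEY=
AllowedIPs = $2
Endpoint = 203.0.113.10:51820
EOF
}
# Usage on a real file: check_wg_conf ~/algo/configs/<server-ip>/wireguard/john.conf <server-ip>
```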

You can turn off your VM when you don’t need it. When you boot it up again, Algo VPN software will automatically launch in the background. If running the server for longer periods, you should implement the security measures appropriate for Internet-connected infrastructure.

As you use your Algo VPN, adversaries might begin tracking the server’s IP address and eventually blacklist it. Therefore, it’s a good idea to periodically destroy this DigitalOcean droplet and create a new one from scratch. This will not only change the server’s IP address but also ensure that you’re running the latest version of VPN software and its dependencies. Unfortunately, after you do this, you’ll need to re-import VPN configuration details to match the new server’s IP address and certificate.


About the Author

Lenny Zeltser develops teams, products, and programs that use information security to achieve business results. Over the past two decades, Lenny has been leading efforts to establish resilient security practices and solve hard security problems. As a respected author and speaker, he has been advancing cybersecurity tradecraft and contributing to the community. His insights build upon 20 years of real-world experiences, a Computer Science degree from the University of Pennsylvania, and an MBA degree from MIT Sloan.
