When performing security research or connecting over untrusted networks, it’s often useful to tunnel connections through a VPN in a public cloud. This approach helps conceal your origin and safeguard your traffic, contributing to OPSEC when interacting with malicious infrastructure or traversing hostile environments. Moreover, by using VPN exit nodes in different cities and even countries, the researcher can explore the target from multiple geographic vantage points, which sometimes yields additional findings.
One way to accomplish this is to set up your own VPN server in a public cloud, as an alternative to relying on a commercial VPN service. The following tutorial explains how to deploy the Algo VPN software bundle on DigitalOcean (the link includes my referral code). I like using DigitalOcean for this purpose because it offers virtual private server instances for as little as $5 per month; also, I find it easier to use than AWS.
Algo VPN Overview
Algo VPN is an open source software bundle designed for self-hosted VPN services. It was designed by the folks at Trail of Bits to be easy to deploy, to rely only on modern protocols and ciphers, and to provide reasonable security defaults. Also, it doesn’t require dedicated VPN client software for connecting from most systems and devices, because of native IPSec support. It does, however, optionally support WireGuard VPN clients.
To understand why its creators believe Algo VPN is a better alternative to commercial VPNs, the Streisand VPN bundle and OpenVPN, read the blog post that announced Algo’s initial release. As outlined in the post, Algo VPN is meant “to be easy to set up. That way, you start it when you need it, and tear it down before anyone can figure out the service you’re routing your traffic through.”
Creating a DigitalOcean Virtual Private Server
To obtain an Internet-accessible system where you’ll install Algo VPN server software, you can create a “droplet” on DigitalOcean running Ubuntu with a few clicks. To do that, click the dropdown button below the Ubuntu icon on the DigitalOcean “Create Droplets” page, then select the 18.04 option, as shown below. (Don’t use 16.04 due to a possible DNS issue.)
Accepting default options for the droplet should be OK in most cases. If you’re not planning to tunnel a lot of traffic through the system, selecting the least expensive size will probably suffice. Select the geographic region where the Virtual Private Server will run based on your requirements. Assign a hostname that appeals to you.
Once the new host is active, make a note of the public IP address that DigitalOcean assigns to it and log into it using SSH. Then run the following commands inside the new virtual private server to update its OS and install Algo VPN core prerequisites:
apt-add-repository -y ppa:ansible/ansible
apt-get -y update
apt-get -y upgrade
apt-get -y install build-essential \
  libssl-dev \
  libffi-dev \
  python-dev \
  python-pip \
  python-setuptools \
  python-virtualenv
At this point you could harden the configuration of the virtual private server, but these steps are outside the scope of this guide.
Installing Algo VPN Server Software
Next, obtain the latest Algo VPN server software on the newly-setup droplet and prepare for the installation by executing the following commands:
git clone https://github.com/trailofbits/algo
cd algo
python -m virtualenv env
source env/bin/activate
python -m pip install -U pip
python -m pip install -r requirements.txt
Set up the usernames for the people who will be using the VPN. To accomplish this, use your favorite text editor, such as Nano or Vim, to edit the config.cfg file in the ~/algo directory:
If you wish, remove the lines that represent the default users phone, laptop, and desktop, and add your own (e.g., john), so that the corresponding section of the file looks like this:
users:
  - john
After saving the file and exiting the text editor, execute the following command in the ~/algo directory to install Algo software:
When prompted by the installer, select the option to install “to existing Ubuntu 18.04 server”:
When proceeding with the installer, you should be OK in most cases by accepting default answers with a few exceptions:
- If planning to VPN from Windows 10 or Linux desktop client systems, answer “Y” to the corresponding question.
- When asked to enter “the IP address of your server,” press Enter to accept the default “localhost” value.
- When asked about the public IP address of the server, enter the IP address assigned to the virtual private server by DigitalOcean when you created the droplet.
After providing the answers, give the installer a few minutes to complete its tasks. (Be patient.) Once it finishes, you’ll see the “Congratulations!” message, stating that your Algo VPN server is running.
Be sure to capture the “p12 and SSH keys password for new users” that the installer will display at the end as part of the congratulatory message, because you will need to use it later. Store it in a safe place, such as your password vault.
Configuring VPN Clients
Once you’ve set up the Algo VPN service, follow the instructions on the Algo VPN website to configure your VPN client. The steps are different for each OS. Fortunately, the Algo setup process generates VPN client configuration files that allow you to accomplish this with relative ease. It stores the files under ~/algo/configs in a subdirectory whose name matches your server’s IP address.
- For iOS and Android, use the WireGuard app to scan the QR code image that Algo generated and placed in the wireguard subdirectory on your server.
- For macOS (Mojave or later), use the WireGuard app to “Import tunnel(s) from file…” and point it to the .conf file that Algo generated and placed in the wireguard subdirectory on your server.
If you don’t want to install WireGuard on your iOS device, you can follow Algo’s instructions to configure the built-in IPSec VPN client.
If setting up the VPN client on Windows 10, retrieve from the Algo VPN server your user’s file with the .ps1 extension (e.g., john.ps1). It will be in the ipsec/windows subdirectory. Then, open the Administrator shell on the Windows system and execute the following command from the folder where you’ve placed these files, adjusting the file name to match your name:
powershell -ExecutionPolicy ByPass -File john.ps1 -Add
When prompted, supply the p12 password that the Algo VPN installer displayed at the end of the installation. This will import the appropriate certificate information and create the VPN connection entry. To connect to the VPN server, go to Settings > Network & Internet > VPN. If you wish to remove the VPN entry, use the PowerShell command above, replacing “-Add” with “-Remove”.
Additional Considerations for Algo VPN
Before relying on the VPN to safeguard your interactions with malicious infrastructure, be sure to confirm that it’s concealing the necessary aspects of your origin. If it’s working properly, the remote host should see the IP address of your VPN server, instead of the IP address of your VPN client. Similarly, your DNS traffic should be getting directed through the VPN tunnel, concealing your client’s locally-configured DNS server. One way to validate this is to use whoer.net, comparing what information the site reveals before and after you activate your VPN connection. Also, confirm that you’re not leaking your origin over IPv6; one way to do that is by connecting to ipv6leak.com.
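Before you even connect, you can catch the most common causes of IP and DNS leaks by inspecting the WireGuard client profile that Algo wrote under ~/algo/configs/<server-ip>/wireguard/ (see “Configuring VPN Clients” above). The shell script below is an added example, not code from the Algo project or this post: it checks that AllowedIPs routes both 0.0.0.0/0 and ::/0 through the tunnel (a missing ::/0 is exactly the IPv6 leak mentioned above) and that a DNS entry exists so name resolution follows the tunnel. The two profiles it creates are constructed samples with placeholder keys and documentation addresses, not real Algo output.

```shell
#!/bin/sh
# Added example: static sanity checks on a WireGuard client profile.
# Keys, addresses and the endpoint below are placeholders, not real values.

# Print the value of key $2 in section [$1] of profile $3 (empty if absent).
wg_value() {
    awk -v sec="[$1]" -v key="$2" '
        $0 == sec { insec = 1; next }
        /^\[/    { insec = 0 }
        insec && $1 == key && $2 == "=" { sub(/^[^=]*= */, ""); print; exit }
    ' "$3"
}

# Return 0 only if the profile is a full-tunnel profile for IPv4, IPv6 and DNS.
check_wg_conf() {
    f=$1; ok=0
    allowed=$(wg_value Peer AllowedIPs "$f" | tr -d ' ')
    dns=$(wg_value Interface DNS "$f" | tr -d ' ')
    case ",$allowed," in *,0.0.0.0/0,*) ;; *) echo "$f: IPv4 not fully routed (AllowedIPs=$allowed)"; ok=1 ;; esac
    case ",$allowed," in *,::/0,*) ;; *) echo "$f: IPv6 not routed through tunnel, possible IPv6 leak"; ok=1 ;; esac
    [ -n "$dns" ] || { echo "$f: no DNS entry, resolver queries will bypass the tunnel"; ok=1; }
    return $ok
}

# Constructed sample profiles: one full-tunnel, one split-tunnel without DNS.
TMP=$(mktemp -d)
GOOD="$TMP/john.conf"; BAD="$TMP/john-split.conf"
cat > "$GOOD" <<'EOF'
[Interface]
PrivateKey = CLIENT_PRIVATE_KEY_PLACEHOLDER
Address = 10.19.49.2/32,fd9d:6c44:f4ef:2b65::2/128
DNS = 172.16.0.1

[Peer]
PublicKey = SERVER_PUBLIC_KEY_PLACEHOLDER
AllowedIPs = 0.0.0.0/0,::/0
Endpoint = 203.0.113.10:51820
EOF
sed -e 's#^AllowedIPs = .*#AllowedIPs = 0.0.0.0/0#' -e '/^DNS = /d' "$GOOD" > "$BAD"

if check_wg_conf "$GOOD"; then echo "$GOOD: full-tunnel profile, OK to use"; fi
check_wg_conf "$BAD" || echo "$BAD: do not use for OPSEC-sensitive work"
```

Run it against your own profile with check_wg_conf ~/algo/configs/<server-ip>/wireguard/john.conf; a non-zero exit means the profile needs fixing before you trust it.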
You can turn off the virtual private server when you don’t need it. When you boot it up again, Algo VPN software will automatically launch in the background. If running the server for longer periods of time, you should implement the security measures appropriate for Internet-connected infrastructure.
As you use your Algo VPN server, adversaries might begin tracking the server’s IP address and eventually blacklist it. Therefore, it’s a good idea to periodically destroy this DigitalOcean droplet and create a new one from scratch. This will not only change the server’s IP address, but also ensure that you’re running the latest version of VPN software and its dependencies. Unfortunately, after you do this, you’ll need to re-import VPN configuration details to match the new server’s IP address and certificate.