Getting Algo VPN up and running

Foucault’s Panopticon is becoming all too real.

Your privacy on the internet has never been guaranteed. Now it is under direct, premeditated threat. On March 23, 2017, the U.S. Senate voted to allow ISPs to sell your browsing history and other data to corporations, governments, and anyone else who wants it, without your consent. This is very troubling and you can read more about it here and here. It is not yet set in stone as the House will vote on S.J. Res 34 later this week. You can wait for the result of the vote and put your faith in the system, or you can take some action.

Update: the House has voted to repeal broadband privacy rules, effectively selling your browsing history to the highest bidder.

The most effective action is the one that is most sustainable. If you do something for a week and then go back to your old way of being, that is a failure. For this reason I don’t recommend Tor: most of us are used to our current browser setup and won’t migrate to Tor cold turkey. There are also issues with Tor exit nodes being monitored.

The most sustainable solution to ensuring your online privacy (note: NOT anonymity) is a VPN. But there are issues with commercial VPNs. Some of them are actively malicious and collect and sell your data (many free ones may do this). Many of the remaining ones are configured improperly, leading to IP leaks and other problems that defeat the purpose of a VPN. Given that you ultimately have to trust the VPN provider, you can either really do your homework, put trust in the provider, and pay $7+ per month, or set up your own VPN.

Setting up your own VPN is a technical endeavor that is extremely prone to error; if you’re not an information security or cryptography expert, don’t roll your own. Fortunately for all of us who are not such experts, the good folks at Trail of Bits have automated the creation of a secure VPN that can be set up and deployed in minutes. You don’t have to trust ToB either, since the code is open-source (and thus actively and continuously reviewed by the community) and is in the process of being audited by a professional cryptography auditing firm.

You can find the code and instructions for setting up your Algo server and deploying it at the GitHub repository here. The instructions are clear. However I still ran into a couple of issues that others may run into.

The setup happens on two machines — your home computer and the server you’re deploying to. My home machine is a macOS laptop. As a result I ran into an odd issue when running the command in the fourth step:

sudo pip install virtualenv && virtualenv env && source env/bin/activate && pip install -r requirements.txt

Initially I got an error that seemed to point to the six package as the culprit. Further digging showed that this is actually related to System Integrity Protection (SIP) on macOS. You can read more about that here. If SIP is enabled on your Mac (some newer MBPs ship with it disabled), you may run into an issue that manifests as something else but is ultimately caused by the fact that your command/script is attempting to update/remove one of the directories that SIP prohibits you from modifying, even as root. The solution was running the command with the --ignore-installed six flag, as mentioned in the GitHub issue.

After this I ran into another issue where the installation failed with “Operation Not Permitted”. The problem turned out to once again be related to SIP and the solution was to run the commands with the user flag. So here is the original command with the two flags necessary to circumvent SIP issues:

pip install -U virtualenv && virtualenv env && source env/bin/activate && pip install -U -r requirements.txt --ignore-installed six

Note: this issue is related to one’s current Python installation as well as the status of SIP. I am not saying that it’s guaranteed to come up if you’re installing Algo on macOS. If it does, using these flags may help.

Once you’ve got the Algo binary — just execute it, answer some prompts, and you’ve got a shiny new VPN server tucked away at a cloud provider of your choice (or your own hardware). There was one prompt that I did not fully understand and later had to fix, so I’ll mention that here as well:

Do you want to enable VPN On Demand when connected to cellular networks?
Do you want to enable VPN On Demand when connected to Wi-Fi?

I did not know what this meant so I answered “no”. Once I had the server deployed and the clients set up on my macOS and iOS, I realized that the VPN was not “always-on” on my iPhone, meaning that I had to manually connect to it every time I turned my phone on. After some digging I realized that this is an option that is set up in the Configuration Profile that connects to the VPN. Thus, if you want the option of having an “always-on” VPN, you will want to answer “yes” to one or both of those prompts. It’s an easy fix — the most straightforward way is to blow away your existing server and create a new one from scratch, providing the proper responses to the prompts. If you know what you’re doing, you can edit the Configuration Profile manually (not recommended) or using the Apple Configurator app (also not recommended).
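The check below is an added example, not part of the original post or of Algo's own code: it reads a configuration profile and reports whether VPN On Demand will auto-connect on Wi-Fi and on cellular, so you can confirm what your prompt answers produced before installing the profile. It assumes an unsigned XML .mobileconfig that uses Apple's documented IKEv2 keys (OnDemandEnabled, OnDemandRules); the sample profile and the function name on_demand_coverage are constructed for illustration.

```python
import plistlib

# Constructed sample: a minimal IKEv2 VPN payload laid out like an Apple
# configuration profile (.mobileconfig). Real profiles carry many more keys.
SAMPLE_PROFILE = b"""<?xml version="1.0" encoding="UTF-8"?>
<plist version="1.0"><dict>
  <key>PayloadContent</key><array><dict>
    <key>PayloadType</key><string>com.apple.vpn.managed</string>
    <key>IKEv2</key><dict>
      <key>OnDemandEnabled</key><integer>1</integer>
      <key>OnDemandRules</key><array>
        <dict><key>InterfaceTypeMatch</key><string>WiFi</string>
              <key>Action</key><string>Connect</string></dict>
        <dict><key>InterfaceTypeMatch</key><string>Cellular</string>
              <key>Action</key><string>Disconnect</string></dict>
      </array>
    </dict>
  </dict></array>
</dict></plist>"""

# Rules carrying these keys only apply on specific networks, so they do not
# decide the default behaviour for an interface type and are skipped here.
CONDITIONAL_KEYS = {"SSIDMatch", "DNSDomainMatch", "DNSServerAddressMatch",
                    "URLStringProbe"}


def on_demand_coverage(profile_bytes):
    """Per interface: does the first unconditional On Demand rule say Connect?"""
    coverage = {"WiFi": False, "Cellular": False}
    profile = plistlib.loads(profile_bytes)
    for payload in profile.get("PayloadContent", []):
        if payload.get("PayloadType") != "com.apple.vpn.managed":
            continue
        ike = payload.get("IKEv2", {})
        if not ike.get("OnDemandEnabled"):
            continue  # rules are ignored unless On Demand is switched on
        for iface in coverage:
            for rule in ike.get("OnDemandRules", []):
                if CONDITIONAL_KEYS & rule.keys():
                    continue
                # No InterfaceTypeMatch means the rule covers every interface.
                if rule.get("InterfaceTypeMatch", iface) == iface:
                    coverage[iface] = rule.get("Action") == "Connect"
                    break  # rules are evaluated in order; first match wins
    return coverage


if __name__ == "__main__":
    print(on_demand_coverage(SAMPLE_PROFILE))
```

A result of False for an interface means the device will not bring the tunnel up on its own there, which is the behaviour described above after answering “no”.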

When faced with these issues, I sought help on the Slack channel and got quick and useful responses from Dan Guido. It’s amazing that you can get technical help from the CEO at 9pm on a Sunday night.

Closing thoughts

I want to stress the difference between privacy and anonymity. The Algo VPN will grant you privacy, which is the thing that is compromised by S.J. Res 34 or by a public WiFi. It does not grant you anonymity. If you are deploying the Algo VPN through one of the four cloud services that are supported (DigitalOcean, AWS, GCP, or Azure), then you have an account that is linked to your identity and your credit card. If you are deploying to your own server and that server is on U.S. soil, it is subject to being turned over with a court order. If it’s overseas, you are exempted from most protections of U.S. law. In fact, this is one of the Anti-features Algo explicitly lists: “Does not claim to provide anonymity or censorship avoidance.” If you do want anonymity, a commercial VPN is slightly better at this because it allows you to get lost in the crowd since you’re sharing the VPN server with other people. But this does not grant full anonymity and exposes you to other problems, such as having to trust the VPN.

If you do go with a commercial VPN, be aware of the following:

  1. You actually want your VPN to be based in the U.S. Some VPNs boast of being Europe-based or non-U.S.-based, but as mentioned above this is bad for you the user — you are exempted from U.S. law that broadly protects citizen communications from most foreign surveillance. Moreover, the U.S. is one of the few countries that does not have a mandatory data retention policy. Countries in the EU are forced to log, even though some claim they do not.

Whether you go with Algo or a commercial VPN, be aware that you may be placed on an NSA list.

To sum up: despite some of the hiccups caused by Mac’s SIP, Algo makes setting up your own VPN orders of magnitude easier, more accessible, and more secure. Thank you to Dan Guido and the team at Trail of Bits.

Like what you read? Give Dmitry Pavluk a round of applause.
