Brew Your Own VPN With Algo

useradd_deploy
25 min read · Nov 7, 2017


Brewing your own VPN at home beats whatever some strangers are offering on the internet

If you’re like me, you’ve been hearing for years that you should be using a VPN and you’re dumb for not using one. After Congress voted this spring to allow your home internet service provider to sell your personal internet browsing data, I bet you’ve been seeing even more recommendations that you need a VPN. You know that a VPN is safer when you’re using an untrusted network like wifi at some coffee shop or a hotel. You also know that even when you’re at home, using a VPN can stop your ISP from selling your browsing data. But there’re tons of VPN providers out there. Sure, you know to avoid free VPNs, which track you online and are worthless or outright dangerous, but you’ve heard lots of paid VPNs are deceptive, phony, sketchy liars or worse. So what can you do?

As it turns out, it’s easy enough to brew your own VPN. This is a recipe I’ve assembled from other sources to set up a free and easy VPN called Algo.

Algo [is] a self-hosted personal VPN server designed for ease of deployment and security. Algo automatically deploys an on-demand VPN service in the cloud that is not shared with other users, relies on only modern protocols and ciphers, and includes only the minimal software you need.

And it’s free.

This will take around an hour or two of your time (faster if you’re already familiar with this stuff, maybe slower if you run into issues). While Algo itself is free, it’ll cost you $5 a month to host Algo VPN on your own cloud-based virtual computer. Once you set it up, you can browse online knowing that you can trust your VPN provider (because it’s you) and that your VPN will help keep your internet traffic secure and private from your ISP at home and hackers elsewhere.

I’ve written this recipe for my own use. While I’m generally familiar with personal computers and occasionally use the Terminal on my Macbook, I had never created a SSH key pair. I had never deployed a server. I had never even heard of Ubuntu. After doing some reading and minimal troubleshooting, I was able to create a Virtual Private Server on Digital Ocean and get Algo running perfectly.

If I can do it, you can too, especially if you use a Mac and iOS devices like I do. I’m posting this recipe in case people like you might find it useful. Just keep in mind that while it works for me, YMMV. I had to work through some mistakes and learned a bunch of new stuff along the way. You will too.

This post consists of five sections:

  1. creating a secure SSH key pair (5 minutes)
  2. creating a Digital Ocean droplet (10 minutes)
  3. hardening the droplet (1 hour)
  4. installing Algo (15 minutes) and
  5. listing and thanking my sources.

SECTION 1.0 — CREATE A SECURE SSH KEY PAIR

You’ll start by creating a secure SSH key pair. If you’re not familiar with it (I wasn’t), it’s easy. Just think of SSH as a way of authenticating yourself online that’s much stronger than using a password. Even if this is old hat and you’ve done it many times before, humor me — do it one more time and create a new SSH key pair that you’ve never used before.

To create a SSH key pair, open Terminal (look in the Applications folder, then in Utilities) and create a directory to hold the SSH key pair.

mkdir ~/.ssh

Restrict permissions for that directory.

chmod 700 ~/.ssh

Create the SSH key pair. For now you’ll create what’s called a RSA key pair.

ssh-keygen -a 256 -b 4096 -o -t rsa

Just so you know, the -a 256 argument specifies using 256 KDF (key derivation function) rounds. The default is 16 rounds. Some recommend 100 rounds. I decided to go with 256. More rounds result in somewhat slower verification (maybe a second or two longer for me), which increases resistance to brute-force cracking.

The -b 4096 argument specifies that the key will be 4096 bits, making it harder to hack than the default length of 2048 bits.

The -o argument specifies using the new stronger OpenSSH format for the private key, rather than the older and more compatible but weaker PEM format.

The -t rsa argument specifies using a RSA key.

At the prompt, hit enter to accept the default file location.

Enter file in which to save the key (/Users/{YourUserName}/.ssh/id_rsa) 

At the next prompt, enter a secure passphrase and save it securely.

Enter passphrase (empty for no passphrase)

The ssh-keygen command will then generate the following info:

Your identification has been saved in /Users/{YourUserName}/.ssh/id_rsa.
Your public key has been saved in /Users/{YourUserName}/.ssh/id_rsa.pub.
The key fingerprint is:
SHA256:{YourLongRandomPublicKey} {YourUserName}@{YourDevice}
The key’s randomart image is:
+--[ RSA 2048]----+
| . |
| + . |
| . . . |
| o + |
| H + S |
| + O o + . |
| . A . o |
| o. W |
| . |
+-----------------+

Save this info securely.

Congratulations, you’ve just created the SSH key pair you’ll be using for the next step.

SECTION 2.0 — CREATE A DROPLET

If you don’t already have one (I didn’t), set up an account on Digital Ocean and use it to create a Virtual Private Server, what Digital Ocean calls a “droplet.”

Under “Choose an image,” select Ubuntu, which is an open-source operating system. It’s easy enough to learn its basics, which is all you’ll need for this project.

Under “Choose a size,” select the smallest cheapest droplet. Skip adding any block storage.

Under “Choose a datacenter region,” select whatever you want. Whatever location you pick will be where your VPN pops up to join the internet so, unless you have reasons to pick something else, it might make sense to pick a datacenter in your own country.

Decline any additional options. In particular, to reduce the risk of leaking info over IPv6, refrain from activating IPv6 when you create your droplet.

If you didn’t do so already when you created your Digital Ocean account, add your new SSH public key that you just created. If you don’t have it handy, open up Terminal and enter this command.

cat ~/.ssh/id_rsa.pub

Copy and paste the public key into the form on Digital Ocean’s webpage.

Accept the default hostname or choose your own.

Once the droplet is active, note its public IP address.

Congratulations, you just created your own computer in the cloud. That’s what you’ll use in the next two steps.

SECTION 3.0 — HARDEN THE DROPLET

You’ll spend most of your time on this project hardening your droplet so that it’s more resistant to hacking. This will go fast if you’re already familiar with this stuff; it’ll go slower if all this is new to you like it was for me.

Here’s what you’re going to do:

  1. log onto your droplet (1 minute)
  2. set the root password (3 minutes)
  3. update and install packages (3 minutes)
  4. create a new user (3 minutes)
  5. require SSH authentication (3 minutes)
  6. test the new user (1 minute)
  7. install security updates and restart (3 minutes)
  8. set sudo password for new user (3 minutes)
  9. grant sudo power to new user (3 minutes)
  10. lock down SSH (3 minutes)
  11. activate a firewall (5 minutes)
  12. install Fail2Ban (10 minutes)
  13. automate security updates (5 minutes)
  14. install Google Authenticator (5 minutes)
  15. activate multi-factor authentication (5 minutes)
  16. install Logwatch (3 minutes)
  17. activate DigitalOcean Monitoring (1 minute)

3.1. Log onto Droplet

Using Terminal on your computer, log into your droplet using SSH.

ssh root@{your-new-digitalocean-droplet-ip-address}

When you enter the command, include your droplet’s brand new IP address, leaving out the squiggly brackets, so that it reads like ssh root@123.45.67.89.

You can always copy your droplet’s IP address from the droplet dashboard on the Digital Ocean website.

The first time you log into your droplet you’ll get a warning like this.

The authenticity of host 'x.x.x.x' can't be established.
ECDSA key fingerprint is SHA256:{longrandomlinesoftextmorelongrandomlinesoftext}.
Are you sure you want to continue connecting (yes/no)?

Just answer yes and proceed.

(If you get the warning again and you’re not logging in for the first time as a new user and you haven’t re-imaged your droplet to reinstall Ubuntu, then you might be the target of a man-in-the-middle attack and should investigate before proceeding.)

At this prompt, enter the passphrase that you chose when you created your SSH public key.

Enter passphrase for key ‘/Users/{YourUserName}/.ssh/id_rsa’

Congratulations, you’ve just logged into your droplet.

3.2. Set the Root Password

Use this command to set a secure root passphrase.

passwd

Be sure to save it securely. This is just in case you ever lose the ability to log in using SSH or you lose your sudo password (more on sudo soon).

3.3. Update and Install Packages

Enter these two commands.

apt-get update
apt-get upgrade

The first command updates the list of available packages and their versions, but doesn’t install any packages. The second command installs newer versions of the packages you have.

You’ll likely get a message that a package was automatically installed and is no longer required. To remove unneeded packages and free up some disk space, you can run this command.

apt autoremove

3.4. Create A New User

Security pros recommend creating a non-root user — often called “deploy” — to log into your server. Pick whatever username you like. To create such a new non-root user, enter these four commands.

useradd deploy
mkdir /home/deploy
mkdir /home/deploy/.ssh
chmod 700 /home/deploy/.ssh

The first command creates the new user named deploy. The second creates a directory for the new user. The third creates a subdirectory to hold the SSH credentials for deploy. The fourth changes the access permissions protecting these SSH credentials.

The chmod or change mode command sets the permissions for a folder or file. The argument 700 means that only the owner can read, write and execute; the group and everyone else get no access at all. While you’re logged in as root for now, you’ll soon run the chown or change ownership command to make deploy the owner of its own .ssh folder.

While you’re at it, set up your preferred shell for deploy. This command specifies bash, which is the same shell that Apple uses for macOS.

usermod -s /bin/bash deploy

3.5. Require SSH Authentication

Rather than using passwords, configure your server to require public key authentication for your user accounts.

First, open a new Terminal session for your Mac computer (Terminal > Shell > New Window) and run this command.

cat ~/.ssh/id_rsa.pub

Copy the public key you just created into the clipboard and close the Terminal session.

Second, back in the Terminal session for your droplet, use Nano, a simple terminal-based text editor, to edit the authorized_keys file in deploy’s subdirectory. (If you prefer, feel free to use another text editor like Vim. If you’re not familiar with either — I wasn’t — it’s no big deal, just dive in.)

nano /home/deploy/.ssh/authorized_keys

Paste the contents of the id_rsa.pub file from your local machine.

Save and close by hitting ctrl-x and following the prompts. Congrats, you just edited your first file on your droplet.

Then enter these two commands.

chmod 400 /home/deploy/.ssh/authorized_keys
chown deploy:deploy /home/deploy -R

The command chmod 400 sets the access permission for the authorized_keys file so that it can be read only by its owner and written by nobody. The chown or change ownership command makes deploy the owner of the deploy directory and, because of -R, of everything inside it.
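A quick way to verify what the chmod commands above achieved before you try the deploy login in the next step. This is an added example, not part of the original post: it builds two throwaway home directories (one set up exactly as above, one left world-readable) and checks that .ssh and authorized_keys carry exactly the modes set here. The check matters because sshd’s default StrictModes yes refuses the key outright when either path is writable by anyone other than its owner, which is the most common reason the “Test the New User” step fails. The directory names and the key line are constructed; on your droplet you would run check_ssh_perms /home/deploy.

```shell
#!/bin/sh
# Check that an account's SSH directory has the permissions this guide sets
# (700 on .ssh, 400 on authorized_keys). Added example, not from the post;
# the two sample home directories below are constructed in temp space.

# mode_of <path>  -> the 10-character mode string, e.g. drwx------
# ls -ld is used instead of stat because its first column is the same on
# Linux and macOS; any ACL/SELinux marker sits in column 11 and is cut off.
mode_of() {
    ls -ld "$1" 2>/dev/null | cut -c1-10
}

# check_ssh_perms <home>  -> 0 when both entries are locked down, 1 otherwise
check_ssh_perms() {
    home=$1
    rc=0
    dir="$home/.ssh"
    keys="$dir/authorized_keys"

    m=$(mode_of "$dir")
    case $m in
        drwx------) echo "ok    $dir is 700" ;;
        *)          echo "FAIL  $dir is '${m:-missing}', expected drwx------ (chmod 700)"; rc=1 ;;
    esac

    m=$(mode_of "$keys")
    case $m in
        -r--------) echo "ok    $keys is 400" ;;
        *)          echo "FAIL  $keys is '${m:-missing}', expected -r-------- (chmod 400)"; rc=1 ;;
    esac
    return $rc
}

# Constructed sample 1: a home directory prepared exactly as in sections 3.4/3.5.
GOOD_HOME=$(mktemp -d)
mkdir "$GOOD_HOME/.ssh"
chmod 700 "$GOOD_HOME/.ssh"
echo "ssh-rsa AAAA-CONSTRUCTED-PLACEHOLDER-KEY deploy@laptop" > "$GOOD_HOME/.ssh/authorized_keys"
chmod 400 "$GOOD_HOME/.ssh/authorized_keys"

# Constructed sample 2: the same layout with the chmod steps forgotten.
BAD_HOME=$(mktemp -d)
mkdir "$BAD_HOME/.ssh"
chmod 755 "$BAD_HOME/.ssh"
echo "ssh-rsa AAAA-CONSTRUCTED-PLACEHOLDER-KEY deploy@laptop" > "$BAD_HOME/.ssh/authorized_keys"
chmod 644 "$BAD_HOME/.ssh/authorized_keys"

echo "== prepared home =="
check_ssh_perms "$GOOD_HOME"
echo "== home with chmod steps skipped (expected to fail) =="
check_ssh_perms "$BAD_HOME" || true
```

The function returns non-zero on any deviation, so it can sit in a login check or a cron job; the ownership half of the story (chown deploy:deploy) is still worth confirming separately with ls -ld, since a root-owned authorized_keys with mode 400 cannot be read by sshd on deploy’s behalf either.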

3.6. Test the New User

While you keep open the existing Terminal window for the root user, open a new window and log into the server as the new user deploy.

ssh deploy@{your-new-digitalocean-droplet-ip-address}

If you’re unsuccessful, go back and figure out what you did wrong.

If you’re successful, you may get a notification about security updates.

7 packages can be updated.
7 updates are security updates.
*** System restart required ***

You’ll take care of installing the security updates and restarting the system in the next step. For now, enter logout and close out of this Terminal session for deploy.

3.7. Install Security Updates and Restart

Assuming you were successful in logging in as deploy, return to your original Terminal session for the root user.

To install the security updates, run this command.

sudo apt full-upgrade

To restart, run this command.

shutdown -r now

Since you rebooted your droplet, you need to SSH back in again as root.

ssh root@{your-new-digitalocean-droplet-ip-address}

You should now see this notification.

0 packages can be updated.
0 updates are security updates.

Congratulations, you rebooted your droplet for the first time.

3.8. Set Sudo Password for New User

Now create what’s called a sudo password for the new user.

passwd deploy

Use a secure passphrase and save it securely. This is the password you’ll use to confirm that deploy has authority to run certain commands on your droplet.

3.9. Grant Sudo Power to the New User

sudo comes from “super user do.” It’s a command that allows a non-root user like deploy to issue commands with root permissions.

To make a user a sudo user, run this command to edit the sudo privileges file.

visudo

Visudo is a special text editor designed specifically to edit the file that governs which users have what privileges. To guard against errors that can easily screw up your system and lock you out entirely, Visudo validates the syntax of the file upon saving.

While in Visudo, confirm these two lines are present. If not, add them.

root ALL=(ALL) ALL
%sudo ALL=(ALL) ALL

If there are lines for any other users or groups, comment them out by adding # at the start of each such line.

Save and close.

Then enter this command.

usermod -aG sudo deploy

The -aG sudo deploy argument appends deploy to the sudo group. This grants super powers to deploy when the sudo password is entered.

To enable these changes, run this command to start a new shell for deploy with its new permissions.

exec su -l deploy

Your Terminal screen should look like this.

root@ubuntu-512mb-nyc1-01:~# exec su -l deploy
To run a command as administrator (user "root"), use "sudo <command>".
See "man sudo_root" for details.
deploy@ubuntu-512mb-nyc1-01:~$

Notice how the prompt originally shows you logged in as root to your droplet. (ubuntu-512mb-nyc1-01 is the default name.)

Then once you enter exec su -l deploy, the prompt shows you logged in as deploy.

As the notification says, now that you’re logged in as deploy, to run a command that requires an administrator’s powers, enter sudo at the start of the command.

Also pay attention to the line that says See “man sudo_root” for details.

Whenever you want to know what a particular command does, you can enter man then the name of the command you’d like to look up. The man command is an easy interface to Ubuntu’s online reference manuals. (As you might have noticed, as we’ve been using new commands, I’ve been adding hypertext links in this post to the online man info on those commands.)

While you’re logged in as deploy and run sudo commands, Ubuntu will prompt you for a password. When it does, enter deploy’s sudo password.

3.10. Lock Down SSH

Now edit the server’s SSH configuration file to prevent password and root logins and to lock SSH to a particular IP address.

sudo nano /etc/ssh/sshd_config 

Look for this text.

# Authentication:
LoginGraceTime 120
PermitRootLogin yes
StrictModes yes

Edit the PermitRootLogin line to no.

Also look for the PasswordAuthentication line and make sure it’s set to no.

Then add this line, including your IP address that you’ll be connecting from when you log in to your droplet. (Skip this if your IP address is dynamic.)

AllowUsers deploy@{your-static-ip-address-don't-use-your-new-digitalocean-droplet-ip-address}

Save and close.

To enable your changes, run this command to restart ssh.

sudo service ssh restart

3.11. Activate A Firewall

Ubuntu’s default firewall is UFW, which stands for Uncomplicated FireWall and is easy to set up. (UFW is a front-end interface for something called IPtables. If you’re already familiar with IPtables, you probably don’t need this guide.)

To confirm that UFW is installed (it should come with Ubuntu automatically) and check its status (it should be inactive), run this command.

sudo ufw status

Start by editing UFW’s config file to make sure it supports IPv6.

sudo nano /etc/default/ufw

While you won’t be using IPv6, make sure IPv6 is set to yes just in case. (It was already in my config file.)

IPV6=yes

Save and close.

To set UFW to deny all incoming connections and allow all outgoing connections, enter these two commands.

sudo ufw default deny incoming
sudo ufw default allow outgoing

To adjust some settings, run these commands.

sudo ufw allow 80
sudo ufw allow 443
sudo ufw allow from {your-static-IP-address} to any port 22

These three commands configure the server to accept traffic over ports 80 and 443, as well as traffic from your IP address over port 22, which is the standard port for SSH traffic. (Once again, skip the third command if your IP address is dynamic. You should also be aware that the third command will allow you to SSH into your droplet from your home IP address but will block you if you try to SSH in from a different IP address.)

If everything looks good, enter these commands to turn off UFW then turn it on.

sudo ufw disable
sudo ufw enable

To confirm it’s running, you can enter this command.

sudo ufw status verbose

3.12. Install Fail2Ban

Fail2ban is a package that monitors login attempts to your server and blocks suspicious activity. It’s easy to install. To do so, enter this command.

sudo apt-get install fail2ban

Fail2ban reads .conf configuration files first, then .local files override any settings. As a result, to edit Fail2Ban’s settings, you should first copy a .conf configuration file as a .local file so that you can edit the .local file while leaving the .conf file untouched.

To whitelist your (static) IP address so you don’t accidentally get yourself banned from your own droplet, copy /etc/fail2ban/jail.conf as a .local file.

sudo cp /etc/fail2ban/jail.conf /etc/fail2ban/jail.local

Then edit the /etc/fail2ban/jail.local file that you just created.

sudo nano /etc/fail2ban/jail.local

Look for this code.

[DEFAULT]
#
# MISCELLANEOUS OPTIONS
#
# "ignoreip" can be an IP address, a CIDR mask or a DNS host. Fail2ban will not
# ban a host which matches an address in this list. Several addresses can be
# defined using space separator.
ignoreip = 127.0.0.1/8

At the line ignoreip = 127.0.0.1/8, insert a space then your static IP address to whitelist your own address. (If you’re wondering, the IP address 127.0.0.1/8 refers to the localhost. This address is set aside for a machine’s reference to itself so don’t delete it.)

While you’re editing this fail2ban configuration file, let’s permanently ban any offenders from IP addresses other than your IP address who attempt to SSH into your droplet. Look six lines further down for this text.

# "bantime" is the number of seconds that a host is banned.
bantime = 600

Edit it so that it reads like this.

# "bantime" is the number of seconds that a host is banned.
# bantime = 600
# permanent ban
bantime = -1

Save and close.

Now use this command to reload Fail2Ban with your new rules.

sudo fail2ban-client reload

To confirm that you’ve whitelisted your IP address, run this command.

sudo fail2ban-client get sshd ignoreip

To confirm that offenders will be permanently banned (at least until the system is rebooted), enter this command.

sudo fail2ban-client get sshd bantime

Look for bantime = -1.

3.13. Automate Security Updates

On the one hand, it’s helpful to automatically apply security updates, especially on a machine like this where you likely won’t be logging in regularly. On the other hand, using unattended-upgrades has been known to cause Out-Of-Memory errors on 512mb cloud servers and lock up the machine. I decided to enable it. You get to decide for yourself.

To enable automatic security updates, first run this command to automatically install updated packages.

sudo apt-get install unattended-upgrades

Now edit two configuration files to direct that the only updates that are installed automatically are security updates.

First, run this command.

sudo nano /etc/apt/apt.conf.d/10periodic

Edit the file to read as follows:

APT::Periodic::Update-Package-Lists "1";
APT::Periodic::Download-Upgradeable-Packages "1";
APT::Periodic::AutocleanInterval "7";
APT::Periodic::Unattended-Upgrade "1";

Save and close.

Second, run this command.

sudo nano /etc/apt/apt.conf.d/50unattended-upgrades

Edit the file to read as follows.

Unattended-Upgrade::Allowed-Origins {
        "${distro_id}:${distro_codename}";
        "${distro_id}:${distro_codename}-security";
        "${distro_id}ESM:${distro_codename}";
//      "${distro_id}:${distro_codename}-updates";
};

Save and close.

3.14. Install Google Authenticator

If you’re already using Multi-Factor Authentication on your email and other important accounts, then you’re likely already familiar with how Google Authenticator works and should go ahead and install it on your droplet.

If you’re not yet familiar with two-step authentication, then you should watch this video, read this info and set it on your email and key accounts before you bother about setting up a VPN. Seriously, using two-step authentication on your email is way more important and way easier than setting up your own VPN.

Ok, now that you’re using two-step authentication on your email, let’s set it up on your droplet. To install Google Authenticator on your droplet, enter these commands.

sudo apt-get install libpam-google-authenticator
google-authenticator

(You want to make sure you’re logged in as deploy when you install Google Authenticator. If you’ve taken a break and aren’t sure whether you’re logged in as root or deploy, just look at the prompt line in Terminal or run the who command. If you’re logged in as root and want to become deploy, run the su deploy command.)

The Google Authenticator installer will now run through a series of questions.

At the first prompt, answer yes.

Do you want authentication tokens to be time-based (y/n)

Google Authenticator will display a QR code and text including your new secret key, your verification code and five emergency scratch codes. Use the Google Authenticator app on your iPhone to scan the QR code. Securely save the secret key, verification code and scratch codes.

At the second prompt, answer yes.

Do you want me to update your “/home/deploy/.google_authenticator” file (y/n)

At the third prompt, respond yes to block replay attacks.

Do you want to disallow multiple uses of the same authentication
token? This restricts you to one login about every 30s, but it increases your chances to notice or even prevent man-in-the-middle attacks (y/n)

At the fourth prompt, select your preference. (Both Google and Lastpass go with 4 minutes so that’s good enough for me.)

By default, tokens are good for 30 seconds and in order to compensate for possible time-skew between the client and the server, we allow an extra token before and after the current time. If you experience problems with poor time synchronization, you can increase the window from its default size of 1:30min to about 4min. Do you want to do so (y/n) 

At the fifth prompt, answer yes to defend against brute-force attacks.

If the computer that you are logging into isn't hardened against brute-force login attempts, you can enable rate-limiting for the authentication module. By default, this limits attackers to no more than 3 login attempts every 30s. Do you want to enable rate-limiting (y/n)

3.15. Activate Multi-Factor Authentication

Now that you’ve installed Google Authenticator, you need to tell SSH to use it.

To do so, enter this command.

sudo nano /etc/pam.d/sshd

At the bottom of the file, after @include common-password, insert this line.

auth required pam_google_authenticator.so

Save and close the file.

Now edit the sshd_config file.

sudo nano /etc/ssh/sshd_config

Look for ChallengeResponseAuthentication and set its value to yes.

Save and close the file.

Run this command to restart the SSH service to reload the configuration files.

sudo systemctl restart sshd.service

To test that everything’s working so far, open a second Terminal session and try logging in over SSH. Because an SSH key overrides all other authentication options by default, you should not need to enter deploy’s password or Google Authenticator code.

Now let’s change your settings to require multi-factor authentication. Reopen the sshd configuration file.

sudo nano /etc/ssh/sshd_config

Add the following line at the bottom of the file.

AuthenticationMethods publickey,password publickey,keyboard-interactive

publickey refers to the public key that you generated at the start and have assigned to deploy.

password (in the first method list, publickey,password) refers to the Sudo password for deploy.

keyboard-interactive refers to the Google Authenticator code.

Save and close the file.

Restart SSH.

sudo systemctl restart sshd.service

To test that multi-factor authentication has been enabled, once again open a second Terminal session and try logging in over SSH. If everything’s working correctly, you’ll need to enter the passphrase for your SSH key, then the Sudo passphrase for deploy and then the Google Authenticator code.
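A way to confirm that the sshd_config edits from 3.10 and from this section actually took effect, as an added example that is not from the original post. One thing the by-hand edits can miss: sshd uses the first uncommented value it finds for a keyword, so a stray PasswordAuthentication yes or an earlier AuthenticationMethods line above the one you appended at the bottom silently wins. The function below mirrors that first-match rule. The two sample files are constructed here (one in the stock shape shown in 3.10, one after the edits); on the droplet you would run check_sshd_config /etc/ssh/sshd_config before restarting SSH, and keep the root session open until it passes.

```shell
#!/bin/sh
# Audit an sshd_config for the four settings this guide changes.
# Added example, not part of the original post; sample configs are constructed.

# sshd_effective <file> <keyword>
# Prints the value sshd will actually use: the FIRST uncommented occurrence
# of the keyword (case-insensitive), or nothing if it is never set.
sshd_effective() {
    awk -v key="$2" '
        /^[[:space:]]*#/ || /^[[:space:]]*$/ { next }     # skip comments, blanks
        tolower($1) == tolower(key) {
            $1 = ""                                      # drop the keyword
            sub(/^[ \t]+/, "")                           # and the gap after it
            print
            exit                                         # first match wins
        }
    ' "$1"
}

# check_sshd_config <file>  -> 0 when every expected directive is in force
check_sshd_config() {
    file=$1
    rc=0
    for pair in \
        "PermitRootLogin=no" \
        "PasswordAuthentication=no" \
        "ChallengeResponseAuthentication=yes" \
        "AuthenticationMethods=publickey,password publickey,keyboard-interactive"; do
        key=${pair%%=*}
        want=${pair#*=}
        got=$(sshd_effective "$file" "$key")
        if [ "$got" = "$want" ]; then
            echo "ok    $key $got"
        else
            echo "FAIL  $key: want '$want', got '${got:-<unset>}'"
            rc=1
        fi
    done
    return $rc
}

# Constructed sample 1: the stock block from section 3.10, untouched.
STOCK_CFG=$(mktemp)
cat > "$STOCK_CFG" <<'EOF'
# Authentication:
LoginGraceTime 120
PermitRootLogin yes
StrictModes yes
#PasswordAuthentication yes
ChallengeResponseAuthentication no
EOF

# Constructed sample 2: the same file after the edits in 3.10 and 3.15.
# 203.0.113.10 is a documentation address standing in for your static IP.
HARDENED_CFG=$(mktemp)
cat > "$HARDENED_CFG" <<'EOF'
# Authentication:
LoginGraceTime 120
PermitRootLogin no
StrictModes yes
PasswordAuthentication no
ChallengeResponseAuthentication yes
AllowUsers deploy@203.0.113.10
AuthenticationMethods publickey,password publickey,keyboard-interactive
EOF
trap 'rm -f "$STOCK_CFG" "$HARDENED_CFG"' EXIT

echo "== stock config (expected to fail) =="
check_sshd_config "$STOCK_CFG" || true
echo "== hardened config =="
check_sshd_config "$HARDENED_CFG"
```

Because sshd only reads the file at start-up, a passing check followed by sudo systemctl restart sshd.service is the moment the new rules take effect; sshd -t (run as root) is the server’s own syntax check and is worth running right before the restart as well.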

Congratulations, you’ve now installed and activated Google Authenticator. All this is going to make it pretty hard for a hacker to break into your droplet.

3.16. Install Logwatch

Logwatch is a package that monitors your logs and emails them to you. If you absolutely prioritize security over privacy, you may choose to install this package. If you feel that your droplet is secure enough and you’re now more concerned about protecting your privacy, feel free to skip this step.

To install Logwatch, run this command.

sudo apt-get install logwatch

If anyone else ever accesses your server, these emailed logs may prove helpful in figuring out what happened and when, especially since the intruder may alter your server logs.

Run this command to edit a Logwatch configuration file to run a cron job.

sudo nano /etc/cron.daily/00logwatch

Add this line.

/usr/sbin/logwatch --output mail --mailto youremailaddress@youremailservice.com --detail high

Save and exit.

3.17. Activate DigitalOcean Monitoring

If you chose to install Logwatch, consider activating DigitalOcean Monitoring. It’s a free, opt-in service that gives more detailed reports on your droplets and resource usage. To do so, a DigitalOcean agent must be installed on your droplet. To install the agent, enter this command.

curl -sSL https://agent.digitalocean.com/install.sh | sh

Congratulations, you’ve hardened your droplet against hackers.

SECTION 4.0 — INSTALL ALGO

After creating a SSH key pair, creating your droplet and then hardening it, it’s finally time to install Algo.

Algo is a free open source package that the security consulting company Trail of Bits designed to install a self-hosted VPN service.

This is what you’ll be doing:

  1. install Algo’s prerequisites
  2. copy Algo onto your droplet
  3. create Algo users
  4. install Algo on your droplet
  5. transfer Algo files to your devices
  6. install Algo on your devices, and
  7. confirm Algo is working

4.1 Install Algo’s Core Prerequisites

Algo actually is a set of what are called Ansible scripts to install an open source IPsec VPN package called strongSwan, which a team of volunteers created and maintains and which Trail of Bits’ CEO Dan Guido settled on.

To install Algo’s prerequisites, including the package needed to run Ansible scripts, enter these commands.

sudo apt-add-repository -y ppa:ansible/ansible
sudo apt-get update -y
sudo apt-get upgrade -y
sudo apt-get install -y software-properties-common python-virtualenv ansible

4.2 Copy Algo onto Droplet

Now run these commands to fetch the latest Algo package and prepare for installation.

sudo git clone https://github.com/trailofbits/algo
cd algo
sudo python -m virtualenv env
source env/bin/activate

4.3 Create Algo Users

Now it’s time to set up usernames for the people who will be using the VPN.

nano config.cfg

Remove the lines that represent the default users “dan” and “jack” and add your own (e.g., “adam”), so that this part of the file looks like this:

users:
- adam

The config.cfg file also governs how much information the VPN package will log. The available levels range from -1 (absolutely silent) through 4 (very detailed, including sensitive information like keys). The default is 2 (more detailed debugging control flow). If you prefer to turn off VPN logging, look for this text and change 2 to -1.

# StrongSwan log level
#https://wiki.strongswan.org/projects/strongswan/wiki/LoggerConfiguration
strongswan_log_level: 2

Save and close.
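The two config.cfg edits from this section done with awk rather than Nano, so they can be repeated identically (for example after pulling a newer Algo checkout). This is an added example, not Algo’s own tooling: the sample config.cfg is a constructed imitation of just the two parts of the real file that the text edits, and the user names are placeholders. The list items it writes are indented two spaces, which YAML treats the same as the unindented form shown above.

```shell
#!/bin/sh
# Scripted edits for the two config.cfg settings this guide changes by hand.
# Added example; the sample file below is constructed, not Algo's real config.

# set_algo_users <file> <user>...  : replace the entire "users:" list
set_algo_users() {
    file=$1
    shift
    tmp="$file.tmp"
    awk -v new="$*" '
        /^users:/ {                         # keep the key, emit the new list
            print
            n = split(new, u, " ")
            for (i = 1; i <= n; i++) print "  - " u[i]
            skip = 1
            next
        }
        skip && /^[[:space:]]*-[[:space:]]/ { next }   # drop old "- dan" lines
        { skip = 0; print }                             # anything else ends the list
    ' "$file" > "$tmp" && mv "$tmp" "$file"
}

# set_strongswan_log_level <file> <level>  : -1 (silent) .. 4 (logs keys)
set_strongswan_log_level() {
    file=$1
    level=$2
    case "$level" in
        "-1"|0|1|2|3|4) ;;
        *) echo "invalid strongswan_log_level: $level (use -1..4)" >&2; return 1 ;;
    esac
    tmp="$file.tmp"
    awk -v lvl="$level" '
        /^strongswan_log_level:/ { print "strongswan_log_level: " lvl; next }
        { print }
    ' "$file" > "$tmp" && mv "$tmp" "$file"
}

# Read-back helpers so the result can be checked without opening the file.
algo_users() {
    awk '
        /^users:/ { inlist = 1; next }
        inlist && /^[[:space:]]*-[[:space:]]/ { sub(/^[[:space:]]*-[[:space:]]*/, ""); print; next }
        { inlist = 0 }
    ' "$1"
}
strongswan_log_level() {
    awk '/^strongswan_log_level:/ { print $2 }' "$1"
}

# Constructed sample in the shape of the parts of config.cfg the guide edits.
CFG=$(mktemp)
cat > "$CFG" <<'EOF'
---
users:
  - dan
  - jack

# StrongSwan log level
#https://wiki.strongswan.org/projects/strongswan/wiki/LoggerConfiguration
strongswan_log_level: 2
EOF
trap 'rm -f "$CFG" "$CFG.tmp"' EXIT

set_algo_users "$CFG" adam            # "adam" is the placeholder name from the text
set_strongswan_log_level "$CFG" -1    # silence VPN logging, as the text suggests
echo "users now: $(algo_users "$CFG" | tr '\n' ' ')"
echo "strongswan_log_level now: $(strongswan_log_level "$CFG")"
```

Inside the algo checkout the same calls would be set_algo_users config.cfg adam and set_strongswan_log_level config.cfg -1; run them as deploy so the file keeps its ownership, since the sudo git clone above leaves the checkout owned by root until the chown in 4.4.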

4.4 Install Algo on Droplet

After all that, it takes just a single command to install Algo on your droplet.

./algo

The Ansible scripts that Dan and his team put together will now run you through a series of thirteen prompts.

At the first prompt, select 5 to use the DigitalOcean droplet you’ve created and hardened.

What provider would you like to use?
1. DigitalOcean
2. Amazon EC2
3. Microsoft Azure
4. Google Compute Engine
5. Install to existing Ubuntu 16.04 server
Enter the number of your desired provider

At the second prompt, type in localhost, meaning that you’re installing Algo on your droplet. Do not enter your droplet’s IP address here. That will come later.

Enter the IP address of your server: (or use localhost for local installation)[localhost]

At the third prompt, hit return.

What user should we use to login on the server? (note: passwordless login required, or ignore if you’re deploying to localhost)

At the fourth prompt, enter your droplet’s IP address. You can copy it over from the Digital Ocean website.

Enter the public IP address of your server: (IMPORTANT! This IP is used to verify the certificate)

At fifth prompt, hit return.

Was this server deployed by Algo previously? [y/N]

At the sixth and seventh prompts, select yes so that your VPN will automatically connect whenever your device is connected via cell or wifi.

Do you want macOS/iOS clients to enable “VPN On Demand” when connected to cellular networks? 
[y/N]
Do you want macOS/iOS clients to enable "VPN On Demand" when connected to Wi-Fi?
[y/N]

At the eighth prompt, enter your preference. (I didn’t list any trusted networks because I want all my traffic to flow through the VPN, even when I’m connected to my home network. Although I trust my home network, I don’t trust my ISP not to sell my info.)

List the names of trusted Wi-Fi networks (if any) that macOS/iOS clients exclude from using the VPN (e.g., your home network. Comma-separated value, e.g., HomeNet,OfficeWifi,AlgoWiFi)

Hit return to select the defaults for the remaining prompts.

Do you want to install a DNS resolver on this VPN server, to block ads while surfing?
[y/N]
Do you want each user to have their own account for SSH tunneling
[y/N]
Do you want to apply operating system security enhancements on the server? (warning: replaces your sshd_config)
[y/N]
Do you want the VPN to support Windows 10 or Linux Desktop clients? (enables compatible ciphers and key exchange, less secure)
[y/N]
Do you want to retain the CA key? (required to add users in the future, but less secure)
[y/N]

While Algo’s documentation of these script questions is young and evolving, it appears that answering yes to “Do you want to apply operating system security enhancements on the server?” enables unattended-upgrades, which you already took care of when you were hardening your droplet, as well as additional actions, which you can look into further if you wish.

After five minutes or so, the installer should complete the installation and give you a message that says.

Congratulations!
Your Algo server is running.

In this message you’ll get “p12 and SSH keys password for new users.” Securely store this password. You’ll use it when you install the Algo VPN clients on your devices.

Algo will create configuration files in the directory ./deploy/algo/configs/{your-digitalocean-droplet-ip-address}, where the subdirectory name reflects your droplet’s IP address.

Make deploy the owner of the Algo configuration files.

sudo chown -R deploy ./algo/configs/123.45.67.89/

The -R argument recursively changes the ownership of the folder and all files in it to deploy.

4.5 Transfer Algo Files to Your Devices

To install Algo on your devices, you’ll want to transfer the Algo configuration files from your droplet to your Mac and then to your other devices.

First, on your Mac, open a new Terminal session to create a directory (in your home directory or wherever else you choose) to store the Algo configuration files and then change to that directory.

mkdir configs
cd configs

Second, in this new Terminal session, log into your droplet using SFTP, which stands for Secure File Transfer Protocol.

sftp deploy@{your-digitalocean-droplet-ip-address}

Change directory on your droplet to the folder holding the Algo configuration files.

cd algo/configs/{your-digitalocean-droplet-ip-address}

The SFTP command to transfer the Algo configuration files from your droplet to your Mac couldn’t be easier.

get *

Close the SFTP session.

exit

Now that you’ve closed the SFTP session, you can use the same Terminal window (which once again is pointing to your Mac) to confirm that the Algo configuration files are in the directory you created on your Mac.

ls

4.6 Install Algo on Your Devices

Assuming you’re using Apple products, the file that you want will be named adam.mobileconfig or whatever username you assigned. You can use the same profile to install Algo VPN on your macOS and iOS devices.

To install Algo VPN on your Mac, just double-click the .mobileconfig file.

To install Algo VPN on your iOS devices, Airdrop the .mobileconfig file to your device. As soon as you accept the Airdrop, you’ll be prompted to install the profile.

Either way, you’ll be prompted for a password. Enter the password that you got when you installed Algo to your droplet.

For more info, including instructions on how to install VPN on other devices, see Algo’s writeup, Configure the VPN Clients.

4.7 Confirm Algo Is Working

Now that you’ve installed Algo on your devices, it’ll start working automatically (assuming that you selected “VPN on Demand” when you installed Algo on your droplet).

Check to make sure that the IP address your browser shows to the outside world is your droplet’s IP address, not your home address. For now, this is as simple as Googling “what’s my IP address?” and seeing what pops up in your search results.

If you’re concerned about privacy and anonymity and know about things like webRTC, DNS and IPv6 leaks, there’s lots more that you could be doing.

Congratulations, you’ve now set up your own VPN service on your own cloud-based computer!

If you liked this guide, please clap for this story. Stick around. Now that I’ve created this account, I’ll be posting some more info that you might find useful.

[Photo: Stadtbibliothek Stuttgart]

SECTION 5.0 — SOURCES

Props to the authors of these articles (and those linked above), as well as the teams that developed Ubuntu, Ansible, strongSwan, Algo and the many other packages that make Algo VPN possible.

Jeff Ahking

Mitchell Anicas

Romain Dillet

Dan Guido

Bryan Kennedy

David Lesniak

Thomas K. Running

Lenny Zeltser

Changelog

11/8/17 added instructions on how to edit /etc/fail2ban/jail.local to “permanently” ban offenders

