Brew Your Own VPN With Algo — Take 2

Here’s my second take on how to brew up a good cup of Algo VPN.

In my original recipe, we created a Digital Ocean droplet, hardened it and only then installed Algo onto the droplet. Dan Guido, the CEO at Trail of Bits who led the team that created Algo, recommended that it’s easier, faster and more secure to run the Algo script directly from my Mac and let the script create the droplet and install Algo.

This recipe builds upon the instructions on how to deploy Algo on the project’s Github page. I’ve added my own explanations from the perspective of someone who’s new to cloud servers. If this stuff is new to you too, you might find these expanded directions helpful. As in the original recipe, this post assumes you use Apple devices and have a passing familiarity with (or are willing to learn) how to use Terminal. All credit for everything right belongs to the Algo team. Responsibility for any mistakes below is mine alone.

In this recipe, you’ll be doing the following:

  1. create a Digital Ocean account and then a personal access token
  2. download Algo
  3. install Algo’s core dependencies
  4. install Algo’s remaining dependencies
  5. list your Algo users
  6. install Algo on a droplet
  7. install Algo on your devices
  8. test to make sure Algo is working

Let’s get started.

1. Create a Digital Ocean Account

Digital Ocean offers virtual private servers — computers in the cloud that Digital Ocean calls droplets. It’s reportedly the most user-friendly cloud hosting provider, especially for new users. I had never created a cloud server before until I started using Algo and have found Digital Ocean a breeze to use.

To create a new account, just click this link. You’ll get a $10 credit and the folks that created Algo will get a referral credit. (I’m not getting any benefit.)

While I haven’t experienced any issues myself, it appears that Digital Ocean’s infrastructure is sometimes unreliable. If you’re running into issues, you might consider using another provider. If you prefer, you can use Amazon EC2, Google Compute Engine or Microsoft Azure, which are currently the other cloud server providers that Algo chooses to support.

Create a personal access token

Now create an API token — what Digital Ocean calls a personal access token. If you’re wondering what that is, it’s easy — an API token is just a long alphanumeric passcode like this example.

1iic01a7c5e2851328fe975b2dfe9878b88e6baf0ce96d9e6c8562062834168b

API stands for Application Programming Interface. It’s a way of requesting and receiving information online.

A personal access token serves the same function as your user name and password. It allows you (really the Algo script that you’ll be running) to log into your account without having to type in your user name and password. You’ll be using it shortly when you tell Algo to create a Digital Ocean droplet for you.

To create an API token, click on API in the menu at the top of the Digital Ocean webpage, then select Generate New Token.

A window will pop up.

Give the token a name, perhaps Algo since that’s why you’re creating it.

Make sure to select both Read and Write power for your token. Your token will need both powers to create a new droplet and install Algo for you.

Digital Ocean will then display your token along with the message, “Please copy your new personal access token now. It won’t be shown again for your security.” Follow Digital Ocean’s advice. Copy your token and store it securely. Treat it like a password. Keep it private and don’t accidentally post it online on a public webpage.

2. Download Algo

Download Algo from the Algo repository on Github. The compressed file is named algo-master.zip.

Pick whatever folder on your Mac you prefer to hold your Algo files. Move the zip file there.

Unzip the compressed Algo file that you downloaded. That will create a new folder on your Mac named algo-master.

3. Install Algo’s Core Dependencies

Before you run Algo, you need to install some software packages that Algo needs.

Open Terminal. (It’s in the Applications folder, then the Utilities folder.)

First, change the directory to the folder holding the Algo files.

cd /Users/{YourUserName}/{WhateverFolderYouPicked}/algo-master

Unless you’re in love with typing full directory paths, the easiest way to do this is to type cd (including a space after cd) in Terminal and then drag the algo-master folder from a Finder window into the Terminal window. That will automatically paste the directory path into Terminal.

Second, run these two commands.

python -m ensurepip --user
python -m pip install --user --upgrade virtualenv

Python is a programming language that Apple bundles with macOS. Algo’s own instructions say, “The python interpreter you use to deploy Algo must be python2. If you don’t know what this means, you’re probably fine.” That’s correct, I wasn’t sure what python interpreter was on my Mac and things worked out fine for me. If you’re curious, Apple has bundled Python 2.x with every macOS since at least Mac OS X Puma 10.1 in 2001 so if your Mac doesn’t have python2, you probably couldn’t run Algo anyway and should think about getting a new Mac.

In the first command, python -m instructs python to install a separate software module. The -m ensurepip argument directs python to install pip, which is a tool for installing software packages written in python. The --userargument tells python to install the package for just the current user.

The second command python -m pip install --user -upgrade virtualenv tells python to install another tool called virtualenv, which creates isolated environments to run python applications. With these two commands, you’re laying the foundation to create a virtual environment on your Mac that Algo will use to create a virtual server in the cloud.

4. Install Algo’s Remaining Dependencies

Now enter the following command to install Algo’s remaining dependencies, which will enable you to create a python virtual environment on your Mac to run Algo.

python -m virtualenv env && source env/bin/activate && python -m pip install -U pip && python -m pip install -r requirements.txt

This is actually four commands joined by the && operator so let’s pause and break it down.

The first command python -m virtualenv env instructs python to create a new virtual environment inside a directory named env. A virtual environment allows python applications to install and upgrade packages without interfering with the behavior of other python applications running on the same system.

If (and only if) the first command succeeds (i.e., it finishes without throwing off an error code), then the && operator executes the next command.

The second command source env/bin/activate activates the new virtual environment. In other words, you’re telling your Mac that when you enter a python command, you want your computer to use the version of python that’s installed inside of the new virtual environment you just created.

The third command python -m pip install -U pip is directed to python in the virtual environment. This command makes sure that python installs the latest version of pip in the virtual environment.

The fourth command python -m pip install -r requirements.txt is where the rubber meets the road. It directs python to use pip to install in the virtual environment each of the dozen packages listed in requirements.txt in the algo-master folder:

msrestazure
setuptools>=11.3
ansible>=2.1,<2.2.1
dopy==0.3.5
boto>=2.5
boto3
azure==2.0.0rc5
msrest==0.4.1
apache-libcloud
six
pyopenssl
jinja2==2.8

When you look under the hood, you begin to better appreciate the effort that goes into designing packages like Algo (as well as strongSwan, the IPsec VPN that Algo employs).

As your Mac works its way through this command, you might be prompted to install cc. If so, press accept.

5. List Your Algo Users

Before you run Algo, you need to tell it what users to create.

Open config.cfg in nano or your favorite command-line text editor.

nano config.cfg 

If you haven’t used nano before, just dive in. It’s easy to figure out.

Edit the file to specify what users you wish to create in the users list. Remove the lines that represent the default users “dan” and “jack” and add your own (e.g., “adam” and “betty”), so that this portion of the file looks like this:

users:
- adam
- betty

Save and close.

After you save your changes to config.cfg, you’ll be back in your Terminal session. Make sure that the command line prompt shows that you’re in the algo-master directory.

5½. Patch Ansible

As of posting this story (December 3, 2017), you’ll need to do one more thing before you install Algo. Due to an issue that’s popped up with Ansible scripts (which Algo uses to create the Digital Ocean droplet), you’ll need to create and run a patch.

First, enter this command to create a new file (in the algo-master folder) called do_tag.patch.

nano do_tag.patch

Second, copy and paste this text into the new file.

--- ./env/lib/python2.7/site-packages/ansible/modules/core/cloud/digital_ocean/digital_ocean_tag.py.orig	2017-12-02 09:42:56.044524930 -0500
+++ ./env/lib/python2.7/site-packages/ansible/modules/core/cloud/digital_ocean/digital_ocean_tag.py 2017-12-02 09:43:14.245074861 -0500
@@ -242,7 +242,7 @@
module = AnsibleModule(
argument_spec=dict(
name=dict(type='str', required=True),
- resource_id=dict(aliases=['droplet_id'], type='int'),
+ resource_id=dict(aliases=['droplet_id'], type='str'),
resource_type=dict(choices=['droplet'], default='droplet'),
state=dict(choices=['present', 'absent'], default='present'),
api_token=dict(aliases=['API_TOKEN'], no_log=True),

Save and close.

Third, run this command.

patch -b -p0 < do_tag.patch

Props to David E. Myers for this patch.

6. Run Algo

To deploy Algo, enter this simple command.

./algo

Since you’re in the algo-master directory, this command will run the Unix executable named algo. That file invokes a set of Ansible scripts that will create a Digital Ocean droplet and install a VPN host on it.

According to the instructions on Algo’s Github page, “[t]here are several optional features available. None are required for a fully functional VPN server. These optional features are described in greater detail in deploy-from-ansible.md.” So you know what to expect, here’s what you’ll be asked.

What provider would you like to use?
1. DigitalOcean
2. Amazon EC2
3. Microsoft Azure
4. Google Compute Engine
5. Install to existing Ubuntu 16.04 server
Enter the number of your desired provider :

Enter 1 for Algo to create a Digital Ocean droplet for you.

Enter your API token. The token must have read and write permissions (https://cloud.digitalocean.com/settings/api/tokens): [pasted values will not be displayed] :

Copy and paste the personal access token you created earlier. This will enable Algo to access your Digital Ocean account. It’s perfectly safe to enter your token here. The Algo script is running on your Mac so your token is shared with only Digital Ocean. If you want, you can delete your token after Algo creates your droplet.

Name the vpn server:
[algo.local]:

Enter whatever name you want. The Algo script will also add a Environment:Algo tag to your new droplet.

What region should the server be located in?
1. Amsterdam (Datacenter 2)
2. Amsterdam (Datacenter 3)
3. Frankfurt
4. London
5. New York (Datacenter 1)
6. New York (Datacenter 2)
7. New York (Datacenter 3)
8. San Francisco (Datacenter 1)
9. San Francisco (Datacenter 2)
10. Singapore
11. Toronto
12. Bangalore
Enter the number of your desired region:
[7]:

Choose whichever datacenter you want. Whatever location you pick will be where your VPN pops up to join the internet so, unless you have reasons to pick something else, it might make sense to pick a datacenter in your own country.

Do you want macOS/iOS clients to enable “VPN On Demand” when connected to cellular networks? [y/N]: 

Answer yes. You can always disable “On Demand” later.

Do you want macOS/iOS clients to enable “VPN On Demand” when connected to Wi-Fi? [y/N]: 

Ditto.

Do you want to install a DNS resolver on this VPN server, to block ads while surfing? [y/N]: 

Answer no. This feature is not working now for macOS/iOS users due to a bug.

Do you want each user to have their own account for SSH tunneling? [y/N]: 

Just say no for now. If you or any of your users ever want to use a SSH tunnel, you can always create a new droplet enabling this feature.

Do you want to apply operating system security enhancements on the server? (warning: replaces your sshd_config) [y/N]: 

Your choice. These security enhancements are optional.

Do you want the VPN to support Windows 10 or Linux Desktop clients? (enables compatible ciphers and key exchange, less secure) [y/N]: 

Say no unless your VPN need to support someone using Windows or Linux.

Do you want to retain the CA key? (required to add users in the future, but less secure)
[y/N]:

The only reason to say yes is if you might want to add users later but you could always just create a new instance of Algo so it’s easiest to say no.

After you complete these prompts, the script will take about 5 minutes or so to create a droplet and install Algo.

Barring any error messages, you’ll get a message like this.

Congratulations!
Your Algo server is running.
Config files and certificates are in the ./configs/ directory.
Go to https://whoer.net/ after connecting
and ensure that all your traffic passes through the VPN.
Local DNS resolver 172.16.0.1
The p12 and SSH keys password is xxxxxxxx

In this message you’ll get “p12 and SSH keys password for new users.” Securely store this password. You’ll use it when you install the Algo VPN clients on your devices.

Congratulations, you’ve now used Algo to create a Digital Ocean droplet and install a VPN service.

7. Install Algo on Your Devices

Now that you’re running Algo as a VPN host on a Digital Ocean droplet, it’s time to install VPN clients on your devices.

Find the VPN profile files

To install Algo VPN on your devices, you’ll use the .mobileconfig files for your users. To find these files, look at the algo-master folder on your Mac, then the configs subdirectory, then in a subdirectory named after your droplet’s IP address. There will be an .mobileconfig file for each of your users.

macOS

To install Algo VPN on your Mac, just double-click the.mobileconfig file and follow the prompts.

You’ll be prompted for a password. Enter the .p12 password that Algo provided.

Once you’ve installed Algo on your Mac, Algo VPN should connect automatically, as long as you selected On Demand when prompted.

If you didn’t select On Demand, then to connect to Algo VPN, click on System Preferences, then Network, then select Algo VPN service from the list in the left column, then click Connect.

If you prefer to toggle VPN on and off, at System Preferences > Network > Algo VPN, uncheck Connect on demand and check Show VPN status in the menu bar.

iOS

To install Algo VPN on your iOS devices, Airdrop the .mobileconfig file to your device. As soon as you accept the Airdrop, you’ll be prompted to install the profile.

If you didn’t select On Demand, connect to Algo VPN by going to Settings and looking for the “VPN” toggle near the top of the list. Toggle VPN on.

You can turn “On Demand” on or off by clicking the (i) symbol next to the entry for Algo VPN and toggling “Connect On Demand.”

Other devices

For more info, including instructions on how to install VPN on other devices, see Algo’s writeup, Configure the VPN Clients.

8. Test to Make Sure Algo is Working

To check whether Algo VPN is working, visit whoer.net on each of your devices. Make sure that the IP address that whoer reports is that of your Algo VPN, rather than your own IP address.

Congratulations, you’ve used the Algo script to create a Digital Ocean droplet hosting your own private VPN!

Biblioteca Vasconcelos, Mexico City

Sources

My primary source is the README guide to deploying the Algo server.

Thorin Klosowski also wrote up a good description of how to set up Algo on Amazon Web Services.