
Algo: A set of Ansible scripts that simplify the setup of a personal IPSEC VPN - uoflcards22
https://github.com/trailofbits/algo
======
vermilingua
It’s worth mentioning that the goal of this project is not privacy, nor does
TrailOfBits pretend it is; it is security. Algo doesn’t and couldn’t care less
about your privacy once you reach the endpoint, only about securing the
tunnel.

You shouldn’t use Algo if you are concerned about surveillance from
corporations/governments, you _should_ use Algo if you are concerned about
surveillance/attacks from your local network or ISP.

~~~
auslander
Governments take the data from ISP too. And hiding your IP behind VPN is good
in any case.

~~~
JshWright
That is the parent comment's point. This will protect you from your local ISP.
It will not protect you from the government (or the ISP on the other end of
the tunnel).

A VPN does not 'hide' your IP address. It merely changes it.

~~~
auslander
> That is the parent comment's point.

"You shouldn’t use Algo if you are concerned about surveillance from
corporations/governments" --- wrong, because Govs get all ISP data.

> It will not protect you from the government

But it _will_ , because all the government will see (using ISP data) is some
VPN traffic from me, nothing more.

VPN _does_ hide my IP address - all further connections are made from VPN IP,
used by thousands, and not from my personal ISP IP.

~~~
harshreality
Where would your VPN be? What makes you think the government doesn't monitor
traffic flows _there_? They don't even need to monitor traffic flows at your
home's ISP, since they can see both legs of the connection just by watching
the network your VPN server is on.

If you're in a FVEY country, you can't count on any real network metadata
privacy protection (against your own country's government) for near-realtime
communication. Multiple hops (e.g. tor) makes it more difficult for them, but
also makes your internet connection slow and unreliable, and your traffic
becomes even higher priority for them to investigate; if they happen to have
flow data on each of the nodes you use, you're probably unmasked.

~~~
auslander
> your traffic becomes even higher priority for them to investigate

You use tor, your ISP marks it, it triggers priority for them to investigate
_you_. You use VPN to access tor, it triggers nothing.

~~~
azinman2
Evidence?

------
dalanmiller
It should be noted that if you've set up Algo already, it now supports
WireGuard. The WireGuard Android app (it would be great to verify that it is
indeed published by www.wireguard.com) is stupid easy to set up and enable on
your device.

~~~
Tharre
It already is linked on the installation page:

[https://www.wireguard.com/install/#android-play-store-f-droi...](https://www.wireguard.com/install/#android-play-store-f-droid)

------
eximius
Use Wireguard. It is wonderful and the community is friendly. `wg-quick` is
easy to use but if you need it, I believe Streisand supports automatically
provisioning a wireguard setup.

~~~
mistaken
Wireguard is awesome, but the kernel module is so far a mess. If you're
paranoid I wouldn't rely on it until the code has been cleaned up and perhaps
audited.

~~~
auslander
you are not mistaken

~~~
JshWright
Based on what evidence?

~~~
auslander
I just think being cautious is wise, given how new WG is. And, AFAIK, it is
userland only, like OpenVPN, not in the Linux kernel; think performance.

~~~
geofft
There _is_ a WireGuard kernel module, and it also seems weird to me to say
"This is a mess" when what you actually mean is "Nobody yet knows if it is a
mess or not and I have no evidence either way."

------
nodesocket
I prefer [https://github.com/hwdsl2/setup-ipsec-vpn](https://github.com/hwdsl2/setup-ipsec-vpn).
Shameless blog post on setting it up on a Raspberry Pi 3 -
[https://blog.elasticbyte.net/setting-up-a-native-cisco-ipsec...](https://blog.elasticbyte.net/setting-up-a-native-cisco-ipsec-vpn-server-using-a-raspberry-pi/)

~~~
athrun
Thank you for posting this! I'll be checking this out. I like how the scope of
this project is only about setting up an IPsec server automatically on a Linux
box.

Algo and Streisand have too many features, making them unwieldy.

------
accrual
> Does not install Tor, OpenVPN, or other risky servers

Although I recognize IPsec is a widely supported protocol and suitable for
this use case, did the readme intend to imply OpenVPN is risky?

~~~
Operyl
[https://github.com/trailofbits/algo/issues/36](https://github.com/trailofbits/algo/issues/36)
I guess they consider TLS to be a considerable risk. Theoretical, I guess.

~~~
dguido
There is an FAQ that addresses "Why not OpenVPN?" including the specific
security concerns with it:

[https://github.com/trailofbits/algo/blob/master/docs/faq.md#...](https://github.com/trailofbits/algo/blob/master/docs/faq.md#why-arent-you-using-openvpn)

------
TimTheTinker
Question - are there any guides available to help set up a home-brew router to
route all outbound connections through an Algo VPN with exceptions for
Netflix/etc.?

Something like this (this is for OpenVPN):
[https://arstechnica.com/gadgets/2017/05/how-to-build-your-ow...](https://arstechnica.com/gadgets/2017/05/how-to-build-your-own-vpn-if-youre-rightfully-wary-of-commercial-options/)

I currently have a pfSense router set up with Algo, but I have to disable the
IPSec policy whenever I want to use Netflix. (Discussion here:
[https://github.com/trailofbits/algo/issues/292](https://github.com/trailofbits/algo/issues/292)
- see comments near the bottom.)
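The split-tunnel problem in the question above, as an added example that is not part of the thread and not Algo's own code. It assumes the Algo deployment is used through its WireGuard output (mentioned earlier in the thread), where the client's AllowedIPs list decides which destinations enter the tunnel. WireGuard has no "everything except X" syntax: AllowedIPs is a positive list, so the exceptions have to be expanded into the set of prefixes that remain after carving the holes out of 0.0.0.0/0. The LAN, VPN-endpoint and streaming-service prefixes below are constructed placeholders from the RFC 5737 documentation ranges; the real service ranges have to come from the user and change over time, so this is a list to maintain, not a one-off fix. The same carve-out logic applies to the IPsec phase 2 traffic selectors on the pfSense box in the question, but that side is not shown.

```python
"""Compute a split-tunnel WireGuard AllowedIPs list: everything through the
tunnel except a few carve-outs (LAN, the VPN endpoint itself, a streaming
service). Added example; not Algo's code. All prefixes are placeholders."""
import ipaddress
from typing import Iterable, List, Union

Net = Union[ipaddress.IPv4Network, ipaddress.IPv6Network]


def allowed_ips_excluding(exclusions: Iterable[str],
                          full: Iterable[str] = ("0.0.0.0/0",)) -> List[str]:
    """Return the minimal set of prefixes covering `full` minus `exclusions`.

    Each exclusion is punched out of every prefix it overlaps using
    ipaddress.address_exclude, which yields the sibling prefixes along the
    path from the containing block down to the hole. Prefixes swallowed by a
    hole are dropped; prefixes of the other IP version are left untouched.
    """
    holes: List[Net] = [ipaddress.ip_network(e, strict=False) for e in exclusions]
    remaining: List[Net] = [ipaddress.ip_network(f) for f in full]
    for hole in holes:
        nxt: List[Net] = []
        for net in remaining:
            if hole.version != net.version or not net.overlaps(hole):
                nxt.append(net)                        # untouched by this hole
            elif net.subnet_of(hole):
                continue                               # swallowed entirely
            else:
                nxt.extend(net.address_exclude(hole))  # split around the hole
        remaining = nxt
    remaining.sort(key=lambda n: (n.version, int(n.network_address), n.prefixlen))
    return [str(n) for n in remaining]


def covers(allowed: Iterable[str], ip: str) -> bool:
    """True if `ip` would be routed into the tunnel under this AllowedIPs list."""
    addr = ipaddress.ip_address(ip)
    return any(addr in ipaddress.ip_network(n) for n in allowed)


def total_addresses(allowed: Iterable[str]) -> int:
    """Number of addresses the list covers; a sanity check against the holes."""
    return sum(ipaddress.ip_network(n).num_addresses for n in allowed)


def allowed_ips_line(allowed: Iterable[str]) -> str:
    """Render the [Peer] line wg-quick expects: comma-separated prefixes."""
    return "AllowedIPs = " + ", ".join(allowed)


# Constructed placeholders (documentation ranges, not real service addresses):
LAN = "192.168.1.0/24"            # home network must stay off the tunnel
VPN_ENDPOINT = "203.0.113.10/32"  # the Algo server itself; with a split list
                                  # wg-quick installs plain routes, not the
                                  # fwmark rule it uses for /0, so exclude it
                                  # explicitly to avoid a routing loop
STREAMING = "198.51.100.7/32"     # stand-in for a service that blocks VPN IPs

if __name__ == "__main__":
    nets = allowed_ips_excluding([LAN, VPN_ENDPOINT, STREAMING])
    print(allowed_ips_line(nets))
    print(len(nets), "prefixes;",
          "8.8.8.8 tunnelled:", covers(nets, "8.8.8.8"),
          "LAN tunnelled:", covers(nets, "192.168.1.42"))
```

Paste the printed AllowedIPs line into the client's `[Peer]` section instead of `0.0.0.0/0`. Because the list no longer contains a `/0`, wg-quick adds one kernel route per prefix rather than its fwmark policy-routing setup, which is why the server's own address has to be in the exclusion list: otherwise the encapsulated packets would themselves be routed into the tunnel.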

~~~
auslander
Try OPNsense

Here is detailed tutorial
[https://forum.opnsense.org/index.php?topic=4979.0](https://forum.opnsense.org/index.php?topic=4979.0)

~~~
TimTheTinker
I tried it, but the installer keeps crashing. (Device is an HP T620 Plus with
a 4-port/1GB Intel server NIC.)

------
Nadya
I actually tried running Algo through Azure and Microsoft terminated my Azure
account citing I was breaking Terms of Service. I had hosted Algo for all of
two and a half days before the takedown.

Not sure if anyone else has had luck. Testing Algo out was all I was using
Azure for, so I had nothing else running on Azure at the time. I also ran
into a few snags trying to deploy Algo onto Azure so haven't bothered trying
to set it up elsewhere. My goal of the VPN was to get a JP address as a few
sites I browse are easier to browse with a JP address (eg: I don't get forced
bad English translations with no way to toggle to the JP version of the site
because I'm coming from an American IP...)

~~~
dguido
Hello! Developer for AlgoVPN here.

We have many successful reports of using Azure for AlgoVPN. I would appreciate
it very much if you could file an issue and include the full details of what
happened, including any communications you received from Microsoft
([https://github.com/trailofbits/algo/issues/new](https://github.com/trailofbits/algo/issues/new)).
I have contacts at Azure that I can escalate this issue to directly.

~~~
Nadya
I don't tend to hold onto emails as I don't really care for or value them;
especially not emails saying my account has been terminated. Those are more of
a delete and move on with my life kind of notice. I ended up getting an email
from a rep. asking how my experience was and either two or three (I think it
was two) calls to speak with me. A funny left-hand not speaking to the right-
hand scenario where customer reps tried to salvage a client even though the
client had been terminated by the service.

Thanks for extending a hand. I'll look for the email tomorrow - and if found -
I'll open an issue. Though if you don't hear from me, it's because the email
in all likelihood was deleted shortly after getting it. My use wasn't critical
need, so I didn't particularly care to deal with the headache of getting
things sorted.

------
chrisweekly
Given this post's HN commentary is full of seemingly well-informed
perspectives on the relative merits of several VPN service providers and
software packages, can anyone comment on Private Tunnel? I've been using it
for years, having paid something like $20 for 100GB. No complaints, but
interested in expert opinion / insights regarding privacy and security. Thanks!

~~~
dguido
My choice is typically between "should I use a hosted provider" vs "should I
host my own." IMHO there is not a vast amount of difference between hosted VPN
providers. They all suffer from generally the same issues.

Here are some reasons you might want to self-host:

[https://blog.trailofbits.com/2016/12/12/meet-algo-the-vpn-th...](https://blog.trailofbits.com/2016/12/12/meet-algo-the-vpn-that-works/)

------
akerro
>Does not install Tor, OpenVPN, or other risky servers

Does it call OpenVPN a risky server? Why?

Found it
[https://github.com/trailofbits/algo/blob/master/docs/faq.md#...](https://github.com/trailofbits/algo/blob/master/docs/faq.md#why-arent-you-using-openvpn)

------
ilarum
What is the best way to have a VPN in each continent (apart from the obvious
option to have an instance in each region)? I used to pay for a commercial
service, but I lost this functionality when I switched to a self-hosted
solution.

I prefer this feature since I travel a lot and would like to have lower
latency wherever I am.

~~~
tootahe45
What is wrong with purchasing a VPN that is made to provide this functionality
on the cheap? I don't get why everybody has to try to do it themselves. If
you're worrying about tainted IPs, pay a little more for a VPN that logs. All
good VPNs support connecting via OpenVPN at this point.

------
givinguflac
Serious question, do people consider a cloud provider to be more trustworthy
than a professional VPN company?

~~~
filmgirlcw
Perhaps? If you’re using a VPN to protect your internet traffic from being
sold to ad companies, probably. The VPN industry has become a racket full of
affiliate schemes that push people towards plans and services that don’t
necessarily act in the user’s best interest. Figuring out the good from the
bad can be difficult. And I’ve seen some services that when audited use
outdated or insecure stacks.

Of course, if you’re using a VPN to try to protect your browsing activity from
authorities, obviously a major cloud provider may be more willing to turn your
info over to someone else.

~~~
mirimir
I've been using VPN services for over a decade. In my opinion, the most
privacy friendly are AirVPN, Insorg, IVPN, Mullvad, Private Internet Access
and Riseup. To my knowledge, HideMyAss, EarthVPN, IPVanish, PureVPN and
WANSecurity have violated their users' privacy. For the most part, by sharing
logs with investigators. Prudent providers make damn sure not to have any logs
that could be seized.

~~~
Alexa_Anthony
Well, I will not advocate for any big brand here but it is also true that
hidemyass, IPvanish and Purevpn have more than 50% total share of VPN users,
and indeed it's true that new VPN services, especially Private Internet
Access, are going great. I recently read some review of them at Bestvpn.co.

------
ishanjain28
How do you decide what vpn tech to use?

I was using openvpn and then switched to wireguard because openvpn was
consuming a lot of power on my phone.

Why would I want to use IPsec?

~~~
ReverseCold
> Why would I want to use IPsec?

It's already built into your phone. (Probably)

~~~
ishanjain28
It is. But just one tiny app for VPN isn't too bad if that VPN does not ruin
internet bandwidth.

------
alchemism
Algo is great. I extend this script and use it as a quick-and-easy way of
managing my dev team’s vpn into our clouds.

------
xanth
Having not done any cloud work myself I have no clue how much this would cost,
anyone able to give a rough estimate?

~~~
gbear605
$5/month or less is reasonable.

------
verroq
Not enough people have heard of Outline.
[https://getoutline.org/](https://getoutline.org/)

It is a shadowsocks client and even non-technical users can provision VPNs on
cloud hosting providers.

~~~
voltagex_
It's a Google/Alphabet project. Hmm.

~~~
dguido
It's not a Google project, it's a Jigsaw project. There's a huge difference,
since one is run with extremely low resources and employees between the
entities are not shared. Don't trust code that comes from Jigsaw. In my
experience, it's all been haphazardly thrown together for a proof of concept
and media coverage, not production quality software that people should use.

------
nimbius
>Algo supports DigitalOcean (most user friendly), Amazon Lightsail, Amazon
EC2, Microsoft Azure, Google Compute Engine, Scaleway and OpenStack.

Four of the seven listed are cloud providers that actively encourage
censorship for the sake of their business model. At best, you would be a fool
to run a personal VPN on them; at worst, the fact that support exists at all
could be evidence that this software is in fact _worse_ than OpenVPN or Tor in
that it facilitates an obviously poor implementation.

Google and Microsoft both joined the PRISM program in 2009.

[https://en.wikipedia.org/wiki/PRISM_(surveillance_program)#M...](https://en.wikipedia.org/wiki/PRISM_\(surveillance_program\)#Media_disclosure_of_PRISM)

------
mtgx
IPSEC is broken by (NSA) design. Use Wireguard instead.

[https://www.mail-archive.com/cryptography@metzdowd.com/msg12...](https://www.mail-archive.com/cryptography@metzdowd.com/msg12325.html)

[https://www.wireguard.com/protocol/](https://www.wireguard.com/protocol/)

------
codedokode
I once wanted to write an Ansible playbook to install VPN on a server but
found out that you cannot just pass parameters via command line like

    ansible setup-vpn 1.2.3.4

Ansible expects you to write host address into a file in /etc. So
inconvenient. Also, Ansible doesn't support Windows and Cygwin.

It turned out it was easier to write instructions into a Bash program. Sadly,
it is non-portable and works only with a specific distribution.

It is also surprising how many files there are in the repository for a
relatively simple task. And how complicated the installation process is. In
PHP everything would be easier, because you can pack your application into a
single phar archive like in Java.

They don't support builtin Android client. I remember I installed Strongswan
or something like this and it worked with Android out of the box.

I wouldn't recommend Digital Ocean. They don't accept virtual debit card (they
want a real card so they can charge you whenever they want) and their VPS are
too expensive. $5 per month is too expensive when you can find offers as low
as 1 euro/month in Europe with pre-paid system.

~~~
1118836282029
Ansible works on Windows

[https://www.ansible.com/integrations/infrastructure/windows](https://www.ansible.com/integrations/infrastructure/windows)

I don’t get the Ansible hate, it’s great.

~~~
codedokode
It only can manage modern Windows versions. But you cannot use Windows to
control other hosts:
[https://docs.ansible.com/ansible/latest/user_guide/windows_f...](https://docs.ansible.com/ansible/latest/user_guide/windows_faq.html#can-ansible-run-on-windows)

