
Algo – Set up a personal IPSEC VPN in the cloud - Garbage
https://github.com/trailofbits/algo
======
wahern
Setting up IPSec on OpenBSD is much, much easier than on Linux. IKEv2 setup is
two lines in /etc/iked.conf:

    user "someuser" "somepassword"

    ikev2 "roaming" passive esp \
        from 0.0.0.0/0 to 192.168.1.128/25 peer any \
        ikesa auth hmac-sha2-512 enc aes-128 prf hmac-sha2-512 group modp2048 \
        childsa enc aes-128-gcm group modp2048 \
        eap "mschap-v2" \
        config address 192.168.1.128/25 \
        config name-server 192.168.1.1

Then setting up NAT is as simple as this one-liner in /etc/pf.conf:

    pass out on egress from 192.168.1.128/25 to any nat-to egress

Using IKEv1 instead of IKEv2 is just as easy (one-liner in /etc/ipsec.conf),
except you also have to configure L2TP. That's also very simple.

The Linux IPSec stack is just... incomparable.....
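The NAT one-liner above only rewrites outbound traffic; on a host with a default-deny pf policy the IKE, NAT-T and ESP traffic from roaming clients must also be allowed in, and the decrypted packets that surface on enc0 must be passed. The following /etc/pf.conf is an added, constructed example (not the commenter's configuration) that pairs the NAT rule with those filter rules; it assumes the same 192.168.1.128/25 client pool, the standard `egress` interface group, and that SSH is the only other service exposed.

```conf
# /etc/pf.conf (constructed example, assumes the 192.168.1.128/25 pool from the comment)
vpn_net = "192.168.1.128/25"

set skip on lo
set block-policy drop
block all

# Administrative access to the box itself
pass in on egress proto tcp from any to (egress) port 22

# IKEv2 (UDP 500), NAT traversal (UDP 4500) and ESP from roaming clients
pass in on egress proto udp from any to (egress) port { 500, 4500 }
pass in on egress proto esp from any to (egress)

# Decrypted client traffic arrives on the enc0 pseudo-interface
pass in on enc0 from $vpn_net to any keep state (if-bound)

# The NAT rule from the comment: masquerade clients behind the public address
pass out on egress from $vpn_net to any nat-to egress
```

Forwarding must be enabled (`net.inet.ip.forwarding=1` in /etc/sysctl.conf) and iked started (`rcctl enable iked`) for clients to reach anything past the gateway; `pfctl -nf /etc/pf.conf` parses the ruleset without loading it, which is a cheap check before `pfctl -f`. Keeping `block all` as the first rule means a mistake elsewhere fails closed rather than exposing the host.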

------
hackuser
Excellent reading about why you should consider Algo, the ideas behind it, and
why commercial VPNs don't do what you hope:

[https://blog.trailofbits.com/2016/12/12/meet-algo-the-vpn-that-works/](https://blog.trailofbits.com/2016/12/12/meet-algo-the-vpn-that-works/)

Note that Algo is designed by security professionals, is recommended by some
you may have heard of FWIW (grugq, Kenn White, more), and is careful about
what it claims to do:

* "Does not claim to provide anonymity or censorship avoidance"

* "Does not claim to protect you from the FSB, MSS, DGSE, or FSM"

~~~
dguido
Thanks for the support! Really cool to see a project of mine up on the front
page of Hacker News.

------
cypher543
This still seems too difficult for the average person who isn't a sysadmin,
but still wants to protect their privacy. Python? Virtualenv? Config files?
Ugh. My ideal VPN appliance would be a minimal Busybox-based disk image that
updates using A/B partitions and has a nice web UI. It lets you set basic
things like the hostname, time, admin password, and then regenerates all of
/etc. A cross-platform GUI setup wizard uploads the disk image to a VPS
provider, you get back a URL for the web UI with clear client setup
instructions, and that's it. If an update becomes available, you click a
button, it downloads the new image to the idle partition, modifies the GRUB
config to boot from it, and restarts. Done.

~~~
danvittegleo
I read your comment a week ago and fully agreed that I wanted something
similar. So I built this:
[https://github.com/dan-v/dosxvpn](https://github.com/dan-v/dosxvpn)

* It is an OSX packaged app that launches a GUI wizard and deploys to digitalocean, auto configures VPN on OSX, and spits out a mobileconfig file.

* It is based on CoreOS (not busybox) but is set to auto-update the OS using A/B partitions.

* The VPN Docker image running on the droplet is also configured to auto-update.

