Hacker News
Algo: A set of Ansible scripts that simplify the setup of a personal IPSEC VPN (github.com/trailofbits)
189 points by uoflcards22 on Aug 22, 2018 | 86 comments



It’s worth mentioning that the goal of this project is not privacy, nor does Trail of Bits pretend it is; it is security. Algo doesn’t and couldn’t care less about your privacy once you reach the endpoint, only about securing the tunnel.

You shouldn’t use Algo if you are concerned about surveillance from corporations/governments; you should use Algo if you are concerned about surveillance/attacks from your local network or ISP.


Hello, I am the original author of Algo. This is 100% correct and I am glad that people understand the goals of the project. Please use Algo to keep communications secure.


Let's not make a false dichotomy between privacy and security. Privacy is an integral part of security - https://news.ycombinator.com/item?id=17763324

The real quality to discuss is threat models. Even using a public-mix VPN is not going to protect against Klein-style wholesale tapping (due to packet correlation). Using your own VPN to exit will not protect against legal attacks (subscriber info will still be subpoenaed). But either will protect against revealing (to every service you connect to) your roaming between access networks - e.g. the discovery of who is friends from their connecting to the same WiFi.

(Also, distinguishing between "government" and "commercial" surveillance is a bit of a red herring as well. Much government surveillance is done by the "private" sector, which the government at least then buys full access to, if it doesn't constitute a de facto government on its own - e.g. credit bureaus in the US)


Governments take the data from ISPs too. And hiding your IP behind a VPN is good in any case.


That is the parent comment's point. This will protect you from your local ISP. It will not protect you from the government (or the ISP on the other end of the tunnel).

A VPN does not 'hide' your IP address. It merely changes it.


> That is the parent comment's point.

"You shouldn’t use Algo if you are concerned about surveillance from corporations/governments" --- wrong, because Govs get all ISP data.

> It will not protect you from the government

But it will, because all the government will see (using ISP data) is some VPN traffic from me, nothing more.

A VPN does hide my IP address - all further connections are made from the VPN IP, used by thousands, and not from my personal ISP IP.


Where would your VPN be? What makes you think the government doesn't monitor traffic flows there? They don't even need to monitor traffic flows at your home's ISP, since they can see both legs of the connection just by watching the network your VPN server is on.

If you're in a FVEY country, you can't count on any real network metadata privacy protection (against your own country's government) for near-realtime communication. Multiple hops (e.g. tor) make it more difficult for them, but also make your internet connection slow and unreliable, and your traffic becomes even higher priority for them to investigate; if they happen to have flow data on each of the nodes you use, you're probably unmasked.


> your traffic becomes even higher priority for them to investigate

You use tor, your ISP marks it, it triggers priority for them to investigate you. You use VPN to access tor, it triggers nothing.


Evidence?


It should be noted that if you've set up Algo already, it now supports WireGuard. The WireGuard Android app (which would be great to verify is indeed published by www.wireguard.com) is stupid easy to set up and enable on your device.


It already is linked on the installation page:

https://www.wireguard.com/install/#android-play-store-f-droi...


Use Wireguard. It is wonderful and the community is friendly. `wg-quick` is easy to use but if you need it, I believe Streisand supports automatically provisioning a wireguard setup.


Yes! Algo also sets up Wireguard for you.


I tried using it but unlike IPSEC/SSL VPNs, it doesn't punch through many firewalls.

Not Wireguard's fault, but in my case IPSEC worked better. I guess I could encapsulate it, but it's just annoying to do and on some platforms it's just too much trouble.


WireGuard supports persistent keepalives to punch through most firewalls[0].

If your firewall blocks UDP packets in general, you're in a world of pain either way, since TCP over TCP is pretty bad.

[0] https://www.wireguard.com/quickstart/#nat-and-firewall-trave...


Try Wireguard on port 4500; this is usually allowed by any firewall/filter that allows ipsec.


Algo supports it as well although the docs currently make it sound like it's for Android clients only. But you can grab the generated config (and perhaps add a keepalive line to taste) and use it on other platforms.
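The two suggestions above (add a keepalive line to the generated config, and move the endpoint to UDP 4500 where IPsec is already allowed) as an added example; this is not code from the thread, from Algo or from WireGuard. It edits a wg-quick client config in place with awk/sed. The server has to be listening on the new port (`ListenPort = 4500` on its side) for the port change to help, and the keys, addresses and host name below are constructed placeholders.

```shell
#!/bin/sh
# Added example; not code from the thread, from Algo or from WireGuard.
# It edits a wg-quick client config so that it (a) sends persistent
# keepalives, which keeps the NAT/firewall mapping for the UDP flow alive,
# and (b) reaches the server on UDP 4500, the IPsec NAT-T port that
# filters permitting IPsec generally pass. The server must be configured
# with ListenPort = 4500 for (b) to work. Keys, addresses and the host name
# below are constructed placeholders.

# write_sample_conf FILE: a minimal client config of the shape wg-quick
# expects, with no keepalive and the default port 51820.
write_sample_conf() {
    cat > "$1" <<'EOF'
[Interface]
PrivateKey = PLACEHOLDER_CLIENT_PRIVATE_KEY_BASE64
Address = 10.0.0.2/32
DNS = 10.0.0.1

[Peer]
PublicKey = PLACEHOLDER_SERVER_PUBLIC_KEY_BASE64
AllowedIPs = 0.0.0.0/0, ::/0
Endpoint = vpn.example.com:51820
EOF
}

# add_keepalive FILE [SECONDS]: append "PersistentKeepalive = SECONDS"
# (default 25, the interval the WireGuard quick-start suggests) to every
# [Peer] section that lacks one. Existing values are left untouched.
add_keepalive() {
    file="$1"; secs="${2:-25}"
    tmp=$(mktemp)
    awk -v secs="$secs" '
        function flush() { if (inpeer && !seen) print "PersistentKeepalive = " secs }
        /^\[/ { flush(); inpeer = ($0 ~ /^\[Peer\]/); seen = 0 }
        /^[[:space:]]*PersistentKeepalive[[:space:]]*=/ { seen = 1 }
        { print }
        END { flush() }
    ' "$file" > "$tmp" && mv "$tmp" "$file"
}

# set_endpoint_port FILE PORT: replace the port in every Endpoint line,
# keeping the host part (the greedy match also handles bracketed IPv6).
set_endpoint_port() {
    file="$1"; port="$2"
    tmp=$(mktemp)
    sed -E "s/^([[:space:]]*Endpoint[[:space:]]*=[[:space:]]*.*):[0-9]+[[:space:]]*$/\1:${port}/" \
        "$file" > "$tmp" && mv "$tmp" "$file"
}

# Small readers used to verify the result.
keepalive_of() {
    awk -F= '/^[[:space:]]*PersistentKeepalive/ { gsub(/[[:space:]]/, "", $2); print $2 }' "$1"
}
endpoint_of() {
    awk -F= '/^[[:space:]]*Endpoint/ { gsub(/^[[:space:]]+|[[:space:]]+$/, "", $2); print $2 }' "$1"
}

# Usage: patch a config and show the resulting [Peer] section.
conf=$(mktemp)
write_sample_conf "$conf"
add_keepalive "$conf" 25
set_endpoint_port "$conf" 4500
sed -n '/^\[Peer\]/,$p' "$conf"
rm -f "$conf"
```

Running `add_keepalive` twice leaves a single line, so it is safe to re-run after regenerating the config; note that the keepalive only matters on the client side behind the NAT, and that it does nothing for a network that drops UDP outright.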


Wireguard is awesome, but the kernel module is so far a mess. If you're paranoid I wouldn't rely on it until the code has been cleaned up and perhaps audited.


> a mess

by @mistaken, not Linus: http://lists.openwall.net/netdev/2018/08/02/124


Having actually looked at the code a bit, it is dramatically cleaner than any other firewall code I’ve ever seen. And the crypto is pretty nicely done, too.

OpenVPN is a mess. IPSEC and basically all implementations thereof are messes.

(As a personal anecdote, have you ever tried to get OpenVPN to do anything remotely sensible with MTUs or MTU-related ICMP errors? You can’t, because every possible configuration gets it at least partially wrong [0]. Wireguard gets it entirely correct AFAICT.)

[0] https://community.openvpn.net/openvpn/ticket/375


Ordinarily I would appreciate comments calling for an audit of security-critical software, but spoken with such derision and apparently ignorant of the fact that the author audits code for a living I can't get behind. As for "cleaned up", LKML's only objections to it so far are formatting; think variable declarations, line wrapping (or lack thereof), et al.


I'm not sure I've seen a more accurate handle before. I'd welcome any evidence to convince me otherwise though.


A mess in what way out of interest? (I've not looked at the source)


You are mistaken


you are not mistaken


Based on what evidence?


I just think being cautious is wise, given how new WG is. And, AFAIK it is userland only, like OpenVPN, not in the Linux kernel; think performance.


There is a WireGuard kernel module, and it also seems weird to me to say "This is a mess" when what you actually mean is "Nobody yet knows if it is a mess or not and I have no evidence either way."


I'm not sure where you're getting your information; the /de facto/ primary WireGuard implementation is a Linux kernel module.


So, you don't have any evidence that Wireguard is "a mess" (the claim that you are supporting).


I prefer https://github.com/hwdsl2/setup-ipsec-vpn. Shameless blog post on setting it up on a Raspberry Pi 3 - https://blog.elasticbyte.net/setting-up-a-native-cisco-ipsec...


Thank you for posting this! I'll be checking this out. I like how the scope of this project is only about setting up an IPsec server automatically on a Linux box.

Algo and Streisand have too many features, making them unwieldy.


See also https://github.com/jawj/IKEv2-setup for IKEv2 (I made this)


> Does not install Tor, OpenVPN, or other risky servers

Although I recognize IPsec is a widely supported protocol and suitable for this use case, did the readme intend to imply OpenVPN is risky?


https://github.com/trailofbits/algo/issues/36 I guess they consider TLS to be a considerable risk. Theoretical I guess.


There is an FAQ that addresses "Why not OpenVPN?" including the specific security concerns with it:

https://github.com/trailofbits/algo/blob/master/docs/faq.md#...


Question - are there any guides available to help set up a home-brew router to route all outbound connections through an Algo VPN with exceptions for Netflix/etc.?

Something like this (this is for OpenVPN): https://arstechnica.com/gadgets/2017/05/how-to-build-your-ow...

I currently have a pfSense router set up with Algo, but I have to disable the IPSec policy whenever I want to use Netflix. (Discussion here: https://github.com/trailofbits/algo/issues/292 - see comments near the bottom.)


Try OPNsense

Here is detailed tutorial https://forum.opnsense.org/index.php?topic=4979.0


I tried it, but the installer keeps crashing. (Device is an HP T620 Plus with a 4-port/1GB Intel server NIC.)


VyOS is another good option


I actually tried running Algo through Azure and Microsoft terminated my Azure account citing I was breaking Terms of Service. I had hosted Algo for all of two and a half days before the takedown.

Not sure if anyone else has had luck - that was all I was using Azure for, to test Algo out, so I had nothing else running on Azure at the time. I also ran into a few snags trying to deploy Algo onto Azure so haven't bothered trying to set it up elsewhere. My goal of the VPN was to get a JP address as a few sites I browse are easier to browse with a JP address (eg: I don't get forced bad English translations with no way to toggle to the JP version of the site because I'm coming from an American IP...)


Hello! Developer for AlgoVPN here.

We have many successful reports of using Azure for AlgoVPN. I would appreciate it very much if you could file an issue and include the full details of what happened, including any communications you received from Microsoft (https://github.com/trailofbits/algo/issues/new). I have contacts at Azure that I can escalate this issue to directly.


I don't tend to hold onto email as I don't really care for or value them; especially not emails saying my account has been terminated. Those are more of a delete and move on with my life kind of notice. I ended up getting an email from a rep. asking how my experience was and either two or three (I think it was two) calls to speak with me. A funny left-hand not speaking to the right-hand scenario where customer reps tried to salvage a client even though the client had been terminated by the service.

Thanks for extending a hand. I'll look for the email tomorrow - and if found - I'll open an issue. Though if you don't hear from me, it's because the email in all likelihood was deleted shortly after getting it. My use wasn't critical need, so I didn't particularly care to deal with the headache of getting things sorted.


I have been running my algo VM (with wireguard) in Azure for 2-3 months now without issue. For me it is nice because there is an Azure region pretty close to me so I don't take a _huge_ hit traversing the country.

I do work at MSFT but my algo VM is inside of my personal account.


Given this post's HN commentary is full of seemingly well-informed perspectives on the relative merits of several VPN service providers and software packages can anyone comment on Private Tunnel? I've been using it for years, having paid something like $20 for 100GB. No complaints, but interested in expert opinion / insights regarding privacy and security. Thanks!


My choice is typically between "should I use a hosted provider" vs "should I host my own." IMHO there is not a vast amount of difference between hosted VPN providers. They all suffer from generally the same issues.

Here are some reasons you might want to self-host:

https://blog.trailofbits.com/2016/12/12/meet-algo-the-vpn-th...


>Does not install Tor, OpenVPN, or other risky servers

Does it call OpenVPN a risky server? Why?

Found it https://github.com/trailofbits/algo/blob/master/docs/faq.md#...


What is the best way to have a VPN in each continent (apart from the obvious option to have an instance in each region)? I used to pay for a commercial service, but I lost this functionality when I switched to a self-hosted solution.

I prefer this feature since I travel a lot and would like to have lower latency wherever I am.


What is wrong with purchasing a VPN that is made to provide this functionality on the cheap? I don't get why everybody has to try to do it themselves. If you're worrying about tainted IPs, pay a little more for a VPN that logs. All good VPNs support connecting via OpenVPN at this point.


I swap with friends: they host an endpoint someplace they control and I host one in my colo in California.

They are friends of mine whom I know well so don't worry about one of my IP addresses being used to download child porn.


Serious question, do people consider a cloud provider to be more trustworthy than a professional VPN company?


Perhaps? If you’re using a VPN to protect your internet traffic from being sold to ad companies, probably. The VPN industry has become a racket full of affiliate schemes that push people towards plans and services that don’t necessarily act in the user’s best interest. Figuring out the food from the bad can be difficult. And I’ve seen some services that when audited use outdated or insecure stacks.

Of course, if you’re using a VPN to try to protect your browsing activity from authorities, obviously a major cloud provider may be more willing to turn your info over to someone else.


I've been using VPN services for over a decade. In my opinion, the most privacy friendly are AirVPN, Insorg, IVPN, Mullvad, Private Internet Access and Riseup. To my knowledge, HideMyAss, EarthVPN, IPVanish, PureVPN and WANSecurity have violated their users' privacy. For the most part, by sharing logs with investigators. Prudent providers make damn sure not to have any logs that could be seized.


Well, I will not advocate for any big brand here but it is also true that HideMyAss, IPVanish and PureVPN have more than 50% total share of VPN users, and indeed it's true that new VPN services, especially Private Internet Access, are going great. I recently read some review of them at Bestvpn.co.


> Figuring out the food from the bad can be difficult

Lol. Funny, good VPNs are like good fishing spots, the ones who know the difference tend not to share their favourites, keeping it for themselves :)


Trustworthy? I could go either way, depending on particular scenario.

Usable? Infinitely. I've noticed quite a few web sites and services putting obnoxious blocks or filters or other impediments against users coming from "widely-known" VPN and VPS provider IP addresses. But few seem to bother with Microsoft or Amazon IPs.

So for something that has the purpose of either getting me out from behind a restrictive network or wrapping my traffic on an insecure network, a VPN to an Azure- or EC2-provisioned virtual machine works just fine.


I have a Streisand [1] server on a Digital Ocean droplet, and I do run into the occasional Cloudflare: blocked or extra-aggressive captcha when I am routed through it.

1: https://github.com/StreisandEffect/streisand


Serious question, are there any professional VPN companies? Don't most VPN companies depend on cloud providers for many locations too? Most VPN companies have had serious screw-ups in the past. PureVPN - disabled all encryption by default for performance on their Windows client - for example. StrongVPN I recall logging. Other popular ones recur billing at top whack after a year and refuse refunds. Overloaded servers, port blocking and so on.


It depends what you want. If you're trying to obtain some degree of anonymity, then a personal VPN server is obviously much worse, since you'll be using a dedicated IP address just for you, instead of sharing a public one.

But if you just want to secure your data from an untrustworthy local network, it's a reasonable choice. You're less likely to be flagged as connecting from a "bad" IP.


You can have both. Mirimir reaches the Internet using a nested chain of three VPN services. The last being IVPN, given that I work for them. But then I use private VPNs on VPS when I need to pretend that I'm not using a VPN.


It depends. Some VPN services will go out of their way to protect users' privacy. Because it's a moral issue for them. Or because they value their reputation. Others will sell you out, to avoid penalties and costs. And the same is true for cloud providers.


It depends on a cloud provider


a professional VPN company is probably using some cloud provider themselves.


How do you decide what vpn tech to use?

I was using openvpn and then switched to wireguard because openvpn was consuming a lot of power on my phone.

Why would I want to use Ipsec?


> Why would I want to use Ipsec?

It's already built into your phone. (Probably)


It is. But just one tiny app for VPN isn't too bad if that VPN does not ruin internet bandwidth.


> Why would I want to use Ipsec?

Why wouldn't you?


I don't know. I briefly used IPsec when I stopped using OpenVPN and I was looking for alternatives. The setup for IPsec on the server was slightly annoying. I used a Github project that sets up everything for me but the script didn't do everything.

And I have observed (from just using IPsec and wireguard on my phone) that wireguard is quite good (maybe even better) than IPsec at not annihilating internet bandwidth.


Algo is great. I extend this script and use it as a quick-and-easy way of managing my dev team’s vpn into our clouds.


Having not done any cloud work myself I have no clue how much this would cost, anyone able to give a rough estimate?


$5/month or less is reasonable.


Not enough people have heard of Outline. https://getoutline.org/

It is a shadowsocks client and even non-technical users can provision VPNs on cloud hosting providers.


It's a Google/Alphabet project. Hmm.


It's not a Google project, it's a Jigsaw project. There's a huge difference, since one is run with extremely low resources and employees between the entities are not shared. Don't trust code that comes from Jigsaw. In my experience, it's all been haphazardly thrown together for a proof of concept and media coverage, not production quality software that people should use.


Outline is a security disaster, and I strongly recommend against using it.

- Shadowsocks is not a VPN, it's a per-application SOCKS proxy. What has Jigsaw done to ensure that packets don't leak outside of the tunnel? All UDP traffic leaks, so it looks like they did nothing! https://github.com/shadowsocks/shadowsocks-rust/issues/78

- Shadowsocks is dangerously full of bad configuration options to avoid. Did Jigsaw avoid all of them when it built Outline? Their copy of shadowsocks appears to use an unauthenticated CFB mode by default (https://github.com/Jigsaw-Code/outline-server/blob/d8cb1575d...), but then this setting is overridden elsewhere. Good luck checking all the rest.

- They enabled an automated update system they called "Watchtower." Is this safe to use? Who controls the keys? When are updates pushed out? How would it react to a subpoena?

- Is shadowsocks safe? It's a giant pile of C that was purpose-built to evade censorship by the Chinese Great Firewall, nothing more. It wasn't written or designed by an expert in secure communications and it was not even intended for that purpose. It's had a bunch of bugs before (https://x41-dsec.de/lab/advisories/x41-2017-008-shadowsocks/) and none of the crypto makes sense (https://crypto.stackexchange.com/questions/39776/evaluatung-...)!

- The setup process is bonkers. Outline has an Electron app that builds a cloud server, authenticates to it over a random port, then somehow bootstraps encrypted communication with a self-signed certificate. I haven't had time to review the process in all its detail but what the hell? The certificate does not even appear pinned correctly: https://github.com/Jigsaw-Code/outline-server/blob/d8cb1575d...

- Jigsaw did not pay for a reputable security review of the code. This security review is one of the worst, possibly THE worst, that I have ever read. It looks like shadowsocks was in scope at first, but then eliminated from scope. There's some weird fascination with parsing bugs in local configuration files. I don't know what's going on here, but it's a waste of paper: https://s3.amazonaws.com/outline-vpn/static_downloads/ros-re...

Jigsaw is advertising this as a method to keep high-risk journalists safe and it's likely to get someone killed (https://medium.com/jigsaw/introducing-outline-making-it-safe...). They are conflating two different use cases: Outline may be acceptable for bypassing censorship (low-risk, where success is immediately visible), but it is wholly unacceptable for protecting the safety or anonymity of speech online (which carries the risk of an invisible and potentially fatal failure in a hundred different ways if traffic can be inspected or even just attributed to a person).

tl;dr Outline is a flaming pile of garbage. Stop recommending it.


>Outline is a security disaster, and I strongly recommend against using it.

>- Shadowsocks is not a VPN, it's a per-application SOCKS proxy. What has Jigsaw done to ensure that packets don't leak outside of the tunnel? All UDP traffic leaks, so it looks like they did nothing! https://github.com/shadowsocks/shadowsocks-rust/issues/78

UDP seems to work properly with Outline without any issues. SOCKS proxies do allow UDP to be proxied.

>Shadowsocks is dangerously full of bad configuration options to avoid. Did Jigsaw avoid all of them when it built Outline? Their copy of shadowsocks appears to use an unauthenticated CFB mode by default (https://github.com/Jigsaw-Code/outline-server/blob/d8cb1575d...), but then this setting is overridden elsewhere. Good luck checking all the rest.

How can CFB mode be "unauthenticated"? What does that even mean?

>They enabled an automated update system they called "Watchtower." Is this safe to use? Who controls the keys? When are updates pushed out? How would it react to a subpoena?

Not sure about this one

>Is shadowsocks safe? It's a giant pile of C that was purpose-built to evade censorship by the Chinese Great Firewall, nothing more. It wasn't written or designed by an expert in secure communications and it was not even intended for that purpose. It's had a bunch of bugs before (https://x41-dsec.de/lab/advisories/x41-2017-008-shadowsocks/) and none of the crypto makes sense (https://crypto.stackexchange.com/questions/39776/evaluatung-...)!

Shadowsocks is/was written in Python. The CVEs you have linked affect the Python version only. There is however a much cleaner C version. If you'd read the spec, the crypto makes perfect sense; as pointed out by the stack exchange post, the lack of a KDF on the password is probably the only weak point.

>The setup process is bonkers. Outline has an Electron app that builds a cloud server, authenticates to it over a random port, then somehow bootstraps encrypted communication with a self-signed certificate. I haven't had time to review the process in all its detail but what the hell? The certificate does not even appear pinned correctly: https://github.com/Jigsaw-Code/outline-server/blob/d8cb1575d....

>Jigsaw did not pay for a reputable security review of the code. This security review is one of the worst, possibly THE worst, that I have ever read. It looks like shadowsocks was in scope at first, but then eliminated from scope. There's some weird fascination with parsing bugs in local configuration files. I don't know what's going on here, but it's a waste of paper: https://s3.amazonaws.com/outline-vpn/static_downloads/ros-re....

>Jigsaw is advertising this as a method to keep high-risk journalists safe and it's likely to get someone killed (https://medium.com/jigsaw/introducing-outline-making-it-safe...). They are conflating two different use cases: Outline may be acceptable for bypassing censorship (low-risk, where success is immediately visible), but it is wholly unacceptable for protecting the safety or anonymity of speech online (which carries the risk of an invisible and potentially fatal failure in a hundred different ways if traffic can be inspected or even just attributed to a person).

In a reply to a thread that is about an easy-to-set-up VPN, I think it is perfectly acceptable.

>tl;dr Outline is a flaming pile of garbage. Stop recommending it.

Outline is a fine iOS app that lets you connect to a shadowsocks server as an easy-to-use VPN. I can't speak for anything else.


>Algo supports DigitalOcean (most user friendly), Amazon Lightsail, Amazon EC2, Microsoft Azure, Google Compute Engine, Scaleway and OpenStack.

Four of the seven listed are cloud providers that actively encourage censorship for the sake of their business model. At best, you would be a fool to run a personal VPN on them; at worst, the fact that support exists at all could be evidence that this software is in fact worse than OpenVPN or Tor in that it facilitates an obviously poor implementation.

Google and Microsoft both joined the PRISM program in 2009.

https://en.wikipedia.org/wiki/PRISM_(surveillance_program)#M...



I once wanted to write an Ansible playbook to install VPN on a server but found out that you cannot just pass parameters via command line like

ansible setup-vpn 1.2.3.4

Ansible expects you to write host address into a file in /etc. So inconvenient. Also, Ansible doesn't support Windows and Cygwin.

It turned out it was easier to write instructions into a Bash program. Sadly, it is non-portable and works only with a specific distribution.

It is also surprising how many files there are in the repository for a relatively simple task. And how complicated the installation process is. In PHP everything would be easier, because you can pack your application into a single phar archive, like in Java.

They don't support the built-in Android client. I remember I installed Strongswan or something like this and it worked with Android out of the box.

I wouldn't recommend Digital Ocean. They don't accept virtual debit card (they want a real card so they can charge you whenever they want) and their VPS are too expensive. $5 per month is too expensive when you can find offers as low as 1 euro/month in Europe with pre-paid system.


>Ansible expects you to write host address into a file in /etc. So inconvenient.

When I was first learning ansible, I was very frustrated about things like this. I came to learn, though, that it is very flexible, and this behavior, as well as other weirdness is completely overrideable.

Two ways to override this behavior, with the inventory.ini file in the same directory as the project:

1) ansible.cfg in the project directory that points to the inventory file (you can also override other default behaviors using this file.)

2) pass in a -i argument with the path to the file.

I usually just go with option 1, because I like overriding many of the default behaviors (like making cowsay random, or turning it off sometimes), or setting up my ansible vault.
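The two override methods from the comment above, plus the inline host list that answers the original "ansible setup-vpn 1.2.3.4" wish, as an added example; this is not code from the thread, from Ansible or from Algo. The host 203.0.113.10 (RFC 5737 documentation range), the group name and the playbook name setup-vpn.yml are constructed placeholders; `inventory`, `host_key_checking` and `nocows` are real ansible.cfg keys, and the trailing-comma form of `-i` is a real Ansible feature.

```shell
#!/bin/sh
# Added example; not code from the thread, from Ansible or from Algo.
# It lays out an Ansible project that never touches /etc/ansible: a
# project-local ansible.cfg pointing at inventory.ini (option 1), the
# explicit "-i FILE" form (option 2), and Ansible's inline host list
# "-i HOST," (trailing comma), which needs no inventory file at all.
# Host 203.0.113.10, the group name and setup-vpn.yml are placeholders.

# write_ansible_project DIR: create ansible.cfg and inventory.ini in DIR.
write_ansible_project() {
    dir="$1"
    mkdir -p "$dir"
    cat > "$dir/ansible.cfg" <<'EOF'
[defaults]
# with this file in the working directory, `ansible-playbook setup-vpn.yml`
# finds the hosts here instead of in /etc/ansible/hosts
inventory = inventory.ini
# keep SSH host-key verification on: a VPN server is exactly the host you
# do not want to be silently redirected away from
host_key_checking = True
nocows = 1
EOF
    cat > "$dir/inventory.ini" <<'EOF'
[vpn_servers]
203.0.113.10 ansible_user=root
EOF
}

# inventory_hosts FILE: list the hosts in an INI inventory, skipping group
# headers, comments and blank lines.
inventory_hosts() {
    awk '/^[[:space:]]*[#;]/ || /^[[:space:]]*$/ || /^\[/ { next } { print $1 }' "$1"
}

# inline_inventory HOST: the "-i" argument for a one-off host. Ansible
# treats any -i value containing a comma as a literal host list rather
# than a file path, so "203.0.113.10," is a complete inventory.
inline_inventory() {
    printf '%s,\n' "$1"
}

# Usage: build the project, then show the three equivalent invocations.
proj=$(mktemp -d)
write_ansible_project "$proj"
echo "hosts: $(inventory_hosts "$proj/inventory.ini")"
echo "cd $proj && ansible-playbook setup-vpn.yml"
echo "ansible-playbook -i $proj/inventory.ini setup-vpn.yml"
echo "ansible-playbook -i $(inline_inventory 203.0.113.10) setup-vpn.yml"
rm -rf "$proj"
```

The inline form is the closest thing to "ansible setup-vpn 1.2.3.4": `ansible-playbook -i 203.0.113.10, setup-vpn.yml` (or `ansible -i 203.0.113.10, all -m ping` to check reachability first) works with no files beyond the playbook.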



Ansible works on Windows

https://www.ansible.com/integrations/infrastructure/windows

I don’t get the Ansible hate, it’s great.


It only can manage modern Windows versions. But you cannot use Windows to control other hosts: https://docs.ansible.com/ansible/latest/user_guide/windows_f...


Are there any specific VPS hosts you would recommend in Europe?


Aruba has 1-dollar tiny VPS which could be enough for a VPN server, don't know about their performance though. Vps.ag offers 3 euro instances. Both of them use pre-paid payments and accept virtual cards.

I recommend checking what VPS technology is used. If it is OpenVZ or similar then you won't be able to edit the iptables config, load kernel modules, or set up IPsec, because OpenVZ is more like a userspace container rather than a virtual machine. KVM, Xen and VMware work fine.
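A pre-flight check for the point just made, as an added example (not code from the thread or from Algo): run it on a fresh VPS before pointing an IPsec or WireGuard installer at it. `systemd-detect-virt`, `/proc/user_beancounters`, `/proc/vz` and `/lib/modules/$(uname -r)` are real interfaces; the fallback order, the labels and the list of "container-style" answers are this script's own choices, and nothing is loaded or changed on the host.

```shell
#!/bin/sh
# Added example; not from the thread or from Algo. Reports the
# virtualization type and whether the guest looks able to load kernel
# modules and enable forwarding, which container-style hosting
# (OpenVZ/Virtuozzo, LXC) usually does not allow. Read-only: nothing is
# loaded or modified. Labels and fallback order are this script's choice.

# detect_virt: prints a virtualization label, "none" on bare metal, or
# "unknown" when nothing recognisable is found. Never fails.
detect_virt() {
    if command -v systemd-detect-virt >/dev/null 2>&1; then
        # exits non-zero when it finds nothing, printing "none"
        v=$(systemd-detect-virt 2>/dev/null) || v=none
        printf '%s\n' "${v:-unknown}"
    elif [ -f /proc/user_beancounters ] || [ -d /proc/vz ]; then
        echo openvz          # OpenVZ/Virtuozzo guests expose these
    elif grep -qi hypervisor /proc/cpuinfo 2>/dev/null; then
        echo hvm             # some hardware VM (KVM, Xen HVM, VMware, ...)
    else
        echo unknown
    fi
}

# is_container_virt LABEL: true (exit 0) for container-style virtualization,
# where iptables, IPsec and module loading are at the host's mercy.
is_container_virt() {
    case "$1" in
        openvz|lxc|lxc-libvirt|systemd-nspawn|docker|podman|rkt) return 0 ;;
        *) return 1 ;;
    esac
}

# can_load_modules: "yes" if the guest has a module tree for its running
# kernel and the modprobe tool; "no" otherwise. Nothing is actually loaded.
can_load_modules() {
    if [ -d "/lib/modules/$(uname -r)" ] && command -v modprobe >/dev/null 2>&1; then
        echo yes
    else
        echo no
    fi
}

# ip_forward_writable: "yes" if the sysctl a VPN gateway needs can be set
# by the current user (run as root for a meaningful answer).
ip_forward_writable() {
    if [ -w /proc/sys/net/ipv4/ip_forward ]; then echo yes; else echo no; fi
}

# vpn_preflight: one-line summary; exit 0 means "real VM or bare metal with
# module support", exit 1 means "expect trouble with IPsec/WireGuard".
vpn_preflight() {
    virt=$(detect_virt)
    mods=$(can_load_modules)
    fwd=$(ip_forward_writable)
    printf 'virt=%s modules=%s ip_forward_writable=%s\n' "$virt" "$mods" "$fwd"
    if is_container_virt "$virt" || [ "$mods" = no ]; then
        return 1
    fi
    return 0
}

vpn_preflight || echo "warning: this host may not be able to run an IPsec/WireGuard server"
```

A "no" for modules on a KVM/Xen/VMware guest usually just means the distribution's kernel module package is missing, which is fixable; a container label is not, short of changing providers.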


You can specify inventory on the command line with -i




