Algo VPN

Algo VPN is a set of Ansible scripts that simplify the setup of a personal IPSEC VPN. It uses the most secure defaults available, works with common cloud providers, and does not require client software on most devices.

Features

• Supports only IKEv2 with strong crypto (AES-GCM, SHA2, and P-256) and WireGuard
• Generates Apple profiles to auto-configure iOS and macOS devices
• Includes a helper script to add and remove users
• Blocks ads with a local DNS resolver (optional)
• Sets up limited SSH users for tunneling traffic (optional)
• Based on current versions of Ubuntu and strongSwan
• Installs to DigitalOcean, Amazon Lightsail, Amazon EC2, Vultr, Microsoft Azure, Google Compute Engine, Scaleway, OpenStack, or your own Ubuntu server

Anti-features

• Does not support legacy cipher suites or protocols like L2TP, IKEv1, or RSA
• Does not install Tor, OpenVPN, or other risky servers
• Does not depend on the security of TLS
• Does not require client software on most platforms
• Does not claim to provide anonymity or censorship avoidance
• Does not claim to protect you from the FSB, MSS, DGSE, or FSM

Changelog v1.1

Removed

• IKEv2 for Windows is now deleted, use Wireguard #1493

Added

• Tmpfs for key generation #145
• Randomly generated pre-shared keys for WireGuard #1465 (elreydetoda)
• Support for Ubuntu 19.04 #1405 (jackivanov)
• AWS support for existing EIP #1292 (statik)
• Script to support cloud-init and local easy deploy #1366 (jackivanov)
• Automatically create cloud firewall rules for installs onto Vultr #1400 (TC1977)
• Randomly generated IP address for the local dns resolver #1429 (jackivanov)
• Update users: add server pick-list #1441 (TC1977)
• Additional testing #213
• Add IPv6 support to DNS #1425 (shapiro125)
• Additional p12 with the CA cert included #1403 (jackivanov)

Fixed

• Fixes error in 10-algo-lo100.network #1369 (adamluk)
• Error message is missing for some roles #1364
• DNS leak in Linux/Wireguard when LAN gateway/DNS is 172.16.0.1 #1422
• Installation error after #1397 #1409
• EC2 encrypted images bug #1528

Changed

• Upgrade Ansible to 2.7.12 #1536
• DNSmasq removed, and the DNS adblocking functionality has been moved to the dnscrypt-proxy
• Azure: moved to the Standard_B1S image size
• Refactoring, Linting and additional tests #1397 (jackivanov)
• Scaleway modules #1410 (jackivanov)
• Use VULTR_API_CONFIG variable if set #1374 (davidemyers)
• Simplify Apple Profile Configuration Template #1033 (faf0)
• Include roles as separate tasks #1365 (jackivanov)

Download & Tutorial

Copyright (c) 2016 Trail of Bits