This article will show you how to make and install your own Algo VPN within minutes. Algo VPN is a set of Ansible scripts that simplify the setup of a personal WireGuard and IPsec VPN. It uses the most secure defaults available and works with common cloud providers.
Features and Benefits of Algo
- The self-hosted personal VPN server
- Ease of deployment and security
- Automatically deploys an on-demand VPN service
- Not shared with other users
- It relies only on modern protocols and ciphers
- Includes only the minimal software you need
- It’s free
Don’t have a server yet? Worry not! Get your very own dedicated server for the best price on the market!
SECTION 1.0 — CREATE A SECURE SSH KEY PAIR
Open the terminal and create a directory to hold the SSH key pair.
mkdir ~/.ssh
Restrict permissions for that directory.
chmod 700 ~/.ssh
Create what's called an RSA key pair.
ssh-keygen -a 256 -b 4096 -o -t rsa
- The -a 256 argument sets the number of KDF rounds used to derive the private key's encryption key from your passphrase; more rounds make offline guessing of the passphrase slower
- The default is 16 rounds
- Go with 256
- The -b 4096 argument specifies that the key will be 4096 bits
- The -o argument specifies the newer, stronger OpenSSH format for the private key
- The -t rsa argument specifies an RSA key
Accept the default file location.
Enter file in which to save the key
(/Users/{YourUserName}/.ssh/id_rsa)
At the next prompt, enter a secure passphrase and save it securely.
Enter passphrase (empty for no passphrase)
The ssh-keygen command will show the following output:
Your identification has been saved in /Users/{YourUserName}/.ssh/id_rsa.
Your public key has been saved in /Users/{YourUserName}/.ssh/id_rsa.pub.
The key fingerprint is:
SHA256:{YourLongRandomPublicKey} {YourUserName}@{YourDevice}
The key’s randomart image is:
+--[ RSA 2048]----+
| . |
| + . |
| . . . |
| o + |
| H + S |
| + O o + . |
| . A . o |
| o. W |
| . |
+-----------------+
Save this info securely. Congrats, you have created an SSH key pair for the next step.
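What -o, -a and -b change is visible in the private key file itself. The following Python checker is an added example, not part of the article or of OpenSSH: it parses the unencrypted header of an OpenSSH-format private key (cipher, KDF, KDF rounds, key type, RSA modulus size) and lists where a key falls short of the options used above. build_sample_key is a constructed fixture that only imitates the header layout; to check a real key, pass the text of your ~/.ssh/id_rsa to inspect_private_key.

```python
import base64
import struct

MAGIC = b"openssh-key-v1\x00"
HEAD, TAIL = "-----BEGIN OPENSSH PRIVATE KEY-----", "-----END OPENSSH PRIVATE KEY-----"
_put = lambda b: struct.pack(">I", len(b)) + b  # encode an SSH wire-format string

def _string(buf, off):  # decode one SSH wire-format string (uint32 length + bytes)
    (n,) = struct.unpack_from(">I", buf, off)
    return buf[off + 4:off + 4 + n], off + 4 + n

def inspect_private_key(pem_text):
    """Parse the unencrypted header of an OpenSSH-format (-o) private key file."""
    lines = pem_text.strip().splitlines()
    if lines[0] != HEAD or lines[-1] != TAIL:
        raise ValueError("not an OpenSSH-format private key (was -o used?)")
    raw = base64.b64decode("".join(lines[1:-1]))
    cipher, off = _string(raw, len(MAGIC))   # "none" means no passphrase at all
    kdf, off = _string(raw, off)             # "bcrypt" when passphrase-protected
    kdfopts, off = _string(raw, off)         # bcrypt: string salt, uint32 rounds
    rounds = struct.unpack(">I", kdfopts[-4:])[0] if kdf == b"bcrypt" else 0
    pub, _ = _string(raw, off + 4)           # +4 skips the uint32 number-of-keys
    ktype, o = _string(pub, 0)
    bits = None
    if ktype == b"ssh-rsa":                  # pubkey = string type, mpint e, mpint n
        _e, o = _string(pub, o)
        bits = int.from_bytes(_string(pub, o)[0], "big").bit_length()
    return {"cipher": cipher.decode(), "kdf": kdf.decode(), "rounds": rounds,
            "key_type": ktype.decode(), "bits": bits}

def check_hardened(info, min_rounds=256, min_rsa_bits=4096):
    """List the ways a key falls short of the article's ssh-keygen options."""
    rsa = info["key_type"] == "ssh-rsa"
    checks = [
        (info["cipher"] != "none", "private key is not passphrase-protected"),
        (info["kdf"] == "bcrypt" and info["rounds"] >= min_rounds,
         "fewer than %d bcrypt KDF rounds (-a)" % min_rounds),
        (not rsa or info["bits"] >= min_rsa_bits, "RSA key under %d bits (-b)" % min_rsa_bits),
    ]
    return [msg for ok, msg in checks if not ok]

def build_sample_key(cipher="aes256-ctr", kdf="bcrypt", rounds=256, n_bits=4096):
    """Constructed test fixture: dummy modulus and dummy private section, NOT a usable key."""
    n = (1 << (n_bits - 1)).to_bytes(n_bits // 8, "big")
    kdfopts = _put(b"\x00" * 16) + struct.pack(">I", rounds) if kdf == "bcrypt" else b""
    pub = _put(b"ssh-rsa") + _put(b"\x01\x00\x01") + _put(n)
    raw = (MAGIC + _put(cipher.encode()) + _put(kdf.encode()) + _put(kdfopts)
           + struct.pack(">I", 1) + _put(pub) + _put(b"\x00" * 32))
    return "\n".join([HEAD, base64.b64encode(raw).decode(), TAIL])
```

A key generated without -o starts with "BEGIN RSA PRIVATE KEY" instead and is rejected by the checker outright.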
SECTION 2.0 — CREATE A DROPLET
Create a Virtual Private Server, what DigitalOcean calls a “droplet.”
SECTION 3.0 — HARDEN THE DROPLET
- Log onto your droplet (1 minute)
- Set the root password (3 minutes)
- Update and install packages (3 minutes)
- Create a new user (3 minutes)
- Require SSH authentication (3 minutes)
- Test the new user (1 minute)
- Install security updates and restart (3 minutes)
- Set Sudo password for a new user (3 minutes)
- Grant sudo power to a new user (3 minutes)
- Lock down SSH (3 minutes)
- Activate a firewall (5 minutes)
- Install Fail2Ban (10 minutes)
- Automate security updates (5 minutes)
- Install Google Authenticator (5 minutes)
- Activate multi-factor authentication (5 minutes)
- Install Logwatch (3 minutes)
- Activate DigitalOcean Monitoring (1 minute)
3.1. Log onto Droplet
Log into your droplet using SSH.
ssh root@{your-new-digitalocean-droplet-ip-address}
The first time you log in, you'll get a host-key warning like this.
The authenticity of host 'x.x.x.x' can't be established.
ECDSA key fingerprint is SHA256:{longrandomlinesoftextmorelongrandomlinesoftext}.
Are you sure you want to continue connecting (yes/no)?
Just answer yes and proceed.
Enter the passphrase you chose when you created your SSH key pair.
Enter passphrase for key ‘/Users/{YourUserName}/.ssh/id_rsa’
You have just logged into your droplet.
3.2. Set the Root Password
Use this command to set a secure root passphrase.
passwd
3.3. Update and Install Packages
Enter these two commands.
apt-get update
apt-get upgrade
3.4. Create a New User
To create a new non-root user, enter these four commands.
useradd deploy
mkdir /home/deploy
mkdir /home/deploy/.ssh
chmod 700 /home/deploy/.ssh
3.5. Require SSH Authentication
Open a new Terminal session on your local machine and run this command.
cat ~/.ssh/id_rsa.pub
- Copy the key it prints to the clipboard.
- Close that Terminal session.
- Back in the Terminal session for your droplet, open the authorized_keys file with nano.
nano /home/deploy/.ssh/authorized_keys
- Paste the contents of the id_rsa.pub file from your local machine.
- Save and close by hitting ctrl+x.
- Then enter these two commands.
chmod 400 /home/deploy/.ssh/authorized_keys
chown deploy:deploy /home/deploy -R
3.6. Test the New User
Open a new window and log in to the server as the new user, deploy.
ssh deploy@{your-new-digitalocean-droplet-ip-address}
You may get a notification about security updates.
7 packages can be updated.
7 updates are security updates.
*** System restart required ***
Close this Terminal session for the deploy user.
3.7. Install Security Updates and Restart
Return to your original Terminal session for the root user and install the security updates with this command:
sudo apt full-upgrade
To restart, run this command:
shutdown -r now
You need to SSH back in again as root.
ssh root@{your-new-digitalocean-droplet-ip-address}
The login banner should now report that no updates are pending:
0 packages can be updated
0 updates are security updates.
You have rebooted your droplet for the first time.
3.8. Set Sudo Password for New User
Create a sudo password for the new user.
passwd deploy
Use a secure passphrase and save it securely.
3.9. Grant Sudo Power to the New User
To make a user a sudo user, run this command:
visudo
Confirm these two lines are present.
If not, add them.
root ALL=(ALL) ALL
%sudo ALL=(ALL) ALL
Save and close.
Then enter this command.
usermod -aG sudo deploy
To enable these changes, run this command:
exec su -l deploy
Your Terminal will show something like this.
root@ubuntu-512mb-nyc1-01:~# exec su -l deploy
To run a command as administrator (user "root"), use "sudo".
See "man sudo_root" for details.
deploy@ubuntu-512mb-nyc1-01:~$
3.10. Lock Down SSH
Edit the server's SSH daemon configuration:
sudo nano /etc/ssh/sshd_config
Look for this text.
# Authentication:
LoginGraceTime 120
PermitRootLogin yes
StrictModes yes
Change the PermitRootLogin line to read PermitRootLogin no.
Save the file and exit nano to apply your change.
Run this command to restart the SSH service.
sudo service ssh restart
3.11. Activate a Firewall
Run this command to check the firewall's current state.
sudo ufw status
Edit UFW’s default configuration file with nano so that the firewall also covers IPv6.
sudo nano /etc/default/ufw
Make sure IPv6 is set to yes
IPV6=yes
Save and close.
Set UFW's default policies:
- It will deny all incoming connections
- It will allow all outgoing connections
Enter these two commands.
sudo ufw default deny incoming
sudo ufw default allow outgoing
Run these commands to open the ports you need: HTTP, HTTPS, and SSH from your own static IP address only.
sudo ufw allow 80
sudo ufw allow 443
sudo ufw allow from {your-static-IP-address} to any port 22
Enter these commands to turn UFW off and then on again so the settings take effect.
sudo ufw disable
sudo ufw enable
To confirm it is running, type:
sudo ufw status verbose
3.12. Install Fail2Ban
Fail2Ban monitors login attempts to your server and blocks hosts that fail repeatedly. Install it with this command.
sudo apt-get install fail2ban
Copy /etc/fail2ban/jail.conf to a .local file so that your changes are not overwritten by package upgrades.
sudo cp /etc/fail2ban/jail.conf /etc/fail2ban/jail.local
Then edit the /etc/fail2ban/jail.local file you just created.
sudo nano /etc/fail2ban/jail.local
Look for this code.
[DEFAULT]
#
# MISCELLANEOUS OPTIONS
#
# "ignoreip" can be an IP address, a CIDR mask, or a DNS host. Fail2ban will not
# ban a host which matches an address in this list. Several addresses can be
# defined using space separator.
ignoreip = 127.0.0.1/8
Look six lines further down for this text:
bantime = 600
“bantime” is the number of seconds a host is banned. Edit it so that it reads like this.
# bantime = 600
# permanent ban
bantime = -1
Save and close.
Now use this command to reload Fail2Ban with your new rules.
sudo fail2ban-client reload
To see which addresses the sshd jail will never ban (its ignoreip list), run this command.
sudo fail2ban-client get sshd ignoreip
Enter this command to confirm that offenders will be permanently banned (at least until the system is rebooted).
sudo fail2ban-client get sshd bantime
Look for bantime = -1.
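To make the ignoreip, maxretry, findtime and bantime settings concrete, here is an added Python replay of the sshd jail's counting rule; it is not code from the article or from Fail2Ban. The log lines, hostname and addresses are constructed, and the second entry in the example's default ignoreip stands in for your own static IP.

```python
import ipaddress
import re
from collections import defaultdict, deque
from datetime import datetime

# Syslog-style sshd failure lines, the kind fail2ban's sshd filter matches.
FAILED = re.compile(r"^(\w{3} +\d+ \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: "
                    r"Failed password for (?:invalid user )?\S+ from (\S+) port \d+")

# Constructed sample log: 203.0.113.7 brute-forces root, while the admin at
# 198.51.100.10 mistypes a password once and then logs in normally with a key.
SAMPLE_LOG = """\
Mar 12 10:00:01 droplet sshd[1101]: Failed password for root from 203.0.113.7 port 50122 ssh2
Mar 12 10:00:02 droplet sshd[1102]: Failed password for invalid user admin from 203.0.113.7 port 50123 ssh2
Mar 12 10:00:03 droplet sshd[1103]: Failed password for deploy from 198.51.100.10 port 61000 ssh2
Mar 12 10:00:04 droplet sshd[1104]: Failed password for root from 203.0.113.7 port 50124 ssh2
Mar 12 10:00:05 droplet sshd[1105]: Accepted publickey for deploy from 198.51.100.10 port 61001 ssh2
Mar 12 10:00:06 droplet sshd[1106]: Failed password for root from 203.0.113.7 port 50125 ssh2
Mar 12 10:00:07 droplet sshd[1107]: Failed password for root from 203.0.113.7 port 50126 ssh2
Mar 12 10:00:08 droplet sshd[1108]: Failed password for root from 203.0.113.7 port 50127 ssh2
"""

def parse_ignoreip(value):
    """Parse a jail.local 'ignoreip' value (space-separated IPs or CIDRs)."""
    return [ipaddress.ip_network(tok, strict=False) for tok in value.split()]

def replay(log_text, ignoreip="127.0.0.1/8 198.51.100.10", maxretry=5,
           findtime=600, bantime=-1):
    """Apply fail2ban's rule: a host reaching maxretry failures within findtime
    seconds is banned for bantime seconds (-1 = until reboot, the article's
    setting); hosts matching ignoreip are never banned. Returns {ip: bantime}."""
    ignored = parse_ignoreip(ignoreip)
    recent = defaultdict(deque)   # ip -> timestamps of failures inside findtime
    bans = {}
    for line in log_text.splitlines():
        m = FAILED.match(line)
        if not m:
            continue
        when = datetime.strptime(m.group(1), "%b %d %H:%M:%S")  # year-less syslog stamp
        ip = ipaddress.ip_address(m.group(2))
        if str(ip) in bans or any(ip in net for net in ignored):
            continue
        hits = recent[ip]
        hits.append(when)
        while (when - hits[0]).total_seconds() > findtime:
            hits.popleft()
        if len(hits) >= maxretry:
            bans[str(ip)] = bantime
    return bans
```

With bantime = -1 a ban outlives the attacker's interest, so the ignoreip line is what keeps a mistyped password from locking you out of your own droplet.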
3.13. Install Logwatch
Install Logwatch with this command.
sudo apt-get install logwatch
Edit the Logwatch cron job so that it mails you a daily report.
sudo nano /etc/cron.daily/00logwatch
Add this line.
/usr/sbin/logwatch --output mail --mailto [email protected] --detail high
Save, and exit.
3.14. Activate DigitalOcean Monitoring
To install the agent, enter this command.
curl -sSL https://agent.digitalocean.com/install.sh | sh
Congratulations, you’ve hardened your droplet against hackers.
SECTION 4.0 — INSTALL ALGO
- Install Algo’s prerequisites
- Copy Algo onto your droplet
- Create Algo users
- Install Algo on your droplet
- Transfer Algo files to your devices
- Install Algo on your devices, and
- Confirm Algo is working
4.1 Install Algo’s Core Prerequisites
Install Ansible and the other tools Algo's scripts need with these commands.
sudo apt-add-repository -y ppa:ansible/ansible
sudo apt-get update -y
sudo apt-get upgrade -y
sudo apt-get install -y software-properties-common python-virtualenv ansible
4.2 Copy Algo onto Droplet
Now run these commands to fetch the latest Algo source and create a Python virtual environment for it.
sudo git clone https://github.com/trailofbits/algo
cd algo
sudo python -m virtualenv env
source env/bin/activate
4.3 Create Algo Users
Set up usernames for the people who will be using the VPN.
nano config.cfg
Remove the lines that represent the default users “dan” and “jack”.
Add your own (e.g., “adam”) so that this part of the file looks like this:
users:
- adam
Look for this text and change 2 to -1.
# StrongSwan log level
#https://wiki.strongswan.org/projects/strongswan/wiki/LoggerConfiguration
strongswan_log_level: -1
Save and close.
4.4 Install Algo on Droplet
Type:
./algo
You will see this output:
What provider would you like to use?
1. DigitalOcean
2. Amazon EC2
3. Microsoft Azure
4. Google Compute Engine
5. Install to existing Ubuntu 16.04 server
Enter the number of your desired provider
Select 5.
Do not enter your droplet’s IP address here; instead, enter localhost as shown below.
Enter the IP address of your server: (or use localhost for local installation)[localhost]
At the third prompt, hit return.
What user should we use to log in on the server? (note: passwordless login required, or ignore if you're deploying to localhost)
At the fourth prompt, enter your droplet's IP address.
Enter the public IP address of your server: (IMPORTANT! This IP is used to verify the certificate)
At the fifth prompt, hit return.
Was this server deployed by Algo previously? [y/N]
At the sixth and seventh prompts, select yes.
Do you want macOS/iOS clients to enable “VPN On Demand” when connected to cellular networks?
[y/N]
Do you want macOS/iOS clients to enable "VPN On Demand" when connected to Wi-Fi?
[y/N]
At the eighth prompt, enter your preference.
List the names of trusted Wi-Fi networks (if any) that macOS/iOS clients exclude from using the VPN (e.g., your home network. Comma-separated value, e.g., HomeNet,OfficeWifi,AlgoWiFi)
Hit return to select the defaults for the remaining prompts.
Do you want to install a DNS resolver on this VPN server, to block ads while surfing?
[y/N]
Do you want each user to have their own account for SSH tunneling
[y/N]
Do you want to apply operating system security enhancements on the server? (warning: replaces your sshd_config)
[y/N]
Do you want the VPN to support Windows 10 or Linux Desktop clients? (enables compatible ciphers and key exchange, less secure)
[y/N]
Do you want to retain the CA key? (required to add users in the future, but less secure)
[y/N]
After about five minutes the installer should finish and print this message:
Congratulations!
Your Algo server is running.
The output also includes the “p12 and SSH keys password for new users.” Store this password securely; you will need it when you install the Algo VPN clients on your devices.
Algo will create configuration files in the directory ./deploy/algo/configs/{your-digitalocean-droplet-ip-address}.
Make deploy the owner of the Algo configuration files. The -R argument recursively changes the ownership of the folder.
sudo chown -R deploy ./algo/configs/123.45.67.89/
4.5 Transfer Algo Files to Your Devices
Open a new Terminal session on your local machine and create a directory for the configuration files.
mkdir configs
cd configs
Log into your droplet using SFTP:
sftp deploy@{your-digitalocean-droplet-ip-address}
Change to the directory on your droplet that holds the Algo configuration files.
cd algo/configs/{your-digitalocean-droplet-ip-address}
Then type:
get *
Close the SFTP session.
exit
Use the same Terminal window to confirm that the Algo configuration files were downloaded.
ls
4.6 Install Algo on Your Devices
The file you want is named adam.mobileconfig (after the user you added to config.cfg). Use the same profile to install Algo VPN on your macOS and iOS devices.
For Mac, double-click the .mobileconfig file.
For iOS, Airdrop the .mobileconfig file to your device.
Enter the password that you got when you installed Algo to your droplet. After entering the password, you may want to consider your long-term privacy needs. For a comprehensive guide on selecting the right VPN for your personal use, check out our article on How to Choose a VPN.
4.7 Confirm Algo Is Working
Check your public IP address in your browser. If it differs from the one you had before connecting, you have successfully made, installed, and deployed your own Algo VPN on your device.
This is your own VPN service on your own cloud-based computer.
Conclusion
Congratulations are in order! You made it to the end; you’re now a proud owner of an Algo VPN server. If you're using a VPS for your VPN server setup, you've just completed an important step in securing your network. However, for those seeking an additional layer of privacy and anonymity, you might want to consider using an anonymous VPS. An anonymous VPS can offer you more privacy by masking your identity during the setup process, ensuring that your personal information isn't tied to the server you're using.
To further enhance your online security and learn about the benefits of using a VPN, check out our guide on how to get a VPN.
Let us know how you did it in the comments below. Sharing your experience can help others who are setting up their own VPS for VPN servers or exploring similar solutions like anonymous VPS hosting for enhanced security.
For a comprehensive guide on selecting the best VPS for your needs, check out our post on VPS for OpenVPN, which offers insights into optimal server choices and configurations for a seamless VPN experience.