How to Deploy Your Personal Algo VPN Server Anonymously

This article will show you how to make and install your own Algo VPN within minutes.

Features and Benefits of Algo

  • The self-hosted personal VPN server
  • Ease of deployment and security
  • Automatically deploys an on-demand VPN service
  • Not shared with other users
  • Relies on only modern protocols and ciphers
  • Includes only the minimal software you need
  • It’s free

Don’t have a server yet? Worry not! Get your very own dedicated server for the best price in the market!

SECTION 1.0 — CREATE A SECURE SSH KEY PAIR

Open Terminal

Create a directory to hold the SSH key pair

mkdir ~/.ssh

Restrict permissions for that directory.

chmod 700 ~/.ssh

Create what's called an RSA key pair.

ssh-keygen -a 256 -b 4096 -o -t rsa

  • The -a 256 argument sets the number of KDF rounds used to derive the key that encrypts your private key with your passphrase; the default is 16 rounds, so go with 256
  • The -b 4096 argument specifies that the key will be 4096 bits
  • The -o argument specifies the new, stronger OpenSSH format for the private key
  • The -t rsa argument specifies an RSA key

Accept the default file location

Enter file in which to save the key

(/Users/{YourUserName}/.ssh/id_rsa)

At the next prompt:

Enter a secure passphrase and save it securely.

Enter passphrase (empty for no passphrase)

The ssh-keygen command will show the following output:

Your identification has been saved in /Users/{YourUserName}/.ssh/id_rsa.
Your public key has been saved in /Users/{YourUserName}/.ssh/id_rsa.pub.
The key fingerprint is:
SHA256:{YourLongRandomPublicKey} {YourUserName}@{YourDevice}
The key’s randomart image is:
+--[ RSA 2048]----+
|        .        |
|       + .       |
|   .  .   .      |
|     o   +       |
|    H + S        |
|   + O o + .     |
|    .   A . o    |
|       o. W      |
|   .             |
+-----------------+

Save this info securely.

You have created an SSH key pair for the next step.

SECTION 2.0 — CREATE A DROPLET

Create a Virtual Private Server (what DigitalOcean calls a “droplet”).

SECTION 3.0 — HARDEN THE DROPLET

  1. Log onto your droplet (1 minute)
  2. Set the root password (3 minutes)
  3. Update and install packages (3 minutes)
  4. Create a new user (3 minutes)
  5. Require SSH authentication (3 minutes)
  6. Test the new user (1 minute)
  7. Install security updates and restart (3 minutes)
  8. Set sudo password for a new user (3 minutes)
  9. Grant sudo power to a new user (3 minutes)
  10. Lock down SSH (3 minutes)
  11. Activate a firewall (5 minutes)
  12. Install Fail2Ban (10 minutes)
  13. Automate security updates (5 minutes)
  14. Install Google Authenticator (5 minutes)
  15. Activate multi-factor authentication (5 minutes)
  16. Install Logwatch (3 minutes)
  17. Activate DigitalOcean Monitoring (1 minute)

3.1. Log onto Droplet

Log into your droplet using SSH.

ssh root@{your-new-digitalocean-droplet-ip-address}

The first time you log in, you will see a warning like this.

The authenticity of host 'x.x.x.x' can't be established.

ECDSA key fingerprint is SHA256:{longrandomlinesoftextmorelongrandomlinesoftext}.

Are you sure you want to continue connecting (yes/no)?

Just answer yes and proceed.

Enter the passphrase you chose when you created your SSH key pair.

Enter passphrase for key ‘/Users/{YourUserName}/.ssh/id_rsa’

You have just logged into your droplet.

3.2. Set the Root Password

Use this command to set a secure root passphrase.

passwd

3.3. Update and Install Packages

Enter these two commands.

apt-get update

apt-get upgrade

3.4. Create a New User

To create a new non-root user, enter these four commands.

useradd deploy

mkdir /home/deploy

mkdir /home/deploy/.ssh

chmod 700 /home/deploy/.ssh

3.5. Require SSH Authentication

Open a new Terminal session on your local machine and run this command.

cat ~/.ssh/id_rsa.pub

Copy the key you created into the clipboard.

Close the Terminal session.

Back in the Terminal session for your droplet, open the authorized_keys file with Nano.

nano /home/deploy/.ssh/authorized_keys

Paste the contents of the id_rsa.pub file from your local machine.

Save and close by hitting Ctrl-X.

Then enter these two commands.

chmod 400 /home/deploy/.ssh/authorized_keys

chown deploy:deploy /home/deploy -R

3.6. Test the New User

Open a new window.

Log in to the server as the new user deploy.

ssh deploy@{your-new-digitalocean-droplet-ip-address}

You may get a notification about security updates.

7 packages can be updated.

7 updates are security updates.

*** System restart required ***

Enter logout.

Close out of this Terminal session for deploy.

3.7. Install Security Updates and Restart

Return to your original Terminal session for the root user.

To install the security updates, run this command:

sudo apt full-upgrade

To restart, run this command:

shutdown -r now

You need to SSH back in again as root.

ssh root@{your-new-digitalocean-droplet-ip-address}

The result will be as follows:

0 packages can be updated.

0 updates are security updates.

You have rebooted your droplet for the first time.

3.8. Set Sudo Password for New User

Create a sudo password for the new user.

passwd deploy

Use a secure passphrase and save it securely.

3.9. Grant Sudo Power to the New User

To make a user a sudo user, run this command:

visudo

Confirm these two lines are present.

If not, add them.

root ALL=(ALL) ALL

%sudo ALL=(ALL) ALL

Save and close.

Then enter this command.

usermod -aG sudo deploy

To enable these changes, run this command:

exec su -l deploy

Your Terminal screen will give this output.

root@ubuntu-512mb-nyc1-01:~# exec su -l deploy
To run a command as administrator (user "root"), use "sudo <command>".
See "man sudo_root" for details.
deploy@ubuntu-512mb-nyc1-01:~$

3.10. Lock Down SSH

Edit server SSH configuration:

sudo nano /etc/ssh/sshd_config

Look for this text.

# Authentication:

LoginGraceTime 120

PermitRootLogin yes

StrictModes yes

Edit the PermitRootLogin line to no.

Enable your changes by restarting ssh with this command.

sudo service ssh restart
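Editing sshd_config by hand works, but a directive that is already present (or present and commented out) is easy to miss, and sshd only honours the first uncommented occurrence. The following is an added example, not part of the original article, of setting a directive idempotently and reading back the value sshd will actually use; it runs on a constructed copy of the snippet above, and the function names are this example's own.

```shell
#!/bin/sh
# Added example, not from the original article: idempotently set a directive
# in an sshd_config-style file and read back the value sshd will use.
# Usage: set_sshd_directive FILE Directive value
#   e.g. set_sshd_directive /etc/ssh/sshd_config PermitRootLogin no
# Covers the three states a directive can be in: present, present but
# commented out ("#PermitRootLogin yes"), or absent (appended at the end).
set_sshd_directive() {
    file=$1; key=$2; value=$3
    tmp=$(mktemp) || return 1
    # Rewrite the first matching (possibly commented) line, drop any later
    # duplicates so the file has exactly one copy, append if none was seen.
    awk -v key="$key" -v value="$value" '
        {
            line = $0
            sub(/^[ \t]*#?[ \t]*/, "", line)   # strip indent and comment marker
            split(line, f, /[ \t]+/)
            if (tolower(f[1]) == tolower(key)) {
                if (!seen) { print key " " value; seen = 1 }
                next
            }
            print
        }
        END { if (!seen) print key " " value }
    ' "$file" > "$tmp" && cat "$tmp" > "$file"   # cat keeps mode/owner of FILE
    rm -f "$tmp"
}

# sshd honours the FIRST uncommented occurrence of a directive, so that is
# the value this reports (empty output means the built-in default applies).
get_sshd_directive() {
    awk -v key="$2" '
        /^[ \t]*#/ { next }
        tolower($1) == tolower(key) { print $2; exit }
    ' "$1"
}

# Demo on a constructed copy of the snippet quoted in the article; never
# run this against the live /etc/ssh/sshd_config without a backup.
demo=$(mktemp)
printf '# Authentication:\nLoginGraceTime 120\nPermitRootLogin yes\nStrictModes yes\n' > "$demo"
set_sshd_directive "$demo" PermitRootLogin no
get_sshd_directive "$demo" PermitRootLogin   # prints: no
rm -f "$demo"
```

After editing the real file, run `sudo sshd -t` before restarting the service so a typo cannot leave you locked out.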

3.11. Activate a Firewall

Run this command.

sudo ufw status

Edit UFW’s config file so that the firewall also covers IPv6.

sudo nano /etc/default/ufw

Make sure IPv6 is set to yes

IPV6=yes

Save and close.

Set UFW’s default policies:

  • Deny all incoming connections
  • Allow all outgoing connections

Enter these two commands.

sudo ufw default deny incoming

sudo ufw default allow outgoing

Then open the ports you need by running these commands. The last rule allows SSH only from your static IP address, so if that address changes you will lock yourself out of the droplet.

sudo ufw allow 80

sudo ufw allow 443

sudo ufw allow from {your-static-IP-address} to any port 22

Enter these commands to turn off UFW then turn it on.

sudo ufw disable

sudo ufw enable

To confirm it’s running, type:

sudo ufw status verbose

3.12. Install Fail2Ban

It monitors login attempts to your server and blocks suspicious activity.

sudo apt-get install fail2ban

Copy /etc/fail2ban/jail.conf to a .local file.

sudo cp /etc/fail2ban/jail.conf /etc/fail2ban/jail.local

Then edit the /etc/fail2ban/jail.local file that you just created.

sudo nano /etc/fail2ban/jail.local

Look for this text.

[DEFAULT]
#
# MISCELLANEOUS OPTIONS
#
# "ignoreip" can be an IP address, a CIDR mask, or a DNS host. Fail2ban will not
# ban a host which matches an address in this list. Several addresses can be
# defined using space separator.
ignoreip = 127.0.0.1/8

Look six lines further down for this text.

# "bantime" is the number of seconds that a host is banned.
bantime = 600

Edit it so that it reads like this.

# "bantime" is the number of seconds that a host is banned.
# bantime = 600
# permanent ban
bantime = -1

Save and close.

Now use this command to reload Fail2Ban with your new rules.

sudo fail2ban-client reload

To confirm that you’ve whitelisted your IP address, run this command.

sudo fail2ban-client get sshd ignoreip

To confirm that offenders will be permanently banned (at least until the system is rebooted), enter this command.

sudo fail2ban-client get sshd bantime

Look for bantime = -1.

3.13. Install Logwatch

Run this command.

sudo apt-get install logwatch

Edit a Logwatch configuration file to run a cron job.

sudo nano /etc/cron.daily/00logwatch

Add this line.

/usr/sbin/logwatch --output mail --mailto youremailaddress@youremailservice.com --detail high

Save, and exit.

3.14. Activate DigitalOcean Monitoring

To install the agent, enter this command.

curl -sSL https://agent.digitalocean.com/install.sh | sh

Congratulations, you’ve hardened your droplet against hackers.

SECTION 4.0 — INSTALL ALGO

  1. Install Algo’s prerequisites
  2. Copy Algo onto your droplet
  3. Create Algo users
  4. Install Algo on your droplet
  5. Transfer Algo files to your devices
  6. Install Algo on your devices
  7. Confirm Algo is working

4.1 Install Algo’s Core Prerequisites

To run Ansible scripts, enter these commands.

sudo apt-add-repository -y ppa:ansible/ansible

sudo apt-get update -y

sudo apt-get upgrade -y

sudo apt-get install -y software-properties-common python-virtualenv ansible

4.2 Copy Algo onto Droplet

Now run these commands to fetch the latest Algo package.

sudo git clone https://github.com/trailofbits/algo

cd algo

sudo python -m virtualenv env

source env/bin/activate

4.3 Create Algo Users

Set up usernames for the people who will be using the VPN.

nano config.cfg

Remove the lines that represent the default users “dan” and “jack”.

Add your own (e.g., “adam”), so that this part of the file looks like this:

users:
 - adam

Look for this text and change 2 to -1.

# StrongSwan log level
#https://wiki.strongswan.org/projects/strongswan/wiki/LoggerConfiguration
strongswan_log_level: 2

Save and close.

4.4 Install Algo on Droplet

Type:

./algo

You will see this output:

What provider would you like to use?

  1. DigitalOcean
  2. Amazon EC2
  3. Microsoft Azure
  4. Google Compute Engine
  5. Install to existing Ubuntu 16.04 server

Enter the number of your desired provider

Select 5.

At the second prompt, hit return to accept localhost; do not enter your droplet’s IP address here.

Enter the IP address of your server: (or use localhost for local installation)[localhost]

At the third prompt, hit return.

What user should we use to log in on the server? (note: passwordless login required, or ignore if you're deploying to localhost)

At the fourth prompt, enter your droplet's IP address.

Enter the public IP address of your server: (IMPORTANT! This IP is used to verify the certificate)

At the fifth prompt, hit return.

Was this server deployed by Algo previously? [y/N]

At the sixth and seventh prompts, select yes.

Do you want macOS/iOS clients to enable “VPN On Demand” when connected to cellular networks?

[y/N]

Do you want macOS/iOS clients to enable "VPN On Demand" when connected to Wi-Fi?

[y/N]

At the eighth prompt, enter your preference.

List the names of trusted Wi-Fi networks (if any) that macOS/iOS clients exclude from using the VPN (e.g., your home network. Comma-separated value, e.g., HomeNet,OfficeWifi,AlgoWiFi)

Hit return to select the defaults for the remaining prompts.

Do you want to install a DNS resolver on this VPN server, to block ads while surfing?

[y/N]

Do you want each user to have their own account for SSH tunneling

[y/N]

Do you want to apply operating system security enhancements on the server? (warning: replaces your sshd_config)

[y/N]

Do you want the VPN to support Windows 10 or Linux Desktop clients? (enables compatible ciphers and key exchange, less secure)

[y/N]

Do you want to retain the CA key? (required to add users in the future, but less secure)

[y/N]

After about five minutes the installer should complete and print a message that says:

Congratulations!

Your Algo server is running.

You will also get the “p12 and SSH keys password for new users.”

Securely store this password.

Use it when you install the Algo VPN clients on your devices.

Algo will create configuration files in the directory ./deploy/algo/configs/{your-digitalocean-droplet-ip-address}.

Make deploy the owner of the Algo configuration files.

sudo chown -R deploy ./algo/configs/123.45.67.89/

The -R argument recursively changes the ownership of the folder.

4.5 Transfer Algo Files to Your Devices

Open a new Terminal session on your local machine and create a directory.

mkdir configs

cd configs

Log into your droplet using SFTP:

sftp deploy@{your-digitalocean-droplet-ip-address}

Change to the directory on your droplet that holds the Algo configuration files.

cd algo/configs/{your-digitalocean-droplet-ip-address}

Then type:

get *

Close the SFTP session.

exit

Use the same Terminal window to confirm that the Algo configuration files were downloaded.

ls

4.6 Install Algo on Your Devices

The file that you want will be named adam.mobileconfig.

Use the same profile to install Algo VPN on your macOS and iOS devices.

On a Mac, double-click the .mobileconfig file.

On iOS, AirDrop the .mobileconfig file to your device.

Enter the password that you got when you installed Algo to your droplet.

4.7 Confirm Algo Is Working

Check your IP address in your browser. If it is different from the one you saw before connecting, you have successfully built, installed, and deployed your very own Algo VPN.

This is your own VPN service on your own cloud-based computer.

Congratulations are in order. You made it to the end, and you are now the proud owner of an Algo VPN server. Let us know how you did it in the comments below.


Nisal N

I’m a Computer Engineering student and I always had a very strong passion for computers and networking. It always fascinated me how this technology functions and now I enjoy learning new things and also sharing my knowledge with fellow curiosity seekers out there.
