This article will show you how to make and install your own Algo VPN within minutes. Algo VPN is a set of Ansible scripts that simplify the setup of a personal WireGuard and IPsec VPN. It uses the most secure defaults available and works with common cloud providers.

Features and Benefits of Algo

  • The self-hosted personal VPN server
  • Ease of deployment and security
  • Automatically deploys an on-demand VPN service
  • Not shared with other users
  • It relies on only modern protocols and ciphers
  • Includes only the minimal software you need
  • It’s free

Don’t have a server yet? Worry not! Get your very own dedicated server for the best price on the market!

SECTION 1.0 — CREATE A SECURE SSH KEY PAIR

Open the terminal and create a directory to hold the SSH key pair.

mkdir ~/.ssh

Restrict permissions for that directory.

chmod 700 ~/.ssh

Create what's called an RSA key pair.

ssh-keygen -a 256 -b 4096 -o -t rsa

  • The -a 256 argument specifies 256 KDF rounds for protecting the passphrase
  • The default is 16 rounds
  • Go with 256
  • The -b 4096 argument specifies that the key will be 4096 bits
  • The -o argument specifies using the new, stronger OpenSSH format for the private key
  • The -t rsa argument specifies using an RSA key

Accept the default file location.

Enter file in which to save the key

(/Users/{YourUserName}/.ssh/id_rsa)

At the next prompt, enter a secure passphrase and save it securely.

Enter passphrase (empty for no passphrase)

The ssh-keygen command will show the following output:

Your identification has been saved in /Users/{YourUserName}/.ssh/id_rsa.
Your public key has been saved in /Users/{YourUserName}/.ssh/id_rsa.pub.
The key fingerprint is:
SHA256:{YourLongRandomPublicKey} {YourUserName}@{YourDevice}
The key’s randomart image is:
+--[ RSA 2048]----+
|        .        |
|       + .       |
|   .  .   .      |
|     o   +       |
|    H + S        |
|   + O o + .     |
|    .   A . o    |
|       o. W      |
|   .             |
+-----------------+

Save this info securely. Congrats, you have created an SSH key pair for the next step.

SECTION 2.0 — CREATE A DROPLET

Create a Virtual Private Server, what Digital Ocean calls a “droplet.”

SECTION 3.0 — HARDEN THE DROPLET

  1. Log onto your droplet (1 minute)
  2. Set the root password (3 minutes)
  3. Update and install packages (3 minutes)
  4. Create a new user (3 minutes)
  5. Require SSH authentication (3 minutes)
  6. Test the new user (1 minute)
  7. Install security updates and restart (3 minutes)
  8. Set Sudo password for a new user (3 minutes)
  9. Grant sudo power to a new user (3 minutes)
  10. Lockdown SSH (3 minutes)
  11. Activate a firewall (5 minutes)
  12. Install Fail2Ban (10 minutes)
  13. Automate security updates (5 minutes)
  14. Install Google Authenticator (5 minutes)
  15. Activate multi-factor authentication (5 minutes)
  16. Install Logwatch (3 minutes)
  17. Activate DigitalOcean Monitoring (1 minute)

3.1. Log onto Droplet

Log into your droplet using SSH.

ssh root@{your-new-digitalocean-droplet-ip-address}

The first time logging in, you'll get a warning like this.

The authenticity of host 'x.x.x.x' can't be established.
ECDSA key fingerprint is SHA256:{longrandomlinesoftextmorelongrandomlinesoftext}.
Are you sure you want to continue connecting (yes/no)?

Just answer yes and proceed.

Enter the passphrase you chose when you created your SSH public key.

Enter passphrase for key ‘/Users/{YourUserName}/.ssh/id_rsa’

You have just logged into your droplet.

3.2. Set the Root Password

Use this command to set a secure root passphrase.

passwd

3.3. Update and Install Packages

Enter these two commands.

apt-get update

apt-get upgrade

3.4. Create a New User

To create a new non-root user, enter these four commands.

useradd deploy

mkdir /home/deploy

mkdir /home/deploy/.ssh

chmod 700 /home/deploy/.ssh

3.5. Require SSH Authentication

Open a new Terminal session and run this command.

cat ~/.ssh/id_rsa.pub

  • Copy the key you created into the clipboard.
  • Close the Terminal session.
  • Again open the terminal session for your droplet; use Nano.

nano /home/deploy/.ssh/authorized_keys

  • Paste the contents of the id_rsa.pub file from your local machine.
  • Save and close by hitting ctrl+x.
  • Then enter these two commands.

chmod 400 /home/deploy/.ssh/authorized_keys

chown deploy:deploy /home/deploy -R

3.6. Test the New User

Open a new window and log in to the server as the new user deploy.

ssh deploy@{your-new-digitalocean-droplet-ip-address}

You may get a notification about security updates.

7 packages can be updated.
7 updates are security updates.
*** System restart required ***

Close this Terminal session for the deploy user.

3.7. Install Security Updates and Restart

Return to your original Terminal session for the root user. Install the security updates, and run this command:

sudo apt full-upgrade

To restart, run this command:

shutdown -r now

You need to SSH back in again as root.

ssh root@{your-new-digitalocean-droplet-ip-address}

The result will be as follows:

0 packages can be updated
0 updates are security updates.

You have rebooted your droplet for the first time.

3.8. Set Sudo Password for New User

Create a sudo password for the new user.

passwd deploy

Use a secure passphrase and save it securely.

3.9. Grant Sudo Power to the New User

To make a user a sudo user, run this command:

visudo

Confirm these two lines are present.

If not, add them.

root ALL=(ALL) ALL

%sudo ALL=(ALL) ALL

Save and close.

Then enter this command.

usermod -aG sudo deploy

To enable these changes, run this command:

exec su -l deploy

Your Terminal screen will give this output.

root@ubuntu-512mb-nyc1-01:~# exec su -l deploy
To run a command as administrator (user "root"), use "sudo ".
See "man sudo_root" for details.
deploy@ubuntu-512mb-nyc1-01:~$

3.10. Lock Down SSH

Edit server SSH configuration:

sudo nano /etc/ssh/sshd_config

Look for this text.

# Authentication:
LoginGraceTime 120
PermitRootLogin yes
StrictModes yes

Edit the PermitRootLogin line to no.

Enable your changes by saving the changes and exiting the nano text editor.

Run this command to restart ssh.

sudo service ssh restart

3.11. Activate a Firewall

Run this command.

sudo ufw status

Edit UFW’s config file with the nano text editor so that UFW also covers IPv6.

sudo nano /etc/default/ufw

Make sure IPv6 is set to yes

IPV6=yes

Save and close.

Set UFW

  • It will deny all incoming connections
  • It will allow all outgoing connections

Enter these two commands

sudo ufw default deny incoming

sudo ufw default allow outgoing

Run these commands to adjust some crucial settings.

sudo ufw allow 80

sudo ufw allow 443

sudo ufw allow from {your-static-IP-address} to any port 22

Enter these commands to turn UFW off and then back on so the settings take effect.

sudo ufw disable

sudo ufw enable

To confirm it’s running, type:

sudo ufw status verbose

3.12. Install Fail2Ban

It monitors login attempts to your server and blocks suspicious activity.

sudo apt-get install fail2ban

Copy /etc/fail2ban/jail.conf to a .local file.

sudo cp /etc/fail2ban/jail.conf /etc/fail2ban/jail.local

Then edit the /etc/fail2ban/jail.local file you just created.

sudo nano /etc/fail2ban/jail.local

Look for this code.

[DEFAULT]
#
# MISCELLANEOUS OPTIONS
#
# "ignoreip" can be an IP address, a CIDR mask, or a DNS host. Fail2ban will not
# ban a host which matches an address in this list. Several addresses can be
# defined using space separator.
ignoreip = 127.0.0.1/8

Look six lines further down for this text:

bantime = 600

“bantime” is the number of seconds a host is banned. Edit it so that it reads like this.

# bantime = 600

# permanent ban

bantime = -1

Save and close.

Now use this command to reload Fail2Ban with your new rules.

sudo fail2ban-client reload

To confirm which addresses are exempt from banning (your own IP address, if you added it to ignoreip), run this command.

sudo fail2ban-client get sshd ignoreip

Enter this command to confirm that offenders will be permanently banned (at least until the system is rebooted).

sudo fail2ban-client get sshd bantime

Look for bantime = -1.
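One way to verify that the settings from sections 3.10 to 3.12 actually landed, as an added example that is not part of the original article: a POSIX shell audit that reads sshd_config, /etc/default/ufw and jail.local and reports each deviation from the tutorial. It assumes the admin IP you pass is the static address you allowed through UFW and that you also want it listed in fail2ban’s ignoreip so a typo in your own passphrase cannot lock you out.

```shell
#!/bin/sh
# Audit of the hardening steps in sections 3.10 to 3.12 (added example, not from the
# article). Each check reads a config file, prints what is wrong, and returns 0 when
# the setting matches the tutorial, 1 otherwise; paths are parameters so copies can be tested.

sshd_value() {  # $1 = sshd_config, $2 = keyword; first non-comment match wins, as in sshd
    awk -v key="$2" 'tolower($1) == tolower(key) { print $2; exit }' "$1"
}

check_sshd() {  # $1 = sshd_config path
    v=$(sshd_value "$1" PermitRootLogin)
    [ "$v" = "no" ] && return 0
    echo "sshd: PermitRootLogin is '${v:-unset}', expected 'no'"
    return 1
}

check_ufw_ipv6() {  # $1 = /etc/default/ufw path
    grep -Eq '^[[:space:]]*IPV6=yes[[:space:]]*$' "$1" && return 0
    echo "ufw: IPV6 is not set to yes in $1"
    return 1
}

# Value of a key in the [DEFAULT] section of a fail2ban jail file (ini format);
# commented-out lines such as "# bantime = 600" are ignored.
jail_default() {  # $1 = jail.local path, $2 = key
    awk -v key="$2" '
        /^[ \t]*\[/ { indefault = ($0 ~ /^[ \t]*\[DEFAULT\]/) }
        indefault && $0 ~ ("^[ \t]*" key "[ \t]*=") { sub(/^[^=]*=[ \t]*/, ""); print; exit }
    ' "$1"
}

check_fail2ban() {  # $1 = jail.local path, $2 = your admin IP (must be in ignoreip)
    rc=0
    bt=$(jail_default "$1" bantime)
    if [ "$bt" != "-1" ]; then echo "fail2ban: bantime is '$bt', expected -1"; rc=1; fi
    case " $(jail_default "$1" ignoreip) " in
        *" $2 "*) ;;
        *) echo "fail2ban: $2 is missing from ignoreip, so a typo could lock you out"; rc=1 ;;
    esac
    return $rc
}

audit_all() {  # $1 = sshd_config, $2 = /etc/default/ufw, $3 = jail.local, $4 = admin IP
    failures=0
    check_sshd "$1" || failures=$((failures + 1))
    check_ufw_ipv6 "$2" || failures=$((failures + 1))
    check_fail2ban "$3" "$4" || failures=$((failures + 1))
    echo "$failures check(s) failed"
    return $failures
}
```

On the droplet, source the file and run audit_all /etc/ssh/sshd_config /etc/default/ufw /etc/fail2ban/jail.local {your-static-IP-address}; a zero exit status means all three checks passed.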

3.13. Install Logwatch

Run this command.

sudo apt-get install logwatch

Edit the Logwatch cron job configuration file.

sudo nano /etc/cron.daily/00logwatch

Add this line.

/usr/sbin/logwatch --output mail --mailto {your-email-address} --detail high

Save, and exit.

3.14. Activate DigitalOcean Monitoring

To install the agent, enter this command.

curl -sSL https://agent.digitalocean.com/install.sh | sh

Congratulations, you’ve hardened your droplet against hackers.

SECTION 4.0 — INSTALL ALGO

  1. Install Algo’s prerequisites
  2. Copy Algo onto your droplet
  3. Create Algo users
  4. Install Algo on your droplet
  5. Transfer Algo files to your devices
  6. Install Algo on your devices, and
  7. Confirm Algo is working

4.1 Install Algo’s Core Prerequisites

To run Ansible scripts, enter these commands.

sudo apt-add-repository -y ppa:ansible/ansible

sudo apt-get update -y

sudo apt-get upgrade -y

sudo apt-get install -y software-properties-common python-virtualenv ansible

4.2 Copy Algo onto Droplet

Now run these commands to fetch the latest Algo package.

sudo git clone https://github.com/trailofbits/algo

cd algo

sudo python -m virtualenv env

source env/bin/activate

4.3 Create Algo Users

Set up usernames for the people who will be using the VPN.

nano config.cfg

Remove the lines that represent the default users “dan” and “jack”.

Add your own (e.g., “adam”) so that this part of the file looks like this:

users:
 - adam

Look for this text and change 2 to -1.

# StrongSwan log level
#https://wiki.strongswan.org/projects/strongswan/wiki/LoggerConfiguration
strongswan_log_level: -1

Save and close.

4.4 Install Algo on Droplet

Type:

./algo

You will see this output:

What provider would you like to use?

1. DigitalOcean
2. Amazon EC2
3. Microsoft Azure
4. Google Compute Engine
5. Install to existing Ubuntu 16.04 server

Enter the number of your desired provider

Select 5.

Do not enter your droplet’s IP address here; instead, enter localhost as shown below.

Enter the IP address of your server: (or use localhost for local installation)[localhost]

At the third prompt, hit return.

What user should we use to log in on the server? (note: passwordless login required, or ignore if you're deploying to localhost)

At the fourth prompt, enter your droplet's IP address.

Enter the public IP address of your server: (IMPORTANT! This IP is used to verify the certificate)

At the fifth prompt, hit return.

Was this server deployed by Algo previously? [y/N]

At the sixth and seventh prompts, select yes.

Do you want macOS/iOS clients to enable “VPN On Demand” when connected to cellular networks?
[y/N]
Do you want macOS/iOS clients to enable "VPN On Demand" when connected to Wi-Fi?
[y/N]

At the eighth prompt, enter your preference.

List the names of trusted Wi-Fi networks (if any) that macOS/iOS clients exclude from using the VPN (e.g., your home network. Comma-separated value, e.g., HomeNet,OfficeWifi,AlgoWiFi)

Hit return to select the defaults for the remaining prompts.

Do you want to install a DNS resolver on this VPN server, to block ads while surfing?
[y/N]
Do you want each user to have their own account for SSH tunneling
[y/N]
Do you want to apply operating system security enhancements on the server? (warning: replaces your sshd_config)
[y/N]
Do you want the VPN to support Windows 10 or Linux Desktop clients? (enables compatible ciphers and key exchange, less secure)
[y/N]
Do you want to retain the CA key? (required to add users in the future, but less secure)
[y/N]

After five minutes, the installer should complete the installation.

It will give you a message that says.

Congratulations!
Your Algo server is running.

You’ll get “p12 and SSH keys password for new users.” Securely store this password. Use it when you install the Algo VPN clients on your devices.

Algo will create configuration files in the directory ./deploy/algo/configs/{your-digitalocean-droplet-ip-address}.

Make deploy the owner of the Algo configuration files. The -R argument recursively changes the ownership of the folder.

sudo chown -R deploy ./algo/configs/123.45.67.89/

4.5 Transfer Algo Files to Your Devices

Open a new Terminal session to create a directory

mkdir configs

cd configs

Log into your droplet using SFTP:

sftp deploy@{your-digitalocean-droplet-ip-address}

Change the directory on your droplet. Give the path of the folder holding the Algo configuration files.

cd algo/configs/{your-digitalocean-droplet-ip-address}

Then type:

get *

Close the SFTP session.

exit

Use the same Terminal window to confirm the Algo configuration files.

ls

4.6 Install Algo on Your Devices

The file that you want will be named adam.mobileconfig. Use the same profile to install Algo VPN on your macOS and iOS devices.

For Mac, double-click the .mobileconfig file.

For iOS, Airdrop the .mobileconfig file to your device.

Enter the password that you got when you installed Algo to your droplet.

4.7 Confirm Algo Is Working

Check your public IP address in your browser. If it is different from the one you saw before connecting, you have successfully made, installed, and deployed your own Algo VPN on your device.

This is your own VPN service on your own cloud-based computer.

Conclusion

Congratulations are in order. You made it till the end; you’re a proud owner of an Algo VPN server. Let us know how you did it in the comments below.
