Algo is an easy way to set up a personal VPN in the cloud.
In case something is missing here, refer to their DO install guide or Docker client guide.
Generate an API token in DigitalOcean, then run:
export DO_TOKEN=<your-token-here>
git clone git@github.com:trailofbits/algo.git
cd algo
ALGO_ARGS="provider=digitalocean
server_name=algo
ondemand_cellular=true
ondemand_wifi=true
dns_adblocking=false
ssh_tunneling=false
store_pki=true
region=fra1
do_token=$DO_TOKEN"
docker run --cap-drop=all -it \
-e "ALGO_ARGS=$ALGO_ARGS" \
-v "$(pwd)":/data \
trailofbits/algo:latest
The installation takes quite a while. After it's finished, you should see the following banner.
ok: [x.x.x.x] => {
"msg": [
[
"\"# Congratulations! #\"",
"\"# Your Algo server is running. #\"",
"\"# Config files and certificates are in the ./configs/ directory. #\"",
"\"# Go to https://whoer.net/ after connecting #\"",
"\"# and ensure that all your traffic passes through the VPN. #\"",
"\"# Local DNS resolver X.X.X.X, fdxx::x:xxxx #\"",
""
],
" \"# The p12 and SSH keys password for new users is xxxxxxxx #\"\n",
" \"# The CA key password is xxxxxxxxxxx #\"\n",
" \"# Shell access: ssh -i configs/algo.pem [email protected] #\"\n"
]
}
The default configuration is taken from the config.cfg file and contains three users:
- desktop
- laptop
- phone

- Save the output banner, which contains the passwords etc., to 1password. This is needed for possibly updating users later. Note: updating users will create new p12 and SSH key passwords for new users.
- You can optionally save the configs to e.g. 1password. Run
zip -r algo-configs.zip configs
and save the zip file to 1password. This is needed for easy reconfiguration of a device. It is optional, because if you lose the keys, you can always reinstall the server.
Refer to https://github.com/trailofbits/algo#configure-the-vpn-clients for full client guides.
WireGuard is an open source VPN client, which makes installing the client VPN configs easier. See https://www.wireguard.com/.
On the laptop, install WireGuard from https://apps.apple.com/us/app/wireguard/id1451685025?mt=12 and open the app. Click "install via configuration file" or similar and browse to configs/x.x.x.x/wireguard/laptop.conf.
On the phone, install WireGuard from https://itunes.apple.com/us/app/wireguard/id1441195209?mt=8, and scan the QR code from your computer.
To show the QR code, run (where x.x.x.x is the IP address of the created Droplet):
open configs/x.x.x.x/wireguard/phone.png
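Before importing laptop.conf, the file can be checked for the settings behind the banner's "all your traffic passes through the VPN". This is an added example, not part of the original guide or of Algo: wg_values and audit_wg_conf are hypothetical helpers, the sample config is constructed, and the checks (file mode, PrivateKey present, full-tunnel AllowedIPs, DNS entry) are this example's assumptions about what to verify.

```shell
#!/bin/sh
# Added example: wg_values and audit_wg_conf are hypothetical helpers, not Algo's.

# Print the comma-separated values of KEY in [SECTION], one per line.
wg_values() {  # usage: wg_values FILE section key   (section and key lowercase)
    awk -v want="[$2]" -v key="$3" '
        /^[ \t]*\[/ { gsub(/[ \t\r]/, ""); sect = tolower($0); next }
        sect == want {
            line = $0; sub(/[#;].*/, "", line)      # drop comments
            eq = index(line, "="); if (eq == 0) next
            k = substr(line, 1, eq - 1); v = substr(line, eq + 1)
            gsub(/[ \t\r]/, "", k); gsub(/[ \t\r]/, "", v)
            if (tolower(k) == key) { n = split(v, a, ","); for (i = 1; i <= n; i++) print a[i] }
        }' "$1"
}

# Print one finding per line; return 0 only when there are none.
audit_wg_conf() {
    conf=$1; findings=0
    [ -r "$conf" ] || { echo "ERROR: cannot read $conf"; return 2; }
    # In the ls -l mode string, characters 5-10 are the group and other bits.
    if [ "$(ls -ld "$conf" | cut -c5-10)" != "------" ]; then
        echo "PERMS: file holds a private key but group/other can access it"
        findings=$((findings + 1))
    fi
    [ -n "$(wg_values "$conf" interface privatekey)" ] ||
        { echo "KEY: no PrivateKey in [Interface]"; findings=$((findings + 1)); }
    allowed=$(wg_values "$conf" peer allowedips)
    for route in 0.0.0.0/0 ::/0; do   # full-tunnel default routes, IPv4 and IPv6
        if ! printf '%s\n' "$allowed" | grep -qxF -- "$route"; then
            echo "ROUTE: AllowedIPs lacks $route; that traffic bypasses the VPN"
            findings=$((findings + 1))
        fi
    done
    [ -n "$(wg_values "$conf" interface dns)" ] ||
        { echo "DNS: no DNS entry; lookups stay on the system resolver"; findings=$((findings + 1)); }
    [ "$findings" -eq 0 ]
}

# Constructed sample (placeholder keys, documentation addresses), not Algo output.
demo=$(mktemp -d)
printf '%s\n' '[Interface]' 'PrivateKey = PLACEHOLDER_PRIVATE_KEY=' \
    'Address = 10.0.0.2/32' 'DNS = 10.0.0.1' '' '[Peer]' \
    'PublicKey = PLACEHOLDER_PUBLIC_KEY=' 'AllowedIPs = 0.0.0.0/0, ::/0' \
    'Endpoint = 192.0.2.10:51820' > "$demo/laptop.conf"
chmod 600 "$demo/laptop.conf"
audit_wg_conf "$demo/laptop.conf" && echo "laptop.conf: no findings"
```

Against a real install, call audit_wg_conf on configs/x.x.x.x/wireguard/laptop.conf; a config that covers all addresses with a different set of AllowedIPs prefixes will be reported under ROUTE and needs a manual look.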
Run rm -rf configs in the algo repository directory after you have installed the VPN clients. WireGuard copies the secrets to its own storage, so removing the configs folder is fine.
If you stored the configs as a zip in 1password, it can always be unzipped to the same place, e.g. to update users.
- Go to the algo project dir
- Update config.cfg to contain the wanted users
- Run update users:
docker run --cap-drop=all -it \
-e "ALGO_ARGS=update-users" \
-v "$(pwd)":/data \
trailofbits/algo:latest
- On demand = automatic VPN connection