Becoming the ultimate Road Warrior with Ubuntu, Digital Ocean & WireGuard


Time Required – An afternoon (depending on your familiarity with Bash)

With everything on hold due to the coronavirus, I thought now would be a great time to get reacquainted with cloud infrastructure and also take some steps to ensure everything is a little bit more secure when everything gets back to normal.

Personal VPNs are becoming more and more popular these days. No doubt you’ve seen the endless barrage of advertising from commercial VPN suppliers peppered all over the web, but the major flaw with all of these is that you have to trust the supplier to stay true to their no-logging policies and not snoop on your data. Couple this with limited or non-existent possibilities for internal networking and the high price of these services and you have some quite significant drawbacks.

Using cloud infrastructure, anyone with a basic understanding of the Linux terminal can ‘roll their own’ VPN server more easily than ever, and at a lower cost than even the cheapest of conventional providers.

Digital Ocean is a cloud provider based in New York, however they have data centres in Amsterdam, London, San Francisco, Frankfurt, Toronto and Bangalore; starting from $5 a month, you can provision a Virtual Machine in one of their data centres. As a commercial ISP, they are not required to block any of the websites that residential suppliers such as BT, TalkTalk and Virgin do and they do not apply any traffic management to their data, so if your ISP slows down or blocks things like VOIP or BitTorrent, you will get around this.

Anyone who has used Linux before (or even bought a new laptop for college) has probably heard of or used Ubuntu. First released in 2004, in broad terms, it’s a free and open source operating system maintained by an organisation called Canonical. It is essentially a slightly more user friendly (I’m talking about Linux, so still pretty bad) and stable release of the Linux OS Debian. Ubuntu powers a large part of the internet’s infrastructure, including SnapChat, Instagram, DropBox and many more.

Encouraged by the increase in usage of private and commercial VPN services in the last few years, there has been a great deal of innovation in the back end software that powers these platforms. A few years back, OpenVPN was the standard, alongside expensive, proprietary offerings from Cisco (AnyConnect) and other big players. More recently, new lightweight platforms have developed, alongside streamlined installation scripts to make setting up a personal VPN server easier than ever. For this article, we will be using a script called Algo, which will provision a server that works with all of the most common devices (Android, iOS, Windows, Mac & Linux) and also installs a DNS-level ad blocker.

So if you’re looking for something to do this afternoon, follow along. I’ll be helping out and answering questions in the comments or DM’s if you fancy giving it a go!

Firstly, you will need to make an account with Digital Ocean. If you click the referral link here, you will get $100 credit to get started when you add a card to your account.

Once you’re logged in, create a new project and select ‘Just trying out Digital Ocean’. You can call this whatever you like.


Then click “Get started with a droplet”


Select the Ubuntu 20.04 LTS distribution and then select your machine plan. We will be using the $5/mo plan.


Then, choose a data centre region. Remember, this will be where your traffic originates from, so if you want to continue accessing Netflix, iPlayer and so on like at home, make sure you select a UK centre.


Scroll down to authentication and select “one time password.” If you are familiar with SSH keys, you can add your public key here to enable passwordless logins.

Give your server a name. I have called this one “demovpnserver”


Now select “create droplet”. You will be taken back to the control panel, where a progress bar shows your server being provisioned in the cloud. Once this is complete, you will receive the login details and IP address for your server via email.

Now you will need to fire up your SSH client. Terminal is installed by default on macOS, for Windows you will need to install PuTTY. To connect using Terminal, open a new window and type:

ssh root@<your server ip>

As this is the first time we are connecting, we will be asked if we trust the server’s public key. Type ‘yes’ and hit enter. Then type your password (nothing will appear on the screen; don’t worry, it hasn’t frozen) and hit enter. It will ask you to set a new root password (don’t forget this!).

You are now logged in to your server. First things first, we want to get everything up to date, so let’s run the following commands:

apt-get update && apt-get -y upgrade

Now we are going to copy over the files required to set up the VPN server. Simply type this command to clone the Algo Git repository:

git clone https://github.com/trailofbits/algo.git

This will download the required files to set up your server. We also need to get a copy of the dependencies (programs that run in the background) to allow the script to run. Let’s type in the following and hit enter:

apt install -y python3-virtualenv

We now want to change into the directory we have just downloaded, because the next command reads the requirements.txt file inside it. To do this we type

cd algo

And lastly for the dependencies (you can copy and paste):

python3 -m virtualenv --python="$(command -v python3)" .env && source .env/bin/activate && python3 -m pip install -U pip virtualenv && python3 -m pip install -r requirements.txt

Now, we want to edit the configuration file to create our users and open up internal networking. We are going to use an editor called nano to do this. Let’s type

nano config.cfg

We need to create a user for each device we are going to connect to the server. I have created a couple of spares as well for when new devices are added. Simply make a new line and follow the format to create new users.

users:
  - phone
  - laptop
  - desktop
  - spare1
  - spare2

Continue scrolling down to BetweenClients_DROP. Here we want to decide whether to allow internal networking. This will allow your devices to see each other on the VPN as if they were connected to a local network, so you can share files between machines. If you want to allow this, ensure this section of your config looks like this:

# Block traffic between connected clients. Change this to false to enable
# connected clients to reach each other, as well as other computers on the
# same LAN as your Algo server (i.e. the "road warrior" setup). In this
# case, you may also want to enable SMB/CIFS and NETBIOS traffic below.
BetweenClients_DROP: false

# Block SMB/CIFS traffic
block_smb: false

# Block NETBIOS traffic
block_netbios: false

Finally, we want to enable unattended reboots so that security patches which need a restart actually take effect (Algo installs security updates automatically either way). Set enabled under unattended_reboot to true and choose a suitable time, like below:

# Your Algo server will automatically install security updates. Some
# updates require a reboot to take effect but your Algo server will not
# reboot itself automatically unless you change 'enabled' below from
# 'false' to 'true', in which case a reboot will take place if necessary at
# the time specified (as HH:MM) in the time zone of your Algo server. The
# default time zone is UTC.
unattended_reboot:
  enabled: true
  time: 06:00
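Before saving and running ./algo, it is worth checking that the edits above are syntactically sound: a missing space after a colon (as in enabled:true) makes the file invalid YAML and stops the whole run. The pre-flight script below is an added example, not part of the article or of the Algo project; the username character set it enforces and the two sample configs it writes are assumptions.

```shell
#!/usr/bin/env bash
# Added example, not part of the original article or of the Algo project: a
# pre-flight check for the config.cfg keys edited above, run before ./algo.
# It catches the YAML slip "enabled:true" (no space after the colon, so YAML
# reads one bare string instead of a key and a value) and similar mistakes.

# check_key FILE KEY PATTERN: KEY must appear as "KEY: value" with value matching PATTERN.
check_key() {
  local value
  value=$(grep -E "^[[:space:]]*$2:([[:space:]]|$)" "$1" | head -n1 \
          | sed -E "s/^[[:space:]]*$2:[[:space:]]*//; s/[[:space:]]+$//")
  if [ -z "$value" ]; then
    echo "$2: missing, or no space after the colon"; return 1
  fi
  echo "$value" | grep -Eq "^($3)$" || { echo "$2: unexpected value '$value'"; return 1; }
}

# validate_algo_config FILE: 0 when every checked setting is sane, 1 otherwise (problems are printed).
validate_algo_config() {
  local cfg=$1 rc=0 users u
  # Collect the "- name" items under "users:"; blank lines are allowed, the next top-level key ends the list.
  users=$(awk '/^users:/ {f=1; next}
               f && /^[ \t]*-/ {sub(/^[ \t]*-[ \t]*/, ""); print; next}
               f && /^[^ \t#]/ {f=0}' "$cfg")
  [ -n "$users" ] || { echo "users: no entries"; rc=1; }
  for u in $users; do   # assumed charset for a device name: letters, digits, - and _
    echo "$u" | grep -Eq '^[A-Za-z0-9_-]+$' || { echo "users: bad name '$u'"; rc=1; }
  done
  [ -z "$(echo "$users" | sort | uniq -d)" ] || { echo "users: duplicate names"; rc=1; }
  for k in BetweenClients_DROP block_smb block_netbios enabled; do
    check_key "$cfg" "$k" 'true|false' || rc=1
  done
  check_key "$cfg" time '([01][0-9]|2[0-3]):[0-5][0-9]' || rc=1
  return $rc
}

# write_sample FILE good|bad: constructed config fragments mirroring the article's edits;
# "bad" reproduces the "enabled:true" typo and adds a duplicate user.
write_sample() {
  if [ "$2" = good ]; then
    printf 'users:\n  - phone\n  - laptop\n\n  - spare1\nBetweenClients_DROP: false\nblock_smb: false\nblock_netbios: false\nunattended_reboot:\n  enabled: true\n  time: 06:00\n' > "$1"
  else
    printf 'users:\n  - phone\n  - phone\nBetweenClients_DROP: false\nblock_smb: false\nblock_netbios: false\nunattended_reboot:\n  enabled:true\n  time: 06:00\n' > "$1"
  fi
}

# Typical use on the droplet: validate_algo_config ~/algo/config.cfg && ./algo
```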

That’s our config file done! Now we want to press Ctrl+x, ‘y’ and ‘enter’ to save the file and go back to the command line. We now want to run the setup script by typing the below

./algo

The script will now run and ask you to specify some options. Firstly, let’s choose to install this on the local machine (option 11).


We want to go through the following prompts and answer as follows:


Next, we need to enter the server IP address from your setup email and press enter. Leave the username prompt blank as we are using the local machine. It will ask you to enter the server IP address a second time.

Algo will now run its setup. This will take 5-10 minutes. Whilst this is running, we are going to download Cyberduck, which lets us connect to the server and download the config files. You should also download and install the WireGuard desktop client.

Once complete, the following will be echoed on to the Terminal. You have now set up a VPN server!


We are now going to copy the config files over to our computer. Fire up Cyberduck and create a new SSH connection to your server.


Once connected, open the ‘algo’ folder; you can see the configs folder here. We’re going to drag and drop this onto our desktop.


Inside the folder, we will see our WireGuard config. You can import the .conf file into WireGuard or scan the QR code on a mobile device to connect to your VPN from there.
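Before importing a profile, a quick check that it really sends everything through your server (and not just some traffic, or DNS via a public resolver) is worthwhile. The script below is an added example, not part of the article, Algo or WireGuard; the server address, keys, file layout and tunnel subnet it uses are constructed placeholders.

```shell
#!/usr/bin/env bash
# Added example, not part of the article or of the Algo/WireGuard projects: a
# sanity check for a downloaded WireGuard .conf before you import it, confirming
# it does what the article promises (all traffic, DNS included, goes through the
# tunnel to your server). Field names are WireGuard's; sample values are constructed.

# wg_field FILE KEY: value of the first "KEY = value" line, surrounding whitespace trimmed.
wg_field() {
  sed -nE "s/^[[:space:]]*$2[[:space:]]*=[[:space:]]*(.*[^[:space:]])[[:space:]]*$/\1/p" "$1" | head -n1
}

# check_wg_conf FILE SERVER_IP: 0 if the profile is a full tunnel to SERVER_IP with an
# in-tunnel DNS resolver, 1 otherwise (each problem is printed; a missing IPv6 route only warns).
check_wg_conf() {
  local f=$1 server=$2 rc=0 v
  v=$(wg_field "$f" Endpoint)
  case "$v" in
    "$server":[0-9]*) ;;   # host part must be our droplet
    *) echo "Endpoint '$v' does not point at $server"; rc=1 ;;
  esac
  v=$(wg_field "$f" AllowedIPs)
  case ",$(echo "$v" | tr -d ' ')," in
    *,0.0.0.0/0,*) ;;      # default route through the VPN, so your public IP becomes the server's
    *) echo "AllowedIPs '$v' is a split tunnel; most traffic would bypass the VPN"; rc=1 ;;
  esac
  case "$v" in *::/0*) ;; *) echo "warning: AllowedIPs lacks ::/0, so IPv6 traffic would bypass the tunnel" ;; esac
  v=$(wg_field "$f" DNS)
  case "$v" in
    10.*|172.1[6-9].*|172.2[0-9].*|172.3[01].*|192.168.*|fd*) ;;  # private address: only reachable inside the tunnel
    *) echo "DNS '$v' is not an in-tunnel resolver; DNS queries and ad blocking would leave the VPN"; rc=1 ;;
  esac
  [ -n "$(wg_field "$f" PrivateKey)" ] || { echo "PrivateKey is empty"; rc=1; }
  return $rc
}

# write_sample_wg FILE good|bad: constructed profiles with placeholder keys and TEST-NET addresses.
write_sample_wg() {
  local dns='172.16.0.1' allowed='0.0.0.0/0, ::/0'
  [ "$2" = good ] || { dns='198.51.100.53'; allowed='10.19.49.0/24'; }
  printf '[Interface]\nPrivateKey = CONSTRUCTED_PRIVATE_KEY_PLACEHOLDER=\nAddress = 10.19.49.2/32\nDNS = %s\n\n[Peer]\nPublicKey = CONSTRUCTED_SERVER_PUBLIC_KEY_PLACEHOLDER=\nAllowedIPs = %s\nEndpoint = 203.0.113.10:51820\n' "$dns" "$allowed" > "$1"
}

# Typical use (path is an assumption): check_wg_conf path/to/phone.conf <your server ip>
```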


From here, we can install the config on multiple devices. If you run a speed test, you will see your ISP appears as Digital Ocean and your IP address will be the server IP. There is a slight increase in latency and a slight slowdown in speed, but that’s the price you pay for privacy!

Let me know if you followed along and if you would be interested in some more articles on how we can expand on our VPN by hosting a file server, installing webmin to allow for easy administration and so on!

