Deploying Your Own VPN Server On the Cloud with Algo VPN in 15 minutes

If you wound up on this article, and somehow have no idea what in God’s name a VPN is, I’ll explain it with Romain Dillet’s analogy in his blog at TechCrunch.

"A VPN works just like the tunnel in this movie scene — it connects different roads and turns them into one, and a helicopter can’t see what’s happening inside the tunnel."

Just like that, when you connect to a server, your device connects to a VPN Server, which acts as a tunnel, securing the connection between your device, and the server. Nobody outside the tunnel can see what you are doing.

So you might be wondering why you would want to setup your own VPN server when you can use one for free. When you use free VPN services, your data is at risk as the VPN company has access to this tunnel, and therefore see all your internet traffic. Many of them sell your data to scammers and advertisers. When you set up your own VPN on the cloud, you only risk cloud providers like AWS and DigitalOcean snooping on your internet traffic (which they have sworn they won’t do :) ).

What is Algo VPN?

Algo VPN is an open source project designed for self-hosted VPN services. You could set up your own VPN server with very little effort, and with little knowledge about programming. This was designed by the amazing folks at Trail of Bits. On the blog announcing the initial release of Algo, they claim that Algo VPN is “to be easy to set up. That way, you start it when you need it, and tear it down before anyone can figure out the service you’re routing your traffic through.”

What you Need

• An account on a cloud hosting provider (eg: DigitalOcean).

• Installation of Ansible.

• A device/instance with a debian-based Operating System.

If you’re using an rpm-based, or Windows Operating system, please refer to the following documentation.

• rpm: https://github.com/trailofbits/algo/blob/master/docs/deploy-from-redhat-centos6.md

• Windows: https://github.com/trailofbits/algo/blob/master/docs/deploy-from-windows.md

Deploying the Algo Server

Algo server could be deployed on pretty much any major cloud hosting provider like DigitalOcean, AWS EC2, Microsoft Azure, Google Compute Engine, or other OpenStack-based cloud hosting.

I will be executing all of the following operations on an Ubuntu 18.04 instance.

Initial Setup

Install Ansible

$ apt-add-repository -y ppa:ansible/ansible

Update repositories

$ apt-get update -y
$ apt-get upgrade -y

Install Python tools

apt-get install -y build-essential \
  libssl-dev \
  libffi-dev \
  python-dev \
  python-pip \
  python-setuptools \
  python-virtualenv

Install the Algo VPN Server

$ git clone https://github.com/trailofbits/algo
$ cd algo
$ python -m virtualenv env
$ source env/bin/activate
$ python -m pip install -U pip
$ python -m pip install -r requirements.txt

Setup the usernames of the people who will be using the VPN. To do this, open the config.cfg file in the algo directory using your favourite editor and specify the users you wish to create in the users list. You may remove the default users (phone, laptop, desktop) if you wish, and add your own.

Users:
  - savidude

Save the file and exit out of the editor, and execute the following command in the algo directory.

./algo

When prompted for a cloud provider, select the provider of your choice.

Answer the next few Y/N questions according to your preference. Accepting the default answers should be fine in most cases.

You will be prompted for an API token, to which you should generate one at https://cloud.digitalocean.com/settings/api/tokens. The generated token should have Read and Write permissions.

When prompted for a region the server should be located at, select a region closest to you. I selected Bangalore (India), as it is closest to where I live (Sri Lanka).

Thereafter, the installation will take a few minutes. Once complete, you’ll see the “Congratulations!” message.

Configure the VPN Clients

Algo generates a WireGuard configuration file wireguard/<username>.conf, and a QR code wireguard>/<username>.png for each user defined in the config.cfg file. The wireguard directory could be found at algo/configs/<public-ip>/wireguard.

Apple Devices

• For iOS, install WireGuard from the App Store, and use it to scan the QR Code.

• For MacOS Mojave or later, install WireGuard from the App Store and run the app. This will appear in the Menu bar. Click on the WireGuard icon, and select “Import tunnel(s) from file” and select the appropriate WireGuard configuration file.

Android Devices

Install WireGuard from the Play Store, and use it to scan the QR code.

Follow the instructions here to configure VPN for Windows and Linux devices.

Congratulations! You have successfully set up your own VPN Server. Now, the only person you need to worry about selling your data to advertisers and scammers is yourself.