Meet Algo, the VPN that works

I think you’ll agree when I say: there’s no VPN option on the market designed with equal emphasis on security and ease of use.

That changes now.

Today we’re introducing Algo, a self-hosted personal VPN server designed for ease of deployment and security. Algo automatically deploys an on-demand VPN service in the cloud that is not shared with other users, relies on only modern protocols and ciphers, and includes only the minimal software you need.

And it’s free.

For anyone who is privacy conscious, travels for work frequently, or can’t afford a dedicated IT department, this one’s for you.

Don’t bother with commercial VPNs

They’re crap.

Really, the paid-for services are just commercial honeypots. If an attacker can compromise a VPN provider, they can monitor a whole lot of sensitive data.

Paid-for VPNs tend to be insecure: they share keys, their weak cryptography gives a false sense of security, and they require you to trust their operators.

Even if you’re not doing anything wrong, you could be sharing the same endpoint with someone who is. In that case, your network traffic will be analyzed when law enforcement makes that seizure.

Streisand is no better

Good concept. Poor implementation.

It installs ~40 services, including numerous remote access services, a Tor relay node, and out-of-date software. It leaves you with dozens of keys to manage and it allows weak crypto.

That’s a hefty footprint and it’s too complicated for any reasonable person to secure. If you set up an individual server just for yourself, you’d never know if or when an attacker compromised it.

OpenVPN: Requires client software

OpenVPN’s lack of out-of-the-box client support on any major desktop or mobile operating system introduces unnecessary complexity. The user experience suffers.

Speaking of users, they’re required to update and maintain this software too. That is a recipe for disaster.

Worst of all, OpenVPN depends on the security of TLS, both the protocol and its implementations. Between that, and past security incidents, we simply trust it less.

Other VPNs’ S/WAN song

The original attempt at free VPN software -FreeS/WAN- died in the early 2000’s when its dev team fractured. Three people forked it into LibreSwan, strongSwan and Openswan.

To use any of them today, you need something approaching tribal knowledge. The available documentation stymied and appalled us:

  • Little differentiation – If you search for information about strongSwan’s configuration, you could easily end up at a LibreSwan page. The terms will look familiar, but the instructions will be wrong.
  • Impenetrable language – Instead of using standard terms like ‘client, server, remote and local,’ they use ‘sun, moon, bob, carol,’ and a bunch of other arbitrary words.
  • Brittle methodology – The vast majority of documentation and guides insist on using ‘tried and true’ methods such as L2TP and IKEv1, even though IKEv2 is simpler and stronger. Since Apple added IKEv2 to iOS 8, there’s no reason not to use it.

Only the strongest S/WAN survived

After wading through the convoluted quagmire that is the S/WAN triplets, we settled on strongSwan.

Its documentation -such as it is- is the best of the bunch. It was rewritten recently from scratch to support IKEv2 (a positive step when supporting a major new protocol version). It’s the only IPSEC software that even offers the option for a trusted key store.

And the community is helpful. Special thanks to Thermi.

But it’s still super-complicated. Too many contributors made it very arcane. Again, you need that tribal knowledge to make IPSEC do what you want.

These are examples of why cryptography software has a well-earned reputation for poor usability. A tightly knit development community only communicating with itself tends to lead to a profusion of options that should be deprecated. There’s no sign that the user interface or experience has been reviewed on behalf of less-experienced users. For anyone bold enough to consider these points, here lies the path to widespread adoption.

So, we built Algo

Algo is a set of Ansible scripts that simplifies the setup of a personal IPSEC VPN. It contains the most secure defaults available, works with common cloud providers, and does not require client software on most devices.

The ‘VP of all Networks’ is strong, secure and tidy. It uses the least amount of software necessary to get the job done.

We made Algo with corporate travelers in mind. To save bandwidth and increase security, it blocks ads and compresses what’s left.

We shared an early version of Algo at Black Hat this year and people loved it.

Algo’s Features Anti-features
  • Supports only IKEv2
  • Supports only a single cipher suite w/ AES-GCM, SHA2 HMAC, and P-256 DH
  • Generates mobileconfig profiles to auto-configure Apple devices
  • Provides helper scripts to add and remove users
  • Blocks ads with a local DNS resolver and HTTP proxy
  • Based on current versions of Ubuntu and strongSwan
  • Installs to DigitalOcean, Amazon, Google, Azure or your own server
  • Does not support legacy cipher suites nor protocols like L2TP, IKEv1, or RSA
  • Does not install Tor, OpenVPN, or other risky servers
  • Does not depend on the security of TLS
  • Does not require client software on most platforms
  • Does not claim to provide anonymity or censorship avoidance
  • Does not claim to protect you from the FSB, MSS, DGSE, or FSM

Designed to be disposable

We wanted Algo to be easy to set up. That way, you start it when you need it, and tear it down before anyone can figure out the service you’re routing your traffic through.

Setup is automated. Just answer a few questions, and Algo will build your VPN for you.

We’ve automated the setup process for Apple devices, too. Algo just gives you a file that you AirDrop to your device. You press ‘install’ and you’ve got your VPN. Or ‘VPNs.’

You don’t have to choose just one VPN gateway. You could make yourself 20 on different services; Digital Ocean in Bangalore, EC2 in Virginia or any other combination. You have your choice.

One last reason that Algo is such a good solution: it’s been abstracted as a set of Ansible roles that we released to the community. Ansible provides clearer documentation, ensures that we can repeat what it is that we’re doing, and allows us to monitor configuration drift.

Thanks to the roles we created in Ansible, it’s very easy for us to add and refine different features independently. Members of our team will keep up on feature requests.

We’ll make sure it’s right. You can just use it.

Try Algo today.

Want help installing Algo?

We’re planning a virtual crypto party for Friday, December 16th at 3pm EST where we’ll walk you through installing Algo on their own. Register to join us.

31 thoughts on “Meet Algo, the VPN that works

  1. If an attacker can compromise a VPN provider, they can monitor a whole lot of sensitive data.” Same applies for this implementation.

    Most providers default to OpenVPN, and you pointing out the shared PSK implementation (which is usually available for those who ask/want it) is extremely biased. They also offer PPTP protocol, which is entirely insecure, and using it is a lot worse than IPSEC with a PSK.

    Ikev2 protocol only works on standard ports, which are commonly blocked on many corporate, school, and public networks. OpenVPN offers much more flexibility, especially if you are running it on TCP 443 (with Stunnel if you like), which makes it unblockable in 99.9% of cases.

    Strongswan code base is monstrous, with a bunch of separate services, etc. Sure it will work without a client on your Windows/Mac and iOS device, but downloading a simple OpenVPN client is trivial.

    Lastly, sharing a server with other people, as the case with commercial VPNs, is one of the best features of a VPN, as you get lost in the crowd. Running a node, just for yourself, that you probably bought with your own credit card, which will be handed out to anyone with a court order, is almost useless.

    Full disclosure: I run a VPN company

    • re. getting lost in the crowd, ToB have always been open about the fact that Algo is for *confidentiality* – not anonymity or censorship avoidance. It even says that explicitly in the anti-features list above.

    • Algo is a solution for last-mile encryption (and data compression). It’s for people concerned with shared wifi access points and sketchy VPN operators. However, I still take issue with your points.

      > If an attacker can compromise a VPN provider, they can monitor a whole lot of sensitive data.” Same applies for this implementation.

      Since Algo uses have control over their servers, they have avenues for attestation. This is not possible with shared VPN services.

      > Most providers default to OpenVPN, and you pointing out the shared PSK implementation (which is usually available for those who ask/want it) is extremely biased. They also offer PPTP protocol, which is entirely insecure, and using it is a lot worse than IPSEC with a PSK.

      Default/shared PSK credentials indicate poor security posture from the administrators of a *security service*. It’s still worth pointing out.

      > Ikev2 protocol only works on standard ports, which are commonly blocked on many corporate, school, and public networks. OpenVPN offers much more flexibility, especially if you are running it on TCP 443 (with Stunnel if you like), which makes it unblockable in 99.9% of cases.

      I disagree with this statement. Corporations may block ikev2 but public networks rarely do. Algo isn’t meant to avoid your corporate IT’s draconian internet policies so you can hit up Facebook while at work.

      > Strongswan code base is monstrous, with a bunch of separate services, etc. Sure it will work without a client on your Windows/Mac and iOS device, but downloading a simple OpenVPN client is trivial.

      It’s true that both projects are bloated. However, the client code for ipsec is already available and tested by Microsoft/Apple. Why would we add more attack surface to the user’s phone? Algo is also investigating limiting the attack surface of strongswan: https://github.com/trailofbits/algo/issues/12.

      > Lastly, sharing a server with other people, as the case with commercial VPNs, is one of the best features of a VPN, as you get lost in the crowd.

      So my crimes get hidden among everyone else’s crimes? What if I don’t want to commit crime? Then my legitimate traffic is hiding other people’s crime?

      > Running a node, just for yourself, that you probably bought with your own credit card, which will be handed out to anyone with a court order, is almost useless.

      Do you allow your customers to audit your processes and procedures? Your service adds a middle-man that wouldn’t be there otherwise, a great target for a court order with a gag order.

      • >> Strongswan code base is monstrous, with a bunch of separate services, etc. Sure it will work without a client on your Windows/Mac and iOS device, but downloading a simple OpenVPN client is trivial.

        > It’s true that both projects are bloated. However, the client code for ipsec is already available and tested by Microsoft/Apple. Why would we add more attack surface to the user’s phone? Algo is also investigating limiting the attack surface of strongswan: https://github.com/trailofbits/algo/issues/12

        We have taken steps to limit the attack surface of strongswan already. All those separate modules you spoke about allowed us to enable only what was needed for our specific configuration. See more here: https://github.com/trailofbits/algo/issues/84

      • I can tell you for a fact that Ikev2 is blocked on more networks than you think. Schools, work places, public wifi networks, and even major cellphone carriers.

        Just because you’re not committing a crime today (or think you’re not), doesn’t mean it won’t become a crime next year. Look at the UK law that was just passed. Its not a stretch that there is going to be a prosecution dragnet based on the data that now must be retained by the ISPs, and its going to extend retroactively. Plausible deniability that the activity cannot be traced to a single user can reasonably be your last line of defense. This is something you cannot claim if you’re the only 1 using the server.

        Also, don’t forget, the “man in the middle” is still there, its the hosting provider. They have your personal info on file, which is released at the drop of a hat, since its a lot easier (cheaper) for the hosting company to pass the buck, rather than defend your privacy when you’re paying them $5/month. We had this happen multiple times, as a part of the numerous “John Doe” lawsuits.

  2. Pingback: 2016 Year in Review | Trail of Bits Blog

  3. you advertise exclusive P-256 elliptic curve DH proposals on your main promo, but your Windows Powershell setup info on github uses DH Group 14 (2048 bit) which is less secure – why isn’t it “-DHGroup ecdhp256” ??

    • Windows support is a configurable option and is off by default. Windows does not support P-256 DH, so when you turn that feature on we have to make accommodations for it. In the setup script, it is described to the user as a less secure option. Finally, the PowerShell script is an improvement to the Windows default — enables stronger ciphers than Windows supports out of the box. That’s the best we can do if you want Windows support.

  4. Hello, just a question. Is there anything wrong with shadowsocks? because I am just a casual user of streisand and found shadowsocks to be very easy to set up.

  5. Pingback: Wolverton: No perfect way to protect privacy | ITRsearch.com

  6. Hi, how can we customize the ad-blocking list to add sites to it? Essentially I’m trying to add sites to nuke to my VPN running on DigitalOcean.

    Also, is SSH access disabled after installing Algo? Haven’t figured out how to do SSH again after installing.

    Thanks for the amazing work,
    ra

  7. I would be very interested in this if it went more in the direction of Pi-hole. A simple hardware piece I can insert between my router and my network switch that is transparent to the clients. Still do the heavy lifting up at the cloud like your design though. I would be very interested in buying / building that. I don’t want to touch all of my clients here and this would make it trivial to put inline or remove if it starts acting up.

  8. Pingback: My experience setting up an Algo VPN » Greenjam94's Infosec Blog

  9. On the OpenVPN problems: it is good to be aware that the Dutch government has had ordered a hardened version of OpenVPN (dubbed OpenVPN-NL). It has all the weaknesses removed and is certified up to NATO Restricted. So a few problems AlgoVPN is warning against are solved.
    It is released as open source, See https://openvpn.fox-it.com/.

    • I would not call them resolved. OpenVPN-NL is a hostile fork that changes some of the poorly chosen crypto defaults in vanilla OpenVPN, but the overall security architecture and protocol remains the same. It introduces further problems since it needs to stay in sync with upstream and may misapply or introduce new vulnerabilities in the process. IMHO OpenVPN-NL is an admirable effort but not a good solution.

  10. It would be really great if you could support IKEv1 as well, as an option at least.

    I currently use Streisand because I have both Android and iOS devices (and the Android ones are more important for me). I need a protocol that supports Android Always-On VPN, and for iOS this is just a nice-to-have. So I use L2TP currently. But I don’t like Streisand’s installing of all those other protocols. Especially tor. You can uninstall it afterwards but it makes it harder to upgrade.

    I know this does not apply to everyone but it would be a great feature if it were available. Or would it perhaps be easy to add some lines to one of the config files to add IKEv1 support? I don’t know strongSwan at all (for reasons you mentioned above)

    • Thanks for your comment! We clearly agree on installing only the minimum number of servers available and avoiding Tor, especially when you don’t need it. However, Android’s lack of support for modern protocols and crypto is a problem that they should solve, not one that we should weaken the Algo server to support. Even if you believe that IKEv1 is a safe enough protocol, enabling it would load a huge amount of additional code and complexity into the server which could have bugs and needs to be maintained.

      I’m planning to start a campaign to name and shame products that have not kept up and Android is among the worst offender. I would recommend using the strongSwan app for now, even though the Android VPN API does not support Always On (strike two!). You can also modify the Algo server configuration by hand yourself after it has been installed with a new “connection” for IKEv1 if you want.

      • Good point, I didn’t think of the security implications of IKEv1. And I know what you mean with Android. I also found that it connects blindly to 802.11 WPA-Enterprise networks without checking the certificate.

        By the way, while default Android does not support IKEv2, I found that Samsung devices actually do! Which covers most of my use cases, I also have a Sony and Nexus but they’re not quite as important. I had to set it up manually but it works great even with my J3 (which is still on Android 5.1.1). Strange that Samsung seems to care enough about security to implement IKEv2 on their own, while at the same time neglecting their updates.. But anyway.

        I installed Algo now and it works, great, also connects quicker and more reliable. Thanks for building it!

  11. Pingback: Weekly Links & Thoughts #116 | meshedsociety.com

  12. Pingback: #VUC643 – Algo VPN Project | IP Communications & VoIP Community

  13. Does this provide the devices using Algo a router-based VPN? All traffic is pushed to the VPN server through the tunnel, and devices cannot communicate with other hosts on their LANs?

Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out / Change )

Twitter picture

You are commenting using your Twitter account. Log Out / Change )

Facebook photo

You are commenting using your Facebook account. Log Out / Change )

Google+ photo

You are commenting using your Google+ account. Log Out / Change )

Connecting to %s