
Privacy Cookbook - Chapter 4.4 - Algo VPN (Wireguard and IKEv2)


We promised you an even easier solution than the one we proposed in Chapter 4.3 (OpenVPN), so today we cover a setup that offers IKEv2 with strong cryptography (AES-GCM, SHA2 and P-256) and WireGuard, with a built-in ad and tracking blocker!

This solution is called Algo VPN!

https://github.com/trailofbits/algo

It is an extremely easy setup and it works 'out of the box' with most cloud providers! One of the best is Hetzner, but as mentioned in Chapter 4.2 they want an ID during the setup of the cloud. Once again, this is not a big issue, as you control the cloud, logs etc. For maximum privacy you should also be doing a new cloud setup every 14-30 days and then just delete the old setup. This is less important if you are only using it for streaming, but bear in mind that you control the cloud, so you can exchange it at any time!

Download Algo and deploy it super easily by connecting via ssh to your server:

ssh root@your_server_ip

Run the command

git clone https://github.com/trailofbits/algo.git 

to create a directory named algo containing the Algo scripts.

On some servers you might need to install Python 3 and virtualenv first. On Ubuntu and Debian:

sudo apt install -y python3-virtualenv 

Install Algo's remaining dependencies. You'll need to run these commands from the Algo directory each time you download a new copy of Algo. In a Terminal window cd into the algo directory and run:

python3 -m virtualenv --python="$(command -v python3)" .env &&
  source .env/bin/activate &&
  python3 -m pip install -U pip virtualenv &&
  python3 -m pip install -r requirements.txt 

Set up the usernames for the people who will be using the VPN. To accomplish this, use your favorite text editor, such as Nano or Vim, to open and edit the config.cfg file in the ~/algo directory:

nano config.cfg
Or
vim config.cfg 

If you wish, remove the lines that represent the default users phone, laptop and desktop, then add your own (e.g., hildeguard, peter, andy) so that the corresponding section of the file looks like this:

users:
  - hildeguard
  - peter
  - andy

Find where it says
adblock_lists:
 - "https://raw.githubusercontent.com/StevenBlack/hosts/master/hosts"
 - "https://hosts-file.net/ad_servers.txt"
# - add any of the lists you like

Then find
dnscrypt_servers:
  ipv4:
    - cloudflare
#    - google
  ipv6:
    - cloudflare-ipv6

Replace the lines with

dnscrypt_servers:
  ipv4:
    - doh-jp-blahdns
    - doh-de-blahdns
  ipv6:
    - doh-jp-blahdns-v6

Or, of course, any of the ones listed here:
https://github.com/DNSCrypt/dnscrypt-resolvers/blob/master/v2/public-resolvers.md

You do not need to change this, as we are using DNS encryption!
dns_servers:
  ipv4:
    - 1.1.1.1
    - 1.0.0.1
  ipv6:
    - 2606:4700:4700::1111
    - 2606:4700:4700::1001

But change it anyway to
dns_servers:
  ipv4:
    - 84.200.69.80
    - 84.200.70.40
  ipv6:
    - 2001:1608:10:25::1c04:b12f
    - 2001:1608:10:25::9249:d69b

Once this is done, save it and start the deployment.

In the algo directory run

./algo

And if all goes well you should see

    "#                          Congratulations!                            #"
    "#                     Your Algo server is running.                     #"
    "#    Config files and certificates are in the ./configs/ directory.    #"
    "#              Go to https://whoer.net/ after connecting               #"
    "#        and ensure that all your traffic passes through the VPN.      #"
    "#                     Local DNS resolver 172.16.0.1                    #"
    "#        The p12 and SSH keys password for new users is XXXXXXXX       #"
    "#        The CA key password is XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX       #" 

If that's the case, congratulations!

Now connect to your server via SFTP and download the config files.

These files should be called:

hildeguard.conf (which is a config file for WireGuard)
hildeguard.mobileconfig (which is a config file for IKEv2 mobile setup for iOS)
hildeguard.png (which is a QR code that you can scan with your Android or iOS device)

Of course you have the same files for peter and andy
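A quick check to run on each downloaded WireGuard file before importing it, as an added example (not part of Algo or of the original post). It assumes the config should be a full tunnel with both default routes in AllowedIPs and should use the resolver address printed at the end of the deployment (172.16.0.1 above); the function name check_wg_conf and the sample keys and addresses are made up for illustration.

```shell
#!/bin/sh
# check_wg_conf FILE EXPECTED_DNS -> 0 if the client config passes all checks.
check_wg_conf() {
    conf=$1 dns=$2 rc=0
    [ -r "$conf" ] || { echo "cannot read $conf" >&2; return 2; }
    # The file embeds the client's private key: allow owner access only.
    perms=$(stat -c %a "$conf" 2>/dev/null || stat -f %Lp "$conf")
    case $perms in
        [0-7]00) ;;
        *) echo "FAIL: mode $perms, run: chmod 600 $conf"; rc=1 ;;
    esac
    # Drop spaces and CRs so "Key = value" becomes "Key=value".
    flat=$(tr -d ' \t\r' < "$conf")
    get() { printf '%s\n' "$flat" | sed -n "s/^$1=//p" | head -n 1; }
    [ -n "$(get PrivateKey)" ] || { echo "FAIL: no PrivateKey"; rc=1; }
    # Full tunnel (assumption): both default routes must be in AllowedIPs.
    allowed=",$(get AllowedIPs),"
    for route in 0.0.0.0/0 ::/0; do
        case $allowed in
            *",$route,"*) ;;
            *) echo "FAIL: AllowedIPs lacks $route"; rc=1 ;;
        esac
    done
    # DNS must be the resolver printed at the end of the deployment.
    case ",$(get DNS)," in
        *",$dns,"*) ;;
        *) echo "FAIL: DNS is not $dns"; rc=1 ;;
    esac
    return $rc
}

# Constructed sample config; keys and addresses are placeholders.
sample=$(mktemp)
cat > "$sample" <<'EOF'
[Interface]
PrivateKey = CONSTRUCTED_PLACEHOLDER_PRIVATE_KEY=
Address = 10.19.49.2/32
DNS = 172.16.0.1

[Peer]
PublicKey = CONSTRUCTED_PLACEHOLDER_PUBLIC_KEY=
AllowedIPs = 0.0.0.0/0, ::/0
Endpoint = 203.0.113.10:51820
EOF
check_wg_conf "$sample" 172.16.0.1 && echo "PASS: $sample"
```

On a real file, call it as check_wg_conf hildeguard.conf 172.16.0.1, using the resolver address your own deployment printed.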

Enjoy extremely good speeds with this setup. Of course, this is again based on your physical location, but WireGuard and IKEv2 are extremely fast and you should get a way better speed than with the OpenVPN setup.

In our next writeup, we will describe a WireGuard setup with the unbound DNS resolver! This is the fastest AND the easiest setup and you'll get it next!
