We promised you an even easier solution than the one we proposed in Chapter 4.3 (OpenVPN), so today we cover a setup that allows IKEv2 with strong crypto (AES-GCM, SHA2 and P-256), and WireGuard with a built-in ad and tracking blocker!
This solution is called Algo VPN!
It is an extremely easy setup and it works 'out of the box' with most cloud providers! One of the best is Hetzner, but as mentioned in Chapter 4.2 they want an ID during the setup of the cloud. Once again, this is not a big issue as you control the cloud, logs etc. Plus, you should be doing a new cloud setup every 14-30 days for maximum privacy and then just delete the old setup. This is less important if you are only using it for streaming, but bear in mind that you control the cloud, so you can exchange it at any time!
Download Algo and deploy it super easily. Connect via ssh to your server:
ssh root@your_server_ip
Run the command
git clone https://github.com/trailofbits/algo.git
to create a directory named algo containing the Algo scripts.
On some Ubuntu and Debian servers you might need to install Python 3 thus:
sudo apt install -y python3-virtualenv
Install Algo's remaining dependencies. You'll need to run these commands from the Algo directory each time you download a new copy of Algo. In a Terminal window cd into the algo directory and run:
python3 -m virtualenv --python="$(command -v python3)" .env && source .env/bin/activate && python3 -m pip install -U pip virtualenv && python3 -m pip install -r requirements.txt
Set up the usernames for the people who will be using the VPN. To accomplish this, use your favorite text editor, such as Nano or Vim, to open and edit the config.cfg file in the ~/algo directory:
nano config.cfg
Or
vim config.cfg
If you wish, remove the lines that represent the default users phone, laptop and desktop, then add your own (e.g., hildeguard, peter, andy) so that the corresponding section of the file looks like this:
users:
  - hildeguard
  - peter
  - andy
Find where it says
adblock_lists:
  - "https://raw.githubusercontent.com/StevenBlack/hosts/master/hosts"
  - "https://hosts-file.net/ad_servers.txt"
  - "add any of the lists you like"
Then find
dnscrypt_servers:
  ipv4:
    - cloudflare
#    - google
  ipv6:
    - cloudflare-ipv6
Replace the lines with
dnscrypt_servers:
  ipv4:
    - doh-jp-blahdns
    - doh-de-blahdns
  ipv6:
    - doh-jp-blahdns-v6
Or of course any of the ones listed here: https://github.com/DNSCrypt/dnscrypt-resolvers/blob/master/v2/public-resolvers.md
You do not need to change this as we are using DNS encryption!
dns_servers:
  ipv4:
    - 126.96.36.199
    - 188.8.131.52
  ipv6:
    - 2606:4700:4700::1111
    - 2606:4700:4700::1001
But change it anyway to
dns_servers:
  ipv4:
    - 184.108.40.206
    - 220.127.116.11
  ipv6:
    - 2001:1608:10:25::1c04:b12f
    - 2001:1608:10:25::9249:d69b
Once this is done, save it and start the deployment. In the algo directory run
./algo
And if all goes well you should see
"# Congratulations! #"
"# Your Algo server is running. #"
"# Config files and certificates are in the ./configs/ directory. #"
"# Go to https://whoer.net/ after connecting #"
"# and ensure that all your traffic passes through the VPN. #"
"# Local DNS resolver 172.16.0.1 #"
"# The p12 and SSH keys password for new users is XXXXXXXX #"
"# The CA key password is XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX #"
If that's the case, congratulations!
SFTP now to your server, and download the config files.
These files should be called:
hildeguard.conf (which is a config file for WireGuard)
hildeguard.mobileconfig (which is a config file for IKEv2 mobile setup for iOS)
hildeguard.png (which is a QR code that you can scan with your Android or iOS device)
Of course, you have the same files for peter and andy.
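A quick check you can run on the downloaded WireGuard file before importing it, as an added example (not part of Algo or of this writeup): it confirms the config is full-tunnel and that DNS points at the local resolver shown in the deployment banner, which is what makes the ad blocker and encrypted DNS apply to your traffic. The sample config, its keys and addresses are constructed placeholders, and requiring ::/0 assumes your server was deployed with IPv6.

```python
import configparser
import ipaddress

# Constructed sample of a WireGuard client config; keys and addresses are placeholders.
SAMPLE_CONF = """\
[Interface]
PrivateKey = AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA=
Address = 10.49.0.2/32, 2001:db8:a160::2/128
DNS = 172.16.0.1

[Peer]
PublicKey = BBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBB=
AllowedIPs = 0.0.0.0/0, ::/0
Endpoint = 203.0.113.10:51820
PersistentKeepalive = 25
"""

def _split(value):
    """Split a comma-separated WireGuard value into trimmed items."""
    return [v.strip() for v in value.split(",") if v.strip()]

def check_wireguard_conf(text, expected_dns="172.16.0.1"):
    """Return a list of problems; an empty list means every check passed."""
    cp = configparser.ConfigParser(delimiters=("=",), interpolation=None)
    cp.read_string(text)
    for section in ("Interface", "Peer"):
        if not cp.has_section(section):
            return [f"missing [{section}] section"]
    problems = []
    # Full tunnel: the peer must accept every IPv4 and IPv6 destination.
    nets = [ipaddress.ip_network(n, strict=False)
            for n in _split(cp["Peer"].get("AllowedIPs", ""))]
    for version, label in ((4, "0.0.0.0/0"), (6, "::/0")):
        if not any(n.version == version and n.prefixlen == 0 for n in nets):
            problems.append(f"AllowedIPs lacks {label}: IPv{version} traffic is not forced through the tunnel")
    # DNS must be the resolver on the VPN server, otherwise lookups skip the ad blocker.
    dns = _split(cp["Interface"].get("DNS", ""))
    if not dns:
        problems.append("no DNS line: the system resolver stays in use")
    for server in dns:
        if server != expected_dns:
            problems.append(f"DNS {server} is not the Algo resolver {expected_dns}")
    return problems

if __name__ == "__main__":
    print(check_wireguard_conf(SAMPLE_CONF) or "OK")
```

To check a real file, pass its contents, e.g. check_wireguard_conf(open("hildeguard.conf").read()).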
Enjoy extremely good speeds with this setup. Of course, this is again based on your physical location, but WireGuard and IKEv2 are extremely fast and you should get a way better speed than with the OpenVPN setup.
In our next writeup, we will describe a WireGuard setup with the Unbound DNS resolver! This is the fastest AND the easiest setup and you'll get it next!