algo wireguard VPN server

2020-11-26 · 2 min read

Setup #

  1. Create DigitalOcean Account https://m.do.co/c/75caca4c0b8e

  2. Create new DigitalOcean API key.

    • API > Personal Access Tokens > Generate New Token.
    • Name: trailofbits/algo, Read: Y, Write: Y.
    • Make sure to save the value somewhere since it'll disappear after leaving the page.
  3. Clone trailofbits/algo

$ git clone https://github.com/trailofbits/algo.git
$ cd algo
$ git checkout -b 20201126 ebec20ed3
  4. Install algo's Python dependencies
$ python3 -m pip install --user --upgrade virtualenv
$ python3 -m virtualenv --python="$(command -v python3)" .env
$ source .env/bin/activate
$ python3 -m pip install -U pip virtualenv
$ python3 -m pip install -r requirements.txt
  5. Set up algo/config.cfg

    • Add some users [phlipphone, phliptop, phlipdesk, ...].
    • Disable IPSEC.
    • Enable unattended_reboot.
  6. Deploy

    • Cloud Provider: DigitalOcean
    • Name: wg
    • Cellular On Demand: N
    • Wifi On Demand: N
    • DNS adblocking: y
    • SSH tunneling: N
    • Enter DigitalOcean API Key.
    • Region: SFO2
  7. SSH into the droplet

$ ssh -F configs/178.128.1.190/ssh_config wg
  8. (Optional) Install the DigitalOcean metrics agent
# curl --proto '=https' --tlsv1.2 -sSf https://repos.insights.digitalocean.com/install.sh | sudo bash
  9. (Optional) Set up DNS forwarding: add nameserver (NS) records at the domain registrar pointing to the DigitalOcean nameservers.

Example: in the registrar, under the domain (phlip9.com), add NS records for the VPN's subdomain (wg.phlip9.com):

Type    Name    Value                   TTL
NS      wg      ns1.digitalocean.com    1 Hour
NS      wg      ns2.digitalocean.com    1 Hour
NS      wg      ns3.digitalocean.com    1 Hour

Verify records have updated (may take a minute):

$ dig NS +nocmd +nocomments wg.phlip9.com

;wg.phlip9.com.                 IN      NS
wg.phlip9.com.          1452    IN      NS      ns1.digitalocean.com.
wg.phlip9.com.          1452    IN      NS      ns3.digitalocean.com.
wg.phlip9.com.          1452    IN      NS      ns2.digitalocean.com.

In DigitalOcean, go to Create > Domains/DNS. Enter Domain: wg.phlip9.com. Add Domain. Then add two records:

    • Create New Record: type: A, hostname: @, will direct to: droplet, ttl: 3600.
    • Create New Record: type: AAAA, hostname: @, will direct to: droplet, ttl: 3600.

Verify records have updated:

$ dig A +nocmd +nocomments wg.phlip9.com

;wg.phlip9.com.                 IN      A
wg.phlip9.com.          3600    IN      A       178.128.1.190

$ dig AAAA +nocmd +nocomments wg.phlip9.com

;wg.phlip9.com.                 IN      AAAA
wg.phlip9.com.          3600    IN      AAAA    2604:a880:2:d0::21d0:e001

Adding New Users #

Add the new users to algo/config.cfg, then run:

$ ./algo update-users

WireGuard VPN Clients #

macOS #

  1. Install WireGuard from App Store

  2. Import tunnels from file > algo/configs/178.128.1.190/wireguard/phliptop.conf

Android #

  1. Install WireGuard from App Store

  2. Scan QR code from image > algo/configs/178.128.1.190/wireguard/phlipphone.png
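Before importing a generated client profile on either platform, it is worth checking that it really is a full-tunnel config pointing at your droplet and that DNS (the adblocking resolver) is routed through the tunnel. The following is an added example, not part of algo or of the original post; the sample config is constructed with placeholder keys and the addresses are assumed, and the only value taken from this page is the droplet IP 178.128.1.190.

```python
import ipaddress
import re

# Constructed sample shaped like algo's configs/<droplet-ip>/wireguard/<user>.conf (placeholder keys, not a real key pair).
SAMPLE_CONF = """\
[Interface]
PrivateKey = PLACEHOLDER_CLIENT_PRIVATE_KEY=
Address = 10.19.49.2/32,fd9d:bc11:4020::2/128
DNS = 172.16.0.1,fd9d:bc11:4021::1

[Peer]
PublicKey = PLACEHOLDER_SERVER_PUBLIC_KEY=
PresharedKey = PLACEHOLDER_PRESHARED_KEY=
AllowedIPs = 0.0.0.0/0,::/0
Endpoint = 178.128.1.190:51820
"""


def parse_wg_conf(text):
    """Parse an INI-style WireGuard config into {section: {key: value}} (one [Peer] assumed)."""
    sections, current = {}, None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()  # drop comments and surrounding whitespace
        if not line:
            continue
        header = re.fullmatch(r"\[(\w+)\]", line)
        if header:
            current = sections.setdefault(header.group(1), {})
        elif current is not None:
            key, _, value = line.partition("=")  # split on the first '=' only; base64 values end in '='
            current[key.strip()] = value.strip()
    return sections


def check_client_conf(text, droplet_ip):
    """Return a list of problems; an empty list means the profile is a full tunnel to the droplet."""
    conf = parse_wg_conf(text)
    iface, peer = conf.get("Interface", {}), conf.get("Peer", {})
    required = {"Interface": ("PrivateKey", "Address", "DNS"), "Peer": ("PublicKey", "AllowedIPs", "Endpoint")}
    problems = [f"missing [{s}] {k}" for s, keys in required.items() for k in keys if k not in conf.get(s, {})]
    host = peer.get("Endpoint", "").rpartition(":")[0].strip("[]")  # host part, IPv6 brackets removed
    if host != droplet_ip:
        problems.append(f"Endpoint host {host!r} is not the droplet {droplet_ip}")
    allowed = [ipaddress.ip_network(n.strip(), strict=False) for n in peer.get("AllowedIPs", "").split(",") if n.strip()]
    if not all(any(n.version == v and n.prefixlen == 0 for n in allowed) for v in (4, 6)):  # 0.0.0.0/0 and ::/0
        problems.append("AllowedIPs is not a full tunnel (expected 0.0.0.0/0 and ::/0)")
    for dns in (d.strip() for d in iface.get("DNS", "").split(",") if d.strip()):  # resolver must be inside the tunnel
        if not any(ipaddress.ip_address(dns) in n for n in allowed):
            problems.append(f"DNS server {dns} is routed outside the tunnel")
    return problems
```

Run `check_client_conf(open("configs/178.128.1.190/wireguard/phliptop.conf").read(), "178.128.1.190")` from the algo directory; anything other than an empty list is worth a look before importing.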