algo wireguard VPN server

2020-11-26 · 2 min read

    Setup

    1. Create a DigitalOcean account: https://m.do.co/c/75caca4c0b8e

    2. Create a new DigitalOcean API token.

      • API > Personal Access Tokens > Generate New Token.
      • Name: trailofbits/algo, Read: Y, Write: Y (algo needs write scope to create the droplet).
      • Save the token somewhere safe (a password manager): it is shown once and disappears after leaving the page, and anyone holding it can create and destroy droplets on the account.

    3. Clone trailofbits/algo and pin it to a reviewed commit rather than running whatever is on master:

    $ git clone https://github.com/trailofbits/algo.git
    $ cd algo
    $ git checkout -b 20201126 ebec20ed3
    
    4. Install algo's Python dependencies in a virtualenv:

    $ python3 -m pip install --user --upgrade virtualenv
    $ python3 -m virtualenv --python="$(command -v python3)" .env
    $ source .env/bin/activate
    $ python3 -m pip install -U pip virtualenv
    $ python3 -m pip install -r requirements.txt
    
    5. Edit algo/config.cfg:

      • Add some users to the `users:` list [phlipphone, phliptop, phlipdesk, ...]. Use one user per device: each gets its own key pair and client config, so a lost device can be revoked on its own.
      • Disable IPsec (`ipsec_enabled: false`), leaving WireGuard as the only transport (`wireguard_enabled: true`).
      • Enable unattended reboots (`enabled: true` under `unattended_reboot:`) so kernel security updates actually take effect.

    6. Deploy with `./algo` and answer the prompts:

      • Cloud Provider: DigitalOcean
      • Name: wg
      • Cellular On Demand: N
      • Wifi On Demand: N
      • DNS adblocking: y
      • SSH tunneling: N
      • Enter the DigitalOcean API token.
      • Region: SFO2

    7. SSH into the droplet using the ssh_config algo wrote under configs/<server ip>/ (the Host alias is the server name from the deploy prompt):

    $ ssh -F configs/178.128.1.190/ssh_config wg
    
    8. (Optional) Install the DigitalOcean metrics agent. Note that this pipes a remote script straight into a root shell; if that is not acceptable, fetch install.sh first and read it before running it.

    # curl --proto '=https' --tlsv1.2 -sSf https://repos.insights.digitalocean.com/install.sh | sudo bash
    
    9. (Optional) Give the VPN a hostname by delegating a subdomain to DigitalOcean: in the domain registrar, add NS records for the VPN's subdomain pointing at DigitalOcean's nameservers (this is delegation, not forwarding; DigitalOcean becomes authoritative for the subdomain).

    Example: in the registrar, under the domain (phlip9.com), add NS records for the VPN's subdomain (wg.phlip9.com):

    Type    Name    Value                   TTL
    NS      wg      ns1.digitalocean.com    1 Hour
    NS      wg      ns2.digitalocean.com    1 Hour
    NS      wg      ns3.digitalocean.com    1 Hour
    

    Verify records have updated (may take a minute):

    $ dig NS +nocmd +nocomments wg.phlip9.com
    
    ;wg.phlip9.com.                 IN      NS
    wg.phlip9.com.          1452    IN      NS      ns1.digitalocean.com.
    wg.phlip9.com.          1452    IN      NS      ns3.digitalocean.com.
    wg.phlip9.com.          1452    IN      NS      ns2.digitalocean.com.
    

    In DigitalOcean, go to Create > Domains/DNS, enter Domain: wg.phlip9.com and click Add Domain. Then create two records pointing the zone apex at the droplet:

      • Create New Record: type: A, hostname: @, will direct to: droplet, TTL: 3600.
      • Create New Record: type: AAAA, hostname: @, will direct to: droplet, TTL: 3600.

    Verify records have updated:

    $ dig A +nocmd +nocomments wg.phlip9.com
    
    ;wg.phlip9.com.                 IN      A
    wg.phlip9.com.          3600    IN      A       178.128.1.190
    
    $ dig AAAA +nocmd +nocomments wg.phlip9.com
    
    ;wg.phlip9.com.                 IN      AAAA
    wg.phlip9.com.          3600    IN      AAAA    2604:a880:2:d0::21d0:e001
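    As an added example (my own script, not part of trailofbits/algo and not a command from this write-up), here is a small POSIX shell check for the two places in the procedure above where a mistake goes unnoticed until later: that config.cfg really has the intended settings (users listed, IPsec off, WireGuard on, unattended reboots on) before `./algo` runs, and that the subdomain delegation and the A/AAAA records resolve to the droplet afterwards. The config.cfg fragment inside it is constructed from the settings described above, and the hostname and addresses are the ones from this post; all three are assumptions to replace with your own.

```shell
#!/bin/sh
# Added example, not part of trailofbits/algo: pre-deploy config check and
# post-deploy DNS check for an algo WireGuard server. Hostname and addresses
# are taken from the write-up and are placeholders for your own values.
set -u

VPN_HOST="wg.phlip9.com"
DROPLET_V4="178.128.1.190"
DROPLET_V6="2604:a880:2:d0::21d0:e001"   # use dig's compressed, lowercase form

# Constructed config.cfg fragment with the settings chosen above. The real
# file has many more keys; only the ones checked below are shown.
sample_config() {
  cat <<'EOF'
users:
  - phlipphone
  - phliptop
  - phlipdesk

ipsec_enabled: false
wireguard_enabled: true

unattended_reboot:
  enabled: true
  time: 06:00
EOF
}

# yaml_block_has FILE KEY PATTERN: succeeds if an indented line matching
# PATTERN appears inside the top-level block "KEY:". Good enough for algo's
# flat config.cfg; it is not a YAML parser.
yaml_block_has() {
  awk -v key="$2" -v pat="$3" '
    $0 ~ ("^" key ":") { inblk = 1; next }
    inblk && /^[^ \t#]/ { inblk = 0 }
    inblk && $0 ~ pat   { found = 1 }
    END { exit !found }' "$1"
}

# config_ok FILE: refuse to deploy unless config.cfg has the intended settings.
config_ok() {
  f="$1"
  yaml_block_has "$f" users '^[ \t]+- [A-Za-z0-9]+' \
    || { echo "config: no users defined"; return 1; }
  grep -qE '^ipsec_enabled:[[:space:]]*false' "$f" \
    || { echo "config: ipsec_enabled should be false"; return 1; }
  grep -qE '^wireguard_enabled:[[:space:]]*true' "$f" \
    || { echo "config: wireguard_enabled should be true"; return 1; }
  yaml_block_has "$f" unattended_reboot '^[ \t]+enabled:[ \t]*true' \
    || { echo "config: unattended_reboot.enabled should be true"; return 1; }
  return 0
}

# records_match RRTYPE EXPECTED...: reads `dig +noall +answer` lines on stdin
# and succeeds only if the RRTYPE answer set equals the expected set exactly,
# so a stale or extra record (e.g. a leftover A record) fails the check.
records_match() {
  rrtype="$1"; shift
  expected=$(printf '%s\n' "$@" | tr 'A-Z' 'a-z' | sort -u)
  # answer lines look like: NAME TTL IN TYPE RDATA
  got=$(awk -v t="$rrtype" '$3 == "IN" && $4 == t { sub(/\.$/, "", $5); print tolower($5) }' | sort -u)
  if [ -n "$got" ] && [ "$got" = "$expected" ]; then return 0; fi
  echo "dns: $rrtype records are [$(printf '%s' "$got" | tr '\n' ' ')], want [$(printf '%s' "$expected" | tr '\n' ' ')]"
  return 1
}

# dns_ok: live checks through the system resolver, run after the registrar
# and DigitalOcean records have been created.
dns_ok() {
  dig +noall +answer NS "$VPN_HOST" \
    | records_match NS ns1.digitalocean.com ns2.digitalocean.com ns3.digitalocean.com || return 1
  dig +noall +answer A "$VPN_HOST" | records_match A "$DROPLET_V4" || return 1
  dig +noall +answer AAAA "$VPN_HOST" | records_match AAAA "$DROPLET_V6" || return 1
  echo "dns: $VPN_HOST -> $DROPLET_V4 / $DROPLET_V6, delegated to DigitalOcean"
}

# Only run when asked, so the functions can also be sourced and used alone.
if [ "${RUN_CHECKS:-0}" = 1 ]; then
  config_ok "${CONFIG:-config.cfg}" && dns_ok
fi
```

    Run it from the algo checkout as `RUN_CHECKS=1 sh check-vpn.sh` (any filename works) once the droplet is up; `config_ok` alone is useful before deploying. The record comparison is deliberately an exact-set match rather than "contains", because a forgotten extra A record from an earlier droplet is exactly the kind of error that silently sends clients to the wrong host.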
    

    Adding New Users

    Add (or remove) users in the `users:` list of algo/config.cfg, then regenerate the client configs. Users dropped from the list lose access, which is how a lost device gets revoked:

    $ ./algo update-users
    

    WireGuard VPN Clients

    macOS

    1. Install WireGuard from the Mac App Store.

    2. Import tunnel(s) from file: algo/configs/178.128.1.190/wireguard/phliptop.conf

    Android

    1. Install WireGuard from Google Play.

    2. Scan the QR code from the image: algo/configs/178.128.1.190/wireguard/phlipphone.png

    Each .conf and its .png hold that user's WireGuard private key, so treat the configs directory as secret material: move each file to its own device only, and don't reuse one user's config on a second device.