- Account on DigitalOcean
- SSH client
- WireGuard VPN client
- Create or choose a team
- Create new project
- Open page with creating droplet:
- Choose region. The one closest to you is the best option.
- Choose OS - Ubuntu. Version 20.04 (LTS) x64 is guaranteed to work.
- Droplet type - Basic
- CPU options - Regular >> $6/month (1 GB RAM / 1 CPU, 10 GB SSD, 1 TB transfer)
- Authentication method - SSH >> Add new SSH or choose existing one
- Give any useful name for hostname
- Configure the DigitalOcean firewall for use with Algo: LINK. Go to Networking, Firewalls, and choose Create Firewall.
- Configure your Inbound Rules as follows (each port is one Algo service; anything not listed stays closed):
- SSH - TCP - 22 (administrative SSH to the droplet)
- Custom - TCP - 4160 (Algo's SSH tunneling port)
- Custom - UDP - 500 (IPsec IKEv2)
- Custom - UDP - 4500 (IPsec NAT traversal)
- Custom - UDP - 51820 (WireGuard)
- Leave the Outbound Rules at their defaults.
- Under Apply to Droplets enter the tag Environment:Algo. Algo tags the VPN server it creates with this tag, so the firewall follows that server rather than only the droplet you are typing on.
- Connect to the droplet using ssh, with the IP of your droplet instead of 000.0.000.0:
ssh root@000.0.000.0
The very first time you connect you'll be asked whether you're sure you want to continue connecting:
The authenticity of host '104.248.255.83 (104.248.255.83)' can't be established.
ED25519 key fingerprint is SHA256:sahj7FrFpuhE+hETvuilHWxgFfrhJMMRRyZtRMvyOJ4.
This key is not known by any other names
Are you sure you want to continue connecting (yes/no/[fingerprint])?
Before typing yes and pressing ENTER, compare the fingerprint with the one the droplet itself reports (for example, run ssh-keygen -lf /etc/ssh/ssh_host_ed25519_key.pub in the DigitalOcean web console, which is out of band from the SSH connection you are verifying). Accepting an unverified host key is exactly what a man-in-the-middle relies on.
- Run the following commands inside the droplet to update its OS and install the Algo VPN prerequisites:
apt -y update
apt -y upgrade
apt install -y --no-install-recommends python3-virtualenv
- Reboot the droplet:
reboot
- Get the latest version of Algo VPN onto the droplet and prepare to install:
git clone https://github.com/trailofbits/algo
cd algo
python3 -m virtualenv --python=/usr/bin/python3 .env
source .env/bin/activate
python3 -m pip install -U pip virtualenv
python3 -m pip install -r requirements.txt
- Configure Algo:
- Open config.cfg in the ~/algo directory in Nano:
nano config.cfg
- Replace the default users phone, laptop, and desktop with your own (at least two users):
users:
  - kolebakin-mac
  - kolebakin-phone
- To improve your server's security posture, consider enabling the unattended_reboot option so it looks like this:
unattended_reboot:
  enabled: true
  time: 04:00
- After saving the file and exiting the editor, run the following command in the ~/algo directory to install Algo:
./algo
- Answer the questions during installation:
- What provider would you like to use?
1. DigitalOcean
- Name the vpn server - default is algo, or any name you want
- Do you want macOS/iOS clients to enable "Connect On Demand" when connected to cellular networks?
y
- Do you want macOS/iOS clients to enable "Connect On Demand" when connected to Wi-Fi?
y
- Do you want to retain the keys (PKI)? (required to add users in the future, but less secure)
y
With y the CA key stays on the server, protected by the CA key password printed at the end of the install; answer N if you will never add users.
- Do you want to enable DNS ad blocking on this VPN server?
y
- Do you want each user to have their own account for SSH tunneling?
N
- Enter your API token. The token must have read and write permissions (https://cloud.digitalocean.com/settings/api/tokens). Generate a new one or copy it from the place where you keep the token secret.
- What region should the server be located in? - choose the region of your droplet.
- Be patient during installation! It takes about 10 minutes.
- When installation is done you will see a message like this (the IP addresses and passwords below are from the author's run; yours will differ):
# Congratulations! #
# Your Algo server is running. #
# Config files and certificates are in the ./configs/ directory. #
# Go to https://whoer.net/ after connecting #
# and ensure that all your traffic passes through the VPN. #
# Local DNS resolver 100.24.117.23, fd10::8:7777 #
# The p12 and SSH keys password for new users is KOTqMq1kc #
# The CA key password is Mucqh9914I6a77gFA #
# Shell access: ssh -F configs/100.99.240.100/ssh_config algo #
Record the p12 and CA key passwords from your own output and keep them somewhere safe; you need them to add users later. The Shell access line is how you reach the Algo server itself.
- Algo saves the client config files for all users in:
~/algo/configs/{your-algo-server-IP}/wireguard
Check the name of this folder: when you choose the DigitalOcean provider, Algo provisions a new droplet through the API, so the Algo server has a different IP address from the droplet you ran the installer on, and the config files stay on the installer droplet. Copy the file for your user from the installer droplet to your desktop with this command in the Mac terminal:
scp root@{your-droplet-IP}:/root/algo/configs/{your-algo-server-IP}/wireguard/{your-vpn-username}.conf ~/Desktop
- Open the WireGuard client. Click Import Tunnel(s) from File..., choose your configuration file and click Import. After that you can Activate your own VPN tunnel.
- Check that the firewall (Networking / Firewalls) is attached to the droplet running the Algo server, not only to the droplet you ran the installer on!
- To check that your VPN works properly:
- IP Address Test. Go to https://whoer.net/ and compare the IP address information before and after activating the VPN connection. If there is no difference and the client IP is still exposed after activating the VPN, the test fails.
- DNS Leak Test. Once connected, go to https://dnsleaktest.com/ and select Extended Test to make sure your DNS is not leaking. You should see Cloudflare as your DNS provider, with the IP address and location of the server region you chose. If the client's original IP address and location are displayed, you have a leak and the test fails.
- WebRTC Test. For a third, more general test, visit https://ipleak.net/ and check the WebRTC detection section to make sure the client's IP address isn't leaking.
- Internet Speed Test (optional). Visit https://fast.com/ to compare your internet speed before and after activating the VPN.
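The browser tests above catch leaks at run time; the two properties they depend on (all traffic routed to the peer, and DNS answered inside the tunnel) can also be checked in the .conf file before it is imported. What follows is an added example, not part of this guide or of the Algo project: a small Python checker for a wg-quick client config. The sample config embedded in it is constructed, with placeholder keys and documentation addresses; the function names are this example's own, and the expected UDP port 51820 is taken from the firewall rule above. It goes slightly beyond the guide by also accepting the 0.0.0.0/1 plus 128.0.0.0/1 pair that some tools write instead of 0.0.0.0/0.

```python
"""Static checks for a WireGuard (wg-quick) client config before importing it.
Added example, not Algo's code; parse_wireguard_conf and check_wireguard_conf
are names chosen for this example."""
import sys
import ipaddress

# Constructed sample in the shape Algo writes to configs/<server-ip>/wireguard/<user>.conf.
# Keys are placeholders and addresses are documentation/private ranges, not a real server.
SAMPLE_CONF = """\
[Interface]
PrivateKey = AAAAclientPrivateKeyPlaceholderAAAAAAAAAAAAA=
Address = 10.49.0.2/32,fd9d:6c1e:b7b0::2/128
DNS = 10.49.0.1,fd9d:6c1e:b7b0::1

[Peer]
PublicKey = AAAAserverPublicKeyPlaceholderAAAAAAAAAAAAAA=
PresharedKey = AAAApresharedKeyPlaceholderAAAAAAAAAAAAAAAA=
AllowedIPs = 0.0.0.0/0,::/0
Endpoint = 203.0.113.10:51820
PersistentKeepalive = 25
"""


def parse_wireguard_conf(text):
    """Minimal parser for the INI-like wg-quick format: returns (interface, peers).
    Keys keep their case, '#' comments are stripped, a later duplicate key wins."""
    interface, peers, current = {}, [], None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        if line.startswith("[") and line.endswith("]"):
            name = line[1:-1].strip().lower()
            if name == "interface":
                current = interface
            elif name == "peer":
                current = {}
                peers.append(current)
            else:
                raise ValueError(f"unknown section [{name}]")
            continue
        if current is None or "=" not in line:
            raise ValueError(f"unexpected line: {raw!r}")
        key, value = (part.strip() for part in line.split("=", 1))  # first '=' only: keys end in '='
        current[key] = value
    return interface, peers


def _networks(csv):
    return [ipaddress.ip_network(s.strip(), strict=False) for s in csv.split(",") if s.strip()]


def _covers_everything(nets, version):
    """True if the networks of this IP version merge into the default route (/0)."""
    same = [n for n in nets if n.version == version]
    return any(n.prefixlen == 0 for n in ipaddress.collapse_addresses(same))


def check_wireguard_conf(text, expected_port=51820):
    """Return a list of findings; an empty list means the config is a full tunnel
    whose resolver is reached through the tunnel and whose endpoint matches the firewall."""
    interface, peers = parse_wireguard_conf(text)
    findings = []
    allowed = [n for p in peers for n in _networks(p.get("AllowedIPs", ""))]
    for version, label in ((4, "IPv4"), (6, "IPv6")):
        if not _covers_everything(allowed, version):
            findings.append(f"split-tunnel: {label} traffic is not fully routed through the peer(s)")
    dns = interface.get("DNS")
    if not dns:
        findings.append("dns-missing: no DNS= line, the OS keeps using its current resolver")
    else:
        for server in (s.strip() for s in dns.split(",")):
            try:
                addr = ipaddress.ip_address(server)
            except ValueError:
                continue  # wg-quick also accepts search domains on this line; skip them
            if not any(addr in n for n in allowed if n.version == addr.version):
                findings.append(f"dns-leak: resolver {server} is not routed through the tunnel")
    for peer in peers:
        endpoint = peer.get("Endpoint", "")
        _host, sep, port = endpoint.rpartition(":")  # also handles [v6]:port
        if not sep or not port.isdigit():
            findings.append(f"endpoint-invalid: {endpoint!r}")
        elif int(port) != expected_port:
            findings.append(f"endpoint-port: {endpoint} does not use UDP {expected_port} opened in the firewall")
        if "PersistentKeepalive" not in peer:
            findings.append("keepalive-missing: peer has no PersistentKeepalive, may stall behind NAT")
    return findings


if __name__ == "__main__":
    # Usage: python3 wgcheck.py ~/Desktop/<user>.conf   (falls back to the sample)
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_CONF
    problems = check_wireguard_conf(text)
    print("\n".join(problems) if problems else "OK: full tunnel, DNS inside the tunnel")
    sys.exit(1 if problems else 0)
```

Run it against the .conf you copied with scp; a non-empty output means the tunnel would pass the IP test but may fail the DNS leak test, or would leave some traffic outside the VPN entirely.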
I have gone through this process now a few times, except for the firewall configuration, and I have received the message "Congratulations! Your Algo server is running" a couple of times now. However, it creates a second droplet ("algo") instead of using the droplet I initially set up per your instructions, which I named "AlgoDroplet". It also created a second SSH key called "algo@ssh", instead of using the one I already had set up for my DigitalOcean account. I have no idea where the public/private keys are saved for that key. The algo directory and installation files were not installed in the new droplet, however, but in the one I set up per your instructions. If I try to launch the droplet console for the "algo" droplet, I receive a message that "all configured authentication methods failed". However, I am able to launch the droplet console for the "AlgoDroplet", so maybe it will work.