Wednesday, March 21, 2018

Create Your Own Personal VPN with Algo

I have known for some time that browsing on public Wi-Fi networks without using a VPN (Virtual Private Network) was a bad idea, because anyone on the same network can easily sniff all unencrypted traffic (HTTPS protects the contents of a page, but not plain-HTTP traffic or the names of the sites you visit), possibly compromising all manner of personal data. For this reason, I have had a free TunnelBear account for years. It was great, because it offered 500MB of free data per month (+1GB if you tweeted about them, which I often did), and I essentially never needed more. On those rare occasions I did, I switched to cellular, or just gave up and turned off the VPN.


The problem with this approach is that I had to manually connect to TunnelBear every time, which I often forgot to do, or even didn’t know was necessary, as the iPhone automatically connects to known Wi-Fi networks every time unless you specifically tell it not to. And even when I did remember, connecting manually leaves a window between joining the Wi-Fi network and bringing the VPN up, during which apps that sync in the background are already talking in the clear. So I have for some time wanted a free or cheap way to make my iPhone auto-connect to a VPN whenever it connected to an untrusted (i.e. other than home or work) Wi-Fi network. Cloak VPN (now known as encrypt.me) would do it, but it was expensive, at $10/month (although I now see that they have a limited plan for $3/mo; not bad), for something I needed only occasionally. I used their free trial, then uninstalled it. Then I tried using Activator when my iPhone was jailbroken. This worked, but drained my battery like crazy, so I gave up on it and went back to TunnelBear, which, though it was either always-on or manual-connect, had the advantages of being free, user-friendly, and gentle on my battery.


Still, I would occasionally get frustrated and Google around looking for a better solution. I did run across something, but it looked too technical to try using my iPhone alone, and of course I never thought of it when I was at my computer: custom profiles. Well, today I finally got fed up enough that I remembered to do it once I got home (well, alright, I ran across an iPhone browser tab that I had left open), and decided to give it a shot. In the process, though, I found an even better way than that article described: Algo (named after Al Gore), an open-source project from Trail of Bits. It’s not (nearly) as user-friendly as TunnelBear, but it will automatically connect on untrusted networks, it’s free(ish), and it lets you set up your own VPN server, so you don’t have to trust some faceless VPN company.


Edit: In the process of setting up Algo, I discovered that TunnelBear had added the ability to add trusted networks, which is what I had wanted all the time. So if you don’t plan to regularly use more than 1.5GB of data per month while connected to public Wi-Fi networks (or are willing to pay $10/mo for unlimited VPN data), and you trust TunnelBear not to misuse/sell/accidentally compromise your data, just use that. It’s free, easy, and works great (though be warned that, like any commercial VPN, TunnelBear is not without flaws).


However, if you’re interested in setting up your own, personal VPN for cheap, and aren’t averse to getting your hands a little dirty in Terminal, read on!


First, a warning: VPNs are not a panacea. They don’t make you completely anonymous (use Tor for that…though it comes with its own problems). They don’t protect against the fact that just connecting to a Wi-Fi network can identify you. Heck, even having Wi-Fi on means that you can be tracked, and VPNs can’t do anything about that. What a VPN can do is ensure that your data cannot be sniffed by local hackers, and it can also prevent unscrupulous ISPs from seeing/modifying/selling your data. Note, however, that your VPN service can do all of those things, whether or not they choose to. That’s true to a degree even with Algo: the VPN encrypts your traffic only as far as your server, and from there it goes out to its destination as-is (protected only if the application itself uses TLS), so whatever hosting service you’re using has, in principle, access to everything that passes through that instance. Amazon (or whoever you use) has little business reason to inspect one customer’s instance, but the capability is there. Don’t expect any of this to protect you from a warrant from the FBI, either; that’s a whole ’nother level of security, which we won’t be dealing with here. Maybe if you set up Algo on your own Ubuntu server on an encrypted disk on a computer you own, the FBI couldn’t easily find out what you had been doing with a warrant. Maybe. Just recognize that everything has tradeoffs, and there’s no perfect solution.


Following is a step-by-step list of instructions to get Algo installed on Mac and iOS devices. These instructions can be easily adapted for other systems, but I’m focusing on Apple boxes. None of this is my own invention; I drew from various instruction sets around the Internet, particularly MacObserver’s and, of course, Algo’s. For simplicity, these instructions assume you’re doing this on a Mac running macOS High Sierra (though the instructions will likely apply to any proximate version of macOS) and using Amazon EC2 as a host. Amazon EC2 is free for a year (if you stay within Amazon’s rather expansive limits; the one to watch is the monthly cap on outbound data transfer, since everything you download through the VPN leaves Amazon’s network a second time on its way to you). I’ll try to revisit this with more info after that year expires; I don’t mind paying a small amount for on-demand VPN, but I’d really rather not pay $10/month for something I use only occasionally.


The reason I’m doing this is that the instructions I’ve seen are not clear or detailed enough; I had trouble figuring out what I should do at several points and had to research it, so I’m passing the benefit of that on to you. The settings I chose are for securing public Wi-Fi connections, not your home network, though making a different choice is a matter of leaving one question blank. As noted above, I will be using Amazon EC2; if you want to use another host, instructions can be found elsewhere, including in the previously-mentioned MacObserver article.


How to set up Algo using macOS

  1. Create a free account at Amazon Web Services. They’ll ask you for a credit or debit card number (that has at least $1 on it) to verify your identity and charge you if you actually spend any money; that’s fine. If you stay within Amazon’s limits, this account is free for a year, and likely cheap thereafter. (I had trouble logging in after I created my account using Safari, so I used Google Chrome.)
  2. From your Amazon Web Services Console page, choose IAM from the Services menu.
  3. Select the Users tab.
  4. Click “Add User.”
  5. Enter your desired user name, then choose “Programmatic Access” below. Click “Next.”
  6. Select “Attach existing policies directly.”
  7. Choose “AdministratorAccess” in the list below. Click “Next.” (This grants far more than Algo needs; it only has to create EC2 resources. It’s the simplest choice for a one-off setup, but treat the resulting key as what it is, a full administrator credential for your AWS account, and make it inactive or delete it under IAM→Users→Security credentials once the deployment is finished. You can always create a new key if you need to redeploy.)
  8. Review your choices, then click “Create User.”
  9. Click “Download .csv.”
    • In Safari, this brought up a tab with the information in it, instead of downloading a .csv file. If this happens, Select All, Copy, Paste it into your text editor of choice, then Save it (in plain text) as credentials.csv.
  10. Click “Close.”
  11. Download Algo. Unzip the resulting archive if Safari hasn’t done that for you already. You should have a folder in your Downloads folder called “algo-master.”
  12. Open the Terminal app.
  13. Type cd and then drag the “algo-master” folder into the Terminal. Its directory path should show up after “cd.” Hit Enter.
  14. Now we enter a few commands in Terminal. You can just triple-click on the command below, choose Copy, switch to Terminal, and choose Paste. Done right, that will even press Enter for you! Or, you can type them as displayed below.
  15. Type
    python -m ensurepip --user
    and press Enter.
  16. Type
    python -m pip install --user --upgrade virtualenv
    and press Enter.
  17. Type
    python -m virtualenv env && source env/bin/activate && python -m pip install -r requirements.txt
    and press Enter.
  18. If you’ve never installed the Xcode Command Line Tools (the prompt appears the first time something calls the cc compiler), you’ll be prompted to do that. Go ahead and agree; it’s perfectly safe and required to move forward.
  19. After everything completes, type
    nano config.cfg
    and press Enter. (You don’t need sudo here; the file is in your own Downloads folder, and editing it as root can leave root-owned files behind.) A text editor will open. Under the section called users in the file, replace the existing user names with whatever usernames you wish to use, keeping the same indentation and the leading “- ” on each line, since the file is YAML (you’ll have to use the arrow keys instead of the mouse to navigate around the screen). These are the people who will have access to your VPN, and each one gets their own certificate. Once you’ve added your users, press Control-X, then Y to confirm saving, then Enter to keep the file name, which exits the text editor.
  20. Now we install Algo itself. Stay in Terminal, and type
    ./algo
    and press Enter.
  21. Algo will ask you what provider you’re going to use. We’re using Amazon EC2, so choose “3” (and press Enter of course; I’m not going to mention that for every option). Read the menu rather than typing the number blindly; the numbering changes between Algo versions.
  22. Now it asks for the aws_access_key. Go back to your Downloads folder and open the “credentials.csv” file you downloaded earlier. Copy the Access Key ID and paste it into the Terminal. Press Enter.
  23. Do the same for the Secret access key.
  24. Name your server. You can name it whatever you like, though I presume there are some limits on what characters you can use and how long it can be.
  25. Choose a Region. It’s likely better to choose the one nearest where you’ll usually be, for speed reasons.
  26. It asks “Do you want macOS/iOS clients to enable "VPN On Demand" when connected to cellular networks?” For our purposes, choose No. Choose Yes if you want your VPN to protect your cellular connection as well.
  27. It asks “Do you want macOS/iOS clients to enable "VPN On Demand" when connected to Wi-Fi?” Choose Yes.
  28. Look up the exact name of any trusted Wi-Fi networks (all of your remembered Wi-Fi networks will be in System Preferences→Network→Advanced…). Sadly, you can’t Copy from there, but you can carefully type them into Terminal, separated by commas but not spaces (there can be spaces in the network names, though). Only select those networks you personally trust; i.e. not Starbucks! These are usually your home and work Wi-Fi networks. Keep in mind that the match is on the network name alone, so a rogue access point broadcasting the same name as your home network would be treated as trusted too; keep the list short and don’t trust generic names like “linksys.” If you want always-on VPN, don’t add any networks here.
  29. Whether you want your personal VPN to block ads is up to you; I prefer the more fine-grained control of an ad-blocker.
  30. SSH tunneling gives each user a restricted SSH account on the server that can be used as a SOCKS proxy in places where the VPN itself is blocked. That isn’t useful for our purposes. Choose No.
  31. I only intend to use this VPN for macOS and iOS clients, so I chose No to Windows 10 and Linux Desktop compatibility.
  32. It says that retaining the CA key is less secure (anyone who gets hold of it can mint new client certificates for your VPN), so I said no. Note that this means that you can’t create more users later without starting all over (which isn’t that hard).
  33. Now go grab a sandwich or something, while Algo installs itself to your Amazon EC2 instance.
  34. The confirmation screen gives some valuable info. I would recommend copying and pasting the final screen into a text file for future reference. At the very minimum, you absolutely need the password it shows after “The p12 and SSH keys password for new users is”. Save that in a safe place, like a password manager.
  35. Now we get to configure your Macs and iOS devices to use your brand-new VPN service. First off, uninstall any existing VPNs. We don’t want any conflicts. This involves deleting VPN apps from Mac and iOS devices, and checking System Preferences→Profiles on the Mac, and Settings→General→Profiles in iOS for VPN profiles (including old Algo profiles) and deleting them.
  36. Go back to your downloads folder in the Finder, and open the “algo-master” folder. Inside it is a “configs” folder (~/Downloads/algo-master/configs), and inside that is a folder named for your AWS server’s IP address. Open that folder, and, among other things, you’ll see files named .mobileconfig.
  37. Open the .mobileconfig file that corresponds with the correct user on any Mac you want to use your newly created VPN on (just double-click it).
  38. Choose “Continue.”
  39. Choose “Continue” again.
  40. Enter the password you hopefully saved from the Algo confirmation screen in Terminal. If not, it should still be there in the Terminal window.
  41. Click Install, and enter an administrator username and password for this Mac.
  42. If you included your current Wi-Fi network in the list of trusted Wi-Fi networks in Step 28 above, you won’t have any way immediately to test your install. Connect to an untrusted network (perhaps go to Starbucks; you deserve a coffee after all this work. Or just enable the Guest network on your router), and go to https://whoer.net/ to see if you did everything right. If you did, Mr. Whoer should report your ISP as “Amazon.com." If not, try going to System Preferences→Profiles, deleting the profile you installed earlier, and starting again from Step 35.
  43. If it worked, congrats! Send the file to any other Macs you wish to secure, and go through Steps 37–42 again. Then Airdrop (or email, or whatever) that file to every iOS device you want to VPN with.
  44. Open the file on your iOS device (whether by tapping it in email, receiving the Airdrop file, or whatever)
  45. Tap Install, then enter your device password. Tap Install again, then a third time.
  46. Enter the password you saved in Step 34. Tap Next.
  47. Tap Done. That’s it! It should be working. Again, connect to an untrusted network and visit https://whoer.net. The IP address should be the one in your profile.
  48. Now you can delete the “algo-master” folder from your Downloads folder. You may wish to keep the “configs” folder, or at least the .mobileconfig files, along with the Algo confirmation details, somewhere safe. Treat all of it as secret: each .mobileconfig carries that user’s client certificate and private key (protected only by the p12 password), and anyone who has the file and the password can join your VPN as that user. The “credentials.csv” file is an administrator key for your AWS account; rather than keeping it around, make the key inactive or delete it in IAM now that the deployment is done. You may be tempted to hold on to the entire algo-master folder, and that’s not a terrible idea, but remember that they will probably make improvements in the future, so remember to download a new copy if you want to start over sometime.

Now, you may want to change things in the future, such as the list of users, or the trusted networks (perhaps you decide you like this VPN thing so much you want to use it all the time).

  • If you chose to save the CA key in Step 32 above, this is fairly simple. If not, you’ll have to destroy your instance and start over, which is not really that much work.
  • To change the list of trusted networks, open the .mobileconfig file in a text editor (PlistEdit Pro is an excellent tool for this task), navigate to your current list of trusted networks (under SSIDMatch), and add or remove networks as you please. Make sure you keep the exact formatting as shown for any new or changed lines. Then, on each device, delete the installed profile and install the edited file the same way as before; the installed copy does not pick up changes to the file on disk.
  • To destroy the instance you created, log into Amazon Web Services, select EC2 (under “Compute”) from the Services menu, choose Instances, and click on Actions→Instance State→Terminate. Afterwards, check that nothing Algo created is left behind; an Elastic IP that is no longer attached to an instance, for example, is listed under Network & Security→Elastic IPs and is billed while it sits idle. (If your Algo version deployed through a CloudFormation stack, deleting the stack removes everything at once.) That will allow you to start over from Step 11.
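If you’d rather not hand-edit the plist (a stray character in a .mobileconfig makes the whole profile refuse to install), here is a small script that does the SSIDMatch edit from the bullet above, and also reads the server address the profile points at, which is the IP you compare against on whoer.net. This is an added example, not code from the original post or from the Algo project. It only uses the standard library’s plistlib. The sample profile embedded below is constructed to mirror the layout of an Apple VPN payload for illustration; it is not real Algo output, and the assumption that the server lives under RemoteAddress in the IKEv2 dictionary is mine, so check it against your own file before relying on it.

```python
"""Add or remove trusted Wi-Fi networks in an Algo-style .mobileconfig.

Added example (not from the original post or the Algo project). It edits the
SSIDMatch arrays inside the profile's OnDemandRules using plistlib only.
"""
import plistlib
from typing import Iterable, List

# Constructed sample: just the pieces of a VPN profile that matter for
# VPN On Demand. Layout follows Apple's com.apple.vpn.managed payload;
# the RemoteAddress location is an assumption about Algo's IKEv2 profile.
SAMPLE_PROFILE = {
    "PayloadType": "Configuration",
    "PayloadContent": [
        {
            "PayloadType": "com.apple.vpn.managed",
            "VPNType": "IKEv2",
            "IKEv2": {"RemoteAddress": "203.0.113.10"},
            "OnDemandEnabled": 1,
            "OnDemandRules": [
                # Trusted Wi-Fi (the list typed at Step 28): stay disconnected.
                {"Action": "Disconnect", "InterfaceTypeMatch": "WiFi",
                 "SSIDMatch": ["Home Wi-Fi", "Work"]},
                # Any other Wi-Fi: bring the VPN up.
                {"Action": "Connect", "InterfaceTypeMatch": "WiFi"},
                # Cellular: left alone, matching the "No" at Step 26.
                {"Action": "Disconnect", "InterfaceTypeMatch": "Cellular"},
                {"Action": "Ignore"},
            ],
        }
    ],
}
SAMPLE_BYTES = plistlib.dumps(SAMPLE_PROFILE)


def _vpn_payloads(profile: dict) -> List[dict]:
    """Only the VPN payload(s); the profile also carries certificates."""
    return [p for p in profile.get("PayloadContent", [])
            if p.get("PayloadType") == "com.apple.vpn.managed"]


def server_address(profile_bytes: bytes) -> str:
    """The VPN server the profile connects to (assumed under IKEv2/RemoteAddress)."""
    for payload in _vpn_payloads(plistlib.loads(profile_bytes)):
        addr = payload.get("IKEv2", {}).get("RemoteAddress")
        if addr:
            return addr
    raise ValueError("no IKEv2 RemoteAddress found in profile")


def trusted_networks(profile_bytes: bytes) -> List[str]:
    """Every SSID listed in an SSIDMatch rule, in file order."""
    ssids: List[str] = []
    for payload in _vpn_payloads(plistlib.loads(profile_bytes)):
        for rule in payload.get("OnDemandRules", []):
            ssids.extend(rule.get("SSIDMatch", []))
    return ssids


def update_trusted_networks(profile_bytes: bytes, add: Iterable[str] = (),
                            remove: Iterable[str] = ()) -> bytes:
    """Return a new profile with SSIDs added to / removed from SSIDMatch rules.

    Only rules that already carry SSIDMatch are touched, so the Connect,
    Cellular and Ignore rules keep their meaning. No duplicates are added,
    removing an absent SSID is a no-op, and a rule whose list becomes empty
    is dropped entirely: the catch-all Connect rule then covers every Wi-Fi
    network, which is what "always-on" means in Step 28.
    """
    profile = plistlib.loads(profile_bytes)
    drop = set(remove)
    touched = 0
    for payload in _vpn_payloads(profile):
        kept = []
        for rule in payload.get("OnDemandRules", []):
            if "SSIDMatch" not in rule:
                kept.append(rule)
                continue
            touched += 1
            ssids = [s for s in rule["SSIDMatch"] if s not in drop]
            for s in add:
                if s not in ssids:
                    ssids.append(s)
            if ssids:
                rule["SSIDMatch"] = ssids
                kept.append(rule)
        payload["OnDemandRules"] = kept
    if touched == 0:
        raise ValueError("profile has no SSIDMatch rule; was Wi-Fi On Demand enabled?")
    return plistlib.dumps(profile)


if __name__ == "__main__":
    import argparse
    ap = argparse.ArgumentParser(description="edit trusted SSIDs in a .mobileconfig")
    ap.add_argument("profile")
    ap.add_argument("--add", action="append", default=[], metavar="SSID")
    ap.add_argument("--remove", action="append", default=[], metavar="SSID")
    ap.add_argument("-o", "--output", help="write here instead of overwriting")
    args = ap.parse_args()
    with open(args.profile, "rb") as fh:
        data = fh.read()
    print("server:", server_address(data))
    print("trusted before:", trusted_networks(data))
    data = update_trusted_networks(data, add=args.add, remove=args.remove)
    with open(args.output or args.profile, "wb") as fh:
        fh.write(data)
    print("trusted after:", trusted_networks(data))
```

Run it as `python3 edit_profile.py ~/Downloads/algo-master/configs/<server-ip>/<user>.mobileconfig --add "Parents Wi-Fi" --remove Work -o edited.mobileconfig`, then remove the old profile on each device and install the edited file. Because a profile with no SSIDMatch rule at all is ambiguous (it could mean “always-on” or a profile generated without Wi-Fi On Demand), the script refuses to guess and raises instead.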

Enjoy your new, personal VPN! Let me know how it goes, or any difficulties you have with these instructions, in the comments below!