Wednesday, March 21, 2018

Create Your Own Personal VPN with Algo

(updated—Fixed links, updated instructions for macOS Mojave, and added instructions for Google Compute Engine)

 

I have known for some time that browsing on public Wi-Fi nets without using a VPN (Virtual Private Network) was a bad idea, because a hacker can easily sniff all unencrypted traffic, possibly compromising all manner of personal data. For this reason, I have had a free TunnelBear account for years. It was great, because it offered 500MB of free data per month (+1GB if you tweeted about them, which I often did), and I essentially never needed more. On those rare occasions I did, I switched to cellular, or just gave up and turned off the VPN.

 

The problem with this approach is that I had to manually connect to TunnelBear every time, which I often forgot to do, or even didn’t know was necessary, as the iPhone automatically connects to known Wi-Fi networks every time unless you specifically tell it not to. And even when I did remember, connecting manually leaves you open to security leaks. So I have for some time wanted a free or cheap way to make my iPhone auto-connect to a VPN whenever it connected to an untrusted (i.e. other than home or work) Wi-Fi network. Cloak VPN (now known as encrypt.me) would do it, but it was expensive, at $10/month (although I now see that they have a limited plan for $3/mo; not bad), for something I needed only occasionally. I used their free trial, then uninstalled it. Then I tried using Activator when my iPhone was jailbroken. This worked, but drained my battery life like crazy, so I gave up on it and went back to TunnelBear, which, though it was either always-on or manual-connect, had the advantages of being free, user-friendly, and gentle on my battery.

 

Still, I would occasionally get frustrated and Google around looking for a better solution. I did run across something, but it looked too technical to try using my iPhone alone, and of course I never thought of it when I was at my computer: custom profiles. Well, today I finally got fed up enough that I remembered to do it once I got home (well, alright, I ran across an iPhone browser tab that I had left open), and decided to give it a shot. In the process, though, I found an even better way than that article described: Algo (named after Al Gore). It’s not (nearly) as user-friendly to set up as TunnelBear, but it will automatically connect on untrusted networks, it’s free(ish), and it lets you set up your own VPN, so you don’t have to trust some faceless VPN company.

 

Edit: In the process of setting up Algo, I discovered that TunnelBear had added the ability to add trusted networks, which is what I had wanted all the time. So if you don’t plan to regularly use more than 1.5GB of data per month while connected to public Wi-Fi networks (or are willing to pay $10/mo for unlimited VPN data), and you trust TunnelBear not to misuse/sell/accidentally compromise your data, just use that. It’s free, easy, and works great (though be warned that, like any commercial VPN, TunnelBear is not without flaws).

 

However, if you’re interested in setting up your own, personal VPN for cheap, and aren’t averse to getting your hands a little dirty in Terminal, read on!

 

First, a warning: VPNs are not a panacea. They don’t make you completely anonymous (use Tor for that…though it comes with its own problems). They don’t protect agains the fact that just connecting to a Wi-Fi network can identify you. Heck, even having Wi-Fi on means that you can be tracked, and VPNs can’t do anything about that (although iPhones, at least, have been immune from this particular problem since iOS 8). What it can do is ensure that your data cannot be sniffed out by local hackers, and it can also prevent unscrupulous ISPs from seeing/modifying/selling your data. Note, however, that your VPN service can do all of those things, whether or not they choose to. That’s true to a degree even with Algo; whatever hosting service you’re using theoretically has access to all of the data you transfer over the VPN. However, Amazon (or whoever you use) probably doesn’t know (unless someone goes and checks) that you’re using a VPN on their service, so they have little incentive to snoop. Don’t expect any of this to protect you from a warrant from the FBI, however; that’s a whole ’nother level of security, that we won’t be dealing with here. Maybe if you set up Algo your own Ubuntu server on an encrypted disk on a computer you own, the FBI couldn’t easily find out what you had been doing with a warrant. Maybe. Just recognize that everything has tradeoffs, and there’s no perfect solution.

 

Following is a step-by-step list of instructions to get Algo installed on Mac and iOS devices. These instructions can be easily adapted for other systems, but I’m focusing on Apple boxes. None of this is my own invention; I drew from various instruction sets around the Internet, particularly MacObserver’s and, of course, Algo’s. For simplicity, these instructions assume you’re doing this on a Mac running macOS Mojave (though the instructions will likely apply to any proximate version of macOS) and using Amazon EC2 as a host. Amazon EC2 is free for a year (if you stay within Amazon’s rather expansive limits). I’ll try revisit this with more info after that year expires; I don’t mind paying a small amount for on-demand VPN, but I’d really rather not pay $10/month for something I use only occasionally.

 

Update: My Free Tier has expired; for the first month since, my bill was $9.10. This stacks up well with other services like Tunnelbear. If it’s that much every month, signing up for a Tunnelbear annual plan would be cheaper; we’ll have to see if that’s the case. || Eep! Looking more closely at my bill, I see that most ($8.20) of that bill is for 720 hours of computing time—in other words, continuously, whether I’m actively using the VPN or not. So no, this isn’t cheaper than an annual plan from Tunnelbear. DigitalOcean, another Algo-compatible host, is only $5/mo, so that could be a better option than Amazon EC2. However, I’ve heard that Google’s cloud platform, GCP, doesn’t charge for computing hours for VPNs the way that Amazon and DigitalOcean do, so that could be a nearly free option (and Google Cloud also has a 1-year free trial, so at least I can get another free year). I’ll include instructions for GCP below.

 

The reason I’m doing this is that the instructions I’ve seen are not clear or detailed enough; I had trouble figuring out what I should do at several points and had to research it, so I’m transmitting the benefit of that to you. The settings I chose are for securing public Wi-Fi connections, not your home network, though making a different choice is a matter of not setting one option. As noted above, these instructions are for Amazon EC2 or Google GCE; if you want to use another host, instructions can be found elsewhere, including in the previously-mentioned MacObserver article.

 

How to set up Algo using macOS

 

Note: Any text in fixed-width font is intended to be entered into Terminal.app. You should be able to triple-click on the listed command, choose Copy, switch to Terminal, and choose Paste. Done right, that will even press Return for you! Or, you can just type them as displayed.

  1. Set up a Cloud Services account.
    • Amazon EC2:
      • Create a free account at Amazon Web Services. They’ll ask you for a credit or debit card number (that has at least $1 on it) to verify your identity and charge you if you actually spend any money; that’s fine. If you stay within Amazon’s limits, this account is free for a year, and likely cheap thereafter. (I had trouble logging in after I created my account using Safari, so I used Google Chrome.)
      • From your Amazon Web Services Console page, choose IAM from the Services menu.
      • Select the Users tab.
      • Click “Add User.”
      • Enter your desired user name, then choose “Programmatic Access” below. Click “Next.”
      • Select “Attach existing policies directly.”
      • Choose “AdministratorAccess” in the list below. Click “Next.”
      • Review your choices, then click “Create User.”
      • Click “Download .csv.”
        • In Safari, this brought up a tab with the information in it, instead of downloading a .csv file. If this happens, Select All, Copy, Paste it into your text editor of choice, then Save it (as plain text) as credentials.csv.
      • Click “Close.”
    • Google GCE:
      • Install gcloud:
        • Make sure that Python 2.7 is installed on your system. Launch Terminal.app and type:
          python -V
          and press Return.
        • Download the 64-bit installer from the gcloud Quickstart page.
        • Expand the archive by double-clicking on it. You may need to install an expander such as The Unarchiver first.
        • Move the resulting “google-cloud-sdk”folder into your Home folder.
        • In Terminal, type
          ./google-cloud-sdk/install.sh
          and press Return. It will ask you a few questions.
          • Whether you want to send data back to Google is up to you.
          • When it asks if you want to continue, hit Return.
          • When it asks you to enter a path, hit Return.
        • Close that Terminal window.
        • Open another Terminal window.
        • Type
          gcloud init
          and press Return.
        • Accept the option to log in using your Google user account. This will open Chrome and allow you to log into your Google account and authorize Google Cloud.
        • Choose No when it asks you if you would like to create a project.
      • Log into Google Cloud and accept the license agreement.
  2. Download Algo. Unzip the resulting archive if Safari hasn’t done that for you already. You should have a folder in your Downloads folder called “algo-master.”
  3. Open the Terminal app.
  4. Type cd and then drag the “algo-master” folder into the Terminal. Its directory path should show up after “cd.” Hit Return.
  5. Now we enter a few commands in Terminal. If you receive any errors in this process, I’ve found that closing the Terminal window, making a new one, and starting from Step 4 usually works.
  6. Type
    python -m ensurepip --user
    and press Return.
  7. Type
    python -m pip install --user --upgrade virtualenv
    and press Return.
  8. Type
    python -m virtualenv --python=`which python2` env &&
  9. source env/bin/activate &&
  10. python -m pip install -U pip virtualenv &&
  11. python -m pip install -r requirements.txt
    and press Return.
  12. If you’ve never installed the cc command line tools, you’ll be prompted to do that. Go ahead and agree, it’s perfectly safe and required to move forward.
  13. After everything completes, type
    sudo nano config.cfg
    and press Return. You’ll be asked for your administrative password, and then a text editor will open. Under the section called Users in the file, replace the existing user names with whatever usernames you wish to use (you’ll have to use the arrow keys instead of the mouse to navigate around the screen). These are the people who will have access to your VPN. Once you’ve added your users, press Control-X to save your changes and exit the text editor.
  14. Now we install Algo itself.
    • If you’re using Amazon EC2:
      • Stay in Terminal, and type
        ./algo
        and press Return.
      • Algo will ask you what provider you’re going to use. We’re using Amazon EC2, so choose “3” (and press Return of course; I’m not going to mention that for every option).
      • Now it asks for the aws_access_key. Go back to your Downloads folder and open the “credentials.csv” file you downloaded earlier. Copy the Access Key ID and paste it into the Terminal. Press Return.
      • Do the same for the Secret access key.
    • If you’re using Google GCE:
  15. Name your server. You can name it whatever you like, though I presume there are some limits on what characters you can use and how long it can be. I just hit Return to accept the default option in brackets (“algo”).
  16. Choose a Region. It’s likely better to choose the one nearest where you’ll usually be, for speed reasons (this question may come after the others if you’re using GCE).
  17. It asks “Do you want macOS/iOS clients to enable "VPN On Demand" when connected to cellular networks?” For our purposes, choose No. Choose Yes if you want your VPN to protect your cellular connection as well.
  18. It asks “Do you want macOS/iOS clients to enable "VPN On Demand" when connected to Wi-Fi?” Choose Yes.
  19. Look up the exact name of any trusted Wi-Fi networks (all of your remembered Wi-Fi networks will be in System Preferences→Network→Advanced… Sadly, you can’t Copy from there, but you can carefully type them into Terminal, separated by commas but not spaces (there can be spaces in the network names, though). Only select those networks you personally trust; i.e. not Starbucks! These are usually your home and work Wi-Fi networks. If you want always-on VPN, don’t add any networks here.
  20. Whether you want your personal VPN to block ads is up to you; I prefer the more fine-grained control of an ad-blocker.
  21. SSH tunneling is for tricking firewalls and such, and so isn’t useful for our purposes. Choose No.
  22. I only intend to use this VPN for macOS and iOS clients, so I chose No to Windows 10 and Linux Desktop compatibility.
  23. It says that doing so would create an insecurity, so I said no to retaining the CA key. Note that this means that you can’t create more users later without starting all over from Step 3 (which isn’t that hard).
  24. Now go grab a sandwich or something, while Algo installs itself to your Amazon EC2 or Google GCE instance.
  25. The confirmation screen gives some valuable info. I would recommend copying and pasting the final screen into a text file for future reference. At the very minimum, you absolutely need the password it shows after “The p12 and SSH keys password for new users is”. Save that in a safe place, like a password manager.
  26. Now we get to configure the your Macs and iOS devices to use your brand-new VPN service. First off, uninstall any existing VPNs. We don’t want any conflicts. This involves deleting VPN apps from Mac and iOS devices, and checking System Preferences→Profiles on the Mac, and Settings→General→Profiles in iOS for VPN profiles (including old Algo profiles) and deleting them.
    • Note: I am not including instructions for using Wireguard, because I’m using older Macs, and because I want to pre-configure the Wi-Fi exceptions, and because frankly it’s simpler not to use Wireguard on all-Apple installations. If you want to use Wireguard, see the "Apple devices" section of the official instructions.
  27. Go back to your downloads folder in the Finder, and open the “algo-master” folder. Inside it is a “configs” folder (~/Downloads/algo-master/configs), and inside that is a folder named for your server’s IP address, and inside that is a folder named “Apple.” Open the “Apple” folder, and you’ll see files named .mobileconfig.
  28. Open the .mobileconfig file that corresponds with the correct user on any Mac you want to use your newly created VPN on (just double-click it).
  29. Choose “Continue.”
  30. If using Amazon EC2:
      • Choose “Continue” again.
      • Enter the password you hopefully saved from the Algo confirmation screen in Terminal. If not, it should still be there in the Terminal window.
  31. Click Install, and enter an administrator username and password for this Mac.
  32. If you included your current Wi-Fi network in the list of trusted Wi-Fi networks in Step 28 above, you won’t have any way immediately to test your install. Connect to an untrusted network (perhaps go to Starbucks; you deserve a coffee after all this work. Or just enable the Guest network on your router), and go to https://whoer.net/ to see if you did everything right. If you did, Mr. Whoer should report your ISP as “Amazon.com" or “Google Cloud,” depending on which cloud service you’re using. If it doesn’t, try going to System Preferences→Profiles, deleting the profile you installed earlier, and starting again from Step 24.
  33. If it worked, congrats! Send the file via secure means (Airdrop for instance, or iMessage) to any other Macs you wish to secure, and go through Steps 23–28 again. Then Airdrop (or use some other secure means) that file to every iOS device you want to VPN with. If you specified different users in step 10, make sure to send the right files to the right devices.
  34. Open the file on your iOS device (whether by tapping it in Messages, receiving the Airdrop file, or whatever)
  35. Tap Install, then enter your device password.
  36. If using Amazon EC2:
    • Tap Install again, then a third time.
    • Enter the password you saved in Step 22. Tap Next.
  37. Tap Done. That’s it! It should be working. Again, connect to an untrusted network and visit https://whoer.net. The IP address should be the one in your profile.
  38. Now you can delete the “algo-master” file from your Downloads folder. You may wish to keep the “configs” folder, or at least the .mobileconfig files, along with the “credentials.csv” file, the “config.cfg” file, and the Algo confirmation details, somewhere safe. You may be tempted to hold on to the entire algo-master folder, and that’s not a terrible idea, but remember that they will probably make improvements in the future, so remember to download a new copy if you want to start over sometime.

Now, you may want to change things in the future, such as the list of users, or the trusted networks (perhaps you decide you like this VPN thing so much you want to use it all the time).

  • If you chose to save the CA key in Step 20 above (and you held on to the “algo-master" folder), changing the user list is fairly simple. If not, you’ll have to destroy your instance (see below) and start over (from Step 2), which is not really that much work.
  • To change the list of trusted networks, open the .mobileconfig file in a text editor (PlistEdit Pro is an excellent tool for this task), navigate to your current list of trusted networks (under SSIDMatch), and add or remove networks as you please. Make sure you keep the exact formatting as shown for any new or changed lines. Then redistribute the file according to Steps 26–37.
  • To destroy the instance you created,:
    • For Amazon EC2: Log into Amazon Web Services, select EC2 (under “Compute”) from the Services menu, choose Instances, and click on Actions→Instance State→Terminate. That will allow you to start over from Step 2.
    • For Google GCE: Log into the GCE console, select Compute Engine in the sidebar, then select VM instances (it’s probably already selected). Click the three dots to the right of your “algo” VM instance, then select “Delete.” That will allow you to start over from Step 2.

Enjoy your new, personal VPN! Let me know how it goes, or any difficulties you have with these instructions, in the comments below!

1 comment:

Calion said...

Post updated with fixed links, updated instructions for macOS Mojave, and added instructions for Google Compute Engine.