Difference between revisions of "Using Algo VPN to Access SDNOG Infrastructure"

From SdNOG wiki
(5. Install Algo VPN)
(7. Deploy Algo VPN)
Line 59: Line 59:
 
</pre>
 
</pre>
 
The deployment process will set up the VPN server according to the configuration you provided.
 
The deployment process will set up the VPN server according to the configuration you provided.
 +
<pre>
 +
TASK [Set required ansible version as a fact] *************************************************************************************************
 +
ok: [localhost] => (item=ansible==2.9.7)
 +
 +
TASK [Verify Python meets Algo VPN requirements] **********************************************************************************************
 +
ok: [localhost] => {
 +
    "changed": false,
 +
    "msg": "All assertions passed"
 +
}
 +
 +
TASK [Verify Ansible meets Algo VPN requirements] *********************************************************************************************
 +
ok: [localhost] => {
 +
    "changed": false,
 +
    "msg": "All assertions passed"
 +
}
 +
[WARNING]: Found variable using reserved name: no_log
 +
 +
PLAY [Ask user for the input] *****************************************************************************************************************
 +
 +
TASK [Gathering Facts] ************************************************************************************************************************
 +
ok: [localhost]
 +
[Cloud prompt]
 +
What provider would you like to use?
 +
    1. DigitalOcean
 +
    2. Amazon Lightsail
 +
    3. Amazon EC2
 +
    4. Microsoft Azure
 +
    5. Google Compute Engine
 +
    6. Hetzner Cloud
 +
    7. Vultr
 +
    8. Scaleway
 +
    9. OpenStack (DreamCompute optimised)
 +
    10. CloudStack (Exoscale optimised)
 +
    11. Linode
 +
    12. Install to existing Ubuntu 18.04 or 20.04 server (for more advanced users)
 +
 
 +
Enter the number of your desired provider
 +
:
 +
12
 +
 +
Type 12 and hit Enter to setup Algo VPN on Ubuntu 20.04 server. You will be asked for several questions as shown below:
 +
 +
TASK [Set facts based on the input] ***************************************************************************************************************************************************************************************
 +
ok: [localhost]
 +
[Cellular On Demand prompt]
 +
Do you want macOS/iOS IPsec clients to enable "Connect On Demand" when connected to cellular networks?
 +
[y/N]
 +
:y
 +
 +
TASK [Cellular On Demand prompt] ******************************************************************************************************************************************************************************************
 +
ok: [localhost]
 +
[Wi-Fi On Demand prompt]
 +
Do you want macOS/iOS IPsec clients to enable "Connect On Demand" when connected to Wi-Fi?
 +
[y/N]
 +
:y
 +
 +
TASK [Wi-Fi On Demand prompt] *********************************************************************************************************************************************************************************************
 +
ok: [localhost]
 +
[Trusted Wi-Fi networks prompt]
 +
List the names of any trusted Wi-Fi networks where macOS/iOS IPsec clients should not use "Connect On Demand"
 +
(e.g., your home network. Comma-separated value, e.g., HomeNet,OfficeWifi,AlgoWiFi)
 +
:HomeNet
 +
 +
TASK [Trusted Wi-Fi networks prompt] **************************************************************************************************************************************************************************************
 +
ok: [localhost]
 +
[Compatible ciphers prompt]
 +
Do you want the VPN to support Windows 10 or Linux Desktop clients? (enables compatible ciphers and key exchange, less secure)
 +
[y/N]
 +
:y
 +
 +
TASK [Compatible ciphers prompt] ******************************************************************************************************************************************************************************************
 +
ok: [localhost]
 +
[Retain the CA key prompt]
 +
Do you want to retain the CA key? (required to add users in the future, but less secure)
 +
[y/N]
 +
:y
 +
 +
TASK [Retain the CA key prompt] *******************************************************************************************************************************************************************************************
 +
ok: [localhost]
 +
[DNS adblocking prompt]
 +
Do you want to install an ad blocking DNS resolver on this VPN server?
 +
[y/N]
 +
:y
 +
 +
TASK [DNS adblocking prompt] **********************************************************************************************************************************************************************************************
 +
ok: [localhost]
 +
[SSH tunneling prompt]
 +
Do you want each user to have their own account for SSH tunneling?
 +
[y/N]
 +
:N
 +
Enter the IP address of your server: (or use localhost for local installation):
 +
[localhost]
 +
:
 +
localhost
 +
TASK [local : pause] **************************************************************************************************************************
 +
ok: [localhost]
 +
 +
TASK [local : Set the facts] ******************************************************************************************************************
 +
ok: [localhost]
 +
[local : pause]
 +
What user should we use to login on the server? (note: passwordless login required, or ignore if you're deploying to localhost)
 +
[root]
 +
:
 +
root
 +
 +
Enter the public IP address or domain name of your server: (IMPORTANT! This is used to verify the certificate)
 +
</pre>
  
 
==== 8. Access SDNOG Infrastructure ====
 
==== 8. Access SDNOG Infrastructure ====
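Review bot: in the added transcript, the "Compatible ciphers" and "Retain the CA key" prompts are both answered y, although each prompt itself marks that choice "less secure", and nothing in the surrounding text says why this deployment needs them. Add a sentence after the transcript giving the reason for each, or show the default N for whichever is not required. The sentence "Type 12 and hit Enter to setup Algo VPN on Ubuntu 20.04 server..." sits inside the pre block, so it will render as terminal output; close the pre block before it and reopen it afterwards. The block also stops at the "Enter the public IP address or domain name of your server" prompt with no answer or completion output shown, so a reader cannot tell what a successful run ends with.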

Revision as of 16:18, 8 August 2024

Using Algo VPN to Access SDNOG Infrastructure

Introduction

Algo VPN is a tool that simplifies the process of setting up a secure VPN server on various platforms. This guide will walk you through the steps to install and configure Algo VPN on a local Ubuntu server to access SDNOG infrastructure.

Prerequisites

  • An Ubuntu server (18.04 or later)
  • Sudo privileges on the server
  • Basic knowledge of command-line operations

Step-by-Step Guide

1. Update Your System

Before installing Algo VPN, ensure that your system is up-to-date. Open a terminal and run the following commands:

sudo apt update
sudo apt upgrade -y

2. Install Dependencies

Algo VPN requires certain dependencies to be installed. Use the following commands to install them:

sudo apt-get install git apparmor build-essential python3-dev python3-pip python3-setuptools python3-virtualenv libffi-dev libssl-dev -y

3. Clone the Algo VPN Repository

Clone the Algo VPN repository from GitHub to your local server:

git clone https://github.com/trailofbits/algo.git
cd algo

4. Create and Activate a Python Virtual Environment

Create a Python virtual environment and activate it:

python3 -m virtualenv --python=/usr/bin/python3 .env
source .env/bin/activate

5. Install Algo VPN

Install Algo VPN and its dependencies using pip:

python3 -m pip install -U pip virtualenv
python3 -m pip install -r requirements.txt

6. Configure Algo VPN

Run the Algo VPN setup script to create a configuration file:

./algo

Follow the prompts to configure your VPN. You will need to provide details such as:

  • The VPN server's public IP address or domain name
  • Your preferred VPN protocol (e.g., WireGuard or IPsec)
  • User accounts for VPN access

7. Deploy Algo VPN

Once the configuration is complete, deploy Algo VPN with the following command:

./algo

The deployment process will set up the VPN server according to the configuration you provided.

TASK [Set required ansible version as a fact] *************************************************************************************************
ok: [localhost] => (item=ansible==2.9.7)

TASK [Verify Python meets Algo VPN requirements] **********************************************************************************************
ok: [localhost] => {
    "changed": false,
    "msg": "All assertions passed"
}

TASK [Verify Ansible meets Algo VPN requirements] *********************************************************************************************
ok: [localhost] => {
    "changed": false,
    "msg": "All assertions passed"
}
[WARNING]: Found variable using reserved name: no_log

PLAY [Ask user for the input] *****************************************************************************************************************

TASK [Gathering Facts] ************************************************************************************************************************
ok: [localhost]
[Cloud prompt]
What provider would you like to use?
    1. DigitalOcean
    2. Amazon Lightsail
    3. Amazon EC2
    4. Microsoft Azure
    5. Google Compute Engine
    6. Hetzner Cloud
    7. Vultr
    8. Scaleway
    9. OpenStack (DreamCompute optimised)
    10. CloudStack (Exoscale optimised)
    11. Linode
    12. Install to existing Ubuntu 18.04 or 20.04 server (for more advanced users)
  
Enter the number of your desired provider
:
12

Type 12 and hit Enter to set up Algo VPN on an Ubuntu 20.04 server. You will be asked several questions, as shown below:

TASK [Set facts based on the input] ***************************************************************************************************************************************************************************************
ok: [localhost]
[Cellular On Demand prompt]
Do you want macOS/iOS IPsec clients to enable "Connect On Demand" when connected to cellular networks?
[y/N]
:y

TASK [Cellular On Demand prompt] ******************************************************************************************************************************************************************************************
ok: [localhost]
[Wi-Fi On Demand prompt]
Do you want macOS/iOS IPsec clients to enable "Connect On Demand" when connected to Wi-Fi?
[y/N]
:y

TASK [Wi-Fi On Demand prompt] *********************************************************************************************************************************************************************************************
ok: [localhost]
[Trusted Wi-Fi networks prompt]
List the names of any trusted Wi-Fi networks where macOS/iOS IPsec clients should not use "Connect On Demand"
(e.g., your home network. Comma-separated value, e.g., HomeNet,OfficeWifi,AlgoWiFi)
:HomeNet

TASK [Trusted Wi-Fi networks prompt] **************************************************************************************************************************************************************************************
ok: [localhost]
[Compatible ciphers prompt]
Do you want the VPN to support Windows 10 or Linux Desktop clients? (enables compatible ciphers and key exchange, less secure)
[y/N]
:y

TASK [Compatible ciphers prompt] ******************************************************************************************************************************************************************************************
ok: [localhost]
[Retain the CA key prompt]
Do you want to retain the CA key? (required to add users in the future, but less secure)
[y/N]
:y

TASK [Retain the CA key prompt] *******************************************************************************************************************************************************************************************
ok: [localhost]
[DNS adblocking prompt]
Do you want to install an ad blocking DNS resolver on this VPN server?
[y/N]
:y

TASK [DNS adblocking prompt] **********************************************************************************************************************************************************************************************
ok: [localhost]
[SSH tunneling prompt]
Do you want each user to have their own account for SSH tunneling?
[y/N]
:N
Enter the IP address of your server: (or use localhost for local installation):
[localhost]
:
localhost
TASK [local : pause] **************************************************************************************************************************
ok: [localhost]

TASK [local : Set the facts] ******************************************************************************************************************
ok: [localhost]
[local : pause]
What user should we use to login on the server? (note: passwordless login required, or ignore if you're deploying to localhost)
[root]
:
root

Enter the public IP address or domain name of your server: (IMPORTANT! This is used to verify the certificate)

8. Access SDNOG Infrastructure

To access SDNOG infrastructure via the VPN, you need to configure your local machine to connect to the VPN server. Download the VPN client configuration files from the Algo VPN setup and import them into your VPN client.

For WireGuard, you can use the wg-quick tool to connect:

sudo wg-quick up /path/to/your/configuration.conf

For IPsec, follow the instructions specific to your operating system to import the configuration and connect.

Troubleshooting

If you encounter issues during installation or configuration:

  • Check the Algo VPN documentation for troubleshooting tips.
  • Ensure that your firewall rules allow VPN traffic.
  • Verify that your VPN client is correctly configured.
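One way to verify the WireGuard client configuration from step 8 before running wg-quick, as an added example that is not part of the original wiki page or the Algo project: it checks that the file is readable only by its owner (it holds the client's private key) and that each key wg-quick needs is present in the right section. The function names and the sample keys, addresses and endpoint are constructed placeholders.

```shell
#!/bin/sh
# Added example (not Algo's code): sanity-check a WireGuard client config
# before handing it to `wg-quick up`. Returns 0 if usable, 1 if not, 2 if absent.
check_wg_conf() {
    conf=$1
    rc=0
    [ -f "$conf" ] || { echo "missing: $conf"; return 2; }

    # The file contains the client's PrivateKey, so only the owner may read it.
    mode=$(stat -c '%a' "$conf" 2>/dev/null || stat -f '%Lp' "$conf")
    case $mode in
        600|400) ;;
        *) echo "mode is $mode, expected 600"; rc=1 ;;
    esac

    # Every key wg-quick needs to bring the tunnel up, in its proper section.
    for want in Interface:PrivateKey Interface:Address \
                Peer:PublicKey Peer:Endpoint Peer:AllowedIPs; do
        section=${want%%:*}
        key=${want##*:}
        if ! awk -F'[ \t]*=[ \t]*' -v s="[$section]" -v k="$key" '
                { sub(/^[ \t]+/, "") }
                /^\[/ { cur = $1; sub(/[ \t]+$/, "", cur) }
                cur == s && $1 == k && $2 != "" { found = 1 }
                END { exit !found }' "$conf"; then
            echo "[$section] has no $key"
            rc=1
        fi
    done
    return $rc
}

# Constructed sample: keys, addresses and endpoint are placeholders.
write_sample_conf() {
    cat > "$1" <<'EOF'
[Interface]
PrivateKey = CONSTRUCTED-PLACEHOLDER-PRIVATE-KEY
Address = 10.0.0.2/32
DNS = 10.0.0.1

[Peer]
PublicKey = CONSTRUCTED-PLACEHOLDER-PUBLIC-KEY
Endpoint = vpn.example.org:51820
AllowedIPs = 0.0.0.0/0
EOF
    chmod 600 "$1"
}

if [ $# -gt 0 ]; then check_wg_conf "$1"; fi
```

Run it with the path to your configuration file as the only argument; a non-zero exit status means the file should be fixed before connecting.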

Conclusion

By following these steps, you should have a functioning Algo VPN setup on your local Ubuntu server, providing secure access to the SDNOG infrastructure. For more advanced configurations and additional features, refer to the Algo VPN GitHub repository.