什么是algo vpn?
根据他们的GitHub页面,”algo vpn是一组ansible脚本,可以简化个人IPsec和Wioguard VPN的设置。
它使用最安全的默认值,适用于公共云提供商,并且在大多数设备上不需要客户端软件。
“。
Algo为我们提供了一种简单的方法,可以在承诺或者云中安装和配置安全VPN以供个人使用。
请注意,我们不需要掌握Linux或者Ansible来设置这一点,过程不是繁重的。
Algo VPN的功能
下面是我们从Box中出发的Algo VPN功能列表。
支持具有强大加密(AES-GCM,SHA2和P-256)的IKEv2,以及Wioguardgenerates Apple配置为自动配置IOS和MacOS实现帮助程序脚本使用本地DNS解析器(可选)添加和删除UsersBlocksADScaleway,OpenStack或者内部服务器。
在Ubuntu/debian上设置algo vpn
对于Ubuntu和基于Debian的系统,通过运行下面的命令来安装所需的依赖项。
| 12 | sudo apt-get updatesudo apt-get install -y git build-essential python-dev python-pip python-setuptools python-virtualenv libffi-dev libssl-dev |
安装依赖项后,克隆ALGO VPN存储库。
| 1 | git clone https://github.com/trailofbits/algo.git |
安装ilgo python依赖项
更改为Algo目录并安装Python依赖项,例如Ansible,Jinja,PyAml。
| 12345 | cd algopython -m virtualenv --python=$(which python2) env && source env/bin/activate && python -m pip install -U pip virtualenv && python -m pip install -r requirements.txt |
这将收集Ansible,Jinja,Pyyaml和许多其他人。
列出用户创建
在我们喜欢的文本编辑器中打开config.cfg。
指定我们要创建的用户 users列表。
当我在系统中添加用户名称时,我遇到了错误。
用户可以运行给定的进程,并且Algo脚本返回错误。
所以使用唯一的用户名。
| 1 | vim config.cfg |
添加用户如下:
| 1234 | users: - test - pench - admin |
禁用已解决的服务(对于DNSMASQ工作)
运行以下命令以禁用已解析的服务:
| 12 | sudo systemctl disable systemd-resolvedsudo systemctl stop systemd-resolved |
另外,删除符号链接到 resolv.conf文件。
| 1 | sudo unlink /etc/resolv.conf |
然后创建新的rollev.conf文件。
| 1 | echo "nameserver 8.8.8.8" > /etc/resolv.conf |
开始部署
虽然仍然在Algo目录上,请通过运行Algo脚本来开始部署,如下所示。
这导致我们将根据设置回答的一系列问题。
我的设置如下。
| 1 | # ./algo |
选择云提供商或者现有服务器。
| 12345678910111213141516 | PLAY [Ask user for the input] TASK [Gathering Facts] * ok: [localhost] [pause] What provider would you like to use? 1. DigitalOcean 2. Amazon Lightsail 3. Amazon EC2 4. Vultr 5. Microsoft Azure 6. Google Compute Engine 7. Scaleway 8. OpenStack (DreamCompute optimised) 9. Install to existing Ubuntu 18.04 server (Advanced) Enter the number of your desired provider : 9 |
如果允许MacOS/IOS客户端连接到蜂窝网络/Wi-Fi时允许MacOS/IOS客户端启用”VPN”。
| 12345678910111213 | TASK [pause] *** ok: [localhost] TASK [Set facts based on the input] ** ok: [localhost] [pause] Do you want macOS/iOS clients to enable "VPN On Demand" when connected to cellular networks? [y/N] : yDo you want macOS/iOS clients to enable "VPN On Demand" when connected to Wi-Fi? [y/N] : y |
设置可信Wi-Fi网络列表。
| 1234 | List the names of trusted Wi-Fi networks (if any) that macOS/iOS clients exclude from using the VPN (e.g., your home network. Comma-separated value, e.g., HomeNet,OfficeWifi,AlgoWiFi) :Netpap |
按照我们认为适合设置其他选项。
| 12345678910111213141516171819202122232425 | Do you want to install a DNS resolver on this VPN server, to block ads while surfing? [y/N] : y TASK [pause] *** ok: [localhost] [pause] Do you want each user to have their own account for SSH tunneling? [y/N] : y TASK [pause] *** ok: [localhost] [pause] Do you want the VPN to support Windows 10 or Linux Desktop clients? (enables compatible ciphers and key exchange, less secure) [y/N] : y TASK [pause] *** ok: [localhost] [pause] Do you want to retain the CA key? (required to add users in the future, but less secure) [y/N] : y |
Ansible部署应该开始。
| 123456789101112131415161718192021222324252627282930313233343536373839404142434445 | TASK [pause] ** ok: [localhost] TASK [Set facts based on the input] * ok: [localhost] PLAY [Provision the server] * TASK [Gathering Facts] ok: [localhost] --> Please include the following block of text when reporting issues:Algo running on: Ubuntu 18.04.1 LTS (Virtualized: kvm) Created from git clone. Last commit: 40b42c4 Get started with Azure more easily (#1323) Python 2.7.15rc1 Runtime variables: algo_provider "local" algo_ondemand_cellular "True" algo_ondemand_wifi "True" algo_ondemand_wifi_exclude "X251bGw=" algo_local_dns "True" algo_ssh_tunneling "True" algo_windows "True" wireguard_enabled "True" dns_encryption "True" TASK [Display the invocation environment] * changed: [localhost -> localhost] TASK [Install the requirements] *** changed: [localhost -> localhost] TASK [Generate the SSH private key] * changed: [localhost] TASK [Generate the SSH public key] changed: [localhost] [local : pause] Enter the IP address of your server: (or use localhost for local installation): [localhost] : localhost TASK [local : pause] ok: [localhost] TASK [local : Set the facts] ok: [localhost] TASK [local : Set the facts] ok: [localhost] [local : pause] Enter the public IP address of your server: (IMPORTANT! This IP is used to verify the certificate) [localhost] : 192.168.1.10 (Your Public IP Here) |
当它成功完成后,我们应该看到一个像下面一样的横幅
| 12345678910111213141516171819 | TASK [debug] ** **** **** **** **** **** **** **** **** **** **** **** **** **** **** **** **** **** **** **** **** **** **** **** **** **** **** **** **** **** **** **** **** **** ****ok: [localhost] => { "msg": [ [ "\"# Congratulations! #\"", "\"# Your Algo server is running. #\"", "\"# Config files and certificates are in the ./configs/directory. #\"", "\"# Go to https://whoer.net/after connecting #\"", "\"# and ensure that all your traffic passes through the VPN. #\"", "\"# Local DNS resolver 172.16.0.1 #\"", "" ], " \"# The p12 and SSH keys password for new users is n8L8q6bn #\"\n", " \"# The CA key password is bc6f3cc1080d166ca27b1cf5d5a14aa6 #\"\n", " " ]}PLAY RECAP ** **** **** **** **** **** **** **** **** **** **** **** **** **** **** **** **** **** **** **** **** **** **** **** **** **** **** **** **** **** **** **** **** **** **** **localhost : ok=151 changed=85 unreachable=0 failed=0 |
部署后,Algo VPN将用户添加到系统并生成与VPN客户端一起使用的配置文件以及SSH键。
添加用户
安装后,我们可以添加其他 users列出你的 config.cfg
| 12345 | users: test pech admin user2 |
更新列表后,激活虚拟环境并运行用户更新脚本。
| 12 | source env/bin/activate./algo update-users |
完成此过程后,ALGO VPN服务器将仅包含列出的用户 config.cfg文件。
| 12 | # id testuid=1002(test) gid=1003(test) groups=1003(test),1000(algo) |
每个VPN配置文件的配置文件位于 ./algo/configs/ServerIP目录。
| 12345678 | # ls | grep testipsec_test.confipsec_test.secretstest.mobileconfigtest.p12test.ssh_configtest.ssh.pemwindows_test.ps1 |