Should Setting up a VPN Be This Hard?

In the last days of March, the U.S. government overturned rules aimed at protecting the privacy of users of internet service providers (ISP). With the rules gone, ISPs no longer need to obtain permission to sell user data. For a lot of people, that's a little scary.

Now, I recognize that ISPs are not selling my own specific data, but rather my data in aggregate with probably thousands of other customers just like me. I also know that they're not snooping in on HTTPS-secured traffic. I also know that tools like "Internet Noise" are less actual solutions to the problem and more one-off experiments to occupy a developer over their weekend.

Tech blogs and journalists have been touting the value of a virtual private network (VPN) ever since. I've been hearing about them for years, but mostly as a means to 1) get past region-blocked content on Netflix or 2) ensuring a secure connection when using hotel/airport WiFi. I knew that neither of those two applications appeal to me, and I knew that I didn't want to run my VPN with some company operating out of the Seychelles.

Because that's just boring.

Finding the right solution

I'm not completely militant about securing (or obscuring) my internet traffic with a VPN—if I was truly worried about that, I'd have started a long time ago, or would be using something like Tor instead. More than anything, these recent changes are a catalyst to convince me to finally poke around something that I've been curious about for years.

All this is to say I'm okay with an imperfect solution. I'm okay with only marginal protection. And I'm okay with failure, but only if it's my fault.

Matt, the CEO of SSD Nodes (and my boss), recommended that I try out OpenVPN over any of the other solutions. He's got good reasons to do so—it's a trusted solution that's been around for 15 years.

At first, I was a little horrified by the OpenVPN tutorials that I found floating around online. I'm a decent Linux administrator—I've used a VPS for hosting personal sites for years and have personally walked through all of the tutorials on this blog to ensure they work properly—but I'm nothing special.

I did find openvpn-install, which purports to set up the VPN with a single command. At the time, I figured it simply wasn't for me.

When searching beyond OpenVPN for something a little more streamlined, I found algo, a "a set of Ansible scripts that simplify the setup of a personal IPSEC VPN." As part of their release annoucement, they published a blog post that touted Algo as "the VPN that works". I have to admit, I was convinced by their marketing.

The Algo installation

Since I work for SSD Nodes, my provider choice is simple. I opted for the cheapest server, knowing that 2TB of bandwidth is far, far more than I need—my ISP says I use about 250GB of bandwidth per month.

Installation was incredibly easy. I copied by public SSH key over to the new server and followed the instructions on the GitHub repository. No issues and I was given a folder with config files and certificates to work from.

ok: [xxx.xx.xx.xx] => {
    "msg": [
        [
            ""#                          Congratulations!                            #"",
            ""#                     Your Algo server is running.                     #"",
            ""#    Config files and certificates are in the ./configs/ directory.    #"",
            ""#              Go to https://whoer.net/ after connecting               #"",
            ""#        and ensure that all your traffic passes through the VPN.      #"",
            ""#          Local DNS resolver and Proxy IP address: 172.16.0.1         #"",
            ""
        ],
        "    "#                The p12 and SSH keys password is xxxxxxxxx             #"n",
        "    ",
        "    "
    ]
}

My initial hangup was with adding the VPN to Linux Mint's Network Manager, as even though I installed strongswan and network-manager-strongswan, it didn't appear in the Network Manager GUI. Apparently this is a known bug that's fixed in 1.4.x of the plugin.

Thanks to this Ubuntu Forums thread, I realized it was time to build some packages from source.

wget http://download.strongswan.org/strongswan-5.5.2.tar.bz2
tar xjf strongswan-5.5.2.tar.bz2
cd strongswan-5.5.2

./configure –sysconfdir=/etc –prefix=/usr –libexecdir=/usr/lib 
–disable-aes –disable-des –disable-md5 –disable-sha1 –disable-sha2 
–disable-fips-prf –disable-gmp –enable-openssl –enable-nm –enable-agent 
–enable-eap-gtc –enable-eap-md5 –enable-eap-mschapv2 –enable-eap-identity
make
make install

wget https://download.strongswan.org/NetworkManager/NetworkManager-strongswan-1.4.1.tar.bz2
tar xjf NetworkManager-strongswan-1.x.x.tar.bz2
cd NetworkManager-strongswan-1.x.x

# build the NetworkManager strongsSwan plugin (if you changed prefix/libexecdir above, set –with-charon=/path/to/charon-nm)
./configure –sysconfdir=/etc –prefix=/usr –with-charon=/usr/lib/ipsec/charon-nm
make
make install

After all this, plus a few additional installations to get strongswan and its plugin to configure, I was able to configure the VPN via Network Manager. Almost there, right?

Of course, it didn't work. Neither did installing the .mobileconfig on my macOS machine. I simply couldn't connect to the VPN, and as-is, Algo's documentation and troubleshooting details are a little scarce. A few GitHub issues seemed to suggest that while Algo could be installed on an Ubuntu 16.04 server, the same OS can't currently be used as a client.

After about an hour of poking around, I gave up.

openvpn-install

I tried first with Nyr's script, which I mentioned earlier, but had no luck with it whatsoever. I couldn't say exactly where the installation went wrong, but I was unable to connect to the VPN.

Next up, a fork of Nyr's script from Angristan, which purports to be an updated, more secure version of the original. I can get down with that. Installation was pretty simple. I made sure to enable TUN/TAP before going any further—Matt warned me that's where most VPN installations run afoul.

apt-get update
wget https://raw.githubusercontent.com/Angristan/OpenVPN-install/master/openvpn-install.sh
chmod +x openvpn-install.sh
./openvpn-install.sh

I had an issue with the openvpn server service not running right off the bat, but I fixed that thanks to an Ask Ubuntu thread. I commented out the LimitNPROC line in code>/lib/systemd/system/[email protected], ran systemctl daemon-reload, and then systemctl start openvpn@server.

ssh [email protected] "cat client.ovpn" > client.ovpn

I imported that file into Network Manager and connected to the VPN immediately. Success!

The next steps

Do I feel more secure as I browse the web? I'm not sure. Do I feel accomplished? Somewhat.

There's absolutely more to be done here—perhaps in a future blog post:

1. Figure out why Algo isn't working for me
2. Harden the existing VPN server
3. Figure out if I can install Tomato/dd-wrt onto my router to route all traffic through the VPN, rather than install clients on every machine
4. Investigate other solutions:
   • IPsec without L2TP with strongSwan
   • Setting up an IPSEC tunnel
   • Pure IPSec VPN on OpenVZ

I suppose the entire point of this post, and all the work I put into it, is to prove how immature this little market is still. There's a growing demand for hosting VPNs via a VPS, but, thus far, all of the implementations are a little sticky—experienced Linux administrators might not have many problems, but relative beginners like me are going to struggle. At best, we'll put together half-baked, probably-insecure implementations that might be better than going without a VPN.

And that's the big question: Is doing something, however poorly implemented, better than nothing? Or could it possibly be worse? When I started writing this, I said that I was okay with failure. But now that my VPN is actually set up, I'm not quite so sure.