{"id":116,"date":"2017-04-12T00:00:00","date_gmt":"2017-04-12T00:00:00","guid":{"rendered":"http:\/\/ssdnodes.billabailey.com\/2017\/04\/12\/an-idiot-and-his-vpn\/"},"modified":"2025-05-18T13:08:08","modified_gmt":"2025-05-18T13:08:08","slug":"an-idiot-and-his-vpn","status":"publish","type":"post","link":"https:\/\/www.ssdnodes.com\/blog\/an-idiot-and-his-vpn\/","title":{"rendered":"Should Setting up a VPN Be This Hard?"},"content":{"rendered":"

In the last days of March, the U.S. government overturned rules aimed at protecting the privacy<\/a> of users of internet service providers (ISP). With the rules gone, ISPs no longer need to obtain permission to sell user data. For a lot of people, that's a little scary.<\/p>\n

Now, I recognize that ISPs are not selling my own specific data, but rather my data in aggregate with probably thousands of other customers just like me. I also know that they're not snooping in on HTTPS-secured traffic. I also know that tools like "Internet Noise"<\/a> are less actual solutions to the problem and more one-off experiments to occupy a developer over their weekend.<\/p>\n

Tech blogs and journalists have been touting the value of a virtual private network (VPN) ever since. I've been hearing about them for years, but mostly as a means to 1) get past region-blocked content on Netflix or 2) ensuring a secure connection when using hotel\/airport WiFi. I knew that neither of those two applications appeal to me, and I knew that I didn't want to run my VPN with some company operating out of the Seychelles.<\/p>\n

Because that's just boring.<\/p>\n

Finding the right solution<\/h2>\n

I'm not completely militant about securing (or obscuring) my internet traffic with a VPN\u2014if I was truly worried about that, I'd have started a long time ago, or would be using something like Tor instead. More than anything, these recent changes are a catalyst to convince me to finally poke around something that I've been curious about for years.<\/p>\n

All this is to say I'm okay with an imperfect solution. I'm okay with only marginal protection. And I'm okay with failure, but only if it's my fault<\/em>.<\/p>\n

Matt, the CEO of SSD Nodes (and my boss), recommended that I try out OpenVPN<\/a> over any of the other solutions. He's got good reasons to do so\u2014it's a trusted solution that's been around for 15 years.<\/p>\n

At first, I was a little horrified by the OpenVPN tutorials that I found floating around online. I'm a decent<\/em> Linux administrator\u2014I've used a VPS for hosting personal sites for years and have personally walked through all of the tutorials on this blog to ensure they work properly\u2014but I'm nothing special.<\/p>\n

I did find openvpn-install<\/a>, which purports to set up the VPN with a single command. At the time, I figured it simply wasn't for me.<\/p>\n

When searching beyond OpenVPN for something a little more streamlined, I found algo<\/a>, a "a set of Ansible scripts that simplify the setup of a personal IPSEC VPN." As part of their release annoucement, they published a blog post that touted Algo as "the VPN that works"<\/a>. I have to admit, I was convinced by their marketing.<\/p>\n

The Algo installation<\/h2>\n

Since I work for SSD Nodes<\/a>, my provider choice is simple. I opted for the cheapest server<\/a>, knowing that 2TB of bandwidth is far, far more than I need\u2014my ISP says I use about 250GB of bandwidth per month.<\/p>\n

Installation was incredibly easy. I copied by public SSH key<\/a> over to the new server and followed the instructions on the GitHub repository. No issues and I was given a folder with config files and certificates to work from.<\/p>\n

ok: [xxx.xx.xx.xx] => {\n    \"msg\"<\/span>: [\n        [\n            \"\"#                          Congratulations!                            #\"\"<\/span>,\n            \"\"#                     Your Algo server is running.                     #\"\"<\/span>,\n            \"\"#    Config files and certificates are in the .\/configs\/ directory.    #\"\"<\/span>,\n            \"\"#              Go to https:\/\/whoer.net\/ after connecting               #\"\"<\/span>,\n            \"\"#        and ensure that all your traffic passes through the VPN.      #\"\"<\/span>,\n            \"\"#          Local DNS resolver and Proxy IP address: 172.16.0.1         #\"\"<\/span>,\n            \"\"<\/span>\n        ],\n        \"    \"#                The p12 and SSH keys password is xxxxxxxxx             #\"n\"<\/span>,\n        \"    \"<\/span>,\n        \"    \"<\/span>\n    ]\n}\n<\/code><\/pre>\n
Thanks to this Ubuntu Forums thread<\/a>, I realized it was time to build some packages from source.<\/p>\n
wget http:\/\/download.strongswan.org\/strongswan-5.5.2.tar.bz2\ntar xjf strongswan-5.5.2.tar.bz2\ncd<\/span> strongswan-5.5.2\n\n.\/configure \u2013sysconfdir=\/etc \u2013prefix=\/usr \u2013libexecdir=\/usr\/lib \n\u2013disable<\/span>-aes \u2013disable<\/span>-des \u2013disable<\/span>-md5 \u2013disable<\/span>-sha1 \u2013disable<\/span>-sha2 \n\u2013disable<\/span>-fips-prf \u2013disable<\/span>-gmp \u2013enable<\/span>-openssl \u2013enable<\/span>-nm \u2013enable<\/span>-agent \n\u2013enable<\/span>-eap-gtc \u2013enable<\/span>-eap-md5 \u2013enable<\/span>-eap-mschapv2 \u2013enable<\/span>-eap-identity\nmake\nmake install\n\nwget https:\/\/download.strongswan.org\/NetworkManager\/NetworkManager-strongswan-1.4.1.tar.bz2\ntar xjf NetworkManager-strongswan-1.x.x.tar.bz2\ncd<\/span> NetworkManager-strongswan-1.x.x\n\n# build the NetworkManager strongsSwan plugin (if you changed prefix\/libexecdir above, set \u2013with-charon=\/path\/to\/charon-nm)<\/span>\n.\/configure \u2013sysconfdir=\/etc \u2013prefix=\/usr \u2013with-charon=\/usr\/lib\/ipsec\/charon-nm\nmake\nmake install\n<\/code><\/pre>\n
After all this, plus a few additional installations to get strongswan<\/code> and its plugin to configure, I was able to configure the VPN via Network Manager. Almost there, right?<\/p>\n
Of course, it didn't work. Neither did installing the .mobileconfig<\/code> on my macOS machine. I simply couldn't connect to the VPN, and as-is, Algo's documentation and troubleshooting details are a little scarce<\/em>. A few GitHub issues seemed to suggest that while Algo could be installed<\/em> on an Ubuntu 16.04 server, the same OS can't currently be used as a client.<\/p>\n
After about an hour of poking around, I gave up.<\/p>\n
openvpn-install<\/h2>\n
I tried first with Nyr's script<\/a>, which I mentioned earlier, but had no luck with it whatsoever. I couldn't say exactly where the installation went wrong, but I was unable to connect to the VPN.<\/p>\n
Next up, a fork of Nyr's script from Angristan<\/a>, which purports to be an updated, more secure version of the original. I can get down with that. Installation was pretty simple. I made sure to enable TUN\/TAP before going any further\u2014Matt warned me that's where most VPN installations run afoul.<\/p>\n
apt-get update\nwget https:\/\/raw.githubusercontent.com\/Angristan\/OpenVPN-install\/master\/openvpn-install.sh\nchmod +x openvpn-install.sh\n.\/openvpn-install.sh\n<\/code><\/pre>\n
I had an issue with the openvpn<\/code> server service not running right off the bat, but I fixed that thanks to an Ask Ubuntu thread<\/a>. I commented out the LimitNPROC<\/code> line in code>\/lib\/systemd\/system\/openvpn@.service<\/code<\/a>, ran systemctl daemon-reload<\/code>, and then systemctl start openvpn@server<\/code>.<\/p>\n
The script spat out a user.ovpn file. I just needed to pipe the contents of that file onto my local machine.<\/p>\n
ssh root@xxx.xx.xx.xxx \"cat client.ovpn\"<\/span> > client.ovpn\n<\/code><\/pre>\n
I imported that file into Network Manager and connected to the VPN immediately. Success!<\/p>\n
The next steps<\/h2>\n
Do I feel more secure as I browse the web? I'm not sure. Do I feel accomplished? Somewhat.<\/p>\n
There's absolutely more to be done here\u2014perhaps in a future blog post:<\/p>\n
    \n
  1. Figure out why Algo isn't working for me<\/li>\n
  2. Harden the existing VPN server<\/li>\n
  3. Figure out if I can install Tomato\/dd-wrt onto my router to route all traffic through the VPN, rather than install clients on every machine<\/li>\n
  4. Investigate other solutions:\n
My initial hangup was with adding the VPN to Linux Mint's Network Manager, as even though I installed strongswan<\/code> and network-manager-strongswan<\/code>, it didn't appear in the Network Manager GUI. Apparently this is a known bug<\/a> that's fixed in 1.4.x of the plugin.<\/p>\n