Ocserv Installation
Install ocserv together with the GnuTLS command-line tools:
apt install ocserv gnutls-bin -y
Run the GnuTLS cipher benchmark and note the fastest cipher on this machine (it is used in the tls-priorities line below):
gnutls-cli --benchmark-tls-ciphers
Generate Diffie-Hellman parameters:
certtool --generate-dh-params --outfile /etc/ocserv/dh.pem
In the ocserv configuration file (/etc/ocserv/ocserv.conf on Debian/Ubuntu), find the line:
rekey-method = ssl
Replace it with the following:
rekey-method = new-tunnel
Uncomment the following line:
dh-params = /etc/ocserv/dh.pem
Find this line:
tls-priorities = "NORMAL:%SERVER_PRECEDENCE:%COMPAT:-RSA:-VERS-SSL3.0:-ARCFOUR-128"
Change it to something like this, adding the cipher that benchmarked best:
tls-priorities = "NORMAL:%SERVER_PRECEDENCE:+AES-128-GCM"
Work around Path MTU Discovery problems by clamping the TCP MSS on forwarded SYN packets:
iptables -A FORWARD -p tcp --tcp-flags SYN,RST SYN -j TCPMSS --clamp-mss-to-pmtu
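The three ocserv.conf edits above, applied in one idempotent pass, as an added example that is not part of the original notes: harden_ocserv_conf, ocserv_get, check_priority and make_sample_conf are my own names, the config path is a parameter so it can be tried on a copy before touching /etc/ocserv/ocserv.conf, and the sample config is constructed.

```shell
#!/bin/sh
# Added example (not from the original notes): apply the ocserv.conf edits
# described above.  Run it on a copy first; nothing here restarts ocserv.

harden_ocserv_conf() {
    conf="$1"
    # rekey-method = ssl  ->  rekey-method = new-tunnel
    sed -i 's/^[[:space:]]*rekey-method[[:space:]]*=.*/rekey-method = new-tunnel/' "$conf"
    # uncomment dh-params (matches "#dh-params = ..." as well as an already active line)
    sed -i 's|^[[:space:]]*#*[[:space:]]*dh-params[[:space:]]*=.*|dh-params = /etc/ocserv/dh.pem|' "$conf"
    # replace the tls-priorities string with the one chosen after the benchmark
    sed -i 's/^[[:space:]]*tls-priorities[[:space:]]*=.*/tls-priorities = "NORMAL:%SERVER_PRECEDENCE:+AES-128-GCM"/' "$conf"
}

# ocserv_get FILE KEY -> value of the first active (uncommented) "KEY = value" line
ocserv_get() {
    sed -n "s/^[[:space:]]*$2[[:space:]]*=[[:space:]]*//p" "$1" | head -n 1
}

# Ask GnuTLS itself whether a priority string parses and which suites it enables.
# Skipped when gnutls-cli is not installed so the rest of the script still works.
check_priority() {
    command -v gnutls-cli >/dev/null 2>&1 || { echo "gnutls-cli missing, skipping"; return 0; }
    gnutls-cli --list --priority "$1" >/dev/null
}

# Constructed stand-in for a stock ocserv.conf, reduced to the keys that matter here.
make_sample_conf() {
    cat > "$1" <<'EOF'
auth = "pam"
rekey-method = ssl
#dh-params = /etc/ocserv/dh.pem
tls-priorities = "NORMAL:%SERVER_PRECEDENCE:%COMPAT:-RSA:-VERS-SSL3.0:-ARCFOUR-128"
EOF
}

# Usage: ./harden.sh --demo  (hardens a temporary copy and prints the resulting keys)
if [ "${1:-}" = "--demo" ]; then
    tmp="$(mktemp)"
    make_sample_conf "$tmp"
    harden_ocserv_conf "$tmp"
    for k in rekey-method dh-params tls-priorities; do
        printf '%s = %s\n' "$k" "$(ocserv_get "$tmp" "$k")"
    done
    check_priority "$(ocserv_get "$tmp" tls-priorities | tr -d '"')"
    rm -f "$tmp"
fi
```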
PAM Issue
Sometimes, when PAM is the authentication method, the first user can connect and disconnect, but the next connection attempt fails with an error (it looks as if ocserv crashes on every second try). The libpam-cap module has been the cause of this; remove it and try again:
apt remove libpam-cap -y
Algo Installation
Download and install dependencies:
apt -y install unzip python3-virtualenv
wget -c https://github.com/trailofbits/algo/archive/master.zip -O /opt/algo.zip
cd /opt/
unzip algo.zip
cd algo-master/
python3 -m virtualenv --python="$(command -v python3)" .env &&
source .env/bin/activate &&
python3 -m pip install -U pip virtualenv &&
python3 -m pip install -r requirements.txt
Open the configuration file:
nano config.cfg
Specify the users you wish to create in the users list:
users:
  - masoud
Run the Ansible Setup Wizard
Start the deployment:
./algo
Choose the following options:
What provider would you like to use?
1. DigitalOcean
2. Amazon Lightsail
3. Amazon EC2
4. Microsoft Azure
5. Google Compute Engine
6. Hetzner Cloud
7. Vultr
8. Scaleway
9. OpenStack (DreamCompute optimised)
10. CloudStack (Exoscale optimised)
11. Install to existing Ubuntu 18.04 or 20.04 server (for more advanced users)
11
Do you want macOS/iOS IPsec clients to enable "Connect On Demand" when connected to cellular networks? [y/N]
N
Do you want macOS/iOS IPsec clients to enable "Connect On Demand" when connected to Wi-Fi? [y/N]
N
Do you want to retain the keys (PKI)? (required to add users in the future, but less secure)
[y/N]
Y
Do you want to enable DNS ad blocking on this VPN server? [y/N]
N
Do you want each user to have their own account for SSH tunneling? [y/N]
N
Enter the IP address of your server: (or use localhost for local installation): [localhost]
localhost
Enter the public IP address or domain name of your server: (IMPORTANT! This is used to verify the certificate) [YOUR_PUBLIC_IP]
YOUR_PUBLIC_IP
Android
Install the WireGuard client:
https://www.wireguard.com/install/
For an Android device, download the generated QR code image (and the matching .conf) and scan it in the app:
scp root@YOUR_PUBLIC_IP:/opt/algo-master/configs/YOUR_PUBLIC_IP/wireguard/masoud{.png,.conf} .
Linux
add-apt-repository ppa:wireguard/wireguard
apt update -y
apt install wireguard -y
Copy the client config into place and bring the interface up:
sudo install -o root -g root -m 600 masoud.conf /etc/wireguard/wg0.conf
systemctl enable wg-quick@wg0
systemctl start wg-quick@wg0
Another method (L2TP via NetworkManager):
add-apt-repository ppa:nm-l2tp/network-manager-l2tp
apt update -y
apt install network-manager-l2tp-gnome -y
Then add the VPN connection in NetworkManager.
Another method using IPsec (strongSwan):
apt install strongswan -y
scp root@YOUR_PUBLIC_IP:/opt/algo/configs/YOUR_PUBLIC_IP/ipsec/.pki/private/masoud.key .
scp root@YOUR_PUBLIC_IP:/opt/algo/configs/YOUR_PUBLIC_IP/ipsec/.pki/certs/masoud.crt .
scp root@YOUR_PUBLIC_IP:/opt/algo/configs/YOUR_PUBLIC_IP/ipsec/manual/* .
Copy the files into place (the client certificate goes under certs/, the private key under private/):
cp masoud.crt /etc/ipsec.d/certs/
cp masoud.key /etc/ipsec.d/private/
cp cacert.pem /etc/ipsec.d/cacerts/
cp masoud.secrets /etc/ipsec.secrets
cp masoud.conf /etc/ipsec.conf
ipsec restart
ipsec up algovpn-116.202.102.246
Confirm that traffic now leaves through the VPN by checking your public IP at https://whoer.net/
Add users:
After the installation, you can add more users to the users list in your config.cfg:
users:
  - test
  - pech
  - admin
  - user2
Once the list is updated, activate the virtual environment and run the users update script.
source .env/bin/activate
./algo update-users
After this process completes, the Algo VPN server will contain only the users listed in the config.cfg file.
# id test
uid=1002(test) gid=1003(test) groups=1003(test),1000(algo)
The configuration files for each VPN profile are located under the ./algo/configs/ServerIP directory.
See the connection status:
wg show
Check that the following UDP ports are reachable (note that UDP has no handshake, so nc only reports a closed port when an ICMP port-unreachable comes back; a firewall that silently drops packets looks "open"):
nc -vz -u YOUR_PUBLIC_IP 500
nc -vz -u YOUR_PUBLIC_IP 51820
nc -vz -u YOUR_PUBLIC_IP 4500
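Because the UDP probes above cannot tell "open" from "dropped", a better health check is the last-handshake time that wg show already reports. This is an added example, not part of the original notes: wg_stale_peers and check_wg are my own names, the peer keys in the sample are constructed placeholders, and the only assumption about the tool is the real output format of wg show IFACE latest-handshakes (peer public key, then a Unix timestamp, 0 if no handshake ever completed).

```shell
#!/bin/sh
# Added example (not from the original notes): judge WireGuard tunnel health from
# the last-handshake timestamps.  WireGuard re-handshakes about every 2 minutes while
# traffic flows and rejects keys after 3 minutes, so 180 s is the default "stale" limit.

# wg_stale_peers "<latest-handshakes output>" NOW [MAX_AGE=180]
# Prints one line per unhealthy peer; returns 0 only if every peer handshaked recently.
# awk's default field splitting handles the tab that the real wg output uses.
wg_stale_peers() {
    printf '%s\n' "$1" | awk -v now="$2" -v max="${3:-180}" '
        NF >= 2 {
            if ($2 == 0)             { print $1 " never-handshaked"; bad++ }
            else if (now - $2 > max) { print $1 " stale " (now - $2) "s"; bad++ }
        }
        END { exit (bad > 0) }'
}

# check_wg IFACE: live wrapper around the function above (needs the wg tool and root).
check_wg() {
    wg_stale_peers "$(wg show "$1" latest-handshakes)" "$(date +%s)" 180
}

# Constructed sample output (placeholder keys, not real peers).  With "now" taken as
# 1700000100: peerA handshaked 100 s ago, peerB never, peerC 1100 s ago.
WG_SAMPLE='peerA_placeholder_pubkey= 1700000000
peerB_placeholder_pubkey= 0
peerC_placeholder_pubkey= 1699999000'
WG_HEALTHY='peerA_placeholder_pubkey= 1700000000'

# Usage: ./wgcheck.sh --demo  (runs on the sample); check_wg wg0 on a real host.
if [ "${1:-}" = "--demo" ]; then
    wg_stale_peers "$WG_SAMPLE" 1700000100 180 || echo "tunnel NOT healthy"
fi
```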
Add a new floating IP
Open the project in the Hetzner Cloud console, go to the Floating IPs section and add a new one.
Then add a few lines to the netplan configuration file:
nano /etc/netplan/50-cloud-init.yaml
Paste the following configuration into the editor and replace YOUR_NEW_IP with your Floating IP:
network:
  version: 2
  ethernets:
    eth0:
      addresses:
        - 2a01:4f9:c010:18be::1/64
      dhcp4: true
      gateway6: fe80::1
      match:
        macaddress: 96:00:00:a6:82:87
      set-name: eth0
    lo:
      addresses:
        - YOUR_NEW_IP/32
Apply the new network configuration:
netplan apply