Companies all over the world sell VPN services to secure your online activity, but can you really trust a VPN provider? If you want, you can create your own virtual private network with the open-source Algo software, and the cloud-hosting provider of your choice.
VPNs and Trust
If trusting faceless online services isn’t your thing, one alternative is to run your own VPN server. This used to be a daunting task, but thanks to the open-source project Algo from security company Trail of Bits, creating your own VPN is now easy.
For $5 per month, you can run and control your own full-time VPN server. Even better, you can use Algo to set up and tear down VPN servers as you need them, and save money in the process.
To set-up Algo, you have to use the command line. If that’s off-putting, don’t worry—we’ll walk you through every step.
These instructions might seem like a lot, but that’s only because we’re explaining as much as we can. Once you’ve created a VPN with Algo a few times, it shouldn’t take very long at all. Plus, you only have to set up Algo’s installation environment once. After that, you can create a new VPN server with a few keystrokes.
But can you trust that Algo’s scripts aren’t doing anything untoward? Well, the good news is Algo’s code is public on GitHub for anyone to look at. Plus, many security experts are interested in the Algo project, which makes misdeeds less likely.
What Algo Can (and Can’t) Do
A VPN is a good way to protect your online activity—especially on a public Wi-Fi network in an airport or coffee shop. A VPN makes web browsing more secure and stymies any malicious actors who might be on the same local Wi-Fi network. A VPN can also help if your ISP restricts certain kinds of traffic, like torrents.
But watch out, pirates! Downloading booty through your own VPN isn’t a good idea, as the activity can more easily be traced back to you.
Also, if you wanna watch Netflix over your VPN, you’ll have to look elsewhere—Algo doesn’t work with it. However, there are many commercial services that do support Netflix.
Prerequisites for Algo
To get an Algo VPN server up and running, you need a Unix Bash shell. On a Mac or Linux system, you can use your Terminal program, but on Windows, you’ll have to activate the Subsystem for Linux. Here’s how to install and use the Linux Bash shell on Windows 10.
You’ll also need an account at a cloud server hosting provider. Algo supports all of the following:
- Amazon Lightsail
- Amazon EC2
- Microsoft Azure
- Google Compute Engine
- Hetzner Cloud
- It also installs to OpenStack and CloudStack instances.
If you’ve never used any of these services, we recommend DigitalOcean, as it’s very user-friendly. It’s also the service we’re using in this tutorial. The process will be a bit different if you use a different provider.
When your DigitalOcean account is ready to go, sign in, and then, from the primary dashboard, select “API” from the left rail under the “Account” heading.
On the next page, click “Generate New Token.” An access token is a long string of letters and numbers that permits access to account resources without a username and password. You’ll need to name the new token. Generally, it’s a good idea to name it after the application you’re using, such as “algo” or “ian-algo” (if your first name happens to be Ian).
After the new token is generated, copy and paste it into a text document on your desktop. You’ll need it in a few minutes.
Setting Up Your Environment
Back on your desktop, open a fresh terminal window, type
cd (for “change directory,” which is what folders are called in the Unix world), and hit Enter. This will ensure you’re working from the terminal’s home directory.
At this writing, Algo requires Python 3.6 or later. Type the following into your terminal program:
If you get a response like
Python 3.6.9, you’re good to go; if not, you’ll have to install Python 3.
To install Python 3 on Mac, you can use the Homebrew package manager. When Homebrew’s ready to go, type the following command in a Terminal window:
brew install python3
If you’re using Ubuntu Linux or WSL on Windows, they should have Python 3 by default. If not, installation methods vary depending on your version of Linux. Search online for “install Python 3 on [insert your version of Linux here]” for instructions.
Next, you need to install Python3’s Virtualenv to create an isolated Python environment for Algo. Type the following in Bash on a Mac:
python3 -m pip install --upgrade virtualenv
On Ubuntu Linux and WSL, the command is the following:
sudo apt install -y python3-virtualenv
Note that we’re tailoring this tutorial for Ubuntu and related distributions, but these instructions will also work for other versions of Linux with some minor alterations. If you’re using CentOS, for example, you’d substitute the instructions using
Next, we need to download Algo with the
wget command. Macs don’t have
wget installed by default, so to get it via Homebrew, type the following:
brew install wget
Now, let’s download Algo’s files:
wget finishes, there will be a compressed file called “master.zip” in your terminal’s home directory; let’s check that with
If you see “master.zip” in the list of files and folders that appears, you’re good to go. If not, try running
Now, we need to unzip the file, so we type the following:
After that’s done, hit
ls again. You should now see a new folder in your home directory called “algo-master.”
We’re almost ready for action, but first, we need to set up our isolated environment and install a few more dependencies. This time we’ll work inside the “algo-master” folder.
Type the following to switch to the folder:
Make sure you’re there with this command:
This stands for “print working directory,” and it should show you something like
/Users/Bob/algo-master. Now that we’re in the right place, let’s get everything ready.
Either copy and paste or type the command below on a single line (don’t press Enter until the end):
python3 -m virtualenv --python="$(command -v python3)" .env && source .env/bin/activate && python3 -m pip install -U pip virtualenv && python3 -m pip install -r requirements.txt
This triggers a whole lot of action inside the Algo directory to prepare to run.
Next, you have to name your users for the VPN. If you don’t name all of them now, you’ll either have to hold onto the security keys (which is less secure) or start a new server from scratch later on.
Either way, type the following in terminal:
This opens the user-friendly command-line text editor, Nano. The Algo config file has a lot of information in it, but we’re only interested in the part that says “users.” All you have to do is remove the default usernames (phone, laptop, desktop), and type a name for each device you want on your VPN.
For example, if I’m creating a VPN for myself, Bill, and Mary, the config file might look like the following:
Once you’ve named everyone, press Ctrl+O to save the file, followed by Ctrl+X to exit.
We’re almost ready for action, but first Windows folks need to take a little detour. WSL usually doesn’t set the correct user permissions for the Algo folder, which upsets Ansible (the tool Algo relies on to deploy a server).
On WSL, type the following to go back to your home directory:
Then, type the following:
chmod 755 -R ~/algo-master
To go back to the Algo folder, type:
And now is the moment of truth.
algo-master folder, type the following in the terminal window:
The Algo configuration should start running. You’ll know it’s working when it asks which cloud provider you’d like to use. In our case, we select the number (1) for DigitalOcean.
If Algo fails, it could be a number of reasons we can’t possibly predict here. If the error says your directory is “world write configurable,” then follow the instructions above for changing permissions.
If you get a different error, check the troubleshooting page in the Algo project repository on GitHub. You can also copy the error message and paste it in Google to search for it. You should find a forum post that will help, as it’s unlikely you’re the first person to receive that error.
Next, you’ll be asked for the access token you copied earlier from your DigitalOcean account. Copy and paste it into terminal. You won’t see anything because Bash doesn’t display characters for password- and security-phrase entries. As long as you hit paste, and then press Enter, though, it should be fine.
If it fails, you might have just messed up the paste, which everyone does in Bash. Just type the following to try again:
When Algo is running, answer the questions it asks. These are all pretty straightforward, like what you want to name your server (using “algo” in the name is a good idea).
Next, it will ask if you want to enable “Connect on Demand” for Mac and iOS devices. If you’re not using any of those devices, type N for no. It will also ask if you want to keep the PKI keys to add more users later; generally, you’ll type N here, as well.
That’s it! Algo will now take about 15 to 30 minutes to get your server up and running.
When Algo finishes its setup, the terminal returns to a command-line prompt, which means the VPN is ready to go. Like a lot of commercial services, Algo uses the WireGuard VPN protocol, which is the hottest new thing in the world of VPNs. This is because it offers good security, greater speeds, and is easier to work with.
As an example of what to do next, we’ll activate Algo on Windows. To set up other devices, you can refer to the Algo repository on GitHub.
First, we’ll install the generic Windows desktop client from the WireGuard site. Next, we have to feed the program our config file for the PC. The configuration files are stored deep in the algo-master folder at:
~/algo-master/configs/[VPN server IP address]/wireguard/.
There are two types of files for configuring VPN client devices: .CONF and .PNG. The latter are QR codes for devices like phones, that can scan QR codes. The .CONF (configuration) files are text files for the desktop WireGuard clients.
On Mac and Ubuntu, it shouldn’t be hard to find the
algo-master folder outside of the command line. On Macs,
algo-master is in the Home folder; just use Finder > Go > Home to get there. On Ubuntu, you can open Nautilus, and it’ll be in the Home folder.
On Windows, however, WSL is separate from the rest of the OS. For this reason, it’s just easier to copy the files over with the command line.
Using our previous example, let’s say we want the “Mary-PC.conf” configuration file to use on a Windows 10 PC. The command would look something like this:
cp ~/algo-master/configs/[VPN server IP address]/wireguard/Mary-PC.conf /mnt/c/Users/[your Windows user account name]/Desktop/
Note the space between
/mnt/; that’s how Bash knows where the file to be copied is located, and where it’s going. Case also matters, so make sure you type capitals where specified.
It’s natural on Windows to want to capitalize the C in “C:” drive, but in Bash you don’t. Also, don’t forget to replace the bits in brackets with the actual information for your PC.
For example, if your user folder is on the “D:” drive, not the “C:,” then replace
Once the file is copied, open the WireGuard for Windows client. Click “Import Tunnels From File,” and then select your configuration file on the desktop. After that’s done, click “Activate.”
In just a few seconds, you’ll be connected to your very own VPN!