Setting Up an Easy To Run, Super Secure VPN Server
Every tech company needs a VPN server, right? A VPN gives the user a virtual tunnel over the plain ol’ internet to private resources on the other end. Whether it’s administrative access to servers behind a firewall, access to private corporate websites, or a single egress IP address that the admins at another company can allow through, you are going to need one eventually.
Unfortunately for us DevOps/infrastructure folks, there has never really been an easy, secure, go-to open source VPN implementation. Sure, there’s OpenVPN, but it’s not that easy to set up, especially securely. Also, VPN tech is by its nature very complex, combining network protocols with cryptography in a way that, well, is not something people are usually happy about having to administer.
Well, I’m happy to say that in my experience this has changed with the release of the Algo VPN server. Having tried more than a few different VPN solutions at more than a few different companies, this one is definitely the easiest to set up, uses the most modern and secure protocol, and is relatively easy to maintain because it relies on Ansible, a configuration management tool.
Let’s back up.
Why do most VPN server solutions suck?
Most VPN solutions that I have set up for companies have a few issues:
- They generally take a bunch of manual work to install
- Many of them require you to install a client, and the ones that don’t usually require some manual steps to set up
- Many of the other VPN solutions use password auth, which is fairly weak, or
- In the case of OpenVPN, you can easily generate keys to distribute, but you will need to remember to manually invalidate these keys when you remove users.
Most of the other VPN solutions out there don’t use the strongest ciphers and largest key sizes by default. It’s up to the person installing the product to know how to configure it to be as secure as it can be. The devil really is in the details here: you can use a good VPN with a weak cipher and end up with something not so good.
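As an added example (not code from Algo or strongSwan), here is a small audit that reads the `ike=` and `esp=` proposal strings out of a strongSwan `ipsec.conf` `conn` block and flags the weak algorithms and non-strict proposal lists that produce exactly the "good VPN, weak cipher" outcome described above. The two `conn` fragments are constructed for the example; the weak/strong classification is this example's own policy, not strongSwan's.

```python
"""Flag weak algorithms in strongSwan-style IKE/ESP proposal strings.

Added example, not part of the Algo project. The proposal syntax
(algorithms joined by '-', alternative proposals joined by ',', and a
trailing '!' meaning "only these proposals") follows strongSwan's
ipsec.conf 'ike=' and 'esp=' options. The weak-token table below is this
example's own policy.
"""

# Sample ipsec.conf fragments, constructed for this example.
WEAK_CONN = """\
conn roadwarrior
    keyexchange=ikev1
    ike=3des-sha1-modp1024,aes128-md5-modp1024
    esp=3des-sha1
"""

HARDENED_CONN = """\
conn roadwarrior
    keyexchange=ikev2
    ike=aes256gcm16-prfsha512-ecp384!
    esp=aes256gcm16-ecp384!
"""

# Algorithm tokens a reviewer would reject on sight, with a short reason.
WEAK_TOKENS = {
    "des": "single DES",
    "3des": "Triple DES",
    "md5": "MD5 integrity/PRF",
    "sha1": "SHA-1 integrity",
    "prfsha1": "SHA-1 PRF",
    "modp768": "768-bit MODP DH group",
    "modp1024": "1024-bit MODP DH group",
    "modp1536": "1536-bit MODP DH group",
}


def parse_conn(text):
    """Return the key=value settings of one 'conn' block as a dict."""
    settings = {}
    for line in text.splitlines():
        line = line.strip()
        if "=" in line and not line.startswith("conn "):
            key, _, value = line.partition("=")
            settings[key.strip()] = value.strip()
    return settings


def audit_proposals(text):
    """Return a list of findings; an empty list means nothing weak was found."""
    settings = parse_conn(text)
    findings = []
    if settings.get("keyexchange") == "ikev1":
        findings.append("keyexchange: IKEv1 configured instead of IKEv2")
    for option in ("ike", "esp"):
        value = settings.get(option, "")
        if not value:
            continue
        strict = value.endswith("!")
        for proposal in value.rstrip("!").split(","):
            for token in proposal.split("-"):
                if token in WEAK_TOKENS:
                    findings.append(f"{option}: {token} ({WEAK_TOKENS[token]})")
        if not strict:
            # Without '!' strongSwan also offers its default proposals,
            # so the peer can negotiate something broader than configured.
            findings.append(f"{option}: proposal list is not strict (no trailing '!')")
    return findings


if __name__ == "__main__":
    for name, conn in (("weak", WEAK_CONN), ("hardened", HARDENED_CONN)):
        print(name, audit_proposals(conn) or ["ok"])
```

The hardened fragment mirrors the shape of a modern AEAD-only proposal (AES-256-GCM, SHA-512 PRF, 384-bit elliptic-curve DH) with strict negotiation; the weak one shows how a single legacy proposal left in the list is enough to downgrade the whole tunnel.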
Why is the Algo VPN better?
It uses IKEv2 (Internet Key Exchange version 2), which is the only VPN protocol that we are relatively sure has not been broken by the NSA, and it automatically hardens its deployment of this protocol to be very secure.
IKEv2 is natively supported on modern OSes. Distributing and installing the VPN is as simple as sending each user their .mobileconfig file; it’s a one-click configuration of the native Mac VPN client.
The Algo VPN service is an open source project that is really just a set of Ansible and bash scripts that quickly set up a VPN server on one of the cloud provider platforms in a secure configuration. It uses strongSwan, an open-source implementation of IPsec. In crypto, it’s best to only trust open source, well-audited projects.
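To show what that one-click file actually carries, here is an added example (not Algo's own profile template) that builds a minimal IKEv2 .mobileconfig with Python's `plistlib`. The payload types and keys are Apple's Configuration Profile VPN and PKCS#12 payload keys; the server name, identifiers, identifier prefix and PKCS#12 bytes are constructed placeholders, and a real profile would carry the user's actual .p12 bundle.

```python
"""Build a minimal IKEv2 .mobileconfig profile with plistlib.

Added example, not the Algo project's template. Uses the Apple
Configuration Profile payload types com.apple.vpn.managed (VPNType IKEv2)
and com.apple.security.pkcs12. Server name, identifiers and the PKCS#12
blob are constructed placeholders.
"""
import plistlib
import uuid


def ikev2_sa_params():
    """Strong IKE and Child SA parameters: AES-256-GCM, SHA-512, DH group 20 (ECP-384)."""
    return {
        "EncryptionAlgorithm": "AES-256-GCM",
        "IntegrityAlgorithm": "SHA2-512",
        "DiffieHellmanGroup": 20,
        "LifeTimeInMinutes": 1440,
    }


def build_profile(server, user, pkcs12_bytes, pkcs12_password):
    """Return the profile as a plist-ready dict: one VPN payload plus one certificate payload."""
    cert_uuid = str(uuid.uuid4()).upper()
    prefix = "com.example.vpn"  # placeholder identifier prefix
    vpn_payload = {
        "PayloadType": "com.apple.vpn.managed",
        "PayloadVersion": 1,
        "PayloadIdentifier": f"{prefix}.{user}",
        "PayloadUUID": str(uuid.uuid4()).upper(),
        "PayloadDisplayName": f"VPN {server}",
        "UserDefinedName": f"{server} ({user})",
        "VPNType": "IKEv2",
        "IKEv2": {
            "RemoteAddress": server,
            "RemoteIdentifier": server,
            "LocalIdentifier": user,
            # Certificate auth: no shared secret or password in the tunnel setup.
            "AuthenticationMethod": "Certificate",
            "PayloadCertificateUUID": cert_uuid,
            "EnablePFS": 1,
            "DisableRedirect": 1,
            "IKESecurityAssociationParameters": ikev2_sa_params(),
            "ChildSecurityAssociationParameters": ikev2_sa_params(),
        },
    }
    cert_payload = {
        "PayloadType": "com.apple.security.pkcs12",
        "PayloadVersion": 1,
        "PayloadIdentifier": f"{prefix}.{user}.cert",
        "PayloadUUID": cert_uuid,
        "PayloadDisplayName": f"{user} client certificate",
        "PayloadContent": pkcs12_bytes,  # plistlib serialises bytes as <data>
        "Password": pkcs12_password,
    }
    return {
        "PayloadType": "Configuration",
        "PayloadVersion": 1,
        "PayloadIdentifier": f"{prefix}.{user}.profile",
        "PayloadUUID": str(uuid.uuid4()).upper(),
        "PayloadDisplayName": f"{server} VPN profile for {user}",
        "PayloadContent": [vpn_payload, cert_payload],
    }


def profile_bytes(profile):
    """Serialise the profile to the XML plist that macOS opens as a .mobileconfig."""
    return plistlib.dumps(profile)


def load_profile(data):
    """Parse a serialised profile back into a dict (useful for checking what you are shipping)."""
    return plistlib.loads(data)


if __name__ == "__main__":
    # Constructed placeholder PKCS#12 bytes; a real profile embeds the user's .p12.
    profile = build_profile("vpn.example.com", "alice", b"PLACEHOLDER-P12", "p12-password")
    with open("alice.mobileconfig", "wb") as fh:
        fh.write(profile_bytes(profile))
```

Because the certificate payload is linked to the VPN payload by `PayloadCertificateUUID`, the profile is self-contained: the user double-clicks one file and gets both the tunnel definition and the credential it authenticates with. Anyone auditing a profile before distribution can load it back with `load_profile` and check the SA parameters rather than trusting the file name.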
If you are using mostly Apple devices (as many dev shops are), the installation is incredibly easy. I’ve yet to have anyone on a modern OS X release run into any issues with it.
Adding a user is done via Ansible. When you run it, it automatically invalidates any users that were removed from your configuration file. That means all you have to do is keep that one file up to date with current users, which removes the need for a separate process for adding and deleting or invalidating users.
Much of your config can be stored in configuration management, so rebuilding or creating the server should be fairly easy. Note: I do say should, because admittedly I have not done this.
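The "one file is the source of truth" model above is easy to preview before an Ansible run. As an added example (not part of Algo), this reads the `users:` list out of a config.cfg-style YAML file with a tiny hand-rolled parser (so it runs without PyYAML) and diffs it against the identities that currently hold a client certificate, reporting who will be added and who will be revoked. The config fragment and the issued-identity set are both constructed; how a real deployment enumerates issued certificates (for example from its PKI directory) is an assumption left to the caller.

```python
"""Preview which VPN users a config change will add or revoke.

Added example, not part of the Algo project. Parses the 'users:' block of
a config.cfg-style YAML file with a minimal hand parser and diffs it
against the set of identities that currently hold a client certificate.
Both inputs below are constructed for the example.
"""

# Constructed config.cfg fragment: the single file to keep up to date.
CONFIG_CFG = """\
# constructed config.cfg fragment
users:
  - alice
  - bob
  - dave
server_name: vpn   # other keys are ignored by the parser
"""

# Identities currently holding an issued client certificate (constructed);
# a real deployment would read these from its PKI directory.
ISSUED = {"alice", "bob", "carol"}


def parse_users(text):
    """Return the usernames listed under 'users:' in a simple YAML block list."""
    users = []
    in_block = False
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].rstrip()  # drop comments
        if not line.strip():
            continue
        if line.startswith("users:"):
            in_block = True
            continue
        if in_block and line.lstrip().startswith("- "):
            users.append(line.lstrip()[2:].strip().strip("\"'"))
        elif in_block and not line.startswith(" "):
            in_block = False  # next top-level key ends the list
    return users


def reconcile(desired, issued):
    """Diff the desired user list against issued identities.

    Returns a dict with sorted 'add', 'revoke' and 'keep' lists. Duplicate
    names in the desired list are rejected so one typo cannot silently
    shadow another entry.
    """
    duplicates = sorted({u for u in desired if desired.count(u) > 1})
    if duplicates:
        raise ValueError(f"duplicate users in config: {duplicates}")
    desired_set = set(desired)
    return {
        "add": sorted(desired_set - issued),
        "revoke": sorted(issued - desired_set),
        "keep": sorted(desired_set & issued),
    }


if __name__ == "__main__":
    plan = reconcile(parse_users(CONFIG_CFG), ISSUED)
    for action, names in plan.items():
        print(f"{action}: {', '.join(names) or '-'}")
```

Running the plan before the real Ansible run is the cheap safety net for the failure mode the paragraph implies: a name dropped from the file by accident shows up under `revoke` where you can catch it, instead of being discovered when that person's tunnel stops coming up.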
Things I’m ambivalent about
This is a recent VPN “distro” and it’s still maturing. Originally, some of the options I was looking for were not there. I had to hack in adding an Elastic IP to the VPN. I’ll probably try submitting the changes I made as a PR. Development is moving along on this project, which is great to see.
Everything is set up in its own VPC, which is nice for security. But this also means that by default, your VPN won’t be able to access your other resources in the cloud. You will likely need to set up VPC peering.
There’s no option to give the server a canonical name and integrate it with DNS, which is kind of a pain. Users generally don’t like unfriendly IP addresses.
Windows isn’t nearly as well supported as OSX, mainly because they just recently (with Win10) integrated IKEv2. If you are a Windows shop, I would look elsewhere personally.
Most of these are minor inconveniences. I expect that as the software matures, we will see most, if not all, of that list resolved.
Try it for yourself!
Seriously – it’s super easy to set up. If you can install software, you can do this. It fits into the free tier at Amazon Web Services, so it’s literally free. And it’s yours, so you KNOW there’s no funny business. Why pay monthly fees to send your data to a third party? Don’t do that. Do this. =D