Building a distributed VPN service

Summary:

  1. Why?
  2. Pre-requisites
  3. Architecture
  4. Installation
  5. Deployment
  6. Conclusion

1. Why?

Maybe you want a personal global VPN with servers in different countries that you can share with your friends and family.

Maybe you travel a lot and want to have a secure connection with minimal latency.

Maybe you want an efficient adblocker for your mobile.

I don't know your use-case, but mine was to build DataBuster. The process was fun so I thought I could share it here.

2. Pre-requisites

  • Any VPS or physical server with root access
  • Ubuntu 16.04 for server
  • A backend database, I used MariaDB
  • A backend language, I used PHP 7.1

Read this and the README of Algo.

3. Architecture

[Figure: architecture diagram]

I won't talk about the backoffice and the application logic in detail, because this really depends on your needs, but you can easily make a small CRUD to manage your servers and the users across those servers.

Set up a database with at least one table for your server(s). You should store each server's IP address and the CA key from the Algo installation, and maybe some metadata like the country code, the provider and so on.

4. Installation

  1. Order a VPS or physical server with root access and Ubuntu 16.04
  2. Install basic packages like git and run apt-get update && apt-get upgrade
  3. Clone my Algo fork wherever you want on the server: git clone https://git.stan.sh/SL-Process/DataBuster-VPN.git
  4. Install Algo, follow the instructions in the README, in the last step choose to retain the CA key.
  5. Save the CA key at the end of the installation somewhere safe, in your database in the master server for example.

5. Deployment (with snippets)

Algo automatically creates authentication files for devices such as Windows and macOS computers and Android and iOS devices.

Users are registered in the config.cfg file in the root folder of your Algo installation.

If you want to create a VPN user named "user1" on one of your servers, you have to edit the config.cfg file of that Algo server (located in the root folder of the Algo installation), then run the task ./algo update-users manually to add this user and remove the deleted ones.

To automate this task, I added a script at the root of the Algo installation. You can trigger these actions over SSH from the master server, whose database contains at least the IP address and the CA key of the designated VPS.

These PHP snippets use phpseclib.

Add a user (user1):

<?php //...
use phpseclib\Net\SSH2; // phpseclib 2.x namespace

// Send info for Slave to create the user in config.cfg
$ssh = new SSH2('{IP_ADDRESS}'); // Replace with the IP address of your VPS
if (!$ssh->login('', '')) { // Replace with the root credentials of your VPS
    return false; // Error in SSH login
}
// Append "  - user1" right after the "users:" line of config.cfg
$ssh->exec("sed -i '/users:/a\\  - user1' {ALGO_PATH}/config.cfg"); // Replace {ALGO_PATH} with where you installed Algo

Remove a user (user1):

<?php //...
use phpseclib\Net\SSH2;

// Send info for databuster Slave to delete the user in config.cfg
$ssh = new SSH2('{IP_ADDRESS}');
if (!$ssh->login('', '')) {
    return false;
}
// Anchored pattern: delete exactly the "  - user1" entry, not e.g. "  - user10"
$ssh->exec("sed -i '/^  - user1\$/d' {ALGO_PATH}/config.cfg");

Run the task to update the permissions (revoke removed users and add new users):

<?php // ... $ssh is the logged-in session from the previous snippets
$ssh->exec("cd {ALGO_PATH} && source env/bin/activate && ./databuster.sh {IP_ADDRESS} {CA_KEY}");
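The snippets above splice the user name straight into a sed command, so a name coming from a web form could alter the shell command or the YAML. As an added example that is not part of the original post or of DataBuster, here are the same add/remove steps wrapped in helpers that validate the name first, skip duplicates, and anchor the delete pattern. It assumes phpseclib 2.x (namespace phpseclib\Net) and an already logged-in $ssh session; the function names are my own.

```php
<?php
// Added example: validated wrappers around the config.cfg edits.
// Assumes phpseclib 2.x and a $ssh session that has already logged in.
use phpseclib\Net\SSH2;

// Algo user names end up in file names and in YAML, so accept only a
// conservative charset (assumed policy; tighten or relax to taste).
function isValidVpnUser(string $user): bool
{
    return (bool) preg_match('/^[a-z0-9][a-z0-9_-]{0,31}$/', $user);
}

// True if a line exactly equal to "  - $user" already exists in config.cfg.
function vpnUserExists(SSH2 $ssh, string $algoPath, string $user): bool
{
    $ssh->exec('grep -qx ' . escapeshellarg("  - $user") . ' '
        . escapeshellarg("$algoPath/config.cfg"));
    return $ssh->getExitStatus() === 0;
}

// Same sed as in the post, but only after the name passed validation.
function addVpnUser(SSH2 $ssh, string $algoPath, string $user): bool
{
    if (!isValidVpnUser($user) || vpnUserExists($ssh, $algoPath, $user)) {
        return false; // bad name, or already present (avoid a duplicate entry)
    }
    $ssh->exec("sed -i '/^users:/a\\  - $user' "
        . escapeshellarg("$algoPath/config.cfg"));
    return $ssh->getExitStatus() === 0;
}

// Anchored pattern: removing "user1" must not also remove "user10".
function removeVpnUser(SSH2 $ssh, string $algoPath, string $user): bool
{
    if (!isValidVpnUser($user)) {
        return false;
    }
    $ssh->exec("sed -i '/^  - $user\$/d' "
        . escapeshellarg("$algoPath/config.cfg"));
    return $ssh->getExitStatus() === 0;
}
```

After a successful add or remove you still run the databuster.sh task from the previous snippet so the change is applied on the server.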

Retrieve the mobileconfig file to send it to the iOS device of the user (user1):

<?php // ...
use phpseclib\Net\SSH2;
use phpseclib\Net\SCP;

$ssh = new SSH2('{IP_ADDRESS}');
if (!$ssh->login('', '')) {
    return false;
}
// Fetch the generated profile over SCP on top of the existing SSH session
$scp = new SCP($ssh);
$file_content = $scp->get("{ALGO_PATH}/configs/{IP_ADDRESS}/user1.mobileconfig");

6. Conclusion

You now have a way to create a simple distributed VPN using a very secure installation based on Algo.

The next steps are to automate everything else: log purging, the VPS installation (maybe with Docker?), user management...

Check out DataBuster to have a concrete idea of such an installation!

Feedback is welcome, my article might not be very clear.


© 2018 Stan Larroque. All rights reserved.