Not Wireguard's fault, but in my case IPSEC worked better. I guess I could encapsulate it, but it's just annoying to do and on some platforms it's just too much trouble.
If your firewall blocks UDP packets in general, you're in a world of pain either way, since TCP over TCP is pretty bad.
[0] https://www.wireguard.com/quickstart/#nat-and-firewall-trave...
by @mistaken, not Linus: http://lists.openwall.net/netdev/2018/08/02/124
OpenVPN is a mess. IPSEC and basically all implementations thereof are messes.
(As a personal anecdote, have you ever tried to get OpenVPN to do anything remotely sensible with MTUs or MTU-related ICMP errors? You can't, because every possible configuration gets it at least partially wrong [0]. Wireguard gets it entirely correct AFAICT.)
Of course, if you’re using a VPN to try to protect your browsing activity from authorities, obviously a major cloud provider may be more willing to turn your info over to someone else.
Lol. Funny, good VPNs are like good fishing spots, the ones who know the difference tend not to share their favourites, keeping it for themselves :)
Usable? Infinitely. I've noticed quite a few web sites and services putting obnoxious blocks or filters or other impediments against users coming from "widely-known" VPN and VPS provider IP addresses. But few seem to bother with Microsoft or Amazon IPs.
So for something that has the purpose of either getting me out from behind a restrictive network or wrapping my traffic on an insecure network, a VPN to an Azure- or EC2-provisioned virtual machine works just fine.
But if you just want to secure your data from an untrustworthy local network, it's a reasonable choice. You're less likely to be flagged as connecting from a "bad" IP.
ansible setup-vpn 1.2.3.4
Ansible expects you to write the host address into a file in /etc. So inconvenient. Also, Ansible doesn't support Windows and Cygwin.
It turned out it was easier to write instructions into a Bash program. Sadly, it is non-portable and works only with a specific distribution.
It is also surprising how many files there are in the repository for a relatively simple task. And how complicated the installation process is. In PHP everything would be easier, because you can pack your application into a single phar archive, like in Java.
They don't support the built-in Android client. I remember I installed Strongswan or something like this and it worked with Android out of the box.
I wouldn't recommend Digital Ocean. They don't accept virtual debit cards (they want a real card so they can charge you whenever they want) and their VPSes are too expensive. $5 per month is too expensive when you can find offers as low as 1 euro/month in Europe with a pre-paid system.
When I was first learning ansible, I was very frustrated about things like this. I came to learn, though, that it is very flexible, and this behavior, as well as other weirdness, is completely overridable.
Two ways to override this behavior, with the inventory.ini file in the same directory as the project:
1) ansible.cfg in the project directory that points to the inventory file (you can also override other default behaviors using this file).
2) pass in a -i argument with the path to the file.
I usually just go with option 1, because I like overriding many of the default behaviors (like making cowsay random, or turning it off sometimes), or setting up my ansible vault.
https://www.ansible.com/integrations/infrastructure/windows
I don’t get the Ansible hate, it’s great.
I recommend checking what VPS technology is used. If it is OpenVZ or similar then you won't be able to edit the iptables config, load kernel modules, or set up ipsec, because OpenVZ is more like a userspace container rather than a virtual machine. KVM, XEN, VMWare work fine.
You shouldn’t use Algo if you are concerned about surveillance from corporations/governments, you should use Algo if you are concerned about surveillance/attacks from your local network or ISP.
The real quality to discuss is threat models. Even using a public-mix VPN is not going to protect against Klein-style wholesale tapping (due to packet correlation). Using your own VPN to exit will not protect against legal attacks (subscriber info will still be subpoenaed). But either will protect against revealing (to every service you connect to) your roaming between access networks - eg the discovery of who is friends from their connecting to the same WiFi.
(Also, distinguishing between "government" and "commercial" surveillance is a bit of a red herring as well. Much government surveillance is done by the "private" sector, which the government at least then buys full access to, if it doesn't constitute a de facto government on its own - eg credit bureaus in the US)
A VPN does not 'hide' your IP address. It merely changes it.
I was using openvpn and then switched to wireguard because openvpn was consuming a lot of power on my phone.
Why would I want to use Ipsec?
It's already built into your phone. (Probably)
Why wouldn't you?
And I have observed (from just using IPsec and wireguard on my phone) that wireguard is quite good (maybe even better) than IPsec at not annihilating internet bandwidth.
It is a shadowsocks client and even non-technical users can provision VPNs on cloud hosting providers.
- Shadowsocks is not a VPN, it's a per-application SOCKS proxy. What has Jigsaw done to ensure that packets don't leak outside of the tunnel? All UDP traffic leaks, so it looks like they did nothing! https://github.com/shadowsocks/shadowsocks-rust/issues/78
- Shadowsocks is dangerously full of bad configuration options to avoid. Did Jigsaw avoid all of them when it built Outline? Their copy of shadowsocks appears to use an unauthenticated CFB mode by default (https://github.com/Jigsaw-Code/outline-server/blob/d8cb1575d...), but then this setting is overridden elsewhere. Good luck checking all the rest.
- They enabled an automated update system they called "Watchtower." Is this safe to use? Who controls the keys? When are updates pushed out? How would it react to a subpoena?
- Is shadowsocks safe? It's a giant pile of C that was purpose-built to evade censorship by the Chinese Great Firewall, nothing more. It wasn't written or designed by an expert in secure communications and it was not even intended for that purpose. It's had a bunch of bugs before (https://x41-dsec.de/lab/advisories/x41-2017-008-shadowsocks/) and none of the crypto makes sense (https://crypto.stackexchange.com/questions/39776/evaluatung-...)!
- The setup process is bonkers. Outline has an Electron app that builds a cloud server, authenticates to it over a random port, then somehow bootstraps encrypted communication with a self-signed certificate. I haven't had time to review the process in all its detail but what the hell? The certificate does not even appear pinned correctly: https://github.com/Jigsaw-Code/outline-server/blob/d8cb1575d...
- Jigsaw did not pay for a reputable security review of the code. This security review is one of the worst, possibly THE worst, that I have ever read. It looks like shadowsocks was in scope at first, but then eliminated from scope. There's some weird fascination with parsing bugs in local configuration files. I don't know what's going on here, but it's a waste of paper: https://s3.amazonaws.com/outline-vpn/static_downloads/ros-re...
Jigsaw is advertising this as a method to keep high-risk journalists safe and it's likely to get someone killed (https://medium.com/jigsaw/introducing-outline-making-it-safe...). They are conflating two different use cases: Outline may be acceptable for bypassing censorship (low-risk, where success is immediately visible), but it is wholly unacceptable for protecting the safety or anonymity of speech online (which carries the risk of an invisible and potentially fatal failure in a hundred different ways if traffic can be inspected or even just attributed to a person).
tl;dr Outline is a flaming pile of garbage. Stop recommending it.
UDP seems to work properly with Outline without any issues. SOCKS proxies do allow UDP to be proxied.
>Shadowsocks is dangerously full of bad configuration options to avoid. Did Jigsaw avoid all of them when it built Outline? Their copy of shadowsocks appears to use an unauthenticated CFB mode by default (https://github.com/Jigsaw-Code/outline-server/blob/d8cb1575d...), but then this setting is overridden elsewhere. Good luck checking all the rest.
How can CFB mode be "unauthenticated"? What does that even mean?
>They enabled an automated update system they called "Watchtower." Is this safe to use? Who controls the keys? When are updates pushed out? How would it react to a subpoena?
Not sure about this one
>Is shadowsocks safe? It's a giant pile of C that was purpose-built to evade censorship by the Chinese Great Firewall, nothing more. It wasn't written or designed by an expert in secure communications and it was not even intended for that purpose. It's had a bunch of bugs before (https://x41-dsec.de/lab/advisories/x41-2017-008-shadowsocks/) and none of the crypto makes sense (https://crypto.stackexchange.com/questions/39776/evaluatung-...)!
Shadowsocks is/was written in Python. The CVEs you have linked affect the Python version only. There is however a much cleaner C version. If you'd read the spec, the crypto makes perfect sense. As pointed out by the stack exchange post, the lack of a PDF on the password is probably the only weak point.
>The setup process is bonkers. Outline has an Electron app that builds a cloud server, authenticates to it over a random port, then somehow bootstraps encrypted communication with a self-signed certificate. I haven't had time to review the process in all its detail but what the hell? The certificate does not even appear pinned correctly: https://github.com/Jigsaw-Code/outline-server/blob/d8cb1575d....
>Jigsaw did not pay for a reputable security review of the code. This security review is one of the worst, possibly THE worst, that I have ever read. It looks like shadowsocks was in scope at first, but then eliminated from scope. There's some weird fascination with parsing bugs in local configuration files. I don't know what's going on here, but it's a waste of paper: https://s3.amazonaws.com/outline-vpn/static_downloads/ros-re....
>Jigsaw is advertising this as a method to keep high-risk journalists safe and it's likely to get someone killed (https://medium.com/jigsaw/introducing-outline-making-it-safe...). They are conflating two different use cases: Outline may be acceptable for bypassing censorship (low-risk, where success is immediately visible), but it is wholly unacceptable for protecting the safety or anonymity of speech online (which carries the risk of an invisible and potentially fatal failure in a hundred different ways if traffic can be inspected or even just attributed to a person).
In a reply to a thread about an easy-to-set-up VPN, I think it is perfectly acceptable.
>tl;dr Outline is a flaming pile of garbage. Stop recommending it.
Outline is a fine iOS app that lets you connect to a shadowsocks server as an easy-to-use VPN. I can't speak for anything else.
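A worked illustration of what "unauthenticated" means for CFB mode in the exchange above, added here as an example and not code from either commenter, from Outline or from shadowsocks. It uses only Go's standard library with a constructed key and IV: a one-byte change to an AES-CFB ciphertext decrypts with no error at all, while the same change to an AES-GCM ciphertext fails the tag check and is rejected.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"fmt"
)

// Constructed 16-byte key and IV for this demo only; real code derives the
// key with a KDF and draws a fresh IV/nonce from a CSPRNG for every message.
var key = []byte("0123456789abcdef")
var iv = []byte("fedcba9876543210")

// cfb runs AES-CFB in either direction; it is a keystream XOR with no tag.
func cfb(in []byte, encrypt bool) []byte {
	block, _ := aes.NewCipher(key)
	out := make([]byte, len(in))
	if encrypt {
		cipher.NewCFBEncrypter(block, iv).XORKeyStream(out, in)
	} else {
		cipher.NewCFBDecrypter(block, iv).XORKeyStream(out, in)
	}
	return out
}

// TamperCFB encrypts msg, XORs ciphertext byte 0 with delta and decrypts.
// CFB has no integrity check, so decryption cannot fail: plaintext byte 0 is
// silently XORed by the same delta (for a message longer than one block the
// next 16 bytes would additionally decrypt to garbage, still without error).
func TamperCFB(msg string, delta byte) string {
	ct := cfb([]byte(msg), true)
	ct[0] ^= delta
	return string(cfb(ct, false))
}

// TamperGCM applies the same flip to an AES-GCM ciphertext and reports whether
// Open accepted it; the tag no longer verifies, so no plaintext is released.
func TamperGCM(msg string, delta byte) (accepted bool) {
	block, _ := aes.NewCipher(key)
	aead, _ := cipher.NewGCM(block)
	ct := aead.Seal(nil, iv[:12], []byte(msg), nil) // GCM takes a 96-bit nonce
	ct[0] ^= delta
	_, err := aead.Open(nil, iv[:12], ct, nil)
	return err == nil
}

func main() {
	fmt.Printf("CFB after one-byte flip: %q\n", TamperCFB("hello world", 0x02)) // "jello world"
	fmt.Printf("GCM accepted flipped ciphertext: %v\n", TamperGCM("hello world", 0x02)) // false
}
```

Any receiver of the CFB stream sees a plausible but altered message, which is why a protocol needs a MAC or an AEAD mode rather than a bare stream cipher.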
Something like this (this is for OpenVPN): https://arstechnica.com/gadgets/2017/05/how-to-build-your-ow...
I currently have a pfSense router set up with Algo, but I have to disable the IPSec policy whenever I want to use Netflix. (Discussion here: https://github.com/trailofbits/algo/issues/292 - see comments near the bottom.)
Here is detailed tutorial https://forum.opnsense.org/index.php?topic=4979.0
Not sure if anyone else has had luck - all I was using Azure for was to test Algo out, so I had nothing else running on Azure at the time. I also ran into a few snags trying to deploy Algo onto Azure so haven't bothered trying to set it up elsewhere. My goal of the VPN was to get a JP address as a few sites I browse are easier to browse with a JP address (eg: I don't get forced bad English translations with no way to toggle to the JP version of the site because I'm coming from an American IP...)
We have many successful reports of using Azure for AlgoVPN. I would appreciate it very much if you could file an issue and include the full details of what happened, including any communications you received from Microsoft (https://github.com/trailofbits/algo/issues/new). I have contacts at Azure that I can escalate this issue to directly.
Thanks for extending a hand. I'll look for the email tomorrow - and if found - I'll open an issue. Though if you don't hear from me, it's because the email in all likelihood was deleted shortly after getting it. My use wasn't critical need, so I didn't particularly care to deal with the headache of getting things sorted.
I do work at MSFT but my algo VM is inside of my personal account.
Algo and Streisand have too many features, making them unwieldy.
Although I recognize IPsec is a widely supported protocol and suitable for this use case, did the readme intend to imply OpenVPN is risky?
https://github.com/trailofbits/algo/blob/master/docs/faq.md#...
I prefer this feature since I travel a lot and would like to have lower latency wherever I am.
They are friends of mine whom I know well so don't worry about one of my IP addresses being used to download child porn.
https://www.wireguard.com/install/#android-play-store-f-droi...
Here are some reasons you might want to self-host:
https://blog.trailofbits.com/2016/12/12/meet-algo-the-vpn-th...
Does it call OpenVPN a risky server? Why?
Found it https://github.com/trailofbits/algo/blob/master/docs/faq.md#...
https://www.mail-archive.com/cryptography@metzdowd.com/msg12...
Four of the seven listed are cloud providers that actively encourage censorship for the sake of their business model. At best, you would be a fool to run a personal VPN on them; at worst, the fact that support exists at all could be evidence that this software is in fact worse than OpenVPN or Tor in that it facilitates an obviously poor implementation.
Google and Microsoft both joined the PRISM program in 2009.
https://en.wikipedia.org/wiki/PRISM_(surveillance_program)#M...