The Changelog: Software Development, Open Source - Meet Algo, your personal VPN in the cloud (Interview)
Episode Date: January 20, 2020

The commercial VPN industry is a minefield to navigate and many open source solutions are a pain to use or ill-suited for the task. Algo VPN, on the other hand, is a self-hosted personal VPN designed for ease of deployment and security. It uses the securest industry standards, builds on rock-solid solutions like WireGuard and Ansible, and runs on an ever-growing list of cloud hosting providers. On this episode Dan Guido, CEO of security firm Trail of Bits and Algo's creator, joins Jerod to discuss the project in depth.
Transcript
Welcome back, everyone. This is the Changelog, where we feature the hackers, the leaders, and the innovators of the software world. I'm Jerod Santo, Managing Editor here at Changelog.
The commercial VPN industry is a minefield to navigate,
and many open-source solutions are a pain to use or ill-suited for the task.
Algo VPN, on the other hand, is a self-hosted personal VPN
designed for ease of deployment and security.
On this episode, Dan Guido, CEO of security firm Trail of Bits,
joins me to discuss the project in depth.
Here we go.
So Dan, we're here to talk about Algo, the VPN that works.
And before we do that, let's get to know you a little bit and how you became part of the
team that built Algo with Trail of Bits.
Tell us about yourself and tell us about your business.
Yeah, sure. So my name is Dan Guido. I'm the CEO and co-founder of Trail of Bits.
We are an eight-year-old software security research and development firm,
which means that we try to work on things that are unsolved problems in the field of computer security.
I founded the company with a few friends of mine back in 2012, and it's just grown iteratively, piece by piece,
over the last eight years. We started off doing a lot of research for the US government with DARPA.
We added on an engineering team that builds software on contract for people a few years back.
And now we have an assurance team that does code reviews for people that are building software
themselves. AlgoVPN really sits outside of all that. It's a little bit of a hobby project that I made
somewhere in those eight years that's kind of grown out of control and is now the most popular
project that we have on our GitHub. I did not expect that. It's funny how that happened. Yeah.
That's the tale with lots of open source software. Yeah, I knew I had a winner when we put it out
there. And you know, we don't really do any marketing behind it.
I just put out a blog post
and the number of likes on GitHub
just exploded to the point that,
you know, we produce software as a company.
So there are dozens and dozens of projects
that our company,
much more talented developers than me,
have released as open source.
But AlgoVPN kind of blows them all away
in terms of traffic,
in terms of stars, in terms of GitHub issues, like every metric I could imagine.
So it's kind of funny that me, the guy who writes about a page of code a year now,
is still sitting on top of the most popular project in the company.
Well, you struck a chord, and it's interesting with VPNs.
They're something that existed, I think, entirely in the land of nerds like us for
many years and have started to trickle out because of the mass need for security and privacy. VPNs
are now mainstream, sort of, in terms of the concept of VPNs. Now, I did read that you used
to teach a course at NYU on security. So you think educationally, how do you explain VPNs to neophytes? Like brand new, what's a VPN? How do you start there?
Yeah, sure. So funny you bring that up. Yes, I was an instructor at NYU for about seven years.
They made me into the hacker in residence at NYU for a while. Funny title. But I got to do a lot
of things there. I taught their capstone course and software exploitation for a while. I taught
about 300 kids
how to write exploits. That was fun. And then I tried to represent their program to other random
folks that could be students, that could be sponsors, that could be people that hired those
students for a long time. It was a really fun part of my career. But at some point, I kind of
grew out of it. I've lost touch with the kids these days.
So now I try to support people that are starting their own companies instead,
which is a little bit closer to my current experience.
There's other folks at Trail of Bits that do a lot of teaching still,
and I think it was really like a formative part of my past career.
I got a lot out of it, and certainly a lot in terms of how do you explain something
that people can understand when it's a complex topic like this one. The really easy analogy here
is that when you're talking to a website, and you're not going over a VPN, there's a chance
that what you're doing is you're kind of sending them a postcard. You've written some instructions
about, hey, you know, Comcast, please send me the contents of such
and such website, and you scribble it on the outside of a postcard, and you send it through
the mail system.
And as that postcard goes through the mail system, every single person that handles it
can read exactly what you requested.
Not only that, but on the other way, when it comes back, somebody can read the response.
That's open to abuse, and it has been abused by a lot of people.
Sometimes people pull out their own pen and scribble some extra stuff on the end of it.
Other people will tear off part of that postcard and send back only half of it. And then sometimes
people will be like, oh, this is going to Dan, and they'll strap, you know, a glitter bomb to it,
and then it'll show up at my house and I'll have to be cleaning it for weeks.
Right.
Yeah.
So a VPN is one way to ensure that at least part of that conversation you have
with a third party is stuffed inside of an envelope and not just any envelope,
but like,
you know,
a lock box,
like something like a safe,
like you're mailing a safe through the mail.
The other person you're speaking to doesn't have the key to it. Really, the person that has the
key is like somebody at the postal service. So that way, all the mail handlers, like the guy
who delivers your mail, your mailman can't read whatever you scribbled on that note now. But the
person at the United States Postal Service, like they can still open it up, they have to be able
to so they know where to send the contents of it.
So there's, you know, not complete protection,
but it's still pretty good.
It's much better than just sending postcards
to everybody all the time.
Yeah, protected in transit, definitely.
So that's a great, I think, analogy for laymen.
And I think probably equipping our audience
with ways of explaining these things
to friends and family, of course.
That being said, most of our listeners do know what VPNs are.
So in terms of like the conceptually how they are.
So if you go down the stack level and maybe get a little more technical
and describe a VPN to a developer who's not very security aware
or somebody, maybe your one-on-one students back when you were teaching at NYU,
get into the nitty gritty a little bit and explain how VPNs work.
Yeah, sure. I mean, it's just protecting data in transit.
So it's a lot like, you know, if you know how TLS works and SSL works,
it's pretty much the same sort of thing,
just at a different level of the OSI stack.
Here, you know, you're protecting individual packets
and not like a higher level like HTTP communication.
But we're using IPsec and we're using WireGuard inside of AlgoVPN.
In particular, we're using a suite of IPsec standards called IKEv2, which is the latest
version of that standard, as well as...
So WireGuard is itself the name of the code that implements the WireGuard protocol.
So it's kind of got a little bit of an overloaded term there, but that's fine.
But that's a brand new VPN protocol that was designed from scratch in the last year by somebody who actually knows what they're doing and isn't subject to a
huge design by committee kind of review like the IETF or the IEEE would put them through.
So this is your benevolent dictator for life kind of situation.
Who is that person?
Jason Donenfeld. He really knows what he's doing. And he's had the code and the protocol for it
reviewed by a lot of academics by a lot of software security professionals. And he's been
able to really whittle down the design to the minimum possible amount of code required to
implement it as well, but the minimum number of cryptographic components required to implement
it, which really is the kind of stuff that gets protocols like IPsec in trouble. But this is a whole other tangent. I mean, really, so let's
just talk about what AlgoVPN is. AlgoVPN is a way that you can gain access to these
industry standard VPN tools for yourself. So it's a set of Ansible scripts that spin up a personal VPN server that
is private to you and is hosted typically on a cloud provider for which Algo has built-in support
of like 10 or so different services. So you can just download this project, run the installation
script. It prompts you for about like five to 10 different questions. You type in the answers and then five minutes later, you have your own completely modern, absolutely secure VPN server that only
you can access, which means that it's going to be fast. It's going to be safe. You're going to be
aware of where all the traffic gets sent. And it's probably not going to get hacked.
There you go. I like that probably.
Qualifiers are important.
So let's talk about the VPN landscape.
So you just described what AlgoVPN, very important.
It's a self-hosted but cloud-enabled,
so you self-host it in terms of you're in control,
but you don't have to have your own hardware somewhere sitting on a network rack or a rack.
And yet the alternative to that is available commercial VPNs.
So in your announcement post, you mentioned this isn't a brand name project.
You wrote that announcement in December 2016.
So three years ago, Algo VPN was announced and still gaining steam.
In fact, I found it just a few months back.
I think people are continuing to find it as interest in VPNs continues to boom.
So there are commercial VPNs.
And one of the things that you say in there
is that they're all crap.
And you link to Ken White's gist,
which I'll also put in our show notes,
which goes through some of the pitfalls
with commercial VPNs.
And it's interesting because
there is a boom in VPN services right now.
I think it's somewhat an easy industry to get into.
And then it's also booming.
So there's competition.
I mean, you hear advertising all over podcasts and YouTubes,
NordVPN, ExpressVPN, PureVPN, TigerVPN.
The list goes on and on.
There's probably a dozen, maybe two dozen popular ones.
And they're all advertising or they're offering ease of use
and other things.
I'm sure they add their own features.
Why would you opt for a self-hosted, I have to worry about it myself, VPN like Algo
versus one of these commercial VPNs? Why are they all crap?
Yeah, sure. So a lot of these VPN services, you're right. The startup costs are pretty minimal. Like
you tomorrow could be running your own VPN service and hawking your wares on whatever Reddit subforum that these things are
popularly discovered on. The startup costs are like a dude with a server somewhere in Iraq and
an ability to make posts to Reddit or to Twitter and get like a fancy logo designed. So there's
the proliferation of hundreds of these services. You don't really
know who's running them. You don't really know what they're doing with the traffic. But hey,
they're going to shift your location and let you watch TV that you couldn't before. And that's the
general reason that people use VPNs, I think, is they're trying to get around content blocks,
usually for like geographically locked down media. So security isn't really top of mind, I think, for like 98% of the
people that are using VPNs. And the issue here is that you really do need to think about security
when you're using a VPN service. What is that person going to do with your traffic? Because
you're taking every single packet that comes out of your computer and handing it over to some guy
you've never met in a country that's not in yours,
that has a different set of laws that you might not be familiar with, that might not have the competence to actually run it. Like I could probably set up a VPN service, but I'm a super
conservative security professional. And I don't think I could do it right, at least not right now
and not with the resources I have today. So if I can't do it right, what makes you think that some
random dude out in Eastern Europe can?
So first off, there's this question of trust. Who are these people running the service and are they actually living up to whatever they say in their marketing? That's problem number one.
Problem number two is, do they have the competence to be running a complex network
service like this that requires ultimate security? Problem number three is they have this problem of
user support. You described the ease of use as a major factor in the proliferation of these services.
You have to support every device under the sun. Somebody's going to sign up with an Android phone
from five years ago, and it's going to have all these different weaknesses in its APIs and its SDKs.
And you still need to take that person's money and provide a service to them.
So how do you support that?
And that's what Ken White was really railing on.
And that gist was all these people have adopted the lowest common denominator for VPN protocols.
They've taken L2TP and IKEv1 and they have static passwords
and they have all these
poorly configured network services in order to support the largest number of people. Because
at the end of the day, you want to make as much money as you can. So the incentives aren't really
set up right to provide the highest security service. And then, I mean, number four is the
way that people find out about these is through marketing.
You have an inexperienced buyer.
As a buyer of a VPN service, it is not easy for me to investigate whether it's well-constructed.
So because you have this information disadvantage, there isn't really a good incentive for you to do your job well. So yeah, all these things combine in this perfect storm to make this very
shady industry of people that are willing to take, you know, a couple bucks and say, oh, yes, please
give us all your traffic. There's a funny little meme that I posted to the Algo VPN Twitter account.
It's a screenshot from Rick and Morty, where they're in the devil's little shop,
where he's selling them all these wares that perform,
you know, actions on Morty and Summer that like they don't expect. And I think the quote is,
you could say that you don't pay with money. Because a lot of the data that you send in there
just gets abused. And that's how they make up the cost. So end of rant. Does that all make sense
for why I'm a little bit skeptical of
these things? Yes, I'm with you on that. I understand that there's a lot of misaligned
incentives. I didn't think about it with regard to the lowest common denominator of security because
you want to service as many people as possible. So that's very interesting. I'm sure there are
some of these services which are doing the best they can and aren't some random person in Europe or wherever they happen to live. And
there's nothing wrong with Europe. But I definitely see where that is problematic. And I think where
it becomes an issue, especially for folks who aren't well-versed in these things, is how can
you tell which ones are worth their salt and which ones
aren't, especially when there's so many of them. And like you said, it's so easy to start up.
That being said, the entrepreneur in me and the one that likes to see these things is like,
it's a perfect market opportunity. I do like when people take something that is exclusive to
technical folks and can open it up to a broader user base and say, like, that's a business
opportunity. It's like, here's this thing, which is very useful. And whether you're using it to get access to
Disney Plus or you're using it to actually secure yourself when you're at a coffee shop and you
don't want people reading your email, it's a very useful service, but it was traditionally difficult
to acquire for people who aren't technical, and now we can all get access to it. I like that idea, but I understand how it ends up not so idealistic. I just cannot imagine how many VPN installations
that baby Yoda has driven in the last few weeks. But let's dive into that because, yeah, there are
some VPN service providers out there that are doing a good job and are doing their diligence
as good as one can do with those kinds of risks, right? Because no matter who
you are, if you're running a VPN service, you are painting a huge target on your back.
For sure.
That means there is one person who has stood up and said, I own the traffic for these
100,000, these million people, it all goes through the set of services that I own.
And that means that you become a target for hackers, you become a target for law enforcement,
and you can't make any mistakes because if you
make any of those like harebrained mistakes that people do when they manage technology equipment,
it might mean disclosing ultimately all the security of your users, including historical
content that they've sent through your network. The consequences for failure are kind of high.
So we're getting credit where credit's due. There's a woman named Yale who worked on a
review of VPN service providers for Wirecutter that is by far the best review that I've seen done.
I really appreciated that the way that she started that review was,
okay, the only people that are going to qualify for the Wirecutter review are the people that
have had professional security reviews. If you haven't had a professional security review,
get out. You're disqualified.
Because I think that's the minimum standard that these kinds of third party services need to meet in order to accept all of this potentially, like privacy sensitive information from hundreds of
thousands or millions of people. So like, there's huge variance in that, like, there's a lot of
people that are offering these no-log reviews, which I think are kind of janky and hard for me to trust. Obviously, a security review is a point-in-time
review. Somebody is going to get the keys to your production infrastructure, and they're going to go
pinball around looking for logs, like some truffle hog trying to sniff out the secret place where
you're backing everything up. And then maybe they don't find anything. And just because they didn't
find anything doesn't mean that you're not logging. And also, just because they didn't find
anything doesn't mean that the day after they leave, you don't just go and turn the logging
back on. So these no-log reviews are really, I don't think, very productive. On the other hand,
there's a different kind of review where you're doing a security architecture review. You're
looking like, hey, is this service defensible from attack? If somebody came in and stole the keys from one of
my system administrators, would it be possible for them to tap all of the network data that's
being sent through the VPN service? And that, I think, is far more productive because then you
get into a back-and-forth conversation with the VPN service provider and the engineers that work there around what changes they can make to further withstand external attacks or to further secure
their users data. That's, I think, a lot more impactful than these like no log audits, which I
think are close to meaningless. I swept up that Wirecutter review, the best VPN service for 2019,
put it in the show notes for those who are interested in at least saying what's out there and a review that you
can trust. It's interesting. You can't trust the services themselves. Sometimes you can't trust the
reviewers themselves. So now we have to trust you, Dan. Here's a guy who says this reviewer of these
kinds of services is good. And I guess our listeners can judge for themselves. Yeah. It's frustrating
because you're right. A lot of the review sites are actually driven by the marketing budgets
for all the VPN providers, right?
They pay for those reviews.
I know for a fact because I've participated in the Wirecutter one
that there was no payment involved.
On the other hand, a lot of people cite like there's, what is it,
that one privacy site or something where it tries to break down
every single technical specification whatsoever.
Hundreds of indicators, like 200 different feature comparisons that they use to try and
figure out what the difference is between all these different VPNs.
And really, it just boils down to three to five different features.
Did you get a security review?
That's a great one to start.
Are you using modern VPN software?
Have you been
compromised in the past? These are some things that are like, is the ownership of your company
known? Can I find out who it is? Because when you look into the details, there was a study done
earlier this year where they found that close to one third of the VPN services on the market
were secretly operated by firms in China. If you look at PIA, somebody found
out last, actually, I think it was Ken White found out last week that PIA is actually operated,
founded and operated by the same guy who ran Mt. Gox, the Bitcoin exchange that lost hundreds of
billions of dollars in Japan. Nobody knew that. So like, is that the guy that you want to be
giving all your traffic to? Like every packet that you send to the internet?
Probably not.
Okay, so you sold us on no commercial VPNs, or at least the only ones approved by the Wirecutter.
But you have AlgoVPN and we're all nerds and I can set up my own self-hosted cloud thingy.
So why did you build AlgoVPN and what inspired it in the first place?
So this is back in 2016 and I live in Brooklyn, New York City.
And my girlfriend, who I'm still with, took a job in Berlin for a year.
She was on contract with a large engineering firm and was going to write software for them from Berlin for
a year, which is great. It was a huge opportunity. I took it and I love Berlin. So I knew that I was
going to have fun traveling there. But on my very first flight there, I was on the plane right over
and I'm like, oh, shoot, I probably should get something to tunnel my traffic back home. Like,
is there a way I can send all my IP back through a server in my house, or DigitalOcean
has a data center in New York? Just so that it's a lot like home. And I found that this was a
lot harder to do than I expected in 2016. IPsec, especially services like StrongSwan and the other
services that implement those protocols are very difficult
to use. And there were some existing projects like the Streisand project was one that purport
to offer easier setup of these services. So I started with Streisand, I started to install it.
And while it was installing, it also installed about 40 different services that I wasn't really
aware that it was doing. It installed Tor. It had
all these weird listening ports on this Linux server that wasn't really configured to be
defensible. I didn't know if any of those services were getting patched. It created dozens and dozens
of keys, where now I'm just like, you know, I'm sure some listeners out there are in the position
where they've got like 1,000 two-factor auth keys, and they have no idea what to do with them when they get a new phone. This is the situation that I thought about
when this thing was spitting out keys at me. Like, what am I going to do with all this stuff? I need
to protect it somewhere. I need to rotate these keys every once in a while. Like, what are these
keys even good for? So I kind of panicked and I shut down the install right in the middle. I'm
like, ah, I can't do this.
And it was at that moment that I decided I would set up my own. So I dove into StrongSwan. I got a lot of help from some of the StrongSwan developers to come up with the ideal, the perfect
StrongSwan configuration for just a roaming laptop around the world. And that took a lot of work.
Like, I didn't want to support every protocol under the sun. I didn't want to enable a lot of these features that are more suited for enterprise use.
I really wanted the minimal configuration possible where there's only one way to do it right.
And then set that as the standard.
And that would be it.
So as I was building this up, I finally got it to work after a couple days after I landed in Berlin,
which was even funnier because I walk into the apartment
that this firm rented for my girlfriend,
and the TV is set to all Russian language channels,
and it has this really cheap Chinese router
that's already been set up with internet service.
She didn't know where it came from.
And you're thinking, I wish my VPN was already set up already.
Yeah, I should have had some forethought.
But I finally got it to work after
two or three days. And then I started to automate it. So I added some Ansible scripting around it.
That's a long time, two or three days. Oh, it was... I mean, that wasn't even, like, working well.
that was like, Oh, I can send a packet and then it dies, or it only works on, you know, this version
of Mac OS or whatever. And it took me a while to work out all the kinks.
But I just started wrapping more automation around it
until we got to this minimum viable product
of one simple Ansible script that set up a server
that was pretty vanilla.
Over time, it got a lot more complicated.
Like once I got it to work, I shared it with my company.
And then it became the standard VPN for anybody at Trail of Bits
when we go to travel.
And then everybody had feature requests.
So we started adding more code to it.
We started sandboxing every service inside of an AppArmor security policy.
We added some CPU accounting to make sure it was harder to exploit things like heap overflow or whatever.
So you would just get your process killed if it started to use up too much memory.
Was Ansible always just your
tool of choice and you just happened to be like,
I'm just going to write some Ansible scripts because that's what I do?
Or did you start off with a bash script and then you
graduated it? Was it just Ansible
from the start?
It was just Ansible from the start, I think.
Ansible is nice because there isn't a server component
to it. It's really just a thin wrapper
around SSH.
It's like a structured bash script, right?
Chef and Puppet, they have a lot more complexity involved
in building out infrastructure.
And I think today, if I was rebuilding this from scratch,
starting today, I'd probably be using Terraform.
But Ansible is still a great tool.
It's very simple.
It doesn't require any server-side components, which is nice.
That is nice.
I just know I personally wouldn't even reach for Ansible.
I would have just been writing bash scripts,
and I probably wouldn't have never packaged it up,
and it'd be just living on my computer.
So you took it a step farther than I would have.
I wonder if that's just the way you always do things,
or were you, I guess, your company, you were going to share it internally,
and so that probably required you to at least put it in Git
and get it out there and start collaborating
with people. Yeah, I mean,
if you're not using Ansible and you're just using
Bash, it's really hard to test that. It's
much more structured. You can find errors in your
code a lot more easily if you're using Ansible.
And there's also a set of reusable
components that we can rely on.
So it's possible for us to support
all the cloud providers we do because we use Ansible
and they have Ansible plugins for all of them.
I didn't have to invent the universe from scratch, which was nice.
That is nice.
Yeah, we've done Bash for a couple other projects that were one-offs,
but the bar for code that Trail of Bits puts out is pretty high.
We try, even for our hobby projects,
to meet a pretty good standard of quality whenever we release something.
It's got tests, the tests run in CI, that it's maintainable,
that it's easy to track down errors and debug things with it.
So that definitely, that approach shows up
in the way that we designed Algo VPN.
So let me tell you where you sold me in the intro blog post
is when you said that it only does the most secure thing
and that's just the only way that it works: it just does this one way. Like you said, you wanted one way to
do it, and it's just, this is how it works, and you don't have to, like, pick your cryptography or your
hashing, you know, any of the... I don't want any choices on those particular things. Yes, give me
customization on usability, but I remember distinctly, this was probably years ago now,
when I set up a stock Vanilla Nginx server for a customer or something,
and I went out and ran SSL labs against it or something.
And you accept, not insecure,
but deprecated old SSL and TLS versions.
And that means that your Nginx install is not hard
and it's not as secure as it could be.
And I remember thinking, why shouldn't
it just come out of the box doing the best thing?
I understand because of backwards compatibility,
and there's lots of reasons why that's like that,
or developer laziness, whatever it is.
And I'm a fan of Nginx.
This is just the way things are.
I support these 13
different handshakes.
But 12 of them shouldn't be used anymore.
What do you need them for?
Yeah, it's totally backwards.
Just pick the best one.
And like, we don't have to all think about it
because Dan and his team at Trail of Bits have thought about it.
And this is kind of an industry standard.
And it's just going to do that one way.
That's it.
Stop thinking about it.
I love that.
Yep.
Yeah.
No, choice is bad.
When it comes to cryptographic protocols, you don't want a choice.
You just want to have something that's safe all the time.
A lot of the history behind a lot of that choice comes from things like encryption regulations.
There used to be export ciphers that software built in the U.S.
had to weaken themselves to when it got exported outside the country.
So every single piece of software, like an IPSec VPN,
would have to have this configurable mode
where there was, like, actually good mode and then, like, crippled. Right. And then there's also this
huge design by committee, where the IETF standards for a lot of these protocols have various people
from different companies that all say, oh, I want my thing to do this, and I want my thing to do that,
and you have to kind of satisfy them all. But you look at, like, WireGuard. WireGuard does the same thing conceptually that AlgoVPN does, where it only supports one cryptographic protocol,
there's one suite of algorithms, you don't get a choice, you can't screw it up. So really,
AlgoVPN is made so that you can't screw it up. All the way to the point that like, once you create
the AlgoVPN server, all those keys that I mentioned that Streisand created for me, AlgoVPN
just takes them all and deletes them.
It's like, we just needed this to set up a server.
You're never going to log into this ever again.
So let's just make it
a black box that routes your traffic.
And you don't need to ever be able
to log into it. And that's the safest
way to do it, because if you can log
into it, that means other people might be able to log
into it, which means they could hack the box and they could change the configuration or they could grab logs
out of it or whatever. So why would you even want that feature? You know, it's really an anti-feature.
It's something that degrades the quality. Yeah. And that's the other thing that impressed me
about Algo when I first came across it is that you have a list of features and you also have a
list of anti-features
and you say these are things that we don't
do and it's not that we don't do them
because we don't care, we're incompetent
we don't do them because you shouldn't want these things
these are anti-features and so
it's a strong way of setting yourself apart
from other options as saying
these are things
that we don't do on purpose
is that something you do with all your software?
Where did that idea come from?
I'm going to list anti-features,
just because you're a very opinionated person.
This is a real security engineer building software approach.
Yeah, I think that's true.
Yeah, I'm thinking about this like I have a budget,
and there's only so many things that I can do.
First off, before I overwhelm the user,
already I mentioned there's about five to 10 questions you need to answer when you deploy
Algo VPN, I was always worried that was too much. And there's been certain features that we've
eliminated from Algo VPN, after we realized people didn't use them, and it made operating it too
complicated. But yeah, like, there are certain things, certain features that we could add to
Algo VPN that would compromise the ideals,
that would compromise the mission that it has, the values that it has.
Where like, you know, installing OpenVPN is a good example.
OpenVPN as client software has had tons of issues.
If you want to force your users to install client software, they have to patch that.
I don't want to make people patch anything.
This should be software you don't need to patch.
It should have enough defense in depth, and it should reuse existing components so that it's much lighter weight, which means I don't have to think about it as much.
We don't want to depend on TLS either, and OpenVPN does.
TLS has been riddled with all kinds of security issues,
a lot because you can negotiate those ciphers and negotiate the protocols
that you're using with TLS,
which OpenVPN inherits, right?
Like, what are we doing?
Like, this is a total shoehorn in the first place.
TLS is not made to be a VPN.
It operates in a totally different layer.
It's made to do something different.
Like, it was a poor fit to begin with.
We shouldn't be using it here.
And then, yeah, like the marketing,
really to differentiate ourselves from the VPN services, like there are things that a VPN can do.
And there are things that it can't. And what it can't is it can't prevent you from getting arrested by the FBI, as we've seen many, many times. But that's kind of how marketing works
for these people. They say anything, there's no repercussions about it. And a big part
of AlgoVPN is, I don't want to lie to anybody.
So unpack that for everybody.
It does not provide anonymity.
You think it does,
but there's no onion routing
or anything in a VPN. It's still,
you go ahead and explain it.
Why do people get that wrong, or what are people promising?
That this is a completely
anonymous thing? Is it because they're sending your traffic through a third party IP address?
Is that the deal? The simplest way to describe it is not even in technical terms at all.
All you have to do is look empirically at how many people have been arrested that have used VPN
services. And there's quite a long list. Like the FBI has put out indictment after indictment of
people doing really evil things that were using a VPN to hide their activity, and it turned out that wasn't a big deal for them to
get around. You can send national security letters, you can get a lawfully ordered subpoena, you can
modify the software that runs inside of a VPN service provider to collect logs even when it
didn't before, which is why I said those no-log audits aren't really sufficient to prove anything to me. So, like, empirically, if you are doing bad things on the internet and it catches the
attention of the FBI, they're going to sit and wait and plot for months or years until
they have the success they need to find you and arrest you.
So it's also a full spectrum activity.
Like, it doesn't just have to be
the VPN that screws up,
right? A lot of people that were operating,
say, Tor hidden services,
like, were discovered by
law enforcement services, not because
of any flaw in Tor,
but a flaw in the way they operated the service.
Like, a flaw in how they set up
their server.
They left some HTTP header turned on on their Apache,
and Apache had a virtual host that was serving on their internet ETH config instead of their Tor config, and then you could find the real address,
and then you could go track down who owned it, that kind of stuff.
And that's exactly how VPN services shoot themselves in the foot too.
Like, let me see,
NordVPN getting hacked last year
or who's the other one?
There was another one.
I have like a note here about it.
Whatever.
Yeah, there are a couple of different VPN services
that are all like completely compromised
end to end by some kid probably
in the last few months that got access to their data center and started, you know,
rebooting machines and getting super user access to all of them and just
digging through files.
It's interesting. There's a couple of kinds of trouble.
There's the kind of trouble where you're in trouble,
but you know you're in trouble, you know?
And then there's the kind where you think you're not in trouble.
And so now you're, now you're brazen and bold and you actually are.
And then you find out.
Ignorance is not bliss in this case.
And so if you think you're anonymous and you're being promised anonymity by somebody or maybe you set it up yourself, like you said, and you're assuming anonymity, well, now you can get yourself in all sorts of trouble because you assume that to be the case and it's not true.
So this happens, I think, a lot.
I think that Greg has a really good quote here.
There's a tweet he made.
I think it was something along the lines of like,
no one is going to go to jail for your $5 a month
quote-unquote logless VPN service.
If it comes down to the operator of that service
having to spend 10 years in prison
versus handing over the details, yeah, sorry, man, it's not going to work.
But yeah, that's just the thing. When somebody like that, whether it's the NSA, the CIA, the FBI,
the FSB, whoever it is, if they've got their sights set on you, that VPN is not going to be...
You need to think about this more holistically if you're an actual target of
attackers like that. But luckily, you know what? Most people aren't.
Most people are using VPNs to access TV.
So you shouldn't be selling out all your internet traffic to some random dude
so that you can watch Disney Plus.
If you like this show, I bet you'd enjoy listening to Brain Science.
Join clinical psychologist Mireille Reece and Adam Stacoviak as they explore the inner workings of the human brain to understand behavior change, habit formation, mental health, and being human.
Here's a quick taste of what you can expect. It's from episode four about coping skills and strategies. Take a listen.
I often use this acronym with people when they're trying to cope because, and it's HALT,
H-A-L-T, HALT. Because if we are hungry, angry, lonely, or tired,
your coping will invariably look different.
I don't care if you're three, 33, 73.
Right.
If you are hungry or hangry, angry, lonely, or tired,
you just have less to be able to navigate it.
Brain Science is a great podcast.
Check it out at changelog.com slash
brain science or just search brain science in Apple Podcasts, Spotify, or your favorite podcast
directory. You'll find it. While you're at it, upgrade to our master feed at changelog.com slash
master and let your podcast app download all the shows we produce. Then you can pick and choose
the ones you're interested in the most and skip the rest. What have you got to lose? All right,
back to the show.
So briefly walk us through setting up the Algo server today.
What do you do?
What does it do?
What don't you have to do?
And then we'll talk about running as a client and we'll kind of go from there.
But how do you just get it going?
It's an Ansible script, so I'm assuming it's Python.
Get some Python on your machine and run it.
Yeah, pretty much.
We wrote the readme so that it is simple enough
that if you can open a terminal and copy and paste
what's in the readme into the terminal,
then you can set up Algo VPN.
Basically, at a high level, the steps include, on Mac or Linux,
or Windows if you have Windows Subsystem for Linux:
You download one of the releases, you unzip it, you CD into the directory,
and then you install some dependencies, Python if you don't have it,
and then you just run the install script.
Once you have those dependencies, it'll just work.
The install script will ask you some questions like,
what do you want to name the server?
You have to give it a name.
It has a default name, you can just press enter.
You have to give it an API key.
And that means for one cloud service that you'd like to deploy it to,
you need to go log into that cloud service with your account there
and then grab an API key from that service
that lets the Ansible scripts do things to it.
So now with that API key, Ansible and AlgoVPN will start up a server,
add the VPN software to it, generate the keys needed on your local machine,
send those keys over to the remote server, and then lock the whole thing down.
And locking it down means a lot of things.
It means
setting up AppArmor policies for each service. It means reconfiguring a couple of Linux defaults
to be a little bit more secure, changing some file permissions in places and kernel parameters
in places, setting CPU accounting to make sure that certain services can't run out of control.
And then at the end of it, it prints out a congratulations message that says,
you've got a new personal VPN, and here's the key for it.
At the end of that message, now you've got a bunch of files that are like
pre-configured profiles for the VPN users that you wanted to create.
So those profiles are things like an Apple profile.
So if you have an iPhone, you can take an Apple profile,
send it over to your iPhone,
and then now you've got your VPN on your iPhone.
We usually suggest people airdrop those because that's kind of an encrypted local communication
between you and your desktop.
It also has WireGuard profiles.
WireGuard profiles are cool because they're QR codes.
So you don't have to airdrop anything.
You can just take your phone,
hold it up to the screen and scan it.
And then you've got your configured WireGuard VPN on your phone.
WireGuard is a third-party thing on iOS?
Is it part of iOS?
So with WireGuard, you'd have to download an app.
And there's apps in the Android App Store and the iPhone App Store.
And there's also the Mac App Store.
It's got support for pretty much everything these days, including Windows.
Okay.
But you said the other option of airdropping a config,
that's without a third-party app, or you still need WireGuard?
That's right. That's with IPsec.
And IPsec is built into...
Gotcha.
So when we were originally developing AlgoVPN,
we ran into a lot of complexity
getting random operating systems
to support the best version of IPsec.
In particular, Windows just had some weird rough edges
where they didn't actually support the protocols
and the cipher suites that we really wanted them to.
So we had to have all these weird corner cases for it.
Android, too.
Android, for years, has been hobbled
by a really bad VPN implementation
that comes stock with Android.
And there wasn't any way to work around it.
Android, as an operating system,
backed themselves into a technical corner
where they could only support IKEv1
and where they could only support
certain cipher suites that we didn't want to use.
So as WireGuard has matured,
it's been able to circumvent
all of these problems
on all the different platforms
that we'd like to support
so that you can just download the WireGuard app on every platform and it'll just work.
And as we mentioned before, there's no real way to configure WireGuard.
It either works or it doesn't.
So that makes it pretty easy.
But yeah, and since WireGuard is built as defensible software,
it's got very little code that implements it.
The chances that there are catastrophic bugs in it are pretty small.
So we're comfortable doing that.
Is WireGuard itself open source?
Yes, the protocol is openly documented.
It's been reviewed by academics.
There's some formal verification on top of the cryptography.
The code itself is open source,
and a lot of it's being upstreamed to Linux right now.
So the current version of Linux that's in development right now has had WireGuard
merged into it, which means that a few months from now, it'll actually be included by default
on every Linux system out there, which is amazing.
Wow. Because I would like to make it
even easier to use. That'll be one way to do that.
But yeah, so once you get that QR code for WireGuard, you scan it, now you've got your VPN. For me, like, now you've got the
VM up in DigitalOcean or AWS or whatever that's routing all your traffic. From time to time we
enhance the way that our VPN works. You don't update Algo VPN. Like, there's no kind of,
how do I upgrade
from version 2
to version 3?
You don't.
I was going to ask you that.
Yeah.
You just blow up
the server.
I like that answer.
Okay.
Yeah.
Like,
just throw it out.
There's absolutely
no reason to maintain this.
You just destroy the server
and you start it up again.
And the new version
will have,
you know,
any enhancements
that we made.
So then you just reprovision whatever you configure
or the thing on your devices and you're good to go.
The first time you use Algo VPN,
it might be like 10, 20 minutes
to really learn what it expects and how to use it.
But then subsequent redeployments
are really just going to be muscle memory.
You're just going to open up that zip file again,
run through the commands, press enter. It'll take two to three minutes end to end, and you'll have a new fresh
server. So I do that about once a month. If I'm going to a new, taking a new vacation out to
Berlin or whatever, maybe I'll deploy a new one. But in general, I don't worry about it too much.
We're not adding massive new features.
I was gonna say, like, how much churn is there on the Algo software? It seems like there can't be that many new things that I'm gonna have to snatch up and use.
It's not a lot. A lot of it is support for new cloud providers. Sometimes we tighten the constraints
on the AppArmor policies or the CPU accounting. You know, we'll update some dependencies now and
then. But again, even if there's some kind of exploitable bug in StrongSwan,
like a remotely exploitable bug in the VPN service
that's on the Algo VPN server,
you're going to have a lot of...
You'll have to get through the AppArmor sandbox.
You'll have to avoid tripping the CPU accounting.
You'll have to get out of all the Linux security controls
that we tightened around it. And then you're on
this box where there's
literally nothing else running.
So it's kind of
a difficult environment for somebody
to successfully attack. The need
to patch the day
something like that comes out, and nothing like that has ever
come out, because finding remotely exploitable
bugs in services like
StrongSwan is kind of, uh,
like mining for diamonds nowadays. It's really, really difficult.
You should add this to your list of anti-features: there's no upgrade path.
Yeah, yeah.
You know, when it comes to self-hosted software, I mean, even for technically minded folks who understand all the
implications, they're like, well, do I actually want to run yet another thing? Because I have all these little self-hosted things that I run. The
question is always, how much maintenance is this going to require? How many times
are you going to have to SSH in and fix a thing or reboot a thing or upgrade a thing? And the upgrade path
is often painful. As somebody who's run a lot of services just for myself or small teams over the years,
it can become where you're like,
oh, not another upgrade.
Like, stop working on your software.
But it's kind of nice if you're like,
well, this is the kind of thing
that you just blow it away and start over.
No big deal.
It's like, okay, that's an anti-feature that I like.
There is Ubuntu auto-updates turned on,
and that's configurable.
If you want to turn that off, that's fine.
Some people may perceive risk in,
well, what happens if somebody sends down
a Trojan software update
and somebody's backdoored WireGuard or whatever,
and now instead of protecting my keys,
it tarballs my keys and sends them out to a remote server.
And stuff like that has happened.
I think the Bitcoin community, the Python community, the NPM community, RubyGems as well,
all of these package managers have at some point had typo-squatted dependencies.
They've had developers that had their accounts compromised and malicious packages uploaded.
Chrome extensions, too, are pretty popular for attacks like this.
That's another reason why we wanted to limit the software on AlgoVPN to the minimum possible, because I don't want to inherit
all that supply chain risk.
Yeah, there's no need to be running software that you don't need, right?
Or to be updating software that you're not using,
because it's supposed to do one thing, do that well, do nothing else.
I mean, that's sound security practice right there, for sure.
Yeah, but you're right.
It is supposed to be very easy.
So that's our thing about running this for other people.
So I did notice it's multi-user and you start to think, okay, well, I'm savvy enough that
I can get Python 3 on my machine and run this, but I would like to run it for my girlfriend
or my wife or my friends or my mom and dad.
And that seems like something that's totally feasible,
especially if you can just get them to download WireGuard
and then send them this QR code and say, boom, here's your QR code.
You're all set. You're on a VPN.
Is it as simple as that to get multiple people up and using it?
Yeah, there's a config file in Algo VPN,
and you just add however many users you want to a list.
Out of the box, it comes pre-configured with two users,
Dan and Jack.
Jack is my co-developer.
Dan, you're trying to hack your way into all of our VPNs, man.
Come on.
It's just the username.
I don't actually have any private keys.
Those are all generated on demand.
But yeah, so Dan and Jack are the default accounts.
But you would just add, you know,
Michelle, Alicia, Lauren, whatever, to your list of users,
save that file, and then when you deploy your Algo VPN,
it'll have all those accounts built in.
So you want to, as a rule, generate one account for every device.
You actually don't want to generate accounts for people.
So you want a different one for your phone,
a different one for your laptop, a different one for your desktop.
So it doesn't hurt to generate extra.
You can always just make 20 of them and hand them out
as you encounter people that you would like to add to your VPN server.
But because AlgoVPN really requires no maintenance,
you could do this over Thanksgiving or over Christmas break or whatever.
And you're probably not going to have to touch that server until next Christmas.
Because that's the challenge. Like once you get somebody to install it, it's usually a lot harder to talk to your parents and tell them to like, oh, you have to go delete this profile and uninstall
this software. Right. All of a sudden the no upgrade path becomes a headache because you have
to basically reprovision every device if you do update the software.
Exactly. Yeah. So really, like, for people like that, you know, a once-a-year upgrade cycle, when you actually see them in person over the holidays, is kind of a reasonable approach.
there in terms of your bandwidth? Because maybe I give it to my friend Sally and she lives somewhere that can't
get Disney Plus. And so she's using my VPN,
she's using it for Disney Plus and she just can't get enough Baby Yoda.
Am I going to get my DigitalOcean bandwidth just exploded, or what's going to
happen?
Probably not. So in terms of bandwidth accounting,
like there's a lot of services out there that offer a flat rate.
Amazon LightSail and DigitalOcean both have these flat $5 a month plans that make them really easy to predict how much it's going to cost you to run them.
On the other hand, the concern that you might have is,
well, if they're using all the bandwidth to torrent the latest season of Silicon Valley
or whatever it might be, am I going to have enough bandwidth?
Am I going to suffer by sharing a VPN service with them?
And overwhelmingly, the answer is going to be no.
Like the amount of bandwidth that's provisioned to a single virtual instance of a Ubuntu server
in a service like DigitalOcean or Amazon is just enormous.
So I see, you know, I have gigabit fiber at home.
I'm calling you from a Fios connection, where I routinely, you know, without a VPN, get like 900, 950 megabits per second.
And that isn't really slowed down when I'm running a VPN, my upstream to the internet,
even though it's tunneling through one of those cloud services, really does not see a whole lot
of slowdown at all. So you know, I don't anticipate that somebody out there is going to be completely saturating
a 500 megabit link 24/7.
And if they are, then I actually probably would use that to start a conversation with
them.
Yeah, it's time to have a conversation.
Yeah.
Cool, Dan.
Well, thanks so much for joining us today.
Thanks for algo.
I'm definitely going to give this a try and get it set up.
And it looks very useful.
And I like a lot of the opinions you have here
and the way you've gone about this, I think is sound.
I think there's no doubt why it's becoming
the most recommended self-hosted VPN out there.
So keep up the good work.
How can people contact you?
How can they get involved?
We'll have, of course, all the links
to the different things we mentioned in the show notes.
And Algo is on GitHub, trailofbits.com.
So that will also be in the show notes.
But what are some waypoints where people can get involved
either in the software or in Trail of Bits
or other things you're up to?
I know you have other projects as well.
Yeah.
So Trail of Bits, we do a ton of outreach,
really try to put out code that people want to
use. Algo VPN is just one of the more accessible ones. Our GitHub is filled with projects that
people should look at. There's some really nice and easy ones like TWA, the tiny website auditor
that helps you review the security of various websites that you're on, or various fuzzers and
tools like KRF, our kernel syscall fuzzer.
But you can keep up with us on Twitter, Trail of Bits.
I'm personally dguido on Twitter.
We have a mailing list on MailChimp that's always pinned to the top of our Twitter.
Very low volume.
Every other week summarizes all the cool stuff that we do.
And we also do a lot of engagement with the open source community.
So we just wrapped up some projects
with the Python Software Foundation
to help them add two-factor authentication to PyPI
so that when you get those packages,
hopefully they're not backdoored,
because all the people using PyPI now
can use WebAuthn and TOTP tokens
to secure their accounts.
So if you're in the position
where you need somebody to add security features
to your software,
you should definitely talk to us
because we'd love to help you.
Very cool.
Well, as I said,
links in the notes.
You all know where the notes are.
That's our show.
Dan, thanks again.
It's been a lot of fun.
Yeah, thanks for having me.
All right.
Thank you for tuning
into The Changelog.
If you aren't subscribed
to our weekly newsletter,
you're missing out on what's moving and shaking in software and why it's important.
Hate email newsletters? Fun fact.
KillTheNewsletter.com was created by someone just like you
who wanted Changelog Weekly so bad,
they wrote a program to subscribe on their behalf.
And of course, it's 100% free.
Fight your FOMO at ChangeLog.com slash weekly.
When we need music, we summon the beat freak, Breakmaster Cylinder.
Our sponsors are awesome.
Support them, they support us.
We've got Fastly on bandwidth,
Linode on hosting,
and Rollbar on mugs.
Thanks again for listening.
We'll talk to you next time. Thank you. Bye.