7 comments

[ 3.3 ms ] story [ 22.9 ms ] thread
This still seems too difficult for the average person who isn't a sysadmin, but still wants to protect their privacy. Python? Virtualenv? Config files? Ugh. My ideal VPN appliance would be a minimal Busybox-based disk image that updates using A/B partitions and has a nice web UI. It lets you set basic things like the hostname, time, admin password, and then regenerates all of /etc. A cross-platform GUI setup wizard uploads the disk image to a VPS provider, you get back a URL for the web UI with clear client setup instructions, and that's it. If an update becomes available, you click a button, it downloads the new image to the idle partition, modifies the GRUB config to boot from it, and restarts. Done.
I read your comment a week ago and fully agreed that I wanted something similar. So I built this: https://github.com/dan-v/dosxvpn

* It is an OSX packaged app that launches a GUI wizard and deploys to digitalocean, auto configures VPN on OSX, and spits out a mobileconfig file.

* It is based on CoreOS (not busybox) but it set to auto update the OS using A/B partitions.

* VPN docker image running on droplet is also configured to auto update

Excellent reading about why you should consider Algo, the ideas behind it, and why commercial VPNs don't do what you hope:

https://blog.trailofbits.com/2016/12/12/meet-algo-the-vpn-th...

Note that Algo is designed by security professionals, is recommended by some you may have heard of FWIW (grugq, Kenn White, more), and is careful about what it claims to do:

* "Does not claim to provide anonymity or censorship avoidance"

* "Does not claim to protect you from the FSB, MSS, DGSE, or FSM"

Thanks for the support! Really cool to see a project of mine up on the front page of Hacker News.
Setting up IPSec on OpenBSD is much, much easier than on Linux. IKEv2 setup is two lines in /etc/iked.conf:

  user "someuser" "somepassword"

  ikev2 "roaming" passive esp \
    from 0.0.0.0/0 to 192.168.1.128/25 peer any \
    ikesa auth hmac-sha2-512 enc aes-128 prf hmac-sha2-512 group modp2048 \
    childsa enc aes-128-gcm group modp2048 \
    eap "mschap-v2" \
    config address 192.168.1.128/25 \
    config name-server 192.168.1.1
Then setting up NAT is as simple as this one-liner in /etc/pf.conf:

  pass out on egress from 192.168.1.128/25 to any nat-to egress
Using IKEv1 instead of IKEv2 is just as easy (one-liner in /etc/ipsec.conf), except you also have to configure L2TP. That's also very simple.

The Linux IPSec stack is just... incomparable.....

(comment deleted)