Meet Algo, the VPN that works

I think you’ll agree when I say: there’s no VPN option on the market designed with equal emphasis on security and ease of use.
That changes now.
Today we’re introducing Algo, a self-hosted personal VPN server designed for ease of deployment and security. Algo automatically deploys an on-demand VPN service in the cloud that is not shared with other users, relies on only modern protocols and ciphers, and includes only the minimal software you need.
And it’s free.
For anyone who is privacy conscious, travels for work frequently, or can’t afford a dedicated IT department, this one’s for you.



Don’t bother with commercial VPNs


They’re crap.
Really, the paid-for services are just commercial honeypots. If an attacker can compromise a VPN provider, they can monitor a whole lot of sensitive data.
Paid-for VPNs tend to be insecure: they share keys, their weak cryptography gives a false sense of security, and they require you to trust their operators.
Even if you’re not doing anything wrong, you could be sharing the same endpoint with someone who is. In that case, your network traffic will be analyzed when law enforcement seizes that endpoint.


Streisand is no better

Good concept. Poor implementation.
It installs ~40 services, including numerous remote access services, a Tor relay node, and out-of-date software. It leaves you with dozens of keys to manage and it allows weak crypto.
That’s a hefty footprint and it’s too complicated for any reasonable person to secure. If you set up an individual server just for yourself, you’d never know if or when an attacker compromised it.


OpenVPN: Requires client software

OpenVPN’s lack of out-of-the-box client support on any major desktop or mobile operating system introduces unnecessary complexity. The user experience suffers.
Speaking of users, they’re required to update and maintain this software too. That is a recipe for disaster.
Worst of all, OpenVPN depends on the security of TLS, both the protocol and its implementations. Between that and past security incidents, we simply trust it less.


Other VPNs’ S/WAN song

The original attempt at free VPN software, FreeS/WAN, died in the early 2000s when its dev team fractured. Three people forked it into Libreswan, strongSwan and Openswan.
To use any of them today, you need something approaching tribal knowledge. The available documentation stymied and appalled us:
  • Little differentiation – If you search for information about strongSwan’s configuration, you could easily end up at a Libreswan page. The terms will look familiar, but the instructions will be wrong.
  • Impenetrable language – Instead of using standard terms like ‘client, server, remote and local,’ they use ‘sun, moon, bob, carol,’ and a bunch of other arbitrary words.
  • Brittle methodology – The vast majority of documentation and guides insist on using ‘tried and true’ methods such as L2TP and IKEv1, even though IKEv2 is simpler and stronger. Since Apple added IKEv2 to iOS 8, there’s no reason not to use it.


Only the strongest S/WAN survived

After wading through the convoluted quagmire that is the S/WAN triplets, we settled on strongSwan.
Its documentation, such as it is, is the best of the bunch. It was rewritten recently from scratch to support IKEv2 (a positive step when supporting a major new protocol version). It’s the only IPsec software that even offers the option for a trusted key store.
And the community is helpful. Special thanks to Thermi.
But it’s still super-complicated. Too many contributors made it very arcane. Again, you need that tribal knowledge to make IPsec do what you want.
These are examples of why cryptography software has a well-earned reputation for poor usability. A tightly knit development community only communicating with itself tends to lead to a profusion of options that should be deprecated. There’s no sign that the user interface or experience has been reviewed on behalf of less-experienced users. For anyone bold enough to consider these points, here lies the path to widespread adoption.
