# Algo VPN — Automated Personal VPN Deployment on Any Cloud

> Algo sets up a personal WireGuard and IPsec VPN on any cloud provider in minutes using Ansible. Ideal for developers and teams who want disposable, self-hosted VPN servers without manual configuration.

## Install

Save as a script file and run:

## Quick Use

```bash
# Fetch the Algo playbooks
git clone https://github.com/trailofbits/algo.git
cd algo

# Create and activate an isolated Python environment
python3 -m virtualenv --python="$(command -v python3)" .env
source .env/bin/activate

# Install the dependencies into the virtualenv
python3 -m pip install -U pip virtualenv
python3 -m pip install -r requirements.txt

# Run the deployment script
./algo
```

## Introduction

Algo is a set of Ansible scripts that simplify deploying a personal VPN server. Created by Trail of Bits, it focuses on security defaults and minimal attack surface rather than being a general-purpose VPN platform.

## What Algo Does

- Deploys WireGuard and IPsec VPN to DigitalOcean, AWS, Azure, GCP, Hetzner, Vultr, or local servers
- Generates per-user configuration profiles for all major operating systems
- Sets up an on-demand VPN that only activates when needed, reducing cloud costs
- Blocks DNS ads using a local DNS resolver with configurable blocklists
- Supports adding and revoking users without redeploying the server

## Architecture Overview

Algo uses Ansible playbooks to provision a fresh cloud VM, install WireGuard (primary) and strongSwan (IPsec fallback), configure unbound as a local DNS resolver, and generate client profiles. The entire stack runs on a single lightweight VM with no persistent state beyond user keys.

## Self-Hosting & Configuration

- Requires Python 3.10+ and Ansible; all dependencies install into a virtualenv
- Cloud API keys are provided interactively or via environment variables during deployment
- User list is defined in `config.cfg` before running `./algo`
- Supports SSH tunneling and local installation for on-premises hardware
- Re-running Algo on the same server updates users without full redeployment

## Key Features

- Zero-knowledge DNS: local unbound resolver means DNS queries never leave the VPN
- WireGuard-first design with IPsec fallback for devices that lack WireGuard support
- Apple Configurator and mobileconfig profiles for easy iOS/macOS onboarding
- Hardened security: automatically configures SSH key-only access and firewall rules
- Disposable by design: deploy, use, tear down, and redeploy in minutes

## Comparison with Similar Tools

- **Outline VPN** — GUI-focused, Shadowsocks-based; Algo uses WireGuard and targets Ansible-comfortable users
- **PiVPN** — single-server installer for Raspberry Pi; Algo supports multi-cloud provisioning
- **Streisand** — archived predecessor; Algo is its maintained spiritual successor
- **Tailscale** — mesh VPN with a coordination server; Algo is a traditional hub-and-spoke self-hosted VPN
- **WireGuard directly** — Algo automates what you would otherwise configure by hand

## FAQ

**Q: Does Algo require a dedicated server?**
A: Yes, Algo expects a fresh Ubuntu VM. It configures the entire system and should not share the host with other services.

**Q: Can I add users after initial deployment?**
A: Yes. Edit `config.cfg`, then run `./algo update-users` to add or revoke users without redeploying.

**Q: Which cloud provider is recommended?**
A: Any supported provider works. DigitalOcean and Vultr are popular for low-cost, quick deployments.

**Q: Does Algo support split tunneling?**
A: Yes. WireGuard profiles can be configured for full tunnel or split tunnel depending on client settings.

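A check for the split-tunnel and DNS points above, as an added example that is not Algo's own code: it parses a WireGuard client profile, classifies it as full or split tunnel from `AllowedIPs`, and lists any `DNS` server that `AllowedIPs` does not cover, since queries to such a server are routed outside the tunnel. The profile text, keys, addresses and the names `parse_profile` and `audit_profile` are constructed for illustration.

```python
import ipaddress

# Constructed split-tunnel profile; keys and addresses are placeholders, not Algo output.
SPLIT_PROFILE = """\
[Interface]
PrivateKey = PLACEHOLDER_CLIENT_KEY=
Address = 10.8.0.2/32
DNS = 10.9.0.1

[Peer]
PublicKey = PLACEHOLDER_SERVER_KEY=
AllowedIPs = 10.8.0.0/24
Endpoint = 203.0.113.10:51820
"""
FULL_PROFILE = SPLIT_PROFILE.replace("10.8.0.0/24", "0.0.0.0/0, ::/0")


def parse_profile(text):
    """Parse wg-quick INI text into {section: {key: [values]}} (one [Peer] assumed)."""
    sections, current = {}, None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if line.startswith("[") and line.endswith("]"):
            current = sections.setdefault(line[1:-1].lower(), {})
        elif "=" in line and current is not None:
            key, value = (part.strip() for part in line.split("=", 1))
            items = [v.strip() for v in value.split(",") if v.strip()]
            current.setdefault(key.lower(), []).extend(items)
    return sections


def audit_profile(text):
    """Classify the tunnel mode and list DNS servers not routed through the tunnel."""
    cfg = parse_profile(text)
    allowed = [ipaddress.ip_network(n, strict=False)
               for n in cfg.get("peer", {}).get("allowedips", [])]
    v4_all = any(n.version == 4 and n.prefixlen == 0 for n in allowed)
    v6_all = any(n.version == 6 and n.prefixlen == 0 for n in allowed)
    mode = "full" if v4_all and v6_all else "full-ipv4-only" if v4_all else "split"
    outside = []
    for entry in cfg.get("interface", {}).get("dns", []):
        try:
            addr = ipaddress.ip_address(entry)
        except ValueError:
            continue  # wg-quick treats non-IP entries as search domains
        if not any(addr in net for net in allowed):
            outside.append(entry)
    return {"mode": mode, "dns_outside_tunnel": outside}
```

Call `audit_profile()` on the text of a generated client `.conf`; a `full-ipv4-only` result means IPv6 traffic is not routed through the tunnel.
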
## Sources

- https://github.com/trailofbits/algo
- https://trailofbits.github.io/algo/

---

Source: https://tokrepo.com/en/workflows/asset-239a5ad2
Author: Script Depot