Scripts · May 27, 2026 · 1 min read

Algo VPN — Automated Personal VPN Deployment on Any Cloud

Algo sets up a personal WireGuard and IPsec VPN on any cloud provider in minutes using Ansible. Ideal for developers and teams who want disposable, self-hosted VPN servers without manual configuration.

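Agent ready

Agent can install directly

This asset is installable; the agent first selects the current runtime, checks the install plan, then runs the matching command.

Native · 98/100 · Policy: Allow
Agent entry: Any MCP/CLI Agent
Type: Skill
Install: Single
Trust level: Established
Entry: Algo VPN Overview
Direct install command:
npx -y tokrepo@latest install 239a5ad2-5983-11f1-9bc6-00163e2b0d79 --target codex

Dry-run first to confirm the install plan, then run this command.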

Introduction

Algo is a set of Ansible scripts that simplify deploying a personal VPN server. Created by Trail of Bits, it focuses on security defaults and minimal attack surface rather than being a general-purpose VPN platform.

What Algo Does

  • Deploys WireGuard and IPsec VPN to DigitalOcean, AWS, Azure, GCP, Hetzner, Vultr, or local servers
  • Generates per-user configuration profiles for all major operating systems
  • Sets up an on-demand VPN that only activates when needed, reducing cloud costs
  • Blocks ads at the DNS level using a local DNS resolver with configurable blocklists
  • Supports adding and revoking users without redeploying the server

Architecture Overview

Algo uses Ansible playbooks to provision a fresh cloud VM, install WireGuard (primary) and strongSwan (IPsec fallback), configure unbound as a local DNS resolver, and generate client profiles. The entire stack runs on a single lightweight VM with no persistent state beyond user keys.

Self-Hosting & Configuration

  • Requires Python 3.10+ and Ansible; all dependencies install into a virtualenv
  • Cloud API keys are provided interactively or via environment variables during deployment
  • User list is defined in config.cfg before running ./algo
  • Supports SSH tunneling and local installation for on-premises hardware
  • Re-running Algo on the same server updates users without full redeployment

Key Features

  • Zero-knowledge DNS: local unbound resolver means DNS queries never leave the VPN
  • WireGuard-first design with IPsec fallback for devices that lack WireGuard support
  • Apple Configurator and mobileconfig profiles for easy iOS/macOS onboarding
  • Hardened security: automatically configures SSH key-only access and firewall rules
  • Disposable by design: deploy, use, tear down, and redeploy in minutes

Comparison with Similar Tools

  • Outline VPN — GUI-focused, Shadowsocks-based; Algo uses WireGuard and targets Ansible-comfortable users
  • PiVPN — single-server installer for Raspberry Pi; Algo supports multi-cloud provisioning
  • Streisand — archived predecessor; Algo is its maintained spiritual successor
  • Tailscale — mesh VPN with a coordination server; Algo is a traditional hub-and-spoke self-hosted VPN
  • WireGuard directly — Algo automates what you would otherwise configure by hand

FAQ

Q: Does Algo require a dedicated server? A: Yes, Algo expects a fresh Ubuntu VM. It configures the entire system and should not share the host with other services.

Q: Can I add users after initial deployment? A: Yes. Edit config.cfg, then run ./algo update-users to add or revoke users without redeploying.

Q: Which cloud provider is recommended? A: Any supported provider works. DigitalOcean and Vultr are popular for low-cost, quick deployments.

Q: Does Algo support split tunneling? A: Yes. WireGuard profiles can be configured for full tunnel or split tunnel depending on client settings.
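Whether a given WireGuard profile is full or split tunnel is decided by its AllowedIPs line. The following is an added example, not code from Algo or from this page: it classifies a profile and goes a step beyond the FAQ by also flagging IPv4-only tunnels and DNS servers that sit outside the tunnel. The sample profile is constructed and trimmed to the fields checked, and all function names are hypothetical.

```python
import ipaddress

# Constructed sample; keys and addresses are placeholders, not Algo output.
SAMPLE = """\
[Interface]
PrivateKey = <client-private-key>
DNS = 172.16.0.1
[Peer]
PublicKey = <server-public-key>
AllowedIPs = 0.0.0.0/1, 128.0.0.0/1, 172.16.0.1/32
"""

def parse_profile(text):
    """Return [(section, {key: value})]; a profile may repeat [Peer]."""
    sections = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if line.startswith("[") and line.endswith("]"):
            sections.append((line[1:-1].lower(), {}))
        elif "=" in line and sections:
            key, value = line.split("=", 1)  # first '=' only: base64 keys end in '='
            sections[-1][1][key.strip().lower()] = value.strip()
    return sections

def values(text, section, key):
    """All comma-separated values of `key` across every `section` block."""
    return [v.strip() for name, opts in parse_profile(text) if name == section
            for v in opts.get(key, "").split(",") if v.strip()]

def allowed_networks(text):
    return [ipaddress.ip_network(v, strict=False) for v in values(text, "peer", "allowedips")]

def covers_all(nets, version):
    """True if the networks of this IP version add up to the default route."""
    same = [n for n in nets if n.version == version]
    return any(n.prefixlen == 0 for n in ipaddress.collapse_addresses(same))

def tunnel_mode(text):
    """'full', 'full-ipv4-only' (IPv6 bypasses the tunnel), 'split' or 'none'."""
    nets = allowed_networks(text)
    if covers_all(nets, 4):
        return "full" if covers_all(nets, 6) else "full-ipv4-only"
    return "split" if nets else "none"

def dns_inside_tunnel(text):
    """True if every DNS server (IP addresses assumed) is within AllowedIPs."""
    nets = allowed_networks(text)
    servers = [ipaddress.ip_address(v) for v in values(text, "interface", "dns")]
    return bool(servers) and all(any(s in n for n in nets) for s in servers)
```

A result of "split" together with dns_inside_tunnel() returning False means name lookups for that client travel outside the VPN.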
