In this tutorial, we will use Google Cloud as our host for the VPN, but any cloud provider can be used.
First, create a project on Google Cloud and open the Cloud Shell.
We will use Algo to simplify installing the VPN server.
git clone https://github.com/trailofbits/algo.git
sudo apt install -y --no-install-recommends python3-virtualenv file lookup
## Go into the Algo repository
cd algo
python3 -m virtualenv --python="$(command -v python3)" .env &&
source .env/bin/activate &&
python3 -m pip install -U pip virtualenv &&
python3 -m pip install -r requirements.txt
The config.cfg file is used to configure the VPN server. In this file we can add all the users we need. Keep in mind that each computer that wants to connect to the VPN needs to be created there.
We also need to change a few settings to allow communication between users in our VPN. This is called the "Road Warrior" setup. Change BetweenClients_DROP in config.cfg to false, and also consider changing block_smb and block_netbios to false. With BetweenClients_DROP set to false, every client can reach the services exposed by every other client over the VPN, so leave block_smb and block_netbios enabled unless you need file sharing between clients.
During the configuration process, all settings can be kept at their default values.
## Create the project to group the resources
### You might need to change this to get a globally unique project ID
PROJECT_ID=${USER}-algo-vpn
BILLING_ID="$(gcloud beta billing accounts list --format="value(ACCOUNT_ID)")"
gcloud projects create ${PROJECT_ID} --name algo-vpn --set-as-default
gcloud beta billing projects link ${PROJECT_ID} --billing-account ${BILLING_ID}
## Create an account that has access to the VPN
gcloud iam service-accounts create algo-vpn --display-name "Algo VPN"
gcloud iam service-accounts keys create configs/gce.json \
--iam-account algo-vpn@${PROJECT_ID}.iam.gserviceaccount.com
gcloud projects add-iam-policy-binding ${PROJECT_ID} \
--member serviceAccount:algo-vpn@${PROJECT_ID}.iam.gserviceaccount.com \
--role roles/compute.admin
gcloud projects add-iam-policy-binding ${PROJECT_ID} \
--member serviceAccount:algo-vpn@${PROJECT_ID}.iam.gserviceaccount.com \
--role roles/iam.serviceAccountUser
## Enable the services
gcloud services enable compute.googleapis.com
./algo -e "provider=gce" -e "gce_credentials_file=$(pwd)/configs/gce.json"
Once the VPN client is installed you can copy the client configs onto each client and then proceed to the WireGuard installation. The Algo-generated config files for WireGuard are named configs/<ip_address>/wireguard/<username>.conf on the system where you ran ./algo. One file was generated for each of the users you added to config.cfg. Each WireGuard client you connect to your AlgoVPN must use a different config file. Choose one of these files and copy it to your clients.
Since Jetsons use a different version of the Linux kernel, WireGuard cannot be installed by simply running sudo apt install wireguard. For this reason we will use wireguard-go instead.
## Install the latest version of Go
wget https://go.dev/dl/go1.22.3.linux-arm64.tar.gz
## Writing to /usr/local requires root
sudo rm -rf /usr/local/go && sudo tar -C /usr/local -xzf go1.22.3.linux-arm64.tar.gz
export PATH=$PATH:/usr/local/go/bin
## Verify that Go is installed correctly
go version
## Install WireGuard-Go
git clone https://git.zx2c4.com/wireguard-go
cd wireguard-go
make
## Set up the wg0 interface (make leaves the binary in the current directory; creating the interface requires root)
sudo ./wireguard-go wg0
## Install wireguard-tools and make sure that wireguard is not already installed
sudo apt remove wireguard
sudo apt install wireguard-tools
## Configure WireGuard
### Install the config downloaded from the Algo server
sudo install -o root -g root -m 600 <username>.conf /etc/wireguard/wg0.conf
### Start the WireGuard VPN:
sudo systemctl start wg-quick@wg0
### Check that it started properly:
sudo systemctl status wg-quick@wg0
### Verify the connection to the AlgoVPN:
sudo wg
### See that your client is using the IP address of your AlgoVPN:
curl ipv4.icanhazip.com
### Optionally configure the connection to come up at boot time:
sudo systemctl enable wg-quick@wg0
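Before the install step above, it is worth confirming that the copied file is a complete client config and that its private key is not readable by other users. The check below is an added example, not part of Algo or WireGuard; the function names and the sample config (placeholder keys, a constructed endpoint) are assumptions.

```shell
# Added example: pre-install check for an Algo-generated WireGuard client config.
# check_wg_conf FILE: return 0 if FILE is owner-only and has every required key.
check_wg_conf() {
    conf=$1
    [ -f "$conf" ] || { echo "missing file: $conf"; return 1; }
    # Characters 5-10 of the ls mode string are the group and other bits.
    perms=$(ls -ld -- "$conf" | cut -c5-10)
    if [ "$perms" != "------" ]; then
        echo "$conf: private key readable by group/other (chmod 600)"
        return 1
    fi
    # A wg-quick client config needs the client's own key and address,
    # plus the server's public key, endpoint and routed ranges.
    for key in PrivateKey Address PublicKey Endpoint AllowedIPs; do
        if ! grep -Eq "^[[:space:]]*$key[[:space:]]*=[[:space:]]*[^[:space:]]" "$conf"; then
            echo "$conf: no value for $key"
            return 1
        fi
    done
    echo "$conf: ok"
}

# wg_conf_address FILE: print the VPN address assigned to this client.
wg_conf_address() {
    sed -n 's/^[[:space:]]*Address[[:space:]]*=[[:space:]]*//p' "$1" | head -n 1
}

# Constructed sample config; the keys are placeholders, not real key material.
sample=$(mktemp)
cat > "$sample" <<'EOF'
[Interface]
PrivateKey = CONSTRUCTED_PLACEHOLDER_PRIVATE_KEY=
Address = 10.49.0.2/32
DNS = 172.16.0.1

[Peer]
PublicKey = CONSTRUCTED_PLACEHOLDER_PUBLIC_KEY=
AllowedIPs = 0.0.0.0/0
Endpoint = 203.0.113.10:51820
EOF
chmod 600 "$sample"
check_wg_conf "$sample"
wg_conf_address "$sample"
```

Running wg_conf_address over every file in configs/<ip_address>/wireguard/ also makes it easy to confirm that no two clients were handed the same address.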
We can now successfully talk between VPN clients using their address, e.g. ssh markhor@10.49.0.2.