For anyone wanting to try it, WireGuard with Algo VPN [1] to set it up on a server is a great combination. I found it quite easy to set up and use.
Algo has built-in support for various cloud providers, where, when you run it from, say, your desktop, it can set up the VPN server for you based on answers to some questions (with sensible defaults) and some information on connecting to the provider (like an API key, for example). You also get QR code images that you can use to install a VPN profile on your phone.
You can also run Algo from within a server and have it set up the VPN for you.
I did have some problems with Algo behind a NAT. Though my use case is a bit different, more of a road warrior, as I wanted to be able to access a server in one property (behind NAT) from my home PC (also NAT).
I suppose I just need port forwarding.
I was in a similar situation. Port forwarding worked perfectly. In my case the server I was trying to access was behind an ISP (Comcast) managed NAT so I had to go through them to open the port. Much to my surprise they were extremely helpful and understanding of the request.
If you're subject to state level actors attacking you, a VPS is probably the least of your worries. If you're just trying to make sure some kiddiot in a coffee shop isn't doing mass collections, a VPS is perfectly secure.
The bad actors who want to steal your passwords and credit-card data, and the state actors who want to spy on Persons of Interest, don't know each other or talk to one another. A VPS provider being compromised by a series of private individuals doesn't imply that your VPN running on such a service is going to be sneakily MITMed, because there's no obvious profit motive in doing so (unless you're a very publicly super-rich person who is also very publicly using the service, and it's very obvious how to blackmail you if you could just get data exfiltration via that service. Like Jeff Bezos with WhatsApp.)
Instead, you might get whatever elements of your identity stolen that Linode's account-management servers have possession of; or your VPS instance might become host to crypto-mining malware and then get shut down by Linode (which will come at no cost to you, other than the downtime.) But neither of these things will really focus on you personally. They're automated bulk attacks.
If you don't want to trust them now, in 2020, don't - they aren't the only provider of VMs. I'd imagine the big cloud providers (AWS/GCP/Azure) have fairly significant security teams - has there ever been a disclosure of customer VMs being compromised on any of them?
That's kind of a tautology. If you assume the system is insecure, then yes it's going to be insecure with that assumption. This is going to be true of any VPN system, so I think it's an unfair criticism to level against this particular VPN setup.
If you want to be secure against local adversaries, use Tor.
this is my favorite extremely annoying but massively useful "acktually..."
begging the question as a logical fallacy is prevalent in politics and media representations, and is a differentiator between reasoned debate and talking head nonsense.
Politician 1: UBI!
P2: free market competition!
P1: why do you want poor people to suffer, P2?!
P2: 2nd amendment!
P1: Ban firearms!
P2: why do you want americans to be put in danger, P1?!
> Does the VPS have unencrypted access to the VPN?
Not quite sure what you are asking about in this first part of your comment, but I'll get back to that.
Firstly though, I think I might see what you are getting at, but correct me if I am misunderstanding what you are saying.
> It's something I would want to avoid. (A VPS is a prime candidate to be compromised)
So, I think that what you are saying here is that by passing all of your traffic through a VPS that you set up yourself, you are increasing the attack surface that others have against you in a specific and potentially particularly dangerous way.
And to some extent I agree with that.
Unlike what the first one of the other commenters said in their response to you, I think you are not talking about state level actors. I also think that you are not talking about the VPS provider wanting to look at your traffic. I think what you are pointing out is that:
1. Keeping the operating system and services that are running on the VPS up to date with patches will be the responsibility of the person that is renting the VPS.
2. The VPS is more or less permanently connected directly to the public Internet. As such, it is under constant "fire" from automated attacks. (Anyone who has run a VPS or other server or device directly connected to the public Internet knows this to be true. It doesn't matter how big or small you are, or who you are.)
3. As a consequence of points 1 and 2, failure to keep the OS and services patched could result in compromise of your VPS. (Most likely the purpose of the compromise is that the attackers want to use the machine for things like having it participate in DDoS attacks, sending spam, compromising other actually valuable targets, or mining cryptocurrency. But it can indeed not be ruled out that they would potentially listen in on the traffic you are passing through your VPN on it also. And even if most of the criminals don't care about the VPNs running on the compromised servers today, they might in the future. Especially if there is a common widespread VPN configuration that a lot of the compromised servers are all running, so that they could mass-intercept all of the data on all of those compromised servers with little work/effort on their part.)
If that is what you mean then I agree that it might be a problem.
Compared to professional VPN providers, any individual renting a VPS is probably comparatively less skilled at keeping their VPS secure than the VPN provider is at keeping the VPN service secure from external attackers. And even if someone has all of the skill that they need to securely configure their VPS and keep it up to date with patches, they still have far less time on their hands available for auditing, monitoring, and all of that, than all of the people that are being paid to take care of those things at a large scale VPN provider with many employees.
So again, that's another point that I agree with you about if that is also what you mean.
At the same time, however, it should also be pointed out that it can be really hard to know who the people behind any particular VPN service provider are. But the same argument applies against a lot of the VPS providers out there.
Any random VPN service provider could claim that they have a big team, that the service they are offering is secure, and that they don't keep logs and don't record traffic. But at the end of the day for most of them, you have nothing more than their word to go on.
The same applies to random VPS providers though. With most of them you have no idea about who they are and what they are actually spending their time doing.
Sorry my comment is getting real long and yet there is more that I would like to touch on.
For example, another point in favour of the argument that I think you are making is that potentially, VPN service providers are monitoring their whole networks of hosts specifically for attacks that seek to intercept the traffic of their customers, in addition to the regular type of attacks that all hosts on the internet are subject to.
Whereas with a VPS provider, I imagine that they are primarily monitoring for the regular type of attacks mentioned before. VPS providers will notice, and shut down, VPSes that have been compromised if those compromised machines are participating in DDoS attacks on other hosts, sending spam, or burning too many CPU cycles as a result of cryptocurrency mining malware having infected them. But unless notified by one of their customers about the specific type of attack where data is being exfiltrated or tampered with on an infected VPS itself, most VPS providers would be unlikely to notice such a type of attack I think, and furthermore I think this is natural to expect. After all, when you rent a VPS, you are specifically paying the company for the privilege of you being in charge of what that VPS is doing, and for them to largely stay out of and away from your VPS itself, no? At least, that's the way that I think about it. As long as the VPSes are not consuming excessive amounts of resources and not being disruptive or malicious towards external hosts, I think both the VPS companies and their customers expect the VPS company to not interfere with what the VPS itself is doing, and to not be surveilling the processes, disk and memory of the VPSes. It's a virtual private server after all, right?
So that's another point for the argument I think you are trying to make.
But I don't see VPN service providers as being much safer as a whole. I think it is highly probable that among all of the companies that provide VPN services, it is likely that a significant portion of them are straight up malicious. By that I mean, they say they don't look at your traffic and they say they don't keep logs. But for all we know, and given the fact that many forms of cybercrime are profitable enough that criminals are engaging in it, I think it is reasonable to suspect that quite a few of the providers are mining your data or worse.
This brings me back to the first part of your comment, which has me confused about what you mean.
> Does the VPS have unencrypted access to the VPN?
Confused because yes, this is how any VPN works. You get an encrypted link between your device and the other end of the VPN connection. The VPN connection extends only to the VPN server/gateway that you connected to in the first place, no matter if that is some VPN server you are running on a VPS yourself, or if you are paying a VPN service provider for it.
The extent to which your data is encrypted or not all the way to the final destination will be entirely dependent on what kinds of traffic your device itself is sending in the first place.
If your device is tunneling unencrypted traffic inside of the VPN connection, then unencrypted traffic will be what comes out at the other end where the VPN tunnel is terminated. There is no way around that. The only thing you can do, is to ensure that your device does not try to send that kind of data through the VPN in the first place, if you are concerned about said traffic being visible at the other end of the VPN tunnel.
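As an added illustration (not from the thread and not Algo's generated output), a minimal hand-written WireGuard server/client pair that shows the two points discussed above: the server's UDP ListenPort is the one thing that has to be forwarded through a NAT, and the tunnel ends at the server, where client traffic is decrypted and NATed onward in whatever form the client sent it. Keys, addresses, the interface name and the hostname are placeholders.

```ini
# --- Server side (the VPS, or the box behind the property's NAT): /etc/wireguard/wg0.conf ---
# Assumes the kernel forwards IPv4 (sysctl net.ipv4.ip_forward=1) and that eth0 is the uplink.
[Interface]
Address    = 10.8.0.1/24
ListenPort = 51820                  # UDP; behind a NAT this is the port the router must forward here
PrivateKey = <SERVER_PRIVATE_KEY>   # placeholder; generate with: wg genkey
# The tunnel terminates here: packets leaving wg0 are already decrypted, so whatever
# the client sent in the clear inside the tunnel is in the clear on eth0.
PostUp   = iptables -A FORWARD -i wg0 -j ACCEPT; iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE
PostDown = iptables -D FORWARD -i wg0 -j ACCEPT; iptables -t nat -D POSTROUTING -o eth0 -j MASQUERADE

[Peer]
PublicKey  = <CLIENT_PUBLIC_KEY>    # placeholder
AllowedIPs = 10.8.0.2/32            # only this tunnel address may arrive from this peer

# --- Client side (laptop or phone, itself behind a home NAT): wg0.conf ---
[Interface]
Address    = 10.8.0.2/24
PrivateKey = <CLIENT_PRIVATE_KEY>   # placeholder
DNS        = 10.8.0.1               # resolve through the tunnel too, or DNS leaks outside it

[Peer]
PublicKey  = <SERVER_PUBLIC_KEY>    # placeholder
Endpoint   = vpn.example.org:51820  # placeholder public address; must reach the forwarded UDP port
AllowedIPs = 0.0.0.0/0, ::/0        # full tunnel: everything is encrypted, but only as far as the server
PersistentKeepalive = 25            # keeps the client's own NAT mapping open so the server can reply
```

Only the client-to-server hop is protected by WireGuard; an HTTP request inside the tunnel leaves eth0 as plain HTTP, exactly as the comment above describes.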
Thanks for the elaborate answer on my, in hindsight, not very clear question.
The use case I was referring to is where the VPN is between e.g. your corporate network and your pc when working from home. In this case the VPS doesn't need to see the unencrypted traffic.
A sibling comment made clear that the ansible recipe mentioned is to set up a VPN between e.g. a laptop in the VPS.
>The use case I was referring to is where the VPN is between e.g. your corporate network and your pc when working from home. In this case the VPS doesn't need to see the unencrypted traffic.
Your corporate IT should be providing you with VPN access directly to your corporate network. You should not be using a private VPN in addition to using your corporate VPN when working.
A VPN on a VPS would be ONLY for personal use (unless of course you are self-employed, the business owner, an independent contractor, etc.).
I would review your IT policy, you are probably breaching your policy if you are using a company owned machine to connect to your private VPN on a VPS.
I wish people would stop automatically recommending Algo, for instance it doesn't support Arch. It's the best if your platform is supported. Otherwise, it's easier to just manually set up everything.
Three of the top 20 list on distrowatch are Arch or Arch derivatives, including the number 2 spot. Its wiki is widely recommended as well for users of any distro.
"Niche" is a bad way to describe Arch.
It's probably more likely that a person interested in setting up WireGuard and their own VPN are running Arch or a derivative than any other distro.
I love Arch's wiki and the userbase's enthusiasm. But how in the world do you think Arch is the most probable distro base for a wg user? Using your distrowatch reference, 4 of the top 5 are Debian based.
I was looking at it from a perspective of who would be likely to install WG and set up their own VPN. This is me guessing (that's why I hedged and said probably), but I suspect there is great overlap in the tinkering and DIY attitude of Arch users and WG users.
Mostly I was responding to the statement that Arch was a niche distro.
I honestly think the algo ansible scripts just make it more confusing. I agree with you, setup isn't that hard, and you learn it better setting it up without ansible scripts.
[1]: https://github.com/trailofbits/algo