Ocserv Installation

Install ocserv:

apt install ocserv gnutls-bin -y

Run a performance benchmark for gnuTLS and find the best one:

gnutls-cli --benchmark-tls-ciphers

Generate Diffie-Hellman parameters:

certtool --generate-dh-params --outfile /etc/ocserv/dh.pem

Find the line:

rekey-method = ssl

Replace it with the following:

rekey-method = new-tunnel

Uncomment the following line:

dh-params = /etc/ocserv/dh.pem

Find this line:


Change it to something like this:

tls-priorities = "NORMAL:%SERVER_PRECEDENCE:+AES-128-GCM"

Circumventing Path MTU Discovery issues with MSS Clamping:

iptables -A FORWARD -p tcp --tcp-flags SYN,RST SYN -j TCPMSS  --clamp-mss-to-pmtu

PAM Issue

Sometimes after the first user connects and disconnects, try to connect again, it gets the following error (Basically looks like ocserv crashes on every second try) when using PAM as authentication method libpam-cap, we can remove it and try again. we can remove it and try again:

apt remove libpam-cap -y

Algo Installation

Download and install dependencies:

apt -y install unzip python3-virtualenv
wget -c https://github.com/trailofbits/algo/archive/master.zip -O /opt/algo.zip
cd /opt/
unzip algo.zip 
cd algo-master/
python3 -m virtualenv --python="$(command -v python3)" .env &&
  source .env/bin/activate &&
  python3 -m pip install -U pip virtualenv &&
  python3 -m pip install -r requirements.txt

Open configuration file:

nano config.cfg

Specify the users you wish to create in the users list:

 - masoud

Run the Ansible Setup Wizard

Start the deployment:


Choose below options:

What provider would you like to use?
  1. DigitalOcean
  2. Amazon Lightsail
  3. Amazon EC2
  4. Microsoft Azure
  5. Google Compute Engine
  6. Hetzner Cloud
  7. Vultr
  8. Scaleway
  9. OpenStack (DreamCompute optimised)
  10. CloudStack (Exoscale optimised)
  11. Install to existing Ubuntu 18.04 or 20.04 server (for more advanced users)
Do you want macOS/iOS IPsec clients to enable "Connect On Demand" when connected to cellular networks? [y/N]
Do you want macOS/iOS IPsec clients to enable "Connect On Demand" when connected to Wi-Fi? [y/N]
Do you want to retain the keys (PKI)? (required to add users in the future, but less secure)
Do you want to enable DNS ad blocking on this VPN server? [y/N]
Do you want each user to have their own account for SSH tunneling? [y/N]
Enter the IP address of your server: (or use localhost for local installation): [localhost]
Enter the public IP address or domain name of your server: (IMPORTANT! This is used to verify the certificate) [YOUR_PUBLIC_IP]


Install WireGuard Client:


For Android Device Download and Scan QR Code:

scp root@YOUR_PUBLIC_IP:/opt/algo-master/configs/YOUR_PUBLIC_IP/wireguard/masoud{.png,.conf} .


add-apt-repository ppa:wireguard/wireguard
apt update -y
apt install wireguard -y

Copy Client Configs:

sudo install -o root -g root -m 600 masoud.conf /etc/wireguard/wg0.conf
systemctl enable wg-quick@wg0
systemctl start wg-quick@wg0

Another Method:

add-apt-repository ppa:nm-l2tp/network-manager-l2tp
apt update -y
apt install network-manager-l2tp-gnome -y

Add VPN Connection.

Another Method Using IPSec:

apt install strongswan -y
scp root@YOUR_PUBLIC_IP:/opt/algo/configs/YOUR_PUBLIC_IP/ipsec/.pki/private/masoud.key .
scp root@YOUR_PUBLIC_IP:/opt/algo/configs/YOUR_PUBLIC_IP/ipsec/.pki/certs/masoud.crt .
scp root@YOUR_PUBLIC_IP:/opt/algo/configs/YOUR_PUBLIC_IP/ipsec/manual/* .

Copy Files

cp masoud.key /etc/ipsec.d/private/
cp masoud.crt /etc/ipsec.d/private/
cp masoud.conf /etc/ipsec.conf
cp masoud.secrets /etc/ipsec.secrets
cp cacert.pem /etc/ipsec.d/cacerts/cacert.pem

Copy Files

cp masoud.crt /etc/ipsec.d/certs/
cp masoud.key /etc/ipsec.d/private/
cp cacert.pem /etc/ipsec.d/cacerts/
cp masoud.secrets /etc/ipsec.secrets
cp masoud.conf /etc/ipsec.conf
ipsec restart
ipsec up algovpn-

Visit https://whoer.net/

Add user:

After the installation, you can add other users to list in your config.cfg


Once the list is updated, activate the virtual environment and run the users update script.

source env/bin/activate
./algo update-users

After this process completes, the Algo VPN server will contain only the users listed in the config.cfg file.

  # id test
  uid=1002(test) gid=1003(test) groups=1003(test),1000(algo)

The configuration files for each VPN profile are located under the ./algo/configs/ServerIP directory.

See the conncection status:

wg show

Check if the following UDP ports are open:

nc -vz -u YOUR_PUBLIC_IP 500
nc -vz -u YOUR_PUBLIC_IP 51820
nc -vz -u YOUR_PUBLIC_IP 4500

Add a new floating IP

Open the project in hetzner console. Open the Floating IPs section and add a new one.

Add few new lines to configuration file:

nano /etc/netplan/50-cloud-init.yaml

Paste the following configuration into the editor and replace YOUR_NEW_IP with your Floating IP:

    version: 2
            - 2a01:4f9:c010:18be::1/64
            dhcp4: true
            gateway6: fe80::1
                macaddress: 96:00:00:a6:82:87
            set-name: eth0
            - YOUR_NEW_IP/32

restart your network:

netplan apply