172fc348ef
* Add test to detect inline comments in Jinja2 expressions within YAML files
This test would have caught the bug reported where inline comments (#)
within Jinja2 expressions in YAML task files caused Ansible template
errors. The test:
- Extracts and validates all Jinja2 expressions from YAML files
- Specifically detects inline comments within {{ }} and {% %} blocks
- Includes regression test for the exact reported bug pattern
- Avoids false positives (# in strings, escaped #, comments outside expressions)
- Focuses on the critical inline comment issue
The original bug was in roles/strongswan/tasks/openssl.yml where comments
like "# Per-deployment UUID..." were placed inside a Jinja2 expression,
causing "unexpected char '#'" errors during playbook execution.
🤖 Generated with [Claude Code](https://claude.ai/code)
Co-Authored-By: Claude <noreply@anthropic.com>
* Refactor test to use pytest framework and add comprehensive edge cases
- Converted standalone script to proper pytest test functions
- Replaced main() with individual test functions using pytest assertions
- Added comprehensive edge case tests for inline comment detection:
* Hash symbols in strings (should pass)
* Escaped hashes (should pass)
* Comments in control blocks (should fail)
* Multi-line expressions with comments (should fail)
* URL fragments and hex colors (should pass)
- Test functions now properly integrate with pytest:
* test_regression_openssl_inline_comments() - regression test
* test_edge_cases_inline_comments() - comprehensive edge cases
* test_yaml_files_no_inline_comments() - scan all YAML files
* test_openssl_file_specifically() - test the originally buggy file
This addresses the review feedback about pytest integration and adds
the suggested test cases for better coverage.
🤖 Generated with [Claude Code](https://claude.ai/code)
Co-Authored-By: Claude <noreply@anthropic.com>
* Fix linter issues in test_yaml_jinja2_expressions.py
- Fixed trailing whitespace issues (W293)
- Applied ruff formatting for consistent code style
- All tests still pass after formatting changes
🤖 Generated with [Claude Code](https://claude.ai/code)
Co-Authored-By: Claude <noreply@anthropic.com>
* Add mutation testing guidance to CLAUDE.md
Added a section on writing effective tests that emphasizes the importance
of verifying that tests actually detect failure cases. This lightweight
mutation testing approach ensures:
- Tests catch the specific bugs they're designed to prevent
- We avoid false confidence from tests that always pass
- Test purposes are clear and documented
- Both success and failure cases are validated
The guidance includes a concrete example from our recent inline comment
detection test, showing how to verify both the problematic pattern
(should fail) and the fixed pattern (should pass).
🤖 Generated with [Claude Code](https://claude.ai/code)
Co-Authored-By: Claude <noreply@anthropic.com>
---------
Co-authored-by: Claude <noreply@anthropic.com>
|
||
|---|---|---|
| .github | ||
| configs | ||
| docs | ||
| files/cloud-init | ||
| library | ||
| playbooks | ||
| roles | ||
| scripts | ||
| tests | ||
| .ansible-lint | ||
| .dockerignore | ||
| .gitignore | ||
| .yamllint | ||
| algo | ||
| algo-docker.sh | ||
| algo-showenv.sh | ||
| algo.ps1 | ||
| ansible.cfg | ||
| CLAUDE.md | ||
| cloud.yml | ||
| CODEOWNERS | ||
| config.cfg | ||
| CONTRIBUTING.md | ||
| deploy_client.yml | ||
| Dockerfile | ||
| input.yml | ||
| install.sh | ||
| inventory | ||
| LICENSE | ||
| logo.png | ||
| main.yml | ||
| PULL_REQUEST_TEMPLATE.md | ||
| pyproject.toml | ||
| README.md | ||
| requirements.yml | ||
| SECURITY.md | ||
| server.yml | ||
| users.yml | ||
| uv.lock | ||
Algo VPN
Algo VPN is a set of Ansible scripts that simplify the setup of a personal WireGuard and IPsec VPN. It uses the most secure defaults available and works with common cloud providers.
See our release announcement for more information.
Features
- Supports only IKEv2 with strong crypto (AES-GCM, SHA2, and P-256) for iOS, macOS, and Linux
- Supports WireGuard for all of the above, in addition to Android and Windows 11
- Generates .conf files and QR codes for iOS, macOS, Android, and Windows WireGuard clients
- Generates Apple profiles to auto-configure iOS and macOS devices for IPsec - no client software required
- Includes a helper script to add and remove users
- Blocks ads with a local DNS resolver (optional)
- Sets up limited SSH users for tunneling traffic (optional)
- Based on current versions of Ubuntu and strongSwan
- Installs to DigitalOcean, Amazon Lightsail, Amazon EC2, Vultr, Microsoft Azure, Google Compute Engine, Scaleway, OpenStack, CloudStack, Hetzner Cloud, Linode, or your own Ubuntu server (for advanced users)
Anti-features
- Does not support legacy cipher suites or protocols like L2TP, IKEv1, or RSA
- Does not install Tor, OpenVPN, or other risky servers
- Does not depend on the security of TLS
- Does not claim to provide anonymity or censorship avoidance
- Does not claim to protect you from the FSB, MSS, DGSE, or FSM
Deploy the Algo Server
The easiest way to get an Algo server running is to run it on your local system or from Google Cloud Shell and let it set up a new virtual machine in the cloud for you.
-
Setup an account on a cloud hosting provider. Algo supports DigitalOcean (most user friendly), Amazon Lightsail, Amazon EC2, Vultr, Microsoft Azure, Google Compute Engine, Scaleway, DreamCompute, Linode other OpenStack-based cloud hosting, Exoscale or other CloudStack-based cloud hosting, or Hetzner Cloud.
-
Get a copy of Algo. The Algo scripts will be run from your local system. There are two ways to get a copy:
-
Download the ZIP file. Unzip the file to create a directory named
algo-mastercontaining the Algo scripts. -
Use
git cloneto create a directory namedalgocontaining the Algo scripts:git clone https://github.com/trailofbits/algo.git
-
-
Set your configuration options. Open
config.cfgin your favorite text editor. Specify the users you want to create in theuserslist. Create a unique user for each device you plan to connect to your VPN. You should also review the other options before deployment, as changing your mind about them later may require you to deploy a brand new server. -
Start the deployment. Return to your terminal. In the Algo directory, run the appropriate script for your platform:
macOS/Linux:
./algoWindows:
.\algo.ps1The first time you run the script, it will automatically install the required Python environment (Python 3.11+). On subsequent runs, it starts immediately and works on all platforms (macOS, Linux, Windows via WSL). The Windows PowerShell script automatically uses WSL when needed, since Ansible requires a Unix-like environment. There are several optional features available, none of which are required for a fully functional VPN server. These optional features are described in the deployment documentation.
That's it! You can now set up clients to connect to your VPN. Proceed to Configure the VPN Clients below.
"# Congratulations! #"
"# Your Algo server is running. #"
"# Config files and certificates are in the ./configs/ directory. #"
"# Go to https://whoer.net/ after connecting #"
"# and ensure that all your traffic passes through the VPN. #"
"# Local DNS resolver 172.16.0.1 #"
"# The p12 and SSH keys password for new users is XXXXXXXX #"
"# The CA key password is XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX #"
"# Shell access: ssh -F configs/<server_ip>/ssh_config <hostname> #"
Configure the VPN Clients
Certificates and configuration files that users will need are placed in the configs directory. Make sure to secure these files since many contain private keys. All files are saved under a subdirectory named with the IP address of your new Algo VPN server.
Important for IPsec users: If you want to add or delete users later, you must select yes at the Do you want to retain the keys (PKI)? prompt during the server deployment. This preserves the certificate authority needed for user management.
Apple
WireGuard is used to provide VPN services on Apple devices. Algo generates a WireGuard configuration file, wireguard/<username>.conf, and a QR code, wireguard/<username>.png, for each user defined in config.cfg.
On iOS, install the WireGuard app from the iOS App Store. Then, use the WireGuard app to scan the QR code or AirDrop the configuration file to the device.
On macOS, install the WireGuard app from the Mac App Store. WireGuard will appear in the menu bar once you run the app. Click on the WireGuard icon, choose Import tunnel(s) from file..., then select the appropriate WireGuard configuration file.
On either iOS or macOS, you can enable "Connect on Demand" and/or exclude certain trusted Wi-Fi networks (such as your home or work) by editing the tunnel configuration in the WireGuard app. (Algo can't do this automatically for you.)
If you prefer to use the built-in IPsec VPN on Apple devices, or need "Connect on Demand" or excluded Wi-Fi networks automatically configured, see the Apple IPsec client setup guide for detailed configuration instructions.
Android
WireGuard is used to provide VPN services on Android. Install the WireGuard VPN Client. Import the corresponding wireguard/<name>.conf file to your device, then set up a new connection with it. See the Android setup guide for detailed installation and configuration instructions.
Windows
WireGuard is used to provide VPN services on Windows. Algo generates a WireGuard configuration file, wireguard/<username>.conf, for each user defined in config.cfg.
Install the WireGuard VPN Client. Import the generated wireguard/<username>.conf file to your device, then set up a new connection with it. See the Windows setup instructions for more detailed walkthrough and troubleshooting.
Linux
Linux clients can use either WireGuard or IPsec:
WireGuard: WireGuard works great with Linux clients. See the Linux WireGuard setup guide for step-by-step instructions on configuring WireGuard on Ubuntu and other distributions.
IPsec: For strongSwan IPsec clients (including OpenWrt, Ubuntu Server, and other distributions), see the Linux IPsec setup guide for detailed configuration instructions.
OpenWrt
For OpenWrt routers using WireGuard, see the OpenWrt WireGuard setup guide for router-specific configuration instructions.
Other Devices
For devices not covered above or manual configuration, you'll need specific certificate and configuration files. The files you need depend on your device platform and VPN protocol (WireGuard or IPsec).
- ipsec/manual/cacert.pem: CA Certificate
- ipsec/manual/.p12: User Certificate and Private Key (in PKCS#12 format)
- ipsec/manual/.conf: strongSwan client configuration
- ipsec/manual/.secrets: strongSwan client configuration
- ipsec/apple/.mobileconfig: Apple Profile
- wireguard/.conf: WireGuard configuration profile
- wireguard/.png: WireGuard configuration QR code
Setup an SSH Tunnel
If you turned on the optional SSH tunneling role, local user accounts will be created for each user in config.cfg, and SSH authorized_key files for them will be in the configs directory (user.pem). SSH user accounts do not have shell access, cannot authenticate with a password, and only have limited tunneling options (e.g., ssh -N is required). This ensures that SSH users have the least access required to set up a tunnel and can perform no other actions on the Algo server.
Use the example command below to start an SSH tunnel by replacing <user> and <ip> with your own. Once the tunnel is set up, you can configure a browser or other application to use 127.0.0.1:1080 as a SOCKS proxy to route traffic through the Algo server:
ssh -D 127.0.0.1:1080 -f -q -C -N <user>@algo -i configs/<ip>/ssh-tunnel/<user>.pem -F configs/<ip>/ssh_config
SSH into Algo Server
Your Algo server is configured for key-only SSH access for administrative purposes. Open the Terminal app, cd into the algo-master directory where you originally downloaded Algo, and then use the command listed on the success message:
ssh -F configs/<ip>/ssh_config <hostname>
where <ip> is the IP address of your Algo server. If you find yourself regularly logging into the server, it will be useful to load your Algo SSH key automatically. Add the following snippet to the bottom of ~/.bash_profile to add it to your shell environment permanently:
ssh-add ~/.ssh/algo > /dev/null 2>&1
Alternatively, you can choose to include the generated configuration for any Algo servers created into your SSH config. Edit the file ~/.ssh/config to include this directive at the top:
Include <algodirectory>/configs/*/ssh_config
where <algodirectory> is the directory where you cloned Algo.
Adding or Removing Users
Algo makes it easy to add or remove users from your VPN server after initial deployment.
For IPsec users: You must have selected yes at the Do you want to retain the keys (PKI)? prompt during the initial server deployment. This preserves the certificate authority needed for user management. You should also save the p12 and CA key passwords shown during deployment, as they're only displayed once.
To add or remove users, first edit the users list in your config.cfg file. Add new usernames or remove existing ones as needed. Then navigate to the algo directory in your terminal and run:
macOS/Linux:
./algo update-users
Windows:
.\algo.ps1 update-users
After the process completes, new configuration files will be generated in the configs directory for any new users. The Algo VPN server will be updated to contain only the users listed in the config.cfg file. Removed users will no longer be able to connect, and new users will have fresh certificates and configuration files ready for use.
Additional Documentation
- FAQ
- Troubleshooting
- How Algo uses Firewalls
Setup Instructions for Specific Cloud Providers
- Configure Amazon EC2
- Configure Azure
- Configure DigitalOcean
- Configure Google Cloud Platform
- Configure Vultr
- Configure CloudStack
- Configure Hetzner Cloud
Install and Deploy from Common Platforms
- Deploy from macOS
- Deploy from Windows
- Deploy from Google Cloud Shell
- Deploy from a Docker container
Setup VPN Clients to Connect to the Server
- Setup Windows clients
- Setup Android clients
- Setup Linux clients with Ansible
- Setup Ubuntu clients to use WireGuard
- Setup Linux clients to use IPsec
- Setup Apple devices to use IPsec
- Setup Macs running macOS 10.13 or older to use WireGuard
Advanced Deployment
- Deploy to your own Ubuntu server, and road warrior setup
- Deploy from Ansible non-interactively
- Deploy onto a cloud server at time of creation with shell script or cloud-init
- Deploy to an unsupported cloud provider
If you've read all the documentation and have further questions, create a new discussion.
Endorsements
I've been ranting about the sorry state of VPN svcs for so long, probably about time to give a proper talk on the subject. TL;DR: use Algo.
-- Kenn White
Before picking a VPN provider/app, make sure you do some research https://research.csiro.au/ng/wp-content/uploads/sites/106/2016/08/paper-1.pdf ... – or consider Algo
-- The Register
Algo is really easy and secure.
-- the grugq
I played around with Algo VPN, a set of scripts that let you set up a VPN in the cloud in very little time, even if you don’t know much about development. I’ve got to say that I was quite impressed with Trail of Bits’ approach.
-- Romain Dillet for TechCrunch
If you’re uncomfortable shelling out the cash to an anonymous, random VPN provider, this is the best solution.
-- Thorin Klosowski for Lifehacker
Support Algo VPN
All donations support continued development. Thanks!
- We accept donations via PayPal and Patreon.
- Use our referral code when you sign up to Digital Ocean for a $10 credit.
- We also accept and appreciate contributions of new code and bugfixes via Github Pull Requests.
Algo is licensed and distributed under the AGPLv3. If you want to distribute a closed-source modification or service based on Algo, then please consider purchasing an exception . As with the methods above, this will help support continued development.