Wireguard for VPN on Android

August 31, 2018
android wireguard vpn

Both Windows and Android has gotten a lot of flack for not supporting strong ciphers natively on Android and iOS. Some time ago Algo gained support for a very awesome newcomer called Wireguard. Compared to other application layer tunneling software, like OpenVPN, it is clearly more modern in its approach. The most impressive of Wireguard is its the small codebase with as little as 4000 lines of code. Do note that they that it “can” be implemented for the Linux kernel on that little. Anyways, OpenVPN has a massive codebase in comparison.

WireGuard is an extremely simple yet fast and modern VPN that utilizes state-of-the-art cryptography. It aims to be faster, simpler, leaner, and more useful than IPSec, while avoiding the massive headache. It intends to be considerably more performant than OpenVPN.

I previously wrote about Algo in my Tactical Travel Protection Model article. To get a more holistic experience, please read up on that, also for other technical travel recommendations.

One thing that I had an issue with previously with Wireguard, and that I feel was a little sparingly documented was always-on VPN. That has always been an issue with Android for me, since it has had an tendency to not be an easy way there. However, IPSec on iOS has always been straight forward - and configurable in the mobileconfig format. It turns out that it is supported.

Wireguard is still in preview on the Google Play Store, so it won’t be available for those running G Suite - unluckily.

First, to get an algo server up and running with Ansible (easy-install_2.7 ansible) and dopy (easy-install_2.7 dopy) installed on macOS, you simply do the following. You also need an account at e.g. Digital Ocean.

git clone https://github.com/trailofbits/algo.git ansible-algo
cd ansible-algo
python2 -m ensurepip --user
python2 -m pip install --user --upgrade virtualenv
python2 -m virtualenv --python=`which python2` env &&
source env/bin/activate &&
python -m pip install -U pip &&
python -m pip install -r requirements.txt
vim config.cfg # edit users

Follow the steps in the guide on the latter command. Set iOS always-on to yes, and I recommend the same for establishing an ad-block service.

So now you have a Algo-server up and running. To find the relevant configuration (its like mobileconfig on iOS), go to configs/<ip of VPN-node>/wireguard/. Each user will have its own file ending with .config. Find a suitable transfer path to the handset you want to protect e.g. through end-to-end encrypted Pushbullet messaging, Signal or simply a memory card. These files are unencrypted, so exposing them, will expose the VPN user.

Open Wireguard and press the +, then choose “Create from file or archive”. Select configuration file you transferred and stored. When that’s complete you can enable the connection which will appear in the application.

Now, swipe down like shown below. Then press the VPN connection. In the pop-up, you select “Open VPN Settings”.

After opening the VPN settings, select the gear icon in the VPN settings:

Then, enable Always-on and block all other connection attempts.

Easy as that.

Thanks for reading!

Automating a Cloud Wireguard Server with Ansible

February 18, 2019
vpn wireguard configuration- setup