Setting up Shadowsocks server on AWS + clients on Windows/Android/Linux

Intent : Secure VPN setup for bypassing firewalls. Not meant for setup of a virtual company network for secure exchange of information.

Step 1: Set up a free tier AWS account. You can skip this step if you already have an account. Log in to your AWS account.

Step 2: Find a good location for your server. Your VPN server has to sit between you and the majority of the sites you access. For example, if you are in Asia and a significant share of your traffic goes to the US, HK and Tokyo make good choices. Take a look at the undersea cable map below to decide –

Courtesy : http://publichealthintelligence.org

Step 3: Choose the region in the top right corner of your AWS console.

Step 4: Browse to EC2 service

Step 5: Launch an EC2 instance.

Step 6: Search for an Ubuntu instance and choose the top result (64-bit, x86).

Step 7: Launch the instance. You may be asked to create a key or choose one. If you are creating one, make sure you download the key and keep it safe. There is no other way of logging in to the newly created instance if you don't have the key. A couple of useful links are shown on the following page. If you are new to all of this, do check out the links to understand how to log in to the instance.

Step 8: Log in to the instance using the key.

Step 9: Prepare for fast encryption and decryption (install libsodium). Read this page and you will understand why: https://bearssl.org/speed.html. Also, change the TCP congestion control algorithm.

#install libsodium
sudo apt-get update
sudo apt-get -y install python-m2crypto
sudo apt-get -y install build-essential
git clone https://github.com/jedisct1/libsodium.git
cd libsodium
git checkout stable
./configure 
make 
sudo make install
sudo ldconfig
cd - 

#install BBR (bbr.sh runs as root, so read it before executing it)
wget https://github.com/teddysun/across/raw/master/bbr.sh
chmod +x bbr.sh
sudo ./bbr.sh

Step 10: Speed up routing and congestion handling. Be extremely careful while copying and pasting these commands. You can completely mess up the system by getting them wrong.

sudo su - #all commands as root
echo  "net.ipv4.tcp_congestion_control = bbr" >> /etc/sysctl.conf
echo "* soft nofile 51200" >> /etc/security/limits.conf
echo "* hard nofile 51200" >> /etc/security/limits.conf
echo "session required pam_limits.so" >> /etc/pam.d/common-session
echo "ulimit -n 51200" >> /etc/profile

Step 11: Install and configure shadowsocks

sudo apt-get -y install shadowsocks

Edit /etc/shadowsocks/config.json. The password shown is a placeholder; replace it with a long random value of your own.

{
   "server":"0.0.0.0",
   "server_port":8888,
   "local_address": "127.0.0.1",
   "local_port":1080,
   "password":"12345678",
   "timeout":300,
   "method":"chacha20",
   "fast_open": false,
   "workers": 1,
   "prefer_ipv6": false
}
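A check for the config.json above, as an added example that is not part of the original page or of the Shadowsocks project. The names `audit_config`, `new_password` and `MIN_PASSWORD_LEN` are hypothetical, the length threshold is an assumed local policy, and whether the apt-packaged server accepts an AEAD method is not stated on this page, so confirm that before changing `method`.

```python
import json
import secrets

# AEAD methods from the Shadowsocks AEAD spec; any other method is a legacy stream cipher.
AEAD_METHODS = {"aes-128-gcm", "aes-192-gcm", "aes-256-gcm",
                "chacha20-ietf-poly1305", "xchacha20-ietf-poly1305"}
MIN_PASSWORD_LEN = 16  # assumption: local policy, not a Shadowsocks requirement


def audit_config(text):
    """Return a list of findings for a Shadowsocks config.json given as text."""
    cfg = json.loads(text)
    findings = []
    pw = str(cfg.get("password", ""))
    if len(pw) < MIN_PASSWORD_LEN:
        findings.append("password shorter than %d characters" % MIN_PASSWORD_LEN)
    if pw.isdigit() or len(set(pw)) < 8:
        findings.append("password is digits-only or has few distinct characters")
    method = cfg.get("method", "")
    if method not in AEAD_METHODS:
        findings.append("method %r is not an AEAD cipher (no integrity check)" % method)
    port = cfg.get("server_port")
    if not isinstance(port, int) or not 1 <= port <= 65535:
        findings.append("server_port %r is not a valid port" % (port,))
    return findings


def new_password(nbytes=24):
    """Random URL-safe password from the OS CSPRNG (32 characters for 24 bytes)."""
    return secrets.token_urlsafe(nbytes)


# Constructed sample: the config.json shown in Step 11 of this page.
SAMPLE = """{
   "server":"0.0.0.0", "server_port":8888,
   "local_address": "127.0.0.1", "local_port":1080,
   "password":"12345678", "timeout":300, "method":"chacha20",
   "fast_open": false, "workers": 1, "prefer_ipv6": false
}"""

if __name__ == "__main__":
    for finding in audit_config(SAMPLE):
        print("FINDING:", finding)
    print("suggested password:", new_password())
```
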

Step 12: Go to the EC2 console and edit the security group on AWS to make sure the required ports are open.

Note the name of the security group. Then go to the security groups in the EC2 console.

Choose the security group noted in the earlier step. Although not advised, just for simplicity's sake, open all ports from 1000 onwards for both TCP and UDP –

Step 13: For client-side setup, follow the instructions here: https://shadowsocks.org/en/download/clients.html

Setting up Algo VPN on AWS + clients on Windows/Android/Linux

Intent : Secure VPN setup for bypassing firewalls. Not meant for setup of a virtual company network for secure exchange of information.

Step 1: Set up a free tier AWS account. You can skip this step if you already have an account. Log in to your AWS account.

Step 2: Find a good location for your server. Your VPN server has to sit between you and the majority of the sites you access. For example, if you are in Asia and a significant share of your traffic goes to the US, HK and Tokyo make good choices. Take a look at the undersea cable map below to decide –

Courtesy : http://publichealthintelligence.org

Step 3: Choose the region in the top right corner of your AWS console.

Step 4: Browse to EC2 service

Step 5: Launch an EC2 instance.

Step 6: Search for an Ubuntu instance and choose the top result (64-bit, x86).

Step 7: Launch the instance. You may be asked to create a key or choose one. If you are creating one, make sure you download the key and keep it safe. There is no other way of logging in to the newly created instance if you don't have the key. A couple of useful links are shown on the following page. If you are new to all of this, do check out the links to understand how to log in to the instance.

Step 8: Log in to the instance using the key.

Step 9: Download the Algo VPN scripts from here, or clone the repository directly:

git clone https://github.com/trailofbits/algo.git

Step 10: Follow the steps prescribed here to install the dependencies, edit the user list in config.cfg and launch the script – https://github.com/trailofbits/algo

sudo apt-get update
sudo apt-get install python3-pip
sudo apt install -y python3-virtualenv
python3 -m virtualenv --python="$(command -v python3)" .env && source .env/bin/activate && python3 -m pip install -U pip virtualenv && python3 -m pip install -r requirements.txt

While running the script, two questions are important. The rest can be left to defaults.

What provider would you like to use?
11. Install to existing Ubuntu 18.04 or 19.04 server (Advanced)

And,

Enter the public IP address or domain name of your server: (IMPORTANT! This is used to verify the certificate).

Here, you have to enter the domain name as indicated on the EC2 console. Right click on the instance and click on “Connect” to find out the domain name. It should be something like – ec2-XX-XX-XX-XX.eu-central-1.compute.amazonaws.com

Step 11: Go to the EC2 console and edit the security group on AWS to make sure the required ports are open.

Note the name of the security group. Then go to the security groups in the EC2 console.

Choose the security group noted in the earlier step. Although not advised, just for simplicity's sake, open all ports from 1000 onwards for both TCP and UDP –
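A check for the security-group step here and for Step 12 of the Shadowsocks section, added as an example that is not from the original page or from AWS: it reads the JSON printed by `aws ec2 describe-security-groups` and reports rules that expose more ports than the server listens on. The names `audit_ingress` and `rule`, the group id and the SSH source address are constructed; the sample uses the Shadowsocks `server_port` 8888 from this page, and for Algo you would pass the ports your own deployment uses.

```python
import json


def audit_ingress(describe_json, needed):
    """Flag ingress rules that expose more ports than the server needs.

    describe_json: text output of `aws ec2 describe-security-groups`.
    needed: set of (protocol, port) pairs the server listens on.
    Returns (group_id, protocol, from_port, to_port, cidr, unneeded_ports) tuples.
    """
    findings = []
    for sg in json.loads(describe_json)["SecurityGroups"]:
        for perm in sg.get("IpPermissions", []):
            proto = perm["IpProtocol"]
            if proto == "-1":                 # "-1" means every protocol and port
                lo, hi, protos = 0, 65535, ("tcp", "udp")
            elif proto in ("tcp", "udp"):
                lo, hi, protos = perm["FromPort"], perm["ToPort"], (proto,)
            else:
                continue                      # ICMP and others are out of scope here
            wanted = sum(1 for p, port in needed if p in protos and lo <= port <= hi)
            unneeded = (hi - lo + 1) * len(protos) - wanted
            if unneeded:
                for rng in perm.get("IpRanges", []):   # IPv4 sources only
                    findings.append((sg["GroupId"], proto, lo, hi, rng["CidrIp"], unneeded))
    return findings


def rule(proto, lo, hi, cidr):
    """Build one IpPermissions entry in the describe-security-groups shape."""
    return {"IpProtocol": proto, "FromPort": lo, "ToPort": hi, "IpRanges": [{"CidrIp": cidr}]}


def group(rules):
    """Wrap rules in a constructed security group (placeholder group id)."""
    return json.dumps({"SecurityGroups": [
        {"GroupId": "sg-0123456789abcdef0", "IpPermissions": rules}]})


# Constructed sample data: the "all ports from 1000 onwards" setup and a narrowed one.
SSH = rule("tcp", 22, 22, "203.0.113.10/32")  # placeholder admin address
WIDE = group([SSH, rule("tcp", 1000, 65535, "0.0.0.0/0"), rule("udp", 1000, 65535, "0.0.0.0/0")])
TIGHT = group([SSH, rule("tcp", 8888, 8888, "0.0.0.0/0"), rule("udp", 8888, 8888, "0.0.0.0/0")])
NEEDED = {("tcp", 22), ("tcp", 8888), ("udp", 8888)}  # SSH plus server_port 8888

if __name__ == "__main__":
    for finding in audit_ingress(WIDE, NEEDED):
        print("too wide:", finding)
```
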

Step 12 : For client side setup, follow the instructions here.

Windows installer – https://download.wireguard.com/windows-client/wireguard-amd64-0.0.29.msi

You can locate the conf files and the PNG files for scanning in a subdirectory on the server –
/algo/configs/ec2-xx-xx-xx-xx.eu-central-1.compute.amazonaws.com/wireguard