Open dguido opened 7 years ago
We need to combine this into a doc
Would this include instructions or additional config that would enable an Algo server to be set up inside a firewall and its clients able to talk to the rest of the LAN?
That is, to use the gateway (already works) and allow access to other resources on the LAN (didn't work OOTB for me).
I've set up Algo on my home network as an easy way of provisioning a more secure VPN server than my router (Ubiquiti USG) or NAS (QNAP) can provide. Having a secure connection through my own house back out to the 'net is sufficient for my needs right now, but it'll be really nice for connected devices to be "on the LAN" like the router's VPN server provides.
I think to do that, you need to deploy with the "BetweenClients_DROP" flag set to false in config.cfg. This should be in the FAQ as well.
@TC1977, thanks! Would that also enable VPN clients to access the rest of the LAN?
Just to clarify - let's say your Algo server is on the LAN at 192.168.1.1, and other machines are on the same subnet. Your Wireguard subnet by default is 10.19.49.x, and your IPsec subnet is 10.19.48.x. Your Algo server advertises itself as a DNS server at 172.16.y.z. You want clients connecting at 10.19.49.x to connect to machines at 192.168.1.x as well?
I don't have a way of testing this, but I don't think it'll work. You may need an additional rule in your Algo server's iptables. Try it and lemme know.
Almost like that but more enterprise-friendly.
An example closer to my reality:
Gateway and DHCP server for the LAN is at 10.1.1.1 with subnet /24. DNS server is at 10.1.1.2. Algo server is 10.1.1.3. The gateway host also has a WAN-facing VPN service that distributes leases in the 10.1.2.1/29 range and points DNS to 10.1.1.2.
As such, I'd like to put Algo's Wireguard lease range at 10.1.3.0/29 and IPSEC at 10.1.4.0/29 (these should be trivial to do, I've just not done it yet). Then, configure Algo to pass 10.1.1.2 for DNS and ~allow traffic from either of its ranges to access anything on the subnet (I really should reduce the subnet range for tidiness if nothing else)~. Upon testing, I can access the LAN already - by IP. I need to get Wireguard to use 10.1.1.2 for DNS resolution itself or to pass it to clients.
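Before changing the WireGuard and IPsec pools in config.cfg, it is worth checking the address plan the comment above lays out. The script below is an added example for this thread, not code from the Algo project or from either participant: it takes the LAN, the router's existing VPN pool and the proposed Algo pools, reports any overlapping ranges, confirms that the internal resolver (10.1.1.2) sits on the LAN rather than inside a VPN pool, and estimates how many clients each /29 can hold. The capacity figure assumes, as Algo does, that the VPN server takes the first usable address of each pool; the names of the plan entries are this example's own.

```python
"""Added example (not from the Algo project or this thread): sanity-check a
LAN/VPN address plan like the one described above before editing config.cfg."""
import ipaddress
from itertools import combinations

# Address plan constructed from the comment above (name -> prefix). The
# router VPN pool is written host-style, exactly as in the comment, and is
# normalised by parse_plan().
PLAN = {
    "lan": "10.1.1.0/24",
    "router_vpn": "10.1.2.1/29",
    "wireguard": "10.1.3.0/29",
    "ipsec": "10.1.4.0/29",
}
LAN_DNS = "10.1.1.2"  # internal resolver the VPN clients should end up using


def parse_plan(plan):
    """Turn prefix strings into IPv4Network objects. strict=False accepts a
    host-style prefix such as 10.1.2.1/29 and masks the host bits off."""
    return {name: ipaddress.ip_network(prefix, strict=False)
            for name, prefix in plan.items()}


def find_overlaps(networks):
    """Return every pair of named networks that share addresses. Overlap
    between the LAN and a pool, or between two pools, gives the Algo host
    ambiguous routes, so the expected answer is an empty list."""
    return sorted(
        (a, b) for (a, na), (b, nb) in combinations(networks.items(), 2)
        if na.overlaps(nb)
    )


def client_capacity(network):
    """Clients a pool can hold, assuming the VPN server takes the first
    usable address and the network/broadcast addresses stay unused."""
    return max(len(list(network.hosts())) - 1, 0)


def check_plan(plan, dns_server):
    """Run the checks a practitioner wants before deploying: no overlapping
    ranges, the resolver really lives on the LAN (and not inside a VPN
    pool), and each pool has room for the expected number of clients."""
    nets = parse_plan(plan)
    dns = ipaddress.ip_address(dns_server)
    report = {
        "overlaps": find_overlaps(nets),
        "dns_on_lan": dns in nets["lan"],
        "dns_in_vpn_pool": [name for name, net in nets.items()
                            if name != "lan" and dns in net],
        "capacity": {name: client_capacity(net) for name, net in nets.items()
                     if name != "lan"},
    }
    report["ok"] = (not report["overlaps"] and report["dns_on_lan"]
                    and not report["dns_in_vpn_pool"])
    return report


if __name__ == "__main__":
    for key, value in check_plan(PLAN, LAN_DNS).items():
        print(f"{key}: {value}")
```

With the plan from the comment the report comes back clean, and each /29 holds five clients after the server takes its address; if that is too few, widen the pool in config.cfg rather than reusing part of the LAN, which the overlap check would flag.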
Ok, so redirecting to a DNS server on the LAN is a slightly different issue. Algo installs dnscrypt-proxy with DOH and DNSSEC required, to better secure your DNS requests going into/out of its home network (AWS/DO/whatever, using the simplest cloud install model). But if you already control your own network, that part might not be necessary at all.
So the simplest way to do this might be to just send all DNS from the clients to your internal DNS server. You can try simply changing the DNS server in the client.conf to 10.1.1.2 and see if that works. But then you'll have to change all the client.conf files, either with a script before distributing files or by modifying the Ansible scripts somewhere to hijack the line setting the DNS to local_service_ip.
Another way which doesn't involve changing an enterprise-level number of client.conf files would be to keep dnscrypt-proxy on the Algo server, but point it to your internal DNS. You could deploy by setting dns_encryption to false, and changing dns_servers: to 10.1.1.2 in the appropriate IPv4 and IPv6 fields.
EDIT: @colindean wanna open this up as a separate issue, and we can work on it there?
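The first approach above, rewriting the DNS line in every generated client.conf before distributing the files, is easy to script. The following is an added example for this thread, not code from the Algo project or from either participant. It assumes the WireGuard client config layout shown in the constructed sample (an [Interface] section with a single DNS line, the resolver being Algo's local_service_ip, taken here as 172.16.0.1) and the configs/<server>/wireguard/ directory layout; the file and host names are placeholders. The rewrite refuses configs with more than one DNS line, reports files that carry no DNS line at all instead of silently skipping them, and is idempotent, so it can be re-run after regenerating clients.

```python
"""Added example (not from the Algo project or this thread): point every
WireGuard client.conf at an internal resolver before handing the files out."""
import re
import tempfile
from pathlib import Path

# Constructed sample of an Algo-style WireGuard client config. Key material
# and the endpoint are placeholders; the resolver is the assumed
# local_service_ip and the address comes from the default 10.19.49.0/24 pool.
SAMPLE_CONF = """\
[Interface]
PrivateKey = <client-private-key-placeholder>
Address = 10.19.49.2/32
DNS = 172.16.0.1

[Peer]
PublicKey = <server-public-key-placeholder>
AllowedIPs = 0.0.0.0/0,::/0
Endpoint = vpn.example.invalid:51820
"""

# Matches one DNS line; [ \t] rather than \s so a blank line before the
# DNS line is never swallowed under re.MULTILINE.
DNS_LINE = re.compile(r"^[ \t]*DNS[ \t]*=[ \t]*(.*?)[ \t]*$", re.MULTILINE)


def dns_servers_of(conf_text):
    """Return the resolver list from the DNS line, or [] if there is none."""
    m = DNS_LINE.search(conf_text)
    if not m:
        return []
    return [s.strip() for s in m.group(1).split(",") if s.strip()]


def rewrite_dns(conf_text, new_servers):
    """Return (new_text, changed). A config without a DNS line (Algo omits it
    when DNS was disabled at generation time) is returned unchanged with
    changed=False so the caller can decide what to do with it."""
    new_text, count = DNS_LINE.subn(
        lambda _m: "DNS = " + ", ".join(new_servers), conf_text)
    if count > 1:
        raise ValueError("more than one DNS line in client config")
    return new_text, count == 1


def rewrite_tree(config_dir, new_servers):
    """Rewrite every *.conf below config_dir in place; returns a summary
    keyed by path so the operator can see which files were left alone."""
    summary = {}
    for path in sorted(Path(config_dir).rglob("*.conf")):
        new_text, changed = rewrite_dns(path.read_text(), new_servers)
        if changed:
            path.write_text(new_text)
        summary[str(path)] = "rewritten" if changed else "no DNS line"
    return summary


def demo():
    """Write the constructed sample into a scratch directory, rewrite it to
    use the LAN resolver from the thread, and read the result back."""
    with tempfile.TemporaryDirectory() as tmp:
        conf_dir = Path(tmp) / "configs" / "vpn.example.invalid" / "wireguard"
        conf_dir.mkdir(parents=True)
        (conf_dir / "laptop.conf").write_text(SAMPLE_CONF)
        summary = rewrite_tree(tmp, ["10.1.1.2"])
        servers = dns_servers_of((conf_dir / "laptop.conf").read_text())
    return {"files": len(summary), "servers": servers}


if __name__ == "__main__":
    print(demo())
```

Run it against a copy of the configs directory and diff the result before distributing anything; a "no DNS line" entry in the summary means that client was generated without DNS push and needs attention rather than a blind edit.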
Broke my concerns out into https://github.com/trailofbits/algo/issues/1609.
Many users have installed Algo on their routers, rather than a VPS provider, and this issue aggregates documentation for them.