trailofbits / algo

Set up a personal VPN in the cloud

Home Page:https://blog.trailofbits.com/2016/12/12/meet-algo-the-vpn-that-works/

Geek Repo:Geek Repo

Github PK Tool:Github PK Tool

ArchLinux support (security)

resident-zero opened this issue · comments

It seems to me relevant to consider providing support for ArchLinux systems for security reasons

Unlike Ubuntu, ArchLinux is a rolling version. It provides packages of the latest version: for example, the strongswan package in the Ubuntu repositories is v5.8.2. However, the last version released is v5.9.3.

Also, the kernel versions are more recent

No?

I'm not an active maintainer of Algo, but there are a few reasons why this is probably not worth the effort:

  • Versions don't tell us everything. "Stable" distributions usually backport security fixes into the version they're pinned to, so a difference in StrongSwan versions only tells us that Arch might need a different set of configurations than Ubuntu (which adds to the maintenance load), not that the version on Ubuntu is vulnerable.
  • More recent kernel versions are not necessarily more secure, for the same reason: if the vulnerability is bad enough, it's backported. Cloud providers, in particular, tend to take this pretty seriously with the images they provide.
  • To my knowledge, Arch isn't a commonly provided image on most cloud providers. I'm sure there are some that provide it or allow you to use it via a custom image, but this is another friction point that'll probably add maintenance load.

The TL;DR is that supporting Arch Linux would not meaningfully change Algo's security posture, but would make it more difficult to maintain. Your best recourse for running a secure VPN server is to update it frequently (Algo will do this for you), disable all the features you don't need (you should be using Wireguard over StrongSwan), and avoid putting anything else on it (your Algo box should be just for Algo).