Alphabet Inc (parent company of Google), through its Jigsaw subsidiary, recently took the wraps off Outline, a simple-to-set-up proxy based on the popular Shadowsocks project. Aimed at journalists, small companies, and individuals, Outline is an open source project that comes in two parts: a proxy server and client applications that help configure the connection.
While companies can take advantage of an advanced mode to install Outline's server components onto an existing cloud server or an internal private server, most users can opt for the basic setup which is about as simple as it gets. Currently, Outline integrates with Digital Ocean using Digital Ocean's API and after signing in and authorizing Outline to make changes, it automatically spins up the lowest cost droplet and sets everything up. You never need to SSH into the VPS to configure anything. Rather, what little configuration there is (not much!) is done using a GUI Outline Manager application on a client device. The connection between the management application and the server is encrypted using a self-signed SSL certificate.
The proxy server is based on a Shadowbox image that is imported using Docker and kept up to date by Watchtower (also installed on the droplet), which checks every hour for updated images. A cron job is also automatically configured to apply security updates for the host Ubuntu operating system and reboot as needed. Finally, a management web server is installed under a secret path on a random port; it only responds to queries that specify the secret path, and only over SSL.
After watching Darren Kitchen and Shannon Morse over at Hak5 check it out, I decided to also fire it up to see if it really was that easy, and sure enough it is! The entire process is very simple taking only a few minutes (the longest step was finding my phone for the two factor authentications haha) and the management of it at least seems very hands off with the automated updates.
On the security front, Outline is a SOCKS5 proxy that reportedly uses strong encryption with an AEAD 256-bit ChaCha20 IETF Poly1305 cipher which, according to Jigsaw, ticks at least two corners of the CIA triangle (confidentiality and integrity) along with authentication using the secure keys. I think the hardest part about maintaining that security is going to be sharing the access with others, as you would need a secure channel of communication to share the needed information with. While you can generate the key easily enough for them, getting them their key for the client device could prove tricky if you are physically far away from them and do not already have a secure method of messaging (e.g. encrypted email). For most people, though, sending it through Signal or a similar mobile app, or encrypted Skype/Facebook/whatever, while not the greatest plan, is likely to prove secure enough that it balances security and convenience.
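Why the key needs a secure channel, shown as an added example (not code from this post or from the Outline project): it assumes the access key is a Shadowsocks `ss://` URI in the SIP002 layout, with the older all-base64 layout also handled. The sample key, the addresses and the function names are constructed for illustration.

```python
import base64
from urllib.parse import unquote, urlsplit

# AEAD methods defined for Shadowsocks; other methods give no integrity check.
AEAD_CIPHERS = {"chacha20-ietf-poly1305", "aes-256-gcm", "aes-192-gcm", "aes-128-gcm"}


def _b64decode(text):
    """Decode standard or URL-safe base64, with or without padding."""
    text = text.replace("-", "+").replace("_", "/")
    return base64.b64decode(text + "=" * (-len(text) % 4)).decode("utf-8")


def parse_access_key(key):
    """Return every field a holder of the ss:// access key learns from it."""
    if not key.startswith("ss://"):
        raise ValueError("not a Shadowsocks access key")
    body, _, tag = key[len("ss://"):].partition("#")
    if "@" in body:
        # SIP002 layout: only "method:password" is base64-encoded.
        encoded, _, hostport = body.rpartition("@")
        userinfo = _b64decode(unquote(encoded))
    else:
        # Legacy layout: all of "method:password@host:port" is base64-encoded.
        userinfo, _, hostport = _b64decode(body).rpartition("@")
    method, sep, password = userinfo.partition(":")
    server = urlsplit("//" + hostport)
    if not sep or not server.hostname or server.port is None:
        raise ValueError("malformed access key")
    method = method.lower()
    return {"method": method, "password": password, "host": server.hostname,
            "port": server.port, "aead": method in AEAD_CIPHERS, "tag": unquote(tag)}


def redact(key):
    """Rewrite a key with the secret masked, for logs, tickets or screenshots."""
    f = parse_access_key(key)
    return f"ss://{f['method']}:***@{f['host']}:{f['port']}"


def build_sample_key():
    """Constructed sample key (documentation IP, made-up secret)."""
    secret = b"chacha20-ietf-poly1305:constructed-secret"
    userinfo = base64.urlsafe_b64encode(secret).decode().rstrip("=")
    return f"ss://{userinfo}@192.0.2.10:8388/?outline=1#sample"


if __name__ == "__main__":
    print(parse_access_key(build_sample_key()))
    print(redact(build_sample_key()))
```

The base64 part is an encoding, not encryption: the key carries the server address, port, cipher and secret in recoverable form, so whoever sees it in transit can use the proxy as that user.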
In November, Outline was audited by Netherlands-based Radically Open Security and you can find the non-profit's report here (PDF).
Things are even simpler on the client side: after adding the server using the access key, all they have to do is hit a single connect button to get things connected for most modern web browsers and other apps that respect the set Windows registry key. Note that for Android and Chrome OS, Outline acts as a system-wide VPN, but for Windows only TCP traffic is secured and not all applications are supported yet. Support for passing UDP traffic through the SOCKS5 proxy and for system-wide VPN tunneling of all traffic is coming soon, but right now the only UDP traffic that is passed through the proxy is DNS, which is encrypted and uses the Outline server's default DNS resolver rather than passing outside of the proxy and using the Windows-configured DNS and/or ISP's DNS.
In my case, after hitting connect, Chrome automatically configured the proxy settings and I was on my way. I did run into a hiccup with getting the Outline-client app, however. I was able to download it from the Outline website using Chrome and it installed fine, but when trying to grab it through the Get Connected option in the Outline Manager app, the download link opened automatically in Microsoft Edge which proceeded to flag the file as malicious and would not let me open it (heh). Hopefully they are able to get the false positive resolved as that may trip up normal users and make it harder to convince them to use your Outline proxy.
So far I have not run into any other problems with it and things are running smoothly. Web pages are finally loading as fast as they should be as well which makes me think the problems of super slow webpage loads were not with my computer but with Comcast messing with me (we are talking some pages taking a minute to load on a 90/10 connection, even simple ones like Google and Gmail).
Outline is not a full VPN, but it is extremely easy to set up and share with others and may well be secure enough for most people. If you want to get a little more geeky, there is always OpenVPN, which you can set up with a simple script, or projects like Algo VPN, or free (as in money) commercial solutions like Pro XPN or the built-in VPN in the Opera web browser. On the positive side, Outline does not store any logs (and since it's your server you can access it and monitor it to be sure) and Jigsaw/Alphabet/Google is up front about what information they do collect, which includes server IP and non-identifiable information following crashes. Users can opt in to sharing anonymous metrics but they do not have to, and the default setting is off, which is good. The downside is that right now it is still fairly new and not as vetted as some of the other options, and while it is open source it is not necessarily free. In its best form, which is the slick setup using the Digital Ocean integration, it is $5 a month, but if you are privacy conscious it may be money well spent. If you already have an existing server you can also use that, though in that case the ease of configuration edge may not be as great and you may as well run OpenVPN unless you really dig the simple client apps and not having to manually copy and manage keys around to all your devices, possibly in a non-GUI way.
Overall, it is a neat solution and I think it has promise. Hopefully if/when Google abandons it for its next big thing they let the community have at it. As of today, Outline Manager is supported on Windows 7 (or newer) and Linux with Mac OS support coming soon. Outline supports clients using apps for Windows 7 (or newer), Android, and Chrome OS with Mac OS and iOS apps coming soon. You can find both the Outline Manager and Outline Client at https://getoutline.org. If you do end up checking it out, let me know what you think about it. More screenshots can be found below.
After playing around with it a bit more, I wish the Outline Manager app let you generate a QR code to share the link it uses to provide the key and the download for the client app (a static page hosted on Amazon S3). The options are just to copy to clipboard the link and from there it is up to you to email or share via chat of your choosing.
Meh, if you’re trusting Digital Ocean with your traffic, you might as well be trusting a commercial VPN provider instead.
I guess a commercial VPN provider is likelier to have their server IPs blocked by parties wanting to discourage privacy.