Saved searches
Use saved searches to filter your results more quickly
You signed in with another tab or window. Reload to refresh your session. You signed out in another tab or window. Reload to refresh your session. You switched accounts on another tab or window. Reload to refresh your session.
License
gitbork/streisand
This commit does not belong to any branch on this repository, and may belong to a fork outside of the repository.
Name already in use
A tag already exists with the provided branch name. Many Git commands accept both tag and branch names, so creating this branch may cause unexpected behavior. Are you sure you want to create this branch?
Sign In Required
Please sign in to use Codespaces.
Launching GitHub Desktop
If nothing happens, download GitHub Desktop and try again.
Launching GitHub Desktop
If nothing happens, download GitHub Desktop and try again.
Launching Xcode
If nothing happens, download Xcode and try again.
Launching Visual Studio Code
Your codespace will open once ready.
There was a problem preparing your codespace, please try again.
Latest commit
Git stats
Files
Failed to load latest commit information.
README.md
Silence censorship. Automate the effect.
The Internet can be a little unfair. It’s way too easy for ISPs, telecoms, politicians, and corporations to block access to the sites and information that you care about. But breaking through these restrictions is tough. Or is it?
- A single command sets up a brand new Ubuntu 16.04 server running a wide variety of anti-censorship software that can completely mask and encrypt all of your Internet traffic.
- Streisand natively supports the creation of new servers at Amazon EC2, DigitalOcean, Google Compute Engine, Linode, and Rackspace—with more providers coming soon! It also runs on any Ubuntu 16.04 server regardless of provider, and hundreds of instances can be configured simultaneously using this method.
- The process is completely automated and only takes about ten minutes, which is pretty awesome when you consider that it would require the average system administrator several days of frustration to set up even a small subset of what Streisand offers in its out-of-the-box configuration.
- Once your Streisand server is running, you can give the custom connection instructions to friends, family members, and fellow activists. The connection instructions contain an embedded copy of the server’s unique SSL certificate, so you only have to send them a single file.
- Each server is entirely self-contained and comes with absolutely everything that users need to get started, including cryptographically verified mirrors of all common clients. This renders any attempted censorship of default download locations completely ineffective.
- But wait, there’s more.
- Nginx powers a password-protected and encrypted Gateway that serves as the starting point for new users. The Gateway is accessible over SSL, or as a Tor hidden service.
- Beautiful, custom, step-by-step client configuration instructions are generated for each new server that Streisand creates. Users can quickly access these instructions through any web browser. The instructions are responsive and look fantastic on mobile phones.
- The integrity of mirrored software is ensured using SHA-256 checksums, or by verifying GPG signatures if the project provides them. This protects users from downloading corrupted files.
- All ancillary files, such as OpenVPN configuration profiles, are also available via the Gateway.
- Current Tor users can take advantage of the additional services Streisand sets up in order to transfer large files or to handle other traffic (e.g. BitTorrent) that isn’t appropriate for the Tor network.
- A unique password, SSL certificate, and SSL private key are generated for each Streisand Gateway. The Gateway instructions and certificate are transferred via SSH at the conclusion of Streisand’s execution.
- All of the connection methods (including L2TP/IPsec and direct OpenVPN connections) are effective against the type of blocking Turkey has been experimenting with.
- OpenConnect/AnyConnect, OpenSSH, OpenVPN (wrapped in stunnel), Shadowsocks, and Tor (with obfsproxy and the obfs4 pluggable transport) are all currently effective against China’s Great Firewall.
- L2TP/IPsec is a notable exception to this rule because the ports cannot be changed without breaking client compatibility
- L2TP/IPsec using Libreswan and xl2tpd
- A randomly chosen pre-shared key and password are generated.
- Windows, OS X, Android, and iOS users can all connect using the native VPN support that is built into each operating system without installing any additional software.
- Monitors process health and automatically restarts services in the unlikely event that they crash or become unresponsive.
- An unprivileged forwarding user and SSH keypair are generated for sshuttle and SOCKS capabilities.
- Windows and Android SSH tunnels are also supported, and a copy of the keypair is exported in the .ppk format that PuTTY requires.
- Tinyproxy is installed and bound to localhost. It can be accessed over an SSH tunnel by programs that do not natively support SOCKS and that require an HTTP proxy, such as Twitter for Android.
- OpenConnect (ocserv) is an extremely high-performance and lightweight VPN server that also features full compatibility with the official Cisco AnyConnect clients.
- The protocol is built on top of standards like HTTP, TLS, and DTLS, and it’s one of the most popular and widely used VPN technologies among large multi-national corporations.
- This means that in addition to its ease-of-use and speed, OpenConnect is also highly resistant to censorship and is almost never blocked.
- Self-contained «unified» .ovpn profiles are generated for easy client configuration using only a single file.
- Both TCP and UDP connections are supported.
- Multiple clients can easily share the same certificates and keys, but five separate sets are generated by default.
- Client DNS resolution is handled via Dnsmasq to prevent DNS leaks.
- TLS Authentication is enabled which helps protect against active probing attacks. Traffic that does not have the proper HMAC is simply dropped.
- The high-performance libev variant is installed. This version is capable of handling thousands of simultaneous connections.
- A QR code is generated that can be used to automatically configure the Android and iOS clients by simply taking a picture. You can tag ‘8.8.8.8’ on that concrete wall, or you can glue the Shadowsocks instructions and some QR codes to it instead!
- One-time Authentication (OTA) is enabled for enhanced security and improved GFW evasion.
- Sslh is a protocol demultiplexer that allows Nginx, OpenSSH, and OpenVPN to share port 443. This provides an alternative connection option and means that you can still route traffic via OpenSSH and OpenVPN even if you are on a restrictive network that blocks all access to non-HTTP ports.
- Listens for and wraps OpenVPN connections. This makes them look like standard SSL traffic and allows OpenVPN clients to successfully establish tunnels even in the presence of Deep Packet Inspection.
- Unified profiles for stunnel-wrapped OpenVPN connections are generated alongside the direct connection profiles. Detailed instructions are also generated.
- The stunnel certificate and key are exported in PKCS #12 format so they are compatible with other SSL tunneling applications. Notably, this enables OpenVPN for Android to tunnel its traffic through SSLDroid. OpenVPN in China on a mobile device? Yes!
- A bridge relay is set up with a random nickname.
- Obfsproxy is installed and configured with support for the obfs4 pluggable transport.
- A BridgeQR code is generated that can be used to automatically configure Orbot for Android.
- Firewall rules are configured for every service, and any traffic that is sent to an unauthorized port will be blocked.
- Your Streisand server is configured to automatically install new security updates.
- Linux users can take advantage of this next-gen, simple, kernel-based, state-of-the-art VPN that also happens to be ridiculously fast.
- In addition to the public-key crypto that WireGuard uses by default, a pre-shared key is also configured to help provide post-quantum resistance. Use the VPN of the future with an eye towards the future!
Please read all installation instructions carefully before proceeding.
Streisand is based on Ansible, an automation tool that is typically used to provision and configure files and packages on remote servers. Streisand automatically sets up another remote server with the VPN packages and configuration.
Streisand will spin up and deploy another server on your chosen hosting provider when you run on your home machine (e.g. your laptop). Usually, you do not run Streisand on the remote server as by default this would result in the deployment of another server from your server and render the first server redundant (whew!). Support for local provisioning (i.e. Streisand locally configuring the system on which it is installed) will be added soon.
Complete all of these tasks on your local home machine.
- Streisand requires a BSD, Linux, or OS X system. As of now, Windows is not supported. All of the following commands should be run inside a Terminal session.
- Python 2.7 is required. This comes standard on OS X, and is the default on almost all Linux and BSD distributions as well. If your distribution packages Python 3 instead, you will need to install version 2.7 in order for Streisand to work properly.
- Make sure an SSH key is present in ~/.ssh/id_rsa.pub.
- If you do not have an SSH key, you can generate one by using this command and following the defaults:
sudo apt-get install python-paramiko python-pip python-pycurl python-dev build-essential
sudo yum install python-pip
sudo easy_install pip sudo pip install pycurl
brew update && brew install ansible
sudo pip install ansible markupsafe
sudo pip install "apache-libcloud>=0.17.0"
sudo pip install linode-python
mkdir -p ~/Library/Python/2.7/lib/python/site-packages echo '/usr/local/lib/python2.7/site-packages' > ~/Library/Python/2.7/lib/python/site-packages/homebrew.pth
git clone https://github.com/jlund/streisand.git && cd streisand
Running Streisand on Other Providers
You can also run Streisand on any number of new Ubuntu 16.04 servers. Dedicated hardware? Great! Esoteric cloud provider? Awesome! To do this, simply edit the inventory file and uncomment the final two lines. Replace the sample IP with the address (or addresses) of the servers you wish to configure. Make sure you read through all of the documentation in the inventory file and update the ansible.cfg file if necessary. Then run the Streisand playbook directly:
ansible-playbook playbooks/streisand.yml
The servers should be accessible using SSH keys, and root is used as the connecting user by default (though this is simple to change while editing the inventory file).
- Native Microsoft Azure support.
- Role isolation and selection, allowing you to choose which daemons and services are installed.
- Easier setup.
If there is something that you think Streisand should do, or if you find a bug in its documentation or execution, please file a report on the Issue Tracker.
Jason A. Donenfeld deserves a lot of credit for being brave enough to reimagine what a modern VPN should look like and for coming up with something as good as WireGuard. He has my sincere thanks for all of his patient help and high-quality feedback.
Corban Raun was kind enough to lend me a Windows laptop that let me test and refine the instructions for that platform, and he was a big supporter of the project from the very beginning.
I cannot express how grateful I am to Trevor Smith for his massive contributions to the project. He suggested the Gateway approach, provided tons of invaluable feedback, made everything look better, and developed the HTML template that served as the inspiration to take things to the next level before Streisand’s public release. I also appreciated the frequent use of his iPhone while testing various clients.
Huge thanks to Paul Wouters of The Libreswan Project for his generous help troubleshooting the L2TP/IPsec setup.
I also listened to Starcadian’s ‘Sunset Blood’ album approximately 300 times on repeat while working on this.