Streisand

The Streisand effect in full force.

The internet is not fair to us. ISPs, carriers, and politicians collude to block the websites and information we care about and pay attention to. Maybe it’s time to break the chains and fight back head-on.

About Streisand

  • With just a simple script, you can run multiple different internet freedom tools on a fresh Ubuntu 16.04
    server, allowing you to stay anonymous while encrypting all of your network traffic.
  • Streisand natively supports multiple VPS providers, including Amazon EC2, Microsoft Azure, DigitalOcean,
    Google Cloud Platform, Linode, and Rackspace; as development continues, more cloud and VPS providers will
    be supported. As long as the server runs Ubuntu 16.04, this deployment method works regardless of the
    provider, even across hundreds of instances.
  • If everything goes smoothly, the entire deployment process takes about 10 minutes. Someone without system
    administration skills might spend days completing just one of these tasks, while Streisand gives you a
    smooth out-of-the-box experience.
  • Once deployment is complete, you can send the user guide to your friends, family, and anyone you consider
    important **(Translator’s note: the original says activists)**. That guide contains the one and only SSL
    certificate, which means all you’re sending them is a simple file.
  • The deployed gateway includes everything users need, such as setup guides and the required clients for
    supported operating systems. Even friends who cannot download the official clients can get the latest
    versions they need from the mirror on the gateway.
  • This is only the beginning—come on, the best is yet to come…

More Features

  • When new users log in, Nginx provides password protection and gateway encryption. The encrypted gateway is
    secured via SSL certificates, or through Tor hidden services.

    • The gateway automatically generates client configuration instructions and hosts them on the lightweight
      HTTP server Nginx. You can easily read them in a desktop or mobile browser and configure the client step
      by step.
    • All client software required for internet freedom use has been verified with SHA-256 checksums and
      authenticated with GPG signatures. This ensures that users who cannot download clients through official
      channels can still safely download them from the mirror.
    • Any additional files required by client applications, such as OpenVPN configuration files, can all be
      downloaded through the gateway.
    • Tor users can use the other services provided by Streisand to move large files or other non-Tor traffic
      (for example, BitTorrent (BT), which traditional Tor is not well suited for).
    • The gateway automatically generates a unique password, an SSL certificate, and an SSL private key. After
      Streisand is deployed, the gateway instructions and certificates are transmitted via SSH.
    • Different services and multiple daemons provide tremendous flexibility. If one connection method is
      blocked, there are still others you can try. Most of them can avoid deep packet inspection.
    • OpenConnect/AnyConnect, OpenSSH (untested), OpenVPN (with stunnel), Shadowsocks, and Tor (obfuscated with
      obfs4) can all be used in China.
  • Every circumvention tool comes with documentation and a detailed description. Streisand may be the most
    comprehensive guide to date for helping you install and configure clients. When necessary, you can also
    complete any related operations manually.
  • To prevent circumvention tools from being widely disrupted, the ports are also carefully chosen by design.
    For example, OpenVPN does not run on the default port 1194, but on port 636, which is the standard LDAP/SSL
    port used by many multinational companies.

    • Special note: L2TP/IPsec cannot be moved to another port, for compatibility reasons.

Services Provided

  • L2TP/IPsec is set up using Libreswan/xl2tpd.

    • A randomly generated pre-shared key and passwords;
    • Windows, macOS, Android, and iOS users can use the built-in VPN client on their systems to configure and
      connect, without needing to download additional third-party software.
  • Monit

    • It monitors and manages runtime status, and automatically restarts processes that have crashed or stopped
      responding.
  • OpenSSH

    • Supports SSH tunneling on Windows and Android, which requires exporting the default key pair to .ppk
      format with PuTTY;
    • Tinyproxy is installed by default and bound to the host, serving as an HTTP(S) proxy for software that
      does not natively support SOCKS proxies, so that it can reach the network through the SSH tunnel (for
      example, BIRD Whisper on Android).
  • OpenConnect / Cisco AnyConnect

    • OpenConnect (ocserv) is a very powerful, lightweight VPN server and is fully compatible with Cisco’s
      AnyConnect client;
    • It builds on widely deployed standard protocols such as HTTP, TLS, and DTLS, as well as many technologies
      that multinational companies rely on every day;
    • This means OpenConnect is very easy to use and fast, and it stands up well to censorship, having almost
      never been blocked.
  • OpenVPN

    • Generates simple client configuration files from the built-in .ovpn template;
    • Supports both TCP and UDP connections;
    • Multiple clients can share the same certificate and key, but 5 separate configurations are generated by
      default;
    • Client DNS resolution is handled by Dnsmasq to prevent DNS leaks;
    • TLS authentication is enabled to help prevent active probing attacks: traffic that fails the HMAC check
      is dropped.
  • Shadowsocks

    • Installs the high-performance libev version, which can handle thousands of concurrent connections;
    • On Android and iOS, automatic configuration can be completed simply by scanning a QR code. DNS can be set
      to 8.8.8.8, or the configuration values can be copied and pasted into the client one by one;
    • Uses the ChaCha20-Poly1305 AEAD cipher, enhancing security and improving bypass capabilities;
    • Uses the simple-obfs plugin to provide traffic obfuscation, making it easier to evade censored networks
      (especially under QoS throttling).
  • sslh

    • sslh is a protocol multiplexer (I’m not familiar with this one; if there’s a better translation, please
      request it). In a highly restricted network environment (for example, one where only HTTP ports are
      accessible), it serves as an alternative solution that still allows connections via OpenSSH and OpenVPN,
      because sslh lets both share port 443.
  • Stunnel

    • Listens for and encapsulates OpenVPN traffic, disguising it as standard SSL traffic so that OpenVPN
      clients can connect through the tunnel and evade deep packet inspection.
    • The OpenVPN configuration files for tunneled connections and direct OpenVPN connections are generated
      together, along with detailed instructions.
    • stunnel certificates and keys are in PKCS #12 format, which SSL tunneling programs support well; in
      particular, OpenVPN for Android can also tunnel through SSLDroid. This makes it possible to use OpenVPN on
      mobile devices in China *(to the best of the translator’s knowledge, OpenVPN had previously been
      completely blocked in mainland China)*.
  • Tor

    • The bridge name is generated randomly;
    • Obfsproxy is installed by default and configured to support the obfs4 transport;
    • On Android phones, simply scan the QR code with Orbot to obtain the bridge information and complete
      automatic configuration.
  • UFW

    • The firewall is fully configured according to the different services, and any unauthorized traffic will
      be blocked.
  • Automatic unattended security updates for the system

    • The server where Streisand is installed is automatically configured for unattended updates, with the
      update level set to security updates.
  • WireGuard

    • Linux users can use this next-generation, more streamlined, kernel-based VPN, which is fast and uses many
      encryption types not previously available in VPNs.
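The Shadowsocks item above says Android and iOS clients configure themselves by scanning a QR code. That QR code carries a text URI; the ss:// SIP002 form is assumed here to be what it encodes, and the example below builds and parses one so its contents are visible. This is an added illustration, not Streisand's own generator, and the host, port, password, plugin and tag values are constructed. The point for anyone handing out the gateway documents: the password in the URI is base64-encoded, not encrypted, so the QR image needs the same confidential handling as the rest of the docs.

```python
import base64
from urllib.parse import parse_qs, quote, unquote, urlsplit


def _b64url(raw: bytes) -> str:
    """URL-safe base64 without padding, as the SIP002 userinfo field is written."""
    return base64.urlsafe_b64encode(raw).decode("ascii").rstrip("=")


def _b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def build_ss_uri(host, port, method, password, plugin=None, tag=None) -> str:
    """ss://base64url(method:password)@host:port/?plugin=...#tag (SIP002)."""
    userinfo = _b64url(f"{method}:{password}".encode("utf-8"))
    uri = f"ss://{userinfo}@{host}:{port}"
    if plugin:                      # e.g. "obfs-local;obfs=http" for simple-obfs
        uri += "/?plugin=" + quote(plugin, safe="")
    if tag:
        uri += "#" + quote(tag, safe="")
    return uri


def parse_ss_uri(uri: str) -> dict:
    """Inverse of build_ss_uri. SIP002 form only; IPv6 literals are not handled."""
    parts = urlsplit(uri)
    if parts.scheme != "ss" or "@" not in parts.netloc:
        raise ValueError("not a SIP002 ss:// URI")
    userinfo, _, hostport = parts.netloc.rpartition("@")
    method, _, password = _b64url_decode(userinfo).decode("utf-8").partition(":")
    host, _, port = hostport.rpartition(":")
    plugin = parse_qs(parts.query).get("plugin", [None])[0]
    return {"host": host, "port": int(port), "method": method,
            "password": password, "plugin": plugin,
            "tag": unquote(parts.fragment) or None}


# Constructed sample values, not taken from any real gateway.
SAMPLE_URI = build_ss_uri("203.0.113.10", 8388, "chacha20-ietf-poly1305",
                          "s3cret-example", "obfs-local;obfs=http", "Streisand")

if __name__ == "__main__":
    print(SAMPLE_URI)
    print(parse_ss_uri(SAMPLE_URI))   # the password is readable straight from the QR payload
```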
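The sslh and Stunnel items above are two sides of one mechanism: a multiplexer tells SSH, TLS, HTTP and OpenVPN apart from the first bytes a client sends, and a deep packet inspection box can draw the same distinction, which is why Streisand puts OpenVPN inside stunnel so that what appears on the wire is an ordinary TLS ClientHello. The classifier below is an added illustration written for this page, not sslh's code; the sample byte strings are constructed and truncated to the header fields the checks look at.

```python
import struct

# Constructed sample "first bytes" of four client connections (not captured
# from a real gateway). The TLS and OpenVPN samples are cut down to the
# header fields the classifier inspects.
SAMPLES = {
    "ssh": b"SSH-2.0-OpenSSH_7.4\r\n",
    # TLS record: type 0x16 (handshake), version 3.1, length, ClientHello (0x01)
    "tls": bytes.fromhex("160301002a0100002603"),
    "http": b"GET / HTTP/1.1\r\nHost: gateway\r\n\r\n",
    # OpenVPN over TCP: 2-byte length prefix, then opcode byte 0x38 =
    # (P_CONTROL_HARD_RESET_CLIENT_V2 = 7) << 3 | key_id 0, 8-byte session id,
    # 1-byte ack array length, 4-byte packet id (tls-auth HMAC omitted)
    "openvpn": struct.pack("!H", 14) + b"\x38" + bytes(8) + b"\x00" + bytes(4),
}

HTTP_METHODS = {b"GET", b"POST", b"HEAD", b"PUT", b"DELETE", b"OPTIONS", b"CONNECT"}


def classify(first_bytes: bytes) -> str:
    """Decide which backend an sslh-style multiplexer on port 443 would hand
    this connection to, using only what the client sent first. Real sslh also
    falls back to a default backend (normally ssh) when a client stays silent
    past a timeout; that case is reported here as "unknown"."""
    if first_bytes.startswith(b"SSH-"):
        return "ssh"                      # SSH clients speak first, in plaintext
    if (len(first_bytes) >= 3 and first_bytes[0] == 0x16
            and first_bytes[1] == 0x03 and first_bytes[2] <= 0x04):
        return "tls"                      # handshake record, SSL 3.0 .. TLS 1.3
    if first_bytes.split(b" ", 1)[0] in HTTP_METHODS:
        return "http"
    if len(first_bytes) >= 3:
        (plen,) = struct.unpack("!H", first_bytes[:2])
        # Length prefix matches the rest of the packet and the opcode is a
        # client hard reset: this is the fingerprint DPI keys on, and the one
        # stunnel removes by carrying OpenVPN inside a TLS session.
        if plen == len(first_bytes) - 2 and first_bytes[2] == 0x38:
            return "openvpn"
    return "unknown"


def classify_all(samples=SAMPLES) -> dict:
    """Map each sample name to the backend classify() picks for it."""
    return {name: classify(data) for name, data in samples.items()}


if __name__ == "__main__":
    for name, backend in classify_all().items():
        print(f"{name:8s} -> {backend}")
```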

Installation

Before you start messing around, read this carefully.

Important Notes

Streisand is based on Ansible, which can automatically handle configuration, packaging, and other tasks on a
remote server. Streisand is a tool that automatically configures a remote server into multiple VPN services
and tools for bypassing censorship.

When Streisand runs on your own computer (or in a virtual machine on your computer), it deploys the gateway to
another server at your VPS provider (created automatically through your provider’s API). If Streisand instead
runs on a VPS, it deploys the gateway to another VPS, which means the original VPS where you ran Streisand
becomes unnecessary. Remember to delete it after the deployment is complete and after you have obtained the
documentation. Also, you will not be able to use SSH to connect to the deployed VPS unless you have the public
key (which is of course impossible, because during the entire configuration process no public key is provided
for you to download, nor is there any way for you to extract it).

In some cases, you may need to run Streisand/Ansible on a VPS and configure that VPS itself as the Streisand
server. This mode is suitable when you cannot run or install Streisand/Ansible on your own computer, or when
the SSH connection between your local machine and the VPS is unstable.

Preparation

Complete all of the following steps on your local computer (you can also run them on a VPS).

  • Streisand runs on BSD, Linux, or macOS. It cannot run on Windows. All commands must be run in the terminal.
  • Python 2.7 is required. It usually comes preinstalled on macOS, Linux, and BSD systems. If the
    distribution you are using ships Python 3 by default, you will need to install Python 2.7 to run
    Streisand.
  • Make sure your SSH key is stored in ~/.ssh/id_rsa.pub.

    • If you have never had an SSH key before, you need to generate one with the following command:

      ssh-keygen
      
  • Install Git.

    • On Debian- and Ubuntu-based Linux distributions

      sudo apt install git
      
    • On Fedora

      sudo dnf install git
      
    • On macOS (installation via Homebrew is required)

      brew install git
      
  • Install the pip package manager for Python

    • On Debian- and Ubuntu-based Linux distributions

      sudo apt install python-paramiko python-pip python-pycurl python-dev build-essential
      
    • On Fedora

      sudo dnf install python-pip
      
    • On macOS

      sudo easy_install pip
      sudo pip install pycurl
      
  • Install Ansible.

    • On macOS

      brew install ansible
      
    • On Linux and other BSD systems

      sudo pip install ansible markupsafe
      
  • The Python libraries installed below using pip vary depending on the VPS provider you use. If you plan to
    turn your current VPS into a gateway, you can skip this step.

    • Amazon EC2

      sudo pip install boto
      
    • Microsoft Azure

      sudo pip install msrest msrestazure azure==2.0.0rc5 packaging
      
    • DigitalOcean

      sudo pip install dopy==0.3.5
      
    • Google Cloud Platform

      sudo pip install "apache-libcloud>=1.5.0"
      
    • Linode

      sudo pip install linode-python
      
    • Rackspace Cloud

      sudo pip install pyrax
      
    • It is especially important to note that if your Python was installed via Homebrew, you also need to run
      the following commands to make sure the required library files can be found

      mkdir -p ~/Library/Python/2.7/lib/python/site-packages
      echo '/usr/local/lib/python2.7/site-packages' > ~/Library/Python/2.7/lib/python/site-packages/homebrew.pth
      

Run

  1. Fetch the source code for Streisand

     git clone https://github.com/StreisandEffect/streisand.git && cd streisand
    

    If GitHub is blocked, use the mirror we provide.

     git clone https://area51.threeletter.agency/mirrors/streisand.git && cd streisand
    
  2. Run the Streisand script.

     ./streisand
    
  3. Based on your actual situation, fill in or select the options from the prompts that appear, such as the
     server’s physical location and its name. Most importantly, provide the API information (the prompts
     explain how to do so).
  4. Once the login information and API key have been entered correctly, Streisand will begin installing on
     another VPS (or turn your current VPS into a gateway).
  5. The entire configuration process takes about 10 minutes. After it completes, a folder called
     generated-docs is created in the Streisand directory. It contains 4 HTML files, including the gateway’s
     SSL certificate and detailed instructions on how to connect. Once you use these methods to connect to the
     gateway, the gateway documentation describes in detail how to set up each client, what additional files
     need to be downloaded, client images, keys, and so on. As long as you patiently configure the client,
     everything will be ready.

Translator’s note: this is where the official English setup instructions come to an end. During my own setup process, I also ran into some minor issues that everyone should pay attention to.

  • If you can use the mode that installs Streisand onto the gateway from your local machine, that is the
    best choice, and you should avoid the other modes if possible, because in that case the generated-docs
    folder is created locally, and you can open it in your browser and download the certificate files
    directly without any hassle.
  • If you use the mode where Streisand on a VPS installs to a new VPS, or the mode introduced later that
    converts an already running VPS into a gateway, you will find that it is very difficult to read the 4
    HTML documents in the generated-docs folder on the VPS itself. At that point, there are several methods
    you can choose from:

    • Use sftp to download the files;
    • Install apache2 on the current VPS, then run cp -r generated-docs /var/www/html/ , and then enter the
      VPS address in your browser to browse and download the keys directly (strictly speaking, this is not
      secure, because it is not an https connection. If the data is intercepted, someone could learn how to
      log in to the gateway you use for bypassing censorship. If you are using the conversion mode, do not
      use this method).
    • Use scp on the VPS to push the entire generated-docs directory to your local Linux, Unix, or macOS
      machine that is exposed to the public Internet, or to another VPS. The command is roughly
      scp -r generated-docs user@×××.×××.×××.×××:/home/user/

Turn an Existing VPS into a Streisand Server (Advanced Use)

If the computer you use locally cannot run Streisand, you can convert an already running VPS into a gateway.
You only need to run ./streisand on the VPS and select “Localhost (Advanced)” from the menu.

But please note that this operation cannot be undone. Once it has completely converted the VPS you are
currently using into a gateway, anything you previously hosted on it, such as a blog or a software testing
environment, will no longer exist.

Run on Other VPS Providers

You can also run Streisand on Ubuntu 16.04 at other VPS providers (ones with better hardware are fine, and
unusual VPS providers work too). You just need to select “Existing Server (Advanced)” from the menu when
running ./streisand. You will need to provide the IP address of that VPS.

The SSH key for this VPS must be stored at $HOME/id_rsa, and the VPS must allow login as root by default. If
the provider does not give you root as the default login user but instead uses another username, such as
ubuntu, then before running ./streisand you need to additionally set the ANSIBLE_SSH_USER environment
variable, for example to ANSIBLE_SSH_USER=ubuntu.
