StreisandEffect / streisand
- Saturday, April 14, 2018, 00:15:20
Shell
Streisand sets up a new server running your choice of L2TP/IPsec, OpenConnect, OpenSSH, OpenVPN, Shadowsocks, sslh, Stunnel, a Tor bridge, and WireGuard. It also generates custom instructions for all of these services. At the end of the run you are given an HTML file with instructions that can be shared with friends, family members, and fellow a…
Silence censorship. Automate the effect.
The Internet can be a little unfair. It's way too easy for ISPs, telecoms, politicians, and corporations to block access to the sites and information that you care about. But breaking through these restrictions is tough. Or is it?
Please read all installation instructions carefully before proceeding.
Streisand is based on Ansible, an automation tool that is typically used to provision and configure files and packages on remote servers. Streisand automatically sets up another remote server with the VPN packages and configuration.
Streisand will spin up and deploy another server on your chosen hosting provider when you run it on your home machine (e.g. your laptop). Usually, you do not run Streisand on the remote server, as by default this would result in the deployment of another server from your server and render the first server redundant (whew!).
In some circumstances advanced users may opt to use the local provisioning mode to have the system running Streisand/Ansible configure itself as a Streisand server. This is a configuration mode best reserved for when it isn't possible to install Ansible on your home machine or when your connection to a cloud provider is too unreliable for Ansible's SSH connections.
Complete all of these tasks on your local home machine.
Streisand requires a BSD, Linux, or macOS system. As of now, Windows is not supported. All of the following commands should be run inside a Terminal session.
Python 2.7 is required. This comes standard on macOS, and is the default on almost all Linux and BSD distributions as well. If your distribution packages Python 3 instead, you will need to install version 2.7 in order for Streisand to work properly.
Make sure an SSH public key is present in ~/.ssh/id_rsa.pub.
SSH keys are a more secure alternative to passwords that allow you to prove your identity to a server or service built on public key cryptography. The public key is something that you can give to others, whereas the private key should be kept secret (like a password).
To check if you already have an SSH public key, please enter the following command at a command prompt.
ls ~/.ssh
If you see an id_rsa.pub file, then you have an SSH public key.
If you do not have an SSH key pair, you can generate one by using this command and following the defaults:
ssh-keygen
If you'd like to use an SSH key with a different name or in a non-standard location, please enter 'yes' when asked if you'd like to customize your instance during installation.
Please note: You will need these keys to access your Streisand instance over SSH. Please keep them for the lifetime of the Streisand server.
Install Git.
On Debian and Ubuntu
sudo apt-get install git
On Fedora
sudo yum install git
On macOS (via Homebrew)
brew install git
Install the pip package management system for Python.
On Debian and Ubuntu (also installs the dependencies that are necessary to build Ansible and that are required by some modules)
sudo apt-get install python-paramiko python-pip python-pycurl python-dev build-essential
On Fedora
sudo yum install python-pip
On macOS
sudo easy_install pip
sudo pip install pycurl
Install Ansible.
On macOS (via Homebrew)
brew install ansible
On BSD or Linux (via pip)
sudo pip install ansible markupsafe
Install the necessary Python libraries for your chosen cloud provider. If you are using the advanced local provisioning mode or the existing server mode you can skip this section.
Amazon EC2
sudo pip install boto boto3
Azure
sudo pip install "ansible[azure]"
DigitalOcean
sudo pip install dopy==0.3.5
sudo pip install "apache-libcloud>=1.17.0"
Linode
sudo pip install linode-python
Rackspace Cloud
sudo pip install pyrax
Important note: if you are using a Homebrew-installed version of Python, you should also run these commands to make sure it can find the necessary libraries:
mkdir -p ~/Library/Python/2.7/lib/python/site-packages
echo '/usr/local/lib/python2.7/site-packages' > ~/Library/Python/2.7/lib/python/site-packages/homebrew.pth
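The prerequisites above can be verified before running Streisand. The following preflight script is an added example, not part of the Streisand repository; the function names python_is_27, check_ssh_keypair and preflight are hypothetical. It checks the Python version, the required tools, and that the private key next to ~/.ssh/id_rsa.pub grants no access to group or others.

```shell
#!/bin/sh
# Added example: preflight for the prerequisites above. Function names are
# illustrative and are not part of Streisand.

# python_is_27 "<output of 'python --version'>": true only for Python 2.7.x.
python_is_27() {
    case "$1" in
        "Python 2.7" | "Python 2.7."*) return 0 ;;
        *) return 1 ;;
    esac
}

# check_ssh_keypair <dir>: prints one status word; non-zero unless "ok".
check_ssh_keypair() {
    [ -f "$1/id_rsa.pub" ] || { echo missing-public; return 1; }
    case "$(head -n 1 "$1/id_rsa.pub")" in
        "ssh-rsa "*) ;;
        *) echo bad-public; return 1 ;;
    esac
    [ -f "$1/id_rsa" ] || { echo missing-private; return 1; }
    # ls -l mode string: 1 type char, 3 owner chars, then 6 group/other chars.
    # The private key must grant nothing to group or others.
    case "$(ls -ld "$1/id_rsa")" in
        ????------*) echo ok ;;
        *) echo private-exposed; return 1 ;;
    esac
}

# preflight: report every prerequisite; non-zero if any check fails.
preflight() {
    fail=0
    ver=$(python --version 2>&1) || ver="not installed"
    if python_is_27 "$ver"; then echo "PASS python: $ver"
    else echo "FAIL python: $ver (2.7 required)"; fail=1; fi
    for tool in git pip ansible; do
        if command -v "$tool" >/dev/null 2>&1; then echo "PASS $tool"
        else echo "FAIL $tool: not found in PATH"; fail=1; fi
    done
    if result=$(check_ssh_keypair "$HOME/.ssh"); then echo "PASS ssh key"
    else echo "FAIL ssh key: $result"; fail=1; fi
    return "$fail"
}

preflight || echo "Resolve the FAIL lines before running ./streisand"
```

A private-exposed result is fixed with chmod 600 ~/.ssh/id_rsa; a missing-public result means ssh-keygen still needs to be run.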
Clone the Streisand repository and enter the directory.
git clone https://github.com/StreisandEffect/streisand.git && cd streisand
Execute the Streisand script.
./streisand
Follow the prompts to choose your provider, the physical region for the server, and its name. You will also be asked to enter API information.
Once login information and API keys are entered, Streisand will begin spinning up a new remote server.
Wait for the setup to complete (this usually takes around ten minutes) and look for the corresponding files in the 'generated-docs' folder in the Streisand repository directory. The HTML file will explain how to connect to the Gateway over SSL, or via the Tor hidden service. All instructions, files, mirrored clients, and keys for the new server can then be found on the Gateway. You are all done!
If you cannot run Streisand in the normal manner (running from your client home machine/laptop to configure a remote server), Streisand supports a local provisioning mode. Simply choose "Localhost (Advanced)" from the menu after running ./streisand.
Note: Running Streisand against localhost can be a destructive action! You will be potentially overwriting configuration files and must be certain that you are affecting the correct machine.
You can also run Streisand on a new Ubuntu 16.04 server. Dedicated hardware? Great! Esoteric cloud provider? Awesome! To do so, simply choose "Existing Server (Advanced)" from the menu after running ./streisand and provide the IP address of the existing server when prompted.
The server must be accessible using the $HOME/id_rsa SSH key, and root is used as the connecting user by default. If your provider requires you to SSH with a different user than root (e.g. ubuntu), specify the ANSIBLE_SSH_USER environment variable (e.g. ANSIBLE_SSH_USER=ubuntu) when you run ./streisand.
Note: Running Streisand against an existing server can be a destructive action! You will be potentially overwriting configuration files and must be certain that you are affecting the correct machine.
Alternative scripts and configuration file examples are provided for noninteractive deployment, in which all of the required information is passed on the command line or in a configuration file.
Example configuration files are found under global_vars/noninteractive. Copy and edit the desired parameters, such as providing API tokens and other choices, and then run the appropriate script.
To deploy a new Streisand server:
deploy/streisand-new-cloud-server.sh \
--provider digitalocean \
--site-config global_vars/noninteractive/digitalocean-site.yml
To run the Streisand provisioning on the local machine:
deploy/streisand-local.sh \
--site-config global_vars/noninteractive/local-site.yml
To run the Streisand provisioning against an existing server:
deploy/streisand-existing-cloud-server.sh \
--ip-address 10.10.10.10 \
--ssh-user root \
--site-config global_vars/noninteractive/digitalocean-site.yml
If there is something that you think Streisand should do, or if you find a bug in its documentation or execution, please file a report on the Issue Tracker.
Jason A. Donenfeld deserves a lot of credit for being brave enough to reimagine what a modern VPN should look like and for coming up with something as good as WireGuard. He has our sincere thanks for all of his patient help and high-quality feedback.
We are grateful to Trevor Smith for his massive contributions. He suggested the Gateway approach, provided tons of invaluable feedback, made everything look better, and developed the HTML template that served as the inspiration to take things to the next level before Streisand's public release.
Huge thanks to Paul Wouters of The Libreswan Project for his generous help troubleshooting the L2TP/IPsec setup.
Starcadian's 'Sunset Blood' album was played on repeat approximately 300 times during the first few months of work on the project in early 2014.