
Show HN: Use Ansible to Run a “friends and Family” OpenVPN Server on Digital Ocean - robbintt
https://github.com/robbintt/popup-openvpn
======
NickBusey
I prefer Sovereign for this. Sets up OpenVPN as well as a bunch of other
goodies.
[https://github.com/sovereign/sovereign](https://github.com/sovereign/sovereign)

~~~
tlrobinson
I'm not sure I trust myself to run that many services securely.

I'd be interested in something like this with a strong focus on security.

~~~
paws
Algo[1] may be a good fit for you.

Just be aware the authors deliberately target only very recent clients. [2]

I recently spun up a new Algo instance on an Ubuntu host and discovered I
could no longer SSH from an old Snow Leopard Mac because it locked sshd down
to only 'modern ciphers'[3].

(No affiliation, just a fan)

[1] [https://github.com/trailofbits/algo](https://github.com/trailofbits/algo)

[2] [https://github.com/trailofbits/algo/issues/168](https://github.com/trailofbits/algo/issues/168)

[3] [https://github.com/trailofbits/algo/blob/master/roles/security/templates/sshd_config.j2#L48](https://github.com/trailofbits/algo/blob/master/roles/security/templates/sshd_config.j2#L48)

------
cyberferret
I'd like to hear how this is different from Streisand? [0] (and also
Sovereign, which I see someone else posted below).

I set up Streisand on a $5/mo Digital Ocean droplet a while back and the whole
family uses it on all our devices with great results. It is pretty much a
'fire and forget' solution that I haven't had to touch in over a year.

[0] - [https://github.com/jlund/streisand](https://github.com/jlund/streisand)

~~~
bdarnell
I've been using streisand for a while (from China) and it's great; the main
reason I can see that you might want to use the linked project instead is that
it has a lot less surface area so it could be more secure (it's a lot easier
to harden/audit openvpn alone than all the services streisand includes).

That said, if I was going to pick one protocol out of the selection offered by
streisand, it would be l2tp/ipsec instead of openvpn (assuming you're hosting
on digital ocean. The networks on AWS and GCE are more restrictive and you
can't serve l2tp/ipsec from there). I found this to be easier to set up (the
client-side software is already included in most operating systems) and to
have the best performance.

~~~
bdarnell
From another subthread,
[https://github.com/trailofbits/algo](https://github.com/trailofbits/algo) is
an ipsec-only alternative to streisand that looks good (although it requires
an app to be installed on android). They also get ipsec working on aws/gce, so
apparently whatever obstacle streisand faces with this configuration is
solvable.

~~~
fulafel
Caveat: That unconditionally blocks traffic between your friends and family
(see issue #166).

------
necessity
You can simply run a sh script that sets it up...
[https://github.com/Nyr/openvpn-install](https://github.com/Nyr/openvpn-install)

~~~
dstryr
I use this script for my servers as well and it seems much quicker and easier.
What benefits does OP's method provide?

~~~
robbintt
Ansible provides idempotency and some measure of auditability. Ansible is one
way to manage things.

------
tribby
> Do not check use IPv6

last time I set up an openvpn server on digitalocean without `tun-ipv6`, it
leaked my ISP's ipv6 address to the internet while my ipv4 address was correct
(a digitalocean address). disabling ipv6 on a vpn by default doesn't make a
lot of sense to me if the intention is a layer of privacy around your ISP.

~~~
robbintt
Hi, thanks for your feedback. Can you submit a github issue? I need to
establish a traffic testing method for assessing whether any traffic is
leaking. This would be a valuable general tool for all vpn toolchains.

~~~
tribby
testing is a good idea, and I've seen it done in other "road warrior" type
scripts in an unsafe way via `curl -s6 https://canhazip.com`. I may not have the time to
contribute for a while, but what I would contribute is mostly laid out in the
openvpn docs for enabling ipv6[0].

most of what you need to do with ipv6 is analogous to what you'd do with ipv4
like remembering to uncomment net.ipv6.conf.all.forwarding=1 in
/etc/sysctl.conf ( just as you would with net.ipv4.ip_forward). use tun-ipv6
instead of tun, and server-ipv6 in addition to server. ip6tables rules in
addition to iptables rules. etc etc. although that may be it -- can't think of
anything else off the top of my head. I'll look more at your code and see if
there's anything I can help with as time allows- ping me if I forget :)

[0] [https://community.openvpn.net/openvpn/wiki/IPv6](https://community.openvpn.net/openvpn/wiki/IPv6)
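One way to audit a host for the IPv6 pieces listed in the comment above (forwarding sysctl, tun-ipv6, server-ipv6, a pushed v6 route), as an added example that is not code from popup-openvpn or any project in the thread. The sample server.conf and sysctl.conf files are constructed, and 2001:db8::/32 is a documentation prefix.

```shell
#!/bin/sh
# Added audit helper (not popup-openvpn code): reports which IPv6 pieces named
# in the comment above are missing from an OpenVPN server.conf and sysctl.conf.

has_directive() {  # $1 = file, $2 = extended regex anchored at line start
    grep -Eq "^[[:space:]]*$2" "$1"
}

# check_ipv6_setup SERVER_CONF SYSCTL_CONF
# Prints one line per missing item; returns 0 only when nothing is missing.
check_ipv6_setup() {
    conf="$1"; sysctl="$2"; missing=0
    # tun-ipv6 is explicit on OpenVPN 2.3; 2.4+ implies it once server-ipv6 is set
    for d in 'dev[[:space:]]+tun' 'tun-ipv6' 'server-ipv6[[:space:]]' \
             'push[[:space:]]+"route-ipv6[[:space:]]'; do
        has_directive "$conf" "$d" || { echo "missing in $conf: $d"; missing=$((missing + 1)); }
    done
    has_directive "$sysctl" 'net\.ipv6\.conf\.all\.forwarding[[:space:]]*=[[:space:]]*1' ||
        { echo "missing in $sysctl: net.ipv6.conf.all.forwarding=1"; missing=$((missing + 1)); }
    [ "$missing" -eq 0 ]
}

# Constructed sample: an IPv4-only server of the kind the comment warns about.
write_v4_only() {
    printf '%s\n' 'dev tun' 'server 10.8.0.0 255.255.255.0' \
        'push "redirect-gateway def1"' > "$1"
}

# Constructed sample: the same server with IPv6 added (2001:db8::/32 is a documentation prefix).
write_dual_stack() {
    printf '%s\n' 'dev tun' 'tun-ipv6' 'server 10.8.0.0 255.255.255.0' \
        'server-ipv6 2001:db8:1234::/64' 'push "redirect-gateway def1 ipv6"' \
        'push "route-ipv6 2000::/3"' > "$1"
}

write_sysctl() {  # $1 = file, $2 = value for net.ipv6.conf.all.forwarding
    printf 'net.ipv4.ip_forward=1\nnet.ipv6.conf.all.forwarding=%s\n' "$2" > "$1"
}

main() {
    d=$(mktemp -d)
    write_v4_only "$d/v4.conf"; write_dual_stack "$d/v6.conf"; write_sysctl "$d/sysctl.conf" 1
    for c in v4 v6; do
        check_ipv6_setup "$d/$c.conf" "$d/sysctl.conf" && echo "$c.conf: IPv6 ready" \
            || echo "$c.conf: IPv6 NOT ready"
    done
    rm -rf "$d"
}

main "$@"
```

The ip6tables forwarding and NAT rules the comment also mentions live in the running firewall rather than a file, so they are checked separately (for example by inspecting `ip6tables-save` output).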

~~~
tomschlick
Would love to see those additions made to this script:
[https://github.com/Nyr/openvpn-install](https://github.com/Nyr/openvpn-install)

~~~
tribby
wow, I admire the dedication to supporting multiple operating systems, but
that script is a mess IMHO. why is there a hardcoded version of easyrsa? I
haven't worked with easyrsa in a while but does it still do 1024 bit dh
parameters by default? because that would also be a mistake. it looks like
there is sufficient interest, so maybe I'll cobble together a bash script.

------
tedmiston
I'd like to see some hardening of the box if it's going to be used as a VPN
server. My boxes in the DO IP range routinely get targeted by malicious
traffic from China and Russia.

~~~
andreareina
Is there a checklist/guide you could point to? I've come across a few but not
being experienced I have a hard time judging how good/complete they are.

~~~
tedmiston
I'm not a security expert by any means, but I like these three guides in the
DO tutorials for a typical box.

[https://www.digitalocean.com/community/tutorials/an-introduction-to-securing-your-linux-vps](https://www.digitalocean.com/community/tutorials/an-introduction-to-securing-your-linux-vps)

[https://www.digitalocean.com/community/tutorials/how-to-set-up-ssh-keys--2](https://www.digitalocean.com/community/tutorials/how-to-set-up-ssh-keys--2)

[https://www.digitalocean.com/community/tutorials/how-to-secure-nginx-on-ubuntu-14-04](https://www.digitalocean.com/community/tutorials/how-to-secure-nginx-on-ubuntu-14-04)

There are a dozen or so tools mentioned in the above.

------
lucasjans
I'm surprised no one's mentioned pritunl. Open source and one click deployment
on DO [https://pritunl.com](https://pritunl.com)

------
wstrange
Given that most families probably want to use this to torrent, would this not
violate Digital Ocean's terms of service?

~~~
robbintt
This tool is to protect you from verizon supercookies and comcast deep packet
inspection. These companies sell access to this data to local law enforcement
without requiring a warrant. LEO make choices based on the narrative about you
they can build. We need to protect ourselves from people who would do us harm
in clever and careful ways.

------
caspereeko
You can also use Oh-My-VPN to install OpenVPN with a one-liner.
[https://github.com/alaa/oh-my-vpn](https://github.com/alaa/oh-my-vpn)

------
jlgaddis
Any one have a similar project but based on CentOS that they use and
recommend?

------
vxNsr
This is really great! I didn't even know this was possible thanks!

------
cabalamat
Why not just use:

    ssh -D {port} {server}

?

------
insubstantive
A VPN on the cloud. Totally private. Great idea.

~~~
andreareina
Depending on your threat model it's perfectly fine. It won't work against a
nation-state-level adversary, but I don't get the feeling it's meant to.
Against opportunistic passive sniffing or active MitM in cafés and such it's
adequate.

~~~
robbintt
Yeah exactly -- it's a condom rather than an enigma machine.

~~~
spdionis
Condoms are good security for sex. An enigma machine wouldn't be very helpful
on the other hand.

