
Ansible playbooks for installing OpenVPN, IPsec, Tor, etc. on popular clouds - kevlar1818
https://github.com/jlund/streisand
======
45h34jh53k4j
Streisand is a good idea, but I don't believe users want 500 services running
on their VPN gateway. Most of these protocols require a specific client, like
OpenVPN. This is a 'kitchen sink' collection.

TrailOfBits released their ansible scripts for strongSwan, which has sensible
secure defaults (IPsec using AES-GCM only). They are calling the project algo.

[https://github.com/trailofbits/algo](https://github.com/trailofbits/algo)
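As an added illustration of what "AES-GCM only" means in strongSwan terms (this is my own example, not algo's playbook; the connection name, file path, handler and service name are assumed): an Ansible play that installs strongSwan and writes a connection whose proposals are strict, so a peer cannot negotiate down to CBC+HMAC or a 1024-bit DH group. Certificate and identity settings are left out because the point is the proposal line.

```yaml
# Added example, not from the algo repository. Connection name, path and
# service unit name are assumptions.
- name: Restrict IKEv2 proposals to AES-GCM with strong DH groups
  hosts: vpn
  become: true

  tasks:
    - name: Install strongSwan
      ansible.builtin.apt:
        name: strongswan
        state: present

    # Permissive setting this replaces: leaving ike=/esp= unset, or something
    # like ike=aes128-sha1-modp1024, lets the peer pick CBC+HMAC and modp1024.
    # The trailing "!" makes the proposal strict: anything not listed is refused.
    # AEAD ciphers in IKE need an explicit PRF, hence prfsha384.
    - name: Write a connection with a strict AEAD-only proposal
      ansible.builtin.copy:
        dest: /etc/ipsec.conf
        mode: "0644"
        content: |
          conn ikev2-gateway
              keyexchange=ikev2
              ike=aes256gcm16-prfsha384-ecp384!
              esp=aes256gcm16-ecp384!
              left=%any
              leftauth=pubkey
              right=%any
              rightauth=pubkey
      notify: restart strongswan

  handlers:
    - name: restart strongswan
      ansible.builtin.service:
        name: strongswan   # assumed; the unit name varies by distribution
        state: restarted
```

After the play has run, `ipsec statusall` on the gateway lists the loaded proposals; a client offering only aes128-sha1-modp1024 should fail with NO_PROPOSAL_CHOSEN rather than connect.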

~~~
codezero
For anyone about to try out algo – I assume it's great if you are using AWS or
DigitalOcean, but if you're self hosting, or have an unsupported VPS, I've had
nothing but trouble getting it up and running. I am most certainly to blame,
but just a heads up.

~~~
KingMob
Not to toot my own horn, but here's a blog post I just wrote on some issues I
ran into setting up Algo on a pre-existing Vultr server. It might help.

[http://modulolotus.net/posts/2016-03-28-setting-up-algo/](http://modulolotus.net/posts/2016-03-28-setting-up-algo/)

~~~
codezero
Excellent. I'm embarrassed that I didn't ask if anyone had done this and written
up their results.

From what I was experiencing, I bet it was either the root privileges, or the
SSH connection errors. Thanks a ton.

------
dboreham
Ironic that a project to do automated installation of packages on a remote
machine has two pages of manual installation instructions for prerequisites on
the command machine, before it can be run.

~~~
gmac
For this reason, amongst others, I've made a simple Bash script to install
StrongSwan:
[https://github.com/jawj/IKEv2-setup](https://github.com/jawj/IKEv2-setup)

------
alphapapa
It almost seems ironic to me to run a personal privacy-protecting server in a
cloud VM. If you assume that the "agencies" have access to the "clouds,"
whether directly through backdoors or through moles, don't you have to assume
that they could crawl VMs, detect ones like this that are virtually identical,
and automatically install rootkits in them? Or just monitor them by reading
memory through the hypervisor? How would you even know if the hypervisor were
compromised?

~~~
juliangoldsmith
This is more likely a response to the recent reversal of FCC privacy rules.

This may not defend against state actors, but will against nosy ISPs.

~~~
danellis
What about the cloud providers' ISPs?

~~~
juliangoldsmith
Backbone providers provide services to businesses. If one of them was caught
monitoring traffic, their reputation would be destroyed.

~~~
bigbugbag
That's why they go the extra length not to be caught. Even if they wanted to
alert a user that he's monitored, wouldn't a national security letter come with
a gag order forbidding this?

~~~
juliangoldsmith
We're talking ISPs here, not state actors. If an individual catches the full
attention of the NSA, there's not all that much they can do to defend their
privacy.

------
mi100hael
Here's a similar playbook more focused around self-hosting common services
like email, calendars, contacts in addition to a VPN:
[https://github.com/sovereign/sovereign](https://github.com/sovereign/sovereign)

------
pgroves
I don't know Ansible very well... is it possible to install only a subset
(namely, the vpn service you plan to actually use)? It seems like a large
attack surface to have every VPN software possible running on the machine.

~~~
bitexploder
Yes. It depends on how well organized the Playbook is, but this one is nice.
As long as they kept their dependencies clean. Edit:

[https://github.com/jlund/streisand/blob/master/playbooks/str...](https://github.com/jlund/streisand/blob/master/playbooks/streisand.yml)

Comment out any roles you don't want with a # at the beginning of the line,
YAML is very picky about syntax.

comment edit: Think of roles in ansible like building blocks or common chores
you can apply to any server. It might be nice to not have so much stuff by
default, but this tool isn't meant for complete technical novices, so it is
expected (in my opinion) that you go in and prune anything out you don't
want/need. What is nice is that you have lots of options and if you ever need
to add a role you can just uncomment it and re-run the playbook.

~~~
brainfire
I think you'd typically want to use tags [0] for controlling which portions of
an ansible playbook run, for a one-off set of tasks like this. This one in
particular isn't set up to work that way though.

[0]
[http://docs.ansible.com/ansible/playbooks_tags.html](http://docs.ansible.com/ansible/playbooks_tags.html)

~~~
gtirloni
This one is organized around roles instead (and role dependencies).

~~~
anoother
You can tag entire roles themselves.

Lately I've been using this as a way to quickly apply selective config. It
feels 'hacked-on', but it works.
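To make the role/tag suggestions in this subthread concrete, here is an added example (not Streisand's own streisand.yml; the role names and host group are assumed): a playbook where each VPN role carries a tag, so a subset is chosen at run time with `--tags` instead of by commenting lines out of the YAML.

```yaml
# Added example, not from the Streisand repository. Role names are assumptions.
# Run one VPN role only:   ansible-playbook site.yml --tags openvpn
# See what is selectable:  ansible-playbook site.yml --list-tags
- name: Provision a single-purpose VPN gateway
  hosts: vpn
  become: true

  roles:
    # "always" is a built-in tag: this role runs whatever --tags is given,
    # unless explicitly excluded with --skip-tags always.
    - role: common        # assumed: firewall, sshd hardening, unattended upgrades
      tags: [always]

    # Pick exactly one of these with --tags; none runs when --tags is absent
    # only if you also use --skip-tags, so decide which default you want.
    - role: openvpn
      tags: [openvpn]

    - role: strongswan
      tags: [ipsec]

    - role: wireguard
      tags: [wireguard]
```

Two caveats a practitioner would want. Tagging a role tags every task inside it, including any `meta` dependencies it declares, so a role that depends on another pulls that one in too. And `--tags` selects what to apply, not what to keep: a role applied on an earlier run is not removed by omitting its tag later, so pruning an already-built box is a separate, explicit job.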

------
893helios
This reminds me of Caislean
([https://equalit.ie/portfolio/caislean/](https://equalit.ie/portfolio/caislean/))

------
ejlangev
I'm using algo
([https://github.com/trailofbits/algo](https://github.com/trailofbits/algo))
on an AWS instance, easy to set up and provides configuration across devices.
Did find my iPhone struggling to use data sometimes when connecting to the VPN
over the cell network. Can always disable that feature though.

------
vuln
Say if I wanted to set something up like this for my friends, family and
myself to use. Which would be the best and most feature rich for multi user?

I would love the option to not log ANY of the traffic or DNS requests my
friends/family initiate.

~~~
unstatusthequo
Streisand is multi user. Supports five by default if I recall, possibly more.

~~~
subliminalpanda
Depends. The OpenVPN role will generate five clients, however the server is
configured to allow certificate re-use, effectively unlimited (for OpenVPN at
least).

------
fuzzygroup
Streisand is a very, very good idea -- unfortunately it simply doesn't work at
present. I've tried using it on AWS and Google Cloud and neither option works
whether I run it natively on Ansible under OSX or on Ansible under Vagrant.

It is very cleanly implemented though -- nicely implemented playbooks (I write
Ansible professionally so I can actually say that).

Going to try algo today.

