I'd like to hear how this is different from Streisand? [0] (and also Sovereign, which I see someone else posted below).
I set up Streisand on a $5/mo Digital Ocean droplet a while back and the whole family uses it on all our devices with great results. It is pretty much a 'fire and forget' solution that I haven't had to touch in over a year.
I've been using streisand for a while (from China) and it's great; the main reason I can see that you might want to use the linked project instead is that it has a lot less surface area so it could be more secure (it's a lot easier to harden/audit openvpn alone than all the services streisand includes).
That said, if I was going to pick one protocol out of the selection offered by streisand, it would be l2tp/ipsec instead of openvpn (assuming you're hosting on digital ocean. The networks on AWS and GCE are more restrictive and you can't serve l2tp/ipsec from there). I found this to be easier to set up (the client-side software is already included in most operating systems) and to have the best performance.
From another subthread, https://github.com/trailofbits/algo is an ipsec-only alternative to streisand that looks good (although it requires an app to be installed on android). They also get ipsec working on aws/gce, so apparently whatever obstacle streisand faces with this configuration is solvable.
This project aims to "do one thing and do it well".
I posted this elsewhere but it bears repeating. This project is designed to be simple, auditable, and disposable, and have the minimum attack surface and maintenance costs.
Other tools are great, but the cost of swapping certificates and IP addresses and zone files can weigh you down.
Streisand would do well to have numerous playbooks that remix roles for smaller services (if they don't already).
They have different objectives. Streisand's goal is to circumvent censorship, so it provisions a set of different VPN protocols (OpenVPN, L2TP/IPsec, Shadowsocks, etc.) and instructions on how to use them, whereas Sovereign sets up e-mail, CalDAV, and other cloud-related tools (which Streisand does not do).
I misread your question, my apologies.
At a quick glance (and a very quick one at that), Streisand's OpenVPN setup is configured to work on both TCP and UDP ports, whereas the referenced project is being templated from [https://github.com/Stouts/Stouts.openvpn/tree/9c83736608e4cc...].
Looking at the linked project's setup, it seems it's using outdated configurations for OpenVPN (BF-CBC instead of AES-CBC, 1024-bit keys instead of 2048) [https://github.com/Stouts/Stouts.openvpn/blob/9c83736608e4cc...]. It's also configured to log info, whereas Streisand tries its best not to.
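As an added example (my own code, not the linked project's, Streisand's, or the commenter's), here is a small POSIX sh audit for the settings named in the comment above: a 64-bit block cipher such as BF-CBC, 1024-bit DH parameters, and logging directives that write client details to disk. A constructed weak server.conf is written beside a hardened one so the two can be compared; file names such as dh2048.pem and ta.key and the /var/log path are assumptions for illustration.

```shell
#!/bin/sh
# Added example, not code from the linked project or from Streisand: audit an
# OpenVPN server.conf for the weak settings called out in the thread (BF-CBC,
# 1024-bit DH parameters, on-disk logging) and show a hardened configuration
# beside the weak one. File names and paths below are assumptions.

# conf_has BODY REGEX: true if any (uncommented) line of BODY matches REGEX.
conf_has() { printf '%s\n' "$1" | grep -Eiq "$2"; }

# Print one finding per line; print nothing if the config is clean.
# Always returns 0 so it is safe to call under "set -e".
audit_openvpn_conf() {
  # Drop comments and blank lines so a commented-out "cipher BF-CBC" is not flagged.
  body=$(sed -e 's/[#;].*$//' -e '/^[[:space:]]*$/d' "$1")

  if ! conf_has "$body" '^[[:space:]]*cipher[[:space:]]'; then
    echo "WEAK: no 'cipher' directive (OpenVPN 2.3 falls back to BF-CBC)"
  elif conf_has "$body" '^[[:space:]]*cipher[[:space:]]+(BF|DES|DES-EDE3|CAST5|RC2)-'; then
    echo "WEAK: 64-bit block cipher; use AES-256-CBC (AES-256-GCM on 2.4+)"
  fi
  if conf_has "$body" '^[[:space:]]*dh[[:space:]]+.*1024'; then
    echo "WEAK: 1024-bit DH parameters; regenerate with at least 2048 bits"
  fi
  if conf_has "$body" '^[[:space:]]*verb[[:space:]]+([4-9]|1[01])([^0-9]|$)'; then
    echo "LOGGING: verb above 3 records per-connection detail"
  fi
  if conf_has "$body" '^[[:space:]]*(status|log|log-append)[[:space:]]'; then
    echo "LOGGING: status/log file on disk records client addresses"
  fi
  return 0
}

# Number of findings for a config file (0 when clean).
audit_count() { audit_openvpn_conf "$1" | wc -l | tr -d ' '; }

# The RSA key size lives in the certificate, not in server.conf; this needs
# openssl and is not exercised by the offline demo below.
cert_key_bits() {
  openssl x509 -noout -text -in "$1" | sed -n 's/.*Public-Key: (\([0-9]*\) bit).*/\1/p'
}

# Constructed sample with the settings the thread flags (not the project's file).
write_weak_conf() {
  cat > "$1" <<'EOF'
port 1194
proto udp
dev tun
ca ca.crt
cert server.crt
key server.key
dh dh1024.pem
cipher BF-CBC
verb 4
status openvpn-status.log
log-append /var/log/openvpn.log
EOF
}

# Constructed hardened counterpart: AES-256, 2048-bit DH, HMAC-SHA256,
# TLS 1.2 minimum, tls-auth against unauthenticated packets, minimal logging.
write_hardened_conf() {
  cat > "$1" <<'EOF'
port 1194
proto udp
dev tun
ca ca.crt
cert server.crt
key server.key
dh dh2048.pem
cipher AES-256-CBC
auth SHA256
tls-auth ta.key 0
tls-version-min 1.2
verb 0
EOF
}

# Demo: write both samples to a scratch directory and audit them.
dir=$(mktemp -d)
write_weak_conf "$dir/weak.conf"
write_hardened_conf "$dir/hardened.conf"
for f in weak hardened; do
  echo "== $f.conf: $(audit_count "$dir/$f.conf") finding(s)"
  audit_openvpn_conf "$dir/$f.conf"
done
```

Run it against a real server.conf with `audit_openvpn_conf /etc/openvpn/server.conf`; the checks are on directive names only, so a config that leaves `cipher` unset is flagged as well, since the absent directive is what selects the old default.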
I have a VPS and I use it for webhosting for myself and some friends. I've thought about (in some cases tried) and then decided against setting up my own mail server, my own irc bouncer, my own xmpp server and my own cloud storage. Each time, the killer was basically "I could do this, but it would take too long to figure out and it would probably not be super secure at the end."
At the very least, a project like Sovereign (written using something as declarative and idempotent as Ansible) would be great to look through and see how it manages certain things.
And that doesn't detract from your project, OP - I like that your focus is tight and your setup instructions detailed. I'm far more likely to actually try installing a small project like yours than a behemoth that will change who knows what throughout my system.
Just be aware the authors deliberately target only very recent clients. [2]
I recently spun up a new Algo instance on an Ubuntu host and discovered I could no longer SSH from an old Snow Leopard Mac because it locked sshd down to only 'modern ciphers'[3].
last time I set up an openvpn server on digitalocean without `tun-ipv6`, it leaked my ISP's ipv6 address to the internet while my ipv4 address was correct (a digitalocean address). disabling ipv6 on a vpn by default doesn't make a lot of sense to me if the intention is a layer of privacy around your ISP.
Hi, thanks for your feedback. Can you submit a github issue? I need to establish a traffic testing method for assessing whether any traffic is leaking. This would be a valuable general tool for all vpn toolchains.
testing is a good idea, and I've seen it done in other "road warrior" type scripts in an unsafe way via `curl -s6 https://canhazip.com`. I may not have the time to contribute for a while, but what I would contribute is mostly laid out in the openvpn docs for enabling ipv6[0].
most of what you need to do with ipv6 is analogous to what you'd do with ipv4, like remembering to uncomment net.ipv6.conf.all.forwarding=1 in /etc/sysctl.conf (just as you would with net.ipv4.ip_forward). use tun-ipv6 instead of tun, and server-ipv6 in addition to server. ip6tables rules in addition to iptables rules. etc etc. although that may be it -- can't think of anything else off the top of my head. I'll look more at your code and see if there's anything I can help with as time allows; ping me if I forget :)
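As an added example (my own code, not the linked project's or the commenter's), the IPv6 pieces listed in the comment above, generated as reviewable text rather than applied directly: the sysctl forwarding knob, the server.conf additions (server-ipv6 plus a pushed v6 default route, which is what stops clients from keeping their ISP's v6 path), and the ip6tables rules. The ULA prefix, interface names and the NAT66 approach are assumptions; a VPS typically gets a handful of public v6 addresses rather than a routable /64, so clients get a private prefix that is masqueraded out of the WAN interface.

```shell
#!/bin/sh
# Added example, not code from the linked project: emit the IPv6 pieces an
# OpenVPN server needs so that clients' v6 traffic also goes through the tunnel.
# Prefix, interface names and the NAT66 choice are assumptions for illustration.
V6_PREFIX="${V6_PREFIX:-fd12:3456:789a:1::/64}"   # assumed ULA pool for clients
WAN_IF="${WAN_IF:-eth0}"
TUN_IF="${TUN_IF:-tun0}"

# sysctl: both forwarding knobs, uncommented (the v6 one is the easy one to forget).
emit_sysctl() {
  printf 'net.ipv4.ip_forward=1\nnet.ipv6.conf.all.forwarding=1\n'
}

# server.conf fragment: v6 pool next to the v4 pool, and a v6 default route
# pushed to clients. "tun-ipv6" is required on OpenVPN 2.3; 2.4 enables IPv6
# on the tun device automatically and ignores it.
emit_server_conf_v6() {
  cat <<EOF
tun-ipv6
server 10.8.0.0 255.255.255.0
server-ipv6 $V6_PREFIX
push "redirect-gateway def1"
push "route-ipv6 2000::/3"
EOF
}

# ip6tables: masquerade the client pool out of the WAN interface and allow the
# forward path in both directions (new from the tunnel, established from outside).
emit_ip6tables() {
  cat <<EOF
ip6tables -t nat -A POSTROUTING -s $V6_PREFIX -o $WAN_IF -j MASQUERADE
ip6tables -A FORWARD -i $TUN_IF -s $V6_PREFIX -o $WAN_IF -j ACCEPT
ip6tables -A FORWARD -i $WAN_IF -o $TUN_IF -m state --state ESTABLISHED,RELATED -j ACCEPT
EOF
}

# conf_routes_v6 FILE: 0 if server.conf has a v6 pool AND pushes a v6 default
# route (2000::/3 or ::/0); 1 otherwise. Comments are ignored.
conf_routes_v6() {
  body=$(sed -e 's/[#;].*$//' "$1")
  if printf '%s\n' "$body" | grep -Eq '^[[:space:]]*server-ipv6[[:space:]]' &&
     printf '%s\n' "$body" | grep -Eq '^[[:space:]]*push[[:space:]]+"route-ipv6[[:space:]]+(2000::/3|::/0)'
  then return 0; else return 1; fi
}

# sysctl_forwards_v6 FILE: 0 only if the v6 forwarding line is present and
# not commented out (a leading '#' is the usual mistake).
sysctl_forwards_v6() {
  if sed -e 's/[#;].*$//' "$1" |
     grep -Eq '^[[:space:]]*net\.ipv6\.conf\.all\.forwarding[[:space:]]*=[[:space:]]*1'
  then return 0; else return 1; fi
}

# Demo: print the three fragments for review; apply them as root once checked.
echo "# --- /etc/sysctl.d/99-vpn-forward.conf"; emit_sysctl
echo "# --- append to server.conf";             emit_server_conf_v6
echo "# --- ip6tables rules";                    emit_ip6tables
```

After applying, `sysctl -p` (or `sysctl --system`) loads the forwarding setting, and the checkers can be pointed at the live files: `conf_routes_v6 /etc/openvpn/server.conf` fails on a config that only has `server-ipv6` without the `route-ipv6` push, which is exactly the state in which a client still sends v6 traffic via its ISP.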
wow, I admire the dedication to supporting multiple operating systems, but that script is a mess IMHO. why is there a hardcoded version of easyrsa? I haven't worked with easyrsa in a while but does it still do 1024 bit dh parameters by default? because that would also be a mistake. it looks like there is sufficient interest, so maybe I'll cobble together a bash script.
I'd like to see some hardening of the box if it's going to be used as a VPN server. My boxes in the DO IP range routinely get targeted by malicious traffic from China and Russia.
This tool is to protect you from verizon supercookies and comcast deep packet inspection. These companies sell access to this data to local law enforcement without requiring a warrant. LEO make choices based on the narrative about you they can build. We need to protect ourselves from people who would do us harm in clever and careful ways.
Depending on your threat model it's perfectly fine. It won't work against a nation-state-level adversary, but I don't get the feeling it's meant to. Against opportunistic passive sniffing or active MitM in cafés and such it's adequate.
It's oftentimes worse than nothing against passive surveillance: If you surf from home, your local spooks are with some likelihood forbidden from arbitrarily looking into your communications. Once you pipe it to abroad and terminate the "VPN" on that end, you can be pretty sure your browsing/torrenting habits enjoy no protection from any country's spooks, including your own. And traffic analysis lets eavesdroppers trivially correlate the VPN endpoints with the traffic leaving the VPN.
[0] - https://github.com/jlund/streisand