Streisand - set up your own free* VPN server in the cloud

Status
Not open for further replies.

danb35

Hall of Famer
Joined
Aug 16, 2011
Messages
15,504
Maybe it's well-known, having been around for a couple of years already, but I just learned of it recently, and it sounds like it has potential to be pretty handy. Streisand is a set of scripts that will build a VPN server for you (by default it supports L2TP/IPsec, OpenVPN, WireGuard, Shadowsocks, and probably a couple of others I'm forgetting at the moment) on the public cloud service of your choice (it'll deal directly with AWS, Google Compute Engine, Linode, DigitalOcean, and Rackspace, or run on an Ubuntu Server 16.04 instance anywhere you have it). It builds a web interface for that server which gives you links to download all the client software (locally hosted), as well as configs for all services (locally, and randomly, generated), including how to configure any of them on your client environment of choice (Windows, Mac, Linux, iOS, Android). It also builds a pretty HTML page telling you how to reach that site, with its TLS cert embedded if you didn't have Let's Encrypt generate one at install time.

OK, the "free" thing. AWS has a one-year free trial that will give you (among other things) an EC2 "micro" instance, which is adequate to run this system. So, if you use AWS, it will be free for a year, then around $10-12/mo. Google, however, has a free tier that includes their "micro" instance, and is free "forever" (i.e., until they change their mind).

This isn't going to be the thing to use if you want your traffic to get "lost" with a bunch of other users', as might be the case with someone doing things of questionable legality--but it seems like a good choice for avoiding censorship (which is its intent), or for protecting yourself on insecure networks.
 
Joined
Feb 2, 2016
Messages
574
I looked into rolling my own VPN and have enough internet-exposed shells scattered around the United States that I could have spun up multiple instances for geographic and network diversity. In the end, it just wasn't worth the effort especially since the endpoint could easily be tracked back to me. The more I learned about VPN, the more I learned what it took to do it right and the less I felt I had those skills.

I finally went out and bought a real VPN service. It costs less than $3 a month and is completely anonymous; paid with a VISA gift card purchased with untraceable cash. Up to five devices can use the VPN account at the same time. Gateways in dozens of countries. Good performance, too.

Cheers,
Matt
 

danb35

Hall of Famer
Joined
Aug 16, 2011
Messages
15,504
Yeah, this isn't something that's going to give you anonymity at the endpoint, as the GCE/EC2/whatever instance is almost certainly traceable to you, and it's only your traffic (or, at most, a small number of other users') going through it. OTOH, if you're facing attempted network censorship, commercial VPN providers could well be blocked. And you're trusting that your VPN provider is doing it right, which may or may not be the case (I've seen a few incidents recently where traffic wasn't being encrypted at all, for example), and is nearly impossible to audit.

Streisand has one of the Let's Encrypt engineers heavily involved, which gives it warm fuzzy points with me that they're doing things reasonably well. But it's all about your threat model.
 

svtkobra7

Patron
Joined
Jan 12, 2017
Messages
202
@danb35 I was excited to see your post as I just stumbled across Streisand last week. I was able to spin up an Ubuntu VM for the install, deploy to GCE, and connect via OpenVPN to my pfSense firewall quite easily. I was quite impressed that it even obtained a Let's Encrypt cert.

My objective is to use Streisand for something other than the intended purpose: simply to obtain a static external IP so I can connect a NextCloud instance (I'm double-NATed and don't have a static IP), and ultimately I hope to deploy policy-based routing in pfSense to achieve the following.
  • NextCloud <=> Streisand <=> DOMAIN.com
  • All other traffic <=> Commercial VPN
I haven't played with it much since I installed Streisand, but I shouldn't have much issue passing port 443 to GCE, right? Do you know what configuration changes I may need to make to the Streisand instance?

NB1: You may be aware, but here is another script-based install alternative: https://blog.trailofbits.com/2016/12/12/meet-algo-the-vpn-that-works/
NB2: I'd much rather have pfSense deployed instead of the VM instance that Streisand creates, and was able to install it on GCE, but was never able to get it working.
 