Streisand - AntiCensorship software


amadaus

Sep 6, 2016, 3:55:13 AM
to qubes...@googlegroups.com
Hi
Some of you may be interested in setting up your own personal VPN using
streisand software? I first read about this in Ars Technica [
http://arstechnica.com/security/2016/06/aiming-for-anonymity-ars-assesses-the-state-of-vpns-in-2016/]
and have since tried it out in a dedicated Streisand VM.
To me, it seems to offer very high levels of security and anonymity.
Does anyone else have any views on this software? - it can be accessed
via github https://github.com/jlund/streisand.

entr0py

Sep 6, 2016, 3:29:00 PM
to amadaus, qubes...@googlegroups.com
amadaus:
I wasn't aware of streisand before you mentioned it.

Normally, I would suggest that the best method for setting up a personal VPN, is to set up a personal VPN. Even for pure novices, there are many comprehensive, user-friendly guides that will set you up with a secure configuration. (Digitalocean & Linode have nice tutorials, like this one: https://www.linode.com/docs/networking/vpn/set-up-a-hardened-openvpn-server). In the process, you can also learn about firewalls, authentication, services, etc.

On the other hand, there's definitely a place for turnkey solutions with safe defaults. It's a shame though that the streisand installer is currently not able to selectively install services (https://github.com/jlund/streisand/issues/23). The security best practice of only enabling needed services to minimize attack surface is overshadowed by usability concerns. A full streisand install consists of "L2TP/IPsec, OpenConnect, OpenSSH, OpenVPN, Shadowsocks, sslh, Stunnel, and a Tor bridge" plus a webserver!

If you connect to a VPS anonymously, one nice advantage of using an out-of-the-box preconfigured solution is that it may give you a measure of deniability. Certainly more than you would get by applying your own unique iptables rules + comments in Swahili that would fingerprint you as sysadmin.

Seems like streisand is a project worth following. Plus it's important to remember that its purpose is to configure a censorship circumvention server, not provide network security and/or anonymity. Unless bypassing censorship is your only goal, IMO its services should be used before and/or after Tor. (and obviously, not both on the same server).
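The attack-surface point raised in the post above, shown as an added example that is not part of the thread or of the Streisand project: a small audit that parses `ss -tulnpH` output and reports every non-loopback listener outside an allowlist. The sample output, process names, ports other than 636, and the `ALLOWED` policy are constructed assumptions and do not describe Streisand's actual port layout.

```python
import re

# Constructed sample of `ss -tulnpH` output (not captured from a real host).
SAMPLE_SS = """\
tcp   LISTEN 0 128  0.0.0.0:22     0.0.0.0:*  users:(("sshd",pid=612,fd=3))
tcp   LISTEN 0 32   0.0.0.0:636    0.0.0.0:*  users:(("openvpn",pid=701,fd=6))
tcp   LISTEN 0 128  0.0.0.0:443    0.0.0.0:*  users:(("sslh",pid=733,fd=4))
tcp   LISTEN 0 128  127.0.0.1:9050 0.0.0.0:*  users:(("tor",pid=802,fd=7))
udp   UNCONN 0 0    0.0.0.0:500    0.0.0.0:*  users:(("charon",pid=845,fd=12))
tcp   LISTEN 0 128  [::]:80        [::]:*     users:(("nginx",pid=910,fd=8))
"""

# Hypothetical policy: the only services this operator actually needs exposed.
ALLOWED = {("tcp", 22), ("tcp", 636)}

PROC_RE = re.compile(r'users:\(\("([^"]+)"')
LOOPBACK_PREFIXES = ("127.", "::1")


def parse_listeners(ss_output):
    """Turn `ss -tulnpH` lines into dicts with proto, addr, port and process."""
    listeners = []
    for line in ss_output.splitlines():
        fields = line.split()
        if len(fields) < 6:
            continue  # blank or malformed line
        proto, local = fields[0], fields[4]
        # rpartition handles both 0.0.0.0:22 and [::]:80
        addr, _, port = local.rpartition(":")
        if not port.isdigit():
            continue
        match = PROC_RE.search(line)
        listeners.append({
            "proto": proto,
            "addr": addr.strip("[]"),
            "port": int(port),
            "proc": match.group(1) if match else "?",  # "?" when run without root
        })
    return listeners


def unexpected(listeners, allowed):
    """Listeners reachable from outside the host that the policy does not list."""
    return [l for l in listeners
            if (l["proto"], l["port"]) not in allowed
            and not l["addr"].startswith(LOOPBACK_PREFIXES)]


if __name__ == "__main__":
    for l in unexpected(parse_listeners(SAMPLE_SS), ALLOWED):
        print(f'{l["proto"]}/{l["port"]} on {l["addr"]} ({l["proc"]}) is not in the allowlist')
```

Each reported listener is a service to disable or firewall off if it is not needed; loopback-only sockets are skipped because they are not reachable from the network.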

Connor Page

Sep 7, 2016, 9:08:16 AM
to qubes-users
agree, when I looked at it some time ago I could not imagine why I would need all of that. too large an attack surface for my taste. however, I did investigate what individual elements are capable of and borrowed some ideas, like using port 636 and tls-auth for openvpn.

jkitt

Sep 8, 2016, 5:08:13 AM
to qubes-users
On Wednesday, 7 September 2016 14:08:16 UTC+1, Connor Page wrote:
> agree, when I looked at it some time ago I could not imagine why I would need all of that. too large an attack surface for my taste. however, I did investigate what individual elements are capable of and borrowed some ideas, like using port 636 and tls-auth for openvpn.

Why specifically that port?

Connor Page

Sep 8, 2016, 6:09:51 AM
to qubes-users
it's on the front page:
"All software runs on ports that have been deliberately chosen to make simplistic port blocking unrealistic without causing massive collateral damage. OpenVPN, for example, does not run on its default port of 1194, but instead uses port 636, the standard port for LDAP/SSL connections that are beloved by companies worldwide."