We've written about VPNs before, but the Streisand VPN, with a supposedly easy installation process, has caught our eye.
The results are clear: Streisand VPN is one of the easiest VPS+VPN installations we've found. It's much easier than OpenVPN, and only the Outline VPN is easier to install, depending on your particular needs.
In the following tutorial, you'll learn how to set up the Streisand VPN on a new Ubuntu 16.04 VPS in a matter of minutes (plus a handful more for Ansible).
Prerequisites to install Streisand VPN
On your VPS:
- A brand-new Ubuntu 16.04 installation—this means either just purchased and provisioned, or reinstalled using the dashboard.
On your local machine:
- A BSD, Linux, or OS X system (no Windows support)
- A working SSH key at ;
~/.ssh/id_rsa.pub - Git
- The
pippackage management system for Python—see here for installation instructions - Ansible—see our Ansible tutorial or the official documentation for more details
Step 1. Copying your SSH key to the bare server
We've covered SSH keys at length in other tutorials, but we'll quickly walk through the steps here again.
In order for Streisand VPN to communicate with your server through Ansible, it needs to use public key authentication rather than passwords. We'll create a private key on our local machine, and then copy the public key to the VPS to enable this connection.
If you don't have an SSH key yet
Simply create a new SSH key using the ssh-keygen command:
$ ssh-keygen -t rsa
When asked where to save the key, just hit Enter—we want the default location in this case.
Whether or not you enter a passphrase is entirely up to you—they can be blank—but we recommend a strong, secure passphrase to improve the integrity of your server if your private key was ever exposed.
Now that you have an SSH key, or if you had one already
Now that we're all on the same page with an SSH key, let's quickly copy that over to the server in question.
$ ssh-copy-id root@IP_ADDRESS
You can double-check that the SSH key is working by establishing an ssh connection. If you connect either automatically (if no passphrase), or after you've entered your passphrase, then you know your key is working.
Step 2. Getting the Streisand repository
Before we get started, we need to set up our local environment to allow the Streisand VPN installer to run correctly.
Remember: The following instructions are to be completed on your local machine, not the VPS.
First, download the Streisand github repository and cd into it.
$ git clone https://github.com/jlund/streisand.git && cd streisand
At this point, all you need to do is run the ./streisand command, which will chain into all the Ansible tasks that need to be run.
$ ./streisand
S T R E I S A N D
Which provider are you using?
1. Amazon
2. Azure
3. DigitalOcean
4. Google
5. Linode
6. Rackspace
7. Localhost (Advanced)
8. Existing Server (Advanced)
After typing in 8 and then hitting Enter, the command will ask for the IP address of the server you're installing Streisand on. You'll then see the following—one last warning to let you know that installing Streisand will override any existing configurations with impunity.
THIS WILL OVERWRITE CONFIGURATION ON THE EXISTING SERVER.
STREISAND ASSUMES ███.███.███.█ IS A BRAND NEW UBUNTU INSTANCE AND WILL
NOT PRESERVE EXISTING CONFIGURATION OR DATA.
ARE YOU 100% SURE THAT YOU WISH TO CONTINUE?
Please enter the word 'streisand' to continue:
If all goes well, the installer will take off, and you'll see lots of output from Ansible as it installs and configures the applications that make up the Streisand core.
Troubleshooting
Seeing this error: Permission denied (publickey,password)? I had the same issue the first time I tried installing Streisand on a brand new server. After some investigation, I discovered that, apparently, Streisand doesn't allow you to input your passphrase when it invokes an ssh connection, leading to the rejected connection.
I discovered a workaround in the way that most systems keep passphrase-protected SSH keys open for a short period of time after being unlocked for ease of use. We can utilize this feature by first connecting to the server in question and unlocking our key with the passphrase.
ssh root@IP_ADDRESS
Immediately after, you should re-run the ./streisand command, and it should work.
If it doesn't, you might want to look into ssh-agent or whatever keychain your OS comes with.
Step 3. Connecting to your new Streisand VPN server
With any luck, the actual Streisand installation went smoothly, and you'll see the following output.
[streisand-gateway : Success!]
Server setup is complete. The HOSTNAME.html instructions file in the generated-docs folder is ready to give to friends, family members, and fellow activists. Press Enter to continue.:
Hit Enter and then check out the generated-docs folder.
cd generated-docs
Open the HOSTNAME.html file in your browser of choice, and you'll see extensive directions on how to download the SSL certificate that will allow you to connect to your new Streisand VPN server. Follow the instructions according to your operating system or browser of choice—while you can only install Streisand from a Linux/OS X system, you can certainly connect to your existing Streisand server from a Windows machine.
Once you have the certificate installed, you can access your server via your IP address and the username/password combination that's generated. There's also a Tor/.onion link available for those who want to use that protocol instead of HTTPS.
After entering your username and unique password, you'll see documentation on how to connect to the various services enabled. The really cool thing about Streisand's documentation is that it's completely customized to your server's IP address. There are built-in instructions for OpenVPN, L2TP/IPsec, Wireguard, Tor, and more.
Final thoughts on the Streisand VPN
Personally, I was able to get an OpenVPN connection running in just about 5 minutes after connecting to the Streisand server and following the customized instructions.
As far as I can tell, that makes Streisand the easiest path to a VPN out there right now, solving much of the complexity of installing OpenVPN manually or struggling with the likes of Algo. We hope you agree! Let us know about your VPN success stories in the comments.
A note about tutorials: We encourage our users to try out tutorials, but they aren't fully supported by our team—we can't always provide support when things go wrong. Be sure to check which OS and version it was tested with before you proceed.
If you want a fully managed experience, with dedicated support for any application you might want to run, contact us for more information.
