Streisand: Silence censorship. Automate the effect.

rysiek rysiek at hackerspace.pl
Thu Jul 24 15:02:24 PDT 2014


So,

this has been floating in my vicinity lately:
https://github.com/jlund/streisand

Wonder what you wonderful people think of it.

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

The Internet can be a little unfair. It's way too easy for ISPs, telecoms,
politicians, and corporations to block access to the sites and information
that you care about. But breaking through these restrictions is tough. Or is
it?

Introducing Streisand

- A single command sets up a brand new server running a wide variety of
  anti-censorship software that can completely mask and encrypt all of your
  Internet traffic.
- Streisand natively supports the creation of new servers at Amazon EC2,
  DigitalOcean, Linode, and Rackspace, with more providers coming soon! It also
  runs on any Debian 7 server regardless of provider, and hundreds of instances
  can be configured simultaneously using this method.
- The process is completely automated and only takes about ten minutes,
  which is pretty awesome when you consider that it would require the average
  system administrator several days of frustration to set up even a small subset
  of what Streisand offers in its out-of-the-box configuration.
- Once your Streisand server is running, you can give the custom connection
  instructions to friends, family members, and fellow activists. The connection
  instructions contain an embedded copy of the server's unique SSL certificate,
  so you only have to send them a single file.
- Each server is entirely self-contained and comes with absolutely
  everything that users need to get started, including cryptographically
  verified mirrors of all common clients. This renders any attempted censorship
  of default download locations completely ineffective.
- But wait, there's more...

More Features

- Nginx powers a password-protected and encrypted Gateway that serves as the
  starting point for new users. The Gateway is accessible over SSL, or as a Tor
  hidden service.
    - Beautiful, custom, step-by-step client configuration instructions are
      generated for each new server that Streisand creates. Users can quickly
      access these instructions through any web browser. The instructions are
      responsive and look fantastic on mobile phones.
    - The integrity of mirrored software is ensured using SHA-256 checksums,
      or by verifying GPG signatures if the project provides them. This protects
      users from downloading corrupted files.
    - All ancillary files, such as OpenVPN configuration profiles, are also
      available via the Gateway.
    - Current Tor users can take advantage of the additional services
      Streisand sets up in order to transfer large files or to handle other
      traffic (e.g. BitTorrent) that isn't appropriate for the Tor network.
    - A unique password, SSL certificate, and SSL private key are generated
      for each Streisand Gateway. The Gateway instructions and certificate are
      transferred via SSH at the conclusion of Streisand's execution.
- Distinct services and multiple daemons provide an enormous amount of
  flexibility. If one connection method gets blocked there are numerous options
  available, most of which are resistant to Deep Packet Inspection.
    - All of the connection methods (including L2TP/IPsec and direct OpenVPN
      connections) are effective against the type of blocking Turkey has been
      experimenting with.
    - OpenSSH, OpenVPN (wrapped in stunnel), Shadowsocks, and Tor (with
      obfsproxy and the obfs3 or ScrambleSuit pluggable transports) are all
      currently effective against China's Great Firewall.
- Every task has been thoroughly documented and given a detailed
  description. Streisand is simultaneously the most complete HOWTO in existence
  for the setup of all of the software it installs, and also the antidote for
  ever having to do any of this by hand again.
- All software runs on ports that have been deliberately chosen to make
  simplistic port blocking unrealistic without causing massive collateral
  damage. OpenVPN, for example, does not run on its default port of 1194, but
  instead uses port 636, the standard port for LDAP/SSL connections that are
  beloved by companies worldwide.
    - L2TP/IPsec is a notable exception to this rule because the ports
      cannot be changed without breaking client compatibility.
- The IP addresses of connecting clients are never logged. There's nothing
  to find if a server gets seized or shut down.

Services Provided

- L2TP/IPsec using strongSwan and xl2tpd
    - A randomly chosen pre-shared key and password are generated.
    - Windows, OS X, Android, and iOS users can all connect using the native
      VPN support that is built into each operating system without installing
      any additional software.
    - Streisand does not install L2TP/IPsec on Amazon EC2 servers by default
      because the instances cannot bind directly to their public IP addresses,
      which makes IPsec routing nearly impossible.
- OpenSSH
    - An unprivileged forwarding user and SSH keypair are generated for
      sshuttle and SOCKS capabilities. Windows and Android SSH tunnels are also
      supported, and a copy of the keypair is exported in the .ppk format that
      PuTTY requires.
    - Tinyproxy is installed and bound to localhost. It can be accessed over
      an SSH tunnel by programs that do not natively support SOCKS and that
      require an HTTP proxy, such as Twitter for Android.
- OpenVPN
    - Self-contained "unified" .ovpn profiles are generated for easy client
      configuration using only a single file.
    - Multiple clients can easily share the same certificates and keys, but
      five separate sets are generated by default.
    - Client DNS resolution is handled via Dnsmasq to prevent DNS leaks.
    - TLS Authentication is enabled, which helps protect against active
      probing attacks. Traffic that does not have the proper HMAC is simply
      dropped.
    - The Dante proxy server is set up as a workaround for a bug in Firefox
      for Android.
- Shadowsocks
    - A QR code is generated that can be used to automatically configure the
      Android and iOS clients by simply taking a picture. You can tag '8.8.8.8'
      on that concrete wall, or you can glue the Shadowsocks instructions and
      some QR codes to it instead!
- Stunnel
    - Listens for and wraps OpenVPN connections. This makes them look like
      standard SSL traffic and allows OpenVPN clients to successfully establish
      tunnels even in the presence of Deep Packet Inspection.
    - Unified profiles for stunnel-wrapped OpenVPN connections are generated
      alongside the direct connection profiles. Detailed instructions are also
      generated.
    - The stunnel certificate and key are exported in PKCS #12 format so
      they are compatible with other SSL tunneling applications. Notably, this
      enables OpenVPN for Android to tunnel its traffic through SSLDroid.
      OpenVPN in China on a mobile device? Yes!
- Tor
    - A bridge relay is set up with a random nickname.
    - Obfsproxy is installed and configured, including support for the obfs3
      and ScrambleSuit pluggable transports.

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

-- 
Pozdr
rysiek
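The "TLS Authentication" item under OpenVPN in the quoted README describes OpenVPN's tls-auth behaviour: control-channel packets carry an HMAC computed with a static key that the client profile embeds, and any packet whose HMAC does not verify is dropped without a reply, which is what leaves an active prober nothing to fingerprint. The Python script below is an added illustration written for this post, not code from the Streisand project or from OpenVPN. It simulates that gate with HMAC-SHA1 (the digest OpenVPN uses for tls-auth by default) over a deliberately simplified packet layout; the key, the tag-plus-payload framing and the sample probe packets are constructed assumptions, not the real OpenVPN wire format.

```python
import hashlib
import hmac

# Constructed sample key standing in for the static 'ta.key' that a client
# profile embeds; NOT a real OpenVPN key or key format.
STATIC_KEY = bytes(range(32))
# OpenVPN's tls-auth uses the --auth digest, SHA1 by default: a 20-byte tag.
TAG_LEN = hashlib.sha1().digest_size


def seal(payload: bytes, key: bytes = STATIC_KEY) -> bytes:
    """Client side: prepend HMAC-SHA1(key, payload) to the payload.

    Simplified layout for illustration; real OpenVPN also covers the
    packet-id and opcode with the HMAC.
    """
    tag = hmac.new(key, payload, hashlib.sha1).digest()
    return tag + payload


def open_packet(packet: bytes, key: bytes = STATIC_KEY):
    """Server side: return the payload if the tag verifies, otherwise None.

    None means 'drop silently': no error, no reply, nothing a prober can use
    to tell this port apart from any other unresponsive one.
    """
    if len(packet) < TAG_LEN:
        return None
    tag, payload = packet[:TAG_LEN], packet[TAG_LEN:]
    expected = hmac.new(key, payload, hashlib.sha1).digest()
    # Constant-time comparison so timing does not leak how many tag bytes matched.
    if not hmac.compare_digest(tag, expected):
        return None
    return payload


def serve(packets, key: bytes = STATIC_KEY):
    """Process a batch of inbound packets the way the gate would.

    Returns (accepted payloads, replies sent, number dropped). Only verified
    packets ever produce a reply; everything else is counted and discarded.
    """
    accepted, replies, dropped = [], [], 0
    for pkt in packets:
        payload = open_packet(pkt, key)
        if payload is None:
            dropped += 1
            continue
        accepted.append(payload)
        replies.append(b"HARD_RESET_SERVER")  # stands in for OpenVPN's handshake reply
    return accepted, replies, dropped


def demo():
    """Constructed traffic mix: one real client plus three kinds of unauthenticated noise."""
    genuine = seal(b"HARD_RESET_CLIENT")                    # holds the shared key
    wrong_key = seal(b"HARD_RESET_CLIENT", b"\x00" * 32)    # prober guessing a key
    tampered = bytearray(genuine)
    tampered[-1] ^= 0x01                                    # on-path bit flip
    bare = b"HARD_RESET_CLIENT"                             # scanner sending no tag at all
    return serve([genuine, wrong_key, bytes(tampered), bare])


if __name__ == "__main__":
    accepted, replies, dropped = demo()
    print(f"accepted={len(accepted)} replies={len(replies)} dropped={dropped}")
```

The property worth noticing is that the three bad packets are indistinguishable from the server's side of the wire: each produces no reply and no log line, so a scan of port 636 sees the same silence whether it sends garbage, a guessed key, or a real-looking handshake. The same gate is what makes the "IP addresses are never logged" item above cheap to honour, since unauthenticated traffic never reaches any code that would have a reason to record it.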