Run Your Own VPN Server for Privacy, Security, and Anti-Censorship

Published on April 16th, 2023


Twenty twenty-three is a weird year. Twitter is imploding, censorship is on the rise, and the internet is an increasingly uncertain place. In a world where online privacy and security are more important than ever, the Streisand gateway server project still stands out as a robust and capable utility for security, privacy, and fighting censorship. After successfully setting up a Streisand gateway server on a RackNerd virtual machine, I wanted to share what worked, as an attempt to keep this project usable in 2023. I started poking around at Streisand after reading a Gist titled "Don't use VPN services," which makes valid points about commercial VPN services:

  • Because a VPN is nothing more than a glorified proxy, the provider can see all your traffic, and do with it whatever they want - including log all of it
  • There is no way to actually verify that your VPN provider isn't logging your activity
  • It is in a VPN provider's best interest to log their users - it lets them deflect blame to the customer should any blame ever come their way. The $5 - $10 per month that you're paying for VPN services doesn't even pay for their lawyer's coffee, so expect them to diligently log for the sake of liability
  • (Some) VPN services are essentially cash grabs, in that a company could simply set up a website, deploy OpenVPN nodes on a few servers, and start reselling what is essentially marked-up bandwidth

So what are you to do, if you're security and privacy minded? This is addressed succinctly:

If you absolutely need a VPN, and you understand what its limitations are, purchase a VPS and set up your own (either using something like Streisand or manually).

What is the Streisand Project?

Streisand is an open-source project that sets up a new privacy gateway server packed with a whole host of privacy-flavored goodies: OpenConnect, OpenSSH, OpenVPN, Shadowsocks, sslh, Stunnel, a Tor bridge, and WireGuard. When it finishes, it also generates a custom set of HTML instructions that can be shared.

Streisand is important because of this simple claim:

If you have an account with a cloud computing provider, Streisand can set up a new node with many censorship-resistant VPN services nearly automatically. You'll need a little experience with a Unix command-line. (But without Streisand, it could take days for a skilled Unix administrator to configure these services securely!) At the end, you'll have a private website with software and instructions.

It's a pretty remarkable feat of engineering, as well as a pretty incredible tool for fighting censorship and information blockades. If you're curious, here's what a sample Streisand server looks like.

Setting Up Your Own Streisand Server in 2023

Finally, the fun part.

1. Prerequisites

A few things before we get started:

  • SSH keys (required; generated on your local machine)
  • IP address (required; the address of your host VM)
  • Domain name (optional; needed if you want a Let's Encrypt TLS certificate)

SSH Keys

SSH keys are generated on the machine you log in from, so now is the time to run ssh-keygen on your local machine; ssh-keygen -t ed25519 gives you a modern key pair with no size or curve parameters to get wrong. Before going further, install the public half on the server: the single line in your .pub file goes into ~/.ssh/authorized_keys on the server (ssh-copy-id does this for you), with ~/.ssh at mode 700 and authorized_keys at mode 600. With StrictModes (the default) sshd ignores the file if it or the directory is writable by other users. The Streisand installer will later ask for the path to the matching private key on your local machine.
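The key installation described above as a script, added here as an example (it is not code from the post or from the Streisand project). It assumes a Linux host running OpenSSH; the key line used in the demo is constructed and is not a real key.

```shell
#!/usr/bin/env bash
# Added example, not from the post or from Streisand: generate a key pair
# locally and install the public half the way sshd expects it (one line in
# ~/.ssh/authorized_keys, .ssh at 700, the file at 600).
set -eu

# Run this on your LOCAL machine. ed25519 has no key-size or curve choices to
# get wrong; -a 100 slows brute force of the passphrase; -C is only a label.
generate_key() {
  ssh-keygen -t ed25519 -a 100 -C "streisand-$(date +%Y-%m-%d)" -f "$1"
}

# Print the permission string of a path, e.g. "drwx------" or "-rw-------".
mode_of() {
  ls -ld "$1" | cut -c1-10
}

# Install the line in a .pub file ($1) into $2/.ssh/authorized_keys.
# Refuses anything that is not an OpenSSH public key (a pasted private key,
# an empty file), skips duplicates, and sets the modes StrictModes requires.
install_pubkey() {
  local pub="$1" home="$2" line keydir authkeys
  line=$(head -n 1 "$pub")
  case "$line" in
    "ssh-ed25519 "*|"ssh-rsa "*|"ecdsa-sha2-nistp"*|"sk-"*) ;;
    *) echo "refusing: $pub does not start with an OpenSSH key type" >&2; return 1 ;;
  esac
  keydir="$home/.ssh"
  authkeys="$keydir/authorized_keys"
  mkdir -p "$keydir"
  chmod 700 "$keydir"       # sshd skips the file if .ssh is group/world writable
  touch "$authkeys"
  chmod 600 "$authkeys"
  if grep -qxF -- "$line" "$authkeys"; then
    echo "already present in $authkeys"
    return 0
  fi
  printf '%s\n' "$line" >> "$authkeys"
  echo "installed into $authkeys"
}

# Post-install check: returns 1 if either mode is not what sshd wants.
check_modes() {
  [ "$(mode_of "$1/.ssh")" = "drwx------" ] &&
  [ "$(mode_of "$1/.ssh/authorized_keys")" = "-rw-------" ]
}

# Stand-alone demo on a throwaway directory with a constructed (not real) key.
demo_home=$(mktemp -d)
trap 'rm -rf "$demo_home"' EXIT
printf 'ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIConstructedExampleKeyNotReal user@laptop\n' > "$demo_home/id_ed25519.pub"
install_pubkey "$demo_home/id_ed25519.pub" "$demo_home"
install_pubkey "$demo_home/id_ed25519.pub" "$demo_home"   # second call is a no-op
check_modes "$demo_home" && echo "modes ok"
```

On the real server you would run install_pubkey with the .pub you copied up and the account's home directory (usually $HOME), then confirm you can log in with the key before disabling password authentication.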

IP Address: RackNerd KVM VM

I purchased a small, extremely cost-effective VM for a year from RackNerd. I chose RackNerd due to their pricing and positive reviews on Reddit and LowEndTalk. This provided me with an IP address which I could use for a domain name.

Promotional disclosure: I am in no way affiliated with, nor am I paid to endorse nor promote RackNerd. If you do decide that you would like to use RackNerd's services, you can support me by using this link to help me receive a small commission on the referral: RackNerd 1GB KVM VPS - $13/Year

My VM came with Ubuntu 18.04 by default, but the Streisand installation instructions specifically call for Ubuntu 16.04. This is easily sorted by going into the VM management dashboard, choosing Reinstall, and picking the Ubuntu 16.04 image; it takes about 5-10 minutes depending on your machine's resources. Be aware that Ubuntu 16.04 reached the end of standard support in April 2021, so the base OS receives no further security updates unless you enable Ubuntu's extended security maintenance; a server you expose to the internet and route your traffic through needs a plan for that.

Domain Name

I happened to have an unused domain name lying around that I repointed at my new VM. This is completely optional, but it is nice: providing a fully qualified domain name during the install lets Streisand request a TLS certificate from Let's Encrypt on your behalf. Create an A record for the domain pointing at your VM's external IP address, and make sure it has propagated before you run the installer, since Let's Encrypt validates the name by connecting to it.

2. Bootstrapping Streisand

First we'll need to run through a few steps to configure our environment and satisfy some Ansible requirements. SSH into your VM and follow these steps:

  1. Install the packages the bootstrap itself needs:
sudo apt-get install git python3 python3-venv
  2. Clone the Streisand repo and enter the directory:
git clone https://github.com/StreisandEffect/streisand.git && cd streisand
  3. Run the dependency installer, which creates a Python virtualenv and installs Ansible into it:
./util/venv-dependencies.sh ./venv
  4. The script checks for required system packages and, if any are missing, prints "Setup will fail without these packages. To install them:" followed by a command. Copy everything after that line and run it.
  5. Now we'll need to make small edits to the code in two places (source), and replace one public key file in two locations (source):
    1. Code changes:
      • nano -c ~/streisand/util/venv-dependencies.sh
        edit line 253 to: our_pip_install --upgrade 'pip < 21.0'
        (pip 21.0 dropped support for Python 3.5, which is what Ubuntu 16.04 ships, so this pins the last pip series that still installs there)
      • nano -c ~/streisand/playbooks/roles/gpg/tasks/main.yml
        edit line 88 to: when: False
        (this skips the task that line belongs to entirely; read the task before you change it so you know what you are turning off)
    2. Key update: download the updated openvpn_signing.key and use it to overwrite the file of the same name in the following locations:
      • ~/streisand/playbooks/roles/openvpn/files/openvpn_signing.key
      • ~/streisand/playbooks/roles/test-client/files/openvpn_signing.key
        This key is what verifies the OpenVPN packages the playbook installs, so check it before trusting it: gpg --with-fingerprint openvpn_signing.key prints its fingerprint, which should match the one OpenVPN publishes for its package repository.
  6. Run the dependency installer again; this time it should report "Found all critical packages." This step takes a few minutes, depending on your server configuration.
./util/venv-dependencies.sh ./venv
  7. If things were successful, you'll get the message "All dependencies installed into ./venv." with some additional instructions. Activate the virtualenv it created:
source ./venv/bin/activate
  8. Run the Streisand installer script:
./streisand
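The bootstrap steps above as a script, added here as an example (not code from the post or from the Streisand repository). It adds two guards the manual version lacks: each line edit refuses to run unless the target line still contains the text it expects, and the replacement signing key is checked against a checksum you obtained out of band before it is copied into the repo. The expected substrings ("our_pip_install", "when:"), the KEY_URL and KEY_SHA256 values, and the constructed YAML line in the demo are assumptions; fill in the key values after checking the key yourself with gpg --with-fingerprint.

```shell
#!/usr/bin/env bash
# Added example, not from the post or the Streisand repository: the manual
# bootstrap as a script, with guards around the two line edits and the key swap.
set -eu

# Replace line $2 of file $1 with $3, but only if that line still contains $4
# (assumed substrings; if upstream moved the code this refuses instead of
# clobbering the wrong line). Leading whitespace is kept, which YAML needs.
patch_line() {
  local file="$1" n="$2" new="$3" expect="$4" cur
  cur=$(sed -n "${n}p" "$file")
  case "$cur" in
    *"$expect"*) ;;
    *) echo "refusing: $file line $n does not contain '$expect' (is: '$cur')" >&2; return 1 ;;
  esac
  awk -v n="$n" -v new="$new" \
    'NR == n { match($0, /^[ \t]*/); print substr($0, 1, RLENGTH) new; next } { print }' \
    "$file" > "$file.tmp"
  mv "$file.tmp" "$file"
}

# Compare a file against a SHA-256 you obtained out of band; returns 1 on mismatch.
verify_sha256() {
  local file="$1" expect="$2" got
  if command -v sha256sum >/dev/null 2>&1; then
    got=$(sha256sum "$file" | awk '{ print $1 }')
  else
    got=$(shasum -a 256 "$file" | awk '{ print $1 }')
  fi
  [ "$got" = "$expect" ]
}

# The bootstrap itself; needs apt, network access and sudo, so it only runs
# when invoked as "./bootstrap.sh run". Every step is safe to repeat.
bootstrap() {
  local key_url="$1" key_sha256="$2" key
  sudo apt-get install -y git python3 python3-venv
  [ -d streisand ] || git clone https://github.com/StreisandEffect/streisand.git
  cd streisand
  patch_line util/venv-dependencies.sh 253 "our_pip_install --upgrade 'pip < 21.0'" "our_pip_install"
  patch_line playbooks/roles/gpg/tasks/main.yml 88 "when: False" "when:"
  key=$(mktemp)
  curl -fsSL -o "$key" "$key_url"
  if ! verify_sha256 "$key" "$key_sha256"; then
    echo "openvpn_signing.key does not match the checksum you verified; not installing it" >&2
    return 1
  fi
  cp "$key" playbooks/roles/openvpn/files/openvpn_signing.key
  cp "$key" playbooks/roles/test-client/files/openvpn_signing.key
  # Stops and lists any missing system packages: install them with the apt-get
  # line it prints, then run this script again.
  ./util/venv-dependencies.sh ./venv
  echo "dependencies installed; now run: source ./venv/bin/activate && ./streisand"
}

# Quick offline demonstration of the edit guard on a constructed YAML line.
demo=$(mktemp)
printf '  when: ansible_os_family == "Debian"\n' > "$demo"
patch_line "$demo" 1 "when: False" "when:" && cat "$demo"
patch_line "$demo" 1 "when: False" "something-else" || echo "guard refused, as intended"
rm -f "$demo"

if [ "${1:-}" = "run" ]; then
  bootstrap "${KEY_URL:?set KEY_URL to where you fetched openvpn_signing.key}" \
            "${KEY_SHA256:?set KEY_SHA256 to the checksum of the key you verified}"
fi
```

A checksum pins the bytes you reviewed; it is not a substitute for comparing the key's fingerprint with the one OpenVPN publishes, which is what tells you the bytes are worth trusting in the first place.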

3. Installing Streisand

If you see the S T R E I S A N D terminal header block the installer has kicked off. Walk through the installer as follows:

  • What provider are you using? 7: localhost (Advanced)
  • Enter "streisand" to continue
  • Press enter to customize the installation
  • Specify the correct location for your SSH private key
  • Specify how many VPN client profiles should be generated (default is 10)
  • Press enter to accept the defaults, except type no for "Enable WireGuard?"
  • If you have a fully qualified domain pointed at your VM, enter that at the prompt; otherwise press enter to skip
    • Same with the subsequent email question; skip if you skipped the previous fully qualified domain
  • W   a   i   t   💤   (about 12 minutes for me)

Finally, after a while we should get the happy message:

Server setup is complete. The `server.html` instructions file in the generated-docs folder is ready to give to friends, family members, and fellow activists. Press Enter to continue.:

Before we disconnect, grab the login credentials for the server's web interface. Note the name of the .html file from the success message and open it with nano ~/streisand/generated-docs/[server].html. Scroll all the way to the bottom and you'll find a username and password; record them somewhere safe. You can also cat ~/streisand/generated-docs/[server].html to print the file to your terminal and copy it elsewhere for safekeeping. Treat that file like the credentials it contains, since it is the same document you'll hand to anyone you give access to.

4. Using Streisand

Up and running! 🎉

I generally use the OpenVPN configuration profiles since they're the easiest to deploy. Keep track of the client profiles created during setup (10 by default), since each allows only one client to connect at a time. Your shiny new server comes complete with instructions on how to connect for each type of connection, and within each are detailed instructions per client device type.

Testing

At this point you should have a running VPN connection, and I like to validate it with ipleak.net, which does a great job of showing you exactly what your upstream network looks like: your public IP address and the DNS resolvers your queries actually reach. Run that site both outside and inside your new VPN connection; there should be zero overlap between the two sets of results. If your public IP is unchanged, your traffic isn't going through the tunnel at all. If the IP changed but a DNS server address appears in both results, your DNS is leaking outside the tunnel, which takes a few additional mitigation steps (forcing all name resolution through the VPN) before you're fully private.
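The inside/outside comparison above as a script, added here as an example (not code from the post, and not using ipleak.net). It assumes dig is installed and uses two well-known lookups: myip.opendns.com against an OpenDNS resolver returns your public address, and whoami.akamai.net returns the address of the resolver that asked on your behalf. The demo addresses are constructed from the documentation ranges.

```shell
#!/usr/bin/env bash
# Added example, not from the post: scriptable VPN/DNS leak check. Collect the
# addresses that identify your upstream network once off-VPN and once on-VPN,
# then look for anything present in both.
set -eu

# Public IP as seen from outside, then the resolver(s) your DNS queries reach.
# Needs network access and dig; capture to a file in each state.
collect_addresses() {
  dig +short myip.opendns.com @resolver1.opendns.com
  dig +short whoami.akamai.net
}

# Given two files of addresses (one per line), print any that appear in both
# and return 1 if there are any. Overlap means some traffic, DNS included,
# still leaves by the same path as before the tunnel came up.
leak_overlap() {
  local a b overlap
  a=$(mktemp); b=$(mktemp)
  sort -u "$1" > "$a"
  sort -u "$2" > "$b"
  overlap=$(comm -12 "$a" "$b")
  rm -f "$a" "$b"
  [ -z "$overlap" ] && return 0
  printf '%s\n' "$overlap"
  return 1
}

# Stand-alone demo with constructed samples: the public IP changes, but the
# resolver 203.0.113.53 answers both off- and on-VPN, i.e. DNS is leaking.
demo=$(mktemp -d)
trap 'rm -rf "$demo"' EXIT
printf '203.0.113.7\n203.0.113.53\n' > "$demo/outside.txt"
printf '198.51.100.9\n203.0.113.53\n' > "$demo/inside.txt"
if leak_overlap "$demo/outside.txt" "$demo/inside.txt"; then
  echo "no overlap: traffic and DNS both go through the VPN"
else
  echo "LEAK: the addresses above are visible in both states"
fi
```

Real use is collect_addresses > outside.txt before connecting, collect_addresses > inside.txt after, then leak_overlap outside.txt inside.txt; a non-zero exit with one of your ISP's resolver addresses printed is the DNS leak the text describes.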

Conclusion

The Streisand gateway server project is an important tool for anyone looking to take control of their online privacy and security. By setting up your own server, you can protect yourself against surveillance and circumvent censorship. If you take this project on, I'd love to hear about it.

This was not only a great learning experience, but I was able to achieve some recurring cost avoidance, and at the same time increased my OpSec hygiene. A rare, super nerdy win win win.


Huge nerd, hobby collector, happy husband & dad. The personal website of Mike Zarandona.


© 2024 Mike Zarandona