This repository has been archived by the owner on Jun 4, 2021. It is now read-only.
Merge branch 'master' into streisand_ipv6
nopdotcom committed Mar 16, 2019
2 parents f852d33 + 0b901f7 commit 07b36af
Showing 15 changed files with 290 additions and 283 deletions.
44 changes: 44 additions & 0 deletions Advanced installation.md
@@ -0,0 +1,44 @@
# Advanced installation

### Running Streisand to Provision Localhost ###

If you can not run Streisand in the normal manner (running from your client home machine/laptop to configure a remote server) Streisand supports a local provisioning mode. Simply choose "Localhost (Advanced)" from the menu after running `./streisand`.

**Note:** Running Streisand against localhost can be a destructive action! You will be potentially overwriting configuration files and must be certain that you are affecting the correct machine.

### Running Streisand on Other Providers ###

You can also run Streisand on a new Ubuntu 16.04 server. Dedicated hardware? Great! Esoteric cloud provider? Awesome! To do so, simply choose "Existing Server (Advanced)" from the menu after running `./streisand` and provide the IP address of the existing server when prompted.

The server must be accessible using the `$HOME/.ssh/id_rsa` SSH Key, and **root** is used as the connecting user by default. If your provider requires you to SSH with a different user than root (e.g. `ubuntu`) specify the `ANSIBLE_SSH_USER` environmental variable (e.g. `ANSIBLE_SSH_USER=ubuntu`) when you run `./streisand`.

**Note:** Running Streisand against an existing server can be a destructive action! You will be potentially overwriting configuration files and must be certain that you are affecting the correct machine.

### Noninteractive Deployment ###

Alternative scripts and configuration file examples are provided for
noninteractive deployment, in which all of the required information is passed
on the command line or in a configuration file.

Example configuration files are found under `global_vars/noninteractive`. Copy
and edit the desired parameters, such as providing API tokens and other choices,
and then run the appropriate script.

To deploy a new Streisand server:

deploy/streisand-new-cloud-server.sh \
--provider digitalocean \
--site-config global_vars/noninteractive/digitalocean-site.yml

To run the Streisand provisioning on the local machine:

deploy/streisand-local.sh \
--site-config global_vars/noninteractive/local-site.yml

To run the Streisand provisioning against an existing server:

deploy/streisand-existing-cloud-server.sh \
--ip-address 10.10.10.10 \
--ssh-user root \
--site-config global_vars/noninteractive/digitalocean-site.yml
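Review bot: the existing-server example at the end of the hunk passes `--site-config global_vars/noninteractive/digitalocean-site.yml`, the same provider-specific file used in the new-cloud-server example, while the localhost example gets its own `local-site.yml`; confirm that a DigitalOcean site config is really the intended input for an arbitrary existing server, or point at a provider-neutral example under `global_vars/noninteractive` if one exists. The three multi-line commands are also not in code fences (unlike the inline `./streisand` references above them), so the backslash continuations may render as plain prose; a fenced block would keep them copy-pasteable. Since both `--ssh-user root` and the `ANSIBLE_SSH_USER` paragraph default to root, it is worth saying in this section too that the target's root account must already accept the `$HOME/.ssh/id_rsa` key, as the interactive "Other Providers" paragraph states.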

22 changes: 22 additions & 0 deletions Features.md
@@ -0,0 +1,22 @@
# Features

* A single command sets up a brand new Ubuntu 16.04 server running a [wide variety of anti-censorship software](#services-provided) that can completely mask and encrypt all of your Internet traffic.
* Streisand natively supports the creation of new servers at [Amazon EC2](https://aws.amazon.com/ec2/), [Azure](https://azure.microsoft.com), [DigitalOcean](https://www.digitalocean.com/), [Google Compute Engine](https://cloud.google.com/compute/), [Linode](https://www.linode.com/), and [Rackspace](https://www.rackspace.com/)—with more providers coming soon! It also runs on any Ubuntu 16.04 server regardless of provider, and **hundreds** of instances can be configured simultaneously using this method.
* The process is completely automated and only takes about ten minutes, which is pretty awesome when you consider that it would require the average system administrator several days of frustration to set up even a small subset of what Streisand offers in its out-of-the-box configuration.
* Once your Streisand server is running, you can give the custom connection instructions to friends, family members, and fellow activists. The connection instructions contain an embedded copy of the server's unique SSL certificate, so you only have to send them a single file.
* Each server is entirely self-contained and comes with absolutely everything that users need to get started, including cryptographically verified mirrors of all common clients. This renders any attempted censorship of default download locations completely ineffective.
* But wait, there's more...

More Features
-------------
* Nginx powers a password-protected and encrypted Gateway that serves as the starting point for new users. The Gateway is accessible over SSL, or as a Tor [hidden service](https://www.torproject.org/docs/hidden-services.html.en).
* Beautiful, custom, step-by-step client configuration instructions are generated for each new server that Streisand creates. Users can quickly access these instructions through any web browser. The instructions are responsive and look fantastic on mobile phones.
* The integrity of mirrored software is ensured using SHA-256 checksums, or by verifying GPG signatures if the project provides them. This protects users from downloading corrupted files.
* All ancillary files, such as OpenVPN configuration profiles, are also available via the Gateway.
* Current Tor users can take advantage of the additional services Streisand sets up in order to transfer large files or to handle other traffic (e.g. BitTorrent) that isn't appropriate for the Tor network.
* A unique password, SSL certificate, and SSL private key are generated for each Streisand Gateway. The Gateway instructions and certificate are transferred via SSH at the conclusion of Streisand's execution.
* Distinct services and multiple daemons provide an enormous amount of flexibility. If one connection method gets blocked there are numerous options available, most of which are resistant to Deep Packet Inspection.
* All of the connection methods (including direct OpenVPN connections) are effective against the type of blocking Turkey has been experimenting with.
* OpenConnect/AnyConnect, OpenSSH, OpenVPN (wrapped in stunnel), Shadowsocks, Tor (with obfsproxy and the obfs4 pluggable transport), and WireGuard are all currently effective against China's Great Firewall.
* Every task has been thoroughly documented and given a detailed description. Streisand is simultaneously the most complete HOWTO in existence for the setup of all of the software it installs, and also the antidote for ever having to do any of this by hand again.
* All software runs on ports that have been deliberately chosen to make simplistic port blocking unrealistic without causing massive collateral damage. OpenVPN, for example, does not run on its default port of 1194, but instead uses port 636, the standard port for LDAP/SSL connections that are beloved by companies worldwide.
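Review bot: the first bullet links to `#services-provided`, but no heading by that name exists anywhere in this 22-line file, so the anchor is dead now that the text lives in Features.md instead of the README; either add the section here or make it a cross-file link. The blocking claims ("currently effective against China's Great Firewall", "the type of blocking Turkey has been experimenting with") are time-sensitive and carry no date; an as-of date, or a pointer to where that status is tracked, would stop them from going stale silently. The port-636 bullet correctly scopes its benefit to "simplistic port blocking"; since an earlier bullet makes a separate Deep Packet Inspection claim, stating explicitly that port choice is not a DPI defence would keep readers from conflating the two.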
104 changes: 104 additions & 0 deletions Installation.md
@@ -0,0 +1,104 @@
# Installation

Please read all installation instructions **carefully** before proceeding.

If you're an expert, and installing on a cloud provider Streisand doesn't support, make sure to read [the advanced installation instructions](Advanced%20installation.md).

## Important: definitions ##
Streisand is based on [Ansible](https://www.ansible.com/), an automation tool that is typically used to provision and configure files and packages on remote servers. Streisand automatically sets up **another server** with the VPN packages and configuration. We call the machine that sets up the Streisand server the *builder*. Think of the builder as "a place to stand."

* If you don't have a suitable builder machine, you could set up another cloud server to use as your builder. That means you'd have two cloud servers at the end — the builder, and your fresh new Streisand *server*. When you're done with the builder, make sure you download the *builder's* `streisand` directory — very important to keep the contents of that directory! — you could delete the *builder* cloud server.)

* Although it's not recommended, sometimes you can use a fresh server as both the builder and the server. See the [the advanced installation instructions](Advanced%20installation.md).

## Prerequisites ##

The Streisand builder requires a Linux, macOS, or BSD system.

* Using native Windows as a builder is not supported, but Ubuntu on the [Windows Subsystem For Linux (WSL)](https://docs.microsoft.com/en-us/windows/wsl/faq) should work. ([Ubuntu install link on Microsoft Store](https://www.microsoft.com/en-us/p/ubuntu-1804-lts/9n9tngvndl3q))

Complete all of these tasks on your local machine. All of the commands should be run inside a command-line session.

### SSH key

Make sure an SSH public key is present in `~/.ssh/id_rsa.pub`.

* SSH keys are a more secure alternative to passwords that allow you to prove your identity to a server or service built on public key cryptography. The public key is something that you can give to others, whereas the private key should be kept secret (like a password).

To check if you already have an SSH public key, enter the following command at a command prompt:

```
ls ~/.ssh
```

If you see an `id_rsa.pub` file, then you have an SSH public key. If you do not have an SSH key pair, you can generate one by using this command and following the defaults:

```
ssh-keygen
```

If you'd like to use an SSH key with a different name or from a non-standard location, please enter *yes* when asked if you'd like to customize your instance during installation.

* **Please note**: You will need these keys to access your Streisand instance over SSH. Please keep `~/.ssh/id_rsa` and `~/.ssh/id_rsa.pub` for the lifetime of the Streisand server.


## Bootstrap ##

Install the bootstrap packages: Git, and `pip` for Python 2.7. (Streisand still requires Python 2.7.) Some environments need additional packages.

Here's how to set up these packages:

* On Debian and Ubuntu:

```
sudo apt-get install git python-pip
```

* On Fedora 27, some additional packages are needed later:

```
sudo dnf install git python2-pip gcc python2-devel \
python2-crypto python2-pycurl libcurl-devel
```

* On CentOS 7, `pip` is available from the EPEL repository; some additional packages are needed later:

```
sudo yum -y update && sudo yum install -y epel-release
sudo yum -y update && sudo yum install -y \
git gcc python-devel python-crypto python-pycurl \
python-pip libcurl-devel
```

* On macOS, `git` is part of the Developer Tools, and it will be installed the first time you run it. If there isn't already a `pip` command installed, install it with:

```
sudo python2.7 -m ensurepip
```


## Execution ##

1. Clone the Streisand repository and enter the directory.

git clone https://github.com/StreisandEffect/streisand.git && cd streisand

1. Run the installer for Ansible and its dependencies. The installer will detect missing packages, and print the commands needed to install them.

./util/venv-dependencies.sh ./venv
1. Activate the Ansible packages that were installed.

source ./venv/bin/activate

1. Execute the Streisand script.

./streisand
1. Follow the prompts to choose your provider, the physical region for the server, and its name. You will also be asked to enter API information.
1. Once login information and API keys are entered, Streisand will begin spinning up a new remote server.
1. Wait for the setup to complete (this usually takes around ten minutes) and look for the corresponding files in the `generated-docs` folder in the Streisand repository directory. The HTML file will explain how to connect to the Gateway over SSL, or via the Tor hidden service. All instructions, files, mirrored clients, and keys for the new server can then be found on the Gateway. You are all done!

## Keep the results!

You should keep a copy of the `generated-docs` directory for the life of the server.

Remember to save your `~/.ssh/id_rsa` and `~/.ssh/id_rsa.pub` SSH keys too. You'll need them in case you want to troubleshoot or perform maintenance on your server later.
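Review bot: in "Important: definitions" the first bullet ends with a stray closing parenthesis (`...you could delete the *builder* cloud server.)`) that has no opener, and the sentence before it runs two instructions together through dash asides; splitting it into "download the builder's `streisand` directory first; after that you can delete the builder server" reads cleaner. The second bullet has a doubled article ("See the [the advanced installation instructions]"). In the Execution list, the `./util/venv-dependencies.sh ./venv` and `./streisand` command lines are followed immediately by the next `1.` item with no blank line, unlike the `git clone` step, so they may not render as indented code. The Bootstrap section states that Streisand still requires Python 2.7; 2.7 reaches end-of-life in January 2020, and the Fedora and CentOS package lists already have to pick the `python2-`/`python-` variants explicitly, so flagging the dependency as a known limitation (with a link to any Python 3 tracking issue) would set expectations. Finally, the SSH-key section could say that the same `~/.ssh/id_rsa` is what Streisand uses for root access to the new server, so the private key's passphrase and file permissions are what protect the whole deployment; "Keep the results!" touches on this only in terms of not losing the key.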

0 comments on commit 07b36af