Prerequisites:
On your VPS:
- A brand-new Ubuntu 16.04 installation—this means either just purchased and provisioned, or reinstalled using the dashboard.
On your local machine:
- A BSD, Linux, or OS X system (no Windows support)
- A working SSH key at ~/.ssh/id_rsa.pub
- Git
- The pip package management system for Python—see here for installation instructions
- Ansible
Step 1. Copying your SSH key to the bare server
We’ve covered SSH keys at length in other tutorials, but we’ll quickly walk through the steps here again.
In order for Streisand VPN to communicate with your server through Ansible, it needs to use public key authentication rather than passwords. We’ll create a private key on our local machine, and then copy the public key to the VPS to enable this connection.
Don’t have an SSH key?
Simply create a new SSH key using the ssh-keygen command:
$ ssh-keygen -t rsa
When asked where to save the key, just hit Enter—we want the default location in this case.
Whether or not you enter a passphrase is entirely up to you (it can be blank), but we recommend a strong passphrase so that your server stays protected if your private key is ever exposed.
Now that you have an SSH key, or if you had one already
Now that we’re all on the same page with an SSH key, let’s quickly copy that over to the server in question.
$ ssh-copy-id root@IP_ADDRESS
You can double-check that the SSH key is working by establishing an ssh connection. If you connect either automatically (if no passphrase), or after you’ve entered your passphrase, then you know your key is working.
Step 2. Getting the Streisand repository
Before we get started, we need to set up our local environment to allow the Streisand VPN installer to run correctly.
Remember: The following instructions are to be completed on your local machine, not the VPS.
First, clone the Streisand GitHub repository and cd into it.
$ git clone https://github.com/jlund/streisand.git && cd streisand
At this point, all you need to do is run the ./streisand command, which will chain into all the Ansible tasks that need to be run.
$ ./streisand

S T R E I S A N D

Which provider are you using?
  1. Amazon
  2. Azure
  3. DigitalOcean
  4. Google
  5. Linode
  6. Rackspace
  7. Localhost (Advanced)
  8. Existing Server (Advanced)
After typing in 8 and then hitting Enter, the command will ask for the IP address of the server you’re installing Streisand on. You’ll then see the following: one last warning that installing Streisand will overwrite any existing configuration on the server.
THIS WILL OVERWRITE CONFIGURATION ON THE EXISTING SERVER.
STREISAND ASSUMES ███.███.███.█ IS A BRAND NEW UBUNTU INSTANCE AND WILL NOT PRESERVE EXISTING CONFIGURATION OR DATA.
ARE YOU 100% SURE THAT YOU WISH TO CONTINUE?
Please enter the word 'streisand' to continue:
If all goes well, the installer will take off, and you’ll see lots of output from Ansible as it installs and configures the applications that make up the Streisand core.
Troubleshooting
Seeing this error: Permission denied (publickey,password)? I had the same issue the first time I tried installing Streisand on a brand new server. After some investigation, I discovered that, apparently, Streisand doesn’t allow you to input your passphrase when it invokes an ssh connection, leading to the rejected connection.
I discovered a workaround in the way that most systems keep passphrase-protected SSH keys open for a short period of time after being unlocked for ease of use. We can utilize this feature by first connecting to the server in question and unlocking our key with the passphrase.
$ ssh root@IP_ADDRESS
Immediately after, you should re-run the ./streisand command, and it should work.
If it doesn’t, you might want to look into ssh-agent or whatever keychain your OS comes with.
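One way to apply the ssh-agent suggestion above, as an added example that is not part of the original tutorial or of Streisand itself: load the key into the agent once, then confirm that a login succeeds with all prompts disabled, which is the condition the installer needs. The names `KEY`, `agent_has_key`, `key_fingerprint` and `preflight` are hypothetical, and the sample listing is constructed.

```shell
#!/bin/sh
# Added example (not Streisand code): check that key-based SSH works without
# any prompt, since the installer cannot ask for a key passphrase.

KEY="${KEY:-$HOME/.ssh/id_rsa}"   # assumption: default key location from Step 1

# Constructed sample of `ssh-add -l` output, for illustration only.
SAMPLE_LISTING='2048 SHA256:constructedFingerprintAAAA user@laptop (RSA)
256 SHA256:constructedFingerprintBBBB backup (ED25519)'

# agent_has_key LISTING FINGERPRINT
# Succeeds when FINGERPRINT is the second field of some line in LISTING.
agent_has_key() {
    [ -n "$2" ] || return 1       # an empty fingerprint never matches
    printf '%s\n' "$1" |
        awk -v fp="$2" '$2 == fp { found = 1 } END { exit !found }'
}

# key_fingerprint KEYFILE: print the fingerprint of KEYFILE.pub.
key_fingerprint() {
    ssh-keygen -lf "$1.pub" | awk '{ print $2 }'
}

# preflight HOST: make sure the agent holds $KEY, then try a prompt-free login.
preflight() {
    if [ -z "$SSH_AUTH_SOCK" ]; then
        echo 'No agent in this shell; run: eval "$(ssh-agent -s)"' >&2
        return 1
    fi
    fp=$(key_fingerprint "$KEY")
    [ -n "$fp" ] || { echo "Cannot read $KEY.pub" >&2; return 1; }
    listing=$(ssh-add -l 2>/dev/null || true)
    if ! agent_has_key "$listing" "$fp"; then
        ssh-add "$KEY" || return 1      # asks for the passphrase once
    fi
    # BatchMode=yes forbids password and passphrase prompts, so this only
    # succeeds if the agent can answer for the key.
    ssh -o BatchMode=yes -o ConnectTimeout=10 "root@$1" true
}
```

Source the file, run `preflight IP_ADDRESS`, and if it returns 0 start `./streisand` from that same shell so it inherits `SSH_AUTH_SOCK`.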
Step 3. Connecting to your new Streisand VPN server
With any luck, the actual Streisand installation went smoothly, and you’ll see the following output.
[streisand-gateway : Success!]
Server setup is complete. The `HOSTNAME.html` instructions file in the generated-docs folder is ready to give to friends, family members, and fellow activists.
Press Enter to continue.:
Hit Enter and then check out the generated-docs folder.
$ cd generated-docs
Open the HOSTNAME.html file in your browser of choice, and you’ll see extensive directions on how to download the SSL certificate that will allow you to connect to your new Streisand VPN server. Follow the instructions according to your operating system or browser of choice—while you can only install Streisand from a Linux/OS X system, you can certainly connect to your existing Streisand server from a Windows machine.
Once you have the certificate installed, you can access your server via your IP address and the username/password combination that’s generated. There’s also a Tor/.onion link available for those who want to use that protocol instead of HTTPS.
After entering your username and unique password, you’ll see documentation on how to connect to the various services enabled. The really cool thing about Streisand’s documentation is that it’s completely customized to your server’s IP address. There are built-in instructions for OpenVPN, L2TP/IPsec, WireGuard, Tor, and more.