Streisand VPN tutorial: How to install and configure
The furor over new legislation rising through various governments around the world that would make it easier and more profitable for ISPs to monitor user traffic has faded some, but the importance many see in protecting their browsing habits hasn’t. We’ve written about VPNs before, but the Streisand VPN, with a supposedly easy installation process, has caught our eye.
The results are clear: Streisand VPN is one of the easiest VPS+VPN installations we’ve found. It’s much easier than OpenVPN, and only the Outline VPN is easier to install, depending on your particular needs.
In the following tutorial, you’ll learn how to set up the Streisand VPN on a new Ubuntu 16.04 VPS in a matter of minutes (plus a handful more for Ansible).
On your VPS:
- A brand-new Ubuntu 16.04 installation—this means either just purchased and provisioned, or reinstalled using the dashboard.
On your local machine:
- A BSD, Linux, or OS X system (no Windows support)
- A working SSH key at ;
- The pip package management system for Python—see here for installation instructions
- Ansible—see our Ansible tutorial or the official documentation for more details
Step 1. Copying your SSH key to the bare server
We’ve covered SSH keys at length in other tutorials, but we’ll quickly walk through the steps here again.
In order for Streisand to communicate with your server through Ansible, it needs to use public key authentication rather than passwords. We’ll create a private key on our local machine, and then copy the public key to the VPS to enable this connection.
If you don’t have an SSH key yet
Simply create a new SSH key using the following command:
ssh-keygen -t rsa
When asked where to save the key, just hit Enter—we want the default location in this case.
Whether or not you enter a passphrase is entirely up to you—it can be blank—but we recommend a strong, secure passphrase so that your server stays protected if your private key is ever exposed.
Now that you have an SSH key, or if you had one already
Now that we’re all on the same page with an SSH key, let’s quickly copy that over to the server in question.
ssh-copy-id USER@IP_ADDRESS
You can double-check that the SSH key is working by establishing an ssh connection. If you connect either automatically (if no passphrase), or after you’ve entered your passphrase, then you know your key is working.
Step 2. Getting the Streisand repository
Before we get started, we need to set up our local environment to allow the Streisand installer to run correctly.
Remember: The following instructions are to be completed on your local machine, not the VPS.
First, download the Streisand git repository and cd into it.
git clone https://github.com/jlund/streisand.git && cd streisand
At this point, all you need to do is run the ./streisand command, which will chain into all the Ansible tasks that need to be run.
$ ./streisand
S T R E I S A N D
Which provider are you using?
  1. Amazon
  2. Azure
  3. DigitalOcean
  4. Google
  5. Linode
  6. Rackspace
  7. Localhost (Advanced)
  8. Existing Server (Advanced)
After typing in 8 and then hitting Enter, the command will ask for the IP address of the server you’re installing Streisand on. You’ll then see the following—one last warning to let you know that installing Streisand will overwrite any existing configuration on the server without preserving it.
THIS WILL OVERWRITE CONFIGURATION ON THE EXISTING SERVER.
STREISAND ASSUMES ███.███.███.█ IS A BRAND NEW UBUNTU INSTANCE AND WILL NOT PRESERVE EXISTING CONFIGURATION OR DATA.
ARE YOU 100% SURE THAT YOU WISH TO CONTINUE?
Please enter the word 'streisand' to continue:
If all goes well, the installer will take off, and you’ll see lots of output from Ansible as it installs and configures the applications that make up the Streisand core.
Seeing this error: Permission denied (publickey,password)? I had the same issue the first time I tried installing Streisand on a brand new server. After some investigation, I discovered that, apparently, Streisand doesn’t allow you to input your passphrase when it invokes an ssh connection, leading to the rejected connection.
I discovered a workaround in the way that most systems keep passphrase-protected SSH keys open for a short period of time after being unlocked for ease of use. We can utilize this feature by first connecting to the server in question and unlocking our key with the passphrase.
ssh USER@IP_ADDRESS
Immediately after, you should re-run the ./streisand command, and it should work.
If it doesn’t, you might want to look into ssh-agent or whatever keychain your OS comes with.
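As an added example (not part of the original tutorial or of the Streisand project), this pre-flight script checks that your key is loaded in ssh-agent and that a login with no prompts succeeds before you run ./streisand. The script and function names are hypothetical, and the public key path and USER@IP_ADDRESS target are arguments you supply.

```shell
#!/bin/sh
# Added example: pre-flight check to run before ./streisand.
# Usage: sh preflight.sh /path/to/key.pub USER@IP_ADDRESS
# (script name, function names and both arguments are assumptions)

# Return 0 if fingerprint $1 is the second field of any line in $2,
# where $2 is the text printed by `ssh-add -l`.
agent_lists_fp() {
    printf '%s\n' "$2" |
        awk -v fp="$1" '$2 == fp { found = 1 } END { exit !found }'
}

# Check that the key is loaded in ssh-agent, then that a login with
# no prompts of any kind succeeds.
preflight() {
    key_pub=$1
    target=$2
    # `ssh-keygen -lf` prints: <bits> <fingerprint> <comment> (<type>)
    fp=$(ssh-keygen -lf "$key_pub" 2>/dev/null | awk '{ print $2 }')
    if [ -z "$fp" ]; then
        echo "cannot read public key: $key_pub" >&2
        return 2
    fi
    # `ssh-add -l` fails when no agent is reachable or it holds no keys.
    loaded=$(ssh-add -l 2>/dev/null) || loaded=""
    if ! agent_lists_fp "$fp" "$loaded"; then
        echo "key $fp is not loaded; unlock it with: ssh-add ${key_pub%.pub}" >&2
        return 1
    fi
    # BatchMode=yes makes ssh fail instead of asking for a passphrase or
    # password, the situation the tutorial describes for the installer.
    if ! ssh -o BatchMode=yes -o ConnectTimeout=10 "$target" true; then
        echo "prompt-free login to $target failed" >&2
        return 1
    fi
    echo "ok: $target accepts $fp without prompting"
}

# Run the check only when both arguments are given.
if [ "$#" -eq 2 ]; then
    preflight "$1" "$2"
fi
```

A non-zero exit status means the installer would hit the same Permission denied error; load the key with ssh-add and run the check again.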
Step 3. Connecting to your new Streisand-enabled server
With any luck, the actual Streisand installation went smoothly, and you’ll see the following output.
[streisand-gateway : Success!]
Server setup is complete. The `HOSTNAME.html` instructions file in the generated-docs folder is ready to give to friends, family members, and fellow activists.
Press Enter to continue.:
Press Enter and then check out the HOSTNAME.html file in your browser of choice, and you’ll see extensive directions on how to download the SSL certificate that will allow you to connect to your new Streisand server. Follow the instructions according to your operating system or browser of choice—while you can only install Streisand from a Linux/OS X system, you can certainly connect to your existing Streisand server from a Windows machine.
Once you have the certificate installed, you can access your server via your IP address and the username/password combination that’s generated. There’s also a Tor/.onion link available for those who want to use that protocol instead of HTTPS.
After entering your username and unique password, you’ll see documentation on how to connect to the various services enabled. The really cool thing about Streisand’s documentation is that it’s completely customized to your server’s IP address. There are built-in instructions for OpenVPN, L2TP/IPsec, WireGuard, Tor, and more.
Final thoughts on the Streisand VPN
Personally, I was able to get an OpenVPN connection running in just about 5 minutes after connecting to the Streisand server and following the customized instructions. As far as I can tell, that makes Streisand the easiest path to a VPN out there right now, solving much of the complexity of installing OpenVPN manually or struggling with the likes of Algo. We hope you agree! Let us know about your VPN success stories in the comments.