This is the Dockerized Streisand for convenience.
- Step1: Download
chmod a+x ./sted && ./sted ssh-keypair-name
Input the accesskey and keypair name when it prompts and wait for ansible to do all the boring things for you！
Step3: Finally, use your browser to open the docs in ./docs/*.html and follow the instructions.
If you don't have an openssh keypair in advance, then you may check the auto-generated one in ./sshkey
- L2TP/IPsec using Libreswan and xl2tpd
- A randomly chosen pre-shared key and password are generated.
- Windows, OS X, Android, and iOS users can all connect using the native VPN support that is built into each operating system without installing any additional software.
- Monitors process health and automatically restarts services in the unlikely event that they crash or become unresponsive.
- An unprivileged forwarding user and SSH keypair are generated for sshuttle and SOCKS capabilities.
- Windows and Android SSH tunnels are also supported, and a copy of the keypair is exported in the .ppk format that PuTTY requires.
- Tinyproxy is installed and bound to localhost. It can be accessed over an SSH tunnel by programs that do not natively support SOCKS and that require an HTTP proxy, such as Twitter for Android.
- OpenConnect / Cisco AnyConnect
- OpenConnect (ocserv) is an extremely high-performance and lightweight VPN server that also features full compatibility with the official Cisco AnyConnect clients.
- The protocol is built on top of standards like HTTP, TLS, and DTLS, and it's one of the most popular and widely used VPN technologies among large multi-national corporations.
- This means that in addition to its ease-of-use and speed, OpenConnect is also highly resistant to censorship and is almost never blocked.
- Self-contained "unified" .ovpn profiles are generated for easy client configuration using only a single file.
- Both TCP and UDP connections are supported.
- Multiple clients can easily share the same certificates and keys, but five separate sets are generated by default.
- Client DNS resolution is handled via Dnsmasq to prevent DNS leaks.
- TLS Authentication is enabled which helps protect against active probing attacks. Traffic that does not have the proper HMAC is simply dropped.
- The high-performance libev variant is installed. This version is capable of handling thousands of simultaneous connections.
- A QR code is generated that can be used to automatically configure the Android and iOS clients by simply taking a picture. You can tag '188.8.131.52' on that concrete wall, or you can glue the Shadowsocks instructions and some QR codes to it instead!
- AEAD support is enabled using ChaCha20 and Poly1305 for enhanced security and improved GFW evasion.
- Sslh is a protocol demultiplexer that allows Nginx, OpenSSH, and OpenVPN to share port 443. This provides an alternative connection option and means that you can still route traffic via OpenSSH and OpenVPN even if you are on a restrictive network that blocks all access to non-HTTP ports.
- Listens for and wraps OpenVPN connections. This makes them look like standard SSL traffic and allows OpenVPN clients to successfully establish tunnels even in the presence of Deep Packet Inspection.
- Unified profiles for stunnel-wrapped OpenVPN connections are generated alongside the direct connection profiles. Detailed instructions are also generated.
- The stunnel certificate and key are exported in PKCS #12 format so they are compatible with other SSL tunneling applications. Notably, this enables OpenVPN for Android to tunnel its traffic through SSLDroid. OpenVPN in China on a mobile device? Yes!
- Firewall rules are configured for every service, and any traffic that is sent to an unauthorized port will be blocked.
- Your Streisand server is configured to automatically install new security updates.
- Linux users can take advantage of this next-gen, simple, kernel-based, state-of-the-art VPN that also happens to be ridiculously fast.
- In addition to the public-key crypto that WireGuard uses by default, a pre-shared key is also configured to help provide post-quantum resistance. Use the VPN of the future with an eye towards the future!