Streisand is a good idea, but I don't believe users want 500 services running on their VPN gateway. Most of these protocols require a specific client, like OpenVPN.
This is a 'kitchen sink' collection.
TrailOfBits released their ansible scripts for strongSwan, which has sensible secure defaults (IPSec using AES-GCM only).
They are calling the project algo.
For anyone about to try out algo – I assume it's great if you are using AWS or DigitalOcean, but if you're self hosting, or have an unsupported VPS, I've had nothing but trouble getting it up and running. I am most certainly to blame, but just a heads up.
Ironic that a project to do automated installation of packages on a remote machine has two pages of manual installation instructions for prerequisites on the command machine, before it can be run.
It's install git, pip, ansible, some python libraries, and download the script. It's two pages because they support a lot of operating systems on a lot of vps providers.
I thought you were being snarky, but I went and had a look and I see what you mean there; other than installing ansible, it seems like that could just be another role as well.
It almost seems ironic to me to run a personal privacy-protecting server in a cloud VM. If you assume that the "agencies" have access to the "clouds," whether directly through backdoors or through moles, don't you have to assume that they could crawl VMs, detect ones like this that are virtually identical, and automatically install rootkits in them? Or just monitor them by reading memory through the hypervisor? How would you even know if the hypervisor were compromised?
That's why they go the extra length not to be caught. Even if they wanted to alert a user that he's monitored, wouldn't a national security letter come with a gag order forbidding this?
We're talking ISPs here, not state actors. If an individual catches the full attention of the NSA, there's not all that much they can do to defend their privacy.
Please don't fall for marketing wording, there's no "cloud". It's called a data center. Choose a data center where the authority you want protection from does not have access, outside of US if you want to prevent your data from being among those sold by ISPs.
As usual it depends on the threat model you want to protect from and if you are a high profile target there's not much you can do against a nation state.
This is the Mossad argument on cryptography... if your adversary is Mossad, they'll just rubber-hose cryptanalysis you; if your adversary is not Mossad, a proxy is good enough.
Here's a similar playbook more focused around self-hosting common services like email, calendars, contacts in addition to a VPN: https://github.com/sovereign/sovereign
I don't know Ansible very well... is it possible to install only a subset (namely, the VPN service you plan to actually use)? It seems like a large attack surface to have every VPN software possible running on the machine.
Comment out any roles you don't want with a # at the beginning of the line; YAML is very picky about syntax.
comment edit: Think of roles in ansible like building blocks or common chores you can apply to any server. It might be nice to not have so much stuff by default, but this tool isn't meant for complete technical novices, so it is expected (in my opinion) that you go in and prune anything out you don't want/need. What is nice is that you have lots of options and if you ever need to add a role you can just uncomment it and re-run the playbook.
I think you'd typically want to use tags [0] for controlling which portions of an ansible playbook run, for a one-off set of tasks like this. This one in particular isn't set up to work that way though.
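The two approaches in the replies above (commenting out roles vs. selecting them with tags) in one playbook, as an added illustration that is not part of the Streisand or algo projects; the role names, inventory group and file name are hypothetical:

```yaml
# site.yml (hypothetical) - one role per service, each carrying its own tag,
# so a single play can install just the VPN you actually intend to use.
- hosts: vpn_gateway        # inventory group name is an assumption
  become: true
  roles:
    # Tagging a role applies that tag to every task inside it.
    - role: common          # hardening, firewall, unattended upgrades
      tags: [common, always]   # "always" runs even when --tags selects others
    - role: openvpn
      tags: [openvpn]
    - role: strongswan
      tags: [strongswan, ipsec]
    # Approach 1: leave a service out entirely by commenting its role block.
    # Keep the indentation of both lines identical or YAML will reject the list.
    # - role: shadowsocks
    #   tags: [shadowsocks]
    # - role: tor_bridge
    #   tags: [tor]

# Approach 2: keep the file intact and pick roles at run time.
#   ansible-playbook -i hosts site.yml --tags openvpn
#       -> runs "common" (tagged always) and "openvpn" only
#   ansible-playbook -i hosts site.yml --skip-tags shadowsocks,tor
#       -> everything except the two extra proxies
#   ansible-playbook -i hosts site.yml --list-tags
#       -> prints the tag set so you can verify nothing unexpected is selected
```

With --tags, every untagged task is skipped, so tasks that must always run (firewall, updates) need the "always" tag or they silently disappear from the run.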
I'm using algo (https://github.com/trailofbits/algo) on an AWS instance, easy to set up and provides configuration across devices. Did find my iPhone struggling to use data sometimes when connecting to the VPN over the cell network. Can always disable that feature though.
Depends. The OpenVPN role will generate five clients; however, the server is configured to allow certificate re-use, so effectively unlimited (for OpenVPN at least).
Streisand is a very, very good idea -- unfortunately it simply doesn't work at present. I've tried using it on AWS and Google Cloud and neither option works whether I run it natively on Ansible under OSX or on Ansible under Vagrant.
It is very cleanly implemented though -- nicely implemented playbooks (I write Ansible professionally so I can actually say that).
TrailOfBits released their ansible scripts for strongSwan, which has sensible secure defaults (IPSec using AES-GCM only). They are calling the project algo.
https://github.com/trailofbits/algo