Streisand - setting up a secure, private and totally free VPN

Posted by: Greg Harvey, Dec 5th, 2016

A couple of weeks ago I tweeted that someone should make an Amazon Web Services (AWS) Amazon Machine Image (AMI) that allows people to automatically spin up a VPN on the AWS free tier.

Cryptography expert, Kenn White, replied to me and said they sort of have (his words) in so far as there are two projects he's aware of which provide Ansible scripts for automatically building a VPN in the public cloud:

Since, for British people particularly, this is a very relevant topic - and the masses are stuck paying for really bad VPNs or left with no real option - I decided to give them both a try and see if either, or both, represent a real easy win for the home user who needs a VPN. How easy are these open source builders for the general public to use?

Well to start with, I'd say neither project is for the absolute beginner. They make things as simple as possible, and someone who doesn't mind rolling their sleeves up and digging in, with a little help from Google (and hopefully this blog), can probably get this working, but it's not for someone who can barely find their browser! You will need a *nix-like operating system (Linux, FreeBSD, Mac OSX, etc.) and you will have to use the command line. Gulp!

That said, if you have an ounce of computer "nouse", bear with me!

Update: Free? Really??

In response to a comment I've decided, before we get started, to tackle the "free" bit. So is it free? Well, yes and no, here are some clarifications on that:

The software is all absolutely, completely free and open source. AWS, however, is more complex. To qualify for the AWS Free Tier you need to have a brand new AWS account. If you do have a brand new account, you qualify for 12 months only and after that you will pay. Also, you have 750 hours a month of free EC2 usage, which is enough to run one server all the time, no more. You also only have 15GB of data per month so if you think you'll use more than that, you'll pay for any overage.

So it is free, for new accounts, for the first year, provided you only run one instance and your usage is not too heavy. What happens when it's not free? To give you an idea, here are some cost estimates. I've assumed 20GB a month of usage and a single t2.micro instance in eu-west-1 running a free community AMI:

  • EC2 instance (the server) is $0.012/hr x 730 hours (approx. in a month) = $9.49
  • EBS (the disk) is $0.11/GB x 8GB disk (per month) = $0.88
  • Data transfer (bandwidth) is $0.01 x 20GB (per month) = $0.20

So without the benefit of the Free Tier, a reasonably light home-use VPN would cost you $10.57 (USD) each month. Even heavy users wouldn't pay much over $11, mind you, as most of the cost is data transfer, at $0.01 per GB, which is very cheap.

And far be it from me to suggest someone might make use of Google address aliasing and create a new AWS account each year with mymail+2016@gmail.com, mymail+2017@gmail.com, etc. That would be wrong. ;-)

It's worth noting that Streisand also supports the following providers (prices are shown inline, worked out on the same model as above and correct at time of writing), though none of them offers a free first year:

  • DigitalOcean ($10/month)
  • Linode ($10/month)
  • Google Cloud ($14.32/month)
  • Rackspace Cloud ($25.76/month)

So it's probably not worth switching from AWS, even when your free tier lapses. It's already down there with the cheapest options.

Getting set up locally

If you have a Mac, or you're already a Linux user, you may feel smug at this point and skip on to the next section. If you're a Windows user, then your first issue is that you do not have a *nix-like system to work from. This is a bit of a pain if you do not want to wipe a computer to install Linux just to try a VPN building script. You have a couple of options:

Use a virtual machine

A simple way to get yourself a Linux machine is virtualisation (run a computer inside your computer). If you have a good computer (with at least 8GB of RAM) then you can install Oracle VirtualBox (which is a free and tried and tested virtualisation platform for Windows desktops) and create a virtual machine to install Linux on.

VirtualBox has good documentation, so there's no sense in me repeating that. I personally use Fedora for my Linux workstation, so if you want to stick with my instructions I advise you do the same. Here is an excellent video that walks you through getting a Fedora workstation running on VirtualBox.

Use a live USB

A live USB lets you install and use Linux temporarily, without wiping the installed operating system of your computer. Linux will run entirely on the USB stick for as long as you need it and when you switch your computer off and on again, everything will be back to normal. UNetbootin is probably the simplest way to get going with a Fedora live USB, and they have instructions here in the Fedora wiki.

Why not a public cloud VM?

Let's be realistic here, if you're not at all used to Linux, you are not about to start learning to operate with a terminal alone, setting up your own SSH keys, and so on. It's too steep a learning curve. And if you buy (or get free on the AWS free tier) a Linux server "ready to go" you will not have a desktop environment. Just a terminal. So I don't think that approach is realistic for most people.

So, on with the show!

Getting an AWS account

You probably already have an account with Amazon for online shopping, which means you're almost there. Unless you want to create a whole separate account just for this, you can go to the AWS home page and simply log in with your usual Amazon credentials. It will ask you for some details, it will ask you for a credit card (in case you accidentally or deliberately consume some paid-for services) and it will want to confirm your telephone number by phoning you and getting you to enter a code, so have your phone handy.

The only other thing you now need to do, so Streisand can create a server for you and run all the configuration it needs to, is create an AWS user for it to use (AWS call this an IAM User). Log in to your console, click Services and select IAM, as shown here:

Go to the IAM section.

Click on Users on the left-hand menu and then you should have an Add User button at the top of the page. Click that and you should see the first page of the user creation process, which looks like this:

Creating a new user.

Note, you only need to enter a username and check the Programmatic Access box, as shown. Then click the Next: Permissions button in the bottom right corner. On the next screen you need to click the Attach Existing Policies Directly button, as shown here:

Add existing IAM policies.

In the resulting window there is a search box. Type "Admin" in that box to reduce the list and check the box next to the policy called AdministratorAccess, as shown:

Select the AdministratorAccess policy.

Note, this gives this new IAM user full permissions to do everything. For most purposes this is fine. Streisand does not need all these permissions, but it saves you picking through selecting the ones it does need when, we presume for the purposes of this post, you are only using this AWS account for your VPN anyway!

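Click Next and you're through to the final screen. Be sure to click the Download .csv button and keep the document somewhere safe and secure: it holds the Access Key ID and Secret Access Key for a user that has full permissions on your AWS account. You will need it later and possibly in the future as well.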

Download your user details.

Click Close and we're all set!

Algo

I won't dwell too long on Algo. I tried it first, because on the face of it it seemed the more simple option of the two. It has fewer moving parts and usually simplest is best. The documentation is a little light, I hit a few undocumented issues getting the scripts running, but once I got there it was fine. It ran and set up an IPSec VPN on an Amazon EC2 instance, however:

  • it created a non-free-tier VM, which was irritating! (update - apparently a fix is already being worked on)
  • while good instruction is provided for a lot of platforms, configuring this kind of IPSec VPN with Linux proved extremely fiddly - I tried for a few hours and gave up.

So, Algo: installed fine (more or less) but after hours of fighting, spitting and swearing I still had not managed to make a workstation connect to the provided VPN. So at this point I decided to try Streisand.

Update - Kenn White got back to me regarding Algo with some noteworthy points, specifically:

Linux users might try the "Road Warrior" client for IPSec, it might make life easier (I haven't had chance to try yet).

Algo creates a profile for Android and iOS which, if downloaded and enabled, forces all net traffic through IPSec.

At some future point I will have another go at Algo with a Linux workstation, I didn't bother this time because the whole purpose was to get something up and running fast and prove it's easy. And Algo wasn't, at time of writing, for Linux workstation users.

Streisand

It's important to note that both Streisand and Algo are predominantly designed to run on your computer and orchestrate a virtual server on the cloud platform of your choice (in our case, the AWS free tier). At this point, if you're on a Mac or Linux machine you can just follow the instructions in the Streisand documentation for getting set up. If you're on a Windows PC, now is the time to jump into your virtual machine, or boot up from your live USB.

But before you do that, Mac users should do a little revising on the Terminal with this short blog. Linux users mostly know how to find Terminal, but if you're running most Linux desktops these days, just hit the Windows key and start typing "terminal" and up it will pop. Just click it to open it:

Start your terminals, please!

Installing Streisand

In your *nix system? Got your terminal open? Good! So let's get started with the prerequisites:

https://github.com/jlund/streisand#prerequisites

For Fedora I have to say all this stuff just worked first time, I didn't have to fix up anything. I hope the same is true of Macs, but I have no way of testing. One thing to note, the documentation says the install program is yum but that is no longer the case. So you need to swap yum for dnf in Fedora commands, but otherwise it's fine.

So to quickly recap the relevant commands for Fedora, you would do this in your terminal (copy and paste is fine) - I should note we're assuming you don't have an SSH key pair here too - if you do, careful not to overwrite anything you need! Just say yes or accept defaults to all these:

ssh-keygen
sudo dnf install git python-pip
sudo pip install ansible markupsafe boto

And that's it (for Fedora, at least). Assuming you got no errors (and I didn't on Fedora 24) we've just:

  • generated an SSH key pair;
  • installed Git (version control system for getting the Streisand code down on to our computer);
  • installed PIP (an installation framework for the Python scripting language);
  • used PIP to install Ansible (which we need to run the Streisand scripts);
  • used PIP to install 'boto' (which is an AWS connector so Streisand can automatically create our machine and associated services).
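
If a key pair already exists, ssh-keygen asks "Overwrite (y/n)?", and answering yes replaces the old key for good. The wrapper below is an added example, not taken from the Streisand documentation: it refuses to touch existing key material and only then calls ssh-keygen. The name ensure_ssh_key is made up for illustration, and the default path assumes the standard location ssh-keygen uses for an RSA key.

```sh
#!/bin/sh
# Added example: create the SSH key pair only when none exists yet.
# ensure_ssh_key is an illustrative name; the default path assumes the
# standard location ssh-keygen uses for an RSA key.

# ensure_ssh_key [PRIVATE_KEY_PATH]
#   0 = new key pair created
#   1 = directory setup or ssh-keygen failed
#   2 = key material already present, nothing changed
ensure_ssh_key() {
    esk_key="${1:-$HOME/.ssh/id_rsa}"
    esk_dir="$(dirname "$esk_key")"

    if [ -e "$esk_key" ] || [ -e "$esk_key.pub" ]; then
        echo "Key material already exists at $esk_key, leaving it untouched." >&2
        # Print the fingerprint so you can tell which key this is.
        if [ -r "$esk_key.pub" ] && command -v ssh-keygen >/dev/null 2>&1; then
            ssh-keygen -l -f "$esk_key.pub" >&2 || true
        fi
        return 2
    fi

    # Keep the key directory private to your user.
    mkdir -p "$esk_dir" && chmod 700 "$esk_dir" || return 1

    # No -N option: ssh-keygen prompts for a passphrase (press Enter for none).
    ssh-keygen -t rsa -b 4096 -f "$esk_key" || return 1

    # Show the fingerprint of the key that was just created.
    ssh-keygen -l -f "$esk_key.pub"
}

# Runs only when asked to, e.g.:  sh ensure_key.sh --run
if [ "${1:-}" = "--run" ]; then
    ensure_ssh_key
fi
```

Run it in place of the bare ssh-keygen line; a return code of 2 means your existing key was kept as it was.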

Now Streisand itself:

https://github.com/jlund/streisand#execution

It's worth noting, I'm assuming you've just opened a terminal and not changed directory, in which case Streisand will be cloned into your Home directory, which is absolutely fine. In fact it really doesn't matter where you put Streisand, it is only some provisioning scripts, once you're finished you can even delete it entirely. The only thing you'll need from Streisand once you're done is the documentation it generated (see later).

Again, just to make life easier, I'll paste the commands here, this time valid for all systems - just copy and paste:

git clone https://github.com/jlund/streisand.git && cd streisand
./streisand

Running Streisand

Now the Streisand scripts will start to run. The first few questions are fairly straightforward, choose Amazon, pick your region (I used number 7, Dublin) and accept defaults for everything else:

Configuring Streisand, first steps.

At this point it wants to know our AWS Access Key ID. Remember that CSV file we downloaded earlier when we created our AWS IAM user? It was called credentials.csv and now's the time to find it and open it. You need to copy and paste the Access Key ID from there into Streisand, same goes for the next value, the Secret Access Key:

Configuring Streisand, enter AWS credentials.

And you're done. One more press of the Enter key and Streisand will start the orchestration process. Go make a coffee, this will take 10 minutes or so...

Using your VPN

This is where I think Streisand gets particularly cool. Assuming everything went smoothly (and I've no reason to believe it won't, from my testing), Streisand has created a 'generated-docs' folder where you checked it out from Git (normally a streisand folder in your Home folder) and within it are two HTML files with documentation for your setup:

-rw-rw-r--. 1 greg greg  6943 Dec  4 19:31 streisand-firewall-information.html
-rw-rw-r--. 1 greg greg 18877 Dec  4 19:31 streisand.html

Open streisand.html:

Open the configuration documents.

You should read the instructions carefully with regard to trusting the provided SSL certificate on your computer before you proceed. This is important: if you're connecting in an Internet café or some other public space, you need to know that you are not being subjected to a man in the middle (MITM) attack. Once you have installed the certificate you can jump down to the link to the SSL site and continue:

Scroll down to SSL site instructions.

Open the VPN instructions website.

If you see something like this, you did not correctly install the SSL certificate, please back up and try again:

Deal with the SSL certificate warnings.
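
A certificate warning is also the point at which to confirm you are talking to your own server. The script below is an added example, not part of the original post or of Streisand: it compares the SHA-256 fingerprint of the certificate you were given with the one the server actually presents. It assumes that certificate is the server's own, saved as a PEM file, and a Linux system with base64, sha256sum and (for the live check) the openssl command; the file name and address in the usage comment are placeholders.

```sh
#!/bin/sh
# Added example: compare the certificate you were told to trust with the
# certificate the server really presents.

# pem_sha256: SHA-256 fingerprint of the first certificate in a PEM stream
# on stdin. The fingerprint is the hash of the DER bytes, i.e. the decoded
# base64 body between the BEGIN/END lines. Returns 1 if no certificate found.
pem_sha256() {
    pem_body="$(awk '/-----BEGIN CERTIFICATE-----/ {on=1; next}
                     /-----END CERTIFICATE-----/   {exit}
                     on {gsub(/[ \t\r]/, ""); printf "%s", $0}')"
    [ -n "$pem_body" ] || return 1
    printf '%s' "$pem_body" | base64 -d | sha256sum | cut -d' ' -f1
}

# certs_match LOCAL_PEM
# Reads the presented certificate (plain PEM or raw `openssl s_client`
# output) on stdin.
#   0 = same certificate
#   1 = different certificate: do not install it or click through
#   2 = one side could not be read
certs_match() {
    want="$(pem_sha256 < "$1")" || return 2
    seen="$(pem_sha256)" || return 2
    echo "expected:  $want" >&2
    echo "presented: $seen" >&2
    [ "$want" = "$seen" ]
}

# check_server_cert LOCAL_PEM HOST [PORT]
# Live check: fetch the certificate from the server and compare it.
check_server_cert() {
    openssl s_client -connect "$2:${3:-443}" </dev/null 2>/dev/null |
        certs_match "$1"
}

# Usage (placeholders):  sh check_cert.sh ./server-cert.pem SERVER_ADDRESS 443
if [ "$#" -ge 2 ]; then
    check_server_cert "$@"
fi
```

An exit status of 1 on an untrusted network means something other than your server answered, which is exactly the case the warning page exists to catch.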

Otherwise, just continue to the main site and enter the username and password from the page before, where you'll find...

Et voila, the documentation for all your VPN needs!

Fabulous! All my instructions for any platform you can shake a stick at!

In summary

I can see why Algo went for IPSec only, and indeed, Dan explains the reasoning in the readme, however it's just too high a bar for even reasonably experienced users. If anything goes wrong, IPSec is just too fiddly and complicated to debug unless you're a professional network engineer!

Streisand also offers an IPSec option, but it offers various other options too. I haven't tried all of them, but in my Fedora workstation I went direct for the Cisco AnyConnect / OpenConnect VPN and set up my NetworkManager connection following the provided instructions, and it worked perfectly and immediately. Larger attack surface? Maybe. More complexity when it comes to updates as well, though you can always blow your VM away and run Streisand again - which I'd recommend anyway if you're not up to doing Linux updates on your VPN server. Nevertheless, the fact you have multiple fallback options and, thus far, everything I've tried works perfectly, is just great.

Perhaps best of all, Streisand auto-generates such comprehensive and clear documentation, for any platform you might need, that it really is easy for VPN users - once set up - to interact with it.

So if you want a secure, easy to use and free VPN, AWS free tier + Streisand is my recommendation.
