• Streisand is an open source DIY VPN solution that helps netizens bypass internet censorship
  • We tested Streisand in China using a 5$/ month Digital Ocean VPS server (San Francisco)
  • Most of the VPN protocols included in Streisand did not work in China.
  • However, Streisand worked decently well using the Shadowsocks protocol.

Internet Censorship in China

The internet is heavily censored in China, leaving most popular apps and websites inaccessible from within the mainland. Chinese internet users and foreign expats rely on the use of VPNs (virtual private networks) to bypass the “Great Firewall” internet filter.

Unfortunately, using a commercial VPN app can be costly and potentially a privacy concern for Chinese users as one can never be sure what data a VPN provider might give up to authorities.

DIY VPN Solutions

One way to ensure the privacy and security of your VPN is to self-host a VPN server yourself. This way you can be relatively certain that your traffic is not being logged or your VPN usage reported to governments. (Note: Your server provider could also be monitoring or logging your network behavior. Setting up a Raspberry Pi server at the home of a friend or family might mitigate this risk.)

Streisand: An Open Source DIY VPN Solution

Streisand is an open source DIY VPN solution that sets up a new server running your choice of VPN/ tunneling tools like

  • WireGuard,
  • OpenConnect,
  • OpenSSH,
  • OpenVPN,
  • Shadowsocks,
  • sslh,
  • Stunnel, or a Tor bridge.

It also generates custom instructions for all of these services. At the end of the run you are given an HTML file with instructions that can be shared with friends, family members, and fellow activists.

As daily VPN users and VPN connoisseurs based in China, we wanted to test Streisand to see if it could bypass the Great Firewall and its speed performance.

Installation and Setup

To install Streisand you will need either:

  • Ubuntu server, + macOS or Windows computer OR
  • Two Ubuntu servers.

Your main Ubuntu server (which will act as the VPN server) will need to be located outside of China in order to bypass censorship.

After downloading the package from Github you can follow the instructions on the official Streisand Github page to complete the installation.

During the installation, all the dependencies needed for Streisand to run will be displayed and you will need to run the commands provided to install them as seen below:

If you don’t have the API key for the listed services provided you can select the last option.

To install Streisand on an existing server, you will need to provide the IP address of your sever and make sure you have the SSH key needed to login on the server you provided with the correct name.

Install using Existing Server

Installing Streisand can take a long time. It took me more than an hour to setup with the default options / protocols:

  • OpenConnect/CiscoAnyConnect,
  • OpenVPN(direct),
  • OpenVPN(stunnel),
  • Shadowsocks,
  • SSH
  • WireGuard

After the installation is complete, you can access an information web page containing the login details to access the Streisand server (access by entering the IP address of your server in a browser URL bar). The files generated can be seen below

Accessing the generated docs which contain the password for the install server :

Testing Streisand Protocols and Clients

Anyconnect

iOS

Unable to use the Anyconnect iOS app see issue below:

https://github.com/StreisandEffect/streisand/issues/838

Windows

I was able to install the AnyConnect / OpenConnect client on my PC but unable to connect to the server because the password provided in the generated doc didn’t match the password for the server for some reason.

wps_2019-08-05_23-29-10

OpenVPN

OpenVPN can’t be used in China since OpenVPN traffic is easily detected by the Chinese firewall. You can’t even start it since the handshake between your device and the server always fails. This is why most basic VPN apps don’t work in China.

chrome_2019-08-05_23-39-36

OpenVPN (Stunnel)

This protocol uses OpenVPN but tunneled through an extra SSL layer.

Windows:

I was able to install both OpenVPN and stunnel on windows but I was unable to connect to the openvpn server even after routing the OpenVPN traffic through stunnel. See below:

chrome_2019-08-07_18-17-57

Android

I was able to install and run OpenVPN (stunnel) on Android. It was able to connect but the connection was not stable enough and the speed was poor.

2019-08-07_18-58-32
9d0c1043115bf4f6b6c05226237f9d5

SSH

I was able to connect through SSH and port forward the traffic from my PC through the SSH tunnel.

But I was unable to connect to blocked sites like Google and Youtube. I could access other unblocked sites like Bing and Baidu.

cmd_2019-08-07_17-56-29

Wireguard

I was able to install Wireguard but unable to use it. I could connect to the server but after connecting I lost the connection or I couldn’t access any sites. Please see links below about Wireguard being easily detected by the Chinese firewall.

https://lists.zx2c4.com/pipermail/wireguard/2018-September/003289.html

https://news.ycombinator.com/item?id=18722662

chrome_2019-08-07_18-02-51
ff18c699e0cd180087837561a57b53e

Shadowsocks

I was able to connect using Shadowsock on PC , Android and iOS without any issues. The speed wasn’t the best because Streisand probably uses the default settings for Shadowsocks and doesn’t include BBR updates to improve the network performance.

Shadowsocks_2019-08-07_20-06-36
d4eb68c8a6fe0175eafd988d90df47c

Conclusions

Streisand is a DIY VPN that offers a lot of different VPN protocols, but unfortunately most do not work in China. The best protocol that we tested was Shadowsocks. But those looking to setup a Shadowsocks VPN would probably be better served by using Outline (by Jigsaw / Google), another DIY open source VPN solution, which is much easier to setup than Streisand.

There are no comments.

Leave a Reply

You may use these HTML tags and attributes: <a href="" title=""> <abbr title=""> <acronym title=""> <b> <blockquote cite=""> <cite> <code> <del datetime=""> <em> <i> <q cite=""> <s> <strike> <strong>