streisandeffect / streisand

Streisand sets up a new server running your choice of WireGuard, OpenConnect, OpenSSH, OpenVPN, Shadowsocks, sslh, Stunnel, or a Tor bridge. It also generates custom instructions for all of these services. At the end of the run you are given an HTML file with instructions that can be shared with friends, family members, and fellow activists.

Home Page: https://twitter.com/streisandvpn

License: Other

HTML 9.12% Shell 64.77% Python 26.11%
vpn ansible openvpn wireguard openconnect anyconnect shadowsocks stunnel tor ssh

streisand's Introduction

Streisand

Automate the effect


English, Français, 简体中文, Русский | Mirror


Silence censorship. Automate the effect.

The Internet can be a little unfair. It's way too easy for ISPs, telecoms, politicians, and corporations to block access to the sites and information that you care about. But breaking through these restrictions is tough. Or is it?

If you have an account with a cloud computing provider, Streisand can set up a new node with many censorship-resistant VPN services nearly automatically. You'll need a little experience with a Unix command-line. (But without Streisand, it could take days for a skilled Unix administrator to configure these services securely!) At the end, you'll have a private website with software and instructions.

Here's what a sample Streisand server looks like.

There's a list of supported cloud providers; experts may be able to use Streisand to install on many other cloud providers.

VPN services

One type of tool that people use to avoid network censorship is a Virtual Private Network (VPN). There are many kinds of VPNs.

Not all network censorship is alike; in some places, it changes from day to day. Streisand provides many different VPN services to try. (You don't have to install them all, though.)

Some Streisand services include add-ons for further censorship and throttling resistance:

See also:

Cloud providers

  • Amazon Web Services (AWS)
  • Microsoft Azure
  • Digital Ocean
  • Google Compute Engine (GCE)
  • Linode
  • Rackspace

Other providers

We recommend using one of the above providers. If you are an expert and can set up a fresh Ubuntu 16.04 server elsewhere, there are "localhost" and "existing remote server" installation methods. For more information, see the advanced installation instructions.

Installation

You need command-line access to a Unix system. You can use Linux, BSD, or macOS; on Windows 10, the Windows Subsystem for Linux (WSL) counts as Linux.

Once you're ready, see the full installation instructions.

Things we want to do better

Aside from a good deal of cleanup, we could really use:

  • Easier setup.
  • Faster adoption of new censorship-avoidance tools

We're looking for help with both.

If there is something that you think Streisand should do, or if you find a bug in its documentation or execution, please file a report on the Issue Tracker.

Core Contributors

  • Jay Carlson (@nopdotcom)
  • Nick Clarke (@nickolasclarke)
  • Joshua Lund (@jlund)
  • Ali Makki (@alimakki)
  • Daniel McCarney (@cpu)
  • Corban Raun (@CorbanR)

Acknowledgements

Jason A. Donenfeld deserves a lot of credit for being brave enough to reimagine what a modern VPN should look like and for coming up with something as good as WireGuard. He has our sincere thanks for all of his patient help and high-quality feedback.

We are grateful to Trevor Smith for his massive contributions. He suggested the Gateway approach, provided tons of invaluable feedback, made everything look better, and developed the HTML template that served as the inspiration to take things to the next level before Streisand's public release.

Huge thanks to Paul Wouters of The Libreswan Project for his generous help troubleshooting the L2TP/IPsec setup.

Starcadian's 'Sunset Blood' album was played on repeat approximately 300 times during the first few months of work on the project in early 2014.

streisand's People

Contributors

aanwark, alimakki, blotzu, corbanr, cpu, davidwittman, frichetten, genevera, jlund, johnjeffers, nickgnazzo, nickolasclarke, nopdotcom, nstanke, patthiel, pgporada, pguizeline, philcryer, pjrobertson, russell-io, sfoerster, speedy-beaver, trevorsmith, wzyboy, yuanl, yuvadm, z0rc, zjx20, zlatin, zx2c4

streisand's Issues

GPG Key import error

TASK: [streisand-mirror | PuTTY Releases (DSA) signs the PuTTY downloads. Import the correct GPG key.] ***
failed: [128.199.211.15] => {"changed": true, "cmd": ["gpg", "--keyserver", "x-hkp://pool.sks-keyservers.net", "--recv-keys", "0xFECD6F3F08B0A90B"], "delta": "0:00:06.091239", "end": "2014-07-25 01:58:12.497262", "rc": 2, "start": "2014-07-25 01:58:06.406023"}
stderr: gpg: requesting key 08B0A90B from hkp server pool.sks-keyservers.net
gpg: no valid OpenPGP data found.
gpg: Total number processed: 0
stdout: ?: pool.sks-keyservers.net: Network is unreachable
gpgkeys: HTTP fetch error 7: couldn't connect: Network is unreachable

Works when I manually import it though -

➜  streisand git:(master) gpg --recv-keys 08B0A90B
gpg: requesting key 08B0A90B from hkp server pool.sks-keyservers.net
gpg: key 08B0A90B: public key "PuTTY Releases (DSA) <[email protected]>" imported
gpg: 3 marginal(s) needed, 1 complete(s) needed, PGP trust model
gpg: depth: 0  valid:   4  signed:   0  trust: 0-, 0q, 0n, 0m, 0f, 4u
gpg: next trustdb check due at 2015-08-18
gpg: Total number processed: 1
gpg:               imported: 1

Fatal error when connection to server closed, while mirroring Tor Browser Bundle files.

EDIT: Issue is resolved. For future readers that may run into the same problem, this is what happened: It turns out that this is a connection error, and the SSH connection dropped. Most likely a network hiccup on my part, since my area is notorious for bad internet connections. To resolve this issue, just run the streisand script again, and it will continue where it left off, then restart the server instance to make sure the services use the new configuration files.

Original Post:

During a run on a newly created Debian x64 server (that was generated via the DigitalOcean API), the following error occurred:

TASK: [streisand-mirror | Mirror the Tor Browser Bundle files and signatures] *** 
changed: [222.222.222.222] => (item=https://www.torproject.org/dist/torbrowser/3.6.2/torbrowser-install-3.6.2_en-US.exe)
changed: [222.222.222.222] => (item=https://www.torproject.org/dist/torbrowser/3.6.2/torbrowser-install-3.6.2_en-US.exe.asc)
changed: [222.222.222.222] => (item=https://www.torproject.org/dist/torbrowser/3.6.2/TorBrowser-3.6.2-osx32_en-US.dmg)
changed: [222.222.222.222] => (item=https://www.torproject.org/dist/torbrowser/3.6.2/TorBrowser-3.6.2-osx32_en-US.dmg.asc)
fatal: [222.222.222.222] => failed to transfer file to /root/.ansible/tmp/ansible-tmp-1406274418.56-83497149115257/get_url:
sftp> put /var/folders/6d/47m5s0_n48nc5hc88yymhqnc0000gn/T/tmp3twFat /root/.ansible/tmp/ansible-tmp-1406274418.56-83497149115257/get_url
Uploading /var/folders/6d/47m5s0_n48nc5hc88yymhqnc0000gn/T/tmp3twFat to /root/.ansible/tmp/ansible-tmp-1406274418.56-83497149115257/get_url

Connected to 222.222.222.222.
Connection closed


FATAL: all hosts have already failed -- aborting

Should Streisand allow users to choose what services to set up?

Should Streisand allow users to choose what services to set up? Personally, I think this would be a beneficial addition to Streisand. It would give users more control allowing them to run Streisand on servers with less processing power. It also would allow people to avoid running certain services that are easily detectable (L2TP/IPsec) for greater privacy.

Bug with sshuttle

@jlund First off, this is such an amazing project. Seriously awesome work!

Test Scenario:
Client - OS X Mavericks
Server - VPS /w Ubuntu 12.04 LTS

At https://1.1.1.1/ssh/#linux-and-os: SSH Tunnel --> Linux and OS X --> 6. Step 6 should read ./sshuttle --dns -r forward@dom 0/0 -vv not sshuttle --dns -r forward@dom 0/0 -vv.

Also, after the command is issued the output in Terminal on my client hangs and doesn't successfully tunnel the traffic through sshuttle. The alternate method does work however.

user:sshuttle mavericks$ ./sshuttle --dns -r forward@dom 0/0 -vv
Starting sshuttle proxy.
Binding: 12300
Listening on ('127.0.0.1', 12300).
DNS listening on ('127.0.0.1', 12300).
[local sudo] Password: 
firewall manager ready.
c : connecting to server...
c : executing: ['ssh', 'forward@dom', '--', 'P=python2; $P -V 2>/dev/null || P=python; exec "$P" -c \'import sys; skip_imports=1; verbosity=2; exec compile(sys.stdin.read(764), "assembler.py", "exec")\'']
c :  > channel=0 cmd=PING len=7 (fullness=0)
server: assembling 'cmdline_options.py' (29 bytes)
server: assembling 'helpers.py' (914 bytes)
server: assembling 'ssubprocess.py' (13673 bytes)
server: assembling 'ssnet.py' (5446 bytes)
server: assembling 'hostwatch.py' (2270 bytes)
server: assembling 'server.py' (2370 bytes)
 s: latency control setting = True
 s: available routes:
 s:   10.8.0.0/24
 s:   10.8.0.2/32
 s:   76.72.161.0/26
c : connected.
Connected.
c : Waiting: 3 r=[3, 5, 9] w=[9] x=[] (fullness=7/0)
c :   Ready: 3 r=[] w=[9] x=[]
c : mux wrote: 15/15
c : Waiting: 3 r=[3, 5, 9] w=[] x=[] (fullness=7/0)
 s:  > channel=0 cmd=PING len=7 (fullness=0)
 s:  > channel=0 cmd=ROUTES len=39 (fullness=7)
 s: Waiting: 1 r=[4] w=[5] x=[] (fullness=46/0)
 s:   Ready: 1 r=[] w=[5] x=[]
 s: mux wrote: 15/15
 s: mux wrote: 47/47
 s: Waiting: 1 r=[4] w=[] x=[] (fullness=46/0)
c :   Ready: 3 r=[9] w=[] x=[]
c : <  channel=0 cmd=PING len=7
c :  > channel=0 cmd=PONG len=7 (fullness=7)
c : <  channel=0 cmd=ROUTES len=39
firewall manager: starting transproxy.
>> ipfw -q add 12300 check-state ip from any to any
>> ipfw -q add 12300 skipto 12301 tcp from any to 127.0.0.0/8
>> ipfw -q add 12300 fwd 127.0.0.1,12300 tcp from any to 0.0.0.0/0 not ipttl 42 keep-state setup
 s:   Ready: 1 r=[4] w=[] x=[]
 s: <  channel=0 cmd=PING len=7
 s:  > channel=0 cmd=PONG len=7 (fullness=46)
 s: mux wrote: 15/15
 s: Waiting: 1 r=[4] w=[] x=[] (fullness=53/0)
>> ipfw -q add 12300 divert 12300 udp from any to 10.0.1.1/32 53 not ipttl 42
>> ipfw -q add 12300 divert 12300 udp from any 12300 to any not ipttl 42
c : mux wrote: 15/15
c : <  channel=0 cmd=PONG len=7
c : received PING response
c : Waiting: 3 r=[3, 5, 9] w=[] x=[] (fullness=0/0)
 s:   Ready: 1 r=[4] w=[] x=[]
 s: <  channel=0 cmd=PONG len=7
 s: received PING response
 s: Waiting: 1 r=[4] w=[] x=[] (fullness=0/0)

Thanks again for all the incredible work. I look forward to following this project closely!

port 80 and 443 only?

I was on a recent wifi hotspot that disallowed all email outbound (so even ldaps, imaps were blocked) but allowed 80 and 443. I don't think the current streisand config supports connecting through that type of setup, does it?

If not, maybe it's worth having an option where nginx isn't installed and the stunnel openvpn connection can be run from 443? Just brainstorming, there might be a better way to have nginx proxy requests through to another process locally (I've seen some pretty weird nginx configs before), but I don't know offhand how that would work.
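The "run everything on 443" idea raised in this issue is what sslh, which is already on Streisand's service list, does: it peeks at the first bytes a client sends and hands the socket to the matching backend (web server, SSH, OpenVPN). The classifier below is an added illustration of that technique, written for this page and not taken from sslh or Streisand. The SSH, TLS and HTTP signatures are fixed by those protocols; the OpenVPN check assumes the client uses OpenVPN's default TCP framing and its standard hard-reset opcodes, and every input shown is constructed.

```python
"""Guess the application protocol from the first bytes of a TCP connection,
the way a port multiplexer such as sslh decides which backend gets the socket.
Added example; not part of sslh or Streisand."""

HTTP_METHODS = (b"GET ", b"POST ", b"HEAD ", b"PUT ", b"DELETE ",
                b"OPTIONS ", b"CONNECT ", b"PATCH ", b"TRACE ")

# OpenVPN TCP framing (assumed default): 2-byte big-endian packet length, then
# an opcode byte whose top 5 bits are the opcode. A client opens a session with
# P_CONTROL_HARD_RESET_CLIENT_V2 (7) or, with tls-crypt-v2, _V3 (10).
OPENVPN_CLIENT_RESET_OPCODES = {7, 10}


def classify(first_bytes: bytes) -> str:
    """Return 'ssh', 'tls', 'http', 'openvpn' or 'unknown' for the bytes a client
    sent first. 'unknown' means: keep reading, or fall back to a default backend."""
    data = first_bytes
    if data.startswith(b"SSH-"):
        # RFC 4253 identification string; OpenSSH clients send it right away.
        return "ssh"
    if len(data) >= 3 and data[0] == 0x16 and data[1] == 0x03:
        # TLS record header: ContentType handshake (0x16), major version 3.
        return "tls"
    if data.startswith(HTTP_METHODS):
        return "http"
    if len(data) >= 3:
        declared_len = int.from_bytes(data[:2], "big")
        opcode = data[2] >> 3
        # A hard-reset control packet is short (session id + packet id, plus an
        # HMAC when tls-auth is on), so sanity-check the declared length too.
        if opcode in OPENVPN_CLIENT_RESET_OPCODES and 14 <= declared_len <= 512:
            return "openvpn"
    return "unknown"


def choose_backend(first_bytes: bytes, idle_timeout_expired: bool) -> str:
    """sslh-style decision: a client that says nothing before the idle timeout is
    assumed to be waiting for a server banner (SSH); everything else is routed by
    classify(). Unknown traffic goes to the TLS web server, so a probe of the port
    still sees an ordinary HTTPS site rather than an error."""
    if not first_bytes and idle_timeout_expired:
        return "ssh"
    proto = classify(first_bytes)
    return proto if proto != "unknown" else "tls"
```

In a real multiplexer the timeout path matters as much as the signatures: a censor's active prober that connects and sends nothing gets the same answer as an SSH client, so the fallback choice is a policy decision, not a detail.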

Firewall Suggestions

I was able to dig through the connection instructions in the UI and I think I found all the relevant ports (22, 80, 443, 8181, 8530, 1080, 636, 41194, 8443, all tcp), but I'm not even sure these are the same for each install. And IPSEC - no clue what to allow - all IP proto 47 from anywhere plus what else?

It would be nice if the README included this info or if the install routine spit out some iptables rules at the end. And noting that the web UI password lives in /etc/nginx/gateway-password.txt would also be helpful, had to dig through yaml to figure that out. :)

Add a task that checks the Linux distribution and warns users if it isn't Debian 7

Ubuntu 14.04 doesn't work with Tor's pluggable transports. Raspbian doesn't have a working version of the putty-tools package, and it also cannot install the latest versions of Nginx and Tor from the official repositories. Other Debian derivatives may have additional problems that I'm not yet aware of.

Until these issues can be resolved, Streisand should warn users that Debian 7 is the only fully tested distribution. Right now the README is the sole place where this requirement is mentioned.

Add Development Roadmap in README.md

Suggestion

In order to help other developers collaborate on the Streisand project, a features/development roadmap should be added in the README.md file located at the root of the streisand directory on Github.

By creating a list of possible future features, bugfixes, and improvements that streisand would need in the future, other developers on Github can collaborate more effectively and work on the specific items that need to be completed.

Perhaps it can be included as a list, just above the acknowledgements section in the current README.md

Fails to convert the OpenSSH key into a PuTTY .ppk on Raspbian

I'm quite a newbie when it comes to Ansible so I might be doing something wrong.

I always get this error message, when trying to deploy streisand on a Raspberry Pi running a clean image of raspbian.

TASK: [ssh | Convert the OpenSSH key into a PuTTY .ppk] ***********************
<192.168.2.4> ESTABLISH CONNECTION FOR USER: pi
<192.168.2.4> REMOTE_MODULE command puttygen /home/forward/.ssh/id_rsa -o /var/www/streisand/ssh/streisand_rsa.ppk creates=/var/www/streisand/ssh/streisand_rsa.ppk
<192.168.2.4> EXEC ['ssh', '-C', '-tt', '-q', '-o', 'ControlMaster=auto', '-o', 'ControlPersist=60s', '-o', 'ControlPath=/Users/couto/.ansible/cp/ansible-ssh-%h-%p-%r', '-o', 'StrictHostKeyChecking=no', '-o', 'KbdInteractiveAuthentication=no', '-o', 'PreferredAuthentications=gssapi-with-mic,gssapi-keyex,hostbased,publickey', '-o', 'PasswordAuthentication=no', '-o', 'User=pi', '-o', 'ConnectTimeout=10', '192.168.2.4', "/bin/sh -c 'mkdir -p $HOME/.ansible/tmp/ansible-tmp-1407023324.51-14077763642857 && chmod a+rx $HOME/.ansible/tmp/ansible-tmp-1407023324.51-14077763642857 && echo $HOME/.ansible/tmp/ansible-tmp-1407023324.51-14077763642857'"]
<192.168.2.4> PUT /var/folders/gq/yqpcdpxs2sj54yxchblrp2hw0000gn/T/tmpouBaKa TO /home/pi/.ansible/tmp/ansible-tmp-1407023324.51-14077763642857/command
<192.168.2.4> EXEC ['ssh', '-C', '-tt', '-q', '-o', 'ControlMaster=auto', '-o', 'ControlPersist=60s', '-o', 'ControlPath=/Users/couto/.ansible/cp/ansible-ssh-%h-%p-%r', '-o', 'StrictHostKeyChecking=no', '-o', 'KbdInteractiveAuthentication=no', '-o', 'PreferredAuthentications=gssapi-with-mic,gssapi-keyex,hostbased,publickey', '-o', 'PasswordAuthentication=no', '-o', 'User=pi', '-o', 'ConnectTimeout=10', '192.168.2.4', u'/bin/sh -c \'sudo -k && sudo -H -S -p "[sudo via ansible, key=vmxzcurxyullqgdyklckecdkxdcqqbex] password: " -u root /bin/sh -c \'"\'"\'echo SUDO-SUCCESS-vmxzcurxyullqgdyklckecdkxdcqqbex; LC_CTYPE=en_US.UTF-8 LANG=en_US.UTF-8 /usr/bin/python /home/pi/.ansible/tmp/ansible-tmp-1407023324.51-14077763642857/command; rm -rf /home/pi/.ansible/tmp/ansible-tmp-1407023324.51-14077763642857/ >/dev/null 2>&1\'"\'"\'\'']
failed: [192.168.2.4] => {"changed": true, "cmd": ["puttygen", "/home/forward/.ssh/id_rsa", "-o", "/var/www/streisand/ssh/streisand_rsa.ppk"], "delta": "0:00:00.039177", "end": "2014-08-02 23:48:45.630859", "rc": -11, "start": "2014-08-02 23:48:45.591682"}

FATAL: all hosts have already failed -- aborting

PLAY RECAP ********************************************************************
           to retry, use: --limit @/Users/couto/streisand.retry

192.168.2.4                : ok=81   changed=24   unreachable=0    failed=1

If I disable that specific task, it ends up failing when deploying the tor bridge, and if I disable the tor bridge, it ends up failing on nginx, not sure if they're related.

"SSH Key failed to be created"

I'm trying to run streisand to set up a Digital Ocean droplet, but it fails at trying to add an SSH key to Digital Ocean. I'm not sure why, since the output isn't very informative. Maybe you can help me out?

git/streisand master % ./streisand

  S T R E I S A N D  

Which provider are you using?
  1. Amazon
  2. DigitalOcean
  3. Linode
  4. Rackspace
: 2


Enter the number of the region where the server will be located:
  1. Amsterdam (one)
  2. Amsterdam (two)
  3. London
  4. New York (one)
  5. New York (two)
  6. San Francisco
  7. Singapore
 [2]: 6

What should the server be named?
 [streisand]: 


The following information can be found on your DigitalOcean control panel.
https://cloud.digitalocean.com/api_access

What is your DigitalOcean Client ID?
: <SNIPPED>

What is your DigitalOcean API key?
: <SNIPPED>

Streisand will now set up your server. This process usually takes around ten minutes. Press Enter to continue...
: 

PLAY [Provision the DigitalOcean Server] ************************************** 

GATHERING FACTS *************************************************************** 
ok: [127.0.0.1]

TASK: [genesis-digitalocean | Remove the 'streisand' SSH key from DigitalOcean if it already exists. This is to prevent problems if two people with two different keys are sharing the same DigitalOcean account.] *** 
ok: [127.0.0.1]

TASK: [genesis-digitalocean | Get the default SSH key] ************************ 
changed: [127.0.0.1]

TASK: [genesis-digitalocean | Add the SSH key to DigitalOcean] **************** 
failed: [127.0.0.1] => {"failed": true}
msg: SSH Key failed to be created

FATAL: all hosts have already failed -- aborting

PLAY RECAP ******************************************************************** 
           to retry, use: --limit @/Users/david/digitalocean.retry

127.0.0.1                  : ok=3    changed=1    unreachable=0    failed=1   

azure troubles

Was trying a manual setup of a streisand instance on azure, but unfortunately, it looks like obfsproxy port changes and needs to be added manually, but this hangs the setup process? Or maybe that step takes a long time.

Additionally, the correct external IP address (which is specified manually in my inventory) isn't used for some of the service configurations, but rather, the internal IP address of the azure node is, which isn't helpful since it won't be routable.

python-dev and ruby were missing at DigitalOcean Wheezy 64bit image

At first: awesome project 👍

When installing according to the docs from a DigitalOcean droplet with a freshly installed Wheezy 64bit image, the installation of ansible quits with the following error: Python.h: No such file or directory

Installing the package "python-dev" solved the problem.

Then after executing the "streisand" script, the following error occurred during the task "genesis-digitalocean":
stderr: /bin/sh: 1: ruby: not found

Installing the package "ruby" solved the problem.

Readme - install dependencies in virtual environment

It is considered good practice to install any external python libraries in the virtual environment (using virtualenv, docs here), so you don't contaminate your system and have control over the different versions of libraries for different projects.
Such an environment can be easily destroyed and recreated in any situation.

So, instead of, for example:
sudo pip install boto

You should create and activate virtual environment:

sudo pip install virtualenv
virtualenv venv
source venv/bin/activate

and install external dependencies locally, in the context of this environment:
pip install boto

Moreover, you can create list of all dependencies:
pip freeze > requirements.txt

...and then install them with one command:
pip install -r requirements.txt

If you find my comment useful I can modify Readme file or, if it is needed, provide more detailed explanation.

Ensure roles are idempotent & restartable

At least some of the steps don't have conditional steps. I had a firewall kill one of the steps so I had to cancel and restart the streisand.yml which resulted in some odd artifacts like redundant iptables rules, etc. Probably others I haven't noticed yet.

Best case scenario is to maybe detect some of the changes before they're implemented to prevent states like that from occurring.
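Two of the issues above ask for the same thing from opposite ends: the "Firewall Suggestions" post wants to know which ports an install actually needs opened, and this one wants a re-run not to leave duplicate iptables rules behind. The script below is an added example for this page, not Streisand's own code. It derives the allowlist from what the server really listens on (the output of `ss -H -lntu`, whose column layout it assumes), skips loopback-only services, adds the ESP rule that IKE on UDP 500/4500 implies for IPsec, and then diffs the result against a captured `iptables -S INPUT` listing so that only missing rules are added and extra copies of duplicated rules are deleted. Both sample listings are constructed, not captured from a real host.

```python
"""Build an iptables allowlist from what the server actually listens on, and
emit only the commands needed, so running the plan twice is a no-op.
Added example for this page; not Streisand's code."""

# Constructed sample of `ss -H -lntu` output. Assumed columns: netid, state,
# recv-q, send-q, local addr:port, peer addr:port.
SAMPLE_SS = """\
tcp   LISTEN 0 128 0.0.0.0:22        0.0.0.0:*
tcp   LISTEN 0 128 0.0.0.0:443       0.0.0.0:*
tcp   LISTEN 0 128 127.0.0.1:8181    0.0.0.0:*
tcp   LISTEN 0 128 [::]:22           [::]:*
udp   UNCONN 0 0   0.0.0.0:500       0.0.0.0:*
udp   UNCONN 0 0   0.0.0.0:4500      0.0.0.0:*
udp   UNCONN 0 0   127.0.0.53%lo:53  0.0.0.0:*
"""

# Constructed sample of `iptables -S INPUT` on a host where a re-run has
# already appended the SSH rule a second time.
SAMPLE_EXISTING = """\
-P INPUT DROP
-A INPUT -i lo -j ACCEPT
-A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A INPUT -p tcp -m tcp --dport 22 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 22 -j ACCEPT
"""


def listening_ports(ss_output: str) -> list:
    """Return sorted (proto, port) pairs bound to a non-loopback address."""
    found = set()
    for line in ss_output.splitlines():
        fields = line.split()
        if len(fields) < 5:
            continue
        proto, local = fields[0], fields[4]
        host, _, port = local.rpartition(":")
        host = host.strip("[]").split("%")[0]   # drop IPv6 brackets / scope id
        if host.startswith("127.") or host == "::1" or not port.isdigit():
            continue  # loopback-only services are not reachable from outside
        found.add((proto, int(port)))
    return sorted(found)


def desired_rules(ports: list) -> list:
    """One ACCEPT per exposed socket, spelled the way `iptables -S` prints it."""
    rules = [f"-A INPUT -p {proto} -m {proto} --dport {port} -j ACCEPT"
             for proto, port in ports]
    # IKE on UDP 500/4500 means IPsec is in use; its data path is ESP
    # (IP protocol 50), which is not a port and needs its own rule.
    if ("udp", 500) in ports or ("udp", 4500) in ports:
        rules.append("-A INPUT -p esp -j ACCEPT")
    return rules


def existing_rules(iptables_s_output: str) -> list:
    return [l.strip() for l in iptables_s_output.splitlines() if l.startswith("-A ")]


def plan(desired: list, iptables_s_output: str) -> list:
    """Commands that bring the INPUT chain to the desired state: delete extra
    copies of any duplicated rule, add rules that are missing, and never re-add
    a rule that is already there (the `iptables -C` check, done against a
    captured listing so the change can be reviewed before it is applied)."""
    current = existing_rules(iptables_s_output)
    commands, seen = [], set()
    for rule in current:
        if rule in seen:
            commands.append("iptables -D INPUT " + rule[len("-A INPUT "):])
        seen.add(rule)
    for rule in desired:
        if rule not in seen:
            commands.append("iptables " + rule)
    return commands
```

The same check-before-append idea is what makes a configuration role restartable: in Ansible terms, run `iptables -C` (or inspect `iptables -S`) first and only append when the rule is absent, instead of appending unconditionally on every run.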

digitalocean nyc-1: "msg: You specified an invalid region for Droplet creation."

When attempting to provision streisand on a Digitalocean droplet and selecting NYC-1 ("4" in the streisand prompt), the streisand script fails:

PLAY [Provision the DigitalOcean Server] ************************************** 

GATHERING FACTS *************************************************************** 
ok: [127.0.0.1]

TASK: [genesis-digitalocean | Get the default SSH key] ************************ 
changed: [127.0.0.1]

TASK: [genesis-digitalocean | Add the SSH key to DigitalOcean if it doesn't already exist] *** 
ok: [127.0.0.1]

TASK: [genesis-digitalocean | Get the latest 'Debian 7.0 x64' image ID from the DigitalOcean API] *** 
changed: [127.0.0.1]

TASK: [genesis-digitalocean | Create the server] ****************************** 
failed: [127.0.0.1] => {"failed": true}
msg: You specified an invalid region for Droplet creation.

FATAL: all hosts have already failed -- aborting

PLAY RECAP ******************************************************************** 
           to retry, use: --limit @/Users/miles/digitalocean.retry

127.0.0.1                  : ok=4    changed=2    unreachable=0    failed=1 

There is no error when selecting NYC-2 (option #5 in streisand menu).

Allow user-supplied certs

I've replaced (most of) the certs on my streisand box with free startssl ones.
Unfortunately, I don't remember much about how I did it 👎

Would it be a desirable feature to support this out of the box?

Ruby 1.8.7 can't load json on OS X 10.8.4

With:

$ ruby -v
ruby 1.8.7 (2012-02-08 patchlevel 358) [universal-darwin12.0]

This happens:

TASK: [genesis-digitalocean | Get the latest 'Debian 7.0 x64' image ID from the DigitalOcean API] ***
failed: [127.0.0.1] => {"changed": true, "cmd": "curl -s 'https://api.digitalocean.com/images/?client_id=xxxxxxxxxxxxxxxxxxxxxxx&api_key=xxxxxxxxxxxxxxxxxxxxxxxx' | ruby -e 'require \"json\"; puts JSON.parse(ARGF.read)[\"images\"].select { |image| image[\"name\"] == \"Debian 7.0 x64\" }.first[\"id\"]' ", "delta": "0:00:01.240633", "end": "2014-07-25 13:17:06.557825", "rc": 1, "start": "2014-07-25 13:17:05.317192"}
stderr: -e:1:in `require': no such file to load -- json (LoadError)
    from -e:1
(23) Failed writing body

FATAL: all hosts have already failed -- aborting

xl2tpd logs client ips

Projects description states

The IP addresses of connecting clients are never logged. There's nothing to find if a server gets seized or shut down.

However that is not entirely true at least when it comes to L2TP, since xl2tpd logs client IPs in /var/log/syslog
(###.###.###.### below)

Aug  3 07:59:38 streisand charon: 13[KNL] creating delete job for ESP CHILD_SA with SPI c74e6933 and reqid {17004}
Aug  3 07:59:38 streisand charon: 07[JOB] CHILD_SA with reqid 17004 not found for delete
Aug  3 08:16:07 streisand xl2tpd[7526]: Connection established to ###.###.###.###, 1701.  Local: 6213, Remote: 22 (ref=0/0).  LNS session is 'default'
Aug  3 08:16:07 streisand xl2tpd[7526]: check_control: Received out of order control packet on tunnel 22 (got 3, expected 2)
Aug  3 08:16:07 streisand xl2tpd[7526]: handle_packet: bad control packet!
Aug  3 08:16:07 streisand xl2tpd[7526]: result_code_avp: result code not appropriate for Incoming-Call-Request.  Ignoring.
Aug  3 08:16:08 streisand xl2tpd[7526]: start_pppd: I'm running:
Aug  3 08:16:08 streisand xl2tpd[7526]: "/usr/sbin/pppd"
Aug  3 08:16:08 streisand xl2tpd[7526]: "passive"
Aug  3 08:16:08 streisand xl2tpd[7526]: "nodetach"
Aug  3 08:16:08 streisand xl2tpd[7526]: "10.9.9.1:10.9.9.100"
Aug  3 08:16:08 streisand xl2tpd[7526]: "refuse-pap"
Aug  3 08:16:08 streisand xl2tpd[7526]: "refuse-chap"
Aug  3 08:16:08 streisand xl2tpd[7526]: "auth"
Aug  3 08:16:08 streisand xl2tpd[7526]: "name"
Aug  3 08:16:08 streisand xl2tpd[7526]: "Streisand-VPN"
Aug  3 08:16:08 streisand xl2tpd[7526]: "debug"
Aug  3 08:16:08 streisand xl2tpd[7526]: "file"
Aug  3 08:16:08 streisand xl2tpd[7526]: "/etc/ppp/options"
Aug  3 08:16:08 streisand xl2tpd[7526]: "/dev/pts/0"
Aug  3 08:16:08 streisand xl2tpd[7526]: Call established with ###.###.###.###, Local: 59593, Remote: 1, Serial: 0
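A quick way to verify the claim this issue challenges is to scan the server's syslog for daemons that record non-internal client addresses. The script below is an added example for this page, not Streisand's code. Its xl2tpd lines follow the format quoted above; the openvpn and sshd lines imitate those daemons' usual connection messages and are assumptions, as is the whole constructed sample. The rsyslog filter it emits assumes rsyslog is the syslog daemon.

```python
"""Audit a syslog extract for VPN daemons that write client source addresses,
and produce rsyslog filters for the offending programs.
Added example for this page; not Streisand's code."""
import ipaddress
import re
from collections import defaultdict

# Constructed sample. The xl2tpd lines copy the format shown in the issue;
# the openvpn and sshd lines imitate those daemons' typical messages.
SAMPLE_SYSLOG = """\
Aug  3 07:59:38 streisand charon: 13[KNL] creating delete job for ESP CHILD_SA with SPI c74e6933 and reqid {17004}
Aug  3 08:16:07 streisand xl2tpd[7526]: Connection established to 203.0.113.7, 1701.  Local: 6213, Remote: 22 (ref=0/0).  LNS session is 'default'
Aug  3 08:16:08 streisand xl2tpd[7526]: start_pppd: I'm running:
Aug  3 08:16:08 streisand xl2tpd[7526]: Call established with 203.0.113.7, Local: 59593, Remote: 1, Serial: 0
Aug  3 08:20:11 streisand openvpn[1200]: 198.51.100.9:51234 TLS: Initial packet from [AF_INET]198.51.100.9:51234
Aug  3 08:21:00 streisand sshd[1300]: Accepted publickey for forward from 10.8.0.2 port 40000 ssh2
"""

# Classic syslog line: "Mon DD HH:MM:SS host program[pid]: message"
SYSLOG_LINE = re.compile(
    r"^\w{3}\s+\d{1,2}\s+\d\d:\d\d:\d\d\s+\S+\s+([^\s\[:]+)(?:\[\d+\])?:\s*(.*)$")
IPV4 = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")

# Addresses that are not a client's real source: the VPN's own tunnel ranges,
# loopback and link-local. Anything else in a log line is exactly the kind of
# record the project description says the server never keeps.
INTERNAL_NETS = [ipaddress.ip_network(n) for n in
                 ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16",
                  "127.0.0.0/8", "169.254.0.0/16")]


def is_internal(addr: str) -> bool:
    try:
        ip = ipaddress.ip_address(addr)
    except ValueError:
        return True   # matched the regex but is not a valid address (e.g. 300.1.2.3)
    return any(ip in net for net in INTERNAL_NETS)


def find_ip_leaks(log_text: str) -> dict:
    """Map program name -> sorted list of non-internal IPv4 addresses it logged."""
    leaks = defaultdict(set)
    for line in log_text.splitlines():
        m = SYSLOG_LINE.match(line)
        if not m:
            continue
        program, message = m.groups()
        for addr in IPV4.findall(message):
            if not is_internal(addr):
                leaks[program].add(addr)
    return {prog: sorted(addrs) for prog, addrs in leaks.items()}


def rsyslog_drop_rules(programs) -> list:
    """rsyslog property-based filters that discard everything a program logs.
    Assumes rsyslog; the lines belong in a file under /etc/rsyslog.d/ that sorts
    before the default rules. Dropping a program's whole output also removes its
    troubleshooting messages, so this is a trade-off rather than a free fix."""
    return [f':programname, isequal, "{p}" stop' for p in sorted(programs)]
```

Run it against `/var/log/syslog` (and the journal, if systemd-journald is also persisting messages) after a few test connections; a program name in the result is a place where the "never logged" promise does not hold.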

obfsproxy times out

Hey,

I set up a droplet on DigitalOcean and went along the installation manual. After having some trouble with the SSH keys I eventually got Streisand to run through the genesis routines.

But at some point it stops perpetually. Sadly I have no further insight than what comes up in the console.
Looking into /var/lib/tor/state shows no entry for obfsproxy.

This is all I have:

TASK: [tor-bridge | Wait until obfsproxy information has shown up in the state file] *** 
failed: [XXX.XXX.XXX.XXX] => (item=obfs3) => {"elapsed": 300, "failed": true, "item": "obfs3"}
msg: Timeout when waiting for search string obfs3 in /var/lib/tor/state
failed: [XXX.XXX.XXX.XXX] => (item=scramblesuit) => {"elapsed": 300, "failed": true, "item": "scramblesuit"}
msg: Timeout when waiting for search string scramblesuit in /var/lib/tor/state

FATAL: all hosts have already failed -- aborting

PLAY RECAP ******************************************************************** 
           to retry, use: --limit @/root/digitalocean.retry

127.0.0.1                  : ok=9    changed=4    unreachable=0    failed=0   
XXX.XXX.XXX.XXX             : ok=105  changed=100  unreachable=0    failed=1

Success, but failure on opening .html instructions. [Linux]

TASK: [streisand-gateway | Success!] ******************************************
[XX.XX.XX.XX]
Server setup is complete. The NAMEOFSERVER.html instructions file in the generated-docs folder is ready to give to family, friends, and fellow activists. Press Enter to open these instructions.:

ok: [XX.XX.XX.XX]

TASK: [streisand-gateway | Open the instructions (Linux)] *********************
failed: [XX.XX.XX.XX] => {"cmd": "xdg-open ../generated-docs/NAMEOFSERVER.html", "failed": true, "rc": 2}
msg: [Errno 2] No such file or directory

FATAL: all hosts have already failed -- aborting

Streisand on Debian 7 Howto

Hi,
I'm trying to run Streisand on my own VM with Debian 7. But it won't work. I also tried with Ubuntu 14 server but no luck. The first thing is that I can't connect with SSH.
My question is whether someone can make a how-to for me, and maybe for many others, for when you already have a Debian 7 running on a private VM or physical server?
TIA
fobeastic

Bug in Tor description

On the generated documentation regarding Tor, Streisand says:

You should be good to go! You can verify that your traffic is being routed properly by visiting the Tor Project's check page, Are you using Tor? It should say Your IP address appears to be: ip.of.the.server.

The "ip of the server" is obviously wrong here since the server is configured as a bridge, not an exit node. You are routed to "somewhere" in the Tor network.

Invalid syntax error

Freshly cloned streisand and ansible from arch repos (yes, I have dopy).

Streisand will now set up your server. This process usually takes around ten minutes. Press Enter to continue...
: 
 __________________________________________ 
< PLAY [Provision the DigitalOcean Server] >
 ------------------------------------------ 
        \   ^__^
         \  (oo)\_______
            (__)\       )\/\
                ||----w |
                ||     ||


 _________________ 
< GATHERING FACTS >
 ----------------- 
        \   ^__^
         \  (oo)\_______
            (__)\       )\/\
                ||----w |
                ||     ||


failed: [127.0.0.1] => {"failed": true, "parsed": false}
invalid output was:   File "/home/ssl/.ansible/tmp/ansible-tmp-1406387269.22-70590257918076/setup", line 476
    except OSError, e:
                  ^
SyntaxError: invalid syntax

 ______________________________________________________ 
< TASK: genesis-digitalocean | Get the default SSH key >
 ------------------------------------------------------ 
        \   ^__^
         \  (oo)\_______
            (__)\       )\/\
                ||----w |
                ||     ||


failed: [localhost] => {"failed": true, "parsed": false}
invalid output was:   File "/home/ssl/.ansible/tmp/ansible-tmp-1406387269.28-71318004951042/command", line 517
    except OSError, e:
                  ^
SyntaxError: invalid syntax


FATAL: all hosts have already failed -- aborting
 ____________ 
< PLAY RECAP >
 ------------ 
        \   ^__^
         \  (oo)\_______
            (__)\       )\/\
                ||----w |
                ||     ||


           to retry, use: --limit @/home/ssl/digitalocean.retry

127.0.0.1                  : ok=0    changed=0    unreachable=0    failed=1   
localhost                  : ok=0    changed=0    unreachable=0    failed=1 

ERROR: retries is not a legal parameter in an Ansible task or handler

So all goes well until I come to Streisand will now set up your server. This process usually takes around ten minutes. Press any key to continue..., pressing any key does nothing, pressing return gives the error ERROR: retries is not a legal parameter in an Ansible task or handler.

OSX Mavericks with, I think, all deps present and up to date.

It's me. I know it's me. 😄

customize file names with hostname or IP

I noticed the openvpn configs are named with the IP address, but the original streisand.crt is not -- this means that while I'm testing (or if I'm managing multiple VMs), it's harder to keep track of the files for each. Seems an easy fix to rename the streisand.crt file slightly with either a hostname or an IP address.

Setup client-to-client DNS names

I noticed the default openvpn config enables client-to-client connections, but you have to know the assigned IP to find them (or use some broadcast discovery).

I noticed http://openvpn.net/archive/openvpn-users/2006-10/msg00119.html has an example of how to automatically add client names to DNS.

The use case is being able to access (e.g.) file shares hosted on a machine at home, while I'm out.

I haven't had much luck integrating it so far (early attempts at https://github.com/DanielHeath/streisand-conf ), but if I figure it out I'll let you know.

Small install issue (OSX stunnel)

During the OSX stunnel install, after brew install stunnel, running stunnel gives the error:

...stunnel[27619]: LOG3[27619:140735268004608]: Cannot create pid file /usr/local/Cellar/stunnel/4.56/var/run/stunnel/stunnel.pid

Don't know if this is a brew issue or what, but it's easily fixed with

mkdir -p /usr/local/Cellar/stunnel/4.56/var/run/stunnel/

Move streisand to a pip package

Is it possible to move streisand to a pip package and include boto/dopy/etc as dependencies to help it run out of the box? Or maybe make a PPA/brew to include ansible too?

dopy required error

$ pip freeze
...
dopy==0.2.3
...

Dopy is clearly installed, but when running with digital ocean:

$ ./streisand
...
PLAY [Provision the DigitalOcean Server] **************************************

GATHERING FACTS ***************************************************************
ok: [127.0.0.1]

TASK: [genesis-digitalocean | Remove the 'streisand' SSH key from DigitalOcean if it already exists. This is to prevent problems if two people with two different keys are sharing the same DigitalOcean account.] ***
failed: [127.0.0.1] => {"failed": true}
msg: dopy required for this module

FATAL: all hosts have already failed -- aborting

Invalid nickname for Tor bridge

When the script got to the task Restart Tor so the obfsproxy ports and server fingerprint will be available in the state file, and the hidden service for the Gateway will start running, it failed with an error about the nickname being invalid.

TASK: [tor-bridge | Restart Tor so the obfsproxy ports and server fingerprint will be available in the state file, and the hidden service for the Gateway will start running] ***
failed: [188.226.140.36] => {"failed": true}
msg: Jul 26 14:11:42.764 [notice] Tor v0.2.4.22 (git-98fe7b19ea02a292) running on Linux with Libevent 2.0.19-stable and OpenSSL 1.0.1e.
Jul 26 14:11:42.764 [notice] Tor can't help you if you use it wrong! Learn how to be safe at https://www.torproject.org/download/download#warning
Jul 26 14:11:42.764 [notice] Read configuration file "/usr/share/tor/tor-service-defaults-torrc".
Jul 26 14:11:42.764 [notice] Read configuration file "/etc/tor/torrc".
Jul 26 14:11:42.767 [warn] Failed to parse/validate config: Nickname 'visualizingDvorÃ' is wrong length or contains illegal characters.
Jul 26 14:11:42.767 [err] Reading config failed--see warnings above.


FATAL: all hosts have already failed -- aborting

What seems to have happened is that the grep -v "'" /usr/share/dict/american-english | sort -R | tail -n 2 | xargs | sed -e 's/ //' | cut -c 1-16 command managed to pick a nickname that is invalid. In my case it was visualizingDvorÃ.

The only way I found to solve the issue was to SSH into the server and run grep -v "'" /usr/share/dict/american-english | sort -R | tail -n 2 | xargs | sed -e 's/ //' | cut -c 1-16 > /etc/tor/bridge_nickname to get a new nickname. Either that or deleting the server and starting from scratch.

I'm not sure how to fix this except somehow check that the nickname is valid and get a new nickname if it isn't.
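The failure described in this issue comes from feeding a word list that contains non-ASCII words into cut -c, which counts bytes and can truncate a multibyte character, leaving a stray byte such as "Ã". Tor only accepts nicknames of 1 to 19 characters from [A-Za-z0-9]. The shell functions below are an added example, not Streisand's own code: they restrict the word list to ASCII letters and validate the candidate before it is written anywhere. The word list path passed as an argument, the retry limit of 50 and the use of shuf instead of sort -R are assumptions.

```shell
# Added example (not part of Streisand): build and validate a Tor bridge
# nickname so that an invalid one never reaches /etc/tor/bridge_nickname.

# Returns 0 when $1 is a valid Tor nickname (1-19 chars, [A-Za-z0-9] only).
# LC_ALL=C makes the character class byte-based, so any UTF-8 byte fails.
valid_tor_nickname() {
  printf '%s' "$1" | LC_ALL=C grep -Eq '^[A-Za-z0-9]{1,19}$'
}

# Picks two words from the word list in $1 (one word per line, as in
# /usr/share/dict/american-english), joins them and truncates to 16 chars,
# the same shape as the page's pipeline. Only pure-ASCII words are eligible,
# which also drops the apostrophe words the original grep -v "'" removed.
# Retries (assumed limit: 50) until the candidate validates; returns 1 if
# no valid nickname could be produced.
pick_tor_nickname() {
  wordlist="$1"
  attempts=0
  while [ "$attempts" -lt 50 ]; do
    attempts=$((attempts + 1))
    candidate=$(LC_ALL=C grep -E '^[A-Za-z]+$' "$wordlist" \
      | shuf -n 2 | tr -d '\n' | cut -c 1-16)
    if valid_tor_nickname "$candidate"; then
      printf '%s\n' "$candidate"
      return 0
    fi
  done
  return 1
}
```

Running pick_tor_nickname /usr/share/dict/american-english on the server yields a nickname Tor will accept; if the word list is unusable the function fails instead of writing a bad value, which is the check the issue asks for.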

increment stunnel version to 5.03

stunnel has upgraded to 5.03, and the build fails without that. I don't have easy access to make a pull request right now, or I'd request one. Fix is simply:

diff --git a/playbooks/roles/streisand-mirror/vars/stunnel.yml b/playbooks/roles/streisand-mirror/vars/stunnel.yml
index f99cd8b..814d9dc 100644
--- a/playbooks/roles/streisand-mirror/vars/stunnel.yml
+++ b/playbooks/roles/streisand-mirror/vars/stunnel.yml
@@ -7,7 +7,7 @@ stunnel_mirror_href_base: "/mirror/stunnel"
 stunnel_michal_trojnara_key_id: "0xFCD53E9D74C732D1"
 stunnel_michal_trojnara_expected_fingerprint: "Key fingerprint = F6B1 BFC5 5F32 243F B2C8  919A FCD5 3E9D 74C7 32D1"

-stunnel_version: "5.02"
+stunnel_version: "5.03"
 stunnel_base_download_url: "http://www.stunnel.org/downloads"

 stunnel_installer_filename: "stunnel-{{ stunnel_version }}-installer.exe"
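Review bot: the version bump on the stunnel_version line is only safe if the role still verifies the 5.03 artifacts against the Michal Trojnara key whose id and fingerprint appear two lines above it, because stunnel_base_download_url is plain http and that signature check is the sole integrity guarantee for the new download. Before merging, confirm the matching signature file for 5.03 is fetched and checked, and consider switching the base URL to https so a tampered installer is rejected before the GPG step rather than only at it.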

stunnel on OSX seems to need version 5.02, brew seems to install 4.56

Or at least the OpenVPN-stunnel profile wouldn't connect after brew install stunnel but when I removed that version and compiled 5.02 from the stunnel site, it connected OK.

Not sure what you can do about it, apart from maybe updating the docs, or getting the brew formula updated. Or maybe it's just a local problem here!

Anyway, I thought I'd mention it. Thanks to all for the incredible work on this, it's fantastic.

Failure in setup: msg: unsupported parameter for module: rules_egress

In trying to setup streisand on a fresh Amazon EC2 Instance, I continue to get this error:

TASK: [ec2-security-group | Open the SSH port in the EC2 security group] ******
failed: [127.0.0.1] => {"failed": true}
msg: unsupported parameter for module: rules_egress

FATAL: all hosts have already failed -- aborting

PLAY RECAP ********************************************************************
to retry, use: --limit @/home/ubuntu/amazon.retry

127.0.0.1 : ok=7 changed=1 unreachable=0 failed=1

Feature request

I may try putting this into streisand myself over the weekend, but thought it prudent to get the thought out into the wild:

https://forums.openvpn.net/topic12605-45.html

eg. why not have a scrambled OpenVPN as an option also? Is it possible to have this and that in parallel?

(GFW blows.)

Hardware Streisand client - ideas & brainstorming

So I want to make a StreisandBox. If this isn't immediately obvious as to its function, here's what a StreisandBox is: A teeny PC (Stick PC/"Android TV Box"/beefy router) that will go about the business of launching Streisand for you. Further, it should act as a 2nd internet gateway, optimizing the routes that your traffic takes based on destination. I've talked up another similar concept but haven't made significant headway yet. In fact, I'm not 100% sure how to do it, though I know it's possible. Imagine with me for a second, and technical gals & guys who've done some rather hardcore networking, I need your help in implementing this-- I guess it's optimized load balancing?

Anyway, the load balancing gets done on the StriesandBox, which in turn provides a single local gateway for end-user's home network. This way we can avoid the current difficulty with babs: she can be quite slow from time to time (this of course being a function of the censorship.) Free internet, however, is priceless (at least IMHO) and so users would likely be willing to shell out the ~$25/mo to have 5x babs to support one home internet connection. This also brings about the possibility of "Babs Bands" where users exchange multiple Babs addresses with one another.

Am I crazy, or is this a great idea? I am going to try and implement this immediately, and will put updates here. I'm just starting off with an Ubuntu VM on my home network and will see if I can get it to connect to 5x Babs' and then create a gateway server for me to put my traffic through. My desired result is reduced latency and greater throughput.

[Feature req] Add SOCKS5 and HTTP proxy

This could be useful for getting some selected apps to work with streisand. Proxy could be just a non-caching one, so eg. squid. Pardon me if this functionality is already included.

[edit] Wait, Socks is normally unencrypted?

Randomize gateway HTTPS certificate constants

Since the goal is to enable evasion of blocking firewalls, it would be nice if it weren't so easy to fingerprint Streisand on the network by inspecting the SSL certificates.

If there was a semi-intelligent randomization of the strings (and even maybe some of the values?) in the SSL certificates used for OpenVPN as well as nginx it would make this much harder.

Feature request: ICMP/DNS tunnels

DNS/ICMP tunneling would be nice, especially to get around networks that shape/block things like SSH/OpenVPN, etc but allow outgoing ICMP and/or DNS.

Streisand is using internal IP addresses when installing to a server behind a router

So I have installed Streisand to a local server behind a router. The server has an internal IP of 192.168.1.109, and the router has an external IP of 123.45.67.89 (just an example).

While I have configured the router to forward all messages to the server, and install using that public IP:

diff --git a/inventory b/inventory
index d654313..bef013e 100644
--- a/inventory
+++ b/inventory
@@ -13,5 +13,5 @@
 # 'host_key_checking = False' line in the ansible.cfg file. That setting
 # is only sensible and convenient when connecting to a brand-new host.
 #
-# [streisand-host]
-# 255.255.255.255
+[streisand-host]
+123.45.67.89
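Review bot: uncommenting [streisand-host] and putting the router's public address 123.45.67.89 there only tells Ansible where to SSH; it does not tell the roles which address to advertise, so the generated documents and profiles fall back to the address the server sees on its own interface (192.168.1.109 in the description). The change belongs in the role variables that set the advertised address, not in this inventory file; also note that the comment just above about setting host_key_checking = False describes a convenience that should stay confined to first contact with a brand-new host.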
$ ansible-playbook playbooks/streisand.yml

But the generated documents refer to 192.168.1.109 instead of 123.45.67.89 everywhere.

Additionally, the OpenVPN profiles are also using the internal IP address, and the Shadowsocks configuration is only bound to 192.168.1.109 instead of 0.0.0.0.

Update instance

What is the recommended way to update my streisand instance? Just running sudo apt-get update && sudo apt-get upgrade after ssh into my machine or running ./streisand once again?
