Skip to content

Latest commit

 

History

History
41 lines (39 loc) · 5.82 KB

Services.md

File metadata and controls

41 lines (39 loc) · 5.82 KB

Services

Services Provided

  • OpenSSH
    • Windows and Android SSH tunnels are also supported, and a copy of the keypair is exported in the .ppk format that PuTTY requires.
    • Tinyproxy can be installed and bound to localhost. It can be accessed over an SSH tunnel by programs that do not natively support SOCKS and that require an HTTP proxy, such as Twitter for Android.
    • An unprivileged forwarding user and SSH keypair can be generated for sshuttle and SOCKS capabilities.
  • OpenConnect / Cisco AnyConnect
    • OpenConnect (ocserv) is an extremely high-performance and lightweight VPN server that also features full compatibility with the official Cisco AnyConnect clients.
    • The protocol is built on top of standards like HTTP, TLS, and DTLS, and it's one of the most popular and widely used VPN technologies among large multi-national corporations.
      • This means that in addition to its ease-of-use and speed, OpenConnect is also highly resistant to censorship and is almost never blocked.
  • OpenVPN
    • When enabled, self-contained "unified" .ovpn profiles are generated for easy client configuration using only a single file.
    • Both TCP and UDP connections are supported.
    • Client DNS resolution is handled via Dnsmasq to prevent DNS leaks.
    • TLS Authentication is enabled which helps protect against active probing attacks. Traffic that does not have the proper HMAC is simply dropped.
  • Shadowsocks
    • When enabled, the high-performance libev variant is installed. This version is capable of handling thousands of simultaneous connections.
    • A QR code is generated that can be used to automatically configure the Android and iOS clients by simply taking a picture. You can tag '8.8.8.8' on that concrete wall, or you can glue the Shadowsocks instructions and some QR codes to it instead!
    • AEAD support is enabled using ChaCha20 and Poly1305 for enhanced security and improved GFW evasion.
    • The v2ray-plugin plugin is installed to provide robust traffic evasion on hostile networks (especially those implementing quality of service (QOS) throttling).
  • sslh
    • Sslh is a protocol demultiplexer that allows Nginx, OpenSSH, and OpenVPN to share port 443. This provides an alternative connection option and means that you can still route traffic via OpenSSH and OpenVPN even if you are on a restrictive network that blocks all access to non-HTTP ports.
  • Stunnel
    • When enabled, listens for and wraps OpenVPN connections. This makes them look like standard SSL traffic and allows OpenVPN clients to successfully establish tunnels even in the presence of Deep Packet Inspection.
    • Unified profiles for stunnel-wrapped OpenVPN connections are generated alongside the direct connection profiles. Detailed instructions are also generated.
    • The stunnel certificate and key are exported in PKCS #12 format so they are compatible with other SSL tunneling applications. Notably, this enables OpenVPN for Android to tunnel its traffic through SSLDroid. OpenVPN in China on a mobile device? Yes!
  • Tor
    • If chosen by the user a bridge relay is set up with a random nickname.
    • Obfsproxy is installed and configured with support for the obfs4 pluggable transport.
    • A BridgeQR code is generated that can be used to automatically configure Orbot for Android.
  • UFW
    • Firewall rules are configured for every service, and any traffic that is sent to an unauthorized port will be blocked.
  • unattended-upgrades
    • Your Streisand server is configured to automatically install new security updates.
  • WireGuard
    • Users can take advantage of this next-gen, simple, kernel-based or user-space-based, state-of-the-art VPN that also happens to be ridiculously fast and uses modern cryptographic principles that all other highspeed VPN solutions lack. It is noticeably more performant and enery-saving, and is highly advantageous in roaming network-to-network environments, like mobile phones. A connection can be made as simply as scanning a QR code, which makes it perfect for sharing with friends and family members. It currently offers an official client for macOS, iOS, Android, Windows, a variety of Linux distibutions, OpenBSD and FreeBSD.
  • Cloudflared DNS-over-HTTPS
    • Even when you are visiting a site using HTTPS, by default your DNS query is sent over an unencrypted connection (between the Streisand server and upstream DNS servers). With Streisand's DNS-over-HTTPS service provided by the cloudflared client enabled, your DNS queries are blocked from view by the cloud provider hosting your Streisand server and everyone in between them and the upstream DNS server. The DNS reply from the upstream server is also protected from both view and tampering on its way back to your Streisand server.