Show HN: Use Ansible to Run a “friends and Family” OpenVPN Server on Digital Ocean

206 points| robbintt | 9 years ago |github.com | reply

51 comments

[+] cyberferret|9 years ago|reply
I'd like to hear how this is different from Streisand? [0] (and also Sovereign, which I see someone else posted below).

I set up Streisand on a $5/mo Digital Ocean droplet a while back and the whole family uses it on all our devices with great results. It is pretty much a 'fire and forget' solution that I haven't had to touch in over a year.

[0] - https://github.com/jlund/streisand

[+] bdarnell|9 years ago|reply
I've been using streisand for a while (from China) and it's great; the main reason I can see that you might want to use the linked project instead is that it has a lot less surface area so it could be more secure (it's a lot easier to harden/audit openvpn alone than all the services streisand includes).

That said, if I was going to pick one protocol out of the selection offered by streisand, it would be l2tp/ipsec instead of openvpn (assuming you're hosting on Digital Ocean; the networks on AWS and GCE are more restrictive and you can't serve l2tp/ipsec from there). I found this to be easier to set up (the client-side software is already included in most operating systems) and to have the best performance.

[+] robbintt|9 years ago|reply
This project aims to "do one thing and do it well".

I posted this elsewhere but it bears repeating. This project is designed to be simple, auditable, and disposable, and have the minimum attack surface and maintenance costs.

Other tools are great, but the cost of swapping certificates and IP addresses and zone files can weigh you down.

Streisand would do well to have numerous playbooks that remix roles for smaller services (if they don't already).

[+] cylinder|9 years ago|reply
Does this work for offshore usage of USA Netflix or do they detect Digital Ocean?
[+] rosser|9 years ago|reply
Came here to say the same thing. How is this better than Streisand?

Both even use Ansible.

[+] NickBusey|9 years ago|reply
I prefer Sovereign for this. Sets up OpenVPN as well as a bunch of other goodies. https://github.com/sovereign/sovereign
[+] mos_basik|9 years ago|reply
Wew, goodies is about right. That's pretty cool.

I have a VPS and I use it for webhosting for myself and some friends. I've thought about (in some cases tried) and then decided against setting up my own mail server, my own irc bouncer, my own xmpp server and my own cloud storage. Each time, the killer was basically "I could do this, but it would take too long to figure out and it would probably not be super secure at the end."

At the very least, a project like Sovereign (written using something as declarative and idempotent as Ansible) would be great to look through and see how it manages certain things.

And that doesn't detract from your project, OP - I like that your focus is tight and your setup instructions detailed. I'm far more likely to actually try installing a small project like yours than a behemoth that will change who knows what throughout my system.

[+] tlrobinson|9 years ago|reply
I'm not sure I trust myself to run that many services securely.

I'd be interested in something like this with a strong focus on security.

[+] tribby|9 years ago|reply
> Do not check use IPv6

Last time I set up an OpenVPN server on DigitalOcean without `tun-ipv6`, it leaked my ISP's IPv6 address to the internet while my IPv4 address was correct (a DigitalOcean address). Disabling IPv6 on a VPN by default doesn't make a lot of sense to me if the intention is a layer of privacy around your ISP.

[+] robbintt|9 years ago|reply
Hi, thanks for your feedback. Can you submit a github issue? I need to establish a traffic testing method for assessing whether any traffic is leaking. This would be a valuable general tool for all vpn toolchains.
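
The leak test tribby's report calls for and robbintt says is still missing, as an added example that is not part of the linked project or either comment. It assumes an HTTPS echo service such as ifconfig.co that returns the caller's public address as plain text (an assumption, any equivalent service works); `classify` is pure logic so it can be checked without a tunnel.

```python
import http.client
import ipaddress
import socket
import ssl
import sys

ECHO_HOST = "ifconfig.co"  # assumption: an HTTPS service that echoes the caller's public address as text


def fetch_egress(family, host=ECHO_HOST, timeout=5.0):
    """Fetch our public address over one family only (socket.AF_INET or AF_INET6).
    Returns None when that family is unreachable at all (no route, which is not a leak)."""
    try:
        ip, port = socket.getaddrinfo(host, 443, family, socket.SOCK_STREAM)[0][4][:2]
        raw = socket.create_connection((ip, port), timeout=timeout)  # an address literal keeps the chosen family
    except OSError:
        return None
    tls = ssl.create_default_context().wrap_socket(raw, server_hostname=host)
    conn = http.client.HTTPSConnection(host, timeout=timeout)
    conn.sock = tls  # hand over the pre-connected socket so http.client cannot fall back to the other family
    conn.request("GET", "/", headers={"User-Agent": "curl/8"})  # curl UA gets the plain-text form
    body = conn.getresponse().read().decode().strip()
    conn.close()
    return body


def classify(server_addrs, seen):
    """Map each family in `seen` ({'ipv4': addr|None, 'ipv6': addr|None}) to
    'ok' (exits via a VPN server address), 'unreachable' (no route; fine if
    IPv6 is deliberately off) or 'leak' (exits elsewhere, e.g. the ISP's IPv6)."""
    allowed = {ipaddress.ip_address(a) for a in server_addrs}
    result = {}
    for fam, addr in seen.items():
        if addr is None:
            result[fam] = "unreachable"
        elif ipaddress.ip_address(addr) in allowed:
            result[fam] = "ok"
        else:
            result[fam] = "leak"
    return result


def has_leak(result):
    return any(state == "leak" for state in result.values())


if __name__ == "__main__":
    # usage, with the tunnel up: python leakcheck.py <server-ipv4> [<server-ipv6>]
    seen = {"ipv4": fetch_egress(socket.AF_INET), "ipv6": fetch_egress(socket.AF_INET6)}
    verdict = classify(sys.argv[1:], seen)
    print(seen, verdict)
    sys.exit(1 if has_leak(verdict) else 0)
```

A non-zero exit means some family exits the box on an address that is not the VPN server's; the test values below use constructed documentation-range addresses.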
[+] jwilk|9 years ago|reply
How did it leak it?
[+] tedmiston|9 years ago|reply
I'd like to see some hardening of the box if it's going to be used as a VPN server. My boxes in the DO IP range routinely get targeted by malicious traffic from China and Russia.
[+] robbintt|9 years ago|reply
Please add an issue with any reference and ideas for doing this. I would love PRs too.
[+] andreareina|9 years ago|reply
Is there a checklist/guide you could point to? I've come across a few but not being experienced I have a hard time judging how good/complete they are.
[+] wstrange|9 years ago|reply
Given that most families probably want to use this to torrent, would this not violate Digital Ocean's terms of service?
[+] robbintt|9 years ago|reply
This tool is to protect you from Verizon supercookies and Comcast deep packet inspection. These companies sell access to this data to local law enforcement without requiring a warrant. LEOs make choices based on the narrative about you they can build. We need to protect ourselves from people who would do us harm in clever and careful ways.
[+] jlgaddis|9 years ago|reply
Anyone have a similar project but based on CentOS that they use and recommend?
[+] vxNsr|9 years ago|reply
This is really great! I didn't even know this was possible thanks!
[+] cabalamat|9 years ago|reply
Why not just use:

    ssh -D {port} {server}

?
[+] insubstantive|9 years ago|reply
A VPN on the cloud. Totally private. Great idea.
[+] andreareina|9 years ago|reply
Depending on your threat model it's perfectly fine. It won't work against a nation-state-level adversary, but I don't get the feeling it's meant to. Against opportunistic passive sniffing or active MitM in cafés and such it's adequate.
[+] scoot|9 years ago|reply
Name checks out! (As they like to say on a certain other message board where snarky comments are de rigueur.)
[+] necessity|9 years ago|reply
You can simply run a sh script that sets it up... https://github.com/Nyr/openvpn-install
[+] dstryr|9 years ago|reply
I use this script for my servers as well and it seems much quicker and easier. What benefits does OP's method provide?
[+] JonoBB|9 years ago|reply
I use this as well. Takes all of 2 mins to set up, or add a new user.