Hardware Streisand client - ideas & brainstorming about streisand HOT 9 CLOSED

@jlund it took a heck of a long time-- apparently nearly two years!

Here's what's up to make this work:

• Triple Stack your traffic:
  • ipv4 (everything here assumes that this is the "souce" internet connection)
  • ipv6 via he.net
  • ipv6 via miredo

So right there, you've got three paths. This is crucial, as the "path count" is what needs to be increased in order to optimize the harmony of your internet. In some areas in China, ipv6 is enough to brush aside Mr. Xi's thought banishment tool's.

But it surely wouldn't be enough to satisfy my need for speed, so: you use an MPTCP kernel, and a tool similar to multi to ensure that v4 and v6 connections are properly multipathed by your system. then you would scatter some sexy streisands around the world:

from streisand.

@faddat I'd be interested in hearing more about how this went and your current implementation.

from streisand.

Same here, what's your setup, @faddat ?

What I am working on now is highly-available shadowsocks setup. I have four shadowsocks servers running in four different locations (Hong Kong, Tokyo, Singapore, Los Angeles). I start sslocal on four different ports. I use these as backends for haproxy in tcp mode:

frontend shadowsocks-ha
    bind 0.0.0.0:1080
    default_backend shadowsocks
backend shadowsocks
    balance roundrobin
    mode tcp
    option tcp-check
    tcp-check send-binary 050100
    tcp-check expect binary 0500
    tcp-check send-binary 0501000167193c412711
    tcp-check expect binary 05000001000000000000
    tcp-check expect binary 34320a
    server shadowsocks-la 127.0.0.1:12346 check weight 70
    server shadowsocks-sg 127.0.0.1:12347 check weight 10
    server shadowsocks-jp 127.0.0.1:12348 check weight 10 
    server shadowsocks-hk 127.0.0.1:12349 check weight 10

Problem are the checks, as even when the remote server is unreachable, sslocal responds to tcp requests (default haproxy check), and even if you just initiate socks connection (050100), it responds as if everything is fine -> you have to try to connect somewhere. So I connect to one of the servers, where there is

ncat -l 10001 -k --exec "/bin/echo 42" 

Next step is putting the whole thing behind redsocks2 to be able to route any tcp (and udp) traffic through it. This all is in an openwrt router. Then one ssid will be with direct connection and one with shadowsocks.

Next next step is automatic changing of weight. haproxy can make a tcp connection, read a number and use it as weight. So I need to write a script that will somehow check the connectivity to the server - I'm thinking about a combination of ping packet loss ( = congestion) and transfer speed - and make it available on a simple tcp socket (ncat again I guess).

from streisand.

Software for doing this:

• Zeroshell - it seems to do everything that we might need to set up the load balancing. Actually making a StriesandBox from that point on seems rather trivial. Who knows? Maybe you'll be able to buy/flash one yourself before too long!

from streisand.

This sounds like an interesting idea! How did the Zeroshell experiment go?

from streisand.

@jlund
No luck with it just yet, more or less due to a lack of time. Step one is getting zeroshell or pfsense or equivalent (not sure if openwrt will let me do this or not) running on a BananaPi. The VM was causing network "wierdness" so I canned that option for now.

from streisand.

I'm going to bring in @miolini on this. He is a lot more qualified to help with things like this than I am. My current setup is "being refactored" at the moment, but when I have it re-implemented I'll put it here and put relevant scripts in a repo somewhere. (And I'm talking with him to determine the likelihood that this can be commercially implemented in an entirely open source manner across 100's of VPSes scattered throughout our planet's various networks)

@hydrant I see no mention of MPTCP in your setup. Have you played with that at all?

from streisand.

@faddat Hi, this topic is very interesting, but I didn't get the load balance thing, you mean that you had a tiny box with access to two or more Streisand host for optimizing routes based on destinations?... when you connect, for example, from US to UK and have 5 hops until destination, if you set a Streisand host on UK you will have 1 hop (your computer to Streisand host) and then 1 or 2 hops until same destination on UK... BUT, the outside VPN connection from your tiny box to that Streisand host will have probably the other 3 or 4 hops under the hood, the one needed to bring up the tunnel... doesn't it?

The Highly Available mentioned later by @hydrandt sounds interesting too, if many tiny boxes connect to a pool of Streisand hosts, in that way if you add more boxes, you will have more availability adding more host, you can grow or shrink dinamically. And if you lost a host, you still have everything working as HA also may feature as fail-over.
In OpenWrt I know route-metric-iptables trick to do some kind of load balancing, there is also a mwan (multiwan) package that performs very well too to do the job, and OpenVPN is known to rotate when config has many remote. Also if you add a properly configured DNS with the multiple IP, you could work as a CDN like, rotating IP of the Streisand host on different DNS responses to distribute the load a little bit or even geolocalized depending of the IP of the DNS query.

I just uploaded an article on the Wiki today, step-by-step instructions tutorial to Setting an OpenWrt Router as OpenVPN Client:

#166 (comment)

https://github.com/jlund/streisand/wiki/Setting-an-OpenWrt-Router-as-OpenVPN-Client

PS: About the vm weirdness you mention, I am pretty sure that is probably related to Promiscuos mode, without it vm losses network packages (happened many times to me using VMware)

from streisand.

I think this conversation is sufficiently far from the goals of the Streisand project as to be inappropriate to keep discussing here in a Github issue. Thanks for understanding!

from streisand.