StreisandEffect / streisand

Streisand sets up a new server running your choice of WireGuard, OpenConnect, OpenSSH, OpenVPN, Shadowsocks, sslh, Stunnel, or a Tor bridge. It also generates custom instructions for all of these services. At the end of the run you are given an HTML file with instructions that can be shared with friends, family members, and fellow activists.
https://twitter.com/streisandvpn
Other
23.2k stars 1.99k forks source link

List of locations where Streisand is tested/works #190

Closed ShenZhouHong closed 7 years ago

ShenZhouHong commented 9 years ago

It would be important, and informational for us to maintain a list of locations where Streisand is known to work - and the connection types that are used. Why don't we start that here? Users can submit locations where they used Streisand, the types of connections that worked, and other various misc information. This would be helpful for future users.

I'll start off first.

ShenZhouHong commented 9 years ago

As of 15th of September, 2015 - Streisand is known to work via the native L2TP/IPsec on Mac OS X Yosemite in Shenzhen, China.

Connection speed is excellent.

nickolasclarke commented 9 years ago

As of 15th Sept 2015 - Known working in Kunming and Beijing, China routing through Singapore on Digital Ocean using both L2TP/IPsec native on Windows and Android as well as Shadowsocks on both Android and Windows. Speed and stability is variable.

On Tue, Sep 15, 2015 at 10:01 PM, Hong Shen Zhou notifications@github.com wrote:

It would be important, and informational for us to maintain a list of locations where Streisand is known to work - and the connection types that are used. Why don't we start that here? Users can submit locations where they used Streisand, the types of connections that worked, and other various misc information. This would be helpful for future users.

I'll start off first.

— Reply to this email directly or view it on GitHub https://github.com/jlund/streisand/issues/190.

nosliwneb commented 8 years ago

Shenzhen, China 2016/02 All on Debian Linux, using a DigitalOcean Singapore server speed tests done on speedtest.net, connecting to Santa Cruz, CA, USA

kennyluk commented 8 years ago

Guangzhou, China

Ubuntu 14 LTS on VMs in Digital Ocean Singapore and in Other Provider in Hong Kong. Configurations were tested as working before departure.

Clients are iOS 7 and 8. All jailbroken to enable stunnel.

I concur with nosliwneb above that the speed feels a lot faster than normal, and likely is the CNY effect.

jlund commented 8 years ago

I'm surprised to hear that stunnel is no longer working. I wonder if moving it to a different port instead of 993 will help?

@nosliwneb: I just pushed an update to the OpenVPN (direct) instructions so that they include the DNS leak mitigation steps from the stunnel instructions. This omission was accidental; thanks for pointing it out!

I also added a new connection option today: OpenConnect / Cisco AnyConnect. Based on what I've read, it works really well in China. I would love to hear some feedback on that if anyone in this thread wants to give it a try.

nickolasclarke commented 8 years ago

I'll gladly guinea pig anything here in China. Shadowsocks is the only thing kindof working any longer for me and I have to move to a fresh IP daily.

I'll spin an updated instance asap and test.

sent from my mobile On Feb 16, 2016 11:06 AM, "Joshua Lund" notifications@github.com wrote:

I'm surprised to hear that stunnel is no longer working. I wonder if moving it to a different port instead of 993 will help?

@nosliwneb https://github.com/nosliwneb: I just pushed an update to the OpenVPN (direct) instructions so that they include the DNS leak mitigation steps from the stunnel instructions. This omission was accidental; thanks for pointing it out!

I also added a new connection option today: OpenConnect http://www.infradead.org/ocserv/index.html / Cisco AnyConnect. Based on what I've read, it works really well in China. I would love to hear some feedback on that if anyone in this thread wants to give it a try.

— Reply to this email directly or view it on GitHub https://github.com/jlund/streisand/issues/190#issuecomment-184492174.

kennyluk commented 8 years ago

I concur with @kydan above, SS is the only thing that is reliable. I was in GZ, HanZhou and Beijing and the only place it didn't work at all was in GZ airport and for that site it looks as if they have a very restrictive hard port based firewall in place.

Up to about a year ago I had access to a corporate Cisco Anyconnect and it does work fairly well. Plus the iOS persistent connection support is a definite plus. I am willing to give it a shot.

@jlund what's the best way to update the instances on DO? Is it automatic? Or should I spin a new VM up?

jlund commented 8 years ago

You'll need to make a new instance. Technically, you could run it against one of the existing instances too, but it's probably easier to start fresh.

pjrobertson commented 8 years ago

@jlund @nosliwneb stunnel still works perfectly here. Beijing, China. L2TP availability depends on ISP I've found. Some ISPs block it, others don't.

aanwark commented 8 years ago

Harbin, China (03/01/16)

Ubuntu 14.04 at LA, USA on Vultr

L2tp/Ipsec: Connects but times out after a while AnyConnect: With official Cisco client on iOS and Android works fine. However, with openconnect on my Linux Mint 17.2, I have experienced some timeouts. OpenVPN (Direct): Didn't try OpenVPN (stunnel): Works for me really well, even better than Shadowsocks Shadowsocks: Works flawlessly, however, I feel that speed is a bit lower than OpenVPN over Stunnel SSH/SSShuttle: Connects and works fine SSH: Connects and Works fine.

df-sh commented 8 years ago

Shanghai 3/1/16 Rackspace (Virginia and Dallas) and Amazon (US West 1/2 US East 1) Shadowsocks 70mbps on rackspace 50mbps on Amazon (average for all locations) Anyconnect Rackspace 10mpbs Amazon 5mbps

xlphs commented 8 years ago

Shenzhen, China ISP: China Telecom

L2TP: works, reached 1.5Mbps torrenting AnyConnect: works (Cisco Anyconnect 4.2) OpenVPN (stunnel): works Didn't try any other methods because they aren't convenient

I think what really matters here is your ISP rather than your location. I had my friend in Shanghai who uses another ISP tested and none of the methods will work.

jackkav commented 8 years ago

Beijing ISP: China Unicom DigitalOcean Singapore 50mbps line inside china, 5-10mbps outside china L2tp: no dice OpenVPN(direct): works but slow <1mbps, Shadowsocks: works great Shadowsocks speedtest.net against a server in San Francisco: D:33.80Mb/s U:5.30Mb/s P:147ms Vultr Japan Similar results: Shadowsocks speedtest.net against a server in San Francisco: D:28.47Mb/s U:5.09Mb/s P:198ms

Both very fast and stable over shadowsocks for the last 2 months. Great work! Unfortunately no netflix over shadowsocks :(

faddat commented 8 years ago

I imagine everyone knows, but given the concentration of people in China, I suppose I'll mention that during my March trip to China, I had great luck using getlantern.org :).

aanwark commented 8 years ago

Harbin ISP: China Educational Network DigitalOcean SFO1 and Singapore

Continuously facing problems with Shadowsocks, and OpenVPN(Stunnel). Other protocols are not working for me either. Packets drop somewhere in Beijing (checked through mtr) and the connection is lost for some time. I am even not able ssh into the server or ping it while the connection is lost.

nickolasclarke commented 8 years ago

fwiw @denoza I've migrated away from SIN as I have found that that route has become more and more degraded. Its a pain in the ass to tell why of course, but I've had better luck since moving back to SFO1

On Tue, May 3, 2016 at 1:47 PM, denoza notifications@github.com wrote:

Harbin ISP: China Educational Network DigitalOcean SFO1 and Singapore

Continuously facing problems with Shadowsocks, and OpenVPN(Stunnel). Other protocols are not working for me either. Packets drop somewhere in Beijing (checked through mtr) and the connection is lost for some time. I am even not able ssh into the server or ping it while the connection is lost.

— You are receiving this because you were mentioned. Reply to this email directly or view it on GitHub https://github.com/jlund/streisand/issues/190#issuecomment-216443846

xlphs commented 8 years ago

@kydan Have you tried Vultr LA location? I've been using the same IP since March and it's like perfect, can't ask more for $5/mo.

nickolasclarke commented 8 years ago

@xlphs I've been on DO the whole time since I wrote some scripts to handle automatically re-provisioning when the connection gets throttled. I'll look into how hard it would be to port to them though. Thanks for the heads up!

btw, what kind of throughput are you getting and where in china are you?

xlphs commented 8 years ago

@kydan In Shenzhen and using China Telecom. I use L2TP all the time, get 1~1.5Mbps torrenting (not that I torrent all the time), I also stream amazon prime videos, however hulu can detect I'm using vpn, I don't use netflix though.

nickolasclarke commented 8 years ago

@xlphs great, thanks for the info!

nickolasclarke commented 8 years ago

@jlund btw, I've been running Openconnect with the FOSS windows client (having some trouble getting the official windows client to work) and the official android client. Works fairly well, though the connection often goes stale. On the windows FOSS client, you never know, things just start routing through the normal net again and you have to reset the connection. On android it either drops the connection, or stays stale until you reset it manually. Throughput its pretty good by my very very low china standards..I usually can pull files down at around 125-500kbps, but sometimes it likes to place nice and jumps up to over 1mbps

hydrandt commented 8 years ago

@kydan @xlphs I can really recommend BudgetVM and Chunkhost. Both in LA and both great peering with Chinese telcos, ping about 160 ms and good bandwidth. Chunkhost is 60 USD/year, BudgetVM 25USD/year (!) for their container (which can enable tun/tap interfaces, so no problem with Streisand). Really great value for the price. If you want Singapore, Linode has much better peering with China than Digital Ocean or AWS. Linode would be about 170 ms (China Telecom) or 220 ms (Unicom), latter two double. From Shanghai. A friend of mine tried AWS Korea and said to have ping around 70 ms (From Shanghai), might be worth trying - which reminds me that this location is missing in Streisand, right? :-) Chance for my first contribution!

nickolasclarke commented 8 years ago

@hydrandt what protocol are you usually running?

hydrandt commented 8 years ago

Almost all the time shadowsocks. The best choice for everything but ios devices. I use l2tp/ipsec there so far, but wanted to try the cisco anyconnect - no experience with it so far.

nickolasclarke commented 8 years ago

indeed. I just switched to a xiaomi Mi5 and shadowsocks not longer works on that device unfortunately. Thanks again for the beta. I'll be moving to shanghai in a few months, and I would love to meet up with any streisand users there so we can swap best practices.

On Tue, May 3, 2016 at 3:32 PM, hydrandt notifications@github.com wrote:

Almost all the time shadowsocks. The best choice for everything but ios devices. I use l2tp/ipsec there so far, but wanted to try the cisco anyconnect - no experience with it so far.

— You are receiving this because you were mentioned. Reply to this email directly or view it on GitHub https://github.com/jlund/streisand/issues/190#issuecomment-216458379

aanwark commented 8 years ago

@kydan I have had no problems with SFO1 lately, my issues started a couple of days back. The weather in north of China is pretty rough these days, perhaps that is why I am having connectivity issues. Nonetheless, recently I started to use SSH as a proxy and didn't face any problems. May be the GFW is updated or Shadowsocks is busted. I have used Shadowsocks for 3-4 months without a glitch but it was until 2 days ago.

nickolasclarke commented 8 years ago

@denoza I'm still actively using shadowsocks on my laptop with few issues here in Yunnan. Throughput isn't great, but it's been pretty consistent. Of course there seems to be no rhyme or reason to performance of protocols across China. On May 3, 2016 16:58, "denoza" notifications@github.com wrote:

@kydan https://github.com/kydan I have had no problems with SFO1 lately, my issues started a couple of days back. The weather in north of China is pretty rough these days, perhaps that is why I am having connectivity issues. Nonetheless, recently I started to use SSH as a proxy and didn't face any problems. May be the GFW is updated or Shadowsocks is busted. I have used Shadowsocks for 3-4 months without a glitch but it was until 2 days ago.

— You are receiving this because you were mentioned. Reply to this email directly or view it on GitHub https://github.com/jlund/streisand/issues/190#issuecomment-216472310

jlund commented 8 years ago

Ansible doesn't have native modules for Vultr, but a lot of people love them. I spun up my first server there not too long ago. It was super fast, and their interface is great. I will look into adding support directly through their API. Assuming it's sane (no SOAP, please) and isn't too tough, it seems like that would help a lot of people.

@hydrandt The last time that I checked (which was a couple of months ago, at least) the Boto Python library didn't have support for that region yet. That has probably changed by now, and that would be a great first pull request :)

@kydan Thanks for the update on OpenConnect. I have been really curious to hear more about that. It works perfectly for users on OS X and Linux (it's what I'm using right now), but the situation on Windows for the open source client continues to be disappointing. What issues did you run into when using the official AnyConnect client?

Thanks for all of the updates, everyone. They really mean a lot. I promise that I will keep doing everything that I can to help you fight against the Great Firewall.

nickolasclarke commented 8 years ago

@jlund earlier it wasnt liking the password, though I think the packets may have just been getting dropped. Just tested again and it hangs on setting up the adapter, though that may be due to the fact that I switched to the insider preview fast ring of Win10 this week to get at Bash on Windows. I'll report back once I hack at it a bit more.

As an aside, I did two quick tests of 100 mb file speed tests from both Digital Ocean SFO1 and Vultr LA. I was pulling a breezy 5.5Mbps on vultr (maxing out my connection) at the high end and 1.2 MBps on the low, while I was pulling ~25KBps on DO-SFO1. I tested a few times and saw similar results. I'll try across time of day as well.

That said, if others are seeing such spectacular throughput on vultr as well, having support for vultr and other hosts that have good peering agreements with chinese telecos would be very helpful. Their API looks like a pretty straightforward REST api (https://www.vultr.com/api/) as well as already having images for the latest Ubuntu (Ubuntu 15.10 x64, Ubuntu 15.10 i386, Ubuntu 16.04 x64, Ubuntu 16.04 i386 etc supported)

I feel like a chump, I dont think I'll be able make a pull for this in a timely manner, my chops are mostly in node.js, but if I can get some time to hack at it, I'll try to help on this.

faddat commented 8 years ago

@kydan Sounds like I'll be spinning up a vultr node before I next head to Shenzhen! and-- regarding rhyme and reason:

There is and is not: They slow whatever they know to be used for VPN-age (minimally, it is slowed. maximally, of course it is blocked.) and that leaves a lot of gray area-- like VPS providers. I don't know how they decide between blocks of addresses relative to one another though.

Then, there are the per-locality and per-ISP variations, which have little apparent rhyme or reason, but I have to guess very specific motivations.

hydrandt commented 8 years ago

I strongly believe it is much simpler than most people imagine. Connectivity is expensive in Asia, and they just don't get enough. Chinese telcos are huge and cheap (1900 CNY/year for 200 down/20 up). Even between Shanghai and Beijing the lines are oversubscribed. Nobody peers with nobody and as a result half of your traffic for southeast Asia and Europe gets routed through US.

Sure the stuff they do with the traffic for the great firewall must affect the throughput too, but I believe oversubscription is underestimated when talking about Chinese internet :-)

Trying Vultr now, Japanese DC, so far not better than Chunkhost or BudgetVM. Ping about 200ms (telecom) and 70ms (unicom), throughput is tragic, getting only about 10kB/s now from both locations, 100-500kB/s from Chunkhost. And now a few minutes later the other way round (with the throughput)...need to automatize the testing and do it a bit more long term. What I can say is that chunkhost has been usable for watching low-res youtube on Shanghai China Telecom. Not in the evenings from about 19:00-23:00.

nickolasclarke commented 8 years ago

That 5+ MBps didnt last long. Ran a few tests 1 hour later and it had dropped to 50-125 KBps and I've not seen that 5mbps come back since. @hydrandt I heartily agree that oversubscription and piss poor peering is a huge part of the problem, but its hard to know, what, exactly is going on. Why did my connection absolutely fly at 5.5+ MBps to the LA Vultr DC for an hour and then drop to very unremarkable speeds just an hour later (still in the middle of the day as well). Was it QoS on the part of the teleco? Was it oversubscribed lines? Was it GFW tampering? Why does nearly every DNS query fail, even for sites that are not blocked? etc, etc etc. So many why's and because there is absolutely zero faith in every single hop once it leaves my router and hits my modem until it leaves the country, I find it very hard to try to troubleshoot connections.

pjrobertson commented 8 years ago

I think this whole debate about which providers are better/which technologies work better in China is over-complicated. From my experience it's the China-side telecom that is the biggest problem (as the last two comments are referring to). Shadowsocks works fine, stunnel works fine in China, but it depends on your telecom. At work I can get 7+MBps download from a JP server, at home I never get more than 0.5MBps (two different Beijing telecos).

If we really want to know the truth about these circumnavigation tools and China, we need to run the same tests using the same set of servers (e.g. 1 x JP, 1 x US, 1 x SG, 1 x HK) across 5 or 6 locations in China, using first of all the same telecos, then different telecos.

xlphs commented 8 years ago

I concur, I've got dedicated internet at my office (fiber, static IPs, allocated bandwidth) and we routinely use L2TP with predictable performance. I chose Vultr simply because it's a cheaper version of Linode, in terms of support and billing.

aanwark commented 8 years ago

I agree, there is huge confusion when it comes to the performance of these tools. I second that it all ranges from ISPs, locations, as well as the tempering from the GFW. For example, some people report smooth operation of L2TP/IPSec however for me it never worked. Shadowsocks work fine in my lab but at home, with same ISP I have issues with it, while Chinese sites work flawlessly at both locations.

If you guys are up for the test, then count me in. I can do some testing as well.

aanwark commented 8 years ago

By the way, did anyone here use Bandwagonhost? I heard that there packages are really cheap, but I have not found any review about their service or reliability.

df-sh commented 8 years ago

Based out of shanghai using free options of aws free tier, and rackspace dev account in april and may using shadowsocks on windows and android, my results have been as follows: AWS: Virginia 215ms 35MBPS California 235ms 35MBPS Oregon 215ms 35MBPS Tokyo 90ms 45MBPS

Rackspace Hong Kong 33ms 60MBPS Dallas 205MS 20MBPS

nickolasclarke commented 8 years ago

@df-sh which provider?

On Sat, May 7, 2016 at 1:52 PM, df-sh notifications@github.com wrote:

Based out of shanghai using free options of aws free tier, and rackspace dev account in april and may my results have been as follows: AWS: Virginia 215ms 35MBPS California 235ms 35MBPS Oregon 215ms 35MBPS Tokyo 90ms 45MBPS

Rackspace Hong Kong 33ms 60MBPS Dallas 205MS 20MBPS

— You are receiving this because you were mentioned. Reply to this email directly or view it on GitHub https://github.com/jlund/streisand/issues/190#issuecomment-217609909

df-sh commented 8 years ago

tested on china telecom for home (not vip foreign internet package, 50mbps line) and china unicom 4g for mobile with amusingly similar results... without shadowsocks running, 15ms ping and 65MBPS

this is using speedtest.net if you have a better suggestion for testing results let me know... i feel like something is off with these results as when i tried these tests on friends computer using 360 browser i got very... harmonious results.

jlund commented 7 years ago

I just merged WireGuard support into the master branch today. I'm curious and excited to hear how this performs in China. Early results look promising, and its design should make it highly resilient to active probing attacks. If you are a Linux user in China, please give it a shot!

nickolasclarke commented 7 years ago

@jlund do you know the state of any of the other clients being worked on at the moment? I poked around, but there doesn't seem to be much published.

cpu commented 7 years ago

I don't think the Streisand repo is the correct place to try and maintain a wiki-like list of tested providers. The discussion has also drifted substantially from that initial topic (e.g. RE: Wireguard) and I think at this point the best thing to do is close the issue. Thanks all!