Hacker News

I'd like to hear how this is different from Streisand? [0] (and also Sovereign, which I see someone else posted below).

I set up Streisand on a $5/mo Digital Ocean droplet a while back and the whole family uses it on all our devices with great results. It is pretty much a 'fire and forget' solution that I haven't had to touch in over a year.

[0] - https://github.com/jlund/streisand



I've been using streisand for a while (from China) and it's great; the main reason I can see that you might want to use the linked project instead is that it has a lot less surface area so it could be more secure (it's a lot easier to harden/audit openvpn alone than all the services streisand includes).

That said, if I was going to pick one protocol out of the selection offered by Streisand, it would be L2TP/IPsec instead of OpenVPN (assuming you're hosting on Digital Ocean; the networks on AWS and GCE are more restrictive and you can't serve L2TP/IPsec from there). I found this to be easier to set up (the client-side software is already included in most operating systems) and to have the best performance.


From another subthread, https://github.com/trailofbits/algo is an ipsec-only alternative to streisand that looks good (although it requires an app to be installed on android). They also get ipsec working on aws/gce, so apparently whatever obstacle streisand faces with this configuration is solvable.


Caveat: That unconditionally blocks traffic between your friends and family (see issue #166).


This project aims to "do one thing and do it well".

I posted this elsewhere but it bears repeating. This project is designed to be simple, auditable, and disposable, and have the minimum attack surface and maintenance costs.

Other tools are great, but the cost of swapping certificates and IP addresses and zone files can weigh you down.

Streisand would do well to have numerous playbooks that remix roles for smaller services (if they don't already).


Does this work for offshore usage of USA Netflix or do they detect Digital Ocean?


I have to disable this in the US to use netflix.

I wish they would allow VPN users through based on address-based authentication.



It should. Netflix only blocks known IP-blocks of VPN services.


Netflix is blocked from DO. Just tried. If anybody can buy and use an IP, Netflix has pretty much blacklisted that IP space, as far as I have tried.


Came here to say the same thing. How is this better than Streisand?

Both even use Ansible.


They have different objectives. Streisand's goal is to circumvent censorship, so it provisions a set of different VPN protocols (OpenVPN, L2TP/IPsec, Shadowsocks, etc.) and instructions on how to use them, whereas Sovereign sets up e-mail, CalDAV, and other cloud-related tools (which Streisand does not do).


Yeah, my question was comparing the linked project to Streisand, not Sovereign to Streisand.


I misread your question, my apologies. At a quick glance (and a very quick one at that), Streisand's OpenVPN setup is configured to work on both TCP and UDP ports, whereas the referenced project is being templated from [https://github.com/Stouts/Stouts.openvpn/tree/9c83736608e4cc...]. Looking at the linked project's setup, it seems it's using outdated configurations for OpenVPN (BF-CBC instead of AES-CBC, 1024-bit keys instead of 2048) [https://github.com/Stouts/Stouts.openvpn/blob/9c83736608e4cc...]. It's also configured to log info, whereas Streisand tries its best not to.

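The comment above flags three concrete weaknesses in the templated role: a Blowfish data cipher, 1024-bit RSA keys and on-disk logging. The script below is an added example (not code from the linked project, Stouts.openvpn or Streisand) that parses an OpenVPN server config and an easy-rsa `vars` file and reports exactly those classes of problem, run over two constructed configs in the weak and the hardened style. The sample configs, the `MIN_KEY_BITS` threshold and the file-name heuristic for the DH parameter size are assumptions made here for illustration.

```python
"""Audit an OpenVPN server config, and an easy-rsa 'vars' file, for the weak
settings raised in the thread (BF-CBC, 1024-bit keys, on-disk logging).
Added example: not code from the linked project, Stouts.openvpn or Streisand.
"""
import re

# 64-bit block ciphers: subject to SWEET32 birthday attacks on a long-lived tunnel.
WEAK_CIPHERS = {"BF-CBC", "DES-CBC", "DES-EDE-CBC", "DES-EDE3-CBC",
                "RC2-CBC", "CAST5-CBC", "IDEA-CBC"}
WEAK_DIGESTS = {"NONE", "MD5", "SHA1"}
MIN_KEY_BITS = 2048  # assumed threshold for RSA/DH sizes


def parse_openvpn_conf(text):
    """Map each option name to the list of argument lists it was given.
    '#' and ';' start comments; repeated options are all kept, in order."""
    opts = {}
    for raw in text.splitlines():
        line = re.split(r"[#;]", raw, 1)[0].strip()
        if not line:
            continue
        name, *args = line.split()
        opts.setdefault(name.lower(), []).append(args)
    return opts


def _last_arg(opts, name, default):
    """First argument of the last occurrence of `name`, or `default` if absent."""
    args = opts.get(name, [[]])[-1]
    return args[0] if args else default


def audit_openvpn_conf(text):
    """Return a list of findings; an empty list means nothing was flagged."""
    opts = parse_openvpn_conf(text)
    findings = []

    # OpenVPN releases before 2.4 default to BF-CBC when --cipher is absent.
    cipher = _last_arg(opts, "cipher", "BF-CBC").upper()
    if cipher in WEAK_CIPHERS:
        findings.append(f"cipher {cipher}: 64-bit block cipher, use AES-256-GCM")

    # --auth defaults to SHA1 (HMAC for CBC modes and for the control channel).
    auth = _last_arg(opts, "auth", "SHA1").upper()
    if auth in WEAK_DIGESTS:
        findings.append(f"auth {auth}: use SHA256 or stronger")

    # --tls-version-min defaults to 1.0 when not set.
    try:
        tls_min = float(_last_arg(opts, "tls-version-min", "1.0"))
    except ValueError:
        tls_min = 1.0
    if tls_min < 1.2:
        findings.append("tls-version-min below 1.2 (or absent): set tls-version-min 1.2")

    if "tls-crypt" not in opts and "tls-auth" not in opts:
        findings.append("no tls-crypt/tls-auth: control channel reachable by unauthenticated peers")

    # Heuristic (assumption): infer the DH group size from a file name such as dh1024.pem.
    m = re.search(r"(\d{3,4})", _last_arg(opts, "dh", "none"))
    if m and int(m.group(1)) < MIN_KEY_BITS:
        findings.append(f"dh {m.group(1)}-bit parameters: regenerate with {MIN_KEY_BITS}+ bits "
                        "or use 'dh none' (ECDH, OpenVPN 2.4+)")

    # Logging: the complaint was that the role logs where Streisand tries not to.
    for opt in ("log", "log-append", "status"):
        if opt in opts:
            findings.append(f"{opt}: writes connection metadata (client IPs) to disk")
    try:
        verb = int(_last_arg(opts, "verb", "1"))
    except ValueError:
        verb = 1
    if verb > 3:
        findings.append(f"verb {verb}: chatty logging, keep verb at 3 or below")
    return findings


def audit_easyrsa_vars(text):
    """Flag an RSA key size below MIN_KEY_BITS in easy-rsa 2 ('export KEY_SIZE=...')
    or easy-rsa 3 ('set_var EASYRSA_KEY_SIZE ...') variable files."""
    findings = []
    pattern = r"^\s*(?:export\s+KEY_SIZE\s*=|set_var\s+EASYRSA_KEY_SIZE)\s*\"?(\d+)"
    for m in re.finditer(pattern, text, re.M):
        bits = int(m.group(1))
        if bits < MIN_KEY_BITS:
            findings.append(f"KEY_SIZE {bits}: RSA keys below {MIN_KEY_BITS} bits, regenerate the PKI")
    return findings


# Constructed sample inputs (assumptions for this example, not the project's files).
WEAK_CONF = """port 1194
proto udp
dev tun
ca ca.crt
cert server.crt
key server.key
dh dh1024.pem
server 10.8.0.0 255.255.255.0
cipher BF-CBC
auth SHA1
keepalive 10 120
persist-key
persist-tun
status openvpn-status.log
log-append /var/log/openvpn.log
verb 4
"""

HARDENED_CONF = """port 1194
proto udp
dev tun
ca ca.crt
cert server.crt
key server.key
dh none            ; ECDH only, OpenVPN 2.4+
tls-crypt ta.key
server 10.8.0.0 255.255.255.0
cipher AES-256-GCM
auth SHA256
tls-version-min 1.2
keepalive 10 120
persist-key
persist-tun
verb 1
"""

if __name__ == "__main__":
    for label, conf in (("weak", WEAK_CONF), ("hardened", HARDENED_CONF)):
        found = audit_openvpn_conf(conf)
        print(f"== {label}: {len(found)} finding(s)")
        for f in found:
            print("  -", f)
    for f in audit_easyrsa_vars("export KEY_SIZE=1024\n"):
        print("  -", f)
```

The checks deliberately treat an absent `cipher`, `auth` or `tls-version-min` as the OpenVPN default rather than as "not configured", because a role that omits them inherits BF-CBC, SHA1 and TLS 1.0 on older builds, which is what the thread is objecting to.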

I may have to fork the Stouts.openvpn role.

I also am not pleased that their easy-rsa tarball is not easily auditable rather than pulling it as a subrepository directly from OpenVPN.

edit: I have audited the easy-rsa tarball. It's still not a totally appropriate way to manage things.


easy-rsa 3 has saner defaults, especially how it configures OpenSSL, so if you fork that would be a good place to start.


This project is designed to be auditable and disposable. It does only one thing and (hopefully) does it well.

Also this project is intended to be broadly accessible to people who feel they can do the basics of managing a server.



