STREISAND

OpenConnect / Cisco AnyConnect

OpenConnect is an extremely high-performance and lightweight VPN server that also features full compatibility with the official Cisco AnyConnect clients. The protocol is built on top of standards like HTTP, TLS, and DTLS, and it's one of the most popular and widely used VPN technologies. Due to its use among large multi-national corporations, it often means that at the protocol level, it is seldom targetted for censorship.

Platforms
- Certificates
- Windows
- macOS
- OpenConnect GUI
- OpenConnect CLI
- Linux
- Android
- iOS

Server and client Certificates (macOS, Android)

Client certificates are a mechanism by which clients can authenticate themselves securely with the server.

Your OpenConnect server issues its own server certificate. This is used by your device's client software (such as AnyConnect for iOS) to securely identify the VPN server. Download this server's certificate.
- ca.crt
Each device you wish to configure needs a client certificate in addition to the server certificate above. A client certificate is used to securely identify and authenticate your device to the VPN server. Two devices can't use the same client certificate and be logged in at the same time (one client certificate per device). Each client certificate is protected by a password, which will be needed to unlock it once you import it into your device.
- brother-various.p12, password: where.actress.lazy
- shallow-exotic.p12, password: task.federal.fetch
- uncle-task.p12, password: worth.attitude.decline
- script-pizza.p12, password: board.peasant.orchard
- rely-inherit.p12, password: clown.have.tip

Windows

Download the OpenConnect GUI installer.
Run the OpenConnect GUI installer.
Complete the TAP-Windows Setup Wizard.
- Choose the default options, and allow the TAP driver from the OpenVPN project to be installed.
Launch the OpenConnect application.
Click the Edit icon (gear) and select 'New profile advanced'.
Enter streisand-demo-site for the Name.
Enter 52.15.254.140:4443 for the Gateway.
Enter streisand for the Username and click Save.
Click Connect.
A prompt will appear during the initial connection asking you to trust the server's certificate. Click The information is accurate and the server will be automatically verified for all future connections.
Enter snake.endorse.fame.mystery.prefer for the Password and click OK.
Click No when the Windows prompt appears asking Do you want to allow your PC to be discoverable....
The current beta version of the OpenConnect GUI does not support automatically changing the DNS settings. In order to avoid DNS leaks, the following steps must be performed:
1. Right-click on the Windows Start Button.
2. Click Network Connections.
3. Right-click on the device that you are using to connect (Ethernet or Wi-Fi) and click Properties.
4. Double-click Internet Protocol Version 4 (TCP/IPv4).
5. Select Use the following DNS server addresses and enter:
  - 8.8.8.8
  - 8.8.4.4
6. Click OK.
7. Click OK to close the connection properties.
You should be good to go! You can verify that your traffic is being routed properly by looking up your IP address on DuckDuckGo. It should say Your public IP address is 52.15.254.140.

macOS

OpenConnect GUI

Download the OpenConnect GUI installer.
Run the OpenConnect GUI installer.
Launch the OpenConnect application.
Click the Edit icon (gear) and select 'New profile advanced'.
Enter streisand-demo-site for the Name.
Enter 52.15.254.140:4443 for the Gateway.
Enter streisand for the Username and click Save.
Click Connect.
A prompt will appear during the initial connection asking you to trust the server's certificate. Click The information is accurate and the server will be automatically verified for all future connections.
Enter snake.endorse.fame.mystery.prefer for the Password and click OK.
You should be good to go! You can verify that your traffic is being routed properly by looking up your IP address on DuckDuckGo. It should say Your public IP address is 52.15.254.140.

OpenConnect CLI

Install Homebrew, if you haven't already.
Install OpenConnect using Homebrew:

brew install openconnect
- If installing Homebrew is not an option, you can also download and compile the OpenConnect source code.
Download the server certificate file, and a client certificate file from the list above.
Place the downloaded server certificate and a selected client certificate into a separate folder (e.g. streisand-demo-site-openconnect), open your Terminal, and cd to that directory.
Run OpenConnect:

sudo openconnect --cafile ca.crt --certificate your-client-certificate.p12 --key-password 'your-client-certificate-password' --pfs 52.15.254.140:4443
You should be good to go! You can verify that your traffic is being routed properly by looking up your IP address on DuckDuckGo. It should say Your public IP address is 52.15.254.140.

Linux

Install the OpenConnect plugin for NetworkManager.

sudo apt-get install network-manager-openconnect-gnome
Download the server certificate file:
- ca.crt
Open your System Settings.
Click the Network icon.
Click the + button in the lower-left of the window.
Select VPN from the Interface drop-down and click Create.
Select Cisco AnyConnect Compatible VPN (openconnect) and click Create.
Enter streisand-demo-site for the Connection name.
Enter 52.15.254.140:4443 for the Gateway.
Select the ca.crt file that you just downloaded for the CA Certificate.
Click Save.
Select the VPN in the left-hand menu, and flip the switch to ON. You can also enable/disable the VPN by clicking on the WiFi/Network icon in the menu bar, scrolling to VPN Connections, and clicking on its name.
Enter streisand for the Username and click Login.
Enter snake.endorse.fame.mystery.prefer for the Password, check Save passwords, and click Login.
You should be good to go! You can verify that your traffic is being routed properly by looking up your IP address on DuckDuckGo. It should say Your public IP address is 52.15.254.140.

Android

Download Cisco AnyConnect from Google Play.
Launch the application.
Tap OK to accept the "Supplemental End User License Agreement for AnyConnect® Secure Mobility Client vx.x and other VPN-related Software".
Tap the menu icon and select Settings.
Uncheck the Block Untrusted Servers option.
- The server certificate will be imported during the initial login and automatically verified for all future connections.
Tap the back button.
Tap Connection and then tap Add New VPN Connection....
Tap Description and enter streisand-demo-site.
Tap Server Address and enter 52.15.254.140:4443.
Tap Advanced Preferences.
Tap Certificate.
- Each profile can be downloaded on the device itself using the links above, or copied from your computer via USB.
Check the Download folder if you downloaded the file directly to the device. This is where Chrome places its files, for example.
Tap Import, tap File System, and select a client certificate file from the list above that you transferred.
Enter your client certificate password when the Password prompt is displayed, and tap Connect.
You'll see a checkmark next to the newly imported certificate. Tap the back button.
Tap Done twice to save the connection.
Tap the back button to return to the main screen. You should see streisand-demo-site in the Connection section.
Slide the AnyConnect VPN switch On.
Tap Details when the Security Warning is displayed.
Tap Import and Continue when the Certificate Summary is displayed.
Tap Connect on the group selection screen. The correct default has already been chosen.
If this is your first time using AnyConnect, you will need to accept the Connection Request dialog that Android displays.
You should be good to go! You can verify that your traffic is being routed properly by looking up your IP address on DuckDuckGo. It should say Your public IP address is 52.15.254.140.

Prompted for username?

Some users have reported that their Android AnyConnect clients prompt for a username and password. This is a known bug we don't understand. See the list of Streisand AnyConnect open issues. If you're affected, you could help us understand the bug by reporting your details using the issue list's New issue button's template. Fixes are gratefully accepted too.

If you're affected, you can use this workaround:

When prompted for a user, enter streisand
When prompted for a password, use snake.endorse.fame.mystery.prefer

iOS

Note: When using AnyConnect for the first time, you may be prompted for a password prior to being connected. Enter `streisand` for the username, `snake.endorse.fame.mystery.prefer` for the password and continue. Subsequent connections will not prompt you again.

Note: Only one AnyConnect profile can be configured at any give time. To remove an existing profile, go to Settings -> General -> Profile, tap on the profile you wish to remove, then tap on Remove Profile.

Transfer a .mobileconfig file for each device you wish to configure:
- brother-various.mobileconfig
- shallow-exotic.mobileconfig
- uncle-task.mobileconfig
- script-pizza.mobileconfig
- rely-inherit.mobileconfig
- The profile can be emailed to your device (simply tap the attachment), transferred via the Apple Configurator utility, or downloaded directly by viewing these instructions on the device itself.
Follow the on-screen instructions.
You will be prompted to enter your device password or pin.
Download Cisco AnyConnect from the App Store.
Launch the application.
Tap OK to enable the software when the dialog box appears.
Tap Settings.
Turn off the Block Untrusted Servers switch.
- The server certificate will be imported during the initial login and automatically verified for all future connections.
Tap Home.
Slide the AnyConnect VPN switch on.
Tap Details when the Security Warning is displayed.
Tap Import in the top-right corner.
Tap Connect on the group selection screen. The correct default has already been chosen.
You should be good to go! You can verify that your traffic is being routed properly by looking up your IP address on DuckDuckGo. It should say Your public IP address is 52.15.254.140.