
A heads up: there's a really nice project called Streisand[1] which provides a multi-protocol VPN with very little effort. You can launch one on a cheap cloud provider (like DO, if their policy allows).

[1] https://github.com/jlund/streisand



I've used streisand on DO (while traveling in China) and it worked well. There's also a similar project called algo[1] which provides a single protocol with maximum security, in contrast to streisand's multi-protocol flexibility (and increased surface area).

[1] https://github.com/trailofbits/algo


Why does he refer to OpenVPN as a "risky server"? Does it have a history of embarrassing security vulns?


I think a recurrent concern is OpenVPN's reliance on TLS, and its codebase complexity as a result of being built on OpenSSL--but with far less attention and resources and vuln hunting compared to say, actual browsers. Complexity + lack of auditing person-hours is never a good combo. (See https://twitter.com/tqbf/status/806646188158152705)

Matt Green's audit of OpenVPN, when completed, may lead to more light on the matter. Otherwise, we're just relying on informed intuitions.


Except all the shenanigans with IPSEC.

https://en.m.wikipedia.org/wiki/IPsec#Alleged_NSA_interferen...

As a "security people" I think me and tptacek could split a great number of hairs and get not too far on this one, but I am open to new info. I know a lot can hide in the complexity of OpenSSL. Maybe the whole thing with IPSEC was to sway us toward OpenVPN likes. Regardless, I still lean slightly towards OpenVPN.

But honestly I am out to defeat ad networks. I only aspire to give nation states indigestion (at a mass scale). Individually if a well funded adversary wants any one of us I think they have us.


I think "other risky servers" may refer to the lesser-known servers that streisand includes, like shadowsocks.


Would a 512mb RAM DO server be enough for this? I've been looking for an alternative to a VPN for a while, but it would only be cost effective with the $5 option.


Yes. Your bottleneck will most likely be network and CPU speed as that's used for encryption. Google around for specific numbers, but my intuition is that network will max out before CPU does even on the $5/mo instance.


I'm running openvpn on one of those just fine.


I've been looking at algo but not sure how much it lives up to the billing.

The ssh configs contained within do not enable ed25519 for instance.


Why not run a utility that visits random websites to drown the signal from the noise? Imagine this thing running 24/7 and visiting all sorts of sites, including all sorts of porn and fetish sites or whatever is taboo in your culture. Now it's impossible to see what I'm actually visiting and you'd be foolish to not realize that these are generated URL visits. A bit like how people used to copy and paste 'NSA keywords' into their emails and web postings.

Not sure why anyone isn't proposing this. Far better than dealing with the hassle and performance issues with a VPN. Want my browsing data? Fine, how's 1 million URLs a day grab you?


I've had a few problems getting it running on AWS but setup was a breeze on GCE. So far it's been cheaper (and safer) than most VPN providers I've seen. YMMV


Can you give a rough estimate of your monthly usage and the price on GCE?

I've been looking at AWS and GCE but I'm having a hard time figuring out the actual bandwidth costs.


Any estimate on EC2 costs using this moderately?


That would depend on your traffic levels and which instance type you want to use.

This should help figure things out: http://calculator.s3.amazonaws.com/index.html


You would be better off putting it on Digital Ocean and then creating / destroying a droplet when you need it. It is what I do and my cost is like $1.50 per month (as opposed to $5).


I second the idea of using Digital Ocean, though I just pay the $5 a month and leave it running.



