Status check first

Streisand is unmaintained as of late 2022

The original Streisand project (StreisandEffect/streisand) hasn't seen a release since 2019. The OpenVPN + Ansible mechanics still work on current Ubuntu LTS releases, but I run only the OpenVPN and WireGuard pieces — the older transport protocols (Shadowsocks-with-obfs4, sslh, etc.) are increasingly obsolete. For a new project today, consider Algo VPN from Trail of Bits, which solves the same problem with active maintenance and a tighter scope (WireGuard-first, IPsec fallback).

Set up the VPS

A 1 GB Ubuntu 22.04 VPS from any provider works. Get one and do the basics first:

sudo apt update && sudo apt full-upgrade
sudo apt install unattended-upgrades apt-listchanges
sudo dpkg-reconfigure -plow unattended-upgrades

Then create a non-root user and switch to it:

sudo adduser amir
sudo usermod -aG sudo amir
sudo cp -r ~/.ssh /home/amir/.ssh
sudo chown -R amir:amir /home/amir/.ssh

Generate an SSH keypair Streisand will use

ssh-keygen -t ed25519 -f ~/.ssh/streisand
cat ~/.ssh/streisand.pub >> ~/.ssh/authorized_keys

Back the private key up somewhere safe — you'll need it after the playbook lands and the password-based SSH path is locked down.

Install Ansible and clone the playbook

sudo apt install ansible python3-pip git
git clone https://github.com/StreisandEffect/streisand.git
cd streisand

Run the configurator:

./streisand

Answer the prompts:

  • Provider: "Existing server" — we already provisioned the VPS by hand.
  • Custom install: yes. Don't use the kitchen-sink default.
  • Enable: OpenVPN (yes), WireGuard (yes — the original blog post said no, but in 2026 WireGuard is the better day-to-day VPN).
  • Disable: Shadowsocks, sslh, Tor, OpenConnect — unless you have a specific reason for any of them.
  • Server IP: the VPS's public IP.
  • SSH user: the non-root user you created.
  • SSH key: path to ~/.ssh/streisand.

The Ansible run takes 10–25 minutes depending on the box. If it errors mid-way (the Tunnelblick step in older versions throws an ansible-galaxy warning), Ctrl+C, then "C" to continue.

Get the generated docs

When the playbook finishes, the docs are in ~/streisand/generated-docs/server-1/server-1.html. Open that in a browser; it lists download links for each client (.ovpn for OpenVPN, .conf for WireGuard) and the QR code for mobile clients.

OpenVPN tweak: allow shared common-names

If you'll be using one cert across multiple devices (phone + laptop + desktop), un-comment duplicate-cn in the server config:

sudo nano /etc/openvpn/server.conf
# Find and un-comment:
#   duplicate-cn

sudo systemctl restart openvpn@server

Better practice is to generate one cert per device, but for a personal VPN one shared cert is the lowest-friction option.
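The same duplicate-cn edit done idempotently, as an added example rather than code from the Streisand project or the original post: the enable_duplicate_cn and has_duplicate_cn functions are hypothetical helpers that uncomment an existing commented line, append the directive when it is absent, and leave an already-enabled file alone; the script runs against a constructed sample config, not the real /etc/openvpn/server.conf.

```shell
#!/bin/sh
# Idempotently enable "duplicate-cn" in an OpenVPN server.conf.
# Handles three states: already enabled, commented out, or absent.
set -eu

# Exit 0 if FILE contains an active (uncommented) duplicate-cn line.
has_duplicate_cn() {
    grep -Eq '^[[:space:]]*duplicate-cn[[:space:]]*$' "$1"
}

# Enable duplicate-cn in FILE, keeping a .bak copy; prints the action taken.
enable_duplicate_cn() {
    conf=$1
    if has_duplicate_cn "$conf"; then
        echo "already-enabled"
    elif grep -Eq '^[[:space:]]*#[[:space:]]*duplicate-cn[[:space:]]*$' "$conf"; then
        # Strip the leading "#" from the existing line (-i.bak works on GNU and BSD sed).
        sed -i.bak -E 's/^[[:space:]]*#[[:space:]]*(duplicate-cn)[[:space:]]*$/\1/' "$conf"
        echo "uncommented"
    else
        cp "$conf" "$conf.bak"
        printf '\n# added by enable_duplicate_cn\nduplicate-cn\n' >> "$conf"
        echo "appended"
    fi
}

# Constructed sample modelled on a Streisand-style server.conf (not the real file).
SAMPLE_CONF=$(mktemp)
cat > "$SAMPLE_CONF" <<'EOF'
port 1194
proto udp
dev tun
# Allow several devices to share one client certificate:
#   duplicate-cn
keepalive 10 120
EOF
FIRST_RUN=$(enable_duplicate_cn "$SAMPLE_CONF")    # uncommented
SECOND_RUN=$(enable_duplicate_cn "$SAMPLE_CONF")   # already-enabled
echo "$FIRST_RUN / $SECOND_RUN"
```

On the real server, run enable_duplicate_cn as root against /etc/openvpn/server.conf and then restart openvpn@server as above; the .bak copy lets you diff what changed.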

Connect from Windows

Download OpenVPN Community Edition — the official client. Install it (it'll ask for the TAP/Wintun driver), then drop the .ovpn file from the generated docs into %USERPROFILE%\OpenVPN\config\. Right-click the OpenVPN tray icon → choose your config → Connect.

For WireGuard on Windows: install the official client from wireguard.com, click Add Tunnel → Import from file, and pick the .conf from the generated docs.

Verify the tunnel

Visit dnsleaktest.com after connecting. You should see your VPS's IP, not your home IP. Run an extended test — if any of the resolvers it lists are still your ISP's, your DNS is leaking; the OpenVPN config in Streisand-generated docs sets block-outside-dns for Windows clients, but it doesn't always take.

Why I prefer WireGuard for daily use

OpenVPN works well, but WireGuard is the better default in 2026:

  • Roughly 3 kLOC vs. roughly 70 kLOC for OpenVPN: a far smaller attack surface, and far easier to audit.
  • In-kernel. No userland tun device and no userspace encryption overhead, so it is materially faster on most hardware.
  • Roaming-friendly. Peers are identified by their public keys, not by source address and port, so a phone moving between Wi-Fi and LTE keeps its session instead of dropping.
  • Simpler config. One [Interface] section and one [Peer] section per tunnel; no certificate authority to run.

OpenVPN's continued advantage is fitting through restrictive firewalls (TCP-443 over TLS looks like ordinary HTTPS). If you're VPN-ing out of a censored network or hostile corporate firewall, OpenVPN-over-TCP-443 still has a place.