ospab.network/docs/DEPLOYMENT.md
ospab fc00214b07 Initial commit: OSTP stealth VPN protocol with anti-RE protection
- Core transport layer (ostp): ChaCha20-Poly1305 AEAD, X25519 key exchange, TLS mimicry
- Control plane (oncp): Session management, SQLite billing, user registry
- Network layer (osn): TUN device abstraction and routing
- DNS forwarder (osds): Stealth DNS with anti-hijack detection
- Anti-RE protection (ostp-guard): String obfuscation, anti-debug, anti-VM, control flow obfuscation
- CLI binaries: ostp-server (Linux), ostp-client (Windows) with interactive setup
- Comprehensive documentation: README, LICENSE, deployment guides
- Hardened release profile: LTO, symbol stripping, static linking
2026-01-01 19:03:31 +03:00


OSTP Deployment Best Practices

Guidelines for deploying OSTP in production environments with maximum security and reliability.


Infrastructure Planning

Server Placement Strategy

1. Geographic Distribution

  • Deploy servers in multiple regions to minimize latency
  • Consider legal jurisdictions favorable to privacy
  • Use data centers with strong physical security
  • Avoid countries with mandatory data retention laws

2. IP Address Selection

  • Use clean IPs without reputation issues
  • Avoid IP ranges commonly associated with VPN providers
  • Consider using residential proxy IPs for maximum stealth
  • Rotate server IPs periodically (every 3-6 months)

3. Network Architecture

[Internet] → [CDN/Proxy] → [OSTP Server] → [Internal Network]
                              ↓
                        [User Database]
                        [DNS Forwarder]

Benefits:

  • CDN/proxy layer provides DDoS protection
  • Hides real server IP from direct client access
  • Allows for traffic distribution

Security Hardening

Server Operating System

Minimal Installation

# Ubuntu Server minimal install
sudo apt update
sudo apt install -y ufw fail2ban sqlite3

# Disable unnecessary services
sudo systemctl disable bluetooth
sudo systemctl disable cups
sudo systemctl disable avahi-daemon

# Enable automatic security updates
sudo apt install -y unattended-upgrades
sudo dpkg-reconfigure -plow unattended-upgrades

Kernel Hardening (/etc/sysctl.conf):

# Disable IPv6 if not needed
net.ipv6.conf.all.disable_ipv6 = 1

# SYN flood protection
net.ipv4.tcp_syncookies = 1
net.ipv4.tcp_max_syn_backlog = 2048

# Ignore ICMP redirects
net.ipv4.conf.all.accept_redirects = 0
net.ipv4.conf.all.send_redirects = 0

# Disable source packet routing
net.ipv4.conf.all.accept_source_route = 0

# Log martian packets
net.ipv4.conf.all.log_martians = 1

Firewall Configuration

Defense in Depth:

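# Default deny policy
sudo ufw default deny incoming
sudo ufw default deny outgoing

# Allow only necessary ports
sudo ufw allow out 53/udp    # DNS
sudo ufw allow out 123/udp   # NTP
sudo ufw allow out 80/tcp    # Package updates (apt)
sudo ufw allow out 443/tcp   # Package updates, backup upload
sudo ufw allow in 8443/tcp   # OSTP
sudo ufw allow in 22222/tcp  # SSH on the port set in sshd_config; without this, enabling ufw locks you out

# Allow outbound traffic on the tunnel interface
sudo ufw allow out on tun0 from any to any

# Enable firewall
sudo ufw enable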

SSH Hardening

Edit /etc/ssh/sshd_config:

PermitRootLogin no
PasswordAuthentication no
PubkeyAuthentication yes
# Non-standard port
Port 22222
AllowUsers admin
MaxAuthTries 3
ClientAliveInterval 300
ClientAliveCountMax 2

Fail2Ban Configuration

Create /etc/fail2ban/jail.local:

[DEFAULT]
bantime = 3600
findtime = 600
maxretry = 3

[sshd]
enabled = true
port = 22222

PSK Management

Generation Strategy

# Generate PSK with high entropy (umask 077 keeps the key file readable only by its owner)
umask 077
ostp-server gen-key > /secure/storage/psk-$(date +%Y%m%d).txt

# Or use system random
xxd -p -l 32 /dev/urandom | tr -d '\n'

Distribution Methods

Secure Channels:

  1. Signal/Telegram Secret Chats — End-to-end encrypted messaging
  2. PGP-Encrypted Email — Encrypt PSK with user's public key
  3. Password Managers — Share via 1Password/Bitwarden shared vaults
  4. QR Codes — Generate QR codes for in-person distribution
  5. Hardware Tokens — Store on encrypted USB drives

Never:

  • Send PSKs via unencrypted email
  • Post PSKs in public forums or chat groups
  • Store PSKs in version control
  • Reuse PSKs across multiple users

Rotation Schedule

| User Type  | Rotation Frequency | Method             |
|------------|--------------------|--------------------|
| Individual | 90 days            | Manual update      |
| Corporate  | 30 days            | Automated push     |
| High-Risk  | 7 days             | Dynamic generation |

Multi-PSK Architecture (Advanced)

For large deployments, use separate PSKs per user group:

{
  "psk_groups": {
    "premium_users": "a1b2c3...",
    "trial_users": "d4e5f6...",
    "enterprise": "g7h8i9..."
  }
}

Requires custom PskValidator implementation in ostp/src/crypto.rs.


Monitoring & Alerting

Metrics to Track

Connection Metrics:

  • Active connections per minute
  • Failed authentication attempts
  • Average session duration
  • Bandwidth per user

System Metrics:

  • CPU usage
  • Memory usage
  • Disk I/O
  • Network throughput

Security Metrics:

  • Failed PSK validations
  • Repeated connection attempts from same IP
  • Unusual traffic patterns
  • Anti-debug trigger counts

Logging Strategy

Log Levels by Environment:

Development: debug
Staging: info
Production: warn
High-Security: error only

Log Aggregation:

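# Forward logs to central syslog server (@@ = plain TCP, @ = UDP)
# The outbound firewall policy must also allow 514/tcp to log-server
sudo apt install -y rsyslog
echo "*.* @@log-server:514" | sudo tee -a /etc/rsyslog.conf
sudo systemctl restart rsyslog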

Log Retention:

  • Keep 30 days of detailed logs
  • Archive 1 year of summarized logs
  • Purge logs older than 1 year

Alerting Rules

Set up alerts for:

  • Server CPU >80% for 5 minutes
  • Disk usage >90%
  • Failed auth rate >100/minute (potential attack)
  • Service downtime >1 minute
  • Certificate expiration <30 days (if using real certs)
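
One way to evaluate the failed-auth rule above from log files, as an added example that is not part of OSTP. The log line layout (timestamp, level, event name, `src=` field) is an assumption, since this guide does not show OSTP's log format, and the sample lines are constructed.

```shell
#!/usr/bin/env bash
# Added example. Assumed line layout (hypothetical, not OSTP's documented format):
#   2026-01-01T02:15:07Z WARN auth_failed src=203.0.113.7

# failed_auth_spikes THRESHOLD [FILE...]
# Prints "<minute> <count>" for each minute with more than THRESHOLD failures.
failed_auth_spikes() {
  local threshold=$1; shift
  awk -v t="$threshold" '
    $3 == "auth_failed" { n[substr($1, 1, 16)]++ }   # bucket by YYYY-MM-DDTHH:MM
    END { for (m in n) if (n[m] > t) print m, n[m] }
  ' "$@" | sort
}

# top_failed_sources N [FILE...]
# Prints "<count> <source>" for the N sources with the most failures.
# The src value may be a hashed token instead of a raw IP; counting still works.
top_failed_sources() {
  local limit=$1; shift
  awk '
    $3 == "auth_failed" { sub(/^src=/, "", $4); c[$4]++ }
    END { for (s in c) print c[s], s }
  ' "$@" | sort -k1,1nr -k2,2 | head -n "$limit"
}

# Constructed sample data: six failures in 02:15, one in 02:16
sample_log() {
  local i
  for i in 1 2 3 4 5; do
    echo "2026-01-01T02:15:0${i}Z WARN auth_failed src=203.0.113.7"
  done
  echo "2026-01-01T02:15:30Z WARN auth_failed src=198.51.100.4"
  echo "2026-01-01T02:16:01Z INFO session_open src=192.0.2.10"
  echo "2026-01-01T02:16:02Z WARN auth_failed src=198.51.100.4"
}

# Usage: failed_auth_spikes 100 /var/log/ostp.log   (log path is a placeholder)
```

In production the threshold would be the 100/minute value from the alert list; the sample uses a small threshold only so the constructed data triggers it.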

Backup & Disaster Recovery

Backup Strategy

Daily Backups:

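#!/bin/bash
# /usr/local/bin/ostp-backup.sh
set -euo pipefail  # stop on the first failed step instead of uploading a bad archive
umask 077          # backups contain user data; keep them owner-only

DATE=$(date +%Y%m%d-%H%M)
BACKUP_DIR=/backup/ostp

# Backup user database
sqlite3 /var/lib/ostp/users.db ".backup '$BACKUP_DIR/users-$DATE.db'"

# Backup configuration
cp /etc/ostp/server.json "$BACKUP_DIR/config-$DATE.json"

# Compress and encrypt (files named explicitly so the archive never includes itself)
tar czf - -C "$BACKUP_DIR" "users-$DATE.db" "config-$DATE.json" | \
  gpg --batch --encrypt --recipient admin@ospab.host > \
  "$BACKUP_DIR/ostp-backup-$DATE.tar.gz.gpg"

# Remove the plaintext copies once the encrypted archive exists
rm -f "$BACKUP_DIR/users-$DATE.db" "$BACKUP_DIR/config-$DATE.json"

# Upload to remote storage (S3, Backblaze, etc.)
aws s3 cp "$BACKUP_DIR/ostp-backup-$DATE.tar.gz.gpg" \
  s3://ostp-backups/

# Clean up old backups (keep 7 days)
find "$BACKUP_DIR" -type f -mtime +7 -delete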

Crontab Entry:

0 2 * * * /usr/local/bin/ostp-backup.sh

Disaster Recovery Plan

RTO (Recovery Time Objective): 1 hour
RPO (Recovery Point Objective): 24 hours

  1. Server Failure:

    • Spin up new VPS from template
    • Restore latest backup
    • Update DNS records
    • Notify users (if IP changed)
  2. Database Corruption:

    • Stop ostp-server
    • Restore from latest backup
    • Verify data integrity
    • Restart service
  3. PSK Compromise:

    • Generate new PSK immediately
    • Deploy to server
    • Distribute to all users via secure channels
    • Invalidate old PSK

Performance Optimization

Connection Limits

Based on server specs:

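| RAM  | CPU Cores | Max Connections | Notes         |
|------|-----------|-----------------|---------------|
| 1 GB | 1 core    | 100             | Minimal       |
| 2 GB | 2 cores   | 500             | Recommended   |
| 4 GB | 4 cores   | 1000            | High capacity |
| 8 GB | 8 cores   | 5000            | Enterprise    |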

Load Balancing

For >1000 concurrent users:

          [DNS Round-Robin]
                 ↓
     +-----------+-----------+
     ↓           ↓           ↓
[OSTP Server 1] [Server 2] [Server 3]
     ↓           ↓           ↓
        [Shared Database]

Use database replication (PostgreSQL) instead of SQLite for multi-server deployments.

Bandwidth Management

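# Cap total egress on the interface (Linux tc)
# tbf on the root qdisc shapes all traffic leaving eth0, not each connection separately
tc qdisc add dev eth0 root tbf rate 10mbit burst 32kbit latency 400ms

# Or limit new connections per source IP with iptables hashlimit
# (--syn restricts the match to connection attempts, so established sessions are not throttled)
iptables -A INPUT -p tcp --syn --dport 8443 \
  -m hashlimit --hashlimit-name ostp \
  --hashlimit-above 10/s --hashlimit-mode srcip \
  -j DROP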

Data Retention Policies

Recommended Minimal Logging:

  • Do NOT log plaintext traffic content
  • Do NOT log destination IPs
  • Do log: connection timestamps, total bytes transferred, user IDs

Compliance Requirements:

  • GDPR (EU): User data deletion requests
  • CCPA (California): Data access requests
  • National regulations: Vary by jurisdiction

Privacy by Design

  1. Minimize Data Collection: Only collect necessary metadata
  2. Encrypt at Rest: Database encryption for user data
  3. Anonymize Logs: Hash IPs before storing
  4. Short Retention: Delete logs after 30 days
  5. No Third Parties: Never share user data

Warrant Canary (Optional)

Create a canary.txt on your website:

As of January 1, 2026, OSTP has NOT received:
- National security letters
- Gag orders
- Warrants for user data
- Requests to install monitoring software

This canary will be updated monthly.

If you receive a gag order, stop updating the canary; the missing update is the signal to users.


Scaling Strategy

Phase 1: Single Server (0-500 users)

  • 1 VPS with 2GB RAM
  • SQLite database
  • Direct client connections

Phase 2: Vertical Scaling (500-2000 users)

  • Upgrade to 4GB RAM, 4 cores
  • Optimize database indexes
  • Add monitoring

Phase 3: Horizontal Scaling (2000+ users)

  • Deploy multiple servers
  • Shared PostgreSQL database with replication
  • DNS-based load balancing
  • Separate user database server

Phase 4: Global Infrastructure (10000+ users)

  • Regional server clusters
  • Geo-DNS routing
  • CDN integration
  • Dedicated DDoS protection

Cost Analysis

Single Server Monthly Costs

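| Provider      | Specs              | Price | Notes            |
|---------------|--------------------|-------|------------------|
| Hetzner       | 2GB RAM, 40GB SSD  | $5    | Best value       |
| DigitalOcean  | 2GB RAM, 50GB SSD  | $12   | Easy setup       |
| Vultr         | 2GB RAM, 55GB SSD  | $12   | Global locations |
| AWS Lightsail | 2GB RAM, 60GB SSD  | $12   | AWS ecosystem    |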

Additional Costs:

  • Domain name: $10-15/year
  • Backup storage: $2-5/month
  • Monitoring: $10-20/month (optional)
  • DDoS protection: $20-100/month (if needed)

Revenue Model (Optional):

  • Free tier: 5GB/month
  • Basic: $5/month (100GB)
  • Premium: $15/month (unlimited)

Update Strategy

Binary Updates

Server Updates:

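# Download new version
wget https://releases.ospab.host/ostp-server-v2.0.0

# Verify the download: compare this digest with a SHA256 obtained over a trusted channel
sha256sum ostp-server-v2.0.0

# Backup current binary
sudo cp /usr/local/bin/ostp-server /usr/local/bin/ostp-server.backup

# Replace binary (root-owned so an unprivileged account cannot swap it later)
sudo mv ostp-server-v2.0.0 /usr/local/bin/ostp-server
sudo chown root:root /usr/local/bin/ostp-server
sudo chmod +x /usr/local/bin/ostp-server

# Restart service
sudo systemctl restart ostp-server

# Verify version
ostp-server --version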

Client Updates:

  • Provide download link via secure channel
  • Include SHA256 hash for verification
  • Document breaking changes
  • Maintain compatibility for 1 version back
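
The SHA256 check recommended for client downloads applies equally to the server update steps above. The following is an added example, not part of the OSTP tooling: the function names are hypothetical and the expected digest is a placeholder that must come from a trusted channel.

```shell
#!/usr/bin/env bash
# Added example: install a downloaded binary only if its SHA256 matches the
# digest obtained out of band. Function names are hypothetical.

# verify_sha256 FILE EXPECTED_HEX -> 0 if the digest matches, 1 otherwise
verify_sha256() {
  local file=$1 expected actual
  expected=$(printf '%s' "$2" | tr 'A-F' 'a-f')
  # Reject anything that is not exactly 64 hex characters
  case $expected in
    *[!0-9a-f]*|'') return 1 ;;
  esac
  [ "${#expected}" -eq 64 ] || return 1
  actual=$(sha256sum -- "$file" 2>/dev/null | cut -d' ' -f1) || return 1
  [ "$actual" = "$expected" ]
}

# install_verified SRC DEST EXPECTED_HEX
# Keeps DEST.backup for rollback; DEST is untouched when verification fails.
install_verified() {
  local src=$1 dest=$2 expected=$3
  if ! verify_sha256 "$src" "$expected"; then
    echo "SHA256 mismatch for $src, not installing" >&2
    return 1
  fi
  if [ -e "$dest" ]; then
    cp -p -- "$dest" "$dest.backup" || return 1
  fi
  # Write next to DEST, then rename, so a crash never leaves a partial binary
  install -m 0755 -- "$src" "$dest.new" || return 1
  mv -f -- "$dest.new" "$dest"
}

# Usage (as root):
#   install_verified ./ostp-server-v2.0.0 /usr/local/bin/ostp-server "<published sha256>"
```

A hash published on the same server as the binary only detects corruption; it protects against tampering only when it arrives over a separate trusted channel.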

Database Migrations

For schema changes:

-- Check current version
SELECT value FROM metadata WHERE key = 'schema_version';

-- Migrate v1 → v2 (one transaction, so a failure leaves the schema at v1)
BEGIN;
ALTER TABLE users ADD COLUMN last_seen DATETIME;
UPDATE metadata SET value = '2' WHERE key = 'schema_version';
COMMIT;

Incident Response

Security Incident Playbook

1. Detection:

  • Monitor alerts for anomalies
  • Investigate suspicious patterns
  • Verify authenticity of alerts

2. Containment:

  • Isolate affected servers
  • Block malicious IPs
  • Rotate compromised PSKs
  • Snapshot system state

3. Eradication:

  • Identify root cause
  • Patch vulnerabilities
  • Remove backdoors
  • Reset credentials

4. Recovery:

  • Restore from clean backups
  • Verify system integrity
  • Monitor for reinfection
  • Document timeline

5. Post-Mortem:

  • Write incident report
  • Implement prevention measures
  • Update documentation
  • Notify affected users (if required)

Testing & Validation

Pre-Deployment Checklist

  • Server OS fully updated
  • Firewall configured and tested
  • OSTP server starts without errors
  • PSK generated and secured
  • Client successfully connects
  • Traffic encrypted (verify with Wireshark)
  • TLS mimicry working (check SNI)
  • Anti-debug protection active (release build)
  • Logs rotating correctly
  • Backups automated and tested
  • Monitoring alerts configured
  • Documentation complete

Performance Testing

# Simulate 100 concurrent connections
for i in {1..100}; do
  ostp-client connect -s server:8443 -p "$PSK" -c US &
done

# Monitor server resources
htop
iotop
nethogs

Security Testing

  • Port Scanning: Verify only 8443 is open
  • DPI Testing: Use GFW test tools to verify mimicry
  • Traffic Analysis: Capture packets and analyze with Wireshark
  • Penetration Testing: Hire professional auditors (recommended annually)

Advanced Configurations

Multi-Hop Routing

Chain OSTP servers for enhanced anonymity:

[Client] → [OSTP Server 1] → [OSTP Server 2] → [Internet]

Requires custom routing configuration.

Split Tunneling

Route only specific traffic through VPN:

# Route only HTTPS through VPN
ip route add 0.0.0.0/0 via 10.8.0.1 table 100
ip rule add fwmark 1 table 100
iptables -t mangle -A OUTPUT -p tcp --dport 443 -j MARK --set-mark 1

Bridge Mode

Allow clients to access LAN resources:

[OSTP Client] ←→ [OSTP Server] ←→ [Corporate LAN]

Requires NAT and routing configuration on server.


Support & Maintenance

Regular Maintenance Tasks

Daily:

  • Check service status
  • Review critical alerts
  • Monitor disk space

Weekly:

  • Review security logs
  • Check backup integrity
  • Update block lists (if applicable)

Monthly:

  • Apply security updates
  • Review user quotas
  • Analyze performance metrics
  • Test disaster recovery

Quarterly:

  • Rotate PSKs
  • Audit user access
  • Review documentation
  • Plan capacity upgrades

For additional guidance or enterprise support, contact ospab@ospab.host.

Last updated: January 2026