@crass
Last active January 19, 2024 15:03
Use RiseupVPN via NetworkManager

A short tutorial on using the RiseupVPN via NetworkManager's OpenVPN plugin.

I didn't want to run an extra binary.

First, using a web browser, download this CA certificate. This will allow us to communicate securely with the various Riseup servers.

Next you'll want to download the user certificate and private key (all in one file). I use curl to do this because it's easier. If you want to use your browser, you'll need to add the Riseup CA cert to your browser's trusted root certs.

```
curl -vL --cacert riseup-vpn.ca.crt -o riseup-vpn.pem https://api.black.riseup.net/3/cert
```

What's left is choosing an OpenVPN gateway. This command will show the available endpoints as a list of JSON objects. Some of the gateways have transport type "obfs4", which is a protocol for obfuscating VPN traffic. I ignore those endpoints because I don't think they are usable via the plain OpenVPN NetworkManager plugin (but I haven't verified that).

```
curl -vL --cacert riseup-vpn.ca.crt https://api.black.riseup.net/3/config/eip-service.json 2>&1|less
```

The following command can be used to find the best servers to use from the list above; the results are sorted best first.

```
curl -vL --cacert riseup-vpn.ca.crt https://api.black.riseup.net:9001/json
```

Once you've selected a server from the list above, make sure to set the correct port and protocol in the Advanced... options in the VPN tab of the NetworkManager connection editor. I also explicitly set the cipher and HMAC auth to what is shown at the end of the eip-service.json file, in the JSON object with key openvpn_configuration.

One gotcha is that the "gateway" field must be the IP of the gateway chosen above, not its host name. Also, use the same PEM file for both "User certificate" and "User private key" fields.

After setting this up, go to your favorite DNS leak tester to verify you're not leaking (e.g. https://ipleak.net). Remember that accessing the RiseupVPN this way and not through their Bitmask client introduces the potential for configuration issues that might make you less secure than if you used their client. You also do not get the benefit of traffic obfuscation if that's important to you.

Slightly more info on the service end points can be found here.

NOTE to self: Worth it to create a script to automate this and output an ovpn config file?
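The manual steps above (skip obfs4 transports, use the gateway's IP rather than its host name, reuse one PEM for certificate and key, copy cipher and auth from openvpn_configuration) can be sketched as a script. This is an added example, not the gist author's code; the JSON field names (`gateways`, `ip_address`, `capabilities.transport`, `protocols`, `ports`), the sample values and the `client`/`dev tun` lines are assumptions.

```python
import ipaddress
import json

# Constructed sample shaped like eip-service.json. Field names and values are
# assumptions for illustration; addresses come from documentation ranges.
SAMPLE = json.loads("""
{"gateways": [
  {"host": "gw1.example.net", "ip_address": "192.0.2.10",
   "capabilities": {"transport": [
     {"type": "obfs4", "protocols": ["tcp"], "ports": ["23042"]},
     {"type": "openvpn", "protocols": ["tcp", "udp"], "ports": ["53", "1194"]}]}},
  {"host": "gw2.example.net", "ip_address": "198.51.100.7",
   "capabilities": {"transport": [
     {"type": "obfs4", "protocols": ["tcp"], "ports": ["443"]}]}}],
 "openvpn_configuration": {"auth": "SHA512", "cipher": "AES-256-GCM"}}
""")


def openvpn_endpoints(service):
    """Yield (host, ip, proto, port) for plain-OpenVPN transports only."""
    for gw in service["gateways"]:
        # The gateway field must be an IP, not a host name; reject anything else.
        ip = str(ipaddress.ip_address(gw["ip_address"]))
        for transport in gw["capabilities"]["transport"]:
            if transport["type"] != "openvpn":  # skip obfs4 and anything else
                continue
            for proto in transport["protocols"]:
                for port in transport["ports"]:
                    yield gw["host"], ip, proto, int(port)


def build_ovpn(service, ip, proto, port,
               ca="riseup-vpn.ca.crt", pem="riseup-vpn.pem"):
    """Render a minimal client config for one advertised endpoint."""
    if (ip, proto, port) not in {e[1:] for e in openvpn_endpoints(service)}:
        raise ValueError("not an advertised plain-OpenVPN endpoint")
    conf = service["openvpn_configuration"]
    return "\n".join([
        "client",                      # assumed default, not from the page
        "dev tun",                     # assumed default, not from the page
        f"remote {ip} {port} {proto}",
        f"ca {ca}",
        f"cert {pem}",                 # the same PEM file holds the certificate
        f"key {pem}",                  # and the private key
        f"cipher {conf['cipher']}",
        f"auth {conf['auth']}",
    ]) + "\n"


if __name__ == "__main__":
    print(build_ovpn(SAMPLE, "192.0.2.10", "udp", 1194))
```

The resulting file can be loaded with `nmcli connection import type openvpn file <name>.ovpn` instead of filling in the connection editor by hand.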

@for-coursera

> You also do not get the benefit of traffic obfuscation

Traffic obfuscation from RiseUP themselves, you mean? Or from whom?

@crass

crass commented Jun 30, 2022

> > You also do not get the benefit of traffic obfuscation
>
> Traffic obfuscation from RiseUP themselves, you mean? Or from whom?

Obfuscation between you and RiseUP. They have some obfs4 transports usable on some VPNs. This how-to was not meant to address how to access the VPNs via the obfs4 transport. I'm sure it can be done, I just haven't looked into it.

@ksdrummer

Thank you very much for the tutorial, this is exactly what I was looking for!
Would be great to be able to have traffic obfuscation (that's far from my abilities).
But thank you!!!

@097115

097115 commented Jan 19, 2024

Obtaining riseup-vpn.pem from https://api.black.riseup.net/3/cert seems to be broken :(
