Riseup - from RiseupVPN to OpenVPN

June 9, 2023    Article    1066 words    6 mins read

Donate to Riseup

Riseup’s top-notch FREE services are funded by donations from people like us, so make sure you help Riseup provide those services. Go birds!
This article was sparked by a 4chan discussion, I was under the impression that everybody (that was interested in this) knew that you can use Riseup’s VPN service without their RiseupVPN (Bitmask, developed by LEAP) client. Apparently, nobody knows that.

Even though it’s open source, people might not want to install additional applications when you can just use a 5KB OpenVPN profile for that. Basically you just need a way to “trick” the Riseup server to give you the correct data (CA certificate, client certificate and private key) so an OpenVPN profile can be generated, and for that we’ll be using this excellent tool by nitrohorse. You can also use Postman or wget/curl to retrieve the certificates and private key.

Caveat: The generated OpenVPN profile must be re-created every 60 days, the RiseupVPN client does that transparently, but you can use cron, or whatever automation tool you fancy, to re-create the profile when needed.

Update: There is now a tool that does the same thing.

Riseup VPN gateways

The list of the Riseup VPN gateways is retrieved from here:

Seattlevpn01-sea.riseup.net204.13.164.252tcp, udp53, 80, 1194
Amsterdamvpn19-ams.riseup.net163.172.211.109tcp, udp53, 80, 1194
Miamivpn17-mia.riseup.net37.218.244.248tcp, udp53, 80, 1194
Montrealvpn10-mtl.riseup.net199.58.83.11tcp, udp443
Seattlevpn15-sea.riseup.net199.254.238.55tcp, udp53, 80, 1194
Seattlevpn16-sea.riseup.net198.252.153.109tcp53, 80, 1194
Parisvpn05-par.riseup.net195.154.106.118tcp, udp53, 80, 1194
Parisvpn14-par.riseup.net51.159.196.108tcp, udp53, 80, 1194
Parisvpn02-par.riseup.net51.159.197.108tcp, udp53, 80, 1194
Parisvpn07-par.riseup.net163.172.90.118tcp, udp53, 80, 1194
Amsterdamvpn04-ams.riseup.net51.15.9.205tcp, udp53, 80, 1194
Parisvpn11-par.riseup.net51.159.55.86tcp, udp53, 80, 1194
Amsterdamvpn06-ams.riseup.net51.158.144.32tcp, udp53, 80, 1194
Amsterdamvpn13-ams.riseup.net51.158.144.31tcp, udp53, 80, 1194
Montrealvpn18-mtl.riseup.net199.58.83.9tcp, udp443
Parisvpn08-par.riseup.net51.15.187.53tcp, udp53, 80, 1194
New York Cityvpn12-nyc.riseup.net185.220.103.11tcp, udp53, 80, 1194
Miamivpn09-mia.riseup.net37.218.244.250tcp, udp53, 80, 1194

Generate OpenVPN profile

Start by cloning the repository:

$ git clone https://gitlab.com/nitrohorse/bitmask-openvpn-generator.git
Cloning into 'bitmask-openvpn-generator'...
remote: Enumerating objects: 104, done.
remote: Total 104 (delta 0), reused 0 (delta 0), pack-reused 104
Receiving objects: 100% (104/104), 936.36 KiB | 3.39 MiB/s, done.
Resolving deltas: 100% (50/50), done.
$ cd bitmask-openvpn-generator

Open the script.py file in your favorite text editor, disable the Calyx provider and disable SSL certificate verification for Riseup. Modified file can be downloaded here.

diff --git a/script.py b/script.py
index 5371c7d..0c1db74 100644
--- a/script.py
+++ b/script.py
@@ -20,12 +20,6 @@ providers = [
                'domain_url': 'https://riseup.net',
                'provider_path': '/provider.json',
                'configs_path': '/1/configs.json'
-       },
-       {
-               'name': 'calyx',
-               'domain_url': 'https://calyx.net',
-               'provider_path': '/provider.json',
-               'configs_path': '/1/configs.json'

@@ -100,7 +94,7 @@ def fetch_and_save_ca_cert(ca_cert_uri, ca_cert_path):
        if ca_cert_uri == 'https://calyx.net/ca.crt':
                receive = requests.get(ca_cert_uri, verify=False)
-               receive = requests.get(ca_cert_uri)
+               receive = requests.get(ca_cert_uri, verify=False)

        with open(ca_cert_path, 'wb') as f:

Make sure you have Python3 and requests, pyopenssl and certify packages installed.

$ pip3 install --upgrade requests
$ pip3 install --upgrade pyopenssl
$ pip3 install --upgrade certifi

Now you can just run the script.py file and select a VPN server, protocol and port.

$ python3 ./script.py
Re-using provider info...
Fetching CA certificate for riseup...
Validating SHA256 fingerprints between CA certificate and provider info for riseup...
CA certificate issuer: Riseup Networks, https://riseup.net, Riseup Networks Root CA
CA certificate is valid from 2014-04-28 to 2024-04-28
Fingerprints match!
Fetching client certificate and private key for riseup...
Client certificate issuer: Riseup Networks, https://riseup.net, Riseup Networks Root CA (client certificates only!)
Client certificate is valid from 2023-05-09 to 2023-08-09 and expires in 60 days
Fetching encrypted internet proxy capabilities and gateways for riseup...
Splitting client certificate key pair file for riseup...


1. [riseup] Amsterdam, NL (vpn19-ams.riseup.net /
2. [riseup] Amsterdam, NL (vpn04-ams.riseup.net /
3. [riseup] Amsterdam, NL (vpn06-ams.riseup.net /
4. [riseup] Amsterdam, NL (vpn13-ams.riseup.net /
5. [riseup] Miami, US (vpn17-mia.riseup.net /
6. [riseup] Miami, US (vpn09-mia.riseup.net /
7. [riseup] Montreal, CA (vpn10-mtl.riseup.net /
8. [riseup] Montreal, CA (vpn18-mtl.riseup.net /
9. [riseup] New York, US (vpn12-nyc.riseup.net /
10. [riseup] Paris, FR (vpn03-par.riseup.net /
11. [riseup] Paris, FR (vpn05-par.riseup.net /
12. [riseup] Paris, FR (vpn14-par.riseup.net /
13. [riseup] Paris, FR (vpn02-par.riseup.net /
14. [riseup] Paris, FR (vpn07-par.riseup.net /
15. [riseup] Paris, FR (vpn11-par.riseup.net /
16. [riseup] Paris, FR (vpn08-par.riseup.net /
17. [riseup] Seattle, US (vpn01-sea.riseup.net /
18. [riseup] Seattle, US (vpn15-sea.riseup.net /
19. [riseup] Seattle, US (vpn16-sea.riseup.net /

Enter selection (#): 1


1. TCP
2. UDP

Enter selection (#): 2


1. 53
2. 80
3. 1194

Enter selection (#): 3

Generating OpenVPN configuration and writing to bitmask_ovpns/bitmask-riseup-udp-ip-amsterdam-nl-1194.ovpn
Cleaning client certificate and private keys...

Import the resulting .ovpn file that can be found in the bitmask_opvns directory, or open it in a text editor and modify the configuration.

The format of the generated OpenVPN file is similar to this, depending on the what you selected when creating the profile:

dev tun
proto udp
remote 1194 # vpn19-ams.riseup.net / Amsterdam, NL
auth SHA1
cipher AES-128-CBC
keepalive 10 30
resolv-retry infinite
verb 3
reneg-sec 0
script-security 2
up /etc/openvpn/update-resolv-conf
down /etc/openvpn/update-resolv-conf
tls-version-min 1.2
redirect-gateway ipv6
remote-cert-tls server
remote-cert-eku "TLS Web Server Authentication"
verify-x509-name vpn19-ams.riseup.net name
[...certificate contents goes here...]
[...certificate contents goes here...]
[...private key contents goes here...]

Done, you don’t need no other applications.


If you want to “manually” perform the requests and build the OpenVPN profile:

  1. Do a GET request to https://riseup.net/provider.json, save the api_uri, api_version, ca_cert_uri and ca_cert_fingerprint keys.
  2. Do a GET request to [api_uri]/1/configs.json and save the value in the eip key.
  3. Do a GET request to [api_uri][eip] and get the list of gateways, ports and protocols.
  4. Do a POST request to [api_uri]/[api_version]/cert and retrieve the private key and client certificate.
  5. Save the OpenVPN profile with data from the selected gateway, protocol and port, ca_cert_uri contents, client certificate and private key.

You can do this with a Postman collection, which is available here to download.

Additional info