Riseup - from RiseupVPN to OpenVPN
Donate to Riseup
Even though the RiseupVPN client is open source, people might not want to install an additional application when a 5KB OpenVPN profile does the same job. Basically you just need a way to “trick” the Riseup server into giving you the correct data (CA certificate, client certificate and private key) so an OpenVPN profile can be generated, and for that we’ll be using this excellent tool by nitrohorse. You can also use Postman or wget/curl to retrieve the certificates and private key.
Caveat: The generated OpenVPN profile must be re-created every 60 days. The RiseupVPN client does that transparently, but you can use cron, or whatever automation tool you fancy, to re-create the profile when needed.
Update: There is now a tool that does the same thing.
Riseup VPN gateways
The list of the Riseup VPN gateways is retrieved from here:
Location | Host | IP | Protocols | Ports |
---|---|---|---|---|
Seattle | vpn01-sea.riseup.net | 204.13.164.252 | tcp, udp | 53, 80, 1194 |
Amsterdam | vpn19-ams.riseup.net | 163.172.211.109 | tcp, udp | 53, 80, 1194 |
Miami | vpn17-mia.riseup.net | 37.218.244.248 | tcp, udp | 53, 80, 1194 |
Montreal | vpn10-mtl.riseup.net | 199.58.83.11 | tcp, udp | 443 |
Seattle | vpn15-sea.riseup.net | 199.254.238.55 | tcp, udp | 53, 80, 1194 |
Seattle | vpn16-sea.riseup.net | 198.252.153.109 | tcp | 53, 80, 1194 |
Paris | vpn05-par.riseup.net | 195.154.106.118 | tcp, udp | 53, 80, 1194 |
Paris | vpn14-par.riseup.net | 51.159.196.108 | tcp, udp | 53, 80, 1194 |
Paris | vpn02-par.riseup.net | 51.159.197.108 | tcp, udp | 53, 80, 1194 |
Paris | vpn07-par.riseup.net | 163.172.90.118 | tcp, udp | 53, 80, 1194 |
Amsterdam | vpn04-ams.riseup.net | 51.15.9.205 | tcp, udp | 53, 80, 1194 |
Paris | vpn11-par.riseup.net | 51.159.55.86 | tcp, udp | 53, 80, 1194 |
Amsterdam | vpn06-ams.riseup.net | 51.158.144.32 | tcp, udp | 53, 80, 1194 |
Amsterdam | vpn13-ams.riseup.net | 51.158.144.31 | tcp, udp | 53, 80, 1194 |
Montreal | vpn18-mtl.riseup.net | 199.58.83.9 | tcp, udp | 443 |
Paris | vpn08-par.riseup.net | 51.15.187.53 | tcp, udp | 53, 80, 1194 |
New York City | vpn12-nyc.riseup.net | 185.220.103.11 | tcp, udp | 53, 80, 1194 |
Miami | vpn09-mia.riseup.net | 37.218.244.250 | tcp, udp | 53, 80, 1194 |
Generate OpenVPN profile
Start by cloning the repository:
$ git clone https://gitlab.com/nitrohorse/bitmask-openvpn-generator.git
Cloning into 'bitmask-openvpn-generator'...
remote: Enumerating objects: 104, done.
remote: Total 104 (delta 0), reused 0 (delta 0), pack-reused 104
Receiving objects: 100% (104/104), 936.36 KiB | 3.39 MiB/s, done.
Resolving deltas: 100% (50/50), done.
$ cd bitmask-openvpn-generator
Open the script.py file in your favorite text editor, disable the Calyx provider and disable SSL certificate verification for Riseup. The modified file can be downloaded here.
diff --git a/script.py b/script.py
index 5371c7d..0c1db74 100644
--- a/script.py
+++ b/script.py
@@ -20,12 +20,6 @@ providers = [
'domain_url': 'https://riseup.net',
'provider_path': '/provider.json',
'configs_path': '/1/configs.json'
- },
- {
- 'name': 'calyx',
- 'domain_url': 'https://calyx.net',
- 'provider_path': '/provider.json',
- 'configs_path': '/1/configs.json'
}
]
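Review bot: With the calyx entry dropped from providers, the `if ca_cert_uri == 'https://calyx.net/ca.crt':` special case in fetch_and_save_ca_cert can no longer be reached. Remove that branch in the same change so the script does not keep a code path for a provider it no longer lists.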
@@ -100,7 +94,7 @@ def fetch_and_save_ca_cert(ca_cert_uri, ca_cert_path):
if ca_cert_uri == 'https://calyx.net/ca.crt':
receive = requests.get(ca_cert_uri, verify=False)
else:
- receive = requests.get(ca_cert_uri)
+ receive = requests.get(ca_cert_uri, verify=False)
with open(ca_cert_path, 'wb') as f:
f.write(receive.content)
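Review bot: The `+` line passes verify=False for every provider, so the CA certificate is downloaded over TLS with no server authentication, and both arms of the if/else are now identical. Keep default verification (or pass verify= a path to a CA bundle that validates the host) and collapse the branch into a single requests.get call. If verification has to stay off, say so in a comment and note that the only remaining integrity check on the downloaded file is the SHA256 fingerprint comparison against provider info that the script reports afterwards, which is only as trustworthy as the provider.json fetch it came from.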
Make sure you have Python3 and the requests, pyopenssl and certifi packages installed.
$ pip3 install --upgrade requests
$ pip3 install --upgrade pyopenssl
$ pip3 install --upgrade certifi
Now you can just run the script.py file and select a VPN server, protocol and port.
$ python3 ./script.py
Re-using provider info...
Fetching CA certificate for riseup...
Validating SHA256 fingerprints between CA certificate and provider info for riseup...
CA certificate issuer: Riseup Networks, https://riseup.net, Riseup Networks Root CA
CA certificate is valid from 2014-04-28 to 2024-04-28
Fingerprints match!
Fetching client certificate and private key for riseup...
Client certificate issuer: Riseup Networks, https://riseup.net, Riseup Networks Root CA (client certificates only!)
Client certificate is valid from 2023-05-09 to 2023-08-09 and expires in 60 days
Fetching encrypted internet proxy capabilities and gateways for riseup...
Splitting client certificate key pair file for riseup...
Ready!
Server:
1. [riseup] Amsterdam, NL (vpn19-ams.riseup.net / 163.172.211.109)
2. [riseup] Amsterdam, NL (vpn04-ams.riseup.net / 51.15.9.205)
3. [riseup] Amsterdam, NL (vpn06-ams.riseup.net / 51.158.144.32)
4. [riseup] Amsterdam, NL (vpn13-ams.riseup.net / 51.158.144.31)
5. [riseup] Miami, US (vpn17-mia.riseup.net / 37.218.244.248)
6. [riseup] Miami, US (vpn09-mia.riseup.net / 37.218.244.250)
7. [riseup] Montreal, CA (vpn10-mtl.riseup.net / 199.58.83.11)
8. [riseup] Montreal, CA (vpn18-mtl.riseup.net / 199.58.83.9)
9. [riseup] New York, US (vpn12-nyc.riseup.net / 185.220.103.11)
10. [riseup] Paris, FR (vpn03-par.riseup.net / 163.172.58.132)
11. [riseup] Paris, FR (vpn05-par.riseup.net / 195.154.106.118)
12. [riseup] Paris, FR (vpn14-par.riseup.net / 51.159.196.108)
13. [riseup] Paris, FR (vpn02-par.riseup.net / 51.159.197.108)
14. [riseup] Paris, FR (vpn07-par.riseup.net / 163.172.90.118)
15. [riseup] Paris, FR (vpn11-par.riseup.net / 51.159.55.86)
16. [riseup] Paris, FR (vpn08-par.riseup.net / 51.15.187.53)
17. [riseup] Seattle, US (vpn01-sea.riseup.net / 204.13.164.252)
18. [riseup] Seattle, US (vpn15-sea.riseup.net / 199.254.238.55)
19. [riseup] Seattle, US (vpn16-sea.riseup.net / 198.252.153.109)
Enter selection (#): 1
Protocol:
1. TCP
2. UDP
Enter selection (#): 2
Port:
1. 53
2. 80
3. 1194
Enter selection (#): 3
Generating OpenVPN configuration and writing to bitmask_ovpns/bitmask-riseup-udp-ip-amsterdam-nl-1194.ovpn
Done!
Cleaning client certificate and private keys...
Import the resulting .ovpn file, which can be found in the bitmask_ovpns directory, or open it in a text editor and modify the configuration.
The format of the generated OpenVPN file is similar to this, depending on what you selected when creating the profile:
client
tls-client
dev tun
proto udp
remote 163.172.211.109 1194 # vpn19-ams.riseup.net / Amsterdam, NL
auth SHA1
cipher AES-128-CBC
keepalive 10 30
tls-cipher TLS-DHE-RSA-WITH-AES-128-CBC-SHA
tun-ipv6
float
resolv-retry infinite
nobind
verb 3
persist-key
persist-tun
reneg-sec 0
pull
auth-nocache
script-security 2
up /etc/openvpn/update-resolv-conf
down /etc/openvpn/update-resolv-conf
tls-version-min 1.2
redirect-gateway ipv6
remote-cert-tls server
remote-cert-eku "TLS Web Server Authentication"
verify-x509-name vpn19-ams.riseup.net name
<ca>
[...certificate contents goes here...]
</ca>
<cert>
[...certificate contents goes here...]
</cert>
<key>
[...private key contents goes here...]
</key>
Done, you don’t need no other applications.
Workflow
If you want to “manually” perform the requests and build the OpenVPN profile:
- Do a GET request to https://riseup.net/provider.json, save the api_uri, api_version, ca_cert_uri and ca_cert_fingerprint keys.
- Do a GET request to [api_uri]/1/configs.json and save the value in the eip key.
- Do a GET request to [api_uri][eip] and get the list of gateways, ports and protocols.
- Do a POST request to [api_uri]/[api_version]/cert and retrieve the private key and client certificate.
- Save the OpenVPN profile with data from the selected gateway, protocol and port, ca_cert_uri contents, client certificate and private key.
You can do this with a Postman collection, which is available here to download.
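The last workflow step, as an added example (not code from the generator script or from Riseup): it takes the already-downloaded responses, refuses to build a profile unless the CA certificate matches ca_cert_fingerprint, splits the combined key/certificate response and emits the gateway-specific directives. The HTTP requests are left out; the PEM blobs, the "SHA256: <hex>" fingerprint format and the flattened gateway dictionary are constructed assumptions, and the remaining directives come from the sample profile above.

```python
import base64, hashlib, hmac, re, ssl

def sample_pem(label, raw):
    """Wrap constructed placeholder bytes in PEM armor (not a real cert or key)."""
    body = base64.encodebytes(raw).decode()
    return f"-----BEGIN {label}-----\n{body}-----END {label}-----\n"

# Constructed stand-ins for the HTTP responses; layout beyond the page's key names is assumed.
CA_PEM = sample_pem("CERTIFICATE", b"constructed-ca-der")
PROVIDER = {"ca_cert_fingerprint":
            "SHA256: " + hashlib.sha256(b"constructed-ca-der").hexdigest()}
KEYPAIR = (sample_pem("RSA PRIVATE KEY", b"constructed-key")
           + sample_pem("CERTIFICATE", b"constructed-client-der"))
GATEWAY = {"host": "vpn19-ams.riseup.net", "ip_address": "163.172.211.109",
           "protocols": ["tcp", "udp"], "ports": ["53", "80", "1194"]}

def ca_matches_pin(ca_pem, pinned):
    """True if SHA-256 over the DER form of the CA cert equals the pinned value."""
    der = ssl.PEM_cert_to_DER_cert(ca_pem)
    want = re.sub(r"[^0-9a-f]", "", re.sub(r"^sha256", "", pinned.strip().lower()))
    return hmac.compare_digest(hashlib.sha256(der).hexdigest(), want)

def split_keypair(pem):
    """Split the combined cert response into (private_key_pem, certificate_pem)."""
    key = cert = None
    for m in re.finditer(r"-----BEGIN ([A-Z ]+)-----.+?-----END \1-----", pem, re.S):
        if m.group(1).endswith("PRIVATE KEY"):
            key = m.group(0)
        elif m.group(1) == "CERTIFICATE":
            cert = m.group(0)
    if not (key and cert):
        raise ValueError("response lacks a private key or a certificate")
    return key, cert

def build_profile(provider, ca_pem, keypair_pem, gw, proto, port):
    """Emit a profile only if the CA matches the pin and the gateway offers proto/port."""
    if not ca_matches_pin(ca_pem, provider["ca_cert_fingerprint"]):
        raise ValueError("CA certificate does not match ca_cert_fingerprint")
    if proto not in gw["protocols"] or str(port) not in gw["ports"]:
        raise ValueError("gateway does not offer that protocol/port")
    key, cert = split_keypair(keypair_pem)
    return "\n".join([
        "client", "dev tun", f"proto {proto}",
        f"remote {gw['ip_address']} {port}",
        "remote-cert-tls server", f"verify-x509-name {gw['host']} name",
        f"<ca>\n{ca_pem.strip()}\n</ca>",
        f"<cert>\n{cert}\n</cert>", f"<key>\n{key}\n</key>"]) + "\n"

if __name__ == "__main__":
    print(build_profile(PROVIDER, CA_PEM, KEYPAIR, GATEWAY, "udp", 1194))
```

Because the pin check runs before anything is written, a CA file swapped in transit stops the build instead of ending up inside the `<ca>` block.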