riseup-vpn-configurator


Name: riseup-vpn-configurator
Version: 1.3.0
Home page: https://github.com/kmille/riseup-vpn-configurator
Summary: a simple command line tool to get RiseupVPN up and running
Upload time: 2024-08-30 08:28:55
Author: kmille
Requires Python: <4.0,>=3.10
License: GPL-3.0-only
Requirements: No requirements were recorded.

# riseup-vpn-configurator

> Riseup offers Personal VPN service for censorship circumvention, location anonymization and traffic encryption. To make this possible, it [sends all your internet traffic through an encrypted connection](https://riseup.net/en/vpn/how-vpn-works) to riseup.net, where it then goes out onto the public internet.
>
> Unlike most other VPN providers, Riseup does not log your IP address.
>
> Riseup has a VPN client called **RiseupVPN**. This VPN client is super easy to use! You just install it and run it—no configuration, no account registration.

There is already a [riseup-vpn](https://aur.archlinux.org/packages/riseup-vpn) package in AUR. But there are a few things I don't like:

- the software is pretty bloated (unnecessary GUI, I got `could not find polkit agent` error messages)
- the autostart feature just puts a file into `~/.config/autostart` which doesn't work with i3
- the VPN does not use the best available crypto/ciphers (TLS1.2 instead of TLS1.3)
- it's not possible to exclude routes from the VPN

The riseup-vpn-configurator is a simple command line tool that tries to solve these problems. It generates an OpenVPN configuration file that can be used by `systemctl`.

# Installation

Please don't install it as a regular user and then run it as root, as this makes it very easy for an attacker to escalate privileges. You can install the [Arch Linux AUR package](https://aur.archlinux.org/packages/riseup-vpn-configurator) or use it with `pip install --user riseup-vpn-configurator` as root. Check out the `How to use it` section below to get the VPN up and running. You can start RiseupVPN with `systemctl start openvpn-client@riseup` and autostart it with `systemctl enable openvpn-client@riseup`. You can also start, stop and debug the VPN by using the `--start`, `--stop`, `--restart` and `--log` options. Please keep in mind that the client certificate is only valid for 90 days and you have to update it manually.

```bash
usage: riseup-vpn-configurator [-h] [-v] [--no-check-certificate] [-d] [-u] [--uninstall] [-l] [-b] [-c] [-g] [-s] [--version]

options:
  -h, --help            show this help message and exit
  -v, --verbose         show verbose output
  --no-check-certificate
                        skip ssl certificate check (used by --update to get the config/client private key from the API)
  -d, --default-config  print default config file risup-vpn.yaml
  -u, --update          update gateway list and client certificate/key
  --uninstall           remove all files in /opt/riseup-vpn
  -l, --list-gateways   show available VPN server
  -b, --benchmark       use with --list - pings the gateway and shows the latency
  -c, --check-config    check syntax of /etc/riseup-vpn.yaml. Generates default config
  -g, --generate-config
                        Generate openvpn config (/etc/openvpn/client/riseup.conf)
  -s, --status          show current state of riseup-vpn
  --start               starts openvpn service
  --stop                stops openvpn service
  --restart             restarts openvpn service
  --log                 show systemd log
  --version             show version
```

Default config file `/etc/riseup-vpn.yaml`:
```yaml
---
# /etc/riseup-vpn.yaml

server: vpn07-par.riseup.net
protocol: udp
port: 53

# excluded_routes: list services that should not be routed over VPN
# can be an ipaddress, network or hostname
# your local subnet is excluded by default
excluded_routes:
  - 8.8.8.8
  - 192.168.123.0/24
  - us02web.zoom.us

# os user/group
user: openvpn
group: openvpn
```
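The three kinds of `excluded_routes` entries behave differently once they have to become routes. The following added example (not the project's own code) sorts entries into OpenVPN `route ... net_gateway` directives, hostnames that still need resolving, and entries it refuses. The function name and the refusal rules (no IPv6, no `/0`) are assumptions made for illustration.

```python
import ipaddress


def render_excluded_routes(entries):
    """Sort excluded_routes entries (hypothetical helper, not the tool's API).

    Returns (directives, hostnames, refused):
      directives - OpenVPN lines that send the network via the local gateway
      hostnames  - entries that are neither an address nor a network
      refused    - (entry, reason) pairs that should not become routes
    """
    directives, hostnames, refused = [], [], []
    for entry in entries:
        try:
            # strict=False accepts "192.168.123.5/24" and normalises it to
            # the enclosing network instead of raising on set host bits.
            net = ipaddress.ip_network(entry, strict=False)
        except ValueError:
            # Routes are IP based, so a hostname must be resolved first and
            # the exclusion only covers the addresses seen at that moment.
            hostnames.append(entry)
            continue
        if net.version != 4:
            refused.append((entry, "IPv6 is not handled here"))
        elif net.prefixlen == 0:
            # Excluding the default route would bypass the tunnel entirely.
            refused.append((entry, "would exclude all traffic from the VPN"))
        else:
            directives.append(
                f"route {net.network_address} {net.netmask} net_gateway"
            )
    return directives, hostnames, refused


if __name__ == "__main__":
    # Entries from the default config above.
    sample = ["8.8.8.8", "192.168.123.0/24", "us02web.zoom.us"]
    routes, names, bad = render_excluded_routes(sample)
    print("\n".join(routes))
    print("needs DNS resolution:", names)
    print("refused:", bad)
```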
# How to use it
[![asciicast](https://asciinema.org/a/559611.svg)](https://asciinema.org/a/559611)
# Installation (as a dev)

We need to run the tool with root permissions (for example to write to /etc). Running the tests also needs root privileges (because we use chown). Therefore, I recommend running the dev environment also as root user.

```bash
root@linbox:tmp git clone https://github.com/kmille/riseup-vpn-configurator.git
root@linbox:tmp cd riseup-vpn-configurator
root@linbox:riseup-vpn-configurator poetry install
root@linbox:riseup-vpn-configurator poetry run python riseup_vpn_configurator/__init__.py --help
root@linbox:riseup-vpn-configurator poetry run pytest -v -s -x --pdb
root@linbox:riseup-vpn-configurator poetry run flake8 --ignore=E501 riseup_vpn_configurator/
root@linbox:riseup-vpn-configurator poetry run mypy riseup_vpn_configurator/
```

# How it works
The code for the RiseupVPN Linux client can be found [here](https://0xacab.org/leap/bitmask-vpn). It uses OpenVPN. An API gives you valid OpenVPN client credentials (certificate + key) for authentication. The client certificate is only valid for 90 days, so you have to run `--update` once in a while. The VPN gateway list and client certificate can be fetched from a public API.

# Allow for non-root user
```bash
kmille ALL = NOPASSWD: /usr/bin/riseup-vpn-configurator
```
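Both the Installation warning and the `NOPASSWD` rule above rely on the executable, the package and every directory above them being writable by root only. The following added example (not part of the project) audits that chain. `audit_path` and its parameters are hypothetical names; the script and package names are the ones used on this page.

```python
import importlib.util
import os
import shutil
import stat


def audit_path(path, trusted_uids=frozenset({0}), stop_at="/"):
    """Check `path` and every parent directory up to `stop_at`.

    Returns (path, reason) tuples for each component that a user outside
    `trusted_uids` could modify or replace before root executes the code.
    """
    findings = []
    current = os.path.abspath(path)
    stop_at = os.path.abspath(stop_at)
    while True:
        st = os.stat(current)
        if st.st_uid not in trusted_uids:
            findings.append((current, f"owned by uid {st.st_uid}"))
        if st.st_mode & (stat.S_IWGRP | stat.S_IWOTH):
            findings.append((current, "writable by group or others"))
        parent = os.path.dirname(current)
        if current == stop_at or parent == current:
            return findings
        current = parent


if __name__ == "__main__":
    # Names taken from the page: the console script and the package directory.
    targets = set()
    exe = shutil.which("riseup-vpn-configurator")
    if exe:
        # Audit both the PATH entry and the file a symlink resolves to.
        targets |= {exe, os.path.realpath(exe)}
    spec = importlib.util.find_spec("riseup_vpn_configurator")
    if spec and spec.origin:
        targets.add(spec.origin)
    for target in sorted(targets):
        for where, why in audit_path(target):
            print(f"{where}: {why}")
```

An empty result for every target means only root can change what the sudo rule executes; a copy installed under a regular user's home directory shows up as owned by that user's uid.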

# Monitoring with py3status

If you use [py3status](https://github.com/ultrabug/py3status) as your i3bar implementation, you can use [monitor_riseupvpn.py](/monitoring/monitor_riseupvpn.py) for monitoring.

# Known issues
RiseupVPN does not support IPv6. IPv6 traffic is routed over the tunnel but then gets blocked. Also, the VPN hangs after suspend ([see Arch Wiki](https://wiki.archlinux.org/title/OpenVPN#Client_daemon_not_reconnecting_after_suspend)). To solve this issue, the AUR package uses [openvpn-reconnect](https://aur.archlinux.org/packages/openvpn-reconnect) as a dependency. The official Linux clients add firewall rules. This client does not touch your firewall.

# Changelog
v1.0.4: You can specify user/group in the config file. For the tests, use VPN_USER/VPN_GROUP env variables to overwrite the default (openvpn). Fixes [#5](https://github.com/kmille/riseup-vpn-configurator/issues/5)

            
