Don’t use this, if you do not have to!

NOTE: If you came here because you want to use the Riseup VPN on Linux, then you should instead go here and use RiseupVPN. The only reason to use the following instructions is if for some reason Bitmask does not work on your Linux version! The Bitmask application is available as packages for supported versions of Debian and Ubuntu as well as stand-alone bundles that will work for other distributions. Yes, there is a command-line version as well!


To install the necessary software, open a terminal (Accessories > Terminal) and type these commands:

for Ubuntu

$ sudo apt-get install network-manager-openvpn-gnome
$ sudo service network-manager restart

for Debian

$ sudo apt-get install network-manager-openvpn-gnome
$ sudo /etc/init.d/network-manager restart


  1. Click on the network manager applet. This is a little icon in GNOME Panel that shows the status of the current network connection.
  2. Select VPN Connections > Configure VPN menu item
  3. Click Add button
  4. Choose OpenVPN if you get a choice of vpn type. Then click Create…
  5. Use these settings:
    • Gateway:: (pick from the list below)
    • Type:: password
    • Username:: your username.
    • Password:: your password or VPN Secret (VPN Secret is preferred).
    • CA Certificate:: download RiseupCA.pem
    • Available to all users:: NO! Leave this unchecked.

Note: if you later move the location of the RiseupCA.pem file, then the VPN will break until you specify the new location. For more information on the RiseupCA.pem file, and how to verify it, see Riseup Certificate Authority.

After you have saved the configuration, you can click on the network manager applet and apply it. If it worked, you should see a lock in the corner of the applet.

When you connect to the VPN for the first time, you may get a dialog box asking you about allowing access to a keyring, that is OK. The keyring will keep your VPN password stored in an encrypted format.

VPN Servers

For Gateway choose one of the following:

VPN Server Location Western US


UPDATE: VPNAutoconnect does not seem to work in the latest Ubuntu release. Alternately, you can try this python autovpn script. This script creates a little daemon that runs in the background and does two things: on new active network connection, activate VPN, if VPN connection is not disconnected by user, then reconnect. This requires NetworkManager 9.0 or above. (From:

We launched a new Riseup VPN, more accessible and secure! This documentation is for our red VPN services. Please check the Riseup VPN documentation for more information.

There is a longstanding bug in Network Manager that prevents the VPN from connecting when you login or reconnecting if the VPN connect gets dropped. In order to fix this problem, we suggest you install VPNAutoconnect. If you are running Debian or Ubuntu, download and open the appropriate .deb file (i386 is for when you have installed a 32-bit system, and amd64 is for when you have installed a 64-bit system). Note that vpnautoconnect depends on libappindicator1 and libc6 (>= 2.15) but wheezy ships libc6:amd64=2.13-38).

Alternately, If you are running Ubuntu, you can add the VPNAutoconnect repository:

$ sudo apt-add-repository ppa:barraudmanuel/vpnautoconnect
$ sudo apt-get install vpnautoconnect

Once installed, the VPNAutoconnect icon should appear in your task bar. It looks like this:

Right click on that icon and select preferences. Make sure that Follow Parent and reconnect is checked, if you want the VPN to start automatically. Next, click on the little top tab with an arrow on it:

You will get a form to add a VPN profile that should autoconnect:

  • for Parent Connection, most people will choose ‘eth0’
  • for VPN connection choose the VPN profile you just added in Network Manager.

Click Save and you are done. Note that if you are using OpenVPN and your home directory is encrypted, the connection will not automatically start up when you login if the Certificate Authority file is stored in your home directory.

UPDATE: You can also try this Bash script I found then edited, credit to qertoip on

Command Line

If you don’t want to use a graphical interface, you can run OpenVPN from the command line.

First install it:

$ sudo apt install openvpn resolvconf

Download the Riseup CA Certificate and place it in /etc/openvpn.

Download this script for updating the resolver and place it in /etc/openvpn/update-resolv.conf

Then you need to download the configuration file and you need to change it for your credentials. The auth.txt is a file with two lines, the first is your login name, the second is a VPN Secret.

In order for openvpn to create the tun device it must be started as user root. However, it will change to the user and group you specify. For user and group options, you can replace with your username or make auth.txt and RiseupCA.pem readable by nobody. Alternately, you can leave off those options to run openvpn as root.

For more options, see man openvpn.

Then you simply need to run it like this:

$ sudo openvpn riseup.ovpn

Testing via the command line

Even if you use Network Manager to access the Riseup VPN, it can still be useful to troubleshoot problems by testing the connection via the command line. For example:

$ sudo openvpn --client --dev tun --auth-user-pass --remote 1194 --keysize 256 --auth SHA256 --cipher AES-256-CBC --ca RiseupCA.pem

Again, see man openvpn for more options.

You can also test the Network Manager connection on the command line. For example:

#find the name of your VPN connections $ nmcli connection list | grep vpn #connect to the VPN $ nmcli connection up id <Name of your VPN Connection>