March 2017. We deployed changes to our VPN Red which may need adjustments in your client to work. Please check the changes.
Note! When you connect to the internet through the VPN Red you are bypassing any firewalls on your local network. Your computer will get its own IP address on the open internet. This is great, because that way your computer can communicate freely with others without getting blocked. However, bypassing the local firewall also means that your computer is more vulnerable to attack. Therefore, you should enable a firewall on your computer.
The VPN Red service supports OpenVPN.
Although each client is different, there are five values that must be configured in your OpenVPN client:
- VPN Server: vpn.riseup.net
- Authentication method: password
- VPN username: your riseup.net login (ie if your account is email@example.com, just enter “joe_hill”)
- Password: either your riseup.net password or a vpn-secret.
- CA Certificate: RiseupCA.pem (download and verify here)
- Cipher: AES-256-CBC NEW
- Digest: SHA256 NEW
Optional configuration options:
- Port: either 1194, 443, or 80. Port 1194 is the normal default for OpenVPN, but sometimes it might be blocked by the network you are on. You should not normally need to change this setting. If you do, ports 443 and 80 will likely not be blocked, since these are the ports for normal web traffic.
- Protocol: either UDP or TCP. UDP is faster, but TCP might be required to get around some network restrictions. UDP is the default, so you only need to fiddle with this if something is blocking your VPN access.
Example configuration file:
## ## REQUIRED ## client cipher AES-256-CBC auth SHA256 remote 220.127.116.11 80 # alternately: # remote vpn.riseup.net 443 # remote vpn.riseup.net 80 dev tun proto udp # alternately (try instead if udp doens't work): # proto tcp auth-user-pass # alternately: # auth-user-pass ~/vpn/auth.txt <ca> -----BEGIN CERTIFICATE----- MIIF2jCCA8KgAwIBAgIIVogyQTSIzc8wDQYJKoZIhvcNAQELBQAwgYYxGDAWBgNV BAMTD1Jpc2V1cCBOZXR3b3JrczEYMBYGA1UEChMPUmlzZXVwIE5ldHdvcmtzMRAw DgYDVQQHEwdTZWF0dGxlMQswCQYDVQQIEwJXQTELMAkGA1UEBhMCVVMxJDAiBgkq hkiG9w0BCQEWFWNvbGxlY3RpdmVAcmlzZXVwLm5ldDAiGA8yMDE2MDEwMjIwMjU0 MFoYDzIwMjYwMzMwMjAyNjAxWjCBhjEYMBYGA1UEAxMPUmlzZXVwIE5ldHdvcmtz MRgwFgYDVQQKEw9SaXNldXAgTmV0d29ya3MxEDAOBgNVBAcTB1NlYXR0bGUxCzAJ BgNVBAgTAldBMQswCQYDVQQGEwJVUzEkMCIGCSqGSIb3DQEJARYVY29sbGVjdGl2 ZUByaXNldXAubmV0MIICIjANBgkqhkiG9w0BAQEFAAOCAg8AMIICCgKCAgEAw2VV uoz4xqeB1ROIwXBRaj0prOqEFX89A7+2rslGRfjM8NPHyBLGleoHTK3DPwadtQeg ulaEOAjM5EMXTEX/o9H46L6h729HUWPCwVssvvOjyxTyGJDf7Ihd/Ab7ODtlJSyc g31aXMioA5pGz5QnS3VGz4nE9+NL+jobc/NbhaacsEPR/7xO7meRNu/1S+YiHK1y BSVrfap3XItlcNHDGNQkPyyJbS3pAS1lQs2HCBTzcFCamCkDOC7cRh9wZ4GH8U2f 2s0mDD5zhRpheNW4gFBtGpqHiRXv7WJW612aaXzKQQoIq2loGNvOpnyBPKL3jjUT Rxv5IzWMV0nAofMCy25u/S4J65uSEd9mLNXFJ3rl+cFaybcOUXktTbS7bZy6cMyf /gO28bEXIWr5WfZf8jCbPyOVfExZquG3aS+0YPWmIJCheXQzgiwplZy93oND1GGQ f+1R2F7GPwNXQdefv2xm7PTWhHbSWHHmeY89qYED+yFJrX5ChoFoBbYs1lMmdU/C 2MnQBFtvcVockXFAUONyMKiq8ZP6sQ1lu0rO9Bvkhx55sJLZOmjN3g4S1K97PbbI 5DzHKcR0JQSt8ZtCY/MuMbwvlNYo98bFWvlfKET0KPtogNNH0PNfJmStKR8jWGjE HnUNXo7YDfK90iEKTjLz2K5CYzH5Dm6iYJNaaykCAwEAAaNGMEQwEgYDVR0TAQH/ BAgwBgEB/wIBADAPBgNVHQ8BAf8EBQMDBwQAMB0GA1UdDgQWBBTGek7ebtq2Ibm+ 2K6je1IMobvEkzANBgkqhkiG9w0BAQsFAAOCAgEAO2B3jnL+8LeoRkc282qUpHyu xYj0Qd68l0CJ0FjfA2OCR/6h1W4gZVH+fTd/mhgrNXj28GRT53JEh1jdRC7ENTXu W9O8I9gCbWQ6V4nkZ9lpq8UEmKTFGnngVu8VCmSDF+y0kFuEtmt0jyd2UkJfC/vy Gh78OCHEdGAeOTYHXamiuA9Z7wMuncPjP476gSW2kfWTdxV25ad4tT5dA5d42xDm YE2UKzHeB9amOmvyh08LPD0idT5oROCIHsHBhQC9oltJXO5j6GyHRg88C1inyv6R xk+w9ek4wSBpoJg5t3hdbZr3JTUsuu4WPtAET0fMQpJC+niaBbegwtvdLZFM+d8x ead3ZpMO+XrpazDFGtdPTQdi5EIYmr2RL9eTeQbVPwMB9TgFpBXP+iYIuTpNo8jn 8zS4EcPRmz6PQJVK4zkHczfvquyU9RuOwEgb8qN4tSNxF0Z94uSVUoXCG9WZLf8q MfsGesYiR/qLnLn3MfAyWm3OVOUvGzczDE2T8VvY7rXc2+8ra5aK0TNAgEz9ey6D /dGzM1JCCe1A08s+2+eRX//pmqmOCoGrY7zwIVS2T249h6iIMM9yT0C3ZXRoTnVN osyidOkVuQr0YK6shJ0WaK4F1MktdjOZKPoIc9QLw+TrSU2hfyla36T0bNWMC/TJ YtxDI+d1jIFZ7zMmts4= -----END CERTIFICATE----- </ca> ## ## OPTIONAL ## nobind persist-tun persist-key resolv-retry infinite remote-cert-tls server script-security 0 # remove this if your system does not support 1.2 tls-version-min 1.2
If you are thinking of running a Tor Exit node on the Riseup VPN, please read this. There is nothing wrong with running a Tor Exit node on top of the VPN, however it can cause a problem that we’d like to avoid.
Tor exit nodes are listed regularly in block lists. This is due to heavy abuse that happens over Tor, so there are lists that are automatically created for every Tor exit node that registers itself on the network. This wouldn’t be a big deal, except that the block lists block the entire network, not just the single IP that you are using. This causes problems for other services, such as sending mail.
Fortunately, there is a way around it, its just a matter of changing your Tor exit policy so that certain ports are not allowed. It seems as if these block lists only list Tor exit nodes that enable certain well-known ports that are used for abuse. According to one of the block list operators a tor exit node is added to the block list if it uses the default exit policy because there are a few ports in the default policy that are problematic, these ports are: 6660-6670, 6697, 7000-7005
This can easily be changed so you do not allow these ports through your Tor exit node by changing your torrc as follows:
ExitPolicy reject *:6660-6670 ExitPolicy reject *:6697 ExitPolicy reject *:7000-7005
and then restarting your Tor daemon.