riseup_vpn 0.1.0

checksums.yaml

@@ -0,0 +1,7 @@
+---
+SHA256:
+  metadata.gz: 061471e29bcb71a8ad7d20c0757f445ed026913613deb3a289bde237aa40022e
+  data.tar.gz: 7a780713819d589fdf07e4abd684c6b341e61e5d0ffdf6ccc331693f35cc5301
+SHA512:
+  metadata.gz: ae6548f93e8f3734c6578a0f593b979384735e34d07e84d6ffc6bf71ec741440086e0a480b2e19c7939072ee0876a33bf53b33224c3283e15ca7d913c98bd8d1
+  data.tar.gz: 6e5c748da5d135578357540b95d0ea97fb8e92287408443dac4acd655da6a8cd8ecd7dcb8bec4cc0944ad419a9eb4770c76447590da7d2927fb8efcab1a62652

data/.rubocop.yml

@@ -0,0 +1,19 @@
+---
+plugins:
+  - rubocop-minitest
+  - rubocop-performance
+  - rubocop-rake
+
+AllCops:
+  TargetRubyVersion: 3.1
+  NewCops: enable
+
+Style/HashSyntax:
+  Enabled: false  # yuk Ruby 3.1
+
+Style/RegexpLiteral:
+  Exclude:
+    - 'Guardfile'
+
+Minitest/TestMethodName:
+  Enabled: true

data/CHANGELOG.md

@@ -0,0 +1,5 @@
+## [Unreleased]
+
+## [0.1.0] - 2025-04-19
+
+- Initial release

data/Guardfile

@@ -0,0 +1,9 @@
+# frozen_string_literal: true
+
+# NOTE: rake runs threadsafe tests separately from others. Guard may show false positives when running all tests
+guard :minitest, all_on_start: false do
+  watch(%r{^test/(.*)/?test_(.*)\.rb$})
+  watch(%r{^lib/(.*/)?([^/]+)\.rb$}) { |m| "test/#{m[1]}test_#{m[2]}.rb" }
+  # watch(%r{^test/test_helper\.rb$}) { 'test' } # See note. Run bundle exec rake instead.
+  ignore %r{^/}, /Guardfile/ # See note. Run bundle exec rake instead.
+end

data/LICENSE.txt

@@ -0,0 +1,21 @@
+The MIT License (MIT)
+
+Copyright (c) 2025 MatzFan
+
+Permission is hereby granted, free of charge, to any person obtaining a copy
+of this software and associated documentation files (the "Software"), to deal
+in the Software without restriction, including without limitation the rights
+to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
+copies of the Software, and to permit persons to whom the Software is
+furnished to do so, subject to the following conditions:
+
+The above copyright notice and this permission notice shall be included in
+all copies or substantial portions of the Software.
+
+THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
+IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
+FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
+AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
+LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
+OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN
+THE SOFTWARE.

data/README.md

@@ -0,0 +1,77 @@
+[![Gem Version](https://badge.fury.io/rb/riseup_vpn.svg)](https://badge.fury.io/rb/riseup_vpn)
+[![Ruby Style Guide](https://img.shields.io/badge/code_style-rubocop-brightgreen.svg)](https://github.com/rubocop/rubocop)
+
+# RiseupVPN
+
+A tool to create .ovpn ([OpenVPN](https://openvpn.net)) client config files for use with [RiseupVPN](https://riseup.net/vpn). Such files can be imported using, for example, the Debian [openvpn NetworkManager plugin](https://packages.debian.org/search?keywords=network-manager-openvpn). You will then be able to route your network connection through any of Riseup's 20+ VPN gateways! Screenshot below shows Linux Mint's Network Manager panel applet with an active VPN connection to RiseupVPN's Seattle gateway.
+
+This project was inspired by [this](https://sizeof.cat/project/riseupvpn-to-openvpn) very excellent web tool.
+
+![image info](assets/vpns.png)
+
+## Installation
+
+Install the gem and add to the application's Gemfile by executing:
+
+```bash
+bundle add riseup_vpn
+```
+
+If bundler is not being used to manage dependencies, install the gem by executing:
+
+```bash
+gem install riseup_vpn
+```
+
+## Usage
+
+```ruby
+require 'riseup_vpn'
+
+generator = RiseupVpn::Generator.new
+# => instance_of RiseupVpn::Generator
+
+generator.ovpns
+# => {"vpn01-sea.riseup.net" => "client\ntls-client\ndev tun\nproto udp\nremote 204.13.164.252 1194 ...
+
+generator.ovpns.size
+# => 21
+
+RiseupVpn::Generator::OPTS # returns a list of valid options which maybe passed at initialization.
+# => {proto: ["udp", "tcp"]} # e.g. RiseupVpn::Generator.new(proto: 'tcp') default is 'udp'
+
+generator.write_files '~/.config/riseup_vpn' # dir must exist
+```
+The last command creates the following files in the chosen directory:
+- an .ovpn file for each VPN gateway
+- the Certificate Authority cert file (ca.crt)
+- the client private key file (client.key)
+- the client cert file (client.crt)
+
+Note: OpenVPN requires that cert & key files shared across .ovpn client config files are present in the same directory.
+
+## \_why?
+
+I can use Riseup's white-labeled [desktop app](https://leap.se) to access Riseup's VPNs, so why the need?
+
+- You can use this gem's Ruby interface to make Riseup's VPNs available to your apps!
+- This approach saves you installing another app on your laptop/desktop (at least on Linux).
+- Integrating Riseup's VPNs directly into your network manager means you can select individual gateways. The LEAP app currently allows selection by location only and there can be a wide disparity in connection speeds between them.
+- You can configure your firewall to deny outgoing connections except on port 1194 (assuming UDP). LEAP's app makes DNS and HTTPS requests on startup to 1) get the gateway info and client key/cert and 2) determine the 'best' VPN for your location.
+- This approach does mean you need to periodically update the client key/cert, as expiry is currently set for 30 days. A simple `cron` job can fix this and we are working into incorporating that functionality into this gem. 
+
+## Development
+
+After checking out the repo, run `bin/setup` to install dependencies. Then, run `rake test` to run the tests. You can also run `bin/console` for an interactive prompt that will allow you to experiment.
+
+To install this gem onto your local machine, run `bundle exec rake install`. To release a new version, update the version number in `version.rb`, and then run `bundle exec rake release`, which will create a git tag for the version, push git commits and the created tag, and push the `.gem` file to [rubygems.org](https://rubygems.org).
+
+## Contributing
+
+Known issues are recorded [here](https://gitlab.com/matzfan/riseup_vpn/-/issues).
+
+Bug reports and pull requests are welcome on GitLab at https://gitlab.com/matzfan/riseup_vpn. For a pull request please checkout a suitably named feature branch before making and submitting changes.
+
+## License
+
+The gem is available as open source under the terms of the [MIT License](https://opensource.org/licenses/MIT).

data/Rakefile

@@ -0,0 +1,35 @@
+# frozen_string_literal: true
+
+require 'bundler/gem_tasks'
+require 'minitest/test_task'
+require 'rake/testtask'
+require 'rubocop/rake_task'
+
+# Minitest::TestTask.create
+
+namespace :test do
+  Rake::TestTask.new do |t|
+    t.name = 'api'
+    t.description = 'Run only API tests'
+    t.libs << 'lib'
+    t.test_files = ['test/riseup_vpn/test_api.rb']
+  end
+
+  Rake::TestTask.new do |t|
+    t.name = 'ex_api'
+    t.description = 'Run tests without API tests'
+    t.libs << 'lib'
+    t.test_files = FileList['test/**/test_*.rb']
+    t.test_files = FileList['test/**/test_*.rb'] - ['test/riseup_vpn/test_api.rb']
+  end
+end
+
+desc 'Run the test suite'
+task :test do
+  Rake::Task['test:api'].invoke
+  Rake::Task['test:ex_api'].invoke
+end
+
+RuboCop::RakeTask.new
+
+task default: %i[test rubocop]

data/lib/riseup_vpn/api.rb

@@ -0,0 +1,50 @@
+# frozen_string_literal: true
+
+require 'openssl'
+
+module RiseupVpn
+  # parses ca.cert, client cert/key & gateways data from riseup.net API
+  module Api
+    class ApiError < StandardError; end
+
+    PROVIDER = 'https://riseup.net/provider.json' # entry point for API
+    API_URI = 'https://api.black.riseup.net' # 443
+    API_VERSION = '3'
+    CA_CERT_URI = 'https://black.riseup.net/ca.crt'
+    CERT = 'cert' # not available from provider uri..
+    EIP = 'eip-service.json' # not available from provider uri..
+
+    class << self
+      def ca_crt
+        OpenSSL::X509::Certificate.new get(CA_CERT_URI)
+      end
+
+      def client_key_and_crt
+        str = get(File.join(API_URI, API_VERSION, CERT))
+        [OpenSSL::PKey.read(str), OpenSSL::X509::Certificate.new(str)]
+      end
+
+      def client_key
+        OpenSSL::PKey.read get(File.join(API_URI, API_VERSION, CERT))
+      end
+
+      def eip
+        get_json File.join(API_URI, API_VERSION, EIP)
+      end
+
+      def get(url)
+        URI(url).read
+      rescue NoMethodError, URI::Error
+        raise ApiError, "Bad URI: '#{url}'"
+      rescue OpenURI::HTTPError
+        raise ApiError, "Failed to get url: '#{url}'"
+      end
+
+      def get_json(url)
+        JSON.parse get(url)
+      rescue JSON::ParserError
+        raise ApiError, "Failed to parse JSON at: '#{url}'"
+      end
+    end
+  end
+end

data/lib/riseup_vpn/generator.rb

@@ -0,0 +1,113 @@
+# frozen_string_literal: true
+
+require 'openssl'
+require 'yaml'
+
+require_relative 'api'
+
+module RiseupVpn
+  # create a .ovpn config file for a gateway
+  class Generator
+    TEMPLATE = YAML.load_file File.join(__dir__, 'template_ovpn.yml')
+    OPTS = { proto: %w[udp tcp] }.freeze # default is 1st value
+    LINE_METHODS = %i[remote verify-x509-name].freeze
+
+    attr_reader :ovpns
+
+    def initialize(opts = {})
+      @opts = validate_options opts.transform_keys!(&:to_sym)
+      @server_config = server_config
+      @template = template
+      @ovpns = generate_ovpns # hash { gateway_name => string }
+    end
+
+    def write_files(dir)
+      dir = File.expand_path dir.to_s
+      write_ovpn_files dir
+      write_ca_file dir
+      write_client_key_and_crt_files dir
+    rescue Errno::ENOENT, Errno::EACCES
+      raise ArgumentError, "Dir #{dir} doesn't exist or isn't writable"
+    end
+
+    private
+
+    def write_ovpn_files(dir)
+      ovpns.each { |k, v| File.write(File.join(dir, "#{k}.ovpn"), v) }
+    end
+
+    def write_ca_file(dir)
+      File.write File.join(dir, 'ca.crt'), Api.ca_crt.to_s.chomp
+    end
+
+    def write_client_key_and_crt_files(dir)
+      client_key, client_crt = Api.client_key_and_crt
+      File.write File.join(dir, 'client.key'), client_key.to_s.chomp
+      File.write File.join(dir, 'client.crt'), client_crt.to_s.chomp
+    end
+
+    def gateways
+      Api.eip['gateways']
+    end
+
+    def server_config
+      Api.eip['openvpn_configuration'].transform_keys(&:to_sym)
+    end
+
+    def validate_options(opts)
+      OPTS.each_key { |k| raise ArgumentError, "Valid #{k} opts: #{OPTS[k]}" if opts[k] && !OPTS[k].include?(opts[k]) }
+
+      OPTS.transform_values(&:first).merge opts
+    end
+
+    def generate_ovpns
+      gateways.inject({}) { |memo, gway| memo.merge(file_name(gway) => generate_ovpn(gway).join("\n")) }
+    end
+
+    def generate_ovpn(gateway)
+      @template.map { |k, v| generate_line(k.to_sym, v, gateway).to_s.strip }
+    end
+
+    def template
+      return TEMPLATE.except(*%i[up down]) if RiseupVpn.os == 'darwin'
+      return TEMPLATE if RiseupVpn.os == 'linux'
+
+      raise RiseupVpnError, "Unsupported OS: '#{RiseupVpn.os}'"
+    end
+
+    def generate_line(key, val, gateway)
+      return "#{key} #{val}" if val # hard coded key/value in template file
+      return "#{key} #{@opts[key]}" if @opts[key]
+      return server_config_line(key) if @server_config[key]
+      return send(regularize_method_name(key), gateway) if LINE_METHODS.include? key
+
+      key # hard coded key only in template file
+    end
+
+    def server_config_line(key)
+      return key if @server_config[key] == true # nobind & persist-key
+
+      "#{key} #{@server_config[key]}"
+    end
+
+    def regularize_method_name(sym)
+      sym.to_s.tr('-', '_').to_sym
+    end
+
+    def remote(gateway)
+      "remote #{gateway['ip_address']} #{@opts[:proto] == 'udp' ? 1194 : 80}" # TODO: check port 80 in json
+    end
+
+    def verify_x509_name(gateway)
+      "verify-x509-name #{name(gateway)} name"
+    end
+
+    def name(gateway)
+      gateway['host'].split('.').first
+    end
+
+    def file_name(gateway)
+      "#{name(gateway)}.riseup.net"
+    end
+  end
+end

data/lib/riseup_vpn/template_ovpn.yml

@@ -0,0 +1,30 @@
+---
+:client:
+:tls-client:
+:dev:
+:proto:
+:remote:
+:auth:
+:cipher:
+:keepalive:
+:tls-cipher:
+:float:
+:resolv-retry: infinite
+:nobind:
+:verb:
+:persist-key:
+:persist-tun:
+:reneg-sec: 0
+:pull:
+:auth-nocache:
+:script-security: 2
+:up: /etc/openvpn/update-resolv-conf
+:down: /etc/openvpn/update-resolv-conf
+:tls-version-min:
+:redirect-gateway: ipv6
+:remote-cert-tls: server
+:remote-cert-eku: "\"TLS Web Server Authentication\""
+:verify-x509-name:
+:ca: ca.crt
+:cert: client.crt
+:key: client.key

data/lib/riseup_vpn/version.rb

@@ -0,0 +1,5 @@
+# frozen_string_literal: true
+
+module RiseupVpn
+  VERSION = '0.1.0'
+end

data/lib/riseup_vpn.rb

@@ -0,0 +1,13 @@
+# frozen_string_literal: true
+
+require 'json'
+require 'open-uri'
+
+# namespace
+module RiseupVpn
+  class RiseupVpnError < StandardError; end
+
+  def self.os
+    @os ||= Gem::Platform.local.os
+  end
+end

data/sig/riseup_vpn.rbs

@@ -0,0 +1,4 @@
+module RiseupVpn
+  VERSION: String
+  # See the writing guide of rbs: https://github.com/ruby/rbs#guides
+end

metadata

@@ -0,0 +1,56 @@
+--- !ruby/object:Gem::Specification
+name: riseup_vpn
+version: !ruby/object:Gem::Version
+  version: 0.1.0
+platform: ruby
+authors:
+- MatzFan
+bindir: exe
+cert_chain: []
+date: 1980-01-02 00:00:00.000000000 Z
+dependencies: []
+description: Gem to configure RiseupVPN
+executables: []
+extensions: []
+extra_rdoc_files: []
+files:
+- ".rubocop.yml"
+- CHANGELOG.md
+- Guardfile
+- LICENSE.txt
+- README.md
+- Rakefile
+- assets/vpns.png
+- lib/riseup_vpn.rb
+- lib/riseup_vpn/api.rb
+- lib/riseup_vpn/generator.rb
+- lib/riseup_vpn/template_ovpn.yml
+- lib/riseup_vpn/version.rb
+- sig/riseup_vpn.rbs
+- tmp/.placeholder
+homepage: https://gitlab.com/matzfan/riseup_vpn
+licenses:
+- MIT
+metadata:
+  homepage_uri: https://gitlab.com/matzfan/riseup_vpn
+  source_code_uri: https://gitlab.com/matzfan/riseup_vpn
+  changelog_uri: https://gitlab.com/matzfan/riseup_vpn/CHANGELOG.md
+  rubygems_mfa_required: 'true'
+rdoc_options: []
+require_paths:
+- lib
+required_ruby_version: !ruby/object:Gem::Requirement
+  requirements:
+  - - ">="
+    - !ruby/object:Gem::Version
+      version: 3.1.0
+required_rubygems_version: !ruby/object:Gem::Requirement
+  requirements:
+  - - ">="
+    - !ruby/object:Gem::Version
+      version: '0'
+requirements: []
+rubygems_version: 3.6.7
+specification_version: 4
+summary: RiseupVPN configuration
+test_files: []