riseup_vpn 1.1.0 → 1.2.0

checksums.yaml

@@ -1,7 +1,7 @@
 ---
 SHA256:
-  metadata.gz: b9fb7defcb7a949292d44dc949acfdc4524eb599a21ec1c90f5f1680c8b9d0ff
-  data.tar.gz: dcbb98a3d236a6bf35d3fab3f073549836e98d976a747a4dd134417f6f3ad43e
+  metadata.gz: 6aadf2b162813b7cc25700ac2352eda76e899498d25f8566ef6bb51b7c7aadbd
+  data.tar.gz: fbb7f9bb058abcf6c48e4a1d993ac62bd9bfcefacf67673821222abbc0a398bb
 SHA512:
-  metadata.gz: 01bf804c22e6edde11abfd61073f3a9093d33b9463e05f5456aa66f7537e44e19ef37708979499ca8193b05045439acdba5b3a46337ef4edc219053e9603e373
-  data.tar.gz: 219ee6e1de2521e85e94a558e28dda6347b3cb74e288bb293f04a86599975f76e00f4477b1d73493562403971f2e0435ff9fb4bde77404a774a690bd489dbd7f
+  metadata.gz: 628be1b80961627205b0888eb827f074bf1b2227fd06b41e1103e8871560cfafd9a04ba9077ea0cd7582f819577e68e9341a4d8eb713d4ab1b794afdf2cb83ab
+  data.tar.gz: 14d196bb02bcf7a457c4ee4d7954b356c3fa3ae9d3d8d78225286c56fd4eaaf0f75d3a17b4d8ab9f1580d6448557bb1389943f7f98ab6bc583c911932a8d28c8

data/.rubocop.yml

@@ -5,7 +5,7 @@ plugins:
   - rubocop-rake
 
 AllCops:
-  TargetRubyVersion: 3.1
+  TargetRubyVersion: 3.2
   NewCops: enable
 
 Style/HashSyntax:

data/CHANGELOG.md

@@ -1,5 +1,16 @@
 ## [Unreleased]
 
+## [1.2.0] - 2026-02-15
+
+### New features
+
+- config dir is created if it does not exist
+- add abilty to generate ufw rules for the gateway IP addresses
+
+### Bug fixes
+
+- drop unecessary tls-version-min upgrade
+
 ## [1.1.0] - 2025-04-22
 
 ### New features

data/README.md

@@ -28,7 +28,7 @@ gem install riseup_vpn
 ```ruby
 require 'riseup_vpn'
 
-@manager = RiseupVPN::Manager.new # takes an optional positional arg for the dir path. Default is '~/.config/riseup_vpn'
+@manager = RiseupVPN::Manager.new # takes an optional positional arg for the config files dir path. Default is '~/.config/riseup_vpn'
 # => instance_of RiseupVPN::Manager
 
 @manager.ovpns
@@ -40,7 +40,6 @@ require 'riseup_vpn'
 RiseupVPN::Manager::OPTS # returns a list of valid options which maybe passed as an optional hash at initialization.
 # => {proto: ["udp", "tcp"]} defaults are the first values e.g. 'udp' for :proto
 # For example; RiseupVPN::Manager.new('/some/path', proto: 'tcp')
-
 @manager.write_files # (over)writes the VPN client config files to the dir path
 ```
 The last command creates (or overwrites) the following files:
@@ -49,9 +48,17 @@ The last command creates (or overwrites) the following files:
 - the client private key file (client.key)
 - the client cert file (client.crt)
 
-Note: The last 2 expire after 30 days and therefore need to be updated regularly.
+**Note**: The client certificate expires after 30 days and therefore needs to be updated regularly. This can be done manually by simply running `RiseupVPN::Manager.new.write_files`  again. This will overwrite all of the above files and you'll be good for another 30 days. We'd recommend running this task once a week to ensure the client certificate does not expire. If you want to automate the process by running a ruby script (a good guide on how to do this [here](https://cronitor.io/guides/ruby-cron-jobs)) you'll need an executable which looks something like this:
+```ruby
+# in executable file called update_riseup_vpn.rb or similar:
+require 'riseup_vpn'
 
-Also note: OpenVPN requires that cert & key files shared across .ovpn client config files are present in the same directory.
+RiseupVPN::Manager.new.write_files # assumes default config dir location
+```
+
+Please also note: OpenVPN requires that cert & key files shared across .ovpn client config files are present in the same directory.
+
+### Importing OpenVPN configuration files on Linux
 
 On Linux, you can do this to make Riseup's VPNs available in Network Manager. It uses `nmcli` under the hood:
 ```Ruby
@@ -59,15 +66,31 @@ On Linux, you can do this to make Riseup's VPNs available in Network Manager. It
 # the client key and cert files are updated too
 ```
 
+### Firewall rules
+
+If you use `ufw` firewall and deny/reject outgoing traffic not going through your VPN, you will need rule(s) allowing OpenVPN itself to connect. The normal way to do the latter is to allow outgoing traffic to anywhere on the relevant port (e.g. 1194/udp). The rule set might look something like [this](https://askubuntu.com/a/796281). RiseupVPN can instead generate a set of rules for outbound connections for OpenVPN's TCP/UDP ports *to the specific gateway IP addresses*. Specifying IP addresses is safer than allowing the relevant port(s) direct access everywhere. E.g:
+
+```bash
+sudo ufw allow out 1194/udp # OK
+
+# better
+sudo ufw allow out from any to 204.13.164.252 port 1194 proto udp
+sudo ufw allow out from any to 51.159.197.108 port 1194 proto udp
+...
+```
+```ruby
+@manager.ufw_rules # writes file "ufw_rules.txt" to the config files dir. Copy and paste its contents into terminal and hit return to generate the ufw rules.
+```
+
 ## \_why?
 
 I can use Riseup's white-labeled [desktop app](https://leap.se) to access Riseup's VPNs, so why the need?
 
-- You can use this gem's Ruby interface to make Riseup's VPNs available to your apps!
+- You can use this gem's Ruby interface to make Riseup's VPN configurations available to your apps
 - This approach saves you installing another app on your laptop/desktop (at least on Linux).
 - Integrating Riseup's VPNs directly into your network manager means you can select individual gateways. The LEAP app currently allows selection by location only and there can be a wide disparity in connection speeds between them.
-- You can configure your firewall to deny outgoing connections except on port 1194 (assuming UDP). LEAP's app makes DNS and HTTPS requests on startup to 1) get the gateway info and client key/cert and 2) determine the 'best' VPN for your location.
-- This approach does mean you need to periodically update the client key/cert, as expiry is currently set for 30 days. A simple `cron` job can fix this and we are working into incorporating that functionality into this gem. 
+- You can configure your firewall to deny outgoing connections except on OpenVPN's port (1194). LEAP's app makes DNS and HTTPS requests on startup to 1) get the gateway info and client key/cert and 2) determine the 'best' VPN for your location.
+- This approach does mean you need to periodically update the client key/cert, as expiry is currently set for 30 days. A simple `cron` job can fix this. 
 
 ## Development
 

data/lib/riseup_vpn/api.rb

@@ -5,20 +5,21 @@ require 'openssl'
 module RiseupVPN
   # parses ca.cert, client cert/key & gateways data from riseup.net API
   module API
-    PROVIDER = 'https://riseup.net/provider.json' # entry point for API
-    API_URI = 'https://api.black.riseup.net' # 443
-    API_VERSION = '3'
-    CA_CERT_URI = 'https://black.riseup.net/ca.crt'
-    CERT = 'cert' # not available from provider uri..
-    EIP = 'eip-service.json' # not available from provider uri..
+    PROVIDER            = 'https://riseup.net/provider.json' # entry point for API
+    API_URL             = 'https://api.black.riseup.net' # 443
+    API_VERSION         = '3'
+    CA_CERT_URL         = 'https://black.riseup.net/ca.crt'
+    CERT                = 'cert' # not available from provider uri..
+    CLIENT_KEY_CERT_URL = "#{API_URL}/#{API_VERSION}/#{CERT}".freeze
+    EIP                 = 'eip-service.json' # not available from provider uri..
 
     class << self
       def ca_crt
-        OpenSSL::X509::Certificate.new get(CA_CERT_URI)
+        OpenSSL::X509::Certificate.new get(CA_CERT_URL)
       end
 
       def client_key_and_crt
-        str = get(File.join(API_URI, API_VERSION, CERT))
+        str = get(CLIENT_KEY_CERT_URL)
         [OpenSSL::PKey.read(str), OpenSSL::X509::Certificate.new(str)]
       end
 
@@ -27,7 +28,7 @@ module RiseupVPN
       end
 
       def eip
-        get_json File.join(API_URI, API_VERSION, EIP)
+        get_json File.join(API_URL, API_VERSION, EIP)
       end
 
       def get(url)

data/lib/riseup_vpn/{errors.rb → error.rb}

@@ -4,4 +4,5 @@ module RiseupVPN
   class Error < StandardError; end
 
   class APIError < Error; end
+  class NoBinaryError < Error; end
 end

data/lib/riseup_vpn/generator.rb

@@ -10,9 +10,9 @@ module RiseupVPN
   class Generator
     include Utils
 
-    TEMPLATE = YAML.load_file File.join(__dir__, 'template_ovpn.yml')
-    OPTS = { proto: %w[udp tcp] }.freeze # default is 1st value
-    LINE_METHODS = %i[remote tls-version-min verify-x509-name].freeze
+    TEMPLATE     = YAML.load_file File.join(__dir__, 'template_ovpn.yml')
+    OPTS         = { proto: %w[udp tcp] }.freeze # default is 1st value
+    LINE_METHODS = %i[remote verify-x509-name].freeze
 
     attr_reader :ovpns, :ca_crt, :client_key, :client_crt
 
@@ -78,10 +78,6 @@ module RiseupVPN
       "remote #{gateway['ip_address']} #{@opts[:proto] == 'udp' ? 1194 : 80}" # TODO: check port 80 in json
     end
 
-    def tls_version_min(_gateway)
-      "tls-version-min #{Utils.tls_version}"
-    end
-
     def verify_x509_name(gateway)
       "verify-x509-name #{name(gateway)} name"
     end

data/lib/riseup_vpn/manager.rb

@@ -5,11 +5,19 @@ require_relative 'generator'
 module RiseupVPN
   # manages config files
   class Manager
-    DEFAULT_DIR = '~/.config/riseup_vpn'
-    OPTS = Generator::OPTS
+    DEFAULT_CONFIG_DIR = '~/.config/riseup_vpn'
+    OPTS               = Generator::OPTS
 
-    def initialize(dir = DEFAULT_DIR, opts = {})
-      @dir = File.expand_path dir.to_s
+    UFW_RULES_FILE  = 'ufw_rules.txt'
+    REMOTE_         = 'remote '
+    PROTO_          = 'proto '
+    UFW_RULE_PREFIX = 'sudo ufw allow out from any to '
+
+    attr_reader :config_dir
+
+    def initialize(config_dir = DEFAULT_CONFIG_DIR, opts = {})
+      @config_dir = File.expand_path config_dir.to_s
+      create_config_dir
       @generator = Generator.new(opts)
     end
 
@@ -22,33 +30,58 @@ module RiseupVPN
       write_ca_crt
       write_client_key
       write_client_crt
-    rescue Errno::ENOENT, Errno::EACCES
-      raise ArgumentError, "Dir #{@dir} doesn't exist or isn't writable"
     end
 
     def import_ovpn_configs
-      raise NoMethodError, 'nmcli does not appear to be installed' unless Utils.nmcli?
+      raise NoBinaryError, 'nmcli does not appear to be installed' unless Nmcli.installed?
 
       write_files
-      Dir["#{@dir}/*.ovpn"].each { |f| Nmcli.import_openvpn f }
+      Dir["#{config_dir}/*.ovpn"].each { |f| Nmcli.import_openvpn f }
+    end
+
+    def ufw_rules
+      File.write(File.join(config_dir, UFW_RULES_FILE), ovpns.values.map { |ovpn| ufw_rule_for(ovpn) }.join("\n"))
     end
 
     private
 
+    def create_config_dir
+      FileUtils.mkdir_p config_dir unless File.directory? config_dir
+    rescue Errno::EACCES
+      raise ArgumentError, "Cannot create #{config_dir}, please provide a valid dir path or create it yourself"
+    end
+
     def write_ovpn_files
-      @generator.ovpns.each { |k, v| File.write(File.join(@dir, "#{k}.ovpn"), v) }
+      @generator.ovpns.each { |k, v| File.write(File.join(config_dir, "#{k}.ovpn"), v) }
     end
 
     def write_ca_crt
-      File.write File.join(@dir, 'ca.crt'), @generator.ca_crt.to_s.chomp
+      File.write File.join(config_dir, 'ca.crt'), @generator.ca_crt.to_s.chomp
     end
 
     def write_client_key
-      File.write File.join(@dir, 'client.key'), @generator.client_key.to_s.chomp
+      File.write File.join(config_dir, 'client.key'), @generator.client_key.to_s.chomp
     end
 
     def write_client_crt
-      File.write File.join(@dir, 'client.crt'), @generator.client_crt.to_s.chomp
+      File.write File.join(config_dir, 'client.crt'), @generator.client_crt.to_s.chomp
+    end
+
+    def ufw_rule_for(multiline_str)
+      rule_str(*ip_port_proto(multiline_str))
+    end
+
+    def rule_str(ip, port, proto)
+      "#{UFW_RULE_PREFIX}#{ip} port #{port} proto #{proto}"
+    end
+
+    def ip_port_proto(multiline_str)
+      h = hashify_config(multiline_str)
+      h['remote'] + h['proto']
+    end
+
+    def hashify_config(multiline_str)
+      multiline_str.split("\n").map(&:split).inject({}) { |memo, arr| memo.merge({ arr[0] => arr[1..] }) }
     end
   end
 end

data/lib/riseup_vpn/nmcli.rb

@@ -5,6 +5,10 @@ require_relative 'generator'
 module RiseupVPN
   # in the absence of an nmcli gem..
   module Nmcli
+    def self.installed?
+      !`which nmcli`.empty?
+    end
+
     def self.nmcli(command_string)
       `nmcli #{command_string}`
     end

data/lib/riseup_vpn/utils.rb

@@ -13,13 +13,5 @@ module RiseupVPN
 
       raise Error, "Unsupported OS: '#{os}'"
     end
-
-    def self.tls_version
-      "1.#{OpenSSL::VERSION.to_i}".to_f
-    end
-
-    def self.nmcli?
-      !`which nmcli`.empty?
-    end
   end
 end

data/lib/riseup_vpn/version.rb

@@ -1,5 +1,5 @@
 # frozen_string_literal: true
 
 module RiseupVPN
-  VERSION = '1.1.0'
+  VERSION = '1.2.0'
 end

data/lib/riseup_vpn.rb

@@ -4,7 +4,7 @@ require 'json'
 require 'open-uri'
 
 require_relative 'riseup_vpn/api'
-require_relative 'riseup_vpn/errors'
+require_relative 'riseup_vpn/error'
 require_relative 'riseup_vpn/generator'
 require_relative 'riseup_vpn/manager'
 require_relative 'riseup_vpn/nmcli'

metadata

@@ -1,7 +1,7 @@
 --- !ruby/object:Gem::Specification
 name: riseup_vpn
 version: !ruby/object:Gem::Version
-  version: 1.1.0
+  version: 1.2.0
 platform: ruby
 authors:
 - MatzFan
@@ -23,7 +23,7 @@ files:
 - assets/vpns.png
 - lib/riseup_vpn.rb
 - lib/riseup_vpn/api.rb
-- lib/riseup_vpn/errors.rb
+- lib/riseup_vpn/error.rb
 - lib/riseup_vpn/generator.rb
 - lib/riseup_vpn/manager.rb
 - lib/riseup_vpn/nmcli.rb
@@ -47,14 +47,14 @@ required_ruby_version: !ruby/object:Gem::Requirement
   requirements:
   - - ">="
     - !ruby/object:Gem::Version
-      version: 3.1.0
+      version: 3.2.0
 required_rubygems_version: !ruby/object:Gem::Requirement
   requirements:
   - - ">="
     - !ruby/object:Gem::Version
       version: '0'
 requirements: []
-rubygems_version: 3.6.7
+rubygems_version: 4.0.6
 specification_version: 4
 summary: RiseupVPN configuration
 test_files: []