Setting up RiseupVPN on Qubes OS
2023 August 7
Disclaimer
VPNs aren't that great. If you don't know why I say that, watch this video or read this blog post or something. I'll henceforth assume you know what you're doing and can make your own decisions about how much to trust any given provider.
What is Riseup?
Riseup is a "friendly autonomous tech collective" which offers a free, no-account VPN service. (Please bear in mind that Riseup is a nonprofit operating this service at no cost to its users. Consider donating if you find the service useful.)
How to set up RiseupVPN on Qubes OS
Riseup provides its own client for the VPN service, but on Qubes OS it is simpler to configure OpenVPN yourself and follow the standard Qubes VPN gateway setup: one ProxyVM carries the tunnel and is firewalled so that nothing it forwards can leave except through that tunnel, and other qubes use the ProxyVM as their NetVM.
Prepare the TemplateVM
You'll need the appropriate NetworkManager plugins for OpenVPN.
- If you're using a Fedora template, install the NetworkManager-openvpn and NetworkManager-openvpn-gnome packages:
    sudo dnf install NetworkManager-openvpn NetworkManager-openvpn-gnome
  (On a Debian template the equivalent packages are network-manager-openvpn and network-manager-openvpn-gnome, installed with apt. If you intend to use the rc.local key-refresh snippet described later, which needs the ping command, install iputils on Fedora now as well.)
- Shut down the TemplateVM. Wait for it to fully shut down before continuing; qubes based on the template only see the new packages once they are started from the updated template.
Create the ProxyVM
- Click the Qubes menu icon and select Qubes Tools > Create Qubes VM.
- Input a name for your new qube (e.g., sys-vpn-riseup), set the type to AppVM, set the template to the TemplateVM you just prepared, and set its networking (NetVM) to your usual upstream qube, typically sys-firewall. Check the Launch settings after creation box.
- Switch to the Advanced tab and check the box for Provides network access to other qubes. When you're done with these configurations, click OK.
- The settings menu should come up for your new qube. Go to the Services tab and add network-manager to the list of services.
- Apply your changes.
Configure RiseupVPN in the ProxyVM
1. Start your ProxyVM. A NetworkManager applet should appear on your panel.
2. Run a terminal emulator in your ProxyVM. To set up the VPN, we'll need to download some certificates and such; the commands below save them in the home directory, which is where the NetworkManager connection will look for them.
3. First, download the CA certificate for RiseupVPN:
    curl -LO https://0xacab.org/leap/bitmask-vpn/-/raw/main/providers/riseup/riseup-ca.crt
   This is the CA that signs Riseup's gateway and client certificates, and every later request to api.black.riseup.net is verified against it, so its integrity matters: you are trusting 0xacab.org and the web PKI to deliver it intact. If you can obtain the same file through a second channel, compare the two.
4. Using the CA cert we just downloaded for TLS, download a user certificate/private key:
    curl -Lo riseup-vpn.pem --cacert riseup-ca.crt https://api.black.riseup.net/3/cert
   The response is a single PEM file containing both the certificate and its private key, which is why the same file is given for both fields in NetworkManager later. Requesting this endpoint multiple times seems to yield a different key each time. In this guide, we'll set the VPN up to use the same key each time we reboot (effectively having a persistent "account"), but if you're very concerned with remaining anonymous (rather than pseudonymous) from Riseup, you may prefer to request a new key each time you use the service.
   Update: You can set the VM to request a new key each time it boots by adding something like this to your /rw/config/rc.local:
    while ! ping -c 1 -W 1 1.1.1.1; do sleep 1; done
    curl -L --cacert /home/user/riseup-ca.crt -o /home/user/riseup-vpn.pem https://api.black.riseup.net/3/cert
   This requires the ping command, which means on Fedora you need to install the iputils package (in the TemplateVM). Two caveats: rc.local runs as root, so the file it writes is owned by root (chown it if you want to read it as user), and both the ping and the fetch are the ProxyVM's own traffic, so they go out over your upstream network before the tunnel exists. The fail-closed rules in step 13 only govern traffic forwarded from downstream qubes, not the ProxyVM's own.
5. Download the list of servers:
    curl -LO --cacert riseup-ca.crt https://api.black.riseup.net/3/config/eip-service.json
   This file lists the servers available for use.
6. Look through eip-service.json and choose a gateway you like with type "openvpn" (or choose multiple and repeat steps 7-12 for each). You'll need the server's IP address.
7. Click on the NetworkManager applet on your panel.
8. Select VPN Connections > Add a VPN connection....
9. Select OpenVPN and click Create....
10. Enter the IP address of the selected server (not the domain) as the Gateway.
11. In the authentication section, set the following:
    - Type: Certificates (TLS)
    - CA certificate: riseup-ca.crt
    - User certificate: riseup-vpn.pem
    - User private key: riseup-vpn.pem
12. Save and connect to the VPN using the NetworkManager applet. I did not try to configure NetworkManager to autostart the VPN. I have gotten that working with other VPNs in the past, but it's hard to figure out, and it's not a huge burden to me to just manually tell it to connect when I run the ProxyVM.
13. You probably want the ProxyVM to fail closed, so add these lines to /rw/config/qubes-firewall-user-script (and make sure the script is executable):
    iptables -I FORWARD -o eth0 -j DROP
    iptables -I FORWARD -i eth0 -j DROP
    ip6tables -I FORWARD -o eth0 -j DROP
    ip6tables -I FORWARD -i eth0 -j DROP
   These drop any forwarded packet that would enter or leave on the upstream interface (eth0), so traffic from downstream qubes can only be forwarded via the tunnel interface; if the tunnel is down, it is dropped rather than sent in the clear. The ProxyVM's own traffic (the OpenVPN handshake, the fetches above) goes through the OUTPUT chain, not FORWARD, and is unaffected. Qubes OS 4.2 replaced iptables with nftables, so on 4.2 the equivalent rules are nft rules on the custom-forward chain of the qubes table; see the current Qubes VPN documentation for the exact lines.
14. When you start the ProxyVM, it should now prevent downstream qubes from making any connections that don't go over the VPN. Check it rather than assume it: with the VPN disconnected in the applet, a fetch from a downstream qube (for example, curl -m 10 https://riseup.net) should time out, and it should succeed again once you reconnect.
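Before creating the NetworkManager connection, it is worth checking the two files you just downloaded. The following script is an added example (not from the original post, and not Riseup's or LEAP's own code): it confirms that riseup-vpn.pem is a PEM bundle holding both a certificate and a private key, which is what giving the same file as User certificate and User private key relies on, and it prints only the gateways in eip-service.json that offer an openvpn transport, with the IP address to enter as the Gateway. It assumes the LEAP v3 eip-service field names (gateways[].host, ip_address, location and capabilities.transport[].type/protocols/ports); check them against your own download. The SAMPLE_* values are constructed stand-ins, not real Riseup data, and the filename eip_inspect.py is my own choice.

```python
"""Sanity-check the files fetched for the RiseupVPN ProxyVM.

Added example; not code from the original post, Riseup or LEAP.
  * riseup-vpn.pem: confirm the /3/cert response is one PEM bundle holding
    both a certificate and a private key, which is what pointing
    NetworkManager's "User certificate" and "User private key" at the same
    file relies on.
  * eip-service.json: list only the gateways that advertise an "openvpn"
    transport, with the IP address NetworkManager wants as the Gateway.
Assumption: the JSON field names (gateways[].host, ip_address, location,
capabilities.transport[].type/protocols/ports) follow the LEAP v3
eip-service schema; check them against your own download. The SAMPLE_*
values are constructed stand-ins, not real Riseup data.
"""
import json
import re
import sys
from pathlib import Path

# One PEM block: "-----BEGIN X-----", base64 body, "-----END X-----" (same X).
PEM_BLOCK = re.compile(r"-----BEGIN ([A-Z ]+)-----\r?\n.*?\r?\n-----END \1-----", re.S)


def pem_blocks(pem_text):
    """Labels of the PEM blocks in the text, in file order."""
    return [m.group(1) for m in PEM_BLOCK.finditer(pem_text)]


def is_cert_key_bundle(pem_text):
    """True if the PEM carries at least one CERTIFICATE and one * PRIVATE KEY."""
    labels = pem_blocks(pem_text)
    return "CERTIFICATE" in labels and any(l.endswith("PRIVATE KEY") for l in labels)


def openvpn_gateways(doc):
    """Gateways offering an openvpn transport, as dicts ready to print or filter."""
    found = []
    for gw in doc.get("gateways", []):
        for t in gw.get("capabilities", {}).get("transport", []):
            if t.get("type") != "openvpn":
                continue
            found.append({
                "ip": gw.get("ip_address"),
                "host": gw.get("host"),
                "location": gw.get("location"),
                "protocols": list(t.get("protocols", [])),
                "ports": list(t.get("ports", [])),
            })
            break  # one entry per gateway even if it lists openvpn twice
    return found


def report(pem_text, doc):
    """Summary lines for the two files (returned rather than printed, so callers can check them)."""
    lines = [f"PEM blocks: {pem_blocks(pem_text)}; "
             f"usable cert+key bundle: {is_cert_key_bundle(pem_text)}"]
    for gw in openvpn_gateways(doc):
        lines.append(f"{(gw['ip'] or '?'):<16} {(gw['host'] or '?'):<26} "
                     f"{(gw['location'] or '?'):<12} "
                     f"{'/'.join(gw['protocols'])} on ports {','.join(gw['ports'])}")
    return lines


# Constructed sample data (RFC 5737 test addresses, bogus base64), not Riseup's.
SAMPLE_PEM = """-----BEGIN CERTIFICATE-----
MIIBc29uc3RydWN0ZWRjZXJ0
-----END CERTIFICATE-----
-----BEGIN RSA PRIVATE KEY-----
MIIBY29uc3RydWN0ZWRrZXk=
-----END RSA PRIVATE KEY-----
"""
SAMPLE_EIP = {"version": 3, "gateways": [
    {"host": "vpn-a.example.invalid", "ip_address": "192.0.2.10", "location": "amsterdam",
     "capabilities": {"transport": [
         {"type": "openvpn", "protocols": ["tcp", "udp"], "ports": ["443", "1194"]},
         {"type": "obfs4", "protocols": ["tcp"], "ports": ["443"]}]}},
    {"host": "vpn-b.example.invalid", "ip_address": "192.0.2.20", "location": "seattle",
     "capabilities": {"transport": [
         {"type": "obfs4", "protocols": ["tcp"], "ports": ["443"]}]}},
    {"host": "vpn-c.example.invalid", "ip_address": "198.51.100.5", "location": "montreal",
     "capabilities": {"transport": [
         {"type": "openvpn", "protocols": ["udp"], "ports": ["53", "80"]}]}},
]}

if __name__ == "__main__":
    # Usage: python3 eip_inspect.py [riseup-vpn.pem] [eip-service.json]
    pem_path = Path(sys.argv[1] if len(sys.argv) > 1 else "riseup-vpn.pem")
    eip_path = Path(sys.argv[2] if len(sys.argv) > 2 else "eip-service.json")
    if pem_path.is_file() and eip_path.is_file():
        pem_text, doc = pem_path.read_text(), json.loads(eip_path.read_text())
    else:
        print("downloaded files not found here; using the constructed sample data")
        pem_text, doc = SAMPLE_PEM, SAMPLE_EIP
    print("\n".join(report(pem_text, doc)))
```

Run it in the ProxyVM from the directory holding the two downloads. If the bundle line reports False, the /3/cert fetch did not return what the NetworkManager setup expects (for instance, an error page saved under the .pem name), and it should be repeated before going further. The gateway listing skips entries that only offer obfuscated transports, which the plain OpenVPN connection created here cannot use.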
Use ProxyVM as NetVM
Rather than using the VPN directly in the ProxyVM you just set up, create new AppVMs with this ProxyVM as their NetVM, or point existing AppVMs at it (Qube Settings > Basic > Networking). All traffic from these downstream qubes is then routed over the VPN, and with the fail-closed rules in place it is dropped rather than leaked when the tunnel is down. Keep the ProxyVM itself for the tunnel only: anything you do inside it is the ProxyVM's own traffic and bypasses the forwarding rules you just added.
Sources
This post would not have been possible without these two resources. Huge thanks from me to them!