negative zero

Setting up RiseupVPN on Qubes OS

2023 August 7

[qubes] [tech] [tutorial] [vpn]


Disclaimer

VPNs aren't that great. If you don't know why I say that, watch this video or read this blog post or something. I'll henceforth assume you know what you're doing and can make your own decisions about how much to trust any given provider.


What is Riseup?

Riseup is a "friendly autonomous tech collective" which offers a free, no-account VPN service. (Please bear in mind that Riseup is a nonprofit operating this service at no cost. Consider donating if you find the service useful.)


How to set up RiseupVPN on Qubes OS

Riseup provides a client for its VPN service, but on Qubes OS that's not as nice an experience as just setting up OpenVPN yourself in the standard VPN gateway (ProxyVM) arrangement.


Prepare the TemplateVM

You'll need the appropriate NetworkManager plugins for OpenVPN.

  1. If you're using a Fedora template, install the NetworkManager-openvpn and NetworkManager-openvpn-gnome packages:

     sudo dnf install NetworkManager-openvpn NetworkManager-openvpn-gnome

  2. Shut down the TemplateVM. Wait for it to fully shut down before continuing.

Create the ProxyVM

  1. Click the Qubes menu icon and select Qubes Tools > Create Qubes VM.
  2. Input a name for your new qube (e.g., sys-vpn-riseup), set the type to AppVM, and set the template and networking as needed. Check the Launch settings after creation box.
  3. Switch to the Advanced tab and check the box for Provides network access to other qubes. When you're done with these configurations, click OK.
  4. The settings menu should come up for your new qube. Go to the Services tab and add network-manager to the list of services.
  5. Apply your changes.

Configure RiseupVPN in the ProxyVM

  1. Start your ProxyVM.

     A NetworkManager applet should appear on your panel.

  2. Run a terminal emulator in your ProxyVM.

     To set up the VPN, we'll need to download some certificates and such.

  3. First, download the CA certificate for RiseupVPN:

     curl -LO https://0xacab.org/leap/bitmask-vpn/-/raw/main/providers/riseup/riseup-ca.crt

  4. Using the CA cert we just downloaded for TLS, download a user certificate/private key:

     curl -Lo riseup-vpn.pem --cacert riseup-ca.crt https://api.black.riseup.net/3/cert

     Requesting this endpoint multiple times seems to yield a different key each time. In this guide, we'll set the VPN up to use the same key each time we reboot (effectively having a persistent "account"), but if you're very concerned with remaining anonymous (rather than pseudonymous) to Riseup, you may prefer to request a new key each time you use the service. This can probably be automated fairly easily with a script in /rw/config/rc.local, but I haven't tried.

     Update: You can set the VM to request a new key each time it boots by adding something like this to your /rw/config/rc.local:

     # Wait until the uplink is reachable before asking for a new key.
     while ! ping -c 1 -W 1 1.1.1.1 >/dev/null 2>&1; do
         sleep 1
     done
     curl -L --cacert /home/user/riseup-ca.crt -o /home/user/riseup-vpn.pem https://api.black.riseup.net/3/cert

     This requires the ping command, which means on Fedora you need to install the iputils package (in the TemplateVM).

  5. Download the list of servers:

     curl -LO --cacert riseup-ca.crt https://api.black.riseup.net/3/config/eip-service.json

     This file lists the servers available for use.

  6. Look through eip-service.json and choose one you like with type "openvpn" (or choose multiple and repeat steps 7-12 for each). You'll need the server's IP address.
  7. Click on the NetworkManager applet on your panel.
  8. Select VPN Connections > Add a VPN connection....
  9. Select OpenVPN and click Create....
  10. Enter the IP address of the selected server (not the domain) as the Gateway.
  11. In the authentication section, set the following:
     • Type: Certificates (TLS)
     • CA certificate: riseup-ca.crt
     • User certificate: riseup-vpn.pem
     • User private key: riseup-vpn.pem
  12. Save and connect to the VPN using the NetworkManager applet.
  13. I did not try to configure NetworkManager to autostart the VPN. I have gotten that working with other VPNs in the past, but it's hard to figure out, and it's not a huge burden to me to just manually tell it to connect when I run the ProxyVM.

  14. You probably want the ProxyVM to fail closed, so add these lines to /rw/config/qubes-firewall-user-script:

     iptables -I FORWARD -o eth0 -j DROP
     iptables -I FORWARD -i eth0 -j DROP
     ip6tables -I FORWARD -o eth0 -j DROP
     ip6tables -I FORWARD -i eth0 -j DROP

     These rules only affect forwarded traffic, i.e. what downstream qubes send; the ProxyVM's own connections (such as the curl commands above) are not covered, which is one reason not to use the VPN directly from the ProxyVM. They are also iptables rules: Qubes OS 4.2 moved the firewall to nftables, so on 4.2 confirm they actually take effect (for example, check that a downstream qube has no connectivity while the VPN is disconnected).

  15. When you start the ProxyVM, it should now prevent downstream qubes from making any connections that don't go over the VPN.
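Two of the steps above are easy to get wrong by eye: confirming that riseup-vpn.pem really contains both a certificate and a private key (a truncated download or an HTML error page saved under that name only fails later, at connect time), and picking a gateway with an "openvpn" transport out of eip-service.json. The following Python script is an added example, not code from this post or from Riseup/LEAP. The field names it assumes for eip-service.json ("gateways", "host", "ip_address", "location", "capabilities" > "transport" > "type"/"protocols"/"ports") are an assumption and should be compared against the file you downloaded; its sample inputs are constructed.

```python
#!/usr/bin/env python3
"""Sanity checks for the files downloaded in steps 4 and 5 above.

Added example; not part of the original post or of Riseup's/LEAP's code.

  pem_has_cert_and_key()  confirms riseup-vpn.pem holds a certificate AND a
                          private key (NetworkManager is pointed at the same
                          file for both the certificate and the key field).
  openvpn_gateways()      lists the gateways in eip-service.json that offer
                          an "openvpn" transport, with the IP address that
                          the Gateway field needs.

ASSUMPTION: eip-service.json is taken to have a top-level "gateways" list whose
entries carry "host", "ip_address", "location" and "capabilities" ->
"transport" -> [{"type", "protocols", "ports"}, ...]. Compare with your copy.
"""
import base64
import binascii
import json
import re
import sys

# One well-formed PEM block: matching BEGIN/END labels around a base64 body.
_PEM_BLOCK = re.compile(
    r"-----BEGIN ([A-Z0-9 ]+)-----\s*(.*?)\s*-----END \1-----", re.DOTALL
)


def pem_block_types(pem_text: str) -> list:
    """Return the label of every well-formed PEM block, in order.

    A block counts only if its END label matches its BEGIN label and the body
    is non-empty, valid base64. Anything else is ignored, so a truncated or
    garbled block simply does not show up in the result.
    """
    labels = []
    for match in _PEM_BLOCK.finditer(pem_text):
        label, body = match.group(1), "".join(match.group(2).split())
        if not body:
            continue
        try:
            base64.b64decode(body, validate=True)
        except (binascii.Error, ValueError):
            continue
        labels.append(label)
    return labels


def pem_has_cert_and_key(pem_text: str) -> bool:
    """True if the file can serve as both 'User certificate' and 'User private key'."""
    labels = pem_block_types(pem_text)
    return "CERTIFICATE" in labels and any(l.endswith("PRIVATE KEY") for l in labels)


def openvpn_gateways(eip: dict) -> list:
    """Gateways offering an OpenVPN transport, one summary dict per gateway."""
    found = []
    for gw in eip.get("gateways", []):
        for transport in gw.get("capabilities", {}).get("transport", []):
            if transport.get("type") == "openvpn":
                found.append({
                    "host": gw.get("host"),
                    "ip_address": gw.get("ip_address"),  # what the Gateway field wants
                    "location": gw.get("location"),
                    "protocols": list(transport.get("protocols", [])),
                    "ports": list(transport.get("ports", [])),
                })
                break
    return found


# Constructed sample inputs (not real Riseup data) so the checks can be tried offline.
_FAKE_CERT = base64.b64encode(b"constructed, not a real certificate").decode()
_FAKE_KEY = base64.b64encode(b"constructed, not a real private key").decode()
SAMPLE_PEM = (
    "-----BEGIN CERTIFICATE-----\n" + _FAKE_CERT + "\n-----END CERTIFICATE-----\n"
    "-----BEGIN RSA PRIVATE KEY-----\n" + _FAKE_KEY + "\n-----END RSA PRIVATE KEY-----\n"
)
SAMPLE_EIP = {
    "gateways": [
        {"host": "vpn-a.example.net", "ip_address": "192.0.2.10", "location": "cityA",
         "capabilities": {"transport": [
             {"type": "openvpn", "protocols": ["tcp", "udp"], "ports": ["443", "1194"]},
             {"type": "obfs4", "protocols": ["tcp"], "ports": ["443"]}]}},
        {"host": "vpn-b.example.net", "ip_address": "192.0.2.20", "location": "cityB",
         "capabilities": {"transport": [
             {"type": "obfs4", "protocols": ["tcp"], "ports": ["443"]}]}},
    ]
}

if __name__ == "__main__":
    # Usage: python3 check_riseup.py riseup-vpn.pem eip-service.json
    with open(sys.argv[1]) as f:
        pem_ok = pem_has_cert_and_key(f.read())
    with open(sys.argv[2]) as f:
        gateways = openvpn_gateways(json.load(f))
    print("riseup-vpn.pem usable:", pem_ok)
    for gw in gateways:
        print(gw["ip_address"], gw["host"], gw["location"], gw["protocols"], gw["ports"])
```

Run it in the ProxyVM against the two downloaded files; if it reports the PEM as unusable, re-run the step 4 curl command before touching NetworkManager, and use one of the printed IP addresses (not the host name) as the Gateway in step 10.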

Use ProxyVM as NetVM

Rather than using the VPN directly in the ProxyVM you just set up, create new AppVMs with this ProxyVM as their NetVM (or set existing AppVMs to use this ProxyVM). All traffic from these downstream VMs should then be routed over the VPN.


Sources

This post would not have been possible without these two resources. Huge thanks from me to them!