You signed in with another tab or window. Reload to refresh your session.You signed out in another tab or window. Reload to refresh your session.You switched accounts on another tab or window. Reload to refresh your session.Dismiss alert
Copy file name to clipboardExpand all lines: nettests/ts-026-riseupvpn.md
+15-9Lines changed: 15 additions & 9 deletions
Display the source diff
Display the rich diff
Original file line number
Diff line number
Diff line change
@@ -1,6 +1,6 @@
1
1
# Specification version number
2
2
3
-
2021-02-15-000
3
+
2023-03-20-000
4
4
5
5
*_status_: current
6
6
@@ -20,7 +20,7 @@ The ability to detect both if the RiseupVPN API and its gateways can be reached
20
20
21
21
## Import document or import data format
22
22
23
-
None. In the next iteration we will allow the user to specify a provider, the default is riseup.net.
23
+
None. We aim to allow the user to specify a provider in a future version, the default is riseup.net.
24
24
25
25
# Test description
26
26
@@ -46,15 +46,17 @@ The locations of RiseupVPNs endpoints are:
46
46
47
47
*https://api.black.riseup.net:443/3/config/eip-service.json fetched with GET request, contains gateway addresses, available transports, location, ports, etc.). Versions is 3 here.
48
48
49
-
*https://api.black.riseup.net:9001/json contains the the client's IP address, geolocation and gives a list of gateways that's the closest and/or under less stress (from other users). This can be different and change.
49
+
*https://api.black.riseup.net:9001/json(hereafter referred to as geo service) contains the the client's IP address, geolocation and gives a list of gateways that's the closest and/or under less stress (from other users). This can be different and change.
50
50
51
-
We consider RiseupVPN API to be blocked when we can't fetch a valid self-signed x509 certificate or we don't get a valid HTTP response. If fetching a valid certificate failed, the experiment will skip all subsequent tests.
51
+
We consider RiseupVPN API to be blocked when we can't fetch the main configuration json eip-service.json.
52
+
The failure of other API endpoints will be reported in the tests, but might related to server sided misbehavior and therefore cannot be used as an indicator for a blocked API.
53
+
If fetching a valid certificate failed, the experiment continues without TLS verification. If the API was not reachable, a tunnel through Tor and Snowflake is attempted. That circumvention strategy simulates the actual behavior of RiseupVPNs clients. If the API is still unreachable via Tor and Snowflake, the subsequent gateway tests are skipped because the required configuration data to reach them is missing.
52
54
53
55
Example output if API endpoints couldn't be reached by HTTP GET requests
54
56
55
57
```json
56
58
{
57
-
"api_failure": "FAILURE STRING",
59
+
"api_failure": ["FAILURE STRING"],
58
60
"api_status": "blocked",
59
61
"ca_cert_status": true,
60
62
}
@@ -72,7 +74,8 @@ If all parts of the API are functional and reachable then we write:
72
74
73
75
## RiseupVPN gateways test
74
76
75
-
If the provider API is reachable, it provides a JSON-file which contains the IP addresses and capabilites of the VPN gateways. The reachability of gateways will be tested depending on their capabilities as described by the provider (ports, OpenVPN, obfs4) by performing TCP handshakes. If a TCP handshake fails we assume the corresponding port and transport of that gateway to be blocked and add it to the list of failing gateways.
77
+
If the provider API is reachable, it provides a JSON-file which contains the IP addresses and capabilites of the VPN gateways. A subset of max. three gateways will be tested: gateways that are not overloaded (deduced from the geo service) and which are part of the top two locations having most redundancy regarding obfs4 bridges.
78
+
The reachability of gateways will be tested depending on their capabilities as described by the provider (ports, OpenVPN, obfs4) by performing TCP handshakes. If a TCP handshake fails we assume the corresponding port and transport of that gateway to be blocked and add it to the list of failing gateways.
76
79
We consider a transport to be accessible if it was possible to connect at least to one gateway port providing that transport.
77
80
78
81
Example output for reported blocked gateways:
@@ -110,7 +113,7 @@ If none of the gateways are blocked then we write:
110
113
}
111
114
```
112
115
113
-
If for whatever reason one or more gateway servers are overloaded, suffer a network outage or aren't reachable for other reasons, then the corresponding gateway statuses will be still shown as blocked. In order to avoid these false positives the **transport_status should be considered as the main indicator for successful censorship attempts of the VPN**.
116
+
If for whatever reason one or more gateway servers suffer a network outage or aren't reachable for other reasons, then the corresponding gateway statuses will be still shown as blocked. In order to avoid these false positives the **transport_status should be considered as the main indicator for successful censorship attempts of the VPN**.
114
117
115
118
# Expected output
116
119
@@ -130,7 +133,7 @@ JSON fields described above.
130
133
131
134
```
132
135
{
133
-
"api_failure": "FAILURE STRING" | null,
136
+
"api_failure": ["FAILURE STRING"] | null,
134
137
"api_status": "blocked"| "ok",
135
138
"ca_cert_status": true | false,
136
139
"transport_status":{
@@ -147,7 +150,10 @@ JSON fields described above.
147
150
}
148
151
```
149
152
150
-
`api_failure` can be any error string flagged with `(PE)` defined in `df-007-errors` or `invalid_ca` in case fetching a valid ca certificate failed.
153
+
`api_failure` can be any error string flagged with `(PE)` defined in `df-007-errors` or:
154
+
*`invalid_ca` in case the fetched ca certificate is invalid
155
+
*`invalid_eipservice_response` in case the fetched eip-service.json is invalid
156
+
*`invalid_geoservice_response` in case the fetched geo service response is invalid
0 commit comments