Skip to content

Commit 9346223

Browse files
cyBertabassosimone
andauthored
doc(riseupvpn): sync with ooniprobe 3.19 (#273)
This pull request syncs riseupvpn spec with ooniprobe 3.19. Closes ooni/probe#2563. --------- Co-authored-by: Simone Basso <bassosimone@gmail.com>
1 parent 7cb49bd commit 9346223

1 file changed

Lines changed: 29 additions & 68 deletions

File tree

nettests/ts-026-riseupvpn.md

Lines changed: 29 additions & 68 deletions
Original file line numberDiff line numberDiff line change
@@ -1,6 +1,6 @@
11
# Specification version number
22

3-
2021-02-15-000
3+
2023-10-17-000
44

55
* _status_: current
66

@@ -20,11 +20,11 @@ The ability to detect both if the RiseupVPN API and its gateways can be reached
2020

2121
## Import document or import data format
2222

23-
None. In the next iteration we will allow the user to specify a provider, the default is riseup.net.
23+
None. We aim to allow the user to specify a provider in a future version, the default is riseup.net.
2424

2525
# Test description
2626

27-
This test will check if a LEAP platform based VPN service like RiseupVPN is working as exepected. The experiment consists of two parts.
27+
This test will check if a LEAP-platform-based VPN service like RiseupVPN is working as exepected. The experiment consists of two parts.
2828

2929
1. The RiseupVPN API service
3030

@@ -40,77 +40,46 @@ Using the self signed certificate, we perform a HTTP GET requests to test the re
4040

4141
The locations of RiseupVPNs endpoints are:
4242

43-
* https://black.riseup.net/ca.crt fetched with a GET request, contains the self-signed x509 certificate used in all subsequent requests.
43+
* `https://black.riseup.net/ca.crt` fetched with a GET request, contains the self-signed X.509 certificate used in all subsequent requests.
4444

45-
* https://riseup.net/provider.json fetched with a GET request.
45+
* `https://riseup.net/provider.json` fetched with a GET request.
4646

47-
* https://api.black.riseup.net:443/3/config/eip-service.json fetched with GET request, contains gateway addresses, available transports, location, ports, etc.). Versions is 3 here.
47+
* `https://api.black.riseup.net:443/3/config/eip-service.json` fetched with GET request, contains gateway addresses, available transports, location, ports, etc. We use version 3 here.
4848

49-
* https://api.black.riseup.net:9001/json contains the the client's IP address, geolocation and gives a list of gateways that's the closest and/or under less stress (from other users). This can be different and change.
49+
* `https://api.black.riseup.net:9001/json` (hereafter referred to as geo service) contains the the client's IP address, geolocation and gives a list of gateways that's the closest and/or under less stress (from other users). This can be different and change.
5050

51-
We consider RiseupVPN API to be blocked when we can't fetch a valid self-signed x509 certificate or we don't get a valid HTTP response. If fetching a valid certificate failed, the experiment will skip all subsequent tests.
51+
Since ooniprobe 3.19.0 and version 0.3.0 of the riseupvpn experiment, any failure in accessing any of the above services as well as any failure in using the self-signed X.509 certificate causes the experiment to stop early, without measuring gateways.
5252

53-
Example output if API endpoints couldn't be reached by HTTP GET requests
53+
Before ooniprobe 3.19.0, the data format was different as documented by [a previous version of this document](https://github.com/ooni/spec/blob/f9bbaa83541484e3e509ffa56dd87b0c5ce8c31a/nettests/ts-026-riseupvpn.md).
5454

55-
```json
55+
Since ooniprobe 3.19.0, if all parts of the API are functional and reachable then we write:
56+
57+
```JSON
5658
{
57-
"api_failure": "FAILURE STRING",
58-
"api_status": "blocked",
59+
"api_failures": null,
5960
"ca_cert_status": true,
6061
}
6162
```
6263

63-
If all parts of the API are functional and reachable then we write:
64+
In case any API fails, we include its error into the `api_failures` string list, as follows:
6465

65-
```json
66+
```JSON
6667
{
67-
"api_failure": null,
68-
"api_status": "ok",
68+
"api_failures": ["failure1", "failure2"],
6969
"ca_cert_status": true,
7070
}
7171
```
7272

73-
## RiseupVPN gateways test
74-
75-
If the provider API is reachable, it provides a JSON-file which contains the IP addresses and capabilites of the VPN gateways. The reachability of gateways will be tested depending on their capabilities as described by the provider (ports, OpenVPN, obfs4) by performing TCP handshakes. If a TCP handshake fails we assume the corresponding port and transport of that gateway to be blocked and add it to the list of failing gateways.
76-
We consider a transport to be accessible if it was possible to connect at least to one gateway port providing that transport.
73+
The `ca_cert_status` boolean flag is set to false if we cannot get the self-signed X.509 certificate or the returned bytes are not a valid PEM-encoded certificate.
7774

78-
Example output for reported blocked gateways:
79-
80-
```json
81-
{
82-
"transport_status":{
83-
"obfs4":"blocked",
84-
"openvpn":"ok"
85-
},
86-
"failing_gateways":[
87-
{
88-
"ip":"192.0.2.1",
89-
"port":443,
90-
"transport_type":"openvpn"
91-
},
92-
{
93-
"ip":"192.0.2.1",
94-
"port":23042,
95-
"transport_type":"obfs4"
96-
}
97-
]
98-
}
99-
```
75+
## RiseupVPN gateways test
10076

101-
If none of the gateways are blocked then we write:
77+
If the provider API is reachable, it provides a JSON-file which contains the IP addresses and capabilites of the VPN gateways.
78+
The reachability of gateways will be tested depending on their capabilities as described by the provider (ports, OpenVPN, obfs4) by performing TCP handshakes. If a TCP handshake fails we assume the corresponding port and transport of that gateway to be blocked.
10279

103-
```json
104-
{
105-
"transport_status":{
106-
"obfs4": "ok",
107-
"openvpn":"ok"
108-
},
109-
"failing_gateways": null
110-
}
111-
```
80+
Before ooniprobe 3.19.0, the data format was different as documented by [a previous version of this document](https://github.com/ooni/spec/blob/f9bbaa83541484e3e509ffa56dd87b0c5ce8c31a/nettests/ts-026-riseupvpn.md).
11281

113-
If for whatever reason one or more gateway servers are overloaded, suffer a network outage or aren't reachable for other reasons, then the corresponding gateway statuses will be still shown as blocked. In order to avoid these false positives the **transport_status should be considered as the main indicator for successful censorship attempts of the VPN**.
82+
Since ooniprobe 3.19.0, we do not write any toplevel key associated with riseupvpn gateways.
11483

11584
# Expected output
11685

@@ -130,24 +99,16 @@ JSON fields described above.
13099

131100
```
132101
{
133-
"api_failure": "FAILURE STRING" | null,
134-
"api_status": "blocked"| "ok",
102+
"api_failures": ["FAILURE STRING"] | null,
135103
"ca_cert_status": true | false,
136-
"transport_status":{
137-
"obfs4": "ok" | "blocked",
138-
"openvpn":"ok" | "blocked"
139-
},
140-
"failing_gateways": [
141-
{
142-
"ip":"IP ADDRESS STRING",
143-
"port": 0-65535,
144-
"transport_type":"openvpn" | "obfs4"
145-
},
146-
] | null
147104
}
148105
```
149106

150-
`api_failure` can be any error string flagged with `(PE)` defined in `df-007-errors` or `invalid_ca` in case fetching a valid ca certificate failed.
107+
`api_failure` can be any error string flagged with `(PE)` defined in `df-007-errors` or:
108+
109+
* `invalid_ca` in case the fetched ca certificate is invalid
110+
* `invalid_eipservice_response` in case the fetched eip-service.json is invalid
111+
* `invalid_geoservice_response` in case the fetched geo service response is invalid
151112

152113
## Possible conclusions
153114

@@ -161,7 +122,7 @@ The providers will be able to learn if, where and which gateways are blocked. De
161122

162123
# Privacy considerations
163124

164-
A network observer will learn that these servers exist and see that you try to use OpenVPN.
125+
A network observer will learn that these servers exist and see that you are connecting to some IP addresses.
165126

166127
# Status and future directions
167128

0 commit comments

Comments
 (0)