Skip to content
Snippets Groups Projects

Draft: addressed comments by Kwadro

Closed Arti requested to merge kwadro-comments-resolved into no-masters
1 file
+ 68
0
Compare changes
  • Side-by-side
  • Inline
ooni.md 0 → 100644
+ 68
0
## How to check if Bitmask/Riseup infrastructure is censored in your country
Here we will guide you on how to measure availability of Riseup servers and openVPN protocol.
To detect censorship attempts, we will be doing this **without use of obfuscation or Tor**.
This document assumes the reader has a running setup of Docker
### A word of caution
Accessing `riseup.net` or Riseup gateways may be illegal in your country or break rules of your workplace or your ISP.
If you suspect this to be the case, weigh the risks, plan risk mitigation and proceed.
We say a big Thank You to all testers who check if the services are censored.
### Simplest check
Let's start by trying to access `black.riseup.net`, a server hosting our [Menshen]() API.
The primary use of Menshen is to dispense [gateways and obfs bridges] (circumvention documentation link).
Menshen is so called after chinese gatekeeper spirits.
We will not only connect to it, but also cross-check how it is resolved across multiple DNS providers.
To automate the testing, we use [Ooni probe](), more specifically `miniooni`.
Unfortunately, not all tests we need to run can be performed on unmodified miniooni.
To enable OpenVPN testing, Leap forked ooni probe, but [merge request]() is not yet merged.
For your convenience, we made a docker container [ainghazal/miniooni-unofficial](https://hub.docker.com/r/ainghazal/miniooni-unofficial) which contains everything that we will need.
It is a [single-executable]() container, and it is used almost like a normal miniooni binary.
#### Run a connection test against `black.riseup.net`:
`docker run ainghazal/miniooni-unofficial web_connectivity -y -n -i https://black.riseup.net`
##### Breakdown
* `docker run ainghazal/miniooni-unofficial` - Download and run our container. All that follows is arguments to miniooni.
* `web_connectivity` - a test to run. This one performs DNS and connection checks.
* `-y` - Answer `yes` to prompts. It confirms that you know the risks involved.
* `-n` - Do not submit results to Ooni data collector.
* `-i <input>` - Test input. For `web_connectivity`, it is an address to test connection to.
* `https://black.riseup.net` - address of our Menshen. We try to connect to it.
#### Sending a report
If you feel comfortable sharing the report with Ooni community (and by extension, LEAP), re-run with `-n` flag omitted.
If Ooni itself is censored in your country, <insert method for stashing results and sending over tor>
### OpenVPN check
Sometimes either OpenVPN protocol itself or Riseup gateways in particular can be censored.
To figure out the exact situation with your ISP, we made miniooni talk OpenVPN, and also defined a roster of gateways to test connecting to.
`docker run ainghazal/miniooni-unofficial oonirun -y -n -i https://raw.githubusercontent.com/ainghazal/vpn-test-lists/main/oonirun/010-riseup-us.json`
#### Breakdown
* `docker run ainghazal/miniooni-unofficial` - See previous secton
* `oonirun` - we have a custom test to run (see below)
* `-y` - See previous section
* `-n` - See previous section
* `-i <input>` - Test input. For `oonirun`, it is a json specification of the test
* `https://raw.githubusercontent.com/ainghazal/vpn-test-lists/main/oonirun/010-riseup-us.json` - our test spec.
#### (Optional) A closer look
You can open `https://raw.githubusercontent.com/ainghazal/vpn-test-lists/main/oonirun/010-riseup-us.json` in your browser.
There, one can see that we perform an `openvpn` test (possible in [our fork](), not in vanilla) against a number of Gateways.
We also specify certificates to use for TLS.
#### Sending a report
See previous section
### Conclusion
Again, thank you for participating in censorship monitoring.
Thanks to you we can bring freedom of information to more people.
To leave feedback, open an Issue [here](issues)
\ No newline at end of file
Loading