[feat] Reorganize code

Let's use a more structured folder system:
https://github.com/golang-standards/project-layout

- Resolves: #99

10 files changed, 1199 insertions, 0 deletions

diff --git a/pkg/standalone/bonafide.go b/pkg/standalone/bonafide.go
new file mode 100644
index 0000000..c4d588e
--- /dev/null
+++ b/pkg/standalone/bonafide.go
@@ -0,0 +1,311 @@
+// Copyright (C) 2018 LEAP
+//
+// This program is free software: you can redistribute it and/or modify
+// it under the terms of the GNU General Public License as published by
+// the Free Software Foundation, either version 3 of the License, or
+// (at your option) any later version.
+//
+// This program is distributed in the hope that it will be useful,
+// but WITHOUT ANY WARRANTY; without even the implied warranty of
+// MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+// GNU General Public License for more details.
+//
+// You should have received a copy of the GNU General Public License
+// along with this program.  If not, see <http://www.gnu.org/licenses/>.
+
+package standalone
+
+import (
+	"crypto/tls"
+	"crypto/x509"
+	"encoding/json"
+	"fmt"
+	"io"
+	"io/ioutil"
+	"log"
+	"math/rand"
+	"net/http"
+	"sort"
+	"strconv"
+	"strings"
+	"time"
+)
+
+const (
+	certAPI        = "https://api.black.riseup.net/1/cert"
+	eipAPI         = "https://api.black.riseup.net/1/config/eip-service.json"
+	geolocationAPI = "https://api.black.riseup.net:9001/json"
+	secondsPerHour = 60 * 60
+)
+
+var (
+	caCert = []byte(`-----BEGIN CERTIFICATE-----
+MIIFjTCCA3WgAwIBAgIBATANBgkqhkiG9w0BAQ0FADBZMRgwFgYDVQQKDA9SaXNl
+dXAgTmV0d29ya3MxGzAZBgNVBAsMEmh0dHBzOi8vcmlzZXVwLm5ldDEgMB4GA1UE
+AwwXUmlzZXVwIE5ldHdvcmtzIFJvb3QgQ0EwHhcNMTQwNDI4MDAwMDAwWhcNMjQw
+NDI4MDAwMDAwWjBZMRgwFgYDVQQKDA9SaXNldXAgTmV0d29ya3MxGzAZBgNVBAsM
+Emh0dHBzOi8vcmlzZXVwLm5ldDEgMB4GA1UEAwwXUmlzZXVwIE5ldHdvcmtzIFJv
+b3QgQ0EwggIiMA0GCSqGSIb3DQEBAQUAA4ICDwAwggIKAoICAQC76J4ciMJ8Sg0m
+TP7DF2DT9zNe0Csk4myoMFC57rfJeqsAlJCv1XMzBmXrw8wq/9z7XHv6n/0sWU7a
+7cF2hLR33ktjwODlx7vorU39/lXLndo492ZBhXQtG1INMShyv+nlmzO6GT7ESfNE
+LliFitEzwIegpMqxCIHXFuobGSCWF4N0qLHkq/SYUMoOJ96O3hmPSl1kFDRMtWXY
+iw1SEKjUvpyDJpVs3NGxeLCaA7bAWhDY5s5Yb2fA1o8ICAqhowurowJpW7n5ZuLK
+5VNTlNy6nZpkjt1QycYvNycffyPOFm/Q/RKDlvnorJIrihPkyniV3YY5cGgP+Qkx
+HUOT0uLA6LHtzfiyaOqkXwc4b0ZcQD5Vbf6Prd20Ppt6ei0zazkUPwxld3hgyw58
+m/4UIjG3PInWTNf293GngK2Bnz8Qx9e/6TueMSAn/3JBLem56E0WtmbLVjvko+LF
+PM5xA+m0BmuSJtrD1MUCXMhqYTtiOvgLBlUm5zkNxALzG+cXB28k6XikXt6MRG7q
+hzIPG38zwkooM55yy5i1YfcIi5NjMH6A+t4IJxxwb67MSb6UFOwg5kFokdONZcwj
+shczHdG9gLKSBIvrKa03Nd3W2dF9hMbRu//STcQxOailDBQCnXXfAATj9pYzdY4k
+ha8VCAREGAKTDAex9oXf1yRuktES4QIDAQABo2AwXjAdBgNVHQ4EFgQUC4tdmLVu
+f9hwfK4AGliaet5KkcgwDgYDVR0PAQH/BAQDAgIEMAwGA1UdEwQFMAMBAf8wHwYD
+VR0jBBgwFoAUC4tdmLVuf9hwfK4AGliaet5KkcgwDQYJKoZIhvcNAQENBQADggIB
+AGzL+GRnYu99zFoy0bXJKOGCF5XUXP/3gIXPRDqQf5g7Cu/jYMID9dB3No4Zmf7v
+qHjiSXiS8jx1j/6/Luk6PpFbT7QYm4QLs1f4BlfZOti2KE8r7KRDPIecUsUXW6P/
+3GJAVYH/+7OjA39za9AieM7+H5BELGccGrM5wfl7JeEz8in+V2ZWDzHQO4hMkiTQ
+4ZckuaL201F68YpiItBNnJ9N5nHr1MRiGyApHmLXY/wvlrOpclh95qn+lG6/2jk7
+3AmihLOKYMlPwPakJg4PYczm3icFLgTpjV5sq2md9bRyAg3oPGfAuWHmKj2Ikqch
+Td5CHKGxEEWbGUWEMP0s1A/JHWiCbDigc4Cfxhy56CWG4q0tYtnc2GMw8OAUO6Wf
+Xu5pYKNkzKSEtT/MrNJt44tTZWbKV/Pi/N2Fx36my7TgTUj7g3xcE9eF4JV2H/sg
+tsK3pwE0FEqGnT4qMFbixQmc8bGyuakr23wjMvfO7eZUxBuWYR2SkcP26sozF9PF
+tGhbZHQVGZUTVPyvwahMUEhbPGVerOW0IYpxkm0x/eaWdTc4vPpf/rIlgbAjarnJ
+UN9SaWRlWKSdP4haujnzCoJbM7dU9bjvlGZNyXEekgeT0W2qFeGGp+yyUWw8tNsp
+0BuC1b7uW/bBn/xKm319wXVDvBgZgcktMolak39V7DVO
+-----END CERTIFICATE-----`)
+)
+
+type bonafide struct {
+	client         httpClient
+	tzOffsetHours  int
+	eip            *eipService
+	defaultGateway string
+}
+
+type httpClient interface {
+	Post(url, contentType string, body io.Reader) (resp *http.Response, err error)
+}
+
+type eipService struct {
+	Gateways  []gateway
+	Locations map[string]struct {
+		CountryCode string
+		Hemisphere  string
+		Name        string
+		Timezone    string
+	}
+	OpenvpnConfiguration map[string]interface{} `json:"openvpn_configuration"`
+}
+
+type gateway struct {
+	Capabilities struct {
+		Ports     []string
+		Protocols []string
+	}
+	Host      string
+	IPAddress string `json:"ip_address"`
+	Location  string
+}
+
+type gatewayDistance struct {
+	gateway  gateway
+	distance int
+}
+
+type geoLocation struct {
+	IPAddress      string   `json:"ip"`
+	Country        string   `json:"cc"`
+	City           string   `json:"city"`
+	Latitude       float64  `json:"lat"`
+	Longitude      float64  `json:"lon"`
+	SortedGateways []string `json:"gateways"`
+}
+
+func newBonafide() *bonafide {
+	certs := x509.NewCertPool()
+	certs.AppendCertsFromPEM(caCert)
+	client := &http.Client{
+		Transport: &http.Transport{
+			TLSClientConfig: &tls.Config{
+				RootCAs: certs,
+			},
+		},
+	}
+	_, tzOffsetSeconds := time.Now().Zone()
+	tzOffsetHours := tzOffsetSeconds / secondsPerHour
+
+	return &bonafide{
+		client:         client,
+		tzOffsetHours:  tzOffsetHours,
+		eip:            nil,
+		defaultGateway: "",
+	}
+}
+
+func (b *bonafide) getCertPem() ([]byte, error) {
+	resp, err := b.client.Post(certAPI, "", nil)
+	if err != nil {
+		return nil, err
+	}
+	defer resp.Body.Close()
+	if resp.StatusCode != 200 {
+		return nil, fmt.Errorf("get vpn cert has failed with status: %s", resp.Status)
+	}
+
+	return ioutil.ReadAll(resp.Body)
+}
+
+func (b *bonafide) getGateways() ([]gateway, error) {
+	if b.eip == nil {
+		err := b.fetchEipJSON()
+		if err != nil {
+			return nil, err
+		}
+	}
+
+	return b.eip.Gateways, nil
+}
+
+func (b *bonafide) setDefaultGateway(name string) {
+	b.defaultGateway = name
+	b.sortGateways()
+}
+
+func (b *bonafide) getOpenvpnArgs() ([]string, error) {
+	if b.eip == nil {
+		err := b.fetchEipJSON()
+		if err != nil {
+			return nil, err
+		}
+	}
+
+	args := []string{}
+	for arg, value := range b.eip.OpenvpnConfiguration {
+		switch v := value.(type) {
+		case string:
+			args = append(args, "--"+arg)
+			args = append(args, strings.Split(v, " ")...)
+		case bool:
+			if v {
+				args = append(args, "--"+arg)
+			}
+		default:
+			log.Printf("Unknown openvpn argument type: %s - %v", arg, value)
+		}
+	}
+	return args, nil
+}
+
+func (b *bonafide) fetchGeolocation() ([]string, error) {
+	resp, err := b.client.Post(geolocationAPI, "", nil)
+	if err != nil {
+		return nil, err
+	}
+	defer resp.Body.Close()
+	if resp.StatusCode != 200 {
+		return nil, fmt.Errorf("get geolocation failed with status: %s", resp.Status)
+	}
+
+	geo := &geoLocation{}
+	dataJSON, err := ioutil.ReadAll(resp.Body)
+	err = json.Unmarshal(dataJSON, &geo)
+	if err != nil {
+		_ = fmt.Errorf("get vpn cert has failed with status: %s", resp.Status)
+		return nil, err
+	}
+
+	return geo.SortedGateways, nil
+
+}
+
+func (b *bonafide) fetchEipJSON() error {
+	resp, err := b.client.Post(eipAPI, "", nil)
+	if err != nil {
+		return err
+	}
+	defer resp.Body.Close()
+	if resp.StatusCode != 200 {
+		return fmt.Errorf("get eip json has failed with status: %s", resp.Status)
+	}
+
+	var eip eipService
+	decoder := json.NewDecoder(resp.Body)
+	err = decoder.Decode(&eip)
+	if err != nil {
+		return err
+	}
+
+	b.eip = &eip
+	b.sortGateways()
+	return nil
+}
+
+func (b *bonafide) sortGatewaysByGeolocation(geolocatedGateways []string) []gatewayDistance {
+	gws := []gatewayDistance{}
+
+	for i, host := range geolocatedGateways {
+		for _, gw := range b.eip.Gateways {
+			if gw.Host == host {
+				gws = append(gws, gatewayDistance{gw, i})
+			}
+		}
+	}
+	return gws
+}
+
+func (b *bonafide) sortGatewaysByTimezone() []gatewayDistance {
+	gws := []gatewayDistance{}
+
+	for _, gw := range b.eip.Gateways {
+		distance := 13
+		if gw.Location == b.defaultGateway {
+			distance = -1
+		} else {
+			gwOffset, err := strconv.Atoi(b.eip.Locations[gw.Location].Timezone)
+			if err != nil {
+				log.Printf("Error sorting gateways: %v", err)
+			} else {
+				distance = tzDistance(b.tzOffsetHours, gwOffset)
+			}
+		}
+		gws = append(gws, gatewayDistance{gw, distance})
+	}
+	rand.Seed(time.Now().UnixNano())
+	cmp := func(i, j int) bool {
+		if gws[i].distance == gws[j].distance {
+			return rand.Intn(2) == 1
+		}
+		return gws[i].distance < gws[j].distance
+	}
+	sort.Slice(gws, cmp)
+	return gws
+}
+
+func (b *bonafide) sortGateways() {
+	gws := []gatewayDistance{}
+
+	geolocatedGateways, _ := b.fetchGeolocation()
+
+	if len(geolocatedGateways) > 0 {
+		gws = b.sortGatewaysByGeolocation(geolocatedGateways)
+	} else {
+		log.Printf("Falling back to timezone heuristic for gateway selection")
+		gws = b.sortGatewaysByTimezone()
+	}
+
+	for i, gw := range gws {
+		b.eip.Gateways[i] = gw.gateway
+	}
+}
+
+func tzDistance(offset1, offset2 int) int {
+	abs := func(x int) int {
+		if x < 0 {
+			return -x
+		}
+		return x
+	}
+	distance := abs(offset1 - offset2)
+	if distance > 12 {
+		distance = 24 - distance
+	}
+	return distance
+}
diff --git a/pkg/standalone/bonafide_integration_test.go b/pkg/standalone/bonafide_integration_test.go
new file mode 100644
index 0000000..5beb8aa
--- /dev/null
+++ b/pkg/standalone/bonafide_integration_test.go
@@ -0,0 +1,58 @@
+// +build integration
+// Copyright (C) 2018 LEAP
+//
+// This program is free software: you can redistribute it and/or modify
+// it under the terms of the GNU General Public License as published by
+// the Free Software Foundation, either version 3 of the License, or
+// (at your option) any later version.
+//
+// This program is distributed in the hope that it will be useful,
+// but WITHOUT ANY WARRANTY; without even the implied warranty of
+// MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+// GNU General Public License for more details.
+//
+// You should have received a copy of the GNU General Public License
+// along with this program.  If not, see <http://www.gnu.org/licenses/>.
+
+package standalone
+
+import (
+	"bytes"
+	"testing"
+)
+
+var (
+	privateKeyHeader = []byte("-----BEGIN RSA PRIVATE KEY-----")
+	certHeader       = []byte("-----BEGIN CERTIFICATE-----")
+)
+
+func TestIntegrationGetCert(t *testing.T) {
+	b := newBonafide()
+	cert, err := b.getCertPem()
+	if err != nil {
+		t.Fatal("getCert returned an error: ", err)
+	}
+
+	if !bytes.Contains(cert, privateKeyHeader) {
+		t.Errorf("No private key present: \n%q", cert)
+	}
+
+	if !bytes.Contains(cert, certHeader) {
+		t.Errorf("No cert present: \n%q", cert)
+	}
+}
+
+func TestGetGateways(t *testing.T) {
+	b := newBonafide()
+	gateways, err := b.getGateways()
+	if err != nil {
+		t.Fatal("getGateways returned an error: ", err)
+	}
+
+	for _, gw := range gateways {
+		if gw.IPAddress == "5.79.86.180" {
+			return
+		}
+	}
+	t.Errorf("5.79.86.180 not in the list")
+}
diff --git a/pkg/standalone/bonafide_test.go b/pkg/standalone/bonafide_test.go
new file mode 100644
index 0000000..7bfcaa0
--- /dev/null
+++ b/pkg/standalone/bonafide_test.go
@@ -0,0 +1,100 @@
+// Copyright (C) 2018 LEAP
+//
+// This program is free software: you can redistribute it and/or modify
+// it under the terms of the GNU General Public License as published by
+// the Free Software Foundation, either version 3 of the License, or
+// (at your option) any later version.
+//
+// This program is distributed in the hope that it will be useful,
+// but WITHOUT ANY WARRANTY; without even the implied warranty of
+// MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+// GNU General Public License for more details.
+//
+// You should have received a copy of the GNU General Public License
+// along with this program.  If not, see <http://www.gnu.org/licenses/>.
+
+package standalone
+
+import (
+	"io"
+	"io/ioutil"
+	"net/http"
+	"os"
+	"reflect"
+	"testing"
+)
+
+const (
+	certPath = "testdata/cert"
+	eipPath  = "testdata/eip-service.json"
+)
+
+type client struct {
+	path string
+}
+
+func (c client) Post(url, contentType string, body io.Reader) (resp *http.Response, err error) {
+	f, err := os.Open(c.path)
+	return &http.Response{
+		Body:       f,
+		StatusCode: 200,
+	}, err
+}
+
+func TestGetCert(t *testing.T) {
+	b := bonafide{client: client{certPath}}
+	cert, err := b.getCertPem()
+	if err != nil {
+		t.Fatal("getCert returned an error: ", err)
+	}
+
+	f, err := os.Open(certPath)
+	if err != nil {
+		t.Fatal("Can't open ", certPath, ": ", err)
+	}
+	defer f.Close()
+
+	certData, err := ioutil.ReadAll(f)
+	if err != nil {
+		t.Fatal("Can't read all: ", err)
+	}
+	if !reflect.DeepEqual(certData, cert) {
+		t.Errorf("cert doesn't match")
+	}
+}
+
+func TestGatewayTzLocation(t *testing.T) {
+	// tzOffset -> location
+	values := map[int]string{
+		-12: "c",
+		-10: "a",
+		-5:  "a",
+		-3:  "a",
+		-1:  "b",
+		0:   "b",
+		2:   "b",
+		5:   "c",
+		8:   "c",
+		12:  "c",
+	}
+
+	for tzOffset, location := range values {
+		b := bonafide{
+			client:        client{eipPath},
+			tzOffsetHours: tzOffset,
+		}
+		gateways, err := b.getGateways()
+		if err != nil {
+			t.Errorf("getGateways returned an error: %v", err)
+			continue
+		}
+		if len(gateways) < 4 {
+			t.Errorf("Wrong number of gateways: %d", len(gateways))
+			continue
+
+		}
+		if gateways[0].Location != location {
+			t.Errorf("Wrong location for tz %d: %s, expected: %s", tzOffset, gateways[0].Location, location)
+		}
+	}
+}
diff --git a/pkg/standalone/launcher.go b/pkg/standalone/launcher.go
new file mode 100644
index 0000000..4dc4761
--- /dev/null
+++ b/pkg/standalone/launcher.go
@@ -0,0 +1,97 @@
+// +build !linux
+// Copyright (C) 2018 LEAP
+//
+// This program is free software: you can redistribute it and/or modify
+// it under the terms of the GNU General Public License as published by
+// the Free Software Foundation, either version 3 of the License, or
+// (at your option) any later version.
+//
+// This program is distributed in the hope that it will be useful,
+// but WITHOUT ANY WARRANTY; without even the implied warranty of
+// MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+// GNU General Public License for more details.
+//
+// You should have received a copy of the GNU General Public License
+// along with this program.  If not, see <http://www.gnu.org/licenses/>.
+
+package standalone
+
+import (
+	"bytes"
+	"encoding/json"
+	"fmt"
+	"io"
+	"io/ioutil"
+	"net/http"
+)
+
+const (
+	helperAddr = "http://localhost:7171"
+)
+
+type launcher struct {
+}
+
+func newLauncher() (*launcher, error) {
+	return &launcher{}, nil
+}
+
+func (l *launcher) close() error {
+	return nil
+}
+
+func (l *launcher) openvpnStart(flags ...string) error {
+	byteFlags, err := json.Marshal(flags)
+	if err != nil {
+		return err
+	}
+	return l.send("/openvpn/start", byteFlags)
+}
+
+func (l *launcher) openvpnStop() error {
+	return l.send("/openvpn/stop", nil)
+}
+
+func (l *launcher) firewallStart(gateways []gateway) error {
+	ipList := make([]string, len(gateways))
+	for i, gw := range gateways {
+		ipList[i] = gw.IPAddress
+	}
+	byteIPs, err := json.Marshal(ipList)
+	if err != nil {
+		return err
+	}
+	return l.send("/firewall/start", byteIPs)
+}
+
+func (l *launcher) firewallStop() error {
+	return l.send("/firewall/stop", nil)
+}
+
+func (l *launcher) firewallIsUp() bool {
+	res, err := http.Post(helperAddr+"/firewall/isup", "", nil)
+	if err != nil {
+		return false
+	}
+	defer res.Body.Close()
+
+	return res.StatusCode == http.StatusOK
+}
+
+func (l *launcher) send(path string, body []byte) error {
+	var reader io.Reader
+	if body != nil {
+		reader = bytes.NewReader(body)
+	}
+	res, err := http.Post(helperAddr+path, "", reader)
+	if err != nil {
+		return err
+	}
+	defer res.Body.Close()
+
+	resErr, err := ioutil.ReadAll(res.Body)
+	if len(resErr) > 0 {
+		return fmt.Errorf("Helper returned an error: %q", resErr)
+	}
+	return err
+}
diff --git a/pkg/standalone/launcher_linux.go b/pkg/standalone/launcher_linux.go
new file mode 100644
index 0000000..672eb1f
--- /dev/null
+++ b/pkg/standalone/launcher_linux.go
@@ -0,0 +1,139 @@
+// +build linux
+// Copyright (C) 2018 LEAP
+//
+// This program is free software: you can redistribute it and/or modify
+// it under the terms of the GNU General Public License as published by
+// the Free Software Foundation, either version 3 of the License, or
+// (at your option) any later version.
+//
+// This program is distributed in the hope that it will be useful,
+// but WITHOUT ANY WARRANTY; without even the implied warranty of
+// MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+// GNU General Public License for more details.
+//
+// You should have received a copy of the GNU General Public License
+// along with this program.  If not, see <http://www.gnu.org/licenses/>.
+
+package standalone
+
+import (
+	"errors"
+	"log"
+	"os"
+	"os/exec"
+)
+
+const (
+	systemOpenvpnPath = "/usr/sbin/openvpn"
+	snapOpenvpnPath   = "/snap/bin/riseup-vpn.openvpn"
+)
+
+var bitmaskRootPaths = []string{
+	"/usr/sbin/bitmask-root",
+	"/usr/local/sbin/bitmask-root",
+}
+
+type launcher struct {
+	openvpnCh chan []string
+}
+
+func newLauncher() (*launcher, error) {
+	l := launcher{make(chan []string, 1)}
+	go l.openvpnRunner()
+	return &l, nil
+}
+
+func (l *launcher) close() error {
+	return nil
+}
+
+func (l *launcher) openvpnStart(flags ...string) error {
+	log.Println("openvpn start: ", flags)
+	arg := []string{"openvpn", "start", getOpenvpnPath()}
+	arg = append(arg, flags...)
+	l.openvpnCh <- arg
+	return nil
+}
+
+func (l *launcher) openvpnStop() error {
+	l.openvpnCh <- nil
+	log.Println("openvpn stop")
+	return runBitmaskRoot("openvpn", "stop")
+}
+
+func (l *launcher) firewallStart(gateways []gateway) error {
+	log.Println("firewall start")
+	arg := []string{"firewall", "start"}
+	for _, gw := range gateways {
+		arg = append(arg, gw.IPAddress)
+	}
+	return runBitmaskRoot(arg...)
+}
+
+func (l *launcher) firewallStop() error {
+	log.Println("firewall stop")
+	return runBitmaskRoot("firewall", "stop")
+}
+
+func (l *launcher) firewallIsUp() bool {
+	err := runBitmaskRoot("firewall", "isup")
+	return err == nil
+}
+
+func (l *launcher) openvpnRunner(arg ...string) {
+	running := false
+	runOpenvpn := func(arg []string) {
+		for running {
+			err := runBitmaskRoot(arg...)
+			if err != nil {
+				log.Printf("An error ocurred running openvpn: %v", err)
+			}
+		}
+	}
+
+	for arg := range l.openvpnCh {
+		if arg == nil {
+			running = false
+		} else {
+			running = true
+			go runOpenvpn(arg)
+		}
+	}
+}
+
+func runBitmaskRoot(arg ...string) error {
+	bitmaskRoot, err := bitmaskRootPath()
+	if err != nil {
+		return err
+	}
+	arg = append([]string{bitmaskRoot}, arg...)
+
+	cmd := exec.Command("pkexec", arg...)
+	err = cmd.Run()
+	if err != nil {
+		return err
+	}
+	return nil
+}
+
+func bitmaskRootPath() (string, error) {
+	if os.Getenv("SNAP") != "" {
+		path := "/snap/bin/riseup-vpn.bitmask-root"
+		if _, err := os.Stat(path); !os.IsNotExist(err) {
+			return path, nil
+		}
+	}
+	for _, path := range bitmaskRootPaths {
+		if _, err := os.Stat(path); !os.IsNotExist(err) {
+			return path, nil
+		}
+	}
+	return "", errors.New("No bitmask-root found")
+}
+
+func getOpenvpnPath() string {
+	if os.Getenv("SNAP") != "" {
+		return snapOpenvpnPath
+	}
+	return systemOpenvpnPath
+}
diff --git a/pkg/standalone/main.go b/pkg/standalone/main.go
new file mode 100644
index 0000000..f7e1976
--- /dev/null
+++ b/pkg/standalone/main.go
@@ -0,0 +1,80 @@
+// Copyright (C) 2018 LEAP
+//
+// This program is free software: you can redistribute it and/or modify
+// it under the terms of the GNU General Public License as published by
+// the Free Software Foundation, either version 3 of the License, or
+// (at your option) any later version.
+//
+// This program is distributed in the hope that it will be useful,
+// but WITHOUT ANY WARRANTY; without even the implied warranty of
+// MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+// GNU General Public License for more details.
+//
+// You should have received a copy of the GNU General Public License
+// along with this program.  If not, see <http://www.gnu.org/licenses/>.
+
+package standalone
+
+import (
+	"io/ioutil"
+	"log"
+	"os"
+
+	"github.com/apparentlymart/go-openvpn-mgmt/openvpn"
+)
+
+// Bitmask holds the bitmask client data
+type Bitmask struct {
+	tempdir          string
+	statusCh         chan string
+	managementClient *openvpn.MgmtClient
+	bonafide         *bonafide
+	launch           *launcher
+}
+
+// Init the connection to bitmask
+func Init() (*Bitmask, error) {
+	statusCh := make(chan string, 10)
+	tempdir, err := ioutil.TempDir("", "leap-")
+	if err != nil {
+		return nil, err
+	}
+	bonafide := newBonafide()
+	launch, err := newLauncher()
+	if err != nil {
+		return nil, err
+	}
+	b := Bitmask{tempdir, statusCh, nil, bonafide, launch}
+
+	err = b.StopVPN()
+	if err != nil {
+		return nil, err
+	}
+	err = ioutil.WriteFile(b.getCaCertPath(), caCert, 0600)
+
+	go b.openvpnManagement()
+	return &b, err
+}
+
+// GetStatusCh returns a channel that will recieve VPN status changes
+func (b *Bitmask) GetStatusCh() <-chan string {
+	return b.statusCh
+}
+
+// Close the connection to bitmask
+func (b *Bitmask) Close() {
+	b.StopVPN()
+	err := b.launch.close()
+	if err != nil {
+		log.Printf("There was an error closing the launcher: %v", err)
+	}
+	err = os.RemoveAll(b.tempdir)
+	if err != nil {
+		log.Printf("There was an error removing temp dir: %v", err)
+	}
+}
+
+// Version gets the bitmask version string
+func (b *Bitmask) Version() (string, error) {
+	return "", nil
+}
diff --git a/pkg/standalone/status.go b/pkg/standalone/status.go
new file mode 100644
index 0000000..42c4687
--- /dev/null
+++ b/pkg/standalone/status.go
@@ -0,0 +1,91 @@
+// Copyright (C) 2018 LEAP
+//
+// This program is free software: you can redistribute it and/or modify
+// it under the terms of the GNU General Public License as published by
+// the Free Software Foundation, either version 3 of the License, or
+// (at your option) any later version.
+//
+// This program is distributed in the hope that it will be useful,
+// but WITHOUT ANY WARRANTY; without even the implied warranty of
+// MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+// GNU General Public License for more details.
+//
+// You should have received a copy of the GNU General Public License
+// along with this program.  If not, see <http://www.gnu.org/licenses/>.
+
+package standalone
+
+import (
+	"fmt"
+	"log"
+
+	"github.com/apparentlymart/go-openvpn-mgmt/openvpn"
+)
+
+const (
+	On       = "on"
+	Off      = "off"
+	Starting = "starting"
+	Stopping = "stopping"
+	Failed   = "failed"
+)
+
+var statusNames = map[string]string{
+	"CONNECTING":   Starting,
+	"WAIT":         Starting,
+	"AUTH":         Starting,
+	"GET_CONFIG":   Starting,
+	"ASSIGN_IP":    Starting,
+	"ADD_ROUTES":   Starting,
+	"CONNECTED":    On,
+	"RECONNECTING": Starting,
+	"EXITING":      Stopping,
+	"OFF":          Off,
+	"FAILED":       Off,
+}
+
+func (b *Bitmask) openvpnManagement() {
+	// TODO: we should warn the user on ListenAndServe errors
+	newConnection := func(conn openvpn.IncomingConn) {
+		eventCh := make(chan openvpn.Event, 10)
+		log.Println("New connection into the management")
+		b.managementClient = conn.Open(eventCh)
+		b.managementClient.SetStateEvents(true)
+		b.eventHandler(eventCh)
+	}
+	log.Fatal(openvpn.ListenAndServe(
+		fmt.Sprintf("%s:%s", openvpnManagementAddr, openvpnManagementPort),
+		openvpn.IncomingConnHandlerFunc(newConnection),
+	))
+}
+
+func (b *Bitmask) eventHandler(eventCh <-chan openvpn.Event) {
+	// TODO: we are reporing only openvpn status, missing firewall status
+	for event := range eventCh {
+		log.Printf("Event: %v", event)
+		stateEvent, ok := event.(*openvpn.StateEvent)
+		if !ok {
+			continue
+		}
+		status, ok := statusNames[stateEvent.NewState()]
+		if ok {
+			b.statusCh <- status
+		}
+	}
+	b.statusCh <- Off
+}
+
+func (b *Bitmask) getOpenvpnState() (string, error) {
+	if b.managementClient == nil {
+		return "", fmt.Errorf("No management connected")
+	}
+	stateEvent, err := b.managementClient.LatestState()
+	if err != nil {
+		return "", err
+	}
+	status, ok := statusNames[stateEvent.NewState()]
+	if !ok {
+		return "", fmt.Errorf("Unkonw status")
+	}
+	return status, nil
+}
diff --git a/pkg/standalone/testdata/cert b/pkg/standalone/testdata/cert
new file mode 100644
index 0000000..4968b3f
--- /dev/null
+++ b/pkg/standalone/testdata/cert
@@ -0,0 +1,54 @@
+-----BEGIN RSA PRIVATE KEY-----
+MIIEpQIBAAKCAQEA3TQAmZs9U6e1xqQqVWkb132AGXdaO97bsXPOrrKUp63hKeXD
+2OQbmG96H3COi0uubVFQT1cAmpuym2COtgahQlnv42p0u2CYsBqfrCHw3iSK7nf6
+Q8RaG2oUIvlQj5m4DUk1wfRBgG5z0pN2HwFWmgheoT0RnOelTO3vcLCaSJA6PF4M
+Wehg5ScXi9wr0vibKsANpqab3oUxcHEYcNcKfJKRnXryJx6ctLrRp1WPv3JAXLnn
+oUtQ00S0dSHrLED5yPwGFV08q4bkv54qFai2cPO8ITReC6BpvrilBzOjT6fjCmzm
+6MCwBot7aRHYcWJgfp7H2b2S7T2qhnC4c2u6mwIDAQABAoIBAFue83SsOS2SNJdv
+Xd18qLyLzeg+aFCOET8h8YSokSwWuEGLWqBWcxujaNjm3RPTKA89c9848RYY0VTM
+HLBGdLqv183BRVJrQzMGBAbfFA5e4nC9nxo8lPnv6SFHVNf12qceILcSPaM9nJmm
+3HEhM8afGtr8GXR8+hmwH9H0RCMzXIjO1//WrY3nfOP8LRuQpSnnhsfZRyngWhot
+xsJlDP5plFNw7J/PDLtbjnbOXOktv0fhhq7aWR+A+0s0627r7Tidk1YoNwusYJeB
+uKrzNW1+c7Z9xl2yvMQ6+0Wry7A5YUVYP/BakYb/f/skB4ox/zz8vcWeQ4ShZ7m6
+LwPN0ckCgYEA+9wjSBbOlksath3QrJywikD1sQYFOdNrINTBFQnuipKOYKLJNhQM
+OzKHY1OiO7G6FcEvz9gKYMpMyMOs8TsISyKPNOXLpnwpgIUx6WRo6qxgEuyWLpBb
+Q3Kodl1a/q51dw56pPDEATKjSB1CjXXzm717m5FimH5csPKj9SzrGecCgYEA4Nbb
+QML1Jh9cu7TvlK3WqbAFJa4Mx/0+OQ+5xlhbs/ygn3/AZiSsPWdNK11XJ25jgGJw
+AucXr/kHgwJX23kFpCYB3zZE0Vh/hOqk/KlUFmptuADIDOAVst0v8MqBLZpZessN
+TXph5VBT6P51Oz/ZLC67uno02R1vUhDMB5VCyy0CgYEAoriZuuuxUXz4pw0gU0Vw
+8gICOvsuySuFHVMX5GXkTnddsaW65kuRk3WT72KLgJHVLlUAdQKZwesyLMvvonOH
+ajPL3ltRdiDmF3j2xFnxRx1TfSaJ6U+vBya/HKo4Li+9CMy8BHDh0fxLbj4pT4gT
+el2zzNDjqK6LaG976t24j6UCgYEAyTD5uRW7cIWX4Y+i4xQ7hlQwBuucHEkMKNtd
+jZL7XC+vO4qBi+U9CyUo9KjtmCc7emKbgL1xgNICWsT6ATZmSeCIxEg3hG0Ajtu5
+Dy4mRHiv/XsViA/s2sT6ZSmQNlJrx2lzWeUtPJmIvHEWThJwLw0Sh2dbavzf5DuL
+ly2FO3ECgYEA5AKnPQo45I+abEA/zKHsKHCqBPEbIaZpJJTaiInrsLiGJf+WzN4N
+zr/VAzvY+v0X5RgZmROY5ZLPVf2fTeVNzU5WzoB78hHOI67YI2Sbq7jZlatOgX4z
+Ur2BQdT0bW6VINYpDLUvS4goW5p0nQbGItdk69yyef1v3NDbCJ/Sg+Q=
+-----END RSA PRIVATE KEY-----
+-----BEGIN CERTIFICATE-----
+MIIEnDCCAoSgAwIBAgIRAJzr5xxPLgDD+drzU+5p8cgwDQYJKoZIhvcNAQELBQAw
+dTEYMBYGA1UECgwPUmlzZXVwIE5ldHdvcmtzMRswGQYDVQQLDBJodHRwczovL3Jp
+c2V1cC5uZXQxPDA6BgNVBAMMM1Jpc2V1cCBOZXR3b3JrcyBSb290IENBIChjbGll
+bnQgY2VydGlmaWNhdGVzIG9ubHkhKTAeFw0xODEwMjMwMDAwMDBaFw0xOTAxMjMw
+MDAwMDBaMC0xKzApBgNVBAMMIlVOTElNSVRFRDVmbzdsMmxiY3g0OWR5ZzR5MWY4
+YXN3YXcwggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQDdNACZmz1Tp7XG
+pCpVaRvXfYAZd1o73tuxc86uspSnreEp5cPY5BuYb3ofcI6LS65tUVBPVwCam7Kb
+YI62BqFCWe/janS7YJiwGp+sIfDeJIrud/pDxFobahQi+VCPmbgNSTXB9EGAbnPS
+k3YfAVaaCF6hPRGc56VM7e9wsJpIkDo8XgxZ6GDlJxeL3CvS+JsqwA2mppvehTFw
+cRhw1wp8kpGdevInHpy0utGnVY+/ckBcueehS1DTRLR1IessQPnI/AYVXTyrhuS/
+nioVqLZw87whNF4LoGm+uKUHM6NPp+MKbObowLAGi3tpEdhxYmB+nsfZvZLtPaqG
+cLhza7qbAgMBAAGjbzBtMB0GA1UdDgQWBBRwXpI96PjilFPrkK+CHUPia++ISTAL
+BgNVHQ8EBAMCB4AwEwYDVR0lBAwwCgYIKwYBBQUHAwIwCQYDVR0TBAIwADAfBgNV
+HSMEGDAWgBQX9BvV5SoBAU1rol02CikJlmWARjANBgkqhkiG9w0BAQsFAAOCAgEA
+ryNFLixuicVRepocY2lTSY0cpG0eRmLuYJGupk9KeiLA5YEFzl4ZfXJLi+9UHoUR
+Bgfe6QYLBb77nO24CoeiMJQw6s593ctMLiMU++fjew31gNp6aA9DmvbLd+fNuLyO
+XObRtGw99M37cyf3ZS2SEbTBr4NBp/r3OCyUYsxPYKOzEkr9kNYa8ZZSI960i7/R
+/aiq2qemQaOQHTlmrhcBuARJoRVVlLnn2zgLSVm6ptbFLNtAk0lWriUT/WlRmn8j
+Cyn/JOuo/1wtrK1dHkaXr8bkEq1oFQzcwMN85hrZKWU0BCehELZtiUg8grqaX/sf
+/jaXD61FEqWjIXeGqY/K6ruosZCw2R8sQYzTuQNHMjxmx+J3pch7dMmJPbmA3HW2
+nA7yVp51SX8iZ26zb40S7GG6RNesU+BZxz05XVLt1GwyLx/uNxS4rFpKAT/+ifWG
+3Y1j1lMqBxx6RbuqiM1TWqU7Xtzu3hf8ytP5qP7kudXn1TyNtpZCIrzbTXbLnYiD
+nH4ZQEWGyAKBOz41eOcG6EXn0TznSGE593ueXBeFnsym7i9MjoOWNGaJ7UbkipfX
+FzxirlY5IRkWnmHCL0wGUg6YGnZ1OQ8VBBGb/dBPRMDwA7zWvoM7+3yDLR3aRaLH
+mTQzNzu3jy6CRdlpIUcPRcgbniySip1jJrHRYBui+9w=
+-----END CERTIFICATE-----
diff --git a/pkg/standalone/testdata/eip-service.json b/pkg/standalone/testdata/eip-service.json
new file mode 100644
index 0000000..d5f2413
--- /dev/null
+++ b/pkg/standalone/testdata/eip-service.json
@@ -0,0 +1,113 @@
+{
+  "gateways": [
+    {
+      "capabilities": {
+        "adblock": false,
+        "filter_dns": false,
+        "limited": false,
+        "ports": [
+          "443"
+        ],
+        "protocols": [
+          "tcp"
+        ],
+        "transport": [
+          "openvpn"
+        ],
+        "user_ips": false
+      },
+      "host": "1.example.com",
+      "ip_address": "1.1.1.1",
+      "location": "a"
+    },
+    {
+      "capabilities": {
+        "adblock": false,
+        "filter_dns": false,
+        "limited": false,
+        "ports": [
+          "443"
+        ],
+        "protocols": [
+          "tcp"
+        ],
+        "transport": [
+          "openvpn"
+        ],
+        "user_ips": false
+      },
+      "host": "2.example.com",
+      "ip_address": "2.2.2.2",
+      "location": "b"
+    },
+    {
+      "capabilities": {
+        "adblock": false,
+        "filter_dns": false,
+        "limited": false,
+        "ports": [
+          "443"
+        ],
+        "protocols": [
+          "tcp"
+        ],
+        "transport": [
+          "openvpn"
+        ],
+        "user_ips": false
+      },
+      "host": "3.example.com",
+      "ip_address": "3.3.3.3",
+      "location": "b"
+    },
+    {
+      "capabilities": {
+        "adblock": false,
+        "filter_dns": false,
+        "limited": false,
+        "ports": [
+          "443"
+        ],
+        "protocols": [
+          "tcp"
+        ],
+        "transport": [
+          "openvpn"
+        ],
+        "user_ips": false
+      },
+      "host": "4.example.com",
+      "ip_address": "4.4.4.4",
+      "location": "c"
+    }
+  ],
+  "locations": {
+    "a": {
+      "country_code": "AA",
+      "hemisphere": "N",
+      "name": "a",
+      "timezone": "-5"
+    },
+    "b": {
+      "country_code": "BB",
+      "hemisphere": "S",
+      "name": "b",
+      "timezone": "+1"
+    },
+    "c": {
+      "country_code": "CC",
+      "hemisphere": "N",
+      "name": "c",
+      "timezone": "+8"
+    }
+  },
+  "openvpn_configuration": {
+    "auth": "SHA1",
+    "cipher": "AES-128-CBC",
+    "keepalive": "10 30",
+    "tls-cipher": "DHE-RSA-AES128-SHA",
+    "tun-ipv6": true
+  },
+  "serial": 1,
+  "version": 1
+}
diff --git a/pkg/standalone/vpn.go b/pkg/standalone/vpn.go
new file mode 100644
index 0000000..941d444
--- /dev/null
+++ b/pkg/standalone/vpn.go
@@ -0,0 +1,156 @@
+// Copyright (C) 2018 LEAP
+//
+// This program is free software: you can redistribute it and/or modify
+// it under the terms of the GNU General Public License as published by
+// the Free Software Foundation, either version 3 of the License, or
+// (at your option) any later version.
+//
+// This program is distributed in the hope that it will be useful,
+// but WITHOUT ANY WARRANTY; without even the implied warranty of
+// MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+// GNU General Public License for more details.
+//
+// You should have received a copy of the GNU General Public License
+// along with this program.  If not, see <http://www.gnu.org/licenses/>.
+
+package standalone
+
+import (
+	"io/ioutil"
+	"os"
+	"path"
+)
+
+const (
+	openvpnManagementAddr = "127.0.0.1"
+	openvpnManagementPort = "6061"
+)
+
+// StartVPN for provider
+func (b *Bitmask) StartVPN(provider string) error {
+	gateways, err := b.bonafide.getGateways()
+	if err != nil {
+		return err
+	}
+	certPemPath, err := b.getCert()
+	if err != nil {
+		return err
+	}
+
+	err = b.launch.firewallStart(gateways)
+	if err != nil {
+		return err
+	}
+
+	arg, err := b.bonafide.getOpenvpnArgs()
+	if err != nil {
+		return err
+	}
+	for _, gw := range gateways {
+		arg = append(arg, "--remote", gw.IPAddress, "443", "tcp4")
+	}
+	arg = append(arg,
+		"--verb", "1",
+		"--management-client",
+		"--management", openvpnManagementAddr, openvpnManagementPort,
+		"--ca", b.getCaCertPath(),
+		"--cert", certPemPath,
+		"--key", certPemPath)
+	return b.launch.openvpnStart(arg...)
+}
+
+func (b *Bitmask) getCert() (certPath string, err error) {
+	certPath = b.getCertPemPath()
+
+	if _, err := os.Stat(certPath); os.IsNotExist(err) {
+		cert, err := b.bonafide.getCertPem()
+		if err != nil {
+			return "", err
+		}
+		err = ioutil.WriteFile(certPath, cert, 0600)
+	}
+
+	return certPath, err
+}
+
+// StopVPN or cancel
+func (b *Bitmask) StopVPN() error {
+	err := b.launch.firewallStop()
+	if err != nil {
+		return err
+	}
+	return b.launch.openvpnStop()
+}
+
+// ReloadFirewall restarts the firewall
+func (b *Bitmask) ReloadFirewall() error {
+	err := b.launch.firewallStop()
+	if err != nil {
+		return err
+	}
+
+	status, err := b.GetStatus()
+	if err != nil {
+		return err
+	}
+
+	if status != Off {
+		gateways, err := b.bonafide.getGateways()
+		if err != nil {
+			return err
+		}
+		return b.launch.firewallStart(gateways)
+	}
+	return nil
+}
+
+// GetStatus returns the VPN status
+func (b *Bitmask) GetStatus() (string, error) {
+	status, err := b.getOpenvpnState()
+	if err != nil {
+		status = Off
+	}
+	if status == Off && b.launch.firewallIsUp() {
+		return Failed, nil
+	}
+	return status, nil
+}
+
+// InstallHelpers into the system
+func (b *Bitmask) InstallHelpers() error {
+	// TODO
+	return nil
+}
+
+// VPNCheck returns if the helpers are installed and up to date and if polkit is running
+func (b *Bitmask) VPNCheck() (helpers bool, priviledge bool, err error) {
+	// TODO
+	return true, true, nil
+}
+
+// ListGateways return the names of the gateways
+func (b *Bitmask) ListGateways(provider string) ([]string, error) {
+	gateways, err := b.bonafide.getGateways()
+	if err != nil {
+		return nil, err
+	}
+	gatewayNames := make([]string, len(gateways))
+	for i, gw := range gateways {
+		gatewayNames[i] = gw.Location
+	}
+	return gatewayNames, nil
+}
+
+// UseGateway selects name as the default gateway
+func (b *Bitmask) UseGateway(name string) error {
+	b.bonafide.setDefaultGateway(name)
+	return nil
+}
+
+func (b *Bitmask) getCertPemPath() string {
+	return path.Join(b.tempdir, "openvpn.pem")
+}
+
+func (b *Bitmask) getCaCertPath() string {
+	return path.Join(b.tempdir, "cacert.pem")
+}