Hummingbird 1.0: AirVPN client based on OpenVPN 3 AirVPN

[Staff 9972]

@inc

Hello!

A GUI is planned, when the Hummingbird "backend" will run as a daemon. We are already working on it, right now.

At the moment you can see the information you need on the standard output, and rightly so! Hummingbird 1 "branch" must remain a light and stand alone binary with no graphic requirement of any kind.

If you need a GUI at the moment please run Eddie.

The problem you mention looks like a failure to DHE. Do you notice a similar problem with OpenVPN 2.x or not?

Kind regards
 

[inc 3]

I think you misunderstand, I do not want GUI , I like Hummingbird, I use Linux and could not wait to remove Eddie with it's dependency on Mono. There are two issues with Hummingbird, it does not always show the AirVPN server name  I am connected to, and there is issue with hourly handshake failing. Since Hummingbird is self contained with your version of OpenVPN  I think that it is an issue with either the server or Hummingbird, I am assuming you want feedback. Regarding OpenVPN 2  I never used any of the beta versions of Hummingbird

See below, sometimes shows server name sometimes not.
 

Tue Jan  7 10:31:42.919 2020 VERIFY OK : depth=0
cert. version     : 3
serial number     : 01:0D
issuer name       : C=IT, ST=IT, L=Perugia, O=airvpn.org, CN=airvpn.org CA, emailAddress=info@airvpn.org
subject name      : C=IT, ST=IT, L=Perugia, O=airvpn.org, CN=server, emailAddress=info@airvpn.org
issued  on        : 2016-03-10 08:48:05
expires on        : 2026-03-08 08:48:05
signed using      : RSA with SHA1

Tue Jan  7 11:52:39.656 2020 VERIFY OK : depth=0
cert. version     : 3
serial number     : 01:5D
issuer name       : C=IT, ST=IT, L=Perugia, O=airvpn.org, CN=airvpn.org CA, emailAddress=info@airvpn.org
subject name      : C=IT, ST=IT, L=Perugia, O=airvpn.org, CN=Orbitar, emailAddress=info@airvpn.org
issued  on        : 2019-01-22 14:37:50
expires on        : 2029-01-19 14:37:50
signed using      : RSA with SHA-512

[nexsteppe 24]

2 hours ago, inc said:

Yesterday no errors all day, today back to errors It would be good to know what the problem is.

I am also interested in these problems.  For me the new client has been at least as stable as OpenVPN 2, with sessions staying tacked up for days with no indication it ever failed rekeying.  Sometimes I'll see replay warnings when rsync'ing a repo or doing a speed test, but that was also the case with OpenVPN 2 so it is not particular to hummingbird.
 

1 hour ago, inc said:

it does not always show the AirVPN server name 

I assume this is a setting or value pulled from the server certificate rather than anything to do with hummingbird.  But I probably should let Staff confirm this.

[Staff 9972]

@inc
@hawkflights

Hello!

The remote, destination server connection is always logged. Of course it may report exclusively an IP address and not an FQDN with its resolution: that depends on the profile.

In case of Air VPN servers, the CN can be either the server name or a generic "server" string (we need to make that consistent, yes).

A full integration with the AirVPN "bootstrap" servers will come with the future frontend(s) directing the daemon we mentioned in our previous message (you may have a sort of idea by looking at Eddie Android edition source code). We will disclose an estimated release date of the Hummingbird daemon beta version soon.

Your request has been well understood: in Linux several community members asked us to drop Mono and required software "10x" faster than Eddie, and we think that we have made some important steps in the right direction, according to the general feedback (thanks!). Remember, furthermore, that even Eddie 2.18.5 piece running as root is completely written in C++ and does not require Mono (Eddie GUI does).

Please keep reporting the problem (we still think it has to do with the re-keying), and also a comparison with OpenVPN 2 from the very same system of yours, if you can and if possible.

Kind regards
 

[inc 3]

On 1/7/2020 at 1:26 PM, Staff said:

Please keep reporting the problem (we still think it has to do with the re-keying)

Yesterday I created another ovpn file using same servers but with UDP  tlscrypt, tls 1.2   and have not had error message for 24 hours.

[colorman 26]

1 hour ago, inc said:

Yesterday I created another ovpn file using same servers but with UDP  tlscrypt, tls 1.2   and have not had error message for 24 hours.

I'm also going to test

[Guest]

Hummingbird landed on HN: https://news.ycombinator.com/item?id=21997261

[nexsteppe 24]

I finally encountered the rekeying errors that others reported here.  Attached is a screenshot of when the warning output began while logged into 'Telescopium' (CA), times shown are UTC.

Interestingly, the tunnel remains up while the Client Area indicates I've no active session with the server.



I will try leaving the connection up on that machine to see when it eventually drops.  N.B. Connection finally dropped at the hour mark after the keying issue began (~13:05 UTC), with the session successfully restarting on its own.

[Staff 9972]

On 1/9/2020 at 11:57 AM, bunagga said:

Hummingbird landed on HN: https://news.ycombinator.com/item?id=21997261

Hello!

Thanks for the link. Nice that they talk about it, while it's sad to see that some people "suspect" about something weird when the code is open and a simple diff will tell you everything, even in relation to the bug fixes and new features.

If you read our forum you already know why the major changes and critical bug fixes are not in the main branch: AirVPN commits have been refused with pathetic motivations which have NEVER been technical reasons. Arne Schwabe even talked about coding standards when the code he (or OpenVPN 3 maintainers) approved previously is infested by "goto" (!!!), "break", wrong indentations and totally crazy stuff, while AirVPN code is very elegant even according to the Art of Computer Programming books.

Therefore, now OpenVPN 3 library is bugged, obsolete, without CHACHA20 support and unusable in Linux (just verify the critical bug in re-connections inside a session, which has been patched by us), while OpenVPN 3 AirVPN fork has CHACHA20 support (in Data Channel too), ncp-disable, a new class to handle AEAD ciphers, and works nicely in Android, Linux x86-64 - ARM 32 - ARM 64 and macOS.

Kind regards
 

[colorman 26]

23 hours ago, colorman said:

On 1/9/2020 at 9:59 AM, inc said:

Yesterday I created another ovpn file using same servers but with UDP  tlscrypt, tls 1.2   and have not had error message for 24 hours.

I'm also going to test

@Staff @inc

Can you explain to me what the difference is with the "normal" way.
I also experience a better speed with UDP tlscrypt, tls 1.2
No problems so far

Thanks GJ

[funkoholic 1]

I know it's a long shot, but would it be possible to introduce vpn over tor support in near future? Then I'm ready to ditch eddie Thanks.

[nexsteppe 24]

20 hours ago, colorman said:

I also experience a better speed with UDP tlscrypt, tls 1.2

I must admit I was still using tls-auth until quite recently.  However even after switching to tls-crypt I continue to have keying problems.
I'm not sure what changed, since prior to my report above I had no such problem even with earlier test releases.

[Staff 9972]

@hawkflights

Hello!

Can you please tell us your exact Linux distribution version?

@colorman

Hello!

TLS Crypt encrypts the whole OpenVPN Control Channel. Therefore DPI can't detect anymore any typical OpenVPN "fingerprint", thus can't trigger traffic shaping against OpenVPN, or similar. TLS Crypt in an agnostic network does not improve or affect negatively performance, as most of the time is spent on encryption and decryption of the Data Channel. Therefore, if you experience a better throughput with TLS crypt, a plausible explanation is that your ISP enforces traffic shaping.

@inc

Hello!

Should the re-keying errors re-appear, can you tell us your exact Linux distribution version?

@funkoholic

Hello!

Connection over Tor is not planned for the next major release, which is focused on creating an Hummingbird daemon and two different frontends, one of them in Qt, without adding major new features at least for the first release cycle.

Connection over Tor is a special case of the more general connection over a SOCKS proxy, with the addition of communications with Tor to obtain the Tor entry-node IP address and route it outside the VPN, preventing the infinite routing loop problem. Hence, we need to review the code of the library pertaining to connections over a proxy, which we did not touch.

Kind regards
 

[nexsteppe 24]

39 minutes ago, Staff said:

Can you please tell us your exact Linux distribution version?

@Staff I'm running Slackware 14.2 stable with kernel 4.4.208 and a source build of Hummingbird 1.0 against mbedtls 2.16.2.

[colorman 26]

On 1/11/2020 at 12:31 PM, Staff said:

Should the re-keying errors re-appear, can you tell us your exact Linux distribution version?
 

Had another error message today.
openSUSE 15.1 kernel: 4.12.14-lp151.28.36.1

Sat Jan 11 13:28:54.196 2020 ERROR: KEY_STATE_ERROR
Sat Jan 11 13:28:54.254 2020 ERROR: KEY_STATE_ERROR
Sat Jan 11 13:28:54.254 2020 ERROR: KEY_STATE_ERROR
Sat Jan 11 13:28:56.013 2020 ERROR: KEY_STATE_ERROR
Sat Jan 11 13:29:00.010 2020 ERROR: KEY_STATE_ERROR
Sat Jan 11 13:29:08.195 2020 ERROR: KEY_STATE_ERROR
Sat Jan 11 13:29:24.196 2020 ERROR: KEY_STATE_ERROR

[inc 3]

8 hours ago, Staff said:

@inc

Should the re-keying errors re-appear, can you tell us your exact Linux distribution version?
 

Only had one error message in last three days. Running Debian sid ( siduction) with Kernel: 5.4.10-towo.1-siduction-amd64 x86_64

[monstrocity 31]

Post moved to Eddie Desktop 2.18beta released thread

 

 

[Staff 9972]

@monstrocity

Thank you! Please post  a copy of your message in the Eddie 2.18 beta thread though. Here we just need to verify whether the problem occurs or not when Hummingbird is run by itself: when you are connected to some VPN server, over TCP, can you "ping" an arbitrary host without errors?

Faster throughput and higher general responsiveness is expected as our OpenVPN 3 AirVPN library is highly optimized, from the source code itself,  if you compare it with OpenVPN 2.x.

Kind regards
 

[harold.lewis 22]

hummingbird woks inside eddie 2.18.6 portable on plasma manjaro

[pjnsmb 13]

Error messages at random intervals from startup.
I have noticed on the last two occasions the errors started exactly on one hour and exactly on three hours from startup .
Files attached for information.

 Running Debian sid ( siduction) with Kernel: 5.5.0-rc7-siduction-amd64

airvpn 3 airvpn 2

[Staff 9972]

@pjnsmb

Thank you for your report!

1) We are aware of re-keying errors (ERROR: KEY_STATE_ERROR ecc.) and we are investigating. They do not cause disconnection but block Perfect Forward Secrecy.

2) Network lock can't be activated, and that's a new error never met before. We think it's related to some change in Debian 11. Can you tell us whether you get the following error:

ip6tables-save v1.8.4 (legacy): Cannot initialize: Address family not supported by protocol
Sat Jan 18 14:21:10.690 2020 ERROR: Cannot initialize network filter

always or only sometimes? It's an important error because it prevents network lock to be enforced, therefore please keep it into consideration, we're sorry.

Can you please check whether you have, in your system, both "iptables-legacy" and "ip6tables-legacy"? Can you also tell us whether your Debian kernel supports IPv6, and whether you have disabled IPv6 in some system configuration?

Last but not least, can you check whether Network Lock by Eddie 2.18.6 beta is enforced correctly or not, if you have time?

Kind regards

 

[pjnsmb 13]

@Staff

Installed :
Package: iptables
Version: 1.8.4-2
This package contains several different utilities, the most important ones:
iptables-legacy,
ip6tables-legacy,
etc,etc

My kernel supports IPv6 and II have disabled IPv6 in :
Network Manager settings
/etc/default/grub settings
/etc/sysctl.conf settings
/etc/netconfig settings

I have cancelled all  these IPv6 alterations in the past to see if I stopped getting all the :
ip6tables v1.8.4 (legacy): can't initialize ip6tables table `##########': Address family not supported by protocol entries
 but they continued to show in the log.


It has produced this error seven out of seven times. 
I have re-installed eddie 2.18.6 (with the numerous dependencies- roll on a 100% working hummingbird ! )

This seems to be working quite successfully with network lock, and I have attached  the log for information.

regards





 

Eddie_20200124_100555.txt

[Staff 9972]

@pjnsmb

Hello!

Thank you very much, we will investigate.

Now you can even use Hummingbird via Eddie, if you wish so, because Network Lock is enforced by Eddie even when it runs Hummingbird. Of course please make sure that Network Lock is applied properly, just in case.

Kind regards


 

[pjnsmb 13]

@Staff

Using hummingbird through Eddie portable shows on line 59 of the attached file :
 Fri Jan 24 13:01:59.333 2020 ERROR: Cannot activate network filter and lock

So can I presume the lock is not in fact working ?
thanks for your help

UPDATE 

Errors starting exactly one hour after starting :

Fri Jan 24 14:01:59.258 2020 ERROR: KEY_STATE_ERROR
Fri Jan 24 14:01:59.315 2020 ERROR: KEY_STATE_ERROR
Fri Jan 24 14:01:59.316 2020 ERROR: KEY_STATE_ERROR
Fri Jan 24 14:02:01.258 2020 ERROR: KEY_STATE_ERROR
Fri Jan 24 14:02:05.230 2020 ERROR: KEY_STATE_ERROR
Fri Jan 24 14:02:13.259 2020 ERROR: KEY_STATE_ERROR
Fri Jan 24 14:02:29.034 2020 ERROR: KEY_STATE_ERROR
Fri Jan 24 14:02:59.244 2020 ERROR: KEV_NEGOTIATE_ERROR
Fri Jan 24 14:02:59.244 2020 ERROR: HANDSHAKE_TIMEOUT
Fri Jan 24 14:03:00.257 2020 ERROR: CC_ERROR
Fri Jan 24 14:03:02.258 2020 ERROR: CC_ERROR
Fri Jan 24 14:03:06.258 2020 ERROR: CC_ERROR
Fri Jan 24 14:03:14.258 2020 ERROR: CC_ERROR
Fri Jan 24 14:03:30.028 2020 ERROR: CC_ERROR
Fri Jan 24 14:03:59.245 2020 ERROR: KEV_NEGOTIATE_ERROR
Fri Jan 24 14:03:59.245 2020 ERROR: HANDSHAKE_TIMEOUT



 

eddie UI

Edited ... by pjnsmb
update to log

[Staff 9972]

@pjnsmb

Hello!

You are still running Hummingbird directly. To run it through Eddie (so you have Network Lock by Eddie) please see here:
https://airvpn.org/forums/topic/45326-eddie-desktop-218beta-released/?do=findComment&comment=103687

Kind regards