Hummingbird 1.0: AirVPN client based on OpenVPN 3 AirVPN

[pjnsmb 13]

@Staff

thanks for the clarification
that works for me
regards

[misam 9]

I successfully created a ProxyVM within QubesOS using hummingbird and I confirm that connection works, however I have problems when trying to use this ProxyVM connections for other AppVM's. They basically do not connect. Accoring to QubesOS VPN section, it should be all working but it is not. I mean, I do not expect a solution here, I think I should post to QubesOS but heads up for hummingbird working (more or less lol) in Qubes.

[misam 9]

Sometimes I am getting a bunch of KEY_STATE_ERROR messages, however connection is still on.

[monstrocity 31]

Hummingbird has been updated to 1.0.1.  Have you tried the latest version?

[misam 9]

yes I am on 1.0.1 but still getting (quite randomly) there errors. Right now while I am writing this post, I see them.

[Androidlinux 0]

Hi, thank you so much for the new client, I am going to try it, but I have one question, is there any way to change servers without stopping the process. Basically, I have a python script that triggers vpn server change, previously I used the system gui scripting (mac) , however that it can't do this in background, it always requires control over PC. Now I want to use it on Linux, is it possible to send something like a signal to change a server? Thanks

[Staff 9972]

@Androidlinux

Hello!

Currently not, we're sorry (you need to send a kill signal to Hummingbird and restart it with a new profile, which is not exactly what you ask for), but this feature will be available in the frontend+daemon solution. Hummingbird will be maintained as a stand alone binary and will also evolve in to a new software. The daemon is already in advanced development stage and initially we will release it together with a CLI frontend. Immediately after that, development of a GUI for the daemon, based on Qt, will begin.

Kind regards
 

[Androidlinux 0]

38 minutes ago, Staff said:

@Androidlinux

Hello!

Currently not, we're sorry (you need to send a kill signal to Hummingbird and restart it with a new profile, which is not exactly what you ask for), but this feature will be available in the frontend+daemon solution. Hummingbird will be maintained as a stand alone binary and will also evolve in to a new software. The daemon is already in advanced development stage and initially we will release it together with a CLI frontend. Immediately after that, development of a GUI for the daemon, based on Qt, will begin.

Kind regards
 

Thank you for the prompt answer, that will be a really cool feature! 

[frk1337 3]

The Linux binary does not run on the most recent Synology DSM (DS918+):
 

hummingbird: /lib/libstdc++.so.6: no version information available (required by hummingbird)
hummingbird: /lib/libstdc++.so.6: no version information available (required by hummingbird)
hummingbird: /lib/libstdc++.so.6: no version information available (required by hummingbird)
hummingbird: /lib/libstdc++.so.6: no version information available (required by hummingbird)
hummingbird: /lib/libstdc++.so.6: no version information available (required by hummingbird)
hummingbird: /lib/libstdc++.so.6: no version information available (required by hummingbird)
hummingbird: /lib/libstdc++.so.6: no version information available (required by hummingbird)
hummingbird: /lib/libstdc++.so.6: no version information available (required by hummingbird)
hummingbird: /lib/libstdc++.so.6: no version information available (required by hummingbird)
hummingbird: /lib/libstdc++.so.6: no version information available (required by hummingbird)
hummingbird: /lib/libstdc++.so.6: no version information available (required by hummingbird)
hummingbird: /lib/libstdc++.so.6: no version information available (required by hummingbird)
hummingbird: /lib/libstdc++.so.6: no version information available (required by hummingbird)
hummingbird: relocation error: hummingbird: symbol _ZTINSt3_V214error_categoryE, version GLIBCXX_3.4.21 not defined in file libstdc++.so.6 with link time reference

Any plans for a static Linux x86_64 binary ?

[farquaad 14]

The following is a basic script to randomise vpn connections. It works on a MacOS and can surely be adapted for Linux.
 

#!/usr/bin/env sh

# Tested on MacOS. Will require 'brew install randomize-lines' or a change of code to randomise.
# Script launches process in screen background. To reattach: 'sudo screen -r'. For more, 'man scren'

# I have the following in my user root:
# vpn/safe - All non 14 eyes and close
# vpn/toofar - All non 14 eyes and too far
# vpn/14eyes - All 14 eyes that I should never touch

# Check you are root
if [[ $(whoami) != 'root' ]]; then
  echo "You need to be root!"
  exit 1
fi

# Kill all humingbird instances. Softly first...
[ $(pgrep hummingbird) ] && pkill -15 hummingbird
[ $(pgrep hummingbird) ] && pkill -9 hummingbird

# Make sure it isn't locked before starting
hummingbird --recover-network

if [[ $1 == '' ]]; then
  # Randomise
  vpn=$(find ~/vpn/safe -type f -name '*.ovpn' | rl --count=1)
else
  vpn=$1
fi

# Start in the background
echo "Connecting to: $(basename $vpn)"
screen -d -m sudo hummingbird --network-lock on --persist-tun --auth-retry --tcp-queue-limit 4000 $vpn

Hope it can help someone out there.

[OpenSourcerer 1435]

@farquaad
A few remarks for Linux:

• I'd rewrite the question about root to a relaunch as root:

# Check you are root
if [[ $(whoami) != 'root' ]]; then
  sudo $0;
  exit 0;
fi

• Since the hummingbird binary will not be in PATH, one must decide whether to copy it to /usr/local/sbin or enter hummingbird's path to PATH. Otherwise calling hummingbird will output a command not found error.
• Randomization can be done with shuf. It's part of coreutils so everyone should have it. It accepts files directly, so one can think about calling it with shuf -n 1 ~/vpn/safe instead.
• I don't quite understand the find command, especially why you look for ".ovpn". Maybe, because I don't know the format of that safe file. Can you elaborate or even provide it? One can even think about generating it in a semi-automatic fashion in the future.
• Some distributions don't come with screen preinstalled, like Debian. I will add a check for this which terminates the script if it's not found. There are far more elegant solutions for this.
• The hummingbird options may be relevant for you only. I'd reduce them to something everyone would want, like NetLock. And since we call the script as root, sudo wouldn't be needed.

All in all:

#!/usr/bin/env sh

# Script launches process in screen background. On some distribution, it must first be installed with a package manager.
# To reattach: 'sudo screen -r'. For more, 'man screen'.

# Original author uses some files with this script:
# vpn/safe - All non 14 eyes and close
# vpn/toofar - All non 14 eyes and too far
# vpn/14eyes - All 14 eyes that should never be touched

# Check if screen is installed
screen -v 2>/dev/null
if [ $? -eq 127 ]; then
  echo "Screen doesn't seem to be installed. Exiting."
  exit 1
fi

# Check if you are root
if [[ $(whoami) != 'root' ]]; then
  sudo $0
  exit 0
fi

# Kill all hummingbird instances. Softly first...
[ $(pgrep hummingbird) ] && pkill -15 hummingbird
[ $(pgrep hummingbird) ] && pkill -9 hummingbird

# Make sure it isn't locked before starting
hummingbird --recover-network

if [[ $1 == '' ]]; then
  # Randomise
  vpn=$(find ~/vpn/safe -type f -name '*.ovpn' | shuf -n 1)
else
  vpn=$1
fi

# Start in the background
echo "Connecting to: $(basename $vpn)"
screen -d -m hummingbird --persist-tun $vpn

[farquaad 14]

@giganerd
I did do a few assumptions.

• I copied the binary to /usr/local/bin, I should have mentioned it.
• There is a coreutils on brew so using shuf will also work on the Mac. One step closer to Linux.
• Good catch on screen. This was tested on a Mac but yes, Debian comes without so why not test it and try and make it work there too. Using which might be cleaner
• I would rather warn that someone is not root rather than prompt for a password and have them wonder why.
• My ~/vpn/safe is nothing more than the list of vpn servers I connect to. An ls would do the trick but I went with find.

find ~/vpn/safe -type f -name '*.ovpn'
/Users/farquaad/vpn/safe/AirVPN_Czech-Republic_TCP-443-Entry3.ovpn
/Users/farquaad/vpn/safe/AirVPN_Switzerland_TCP-443-Entry3.ovpn
/Users/farquaad/vpn/safe/AirVPN_Lithuania_UDP-443-Entry3.ovpn
[...]

• hummingbird preset were indeed meant for me and I didn't think of changing them. Maybe version 2 might allows hummingbird options on the command line.

Thanks for your feedback!
 

#!/usr/bin/env sh

# Script launches process in screen background. To reattach: 'sudo screen -r'. For more, 'man scren'

# The following folder structure contains my ovpn files:
# vpn//safe - All non 14 eyes and close
# vpn//toofar - All non 14 eyes and too far
# vpn//14eyes - All 14 eyes that I should never touch

# Check if screen is installed
if [ ! $(which screen) ]; then
  echo "Screen doesn't seem to be installed. Exiting."
  exit 1
fi

# Check you are root
if [[ $(whoami) != 'root' ]]; then
  echo "You need to be root!"
  exit 1
fi

# Kill all humingbird instances. Softly first...
[ $(pgrep hummingbird) ] && pkill -15 hummingbird
[ $(pgrep hummingbird) ] && pkill -9 hummingbird

# Make sure it isn't locked before starting
hummingbird --recover-network

if [[ $1 == '' ]]; then
  # Randomise
  vpn=$(find ~/vpn/safe -type f -name '*.ovpn' | shuf -n 1)
else
  vpn=$1
fi

# Start in the background
echo "Connecting to: $(basename $vpn)"
screen -d -m hummingbird --persist-tun $vpn

[OpenSourcerer 1435]

1 hour ago, farquaad said:

My ~/vpn/safe is nothing more than the list of vpn servers I connect to. An ls would do the trick but I went with find.

You did it this way because hummingbird doesn't support remote-random yet, am I right?
 

1 hour ago, farquaad said:

I would rather warn that someone is not root rather than prompt for a password and have them wonder why.

Fair enough.
 

1 hour ago, farquaad said:

Using which might be cleaner

I agree.

[inc 3]

Bit of a problem, I was trying to set up some port forwarding on my Microtek router (no vpn) and forgot I was running the vpn on  my pc so closed it ,since then I can now only get online through the vpn and cannot reach the router setup via the browser. I can reach the router through a terminal and the settings look fine running the hummingbird --recover-network command I get

It seems this program has properly exited in its last run and
it has already restored network settings on exit.

ERROR: Backup copy of resolv.conf not found.
ERROR: Backup copy of network filter not found.
I have looked at the network config files and they all look OK any ideas where to look next I will probably do a hard reset of the router and try a reinstall of the OS next but that will be a last resort.

[OpenSourcerer 1435]

iptables -F

[inc 3]

Thanks, no change, the iptables files look ok, I don't use them on the pc

Chain INPUT (policy ACCEPT)
target     prot opt source               destination

Chain FORWARD (policy ACCEPT)
target     prot opt source               destination

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination
# Warning: iptables-legacy tables present, use iptables-legacy to see them

[inc 3]

Solved,  got into the routerOS  via the terminal and eventually worked out how to disable the NAT settings I had been working on when the problem occurred and it all seems to be back to normal.

[muelli 2]

Something is really wrong with the "hummingbird" client. It is eating 100% CPU @<40mbit on my celeron J1900 with CHACHA20:POLY1305 cipher.
Openvpn 2.4 can crunch around 200MBit on this CPU with AES256 cipher.... so there must be some error somewhere....

[Staff 9972]

@muelli

Hello!

We have not observed the behavior on our testing machines and it has never been reported before, so it needs to be investigated from scratch. What is your exact Linux distribution? What is the CPU usage if you use AES-CBC and AES-GCM?

Kind regards
 

[muelli 2]

@Staff
LInux flavor: Ubuntu 18.04.3 LTS, 4.15.0-88-generic #88-Ubuntu SMP Tue Feb 11 20:11:34 UTC 2020 x86_64 x86_64 x86_64 GNU/Linux

CPU (Celeron J1900) usage:
OpenVPN3, AES-256-CBC, 97% @200Mbit
OpenVPN3, AES-256-GCM, 98% @200Mbit

Hummingbird 1.0.2, AES-256-CBC, 100% @52Mbit
Hummingbird 1.0.2, AES-256-GCM, 100% @45Mbit
Hummingbird 1.0.2, CHACHA20-POLY1305, 100% @35Mbit

 

[Staff 9972]

@muelli

Thanks.

We failed to reproduce it, but it must be said that we don't have a Celeron at all. Does anybody else observe a 100% CPU load, or anyway high CPU load? If so, at what throughput?

Kind regards
 

[muelli 2]

@Staff
This particular Intel CPU has no AES-NI, so that was the reason for testing ChaCha20.
Maybe you find a x86 CPU in your lab without AES-NI as well to test?

[Staff 9972]

18 minutes ago, muelli said:

@Staff
This particular Intel CPU has no AES-NI, so that was the reason for testing ChaCha20.
Maybe you find a x86 CPU in your lab without AES-NI as well to test?

Not even one unfortunately... but we have a plethora of ARM processors. Another very weird occurrence in your case is that you have LESS throughput with CHACHA20 than with AES, which is unexpected indeed on a non-AES-NI supporting system. Actually we observe the opposite on ARM based devices (better throughput and longer battery life). Let's see whether somebody else can report from some similar system.
 

Quote

OpenVPN3, AES-256-CBC, 97% @200Mbit
OpenVPN3, AES-256-GCM, 98% @200Mbit

EDIT: how do you use OpenVPN 3 library in your system? We see a huge boost when compared to Hummingbird, it could be a good starting point to check various things.

Kind regards
 

[muelli 2]

@Staff
Not sure what you mean about how I use the openvpn3 library. I am using the official openvpn repo described here:
https://community.openvpn.net/openvpn/wiki/OpenVPN3Linux

The linked libs for my openvpn3 binary from this repo are:

    linux-vdso.so.1 (0x00007ffc5e1f4000)
    libssl.so.1.1 => /usr/lib/x86_64-linux-gnu/libssl.so.1.1 (0x00007f08f745a000)
    libcrypto.so.1.1 => /usr/lib/x86_64-linux-gnu/libcrypto.so.1.1 (0x00007f08f6f8f000)
    libgio-2.0.so.0 => /usr/lib/x86_64-linux-gnu/libgio-2.0.so.0 (0x00007f08f6bf0000)
    libgobject-2.0.so.0 => /usr/lib/x86_64-linux-gnu/libgobject-2.0.so.0 (0x00007f08f699c000)
    libglib-2.0.so.0 => /usr/lib/x86_64-linux-gnu/libglib-2.0.so.0 (0x00007f08f6685000)
    libjsoncpp.so.1 => /usr/lib/x86_64-linux-gnu/libjsoncpp.so.1 (0x00007f08f6453000)
    liblz4.so.1 => /usr/lib/x86_64-linux-gnu/liblz4.so.1 (0x00007f08f6237000)
    libstdc++.so.6 => /usr/lib/x86_64-linux-gnu/libstdc++.so.6 (0x00007f08f5eae000)
    libgcc_s.so.1 => /lib/x86_64-linux-gnu/libgcc_s.so.1 (0x00007f08f5c96000)
    libpthread.so.0 => /lib/x86_64-linux-gnu/libpthread.so.0 (0x00007f08f5a77000)
    libc.so.6 => /lib/x86_64-linux-gnu/libc.so.6 (0x00007f08f5686000)
    libdl.so.2 => /lib/x86_64-linux-gnu/libdl.so.2 (0x00007f08f5482000)
    libgmodule-2.0.so.0 => /usr/lib/x86_64-linux-gnu/libgmodule-2.0.so.0 (0x00007f08f527e000)
    libz.so.1 => /lib/x86_64-linux-gnu/libz.so.1 (0x00007f08f5061000)
    libselinux.so.1 => /lib/x86_64-linux-gnu/libselinux.so.1 (0x00007f08f4e39000)
    libresolv.so.2 => /lib/x86_64-linux-gnu/libresolv.so.2 (0x00007f08f4c1e000)
    libmount.so.1 => /lib/x86_64-linux-gnu/libmount.so.1 (0x00007f08f49ca000)
    libffi.so.6 => /usr/lib/x86_64-linux-gnu/libffi.so.6 (0x00007f08f47c2000)
    libpcre.so.3 => /lib/x86_64-linux-gnu/libpcre.so.3 (0x00007f08f4550000)
    libm.so.6 => /lib/x86_64-linux-gnu/libm.so.6 (0x00007f08f41b2000)
    /lib64/ld-linux-x86-64.so.2 (0x00007f08f7a62000)
    libblkid.so.1 => /lib/x86_64-linux-gnu/libblkid.so.1 (0x00007f08f3f65000)
    librt.so.1 => /lib/x86_64-linux-gnu/librt.so.1 (0x00007f08f3d5d000)
    libuuid.so.1 => /lib/x86_64-linux-gnu/libuuid.so.1 (0x00007f08f3b56000)

If you need another information, pls elaborate

[snrtd 0]

I get 100 % CPU usage at around 20 MBytes/s with CHACHA20; with AES-256-GCM I get 100 % usage at around 40 MBytes/s. Is that to be expected on a i5-7200U CPU @ 2.5 GHz?