
LINUX new software: AirVPN Suite 1.0 beta


@staff 
The README.md file on beta 2 is still showing :
Version 1.0.0 Beta 1 - Release date 18 November 2020

Only a minor point but it doesn't help on the fault finding for users looking for accurate information without being confused.

@pjnsmb

Hello and thanks! Documentation remains the one you see. It will be updated when possible and anyway not later than stable version release date. At the moment it is perfectly valid for beta 2 version, you can rely on it safely.

Kind regards
 


@staff
Further to my post on 21st November and after using the uninstall.sh provided in beta 2 to get a clean install of beta 2 I am still getting on boot :

Nov 28 11:46:02 desktop systemd[1]: Started AirVPN Bluetit Daemon.
Nov 28 11:46:02 desktop bluetit[648]: ^[[0;38;5;245m^[[0;38;5;245mSuccessfully connected to D-Bus
Nov 28 11:46:02 desktop bluetit[648]: ^[[0;38;5;245m^[[0;38;5;245mReading run control directives from file /etc/airvpn/bluetit.rc


################Nov 28 11:46:02 desktop bluetit[648]: ^[[0;38;5;245m^[[0;38;5;245mIPv6 is not available in this system#################


Nov 28 11:46:02 desktop bluetit[648]: ^[[0;38;5;245m^[[0;38;5;245mSystem country set to GB by Bluetit policy.
Nov 28 11:46:02 desktop bluetit[648]: ^[[0;38;5;245m^[[0;38;5;245mBluetit successfully initialized and ready
Nov 28 11:46:02 desktop bluetit[648]: ^[[0;38;5;245m^[[0;38;5;245mAirVPN Manifest updater thread started
Nov 28 11:46:02 desktop bluetit[648]: ^[[0;38;5;245m^[[0;38;5;245mAirVPN Manifest update interval is 15 minutes
Nov 28 11:46:02 desktop bluetit[648]: ^[[0;38;5;245m^[[0;38;5;245mUpdating AirVPN Manifest
Nov 28 11:46:02 desktop bluetit[648]: ^[[0;38;5;245m^[[0;38;5;245mAirVPN Manifest successfully retrieved from server


I am still having to restart bluetit.service to get IPv6 available to continue on to getting goldcrest working.

 

On 11/28/2020 at 12:38 AM, OpenSourcerer said:

IPv6 detection error is fixed


Hello!

That's strange because absolutely nothing changed in IPv6 detection between internal beta 1, beta 1 and beta 2. Let us know if the problem re-appears.
 
Quote

v6 routes are still not applied, leading to IPv6 leaks if NetLock is off. IPv6 rc values and console arguments only cause Bluetit to connect via v6.


Are IPv6 routes pushed by VPN servers and the push is ignored, or are IPv6 routes not pushed at all? Is 6to4 option on?

Can we see the log and the settings pertaining to the 2nd problem, i.e. connection over IPv6 when IPv4 is expected? The expected behavior by Bluetit is: connect in IPv6 whenever user employs IPv6 remote addresses or options in Goldcrest, except when 6to4 option is active, in which case, if possible, connect in IPv4 and tunnel IPv6 over IPv4.

Kind regards


 

19 minutes ago, Staff said:

Are IPv6 routes pushed by VPN servers and the push is ignored, or are IPv6 routes not pushed at all? Is 6to4 option on?


There are no v6 routes pulled, except for the explicit v6 route to the server itself being set, see goldcrest.log.
Tried "air-ipv6=on, ipv6=off", vice versa and both on.
goldcrest.rc

goldcrest.log
goldcrest.iproute2.log

» I am not an AirVPN team member. All opinions are my own and are not to be considered official. Only the AirVPN Staff account should be viewed as such.

» The forums is a place where you can ask questions to the community. You are not entitled to guaranteed answer times. Answer quality may vary, too. If you need professional support, please create tickets.

» If you're new, take some time to read LZ1's New User Guide to AirVPN. On questions, use the search function first. On errors, search for the error message instead.

» If you choose to create a new thread, keep in mind that we don't know your setup. Give info about it. Never forget the OpenVPN logs or, for Eddie, the support file (Logs > lifebelt icon).

» The community kindly asks you to not set up Tor exit relays when connected to AirVPN. Their IP addresses are subject to restrictions and these are relayed to all users of the affected servers.

 

» Furthermore, I propose that your paranoia is to be destroyed. If you overdo privacy, chances are you will be unique among the mass again.

@OpenSourcerer

OK! That's expected behavior. You need to set air-6to4 to on and connect in IPv4 if you wish IPv6 over IPv4. Please check and verify whether everything is OK.

Explanation: since 2016 or 2017 our VPN servers are customized to push IPv6 routes only if client sends a user variable IPV6 containing value yes. Otherwise no IPv6 routes are pushed: that's necessary indeed, in order to avoid older OpenVPN versions numerous bugs on IPv6 and also make IPv4 connections possible to those systems which do not support IPv6, otherwise any OpenVPN version older than 2.5 would invoke "ip route" or "route" commands which would fail and cause OpenVPN to exit immediately.

Insofar, a client must include directive setenv UV_IPV6=yes for OpenVPN to get IPv6 push and tunnel IPv6 over IPv4 (see also Configuration Generator generated profiles). Bluetit and Hummingbird will have OpenVPN3 library set IPV6 variable to yes only when air-6to4 is on and by default it is off. We are considering to change 6to4 to on by default, if IPv6 is detected as supported by the system.

Kind regards
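
The leak condition discussed in the posts above (no IPv6 routes through the tunnel while the physical default route is still present) can be checked from `ip -6 route show` output. The following is an added example, not part of the thread and not AirVPN code; the device names `eth0`/`tun0`, the addresses and both route tables are constructed for illustration.

```python
import ipaddress
from collections import namedtuple

Route = namedtuple("Route", "net dev via metric blocked")
GLOBAL_UNICAST = ipaddress.ip_network("2000::/3")
BLOCKING_TYPES = {"unreachable", "blackhole", "prohibit", "throw"}

# Constructed `ip -6 route show` output (documentation prefixes, made-up device
# names): only the host route to the VPN server and the LAN routes exist.
NO_V6_ROUTES = """\
2001:db8:1::10 via fe80::1 dev eth0 metric 1024 pref medium
2001:db8:aaaa::/64 dev eth0 proto ra metric 100 pref medium
fe80::/64 dev eth0 proto kernel metric 100 pref medium
default via fe80::1 dev eth0 proto ra metric 100 pref medium
"""
# Constructed: the same table once routes covering 2000::/3 point at tun0.
TUNNELLED = NO_V6_ROUTES + """\
fd00:1234::/64 dev tun0 proto kernel metric 256 pref medium
2000::/4 dev tun0 metric 1024 pref medium
3000::/4 dev tun0 metric 1024 pref medium
"""

def _opt(tokens, key):
    """Value following `key` on a route line, or None if the key is absent."""
    return tokens[tokens.index(key) + 1] if key in tokens else None

def parse_routes(text):
    routes = []
    for line in text.splitlines():
        tokens = line.split()
        if not tokens:
            continue
        blocked = tokens[0] in BLOCKING_TYPES   # e.g. "blackhole 2000::/3 ..."
        if blocked:
            tokens = tokens[1:]
        dst = "::/0" if tokens[0] == "default" else tokens[0]
        routes.append(Route(ipaddress.ip_network(dst, strict=False),
                            _opt(tokens, "dev"), _opt(tokens, "via"),
                            int(_opt(tokens, "metric") or 1024), blocked))
    return routes

def best_route(routes, addr):
    """Longest-prefix match, lowest metric as tie-break (None if no route)."""
    hits = [r for r in routes if addr in r.net]
    return max(hits, key=lambda r: (r.net.prefixlen, -r.metric)) if hits else None

def decision_points(routes):
    """Addresses in 2000::/3 where the routing decision can change: the start
    of the range, the start of every more-specific route, and the first
    address after each such route. Checking these covers the whole range."""
    points = {GLOBAL_UNICAST.network_address}
    for r in routes:
        if r.net.subnet_of(GLOBAL_UNICAST):
            points.add(r.net.network_address)
            after = int(r.net.broadcast_address) + 1
            if after <= int(GLOBAL_UNICAST.broadcast_address):
                points.add(ipaddress.IPv6Address(after))
    return sorted(points)

def find_leaks(route_text, tunnel_dev, vpn_server=None):
    """Return [(first address of a leaking range, device)] for global IPv6
    destinations that would leave through a gateway outside the tunnel."""
    routes = parse_routes(route_text)
    server = ipaddress.ip_address(vpn_server) if vpn_server else None
    leaks = []
    for addr in decision_points(routes):
        r = best_route(routes, addr)
        if r is None or r.blocked or r.dev == tunnel_dev:
            continue                      # unreachable, dropped, or tunnelled
        if r.via is None and r.net.prefixlen > 0:
            continue                      # assumption: on-link LAN prefix
        if server is not None and r.net.prefixlen == 128 and addr == server:
            continue                      # expected host route to the VPN server
        leaks.append((str(addr), r.dev))
    return leaks

if __name__ == "__main__":
    print(find_leaks(NO_V6_ROUTES, "tun0", "2001:db8:1::10"))
```

An empty list means every global unicast destination is either tunnelled or blocked; any entry names the first address of a range that would bypass the tunnel.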
 

3 minutes ago, Staff said:

OK! That's expected behavior. You need to set air-6to4 to on and connect in IPv4 if you wish IPv6 over IPv4. Please check and verify whether everything is OK.


I did not wish v6 over v4 as the option implied, I wished a similar behavior to the confs I use with vanilla OpenVPN. But you were right, -B/--air-6to4 does pull the desired routes. Unfortunately, this bit of information is not in the manual so I assumed -B forces a v4 connection and I didn't pay any more attention to it.
 
13 minutes ago, Staff said:

We are considering to change 6to4 to on by default, if IPv6 is detected.


I'd appreciate such a change and also the possibility of configuring it with rc. Seems like it's not in the current beta. Generated a fresh rc to check, 6to4 option is missing. Manually adding it does not work:

# goldcrest -O
2020-11-30 12:08:39 Reading run control directives from file /root/.config/goldcrest.rc
2020-11-30 12:08:39 Error while parsing /root/.config/goldcrest.rc file. Unknown directive air-6to4. Exiting.

2 hours ago, OpenSourcerer said:

I did not wish v6 over v4 as the option implied, I wished a similar behavior to the confs I use with vanilla OpenVPN. But you were right, -B/--air-6to4 does pull the desired routes. Unfortunately, this bit of information is not in the manual so I assumed -B forces a v4 connection and I didn't pay any more attention to it.
 
I'd appreciate such a change and also the possibility of configuring it with rc. Seems like it's not in the current beta. Generated a fresh rc to check, 6to4 option is missing. Manually adding it does not work:

# goldcrest -O
2020-11-30 12:08:39 Reading run control directives from file /root/.config/goldcrest.rc
2020-11-30 12:08:39 Error while parsing /root/.config/goldcrest.rc file. Unknown directive air-6to4. Exiting.


Thanks!

For that purpose, in vanilla OpenVPN you need as usual setenv UV_IPV6=yes - in AirVPN servers only of course - since when we started to support IPv6 fully.

We failed to reproduce the "unknown directive" error for air-6to4 in goldcrest.rc - can you please check which exact char is after the "4" ? Maybe it is a parsing problem with blanks. The parser expects either \n , \t, \v or blank space.

Kind regards

 

1 hour ago, Staff said:

can you please check which exact char is after the "4" ?


I checked with hexdump. I used some spaces after it (ASCII 0x20), so I changed that to two tabs (0x09) as it is with the other directives but it still doesn't accept it. I checked the line termination, it's LF (0x0a) exactly as it is before and after the new line. I'm uploading the file here for you to check it yourself.
goldcrest.rc

@OpenSourcerer

Hello!

Your air-6to4 directive has an invalid argument, yes: it should be on. The returned error message "Unknown directive" is unexpected: that's another issue under investigation now. Can you confirm that air-6to4 on resolves the issue and tunnels IPv6 over IPv4 when the connection is over IPv4?

Your suggestion during the internal beta testing has been adopted, but not yet implemented in beta 2. Starting from next release, yes - on - 1 - true on one side and no - off - 0 - false on the other side will be treated as equivalent arguments / synonyms by the parser. 👍

Kind regards
 

1 hour ago, Staff said:

Your air-6to4 directive has an invalid argument, yes: it should be on. The returned error message "Unknown directive" is unexpected: that's another issue under investigation now. Can you confirm that air-6to4 on resolves the issue and tunnels IPv6 over IPv4 when the connection is over IPv4?


Changed to on, same error message. Then, partly out of desperation, tried changing the line of this parameter, first putting it to the very bottom, still no. Put it on the line where air-server was with air-server below it, still no. Does my rc file work with your installation?
Otherwise, I'm out of ideas here. 😕


Dell XPS 9365 13" laptop. Fedora 33 Cinnamon desktop x64

[pc-user@localhost AirVPN-Suite]$ pwd
/home/pc-user/AirVPN-Suite

[pc-user@localhost AirVPN-Suite]$ su -
Password:

[root@localhost ~]# ll
total 8
-rw-------. 1 root root 1117 Nov 19 10:24 anaconda-ks.cfg
-rw-r--r--. 1 root root 1222 Nov 19 10:29 initial-setup-ks.cfg

[root@localhost ~]# cd /home/pc-user/AirVPN-Suite

[root@localhost AirVPN-Suite]# ll
total 10868
-r--------. 1 pc-user pc-user 7987200 Dec  2 14:11 AirVPN-Suite-x86_64-1.0.0-Beta-2.tar-2
-rw-r--r--. 1 pc-user pc-user 3063350 Dec  2 14:01 AirVPN-Suite-x86_64-1.0.0-Beta-2.tar.gz
drwxr-xr-x. 1 pc-user pc-user      54 Oct 28 21:37 bin
drwxr-xr-x. 1 pc-user pc-user      50 Oct 28 20:01 etc
-rwxr-xr-x. 1 pc-user pc-user    5695 Nov 23 21:07 install.sh
-rw-------. 1 pc-user pc-user   62517 Nov 22 19:05 README.md
-rwxr-xr-x. 1 pc-user pc-user    3834 Nov 23 21:11 uninstall.sh
[root@localhost AirVPN-Suite]#

[root@localhost AirVPN-Suite]# ldd bin/bluetit
    linux-vdso.so.1 (0x00007ffe26c78000)
    libdbus-1.so.3 => /lib64/libdbus-1.so.3 (0x00007fb3ae02d000)
    libxml2.so.2 => /lib64/libxml2.so.2 (0x00007fb3adea2000)
    libssl.so.1.1 => /lib64/libssl.so.1.1 (0x00007fb3ade06000)
    libcrypto.so.1.1 => /lib64/libcrypto.so.1.1 (0x00007fb3adb1a000)
    libdl.so.2 => /lib64/libdl.so.2 (0x00007fb3adb13000)
    libstdc++.so.6 => /lib64/libstdc++.so.6 (0x00007fb3ad92b000)
    libm.so.6 => /lib64/libm.so.6 (0x00007fb3ad7e3000)
    libgcc_s.so.1 => /lib64/libgcc_s.so.1 (0x00007fb3ad7c8000)
    libpthread.so.0 => /lib64/libpthread.so.0 (0x00007fb3ad7a6000)
    libc.so.6 => /lib64/libc.so.6 (0x00007fb3ad5db000)
    libsystemd.so.0 => /lib64/libsystemd.so.0 (0x00007fb3ad51f000)
    libz.so.1 => /lib64/libz.so.1 (0x00007fb3ad505000)
    liblzma.so.5 => /lib64/liblzma.so.5 (0x00007fb3ad4d7000)
    /lib64/ld-linux-x86-64.so.2 (0x00007fb3ae666000)
    librt.so.1 => /lib64/librt.so.1 (0x00007fb3ad4cc000)
    libzstd.so.1 => /lib64/libzstd.so.1 (0x00007fb3ad416000)
    liblz4.so.1 => /lib64/liblz4.so.1 (0x00007fb3ad3f8000)
    libgcrypt.so.20 => /lib64/libgcrypt.so.20 (0x00007fb3ad2d3000)
    libgpg-error.so.0 => /lib64/libgpg-error.so.0 (0x00007fb3ad2b0000)

[root@localhost AirVPN-Suite]# echo $?
0

[root@localhost AirVPN-Suite]# ldd bin/goldcrest
    linux-vdso.so.1 (0x00007fffac7b8000)
    libdbus-1.so.3 => /lib64/libdbus-1.so.3 (0x00007fa5dcc4f000)
    libstdc++.so.6 => /lib64/libstdc++.so.6 (0x00007fa5dca67000)
    libm.so.6 => /lib64/libm.so.6 (0x00007fa5dc921000)
    libgcc_s.so.1 => /lib64/libgcc_s.so.1 (0x00007fa5dc906000)
    libpthread.so.0 => /lib64/libpthread.so.0 (0x00007fa5dc8e4000)
    libc.so.6 => /lib64/libc.so.6 (0x00007fa5dc719000)
    libsystemd.so.0 => /lib64/libsystemd.so.0 (0x00007fa5dc65b000)
    /lib64/ld-linux-x86-64.so.2 (0x00007fa5dced6000)
    librt.so.1 => /lib64/librt.so.1 (0x00007fa5dc650000)
    liblzma.so.5 => /lib64/liblzma.so.5 (0x00007fa5dc624000)
    libzstd.so.1 => /lib64/libzstd.so.1 (0x00007fa5dc56e000)
    liblz4.so.1 => /lib64/liblz4.so.1 (0x00007fa5dc550000)
    libgcrypt.so.20 => /lib64/libgcrypt.so.20 (0x00007fa5dc42b000)
    libgpg-error.so.0 => /lib64/libgpg-error.so.0 (0x00007fa5dc408000)
    libdl.so.2 => /lib64/libdl.so.2 (0x00007fa5dc401000)

[root@localhost AirVPN-Suite]# ldd bin/hummingbird
    linux-vdso.so.1 (0x00007ffcac5ac000)
    libssl.so.1.1 => /lib64/libssl.so.1.1 (0x00007f0a4831e000)
    libcrypto.so.1.1 => /lib64/libcrypto.so.1.1 (0x00007f0a48032000)
    libdl.so.2 => /lib64/libdl.so.2 (0x00007f0a4802b000)
    libstdc++.so.6 => /lib64/libstdc++.so.6 (0x00007f0a47e43000)
    libm.so.6 => /lib64/libm.so.6 (0x00007f0a47cfd000)
    libgcc_s.so.1 => /lib64/libgcc_s.so.1 (0x00007f0a47ce2000)
    libpthread.so.0 => /lib64/libpthread.so.0 (0x00007f0a47cbe000)
    libc.so.6 => /lib64/libc.so.6 (0x00007f0a47af3000)
    libz.so.1 => /lib64/libz.so.1 (0x00007f0a47ad9000)
    /lib64/ld-linux-x86-64.so.2 (0x00007f0a4894b000)

[root@localhost AirVPN-Suite]# ll
total 10868
-r--------. 1 pc-user pc-user 7987200 Dec  2 14:11 AirVPN-Suite-x86_64-1.0.0-Beta-2.tar-2
-rw-r--r--. 1 pc-user pc-user 3063350 Dec  2 14:01 AirVPN-Suite-x86_64-1.0.0-Beta-2.tar.gz
drwxr-xr-x. 1 pc-user pc-user      54 Oct 28 21:37 bin
drwxr-xr-x. 1 pc-user pc-user      50 Oct 28 20:01 etc
-rwxr-xr-x. 1 pc-user pc-user    5695 Nov 23 21:07 install.sh
-rw-------. 1 pc-user pc-user   62517 Nov 22 19:05 README.md
-rwxr-xr-x. 1 pc-user pc-user    3834 Nov 23 21:11 uninstall.sh
 
[root@localhost AirVPN-Suite]# sh ./install.sh

AirVPN suite installation script

Do you want to install AirVPN Suite? [y/n] y

System is using systemd

Installing bluetit to /sbin
Installing goldcrest to /usr/local/bin
Installing hummingbird to /usr/local/bin
Installing bluetit configuration files
Installing D-Bus configuration files
Installing systemd bluetit.service unit

Do you want to enable bluetit.service unit? [y/n] y
Created symlink /etc/systemd/system/multi-user.target.wants/bluetit.service → /etc/systemd/system/bluetit.service.
Bluetit service enabled

Do you want to start Bluetit service now? [y/n] y
Bluetit service started

Do you want to create airvpn user? [y/n] y
Please set a password for user airvpn
Changing password for user airvpn.
New password:
BAD PASSWORD: The password is shorter than 8 characters
Retype new password:
Sorry, passwords do not match.
passwd: Authentication token manipulation error

User airvpn added to group airvpn

Done.

[root@localhost AirVPN-Suite]# passwd airvpn
Changing password for user airvpn.
New password:
Retype new password:
passwd: all authentication tokens updated successfully.

[root@localhost AirVPN-Suite]#

[pc-user@localhost AirVPN-Suite]$ goldcrest -O
2020-12-02 19:38:19 Reading run control directives from file /home/pc-user/.config/goldcrest.rc
Goldcrest 1.0.0 Beta 2 - 27 November 2020

2020-12-02 19:38:19 Bluetit - AirVPN OpenVPN 3 Service 1.0.0 Beta 2 - 27 November 2020
2020-12-02 19:38:19 OpenVPN core 3.6.6 AirVPN linux x86_64 64-bit
2020-12-02 19:38:19 Bluetit is connected to VPN


Use goldcrest -O

------------------------------------------------------------------------------------------------------------------------------------------------------

We started the bluetit service, put the airvpn username and password into goldcrest.rc, and ran "goldcrest -O". The VPN was set up correctly, confirmed in the browser. We restarted the laptop, and noticed that the service did not start:

[pc-user@localhost ~]$ systemctl status bluetit
● bluetit.service - AirVPN Bluetit Daemon
     Loaded: loaded (/etc/systemd/system/bluetit.service; enabled; vendor preset: disabled)
     Active: failed (Result: exit-code) since Wed 2020-12-02 19:47:23 AEDT; 3min 56s ago
    Process: 640 ExecStart=/sbin/bluetit (code=exited, status=1/FAILURE)
        CPU: 9ms

Dec 02 19:47:23 localhost.localdomain systemd[1]: Starting AirVPN Bluetit Daemon...
Dec 02 19:47:23 localhost.localdomain bluetit[640]: Starting Bluetit - AirVPN OpenVPN 3 Service 1.0.0 Beta 2 - 27 Nov>
Dec 02 19:47:23 localhost.localdomain bluetit[640]: OpenVPN core 3.6.6 AirVPN linux x86_64 64-bit
Dec 02 19:47:23 localhost.localdomain bluetit[640]: Copyright (C) 2012-2020 OpenVPN Inc. All rights reserved.
Dec 02 19:47:23 localhost.localdomain bluetit[640]: Bluetit is already running or did not exit gracefully on its last>
Dec 02 19:47:23 localhost.localdomain systemd[1]: bluetit.service: Control process exited, code=exited, status=1/FAIL>
Dec 02 19:47:23 localhost.localdomain systemd[1]: bluetit.service: Failed with result 'exit-code'.
Dec 02 19:47:23 localhost.localdomain systemd[1]: Failed to start AirVPN Bluetit Daemon.

We deleted the lock file, and then it did start. In my opinion, a normal way to do a lock file is to write the PID to a file in /run and to check whether a process with that PID is running. So if the system crashes, the PID is not present and the service can start.

Then we tried goldcrest -O and goldcrest --recover-network, which failed:

[pc-user@localhost ~]$ sudo goldcrest --recover-network
2020-12-02 19:57:09 Reading run control directives from file /root/.config/goldcrest.rc
Goldcrest 1.0.0 Beta 2 - 27 November 2020

2020-12-02 19:57:09 Bluetit - AirVPN OpenVPN 3 Service 1.0.0 Beta 2 - 27 November 2020
2020-12-02 19:57:09 OpenVPN core 3.6.6 AirVPN linux x86_64 64-bit
2020-12-02 19:57:09 It seems Bluetit did not exit gracefully or has been killed.
Your system may not be working properly and your network connection may not work
as expected. To recover your network settings, run this program again and use
the "--recover-network" option.

Even when we run it with --recover-network, it is still asking for me to run it with --recover-network.

Questions for AirVPN

1. Why is  "goldcrest - 0" exiting?

2. How to shutdown VPN correctly?

thanks to everyone


 

airvpn-installation-log.txt notes for airvpn.txt


Hello

Here is my configuration :

Raspberry Pi 3 Model B+
Raspbian 10.6 with last updates
Using Sysctl

I am using Hummingbird since it was delivered with no problems


After installation of AirVPN-Suite-Linux-armv7l-1.0.tar.gz Beta 2:

I sometimes have problems starting Bluetit when the service is enabled

Using cipher in Bluetit.rc is not working, but it is working in goldcrest.rc

The option --recover-network is not working for me.

I have noticed this in the log : "EVENT: WARN TLS: received certificate signed with SHA1. Please inform your admin to upgrade to a stronger algorithm. Support for SHA1 signatures will be dropped in the future"

Feature request : possibility to choose the place of goldcrest.rc

I use the following configuration :

---------
bluetit.rc
---------
airwhitecountrylist        GB
country                    FR
proto                    udp
port                    443
ncpdisable                no
networklock                off

---------
goldcrest.rc
---------
cipher        CHACHA20-POLY1305

---------
Script started as a service
---------
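# Launch OpenVpn AirVpn

# Remove the Bluetit lock file if one is present
if [ -e /etc/airvpn/bluetit.lock ]
then
    rm /etc/airvpn/bluetit.lock
    # goldcrest --recover-network
fi

# Restore /etc/resolv.conf from the backup file if one is present
if [ -e /etc/airvpn/resolv.conf.airvpnbackup ]
then
    mv -f /etc/airvpn/resolv.conf.airvpnbackup /etc/resolv.conf
fi

# Start the daemon, logging its output
systemctl start bluetit >> /var/log/openvpn/airvpn.log 2>&1

# Wait for the daemon, then connect with the client
sleep 5
goldcrest --air-connect --air-user xxx --air-password yyy >> /var/log/openvpn/airvpn.log 2>&1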
---------

Thanks for the work you do
Best regards

Christophe

 

@john roberts

Hello and thank you very much for your tests!
 
Quote


1. Why is  "goldcrest - 0" exiting?


Because the daemon, Bluetit, is not running. Goldcrest is just a client. We see that you run it with root privileges, therefore you destroy a part of the security model created with the new architecture. Please consider not to do so.
 
Quote


2. How to shutdown VPN correctly?


There is no special procedure, ideally. Even a brutal reboot is fine and must not create the problem you experience. We are trying to reproduce it in Fedora 33. Can you please tell us exactly what you do to reproduce the problem, including how you shut down the system exactly, step by step? We ask because we failed to reproduce the issue in Fedora 33 even by trying a brutal "reboot" from a root terminal inside a Desktop Manager.
 
Quote


We deleted the lock file, and then it did start. In my opinion, a normal way to do a lock file is to write the PID to a file in /run and to check whether a process with that PID is running. So if the system crashes, the PID is not present and the service can start.


That would not work in our case. We want to maintain the lock file because Bluetit must NOT start if its previous exit was abnormal. We are talking about firewall rules, DNS settings and routing tables here, so it is expected that the superuser intervenes manually in such cases, no automatic solution is proposed. The only automatic fix is --recover-network aimed at rescuing previous firewall rules and DNS settings. Then the superuser must remove manually the lock file after she has ascertained that anything else is fine, for example that no other Bluetit instance is running for real.
 
Quote


Even when we run it with --recover-network, it is still asking for me to run it with --recover-network.


Yes, we will clarify it in the next documentation version. Also remember that Goldcrest can NOT do --recover-network or anything else, when Bluetit is not running.

We are looking forward to hearing from you about the reboot procedure you follow to help us reproduce the issue in Fedora 33.

Thanks again!

Kind regards
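
The manual check described in the reply above (confirm that no Bluetit instance is really running before touching the lock file) can be scripted as a read-only report. This is an added example, not part of the thread and not AirVPN code; the two file paths are the ones used in the Raspberry Pi script earlier in the thread, and reading the resolv.conf backup as a sign that DNS settings were not restored is an assumption.

```python
import os

LOCK_FILE = "/etc/airvpn/bluetit.lock"                  # path from the thread
DNS_BACKUP = "/etc/airvpn/resolv.conf.airvpnbackup"     # path from the thread

def running_pids(name, proc_root="/proc"):
    """PIDs whose /proc/<pid>/comm equals `name` (Linux only)."""
    pids = []
    for entry in os.listdir(proc_root):
        if not entry.isdigit():
            continue
        try:
            with open(os.path.join(proc_root, entry, "comm")) as fh:
                if fh.read().strip() == name:
                    pids.append(int(entry))
        except OSError:
            continue   # process exited during the scan, or is not readable
    return sorted(pids)

def assess(lock_path=LOCK_FILE, dns_backup=DNS_BACKUP,
           proc_root="/proc", daemon="bluetit"):
    """Report the state only; nothing is deleted or restored here."""
    pids = running_pids(daemon, proc_root)
    lock = os.path.exists(lock_path)
    backup = os.path.exists(dns_backup)
    if pids:
        verdict = "running"          # a daemon is alive: leave the lock alone
    elif backup:
        verdict = "needs-recovery"   # assumption: DNS backup was never restored
    elif lock:
        verdict = "stale-lock"       # no daemon, no backup: review, then remove
    else:
        verdict = "clean"
    return {"verdict": verdict, "pids": pids, "lock": lock, "dns_backup": backup}

if __name__ == "__main__":
    print(assess())
```

Unlike an unconditional `rm` of the lock file at boot, the report leaves the decision to the superuser, which is the behaviour the reply asks for.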

 

@clebretonfr

Thank you very much for your tests and for the great feedback!

We are investigating the issue at system start you have reported in our Raspberry systems.

The Data Channel ciphers you specify in bluetit.rc are those which are allowed by the daemon, thus they are a set enforced by the superuser. The Goldcrest user can then pick any cipher inside that set. Have you noticed some discrepancy from the expected behavior?
 
Quote

I have noticed this in the log : "EVENT: WARN TLS: received certificate signed with SHA1. Please inform your admin to upgrade to a stronger algorithm. Support for SHA1 signatures will be dropped in the future"


This is a server side problem which we will have to face sooner or later. It is not relevant anyway at this stage.



Kind regards

 
