
Linux new software: AirVPN Suite 1.0 beta


@staff 
The README.md file on beta 2 is still showing :
Version 1.0.0 Beta 1 - Release date 18 November 2020

Only a minor point but it doesn't help on the fault finding for users looking for accurate information without being confused.

@pjnsmb

Hello and thanks! Documentation remains the one you see. It will be updated when possible and anyway not later than stable version release date. At the moment it is perfectly valid for beta 2 version, you can rely on it safely.

Kind regards
 


@staff
Further to my post on 21st November and after using the uninstall.sh provided in beta 2 to get a clean install of beta 2 I am still getting on boot :

Nov 28 11:46:02 desktop systemd[1]: Started AirVPN Bluetit Daemon.
Nov 28 11:46:02 desktop bluetit[648]: ^[[0;38;5;245m^[[0;38;5;245mSuccessfully connected to D-Bus
Nov 28 11:46:02 desktop bluetit[648]: ^[[0;38;5;245m^[[0;38;5;245mReading run control directives from file /etc/airvpn/bluetit.rc


################Nov 28 11:46:02 desktop bluetit[648]: ^[[0;38;5;245m^[[0;38;5;245mIPv6 is not available in this system#################


Nov 28 11:46:02 desktop bluetit[648]: ^[[0;38;5;245m^[[0;38;5;245mSystem country set to GB by Bluetit policy.
Nov 28 11:46:02 desktop bluetit[648]: ^[[0;38;5;245m^[[0;38;5;245mBluetit successfully initialized and ready
Nov 28 11:46:02 desktop bluetit[648]: ^[[0;38;5;245m^[[0;38;5;245mAirVPN Manifest updater thread started
Nov 28 11:46:02 desktop bluetit[648]: ^[[0;38;5;245m^[[0;38;5;245mAirVPN Manifest update interval is 15 minutes
Nov 28 11:46:02 desktop bluetit[648]: ^[[0;38;5;245m^[[0;38;5;245mUpdating AirVPN Manifest
Nov 28 11:46:02 desktop bluetit[648]: ^[[0;38;5;245m^[[0;38;5;245mAirVPN Manifest successfully retrieved from server


I am still having to restart bluetit.service to get IPv6 available to continue on to getting goldcrest working.

 

On 11/28/2020 at 12:38 AM, OpenSourcerer said:

IPv6 detection error is fixed


Hello!

That's strange because absolutely nothing changed in IPv6 detection between internal beta 1, beta 1 and beta 2. Let us know if the problem re-appears.
 
Quote

v6 routes are still not applied, leading to IPv6 leaks if NetLock is off. IPv6 rc values and console arguments only cause Bluetit to connect via v6.


Are IPv6 routes pushed by VPN servers and the push is ignored, or are IPv6 routes not pushed at all? Is 6to4 option on?

Can we see the log and the settings pertaining to the 2nd problem, i.e. connection over IPv6 when IPv4 is expected? The expected behavior by Bluetit is: connect in IPv6 whenever user employs IPv6 remote addresses or options in Goldcrest, except when 6to4 option is active, in which case, if possible, connect in IPv4 and tunnel IPv6 over IPv4.

Kind regards


 

19 minutes ago, Staff said:

Are IPv6 routes pushed by VPN servers and the push is ignored, or are IPv6 routes not pushed at all? Is 6to4 option on?


There are no v6 routes pulled, except for the explicit v6 route to the server itself being set, see goldcrest.log.
Tried "air-ipv6=on, ipv6=off", vice versa and both on.
goldcrest.rc

goldcrest.log
goldcrest.iproute2.log

» I am not an AirVPN team member. All opinions are my own and are not official. Refer to Staff postings for the official word.

» These are the community forums, not the support portal. You're writing with other users here.

» New here? LZ1's New User Guide to AirVPN. Use the search function, Luke!

» Tor exits behind a VPN connection are discouraged. Using Tor on the other hand is not.

 

» Privacy is like alcohol: Drink a little and it can help you stay unnoticed. Drink a lot and everyone will notice you.

» I cannot give you the solution to all your issues. But I can guide you to it. The rest is up to you.

@OpenSourcerer

OK! That's expected behavior. You need to set air-6to4 to on and connect in IPv4 if you wish IPv6 over IPv4. Please check and verify whether everything is OK.

Explanation: since 2016 or 2017 our VPN servers are customized to push IPv6 routes only if the client sends a user variable IPV6 containing the value yes. Otherwise no IPv6 routes are pushed: that's necessary indeed, in order to avoid older OpenVPN versions' numerous bugs on IPv6 and also make IPv4 connections possible to those systems which do not support IPv6, otherwise any OpenVPN version older than 2.5 would invoke "ip route" or "route" commands which would fail and cause OpenVPN to exit immediately.

Insofar, a client must include directive setenv UV_IPV6=yes for OpenVPN to get IPv6 push and tunnel IPv6 over IPv4 (see also Configuration Generator generated profiles). Bluetit and Hummingbird will have OpenVPN3 library set IPV6 variable to yes only when air-6to4 is on and by default it is off. We are considering to change 6to4 to on by default, if IPv6 is detected as supported by the system.

Kind regards
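
Added example (not part of the post above and not AirVPN code): the rule described above can be verified from the client side. This Python example reads a Goldcrest log in the format posted in this thread and, for each connection, reports whether the client sent UV_IPV6=yes, whether any IPv6 option was pushed, and whether Network Lock was reported disabled. The sample log is constructed, the function names are hypothetical, and ifconfig-ipv6, route-ipv6 and the ipv6 flag of redirect-gateway are the standard OpenVPN names assumed to show up in the pushed list.

```python
import re

# Timestamped message line, e.g. "2020-12-06 08:11:09 Peer Info:"
TS_LINE = re.compile(r"^\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2} (.*)$")
# Numbered option line, e.g. "1 [redirect-gateway] [def1] [bypass-dhcp]"
OPT_LINE = re.compile(r"^\d+((?: \[[^\]]*\])+)$")
IPV6_OPTIONS = {"ifconfig-ipv6", "route-ipv6"}  # standard OpenVPN directive names


def parse_sessions(log_text):
    """Split a log into connections; each has peer info, pushed options, lock state."""
    sessions, current, section, lock_off = [], None, None, False
    for raw in log_text.splitlines():
        line = raw.strip()
        ts = TS_LINE.match(line)
        if ts:
            msg, section = ts.group(1), None
            if msg == "EVENT: RESOLVE":            # a new connection attempt begins
                lock_off = False
            elif "Network filter and lock is disabled" in msg:
                lock_off = True
            elif msg == "Peer Info:":               # variables the client sends
                current = {"peer": {}, "pushed": [], "lock_off": lock_off}
                sessions.append(current)
                section = "peer"
            elif msg == "OPTIONS:" and current is not None:
                section = "pushed"                  # options pushed by the server
            continue
        if current is None or section is None:
            continue
        if section == "peer" and "=" in line:
            key, value = line.split("=", 1)
            current["peer"][key] = value
        elif section == "pushed":
            opt = OPT_LINE.match(line)
            if opt:
                current["pushed"].append(re.findall(r"\[([^\]]*)\]", opt.group(1)))
    return sessions


def assess(session):
    """Return (client_requested_ipv6, ipv6_pushed, verdict) for one connection."""
    requested = session["peer"].get("UV_IPV6", "").lower() == "yes"
    pushed = any(
        o[0] in IPV6_OPTIONS or (o[0] == "redirect-gateway" and "ipv6" in o[1:])
        for o in session["pushed"]
    )
    if pushed:
        verdict = "ipv6-routes-pushed"
    elif session["lock_off"]:
        # No IPv6 routes in the tunnel and no lock: native IPv6 can bypass the VPN.
        verdict = "ipv6-not-tunnelled-lock-off"
    else:
        # The log did not report the lock as disabled for this attempt.
        verdict = "ipv6-not-tunnelled-lock-on"
    return requested, pushed, verdict


# Constructed sample, modelled on the log lines posted in this thread.
SAMPLE_LOG = """\
2020-12-06 08:11:08 EVENT: RESOLVE
2020-12-06 08:11:08 WARNING: Network filter and lock is disabled
2020-12-06 08:11:09 Peer Info:
IV_VER=3.6.6 AirVPN
UV_IPV6=no

2020-12-06 08:11:09 OPTIONS:
0 [comp-lzo] [no]
1 [redirect-gateway] [def1] [bypass-dhcp]
2 [dhcp-option] [DNS] [10.5.34.1]
3 [ifconfig] [10.5.34.103] [255.255.255.0]

2020-12-06 08:11:09 PROTOCOL OPTIONS:
  cipher: CHACHA20-POLY1305
2020-12-06 09:00:00 EVENT: RESOLVE
2020-12-06 09:00:01 Peer Info:
IV_VER=3.6.6 AirVPN
UV_IPV6=yes

2020-12-06 09:00:01 OPTIONS:
0 [redirect-gateway] [ipv6] [def1] [bypass-dhcp]
1 [dhcp-option] [DNS] [10.5.34.1]
2 [ifconfig-ipv6] [2001:db8:5:34::1067/64] [2001:db8:5:34::1]
3 [ifconfig] [10.5.34.103] [255.255.255.0]
"""

if __name__ == "__main__":
    for number, session in enumerate(parse_sessions(SAMPLE_LOG), start=1):
        print(number, assess(session))
```

The lock-off verdict only matters on a host that has native IPv6 connectivity; on an IPv4-only host there is nothing to leak.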
 

3 minutes ago, Staff said:

OK! That's expected behavior. You need to set air-6to4 to on and connect in IPv4 if you wish IPv6 over IPv4. Please check and verify whether everything is OK.


I did not wish v6 over v4 as the option implied, I wished a similar behavior to the confs I use with vanilla OpenVPN. But you were right, -B/--air-6to4 does pull the desired routes. Unfortunately, this bit of information is not in the manual so I assumed -B forces a v4 connection and I didn't pay any more attention to it.
 
13 minutes ago, Staff said:

We are considering to change 6to4 to on by default, if IPv6 is detected.


I'd appreciate such a change and also the possibility of configuring it with rc. Seems like it's not in the current beta. Generated a fresh rc to check, 6to4 option is missing. Manually adding it does not work:

# goldcrest -O
2020-11-30 12:08:39 Reading run control directives from file /root/.config/goldcrest.rc
2020-11-30 12:08:39 Error while parsing /root/.config/goldcrest.rc file. Unknown directive air-6to4. Exiting.

2 hours ago, OpenSourcerer said:

I did not wish v6 over v4 as the option implied, I wished a similar behavior to the confs I use with vanilla OpenVPN. But you were right, -B/--air-6to4 does pull the desired routes. Unfortunately, this bit of information is not in the manual so I assumed -B forces a v4 connection and I didn't pay any more attention to it.
 
I'd appreciate such a change and also the possibility of configuring it with rc. Seems like it's not in the current beta. Generated a fresh rc to check, 6to4 option is missing. Manually adding it does not work:

# goldcrest -O
2020-11-30 12:08:39 Reading run control directives from file /root/.config/goldcrest.rc
2020-11-30 12:08:39 Error while parsing /root/.config/goldcrest.rc file. Unknown directive air-6to4. Exiting.


Thanks!

For that purpose, in vanilla OpenVPN you need as usual setenv UV_IPV6=yes - in AirVPN servers only of course - since when we started to support IPv6 fully.

We failed to reproduce the "unknown directive" error for air-6to4 in goldcrest.rc - can you please check which exact char is after the "4" ? Maybe it is a parsing problem with blanks. The parser expects either \n , \t, \v or blank space.

Kind regards

 

1 hour ago, Staff said:

can you please check which exact char is after the "4" ?


I checked with hexdump. I used some spaces after it (ASCII 0x20), so I changed that to two tabs (0x09) as it is with the other directives but it still doesn't accept it. I checked the line termination, it's LF (0x0a) exactly as it is before and after the new line. I'm uploading the file here for you to check it yourself.
goldcrest.rc

@OpenSourcerer

Hello!

Your air-6to4 directive has an invalid argument, yes: it should be on. The returned error message "Unknown directive" is unexpected: that's another issue under investigation now. Can you confirm that air-6to4 on resolves the issue and tunnels IPv6 over IPv4 when the connection is over IPv4?

Your suggestion during the internal beta testing has been adopted, but not yet implemented in beta 2. Starting from next release, yes - on - 1 - true on one side and no - off - 0 - false on the other side will be treated as equivalent arguments / synonyms by the parser. 👍

Kind regards
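
Added example (not part of the posts above and not Goldcrest's parser): a byte-level check of an rc file that answers, for every line, the question asked earlier in the thread (which exact character follows the directive name) and maps the boolean synonyms listed above to on/off. The accepted separators (LF, TAB, VT, space) and the synonym lists are taken from the Staff replies; the sample rc bytes are constructed and the function names are hypothetical.

```python
import re

ACCEPTED = {0x0A: "LF", 0x09: "TAB", 0x0B: "VT", 0x20: "SPACE"}  # per the Staff reply
TRUE_WORDS = {"yes", "on", "1", "true"}
FALSE_WORDS = {"no", "off", "0", "false"}


def _printable(byte):
    """Visible ASCII, i.e. what a directive name or value is expected to contain."""
    return 0x21 <= byte <= 0x7E


def inspect_rc_line(raw):
    """Describe one rc line given as bytes, terminator included."""
    end = 0
    while end < len(raw) and _printable(raw[end]):
        end += 1                                   # end of the directive name
    sep = raw[end] if end < len(raw) else None     # the byte right after it
    tokens = [t for t in re.split(rb"[\n\t\x0b ]+", raw[end:]) if t]
    value = tokens[0].decode("ascii", "backslashreplace") if tokens else None
    word = value.lower() if value else None
    boolean = True if word in TRUE_WORDS else False if word in FALSE_WORDS else None
    return {
        "directive": raw[:end].decode("ascii"),
        "separator": None if sep is None else ACCEPTED.get(sep, f"0x{sep:02x}"),
        "separator_ok": sep is None or sep in ACCEPTED,
        # Bytes that are neither visible ASCII nor an accepted separator,
        # e.g. CR from CRLF line endings or a UTF-8 non-breaking space.
        "stray": [(i, f"0x{b:02x}") for i, b in enumerate(raw)
                  if not _printable(b) and b not in ACCEPTED],
        "value": value,
        "canonical": None if boolean is None else ("on" if boolean else "off"),
    }


def lint_rc(data):
    """Return (line_number, report) for every line with a byte-level problem."""
    findings = []
    # Split on LF only, so a stray CR stays visible inside its line.
    for number, raw in enumerate(re.findall(rb"[^\n]*\n|[^\n]+$", data), start=1):
        if not raw.strip(b"\n\t\x0b "):
            continue                               # blank line
        report = inspect_rc_line(raw)
        if not report["separator_ok"] or report["stray"]:
            findings.append((number, report))
    return findings


# Constructed sample: two clean lines, a synonym, a UTF-8 NBSP, a CRLF ending.
SAMPLE_RC = (
    b"air-server\t\tAlathfar\n"
    b"air-6to4\t\ton\n"
    b"air-6to4 yes\n"
    b"air-6to4\xc2\xa0on\n"
    b"air-6to4 on\r\n"
)

if __name__ == "__main__":
    for number, report in lint_rc(SAMPLE_RC):
        print(number, report["separator"], report["stray"], repr(report["value"]))
```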
 

1 hour ago, Staff said:

Your air-6to4 directive has an invalid argument, yes: it should be on. The returned error message "Unknown directive" is unexpected: that's another issue under investigation now. Can you confirm that air-6to4 on resolves the issue and tunnels IPv6 over IPv4 when the connection is over IPv4?


Changed to on, same error message. Then, partly out of desperation, tried changing the line of this parameter, first putting it to the very bottom, still no. Put it on the line where air-server was with air-server below it, still no. Does my rc file work with your installation?
Otherwise, I'm out of ideas here. 😕


Dell XPS 9365 13" laptop. Fedora 33 Cinnamon desktop x64

[pc-user@localhost AirVPN-Suite]$ pwd
/home/pc-user/AirVPN-Suite

[pc-user@localhost AirVPN-Suite]$ su -
Password:

[root@localhost ~]# ll
total 8
-rw-------. 1 root root 1117 Nov 19 10:24 anaconda-ks.cfg
-rw-r--r--. 1 root root 1222 Nov 19 10:29 initial-setup-ks.cfg

[root@localhost ~]# cd /home/pc-user/AirVPN-Suite

[root@localhost AirVPN-Suite]# ll
total 10868
-r--------. 1 pc-user pc-user 7987200 Dec  2 14:11 AirVPN-Suite-x86_64-1.0.0-Beta-2.tar-2
-rw-r--r--. 1 pc-user pc-user 3063350 Dec  2 14:01 AirVPN-Suite-x86_64-1.0.0-Beta-2.tar.gz
drwxr-xr-x. 1 pc-user pc-user      54 Oct 28 21:37 bin
drwxr-xr-x. 1 pc-user pc-user      50 Oct 28 20:01 etc
-rwxr-xr-x. 1 pc-user pc-user    5695 Nov 23 21:07 install.sh
-rw-------. 1 pc-user pc-user   62517 Nov 22 19:05 README.md
-rwxr-xr-x. 1 pc-user pc-user    3834 Nov 23 21:11 uninstall.sh
[root@localhost AirVPN-Suite]#

[root@localhost AirVPN-Suite]# ldd bin/bluetit
    linux-vdso.so.1 (0x00007ffe26c78000)
    libdbus-1.so.3 => /lib64/libdbus-1.so.3 (0x00007fb3ae02d000)
    libxml2.so.2 => /lib64/libxml2.so.2 (0x00007fb3adea2000)
    libssl.so.1.1 => /lib64/libssl.so.1.1 (0x00007fb3ade06000)
    libcrypto.so.1.1 => /lib64/libcrypto.so.1.1 (0x00007fb3adb1a000)
    libdl.so.2 => /lib64/libdl.so.2 (0x00007fb3adb13000)
    libstdc++.so.6 => /lib64/libstdc++.so.6 (0x00007fb3ad92b000)
    libm.so.6 => /lib64/libm.so.6 (0x00007fb3ad7e3000)
    libgcc_s.so.1 => /lib64/libgcc_s.so.1 (0x00007fb3ad7c8000)
    libpthread.so.0 => /lib64/libpthread.so.0 (0x00007fb3ad7a6000)
    libc.so.6 => /lib64/libc.so.6 (0x00007fb3ad5db000)
    libsystemd.so.0 => /lib64/libsystemd.so.0 (0x00007fb3ad51f000)
    libz.so.1 => /lib64/libz.so.1 (0x00007fb3ad505000)
    liblzma.so.5 => /lib64/liblzma.so.5 (0x00007fb3ad4d7000)
    /lib64/ld-linux-x86-64.so.2 (0x00007fb3ae666000)
    librt.so.1 => /lib64/librt.so.1 (0x00007fb3ad4cc000)
    libzstd.so.1 => /lib64/libzstd.so.1 (0x00007fb3ad416000)
    liblz4.so.1 => /lib64/liblz4.so.1 (0x00007fb3ad3f8000)
    libgcrypt.so.20 => /lib64/libgcrypt.so.20 (0x00007fb3ad2d3000)
    libgpg-error.so.0 => /lib64/libgpg-error.so.0 (0x00007fb3ad2b0000)

[root@localhost AirVPN-Suite]# echo $?
0

[root@localhost AirVPN-Suite]# ldd bin/goldcrest
    linux-vdso.so.1 (0x00007fffac7b8000)
    libdbus-1.so.3 => /lib64/libdbus-1.so.3 (0x00007fa5dcc4f000)
    libstdc++.so.6 => /lib64/libstdc++.so.6 (0x00007fa5dca67000)
    libm.so.6 => /lib64/libm.so.6 (0x00007fa5dc921000)
    libgcc_s.so.1 => /lib64/libgcc_s.so.1 (0x00007fa5dc906000)
    libpthread.so.0 => /lib64/libpthread.so.0 (0x00007fa5dc8e4000)
    libc.so.6 => /lib64/libc.so.6 (0x00007fa5dc719000)
    libsystemd.so.0 => /lib64/libsystemd.so.0 (0x00007fa5dc65b000)
    /lib64/ld-linux-x86-64.so.2 (0x00007fa5dced6000)
    librt.so.1 => /lib64/librt.so.1 (0x00007fa5dc650000)
    liblzma.so.5 => /lib64/liblzma.so.5 (0x00007fa5dc624000)
    libzstd.so.1 => /lib64/libzstd.so.1 (0x00007fa5dc56e000)
    liblz4.so.1 => /lib64/liblz4.so.1 (0x00007fa5dc550000)
    libgcrypt.so.20 => /lib64/libgcrypt.so.20 (0x00007fa5dc42b000)
    libgpg-error.so.0 => /lib64/libgpg-error.so.0 (0x00007fa5dc408000)
    libdl.so.2 => /lib64/libdl.so.2 (0x00007fa5dc401000)

[root@localhost AirVPN-Suite]# ldd bin/hummingbird
    linux-vdso.so.1 (0x00007ffcac5ac000)
    libssl.so.1.1 => /lib64/libssl.so.1.1 (0x00007f0a4831e000)
    libcrypto.so.1.1 => /lib64/libcrypto.so.1.1 (0x00007f0a48032000)
    libdl.so.2 => /lib64/libdl.so.2 (0x00007f0a4802b000)
    libstdc++.so.6 => /lib64/libstdc++.so.6 (0x00007f0a47e43000)
    libm.so.6 => /lib64/libm.so.6 (0x00007f0a47cfd000)
    libgcc_s.so.1 => /lib64/libgcc_s.so.1 (0x00007f0a47ce2000)
    libpthread.so.0 => /lib64/libpthread.so.0 (0x00007f0a47cbe000)
    libc.so.6 => /lib64/libc.so.6 (0x00007f0a47af3000)
    libz.so.1 => /lib64/libz.so.1 (0x00007f0a47ad9000)
    /lib64/ld-linux-x86-64.so.2 (0x00007f0a4894b000)

[root@localhost AirVPN-Suite]# ll
total 10868
-r--------. 1 pc-user pc-user 7987200 Dec  2 14:11 AirVPN-Suite-x86_64-1.0.0-Beta-2.tar-2
-rw-r--r--. 1 pc-user pc-user 3063350 Dec  2 14:01 AirVPN-Suite-x86_64-1.0.0-Beta-2.tar.gz
drwxr-xr-x. 1 pc-user pc-user      54 Oct 28 21:37 bin
drwxr-xr-x. 1 pc-user pc-user      50 Oct 28 20:01 etc
-rwxr-xr-x. 1 pc-user pc-user    5695 Nov 23 21:07 install.sh
-rw-------. 1 pc-user pc-user   62517 Nov 22 19:05 README.md
-rwxr-xr-x. 1 pc-user pc-user    3834 Nov 23 21:11 uninstall.sh
 
[root@localhost AirVPN-Suite]# sh ./install.sh

AirVPN suite installation script

Do you want to install AirVPN Suite? [y/n] y

System is using systemd

Installing bluetit to /sbin
Installing goldcrest to /usr/local/bin
Installing hummingbird to /usr/local/bin
Installing bluetit configuration files
Installing D-Bus configuration files
Installing systemd bluetit.service unit

Do you want to enable bluetit.service unit? [y/n] y
Created symlink /etc/systemd/system/multi-user.target.wants/bluetit.service → /etc/systemd/system/bluetit.service.
Bluetit service enabled

Do you want to start Bluetit service now? [y/n] y
Bluetit service started

Do you want to create airvpn user? [y/n] y
Please set a password for user airvpn
Changing password for user airvpn.
New password:
BAD PASSWORD: The password is shorter than 8 characters
Retype new password:
Sorry, passwords do not match.
passwd: Authentication token manipulation error

User airvpn added to group airvpn

Done.

[root@localhost AirVPN-Suite]# passwd airvpn
Changing password for user airvpn.
New password:
Retype new password:
passwd: all authentication tokens updated successfully.

[root@localhost AirVPN-Suite]#

[pc-user@localhost AirVPN-Suite]$ goldcrest -O
2020-12-02 19:38:19 Reading run control directives from file /home/pc-user/.config/goldcrest.rc
Goldcrest 1.0.0 Beta 2 - 27 November 2020

2020-12-02 19:38:19 Bluetit - AirVPN OpenVPN 3 Service 1.0.0 Beta 2 - 27 November 2020
2020-12-02 19:38:19 OpenVPN core 3.6.6 AirVPN linux x86_64 64-bit
2020-12-02 19:38:19 Bluetit is connected to VPN


Use goldcrest -O

------------------------------------------------------------------------------------------------------------------------------------------------------

We started the bluetit service, put the airvpn username and password into goldcrest.rc, and ran "goldcrest -O". The VPN was set up correctly, confirmed in the browser. We restarted the laptop, and noticed that the service did not start:

[pc-user@localhost ~]$ systemctl status bluetit
● bluetit.service - AirVPN Bluetit Daemon
     Loaded: loaded (/etc/systemd/system/bluetit.service; enabled; vendor preset: disabled)
     Active: failed (Result: exit-code) since Wed 2020-12-02 19:47:23 AEDT; 3min 56s ago
    Process: 640 ExecStart=/sbin/bluetit (code=exited, status=1/FAILURE)
        CPU: 9ms

Dec 02 19:47:23 localhost.localdomain systemd[1]: Starting AirVPN Bluetit Daemon...
Dec 02 19:47:23 localhost.localdomain bluetit[640]: Starting Bluetit - AirVPN OpenVPN 3 Service 1.0.0 Beta 2 - 27 Nov>
Dec 02 19:47:23 localhost.localdomain bluetit[640]: OpenVPN core 3.6.6 AirVPN linux x86_64 64-bit
Dec 02 19:47:23 localhost.localdomain bluetit[640]: Copyright (C) 2012-2020 OpenVPN Inc. All rights reserved.
Dec 02 19:47:23 localhost.localdomain bluetit[640]: Bluetit is already running or did not exit gracefully on its last>
Dec 02 19:47:23 localhost.localdomain systemd[1]: bluetit.service: Control process exited, code=exited, status=1/FAIL>
Dec 02 19:47:23 localhost.localdomain systemd[1]: bluetit.service: Failed with result 'exit-code'.
Dec 02 19:47:23 localhost.localdomain systemd[1]: Failed to start AirVPN Bluetit Daemon.

We deleted the lock file, and then it did start. In my opinion, a normal way to do a lock file is to write the PID to a file in /run and to check whether a process with that PID is running. So if the system crashes, the PID is not present and the service can start.

Then we tried goldcrest -O and goldcrest --recover-network, which failed:

[pc-user@localhost ~]$ sudo goldcrest --recover-network
2020-12-02 19:57:09 Reading run control directives from file /root/.config/goldcrest.rc
Goldcrest 1.0.0 Beta 2 - 27 November 2020

2020-12-02 19:57:09 Bluetit - AirVPN OpenVPN 3 Service 1.0.0 Beta 2 - 27 November 2020
2020-12-02 19:57:09 OpenVPN core 3.6.6 AirVPN linux x86_64 64-bit
2020-12-02 19:57:09 It seems Bluetit did not exit gracefully or has been killed.
Your system may not be working properly and your network connection may not work
as expected. To recover your network settings, run this program again and use
the "--recover-network" option.

Even when we run it with --recover-network, it is still asking me to run it with --recover-network.

Questions for  AirVPN

1. Why is  "goldcrest - 0" exiting?

2. How to shutdown VPN correctly?

thanks to everyone


 

airvpn-installation-log.txt notes for airvpn.txt


Hello

Here is my configuration :

Raspberry Pi 3 Model B+
Raspbian 10.6 with last updates
Using Sysctl

I am using Hummingbird since it was delivered with no problems


After installation of AirVPN-Suite-Linux-armv7l-1.0.tar.gz Beta 2:

I sometimes have problems starting Bluetit when the service is enabled

Using cipher in Bluetit.rc is not working, but working in goldcrest.rc

The option --recover-network is not working for me.

I have noticed this in the log : "EVENT: WARN TLS: received certificate signed with SHA1. Please inform your admin to upgrade to a stronger algorithm. Support for SHA1 signatures will be dropped in the future"

Feature request : possibility to choose the place of goldcrest.rc

I use the following configuration :

---------
bluetit.rc
---------
airwhitecountrylist        GB
country                    FR
proto                    udp
port                    443
ncpdisable                no
networklock                off

---------
goldcrest.rc
---------
cipher        CHACHA20-POLY1305

---------
Script started as a service
---------
# Start OpenVpn AirVpn

if [ -e /etc/airvpn/bluetit.lock ]
then
    rm /etc/airvpn/bluetit.lock
    # goldcrest --recover-network
fi

if [ -e /etc/airvpn/resolv.conf.airvpnbackup ]
then
    mv -f /etc/airvpn/resolv.conf.airvpnbackup /etc/resolv.conf
fi

systemctl start bluetit >> /var/log/openvpn/airvpn.log 2>&1

sleep 5
goldcrest --air-connect --air-user xxx --air-password yyy >> /var/log/openvpn/airvpn.log 2>&1
---------

Thanks for the work you do
Best regards

Christophe

 

@john roberts

Hello and thank you very much for your tests!
 
Quote


1. Why is  "goldcrest - 0" exiting?


Because the daemon, Bluetit, is not running. Goldcrest is just a client. We see that you run it with root privileges, therefore you destroy a part of the security model created with the new architecture. Please consider not to do so.
 
Quote


2. How to shutdown VPN correctly?


There is no special procedure, ideally. Even a brutal reboot is fine and must not create the problem you experience. We are trying to reproduce it in Fedora 33. Can you please tell us exactly what you do to reproduce the problem, including how you shut down the system exactly, step by step? We ask because we failed to reproduce the issue in Fedora 33 even by trying a brutal "reboot" from a root terminal inside a Desktop Manager.
 
Quote


We deleted the lock file, and then it did start. In my opinion, a normal way to do a lock file is to write the PID to a file in /run and to check whether a process with that PID is running. So if the system crashes, the PID is not present and the service can start.


That would not work in our case. We want to maintain the lock file because Bluetit must NOT start if its previous exit was abnormal. We are talking about firewall rules, DNS settings and routing tables here, so it is expected that the superuser intervenes manually in such cases, no automatic solution is proposed. The only automatic fix is --recover-network aimed at rescuing previous firewall rules and DNS settings. Then the superuser must remove manually the lock file after she has ascertained that anything else is fine, for example that no other Bluetit instance is running for real.
 
Quote


Even when we run it with --recover-network, it is still asking for me to run it with --recover-network.


Yes, we will clarify it in the next documentation version. Also remember that Goldcrest can NOT do --recover-network or anything else, when Bluetit is not running.

We are looking forward to hearing from you about the reboot procedure you follow to help us reproduce the issue in Fedora 33.

Thanks again!

Kind regards
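
Added example (not part of the post above and not AirVPN code): a read-only pre-flight check that collects the facts a superuser would look at before touching the lock file: whether a bluetit process is really running, whether the lock exists, and whether a resolv.conf backup is still pending. The two paths are the ones used in the script posted earlier in this thread; treating a leftover backup as "DNS not yet restored" is an assumption, as are the function names and action labels. The demo runs against a constructed /proc-like tree.

```python
import os
import tempfile

LOCK_PATH = "/etc/airvpn/bluetit.lock"                # path from the script in this thread
DNS_BACKUP = "/etc/airvpn/resolv.conf.airvpnbackup"   # path from the script in this thread


def daemon_pids(proc_root="/proc", name="bluetit"):
    """PIDs whose /proc/<pid>/comm equals `name`."""
    pids = []
    for entry in os.listdir(proc_root):
        if not entry.isdigit():
            continue
        try:
            with open(os.path.join(proc_root, entry, "comm")) as fh:
                if fh.read().strip() == name:
                    pids.append(int(entry))
        except OSError:
            continue  # the process exited while we were scanning
    return sorted(pids)


def preflight(lock_path=LOCK_PATH, dns_backup=DNS_BACKUP, proc_root="/proc"):
    """Report state only; nothing is deleted or restored here."""
    pids = daemon_pids(proc_root)
    lock = os.path.exists(lock_path)
    backup = os.path.exists(dns_backup)
    if pids:
        action = "leave-lock"                    # a daemon is running, the lock is legitimate
    elif lock and backup:
        action = "restore-network-state-first"   # abnormal exit left DNS changes behind
    elif lock:
        action = "review-then-remove-lock"       # stale lock, no pending backup found
    else:
        action = "start-normally"
    return {"pids": pids, "lock": lock, "dns_backup": backup, "action": action}


def demo():
    """Walk the four states on a constructed directory tree and return the actions."""
    actions = []
    with tempfile.TemporaryDirectory() as root:
        proc = os.path.join(root, "proc")
        for pid, comm in (("1", "systemd"), ("648", "bluetit")):
            os.makedirs(os.path.join(proc, pid))
            with open(os.path.join(proc, pid, "comm"), "w") as fh:
                fh.write(comm + "\n")
        os.makedirs(os.path.join(proc, "self"))   # non-numeric entries are ignored
        lock = os.path.join(root, "bluetit.lock")
        backup = os.path.join(root, "resolv.conf.airvpnbackup")

        open(lock, "w").close()
        actions.append(preflight(lock, backup, proc)["action"])   # daemon running

        os.remove(os.path.join(proc, "648", "comm"))              # daemon gone
        os.rmdir(os.path.join(proc, "648"))
        open(backup, "w").close()
        actions.append(preflight(lock, backup, proc)["action"])   # lock + DNS backup

        os.remove(backup)
        actions.append(preflight(lock, backup, proc)["action"])   # stale lock only

        os.remove(lock)
        actions.append(preflight(lock, backup, proc)["action"])   # clean state
    return actions


if __name__ == "__main__":
    print(demo())
```

A PID-file test alone would cover only the first branch; the lock described above also stands for firewall, DNS and routing changes that may still be in place after the process is gone.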

 

@clebretonfr

Thank you very much for your tests and for the great feedback!

We are investigating the issue at system start you have reported in our Raspberry systems.

The Data Channel ciphers you specify in bluetit.rc are those which are allowed by the daemon, thus they are a set enforced by the superuser. The Goldcrest user can then pick any cipher inside that set. Have you noticed some discrepancy from the expected behavior?
 
Quote

I have noticed this in the log : "EVENT: WARN TLS: received certificate signed with SHA1. Please inform your admin to upgrade to a stronger algorithm. Support for SHA1 signatures will be dropped in the future"


This is a server side problem which we will have to face sooner or later. It is not relevant anyway at this stage.



Kind regards

 


Hello

Configuration :
Raspberry Pi 3 Model B+
Raspbian 10.6 with last updates
Using Sysctl
Using Dnsmasq

I have a problem when I do a cold start of the Raspberry:
DNS files are OK with the right IP in resolv.conf
Dnsmasq restarts automatically when resolv.conf but it is impossible to connect to a site (dig not connecting)
When I stop and restart bluetit and goldcrest, everything is fine.
But maybe, problem is on my configuration

I have noticed an error message in the log :

2020-12-06 08:12:11 sitnl_send: rtnl: generic error: No such process (-3)
2020-12-06 08:12:11 sitnl_send: rtnl: generic error: No such process (-3)
2020-12-06 08:12:11 net_addr_del: 10.5.34.103/24 dev tun0
2020-12-06 08:12:11 sitnl_send: rtnl: generic error: Cannot assign requested address (-99)

Here is the complete log :
 

2020-12-06 08:11:08 Reading run control directives from file /root/.config/goldcrest.rc
Goldcrest 1.0.0 Beta 2 - 27 November 2020

2020-12-06 08:11:08 Bluetit - AirVPN OpenVPN 3 Service 1.0.0 Beta 2 - 27 November 2020
2020-12-06 08:11:08 OpenVPN core 3.6.6 AirVPN linux arm 32-bit
2020-12-06 08:11:08 Bluetit is ready
2020-12-06 08:11:08 Bluetit options successfully reset
2020-12-06 08:11:08 Bluetit successfully set to command line options
2020-12-06 08:11:08 Requesting AirVPN connection to Bluetit
2020-12-06 08:11:08 Logging in AirVPN user xxxxx
2020-12-06 08:11:08 User country set to FR by Bluetit policy.
2020-12-06 08:11:08 AirVPN user xxxxxx successfully logged in
2020-12-06 08:11:08 Auto quick connection mode enabled
2020-12-06 08:11:08 Starting quick connection to AirVPN server Alathfar, Maidenhead (United Kingdom)
2020-12-06 08:11:08 Trying protocol UDP, port 443, IP entry 3
2020-12-06 08:11:08 Negotiable Crypto Parameters (NCP) enabled by Bluetit policy
2020-12-06 08:11:08 CIPHER OVERRIDE: CHACHA20-POLY1305
2020-12-06 08:11:08 Network lock set to 'off' by Bluetit policy
2020-12-06 08:11:08 OpenVPN core 3.6.6 AirVPN linux arm 32-bit
2020-12-06 08:11:08 Frame=512/2048/512 mssfix-ctrl=1250
2020-12-06 08:11:08 UNUSED OPTIONS
6 [resolv-retry] [infinite]
7 [nobind]
8 [persist-key]
9 [persist-tun]
10 [auth-nocache]
11 [verb] [3]
12 [explicit-exit-notify] [5]
2020-12-06 08:11:08 EVENT: RESOLVE
2020-12-06 08:11:08 WARNING: Network filter and lock is disabled
2020-12-06 08:11:08 Contacting 185.103.96.145:443 via UDP
2020-12-06 08:11:08 EVENT: WAIT
2020-12-06 08:11:08 net_route_best_gw query IPv4: 185.103.96.145/32
2020-12-06 08:11:08 sitnl_route_best_gw result: via 192.168.1.1 dev eth0
2020-12-06 08:11:08 net_route_add: 185.103.96.145/32 via 192.168.1.1 dev eth0 table 0 metric 0
2020-12-06 08:11:08 Connecting to [185.103.96.145]:443 (185.103.96.145) via UDPv4
2020-12-06 08:11:09 EVENT: CONNECTING
2020-12-06 08:11:09 Tunnel Options:V4,dev-type tun,link-mtu 1522,tun-mtu 1500,proto UDPv4,comp-lzo,cipher CHACHA20-POLY1305,auth [null-digest],keysize 256,key-method 2,tls-client
2020-12-06 08:11:09 Peer Info:
IV_VER=3.6.6 AirVPN
IV_PLAT=linux
IV_TCPNL=1
IV_PROTO=30
IV_CIPHERS=CHACHA20-POLY1305
IV_LZO_STUB=1
IV_COMP_STUB=1
IV_COMP_STUBv2=1
UV_IPV6=no
IV_GUI_VER=Bluetit - AirVPN OpenVPN 3 Service 1.0.0 Beta 2
IV_SSL=OpenSSL 1.1.1d  10 Sep 2019

2020-12-06 08:11:09 VERIFY OK: depth=1, /C=IT/ST=IT/L=Perugia/O=airvpn.org/CN=airvpn.org CA/emailAddress=info@airvpn.org, signature: RSA-SHA1
2020-12-06 08:11:09 VERIFY OK: depth=0, /C=IT/ST=IT/L=Perugia/O=airvpn.org/CN=Alathfar/emailAddress=info@airvpn.org, signature: RSA-SHA512
2020-12-06 08:11:09 SSL Handshake: peer certificate: CN=Alathfar, 4096 bit RSA, cipher: TLS_CHACHA20_POLY1305_SHA256 TLSv1.3 Kx=any      Au=any  Enc=CHACHA20/POLY1305(256) Mac=AEAD

2020-12-06 08:11:09 Session is ACTIVE
2020-12-06 08:11:09 EVENT: WARN TLS: received certificate signed with SHA1. Please inform your admin to upgrade to a stronger algorithm. Support for SHA1 signatures will be dropped in the future
2020-12-06 08:11:09 EVENT: GET_CONFIG
2020-12-06 08:11:09 Sending PUSH_REQUEST to server...
2020-12-06 08:11:09 OPTIONS:
0 [comp-lzo] [no]
1 [redirect-gateway] [def1] [bypass-dhcp]
2 [dhcp-option] [DNS] [10.5.34.1]
3 [route-gateway] [10.5.34.1]
4 [topology] [subnet]
5 [ping] [10]
6 [ping-restart] [60]
7 [ifconfig] [10.5.34.103] [255.255.255.0]
8 [peer-id] [0]
9 [cipher] [CHACHA20-POLY1305]

2020-12-06 08:11:09 PROTOCOL OPTIONS:
  cipher: CHACHA20-POLY1305
  digest: NONE
  ncp enabled: no
  key-derivation: OpenVPN PRF
  compress: LZO_STUB
  peer ID: 0
  control channel: tls-crypt enabled
2020-12-06 08:11:09 EVENT: ASSIGN_IP
2020-12-06 08:11:09 VPN Server has pushed IPv4 DNS server 10.5.34.1
2020-12-06 08:11:09 Setting pushed IPv4 DNS server 10.5.34.1 in resolv.conf
2020-12-06 08:11:09 net_iface_mtu_set: mtu 1500 for tun0
2020-12-06 08:11:09 net_iface_up: set tun0 up
2020-12-06 08:11:09 net_addr_add: 10.5.34.103/24 brd 10.5.34.255 dev tun0
2020-12-06 08:11:09 net_route_add: 0.0.0.0/1 via 10.5.34.1 dev tun0 table 0 metric 0
2020-12-06 08:11:09 net_route_add: 128.0.0.0/1 via 10.5.34.1 dev tun0 table 0 metric 0
2020-12-06 08:11:09 Connected via tun
2020-12-06 08:11:09 LZO-ASYM init swap=0 asym=1
2020-12-06 08:11:09 Comp-stub init swap=0
2020-12-06 08:11:09 EVENT: CONNECTED 185.103.96.145:443 (185.103.96.145) via /UDPv4 on tun/10.5.34.103/ gw=[10.5.34.1/]
2020-12-06 08:11:09 Connected to AirVPN server Alathfar, Maidenhead (United Kingdom)
2020-12-06 08:12:09 ERROR: KEEPALIVE_TIMEOUT
2020-12-06 08:12:09 Session invalidated: KEEPALIVE_TIMEOUT
2020-12-06 08:12:09 Client terminated, restarting in 2000 ms...
2020-12-06 08:12:09 net_route_del: 128.0.0.0/1 via 10.5.34.1 dev tun0 table 0 metric 0
2020-12-06 08:12:09 net_route_del: 0.0.0.0/1 via 10.5.34.1 dev tun0 table 0 metric 0
2020-12-06 08:12:09 net_addr_del: 10.5.34.103/24 dev tun0
2020-12-06 08:12:09 net_iface_mtu_set: mtu 1500 for tun0
2020-12-06 08:12:09 net_iface_up: set tun0 down
2020-12-06 08:12:09 net_route_del: 185.103.96.145/32 via 192.168.1.1 dev eth0 table 0 metric 0
2020-12-06 08:12:11 EVENT: RECONNECTING
2020-12-06 08:12:11 Successfully restored DNS settings
2020-12-06 08:12:11 ERROR: N_RECONNECT
2020-12-06 08:12:11 EVENT: RESOLVE
2020-12-06 08:12:11 WARNING: Network filter and lock is disabled
2020-12-06 08:12:11 Contacting 185.103.96.145:443 via UDP
2020-12-06 08:12:11 EVENT: WAIT
2020-12-06 08:12:11 Connecting to [185.103.96.145]:443 (185.103.96.145) via UDPv4
2020-12-06 08:12:11 EVENT: CONNECTING
2020-12-06 08:12:11 Tunnel Options:V4,dev-type tun,link-mtu 1522,tun-mtu 1500,proto UDPv4,comp-lzo,cipher CHACHA20-POLY1305,auth [null-digest],keysize 256,key-method 2,tls-client
2020-12-06 08:12:11 Peer Info:
IV_VER=3.6.6 AirVPN
IV_PLAT=linux
IV_TCPNL=1
IV_PROTO=30
IV_CIPHERS=CHACHA20-POLY1305
IV_LZO_STUB=1
IV_COMP_STUB=1
IV_COMP_STUBv2=1
UV_IPV6=no
IV_GUI_VER=Bluetit - AirVPN OpenVPN 3 Service 1.0.0 Beta 2
IV_SSL=OpenSSL 1.1.1d  10 Sep 2019

2020-12-06 08:12:11 VERIFY OK: depth=1, /C=IT/ST=IT/L=Perugia/O=airvpn.org/CN=airvpn.org CA/emailAddress=info@airvpn.org, signature: RSA-SHA1
2020-12-06 08:12:11 VERIFY OK: depth=0, /C=IT/ST=IT/L=Perugia/O=airvpn.org/CN=Alathfar/emailAddress=info@airvpn.org, signature: RSA-SHA512
2020-12-06 08:12:11 SSL Handshake: peer certificate: CN=Alathfar, 4096 bit RSA, cipher: TLS_CHACHA20_POLY1305_SHA256 TLSv1.3 Kx=any      Au=any  Enc=CHACHA20/POLY1305(256) Mac=AEAD

2020-12-06 08:12:11 Session is ACTIVE
2020-12-06 08:12:11 EVENT: WARN TLS: received certificate signed with SHA1. Please inform your admin to upgrade to a stronger algorithm. Support for SHA1 signatures will be dropped in the future
2020-12-06 08:12:11 EVENT: GET_CONFIG
2020-12-06 08:12:11 Sending PUSH_REQUEST to server...
2020-12-06 08:12:11 OPTIONS:
0 [comp-lzo] [no]
1 [redirect-gateway] [def1] [bypass-dhcp]
2 [dhcp-option] [DNS] [10.5.42.1]
3 [route-gateway] [10.5.42.1]
4 [topology] [subnet]
5 [ping] [10]
6 [ping-restart] [60]
7 [ifconfig] [10.5.42.53] [255.255.255.0]
8 [peer-id] [0]
9 [cipher] [CHACHA20-POLY1305]

2020-12-06 08:12:11 PROTOCOL OPTIONS:
  cipher: CHACHA20-POLY1305
  digest: NONE
  ncp enabled: no
  key-derivation: OpenVPN PRF
  compress: LZO_STUB
  peer ID: 0
  control channel: tls-crypt enabled
2020-12-06 08:12:11 EVENT: ASSIGN_IP
2020-12-06 08:12:11 VPN Server has pushed IPv4 DNS server 10.5.42.1
2020-12-06 08:12:11 Setting pushed IPv4 DNS server 10.5.42.1 in resolv.conf
2020-12-06 08:12:11 net_iface_mtu_set: mtu 1500 for tun0
2020-12-06 08:12:11 net_iface_up: set tun0 up
2020-12-06 08:12:11 net_addr_add: 10.5.42.53/24 brd 10.5.42.255 dev tun0
2020-12-06 08:12:11 net_route_add: 0.0.0.0/1 via 10.5.42.1 dev tun0 table 0 metric 0
2020-12-06 08:12:11 net_route_add: 128.0.0.0/1 via 10.5.42.1 dev tun0 table 0 metric 0
2020-12-06 08:12:11 net_route_del: 128.0.0.0/1 via 10.5.34.1 dev tun0 table 0 metric 0
2020-12-06 08:12:11 sitnl_send: rtnl: generic error: No such process (-3)
2020-12-06 08:12:11 sitnl_send: rtnl: generic error: No such process (-3)
2020-12-06 08:12:11 net_addr_del: 10.5.34.103/24 dev tun0
2020-12-06 08:12:11 sitnl_send: rtnl: generic error: Cannot assign requested address (-99)
2020-12-06 08:12:11 net_iface_mtu_set: mtu 1500 for tun0
2020-12-06 08:12:11 net_iface_up: se

Thank you
Best regards

Christophe

Edited ... by OpenSourcerer
Apply LOG format to logs
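A small triage pass over the kind of log posted above, added here as an example; it is not part of the original posts or of the AirVPN Suite. The sample lines are copied from that log, and the three finding categories (and treating SHA1/MD5 as the digests to flag) are assumptions of this example.

```python
import re

# Lines copied from the log posted above.
SAMPLE_LOG = """\
2020-12-06 08:12:11 WARNING: Network filter and lock is disabled
2020-12-06 08:12:11 VERIFY OK: depth=1, /C=IT/ST=IT/L=Perugia/O=airvpn.org/CN=airvpn.org CA/emailAddress=info@airvpn.org, signature: RSA-SHA1
2020-12-06 08:12:11 VERIFY OK: depth=0, /C=IT/ST=IT/L=Perugia/O=airvpn.org/CN=Alathfar/emailAddress=info@airvpn.org, signature: RSA-SHA512
2020-12-06 08:12:11 sitnl_send: rtnl: generic error: No such process (-3)
2020-12-06 08:12:11 net_route_add: 0.0.0.0/1 via 10.5.42.1 dev tun0 table 0 metric 0
"""

LINE = re.compile(r"^(\d{4}-\d\d-\d\d \d\d:\d\d:\d\d) (.*)$")
VERIFY = re.compile(r"VERIFY OK: depth=(\d+), (.*), signature: (\S+)$")
CN = re.compile(r"/CN=([^/]+)")
FLAGGED_DIGESTS = ("SHA1", "MD5")  # assumption: digests this check reports


def audit(log_text):
    """Return (timestamp, kind, detail) findings for a Bluetit/Goldcrest log."""
    findings = []
    for raw in log_text.splitlines():
        m = LINE.match(raw.strip())
        if not m:
            continue  # peer info and pushed-option lines carry no timestamp
        ts, msg = m.groups()
        v = VERIFY.search(msg)
        if v:
            depth, subject, sig = v.groups()
            if sig.upper().endswith(FLAGGED_DIGESTS):
                cn = CN.search(subject)
                name = cn.group(1) if cn else "?"
                findings.append((ts, "cert-signature", f"depth={depth} CN={name} {sig}"))
        elif "Network filter and lock is disabled" in msg:
            findings.append((ts, "network-lock-off", msg))
        elif "rtnl: generic error: " in msg:
            # Route/address deletions that failed during the reconnect.
            findings.append((ts, "netlink-error", msg.split("generic error: ", 1)[1]))
    return findings


if __name__ == "__main__":
    for finding in audit(SAMPLE_LOG):
        print(*finding, sep=" | ")
```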

@clebretonfr

Hello!

Please consider that dnsmasq is not supported by Bluetit or Hummingbird. If you use it, DNS resolution is up to you exclusively. If DNS queries do not reach a third party DNS server, an option to consider is that the third party DNS rejects queries from AirVPN server(s).

About the problem at cold start, it will be investigated, thank you for your report!

Kind regards
 

Posted ... (edited)

I've just gone through a vanilla install of the new suite but I can't connect to any AirVPN servers.

When I try to connect I don't seem to see any AirVPN servers.

Configuration :
Raspberry Pi 4 Model B Rev 1.2
Raspbian 10.6 with last updates

Using Sysctl
 

airvpn@pidown:~ $ goldcrest --air-connect

2020-12-07 14:07:03 Reading run control directives from file /home/airvpn/.goldcrest.rc
Goldcrest 1.0.0 Beta 2 - 27 November 2020

2020-12-07 14:07:03 Bluetit - AirVPN OpenVPN 3 Service 1.0.0 Beta 2 - 27 November 2020
2020-12-07 14:07:03 OpenVPN core 3.6.6 AirVPN linux arm 32-bit
2020-12-07 14:07:03 Bluetit is ready
2020-12-07 14:07:03 Bluetit options successfully reset
2020-12-07 14:07:03 Bluetit successfully set to command line options
2020-12-07 14:07:03 Requesting AirVPN connection to Bluetit
2020-12-07 14:07:03 Logging in AirVPN user dL4l7dY6
2020-12-07 14:07:03 Requesting user IP and country to AirVPN ipleak.net via secure connection
2020-12-07 14:07:03 User IP: <my_ip>
2020-12-07 14:07:03 User country: GB
2020-12-07 14:07:03 AirVPN user dL4l7dY6 successfully logged in
2020-12-07 14:07:03 Auto quick connection mode enabled
2020-12-07 14:07:03 Starting quick connection to AirVPN server Orion, Alblasserdam (Netherlands)
2020-12-07 14:07:03 Trying protocol UDP, port 443, IP entry 3
2020-12-07 14:07:03 AirVPNUser::getOpenVPNProfile(): Wrong profile name <my_key>
2020-12-07 14:07:03 AirVPN server Orion does not exist

goldcrest.rc is pretty generic:
 
airvpn@pidown:~ $ cat .goldcrest.rc
#
# goldcrest runcontrol file
#

# air-server            <server_name>
# air-tls-mode          <auto|auth|crypt>
# air-ipv6              on
air-user                dL4l7dY6
air-password            <my_pass>
air-key                 <my_key>:w!
# cipher                <cipher_name>
# proto                 <udp|tcp>
# server                <server_ip|server_url>
# port                  <port>
# tcp-queue-limit       <n>
# ncp-disable           <yes|no>
# network-lock          <on|iptables|nftables|pf|off>
# ignore-dns-push       <yes|no>
# ipv6                  default
# timeout               <seconds>
# compress              <yes|no|asym>
# proxy-host            <host_ip|host_url>
# proxy-port            <port>
# proxy-username        <proxy_username>
# proxy-password        <proxy_password>
# proxy-basic           <yes|no>
# alt-proxy             <yes|no>
# persist-tun           <on|off>

Any ideas or hints?

Thanks

D Edited ... by dL4l7dY6
Added system config details

@dL4l7dY6

Hello and thank you for your tests and report!

Orion does exist so the error message is surely wrong. Maybe it is triggered by a wrong key name, can you please make sure that the key name (in goldcrest.rc option "air-key") matches exactly the "device" name in your control panel (i.e. "Default")? What happens if you don't specify any key in goldcrest.rc?

The suite log entry calls "profile" what your account control panel calls "device", according to the label picked in Eddie Android edition (not to be confused with an "OpenVPN profile", which is a configuration file). In reality "profiles" and "devices" in this context are all labels for client certificate/key pairs, and the suite correctly defines them as "keys" in the options.

We will work to make labels more coherent between Bluetit, the website and Eddie, and avoid calling them "profiles" to prevent confusion with OpenVPN profiles. Bluetit and Goldcrest already avoid the "profile" label; what you see in the log must be some "remainder" in logging. :)

Please keep us posted.


Kind regards
 

Posted ... (edited)
18 hours ago, Staff said:
@dL4l7dY6

Hello and thank you for your tests and report!

Orion does exist so the error message is surely wrong. Maybe it is triggered by a wrong key name, can you please make sure that the key name (in goldcrest.rc option "air-key") matches exactly the "device" name in your control panel (i.e. "Default")? What happens if you don't specify any key in goldcrest.rc?

The suite log entry calls "profile" what your account control panel calls "device", according to the label picked in Eddie Android edition (not to be confused with an "OpenVPN profile", which is a configuration file). In reality "profiles" and "devices" in this context are all client certificate/key pairs, and the suite correctly defines them as "keys" in the options.

We will work to make labels more coherent between Bluetit, the website and Eddie, and avoid calling them "profiles" to prevent confusion with OpenVPN profiles. Bluetit and Goldcrest already avoid the "profile" label; what you see in the log must be some "remainder" in logging. :)

Please keep us posted.


Kind regards
 

Thanks,

I changed the air-key in .goldcrest.rc to be "Default" and it works. I fully support renaming that entry :)

I also seem to have doubled my download speed:

Hummingbird 1.1.0:

 
airvpn@pidown:~ $ speedtest

   Speedtest by Ookla

     Server: PhoenixNAP Global IT Services - Amsterdam (id = 28922)
        ISP: Global Layer B.V.
    Latency:    25.42 ms   (2.18 ms jitter)
   Download:    40.06 Mbps (data used: 48.3 MB)
     Upload:    19.41 Mbps (data used: 25.0 MB)
Packet Loss:     0.0%

AirVPN Suite
airvpn@pidown:~ $ speedtest

   Speedtest by Ookla

     Server: LeaseWeb - Haarlem (id = 3587)
        ISP: Global Layer B.V.
    Latency:    26.32 ms   (1.42 ms jitter)
   Download:    64.93 Mbps (data used: 117.3 MB)
     Upload:    19.91 Mbps (data used: 10.2 MB)
Packet Loss:     0.0%
 

Although that's possibly down to config.

Thanks again

D Edited ... by dL4l7dY6


Hello!

We're very glad to inform you that AirVPN Suite 1.0.0 Beta 3 has just been released. It fixes every bug found and reported in this thread so far. Please feel free to verify!

Download URLs in the first message have been updated and now link to Beta 3.

Please feel free to download and keep testing, thank you!

Kind regards
 


I have two issues. First, when I quit goldcrest with Ctrl-C, it hangs and won't go back to ****@localhost:/usr/local/bin>

2020-12-12 12:16:48 EVENT: DISCONNECTED
2020-12-12 12:16:48 Successfully restored DNS settings
2020-12-12 12:16:48 Network filter successfully restored
2020-12-12 12:16:48 VPN session terminated


Second, when I shut down the console and then want to restart the console to log in to goldcrest, I get this (restart needed):

****@localhost:~> cd /usr/local/bin                                  
****@localhost:/usr/local/bin> ./goldcrest AirVPN_Netherlands_TCP-443-Entry3.ovpn
2020-12-12 12:17:51 Reading run control directives from file /home/****/.config/goldcrest.rc
Goldcrest 1.0.0 Beta 3 - 11 December 2020

2020-12-12 12:17:51 DBusConnectorException: DBusConnector: not primary owner (2)
****@localhost:/usr/local/bin>

 


I don't even get to connect anymore. --air-ipv6, --ipv6 and --air-6to4 are set to off via rc, but it seemingly uses IPv6 for connection.

$ sudo goldcrest -O
2020-12-12 17:38:56 Reading run control directives from file /root/.config/goldcrest.rc
Goldcrest 1.0.0 Beta 3 - 11 December 2020

2020-12-12 17:38:56 Bluetit - AirVPN OpenVPN 3 Service 1.0.0 Beta 3 - 11 December 2020
2020-12-12 17:38:56 OpenVPN core 3.6.6 AirVPN linux x86_64 64-bit
2020-12-12 17:38:56 Bluetit is ready
2020-12-12 17:38:56 Bluetit options successfully reset
2020-12-12 17:38:56 Bluetit successfully set to command line options
2020-12-12 17:38:56 Requesting AirVPN connection to Bluetit
2020-12-12 17:38:56 Logging in AirVPN user OpenSourcerer
2020-12-12 17:38:57 Requesting user IP and country to AirVPN ipleak.net via secure connection
2020-12-12 17:38:57 User IP: 2003::
2020-12-12 17:38:57 User country: DE
2020-12-12 17:38:57 AirVPN user OpenSourcerer successfully logged in
2020-12-12 17:38:57
2020-12-12 17:38:57 Logging out AirVPN user OpenSourcerer
2020-12-12 17:38:57 VPN session terminated

.

» I am not an AirVPN team member. All opinions are my own and are not official. Refer to Staff postings for the official word.

» These are the community forums, not the support portal. You're writing with other users here.

» New here? LZ1's New User Guide to AirVPN. Use the search function, Luke!

» Tor exits behind a VPN connection are discouraged. Using Tor on the other hand is not.

 

» Privacy is like alcohol: Drink a little and it can help you stay unnoticed. Drink a lot and everyone will notice you.

» I cannot give you the solution to all your issues. But I can guide you to it. The rest is up to you.

@OpenSourcerer

Hi,

can you post Bluetit log too, after the issue has occurred? If we remember correctly you run systemd based systems so:
sudo journalctl | grep bluetit

Kind regards
 

This topic is now closed to further replies.
