air2157 4 Posted ... Further to my previous post, 1.1.0 beta 2 goldcrest has the same problem trying to run over TCP. (BTW, forgot to add that I'm on x86_64) hummingbird correctly chooses TCP. Both goldcrest and hummingbird do not honour (at least) the "comp-lzo no" or "auth SHA512" directives. goldcrest: 2021-04-03 19:55:46 EVENT: CONNECTING 2021-04-03 19:55:46 Tunnel Options:V4,dev-type tun,link-mtu 1522,tun-mtu 1500,proto UDPv4,comp-lzo,cipher AES-256-GCM,auth [null-digest],keysize 256,key-method 2,tls-client 2021-04-03 19:55:46 Peer Info: IV_VER=3.6.6 AirVPN IV_PLAT=linux IV_NCP=2 IV_TCPNL=1 IV_PROTO=30 IV_CIPHERS=AES-256-GCM IV_LZO_STUB=1 IV_COMP_STUB=1 IV_COMP_STUBv2=1 UV_IPV6=no IV_GUI_VER=Bluetit - AirVPN OpenVPN 3 Service 1.1.0 Beta 2 IV_SSL=OpenSSL 1.1.0l 10 Sep 2019 hummingbird: Sat Apr 3 20:00:35.929 2021 EVENT: CONNECTING Sat Apr 3 20:00:35.930 2021 Tunnel Options:V4,dev-type tun,link-mtu 1524,tun-mtu 1500,proto TCPv4_CLIENT,comp-lzo,cipher AES-256-GCM,auth [null-digest],keysize 256,key-method 2,tls-client Sat Apr 3 20:00:35.930 2021 Peer Info: IV_VER=3.6.6 AirVPN IV_PLAT=linux IV_NCP=2 IV_TCPNL=1 IV_PROTO=30 IV_CIPHERS=AES-256-GCM IV_LZO_STUB=1 IV_COMP_STUB=1 IV_COMP_STUBv2=1 UV_IPV6=no IV_GUI_VER=Hummingbird - AirVPN OpenVPN 3 Client 1.1.2 Beta 2 IV_SSL=OpenSSL 1.1.0l 10 Sep 2019 Share this post Link to post
Staff 10014 Posted ... @air2157 Hello! Thanks for your tests. Some information you need to consider for a preliminary check: bluetit.rc directives overrde Goldcrest options, Goldrect configuraiton file directives, and profile directives Goldcrest command line options override Goldcrest configuration file and ovpn profile That said, the tiny log excerpts you publish do not help. Please send us complete log, especially by Bluetit, and make sure you don't cut entries. Try also directive proto tcp in place of proto tcp-client. From a shell with root privileges (or you can use sudo if you have it installed) in a systemd based system you can print the whole Bluetit log with the following command: journalctl | grep bluetit Please edit any personal information if necessary and publish integrally. Quote Both goldcrest and hummingbird do not honour (at least) the "comp-lzo no" or "auth SHA512" directives. comp-lzo no behavior in OpenPVN3 is under out attention already. We have fixed several disconcerting bugs from OpenVPN 3 main branch into our fork. Please be patient, if it comes out that it's another bug, we will fix it too.auth behavior seems fine, though. What is the anomaly you detect? Before you answer, make sure that you understand how auth directive works (check in https://openvpn.net/community-resources/reference-manual-for-openvpn-2-4/). Remember that auth does not affect AEAD ciphers in the Data Channel and does not affect tls-crypt based connections. Furthermore, compare with the tls-ciphers and data-cipher directives in our servers reported here below (you can see them by clicking any server name in the server monitor (https://airvpn.org/status): Ciphers TLS: TLS-DHE-RSA-WITH-CHACHA20-POLY1305-SHA256 TLS-DHE-RSA-WITH-AES-256-GCM-SHA384 TLS-DHE-RSA-WITH-AES-256-CBC-SHA256 TLS-DHE-RSA-WITH-AES-256-CBC-SHA Ciphers Data: CHACHA20-POLY1305 AES-256-GCM AES-256-CBC AES-192-GCM AES-192-CBC AES-128-GCM AES-128-CBC Kind regards Share this post Link to post
air2157 4 Posted ... 3 hours ago, Staff said: bluetit.rc directives overrde Goldcrest options, Goldrect configuraiton file directives, and profile directives Default, as installed. 3 hours ago, Staff said: Goldcrest command line options override Goldcrest configuration file and ovpn profile No command line options used. Just "sudo goldcrest <config-file>" /root/goldcrest.rc is default, ie as instaled. 3 hours ago, Staff said: Try also directive proto tcp in place of proto tcp-client. Already mentioned. But now "proto tcp". No change. 3 hours ago, Staff said: journalctl | grep bluetit Apr 04 13:56:40 air-eur bluetit[797]: Requested method "version" Apr 04 13:56:40 air-eur bluetit[797]: Requested method "openvpn_info" Apr 04 13:56:40 air-eur bluetit[797]: Requested method "bluetit_status -> Bluetit is ready" Apr 04 13:56:40 air-eur bluetit[797]: Requested method "reset_bluetit_options -> Bluetit options successfully reset" Apr 04 13:56:40 air-eur bluetit[797]: Requested method "set_openvpn_profile -> OK" Apr 04 13:56:40 air-eur bluetit[797]: Requested method "start_connection" Apr 04 13:56:40 air-eur bluetit[797]: OpenVPN3 connection successfully started Apr 04 13:56:40 air-eur bluetit[797]: Network filter and lock are using iptables-legacy Apr 04 13:56:40 air-eur bluetit[797]: Successfully loaded kernel module iptable_filter Apr 04 13:56:40 air-eur bluetit[797]: Successfully loaded kernel module iptable_nat Apr 04 13:56:40 air-eur bluetit[797]: Successfully loaded kernel module iptable_mangle Apr 04 13:56:40 air-eur bluetit[797]: Successfully loaded kernel module iptable_security Apr 04 13:56:40 air-eur bluetit[797]: Successfully loaded kernel module iptable_raw Apr 04 13:56:40 air-eur bluetit[797]: Successfully loaded kernel module ip6table_filter Apr 04 13:56:40 air-eur bluetit[797]: Successfully loaded kernel module ip6table_nat Apr 04 13:56:40 air-eur bluetit[797]: Successfully loaded kernel module ip6table_mangle Apr 04 13:56:40 air-eur bluetit[797]: Successfully loaded kernel module ip6table_security Apr 04 13:56:40 air-eur bluetit[797]: Successfully loaded kernel module ip6table_raw Apr 04 13:56:40 air-eur bluetit[797]: Network filter successfully initialized Apr 04 13:56:40 air-eur bluetit[797]: Starting VPN Connection Apr 04 13:56:41 air-eur bluetit[797]: OpenVPN3 client successfully created and initialized. Apr 04 13:56:41 air-eur bluetit[797]: TUN persistence is enabled. Apr 04 13:56:41 air-eur bluetit[797]: Successfully set OpenVPN3 client configuration Apr 04 13:56:41 air-eur bluetit[797]: Starting OpenVPN3 connection thread Apr 04 13:56:41 air-eur bluetit[797]: OpenVPN core 3.6.6 AirVPN linux x86_64 64-bit Apr 04 13:56:41 air-eur bluetit[797]: Connection statistics updater thread started Apr 04 13:56:41 air-eur bluetit[797]: Frame=512/2048/512 mssfix-ctrl=1250 Apr 04 13:56:41 air-eur bluetit[797]: UNUSED OPTIONS 0 [script-security] [2] 4 [resolv-retry] [infinite] 5 [nobind] 6 [persist-key] 7 [persist-tun] 8 [auth-nocache] 9 [route-delay] [5] 10 [verb] [4] Apr 04 13:56:41 air-eur bluetit[797]: EVENT: RESOLVE Apr 04 13:56:41 air-eur bluetit[797]: Local IPv4 address 10.137.0.77 Apr 04 13:56:41 air-eur bluetit[797]: Local IPv6 address fe80::216:3eff:fe5e:6c00 Apr 04 13:56:41 air-eur bluetit[797]: Local interface eth0 Apr 04 13:56:41 air-eur bluetit[797]: Setting up network filter and lock Apr 04 13:56:41 air-eur bluetit[797]: Allowing system DNS 10.139.1.1 to pass through the network filter Apr 04 13:56:41 air-eur bluetit[797]: Allowing system DNS 10.139.1.2 to pass through the network filter Apr 04 13:56:41 air-eur bluetit[797]: Resolved server europe3.vpn.airdns.org into IPv4 128.127.104.82 Apr 04 13:56:41 air-eur bluetit[797]: Adding IPv4 server 128.127.104.82 to network filter Apr 04 13:56:41 air-eur bluetit[797]: Network filter and lock successfully activated Apr 04 13:56:41 air-eur bluetit[797]: Contacting 128.127.104.82:443 via UDP Apr 04 13:56:41 air-eur bluetit[797]: EVENT: WAIT Apr 04 13:56:41 air-eur bluetit[797]: net_route_best_gw query IPv4: 128.127.104.82/32 Apr 04 13:56:41 air-eur bluetit[797]: sitnl_route_best_gw result: via 10.137.0.5 dev eth0 Apr 04 13:56:41 air-eur bluetit[797]: net_route_add: 128.127.104.82/32 via 10.137.0.5 dev eth0 table 0 metric 0 Apr 04 13:56:41 air-eur bluetit[797]: Connecting to [europe3.vpn.airdns.org]:443 (128.127.104.82) via UDPv4 Apr 04 13:56:41 air-eur bluetit[797]: EVENT: CONNECTING Apr 04 13:56:41 air-eur bluetit[797]: Tunnel Options:V4,dev-type tun,link-mtu 1522,tun-mtu 1500,proto UDPv4,comp-lzo,cipher AES-256-GCM,auth [null-digest],keysize 256,key-method 2,tls-client Apr 04 13:56:41 air-eur bluetit[797]: Peer Info: IV_VER=3.6.6 AirVPN IV_PLAT=linux IV_NCP=2 IV_TCPNL=1 IV_PROTO=30 IV_CIPHERS=AES-256-GCM IV_LZO_STUB=1 IV_COMP_STUB=1 IV_COMP_STUBv2=1 UV_IPV6=no IV_GUI_VER=Bluetit - AirVPN OpenVPN 3 Service 1.1.0 Beta 2 IV_SSL=OpenSSL 1.1.0l 10 Sep 2019 Apr 04 13:56:42 air-eur bluetit[797]: VERIFY OK: depth=1, /C=IT/ST=IT/L=Perugia/O=airvpn.org/CN=airvpn.org CA/emailAddress=info@airvpn.org, signature: RSA-SHA1 Apr 04 13:56:42 air-eur bluetit[797]: VERIFY OK: depth=0, /C=IT/ST=IT/L=Perugia/O=airvpn.org/CN=Ain/emailAddress=info@airvpn.org, signature: RSA-SHA512 Apr 04 13:56:42 air-eur bluetit[797]: SSL Handshake: peer certificate: CN=Ain, 4096 bit RSA, cipher: TLS_CHACHA20_POLY1305_SHA256 TLSv1.3 Kx=any Au=any Enc=CHACHA20/POLY1305(256) Mac=AEAD Apr 04 13:56:42 air-eur bluetit[797]: Session is ACTIVE Apr 04 13:56:42 air-eur bluetit[797]: EVENT: WARN TLS: received certificate signed with SHA1. Please inform your admin to upgrade to a stronger algorithm. Support for SHA1 signatures will be dropped in the future Apr 04 13:56:42 air-eur bluetit[797]: EVENT: GET_CONFIG Apr 04 13:56:42 air-eur bluetit[797]: Sending PUSH_REQUEST to server... Apr 04 13:56:42 air-eur bluetit[797]: OPTIONS: 0 [comp-lzo] [no] 1 [redirect-gateway] [def1] [bypass-dhcp] 2 [dhcp-option] [DNS] [10.64.102.1] 3 [route-gateway] [10.64.102.1] 4 [topology] [subnet] 5 [ping] [10] 6 [ping-restart] [60] 7 [ifconfig] [10.64.102.242] [255.255.255.0] 8 [peer-id] [2] 9 [cipher] [AES-256-GCM] Apr 04 13:56:42 air-eur bluetit[797]: PROTOCOL OPTIONS: cipher: AES-256-GCM digest: NONE ncp enabled: yes key-derivation: OpenVPN PRF compress: LZO_STUB peer ID: 2 control channel: tls-crypt enabled Apr 04 13:56:42 air-eur bluetit[797]: EVENT: ASSIGN_IP Apr 04 13:56:42 air-eur bluetit[797]: VPN Server has pushed IPv4 DNS server 10.64.102.1 Apr 04 13:56:43 air-eur bluetit[797]: Setting pushed IPv4 DNS server 10.64.102.1 in resolv.conf Apr 04 13:56:43 air-eur bluetit[797]: net_iface_mtu_set: mtu 1500 for tun0 Apr 04 13:56:43 air-eur bluetit[797]: net_iface_up: set tun0 up Apr 04 13:56:43 air-eur bluetit[797]: net_addr_add: 10.64.102.242/24 brd 10.64.102.255 dev tun0 Apr 04 13:56:43 air-eur bluetit[797]: net_route_add: 0.0.0.0/1 via 10.64.102.1 dev tun0 table 0 metric 0 Apr 04 13:56:43 air-eur bluetit[797]: net_route_add: 128.0.0.0/1 via 10.64.102.1 dev tun0 table 0 metric 0 Apr 04 13:56:43 air-eur bluetit[797]: TunPersist: saving tun context: Session Name: europe3.vpn.airdns.org Layer: OSI_LAYER_3 Remote Address: 128.127.104.82 Tunnel Addresses: 10.64.102.242/24 -> 10.64.102.1 Reroute Gateway: IPv4=1 IPv6=0 flags=[ ENABLE REROUTE_GW DEF1 BYPASS_DHCP IPv4 ] Block IPv6: no Add Routes: Exclude Routes: DNS Servers: 10.64.102.1 Search Domains: Apr 04 13:56:43 air-eur bluetit[797]: Connected via tun Apr 04 13:56:43 air-eur bluetit[797]: LZO-ASYM init swap=0 asym=1 Apr 04 13:56:43 air-eur bluetit[797]: Comp-stub init swap=0 Apr 04 13:56:43 air-eur bluetit[797]: EVENT: CONNECTED europe3.vpn.airdns.org:443 (128.127.104.82) via /UDPv4 on tun/10.64.102.242/ gw=[10.64.102.1/] Apr 04 13:56:43 air-eur bluetit[797]: Server has pushed its own DNS. Removing system DNS from network filter. Apr 04 13:56:43 air-eur bluetit[797]: System DNS 10.139.1.1 is now rejected by the network filter Apr 04 13:56:43 air-eur bluetit[797]: System DNS 10.139.1.2 is now rejected by the network filter Apr 04 13:56:46 air-eur bluetit[797]: Requested method "bluetit_status -> Bluetit is connected to VPN" Apr 04 13:56:46 air-eur bluetit[797]: Requested method "stop_connection" Apr 04 13:56:46 air-eur bluetit[797]: Stopping OpenVPN3 connection thread Apr 04 13:56:46 air-eur bluetit[797]: Connection statistics updater thread finished Apr 04 13:56:46 air-eur bluetit[797]: net_route_del: 128.0.0.0/1 via 10.64.102.1 dev tun0 table 0 metric 0 Apr 04 13:56:46 air-eur bluetit[797]: net_route_del: 0.0.0.0/1 via 10.64.102.1 dev tun0 table 0 metric 0 Apr 04 13:56:46 air-eur bluetit[797]: net_addr_del: 10.64.102.242/24 dev tun0 Apr 04 13:56:46 air-eur bluetit[797]: net_iface_mtu_set: mtu 1500 for tun0 Apr 04 13:56:46 air-eur bluetit[797]: net_iface_up: set tun0 down Apr 04 13:56:46 air-eur bluetit[797]: net_route_del: 128.127.104.82/32 via 10.137.0.5 dev eth0 table 0 metric 0 Apr 04 13:56:46 air-eur bluetit[797]: EVENT: DISCONNECTED Apr 04 13:56:46 air-eur bluetit[797]: Successfully restored DNS settings Apr 04 13:56:47 air-eur bluetit[797]: Network filter successfully restored Apr 04 13:56:47 air-eur bluetit[797]: OpenVPN3 connection thread finished Apr 04 13:56:47 air-eur bluetit[797]: OpenVPN3 connection thread successfully terminated 3 hours ago, Staff said: auth behavior seems fine, though. What is the anomaly you detect? The config file option is "auth SHA512". The log shows "auth [null-digest]. Unfortunately, setting verbosity 4 provided no more detail, so it's difficult to say which HMAC, if any, it's using. By contrast OpenVPN 2.4.7 (Debian) in verb 4 shows: Sun Apr 4 14:15:08 2021 us=897579 authname = 'SHA512' HTH Share this post Link to post
Staff 10014 Posted ... @air2157 Hello! The Bluetit log is strangely cut and the missing part is exactly what we need to see to understand what options Bluetit receives from Goldcrest. Please try again, we need a complete log. The cut part is about the initial dozen entries just before the following one: Apr 04 13:56:40 air-eur bluetit[797]: Requested method "version" What we can see from the log is that the auth behavior is perfect, no problems here, while comp-lzo no doubts remain. We will investigate the issue. In the meantime, if you urgently need a TCP connection (but of course use UDP whenever possible), bypass the configuration file by forcing TCP mode by Goldcrest command line or Bluetit configuration file. As a side note (totally unrelated to the current matter anyway), we see that you run Goldcrest with root privileges, so you discard an important part of the client-daemon security model. You might like to avoid unnecessary privileges to Goldcrest and run Goldcrest from any user in the airvpn group. Kind regards Share this post Link to post
air2157 4 Posted ... I guess you mean this bit: Apr 04 13:51:03 air-eur bluetit[756]: Starting Bluetit - AirVPN OpenVPN 3 Service 1.1.0 Beta 2 - 2 April 2021 Apr 04 13:51:03 air-eur bluetit[756]: OpenVPN core 3.6.6 AirVPN linux x86_64 64-bit Apr 04 13:51:03 air-eur bluetit[756]: Copyright (C) 2012-2020 OpenVPN Inc. All rights reserved. Apr 04 13:51:03 air-eur bluetit[797]: Bluetit daemon started with PID 797 Apr 04 13:51:03 air-eur bluetit[797]: External network is reachable via gateway 10.137.0.5 through interface eth0 Apr 04 13:51:03 air-eur bluetit[797]: Successfully connected to D-Bus Apr 04 13:51:03 air-eur bluetit[797]: Reading run control directives from file /etc/airvpn/bluetit.rc Apr 04 13:51:03 air-eur bluetit[797]: IPv6 is available in this system Apr 04 13:51:03 air-eur bluetit[797]: Bluetit successfully initialized and ready Apr 04 13:51:03 air-eur bluetit[797]: Requesting network IP and country to AirVPN ipleak.net via secure connection Apr 04 13:51:05 air-eur bluetit[797]: Network IP: XX.XX.XX.XX Apr 04 13:51:05 air-eur bluetit[797]: System country: XX Apr 04 13:51:05 air-eur bluetit[797]: AirVPN Manifest updater thread started Apr 04 13:51:05 air-eur bluetit[797]: AirVPN Manifest update interval is 15 minutes Apr 04 13:51:05 air-eur bluetit[797]: Updating AirVPN Manifest Goldcrest will (does) run as a systemd service in a secured VM that will become my local gateway, so root access will make no odds either way. Nevertheless, I'll probably run goldcrest with reduced privileges, but one step at a time... For now, I'm just trying things out. If I need TCP -- and I usually do, because of ISP restrictions -- I can stay with OpenVPN. Share this post Link to post
sooprtruffaut 5 Posted ... Hello, I'm having trouble with Bluetit. I'm on X86_64. When using Bluetit to start a connection at boot, everything starts and runs as normal. However, eventually it will break with the following error: TUN write exception: write_some: Input/output error ERROR: TUN_WRITE_ERROR I'm not sure if it's a bug or a problem with the configuration I'm using in the bluetit.rc file. Let me know if you need any logs. Thanks PS: This is a problem I noticed in the Beta1 release, as well. Share this post Link to post
pjnsmb 13 Posted ... Hello @Staff Regarding -Bluetit now waits for the system to set up properly gateway and gateway interface. Therefore, even when launched by some init system prematurely during bootstrap, and in any other circumstance, Bluetit can autonomously decide when it's time to proceed, as soon as the network link is up, avoiding errors due to network unavailability Beta 2 seems better for me regarding my posts from 15th March on beta 1 startup but : 1. Upon bootup on an unaltered bluetit.rc file I still get : systemctl status bluetit still shows the line -desktop bluetit[3127]: ERROR: Cannot detect system location: Cannot resolve ipleak.net 2. Upon systemctl restart bluetit bluetit then shows the lines : desktop bluetit[13260]: Requesting network IP and country to AirVPN ipleak.net via secure connection Apr 04 07:19:28 desktop bluetit[13260]: Network IP: 2a02:c7f:cc09:d900:e8e0:78ab:dbaa:b120 Apr 04 07:19:28 desktop bluetit[13260]: System country: GB Apr 04 07:19:28 desktop bluetit[13260]: AirVPN Manifest updater thread startedso I have a successful connection on restart of bluetit 3. If I enter GB as a country code into bluetit.rc on bootup I get : top bluetit[3179]: Successfully connected to D-Bus Apr 05 06:36:51 desktop bluetit[3179]: Reading run control directives from file /etc/airvpn/bluetit.rc Apr 05 06:36:51 desktop bluetit[3179]: IPv6 is available in this system Apr 05 06:36:51 desktop bluetit[3179]: System country set to GB by Bluetit policy. Apr 05 06:36:51 desktop bluetit[3179]: Bluetit successfully initialized and ready Apr 05 06:36:51 desktop bluetit[3179]: AirVPN Manifest updater thread started so I have a successful connection on bootup. hope this is clear and helps................ Hide pjnsmb's signature Hide all signatures regardspjnsmb Share this post Link to post
Staff 10014 Posted ... Hello!@sooprtruffaut What is your Linux distribution name and exact version? When you get the error can you please check whether the tun network interface is still up? According to your distribution you might enter from a shell the command ifconfig or ip a .@pjnsmb Your system can't (at the moment of the error) resolve names. Eddie checks whether the network is up by looking for a valid gateway, it does not check whether nameservers are set and/or work, and it will not enforce a Network Lock exception, not even to resolve ipleak.net, during bootstrap. Implementing such a function is very questionable, because it would require a query to the external world as soon as the network is up, which might not be what the administrator wants when she sets permanent network lock. Resolve the issue easily either by forcing your country in the bluetit.rc as you already did (recommended solution) or by having ipleak.net resolved by the /etc/hosts file. In general setting the proper country in bluetit.rc is recommended because you won't depend anymore on ipleak.net and at the same time you will not need another entry in hosts .Everybody running OSMC, Raspbian or any other 32 bit Linux: you do not have crashes anymore, right? We already have a few confirmations that the problem is resolved, but we'd love hearing from you as well. Kind regards Share this post Link to post
tOjO 1 Posted ... @Staff, I tested the beta 2 after an uninstall of beta 1 and the bluetit daemon hasn't crashed anymore when the bandwidth is on high load. The problem seems indeed to be resolved. Well done ! 😉 Grts, Tom 1 Staff reacted to this Share this post Link to post
air2157 4 Posted ... 5 hours ago, pjnsmb said: Upon bootup on an unaltered bluetit.rc file I still get : systemctl status bluetit still shows the line -desktop bluetit[3127]: ERROR: Cannot detect system location: Cannot resolve ipleak.net That sounds like either the network isn't fully working or DNS is not yet fully working before bluetit starts. You can try a hacky "ExecStartPre=/bin/sleep 5" to the /etc/systemd/system/bluetit.service file. That will delay the start of bluetit for 5 seconds. Reboot and see if it helps. 1 pjnsmb reacted to this Share this post Link to post
Staff 10014 Posted ... On 4/3/2021 at 9:06 PM, air2157 said: Further to my previous post, 1.1.0 beta 2 goldcrest has the same problem trying to run over TCP. (BTW, forgot to add that I'm on x86_64) Hello! Bluetit settings can't be overridden by a profile. The logic behind it is that a profile can be used by anyone in the airvpn group, while bluetit.rc is strictly reserved to root. If not otherwise specified either in Bluetit configuration file, Goldcrest command line options, or Goldcrest configuration file, proto is set to UDP and port to 443. Change them according to your preferences, for example when you invoke Goldcrest (options --proto and --port in this case), or specify the options in goldcrest.rc (while an airvpn group user can bypass goldcrest.rc settings, she can't bypass bluetit.rc settings, except the default ones) . Also remember that Bluetit is fully integrated with AirVPN, so you don't need ovpn profiles/configuration files. Kind regards Share this post Link to post
air2157 4 Posted ... Thank you for your reply. 35 minutes ago, Staff said: Bluetit settings can't be overridden by a profile. The logic behind it is that a profile can be used by anyone in the airvpn group, while bluetit.rc is strictly reserved to root. As I have mentioned on several occasions, bluetit.rc contains no settings (ie all settings except bootstrap servers and RSA parameters are commented out . So, this part doesn't seem to be relevant to my problem, since all bluetit settings are default. 35 minutes ago, Staff said: If not otherwise specified either in Bluetit configuration file, Goldcrest command line options, or Goldcrest configuration file, proto is set to UDP and port to 443. This is the crux of the problem. proto is not explicitly set either in bluetit.rc or in goldcrest.rc. However, it is explicitly specified in the configuration file, air-eur.conf -- as proto tcp (or proto tcp-client) . So are you saying that when I run goldcrest air-eur.conf, goldcrest will actually ignore some -- but clearly not all -- of the settings in the OpenVPN configuration file, even though they are not explicitly set in either bluetit.rc or goldcrest.rc? Share this post Link to post
Staff 10014 Posted ... 2 minutes ago, air2157 said: So are you saying that when I run goldcrest air-eur.conf, goldcrest will actually ignore some -- but clearly not all -- of the settings in the OpenVPN configuration file, even though they are not explicitly set in either bluetit.rc or goldcrest.rc? Hello! Exactly. Kind regards Share this post Link to post
air2157 4 Posted ... 6 minutes ago, Staff said: Exactly. Really? Is this documented anywhere, including which settings are honoured / ignored? With respect, this is not a sensible approach. If a setting is not specified in either bluetit.rc or goldcrest.rc, the setting in the OpenVPN configuration file should be honoured. To selectively ignore some settings from the .ovpn files makes little sense. 1 OpenSourcerer reacted to this Share this post Link to post
Staff 10014 Posted ... 2 hours ago, air2157 said: Really? Is this documented anywhere, including which settings are honoured / ignored? Hello! In the documentation you find all the Bluetit options with their default value, and it is explained that Bluetit configuration file overrides anything coming from Goldcrest or any other client: https://airvpn.org/suite/readme/#run-control-file However, "proto" and "port" default values are reported as "empty" and this is a mistake, as they are respectively "udp" and "443". We will fix this soon, we apologize if it created confusion. Quote With respect, this is not a sensible approach. If a setting is not specified in either bluetit.rc or goldcrest.rc, the setting in the OpenVPN configuration file should be honoured. To selectively ignore some settings from the .ovpn files makes little sense. In general, the profile (as well as Goldcrest options) can be created and enforced by airvpn group users, while bluetit.rc is exclusive root competence, so the final word must come from bluetit.rc, that plays the watchdog role, coherently with the access model of a client/daemon architecture in UNIX (further improved by D-Bus in this case). Therefore, the system administrator can have at the same time both a fine grained control over access to a sensitive service which modifies extremely important system parts (gateway, DNS, firewall rules, routing table, virtual network interface) and additional security against some types of attacks aimed at the user(s) who can launch Goldcrest. We consider it as a very sensible and proper approach. If you prefer a "root or nothing" approach then you don't need a client, a daemon and an access policy via D-Bus. We offer the simpler Hummingbird, which can be run by root only, needs a profile but adds important features not offered by OpenVPN, in particular refined DNS handling covering all the numerous DNS "modes" available in Linux, and Network Lock supporting the major Linux firewalls. Kind regards Share this post Link to post
sooprtruffaut 5 Posted ... (edited) Hello, 23 hours ago, Staff said: What is your Linux distribution name and exact version? When you get the error can you please check whether the tun network interface is still up? According to your distribution you might enter from a shell the command ifconfig or ip a . I'll answer the question about the tun0 when my system produces the error again! This is the longest it's gone without any issue. As for the distro, it's Ubuntu 20.04.2 LTS (GNU/Linux 5.4.0-70-generic x86_64) UPDATE Error finally happened again. Here's the log: Apr 06 15:56:07 dockerbox bluetit[42995]: Tunnel Options:V4,dev-type tun,link-mtu 1522,tun-mtu 1500,proto UDPv4,comp-lzo,cipher AES-256-GCM,auth [null-digest],keysize 256,key-method 2,tls-client Apr 06 15:56:07 dockerbox bluetit[42995]: Peer Info: IV_VER=3.6.6 AirVPN IV_PLAT=linux IV_TCPNL=1 IV_PROTO=30 IV_CIPHERS=AES-256-GCM IV_LZO_STUB=1 IV_COMP_STUB=1 IV_COMP_STUBv2=1 UV_IPV6=no IV_GUI_VER=Bluetit - AirVPN OpenVPN 3 Service 1.1.0 Beta 2 IV_SSL=OpenSSL 1.1.0l 10 Sep 2019 Apr 06 15:56:08 dockerbox bluetit[42995]: VERIFY OK: depth=1, /C=IT/ST=IT/L=Perugia/O=airvpn.org/CN=airvpn.org CA/emailAddress=info@airvpn.org, signature: RSA-SHA1 Apr 06 15:56:08 dockerbox bluetit[42995]: VERIFY OK: depth=0, /C=IT/ST=IT/L=Perugia/O=airvpn.org/CN=Xuange/emailAddress=info@airvpn.org, signature: RSA-SHA512 Apr 06 15:57:07 dockerbox bluetit[42995]: ERROR: KEV_NEGOTIATE_ERROR Apr 06 15:57:07 dockerbox bluetit[42995]: ERROR: HANDSHAKE_TIMEOUT Apr 06 15:57:08 dockerbox bluetit[42995]: ERROR: KEY_STATE_ERROR Apr 06 15:58:07 dockerbox bluetit[42995]: ERROR: KEV_NEGOTIATE_ERROR Apr 06 15:58:07 dockerbox bluetit[42995]: ERROR: HANDSHAKE_TIMEOUT Apr 06 15:58:09 dockerbox bluetit[42995]: ERROR: KEEPALIVE_TIMEOUT Apr 06 15:58:09 dockerbox bluetit[42995]: Session invalidated: KEEPALIVE_TIMEOUT Apr 06 15:58:09 dockerbox bluetit[42995]: Client terminated, restarting in 2000 ms... Apr 06 15:58:09 dockerbox bluetit[42995]: net_route_del: 128.0.0.0/1 via 10.10.22.1 dev tun0 table 0 metric 0 Apr 06 15:58:09 dockerbox bluetit[42995]: net_route_del: 0.0.0.0/1 via 10.10.22.1 dev tun0 table 0 metric 0 Apr 06 15:58:09 dockerbox bluetit[42995]: net_addr_del: 10.10.22.2/24 dev tun0 Apr 06 15:58:09 dockerbox bluetit[42995]: net_iface_mtu_set: mtu 1500 for tun0 Apr 06 15:58:09 dockerbox bluetit[42995]: net_iface_up: set tun0 down Apr 06 15:58:09 dockerbox bluetit[42995]: net_route_del: 79.142.69.162/32 via 192.168.1.254 dev enp0s31f6 table 0 metric 0 Apr 06 15:58:11 dockerbox bluetit[42995]: EVENT: RECONNECTING Apr 06 15:58:11 dockerbox bluetit[42995]: Successfully restored DNS settings Apr 06 15:58:11 dockerbox bluetit[42995]: Restoring systemd-resolved DNS settings Apr 06 15:58:11 dockerbox bluetit[42995]: ERROR: N_RECONNECT Apr 06 15:58:11 dockerbox bluetit[42995]: EVENT: RESOLVE Apr 06 15:58:11 dockerbox bluetit[42995]: Contacting 79.142.69.162:443 via UDP Apr 06 15:58:11 dockerbox bluetit[42995]: EVENT: WAIT Apr 06 15:58:11 dockerbox bluetit[42995]: Connecting to [79.142.69.162]:443 (79.142.69.162) via UDPv4 Apr 06 15:58:11 dockerbox bluetit[42995]: EVENT: CONNECTING Apr 06 15:58:11 dockerbox bluetit[42995]: Tunnel Options:V4,dev-type tun,link-mtu 1522,tun-mtu 1500,proto UDPv4,comp-lzo,cipher AES-256-GCM,auth [null-digest],keysize 256,key-method 2,tls-client Apr 06 15:58:11 dockerbox bluetit[42995]: Peer Info: IV_VER=3.6.6 AirVPN IV_PLAT=linux IV_TCPNL=1 IV_PROTO=30 IV_CIPHERS=AES-256-GCM IV_LZO_STUB=1 IV_COMP_STUB=1 IV_COMP_STUBv2=1 UV_IPV6=no IV_GUI_VER=Bluetit - AirVPN OpenVPN 3 Service 1.1.0 Beta 2 IV_SSL=OpenSSL 1.1.0l 10 Sep 2019 Apr 06 15:58:12 dockerbox bluetit[42995]: VERIFY OK: depth=1, /C=IT/ST=IT/L=Perugia/O=airvpn.org/CN=airvpn.org CA/emailAddress=info@airvpn.org, signature: RSA-SHA1 Apr 06 15:58:12 dockerbox bluetit[42995]: VERIFY OK: depth=0, /C=IT/ST=IT/L=Perugia/O=airvpn.org/CN=Xuange/emailAddress=info@airvpn.org, signature: RSA-SHA512 Apr 06 15:58:12 dockerbox bluetit[42995]: SSL Handshake: peer certificate: CN=Xuange, 4096 bit RSA, cipher: TLS_CHACHA20_POLY1305_SHA256 TLSv1.3 Kx=any Au=any Enc=CHACHA20/POLY1305(256) Mac=AEAD Apr 06 15:58:12 dockerbox bluetit[42995]: Session is ACTIVE Apr 06 15:58:12 dockerbox bluetit[42995]: EVENT: WARN TLS: received certificate signed with SHA1. Please inform your admin to upgrade to a stronger algorithm. Support for SHA1 signatures will be dropped in the future Apr 06 15:58:12 dockerbox bluetit[42995]: EVENT: GET_CONFIG Apr 06 15:58:12 dockerbox bluetit[42995]: Sending PUSH_REQUEST to server... Apr 06 15:58:12 dockerbox bluetit[42995]: OPTIONS: 0 [comp-lzo] [no] 1 [redirect-gateway] [def1] [bypass-dhcp] 2 [dhcp-option] [DNS] [10.10.22.1] 3 [route-gateway] [10.10.22.1] 4 [topology] [subnet] 5 [ping] [10] 6 [ping-restart] [60] 7 [ifconfig] [10.10.22.16] [255.255.255.0] 8 [peer-id] [3] 9 [cipher] [AES-256-GCM] Apr 06 15:58:12 dockerbox bluetit[42995]: PROTOCOL OPTIONS: cipher: AES-256-GCM digest: NONE ncp enabled: no key-derivation: OpenVPN PRF compress: LZO_STUB peer ID: 3 control channel: tls-crypt enabled Apr 06 15:58:12 dockerbox bluetit[42995]: EVENT: ASSIGN_IP Apr 06 15:58:12 dockerbox bluetit[42995]: VPN Server has pushed IPv4 DNS server 10.10.22.1 Apr 06 15:58:12 dockerbox bluetit[42995]: Setting pushed IPv4 DNS server 10.10.22.1 in resolv.conf Apr 06 15:58:12 dockerbox bluetit[42995]: Setting pushed IPv4 DNS server 10.10.22.1 for interface enp0s31f6 via systemd-resolved Apr 06 15:58:12 dockerbox bluetit[42995]: ERROR systemd-resolved: Failed to add DNS server 10.10.22.1 for interface veth33b19d1 Apr 06 15:58:12 dockerbox bluetit[42995]: Setting pushed IPv4 DNS server 10.10.22.1 for interface vethdbd6ab6 via systemd-resolved Apr 06 15:58:12 dockerbox bluetit[42995]: ERROR systemd-resolved: Failed to add DNS server 10.10.22.1 for interface veth2f7f02e Apr 06 15:58:12 dockerbox bluetit[42995]: net_iface_mtu_set: mtu 1500 for tun0 Apr 06 15:58:12 dockerbox bluetit[42995]: net_iface_up: set tun0 up Apr 06 15:58:12 dockerbox bluetit[42995]: net_addr_add: 10.10.22.16/24 brd 10.10.22.255 dev tun0 Apr 06 15:58:12 dockerbox bluetit[42995]: net_route_add: 0.0.0.0/1 via 10.10.22.1 dev tun0 table 0 metric 0 Apr 06 15:58:12 dockerbox bluetit[42995]: net_route_add: 128.0.0.0/1 via 10.10.22.1 dev tun0 table 0 metric 0 Apr 06 15:58:12 dockerbox bluetit[42995]: net_route_del: 128.0.0.0/1 via 10.10.22.1 dev tun0 table 0 metric 0 Apr 06 15:58:12 dockerbox bluetit[42995]: net_route_del: 0.0.0.0/1 via 10.10.22.1 dev tun0 table 0 metric 0 Apr 06 15:58:12 dockerbox bluetit[42995]: net_addr_del: 10.10.22.2/24 dev tun0 Apr 06 15:58:12 dockerbox bluetit[42995]: sitnl_send: rtnl: generic error: Cannot assign requested address (-99) Apr 06 15:58:12 dockerbox bluetit[42995]: net_iface_mtu_set: mtu 1500 for tun0 Apr 06 15:58:12 dockerbox bluetit[42995]: net_iface_up: set tun0 down Apr 06 15:58:12 dockerbox bluetit[42995]: Connected via tun Apr 06 15:58:12 dockerbox bluetit[42995]: LZO-ASYM init swap=0 asym=1 Apr 06 15:58:12 dockerbox bluetit[42995]: Comp-stub init swap=0 Apr 06 15:58:12 dockerbox bluetit[42995]: EVENT: CONNECTED 79.142.69.162:443 (79.142.69.162) via /UDPv4 on tun/10.10.22.16/ gw=[10.10.22.1/] Apr 06 15:58:12 dockerbox bluetit[42995]: Connected to AirVPN server Xuange, Zurich (Switzerland) Apr 06 15:58:13 dockerbox bluetit[42995]: DBusConnectorException: DBusConnector: not primary owner (2) Apr 06 15:58:13 dockerbox bluetit[42995]: Stopping OpenVPN3 connection thread Apr 06 15:58:13 dockerbox bluetit[42995]: Connection statistics updater thread finished Apr 06 15:58:13 dockerbox bluetit[42995]: net_route_del: 128.0.0.0/1 via 10.10.22.1 dev tun0 table 0 metric 0 Apr 06 15:58:13 dockerbox bluetit[42995]: sitnl_send: rtnl: generic error: No such process (-3) Apr 06 15:58:13 dockerbox bluetit[42995]: net_route_del: 0.0.0.0/1 via 10.10.22.1 dev tun0 table 0 metric 0 Apr 06 15:58:13 dockerbox bluetit[42995]: sitnl_send: rtnl: generic error: No such process (-3) Apr 06 15:58:13 dockerbox bluetit[42995]: net_addr_del: 10.10.22.16/24 dev tun0 Apr 06 15:58:13 dockerbox bluetit[42995]: net_iface_mtu_set: mtu 1500 for tun0 Apr 06 15:58:13 dockerbox bluetit[42995]: net_iface_up: set tun0 down Apr 06 15:58:13 dockerbox bluetit[42995]: net_route_del: 79.142.69.162/32 via 192.168.1.254 dev enp0s31f6 table 0 metric 0 Apr 06 15:58:13 dockerbox bluetit[42995]: sitnl_send: rtnl: generic error: No such process (-3) Apr 06 15:58:13 dockerbox bluetit[42995]: Error while executing NetlinkRoute4(add: 0) tun0: -3 Error while executing NetlinkRoute4(add: 0) tun0: -3 Error while executing NetlinkRoute4(add: 0) enp0s31f6: -3 Apr 06 15:58:13 dockerbox bluetit[42995]: EVENT: DISCONNECTED Apr 06 15:58:13 dockerbox bluetit[42995]: Successfully restored DNS settings Apr 06 15:58:13 dockerbox bluetit[42995]: Restoring systemd-resolved DNS settings Apr 06 15:58:13 dockerbox bluetit[42995]: OpenVPN3 connection thread finished Apr 06 15:58:13 dockerbox bluetit[42995]: Logging out AirVPN user sooprtruffaut Apr 06 15:58:13 dockerbox bluetit[42995]: AirVPN Manifest updater thread finished Apr 06 15:58:13 dockerbox systemd[1]: bluetit.service: Main process exited, code=exited, status=1/FAILURE Apr 06 15:58:13 dockerbox systemd[1]: bluetit.service: Failed with result 'exit-code'. Tun0 does not stay up after this error occurs. Edited ... by sooprtruffaut Added error log Share this post Link to post
pjnsmb 13 Posted ... 17 hours ago, air2157 said: That sounds like either the network isn't fully working or DNS is not yet fully working before bluetit starts. You can try a hacky "ExecStartPre=/bin/sleep 5" to the /etc/systemd/system/bluetit.service file. That will delay the start of bluetit for 5 seconds. Reboot and see if it helps. @air2157 thanks for the tip, I was aware of it already and had tried it without success before posting . cheers Hide pjnsmb's signature Hide all signatures regardspjnsmb Share this post Link to post
air2157 4 Posted ... @Staff Once again, thank you for your detailed reply. Unfortunately, we seem to be at cross purposes. I fully understand that if bluetit.rc contains a setting, it cannot be overridden by a client process. The logical extension of this is that if bluetit.rc does not contain a setting, then it should be possible for a client process (ie goldcrest) to override (all of) the default settings. What we actually see is that this is not always the case. I appreciate that you have put a lot of work into the bluetit / goldcrest system but, given its apparently inconsistent approach to settings, I'll move my testing to Hummingbird. Nevertheless, thank you for your efforts. Share this post Link to post
Staff 10014 Posted ... 23 hours ago, air2157 said: @Staff Once again, thank you for your detailed reply. Unfortunately, we seem to be at cross purposes. I fully understand that if bluetit.rc contains a setting, it cannot be overridden by a client process. The logical extension of this is that if bluetit.rc does not contain a setting, then it should be possible for a client process (ie goldcrest) to override (all of) the default settings. What we actually see is that this is not always the case. Hello! Thank YOU for your testing. Let's clarify a thing that you wrongly assumed, especially for the readers. Contrarily to what you say, it is possible "for a client process (ie goldcrest) to override (all of) the default settings", when such settings are not specified in bluetit.rc.. In other words, Goldcrest settings can override Bluetit default settings when they (Bluetit's) are omitted in bluetit.rc. What it's not possible is a totally different thing, i.e. overriding Bluetit and Goldcrest settings via an OpenVPN profile. For example, if you invoke Goldcrest with --proto option, or you specify it in goldcrest.rc, you can pick between udp and tcp. Bluetit will connect accordingly, if bluetit.rc does not include any proto directive. Kind regards Share this post Link to post
sooprtruffaut 5 Posted ... On 4/6/2021 at 10:34 AM, sooprtruffaut said: Hello, I'll answer the question about the tun0 when my system produces the error again! This is the longest it's gone without any issue. As for the distro, it's Ubuntu 20.04.2 LTS (GNU/Linux 5.4.0-70-generic x86_64) UPDATE Error finally happened again. Here's the log: Apr 06 15:56:07 dockerbox bluetit[42995]: Tunnel Options:V4,dev-type tun,link-mtu 1522,tun-mtu 1500,proto UDPv4,comp-lzo,cipher AES-256-GCM,auth [null-digest],keysize 256,key-method 2,tls-client Apr 06 15:56:07 dockerbox bluetit[42995]: Peer Info: IV_VER=3.6.6 AirVPN IV_PLAT=linux IV_TCPNL=1 IV_PROTO=30 IV_CIPHERS=AES-256-GCM IV_LZO_STUB=1 IV_COMP_STUB=1 IV_COMP_STUBv2=1 UV_IPV6=no IV_GUI_VER=Bluetit - AirVPN OpenVPN 3 Service 1.1.0 Beta 2 IV_SSL=OpenSSL 1.1.0l 10 Sep 2019 Apr 06 15:56:08 dockerbox bluetit[42995]: VERIFY OK: depth=1, /C=IT/ST=IT/L=Perugia/O=airvpn.org/CN=airvpn.org CA/emailAddress=info@airvpn.org, signature: RSA-SHA1 Apr 06 15:56:08 dockerbox bluetit[42995]: VERIFY OK: depth=0, /C=IT/ST=IT/L=Perugia/O=airvpn.org/CN=Xuange/emailAddress=info@airvpn.org, signature: RSA-SHA512 Apr 06 15:57:07 dockerbox bluetit[42995]: ERROR: KEV_NEGOTIATE_ERROR Apr 06 15:57:07 dockerbox bluetit[42995]: ERROR: HANDSHAKE_TIMEOUT Apr 06 15:57:08 dockerbox bluetit[42995]: ERROR: KEY_STATE_ERROR Apr 06 15:58:07 dockerbox bluetit[42995]: ERROR: KEV_NEGOTIATE_ERROR Apr 06 15:58:07 dockerbox bluetit[42995]: ERROR: HANDSHAKE_TIMEOUT Apr 06 15:58:09 dockerbox bluetit[42995]: ERROR: KEEPALIVE_TIMEOUT Apr 06 15:58:09 dockerbox bluetit[42995]: Session invalidated: KEEPALIVE_TIMEOUT Apr 06 15:58:09 dockerbox bluetit[42995]: Client terminated, restarting in 2000 ms... Apr 06 15:58:09 dockerbox bluetit[42995]: net_route_del: 128.0.0.0/1 via 10.10.22.1 dev tun0 table 0 metric 0 Apr 06 15:58:09 dockerbox bluetit[42995]: net_route_del: 0.0.0.0/1 via 10.10.22.1 dev tun0 table 0 metric 0 Apr 06 15:58:09 dockerbox bluetit[42995]: net_addr_del: 10.10.22.2/24 dev tun0 Apr 06 15:58:09 dockerbox bluetit[42995]: net_iface_mtu_set: mtu 1500 for tun0 Apr 06 15:58:09 dockerbox bluetit[42995]: net_iface_up: set tun0 down Apr 06 15:58:09 dockerbox bluetit[42995]: net_route_del: 79.142.69.162/32 via 192.168.1.254 dev enp0s31f6 table 0 metric 0 Apr 06 15:58:11 dockerbox bluetit[42995]: EVENT: RECONNECTING Apr 06 15:58:11 dockerbox bluetit[42995]: Successfully restored DNS settings Apr 06 15:58:11 dockerbox bluetit[42995]: Restoring systemd-resolved DNS settings Apr 06 15:58:11 dockerbox bluetit[42995]: ERROR: N_RECONNECT Apr 06 15:58:11 dockerbox bluetit[42995]: EVENT: RESOLVE Apr 06 15:58:11 dockerbox bluetit[42995]: Contacting 79.142.69.162:443 via UDP Apr 06 15:58:11 dockerbox bluetit[42995]: EVENT: WAIT Apr 06 15:58:11 dockerbox bluetit[42995]: Connecting to [79.142.69.162]:443 (79.142.69.162) via UDPv4 Apr 06 15:58:11 dockerbox bluetit[42995]: EVENT: CONNECTING Apr 06 15:58:11 dockerbox bluetit[42995]: Tunnel Options:V4,dev-type tun,link-mtu 1522,tun-mtu 1500,proto UDPv4,comp-lzo,cipher AES-256-GCM,auth [null-digest],keysize 256,key-method 2,tls-client Apr 06 15:58:11 dockerbox bluetit[42995]: Peer Info: IV_VER=3.6.6 AirVPN IV_PLAT=linux IV_TCPNL=1 IV_PROTO=30 IV_CIPHERS=AES-256-GCM IV_LZO_STUB=1 IV_COMP_STUB=1 IV_COMP_STUBv2=1 UV_IPV6=no IV_GUI_VER=Bluetit - AirVPN OpenVPN 3 Service 1.1.0 Beta 2 IV_SSL=OpenSSL 1.1.0l 10 Sep 2019 Apr 06 15:58:12 dockerbox bluetit[42995]: VERIFY OK: depth=1, /C=IT/ST=IT/L=Perugia/O=airvpn.org/CN=airvpn.org CA/emailAddress=info@airvpn.org, signature: RSA-SHA1 Apr 06 15:58:12 dockerbox bluetit[42995]: VERIFY OK: depth=0, /C=IT/ST=IT/L=Perugia/O=airvpn.org/CN=Xuange/emailAddress=info@airvpn.org, signature: RSA-SHA512 Apr 06 15:58:12 dockerbox bluetit[42995]: SSL Handshake: peer certificate: CN=Xuange, 4096 bit RSA, cipher: TLS_CHACHA20_POLY1305_SHA256 TLSv1.3 Kx=any Au=any Enc=CHACHA20/POLY1305(256) Mac=AEAD Apr 06 15:58:12 dockerbox bluetit[42995]: Session is ACTIVE Apr 06 15:58:12 dockerbox bluetit[42995]: EVENT: WARN TLS: received certificate signed with SHA1. Please inform your admin to upgrade to a stronger algorithm. Support for SHA1 signatures will be dropped in the future Apr 06 15:58:12 dockerbox bluetit[42995]: EVENT: GET_CONFIG Apr 06 15:58:12 dockerbox bluetit[42995]: Sending PUSH_REQUEST to server... Apr 06 15:58:12 dockerbox bluetit[42995]: OPTIONS: 0 [comp-lzo] [no] 1 [redirect-gateway] [def1] [bypass-dhcp] 2 [dhcp-option] [DNS] [10.10.22.1] 3 [route-gateway] [10.10.22.1] 4 [topology] [subnet] 5 [ping] [10] 6 [ping-restart] [60] 7 [ifconfig] [10.10.22.16] [255.255.255.0] 8 [peer-id] [3] 9 [cipher] [AES-256-GCM] Apr 06 15:58:12 dockerbox bluetit[42995]: PROTOCOL OPTIONS: cipher: AES-256-GCM digest: NONE ncp enabled: no key-derivation: OpenVPN PRF compress: LZO_STUB peer ID: 3 control channel: tls-crypt enabled Apr 06 15:58:12 dockerbox bluetit[42995]: EVENT: ASSIGN_IP Apr 06 15:58:12 dockerbox bluetit[42995]: VPN Server has pushed IPv4 DNS server 10.10.22.1 Apr 06 15:58:12 dockerbox bluetit[42995]: Setting pushed IPv4 DNS server 10.10.22.1 in resolv.conf Apr 06 15:58:12 dockerbox bluetit[42995]: Setting pushed IPv4 DNS server 10.10.22.1 for interface enp0s31f6 via systemd-resolved Apr 06 15:58:12 dockerbox bluetit[42995]: ERROR systemd-resolved: Failed to add DNS server 10.10.22.1 for interface veth33b19d1 Apr 06 15:58:12 dockerbox bluetit[42995]: Setting pushed IPv4 DNS server 10.10.22.1 for interface vethdbd6ab6 via systemd-resolved Apr 06 15:58:12 dockerbox bluetit[42995]: ERROR systemd-resolved: Failed to add DNS server 10.10.22.1 for interface veth2f7f02e Apr 06 15:58:12 dockerbox bluetit[42995]: net_iface_mtu_set: mtu 1500 for tun0 Apr 06 15:58:12 dockerbox bluetit[42995]: net_iface_up: set tun0 up Apr 06 15:58:12 dockerbox bluetit[42995]: net_addr_add: 10.10.22.16/24 brd 10.10.22.255 dev tun0 Apr 06 15:58:12 dockerbox bluetit[42995]: net_route_add: 0.0.0.0/1 via 10.10.22.1 dev tun0 table 0 metric 0 Apr 06 15:58:12 dockerbox bluetit[42995]: net_route_add: 128.0.0.0/1 via 10.10.22.1 dev tun0 table 0 metric 0 Apr 06 15:58:12 dockerbox bluetit[42995]: net_route_del: 128.0.0.0/1 via 10.10.22.1 dev tun0 table 0 metric 0 Apr 06 15:58:12 dockerbox bluetit[42995]: net_route_del: 0.0.0.0/1 via 10.10.22.1 dev tun0 table 0 metric 0 Apr 06 15:58:12 dockerbox bluetit[42995]: net_addr_del: 10.10.22.2/24 dev tun0 Apr 06 15:58:12 dockerbox bluetit[42995]: sitnl_send: rtnl: generic error: Cannot assign requested address (-99) Apr 06 15:58:12 dockerbox bluetit[42995]: net_iface_mtu_set: mtu 1500 for tun0 Apr 06 15:58:12 dockerbox bluetit[42995]: net_iface_up: set tun0 down Apr 06 15:58:12 dockerbox bluetit[42995]: Connected via tun Apr 06 15:58:12 dockerbox bluetit[42995]: LZO-ASYM init swap=0 asym=1 Apr 06 15:58:12 dockerbox bluetit[42995]: Comp-stub init swap=0 Apr 06 15:58:12 dockerbox bluetit[42995]: EVENT: CONNECTED 79.142.69.162:443 (79.142.69.162) via /UDPv4 on tun/10.10.22.16/ gw=[10.10.22.1/] Apr 06 15:58:12 dockerbox bluetit[42995]: Connected to AirVPN server Xuange, Zurich (Switzerland) Apr 06 15:58:13 dockerbox bluetit[42995]: DBusConnectorException: DBusConnector: not primary owner (2) Apr 06 15:58:13 dockerbox bluetit[42995]: Stopping OpenVPN3 connection thread Apr 06 15:58:13 dockerbox bluetit[42995]: Connection statistics updater thread finished Apr 06 15:58:13 dockerbox bluetit[42995]: net_route_del: 128.0.0.0/1 via 10.10.22.1 dev tun0 table 0 metric 0 Apr 06 15:58:13 dockerbox bluetit[42995]: sitnl_send: rtnl: generic error: No such process (-3) Apr 06 15:58:13 dockerbox bluetit[42995]: net_route_del: 0.0.0.0/1 via 10.10.22.1 dev tun0 table 0 metric 0 Apr 06 15:58:13 dockerbox bluetit[42995]: sitnl_send: rtnl: generic error: No such process (-3) Apr 06 15:58:13 dockerbox bluetit[42995]: net_addr_del: 10.10.22.16/24 dev tun0 Apr 06 15:58:13 dockerbox bluetit[42995]: net_iface_mtu_set: mtu 1500 for tun0 Apr 06 15:58:13 dockerbox bluetit[42995]: net_iface_up: set tun0 down Apr 06 15:58:13 dockerbox bluetit[42995]: net_route_del: 79.142.69.162/32 via 192.168.1.254 dev enp0s31f6 table 0 metric 0 Apr 06 15:58:13 dockerbox bluetit[42995]: sitnl_send: rtnl: generic error: No such process (-3) Apr 06 15:58:13 dockerbox bluetit[42995]: Error while executing NetlinkRoute4(add: 0) tun0: -3 Error while executing NetlinkRoute4(add: 0) tun0: -3 Error while executing NetlinkRoute4(add: 0) enp0s31f6: -3 Apr 06 15:58:13 dockerbox bluetit[42995]: EVENT: DISCONNECTED Apr 06 15:58:13 dockerbox bluetit[42995]: Successfully restored DNS settings Apr 06 15:58:13 dockerbox bluetit[42995]: Restoring systemd-resolved DNS settings Apr 06 15:58:13 dockerbox bluetit[42995]: OpenVPN3 connection thread finished Apr 06 15:58:13 dockerbox bluetit[42995]: Logging out AirVPN user sooprtruffaut Apr 06 15:58:13 dockerbox bluetit[42995]: AirVPN Manifest updater thread finished Apr 06 15:58:13 dockerbox systemd[1]: bluetit.service: Main process exited, code=exited, status=1/FAILURE Apr 06 15:58:13 dockerbox systemd[1]: bluetit.service: Failed with result 'exit-code'. Tun0 does not stay up after this error occurs. Hello, As a follow up to this my previous post, doing some research about tun i/o errors, when this occurs with openvpn, it seems to be related to compression. I reverted to the default setting, which I believe is "compress no" and will continue to monitor. Share this post Link to post
Staff 10014 Posted ... On 4/4/2021 at 3:23 PM, air2157 said: The config file option is "auth SHA512". The log shows "auth [null-digest]. Unfortunately, setting verbosity 4 provided no more detail, so it's difficult to say which HMAC, if any, it's using. By contrast OpenVPN 2.4.7 (Debian) in verb 4 shows: Hello! That's expected. Remember the auth directive scope as we underlined in a previous message: it does not apply to AEAD ciphers, in the Data Channel (and we use only AEAD ciphers fix: not true, we still support AES-CBC). In the Control Channel, it applies only to TLS Auth (not to TLS Crypt according to documentation) and (obviously) only when compatible with the tls-ciphers list (check both data-ciphers and tls-ciphers set on servers in our previous message). To check the digest, see the rest of the log pertaining to Control Channel cipher and Data Channel cipher in IANA convention. Unfortunately a working verbosity option is not implemented in OpenVPN3, maybe one day we'll implement it in our fork. Kind regards Share this post Link to post
air2157 4 Posted ... @Staff I'd totally forgotten that AES-GCM included the HMAC (auth) function. D'oh! Thanks for putting me straight. I was unaware that OpenVPN3 doesn't have a verbosity option.. That's a shame, though anything above verb 4 is usually well above my pay grade. My testing of Hummingbird is still proceeding... All the best. Share this post Link to post
Staff 10014 Posted ... Hello! AirVPN Suite 1.1.0 RC 1 is now available. No news from beta 2, it's just for development cycle consistency and coherency. URLs in initial post have been updated. Kind regards Share this post Link to post
air2157 4 Posted ... I'm having problems with Hummingbird. My idea is to have a common TCP/443 .ovpn config file and specify the server on the command line. Here's the .ovpn config file (which, incidentally, works fine without any overrides): client dev tun remote bg3.all.vpn.airdns.org 443 resolv-retry infinite nobind persist-key persist-tun auth-nocache route-delay 5 verb 3 push-peer-info setenv UV_IPV6 no remote-cert-tls server cipher AES-256-GCM comp-lzo no proto tcp With server and port override: user@air-eur:~$ sudo hummingbird --server europe3.vpn.airdns.org --port 443 /etc/airvpn/tcp_443.ovpn Hummingbird - AirVPN OpenVPN 3 Client 1.1.2 RC 1 - 7 April 2021 Thu Apr 8 19:34:39.716 2021 System and service manager in use is systemd Thu Apr 8 19:34:39.736 2021 Network filter and lock are using iptables-legacy Thu Apr 8 19:34:39.750 2021 Successfully loaded kernel module iptable_filter Thu Apr 8 19:34:39.778 2021 Successfully loaded kernel module iptable_nat Thu Apr 8 19:34:39.796 2021 Successfully loaded kernel module iptable_mangle Thu Apr 8 19:34:39.816 2021 Successfully loaded kernel module iptable_security Thu Apr 8 19:34:39.837 2021 Successfully loaded kernel module iptable_raw Thu Apr 8 19:34:39.863 2021 Successfully loaded kernel module ip6table_filter Thu Apr 8 19:34:39.888 2021 Successfully loaded kernel module ip6table_nat Thu Apr 8 19:34:39.899 2021 Successfully loaded kernel module ip6table_mangle Thu Apr 8 19:34:39.909 2021 Successfully loaded kernel module ip6table_security Thu Apr 8 19:34:39.918 2021 Successfully loaded kernel module ip6table_raw ERROR: eval config error: ERR_PROFILE_GENERIC: option_error: error parsing protocol: tcp-client If I comment out the remote bg3.all.vpn.airdns.org line, it segfaults: user@air-eur:~$ sudo hummingbird --server europe3.vpn.airdns.org --port 443 /etc/airvpn/tcp_443.ovpn Hummingbird - AirVPN OpenVPN 3 Client 1.1.2 RC 1 - 7 April 2021 Thu Apr 8 19:42:18.195 2021 System and service manager in use is systemd Segmentation fault 1 Staff reacted to this Share this post Link to post
jrredho 0 Posted ... Hey All, I'm uncertain it this is the correct place, given all of the detailed beta testing going on among you super-savvy folks, but has anyone besides me noticed the massive CPU consumption differences between the various clients? In particular, when I run bluetit (from AirVPN Suite beta 1.1) on my up-to-date Fedora f33 x86_64 system, Bluetit is using something like 8% of my CPU; the eddie client, 1%; and, finally, the eddie-cli client, 0.1%. (Both of the latter utilities are using the latest hummingbird client.) At least that's what I gleaned from looking at htop while running them each in freshly booted conditions doing simple web browsing. Am I hallucinating? Has anyone who's more technically proficient done a formal comparison? Thanks (and apologies if this is the wrong place for this post)! cheers, john Share this post Link to post