Linux: AirVPN Suite 1.1.0 beta available

air2157

Further to my previous post, 1.1.0 beta 2 goldcrest has the same problem trying to run over TCP. (BTW, forgot to add that I'm on x86_64)

hummingbird correctly chooses TCP.

Both goldcrest and hummingbird do not honour (at least) the "comp-lzo no" or "auth SHA512" directives.

goldcrest:

2021-04-03 19:55:46 EVENT: CONNECTING
2021-04-03 19:55:46 Tunnel Options:V4,dev-type tun,link-mtu 1522,tun-mtu 1500,proto UDPv4,comp-lzo,cipher AES-256-GCM,auth [null-digest],keysize 256,key-method 2,tls-client
2021-04-03 19:55:46 Peer Info:
IV_VER=3.6.6 AirVPN
IV_PLAT=linux
IV_NCP=2
IV_TCPNL=1
IV_PROTO=30
IV_CIPHERS=AES-256-GCM
IV_LZO_STUB=1
IV_COMP_STUB=1
IV_COMP_STUBv2=1
UV_IPV6=no
IV_GUI_VER=Bluetit - AirVPN OpenVPN 3 Service 1.1.0 Beta 2
IV_SSL=OpenSSL 1.1.0l  10 Sep 2019

hummingbird:

Sat Apr  3 20:00:35.929 2021 EVENT: CONNECTING
Sat Apr  3 20:00:35.930 2021 Tunnel Options:V4,dev-type tun,link-mtu 1524,tun-mtu 1500,proto TCPv4_CLIENT,comp-lzo,cipher AES-256-GCM,auth [null-digest],keysize 256,key-method 2,tls-client
Sat Apr  3 20:00:35.930 2021 Peer Info:
IV_VER=3.6.6 AirVPN
IV_PLAT=linux
IV_NCP=2
IV_TCPNL=1
IV_PROTO=30
IV_CIPHERS=AES-256-GCM
IV_LZO_STUB=1
IV_COMP_STUB=1
IV_COMP_STUBv2=1
UV_IPV6=no
IV_GUI_VER=Hummingbird - AirVPN OpenVPN 3 Client 1.1.2 Beta 2
IV_SSL=OpenSSL 1.1.0l  10 Sep 2019

Staff

@air2157

Hello!

Thanks for your tests.

Some information you need to consider for a preliminary check:

bluetit.rc directives overrde Goldcrest options, Goldrect configuraiton file directives, and profile directives
Goldcrest command line options override Goldcrest configuration file and ovpn profile

That said, the tiny log excerpts you publish do not help. Please send us complete log, especially by Bluetit, and make sure you don't cut entries. Try also directive proto tcp in place of proto tcp-client.

From a shell with root privileges (or you can use sudo if you have it installed) in a systemd based system you can print the whole Bluetit log with the following command:

journalctl | grep bluetit

Please edit any personal information if necessary and publish integrally.

Quote

Both goldcrest and hummingbird do not honour (at least) the "comp-lzo no" or "auth SHA512" directives.

comp-lzo no behavior in OpenPVN3 is under out attention already. We have fixed several disconcerting bugs from OpenVPN 3 main branch into our fork. Please be patient, if it comes out that it's another bug, we will fix it too.

auth behavior seems fine, though. What is the anomaly you detect? Before you answer, make sure that you understand how auth directive works (check in https://openvpn.net/community-resources/reference-manual-for-openvpn-2-4/). Remember that auth does not affect AEAD ciphers in the Data Channel and does not affect tls-crypt based connections. Furthermore, compare with the tls-ciphers and data-cipher directives in our servers reported here below (you can see them by clicking any server name in the server monitor (https://airvpn.org/status):

Ciphers TLS:	TLS-DHE-RSA-WITH-CHACHA20-POLY1305-SHA256 TLS-DHE-RSA-WITH-AES-256-GCM-SHA384 TLS-DHE-RSA-WITH-AES-256-CBC-SHA256 TLS-DHE-RSA-WITH-AES-256-CBC-SHA
Ciphers Data:	CHACHA20-POLY1305 AES-256-GCM AES-256-CBC AES-192-GCM AES-192-CBC AES-128-GCM AES-128-CBC

Kind regards

air2157

3 hours ago, Staff said:

bluetit.rc directives overrde Goldcrest options, Goldrect configuraiton file directives, and profile directives

Default, as installed.

3 hours ago, Staff said:

Goldcrest command line options override Goldcrest configuration file and ovpn profile

No command line options used. Just "sudo goldcrest <config-file>" /root/goldcrest.rc is default, ie as instaled.

3 hours ago, Staff said:

Try also directive proto tcp in place of proto tcp-client.

Already mentioned. But now "proto tcp". No change.

3 hours ago, Staff said:

journalctl | grep bluetit

Apr 04 13:56:40 air-eur bluetit[797]: Requested method "version"
Apr 04 13:56:40 air-eur bluetit[797]: Requested method "openvpn_info"
Apr 04 13:56:40 air-eur bluetit[797]: Requested method "bluetit_status -> Bluetit is ready"
Apr 04 13:56:40 air-eur bluetit[797]: Requested method "reset_bluetit_options -> Bluetit options successfully reset"
Apr 04 13:56:40 air-eur bluetit[797]: Requested method "set_openvpn_profile -> OK"
Apr 04 13:56:40 air-eur bluetit[797]: Requested method "start_connection"
Apr 04 13:56:40 air-eur bluetit[797]: OpenVPN3 connection successfully started
Apr 04 13:56:40 air-eur bluetit[797]: Network filter and lock are using iptables-legacy
Apr 04 13:56:40 air-eur bluetit[797]: Successfully loaded kernel module iptable_filter
Apr 04 13:56:40 air-eur bluetit[797]: Successfully loaded kernel module iptable_nat
Apr 04 13:56:40 air-eur bluetit[797]: Successfully loaded kernel module iptable_mangle
Apr 04 13:56:40 air-eur bluetit[797]: Successfully loaded kernel module iptable_security
Apr 04 13:56:40 air-eur bluetit[797]: Successfully loaded kernel module iptable_raw
Apr 04 13:56:40 air-eur bluetit[797]: Successfully loaded kernel module ip6table_filter
Apr 04 13:56:40 air-eur bluetit[797]: Successfully loaded kernel module ip6table_nat
Apr 04 13:56:40 air-eur bluetit[797]: Successfully loaded kernel module ip6table_mangle
Apr 04 13:56:40 air-eur bluetit[797]: Successfully loaded kernel module ip6table_security
Apr 04 13:56:40 air-eur bluetit[797]: Successfully loaded kernel module ip6table_raw
Apr 04 13:56:40 air-eur bluetit[797]: Network filter successfully initialized
Apr 04 13:56:40 air-eur bluetit[797]: Starting VPN Connection
Apr 04 13:56:41 air-eur bluetit[797]: OpenVPN3 client successfully created and initialized.
Apr 04 13:56:41 air-eur bluetit[797]: TUN persistence is enabled.
Apr 04 13:56:41 air-eur bluetit[797]: Successfully set OpenVPN3 client configuration
Apr 04 13:56:41 air-eur bluetit[797]: Starting OpenVPN3 connection thread
Apr 04 13:56:41 air-eur bluetit[797]: OpenVPN core 3.6.6 AirVPN linux x86_64 64-bit
Apr 04 13:56:41 air-eur bluetit[797]: Connection statistics updater thread started
Apr 04 13:56:41 air-eur bluetit[797]: Frame=512/2048/512 mssfix-ctrl=1250
Apr 04 13:56:41 air-eur bluetit[797]: UNUSED OPTIONS
                                      0 [script-security] [2]
                                      4 [resolv-retry] [infinite]
                                      5 [nobind]
                                      6 [persist-key]
                                      7 [persist-tun]
                                      8 [auth-nocache]
                                      9 [route-delay] [5]
                                      10 [verb] [4]
Apr 04 13:56:41 air-eur bluetit[797]: EVENT: RESOLVE
Apr 04 13:56:41 air-eur bluetit[797]: Local IPv4 address 10.137.0.77
Apr 04 13:56:41 air-eur bluetit[797]: Local IPv6 address fe80::216:3eff:fe5e:6c00
Apr 04 13:56:41 air-eur bluetit[797]: Local interface eth0
Apr 04 13:56:41 air-eur bluetit[797]: Setting up network filter and lock
Apr 04 13:56:41 air-eur bluetit[797]: Allowing system DNS 10.139.1.1 to pass through the network filter
Apr 04 13:56:41 air-eur bluetit[797]: Allowing system DNS 10.139.1.2 to pass through the network filter
Apr 04 13:56:41 air-eur bluetit[797]: Resolved server europe3.vpn.airdns.org into IPv4 128.127.104.82
Apr 04 13:56:41 air-eur bluetit[797]: Adding IPv4 server 128.127.104.82 to network filter
Apr 04 13:56:41 air-eur bluetit[797]: Network filter and lock successfully activated
Apr 04 13:56:41 air-eur bluetit[797]: Contacting 128.127.104.82:443 via UDP
Apr 04 13:56:41 air-eur bluetit[797]: EVENT: WAIT
Apr 04 13:56:41 air-eur bluetit[797]: net_route_best_gw query IPv4: 128.127.104.82/32
Apr 04 13:56:41 air-eur bluetit[797]: sitnl_route_best_gw result: via 10.137.0.5 dev eth0
Apr 04 13:56:41 air-eur bluetit[797]: net_route_add: 128.127.104.82/32 via 10.137.0.5 dev eth0 table 0 metric 0
Apr 04 13:56:41 air-eur bluetit[797]: Connecting to [europe3.vpn.airdns.org]:443 (128.127.104.82) via UDPv4
Apr 04 13:56:41 air-eur bluetit[797]: EVENT: CONNECTING
Apr 04 13:56:41 air-eur bluetit[797]: Tunnel Options:V4,dev-type tun,link-mtu 1522,tun-mtu 1500,proto UDPv4,comp-lzo,cipher AES-256-GCM,auth [null-digest],keysize 256,key-method 2,tls-client
Apr 04 13:56:41 air-eur bluetit[797]: Peer Info:
                                      IV_VER=3.6.6 AirVPN
                                      IV_PLAT=linux
                                      IV_NCP=2
                                      IV_TCPNL=1
                                      IV_PROTO=30
                                      IV_CIPHERS=AES-256-GCM
                                      IV_LZO_STUB=1
                                      IV_COMP_STUB=1
                                      IV_COMP_STUBv2=1
                                      UV_IPV6=no
                                      IV_GUI_VER=Bluetit - AirVPN OpenVPN 3 Service 1.1.0 Beta 2
                                      IV_SSL=OpenSSL 1.1.0l  10 Sep 2019
Apr 04 13:56:42 air-eur bluetit[797]: VERIFY OK: depth=1, /C=IT/ST=IT/L=Perugia/O=airvpn.org/CN=airvpn.org CA/emailAddress=info@airvpn.org, signature: RSA-SHA1
Apr 04 13:56:42 air-eur bluetit[797]: VERIFY OK: depth=0, /C=IT/ST=IT/L=Perugia/O=airvpn.org/CN=Ain/emailAddress=info@airvpn.org, signature: RSA-SHA512
Apr 04 13:56:42 air-eur bluetit[797]: SSL Handshake: peer certificate: CN=Ain, 4096 bit RSA, cipher: TLS_CHACHA20_POLY1305_SHA256 TLSv1.3 Kx=any      Au=any  Enc=CHACHA20/POLY1305(256) Mac=AEAD
Apr 04 13:56:42 air-eur bluetit[797]: Session is ACTIVE
Apr 04 13:56:42 air-eur bluetit[797]: EVENT: WARN TLS: received certificate signed with SHA1. Please inform your admin to upgrade to a stronger algorithm. Support for SHA1 signatures will be dropped in the future
Apr 04 13:56:42 air-eur bluetit[797]: EVENT: GET_CONFIG
Apr 04 13:56:42 air-eur bluetit[797]: Sending PUSH_REQUEST to server...
Apr 04 13:56:42 air-eur bluetit[797]: OPTIONS:
                                      0 [comp-lzo] [no]
                                      1 [redirect-gateway] [def1] [bypass-dhcp]
                                      2 [dhcp-option] [DNS] [10.64.102.1]
                                      3 [route-gateway] [10.64.102.1]
                                      4 [topology] [subnet]
                                      5 [ping] [10]
                                      6 [ping-restart] [60]
                                      7 [ifconfig] [10.64.102.242] [255.255.255.0]
                                      8 [peer-id] [2]
                                      9 [cipher] [AES-256-GCM]
Apr 04 13:56:42 air-eur bluetit[797]: PROTOCOL OPTIONS:
                                        cipher: AES-256-GCM
                                        digest: NONE
                                        ncp enabled: yes
                                        key-derivation: OpenVPN PRF
                                        compress: LZO_STUB
                                        peer ID: 2
                                        control channel: tls-crypt enabled
Apr 04 13:56:42 air-eur bluetit[797]: EVENT: ASSIGN_IP
Apr 04 13:56:42 air-eur bluetit[797]: VPN Server has pushed IPv4 DNS server 10.64.102.1
Apr 04 13:56:43 air-eur bluetit[797]: Setting pushed IPv4 DNS server 10.64.102.1 in resolv.conf
Apr 04 13:56:43 air-eur bluetit[797]: net_iface_mtu_set: mtu 1500 for tun0
Apr 04 13:56:43 air-eur bluetit[797]: net_iface_up: set tun0 up
Apr 04 13:56:43 air-eur bluetit[797]: net_addr_add: 10.64.102.242/24 brd 10.64.102.255 dev tun0
Apr 04 13:56:43 air-eur bluetit[797]: net_route_add: 0.0.0.0/1 via 10.64.102.1 dev tun0 table 0 metric 0
Apr 04 13:56:43 air-eur bluetit[797]: net_route_add: 128.0.0.0/1 via 10.64.102.1 dev tun0 table 0 metric 0
Apr 04 13:56:43 air-eur bluetit[797]: TunPersist: saving tun context:
                                      Session Name: europe3.vpn.airdns.org
                                      Layer: OSI_LAYER_3
                                      Remote Address: 128.127.104.82
                                      Tunnel Addresses:
                                        10.64.102.242/24 -> 10.64.102.1
                                      Reroute Gateway: IPv4=1 IPv6=0 flags=[ ENABLE REROUTE_GW DEF1 BYPASS_DHCP IPv4 ]
                                      Block IPv6: no
                                      Add Routes:
                                      Exclude Routes:
                                      DNS Servers:
                                        10.64.102.1
                                      Search Domains:
Apr 04 13:56:43 air-eur bluetit[797]: Connected via tun
Apr 04 13:56:43 air-eur bluetit[797]: LZO-ASYM init swap=0 asym=1
Apr 04 13:56:43 air-eur bluetit[797]: Comp-stub init swap=0
Apr 04 13:56:43 air-eur bluetit[797]: EVENT: CONNECTED europe3.vpn.airdns.org:443 (128.127.104.82) via /UDPv4 on tun/10.64.102.242/ gw=[10.64.102.1/]
Apr 04 13:56:43 air-eur bluetit[797]: Server has pushed its own DNS. Removing system DNS from network filter.
Apr 04 13:56:43 air-eur bluetit[797]: System DNS 10.139.1.1 is now rejected by the network filter
Apr 04 13:56:43 air-eur bluetit[797]: System DNS 10.139.1.2 is now rejected by the network filter
Apr 04 13:56:46 air-eur bluetit[797]: Requested method "bluetit_status -> Bluetit is connected to VPN"
Apr 04 13:56:46 air-eur bluetit[797]: Requested method "stop_connection"
Apr 04 13:56:46 air-eur bluetit[797]: Stopping OpenVPN3 connection thread
Apr 04 13:56:46 air-eur bluetit[797]: Connection statistics updater thread finished
Apr 04 13:56:46 air-eur bluetit[797]: net_route_del: 128.0.0.0/1 via 10.64.102.1 dev tun0 table 0 metric 0
Apr 04 13:56:46 air-eur bluetit[797]: net_route_del: 0.0.0.0/1 via 10.64.102.1 dev tun0 table 0 metric 0
Apr 04 13:56:46 air-eur bluetit[797]: net_addr_del: 10.64.102.242/24 dev tun0
Apr 04 13:56:46 air-eur bluetit[797]: net_iface_mtu_set: mtu 1500 for tun0
Apr 04 13:56:46 air-eur bluetit[797]: net_iface_up: set tun0 down
Apr 04 13:56:46 air-eur bluetit[797]: net_route_del: 128.127.104.82/32 via 10.137.0.5 dev eth0 table 0 metric 0
Apr 04 13:56:46 air-eur bluetit[797]: EVENT: DISCONNECTED
Apr 04 13:56:46 air-eur bluetit[797]: Successfully restored DNS settings
Apr 04 13:56:47 air-eur bluetit[797]: Network filter successfully restored
Apr 04 13:56:47 air-eur bluetit[797]: OpenVPN3 connection thread finished
Apr 04 13:56:47 air-eur bluetit[797]: OpenVPN3 connection thread successfully terminated

3 hours ago, Staff said:

auth behavior seems fine, though. What is the anomaly you detect?

The config file option is "auth SHA512". The log shows "auth [null-digest]. Unfortunately, setting verbosity 4 provided no more detail, so it's difficult to say which HMAC, if any, it's using. By contrast OpenVPN 2.4.7 (Debian) in verb 4 shows:

Sun Apr  4 14:15:08 2021 us=897579   authname = 'SHA512'

HTH

Staff

@air2157

Hello!

The Bluetit log is strangely cut and the missing part is exactly what we need to see to understand what options Bluetit receives from Goldcrest. Please try again, we need a complete log. The cut part is about the initial dozen entries just before the following one:

Apr 04 13:56:40 air-eur bluetit[797]: Requested method "version"

What we can see from the log is that the auth behavior is perfect, no problems here, while comp-lzo no doubts remain. We will investigate the issue.

In the meantime, if you urgently need a TCP connection (but of course use UDP whenever possible), bypass the configuration file by forcing TCP mode by Goldcrest command line or Bluetit configuration file.

As a side note (totally unrelated to the current matter anyway), we see that you run Goldcrest with root privileges, so you discard an important part of the client-daemon security model. You might like to avoid unnecessary privileges to Goldcrest and run Goldcrest from any user in the airvpn group.

Kind regards

air2157

I guess you mean this bit:

Apr 04 13:51:03 air-eur bluetit[756]: Starting Bluetit - AirVPN OpenVPN 3 Service 1.1.0 Beta 2 - 2 April 2021
Apr 04 13:51:03 air-eur bluetit[756]: OpenVPN core 3.6.6 AirVPN linux x86_64 64-bit
Apr 04 13:51:03 air-eur bluetit[756]: Copyright (C) 2012-2020 OpenVPN Inc. All rights reserved.
Apr 04 13:51:03 air-eur bluetit[797]: Bluetit daemon started with PID 797
Apr 04 13:51:03 air-eur bluetit[797]: External network is reachable via gateway 10.137.0.5 through interface eth0
Apr 04 13:51:03 air-eur bluetit[797]: Successfully connected to D-Bus
Apr 04 13:51:03 air-eur bluetit[797]: Reading run control directives from file /etc/airvpn/bluetit.rc
Apr 04 13:51:03 air-eur bluetit[797]: IPv6 is available in this system
Apr 04 13:51:03 air-eur bluetit[797]: Bluetit successfully initialized and ready
Apr 04 13:51:03 air-eur bluetit[797]: Requesting network IP and country to AirVPN ipleak.net via secure connection
Apr 04 13:51:05 air-eur bluetit[797]: Network IP: XX.XX.XX.XX
Apr 04 13:51:05 air-eur bluetit[797]: System country: XX
Apr 04 13:51:05 air-eur bluetit[797]: AirVPN Manifest updater thread started
Apr 04 13:51:05 air-eur bluetit[797]: AirVPN Manifest update interval is 15 minutes
Apr 04 13:51:05 air-eur bluetit[797]: Updating AirVPN Manifest

Goldcrest will (does) run as a systemd service in a secured VM that will become my local gateway, so root access will make no odds either way. Nevertheless, I'll probably run goldcrest with reduced privileges, but one step at a time...

For now, I'm just trying things out. If I need TCP -- and I usually do, because of ISP restrictions -- I can stay with OpenVPN.

sooprtruffaut

Hello,

I'm having trouble with Bluetit. I'm on X86_64. When using Bluetit to start a connection at boot, everything starts and runs as normal. However, eventually it will break with the following error:

TUN write exception: write_some: Input/output error
ERROR: TUN_WRITE_ERROR

I'm not sure if it's a bug or a problem with the configuration I'm using in the bluetit.rc file.

Let me know if you need any logs.

Thanks

PS: This is a problem I noticed in the Beta1 release, as well.

pjnsmb

Hello @Staff

Regarding -
Bluetit now waits for the system to set up properly gateway and gateway interface. Therefore, even when launched by some init system prematurely during bootstrap, and in any other circumstance, Bluetit can autonomously decide when it's time to proceed, as soon as the network link is up, avoiding errors due to network unavailability

Beta 2 seems better for me regarding my posts from 15th March on beta 1 startup but :

1. Upon bootup on an unaltered bluetit.rc file I still get :

systemctl status bluetit still shows the line -desktop bluetit[3127]: ERROR: Cannot detect system location: Cannot resolve ipleak.net

2. Upon systemctl restart bluetit bluetit then shows the lines :

desktop bluetit[13260]: Requesting network IP and country to AirVPN ipleak.net via secure connection
Apr 04 07:19:28 desktop bluetit[13260]: Network IP: 2a02:c7f:cc09:d900:e8e0:78ab:dbaa:b120
Apr 04 07:19:28 desktop bluetit[13260]: System country: GB
Apr 04 07:19:28 desktop bluetit[13260]: AirVPN Manifest updater thread started

so I have a successful connection on restart of bluetit

3. If I enter GB as a country code into bluetit.rc on bootup I get :

top bluetit[3179]: Successfully connected to D-Bus
Apr 05 06:36:51 desktop bluetit[3179]: Reading run control directives from file /etc/airvpn/bluetit.rc
Apr 05 06:36:51 desktop bluetit[3179]: IPv6 is available in this system
Apr 05 06:36:51 desktop bluetit[3179]: System country set to GB by Bluetit policy.
Apr 05 06:36:51 desktop bluetit[3179]: Bluetit successfully initialized and ready
Apr 05 06:36:51 desktop bluetit[3179]: AirVPN Manifest updater thread started

so I have a successful connection on bootup.

hope this is clear and helps................

Staff

Hello!

@sooprtruffaut

What is your Linux distribution name and exact version? When you get the error can you please check whether the tun network interface is still up? According to your distribution you might enter from a shell the command ifconfig or ip a .

@pjnsmb

Your system can't (at the moment of the error) resolve names. Eddie checks whether the network is up by looking for a valid gateway, it does not check whether nameservers are set and/or work, and it will not enforce a Network Lock exception, not even to resolve ipleak.net, during bootstrap. Implementing such a function is very questionable, because it would require a query to the external world as soon as the network is up, which might not be what the administrator wants when she sets permanent network lock.

Resolve the issue easily either by forcing your country in the bluetit.rc as you already did (recommended solution) or by having ipleak.net resolved by the /etc/hosts file. In general setting the proper country in bluetit.rc is recommended because you won't depend anymore on ipleak.net and at the same time you will not need another entry in hosts .

Everybody running OSMC, Raspbian or any other 32 bit Linux: you do not have crashes anymore, right? We already have a few confirmations that the problem is resolved, but we'd love hearing from you as well.

Kind regards

tOjO

@Staff, I tested the beta 2 after an uninstall of beta 1 and the bluetit daemon hasn't crashed anymore when the bandwidth is on high load.

The problem seems indeed to be resolved. Well done ! 😉

Grts,
Tom

air2157

5 hours ago, pjnsmb said:

Upon bootup on an unaltered bluetit.rc file I still get :

systemctl status bluetit still shows the line -desktop bluetit[3127]: ERROR: Cannot detect system location: Cannot resolve ipleak.net

That sounds like either the network isn't fully working or DNS is not yet fully working before bluetit starts.

You can try a hacky "ExecStartPre=/bin/sleep 5" to the /etc/systemd/system/bluetit.service file. That will delay the start of bluetit for 5 seconds.

Reboot and see if it helps.

Staff

On 4/3/2021 at 9:06 PM, air2157 said:

Further to my previous post, 1.1.0 beta 2 goldcrest has the same problem trying to run over TCP. (BTW, forgot to add that I'm on x86_64)

Hello!

Bluetit settings can't be overridden by a profile. The logic behind it is that a profile can be used by anyone in the airvpn group, while bluetit.rc is strictly reserved to root.

If not otherwise specified either in Bluetit configuration file, Goldcrest command line options, or Goldcrest configuration file, proto is set to UDP and port to 443. Change them according to your preferences, for example when you invoke Goldcrest (options --proto and --port in this case), or specify the options in goldcrest.rc (while an airvpn group user can bypass goldcrest.rc settings, she can't bypass bluetit.rc settings, except the default ones) . Also remember that Bluetit is fully integrated with AirVPN, so you don't need ovpn profiles/configuration files.

Kind regards

air2157

Thank you for your reply.

35 minutes ago, Staff said:

Bluetit settings can't be overridden by a profile. The logic behind it is that a profile can be used by anyone in the airvpn group, while bluetit.rc is strictly reserved to root.

As I have mentioned on several occasions, bluetit.rc contains no settings (ie all settings except bootstrap servers and RSA parameters are commented out . So, this part doesn't seem to be relevant to my problem, since all bluetit settings are default.

35 minutes ago, Staff said:

If not otherwise specified either in Bluetit configuration file, Goldcrest command line options, or Goldcrest configuration file, proto is set to UDP and port to 443.

This is the crux of the problem. proto is not explicitly set either in bluetit.rc or in goldcrest.rc. However, it is explicitly specified in the configuration file, air-eur.conf -- as proto tcp (or proto tcp-client) .

So are you saying that when I run goldcrest air-eur.conf, goldcrest will actually ignore some -- but clearly not all -- of the settings in the OpenVPN configuration file, even though they are not explicitly set in either bluetit.rc or goldcrest.rc?

Staff

2 minutes ago, air2157 said:

So are you saying that when I run goldcrest air-eur.conf, goldcrest will actually ignore some -- but clearly not all -- of the settings in the OpenVPN configuration file, even though they are not explicitly set in either bluetit.rc or goldcrest.rc?

Hello!

Exactly.

Kind regards

air2157

6 minutes ago, Staff said:

Exactly.

Really? Is this documented anywhere, including which settings are honoured / ignored?

With respect, this is not a sensible approach. If a setting is not specified in either bluetit.rc or goldcrest.rc, the setting in the OpenVPN configuration file should be honoured. To selectively ignore some settings from the .ovpn files makes little sense.

Staff

2 hours ago, air2157 said:

Really? Is this documented anywhere, including which settings are honoured / ignored?

Hello!

In the documentation you find all the Bluetit options with their default value, and it is explained that Bluetit configuration file overrides anything coming from Goldcrest or any other client: https://airvpn.org/suite/readme/#run-control-file

However, "proto" and "port" default values are reported as "empty" and this is a mistake, as they are respectively "udp" and "443". We will fix this soon, we apologize if it created confusion.

Quote

With respect, this is not a sensible approach. If a setting is not specified in either bluetit.rc or goldcrest.rc, the setting in the OpenVPN configuration file should be honoured. To selectively ignore some settings from the .ovpn files makes little sense.

In general, the profile (as well as Goldcrest options) can be created and enforced by airvpn group users, while bluetit.rc is exclusive root competence, so the final word must come from bluetit.rc, that plays the watchdog role, coherently with the access model of a client/daemon architecture in UNIX (further improved by D-Bus in this case).

Therefore, the system administrator can have at the same time both a fine grained control over access to a sensitive service which modifies extremely important system parts (gateway, DNS, firewall rules, routing table, virtual network interface) and additional security against some types of attacks aimed at the user(s) who can launch Goldcrest. We consider it as a very sensible and proper approach.

If you prefer a "root or nothing" approach then you don't need a client, a daemon and an access policy via D-Bus. We offer the simpler Hummingbird, which can be run by root only, needs a profile but adds important features not offered by OpenVPN, in particular refined DNS handling covering all the numerous DNS "modes" available in Linux, and Network Lock supporting the major Linux firewalls.

Kind regards

sooprtruffaut

Hello,

23 hours ago, Staff said:

What is your Linux distribution name and exact version? When you get the error can you please check whether the tun network interface is still up? According to your distribution you might enter from a shell the command ifconfig or ip a .

I'll answer the question about the tun0 when my system produces the error again! This is the longest it's gone without any issue.
As for the distro, it's Ubuntu 20.04.2 LTS (GNU/Linux 5.4.0-70-generic x86_64)

UPDATE
Error finally happened again. Here's the log:

Apr 06 15:56:07 dockerbox bluetit[42995]: Tunnel Options:V4,dev-type tun,link-mtu 1522,tun-mtu 1500,proto UDPv4,comp-lzo,cipher AES-256-GCM,auth [null-digest],keysize 256,key-method 2,tls-client
Apr 06 15:56:07 dockerbox bluetit[42995]: Peer Info:
IV_VER=3.6.6 AirVPN
IV_PLAT=linux
IV_TCPNL=1
IV_PROTO=30
IV_CIPHERS=AES-256-GCM
IV_LZO_STUB=1
IV_COMP_STUB=1
IV_COMP_STUBv2=1
UV_IPV6=no
IV_GUI_VER=Bluetit - AirVPN OpenVPN 3 Service 1.1.0 Beta 2
IV_SSL=OpenSSL 1.1.0l 10 Sep 2019
Apr 06 15:56:08 dockerbox bluetit[42995]: VERIFY OK: depth=1, /C=IT/ST=IT/L=Perugia/O=airvpn.org/CN=airvpn.org CA/emailAddress=info@airvpn.org, signature: RSA-SHA1
Apr 06 15:56:08 dockerbox bluetit[42995]: VERIFY OK: depth=0, /C=IT/ST=IT/L=Perugia/O=airvpn.org/CN=Xuange/emailAddress=info@airvpn.org, signature: RSA-SHA512
Apr 06 15:57:07 dockerbox bluetit[42995]: ERROR: KEV_NEGOTIATE_ERROR
Apr 06 15:57:07 dockerbox bluetit[42995]: ERROR: HANDSHAKE_TIMEOUT
Apr 06 15:57:08 dockerbox bluetit[42995]: ERROR: KEY_STATE_ERROR

Apr 06 15:58:07 dockerbox bluetit[42995]: ERROR: KEV_NEGOTIATE_ERROR
Apr 06 15:58:07 dockerbox bluetit[42995]: ERROR: HANDSHAKE_TIMEOUT
Apr 06 15:58:09 dockerbox bluetit[42995]: ERROR: KEEPALIVE_TIMEOUT
Apr 06 15:58:09 dockerbox bluetit[42995]: Session invalidated: KEEPALIVE_TIMEOUT
Apr 06 15:58:09 dockerbox bluetit[42995]: Client terminated, restarting in 2000 ms...
Apr 06 15:58:09 dockerbox bluetit[42995]: net_route_del: 128.0.0.0/1 via 10.10.22.1 dev tun0 table 0 metric 0
Apr 06 15:58:09 dockerbox bluetit[42995]: net_route_del: 0.0.0.0/1 via 10.10.22.1 dev tun0 table 0 metric 0
Apr 06 15:58:09 dockerbox bluetit[42995]: net_addr_del: 10.10.22.2/24 dev tun0
Apr 06 15:58:09 dockerbox bluetit[42995]: net_iface_mtu_set: mtu 1500 for tun0
Apr 06 15:58:09 dockerbox bluetit[42995]: net_iface_up: set tun0 down
Apr 06 15:58:09 dockerbox bluetit[42995]: net_route_del: 79.142.69.162/32 via 192.168.1.254 dev enp0s31f6 table 0 metric 0
Apr 06 15:58:11 dockerbox bluetit[42995]: EVENT: RECONNECTING
Apr 06 15:58:11 dockerbox bluetit[42995]: Successfully restored DNS settings
Apr 06 15:58:11 dockerbox bluetit[42995]: Restoring systemd-resolved DNS settings
Apr 06 15:58:11 dockerbox bluetit[42995]: ERROR: N_RECONNECT
Apr 06 15:58:11 dockerbox bluetit[42995]: EVENT: RESOLVE
Apr 06 15:58:11 dockerbox bluetit[42995]: Contacting 79.142.69.162:443 via UDP
Apr 06 15:58:11 dockerbox bluetit[42995]: EVENT: WAIT
Apr 06 15:58:11 dockerbox bluetit[42995]: Connecting to [79.142.69.162]:443 (79.142.69.162) via UDPv4
Apr 06 15:58:11 dockerbox bluetit[42995]: EVENT: CONNECTING
Apr 06 15:58:11 dockerbox bluetit[42995]: Tunnel Options:V4,dev-type tun,link-mtu 1522,tun-mtu 1500,proto UDPv4,comp-lzo,cipher AES-256-GCM,auth [null-digest],keysize 256,key-method 2,tls-client
Apr 06 15:58:11 dockerbox bluetit[42995]: Peer Info:
IV_VER=3.6.6 AirVPN
IV_PLAT=linux
IV_TCPNL=1
IV_PROTO=30
IV_CIPHERS=AES-256-GCM
IV_LZO_STUB=1
IV_COMP_STUB=1
IV_COMP_STUBv2=1
UV_IPV6=no
IV_GUI_VER=Bluetit - AirVPN OpenVPN 3 Service 1.1.0 Beta 2
IV_SSL=OpenSSL 1.1.0l 10 Sep 2019
Apr 06 15:58:12 dockerbox bluetit[42995]: VERIFY OK: depth=1, /C=IT/ST=IT/L=Perugia/O=airvpn.org/CN=airvpn.org CA/emailAddress=info@airvpn.org, signature: RSA-SHA1
Apr 06 15:58:12 dockerbox bluetit[42995]: VERIFY OK: depth=0, /C=IT/ST=IT/L=Perugia/O=airvpn.org/CN=Xuange/emailAddress=info@airvpn.org, signature: RSA-SHA512
Apr 06 15:58:12 dockerbox bluetit[42995]: SSL Handshake: peer certificate: CN=Xuange, 4096 bit RSA, cipher: TLS_CHACHA20_POLY1305_SHA256 TLSv1.3 Kx=any Au=any Enc=CHACHA20/POLY1305(256) Mac=AEAD
Apr 06 15:58:12 dockerbox bluetit[42995]: Session is ACTIVE
Apr 06 15:58:12 dockerbox bluetit[42995]: EVENT: WARN TLS: received certificate signed with SHA1. Please inform your admin to upgrade to a stronger algorithm. Support for SHA1 signatures will be dropped in the future
Apr 06 15:58:12 dockerbox bluetit[42995]: EVENT: GET_CONFIG
Apr 06 15:58:12 dockerbox bluetit[42995]: Sending PUSH_REQUEST to server...
Apr 06 15:58:12 dockerbox bluetit[42995]: OPTIONS:
0 [comp-lzo] [no]
1 [redirect-gateway] [def1] [bypass-dhcp]
2 [dhcp-option] [DNS] [10.10.22.1]
3 [route-gateway] [10.10.22.1]
4 [topology] [subnet]
5 [ping] [10]
6 [ping-restart] [60]
7 [ifconfig] [10.10.22.16] [255.255.255.0]
8 [peer-id] [3]
9 [cipher] [AES-256-GCM]
Apr 06 15:58:12 dockerbox bluetit[42995]: PROTOCOL OPTIONS:
cipher: AES-256-GCM
digest: NONE
ncp enabled: no
key-derivation: OpenVPN PRF
compress: LZO_STUB
peer ID: 3
control channel: tls-crypt enabled
Apr 06 15:58:12 dockerbox bluetit[42995]: EVENT: ASSIGN_IP
Apr 06 15:58:12 dockerbox bluetit[42995]: VPN Server has pushed IPv4 DNS server 10.10.22.1
Apr 06 15:58:12 dockerbox bluetit[42995]: Setting pushed IPv4 DNS server 10.10.22.1 in resolv.conf
Apr 06 15:58:12 dockerbox bluetit[42995]: Setting pushed IPv4 DNS server 10.10.22.1 for interface enp0s31f6 via systemd-resolved

Apr 06 15:58:12 dockerbox bluetit[42995]: ERROR systemd-resolved: Failed to add DNS server 10.10.22.1 for interface veth33b19d1
Apr 06 15:58:12 dockerbox bluetit[42995]: Setting pushed IPv4 DNS server 10.10.22.1 for interface vethdbd6ab6 via systemd-resolved
Apr 06 15:58:12 dockerbox bluetit[42995]: ERROR systemd-resolved: Failed to add DNS server 10.10.22.1 for interface veth2f7f02e
Apr 06 15:58:12 dockerbox bluetit[42995]: net_iface_mtu_set: mtu 1500 for tun0
Apr 06 15:58:12 dockerbox bluetit[42995]: net_iface_up: set tun0 up
Apr 06 15:58:12 dockerbox bluetit[42995]: net_addr_add: 10.10.22.16/24 brd 10.10.22.255 dev tun0
Apr 06 15:58:12 dockerbox bluetit[42995]: net_route_add: 0.0.0.0/1 via 10.10.22.1 dev tun0 table 0 metric 0
Apr 06 15:58:12 dockerbox bluetit[42995]: net_route_add: 128.0.0.0/1 via 10.10.22.1 dev tun0 table 0 metric 0
Apr 06 15:58:12 dockerbox bluetit[42995]: net_route_del: 128.0.0.0/1 via 10.10.22.1 dev tun0 table 0 metric 0
Apr 06 15:58:12 dockerbox bluetit[42995]: net_route_del: 0.0.0.0/1 via 10.10.22.1 dev tun0 table 0 metric 0
Apr 06 15:58:12 dockerbox bluetit[42995]: net_addr_del: 10.10.22.2/24 dev tun0
Apr 06 15:58:12 dockerbox bluetit[42995]: sitnl_send: rtnl: generic error: Cannot assign requested address (-99)
Apr 06 15:58:12 dockerbox bluetit[42995]: net_iface_mtu_set: mtu 1500 for tun0
Apr 06 15:58:12 dockerbox bluetit[42995]: net_iface_up: set tun0 down
Apr 06 15:58:12 dockerbox bluetit[42995]: Connected via tun
Apr 06 15:58:12 dockerbox bluetit[42995]: LZO-ASYM init swap=0 asym=1
Apr 06 15:58:12 dockerbox bluetit[42995]: Comp-stub init swap=0
Apr 06 15:58:12 dockerbox bluetit[42995]: EVENT: CONNECTED 79.142.69.162:443 (79.142.69.162) via /UDPv4 on tun/10.10.22.16/ gw=[10.10.22.1/]
Apr 06 15:58:12 dockerbox bluetit[42995]: Connected to AirVPN server Xuange, Zurich (Switzerland)
Apr 06 15:58:13 dockerbox bluetit[42995]: DBusConnectorException: DBusConnector: not primary owner (2)
Apr 06 15:58:13 dockerbox bluetit[42995]: Stopping OpenVPN3 connection thread
Apr 06 15:58:13 dockerbox bluetit[42995]: Connection statistics updater thread finished
Apr 06 15:58:13 dockerbox bluetit[42995]: net_route_del: 128.0.0.0/1 via 10.10.22.1 dev tun0 table 0 metric 0
Apr 06 15:58:13 dockerbox bluetit[42995]: sitnl_send: rtnl: generic error: No such process (-3)
Apr 06 15:58:13 dockerbox bluetit[42995]: net_route_del: 0.0.0.0/1 via 10.10.22.1 dev tun0 table 0 metric 0
Apr 06 15:58:13 dockerbox bluetit[42995]: sitnl_send: rtnl: generic error: No such process (-3)
Apr 06 15:58:13 dockerbox bluetit[42995]: net_addr_del: 10.10.22.16/24 dev tun0
Apr 06 15:58:13 dockerbox bluetit[42995]: net_iface_mtu_set: mtu 1500 for tun0
Apr 06 15:58:13 dockerbox bluetit[42995]: net_iface_up: set tun0 down
Apr 06 15:58:13 dockerbox bluetit[42995]: net_route_del: 79.142.69.162/32 via 192.168.1.254 dev enp0s31f6 table 0 metric 0
Apr 06 15:58:13 dockerbox bluetit[42995]: sitnl_send: rtnl: generic error: No such process (-3)
Apr 06 15:58:13 dockerbox bluetit[42995]: Error while executing NetlinkRoute4(add: 0) tun0: -3
Error while executing NetlinkRoute4(add: 0) tun0: -3
Error while executing NetlinkRoute4(add: 0) enp0s31f6: -3
Apr 06 15:58:13 dockerbox bluetit[42995]: EVENT: DISCONNECTED
Apr 06 15:58:13 dockerbox bluetit[42995]: Successfully restored DNS settings
Apr 06 15:58:13 dockerbox bluetit[42995]: Restoring systemd-resolved DNS settings
Apr 06 15:58:13 dockerbox bluetit[42995]: OpenVPN3 connection thread finished
Apr 06 15:58:13 dockerbox bluetit[42995]: Logging out AirVPN user sooprtruffaut
Apr 06 15:58:13 dockerbox bluetit[42995]: AirVPN Manifest updater thread finished
Apr 06 15:58:13 dockerbox systemd[1]: bluetit.service: Main process exited, code=exited, status=1/FAILURE
Apr 06 15:58:13 dockerbox systemd[1]: bluetit.service: Failed with result 'exit-code'.

Tun0 does not stay up after this error occurs. Edited ... by sooprtruffaut
Added error log

pjnsmb

17 hours ago, air2157 said:

That sounds like either the network isn't fully working or DNS is not yet fully working before bluetit starts.

You can try a hacky "ExecStartPre=/bin/sleep 5" to the /etc/systemd/system/bluetit.service file. That will delay the start of bluetit for 5 seconds.

Reboot and see if it helps.

@air2157
thanks for the tip, I was aware of it already and had tried it without success before posting .
cheers

air2157

@Staff

Once again, thank you for your detailed reply.

Unfortunately, we seem to be at cross purposes. I fully understand that if bluetit.rc contains a setting, it cannot be overridden by a client process. The logical extension of this is that if bluetit.rc does not contain a setting, then it should be possible for a client process (ie goldcrest) to override (all of) the default settings. What we actually see is that this is not always the case.

I appreciate that you have put a lot of work into the bluetit / goldcrest system but, given its apparently inconsistent approach to settings, I'll move my testing to Hummingbird. Nevertheless, thank you for your efforts.

Staff

23 hours ago, air2157 said:

@Staff

Once again, thank you for your detailed reply.

Unfortunately, we seem to be at cross purposes. I fully understand that if bluetit.rc contains a setting, it cannot be overridden by a client process. The logical extension of this is that if bluetit.rc does not contain a setting, then it should be possible for a client process (ie goldcrest) to override (all of) the default settings. What we actually see is that this is not always the case.

Hello!

Thank YOU for your testing. Let's clarify a thing that you wrongly assumed, especially for the readers.

Contrarily to what you say, it is possible "for a client process (ie goldcrest) to override (all of) the default settings", when such settings are not specified in bluetit.rc.. In other words, Goldcrest settings can override Bluetit default settings when they (Bluetit's) are omitted in bluetit.rc.

What it's not possible is a totally different thing, i.e. overriding Bluetit and Goldcrest settings via an OpenVPN profile. For example, if you invoke Goldcrest with --proto option, or you specify it in goldcrest.rc, you can pick between udp and tcp. Bluetit will connect accordingly, if bluetit.rc does not include any proto directive.

Kind regards

sooprtruffaut

On 4/6/2021 at 10:34 AM, sooprtruffaut said:

Hello,

I'll answer the question about the tun0 when my system produces the error again! This is the longest it's gone without any issue.
As for the distro, it's Ubuntu 20.04.2 LTS (GNU/Linux 5.4.0-70-generic x86_64)

UPDATE
Error finally happened again. Here's the log:

Apr 06 15:56:07 dockerbox bluetit[42995]: Tunnel Options:V4,dev-type tun,link-mtu 1522,tun-mtu 1500,proto UDPv4,comp-lzo,cipher AES-256-GCM,auth [null-digest],keysize 256,key-method 2,tls-client
Apr 06 15:56:07 dockerbox bluetit[42995]: Peer Info:
IV_VER=3.6.6 AirVPN
IV_PLAT=linux
IV_TCPNL=1
IV_PROTO=30
IV_CIPHERS=AES-256-GCM
IV_LZO_STUB=1
IV_COMP_STUB=1
IV_COMP_STUBv2=1
UV_IPV6=no
IV_GUI_VER=Bluetit - AirVPN OpenVPN 3 Service 1.1.0 Beta 2
IV_SSL=OpenSSL 1.1.0l 10 Sep 2019
Apr 06 15:56:08 dockerbox bluetit[42995]: VERIFY OK: depth=1, /C=IT/ST=IT/L=Perugia/O=airvpn.org/CN=airvpn.org CA/emailAddress=info@airvpn.org, signature: RSA-SHA1
Apr 06 15:56:08 dockerbox bluetit[42995]: VERIFY OK: depth=0, /C=IT/ST=IT/L=Perugia/O=airvpn.org/CN=Xuange/emailAddress=info@airvpn.org, signature: RSA-SHA512
Apr 06 15:57:07 dockerbox bluetit[42995]: ERROR: KEV_NEGOTIATE_ERROR
Apr 06 15:57:07 dockerbox bluetit[42995]: ERROR: HANDSHAKE_TIMEOUT
Apr 06 15:57:08 dockerbox bluetit[42995]: ERROR: KEY_STATE_ERROR

Apr 06 15:58:07 dockerbox bluetit[42995]: ERROR: KEV_NEGOTIATE_ERROR
Apr 06 15:58:07 dockerbox bluetit[42995]: ERROR: HANDSHAKE_TIMEOUT
Apr 06 15:58:09 dockerbox bluetit[42995]: ERROR: KEEPALIVE_TIMEOUT
Apr 06 15:58:09 dockerbox bluetit[42995]: Session invalidated: KEEPALIVE_TIMEOUT
Apr 06 15:58:09 dockerbox bluetit[42995]: Client terminated, restarting in 2000 ms...
Apr 06 15:58:09 dockerbox bluetit[42995]: net_route_del: 128.0.0.0/1 via 10.10.22.1 dev tun0 table 0 metric 0
Apr 06 15:58:09 dockerbox bluetit[42995]: net_route_del: 0.0.0.0/1 via 10.10.22.1 dev tun0 table 0 metric 0
Apr 06 15:58:09 dockerbox bluetit[42995]: net_addr_del: 10.10.22.2/24 dev tun0
Apr 06 15:58:09 dockerbox bluetit[42995]: net_iface_mtu_set: mtu 1500 for tun0
Apr 06 15:58:09 dockerbox bluetit[42995]: net_iface_up: set tun0 down
Apr 06 15:58:09 dockerbox bluetit[42995]: net_route_del: 79.142.69.162/32 via 192.168.1.254 dev enp0s31f6 table 0 metric 0
Apr 06 15:58:11 dockerbox bluetit[42995]: EVENT: RECONNECTING
Apr 06 15:58:11 dockerbox bluetit[42995]: Successfully restored DNS settings
Apr 06 15:58:11 dockerbox bluetit[42995]: Restoring systemd-resolved DNS settings
Apr 06 15:58:11 dockerbox bluetit[42995]: ERROR: N_RECONNECT
Apr 06 15:58:11 dockerbox bluetit[42995]: EVENT: RESOLVE
Apr 06 15:58:11 dockerbox bluetit[42995]: Contacting 79.142.69.162:443 via UDP
Apr 06 15:58:11 dockerbox bluetit[42995]: EVENT: WAIT
Apr 06 15:58:11 dockerbox bluetit[42995]: Connecting to [79.142.69.162]:443 (79.142.69.162) via UDPv4
Apr 06 15:58:11 dockerbox bluetit[42995]: EVENT: CONNECTING
Apr 06 15:58:11 dockerbox bluetit[42995]: Tunnel Options:V4,dev-type tun,link-mtu 1522,tun-mtu 1500,proto UDPv4,comp-lzo,cipher AES-256-GCM,auth [null-digest],keysize 256,key-method 2,tls-client
Apr 06 15:58:11 dockerbox bluetit[42995]: Peer Info:
IV_VER=3.6.6 AirVPN
IV_PLAT=linux
IV_TCPNL=1
IV_PROTO=30
IV_CIPHERS=AES-256-GCM
IV_LZO_STUB=1
IV_COMP_STUB=1
IV_COMP_STUBv2=1
UV_IPV6=no
IV_GUI_VER=Bluetit - AirVPN OpenVPN 3 Service 1.1.0 Beta 2
IV_SSL=OpenSSL 1.1.0l 10 Sep 2019
Apr 06 15:58:12 dockerbox bluetit[42995]: VERIFY OK: depth=1, /C=IT/ST=IT/L=Perugia/O=airvpn.org/CN=airvpn.org CA/emailAddress=info@airvpn.org, signature: RSA-SHA1
Apr 06 15:58:12 dockerbox bluetit[42995]: VERIFY OK: depth=0, /C=IT/ST=IT/L=Perugia/O=airvpn.org/CN=Xuange/emailAddress=info@airvpn.org, signature: RSA-SHA512
Apr 06 15:58:12 dockerbox bluetit[42995]: SSL Handshake: peer certificate: CN=Xuange, 4096 bit RSA, cipher: TLS_CHACHA20_POLY1305_SHA256 TLSv1.3 Kx=any Au=any Enc=CHACHA20/POLY1305(256) Mac=AEAD
Apr 06 15:58:12 dockerbox bluetit[42995]: Session is ACTIVE
Apr 06 15:58:12 dockerbox bluetit[42995]: EVENT: WARN TLS: received certificate signed with SHA1. Please inform your admin to upgrade to a stronger algorithm. Support for SHA1 signatures will be dropped in the future
Apr 06 15:58:12 dockerbox bluetit[42995]: EVENT: GET_CONFIG
Apr 06 15:58:12 dockerbox bluetit[42995]: Sending PUSH_REQUEST to server...
Apr 06 15:58:12 dockerbox bluetit[42995]: OPTIONS:
0 [comp-lzo] [no]
1 [redirect-gateway] [def1] [bypass-dhcp]
2 [dhcp-option] [DNS] [10.10.22.1]
3 [route-gateway] [10.10.22.1]
4 [topology] [subnet]
5 [ping] [10]
6 [ping-restart] [60]
7 [ifconfig] [10.10.22.16] [255.255.255.0]
8 [peer-id] [3]
9 [cipher] [AES-256-GCM]
Apr 06 15:58:12 dockerbox bluetit[42995]: PROTOCOL OPTIONS:
cipher: AES-256-GCM
digest: NONE
ncp enabled: no
key-derivation: OpenVPN PRF
compress: LZO_STUB
peer ID: 3
control channel: tls-crypt enabled
Apr 06 15:58:12 dockerbox bluetit[42995]: EVENT: ASSIGN_IP
Apr 06 15:58:12 dockerbox bluetit[42995]: VPN Server has pushed IPv4 DNS server 10.10.22.1
Apr 06 15:58:12 dockerbox bluetit[42995]: Setting pushed IPv4 DNS server 10.10.22.1 in resolv.conf
Apr 06 15:58:12 dockerbox bluetit[42995]: Setting pushed IPv4 DNS server 10.10.22.1 for interface enp0s31f6 via systemd-resolved

Apr 06 15:58:12 dockerbox bluetit[42995]: ERROR systemd-resolved: Failed to add DNS server 10.10.22.1 for interface veth33b19d1
Apr 06 15:58:12 dockerbox bluetit[42995]: Setting pushed IPv4 DNS server 10.10.22.1 for interface vethdbd6ab6 via systemd-resolved
Apr 06 15:58:12 dockerbox bluetit[42995]: ERROR systemd-resolved: Failed to add DNS server 10.10.22.1 for interface veth2f7f02e
Apr 06 15:58:12 dockerbox bluetit[42995]: net_iface_mtu_set: mtu 1500 for tun0
Apr 06 15:58:12 dockerbox bluetit[42995]: net_iface_up: set tun0 up
Apr 06 15:58:12 dockerbox bluetit[42995]: net_addr_add: 10.10.22.16/24 brd 10.10.22.255 dev tun0
Apr 06 15:58:12 dockerbox bluetit[42995]: net_route_add: 0.0.0.0/1 via 10.10.22.1 dev tun0 table 0 metric 0
Apr 06 15:58:12 dockerbox bluetit[42995]: net_route_add: 128.0.0.0/1 via 10.10.22.1 dev tun0 table 0 metric 0
Apr 06 15:58:12 dockerbox bluetit[42995]: net_route_del: 128.0.0.0/1 via 10.10.22.1 dev tun0 table 0 metric 0
Apr 06 15:58:12 dockerbox bluetit[42995]: net_route_del: 0.0.0.0/1 via 10.10.22.1 dev tun0 table 0 metric 0
Apr 06 15:58:12 dockerbox bluetit[42995]: net_addr_del: 10.10.22.2/24 dev tun0
Apr 06 15:58:12 dockerbox bluetit[42995]: sitnl_send: rtnl: generic error: Cannot assign requested address (-99)
Apr 06 15:58:12 dockerbox bluetit[42995]: net_iface_mtu_set: mtu 1500 for tun0
Apr 06 15:58:12 dockerbox bluetit[42995]: net_iface_up: set tun0 down
Apr 06 15:58:12 dockerbox bluetit[42995]: Connected via tun
Apr 06 15:58:12 dockerbox bluetit[42995]: LZO-ASYM init swap=0 asym=1
Apr 06 15:58:12 dockerbox bluetit[42995]: Comp-stub init swap=0
Apr 06 15:58:12 dockerbox bluetit[42995]: EVENT: CONNECTED 79.142.69.162:443 (79.142.69.162) via /UDPv4 on tun/10.10.22.16/ gw=[10.10.22.1/]
Apr 06 15:58:12 dockerbox bluetit[42995]: Connected to AirVPN server Xuange, Zurich (Switzerland)
Apr 06 15:58:13 dockerbox bluetit[42995]: DBusConnectorException: DBusConnector: not primary owner (2)
Apr 06 15:58:13 dockerbox bluetit[42995]: Stopping OpenVPN3 connection thread
Apr 06 15:58:13 dockerbox bluetit[42995]: Connection statistics updater thread finished
Apr 06 15:58:13 dockerbox bluetit[42995]: net_route_del: 128.0.0.0/1 via 10.10.22.1 dev tun0 table 0 metric 0
Apr 06 15:58:13 dockerbox bluetit[42995]: sitnl_send: rtnl: generic error: No such process (-3)
Apr 06 15:58:13 dockerbox bluetit[42995]: net_route_del: 0.0.0.0/1 via 10.10.22.1 dev tun0 table 0 metric 0
Apr 06 15:58:13 dockerbox bluetit[42995]: sitnl_send: rtnl: generic error: No such process (-3)
Apr 06 15:58:13 dockerbox bluetit[42995]: net_addr_del: 10.10.22.16/24 dev tun0
Apr 06 15:58:13 dockerbox bluetit[42995]: net_iface_mtu_set: mtu 1500 for tun0
Apr 06 15:58:13 dockerbox bluetit[42995]: net_iface_up: set tun0 down
Apr 06 15:58:13 dockerbox bluetit[42995]: net_route_del: 79.142.69.162/32 via 192.168.1.254 dev enp0s31f6 table 0 metric 0
Apr 06 15:58:13 dockerbox bluetit[42995]: sitnl_send: rtnl: generic error: No such process (-3)
Apr 06 15:58:13 dockerbox bluetit[42995]: Error while executing NetlinkRoute4(add: 0) tun0: -3
Error while executing NetlinkRoute4(add: 0) tun0: -3
Error while executing NetlinkRoute4(add: 0) enp0s31f6: -3
Apr 06 15:58:13 dockerbox bluetit[42995]: EVENT: DISCONNECTED
Apr 06 15:58:13 dockerbox bluetit[42995]: Successfully restored DNS settings
Apr 06 15:58:13 dockerbox bluetit[42995]: Restoring systemd-resolved DNS settings
Apr 06 15:58:13 dockerbox bluetit[42995]: OpenVPN3 connection thread finished
Apr 06 15:58:13 dockerbox bluetit[42995]: Logging out AirVPN user sooprtruffaut
Apr 06 15:58:13 dockerbox bluetit[42995]: AirVPN Manifest updater thread finished
Apr 06 15:58:13 dockerbox systemd[1]: bluetit.service: Main process exited, code=exited, status=1/FAILURE
Apr 06 15:58:13 dockerbox systemd[1]: bluetit.service: Failed with result 'exit-code'.

Tun0 does not stay up after this error occurs.

Hello,

As a follow up to this my previous post, doing some research about tun i/o errors, when this occurs with openvpn, it seems to be related to compression. I reverted to the default setting, which I believe is "compress no" and will continue to monitor.

Staff

On 4/4/2021 at 3:23 PM, air2157 said:

The config file option is "auth SHA512". The log shows "auth [null-digest]. Unfortunately, setting verbosity 4 provided no more detail, so it's difficult to say which HMAC, if any, it's using. By contrast OpenVPN 2.4.7 (Debian) in verb 4 shows:

Hello!

That's expected. Remember the auth directive scope as we underlined in a previous message: it does not apply to AEAD ciphers, in the Data Channel (~~and we use only AEAD ciphers~~ fix: not true, we still support AES-CBC). In the Control Channel, it applies only to TLS Auth (not to TLS Crypt according to documentation) and (obviously) only when compatible with the tls-ciphers list (check both data-ciphers and tls-ciphers set on servers in our previous message).

To check the digest, see the rest of the log pertaining to Control Channel cipher and Data Channel cipher in IANA convention.

Unfortunately a working verbosity option is not implemented in OpenVPN3, maybe one day we'll implement it in our fork.

Kind regards

air2157

@Staff

I'd totally forgotten that AES-GCM included the HMAC (auth) function. D'oh! Thanks for putting me straight.

I was unaware that OpenVPN3 doesn't have a verbosity option.. That's a shame, though anything above verb 4 is usually well above my pay grade.

My testing of Hummingbird is still proceeding...

All the best.

Staff

Hello!

AirVPN Suite 1.1.0 RC 1 is now available. No news from beta 2, it's just for development cycle consistency and coherency. URLs in initial post have been updated.

Kind regards

air2157

I'm having problems with Hummingbird. My idea is to have a common TCP/443 .ovpn config file and specify the server on the command line. Here's the .ovpn config file (which, incidentally, works fine without any overrides):

client
dev tun
remote bg3.all.vpn.airdns.org 443
resolv-retry infinite
nobind
persist-key
persist-tun
auth-nocache
route-delay 5
verb 3
push-peer-info
setenv UV_IPV6 no
remote-cert-tls server
cipher AES-256-GCM
comp-lzo no
proto tcp

With server and port override:

user@air-eur:~$ sudo hummingbird --server europe3.vpn.airdns.org  --port 443  /etc/airvpn/tcp_443.ovpn
Hummingbird - AirVPN OpenVPN 3 Client 1.1.2 RC 1 - 7 April 2021

Thu Apr  8 19:34:39.716 2021 System and service manager in use is systemd
Thu Apr  8 19:34:39.736 2021 Network filter and lock are using iptables-legacy
Thu Apr  8 19:34:39.750 2021 Successfully loaded kernel module iptable_filter
Thu Apr  8 19:34:39.778 2021 Successfully loaded kernel module iptable_nat
Thu Apr  8 19:34:39.796 2021 Successfully loaded kernel module iptable_mangle
Thu Apr  8 19:34:39.816 2021 Successfully loaded kernel module iptable_security
Thu Apr  8 19:34:39.837 2021 Successfully loaded kernel module iptable_raw
Thu Apr  8 19:34:39.863 2021 Successfully loaded kernel module ip6table_filter
Thu Apr  8 19:34:39.888 2021 Successfully loaded kernel module ip6table_nat
Thu Apr  8 19:34:39.899 2021 Successfully loaded kernel module ip6table_mangle
Thu Apr  8 19:34:39.909 2021 Successfully loaded kernel module ip6table_security
Thu Apr  8 19:34:39.918 2021 Successfully loaded kernel module ip6table_raw
ERROR: eval config error: ERR_PROFILE_GENERIC: option_error: error parsing protocol: tcp-client

If I comment out the remote bg3.all.vpn.airdns.org line, it segfaults:

user@air-eur:~$ sudo hummingbird --server europe3.vpn.airdns.org  --port 443  /etc/airvpn/tcp_443.ovpn
Hummingbird - AirVPN OpenVPN 3 Client 1.1.2 RC 1 - 7 April 2021

Thu Apr  8 19:42:18.195 2021 System and service manager in use is systemd
Segmentation fault

jrredho

Hey All,

I'm uncertain it this is the correct place, given all of the detailed beta testing going on among you super-savvy folks, but has anyone besides me noticed the massive CPU consumption differences between the various clients?

In particular, when I run bluetit (from AirVPN Suite beta 1.1) on my up-to-date Fedora f33 x86_64 system, Bluetit is using something like 8% of my CPU; the eddie client, 1%; and, finally, the eddie-cli client, 0.1%. (Both of the latter utilities are using the latest hummingbird client.) At least that's what I gleaned from looking at htop while running them each in freshly booted conditions doing simple web browsing.

Am I hallucinating? Has anyone who's more technically proficient done a formal comparison?

Thanks (and apologies if this is the wrong place for this post)!

cheers,
john

Linux: AirVPN Suite 1.1.0 beta available

Recommended Posts

Share this post

Link to post

Share this post

Link to post

Share this post

Link to post

Share this post

Link to post

Share this post

Link to post

Share this post

Link to post

Share this post

Link to post

Share this post

Link to post

Share this post

Link to post

Share this post

Link to post

Share this post

Link to post

Share this post

Link to post

Share this post

Link to post

Share this post

Link to post

Share this post

Link to post

Share this post

Link to post

Share this post

Link to post

Share this post

Link to post

Share this post

Link to post

Share this post

Link to post

Share this post

Link to post

Share this post

Link to post

Share this post

Link to post

Share this post

Link to post

Share this post

Link to post