Jump to content
Not connected, Your IP:

Linux: AirVPN Suite 1.1.0 released

Recommended Posts


We're very glad to inform you that AirVPN Suite version 1.1.0 for Linux has been released. Check supported systems below

The suite includes:

  • Bluetit: lightweight, ultra-fast D-Bus controlled system daemon providing full connectivity and integration to AirVPN servers, or generic OpenVPN servers. Bluetit can also enforce Network Lock and/or connect the system to AirVPN during the bootstrap
  • Goldcrest: Bluetit client, allowing full integration with AirVPN servers, users, keys, profiles as well as generic OpenVPN servers
  • Hummingbird: lightweight and standalone binary for generic OpenVPN server connections

All the software is free and open source, licensed under GPLv3.


What's new in 1.1.0 version


  • full compatibility with OSMC, Open Source Media Center
  • enhanced compatibility with Raspbian
  • persistent Network Lock implementation, useful for example to enforce prompt Network Lock during system bootstrap and prevent traffic leaks caused by processes at bootstrap (**). Use directive networklockpersist in bluetit.rc to enable Network Lock as soon as Bluetit starts, regardless of network status and connection attempts
  • revisited Network Lock logic for additional safety
  • new directives for bluetit.rc: networklockpersist, connectretrymax and aircipher
  • enhanced DNS handling for peculiar systemd-resolved operational modes
  • more rigorous handling of events through semaphore implementation
  • new D-Bus methods for Network Lock aimed at easier control by clients. Developer's documentation will be published soon
  • crash caused by systemd signal flooding has been resolved
  • libcurl crash in OSMC and other systems has been fixed
  • crash in some 32 bit systems has been fixed
  • logical flaw causing Network Lock missed activation in case of account login failure has been fixed
  • various bug fixes
  • see the changelog below for more information and details

Important notes

(**) Ponder the option carefully if your machine needs network sync via NTP or other network services outside the VPN during the bootstrap phase
(***) Fedora 33 and openSUSE 15.2 users beware: we have noticed that in freshly installed Fedora 33 libcurl cannot find CA LetsEncrypt certificates and this will prevent Bluetit from detecting the country from ipleak.net. In this case, you can overcome this bug by using the country directive in bluetit.rc file, therefore avoiding the need to contact ipleak.net web site.

AirVPN Suite changelog


Version 1.1.0 - 4 June 2021

  • [ProMIND] vpnclient.hpp: restoreNetworkSettings() now returns a warning in case backup files are not found
  • [ProMIND] vpnclient.hpp: restoreNetworkSettings() improved restoring management with more cases/scenarios
  • [ProMIND] updated all dependencies and libraries

Version 1.1.0 RC 4 - 14 May 2021

  • [ProMIND] optionparser.cpp: added proper message errors in case of invalid argument and allocation memory error
  • [ProMIND] netfilter.cpp: systemBackupExists() now evaluate every firewall mode backup file name
  • [ProMIND] netfilter.cpp: restore() now check for every firewall mode backup and restore it accordingly
  • [ProMIND] netfilter.cpp: IPv6 rules are now allowed or added only in case IPv6 is available in the system

Version 1.1.0 RC 3 - 16 April 2021

  • [ProMIND] Updated to OpenVPN 3.7 AirVPN
  • [ProMIND] vpnclient.hpp: avoid netFilter setup in case NetFilter object is not private
  • [ProMIND] dbusconnector.cpp: fine tuned D-Bus wait cycle in R/W dispatch. Implemented a thread safe wait in order to avoid D-Bus timeout policy

Version 1.1.0 RC 1 - 7 April 2021

  • Release Candidate, no change from Beta 2

Version 1.1.0 Beta 2 - 2 April 2021

  • [ProMIND] localnetwork.cpp: added getDefaultGatewayInterface() method

Version 1.1.0 Beta 1 - 11 March 2021
  • [ProMIND] rcparser.cpp: removed formal list control for STRING type
  • [ProMIND] netfilter.hpp, netfilter.cpp: added functions to set the availability of specific iptables tables in order to properly use available tables only
  • [ProMIND] vpnclient.hpp: onResolveEvent() sets iptables tables according to the loaded modules
  • [ProMIND] vpnclient.hpp: Changed constructor in order to use both private and external NetFilter object
  • [ProMIND] localnetwork.cpp: added getLoopbackInterface(), getLocalIPaddresses() and getLocalInterfaces() methods
  • [ProMIND] airvpntools.cpp: added detectLocation() method to retrieve location data from ipleak.net
  • [ProMIND] airvpnuser.cpp: detectUserLocation() now uses AirVPNTools::detectLocation()
  • [ProMIND] airvpnuser.cpp: loadUserProfile() now correctly sets userProfileErrorDescription in case of network failure
  • [ProMIND] airvpnserverprovider.cpp: added "DEFAULT" rule to getUserConnectionPriority() in case user's country or continent is undefined
  • [ProMIND] airvpnmanifest.cpp: loadManifest() now correctly sets the status STORED in case of network failure
  • [ProMIND] Added Semaphore class
  • [ProMIND] dnsmanager.hpp: method revertAllResolved() renamed to restoreResolved(). Besides reverting all interfaces it now restarts systemd-resolved service as well.
  • [ProMIND] install.sh: improved update/upgrade process

Bluetit changelog

Version 1.1.0 - 4 June 2021
  • [ProMIND] Client option "network-lock" is now forbidden in case persistent network lock is enabled
  • [ProMIND] Avoid network lock initialization in case persistent network lock is enabled and client is requiring an OpenVPN connection from profile
  • [ProMIND] --air-list option now accepts "all" for sub options --air-server and --air-country
  • [ProMIND] AirVPN Manifest update suspended in case Bluetit is in a dirty status
  • [ProMIND] Changed systemd unit in order to prevent the obnoxious SIGKILL signal inappropriately sent before stop timeout completion and for no logical or practical reason when Bluetit is properly and neatly terminating in response to a legal and expected SIGTERM
Version 1.1.0 RC 4 - 14 May 2021
  • [ProMIND] Added directives airipv6 and air6to4 in bluetit.rc
  • [ProMIND] In case it is requested a network recovery, VpnClient object is now initialized with NetFilter::Mode::OFF
  • [ProMIND] In case the requested network lock method is not available, connection is not started
  • [ProMIND] In case system location cannot be determined through ipleak.net, country is now properly set to empty, latitude and longitude to 0.
  • [ProMIND] Persistent network lock is enabled only in case Bluetit status is clean
  • [ProMIND] AirVPN boot connection is started only in case Bluetit status is clean
  • [ProMIND] DNS backup files are now properly evaluated when determining dirty status
  • [ProMIND] Added D-Bus commands "reconnect_connection" and "session_reconnect"

Version 1.1.0 Beta 2 - 2 April 2021
  • [ProMIND] Gateway and gateway interface check at startup. Bluetit won't proceed until both gateway and gateway interface are properly set up by the system
  • [ProMIND] Increased volume and rate data sizes for 32 bit architectures
  • [ProMIND] Added aircipher directive to bluetit.rc
  • [ProMIND] Added maxconnretries directive to bluetit.rc

Version 1.1.0 Beta 1 - 11 March 2021
  • [ProMIND] connection_stats_updater(): now uses server.getEffectiveBandWidth() for AIRVPN_SERVER_BANDWIDTH
  • [ProMIND] added bool shutdownInProgress to control bluetit exit procedure and avoid signal flooding
  • [ProMIND] system location is detected at boot time and eventually propagated to all AirVPN users
  • [ProMIND] Network lock and filter is now enabled and activated before AirVPN login procedure
  • [ProMIND] Added dbus methods "enable_network_lock", "disable_network_lock" and "network_lock_status"
  • [ProMIND] Renamed bluetit.rc directive "airconnectonboot" to "airconnectatboot"
  • [ProMIND] Added bluetit.rc directive "networklockpersist"

Goldcrest changelog

Version 1.1.0 - 4 June 2021

  •  [ProMIND] Production release

Version 1.1.2 RC 4 - 14 May 2021

  • [ProMIND] DNS backup files are now properly evaluated when determining dirty status
  • [ProMIND] ProfileMerge is now constructed by allowing any file extension
  • [ProMIND] Reconnection (SIGUSR2) is now allowed only in case tun persistence is enabled

Version 1.1.2 - 2 April 2021

  • [ProMIND] Updated base classes

Hummingbird changelog

Version 1.1.2 - 4 June 2021

  • [ProMIND] updated all dependencies and libraries

Version 1.1.2 RC 4 - 14 May 2021

  • [ProMIND] DNS backup files are now properly evaluated when determining dirty status
  • [ProMIND] ProfileMerge is now constructed by allowing any file extension
  • [ProMIND] Reconnection (SIGUSR2) is now allowed only in case tun persistence is enabled



The client-daemon architecture offered by Goldcrest and Bluetit combination offers a robust security model and provides system administrators with a fine-grained, very flexible access control.

Bluetit is fully integrated with AirVPN. The daemon is accessed through a D-Bus interface by providing specific methods and interface in order to give full support to OpenVPN connection and AirVPN functionality, including - but not limited to - quick automatic connection to the best AirVPN server for any specific location as well as any AirVPN server or country. Connection during system bootstrap is fully supported as well.


New OpenVPN 3 library features

Hummingbird and Bluetit are linked against a new version of our OpenVPN 3 library which supports directive data-ciphers: it can be used consistently with OpenVPN 2.5 syntax in OpenVPN profiles.

The directive allows OpenVPN 3 based software to negotiate a common Data Channel cipher with the OpenVPN server,, updating therefore our library to ncp-like negotiation with OpenVPN 2 branch. Hummingbird and Bluetit are already linked against the new library version, while Eddie Android edition will be updated in the near future.

The new library also includes a different handling of IV_CIPHERS variable, fixing OpenVPN main branch issues which caused a plethora of problems with OpenVPN 2.5. The implementation, at the same time, takes care of full backward compatibility with OpenVPN versions older than 2.5.

ncp-disable directive, which to date has never been implemented in the main  branch, is still supported, in order to further enhance backward compatibility with both OpenVPN profiles and servers, as well as connection flexibility with servers running older than 2.5 OpenVPN versions.

Please note that if you enforce a specific Data Channel cipher by means of Bluetit configuration file, Hummingbird line option, or Goldcrest configuration file and/or line option, the enforced Data Channel cipher will override data-ciphers profile directive.

Notes on systemd

Users running Linux distributions which are not based on systemd can safely ignore this section.


Superusers of linux-systemd systems must be aware that systemd unit configuration file has been changed in order to circumvent a systemd critical bug which causes two obnoxious SIGKILL signals inappropriately sent before stop timeout completion and for no logical or practical reason when Bluetit is properly and neatly terminating in response to a legal and expected SIGTERM. The only known workaround so far to compensate the bug is forbidding systemd to send SIGKILL to Bluetit. The bug affects at least systemd versions 205, 214, 234, 246, but it might affect other versions too.


In Fedora 33 systemd-resolved comes pre-configured to work in "on-link" mode and network-manager works together with it.

This very peculiar, Windows-like setup kills Linux global DNS handling, causing those DNS leaks which previously occurred only on Windows. Hummingbird and Bluetit take care of preventing the brand new DNS leaks caused by such a setup.

Also note that systemd-resolved comes pre-configured with fallback DNS (Google DNS is a systemd-resolved default fallback DNS, smart choices pile up!) which will be queried if each interface DNS server fails some resolution. In such a case, if and only if you have Network Lock enabled will DNS leaks be prevented.

Supported systems

The suite is currently available for Linux x86-64, i686 (32 bit distributions), arm7l (for example Raspbian, OSMC and other ARM 32 bit based systems) and aarch64 (ARM 64 bit). Both systemd and SysV-style init based systems are supported.

AirVPN Suite is free and open source software licensed under GPLv3.

Overview and main features

AirVPN’s free and open source OpenVPN 3 suite based on AirVPN’s OpenVPN 3 library fork
  • Bluetit: lightweight D-Bus controlled system daemon providing full connectivity to AirVPN servers and generic OpenVPN servers. Ability to connect the system to AirVPN during the bootstrap.
  • Goldcrest: Bluetit client, allowing full integration with AirVPN servers, users, keys, profiles as well as generic OpenVPN servers
  • Hummingbird: lightweight and standalone client for generic OpenVPN server connection
  • Linux i686, x86-64, arm7l and arm64 (Raspberry) support
  • Full integration with systemd, SysV Style-init and chkconfig
  • No heavy framework required, no GUI
  • Tiny RAM footprint
  • Lightning fast
  • Based on OpenVPN 3 library fork by AirVPN version 3.6.6 with tons of critical bug fixes from the main branch, new cipher support and never seen before features
  • ChaCha20-Poly1305 cipher support on both Control and Data Channel providing great performance boost on ARM, Raspberry PI and any Linux based platform not supporting AES-NI. Note: ChaCha20 support for Android had been already implemented in our free and open source Eddie Android edition
  • Robust leaks prevention through Network Lock based either on iptables, nftables or pf through automatic detection
  • Proper handling of DNS push by VPN servers, working with resolv.conf as well as any operational mode of systemd-resolved additional features

User documentation (*) and source code:


User documentation is also included in an md file in each package.

(*) Developer documentation to create custom software clients for Bluetit will be published in the very near future.

Download page:


Share this post

Link to post


First of all, thank you for this release and all the effort you put into it!

I am currently using bluetit and try to blacklist two AirVPN servers: Server1 and Server2 (using official names of course). As the readme suggests, the directive should be put as a list.
However, bluetit seems to ignore this option since i cannot see anything related to the directive in my logs. Further, i am getting connected to the "blacklisted" server.

airblackserverlist              Server1,Server2
I have also tried "Server1,Server2" and 'Server1,Server2'.
Blacklisting just one server doesn't work either.

What is exactly meant by list? Do i have to create a seperate list (.csv, .xml, .lst, .txt) and refer to it in the .rc file? What am i missing?

Operating System: Ubuntu 21.04
Kernel: Linux 5.11.0-19-generic
Architecture: x86-64

Thanks & Regards

Share this post

Link to post


Thank you for your feedback. Bug reproduced and confirmed, it will be investigated to have a fix in the next release. Your syntax is correct and in your case a list is simply a series of names separated by commas. The list works effectively, but only for "quick" connection mode. In "country" connection mode Bluetit ignores it. You can, in the meantime, have some sort of good workaround by setting boot connection mode to quick and compiling white and black list according to your needs.

Kind regards

Share this post

Link to post

Join the conversation

You can post now and register later. If you have an account, sign in now to post with your account.
Note: Your post will require moderator approval before it will be visible.

Reply to this topic...

×   Pasted as rich text.   Paste as plain text instead

  Only 75 emoji are allowed.

×   Your link has been automatically embedded.   Display as a link instead

×   Your previous content has been restored.   Clear editor

×   You cannot paste images directly. Upload or insert images from URL.

  • Security Check
    Play CAPTCHA Audio
    Refresh Image

  • Create New...