Jump to content
Not connected, Your IP: 3.236.124.56
Stack of computer parts

bluetit.service wont connect on its own, manual connection via goldcrest --air-connect works fine

Recommended Posts

I am running Debian 11 using NetworkManager and connecting via a wwan card
AirVPN Suite 1.1.0 (latest)

Bluetit used to start up just fine at boot but lately it seems to hang just after retrieving the server manifest. It will remain this way indefinitely. While this happens network lock does not work and I can browse clear-net unwittingly.

This is the output from syslog under normal startup where it wont work

Jul 14 07:53:03 Dell bluetit: Copyright (C) 2012-2020 OpenVPN Inc. All rights reserved.
Jul 14 07:53:03 Dell systemd[1]: bluetit.service: Can't open PID file /etc/airvpn/bluetit.lock (yet?) after start: Operation not permitted
Jul 14 07:53:03 Dell bluetit: Bluetit daemon started with PID 2635
Jul 14 07:53:03 Dell bluetit: External network is reachable via gateway xxx.xxx.xxx.xxx through interface wwan0
Jul 14 07:53:03 Dell bluetit: Successfully connected to D-Bus
Jul 14 07:53:03 Dell bluetit: Reading run control directives from file /etc/airvpn/bluetit.rc
Jul 14 07:53:03 Dell bluetit: IPv6 is not available in this system
Jul 14 07:53:03 Dell bluetit: Bluetit successfully initialized and ready
Jul 14 07:53:03 Dell systemd[1]: Started AirVPN Bluetit Daemon.
Jul 14 07:53:03 Dell bluetit: Requesting network IP and country to AirVPN ipleak.net via secure connection
Jul 14 07:53:09 Dell bluetit: Network IP: xxx.xxx.xxx.xxx
Jul 14 07:53:09 Dell bluetit: System country: xx
Jul 14 07:53:09 Dell bluetit: Starting AirVPN boot connection
Jul 14 07:53:09 Dell bluetit: AirVPN Manifest updater thread started
Jul 14 07:53:09 Dell bluetit: AirVPN Manifest update interval is 15 minutes
Jul 14 07:53:09 Dell bluetit: AirVPN Manifest update suspended: AirVPN boot connection initialization in progress
Jul 14 07:53:09 Dell bluetit: Updating AirVPN Manifest
Jul 14 07:53:09 Dell bluetit: Network filter and lock are using iptables-legacy
Jul 14 07:53:09 Dell bluetit: Successfully loaded kernel module iptable_filter
Jul 14 07:53:09 Dell bluetit: Successfully loaded kernel module iptable_nat
Jul 14 07:53:09 Dell bluetit: Successfully loaded kernel module iptable_mangle
Jul 14 07:53:09 Dell bluetit: Successfully loaded kernel module iptable_security
Jul 14 07:53:09 Dell bluetit: Successfully loaded kernel module iptable_raw
Jul 14 07:53:09 Dell bluetit: Successfully loaded kernel module ip6table_filter
Jul 14 07:53:09 Dell bluetit: Successfully loaded kernel module ip6table_nat
Jul 14 07:53:09 Dell bluetit: Successfully loaded kernel module ip6table_mangle
Jul 14 07:53:09 Dell bluetit: Successfully loaded kernel module ip6table_security
Jul 14 07:53:09 Dell bluetit: Successfully loaded kernel module ip6table_raw
Jul 14 07:53:09 Dell bluetit: Network filter successfully initialized
Jul 14 07:53:09 Dell bluetit: Session network filter and lock successfully enabled
Jul 14 07:53:09 Dell bluetit: AirVPN bootstrap servers are now allowed to pass through the network filter
Jul 14 07:53:09 Dell bluetit: Waiting for a valid AirVPN Manifest to be available
Jul 14 07:53:29 Dell bluetit: ERROR: Cannot start AirVPN Connection. AirVPN Manifest not available.
Jul 14 07:53:40 Dell bluetit: AirVPN Manifest successfully retrieved from server
Jul 14 07:56:24 Dell NetworkManager[626]: <info>  [1626274584.1521] device (wlp1s0): set-hw-addr: set MAC address to xx:xx:xx:xx:xx (scanning)
Jul 14 07:56:24 Dell NetworkManager[626]: <info>  [1626274584.2078] device (wlp1s0): supplicant interface state: inactive -> disconnected
Jul 14 07:56:24 Dell NetworkManager[626]: <info>  [1626274584.2078] device (p2p-dev-wlp1s0): supplicant management interface state: inactive -> disconnected
Jul 14 07:56:24 Dell NetworkManager[626]: <info>  [1626274584.2094] device (wlp1s0): supplicant interface state: disconnected -> inactive
Jul 14 07:56:24 Dell NetworkManager[626]: <info>  [1626274584.2095] device (p2p-dev-wlp1s0): supplicant management interface state: disconnected -> inactive

Share this post


Link to post

sorry I hit post too early
This is the startup when I use goldcrest manually

Jul 14 07:56:31 Dell bluetit: Requested method "version"
Jul 14 07:56:31 Dell bluetit: Requested method "openvpn_info"
Jul 14 07:56:31 Dell bluetit: Requested method "bluetit_status -> Bluetit is ready"
Jul 14 07:56:31 Dell bluetit: Requested method "reset_bluetit_options -> Bluetit options successfully reset"
Jul 14 07:56:32 Dell bluetit: Requested method "set_options: air-user (U) -> username"
Jul 14 07:56:32 Dell bluetit: Requested method "set_options: air-password (P) -> ************"
Jul 14 07:56:32 Dell bluetit: Requested method "set_options: air-connect (O)"
Jul 14 07:56:32 Dell bluetit: Requested method "airvpn_start_connection"
Jul 14 07:56:32 Dell bluetit: OpenVPN3 connection successfully started
Jul 14 07:56:32 Dell bluetit: Network filter and lock are using iptables-legacy
Jul 14 07:56:32 Dell bluetit: Successfully loaded kernel module iptable_filter
Jul 14 07:56:32 Dell bluetit: Successfully loaded kernel module iptable_nat
Jul 14 07:56:32 Dell bluetit: Successfully loaded kernel module iptable_mangle
Jul 14 07:56:32 Dell bluetit: Successfully loaded kernel module iptable_security
Jul 14 07:56:32 Dell bluetit: Successfully loaded kernel module iptable_raw
Jul 14 07:56:32 Dell bluetit: Successfully loaded kernel module ip6table_filter
Jul 14 07:56:32 Dell bluetit: Successfully loaded kernel module ip6table_nat
Jul 14 07:56:32 Dell bluetit: Successfully loaded kernel module ip6table_mangle
Jul 14 07:56:32 Dell bluetit: Successfully loaded kernel module ip6table_security
Jul 14 07:56:32 Dell bluetit: Successfully loaded kernel module ip6table_raw
Jul 14 07:56:32 Dell bluetit: Network filter successfully initialized
Jul 14 07:56:32 Dell bluetit: Session network filter and lock successfully enabled
Jul 14 07:56:32 Dell bluetit: AirVPN bootstrap servers are now allowed to pass through the network filter
Jul 14 07:56:32 Dell bluetit: Logging in AirVPN user username
Jul 14 07:57:03 Dell bluetit: AirVPN user username successfully logged in
Jul 14 07:57:03 Dell bluetit: Selected user key: New device
Jul 14 07:57:03 Dell bluetit: Auto quick connection mode enabled
Jul 14 07:57:03 Dell bluetit: Loading connection schemes from /etc/airvpn/connection_sequence.csv
Jul 14 07:57:03 Dell bluetit: Starting quick connection to AirVPN server Sualocin, Toronto, Ontario (Canada)
Jul 14 07:57:03 Dell bluetit: Trying protocol UDP, port 443, IP entry 3
Jul 14 07:57:03 Dell bluetit: Starting VPN Connection
Jul 14 07:57:03 Dell bluetit: OpenVPN3 client successfully created and initialized.
Jul 14 07:57:03 Dell bluetit: TUN persistence is enabled by Bluetit policy
Jul 14 07:57:03 Dell bluetit: TUN persistence is enabled.
Jul 14 07:57:03 Dell bluetit: TLS minumum version set to 'tls_1_2' by Bluetit policy
Jul 14 07:57:03 Dell bluetit: Successfully set OpenVPN3 client configuration
Jul 14 07:57:03 Dell bluetit: Starting OpenVPN3 connection thread
Jul 14 07:57:03 Dell bluetit: Connection statistics updater thread started
Jul 14 07:57:03 Dell bluetit: OpenVPN core 3.7 AirVPN linux x86_64 64-bit
Jul 14 07:57:03 Dell bluetit: Frame=512/2048/512 mssfix-ctrl=1250
Jul 14 07:57:03 Dell bluetit: UNUSED OPTIONS#0126 [resolv-retry] [infinite]#0127 [nobind]#0128 [persist-key]#0129 [persist-tun]#01210 [auth-nocache]#01211 [verb] [3]#01212 [explicit-exit-notify] [5]
Jul 14 07:57:03 Dell bluetit: EVENT: RESOLVE
Jul 14 07:57:03 Dell bluetit: WARNING: NetworkManager is running on this system and may interfere with DNS management and cause DNS leaks
Jul 14 07:57:03 Dell bluetit: Local IPv4 address ipaddy
Jul 14 07:57:03 Dell bluetit: Local interface enp0s31f6
Jul 14 07:57:03 Dell bluetit: Local interface wwan0
Jul 14 07:57:03 Dell bluetit: Local interface wlp1s0
Jul 14 07:57:03 Dell bluetit: Setting up network filter and lock
Jul 14 07:57:03 Dell bluetit: Allowing system DNS 1.1.1.1 to pass through the network filter
Jul 14 07:57:03 Dell bluetit: Allowing system DNS 1.0.0.1 to pass through the network filter
Jul 14 07:57:03 Dell bluetit: Adding IPv4 server 184.75.221.45 to network filter
Jul 14 07:57:03 Dell bluetit: Network filter and lock successfully activated
Jul 14 07:57:03 Dell bluetit: Contacting ipaddy:443 via UDP
Jul 14 07:57:03 Dell bluetit: EVENT: WAIT
Jul 14 07:57:03 Dell bluetit: net_route_best_gw query IPv4: ipaddy/32
Jul 14 07:57:03 Dell bluetit: sitnl_route_best_gw result: via 10.102.239.45 dev wwan0
Jul 14 07:57:03 Dell bluetit: net_route_add: ipaddy/32 via 10.102.239.45 dev wwan0 table 0 metric 0
Jul 14 07:57:03 Dell bluetit: Connecting to [ipaddy]:443 (ipaddy) via UDPv4
Jul 14 07:57:03 Dell bluetit: EVENT: CONNECTING
Jul 14 07:57:03 Dell bluetit: Tunnel Options:V4,dev-type tun,link-mtu 1522,tun-mtu 1500,proto UDPv4,comp-lzo,cipher AES-256-GCM,auth [null-digest],keysize 256,key-method 2,tls-client
Jul 14 07:57:03 Dell bluetit: Peer Info:#012IV_VER=3.7 AirVPN#012IV_PLAT=linux#012IV_NCP=2#012IV_TCPNL=1#012IV_PROTO=30#012IV_CIPHERS=AES-256-GCM#012IV_LZO_STUB=1#012IV_COMP_STUB=1#012IV_COMP_STUBv2=1#012UV_IPV6=no#012IV_GUI_VER=Bluetit - AirVPN OpenVPN 3 Service 1.1.0#012IV_SSL=OpenSSL 1.1.0l  10 Sep 2019#012
Jul 14 07:57:03 Dell bluetit: VERIFY OK: depth=1, /C=IT/ST=IT/L=Perugia/O=airvpn.org/CN=airvpn.org CA/emailAddress=info@airvpn.org, signature: RSA-SHA1
Jul 14 07:57:03 Dell bluetit: VERIFY OK: depth=0, /C=IT/ST=IT/L=Perugia/O=airvpn.org/CN=Sualocin/emailAddress=info@airvpn.org, signature: RSA-SHA512
Jul 14 07:57:04 Dell bluetit: SSL Handshake: peer certificate: CN=Sualocin, 4096 bit RSA, cipher: TLS_CHACHA20_POLY1305_SHA256 TLSv1.3 Kx=any      Au=any  Enc=CHACHA20/POLY1305(256) Mac=AEAD#012
Jul 14 07:57:04 Dell bluetit: Session is ACTIVE
Jul 14 07:57:04 Dell bluetit: EVENT: WARN TLS: received certificate signed with SHA1. Please inform your admin to upgrade to a stronger algorithm. Support for SHA1 signatures will be dropped in the future
Jul 14 07:57:04 Dell bluetit: EVENT: GET_CONFIG
Jul 14 07:57:04 Dell bluetit: Sending PUSH_REQUEST to server...
Jul 14 07:57:04 Dell bluetit: OPTIONS:#0120 [comp-lzo] [no]#0121 [redirect-gateway] [def1] [bypass-dhcp]#0122 [dhcp-option] [DNS] [10.30.194.1]#0123 [route-gateway] [10.30.194.1]#0124 [topology] [subnet]#0125 [ping] [10]#0126 [ping-restart] [60]#0127 [ifconfig] [10.30.194.8] [255.255.255.0]#0128 [peer-id] [1]#0129 [cipher] [AES-256-GCM]#012
Jul 14 07:57:04 Dell bluetit: PROTOCOL OPTIONS:#012  cipher: AES-256-GCM#012  digest: NONE#012  ncp enabled: yes#012  key-derivation: OpenVPN PRF#012  compress: LZO_STUB#012  peer ID: 1#012  control channel: tls-crypt enabled
Jul 14 07:57:04 Dell bluetit: EVENT: ASSIGN_IP
Jul 14 07:57:04 Dell bluetit: VPN Server has pushed IPv4 DNS server 10.30.194.1
Jul 14 07:57:04 Dell bluetit: Setting pushed IPv4 DNS server 10.30.194.1 in resolv.conf
Jul 14 07:57:04 Dell kernel: [ 1706.354777] tun: Universal TUN/TAP device driver, 1.6
Jul 14 07:57:04 Dell NetworkManager[626]: <info>  [1626274624.7878] manager: (tun0): new Tun device (/org/freedesktop/NetworkManager/Devices/6)
Jul 14 07:57:04 Dell bluetit: net_iface_mtu_set: mtu 1500 for tun0
Jul 14 07:57:04 Dell bluetit: net_iface_up: set tun0 up
Jul 14 07:57:04 Dell bluetit: net_addr_add: 10.30.194.8/24 brd 10.30.194.255 dev tun0
Jul 14 07:57:04 Dell bluetit: net_route_add: 0.0.0.0/1 via 10.30.194.1 dev tun0 table 0 metric 0
Jul 14 07:57:04 Dell bluetit: net_route_add: 128.0.0.0/1 via 10.30.194.1 dev tun0 table 0 metric 0
Jul 14 07:57:04 Dell bluetit: TunPersist: saving tun context:#012Session Name: ipaddy#012Layer: OSI_LAYER_3#012Remote Address: ipaddy#012Tunnel Addresses:#012  ipaddy/24 -> ipaddy#012Reroute Gateway: IPv4=1 IPv6=0 flags=[ ENABLE REROUTE_GW DEF1 BYPASS_DHCP IPv4 ]#012Block IPv6: no#012Add Routes:#012Exclude Routes:#012DNS Servers:#012  ipaddy#012Search Domains:#012
Jul 14 07:57:04 Dell bluetit: Connected via tun
Jul 14 07:57:04 Dell bluetit: LZO-ASYM init swap=0 asym=1
Jul 14 07:57:04 Dell bluetit: Comp-stub init swap=0
Jul 14 07:57:04 Dell bluetit: EVENT: CONNECTED ipaddy via /UDPv4 on tun/ipaddy / gw=[ipaddy/]
Jul 14 07:57:04 Dell bluetit: Connected to AirVPN server Sualocin, Toronto, Ontario (Canada)
Jul 14 07:57:04 Dell bluetit: Server has pushed its own DNS. Removing system DNS from network filter.
Jul 14 07:57:04 Dell systemd-udevd[2754]: ethtool: autonegotiation is unset or enabled, the speed and duplex are not writable.
Jul 14 07:57:04 Dell bluetit: System DNS 1.1.1.1 is now rejected by the network filter
Jul 14 07:57:04 Dell bluetit: System DNS 1.0.0.1 is now rejected by the network filter
Jul 14 07:57:04 Dell NetworkManager[626]: <info>  [1626274624.8032] device (tun0): state change: unmanaged -> unavailable (reason 'connection-assumed', sys-iface-state: 'external')
Jul 14 07:57:04 Dell NetworkManager[626]: <info>  [1626274624.8095] device (tun0): state change: unavailable -> disconnected (reason 'connection-assumed', sys-iface-state: 'external')
Jul 14 07:57:04 Dell NetworkManager[626]: <info>  [1626274624.8109] device (tun0): Activation: starting connection 'tun0' (76a76c40-75eb-4a4e-9717-0d785256b24f)
Jul 14 07:57:04 Dell NetworkManager[626]: <info>  [1626274624.8111] device (tun0): state change: disconnected -> prepare (reason 'none', sys-iface-state: 'external')
Jul 14 07:57:04 Dell NetworkManager[626]: <info>  [1626274624.8116] device (tun0): state change: prepare -> config (reason 'none', sys-iface-state: 'external')
Jul 14 07:57:04 Dell NetworkManager[626]: <info>  [1626274624.8120] device (tun0): state change: config -> ip-config (reason 'none', sys-iface-state: 'external')
Jul 14 07:57:04 Dell NetworkManager[626]: <info>  [1626274624.8123] device (tun0): state change: ip-config -> ip-check (reason 'none', sys-iface-state: 'external')
Jul 14 07:57:04 Dell dbus-daemon[625]: [system] Activating via systemd: service name='org.freedesktop.nm_dispatcher' unit='dbus-org.freedesktop.nm-dispatcher.service' requested by ':1.8' (uid=0 pid=626 comm="/usr/sbin/NetworkManager --no-daemon ")
Jul 14 07:57:04 Dell systemd[1]: Starting Network Manager Script Dispatcher Service...
Jul 14 07:57:04 Dell dbus-daemon[625]: [system] Successfully activated service 'org.freedesktop.nm_dispatcher'
Jul 14 07:57:04 Dell systemd[1]: Started Network Manager Script Dispatcher Service.
Jul 14 07:57:04 Dell NetworkManager[626]: <info>  [1626274624.8298] device (tun0): state change: ip-check -> secondaries (reason 'none', sys-iface-state: 'external')
Jul 14 07:57:04 Dell NetworkManager[626]: <info>  [1626274624.8301] device (tun0): state change: secondaries -> activated (reason 'none', sys-iface-state: 'external')
Jul 14 07:57:04 Dell NetworkManager[626]: <info>  [1626274624.8314] device (tun0): Activation: successful, device activated.
Jul 14 07:57:15 Dell systemd[1]: NetworkManager-dispatcher.service: Succeeded.
Jul 14 07:57:18 Dell bluetit: ERROR: KEY_STATE_ERROR
 

 

Share this post


Link to post

It seems there is some breakdown where bluetit cannot connect but goldcrest can which is a bit strange.

I reinstalled AirVPN-Suite and added info to bluetit.rc piece by piece. Seems if I leave 'airconnectatboot' commented out bluetit.service will output:

Waiting for a valid AirVPN Manifest to be available
AirVPN Manifest successfully retrieved from server



It will then sit here and do nothing with that manifest(username and password are entered into bluetit.rc)

With something entered for airconnectatboot (I was using 'quick') bluetit outputs to syslog: but it also wont ever connect
 

Waiting for a valid AirVPN Manifest to be available
ERROR: Cannot start AirVPN Connection. AirVPN Manifest not available.
AirVPN Manifest successfully retrieved from server

Share this post


Link to post
sudo chown -R airvpn:airvpn /etc/airvpn/
sudo chmod -R 0600 /etc/airvpn/

» I am not an AirVPN team member. All opinions are my own and are not to be considered official. Only the AirVPN Staff account should be viewed as such.

» The forums is a place where you can ask questions to the community. You are not entitled to guaranteed answer times. Answer quality may vary, too. If you need professional support, please create tickets.

» If you're new, take some time to read LZ1's New User Guide to AirVPN. On questions, use the search function first. On errors, search for the error message instead.

» If you choose to create a new thread, keep in mind that we don't know your setup. Give info about it. Never forget the OpenVPN logs or, for Eddie, the support file (Logs > lifebelt icon).

» The community kindly asks you to not set up Tor exit relays when connected to AirVPN. Their IP addresses are subject to restrictions and these are relayed to all users of the affected servers.

 

» Furthermore, I propose that your paranoia is to be destroyed. If you overdo privacy, chances are you will be unique amond the mass again.

Share this post


Link to post

It randomly started working on its own again. There wasn't any updates to the system or really any changes made.

It did connect with WiFi and ethernet but the primary use of this system is with its wwan connection so I tried hard resetting the modem through AT commands, which has helped in the past with other issues but that didn't change anything

I tried different geographic locations to remove any influence by the cell towers I am frequently near. Bluetit did not connect at my primary work location or home, connecting manually via goldcrest did continue to work. I tried in a different city and bluetit connected right away, and now continues to work fine both at home and my work site. I do not live in a blatantly hostile country so I am not sure worrying about the towers is really a thing.

At this point it seems random?

I checked folder permissions and ls -l  /etc/airvpn returns. Should I change this to the airvpn user? and it appears the permissions are wrong(these aren't 0600 permissions I don't think)

-rw-rw---- 1 root root 121400 Jul 16 05:47 airvpn-manifest.xml
-rw-r----- 1 root root      4 Jul 16 05:46 bluetit.lock
-rw-rw---- 1 root root   2133 Jul 14 12:15 bluetit.rc
-rw-rw---- 1 root root   1439 Jul 14 11:52 connection_priority.txt
-rw-rw---- 1 root root     48 Jul 14 11:52 connection_sequence.csv
-rw-rw---- 1 root root   1743 Jul 14 11:52 country_continent.csv
-rw-rw---- 1 root root   3730 Jul 14 11:52 country_names.csv
-rw-rw-rw- 1 root root    975 Jul 16 05:47 ip6tables-save.txt
-rw-rw-rw- 1 root root    990 Jul 16 05:47 iptables-save.txt
-rw-r--r-- 1 root root     91 Jul 16 05:47 resolv.conf.airvpnbackup
-rw-rw-rw- 1 root root     28 Jul 16 05:47 systemdns.airvpnbackup

Share this post


Link to post

Could be this:

Staff writes about a bootstrap server timeout, though the thread is about the authorization check being delayed; could be the same source of issue.
Glad it's solved for now. :)
 

Quote
I checked folder permissions and ls -l  /etc/airvpn returns. Should I change this to the airvpn user? and it appears the permissions are wrong(these aren't 0600 permissions I don't think)


The install script bundled with the suite should chown the directory airvpn:airvpn and chmod it 0600. Same is doing the PKGBUILD on AUR.
Just noticed, this should be 0660. Although, what's the point in chowning that if Bluetit is run as root, anyway?


» I am not an AirVPN team member. All opinions are my own and are not to be considered official. Only the AirVPN Staff account should be viewed as such.

» The forums is a place where you can ask questions to the community. You are not entitled to guaranteed answer times. Answer quality may vary, too. If you need professional support, please create tickets.

» If you're new, take some time to read LZ1's New User Guide to AirVPN. On questions, use the search function first. On errors, search for the error message instead.

» If you choose to create a new thread, keep in mind that we don't know your setup. Give info about it. Never forget the OpenVPN logs or, for Eddie, the support file (Logs > lifebelt icon).

» The community kindly asks you to not set up Tor exit relays when connected to AirVPN. Their IP addresses are subject to restrictions and these are relayed to all users of the affected servers.

 

» Furthermore, I propose that your paranoia is to be destroyed. If you overdo privacy, chances are you will be unique amond the mass again.

Share this post


Link to post

I don't think it was the bootstrap error you linked to. I let it sit there for an hour just to check that theory and it never connected. Its happened with eddie before so I sort of hoped it was that, especially with the lack of any other information in the logs pointing to some other issue.
 

Quote
Just noticed, this should be 0660. Although, what's the point in chowning that if Bluetit is run as root, anyway?

For this, I am not really sure either. Since I had to install it as root and it runs at boot I think any nefarious thing it could do would be done already. I kind of wonder why it wants the airvpn user to even be created if its just running as root in the first place. Ill try chaning it to airvpn:airvpn and see what happens.

Share this post


Link to post
@Stack of computer parts

Hello!

Very strange issue indeed, and it's also stranger that it solved "by itself". If it re-occurs, please take all log and configuration files and open a ticket.
Quote

kind of wonder why it wants the airvpn user to even be created if its just running as root in the first place. Ill try chaning it to airvpn:airvpn and see what happens.


This is a question that's ignominious for any UNIX administrator, let's pretend it was born during a momentary lapse of reason or some nefarious Windows-ish influence 😀

Joking apart: Bluetit is a daemon and runs with high privileges to modify your inner system settings (routing table, kernel packet filtering table...).

By default policy, Bluetit accepts commands from clients that are run by any user in the airvpn group. Creation of airvpn user in the airvpn group is an additional comfort provided by the installer. It allows superusers to have fine grained selection according to the most classical and robust UNIX permission model (remember CUPS, X server and other tons of daemons permission scheme? same thing).

For example, nowadays many Linux users routinely log into their machines with a user that can also gain all the root privileges, and they might like to NOT allow this user to send commands to Bluetit for trivial security reasons. They can do so simply by not adding their regular login user to the airvpn group. Another good, very similar example is having users that can not gain root privileges but can send commands to Bluetit.

Of course the above is the default permission scheme set up by the installer and the provided files, nothing prevents a superuser to change it and adopt a different one.

Kind regards


 

Share this post


Link to post
Quote
Windows-ish influence
Its this.

My regular user cant use sudo or escalate to root and you cant log in as a root user. I have to become root in terminal via su, which I believe is the proper way of doing it.

For future logging if this happens again, is there a way of getting more verbosity from bluetit or the other airvpn suite stuff?

Share this post


Link to post
1 hour ago, Stack of computer parts said:
Its this.

My regular user cant use sudo or escalate to root and you cant log in as a root user. I have to become root in terminal via su, which I believe is the proper way of doing it.

Hello!

Of course every security model can have different approaches and settings, but in general this approach of yours is very good. "sudo" is sometimes (frequently?) used improperly in Linux and can potentially do more harm than good.

Now imagine that you, the superuser, wants to give some other user (even your regular user, for example) the privilege to drive Bluetit (which performs even root actions, such as changing network) but not any other root privilege. With the current permission model, you can do it swiftly and comfortably. Without the airvpn group, you would be blocked and you should implement the current permission model by hand by yourself, which would be a very inelegant flaw of ours, the daemon developers and distributors.

Even in your system, therefore, the default configuration is more comfortable for you, should any more refined need arise.
 
Quote

For future logging if this happens again, is there a way of getting more verbosity from bluetit or the other airvpn suite stuff?


No, it's already set to maximum verbosity, and such setting can't be modified in the current release, it's a gabby daemon. 😋

Kind regards
 

Share this post


Link to post

Join the conversation

You can post now and register later. If you have an account, sign in now to post with your account.
Note: Your post will require moderator approval before it will be visible.

Guest
Reply to this topic...

×   Pasted as rich text.   Paste as plain text instead

  Only 75 emoji are allowed.

×   Your link has been automatically embedded.   Display as a link instead

×   Your previous content has been restored.   Clear editor

×   You cannot paste images directly. Upload or insert images from URL.

Loading...
  • Security Check
    Play CAPTCHA Audio
    Refresh Image

×
×
  • Create New...