Problems after upgrading to latest stable Eddie

[sarum4n 4]

Long time Linux user here.

Now, since I started using AirVPN's services (about 2015), I configured Eddie to run at startup in cli-mode and, taking advantage of both up.sh and down.sh scripts, called as OpenVPN custom directives, and other custom udevd scripts, I made my 24/7 server to always use common eth0 connection (the non-VPN one, to make it simple) except for some specific daemons running on the machine (daemons which, instead, run on tun0 interface and therefore on VPN).

Today, I had the very bad idea to upgrade Eddie (I was still using good ole 2.16.3) and to renew the certificate for my device (I had the warning in my AirVPN control panel that it was very outdated).

Consequence is that I cannot use anymore my infrastructure as I could before upgrading, because:
1) latest Eddie uses an encrypted file called "default.profile", instead of traditional plain default.xml;
2) as far as I could understand (alas, after upgrading), Eddie does not anymore support up.sh and down.sh scripts, so my custom directives doing all the routing job are going to heaven.

Long story short, I can connect to VPN, but it does not work as I structured it to work before upgrading and the way it is now, without any splitting, is absolutely useless to me.

I tried downgrading Eddie to good ole 2.16.3, but it doesn't work anymore.

Any idea, please?

[Staff 9751]

@sarum4n

Hello!

Thank you, you're really a long time customer!

1. You can have default.profile not encrypted at all as it was with old Eddie versions. Check the options in "Preferences" windows.
2. Scripts related to events are available, and they are not launched anymore with root privileges. If you need to perform root operations with the scripts launched by Eddie events, you must gain root privileges first. This is an important security feature which is inalienable as the old method was too dangerous and exposed an attack surface vulnerable to privilege escalation from normal user to superuser. In this way such exploit is no more possible.
3. Downgrading to Eddie 2.16.3 is always possible, but the operation is not as swift and automatic as an upgrade. Remember to delete all previous configuration files generated by newer versions first, because upward compatibility is not guaranteed in software. Then uninstall the new version and finally install the older version.

Kind regards
 

[sarum4n 4]

On 6/20/2022 at 8:47 PM, Staff said:

@sarum4n
 

1. You can have default.profile not encrypted at all as it was with old Eddie versions. Check the options in "Preferences" windows.

 I don't use any GUI, so, tell me, how can I use a plain default.profile without GUI, not being able to open any window? Let it be known that there is people out there using only terminal and command-line.

[Staff 9751]

5 hours ago, sarum4n said:

 I don't use any GUI, so, tell me, how can I use a plain default.profile without GUI, not being able to open any window? Let it be known that there is people out there using only terminal and command-line.

Hello!

You need the default option in the command. Check also https://eddie.website/support/cli/

In case you run Linux (your mention of eth0 makes us think of *BSD and Linux) you might like to consider the AirVPN Suite as a total replacement, in particular Goldcrest and Bluetit included in the suite, which will provide you with the maximum flexibility you're looking for and at the same time the security provided by a robust client-server architecture:
https://airvpn.org/suite/readme/

The AirVPN Suite, currently, does not offer a GUI at all and is specifically aimed at those many users who prefer a command line interface over a GUI. However, currently it does not support WireGuard (next version will).

Kind regards
 

[sarum4n 4]

This!
I uninstalled Eddie and switched to AirVPN Suite (whose existence I ignored). I find it so much better than Eddie for headless server like the one I have.
I had to wiggle a bit with ip routes and ip rules, but I could succeed at last.
Please, for future development of the suite do consider to let user opt in configuration file for the route-noexec directive. In my case scenario, I have all inbound and outbound traffic on common network except for some specific daemons, which only transmit and receive on VPN, so I have my custom ip routes and ip rules and I had to circumvent the fact that Bluetit modifies routes on its own at connection without asking.

[Staff 9751]

@sarum4n

Hello!

We're glad to know it! We invite you to follow the "News" forum, so you will be timely informed about any relevant information and news pertaining to AirVPN infrastructure and software. It's a low traffic forum because new topics can be opened only by Staff members.
https://airvpn.org/forums/forum/9-news-and-announcement/

The route-noexec directive is not implemented but you will probably be fine (and have even more flexibility) with pull-filter. Find the documentation about pull-filter in the OpenVPN 2.4 manual as it has been ported in 2021 to OpenVPN3 and OpenVPN3-AirVPN libraries:
https://openvpn.net/community-resources/reference-manual-for-openvpn-2-4/

You need an ovpn profile since you can't add custom OpenVPN directives to bluetit.rc or goldcrest.rc files. We will consider the whole matter during the next version development.

Kind regards