Linux: AirVPN Suite 1.3.0 available

[Staff 9972]

Hello!

We're very glad to inform you that AirVPN Suite version 1.3.0 is now available. This release prepares the road to AirVPN Suite 2, where brand new features are being implemented. 1.3.0 addresses and fixes many regressions inherited from the OpenVPN3 library main branch causing critical errors with various directives and breaking the parser. The Network Lock has been extensively rewritten to solve some minor problems related to nft. Other bugs have been fixed. Please see the changelog for a complete list of changes.
 

The suite includes:

• Bluetit: lightweight, ultra-fast D-Bus controlled system daemon providing full connectivity and integration to AirVPN servers, or generic OpenVPN servers. Bluetit can also enforce Network Lock and/or connect the system to AirVPN during the bootstrap
• Goldcrest: Bluetit client, allowing full integration with AirVPN servers, users, keys, profiles as well as generic OpenVPN servers
• Hummingbird: lightweight and standalone binary for generic OpenVPN server connections

 

What's new in 1.3.0

• Packages are available both for OpenSSL 3 and OpenSSL 1.1.x (legacy). Pick one according to the version you have in your system. If in doubt, run

  openssl version

  command from a terminal to see whether you have 1.x or 3.x version
• to solve problems specifically related to name resolutions, domain names included in OpenVPN profile "remote" directives are resolved before submitting them to OpenVPN3-AirVPN
• AirVPN server provided by the client is now properly checked against country's white and black lists
• Bluetit's run control directive allowuservpnprofiles has been added to let root user control whether external profiles must be allowed or rejected
• different implementations preparing for WireGuard support planned in version 2
• NetFilter class has been re-designed to offer a faster and more robust persistent Network Lock when needed
• added connection statistics to the system log when raising "event_disconnected"

Please check the changelog or detailed information.

AirVPN Suite is free and open source software released under GPLv3. Source code is available here:
https://gitlab.com/AirVPN/AirVPN-Suite

Download page:
https://airvpn.org/linux/suite/

User's manual:
https://airvpn.org/suite/readme/

Bluetit Developer's reference manual:
https://gitlab.com/AirVPN/AirVPN-Suite/-/blob/master/docs/Bluetit-Developers-Reference-Manual.pdf

Some notes:

• for Raspberry Pi OS 64 bit pick the ARM 64 bit legacy package, because Raspberry Pi OS 64 bit is based on Debian 11 and uses OpenSSL 1.1.x by default.
• for Raspbian operating system and other 32 bit ARM systems, including Raspberry Pi OS 32 bit, pick the ARM 32 bit legacy package
• for Ubuntu 22 for Raspberry, pick ARM 64 bit mainline package (not legacy)
• if you run some i686 Linux let us know. You can still run AirVPN Suite 1.10 but if we have requests we can prepare a package for abandoned systems. Link to AirVPN Suite 1.1.0 for i686: https://eddie.website/repository/AirVPN-Suite/1.1/AirVPN-Suite-i686-1.1.0.tar.gz sha256 checksum: 6454cafc860ccc89da5da933c5bed279b1e1534a750f4423e6937e4fb84779e1

Kind regards & Datalove
AirVPN Staff

[183aTr78f9o 20]

Looks like there's something wrong with x86_64 legacy variant?

I'm running Gentoo and I have openssl 1.1.1u installed. After updating from 1.2.1 to 1.3.0, I'm getting the following error when the install script tries to start bluetit.service:
 

gentoo systemd[1]: Starting bluetit.service...
gentoo bluetit[264282]: /sbin/bluetit: error while loading shared libraries: libssl.so.3: cannot open shared object file: No such file or directory
gentoo systemd[1]: bluetit.service: Control process exited, code=exited, status=127/n/a
gentoo systemd[1]: bluetit.service: Failed with result 'exit-code'.
gentoo systemd[1]: Failed to start bluetit.service.

Downgrading to 1.2.1 solves the issue.

I updated from 1.2.1 to 1.3.0 on my Arch Linux install (which has openssl 3.1.1-1) with the non-legacy variant just fine.

[Staff 9972]

@183aTr78f9o

Hello!

We apologize, it's a problem in the developer's build process affecting the legacy packages we have been given for production. You can expect fixed packages today.

EDIT: if you urgently need a legacy package not affected by the "building bug", you can get it from GitLab https://gitlab.com/AirVPN/AirVPN-Suite/-/tree/master/binary
EDIT 2023-06-07: new packages have been uploaded, problem fixed.

Kind regards
 

[revsplus 8]

I can confirm that in Fedora and Debian the parsing problems with unknown directives, link-mtu and more than one pull-filter have been resolved in the new library. Apparently they still affect the main branch but not your fork. Do you have an ETA for Suite 2 public testing? Do you have an ETA for a BSD version you talked about last year?

[Staff 9972]

23 hours ago, revsplus said:

I can confirm that in Fedora and Debian the parsing problems with unknown directives, link-mtu and more than one pull-filter have been resolved in the new library. Apparently they still affect the main branch but not your fork. Do you have an ETA for Suite 2 public testing? Do you have an ETA for a BSD version you talked about last year?

Hello and thank you!

We do not have an ETA for a *BSD version, we're very sorry. A first preview of AirVPN Suite version 2 is loosely planned for the end of June, but don't take it for granted.

Kind regards
 

[OpenSourcerer 1435]

I appear to have some difficulties building the v1.3.0 suite on Arch Linux. It aborts when processing the wireguard.h include:

In Datei, eingebunden von src/include/bluetit.hpp:27,
                von src/bluetit.cpp:45:
src/include/wireguardclient.hpp:29:10: schwerwiegender Fehler: wireguard.h: Datei oder Verzeichnis nicht gefunden
  29 | #include "wireguard.h"
     |          ^~~~~~~~~~~~~
Kompilierung beendet

But this is part of the Linux headers which are installed, so I cannot help but feel a bit confused by that:

$ pacman -Fl linux-headers|grep wireguard.h
linux-headers usr/lib/modules/6.3.6-arch1-1/build/include/uapi/linux/wireguard.h

$ pacman -Ss linux-headers
core/linux-headers 6.3.6.arch1-1 [Installiert]

.

[Staff 9972]

@OpenSourcerer

Hello!

Your build fails because the file wireguard.h is not found. Note how it is delimited by double quotes, and not angular brackets, meaning that it is a local inclusion file. You can find it here:
https://git.zx2c4.com/wireguard-tools/tree/contrib/embeddable-wg-library

Kind regards
 

[OpenSourcerer 1435]

Thank you, I found it in wireguard-tools in an unusual location.

$ pacman -Fl wireguard-tools|grep wireguard.h
wireguard-tools usr/share/wireguard-tools/examples/embeddable-wg-library/wireguard.h

Package updated in AUR.

Now, another problem: hummingbird depends on btcommon.h which is not in the includes:

src/airvpntools.cpp:39:10: schwerwiegender Fehler: include/btcommon.h: Datei oder Verzeichnis nicht gefunden
  39 | #include "include/btcommon.h"
     |          ^~~~~~~~~~~~~~~~~~~~
Kompilierung beendet.

This looks very much like a copy-paste error, in that some code from the suite found its way into hummingbird but the dependency on bluetit was not cleared.

[Staff 9972]

@OpenSourcerer
 

Quote

Package updated in AUR.

Great!
 

Quote

Now, another problem: hummingbird depends on btcommon.h which is not in the includes:

src/airvpntools.cpp:39:10: schwerwiegender Fehler: include/btcommon.h: Datei oder Verzeichnis nicht gefunden
  39 | #include "include/btcommon.h"
     |          ^~~~~~~~~~~~~~~~~~~~
Kompilierung beendet.

This looks very much like a copy-paste error, in that some code from the suite found its way into hummingbird but the dependency on bluetit was not cleared.

 

It looks good... Hummingbird is part of the AirVPN Suite. btcommon.h is needed to verify whether Bluetit is running or not and it is in the "includes" as far as we can see.

Kind regards
 

[OpenSourcerer 1435]

I mean hummingbird. No such lib in includes. https://gitlab.com/AirVPN/hummingbird/-/tree/master/src/include

[Staff 9972]

@OpenSourcerer

Hello!
 

Quote

Quote

Hummingbird is part of the AirVPN Suite. btcommon.h is needed to verify whether Bluetit is running or not and it is in the "includes" as far as we can see.

I mean hummingbird.

Sure, we meant Hummingbird too. In other words, btcommon.h is needed to verify whether Bluetit is running or not and it is in the "includes", as Hummingbird is part of the Suite. We understand that a separate repository for Hummingbird alone causes this confusion, so we'll give green light to delete it (to be honest, the developer already asked for its deletion repeatedly, time to comply we guess ).

Kind regards
 

[colorman 26]

On openSUSE 15.5 this problem with the package AirVPN-Suite-x86_64-1.3.0.tar.gz.
The version glibc: 2.31 now on 15.5

@Localhost:/usr/local/bin> ./goldcrest AirVPN_Netherlands_UDP-443-Entry3.ovpn
./goldcrest: /lib64/libc.so.6: version `GLIBC_2.32' not found (required by ./goldcrest)
./goldcrest: /lib64/libc.so.6: version `GLIBC_2.33' not found (required by ./goldcrest)
./goldcrest: /lib64/libc.so.6: version `GLIBC_2.34' not found (required by ./goldcrest)

When use legacy version this problem:

think this is it:Bluetit's run control directive allowuservpnprofiles has been added to let root user control whether external profiles must be allowed or rejected
need help with this.....

@Localhost:/usr/local/bin> ./goldcrest AirVPN_Netherlands_UDP-443-Entry3.ovpn
Goldcrest - AirVPN Bluetit Client 1.3.0 - 1 June 2023

2023-06-16 11:21:22 Reading run control directives from file /home/gerrit/.config/goldcrest.rc
2023-06-16 11:21:22 Bluetit - AirVPN OpenVPN3 Service 1.3.0 - 1 June 2023
2023-06-16 11:21:22 OpenVPN core 3.8.4 AirVPN linux x86_64 64-bit
2023-06-16 11:21:22 Copyright (C) 2012-2022 OpenVPN Inc. All rights reserved.
2023-06-16 11:21:23 OpenSSL 3.0.8 7 Feb 2023
2023-06-16 11:21:23 Bluetit is ready
2023-06-16 11:21:23 Bluetit options successfully reset
2023-06-16 11:21:23 ERROR: User VPN profiles are disabled by Bluetit policy

 

[Staff 9972]

@colorman

Hello!

The error you get with the mainline version is correct. Unfortunately your distribution is based on a glibc released on February 2020. No worries though, as you can see you can run the legacy version. On the AirVPN Suite user's manual you can find how to use the option which probably you need to modify:

Quote

allowuservpnprofiles: (on/off) Allow Bluetit's clients (therefore, users) to provide custom VPN profiles. Default: off

Enter it in the Bluetit's run control file which you can edit with any text editor and root privileges, then restart Bluetit. Example to turn it on:

allowuservpnprofiles on

Kind regards

 

[colorman 26]

1 hour ago, Staff said:

@colorman
Enter it in the Bluetit's run control file which you can edit with any text editor and root privileges, then restart Bluetit. Example to turn it on:

allowuservpnprofiles on

Kind regards

 

worked, thanks for the explanation Staff

[cheapsheep 6]

Hi @Staff,

thanks for the update. The networklockpersist directive does now fully work on sudden crashes/reboots. No more leaks.

However, i have noticed that upon reconnection the firewall rules do not get updated properly -- although being able to (re)connect successfully. 
Further, the resolv.conf does not get updated: The old nameserver is not removed. The new one only gets appended to the resolv.conf.

Thus, the bluetit.service has to be restarted manually which fixed both problems.

Regards

[Quallian 26]

After I read of Eddie versioning system 🤮 ... I decided to try the Suite on some Linux distributions (VM of Ubuntu, for example). Very nice suite, very nice architecture when used with Bluetit and Goldcrest. ✌️ Pity that WireGuard is not supported, hopefully you will implement it sooner than later.

I have Bluetit configured to start and connect during the system startup and therefore I put my credentials in bluetit.rc. When I completely stop Bluetit daemon, the global system DNS settings are restored correctly, while the interface DNS settings are lost. Not an issue in my case (in the meantime I got rid of systemd-resolved so no more this problem exists) but probably something to fix, I just wanted to make you aware.

Another problem, a more serious one perhaps, is that it's not possible for Bluetit or Hummingbird to restore resolv.conf when it's linked improperly because of an old systemd bug. I know that's a third party bug, but since systemd now plagues 80% of distributions, and this bug has infected Ubuntu and its derivatives, please consider to implement some workaround. I know that it would fix a problem created by third party stupidity, but if you wait for a fix from systemd and/or Ubuntu devs, you might well wait forever. The problem is that /etc/resolv.conf links to ../run/something - meaning that they declare a relative path for a symlink. To boldly go where no genius had gone before... and then the resolv.conf backup file moved/renamed by Hummingbird or Bluetit is at another directory tree depth. When the backup file should be restored, disaster strikes because of the relative path.

P.S. Incredible documentation!!! 🌟🌟🌟🌟🌟

[qitorin 1]

I still have linux i686 hardware in use, could it be possible to make latest suite available for download? 

 

[Staff 9972]

6 hours ago, qitorin said:

I still have linux i686 hardware in use, could it be possible to make latest suite available for download?

Hello!

If you can build it by yourself according to the instructions you can find here:
https://gitlab.com/AirVPN/AirVPN-Suite/-/blob/master/README.md?ref_type=heads#building-airvpn-suite-from-sources

you will end up having a finely tuned version perfectly fit for your system. If you have issues just let us know, we will assist you.

Kind regards
 

[colorman 26]

Update: found it ☺️



Hello,

I'm at a loss as to how I was supposed to solve this again?
Thank you for the assistance.

ERROR: User VPN profiles are disabled by Bluetit policy

Gerrit Jan

 

[zebulon 0]

Hi,

There is an issue when building from git source on Linux:
A test is failing: test_suite_x509parse .............................................. FAIL.
Thanks a lot for suggestions.

[Staff 9972]

18 hours ago, zebulon said:

Hi,

There is an issue when building from git source on Linux:
A test is failing: test_suite_x509parse .............................................. FAIL.
Thanks a lot for suggestions.

Hello!

mbedTLS does not support x509. It's not needed by the Suite but maybe the linker enters the error state anyway, or maybe the mbedTLS libraries and include files are misaligned in your system. Can you please try with OpenSSL (which is the default setting)? Please set SSL_LIB_TYPE variable to OPENSSL:

SSL_LIB_TYPE=OPENSSL

in the following scripts:
https://gitlab.com/AirVPN/AirVPN-Suite/-/blob/master/build-bluetit.sh?ref_type=heads
https://gitlab.com/AirVPN/AirVPN-Suite/-/blob/master/build-bluetit-static.sh?ref_type=heads

Kind regards
 

[zebulon 0]

1 hour ago, Staff said:

Hello!

mbedTLS does not support x509. It's not needed by the Suite but maybe the linker enters the error state anyway, or maybe the mbedTLS libraries and include files are misaligned in your system. Can you please try with OpenSSL (which is the default setting)? Please set SSL_LIB_TYPE variable to OPENSSL: 

SSL_LIB_TYPE=OPENSSL

in the following scripts:
https://gitlab.com/AirVPN/AirVPN-Suite/-/blob/master/build-bluetit.sh?ref_type=heads
https://gitlab.com/AirVPN/AirVPN-Suite/-/blob/master/build-bluetit-static.sh?ref_type=heads

Kind regards
 

Hi, many thanks for your input.
This problem is part of an archlinux PKGBUILD (https://aur.archlinux.org/packages/airvpn-suite), which sources both the gitlab repo for AirVPM-Suite and the github repo for openvpn3-airvpn. I will return to the maintainer with the info.

EDIT: I just checked, the SSL_LIB_TYPE=OPENSSL is already set in the original files.
Actually the fail is only one of many tests:

test_suite_shax ................................................... PASS
test_suite_ssl .................................................... PASS
test_suite_timing ................................................. PASS
test_suite_version ................................................ PASS
test_suite_x509parse .............................................. FAIL
test_suite_x509write .............................................. PASS
test_suite_xtea ................................................... PASS
------------------------------------------------------------------------
FAILED (104 suites, 15281 tests run)
make[1]: *** [Makefile:166: check] Error 1

Any idea of what we are doing wrong?

[Staff 9972]

51 minutes ago, zebulon said:

Any idea of what we are doing wrong?

Hello!

All of those "test_suite_*" tests are related to mbedTLS library suite. Let's wait for the maintainer's reply, or you can rely on the official repository. Note that we are going to move your and our messages on to the AirVPN Suite 1.3 thread in the next hours, because this is the thread dedicated to 2.0.0 public testing. Direct link:
https://airvpn.org/forums/topic/56375-linux-airvpn-suite-130-available/

Kind regards
 

[zebulon 0]

16 minutes ago, Staff said:

Hello!

All of those "test_suite_*" tests are related to mbedTLS library suite. Let's wait for the maintainer's reply, or you can rely on the official repository. Note that we are going to move your and our messages on to the AirVPN Suite 1.3 thread in the next hours, because this is the thread dedicated to 2.0.0 public testing. Direct link:
https://airvpn.org/forums/topic/56375-linux-airvpn-suite-130-available/

Kind regards
 

Oh apologies for that. I assumed that this was the correct thread since the archlinux package uses the gitlab latest sources.