Staff

Linux: AirVPN Suite 2.0.0 beta available


Hello!


We're very glad to inform you that AirVPN Suite version 2.0.0 alpha 1 is now available.
UPDATE 2023-11-24: version 2.0.0 alpha 2 is now available.
UPDATE 2024-05-14: version 2.0.0 beta 1 is now available.

AirVPN Suite 2.0.0 introduces AirVPN's exclusive per app traffic splitting system as well as some bug fixes, revised code in order to pave the way towards the final and stable release, WireGuard support, and the latest OpenVPN3-AirVPN 3.9 library. Please see the respective changelogs for a complete list of preliminary changes for each component of the suite. If you feel adventurous and you wish to test this beta version, please feel free to report any glitch, bug and problem in this very thread.

 

The 2.0.0 Beta 1 Suite includes:

  • Bluetit: lightweight, ultra-fast D-Bus controlled system daemon providing full connectivity and integration to AirVPN servers, or generic OpenVPN and WireGuard servers. Bluetit can also enforce Network Lock and/or connect the system to AirVPN during the bootstrap
  • Goldcrest: Bluetit client, allowing full integration with AirVPN servers, users, keys, profiles as well as generic OpenVPN and WireGuard servers
  • Hummingbird: lightweight and standalone binary for generic OpenVPN and WireGuard server connections
  • Cuckoo: traffic split manager, granting full access and functionality to AirVPN's traffic split infrastructure

WARNING: this is beta software in its development stage and may have bugs which may also cause critical and unstable conditions. This software is used at the whole risk of the user and it is strongly advised not to use it in production or critical systems or environments.


WireGuard support
 

WireGuard support is now available in Bluetit and Hummingbird. OpenVPN or WireGuard selection is controlled by Bluetit run control file option airvpntype or by Goldcrest option -f  (short for --air-vpn-type). Possible values: openvpn, wireguard. Default: openvpn. The option is documented in the 1.3.0 manual as well.

Bluetit run control file (/etc/airvpn/bluetit.rc) option:

airvpntype: (string) VPN type to be used for AirVPN connections. Possible values: wireguard, openvpn. Default: openvpn

Goldcrest option:

--air-vpn-type, -f : VPN type for AirVPN connection <wireguard|openvpn>
 


Suspend and resume services for systemd based systems


For your comfort, the installation script can create suspend and resume services in systemd based systems, according to your preferences, allowing a more proper management of VPN connections when the system is suspended and resumed. The network connection detection code has also been rewritten to provide more appropriate behaviour.

 

Asynchronous mode


A new asynchronous mode (off by default) is supported by Bluetit and Goldcrest, allowing asynchronous connections. Network Lock can be used accordingly in asynchronous connections. Please consult the readme.md file included in every tarball for more information and details.
 

Word completion on bash and zsh


Auto completion is now available by pressing the TAB key when entering any Goldcrest or Hummingbird option and filename on a bash or zsh interpreter. Auto completion files are installed automatically by the installation script.

 

AirVPN's VPN traffic splitting


AirVPN Suite version 2.0.0 introduces traffic splitting by using a dedicated network namespace, therefore completely separating the VPN traffic from unencrypted and "out of the tunnel" traffic. The VPN traffic is carried out in the default (main) namespace, ensuring that all system data and traffic are encrypted and tunneled into the VPN by default. No clear and unencrypted data are allowed to pass through the default namespace.
Any optional unencrypted data or clear network traffic must be explicitly requested by an authorized user with the right to run cuckoo, the AirVPN traffic split manager tool.

AirVPN's traffic splitting is enabled and controlled by Bluetit and by means of run control directives. The system has been created in order to minimize any tedious or extensive configuration, even to the minimal point of telling Bluetit to enable traffic splitting with no other setting.

In order to enable and control AirVPN's traffic splitting, the below new run control directives for /etc/airvpn/bluetit.rc have been introduced:
  • allowtrafficsplitting: (on/off) enable or disable traffic splitting (unencrypted and out of the tunnel traffic) Default: off
  • trafficsplitnamespace: (string) name of Linux network namespace dedicated to traffic splitting. Default: aircuckoo
  • trafficsplitinterface: (string) name of the physical network interface to be used for traffic splitting. All the unencrypted and out of the tunnel data will pass through the specified network device/interface. In case this directive is not used and unspecified, Bluetit will automatically use the main network interface of the system and connected to the default gateway. Default: unspecified
  • trafficsplitnamespaceinterface: (string) name of the virtual network interface to be associated to the Linux network namespace dedicated to traffic splitting. Default: ckveth0
  • trafficsplitipv4: (IPv4 address|auto) IPv4 address of the virtual network interface used for traffic splitting. In case it is set to 'auto', Bluetit will try to automatically assign an unused IPv4 address belonging to the system's host sub-network (/24) Default: auto
  • trafficsplitipv6: (IPv6 address|auto) IPv6 address of the virtual network interface used for traffic splitting. In case it is set to 'auto', Bluetit will try to automatically assign an unused IPv6 address belonging to the system's host sub-network (/64) Default: auto
  • trafficsplitfirewall: (on/off) enable or disable the firewall in Linux network namespace dedicated to traffic splitting. The firewall is set up with a minimal rule set for a very basic security model. Default: off
AirVPN's traffic splitting is designed in order to minimize any further configuration from the system administrator. To actually enable traffic splitting, it is just needed to set "allowtrafficsplitting" directive to "on" and Bluetit will configure the traffic split namespace with the default options as explained above. When needed, the system administrator can finely tune the traffic splitting service by using the above directives. At this early alpha stage, it is advised not to change the network namespace name but leave it to its default value "aircuckoo" to let cuckoo tool properly work.

 

 

Power and limitations

 

The adopted solution offers a remarkable security bonus in terms of isolation. For example, it gets rid of the dangerous DNS "leaks in" typical of cgroups based traffic splitting solutions. However, the dedicated namespace needs an exclusive IP address. If the system is behind a NAT (connected to a home router for example) this is not a problem, but if the system is not behind any NAT, i.e. it is assigned directly a public IP address, you will need another public IP address for the network namespace dedicated to traffic splitting. You will need to manually set the other public IP address on the trafficsplitipv4 or trafficsplitipv6 directive as the guessing abilities of Bluetit may work only within a private subnet. Please keep this limitation in mind especially if you want to run the Suite with per app traffic splitting on a dedicated or virtual server in some datacenter, as they are most of the times NOT behind any NAT.


 

Introducing Cuckoo, the AirVPN traffic splitting manager tool


Traffic splitting is implemented in AirVPN Suite by using a separate and independent network namespace, directly communicating with the system's default gateway through a virtual interface associated to a physical network interface available in the system. This ensures a true separation of traffic between tunneled and encrypted VPN data from the unencrypted and clear data to be channeled out of the VPN tunnel. The unencrypted traffic will never pass through the default namespace - which is under the VPN control - including, and most importantly, DNS requests.

To generate unencrypted and out of the tunnel traffic, any software having this need must be run inside the traffic split namespace. In order to do so, AirVPN Suite 2.0.0 introduces a new tool meant to be specifically used for this purpose: Cuckoo.
The tool can be used by users belonging to the airvpn group only. It cannot be used by root or any user belonging to the root group.

Additionally, in order to fully use the cuckoo tool, the user must also have special capabilities enabled, notably CAP_SYS_ADMIN, CAP_NET_ADMIN and CAP_NET_RAW. The installation script will set these capabilities to the "airvpn" user only. In case you need to let other users of the airvpn group use the cuckoo tool, you can simply duplicate the corresponding line in /etc/security/capability.conf and adapt it to your needs.
Note that in many distributions all of the above will not be necessary but keep it in mind if you find some issue and please feel free to report it.
At this current alpha stage cuckoo supports "aircuckoo" namespace only, that is the default namespace configured by Bluetit.

This preliminary alpha version does not provide any option and it is meant to simply run an application inside the traffic split namespace only.
The usage is straightforward:
cuckoo program [program options]

 

The traffic split namespace uses its own routing, network channels and DNS. It will not interfere or communicate in any way with the default namespace where the VPN is running and using its own encrypted tunnel. As for DNS, the traffic split namespace will use default system DNS settings.

Programs started with cuckoo are regular Linux processes and, as such, can be managed (that is stopped, interrupted, paused, terminated and killed) by using the usual process control tools. The programs started by cuckoo are assigned to the user who started cuckoo.

As a final note, in order to work properly, the following permissions must be granted to cuckoo and they are always checked at each run.

  • Owner: root

  • Group: airvpn

  • Permissions: -rwsr-xr-x (owner can read, write, execute and setuid; group can read and execute, others can read and execute)

     

Note on Web Browsers

 

Firefox and Chromium will not be able to resolve names in the aircuckoo namespace, not even when you run a unique instance of them inside the network namespace itself, in some Ubuntu systems. We are investigating this behavior. Brave, Opera and Konqueror are not affected by this problem, but please consider that due to how browser instances are tied to each other, you might get unexpected behavior if you run the same browser in both namespaces from the same user.
For example, if the browser has been started in the default namespace while there is an active AirVPN connection, the traffic will flow to the connected AirVPN server and from the associated VPN IP address from any future apparent instance launched by the same user, and vice-versa. The second instance may detect the first, delegate the task to it and exit, so you will have a new window but not another instance.
In order to circumvent the issue, at this stage you may take care to run programs in the aircuckoo namespace via cuckoo only from the airvpn account, and programs whose traffic must be tunneled from your ordinary account. In other words, to add security, do not add your ordinary account to the airvpn group if you plan to use traffic splitting, so your ordinary account will not be able to run cuckoo by accident.

EDIT 2024-11-12 --- We aim at resolving most of the above limitations and caveats in the imminent beta 2 version.

 

Download AirVPN Suite 2.0.0 beta 1:

ARM 64 bit:
https://eddie.website/repository/AirVPN-Suite/2.0-Beta1/AirVPN-Suite-aarch64-2.0.0-beta-1.tar.gz
https://eddie.website/repository/AirVPN-Suite/2.0-Beta1/AirVPN-Suite-aarch64-2.0.0-beta-1.tar.gz.sha512

ARM 64 bit legacy:
https://eddie.website/repository/AirVPN-Suite/2.0-Beta1/AirVPN-Suite-aarch64-legacy-2.0.0-beta-1.tar.gz
https://eddie.website/repository/AirVPN-Suite/2.0-Beta1/AirVPN-Suite-aarch64-legacy-2.0.0-beta-1.tar.gz.sha512

ARM 32 bit:
https://eddie.website/repository/AirVPN-Suite/2.0-Beta1/AirVPN-Suite-armv7l-2.0.0-beta-1.tar.gz
https://eddie.website/repository/AirVPN-Suite/2.0-Beta1/AirVPN-Suite-armv7l-2.0.0-beta-1.tar.gz.sha512

ARM 32 bit legacy:
https://eddie.website/repository/AirVPN-Suite/2.0-Beta1/AirVPN-Suite-armv7l-legacy-2.0.0-beta-1.tar.gz
https://eddie.website/repository/AirVPN-Suite/2.0-Beta1/AirVPN-Suite-armv7l-legacy-2.0.0-beta-1.tar.gz.sha512

x86-64:
https://eddie.website/repository/AirVPN-Suite/2.0-Beta1/AirVPN-Suite-x86_64-2.0.0-beta-1.tar.gz
https://eddie.website/repository/AirVPN-Suite/2.0-Beta1/AirVPN-Suite-x86_64-2.0.0-beta-1.tar.gz.sha512

x86-64 legacy:
https://eddie.website/repository/AirVPN-Suite/2.0-Beta1/AirVPN-Suite-x86_64-legacy-2.0.0-beta-1.tar.gz
https://eddie.website/repository/AirVPN-Suite/2.0-Beta1/AirVPN-Suite-x86_64-legacy-2.0.0-beta-1.tar.gz.sha512



Changelogs


Changelog for Bluetit

Version 2.0.0 beta 1 - 13 May 2024

- [ProMIND] WireGuard is now the default VPN for AirVPN connection
- [ProMIND] added client option --mtu
- [ProMIND] added run control directive wireguardmtu
- [ProMIND] added mode to client options
- [ProMIND] removed options for unsupported profiles with credentials
- [ProMIND] function check_if_root() renamed to is_root()
- [ProMIND] added is_hummingbird_running() function
- [ProMIND] D-Bus connection methods now check whether hummingbird is running
- [ProMIND] Added server D-Bus keys vpn_status to connection_stats
- [ProMIND] Added D-Bus command "remove_wireguard_device"
- [ProMIND] Added BLUETIT_STATUS_WIREGUARD_DEVICE_EXISTS macro in btcommon.h
- [ProMIND] Added wireguard_device_exists() function
- [ProMIND] bluetit_status(): added check for existing WireGuard devices
- [ProMIND] Added command line option "remove-wireguard-device" to be used in case a crash or unexpected exit and there is a WireGuard device still active
- [ProMIND] Added remove_wireguard_device() function
- [ProMIND] airvpn_server_save(): added check for south and north america continents
- [ProMIND] airvpn_create_profile(): added use_country_fqdn argument
- [ProMIND] Added air-sort and air-rsort options
- [ProMIND] Added air-limit option
- [ProMIND] btcommon.h renamed to btmacro.h
- [ProMIND] Added server D-Bus key load to airvpn_country_info and airvpn_country_list datasets
- [ProMIND] Manifest update interval is now set according to Manifest "next_update" element
- [ProMIND] Added server D-Bus key continent_code and continent_name to airvpn_server_info and airvpn_server_list datasets
- [ProMIND] Fixed bug in formal check for "country" and "aircountry" rc directives
- [ProMIND] Added --async option for asynchronous connections
- [ProMIND] Options --air-info and --air-list can now be used regardless of Bluetit connection status
- [ProMIND] Added function vpn_connection_mode()
- [ProMIND] Added macros VPN_MODE_BOOT, VPN_MODE_SYNCHRONOUS, VPN_MODE_ASYNCHRONOUS and VPN_MODE_DISCONNECTED
- [ProMIND] Added server D-Bus keys airvpn_user_name, airvpn_user_key and vpn_connection_mode to connection_stats dataset

*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*
Version 2.0.0 alpha 2 - 24 November 2023

- [ProMIND] implemented WireGuard connection
- [ProMIND] replaced all OPENVPN_LOG call with Logger::log
- [ProMIND] added function is_country_allowed
- [ProMIND] function start_openvpn_connection renamed to start_vpn_connection()
- [ProMIND] added WireGuard support to start_vpn_connection
- [ProMIND] function stop_openvpn_connection renamed to stop_vpn_connection()
- [ProMIND] added WireGuard support to stop_vpn_connection()
- [ProMIND] D-Bus command set_openvpn_profile renamed to set_vpn_profile in order to support both OpenVPN and WireGuard connections
- [ProMIND] added set_wireguard_profile() function
- [ProMIND] added establish_wireguard_connection() and reconnect_wireguard() functions
- [ProMIND] function reconnect_openvpn() renamed to reconnect_vpn()
- [ProMIND] added WireGuard support to reconnect_vpn()


*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*
Version 2.0.0 alpha 1 - 15 September 2023

- [ProMIND] updated to OpenVPN3 AirVPN 3.9
- [ProMIND] create_daemon(): replaced sprintf with snprintf
- [ProMIND] airvpn_server_save(): added generator tag
- [ProMIND] airvpn_key_save(): added generator tag
- [ProMIND] added run control directives allowtrafficsplitting, trafficsplitnamespace, trafficsplitinterface, trafficsplitnamespaceinterface, trafficsplitipv4, trafficsplitipv6 and trafficsplitfirewall
- [ProMIND] start_openvpn_connection(): added log display of local interfaces/addresses
- [ProMIND] recover_network(): delete traffic split namespace, in case it does exist.


*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*
Changelog for Cuckoo
Version 2.0.0 beta 1 - 13 May 2024
*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*
Version 2.0.0 alpha 2 - 24 November 2023
- [ProMIND] Minor development maintenance release
*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*
Version 2.0.0 alpha 1 - 15 September 2023
- [ProMIND] Initial alpha development release

Changelog for Goldcrest

Version 2.0.0 beta 1 - 13 May 2024
- [ProMIND] normalization of run control file options with Bluetit's client option macros
- [ProMIND] removed options for unsupported profiles with credentials
- [ProMIND] added auto completion scripts for bash and zsh
- [ProMIND] added support for Bluetit's "remove-wireguard-device" option
- [ProMIND] added support for Bluetit's "air-sort" and "air-limit" options
- [ProMIND] added support for Bluetit's new D-Bus datasets fields
- [ProMIND] added support for Bluetit async option
- [ProMIND] show_connection_stats(): added support for vpn_connection_mode, airvpn_user_name and airvpn_user_key
- [ProMIND] added Bluetit async option in run control file
- [ProMIND] --network-lock option can now be used in async mode (set network lock on and off)
*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*
Version 2.0.0 alpha 2 - 24 November 2023
- [ProMIND] show_connection_stats(): added WireGuard support
- [ProMIND] show_connection_stats(): added new 2.0 stat fields
*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*
Version 2.0.0 alpha 1 - 15 September 2023
*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*

Changelog for Hummingbird

Version 2.0.0 beta 1 - 13 May 2024

- [ProMIND] function read_profile() renamed to read_openvpn_profile()
- [ProMIND] function worker_thread() renamed to openvpn_worker_thread()
- [ProMIND] function start_connection_thread() renamed to start_openvpn_connection_thread()
- [ProMIND] added function wireguard_client()
- [ProMIND] added function finalize_connection()
- [ProMIND] added option mode
- [ProMIND] normalized log activity. Added function hblog()
- [ProMIND] function clean_up() renamed to clean_up_and_exit()
- [ProMIND] added function parse_options()
- [ProMIND] added function bluetit_lock_file_exist()
- [ProMIND] init_check(): improved check for Bluetit connection
- [ProMIND] clean_up_and_exit() renamed to cleanup_and_exit()
- [ProMIND] added auto completion scripts for bash and zsh
- [ProMIND] added "remove-wireguard-device" option
- [ProMIND] Added wireguard_device_exists() function


*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*


Version 2.0.0 alpha 2 - 24 November 2023

- [ProMIND] initial compliance to 2.0 classes and architecture


*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*


Version 2.0.0 alpha 1 - 15 September 2023

- [ProMIND] updated to OpenVPN3 AirVPN 3.9
- [ProMIND] --eval option prints ClientAPI::EvalConfig.reouteList data


*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*

Changelog for AirVPN Suite

Version 2.0.0 beta 1 - 13 May 2024

- [ProMIND] updated install.sh and uninstall.sh scripts for suspend and resume services

airvpnmanifest

- [ProMIND] searchServer(): pattern is now searched in continent code and name as well


airvpnserver

- [ProMIND] method getContinent() renamed to getContinentCode()
- [ProMIND] method setContinent() renamed to setContinentCode()
- [ProMIND] added method getContinentName()
- [ProMIND] implemented boolean comparison methods for std::sort


airvpnserverprovider

- [ProMIND] getFilteredServerList(): added handling for continents in country white and black lists
- [ProMIND] method compareServerScore() moved to AirVPNServer class


airvpntools

- [ProMIND] added method directoryExists()
- [ProMIND] added method startsWith()
- [ProMIND] method getLoad() renamed to getTrafficLoad()
- [ProMIND] split() fixed bug in case string does not contain delimiter
- [ProMIND] SERVER_READ_TIMEOUT is now set to 15 seconds
- [ProMIND] requestAirVPNDocument(): vector bootServerList is now shuffled before starting the document request


countrycontinent

- [ProMIND] Added method realCountryName()
- [ProMIND] Added constants EARTH, AFRICA, AMERICA, NORTH_AMERICA, SOUTH_AMERICA, ASIA, EUROPE and OCEANIA


dnsmanager

- [ProMIND] All binary paths are now searched at construction time
- [ProMIND] Added DNSManagerException class


execproc.c

- [ProMIND] Added function exec_error_description()
- [ProMIND] Added function exec_cmd_error_description()
- [ProMIND] Added function exec_cmd_args_error_description()


loadmod.c

- [ProMIND] Added function is_module_loaded()


netfilter

- [ProMIND] All binary paths are now searched at construction time
- [ProMIND] Added method isNftUsingIptables()
- [ProMIND] Added iptables-nft support to iptablesSave() and iptablesRestore() methods
- [ProMIND] Added method isPfEnabled()
- [ProMIND] Added methods allowPrivateNetwork() and isPrivateNetworkAllowed()
- [ProMIND] Added local and service IPv6 network classes to the default initialization of netfilter
- [ProMIND] setup(): added optional argument for private network management


network

- [ProMIND] struct Gateway: added isDefault field
- [ProMIND] method scanDefaultGateway() renamed to scanGateway()
- [ProMIND] added method getGatewayFromRouteTable()
- [ProMIND] added method getGateway()
- [ProMIND] removed member defaultGateway
- [ProMIND] added members IPv4Gateway and IPv6Gateway


openvpnclient

- [ProMIND] implemented OpenVpnClient::acc_event() in order to comply to new master specifications. Event is ignored.
- [ProMIND] Added private network option for constructors using a private NetFilter


optionparser

- [ProMIND] added mode to OptionConfig and Option structures
- [ProMIND] added function getOptionsForMode()
- [ProMIND] added function getInvalidOptionsForMode()


trafficsplit

- [ProMIND] added methods removeNamespaceDirectory(), namespaceConfigurationExists(), isDirty() and recover()
- [ProMIND] removed methods removeDefaultNamespaceDirectory(), defaultNamespaceConfigurationExists()
- [ProMIND] added methods getIPv4Gateway(), setIPv4Gateway(), getIPv6Gateway() and setIPv6Gateway()


wireguardclient

- [ProMIND] added method setEndPointPort()
- [ProMIND] added method removeDevice()
- [ProMIND] added methods createInterfaceDevice(), setDeviceConfiguration(), getDeviceList(), changeWgFilesOwnership() and restoreWgFilesOwnership() (macOS support)
- [ProMIND] Added private network option for constructors using a private NetFilter
- [ProMIND] Implemented event management
- [ProMIND] Improved handshake timeout management


vpnclient

- [ProMIND] Added private network option for constructors using a private NetFilter


*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*


Version 2.0.0 alpha 2 - 24 November 2023

execproc.c

- [ProMIND] added macros EXEC_MODE_VECTOR, EXEC_MODE_VECTOR_PATH, EXEC_MODE_VECTOR_PATH_ENV and EXEC_MODE_DEFAULT
- [ProMIND] added functions exec_set_mode(), exec_set_environ() and exec_reset()
- [ProMIND] do_execute(): added mode and environment handling
- [ProMIND] execute_process(), execute_process_args(): call exec_reset() before returning
- [ProMIND] get_exec_path(): renamed to exec_get_path() and added an extra argument to specify a colon separated search path

airvpntools

- [ProMIND] method architecture() now uses GCC macros only
- [ProMIND] added method platform()


dnsmanager

- [ProMIND] addAddressToResolvDotConf() now requires IPAddress type


logger

- [ProMIND] added overloaded log methods for std::ostringstream


network

- [ProMIND] added methods setupInterface(), enableInterface() and setInterfaceMtu()
- [ProMIND] added method setIPAddress() to Interface class
- [ProMIND] scanLocalIpAddresses() renamed to scanLocalInterfaces()
- [ProMIND] Interface: added method getAddressCount()


openvpnclient

- [ProMIND] added inheritance from vpnclient class
- [ProMIND] get_connection_stats(): added timestamp item
- [ProMIND] function openVPNInfo() renamed to getInfo()
- [ProMIND] function openVPNCopyright() renamed to getCopyright()


wireguardclient

- [ProMIND] added inheritance from vpnclient class
- [ProMIND] implemented connection management methods


vpnclient

- [ProMIND] new class


*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*


Version 2.0.0 alpha 1 - 15 September 2023

- [ProMIND] updated to OpenVPN3 AirVPN 3.9
- [ProMIND] updated install.sh and uninstall.sh scripts
- [ProMIND] updated bluetit.rc template
- [ProMIND] updated nsswitch.conf template
- [ProMIND] added cuckoo tool to the project


airvpntools

- [ProMIND] formatTransferRate(): replaced sprintf with snprintf
- [ProMIND] formatDataVolume(): replaced sprintf with snprintf
- [ProMIND] formatTime(): replaced sprintf with snprintf


execproc.c

- [ProMIND] execute_process(): added stderr redirection to char *error argument
- [ProMIND] do_execute(): renamed parent_pipe and child_pipe to stdin_pipe and stdout_pipe respectively
- [ProMIND] do_execute(): added stderr_pipe array
- [ProMIND] do_execute(): added stderr redirection to char *error argument


localnetwork

- [ProMIND] Class renamed to Network


netfilter

- [ProMIND] translateItemToNFTables(): added dormant flag to table creation
- [ProMIND] added method getSystemFirewallBackend()
- [ProMIND] added TARGET_IPTABLES_LEGACY and TARGET_UNKNOWN members
- [ProMIND] added method itemToCommandRule()


network

- [ProMIND] added method interfaceExists()
- [ProMIND] added overloaded method incrementIpAddress()
- [ProMIND] added new public class Interface
- [ProMIND] removed old interface and IP address collection in favor of class Interface
- [ProMIND] removed methods scanIpAddresses() and scanInterfaces()
- [ProMIND] default gateway is now evaluated at object construction and stored in member defaultGateway
- [ProMIND] struct Gateway member address is now defined as IPAddress
- [ProMIND] added excludeIpAddresses() and worker methods to compute a route by excluding an IP address range
- [ProMIND] added getIpAddressNetmask(), getIpAddressHostmask() and getIpAddressNetwork() methods
- [ProMIND] added internetChecksum() method
- [ProMIND] added getNextUnusedIpAddress() method and worker methods
- [ProMIND] added LocalNetworkException class


openvpnclient

- [ProMIND] profileNeedsResolution(): added check for ClientAPI::EvalConfig.reouteList
- [ProMIND] resolveProfile(): added resolution for ClientAPI::EvalConfig.reouteList
- [ProMIND] onResolveEvent(): removed log display of local interfaces/addresses
- [ProMIND] saveSystemDNS(): replaced deprecated inet_ntoa() with inet_ntop()
- [ProMIND] added new method getSystemDnsTable()


trafficsplit

- [ProMIND] new class


*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*





Kind regards & Datalove

AirVPN Staff


Hi. I'm trying to get up and running but I am having some trouble. Please assist.

I have installed the package, the installer created the airvpn user and group, I then ran cuckoo [program] from the airvpn user. I get the following error message:

Cuckoo - AirVPN Traffic Split Manager 2.0.0 alpha 1 - 15 Sep 2023

ERROR: Cannot open network namespace 'aircuckoo': No such file or directory

 

11 hours ago, jonjon91 said:

Hi. I'm trying to get up and running but I am having some trouble. Please assist.

I have installed the package, the installer created the airvpn user and group, I then ran cuckoo [program] from the airvpn user. I get the following error message:


Cuckoo - AirVPN Traffic Split Manager 2.0.0 alpha 1 - 15 Sep 2023

ERROR: Cannot open network namespace 'aircuckoo': No such file or directory

Hello and thank you for your tests!

Can you please make sure that you have the following directive in /etc/airvpn/bluetit.rc
allowtrafficsplitting on
If this is missing you will get that error message. We will make that error message more explicative during the alpha stage. Please let us know whether the problem is caused by the missing directive or not.

Kind regards
 

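A small preflight script for the "Cannot open network namespace 'aircuckoo'" error discussed above. It is an added example written for this thread, not part of the AirVPN Suite or its installer: it reads the allowtrafficsplitting and trafficsplitnamespace directives from /etc/airvpn/bluetit.rc, checks that the namespace handle exists, and verifies the owner, group and mode the announcement requires for the cuckoo binary. Assumptions: bluetit.rc uses one "directive value" per line (as in the reply above), named namespaces are kept under /var/run/netns as ip-netns does, GNU stat is available, and the cuckoo path /usr/bin/cuckoo is a placeholder to adjust to your installation.

```shell
#!/bin/sh
# Preflight check for AirVPN traffic splitting prerequisites (added example,
# not AirVPN code). Reads the rc file and the cuckoo binary described in the
# announcement and reports what would make cuckoo fail to open the namespace.

RC_FILE="${RC_FILE:-/etc/airvpn/bluetit.rc}"
CUCKOO_BIN="${CUCKOO_BIN:-/usr/bin/cuckoo}"   # assumed install path, adjust as needed

# rc_directive FILE KEY -> prints the value of KEY, or "unspecified" when absent.
# Assumes "directive value" lines; '#' starts a comment.
rc_directive() {
    awk -v key="$2" '
        /^[[:space:]]*#/ { next }
        $1 == key        { print $2; found = 1 }
        END              { if (!found) print "unspecified" }
    ' "$1"
}

# effective_namespace FILE -> the namespace name Bluetit will use (default aircuckoo).
effective_namespace() {
    ns=$(rc_directive "$1" trafficsplitnamespace)
    [ "$ns" = "unspecified" ] && ns="aircuckoo"
    printf '%s\n' "$ns"
}

# perms_ok OWNER GROUP MODE -> 0 only for root:airvpn with mode -rwsr-xr-x,
# the combination the announcement says cuckoo checks at every run.
perms_ok() {
    [ "$1" = "root" ] && [ "$2" = "airvpn" ] && [ "$3" = "-rwsr-xr-x" ]
}

# cuckoo_perms_ok PATH -> 0 if the binary on disk matches (GNU stat required).
cuckoo_perms_ok() {
    out=$(stat -c '%U %G %A' "$1" 2>/dev/null) || return 1
    set -- $out
    perms_ok "$1" "$2" "$3"
}

# preflight -> prints findings, returns 0 when everything looks right.
preflight() {
    rc=0
    if [ "$(rc_directive "$RC_FILE" allowtrafficsplitting)" != "on" ]; then
        echo "FAIL: allowtrafficsplitting is not 'on' in $RC_FILE; Bluetit will not create the namespace"
        rc=1
    fi
    ns=$(effective_namespace "$RC_FILE")
    if [ "$ns" != "aircuckoo" ]; then
        echo "WARN: trafficsplitnamespace is '$ns'; this release of cuckoo supports 'aircuckoo' only"
    fi
    if [ ! -e "/var/run/netns/$ns" ]; then
        echo "FAIL: namespace '$ns' does not exist; is Bluetit running with the directive enabled?"
        rc=1
    fi
    if ! cuckoo_perms_ok "$CUCKOO_BIN"; then
        echo "FAIL: $CUCKOO_BIN must be owned by root:airvpn with mode -rwsr-xr-x"
        rc=1
    fi
    [ "$rc" -eq 0 ] && echo "OK: traffic splitting prerequisites look right"
    return "$rc"
}

# Usage: sh preflight.sh run   (or source the file and call preflight yourself)
case "${1:-}" in run) preflight ;; esac
```

Run it as the airvpn user with "sh preflight.sh run"; a FAIL on the directive line is exactly the situation the reply above describes, while a FAIL on the namespace with the directive set means Bluetit has not (re)started with the new configuration.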
On 9/15/2023 at 12:00 PM, Staff said:

Note on DNS and Gecko or Chromium Based Web Browsers


Not that I am into traffic splitting, not at all, but just to test the new Suite I think I would resolve the problem by having split Firefox environments: different datadir, profiles etc. Before I try, do you think it can work? I guess it might be overkill, if someone found a smoother solution let me know...
 

9 hours ago, Staff said:

Can you please make sure that you have the following directive in /etc/airvpn/bluetit.rc


allowtrafficsplitting on


Yes I have this setting and I am still receiving the same error.

I was also dealing with an issue that airvpn changed the /etc/resolv.config file. I had to delete the file contents and add my DNS to the nameserver to regain internet access.

 

11 hours ago, jonjon91 said:


Yes I have this setting and I am still receiving the same error.
 


Hello!

Thanks. Thus, it must be a different issue or maybe a bug. Can you tell us your distribution name and version? Can you also please send us the complete Bluetit log? You can see it via journalctl if you are in a systemd based distribution. The following command:
sudo journalctl | grep bluetit > bluetit.log
will store the whole log in bluetit.log file.
 
11 hours ago, jonjon91 said:

I was also dealing with an issue that airvpn changed the /etc/resolv.config file. I had to delete the file contents and add my DNS to the nameserver to regain internet access.


When this other problem occurs, please send us a Bluetit log again as well as the content of the /etc/airvpn directory:
sudo ls -l /etc/airvpn

Kind regards

 

On 9/19/2023 at 1:40 PM, fsy said:

Not that I am into traffic splitting, not at all, but just to test the new Suite I think I would resolve the problem by having split Firefox environments: different datadir, profiles etc. Before I try, do you think it can work? I guess it might be overkill, if someone found a smoother solution let me know...
 

Hello!

Unfortunately it will not work. We are investigating different issues caused by web browsers. Please check the original announcement, we have changed a part to reflect the matter, we paste it here for readers' comfort and in order to outline the issue:
 

Note on Web Browsers


Firefox and Chromium will not be able to resolve names in the aircuckoo namespace, not even when you run a unique instance of them inside the network namespace itself, in some Ubuntu systems. We are investigating this behavior. Brave, Opera and Konqueror are not affected by this problem, but please consider that due to how browser instances are tied to each other, you might get unexpected behavior if you run the same browser in both namespaces from the same user.
For example, if the browser has been started in the default namespace while there is an active AirVPN connection, the traffic will flow to the connected AirVPN server and from the associated VPN IP address from any future apparent instance launched by the same user, and vice-versa. The second instance may detect the first, delegate the task to it and exit, so you will have a new window but not another instance.
In order to circumvent the issue, at this stage you may take care to run programs in the aircuckoo namespace via cuckoo only from the airvpn account, and programs whose traffic must be tunneled from your ordinary account. In other words, to add security, do not add your ordinary account to the airvpn group if you plan to use traffic splitting, so your ordinary account will not be able to run cuckoo by accident.
 
Kind regards
 


Glad to see this preview. Questions: shall we see a port to FreeBSD of the whole Suite? Can we expect app based traffic splitting on Windows?

On 9/15/2023 at 12:00 PM, Staff said:

if the browser has been started in the default namespace while there is an active AirVPN connection, the traffic will flow to the connected AirVPN server and from the associated VPN IP address from any future apparent instance, and vice-versa. The second instance may detect the first, delegate the task to it and exit, so you will have a new window but not another instance.


Is it just me or is it a severe problem? I mean, if cuckoo just forces an app to run in a specific network namespace with no other process isolation whatsoever then not only browsers but also any program checking whether another instance of itself is already running in order to share resources or opt for delegations will cause all sorts of troubles to the unaware user. Was the first instance launched in the root namespace or in the cuckoo namespace? Was another instance running because it started at boot? How is the user supposed to remember and track all the instances and know which programs check for another instance of themselves when starting?

Waiting for developers answers and hoping that, if I'm correct, this unhappy preview is just a bump in the road, after all it's only alpha 1.

9 hours ago, ARandomGuy said:

Is it just me or is it a severe problem? I mean, if cuckoo just forces an app to run in a specific network namespace with no other process isolation whatsoever then not only browsers but also any program checking whether another instance of itself is already running in order to share resources or opt for delegations will cause all sorts of troubles to the unaware user. Was the first instance launched in the root namespace or in the cuckoo namespace? Was another instance running because it started at boot? How is the user supposed to remember and track all the instances and know which programs check for another instance of themselves when starting?

Waiting for developers answers and hoping that, if I'm correct, this unhappy preview is just a bump in the road, after all it's only alpha 1.

Hello and thank you for your tests!

Of course, as you say, this is an early preview, an alpha 1, so we can and we will improve the software. With the understanding that the highest security level is reached only by renouncing traffic splitting or by splitting traffic only through boosted virtualization via a proper hypervisor, our solution aims at offering a fair balance between a very light implementation and a safe environment. If we pushed on virtualization too much, then the user might as well directly use solutions of non-Linux third-party components and software suites, such as VirtualBox or Docker. It's not in our vision to burden the AirVPN Suite at those levels, as the Suite is thought to remain the most lightweight piece of software we release.

In the current default setup, you have a minimum of two separate login users in any Linux box: airvpn and your usual user. By default, only airvpn can run cuckoo. If you choose not to add your current user to the airvpn group, you can safely rely on the fact that the types of processes you mention launched by your current user will never be affected by processes started by the airvpn user and vice-versa. In this way it's almost impossible to cause confusion by distraction and, for example, use a browser outside the tunnel while you think that it's inside.

It's also obvious that a decent concentration level is always required, but that's required even with full virtualization, because no security model can save you from the distraction of wrongly assuming that a specific VM is connected to the VPN while in reality it is not. So nothing new: traffic splitting always has required, and always will require, some attention, no matter how you achieve it. Stay tuned for the alpha 2, we are working on it.

Kind regards
 

On 9/21/2023 at 11:45 AM, revsplus said:

Glad to see this preview. Questions: shall we see a port to FreeBSD of the whole Suite? Can we expect app based traffic splitting on Windows?


Hello!

We're terribly sorry, the port to FreeBSD is currently frozen. We will re-consider it anyway in the future, but only after the Suite 2 stable version for Linux is released. As far as it pertains to Windows, we will leave the answer to the Eddie Windows edition developer.

Kind regards
 

13 hours ago, ARandomGuy said:

Is it just me or is it a severe problem? I mean, if cuckoo just forces an app to run in a specific network namespace with no other process isolation whatsoever then not only browsers but also any program checking whether another instance of itself is already running in order to share resources or opt for delegations will cause all sorts of troubles to the unaware user.

It is indeed a severe problem and I don't see how this could be fixed. If you choose to separate the IPC/storage namespaces too then you'd need to take full control over application settings and how it's launched to ensure separation.
The main vector here is default protocol handlers. Click an http:// link in any other program and your default browser will start in the default namespace, not that other one. What else can you do, intercept all program launches? Linux doesn't have the same concept of matching an ".exe name" as on Windows.
Edit: I just saw that Staff replied. The per-user separation is a reasonable decision here.
= = =
On 9/20/2023 at 6:25 PM, Staff said:

Firefox and Chromium will not be able to resolve names in the aircuckoo namespace, not even when you run a unique instance of them inside the network namespace itself, in some Ubuntu systems.

I have a similar issue using a custom namespaced setup with Wireguard but in a different way. Firefox's DNS lookups inside the namespace will work until the computer goes to sleep. After waking up Firefox will be unable to resolve any hosts until Fx is restarted. I have not tried loading websites per IP, maybe Firefox actually loses all connectivity in this case. Arch Linux.
Just a guess, did you put a per-namespace resolv.conf file where it belongs? Somewhere around mans/arch wiki or systemd text there was a proposal of a standard to have per network namespace resolver configuration. Maybe Firefox when it doesn't run DoH looks at the wrong resolv.conf and tries to contact the local DNS resolver from another namespace.

16 hours ago, Stalinium said:

I have a similar issue using a custom namespaced setup with Wireguard but in a different way. Firefox's DNS lookups inside the namespace will work until the computer goes to sleep. After waking up Firefox will be unable to resolve any hosts until Fx is restarted. I have not tried loading websites per IP, maybe Firefox actually loses all connectivity in this case. Arch Linux.
Just a guess, did you put a per-namespace resolv.conf file where it belongs? Somewhere around mans/arch wiki or systemd text there was a proposal of a standard to have per network namespace resolver configuration. Maybe Firefox when it doesn't run DoH looks at the wrong resolv.conf and tries to contact the local DNS resolver from another namespace.


Hello!

Yes, of course, we take care of both resolv.conf and nsswitch.conf inside the aircuckoo namespace (/etc/netns/aircuckoo/nsswitch.conf) in order to
  1. prevent the feared and dangerous "DNS leaks inside the tunnel" which affect other traffic splitting implementations based on cgroups and
  2. cover various distributions, including systems where systemd-resolved runs.
In our "reversed" traffic splitting implementation, the aircuckoo namespace apps must query the system DNS.
Per network namespace resolver configuration seems an established feature, or do you mean something else with the proposal you mention? Or do you imply that systemd-resolved may cause additional problems we have not taken into account?

For your specific problem, we have no immediate suggestion unfortunately, we would just recommend that you check (for example with Wireshark) what happens to Firefox packets after the system wakes up. We're also unsure whether this article may help you, probably not but we link it anyway just in case:
https://philipdeljanov.com/posts/2019/05/31/dns-leaks-with-network-namespaces/

Feel free to keep us posted, and we'll do the same, as the different outcome with / behavior of Firefox in different distributions is under investigation and we need to clarify the issue carefully.

Kind regards
 

@Staff

At the moment I found a solution I like. I enter desktop environments both with airvpn and my normal account at the same time and then switch between the environments. Switching is quite fast on Linux and it helps me focus on which is which. It resolves a problem I met which I did not look into much, maybe you would like to hear it. The airvpn account apparently does not get properly configured by the installer, or maybe I made some error during installation, because the airvpn account via cuckoo can't run any DE-based application on the desktop of someone else. [virtualized Fedora 38 here]
 

8 hours ago, Staff said:

Yes, of course, we take care of both resolv.conf and nsswitch.conf inside the aircuckoo namespace (/etc/netns/aircuckoo/nsswitch.conf) in order to

Hey I found what I was thinking of, man ip-netns:
DESCRIPTION
      A network namespace is logically another copy of the network stack, with its own routes, firewall rules, and network devices.

      By default a process inherits its network namespace from its parent. Initially all the processes share the same default network namespace from the init process.

      By convention a named network namespace is an object at /var/run/netns/NAME that can be opened. The file descriptor resulting from opening /var/run/netns/NAME
      refers to the specified network namespace. Holding that file descriptor open keeps the network namespace alive. The file descriptor can be used with the
      setns(2) system call to change the network namespace associated with a task.

HERE: For applications that are aware of network namespaces, the convention is to look for global network configuration files first in /etc/netns/NAME/ then in /etc/.
      For example, if you want a different version of /etc/resolv.conf for a network namespace used to isolate your vpn you would name it /etc/netns/myvpn/resolv.conf.


 
This is what you already do, nice. However for systemd-resolved I did not find a single mention of network namespaces (i.e. this convention) in their manual. God knows what it does or does not do.

Looking further I found https://github.com/systemd/systemd/issues/17155 - "portable: default profile /etc/resolv.conf bind mount can break in the container namespace." maybe that's similar to my case even though I don't use systemd-resolved (but rebinding happens; I'm not worried about DNS going through main namespace since I use dnscrypt there anyway - my ISP interferes with DNS). Yeah, I really should check Wireshark. For others reading, what's funny is Wireshark not supporting network namespaces yet. You must launch it in the appropriate net ns with enough permissions or Wireshark will not see the other interfaces.

Now an unrelated but good link with explanation of some systemd service options, here the user manually created a service with Wireguard-style netns: https://github.com/systemd/systemd/issues/28694
Here again a lengthy discussion of starting systemd services in a network namespace: https://github.com/systemd/systemd/issues/2741

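The /etc/netns/NAME/ convention quoted from ip-netns above, and the resolv.conf plus nsswitch.conf placement Staff describes in the earlier reply, can be audited with a small script. This is an added example, not code from AirVPN or the Suite; NETNS_ETC is a hypothetical override variable (not an ip-netns feature) so the check can be exercised against a scratch directory without root, and the constructed sample in the comments is not real output.

```shell
#!/bin/sh
# Added example, not part of the AirVPN Suite: audit the per-namespace resolver
# configuration that ip-netns(8) bind-mounts over /etc when a process is started
# with "ip netns exec NAME". If /etc/netns/NAME/resolv.conf is absent, programs
# in that namespace silently read the host's /etc/resolv.conf instead, which is
# exactly how DNS queries end up going where they were not meant to.
#
# NETNS_ETC is a hypothetical override (an assumption of this example, not an
# ip-netns feature) so the check can run against a scratch directory without root.
NETNS_ETC="${NETNS_ETC:-/etc/netns}"

# check_netns_resolver NAME
# Prints one line per finding. Returns 0 when resolv.conf and nsswitch.conf both
# exist for NAME and resolv.conf names at least one nameserver; 1 otherwise.
check_netns_resolver() {
    ns="$1"
    dir="$NETNS_ETC/$ns"
    rc=0
    for f in resolv.conf nsswitch.conf; do
        if [ -f "$dir/$f" ]; then
            echo "ok: $dir/$f present (overrides /etc/$f inside '$ns')"
        else
            echo "missing: $dir/$f (apps in '$ns' will read the host /etc/$f)"
            rc=1
        fi
    done
    if [ -f "$dir/resolv.conf" ]; then
        # grep -c prints 0 and exits 1 on no match, so keep the count and ignore the status
        n=$(grep -c '^nameserver[[:space:]]' "$dir/resolv.conf" || true)
        if [ "$n" -gt 0 ]; then
            echo "ok: $n nameserver line(s) in $dir/resolv.conf"
        else
            echo "warning: no nameserver line in $dir/resolv.conf"
            rc=1
        fi
    fi
    return "$rc"
}

# live_resolv_check NAME
# When the namespace exists (ip-netns keeps it at /var/run/netns/NAME) and we
# have privileges, show what a process inside it actually sees as /etc/resolv.conf.
live_resolv_check() {
    ns="$1"
    if [ ! -e "/var/run/netns/$ns" ]; then
        echo "namespace '$ns' is not present"
        return 2
    fi
    ip netns exec "$ns" cat /etc/resolv.conf
}

# Usage: sh check_netns.sh [NAME]   (default: the Suite's aircuckoo namespace)
check_netns_resolver "${1:-aircuckoo}" || echo "resolver configuration for '${1:-aircuckoo}' is incomplete"
```

Run it as root (or with NETNS_ETC pointed at a copy) to see which files the namespace will actually override; live_resolv_check then confirms the bind mount from inside the namespace.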

@Staff

I have been using Bluetit on Debian 11 for more than a year now, and have run into an issue with SSD activity.

It seems that Bluetit is causing noticeable read/write activity on the SSD. This completely goes away if I use wireguard, or openvpn that is not running on Bluetit. Version of Bluetit also doesn't seem to matter, as the same issue persists after updates. Since the PC stays online 24/7, it is now causing significant wear on the SSD.

Is this a known issue?  If not, any suggestions on how to get around this?

@TooLittleTime

Hello and thank you for your tests!

We are unable to reproduce the issue at the moment, can you please tell us whether you see the same when you run Hummingbird (with Bluetit not running at all)?

Kind regards
 


Hello!

We're glad to inform you that AirVPN Suite 2.0.0 alpha 2 is now available.

 
NEW:
  • WireGuard support by Bluetit and Goldcrest
  • minor bug fixes

The announcement message has been updated accordingly. Thank you for your tests! Please report bugs or any malfunction here.

Kind regards
 


Great, it works, and I see a dramatic performance increase with WireGuard and lower CPU load on a level playing field with OpenVPN (same server etc.). It's totally consistent with the wg client for Linux with the kernel module. Not my case, but for information, what happens if the module is unavailable?

15 hours ago, Quallian said:

Great, it works, and I see a dramatic performance increase with WireGuard and lower CPU load on a level playing field with OpenVPN (same server etc.). It's totally consistent with the wg client for Linux with the kernel module. Not my case, but for information, what happens if the module is unavailable?


Hello!

Thank you for your tests!
If the WireGuard kernel module is missing, the Suite will not work in WireGuard mode.

Kind regards
 

Posted ... (edited)
Cuckoo - AirVPN Traffic Splitting Manager 2.0.0 alpha 1 - 24 November 2023

ERROR: Cannot open network namespace 'aircuckoo': No such file or directory
$ sudo ls -l /etc/airvpn
total 168
-rw-rw---- 1 root root 138622 Jan 12 10:02 airvpn-manifest.xml
-rw-r----- 1 root root      5 Jan 12 10:02 bluetit.lock
-rw-rw---- 1 root root   3496 Jan 12 09:54 bluetit.rc
-rw-rw---- 1 root root   1445 Jan 12 09:41 connection_priority.txt
-rw-rw---- 1 root root     48 Jan 12 09:41 connection_sequence.csv
-rw-rw---- 1 root root    103 Jan 12 09:41 continent_names.csv
-rw-rw---- 1 root root   1743 Jan 12 09:41 country_continent.csv
-rw-rw---- 1 root root   3737 Jan 12 09:41 country_names.csv
-rw-rw---- 1 root root    225 Jan 12 09:41 nsswitch.conf

Getting the same error as above. Here's what I changed in bluetit.rc:
airvpntype wireguard
allowtrafficsplitting on
trafficsplitnamespace aircuckoo

distro: debian 12 stable amd64

bluetit.log

Edit: I think it's because I didn't set my airvpn username and password 😅 Now bluetit starts to connect.

Edited ... by irxhnfdptv

@irxhnfdptv

Hello!

WireGuard can't connect. Might it be blocked in your network? If you try a connection with the native WireGuard client for Linux, is it successful? You can generate a profile for WireGuard on our Configuration Generator available in your AirVPN account "Client Area". By testing the WireGuard client directly you may let us discern whether the problem is Bluetit-specific or not.

Kind regards
 

Posted ... (edited)
16 minutes ago, Staff said:
@irxhnfdptv

Hello!

WireGuard can't connect. Might it be blocked in your network? If you try a connection with the native WireGuard client for Linux, is it successful? You can generate a profile for WireGuard on our Configuration Generator available in your AirVPN account "Client Area". By testing the WireGuard client directly you may let us discern whether the problem is Bluetit-specific or not.

Kind regards
 
Hello. Yea, it works natively if I use "wg-quick up wg0".

Edited ... by irxhnfdptv
