Linux: AirVPN Suite 2.0.0 preview available

Staff

1 hour ago, colorman said:

./install.sh: line 385: setcap: command not found

Hello!

setcap sets file capabilities and requires libcap. Please install libcap and libcap-progs packages, uninstall and re-install the Suite, test again and report back at your convenience.

Kind regards

colorman

I missed package libcap-progs

But still error;

localhost:/usr/local/bin> ./goldcrest AirVPN_Belgium_UDP-1637-Entry3.conf
Goldcrest - AirVPN Bluetit Client 2.0.0 beta 4 - 14 February 2025

2025-02-15 11:49:25 Reading run control directives from file /home/gerrit/.config/goldcrest.rc
2025-02-15 11:49:25 Bluetit - AirVPN WireGuard/OpenVPN3 Service 2.0.0 beta 4 - 14 February 2025
2025-02-15 11:49:25 OpenVPN core 3.11 AirVPN (20250206) linux x86_64 64-bit
2025-02-15 11:49:25 Copyright (C) 2012- OpenVPN Inc. All rights reserved.
2025-02-15 11:49:25 OpenSSL 3.1.4 24 Oct 2023
2025-02-15 11:49:25 AirVPN WireGuard Client 2.0.0 Linux x86_64 64-bit
2025-02-15 11:49:25 Bluetit options successfully reset
2025-02-15 11:49:25 Requesting VPN connection to Bluetit
2025-02-15 11:49:25 Network filter and lock are using nftables
2025-02-15 11:49:25 Kernel module nf_tables is already loaded
2025-02-15 11:49:25 Network filter successfully initialized
2025-02-15 11:49:25 Private network is allowed to pass the network filter
2025-02-15 11:49:25 ERROR: Cannot start WireGuard connection. Client name and user name (system login name) not pro
vided.
2025-02-15 11:49:25 Bluetit session terminated

Staff

2 hours ago, colorman said:

But still error;

Hello!

2 hours ago, colorman said:

2025-02-15 11:49:25 ERROR: Cannot start WireGuard connection. Client name and user name (system login name) not provided.

We managed to reproduce the bug by trying to launch Goldcrest by both airvpn (or users in the airvpn group) and root. We will address the problem in the next beta version. In the meantime (so you can continue testing) please do not use a configuration file for WireGuard connections. Run Hummingbird directly when you want to establish a WireGuard connection through a configuration file and run Goldcrest for AirVPN integration.

Thank you for your tests!

Kind regards

colorman

1 minute ago, Staff said:

Hello!

We managed to reproduce the bug by trying to launch Goldcrest by both airvpn (or users in the airvpn group) and root. We will address the problem in the next beta version. In the meantime (so you can continue testing) please do not use a configuration file for WireGuard connections. Run Hummingbird directly when you want to establish a connection through a configuration file and run Goldcrest for AirVPN integration.

Thank you for your tests!

Kind regards

Thanks..
Use Eddie now

jeffiscow

Hey Y'all!

First I'd like to say this tool seems awesome that for the handwork and support.

I've been having a problem after I tried opening a port for p2p on the Airvpn site and binding it to my bittorrent client bluetit detected 2 dns and shutdown and locked and was getting the "lock file --recover-network" message. I was able to fix that but now was getting a “D-Bus serviceorg.airvpn.server is not available” message. After trying everything I could find on the forums and the only thing that has fixed it was reinstalling, I figured I'd check if the Arch had a package in the AUR.

There are a few things I tried airvpn-suite-beta-bin 2.0.0-3 and this is what happened:

myusername@ArchLaptop % yain airvpn-suite-beta-bin                                                                                                                                                                  ~
AUR Explicit (1): airvpn-suite-beta-bin-2.0.0-3
:: (1/1) Downloaded PKGBUILD: airvpn-suite-beta-bin
  1 airvpn-suite-beta-bin                    (Build Files Exist)
==> Packages to cleanBuild?
==> [N]one [A]ll [Ab]ort [I]nstalled [No]tInstalled or (1 2 3, 1-3, ^4)
==> a
:: Deleting (1/1): /home/jeffiscow/.cache/yay/airvpn-suite-beta-bin
HEAD is now at b19ea8b pkgver++; arch=armv7h; license=GPL-3.0-only
  1 airvpn-suite-beta-bin                    (Build Files Exist)
==> Diffs to show?
==> [N]one [A]ll [Ab]ort [I]nstalled [No]tInstalled or (1 2 3, 1-3, ^4)
==> a

:: Proceed with install? [Y/n] y
==> Making package: airvpn-suite-beta-bin 2.0.0-3 (Sat 08 Mar 2025 11:18:48 AM EST)
==> Retrieving sources...
  -> Downloading AirVPN-Suite-x86_64-2.0.0-beta-1.tar.gz...
  % Total    % Received % Xferd  Average Speed   Time    Time     Time  Current
                                 Dload  Upload   Total   Spent    Left  Speed
100 3877k  100 3877k    0     0  3234k      0  0:00:01  0:00:01 --:--:-- 3236k
  -> Found airvpn-suite.sysusers
==> WARNING: Skipping verification of source file PGP signatures.
==> Validating source files with sha512sums...
    AirVPN-Suite-x86_64-2.0.0-beta-1.tar.gz ... Passed
    airvpn-suite.sysusers ... Passed
:: (1/1) Parsing SRCINFO: airvpn-suite-beta-bin
==> Making package: airvpn-suite-beta-bin 2.0.0-3 (Sat 08 Mar 2025 11:18:52 AM EST)
==> Checking runtime dependencies...
==> Checking buildtime dependencies...
==> Retrieving sources...
  -> Found AirVPN-Suite-x86_64-2.0.0-beta-1.tar.gz
  -> Found airvpn-suite.sysusers
==> Validating source files with sha512sums...
    AirVPN-Suite-x86_64-2.0.0-beta-1.tar.gz ... Passed
    airvpn-suite.sysusers ... Passed
==> Removing existing $srcdir/ directory...
==> Extracting sources...
  -> Extracting AirVPN-Suite-x86_64-2.0.0-beta-1.tar.gz with bsdtar
==> Sources are ready.
==> Making package: airvpn-suite-beta-bin 2.0.0-3 (Sat 08 Mar 2025 11:18:56 AM EST)
==> Checking runtime dependencies...
==> Checking buildtime dependencies...
==> WARNING: Using existing $srcdir/ tree
==> Entering fakeroot environment...
==> Starting package()...
install: invalid group 'airvpn'
==> ERROR: A failure occurred in package().
    Aborting...
 -> error making: airvpn-suite-beta-bin-exit status 4
 -> Failed to install the following packages. Manual intervention is required:
airvpn-suite-beta-bin - exit status 4

Is this saying I need to create the “airvpn” group before I install the package, and if so, any idea what permissions and setting that group would need?

inxi print out for ya if that helps.

Thanks in advance!

inxi.txt

OpenSourcerer

I see my lapse in thinking there. In package(), the cuckoo binary is copied with airvpn as its group, but this group is only created in pacman's post-transaction hooks, after a package is installed. Since it's not able to create the package in the first place, airvpn-suite-beta-bin 2.0.0-3 is upgradeable (since the airvpn group would exist already) , but uninstallable from scratch.
I don't know that "yain" program you use (yay fork?), but if there is an option to edit the PKGBUILD before installing, comment out line 34, otherwise edit the PKGBUILD and build using makepkg:

34   # install -Dm4755 -g airvpn bin/cuckoo "$pkgdir/usr/bin/cuckoo"

makepkg -sCcri

After installing, set mode of cuckoo to 4755 and change group to airvpn:

# chmod 4755 /usr/bin/cuckoo
# chgrp airvpn /usr/bin/cuckoo

Be advised that the package is unmaintained. I abandoned maintainership of all Suite packages two months ago.

jeffiscow

@OpenSourcerer
I'm in the process of learning about Linux, security and how to best use of VPNs, so I apologize for not including everything I tried first before coming to the forum to ask for help. I didn't want to write a novel. My thought process on using the package from the AUR was It would save time and energy when installing and reinstalling. Also, “yain” is just an alias I set for “sudo yay -S”.

I didn't realize at the time the package was unmaintained, but know that I know I'll go back and try setting up Suite the suggested way. If I run into the "--recover-network" not working again I'll post the bluetit log and whatever is recommended and advised.

colorman

@Staff
Is there any development on the next Beta version?
It's very quiet.
Thanks in advance

Staff

14 hours ago, colorman said:

@Staff
Is there any development on the next Beta version?
It's very quiet.
Thanks in advance

Hello!

Yes, there has been intensive work behind the scenes to fix some tricky bugs and improve the implementation of specific parts (special thanks to beta testers behind the scenes). The next beta version, or perhaps the first Release Candidate, is scheduled for the very first days of April.

Kind regards

Staff

Hello!

We're very glad to inform you that AirVPN Suite 2.0.0 beta 5 for Linux is now available. The original post link is updated to show the new download URLs. This is an extensive bug fix version addressing all the issues reported ever since beta 4 was released and with the addition of new Network Lock related options offering more flexibility. Now you can accept or deny incoming, outgoing or both ICMP-echo packets, and independently you can permit or forbid IPv6 NDP, which is based on ICMPv6. The new options supported by Bluetit and Hummingbird are:

allowping [on | off | input | output], default: output
allowipv6ndp [on | off], default: on

The Goldcrest and Hummingbird corresponding options are:
--allow-ping
--allow-ipv6ndp

with the very same possible values and default settings. EDIT: BUG/error: the Hummingbird default value of allow-ping is "on" - please take note! It will be fixed in the next version.

Please check the changelogs for each application included in the packages to see all the changes in detail.

Kind regards and datalove
AirVPN Staff

colorman

with openSUSE 15.6 it seems ok now.
also with goldcrest.
good work. 😀

Staff

Hello!

We're very glad to inform you that AirVPN Suite 2.0.0 Release Candidate 1 for Linux is now available. The original post link is updated to show the new download URLs. The important differences from beta 5 are:

a bug causing a crash when nft error messages exceeded a definite size has been fully addressed
Bluetit features additional pause and re-connection attempts aimed at facilitating re-connection at system resume after suspension and other situations
Hummingbirtd --allow-ping default value is now "output"

Special note for firewalld users

Please read here, it's very important: https://airvpn.org/forums/topic/70164-linux-network-lock-and-firewalld/

Please note that from now on compatibility with Debian 10 and its derivatives, that reached end of long term support and end of life on June 2024, is lost even for the legacy version, mainly because the Suite is now C++20 compliant. The legacy version remains suitable for Debian 11 and its derivatives.

Kind regards

183aTr78f9o

@Staff
Are NixOS packages planned at some point, after the stable version is released? Just curious.

Staff

14 hours ago, 183aTr78f9o said:

@Staff
Are NixOS packages planned at some point, after the stable version is released? Just curious.

Hello!

The Suite distribution concept avoids any specific package manager for their excessive proliferation. Most of these package managers are incompatible with each other. We count nowadays 18 package managers on 800+ different distributions. Development team is committed to offering exclusively tarballs and an installation script written in sh to ensure compatibility with a wide range of distributions.

Kind regards

Staff

Hello!

We're very glad to inform you that AirVPN Suite 2.0.0 Release Candidate 2 for Linux is now available. The original post is updated to show the new download URLs. The important improvements over RC 1 are:

Cuckoo's design flaw has been fixed. Now cuckoo can be run when no graphic environment is installed
added check and warning to clearly inform the user when firewalld is configured to be the exclusive owner of its tables / chains / rules
in case VPN is busy in a pending process (such as reconnecting) stop_connection command is not performed by Bluetit, thus avoiding potential problems
a few changes to greatly improve network management during sessions based on WireGuard
libxml2 is now statically linked. This pondered decision was driven by various problems caused by a few Linux distributions inconsistencies with established practices and standards
linked against the new OpenVPN3-AirVPN 3.12 library

Special note for firewalld users

Please read here, it's very important: https://airvpn.org/forums/topic/70164-linux-network-lock-and-firewalld/

Please note that compatibility with Debian 10 and its derivatives, that reached end of long term support and end of life on June 2024, is lost even for the legacy version, mainly because the Suite is now C++20 compliant. The legacy version remains suitable for Debian 11 and its derivatives.

Kind regards

jeffiscow

Awesome! Going to give it another go with this release, will report back. Any public repos to post issues to? It seems like the GitLab reop hasnt been updated in bit.

On 6/10/2025 at 8:41 AM, Staff said:

Special note for firewalld users
Please read here, it's very important: https://airvpn.org/forums/topic/70164-linux-network-lock-and-firewalld/

Thanks for this, I'm a firewalld fan would have been trying to mess with this to fix it forever!

Pwbkkee

Bluetit 2.0.0 RC 2 does not exit cleanly. Either it fails with SIGSEGV when Goldcrest is terminated or it fails with SIGABRT when systemd sends it a SIGTERM.

Here is the log showing Bluetit's SIGABRT failure:

Jun 25 01:03:00 systemd[962]: Stopping goldcrest@Delphinus.service - Goldcrest...
Jun 25 01:03:00 bluetit[1288]: Requested method "bluetit_status -> Bluetit is connected to VPN (OpenVPN)"
Jun 25 01:03:00 bluetit[1288]: Requested method "stop_connection"
Jun 25 01:03:00 bluetit[1288]: Stopping OpenVPN synchronous connection
Jun 25 01:03:00 bluetit[1288]: Connection statistics updater thread terminated
Jun 25 01:03:00 bluetit[1288]: OpenVPN3 connection thread terminated
Jun 25 01:03:00 systemd-networkd[646]: tun0: Link DOWN
Jun 25 01:03:00 systemd-networkd[646]: tun0: Lost carrier
Jun 25 01:03:00 bluetit[1288]: Sending event 'event_disconnected'
Jun 25 01:03:00 bluetit[1288]: Connection time: 04:00:56
Jun 25 01:03:00 bluetit[1288]: Total transferred Input data: 39.03 MB
Jun 25 01:03:00 bluetit[1288]: Total transferred Output data: 2.67 MB
Jun 25 01:03:00 bluetit[1288]: Max Input rate: 542.04 Kbit/s
Jun 25 01:03:00 bluetit[1288]: Max Output rate: 55.31 Kbit/s
Jun 25 01:03:00 bluetit[1288]: Logging out AirVPN user Pwbkkee
Jun 25 01:03:00 bluetit[1288]: Sending event 'event_end_of_session'
Jun 25 01:03:00 bluetit[1288]: Sending event 'event_end_of_session'
Jun 25 01:03:00 dbus-daemon[642]: [system] Rejected send message, 3 matched rules; type="error", sender=":1.39" (uid=1000 pid=1298 comm="/usr/local/bin/goldcrest --air-connect --air-serve") interface="(unset)" member="(unset)" error name="org.freedesktop.DBus.Error.UnknownMethod" requested_reply="0" destination=":1.37" (uid=0 pid=1288 comm="/usr/local/bin/bluetit")
Jun 25 01:03:00 systemd[962]: Stopped goldcrest@Delphinus.service - Goldcrest.
Jun 25 01:03:00 systemd[962]: goldcrest@Delphinus.service: Consumed 6.388s CPU time.
Jun 25 01:04:00 sudo[3244]: user : TTY=pts/0 ; PWD=/home/user ; USER=root ; COMMAND=/usr/bin/systemctl stop bluetit.service
Jun 25 01:04:00 sudo[3244]: pam_unix(sudo:session): session opened for user root(uid=0) by (uid=1000)
Jun 25 01:04:00 bluetit[1288]: Received Terminated signal. Terminating Bluetit.
Jun 25 01:04:00 systemd[1]: Stopping bluetit.service - AirVPN Bluetit Daemon...
Jun 25 01:04:00 bluetit[1288]: AirVPN Manifest updater thread terminated
Jun 25 01:04:00 bluetit[1288]: Sending event 'event_end_of_session'
Jun 25 01:04:00 systemd[1]: bluetit.service: Main process exited, code=dumped, status=6/ABRT
Jun 25 01:04:00 systemd[1]: bluetit.service: Failed with result 'core-dump'.
Jun 25 01:04:00 systemd[1]: Stopped bluetit.service - AirVPN Bluetit Daemon.
Jun 25 01:04:00 systemd[1]: bluetit.service: Consumed 8.632s CPU time.

Here is my bluetit.service file:

[Unit]
Description=AirVPN Bluetit Daemon
[Service]
CapabilityBoundingSet=CAP_NET_ADMIN
ConfigurationDirectory=airvpn
DeviceAllow=/dev/net/tun rw
DevicePolicy=closed
ExecStart=/usr/local/bin/bluetit
KillMode=mixed
LockPersonality=true
MemoryDenyWriteExecute=true
Nice=-10
NoNewPrivileges=true
PrivateIPC=true
PrivateMounts=true
PrivateTmp=true
ProtectControlGroups=true
ProtectHome=true
ProtectHostname=true
ProtectKernelLogs=true
ProtectKernelModules=true
ProtectKernelTunables=true
ProtectProc=invisible
ProtectSystem=strict
RemoveIPC=true
RestrictAddressFamilies=AF_ALG AF_INET AF_INET6 AF_NETLINK AF_UNIX
RestrictNamespaces=true
RestrictRealtime=true
RestrictSUIDSGID=true
SystemCallArchitectures=native
SystemCallErrorNumber=EPERM
SystemCallFilter=@system-service
Type=forking
WorkingDirectory=/etc/airvpn

Here is my goldcrest@.service file:

[Unit]
Description=Goldcrest
[Service]
DevicePolicy=closed
ExecStart=/usr/local/bin/goldcrest --air-connect --air-server %i
LockPersonality=true
MemoryDenyWriteExecute=true
NoNewPrivileges=true
RestrictAddressFamilies=AF_UNIX
RestrictNamespaces=true
RestrictNetworkInterfaces=lo
RestrictRealtime=true
RestrictSUIDSGID=true
Slice=background.slice
StandardError=null
StandardOutput=null
SystemCallArchitectures=native
SystemCallErrorNumber=EPERM
SystemCallFilter=@system-service

My system is running Debian 12 "bookworm" with linux 6.1.140-1 and systemd 254.26~bpo12+1.

Staff

@Pwbkkee

Hello and thank you for your tests!

Please post at your convenience the complete Bluetit log to let us investigate.

Suite components are designed after a client-daemon architecture, where Bluetit is a real daemon (not a generic service, a real daemon) and Goldcrest is a client. Your setup is odd and poses a few problems, since you turn a client into a service and you try to have a service-service arch.

What is it that you can't do with current architecture that forces you into this sort of aberration? For example, in your case if you want Bluetit to connect by itself you don't need an auxiliary service, you can do it through the run control directives in bluetit.rc file and you would have a connection as soon as Bluetit comes up, instead of being forced to wait for yet another service to come up.

Kind regards

Pwbkkee

The log snippet that I posted is the full log concerning the SIGABRT failure. The rest of Bluetit's log shows nothing abnormal. Only 2.0.0 RC2 has this issue; all previous versions of Bluetit exited cleanly.

My setup allows me to run both Bluetit and Goldcrest in sandboxed environments. It also allows me to run Goldcrest in the background without using screen. I start and stop both Bluetit and Goldcrest manually, and my goldcrest@.service file allows me to specify which server I want to connect to. I can't do that with Bluetit's automatic connection feature.

Staff

9 hours ago, Pwbkkee said:

Only 2.0.0 RC2 has this issue; all previous versions of Bluetit exited cleanly.

Thank you, under investigation.

Quote

it also allows me to run Goldcrest in the background without using screen

screen or any other multiplexer is unnecessary thanks to the async mode (option --async). We will keep you posted.

Kind regards

Linux: AirVPN Suite 2.0.0 preview available

Recommended Posts

Share this post

Link to post

Share this post

Link to post

Share this post

Link to post

Share this post

Link to post

Share this post

Link to post

NOT AN AIRVPN TEAM MEMBER. USE TICKETS FOR PROFESSIONAL SUPPORT.

Share this post

Link to post

Share this post

Link to post

Share this post

Link to post

Share this post

Link to post

Share this post

Link to post

Share this post

Link to post

Share this post

Link to post

Share this post

Link to post

Share this post

Link to post

Share this post

Link to post

Share this post

Link to post

Share this post

Link to post

Share this post

Link to post

Share this post

Link to post

Share this post

Link to post

Join the conversation