adilakport

AirVPN in Incus Container

I decided to try out AirVPN for a couple days and purchased the smallest plan. I am using Incus (Linux System Container) in my homelab setup. It is a headless setup running Debian Bookworm, and I used eddie-cli.

Initially everything worked fine, and I even managed to get port forwarding working. But later, while I was exploring, I did something with `netlock`. I'm not really sure what I did, or even whether this is the reason why I'm not able to connect anymore. Right now it fails with the following debug message:
 

Quote
I 2025.03.30 09:32:27 - Checking route IPv4
. 2025.03.30 09:32:31 - Elevated: Command:dns-switch-do
. 2025.03.30 09:32:31 - Elevated: Exec, path:'/usr/bin/resolvectl', arg:'dns', arg:'eth0', arg:'10.128.0.1', arg:'fd7d:76ee:e68f:a993::1', exit:0
. 2025.03.30 09:32:31 - Elevated: Exec, path:'/usr/bin/resolvectl', arg:'default-route', arg:'eth0', arg:'false', exit:0
. 2025.03.30 09:32:41 - Elevated: Command:dns-switch-do
. 2025.03.30 09:32:41 - Elevated: Exec, path:'/usr/bin/resolvectl', arg:'dns', arg:'eth0', arg:'10.128.0.1', arg:'fd7d:76ee:e68f:a993::1', exit:0
. 2025.03.30 09:32:41 - Elevated: Exec, path:'/usr/bin/resolvectl', arg:'default-route', arg:'eth0', arg:'false', exit:0
. 2025.03.30 09:32:51 - Elevated: Command:dns-switch-do
. 2025.03.30 09:32:51 - Elevated: Exec, path:'/usr/bin/resolvectl', arg:'dns', arg:'eth0', arg:'10.128.0.1', arg:'fd7d:76ee:e68f:a993::1', exit:0
. 2025.03.30 09:32:51 - Elevated: Exec, path:'/usr/bin/resolvectl', arg:'default-route', arg:'eth0', arg:'false', exit:0
. 2025.03.30 09:33:01 - Elevated: Command:dns-switch-do
. 2025.03.30 09:33:01 - Elevated: Exec, path:'/usr/bin/resolvectl', arg:'dns', arg:'eth0', arg:'10.128.0.1', arg:'fd7d:76ee:e68f:a993::1', exit:0
. 2025.03.30 09:33:02 - Elevated: Exec, path:'/usr/bin/resolvectl', arg:'default-route', arg:'eth0', arg:'false', exit:0
. 2025.03.30 09:33:03 - Checking route (4° try)
. 2025.03.30 09:33:12 - Elevated: Command:dns-switch-do
. 2025.03.30 09:33:12 - Elevated: Exec, path:'/usr/bin/resolvectl', arg:'dns', arg:'eth0', arg:'10.128.0.1', arg:'fd7d:76ee:e68f:a993::1', exit:0
. 2025.03.30 09:33:12 - Elevated: Exec, path:'/usr/bin/resolvectl', arg:'default-route', arg:'eth0', arg:'false', exit:0
. 2025.03.30 09:33:17 - Checking route (5° try)
. 2025.03.30 09:33:22 - Elevated: Command:dns-switch-do
. 2025.03.30 09:33:22 - Elevated: Exec, path:'/usr/bin/resolvectl', arg:'dns', arg:'eth0', arg:'10.128.0.1', arg:'fd7d:76ee:e68f:a993::1', exit:0
. 2025.03.30 09:33:22 - Elevated: Exec, path:'/usr/bin/resolvectl', arg:'default-route', arg:'eth0', arg:'false', exit:0
E 2025.03.30 09:33:27 - Checking route IPv4 failed, last reason: Fetch url error:Timeout was reached
! 2025.03.30 09:33:27 - Disconnecting


I'm attaching the full debug log as a file. I have tried the usual (uninstall, purge, restart, etc.) but no luck. I tried searching the forum and Google, but could not find a solution. Any help is appreciated.

eddie_2025-03-30.log

Link to post
Posted ... (edited)

Please close this topic, as this got automatically resolved without me doing anything. Not really sure what is going on.

I remember creating a new thread, but somehow my new topic got added under this one. Hence this edit.

Edited ... by adilakport
new topic didn't get created

Link to post

I started to test out AirVPN yesterday, and the experiment continues. I'm using Incus for creating system containers, and I'm testing inside it.

So today I decided to test out AirVPN in a single, isolated, fresh container to see the issues in more detail. The steps I did are given below:

1. Launched a container with Debian Bookworm 12, amd64.
2. Added `non-free` and `non-free-firmware` sources and ran `apt update`
3. Added eddie repository and restarted the container
4. Then installed eddie-cli,

apt install eddie-cli
5. I tried to start AirVPN and got the following error (Colour added by me) [Debug Level]

I 2025.03.31 07:04:05 - Server switch requested from keyboard.
. 2025.03.31 07:04:05 - Elevated: Command:ping-request
. 2025.03.31 07:04:05 - Elevated: Command:ping-request
I 2025.03.31 07:04:05 - Session starting.
F 2025.03.31 07:04:05 - There is no available or enabled Network Lock mode, sorry.
I 2025.03.31 07:04:05 - Cancel requested.
. 2025.03.31 07:04:05 - Elevated: Command:ping-request
. 2025.03.31 07:04:05 - Elevated: Command:ping-request
. 2025.03.31 07:04:05 - Elevated: Command:ping-request
x. 2025.03.31 07:04:19 - Above log line repeated 157 times more
I 2025.03.31 07:04:19 - Cancel requested from keyboard.
. 2025.03.31 07:04:19 - Shutdown in progress
! 2025.03.31 07:04:19 - Session terminated.
. 2025.03.31 07:04:19 - Elevated: Client soft disconnected
! 2025.03.31 07:04:19 - Logged out.
. 2025.03.31 07:04:20 - Shutdown complete


6. Some trial and error indicated it is the lack of ip-tables/nf_tables so I installed
apt install nftables
7. Again started eddie-cli. This time the error changed; again, colour added by me. [Debug Level]

I 2025.03.31 07:04:52 - Server switch requested from keyboard.
. 2025.03.31 07:04:52 - Elevated: Command:ping-request
. 2025.03.31 07:04:52 - Elevated: Command:ping-request
I 2025.03.31 07:04:52 - Session starting.
. 2025.03.31 07:04:52 - Elevated: Command:netlock-nftables-available
. 2025.03.31 07:04:52 - Elevated: Exec, path:'/usr/sbin/nft', arg:'list', arg:'ruleset', exit:0
. 2025.03.31 07:04:52 - Activation of Network Lock - Linux nftables
. 2025.03.31 07:04:52 - Elevated: Command:netlock-nftables-activate
. 2025.03.31 07:04:52 - Elevated: Exec, path:'/usr/sbin/nft', arg:'list', arg:'ruleset', exit:0
. 2025.03.31 07:04:52 - Elevated: Exec, path:'/usr/sbin/nft', arg:'-f', arg:'/tmp/eddie_tmp_netlock_nftables_apply.nft', exit:1, err:'netlink: Error: Could not process rule: Message too long'
. 2025.03.31 07:04:52 - Elevated: Command:netlock-nftables-deactivate
. 2025.03.31 07:04:52 - Elevated: Exec, path:'/usr/sbin/nft', arg:'flush', arg:'ruleset', exit:0
. 2025.03.31 07:04:52 - Elevated: Exec, path:'/usr/sbin/nft', arg:'-f', arg:'/tmp/eddie_tmp_netlock_nftables_backup.nft', exit:0
F 2025.03.31 07:04:52 - Exception: nft issue: exit:1; err:netlink: Error: Could not process rule: Message too long; path:/usr/sbin/nft; arg:-f; arg:/tmp/eddie_tmp_netlock_nftables_apply.nft - Stack: at Eddie.Platform.Linux.NetworkLockNftables.Activation()
F 2025.03.31 07:04:52 -     at Eddie.Core.NetworkLockManager.Activation(Boolean)
I 2025.03.31 07:04:52 - Cancel requested.
. 2025.03.31 07:04:53 - Elevated: Command:ping-request
. 2025.03.31 07:04:53 - Elevated: Command:ping-request
. 2025.03.31 07:04:53 - Elevated: Command:ping-request
x. 2025.03.31 07:05:32 - Above log line repeated 122 times more
I 2025.03.31 07:05:32 - Cancel requested from keyboard.
. 2025.03.31 07:05:32 - Shutdown in progress
! 2025.03.31 07:05:32 - Session terminated.
. 2025.03.31 07:05:32 - Elevated: Client soft disconnected
! 2025.03.31 07:05:32 - Logged out.
. 2025.03.31 07:05:32 - Shutdown complete


Not sure how to proceed. Looks like some issue with nf_tables and the rule passed into it. So what can be done at this stage?

Important: Last time AirVPN worked inside a similar container with ip-tables-legacy, so it definitely looks like an `nf_table`-related issue.

If there is any other way to get more debug information, please let me know.
 

Link to post

So I'm not sure how this works, but I found out after running,

apt install iptables
apt remove nftables
I'm able to connect. But it still

root@vpn-host:~# iptables --version
iptables v1.8.9 (nf_tables)

Also, the log used to show 

. 2025.03.31 14:16:43 - Elevated: Command:netlock-nftables-available

But after removing, as expected,

. 2025.03.31 14:17:19 - Elevated: Command:netlock-iptables-available


So I guess this is specific to nftables and iptables-legacy works inside the container.
 

Link to post
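
Added example, not part of the posts above and not code from Eddie or AirVPN: two shell helpers for triaging what this thread shows. `netlock_triage` summarises which Network Lock mode Eddie probed and whether activation failed, using only log strings quoted in the thread, and `iptables_backend` reads the backend from the `iptables --version` string; the function names and the abridged sample log are constructed for illustration.

```shell
#!/bin/sh
# Added example, not Eddie's code. The log patterns are the ones quoted in
# this thread; the sample log below is constructed (abridged) from those lines.

# Report the backend named in `iptables --version` output. iptables 1.8+
# appends "(nf_tables)" or "(legacy)" after the version number.
iptables_backend() {
    case "$1" in
        *"(nf_tables)"*) echo nf_tables ;;
        *"(legacy)"*)    echo legacy ;;
        *)               echo unknown ;;
    esac
}

# Read Eddie debug-log text on stdin and summarise the Network Lock outcome.
netlock_triage() {
    awk '
        /Command:netlock-nftables-available/ { mode = "nftables" }
        /Command:netlock-iptables-available/ { mode = "iptables" }
        /There is no available or enabled Network Lock mode/ { status = "unavailable" }
        /Command:netlock-[a-z0-9]+-activate/ { if (status == "") status = "activated" }
        /^F .*Exception:/ && status == "activated" {
            status = "failed"
            # Keep the tool error text between "err:" and the next ";".
            if (match($0, /err:[^;]*/)) reason = substr($0, RSTART + 4, RLENGTH - 4)
        }
        END {
            printf "mode=%s status=%s", (mode != "" ? mode : "none"), (status != "" ? status : "not-attempted")
            if (reason != "") printf " reason=%s", reason
            printf "\n"
        }
    '
}

# Constructed sample: three lines abridged from the nftables failure log above.
sample_log() {
    cat <<'EOF'
. 2025.03.31 07:04:52 - Elevated: Command:netlock-nftables-available
. 2025.03.31 07:04:52 - Elevated: Command:netlock-nftables-activate
F 2025.03.31 07:04:52 - Exception: nft issue: exit:1; err:netlink: Error: Could not process rule: Message too long; path:/usr/sbin/nft
EOF
}

sample_log | netlock_triage
iptables_backend "iptables v1.8.9 (nf_tables)"
```

On a real system, feed the saved Eddie log to `netlock_triage` on stdin and pass the output of `iptables --version` to `iptables_backend`. A status other than `activated` means the Network Lock rules were not applied for that session.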
