Pi77Bull

Suite: Issue with traffic splitting and reconnect

Hi everyone. I have a couple of issues.

For your information: I'm using Fedora 43 (KDE Spin) on a Laptop with WiFi and the AirVPN Suite 2.0.0.

My bluetit.rc file looks like (I stripped bootstrap servers and RSA parameters):

airconnectatboot                  quick
networklockpersist                on
airusername                       <redacted>
airpassword                       <redacted>
airkey                            Laptop
forbidquickhomecountry            on
country                           us
tunpersist                        on
networkcheck                      off
allowprivatenetwork               on
allowping                         off
ignorednspush                     off
allowtrafficsplitting             on
trafficsplitfirewall              on

and my goldcrest.rc only specifies air-user, air-password and air-key.
 
  1. When 'networkcheck' was 'on' (the default value), the bluetit.service got stuck waiting for the network ('systemctl status bluetit' printed something along the lines of "waiting for network" over and over again)
    Now that it's set to 'off' everything works as expected.
  2. Traffic splitting doesn't work. I suspect this has to do with Fedora restricting user namespaces (or something like that). I'm not very familiar with that.
    When I run 'cuckoo -r bash' I get this output: 
    ERROR setnamespace: Cannot open directory '/etc/netns/aircuckoo': No such file or directory
    Or maybe it's something completely different, I really don't know.
  3. When disconnecting the connection via 'goldcrest --disconnect' and after that reconnecting via 'goldcrest --reconnect', I get the following error:
    ERROR: Cannot start WireGuard connection. Client name and user name (system login name) not provided.
    When reconnecting while the connection is still active, everything works.

If anybody can help with 2. and 3. I'd be very happy. If you need more info, please ask.

@Pi77Bull

Hello!

1. This is a bug experienced on different distributions by a few users but not reproducible on our systems at the moment. A comprehensive inquiry to understand and fix the issue is slated for the near future. In the meantime, can you please also test this:
networkcheck airvpn
and verify what happens? Remember to re-start Bluetit each time you edit its configuration file, of course.

Can you also tell us whether the Docker daemon dockerd is running in your system? According to another report, when this daemon runs (even if no containers are created) the problem you experience appears, and when the daemon is stopped networkcheck works fine but only in airvpn mode and not in gateway mode.

2. This is unexpected. Can you please send us a complete Bluetit log taken after the problem has occurred?
sudo journalctl | grep bluetit > bluetit.log

3. This is expected as the reconnect option is intended solely for the re-establishment of an extant session. A more contextually apposite, tailored to your specific circumstance, error message will be duly considered.

Kind regards
 


1. With networkcheck airvpn the connection was successful, but between resuming from sleep and establishing the connection I was able to check my public IP and saw my real one. With networkcheck off this doesn't happen.
I've attached two logs - one with networkcheck on and one with networkcheck airvpn .
Regarding Docker, I have never installed Docker on this machine. I have Podman, though I don't use it and its services are all stopped and disabled.

2. I've attached the log from right after running cuckoo -r bash . It says "Cannot find a free IPv4 in 's network". Seems like it can't find the network or something.

3. OK, good to know.

networkcheck_airvpn_bluetit.log networkcheck_on_bluetit.log trafficsplit_bluetit.log

@Pi77Bull

Hello!

Thanks for all the logs. They will help us address the waiting for network loop problem which is under investigation.

The traffic splitting configuration is "dirty" for unknown reasons. You might resolve this specific problem by deleting the /etc/netns/aircuckoo directory content while Bluetit is not running. Please let us know whether this operation solves the problem or not.

Kind regards
 

Posted ... (edited)

You're welcome. If you need anything else, let me know.

There was no aircuckoo directory when bluetit was stopped. But I tried using cuckoo again and now it works.
I did see an issue with SELinux. It said systemd couldn't unlink the file "bluetit.lock" and I just allowed that. That might have been what made it work.

Edit: never mind, I just rebooted and now it doesn't work anymore. But there is still no aircuckoo directory when bluetit is stopped.

Thank you for your help and the awesome work you do!

Edited ... by Pi77Bull

2 hours ago, Pi77Bull said:

there is still no aircuckoo directory when bluetit is stopped.


Thank you.

We're still struggling to reproduce the problem.

The problem with cuckoo is caused by the fact that Bluetit cannot create a namespace because no suitable IP address can be found:
Feb 26 19:15:52 <redacted> bluetit[207809]: ERROR: Cannot find a free IPv4 in 's network. Please specify a valid IPv4 address in file /etc/airvpn/bluetit.rc by using 'trafficsplitipv4' directive. Traffic splitting is disabled.


Mentioning the user's manual:
Quote

In case the system is not behind a NAT or router (this is usually the condition for ISP, corporate or institutional entities) the administrator will need to manually assign a specific public IP address to the network namespace dedicated to traffic splitting. In this specific case, to manually set a public IP address, the system administrator can use the directives trafficsplitipv4 and/or trafficsplitipv6 in Bluetit run control file.

The system administrator is warned to keep this limitation in mind especially in case the AirVPN Suite is run with per application traffic splitting on a dedicated or virtual server in some datacenter, as most of the times they are not behind any NAT or router.


However, given that your system is behind a NAT (your gateway address is 192.168.1.1, can you confirm?), we might be experiencing a failure of Bluetit's method to determine a free IP address for the namespace. If so, can you please force manually (according to the above instructions) an address for your namespace? Please make sure it is an address inside your subnet and not used by any other machine in your local network. Then, (re)start Bluetit and check whether the namespace is created properly. Can you also send us the output of the following commands please?
ip addr show
ip -6 r

Kind regards
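
A pre-flight check for the manual trafficsplitipv4 assignment described above, as an added example that is not part of the original posts and not AirVPN code. The function names are hypothetical; it only tests subnet membership and reserved addresses, so whether another machine on the LAN already holds the address still has to be verified separately.

```shell
# Added example, not AirVPN code: sanity-check a trafficsplitipv4 candidate.

# Excerpt of the `ip addr show` output posted in this thread.
sample_ip_addr() {
cat <<'EOF'
2: wlp2s0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue state UP group default qlen 1000
    inet 192.168.1.241/24 brd 192.168.1.255 scope global dynamic noprefixroute wlp2s0
15: tun0: <POINTOPOINT,NOARP,UP,LOWER_UP> mtu 1320 qdisc noqueue state UNKNOWN group default qlen 1000
    inet 10.168.106.115/32 scope global tun0
EOF
}

# Read `ip addr show` output on stdin, print the IPv4 CIDR of interface $1.
host_cidr() {
    awk -v dev="$1" '$1 == "inet" && $NF == dev { print $2; exit }'
}

# Dotted quad -> integer; fails on malformed input.
ip2int() {
    case "$1" in *[!0-9.]*|*..*|.*|*.) return 1 ;; esac
    old_ifs=$IFS; IFS=.; set -- $1; IFS=$old_ifs
    [ $# -eq 4 ] || return 1
    for o in "$@"; do
        case "$o" in 0?*|????*) return 1 ;; esac
        [ "$o" -le 255 ] || return 1
    done
    echo $(( ($1 << 24) | ($2 << 16) | ($3 << 8) | $4 ))
}

# check_candidate CANDIDATE HOST_CIDR GATEWAY: prints "ok" or the reason.
check_candidate() {
    case "$2" in */[0-9]|*/[12][0-9]|*/3[0-2]) ;;
        *) echo "host address needs a /0 to /32 prefix"; return 1 ;; esac
    cand=$(ip2int "$1")      || { echo "malformed candidate"; return 1; }
    host=$(ip2int "${2%/*}") || { echo "malformed host address"; return 1; }
    gw=$(ip2int "$3")        || { echo "malformed gateway"; return 1; }
    mask=$(( (4294967295 << (32 - ${2#*/})) & 4294967295 ))
    net=$(( host & mask ))
    bcast=$(( net | (4294967295 ^ mask) ))
    if   [ $(( cand & mask )) -ne "$net" ]; then reason="outside subnet"
    elif [ "$cand" -eq "$net" ];   then reason="network address"
    elif [ "$cand" -eq "$bcast" ]; then reason="broadcast address"
    elif [ "$cand" -eq "$host" ];  then reason="same as host address"
    elif [ "$cand" -eq "$gw" ];    then reason="gateway address"
    else reason=ok; fi
    echo "$reason"; [ "$reason" = ok ]
}
# 192.168.1.5 is the value tried in the thread; 192.168.1.1 is the gateway.
check_candidate 192.168.1.5 "$(sample_ip_addr | host_cidr wlp2s0)" 192.168.1.1 || true
```

On a live system, replace `sample_ip_addr` with `ip addr show` and pass the gateway reported by `ip route`.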
 


Yes I'm behind a NAT. I've set trafficsplitipv4 192.168.1.5, restarted bluetit and tried cuckoo, but got the same error:

ERROR setnamespace: Cannot open directory '/etc/netns/aircuckoo': No such file or directory

I've attached the new log again. Also just to make sure we're on the same page. Before I edited my previous post cuckoo did work and it showed this in the logs:
Feb 27 13:46:55 <redacted> bluetit[27029]: WARNING: Traffic splitting setup is dirty. Trying to clean and restore settings.
Feb 27 13:46:55 <redacted> bluetit[27029]: Successfully deleted 'aircuckoo' namespace
Feb 27 13:46:55 <redacted> bluetit[27029]: Successfully restored traffic split settings.
Feb 27 13:46:55 <redacted> bluetit[27029]: Traffic splitting successfully enabled. Unencrypted (outside of the VPN tunnel) traffic is available through network namespace 'aircuckoo'
Feb 27 13:46:55 <redacted> bluetit[27029]: Traffic splitting network interface: wlp2s0
Feb 27 13:46:55 <redacted> bluetit[27029]: Traffic splitting IPv4 address: 192.168.1.242
Feb 27 13:46:55 <redacted> bluetit[27029]: Traffic splitting IPv6 address: fd0d:5d57:5a18::8d7
Feb 27 13:46:55 <redacted> bluetit[27029]: Connection monitor thread started

This only appears a total of 9 times in the logs so it seems to be pretty random.

And here is the output of the commands:
$ ip addr show
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN group default qlen 1000
    link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
    inet 127.0.0.1/8 scope host lo
       valid_lft forever preferred_lft forever
    inet6 ::1/128 scope host noprefixroute 
       valid_lft forever preferred_lft forever
2: wlp2s0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue state UP group default qlen 1000
    link/ether de:ca:af:ad:6d:22 brd ff:ff:ff:ff:ff:ff permaddr 9c:b6:d0:d6:92:dd
    altname wlx9cb6d0d692dd
    inet 192.168.1.241/24 brd 192.168.1.255 scope global dynamic noprefixroute wlp2s0
       valid_lft 30165sec preferred_lft 30165sec
    inet6 fd0d:5d57:5a18::8d6/128 scope global dynamic noprefixroute 
       valid_lft 30167sec preferred_lft 30167sec
    inet6 2a00:20:637b:998f::8d6/128 scope global dynamic noprefixroute 
       valid_lft 30167sec preferred_lft 30167sec
    inet6 2a00:20:637b:998f:483e:edc0:722a:e2fc/64 scope global noprefixroute 
       valid_lft forever preferred_lft 604533sec
    inet6 fd0d:5d57:5a18:0:cce5:a2d6:aac1:fa1e/64 scope global noprefixroute 
       valid_lft forever preferred_lft 604533sec
    inet6 fe80::9e35:789d:3c3d:2612/64 scope link noprefixroute 
       valid_lft forever preferred_lft forever
15: tun0: <POINTOPOINT,NOARP,UP,LOWER_UP> mtu 1320 qdisc noqueue state UNKNOWN group default qlen 1000
    link/none 
    inet 10.168.106.115/32 scope global tun0
       valid_lft forever preferred_lft forever
    inet6 fd7d:76ee:e68f:a993:132f:23e:9be9:555f/128 scope global 
       valid_lft forever preferred_lft forever

$ ip -6 r
2a00:20:637b:998f::8d6 dev wlp2s0 proto kernel metric 600 pref medium
2a00:20:637b:998f::/64 dev wlp2s0 proto ra metric 600 pref medium
::/1 dev tun0 metric 1024 pref medium
8000::/2 dev tun0 metric 1024 pref medium
c000::/3 dev tun0 metric 1024 pref medium
e000::/4 dev tun0 metric 1024 pref medium
f000::/5 dev tun0 metric 1024 pref medium
f800::/6 dev tun0 metric 1024 pref medium
fc00::/8 dev tun0 metric 1024 pref medium
fd0d:5d57:5a18::8d6 dev wlp2s0 proto kernel metric 600 pref medium
fd0d:5d57:5a18::/64 dev wlp2s0 proto ra metric 600 pref medium
fd0d:5d57:5a18::/48 via fe80::9683:c4ff:fea6:5876 dev wlp2s0 proto ra metric 600 pref medium
fd7d:76ee:e68f:a993:132f:23e:9be9:555f dev tun0 proto kernel metric 256 pref medium
fe80::/64 dev wlp2s0 proto kernel metric 1024 pref medium
fe00::/7 dev tun0 metric 1024 pref medium
8000::/1 dev tun0 metric 1024 pref medium
default via fe80::9683:c4ff:fea6:5876 dev wlp2s0 proto ra metric 20600 pref medium

bluetit.log
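
To see how often each Bluetit start ended with traffic splitting enabled, disabled, or enabled after a cleanup, the journal can be summarised per daemon PID. This is an added example, not part of the original posts and not AirVPN code; the function names are hypothetical and the matched strings are the log messages quoted in this thread.

```shell
# Added example, not AirVPN code: traffic-splitting outcome per Bluetit start.

# Log lines quoted in this thread (host name already redacted by the poster).
sample_log() {
cat <<'EOF'
Feb 26 19:15:52 <redacted> bluetit[207809]: ERROR: Cannot find a free IPv4 in 's network. Please specify a valid IPv4 address in file /etc/airvpn/bluetit.rc by using 'trafficsplitipv4' directive. Traffic splitting is disabled.
Feb 27 13:46:55 <redacted> bluetit[27029]: WARNING: Traffic splitting setup is dirty. Trying to clean and restore settings.
Feb 27 13:46:55 <redacted> bluetit[27029]: Successfully deleted 'aircuckoo' namespace
Feb 27 13:46:55 <redacted> bluetit[27029]: Successfully restored traffic split settings.
Feb 27 13:46:55 <redacted> bluetit[27029]: Traffic splitting successfully enabled. Unencrypted (outside of the VPN tunnel) traffic is available through network namespace 'aircuckoo'
Feb 27 13:46:55 <redacted> bluetit[27029]: Traffic splitting IPv4 address: 192.168.1.242
EOF
}

# Read journal lines on stdin; print "PID outcome cleanup namespace-IPv4" for
# each Bluetit PID in order of first appearance (one PID = one daemon start).
splitting_outcomes() {
    awk '
    match($0, /bluetit\[[0-9]+\]/) {
        pid = substr($0, RSTART + 8, RLENGTH - 9)
        if (!(pid in state)) { order[++n] = pid; state[pid] = "unknown"; ip[pid] = "-" }
        if ($0 ~ /Traffic splitting setup is dirty/)            dirty[pid] = 1
        else if ($0 ~ /Traffic splitting successfully enabled/) state[pid] = "enabled"
        else if ($0 ~ /Cannot find a free IPv4/)                state[pid] = "disabled:no-free-ipv4"
        else if ($0 ~ /Traffic splitting is disabled/)          state[pid] = "disabled"
        else if ($0 ~ /Traffic splitting IPv4 address: /)       ip[pid] = $NF
    }
    END {
        for (i = 1; i <= n; i++) {
            p = order[i]
            print p, state[p], ((p in dirty) ? "after-cleanup" : "no-cleanup"), ip[p]
        }
    }'
}

# Count how many starts ended with traffic splitting enabled.
enabled_count() {
    splitting_outcomes | awk '$2 == "enabled" { c++ } END { print c + 0 }'
}

sample_log | splitting_outcomes
```

On a live system, feed it with `sudo journalctl -u bluetit.service | splitting_outcomes` instead of the embedded sample.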
