0bacon

ANSWERED Configuring White listed servers and traffic splitting


I've followed this GitLab readme here. My goal is to eventually have traffic splitting but so far I can't connect to a server.

When I run goldcrest -O there is  

ERROR: Reached end of AirVPN server list. No suitable server found.
This is because I want to only connect to Chicago-based VPNs. When goldcrest -O is entered it tells me that it's reading run control directives from file /home/xxx/.config/goldcrest.rc
So I have been configuring it there, and it looks like below. I am also confused because there are config files in /etc/airvpn/bluetit.rc, /root/.config/goldcrest.rc and my home/f/.config/goldcrest.rc. Is one of these higher priority than another?
When I leave everything in default settings then I do connect to a VPN server. So I tried to split tunnel with cuckoo -r and I get
ERROR setnamespace: Cannot open network namespace 'aircuckoo': No such file or directory
Any tips would be greatly appreciated. Thanks for your time.
 
GNU nano 8.7.1    /home/x/.config/goldcrest.rc
#
# goldcrest runcontrol file
#

#air-server            Kruger Praecipua Sneden Superba Meridiana Fang Sadalsuud
# air-vpn-type          <openvpn|wireguard>
# air-tls-mode          <auto|auth|crypt>
# air-ipv6              <on|off>
# air-6to4              <on|off>
air-user              myusername
air-password          mypassword
# air-key               <name>
air-white-server-list         Kruger Praecipua Sneden Superba Meridiana Fang Sadalsuud
# air-black-server-list         <server list>
# air-white-country-list        <country list>
# air-black-country-list        <country list>
# cipher                <cipher_name>
# proto                 <udp|tcp>
# server                <server_ip|server_url>
# port                  <port>
# tcp-queue-limit       <n>
# mtu                   <n>
# ncp-disable           <yes|no>
# network-lock          <on|iptables|nftables|pf|off>
# allow-private-network <yes|no>
# allow-ping            <yes|no|input|output>
# allow-ipv6ndp         <yes|no>
# ignore-dns-push       <yes|no>
# allowuaf              <yes|no|default>
# timeout               <seconds>
# compress              <yes|no|asym>
# proxy-host            <host_ip|host_url>
# proxy-port            <port>
# proxy-username        <proxy_username>
# proxy-password        <proxy_password>
# proxy-basic           <yes|no>
# alt-proxy             <yes|no>
# persist-tun           <on|off>
# async                 <on|off>
# conn-stat-interval    <seconds>

@0bacon
 
21 hours ago, 0bacon said:

I am also confused because there are config files in /etc/airvpn/bluetit.rc, /root/.config/goldcrest.rc and my home/f/.config/goldcrest.rc. Is one of these higher priority than another?


Hello!

That's fine, as is standard practice in a multi-user system, each user can have a different configuration file for each piece of software. However, we do not recommend running Goldcrest as root; a user belonging to the airvpn group is sufficient.
 
Quote

ERROR: Reached end of AirVPN server list. No suitable server found.


This error suggests that the intersection between the general Bluetit allowed servers set and the specific Goldcrest white listed server set is empty. Please feel free to publish the Bluetit log to let us look into this error more properly. You can generate it and store it to a specific file, in a systemd based system, with these commands:
sudo journalctl | grep bluetit > bluetit.log

21 hours ago, 0bacon said:

When I leave everything in default settings then I do connect to a VPN server. So I tried to split tunnel with cuckoo -r and I get


ERROR setnamespace: Cannot open network namespace 'aircuckoo': No such file or directory

With default settings, traffic splitting is disabled, from the manual:
Quote

allowtrafficsplitting: (on/off) enable or disable traffic splitting (unencrypted and out of the tunnel traffic) Default: off


Make sure to set allowtrafficsplitting to on in the /etc/airvpn/bluetit.rc file. Only the superuser can make this change. Since traffic splitting implies traffic flowing outside the VPN tunnel, this is one of those settings that, by design, are considered the exclusive domain of the superuser. Once you change the setting and re-start Bluetit, you should see that the problem is resolved. If not, again the Bluetit log can offer valuable insight.

Kind regards



 


Hello, I'm giving this another try. I am working with the .goldcrest.rc to choose the air-server of my choice. I want to connect to Chicago servers.

I have 

air-server            Fang,Kruger,Meridiana,Praecipua,Sadalsuud,Sneden,Superba


goldcrest -O gives 
ERROR: AirVPN Server "Fang,Kruger,Meridiana,Praecipua,Sadalsuud,Sneden,Superba" does not exist.





 

17 hours ago, 0bacon said:

Hello, I'm giving this another try. I am working with the .goldcrest.rc to choose the air-server of my choice. I want to connect to Chicago servers.


air-server            Fang,Kruger,Meridiana,Praecipua,Sadalsuud,Sneden,Superba
goldcrest -O gives 

ERROR: AirVPN Server "Fang,Kruger,Meridiana,Praecipua,Sadalsuud,Sneden,Superba" does not exist.

Hello!

Note: we asked for the Bluetit log and you never sent it. In this case it's no longer necessary because there is no problem at all, but in the future you should reply to requests, otherwise you prevent us from supporting you properly.

This is expected and correct. The air-server option requires a server name, not a list. If you want to define a list of servers you need the air-server-white-list option, which expects a list of server names separated by a comma. When you define a white list of servers, leave air-server commented out and do not specify it in the command line. The software will pick the "best" server among the white listed ones.

As a peculiar case, when you invoke Goldcrest you can still specify --air-server <server name> just in case you want a connection to a specific server included in the white list. However, you can not force a server that's not in the white list.

Nothing in /etc/airvpn/bluetit.rc must contradict goldcrest.rc as Bluetit directives and policy, that can be enforced only by root, take precedence.

Kind regards
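
The two goldcrest.rc mistakes discussed in the posts above, as an added example that is not part of the thread and not AirVPN's own code: a small shell lint that flags a list given to air-server and a white list separated by spaces instead of commas. It assumes the key/value layout and the `air-white-server-list` name shown in the posted rc template; the function name `lint_goldcrest_rc` is hypothetical, and the permission check is an addition motivated by the rc file holding air-password in clear text.

```shell
#!/bin/sh
# lint_goldcrest_rc FILE (hypothetical helper, not part of the AirVPN Suite)
# Prints one finding per line; prints nothing when the file passes.
lint_goldcrest_rc() {
    rc=$1
    # The rc file stores air-user/air-password in clear text, so it should
    # not be readable by group or others.
    if [ -n "$(find "$rc" \( -perm -040 -o -perm -004 \) 2>/dev/null)" ]; then
        echo "PERMS: $rc is readable by group/others (chmod 600)"
    fi
    awk '
        /^[ \t]*#/ { next }                        # commented-out directive
        /^[ \t]*$/ { next }                        # blank line
        {
            key = $1
            val = $0
            sub(/^[ \t]*[^ \t]+[ \t]*/, "", val)   # drop the key
            sub(/[ \t]+$/, "", val)                # drop trailing blanks
        }
        key == "air-server" {
            have_srv = 1
            if (val ~ /[, \t]/)
                print "AIR-SERVER: expects one server name, got a list: " val
        }
        key == "air-white-server-list" {
            have_wl = 1
            # a name followed by blanks and another name, with no comma between
            if (val ~ /[^, \t][ \t]+[^, \t]/)
                print "WHITE-LIST: names must be comma separated: " val
        }
        END {
            if (have_srv && have_wl)
                print "BOTH: white list defined, leave air-server commented out"
        }
    ' "$rc"
}

# Constructed sample reproducing the two mistakes from this thread.
sample=$(mktemp)
chmod 600 "$sample"
printf '%s\n' 'air-user myusername' \
    'air-server Fang,Kruger,Meridiana' \
    'air-white-server-list Kruger Praecipua Sneden' > "$sample"
lint_goldcrest_rc "$sample"
rm -f "$sample"
```
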
 


Ok, my bluetit logs are attached. /etc/airvpn/bluetit.rc has all the default settings. I've only been working with ~/.goldcrest.rc. While goldcrest -O connects to the best performing VPN server, I still don't have a connection. I suspect that it has something to do with the push dns rejected message, could you explain to me in simplest terms what that is? I see the option to ignore the dns push but I don't actually know what it does, or if it's even safe. Thanks in advance.

(I should also mention that in my firewalld.conf, I have NftablesTableOwner=no.) 

bluetit

On 3/26/2026 at 4:33 PM, 0bacon said:

I've only been working with ~/.goldcrest.rc.

On 3/13/2026 at 6:50 PM, 0bacon said:

it tells me that it's reading run control directives from file /home/xxx/.config/goldcrest.rc


Hello!

Note the discrepancy. Goldcrest may read both ~/goldcrest.rc and ~/.config/goldcrest.rc, no problems, but be aware that you might have two different files.
 
On 3/26/2026 at 4:33 PM, 0bacon said:

(I should also mention that in my firewalld.conf, I have NftablesTableOwner=no.) 


Very well, this is essential to allow network lock to work properly.
 
Quote

it has something to do with the push dns rejected message, could you explain to me in simplest terms what that is?


That's fine, it means that Network Lock blocks the traffic to your system DNS. In this case it's not really true because the system DNS has the same gateway IP address, whose traffic will be allowed in any case (you can verify by pinging 192.168.1.1 for example).

About the log, we would like a clarification, we see that, multiple times, soon after a connection you order a disconnection, for example:
 9:11:45 AM bluetit: Requested method "bluetit_status -> Bluetit is connected to VPN (WireGuard)"
 9:11:45 AM bluetit: Requested method "stop_connection"
 9:11:45 AM bluetit: Stopping WireGuard synchronous connection


Why do you order the disconnection immediately (or just a few seconds) after the connection was established? Note (just in case) that you're running goldcrest in synchronous mode, so if you destroy the window of goldcrest terminal emulator parent, it will receive a SIGTERM and in turn will require Bluetit to disconnect. So, is the disconnection ordered by you voluntarily? If so, is it because you see that no traffic flows?

As a side note, you have defined a white list of only one server. If this is intentional it's fine, but please test more, different servers, just in case there is a problem that's specific between you and Fang. You can define a white list of servers through a list of comma separated server names in the air-white-server-list option in your goldcrest.rc file.

Kind regards
 


I don't close the terminal window. I enter goldcrest -O and it says that it is connected but I can't reach anything. I send kill command after I confirm that I have no connection. I've given it at least 30 seconds before the kill command, maybe something is causing it to quit after a few seconds?

On 3/27/2026 at 9:48 PM, 0bacon said:

I don't close the terminal window. I enter goldcrest -O and it says that it is connected but I can't reach anything. I send kill command after I confirm that I have no connection. I've given it at least 30 seconds before the kill command, maybe something is causing it to quit after a few seconds?


Hello!

So, the AirVPN Suite works fine as expected. The problem causing the traffic not flowing in the tunnel must lie elsewhere. First, let's determine whether the traffic is completely blocked or it is only apparently blocked. Try to resolve names and ping destinations without name resolution and let's examine the outcome. Examples:
ping -c 4 8.8.8.8
dig google.com
Also, can you please test a connection over OpenVPN? Please set airvpntype openvpn on /etc/airvpn/bluetit.rc file, re-start Bluetit and test again a connection. If it fails too, switch to TCP by setting airproto tcp, re-start Bluetit and test again connections.

Kind regards
 

ping -c 4 8.8.8.8
dig google.com
PING 8.8.8.8 (8.8.8.8) 56(84) bytes of data.

--- 8.8.8.8 ping statistics ---
4 packets transmitted, 0 received, 100% packet loss, time 3108ms

;; communications error to 10.128.0.1#53: timed out
;; communications error to 10.128.0.1#53: timed out
;; communications error to 10.128.0.1#53: timed out
;; communications error to fd7d:76ee:e68f:a993::1#53: timed out

; <<>> DiG 9.18.44 <<>> google.com
;; global options: +cmd
;; no servers could be reached
While testing my connection over OpenVPN, I have this (I did restart the bluetit service)
2026-03-30 12:35:03 Logging in AirVPN user 0000
2026-03-30 12:35:11 AirVPN user 0000 successfully logged in
2026-03-30 12:35:11 Selected user key: Default
2026-03-30 12:35:11 Auto quick connection mode enabled
2026-03-30 12:35:11 ERROR: Reached end of AirVPN server list. No suitable server found.
2026-03-30 12:35:11 Logging out AirVPN user 000
Then I added the Chicago servers to the whitelist in bluetit.rc and I received the same "no suitable server found" message.

@0bacon

Hello!

Bluetit is correctly forbidding connections to servers of the country you are in. Resolve it by setting forbidquickhomecountry off in /etc/airvpn/bluetit.rc (or build a white list of servers outside your home country). From the manual:
Quote

forbidquickhomecountry: (on/off) Never allow quick connection to connect [to] servers in the country where your computer is located at, including those specified in the white list (option airwhiteserverlist). For security reasons, AirVPN strongly advises to set this option on. Default: on


From your tests we see that the traffic doesn't flow in the WireGuard tunnel - it could be a block enforced by your ISP, but make sure that you disable firewalld first just in case and test again:
sudo systemctl stop firewalld
If the problem persists let's check with OpenVPN. Try OpenVPN over UDP and over TCP.

Kind regards
 


Good news! forbidquickhomecountry was the issue. I can now use the VPN. Thanks!

I really appreciate your help. I still have another issue. I want to use cuckoo for traffic splitting. I made allowtrafficsplitting yes in the bluetit.rc

As user airvpn I run goldcrest -O

After enabling allowtrafficsplitting in bluetit.rc, I no longer have a connection. Everything worked, I enabled allowtrafficsplitting yes, no connection, I disabled allowtrafficsplitting, I still don't have a connection. So allowtrafficsplitting seems to have broken something. I restarted my PC, no change. I disabled firewalld, no change. It's weird that everything was working and allowtrafficsplitting on and off has made it so that I have no connection.

2026-04-01 11:31:22 WARNING: Traffic splitting setup is dirty. Trying to clean and restore settings.
2026-04-01 11:31:22 Successfully deleted 'aircuckoo' namespace
2026-04-01 11:31:22 Successfully restored traffic split settings.
2026-04-01 11:31:22 ERROR: Traffic Split Error: 'ip' execution error: (netns exec IPv6 route add) RTNETLINK answers: File exists
I attached the full log files. 
I really am trying my best 

 

bluetit2 cuckoo trafficspli


I reinstalled AirVPN Suite, followed the directions from the setup guide and your directions. It appears that WireGuard is blocked. When set to openvpn, I have a connection. Changes to username, pw, and allowtrafficsplitting were made in the bluetit.rc, all other options are defaulted.

When I run cuckoo -r /usr/bin/steam 
From what I have read the namespace aircuckoo is supposed to be created on its own. I tried to rm the directory but it doesn't exist. What's weirder is the RTNETLINK answers: File exists?

airvpn@fedora:~$ cuckoo -r /usr/bin/steam
Cuckoo - AirVPN Traffic Splitting Manager 2.0.0 - 22 July 2025

ERROR setnamespace: Cannot open network namespace 'aircuckoo': No such file or directory
11:18:27 AM bluetit: ERROR: REPLAY_ERROR
11:18:27 AM bluetit: ERROR: REPLAY_ERROR
11:18:27 AM bluetit: ERROR: PKTID_REPLAY
11:17:55 AM bluetit: ERROR: REPLAY_ERROR
11:17:55 AM bluetit: ERROR: PKTID_REPLAY
11:17:36 AM bluetit: Requested method "list_pushed_dns"
11:17:21 AM bluetit: ERROR: REPLAY_ERROR
11:17:21 AM bluetit: ERROR: PKTID_REPLAY
11:16:52 AM bluetit: ERROR: REPLAY_ERROR
11:16:52 AM bluetit: ERROR: PKTID_REPLAY
11:16:47 AM bluetit: ERROR: Traffic Split Error: 'ip' execution error: (netns exec IPv6 route add) RTNETLINK answers: File exists
11:16:47 AM bluetit: Successfully restored traffic split settings.
11:16:47 AM bluetit: Successfully deleted 'aircuckoo' namespace
11:16:47 AM bluetit: WARNING: Traffic splitting setup is dirty. Trying to clean and restore settings.



FIXED (systemctl restart NetworkManager)

ERROR: Traffic Split Error: 'ip' execution error: (netns exec IPv6 route add) RTNETLINK answers: File exists
 

bluetit3


Following the directions from airvpn.org/forums
I set the IPv4 manually to 192.169.x.x/24 and the ip execution error, traffic splitting setup is dirty error has gone away.

I also created the user cuckoo because it did not exist and made airvpn the primary usergroup. When logged in as airvpn I run cuckoo -r steam and I get

ERROR setnamespace: Cannot open network namespace 'aircuckoo': No such file or directory
Then in the bluetit.rc I changed trafficsplitnamespace even though its default should be the same, no change.
trafficsplitnamespace             aircuckoo
Here are my new bluetit logs

bluetit4


I think it had something to do with Fedora, specifically the SELinux. I switched to Arch and everything went smoothly.
