Leaderboard


Popular Content

Showing content with the highest reputation on 07/08/21 in Posts

  1. 1 point
    9zkHR9tCN7bo

    Linux: AirVPN Suite 1.1.0 released

    @Staff Hi! Thanks for the detailed explanation! It looks like timing is perfect: Bluetit service starts at the same second as Network-Online becomes active and connecting to AirVPN server takes only 2 seconds.

    This time I had my real IP address along with the ability to visit absolutely any website through the browser within a minute and a half from the moment I entered the user's password and the desktop appeared (yes, I counted it using a stopwatch 😀). I can access the Internet directly through the provider (without VPN connection yet) immediately at the moment the desktop appears (at the same moment any website is successfully loaded in my browser). It looks like network-online.target is a little late on average from a minute to two: while the real Internet access is already available, the service is still inactive for a short period of time.

    Here are the results of the commands:

        [hotcapy@hotcapy-desktop ~]$ sudo systemctl status network-online.target
        [sudo] password for hotcapy:
        ● network-online.target - Network is Online
        Loaded: loaded (/usr/lib/systemd/system/network-online.target; static)
        Active: active since Thu 2021-07-08 16:44:58 +07; 29s ago
        Docs: man:systemd.special(7)
        https://www.freedesktop.org/wiki/Software/systemd/NetworkTarget

        июл 08 16:44:58 hotcapy-desktop systemd[1]: Reached target Network is Online.

        [hotcapy@hotcapy-desktop ~]$ sudo journalctl | grep bluetit
        июл 08 16:44:58 hotcapy-desktop bluetit[4049]: Starting Bluetit - AirVPN OpenVPN 3 Service 1.1.0 - 4 June 2021
        июл 08 16:44:58 hotcapy-desktop bluetit[4049]: OpenVPN core 3.7 AirVPN linux x86_64 64-bit
        июл 08 16:44:58 hotcapy-desktop bluetit[4049]: Copyright (C) 2012-2020 OpenVPN Inc. All rights reserved.
        июл 08 16:44:58 hotcapy-desktop bluetit[4051]: Bluetit daemon started with PID 4051
        июл 08 16:44:58 hotcapy-desktop bluetit[4051]: External network is reachable via gateway 10.21.10.88 through interface enp37s0
        июл 08 16:44:58 hotcapy-desktop systemd[1]: bluetit.service: Supervising process 4051 which is not our child. We'll most likely not notice when it exits.
        июл 08 16:44:58 hotcapy-desktop audit[1]: SERVICE_START pid=1 uid=0 auid=4294967295 ses=4294967295 msg='unit=bluetit comm="systemd" exe="/usr/lib/systemd/systemd" hostname=? addr=? terminal=? res=success'
        июл 08 16:44:58 hotcapy-desktop bluetit[4051]: Successfully connected to D-Bus
        июл 08 16:44:58 hotcapy-desktop bluetit[4051]: Reading run control directives from file /etc/airvpn/bluetit.rc
        июл 08 16:44:58 hotcapy-desktop bluetit[4051]: IPv6 is available in this system
        июл 08 16:44:58 hotcapy-desktop bluetit[4051]: System country set to R2 by Bluetit policy.
        июл 08 16:44:58 hotcapy-desktop bluetit[4051]: WARNING: networklockpersist directive found in /etc/airvpn/bluetit.rc. networklock directive is ignored.
        июл 08 16:44:58 hotcapy-desktop bluetit[4051]: Bluetit successfully initialized and ready
        июл 08 16:44:58 hotcapy-desktop kernel: audit: type=1130 audit(1625737498.647:91): pid=1 uid=0 auid=4294967295 ses=4294967295 msg='unit=bluetit comm="systemd" exe="/usr/lib/systemd/systemd" hostname=? addr=? terminal=? res=success'
        июл 08 16:44:58 hotcapy-desktop bluetit[4051]: Enabling persistent network filter and lock
        июл 08 16:44:58 hotcapy-desktop bluetit[4051]: Network filter and lock are using nftables
        июл 08 16:44:58 hotcapy-desktop bluetit[4051]: Successfully loaded kernel module nf_tables
        июл 08 16:44:58 hotcapy-desktop bluetit[4051]: Network filter successfully initialized
        июл 08 16:44:58 hotcapy-desktop bluetit[4051]: Persistent network filter and lock successfully enabled
        июл 08 16:44:58 hotcapy-desktop bluetit[4051]: Starting AirVPN boot connection
        июл 08 16:44:58 hotcapy-desktop bluetit[4051]: AirVPN Manifest updater thread started
        июл 08 16:44:58 hotcapy-desktop bluetit[4051]: AirVPN Manifest update interval is 15 minutes
        июл 08 16:44:58 hotcapy-desktop bluetit[4051]: AirVPN Manifest update suspended: AirVPN boot connection initialization in progress
        июл 08 16:44:58 hotcapy-desktop bluetit[4051]: Persistent Network Lock and Filter is enabled
        июл 08 16:44:58 hotcapy-desktop bluetit[4051]: Updating AirVPN Manifest
        июл 08 16:44:58 hotcapy-desktop bluetit[4051]: AirVPN bootstrap servers are now allowed to pass through the network filter
        июл 08 16:44:58 hotcapy-desktop bluetit[4051]: Waiting for a valid AirVPN Manifest to be available
        июл 08 16:44:59 hotcapy-desktop bluetit[4051]: AirVPN Manifest successfully retrieved from server
        июл 08 16:44:59 hotcapy-desktop bluetit[4051]: Logging in AirVPN user Hotty Capy
        июл 08 16:45:00 hotcapy-desktop bluetit[4051]: AirVPN user Hotty Capy successfully logged in
        июл 08 16:45:00 hotcapy-desktop bluetit[4051]: Selected user key: Desktop
        июл 08 16:45:00 hotcapy-desktop bluetit[4051]: Starting connection to AirVPN server Xuange, Zurich (Switzerland)
        июл 08 16:45:00 hotcapy-desktop bluetit[4051]: Starting VPN Connection
        июл 08 16:45:00 hotcapy-desktop bluetit[4051]: OpenVPN3 client successfully created and initialized.
        июл 08 16:45:00 hotcapy-desktop bluetit[4051]: TUN persistence is enabled by Bluetit policy
        июл 08 16:45:00 hotcapy-desktop bluetit[4051]: TUN persistence is enabled.
        июл 08 16:45:00 hotcapy-desktop bluetit[4051]: TCP queue limit set to 8192 by Bluetit policy
        июл 08 16:45:00 hotcapy-desktop bluetit[4051]: Negotiable Crypto Parameters (NCP) is enabled by Bluetit policy
        июл 08 16:45:00 hotcapy-desktop bluetit[4051]: Connection timeout set to 0 by Bluetit policy
        июл 08 16:45:00 hotcapy-desktop bluetit[4051]: Compression mode set to 'no' by Bluetit policy
        июл 08 16:45:00 hotcapy-desktop bluetit[4051]: TLS minumum version set to 'tls_1_2' by Bluetit policy
        июл 08 16:45:00 hotcapy-desktop bluetit[4051]: Proxy HTTP basic auth isdisabled by Bluetit policy
        июл 08 16:45:00 hotcapy-desktop bluetit[4051]: CIPHER OVERRIDE: AES-256-GCM
        июл 08 16:45:00 hotcapy-desktop bluetit[4051]: Successfully set OpenVPN3 client configuration
        июл 08 16:45:00 hotcapy-desktop bluetit[4051]: Network lock set to 'nftables' by Bluetit policy
        июл 08 16:45:00 hotcapy-desktop bluetit[4051]: Ignore DNS push is disabled by Bluetit policy
        июл 08 16:45:00 hotcapy-desktop bluetit[4051]: Starting OpenVPN3 connection thread
        июл 08 16:45:00 hotcapy-desktop bluetit[4051]: Connection statistics updater thread started
        июл 08 16:45:00 hotcapy-desktop bluetit[4051]: OpenVPN core 3.7 AirVPN linux x86_64 64-bit
        июл 08 16:45:00 hotcapy-desktop bluetit[4051]: Frame=512/2048/512 mssfix-ctrl=1250
        июл 08 16:45:00 hotcapy-desktop bluetit[4051]: UNUSED OPTIONS
        июл 08 16:45:00 hotcapy-desktop bluetit[4051]: EVENT: RESOLVE
        июл 08 16:45:00 hotcapy-desktop bluetit[4051]: WARNING: NetworkManager is running on this system and may interfere with DNS management and cause DNS leaks
        июл 08 16:45:00 hotcapy-desktop bluetit[4051]: WARNING: systemd-resolved is running on this system and may interfere with DNS management and cause DNS leaks
        июл 08 16:45:00 hotcapy-desktop bluetit[4051]: Local IPv4 address 10.21.10.1
        июл 08 16:45:00 hotcapy-desktop bluetit[4051]: Local IPv6 address fe80::2d8:61ff:fe19:ea0a
        июл 08 16:45:00 hotcapy-desktop bluetit[4051]: Local interface enp37s0
        июл 08 16:45:00 hotcapy-desktop bluetit[4051]: Setting up network filter and lock
        июл 08 16:45:00 hotcapy-desktop bluetit[4051]: Allowing system DNS 1.1.1.1 to pass through the network filter
        июл 08 16:45:00 hotcapy-desktop bluetit[4051]: Allowing system DNS 1.0.0.1 to pass through the network filter
        июл 08 16:45:00 hotcapy-desktop bluetit[4051]: Adding IPv4 server 79.142.69.162 to network filter
        июл 08 16:45:00 hotcapy-desktop bluetit[4051]: Network filter and lock successfully activated
        июл 08 16:45:00 hotcapy-desktop bluetit[4051]: Contacting 79.142.69.162:443 via UDP
        июл 08 16:45:00 hotcapy-desktop bluetit[4051]: EVENT: WAIT
        июл 08 16:45:00 hotcapy-desktop bluetit[4051]: net_route_best_gw query IPv4: 79.142.69.162/32
        июл 08 16:45:00 hotcapy-desktop bluetit[4051]: sitnl_route_best_gw result: via 10.21.10.88 dev enp37s0
        июл 08 16:45:00 hotcapy-desktop bluetit[4051]: net_route_add: 79.142.69.162/32 via 10.21.10.88 dev enp37s0 table 0 metric 0
        июл 08 16:45:00 hotcapy-desktop bluetit[4051]: Connecting to [79.142.69.162]:443 (79.142.69.162) via UDPv4
        июл 08 16:45:00 hotcapy-desktop bluetit[4051]: EVENT: CONNECTING
        июл 08 16:45:00 hotcapy-desktop bluetit[4051]: Tunnel Options:V4,dev-type tun,link-mtu 1522,tun-mtu 1500,proto UDPv4,comp-lzo,cipher AES-256-GCM,auth [null-digest],keysize 256,key-method 2,tls-client
        июл 08 16:45:00 hotcapy-desktop bluetit[4051]: Peer Info:
        июл 08 16:45:00 hotcapy-desktop bluetit[4051]: VERIFY OK: depth=1, /C=IT/ST=IT/L=Perugia/O=airvpn.org/CN=airvpn.org CA/emailAddress=info@airvpn.org, signature: RSA-SHA1
        июл 08 16:45:00 hotcapy-desktop bluetit[4051]: VERIFY OK: depth=0, /C=IT/ST=IT/L=Perugia/O=airvpn.org/CN=Xuange/emailAddress=info@airvpn.org, signature: RSA-SHA512
        июл 08 16:45:00 hotcapy-desktop bluetit[4051]: SSL Handshake: peer certificate: CN=Xuange, 4096 bit RSA, cipher: TLS_CHACHA20_POLY1305_SHA256 TLSv1.3 Kx=any Au=any Enc=CHACHA20/POLY1305(256) Mac=AEAD
        июл 08 16:45:00 hotcapy-desktop bluetit[4051]: Session is ACTIVE
        июл 08 16:45:00 hotcapy-desktop bluetit[4051]: EVENT: WARN TLS: received certificate signed with SHA1. Please inform your admin to upgrade to a stronger algorithm. Support for SHA1 signatures will be dropped in the future
        июл 08 16:45:00 hotcapy-desktop bluetit[4051]: EVENT: GET_CONFIG
        июл 08 16:45:00 hotcapy-desktop bluetit[4051]: Sending PUSH_REQUEST to server...
        июл 08 16:45:00 hotcapy-desktop bluetit[4051]: OPTIONS:
        июл 08 16:45:00 hotcapy-desktop bluetit[4051]: PROTOCOL OPTIONS:
        июл 08 16:45:00 hotcapy-desktop bluetit[4051]: EVENT: ASSIGN_IP
        июл 08 16:45:00 hotcapy-desktop bluetit[4051]: VPN Server has pushed IPv4 DNS server 10.10.6.1
        июл 08 16:45:00 hotcapy-desktop bluetit[4051]: Setting pushed IPv4 DNS server 10.10.6.1 in resolv.conf
        июл 08 16:45:00 hotcapy-desktop bluetit[4051]: Setting pushed IPv4 DNS server 10.10.6.1 for interface enp37s0 via systemd-resolved
        июл 08 16:45:00 hotcapy-desktop bluetit[4051]: net_iface_mtu_set: mtu 1500 for tun0
        июл 08 16:45:00 hotcapy-desktop bluetit[4051]: net_iface_up: set tun0 up
        июл 08 16:45:00 hotcapy-desktop bluetit[4051]: net_addr_add: 10.10.6.199/24 brd 10.10.6.255 dev tun0
        июл 08 16:45:00 hotcapy-desktop bluetit[4051]: net_route_add: 0.0.0.0/1 via 10.10.6.1 dev tun0 table 0 metric 0
        июл 08 16:45:00 hotcapy-desktop bluetit[4051]: net_route_add: 128.0.0.0/1 via 10.10.6.1 dev tun0 table 0 metric 0
        июл 08 16:45:00 hotcapy-desktop bluetit[4051]: TunPersist: saving tun context:
        июл 08 16:45:00 hotcapy-desktop bluetit[4051]: Connected via tun
        июл 08 16:45:00 hotcapy-desktop bluetit[4051]: LZO-ASYM init swap=0 asym=1
        июл 08 16:45:00 hotcapy-desktop bluetit[4051]: Comp-stub init swap=0
        июл 08 16:45:00 hotcapy-desktop bluetit[4051]: EVENT: CONNECTED 79.142.69.162:443 (79.142.69.162) via /UDPv4 on tun/10.10.6.199/ gw=[10.10.6.1/]
        июл 08 16:45:00 hotcapy-desktop bluetit[4051]: Connected to AirVPN server Xuange, Zurich (Switzerland)
        июл 08 16:45:00 hotcapy-desktop bluetit[4051]: Server has pushed its own DNS. Removing system DNS from network filter.
        июл 08 16:45:01 hotcapy-desktop bluetit[4051]: System DNS 1.1.1.1 is now rejected by the network filter
        июл 08 16:45:01 hotcapy-desktop bluetit[4051]: System DNS 1.0.0.1 is now rejected by the network filter

    So the problem is definitely in my system, not in Bluetit service.

    Edit: yes, here is the command output obtained right after turning on the computer and successfully accessing the AirVPN website (before Bluetit service started):

        [hotcapy@hotcapy-desktop ~]$ sudo systemctl status network-online.target
        [sudo] password for hotcapy:
        ○ network-online.target - Network is Online
        Loaded: loaded (/usr/lib/systemd/system/network-online.target; static)
        Active: inactive (dead)
        Docs: man:systemd.special(7)
        https://www.freedesktop.org/wiki/Software/systemd/NetworkTarget

  2. 1 point
    Staff

    tls-crypt on DD-WRT: got it working!

    @YLwpLUbcf77U Hello! It's not something DD-WRT specific, it's an OpenVPN working mode. TLS mode is essential to use all the OpenVPN security features, including PFS. We only operate OpenVPN in TLS mode.

    When OpenVPN works in TLS mode, TLS Crypt encrypts the whole Control Channel from the very beginning, while TLS Auth does not. Therefore TLS Crypt hides the OpenVPN protocol fingerprint from DPI, and it's much harder to block OpenVPN in TLS Crypt mode than to block OpenVPN in TLS Auth mode.

    TLS Crypt and TLS Auth are mutually incompatible, and each OpenVPN daemon working as server can only work with TLS Auth or TLS Crypt. That's why we offer different IP addresses for TLS Crypt and TLS Auth modes:

    Also note that TLS Auth and TLS Crypt keys are different. A more elaborate and precise description can be found here (1st answer): https://serverfault.com/questions/929484/openvpn-2-4-security-differences-between-tls-crypt-and-tls-auth

    Kind regards
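
A small check for the point made in the post above, as an added example that is not AirVPN's or OpenVPN's own code: it reads a client profile, reports whether it configures `tls-auth` or `tls-crypt`, and flags a profile that sets both or that does not match the mode of the entry address it is meant for. The profile text, host name, key file names and function names are constructed for illustration.

```python
import re

# Directives that wrap the OpenVPN control channel. Per the post, a server
# daemon works with only one of them, and each mode has its own key.
WRAP_MODES = ("tls-auth", "tls-crypt")

def control_channel_modes(profile_text):
    """Return the set of wrap modes a client profile configures."""
    modes = set()
    for raw in profile_text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":
            continue  # blank line or comment
        # Inline key block, e.g. <tls-crypt> ... </tls-crypt>
        inline = re.fullmatch(r"<(tls-auth|tls-crypt)>", line)
        if inline:
            modes.add(inline.group(1))
        # Key file form, e.g. "tls-auth ta.key 1"
        elif line.split()[0] in WRAP_MODES:
            modes.add(line.split()[0])
    return modes

def check_profile(profile_text):
    """Classify a profile as 'tls-auth', 'tls-crypt', 'none' or 'conflict'."""
    modes = control_channel_modes(profile_text)
    if len(modes) > 1:
        return "conflict"  # both set: cannot match any single server daemon
    return next(iter(modes), "none")

def fits_entry(profile_text, entry_mode):
    """True if the profile's mode equals the mode served at the chosen entry address."""
    return check_profile(profile_text) == entry_mode

# Constructed sample profiles (placeholder host, key material omitted).
CRYPT_PROFILE = """client
remote vpn.example.invalid 443
<tls-crypt>
# key material omitted
</tls-crypt>
"""
AUTH_PROFILE = """client
remote vpn.example.invalid 443
tls-auth ta.key 1
"""
MIXED_PROFILE = AUTH_PROFILE + "tls-crypt tls-crypt.key\n"

if __name__ == "__main__":
    for name, text in (("crypt", CRYPT_PROFILE), ("auth", AUTH_PROFILE), ("mixed", MIXED_PROFILE)):
        print(name, check_profile(text))
```
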