Staff

@pjnsmb Hello! Hummingbird tries to use in sequence the first available firewall between iptables, iptables-legacy, nftables and pf. In your case, Hummingbird finds iptables-legacy. With IPv4 no errors seems to arise, but the problem comes out with IPv6. ip[6]tables-legacy is a wrapper to nftables, so IPv6 support in nftables might be the problem, or maybe it's a bug in ip6tables legacy in your unstable distribution (or you just disabled IPv6 support in your system, but you told us that you keep getting the error even when you re-enable it, can you confirm?). Can you please re-test Humminbird without the --ipv6 no option you enforced, just in case, and check whether the problem is the same or not? Another possible test, but it's more problematic if you need iptables syntax somewhere in your system or applications, would be removing iptables and iptables-legacy packages. In this case Hummingbird will use nftables. We can not support unstable distributions (you're running Debian Sid according to your ticket) because we can't circumvent all the possible bugs which an unstable distribution may potentially come with: it would be a wrong approach and anyway it would be an overwhelming task. However, we will offer in a near future release the option to force Hummingbird to use a firewall chosen by the user. When the option is available you will be able to force usage of nftables, bypassing iptables-legacy, if it's causing the issue. Please keep us informed if you decide to perform any of the above tests. Kind regards

Hello! We're glad to inform you that Hummingbird 1.0.1 has just been released. Hummingbird is a free and open source software by AirVPN for: Linux x86-64 Linux ARM 32 (example: Raspbian for Raspberry PI) Linux ARM 64 macOS (Mojave or higher version required) based on OpenVPN3-AirVPN 3.6 library supporting CHACHA20-POLY1305 cipher on OpenVPN Data Channel and Control Channel. Hummingbird is very fast and has a tiny RAM footprint. AES-CBC and AES-GCM are supported as well. Version 1.0.1 uses new OpenVPN3-AirVPN 3.6.2 library which features various improving minor changes and fixes an annoying bug which caused "ncp-disable" directive to be ignored in profiles. Note: command line options --ncp-disable and --cipher, when specified, override profile directives. Please consult the following page for details, changelog, instructions and download links. https://airvpn.org/hummingbird/readme/ Hummingbird source code is available here: https://gitlab.com/AirVPN/hummingbird OpenVPN3-AirVPN library source code is available here: https://github.com/AirVPN/openvpn3-airvpn Important: Hummingbird is not aimed to Android. To have CHACHA20-POLY1305 on Android, please run our software Eddie Android edition, which uses our OpenVPN3-AirVPN library. Kind regards

@pjnsmb Hello! You are still running Hummingbird directly. To run it through Eddie (so you have Network Lock by Eddie) please see here: https://airvpn.org/forums/topic/45326-eddie-desktop-218beta-released/?do=findComment&comment=103687 Kind regards

@pjnsmb Hello! Thank you very much, we will investigate. Now you can even use Hummingbird via Eddie, if you wish so, because Network Lock is enforced by Eddie even when it runs Hummingbird. Of course please make sure that Network Lock is applied properly, just in case. Kind regards

@airdev No updates. No changes or new donations in 3rd and 4th 2019 quarters Kind regards

@pjnsmb Thank you for your report! 1) We are aware of re-keying errors (ERROR: KEY_STATE_ERROR ecc.) and we are investigating. They do not cause disconnection but block Perfect Forward Secrecy. 2) Network lock can't be activated, and that's a new error never met before. We think it's related to some change in Debian 11. Can you tell us whether you get the following error: ip6tables-save v1.8.4 (legacy): Cannot initialize: Address family not supported by protocol Sat Jan 18 14:21:10.690 2020 ERROR: Cannot initialize network filter always or only sometimes? It's an important error because it prevents network lock to be enforced, therefore please keep it into consideration, we're sorry. Can you please check whether you have, in your system, both "iptables-legacy" and "ip6tables-legacy"? Can you also tell us whether your Debian kernel supports IPv6, and whether you have disabled IPv6 in some system configuration? Last but not least, can you check whether Network Lock by Eddie 2.18.6 beta is enforced correctly or not, if you have time? Kind regards

Hello! Thank you, sending to devs right now. Kind regards

Hello! Can you give us the exact Android version, as well as TV brand and model? EDIT: if you have a way to extract Eddie log from the TV, please send it to us as well (taken after the problem has occurred). Check whether one of the sharing modes in the "Log" view of Eddie is appropriate. Kind regards

Hello! Connection slots are service related, not Eddie. Please open a ticket at your convenience (if you haven't already done so) describing what you do exactly and the different behavior you see between Eddie 2.18 beta 6 and the the previous version you used. Kind regards

@Terry Stanford Hello! Can you please test Eddie 2.18.6 beta and check whether the same problem occurs or not? To download Eddie latest beta version please see here: https://airvpn.org/forums/topic/45326-eddie-desktop-218beta-released/ Bypassing password authentication to gain root privileges is possible but do NOT do it, it's an important security feature and from your message we suspect that you have no idea of the consequences of what you're asking for. Viscosity did that for mysterious reasons and it did not end well, with exploits which were soon born to gain total control of systems running Viscosity. https://www.exploit-db.com/exploits/20485 A different approach is coming soon which will offer more comfort without compromising security, unlike it happens with some reckless VPN providers. Some of them adopted unacceptable solutions, such as flagging their binaries with x+s flags, so any normal user (even a non-sudoer) could run them as superuser with no authorization, incredibly foolish and dangerous thing and it's even more astonishing that such solutions may be considered in a good light by some people. Stay tuned. Kind regards

@monstrocity Hello! Does the issue occur when you run Hummingbird alone, without having it invoked by Eddie? @56Kmodem Do you have the option to upgrade to Ubuntu 18 or 19? Kind regards

Hello! Sorry, a mistake. Please wait for the next Eddie version which will not need this procedure by you, as @Clodo wrote.. If you can't wait and you like to test right now, just enter: sudo chown root /Applications/Eddie.app/Contents/MacOS/hummingbird

Hello! It's definitely unexpected and probably an Eddie bug. We apologize for any inconvenience. Can you please send us a system report (if you prefer so, you can do it in a ticket), taken just after the problem has occurred? Click "Logs" tab, click the LIFE BELT icon, click "Copy all" icon and paste everything in your message. Kind regards

Hello! From a terminal: sudo chown root:root /Applications/Eddie.app/Contents/MacOS/hummingbird Kind regards

Hello! It's a minimal, due security check by Eddie. Eddie will run the external OpenVPN/Hummingbird binary with root privileges (remember, you give Eddie the authorization to run with administrator privileges). "root" is the Unix and BSD conventional name of a user with UID 0 (aka a superuser). Therefore, Eddie could be exploited to gain malicious root access to your system if it did not verify that the binary launched with root privileges belongs to some user with UID 0. In this way, an attacker who wants to gain root privileges inside your system can not have his/her own malware run by Eddie, escalating therefore privileges, because the attacker should already have root privileges himself/herself to begin the exploitation. Solution: make Hummingbird binary belong to user root, group root. You can achieve your purpose with command chown (change owner). https://ss64.com/osx/chown.html Kind regards

@puremorning Check the servers available bandwidth because 30 MB/s are 240 Mbit/s. To give you 240 Mbit/s the server needs 480 Mbit/s, therefore you are probably at server/OpenVPN daemon capacity. We would say that now your fine tuning with Virgin is just fine. Additional fine tuning on your side (if you haven't already done so) is setting very large OpenVPN sockets buffers. For your kind of throughput they are necessary, but don't keep large buffers if you need high responsiveness such as in online gaming. Keep at least 512 KB (you can set buffers in Eddie's "Preferences" > "Networking" window). Kind regards

@monstrocity Thank you! Please post a copy of your message in the Eddie 2.18 beta thread though. Here we just need to verify whether the problem occurs or not when Hummingbird is run by itself: when you are connected to some VPN server, over TCP, can you "ping" an arbitrary host without errors? Faster throughput and higher general responsiveness is expected as our OpenVPN 3 AirVPN library is highly optimized, from the source code itself, if you compare it with OpenVPN 2.x. Kind regards

Hello! Please copy Hummingbird binary either in /usr/lib/eddie-ui directory or somewhere in your path. Binary file name must be exactly "hummingbird". Go to "Preferences" > "Advanced" (from Eddie main window) and tick "Use Hummingbird if available". Click "Save" and start a new connection. Kind regards

@jeuia3e9x74uxu6wk0r2u9kdos Hello and thank you! It's still a beta version, but we expect to release a stable version really soon. We will also evaluate the feedback of course, please keep testing and report (if any) glitches or bugs as you have always done, thank you for your patience. Kind regards

Version 2.18.6 (Fri, 17 Jan 2020 13:46:48 +0000) [change] Bug fixes and code cleanup [change] OpenVPN 2.4.8 [change] Windows - Tap driver (Win7-Win10) upgraded from 9.23.3-i601 to 9.24.2-i601 [new] New option 'Skip promotional messages'. [change] macOS - New menubar icons [bugfix] macOS - 'Rules not loaded' in some environment [change] Hummingbird integration (experimental) All other reported issues are under investigation. (Linux Arch package is not yet available, fix coming soon).

Hello! Consult the RIPE database too. If someone compiles a private database in which an addresses pool is assigned to the Flying Spaghetti Monster, would it be sufficient for you to believe that it is indeed assigned (and eventually used by) the Flying Spaghetti Monster? $ whois 213.152.161.30 % This is the RIPE Database query service. % The objects are in RPSL format. % % The RIPE Database is subject to Terms and Conditions. % See http://www.ripe.net/db/support/db-terms-conditions.pdf % Note: this output has been filtered. % To receive output for a database update, use the "-B" flag. % Information related to '213.152.161.0 - 213.152.161.184' % Abuse contact for '213.152.161.0 - 213.152.161.184' is 'abuse@global-layer.com' inetnum: 213.152.161.0 - 213.152.161.184 netname: NL-AIR descr: AirVPN.org country: NL descr: **************************************************** descr: Alblasserdam datacenter descr: AirVPN IP Space descr: NL, Europe descr: **************************************************** --- cut --- Kind regards

Hello! A connectionless tunnel (UDP is connectionless) is kept alive with ping inside the tunnel. In our service a ping every 10 seconds and a keepalive timeout of 60 seconds. If a side does not receive any reply from the other side in 60 seconds, it assumes that the other side is no more there. The keepalive timeout is followed by a reconnection attempt, as we can see in the log. IF you see that the reconnection attempt does not follow a keepalive timeout, please notify us and send us the log pertaining to the event. Kind regards

Hello, please check your Eddie servers white and black lists because all the 10 Dallas servers are up as usual. Open a ticket for support at your convenience, if necessary. Kind regards

Hello! We confirm the issue on iOS with some browsers, but Safari behaves correctly. We are going to investigate the problem. In iOS, please use Safari to download ovpn files from the Configuration Generator in the meantime. Kind regards

@tlc Hello! Look: $ dig @208.67.222.222 airvpn.org +short 5.196.64.52 $ dig @208.67.222.220 airvpn.org +short 5.196.64.52 which is correct. However 208.67.222.123 considers airvpn.org an adult only web site or a porn site. Just another proof of how idiotic censorship is, how web site filtering is exploited by hidden political agenda eventually, and how stupid the persons who gladly look for censorship and delegate their choices to a third party are. Kind regards