Posts posted by Staff


  1. Hello!

    It's a crack for some program unrelated to AirVPN or a malware. Our software does not need any crack, it is free and open source software which does not need the activation key they claim they give you. There's another "Air VPN" (with a space) in China fraudulently using this name but it was shut down recently. We will hide your link just in case it's malware. About NordVPN, yes, they have been cracked a couple of times and thousands of accounts were compromised in the past. By the way still unrelated to AirVPN.

    Kind regards
     


  2. Hello!

    @1301
    It might be a virtual network interface MTU size related problem, try with the custom directive mssfix 1280, or switch to WireGuard and set MTU to 1280 bytes.
    In Eddie, you can set custom OpenVPN directives in "Preferences" > "OVPN Directive" window. Type "mssfix 1280" in the custom directives field, click "Save", and re-start a connection to apply the change.
    You might like to test a connection over WireGuard as well. If you run Eddie 2.23.x you can also set WireGuard's MTU size in "Preferences" > "WireGuard" window.

    Also make sure that both your router firmware and your physical network interface driver are up to date. A sustained UDP flow causes problems on some old network interface drivers as well as old router firmwares.
     

    Quote

    Wouldn't we have seen this with all packets, then? 


    Possible, but it's not necessarily so, as some datagrams may fit in the frame other ones may not. Anyway from the log it's not clear whether all the packets had to be re-sent or not. Shrinking the MTU size is well worth a test.

    The following, however, makes the MTU size problem less likely, but not impossible anyway:
    Quote

    Problem is still sometimes i get the full  download speed of 200 with the VPN but otherwise it's limited to around 50 Mbps,


    Kind regards
     

  3. 10 minutes ago, MarianekPazur said:

    Hi, I change password without signs and now works. Thank You for help.


    Thank you very much, we will have developers investigate the problem, there's a potential bug somewhere. Can you post all the non-alphabetic characters you were using, like @ and #?

    Kind regards
     

  4. 18 minutes ago, MarianekPazur said:

    Do I have to make new openvpn configuration file if I change password for my deluge-vpn container? Or just put new password there? 


    Hello!

    No, that's not necessary. You don't need anyway configuration files with Eddie Android and Desktop editions. How is it related to the original problem?

    Kind regards
     

  5. 1 hour ago, MarianekPazur said:

    Hi, thanks for fast answer. I have regular english letters and numbers in password and signs like `@#$` Do I have to change that?


    Hello!

    There is a bug affecting Eddie Android edition and causing a crash, but not a login failure, when the symbol % is in the username and not in the password. Anyway, please try to wipe out all the @, # and $ characters and check whether something changes or not.

    Kind regards
     

  6. On 9/19/2023 at 1:40 PM, fsy said:

    Not that I am into traffic splitting, not at all, but just to test the new Suite I think I would resolve the problem by having split Firefox environments: different datadir, profiles etc. Before I try, do you think it can work? I guess it might be overkill, if someone found a smoother solution let me know...
     

    Hello!

    Unfortunately it will not work. We are investigating different issues caused by web browsers. Please check the original announcement, we have changed a part to reflect the matter, we paste it here for readers' comfort and in order to outline the issue:
     

    Note on Web Browsers


    Firefox and Chromium will not be able to resolve names in the aircuckoo namespace, not even when you run a unique instance of them inside the network namespace itself, in some Ubuntu systems. We are investigating this behavior. Brave, Opera and Konqueror are not affected by this problem, but please consider that due to how browser instances are tied to each other, you might get unexpected behavior if you run the same browser in both namespaces from the same user.
    For example, if the browser has been started in the default namespace while there is an active AirVPN connection, the traffic will flow to the connected AirVPN server and from the associated VPN IP address from any future apparent instance launched by the same user, and vice-versa. The second instance may detect the first, delegate the task to it and exit, so you will have a new window but not another instance.
    In order to circumvent the issue, at this stage you may take care to run programs in the aircuckoo namespace via cuckoo only from airvpn account, and programs whose traffic must be tunneled from your ordinary account. In other words, to add security, do not add your ordinary account to the airvpn group if you plan to use traffic splitting, so your ordinary account will not be able to run cuckoo by accident.
     
    Kind regards
     

  7. 11 hours ago, jonjon91 said:


    Yes I have this setting and I am still receiving the same error.
     


    Hello!

    Thanks. Thus, it must be a different issue or maybe a bug. Can you tell us your distribution name and version? Can you also please send us the complete Bluetit log? You can see it via journalctl if you are in a systemd based distribution. The following command:
    sudo journalctl | grep bluetit > bluetit.log
    will store the whole log in bluetit.log file.
     
    11 hours ago, jonjon91 said:

    I was also dealing with an issue that airvpn changed the /etc/resolv.config file. I had to delete the file contents and add my DNS to the nameserver to regain internet access 


    When this other problem occurs, please send us a Bluetit log again as well as the content of the /etc/airvpn directory:
    sudo ls -l /etc/airvpn

    Kind regards

     

  8. @OpenSourcerer

    Hello!

    There is some confusion on a few Linux concepts and architectural design in your last message which would require some longer explanation or a course-like series of articles. We're afraid that this thread could go off rails and on a long question/answer/question/answer "ping pong" which might be detrimental to the original purpose: community testing and bug reporting. Please feel free to ask your questions on some other forum, for example in "Off Topic" community forum and we'll do our best to explain, or maybe someone from the community will explain even better. We want to leave this thread (remember we're in "News and announcement") aimed at AirVPN Suite 2 preview version(s) community testing and bug reporting, thank you in advance for your understanding. 😉

    Kind regards
     

  9. 17 hours ago, OpenSourcerer said:

    Tested on Ubuntu 20 and Armbian 23.08 (so assuming Debian does the same), SLES 12 and 15 and RHEL 7 and 8 (and my Arch machines, of course), with neither of these I had this cap by default. I must ask about the source of this info.

    $ capsh --current
    Current: =
    Current IAB:
    $ capsh --has-p=cap_sys_admin
    cap[cap_sys_admin] not permitted

    .
     

    Hello!
    That output is correct, and it does not imply what you assume, but only that the program you have just launched runs in an ambient which does not have the specified vector raised. For your verification see our previous command, or just verify for each user the capability. Example (as root):
    capsh --user=<username> --has-p=CAP_SYS_ADMIN ; echo $?
    It will exit with status 1 if the ambient vector has not that capability, it will exit with status 0 if it has.
    Please note that the whole new Suite would work anyway, in all the distributions we tested, if the installer doesn't edit /etc/security/capability.conf but we deem that this is a nice feature anyway, as it might be useful in some obscure distribution, and it adds clarity.

     
    17 hours ago, OpenSourcerer said:

    You can use namespaces of other processes using nsenter, though, can't you?


    We can't: nsenter links the process you run to some existing PID, making it a child of some already existing process in the namespace, so nsenter has different usage for quite different purposes.

     
    Quote

    Interestingly, my research turned up that this cap and the lack of documentation surrounding it, especially for kernel devs coding a new kernel feature, is a constant source of grievances. LWN once suggested to rename this CAP_AS_GOOD_AS_ROOT. It grants so many permissions now with no alternatives. Rather entertaining.


    Yes, that obsolete paper anyway confirms how good this implementation is. Our use case is exactly one of the few perfectly proper, correct and needed "usages" of CAP_SYS_ADMIN without doubts. Additionally, all the worries of the original writer have been properly addressed, as explained (we paste here to readers' comfort again):
    Quote

    Immediately after, setuid is disabled. On top of that cuckoo drops all setuid privileges and sets those of the user running it. Verify this trivially as a cross/double-check during the tests.

     addressing the issues raised by Eklektix and Kerrisk and others. To clarify: verify with ps.

    Kind regards





     

  10. 11 hours ago, jonjon91 said:

    Hi. I'm trying to get up and running but I am having some trouble. please assist.

    I have installed the package, the installer created the airvpn user and group, I then ran cuckoo [program] from the airvpn user. I get the following error message 

    
    Cuckoo - AirVPN Traffic Split Manager 2.0.0 alpha 1 - 15 Sep 2023
    
    ERROR: Cannot open network namespace 'aircuckoo': No such file or directory

    Hello and thank you for your tests!

    Can you please make sure that you have the following directive in /etc/airvpn/bluetit.rc
    allowtrafficsplitting on
    If this is missing you will get that error message. We will make that error message more explicative during the alpha stage. Please let us know whether the problem is caused by the missing directive or not.

    Kind regards
     

  11. On 9/18/2023 at 12:30 PM, OpenSourcerer said:

    Erm… why do you need the CAP_SYS_ADMIN capability for cuckoo?


    Hello!

    Any user in any Linux distribution can run a process with CAP_SYS_ADMIN capability. The installation script makes sure that "airvpn" has that ability too, just in case some distribution erroneously has not set the ability to airvpn. You can check for example with:
    sudo capsh --print --user=<any existing user>

    Quote

    Nothing in the description of that capability points at something cuckoo would need,


    As you might have read, traffic splitting in this implementation relies on namespaces, so CAP_SYS_ADMIN is strictly necessary for setns() - immediately after, setuid is disabled. On top of that cuckoo drops all setuid privileges and sets those of the user running it. Verify this trivially as a cross/double-check during the tests.
     
    Quote

    I'm very reluctant to do in the airvpn-suite-beta-bin AUR package what your install script does.


    We can't understand your point in this case. Anyway, we would be reluctant too but for a very different reason, i.e. is it appropriate to prepare an AUR package with "beta" in its name for a software which is not beta but alpha?

    Kind regards
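
The replies above say that cuckoo needs CAP_SYS_ADMIN only for setns() and then runs the program with the invoking user's privileges, and suggest verifying this with ps. The following is an added example, not part of the original posts and not AirVPN's code: it makes the same cross-check from /proc/<pid>/status. The function names and the sample status files used to exercise it are constructed for illustration.

```shell
#!/bin/sh
# Added example: confirm that a process started through a setuid launcher
# no longer holds root UIDs or an effective CAP_SYS_ADMIN.
# Reads the "Uid:" and "CapEff:" lines of a /proc/<pid>/status file.

CAP_SYS_ADMIN=21   # bit number of CAP_SYS_ADMIN in linux/capability.h

# status_field FILE NAME N -> prints the Nth value of the "NAME:" line.
status_field() {
    awk -v f="$2:" -v n="$3" '$1 == f { print $(n + 1); exit }' "$1" 2>/dev/null
}

# cap_has HEXMASK BIT -> success if BIT is set in the hexadecimal mask.
cap_has() {
    [ $(( (0x$1 >> $2) & 1 )) -eq 1 ]
}

# privileges_dropped STATUSFILE
#   returns 0 if real, effective and saved UIDs are equal and non-root
#             and CAP_SYS_ADMIN is absent from the effective set,
#           1 if the process still holds root or CAP_SYS_ADMIN,
#           2 if the status file could not be read.
privileges_dropped() {
    pd_file=$1
    pd_ruid=$(status_field "$pd_file" Uid 1)     # real UID
    pd_euid=$(status_field "$pd_file" Uid 2)     # effective UID
    pd_suid=$(status_field "$pd_file" Uid 3)     # saved set-UID
    pd_eff=$(status_field "$pd_file" CapEff 1)   # effective capability mask
    [ -n "$pd_suid" ] && [ -n "$pd_eff" ] || return 2
    [ "$pd_euid" -ne 0 ] && [ "$pd_suid" -ne 0 ] || return 1
    [ "$pd_ruid" = "$pd_euid" ] && [ "$pd_euid" = "$pd_suid" ] || return 1
    if cap_has "$pd_eff" "$CAP_SYS_ADMIN"; then
        return 1
    fi
    return 0
}

# Usage: sh thisfile.sh <pid of a program started with cuckoo>
if [ -n "${1:-}" ]; then
    if privileges_dropped "/proc/$1/status"; then
        echo "pid $1: runs with the user's UIDs, no effective CAP_SYS_ADMIN"
    else
        echo "pid $1: still privileged, or status not readable"
    fi
fi
```

A saved set-UID of 0 is treated as a failure because it would let the process switch back to root.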
     

  12. Hello!

    You have forced a connection in IPv6 only. Maybe your ISP does not support it, or blocks UDPv6. As a first attempt please go back to IPv4 and try again. In "Preferences" > "Networking" change the "Protocol used for connection" combo box back to "IPv4, IPv6" (the original setting). You will have anyway IPv6 over IPv4 so you'll not lose IPv6.

    Kind regards
     


  13. Hello!

    It looks like your listening program listens to IPv6 addresses only, can you please check? Example: in qBittorrent, "Preferences" > "Advanced" window, verify the "Optional IP addresses to bind to" box and test with "IPv4 addresses only" as well as "All IP addresses" (which should be the default setting and might cause the observed behavior).

    Kind regards
     


  14. Hello!


    We're very glad to inform you that AirVPN Suite version 2.0.0 alpha 1 is now available. UPDATE 2023-11-24: version 2.0.0 alpha 2 is now available.

    AirVPN Suite 2.0.0 alpha 2 introduces AirVPN's exclusive per app traffic splitting system as well as some bug fixes, revised code in order to pave the way towards the final and stable release, WireGuard support, and the latest OpenVPN3-AirVPN 3.9 library. Please see the respective changelogs for a complete list of preliminary changes for each component of the suite. If you feel adventurous and you wish to test this preview version, please feel free to report any glitch, bug and problem in this very thread.

     

    The 2.0.0 alpha 2 Suite includes:

    • Bluetit: lightweight, ultra-fast D-Bus controlled system daemon providing full connectivity and integration to AirVPN servers, or generic OpenVPN and WireGuard servers. Bluetit can also enforce Network Lock and/or connect the system to AirVPN during the bootstrap
    • Goldcrest: Bluetit client, allowing full integration with AirVPN servers, users, keys, profiles as well as generic OpenVPN and WireGuard servers
    • Hummingbird: lightweight and standalone binary for generic OpenVPN server connections
    • Cuckoo: traffic split manager, granting full access and functionality to AirVPN's traffic split infrastructure
    WARNING: this is alpha software in its development stage, it is provided "as is" and with no implicit or explicit warranty it will work properly and as expected or planned. Because of the development stage, the software may have bugs which may also cause critical and unstable conditions. This software is used at the whole risk of the user and it is strongly advised not to use it in production or critical systems or environments. Please note that features and functionalities of this alpha/development version may be changed or removed in future releases.


    WireGuard support
     

    WireGuard support is now available in Bluetit. OpenVPN or WireGuard selection is controlled by Bluetit run control file option airvpntype or by Goldcrest option -f  (short for --air-vpn-type). Possible values: openvpn, wireguard. Default: openvpn. The option is documented in the 1.3.0 manual as well. Currently Hummingbird does not support WireGuard, please rely on Bluetit and Goldcrest.

    Bluetit run control file (/etc/airvpn/bluetit.rc) option:

    airvpntype: (string) VPN type to be used for AirVPN connections. Possible values: wireguard, openvpn. Default: openvpn

    Goldcrest option:

    --air-vpn-type, -f : VPN type for AirVPN connection <wireguard|openvpn>
     

    AirVPN's VPN traffic splitting


    AirVPN Suite version 2.0.0 introduces traffic splitting by using a dedicated network namespace, therefore completely separating the VPN traffic from unencrypted and "out of the tunnel" traffic. The VPN traffic is carried out in the default (main) namespace, ensuring all system data and traffic to be encrypted and tunneled into the VPN by default. No clear and unencrypted data are allowed to pass through the default namespace.
    Any optional unencrypted data or clear network traffic must be explicitly requested by an authorized user with the right to run cuckoo, the AirVPN traffic split manager tool.

    AirVPN's traffic splitting is enabled and controlled by Bluetit and by means of run control directives. The system has been created in order to minimize any tedious or extensive configuration, even to the minimal point of telling Bluetit to enable traffic splitting with no other setting.

    In order to enable and control AirVPN's traffic splitting, the below new run control directives for /etc/airvpn/bluetit.rc have been introduced:
    • allowtrafficsplitting: (on/off) enable or disable traffic splitting (unencrypted and out of the tunnel traffic) Default: off
    • trafficsplitnamespace: (string) name of Linux network namespace dedicated to traffic splitting. Default: aircuckoo
    • trafficsplitinterface: (string) name of the physical network interface to be used for traffic splitting. All the unencrypted and out of the tunnel data will pass through the specified network device/interface. In case this directive is not used and unspecified, Bluetit will automatically use the main network interface of the system and connected to the default gateway. Default: unspecified
    • trafficsplitnamespaceinterface: (string) name of the virtual network interface to be associated to the Linux network namespace dedicated to traffic splitting. Default: ckveth0
    • trafficsplitipv4: (IPv4 address|auto) IPv4 address of the virtual network interface used for traffic splitting. In case it is set to 'auto', Bluetit will try to automatically assign an unused IPv4 address belonging to the system's host sub-network (/24) Default: auto
    • trafficsplitipv6: (IPv6 address|auto) IPv6 address of the virtual network interface used for traffic splitting. In case it is set to 'auto', Bluetit will try to automatically assign an unused IPv6 address belonging to the system's host sub-network (/64) Default: auto
    • trafficsplitfirewall: (on/off) enable or disable the firewall in Linux network namespace dedicated to traffic splitting. The firewall is set up with a minimal rule set for a very basic security model. Default: off
    AirVPN's traffic splitting is designed in order to minimize any further configuration from the system administrator. To actually enable traffic splitting, it is just needed to set "allowtrafficsplitting" directive to "on" and Bluetit will configure the traffic split namespace with the default options as explained above. When needed, the system administrator can finely tune the traffic splitting service by using the above directives. At this early alpha stage, it is advised not to change the network namespace name but leave it to its default value "aircuckoo" to let cuckoo tool properly work.

     

    Power and limitations

     

    The adopted solution offers a remarkable security bonus in terms of isolation. For example, it gets rid of the dangerous DNS "leaks in" typical of cgroups based traffic splitting solutions. However, the dedicated namespace needs an exclusive IP address. If the system is behind a NAT (connected to a home router for example) this is not a problem, but if the system is not behind any NAT, i.e. it is assigned directly a public IP address, you will need another public IP address for the network namespace dedicated to traffic splitting. You will need to manually set the other public IP address on the trafficsplitipv4 or trafficsplitipv6 directive as the guessing abilities of Bluetit may work only within a private subnet. Please keep this limitation in mind especially if you want to run the Suite with per app traffic splitting on a dedicated or virtual server in some datacenter, as they are most of the times NOT behind any NAT.

     


    Introducing Cuckoo, the AirVPN traffic splitting manager tool


    Traffic splitting is implemented in AirVPN Suite by using a separate and independent network namespace, directly communicating with the system's default gateway through a virtual interface associated to a physical network interface available in the system. This ensures a true separation of traffic between tunneled and encrypted VPN data from the unencrypted and clear data to be channeled out of the VPN tunnel. The unencrypted traffic will never pass through the default namespace - which is under the VPN control - including, and most importantly, DNS requests.

    To generate unencrypted and out of the tunnel traffic, any software having this need must be run inside the traffic split namespace. In order to do so, AirVPN Suite 2.0.0 introduces a new tool meant to be specifically used for this purpose: Cuckoo.
    The tool can be used by users belonging to the airvpn group only. It cannot be used by root or any user belonging to the root group.

    Additionally, in order to fully use the cuckoo tool, the user must also have special capabilities enabled, notably CAP_SYS_ADMIN, CAP_NET_ADMIN and CAP_NET_RAW. The installation script will set these capabilities to the "airvpn" user only. In case you need to let other users of the airvpn group use the cuckoo tool, you can simply duplicate the corresponding line in /etc/security/capability.conf and adapt it to your needs.
    Note that in many distributions all of the above will not be necessary but keep it in mind if you find some issue and please feel free to report it.
    At this current alpha stage cuckoo supports "aircuckoo" namespace only, that is the default namespace configured by Bluetit.

    This preliminary alpha version does not provide any option and it is meant to simply run an application inside the traffic split namespace only.
    The usage is straightforward:
    cuckoo program [program options]

     

    The traffic split namespace uses its own routing, network channels and DNS. It will not interfere or communicate in any way with the default namespace where the VPN is running and using its own encrypted tunnel. As for DNS, the traffic split namespace will use default system DNS settings.

    Programs started with cuckoo are regular Linux processes and, as such, can be managed (that is stopped, interrupted, paused, terminated and killed) by using the usual process control tools. The programs started by cuckoo are assigned to the user who started cuckoo.

    As a final note, in order to work properly, the following permissions must be granted to cuckoo and they are always checked at each run.

    • Owner: root

    • Group: airvpn

    • Permissions: -rwsr-xr-x (owner can read, write, execute and setuid; group can read and execute, others can read and execute)

    Note on Web Browsers

     

    Firefox and Chromium will not be able to resolve names in the aircuckoo namespace, not even when you run a unique instance of them inside the network namespace itself, in some Ubuntu systems. We are investigating this behavior. Brave, Opera and Konqueror are not affected by this problem, but please consider that due to how browser instances are tied to each other, you might get unexpected behavior if you run the same browser in both namespaces from the same user.
    For example, if the browser has been started in the default namespace while there is an active AirVPN connection, the traffic will flow to the connected AirVPN server and from the associated VPN IP address from any future apparent instance launched by the same user, and vice-versa. The second instance may detect the first, delegate the task to it and exit, so you will have a new window but not another instance.
    In order to circumvent the issue, at this stage you may take care to run programs in the aircuckoo namespace via cuckoo only from airvpn account, and programs whose traffic must be tunneled from your ordinary account. In other words, to add security, do not add your ordinary account to the airvpn group if you plan to use traffic splitting, so your ordinary account will not be able to run cuckoo by accident.
     

    Download AirVPN Suite 2.0.0 alpha 2:

    https://eddie.website/repository/AirVPN-Suite/2.0-alpha2/AirVPN-Suite-x86_64-2.0.0-alpha-2.tar.gz
    $ sha512sum AirVPN-Suite-x86_64-2.0.0-alpha-2.tar.gz 
    c70f7b553d5489e02233a3e326c175c047c085dac7d4f36289ffc07e0bf0d86c98df4c49f4258d3d83b4fde96c81efbccc394f326260a1ac80d2f7892b825b79  AirVPN-Suite-x86_64-2.0.0-alpha-2.tar.gz

     

    Kind regards & Datalove
    AirVPN Staff
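
The run control directives and the cuckoo file permissions listed in the announcement above, together with the "Cannot open network namespace 'aircuckoo'" error discussed in the earlier reply, can be checked in one pass before running cuckoo. This is an added example, not part of the original posts and not AirVPN's code. It assumes that bluetit.rc holds one "directive value" pair per line with "#" starting a comment, that the namespace is visible under /run/netns, and that the caller supplies the path of the cuckoo binary; all function names are made up for the example.

```shell
#!/bin/sh
# Added example: pre-flight checks for AirVPN Suite traffic splitting.

# rc_get FILE DIRECTIVE DEFAULT -> prints the last value set for DIRECTIVE,
# or DEFAULT when the file is unreadable or the directive is absent.
rc_get() {
    [ -r "$1" ] || { printf '%s\n' "$3"; return 0; }
    awk -v k="$2" -v d="$3" '
        /^[ \t]*#/ { next }                 # assumed comment syntax
        $1 == k && NF >= 2 { v = $2 }
        END { print (v == "" ? d : v) }' "$1"
}

# split_enabled FILE -> success only when allowtrafficsplitting is "on"
# (the announcement gives "off" as the default).
split_enabled() {
    [ "$(rc_get "$1" allowtrafficsplitting off)" = "on" ]
}

# mode_ok "OWNER GROUP OCTALMODE" -> success for root, airvpn, -rwsr-xr-x.
mode_ok() {
    [ "$1" = "root airvpn 4755" ]
}

# preflight RCFILE CUCKOO_PATH -> prints each finding and returns how many
# problems were found (0 means every check passed).
preflight() {
    pf_rc=$1; pf_bin=$2; pf_problems=0
    if ! split_enabled "$pf_rc"; then
        echo "allowtrafficsplitting is not 'on' in $pf_rc"
        pf_problems=$((pf_problems + 1))
    fi
    pf_ns=$(rc_get "$pf_rc" trafficsplitnamespace aircuckoo)
    if [ "$pf_ns" != "aircuckoo" ]; then
        echo "namespace is '$pf_ns'; the alpha cuckoo supports 'aircuckoo' only"
        pf_problems=$((pf_problems + 1))
    fi
    if [ ! -e "/run/netns/$pf_ns" ]; then   # assumed location of the namespace
        echo "namespace '$pf_ns' not found under /run/netns"
        pf_problems=$((pf_problems + 1))
    fi
    if ! mode_ok "$(stat -c '%U %G %a' "$pf_bin" 2>/dev/null)"; then
        echo "'$pf_bin' is not root:airvpn with mode 4755 (-rwsr-xr-x)"
        pf_problems=$((pf_problems + 1))
    fi
    return "$pf_problems"
}

# Usage: sh thisfile.sh run
if [ "${1:-}" = "run" ]; then
    preflight /etc/airvpn/bluetit.rc "$(command -v cuckoo)" && echo "all checks passed"
fi
```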


  15. Hello!
     

    We're very glad to announce a special promotion on our long term Premium plans for the end of Summer or Winter, according to the hemisphere you live in.


     

    You can get prices as low as 2.06 €/month with a three years plan, which is a 70% discount when compared to monthly plan price of 7 €.

     

    If you're already our customer and you wish to stay aboard for a longer period, any additional subscription will be added on top of already existing subscriptions and you will not lose any day.

    Please check plans special prices on https://airvpn.org and https://airvpn.org/buy

    All reported discounts are computed against the 7 EUR/month plan.


    Kind regards & datalove
    AirVPN Staff


  16. Hello!

    It might be relevant to know (just in case) that currently connections from Russia, China, Egypt, UAE may work only with OpenVPN in TCP, to port 53 or 443, in tls-crypt (entry-IP address THREE). OpenVPN over SSH is working too.
    Connections from Iran do not work, no matter the connection mode you try. To Iranian citizens we recommend Tor obfuscated and private bridges. You will need to update your bridge frequently.

    Kind regards
     


  17. @Shitsko  @wnorcus and @pdannolfo  resolved their respective problems which had different causes on the client side and not strictly related to route check. Nothing useful for the readers on this thread unfortunately, we're going to lock the thread and we recommend to follow the suggestion by @OpenSourcerer here above.

    Kind regards



     

  18. Hello!

    Please send the system report. Please see here to do so: https://airvpn.org/forums/topic/50663-youve-been-asked-for-a-support-filesystem-report-–-heres-what-to-do/

    Also, please test a connection with OpenVPN, in TCP and UDP, port 443 and port 53 (all the 4 combinations), to entry-IP address THREE and report whether the problem persists or not. You can change connection mode in Eddie's "Preferences" > "Protocols" window (uncheck "Automatic" to pick a specific connection mode).

    Kind regards


  19. Hello!

    Please send the system report as required by the support team. Please see here to do so: https://airvpn.org/forums/topic/50663-youve-been-asked-for-a-support-filesystem-report-–-heres-what-to-do/

    Also, please test a connection with OpenVPN, in TCP and UDP, port 443 and port 53 (all the 4 combinations), to entry-IP address THREE and report whether the problem persists or not. You can change connection mode in Eddie's "Preferences" > "Protocols" window (uncheck "Automatic" to pick a specific connection mode).

    Kind regards

     


  20. Hello!

    With "same issue" do you all mean that by switching to WireGuard the problem gets resolved, like it happens to the original two posters in July, while it persists with OpenVPN? If so, can you tell us whether the problem persists if you change OpenVPN port (for example from 443 to 53)? Also, it's very important that you attach a system report generated by Eddie.

    Kind regards
     
