Everything posted by Staff
- 
	
	
				ANSWERED how to turn off bluetit and use normal connection
Staff replied to shell23's topic in Troubleshooting and Problems
Hello! Can you please tell us your Linux distribution name and version and send us the Bluetit log taken after the problem has occurred?

    sudo journalctl | grep bluetit

Can you also check whether firewalld is active in your system?

Kind regards
 - 
	Hello! You must always check your facts, before posting publicly on important matters. As far as we can see, according to web searches and AI answers: And of course they are forbidden by the ToS that every AirVPN user accepts. Kind regards
 - 
	
	
				ANSWERED how to turn off bluetit and use normal connection
Staff replied to shell23's topic in Troubleshooting and Problems
Hello! If you have persistent network lock set on /etc/airvpn/bluetit.rc that's expected behavior: the persistent network lock must remain on even after you voluntarily disconnect from the VPN. You may consider disabling it. However, if you turn off Bluetit completely (for example with "sudo systemctl stop bluetit"), network lock will be disabled in any case. The directive managing persistent network lock behavior is "networklockpersist". Kind regards - 
	
	
				ANSWERED AirVPN Suite --air-country option no longer working with GB
Staff replied to BigX's topic in Troubleshooting and Problems
Hello! Thanks a lot, we managed to reproduce the problem, it must be a bug: we are investigating. It occurs when you select country GB (United Kingdom) and you are also in the United Kingdom according to Bluetit detection or your declaration on the run control file. The error message is very misleading. More in general, the error occurs when you declare a country and then you try a connection to that same country with --air-country option.

A fix will require a new quick release, but in the meantime please resolve the problem by editing your /etc/airvpn/bluetit.rc file with any text editor with root privileges. Declare that you are in any country where we have no servers with directive "country". For example:

    country IT

Then restart Bluetit and try again to connect with --air-country gb option and you should see that the problem is resolved.

As an alternative solution, do not set country directive, instead set the following directive, again on your /etc/airvpn/bluetit.rc

    forbidquickhomecountry no

and restart Bluetit.

Kind regards
 - 
	
	
				ANSWERED AirVPN Suite --air-country option no longer working with GB
Staff replied to BigX's topic in Troubleshooting and Problems
@BigX Hello! At first sight this problem seemed not reproducible but we found that there's a non-printable character after gb in your command, at least in the command you published (hopefully it is a faithful copy & paste from your terminal/console), so Bluetit looks for gb<feff> which doesn't exist and prints out the error message, where you can't see the non-printable character after gb. Try to enter a "clean" command and check whether the problem gets resolved. Can you also tell us which char encoding you use in your terminal?

If the problem persists, can you please try also:

    goldcrest --air-connect --air-country "United Kingdom"

Kind regards
 - 
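Added example, not part of the staff reply and not AirVPN code: a shell helper that makes a hidden character such as the one diagnosed in the reply above about --air-country gb visible in a pasted command line. The function names are hypothetical and the sample argument is constructed, assuming the terminal encoded U+FEFF as UTF-8 (bytes ef bb bf).

```shell
#!/bin/sh
# Added example, not AirVPN code; function names are hypothetical.

# Print $1 with every byte outside printable ASCII shown as <hex>.
# Returns 1 when at least one such byte was found, 0 otherwise.
reveal_hidden() {
    printf '%s' "$1" | LC_ALL=C od -An -v -tx1 | awk '
        BEGIN { hex = "0123456789abcdef" }
        {
            for (i = 1; i <= NF; i++) {
                # convert the two hex digits printed by od to a byte value
                b = (index(hex, substr($i, 1, 1)) - 1) * 16 \
                    + index(hex, substr($i, 2, 1)) - 1
                if (b >= 32 && b <= 126) out = out sprintf("%c", b)
                else { out = out "<" $i ">"; bad++ }
            }
        }
        END { print out; exit (bad > 0) }'
}

# Return the argument with every non-printable-ASCII byte removed.
strip_hidden() {
    printf '%s' "$1" | LC_ALL=C tr -cd '\040-\176'
}

# Check every argument of a command line before running it: prints one
# line per affected argument and returns 1 if any argument is not clean.
check_args() {
    status=0; n=0
    for arg in "$@"; do
        n=$((n + 1))
        shown=$(reveal_hidden "$arg") || {
            printf 'arg %d: %s\n' "$n" "$shown"
            status=1
        }
    done
    return "$status"
}

# Constructed sample: "gb" followed by a UTF-8 encoded U+FEFF.
check_args goldcrest --air-connect --air-country "$(printf 'gb\357\273\277')" || true
```
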
	Hello! Unfortunately this is most probably the cause of the problem. Please follow this thread to circumvent the blocks. Each ISP may apply different blocking techniques so a universal solution is not available. You may need to test various connection modes: https://airvpn.org/forums/topic/59479-block-vpn-in-russia/?do=findComment&comment=233388 Kind regards
 - 
	
	
				ANSWERED Make Plex server available externally forever
Staff replied to matteoar1's topic in Troubleshooting and Problems
@PANDABOY Hello! Thank you very much! After your guide has been tested, we are going to split your message in the "How To" forum and make it a guide for Plex remote access via Proxmox on AirVPN. Kind regards - 
	
	
				ANSWERED AEAD Decrypt error: bad packet ID - OpenVPN
Staff replied to alfavpn's topic in Troubleshooting and Problems
@alfavpn Hello! We're glad to know that the problem was solved through WireGuard and smaller MTU. The website you mention does not allow connections from datacenters; for that we're afraid we can't offer any solution. If you need to buy tickets or access train information you have to proceed without a VPN. Kind regards - 
	
	
				ANSWERED AEAD Decrypt error: bad packet ID - OpenVPN
Staff replied to alfavpn's topic in Troubleshooting and Problems
Hello! Eddie runs correctly, the problem that causes the disconnection is related to:

    . 2025.07.26 19:50:30 - OpenVPN > AEAD Decrypt error: bad packet ID (may be a replay): [ #161361 ] -- see the man page entry for --no-replay and --replay-window for more info or silence this warning with --mute-replay-warnings

Decrypt errors hint at forged packets injection attempts (replay attacks), "dirty" line, MTU related problems... as a first attempt, what happens if you switch to WireGuard (you can do it in Eddie's "Preferences" > "Protocols") with an MTU of 1280 bytes? Please change WireGuard interface MTU on Eddie's "Preferences" > "WireGuard" window.

Kind regards
 - 
	
	
				ANSWERED AEAD Decrypt error: bad packet ID - OpenVPN
Staff replied to alfavpn's topic in Troubleshooting and Problems
@alfavpn Hello! Are you running the Eddie version built for macOS Catalina and newer versions? Big Sur is still supported by Eddie. Disconnections could be unrelated to software compatibility, can we see a system report taken after a problem has occurred? Please see here: https://airvpn.org/forums/topic/50663-youve-been-asked-for-a-support-filesystem-report-–-heres-what-to-do/ Kind regards - 
	
	
				Can FBI know any ip connecting to any vpn server ??
Staff replied to DogeX's topic in General & Suggestions
Hello! Yes, this is a famous trial. It is obvious if you think about it and does not require any AirVPN co-operation. If you read all the court papers (publicly available) the alleged criminal was already a primary suspect so FBI worked to show in court that each time a crime was perpetrated through an IP address assigned to AirVPN infrastructure, the suspect was connected to some IP address of AirVPN (even though different, of course). To make things definitely worse for the suspect, he mixed identities, infringing one of the few "golden rules" (stating that you must NEVER mix identities), by connecting to his own bank account and his own iTunes account with real identity from the same AirVPN IP address (the same exit address the crimes were committed from, with strong time correlations)! Compelling clues which, together with another key finding, convinced the court that the suspect was indeed the culprit. Luckily for the justice (and unfortunately, under his point of view!) this criminal committed serious fundamental errors. Yes. But if one mixes identities the hazard remains high. In this case, it was totally unnecessary. It would have been a huge effort to monitor traffic in 24 different jurisdictions and even more datacenters (normally they do not have access to top NSA tech, as far as we know, and anyway the data collection needed to be admissible in court). In reality, once they had a restricted pool of suspects, they just needed to correlate connections to bank, iTunes (+ social media and any service tied to a real identity of the primary suspects) and victims, and the line (usually residential) used by this pool of suspects. Kind regards - 
	Hello! We're very glad to inform you that Hummingbird 2.0.0 for macOS (Mojave or higher version required) is available. Different native versions for Intel and M1/M2/M3/M4 based Mac computers are available for maximum performance. Hummingbird is free and open source released under GPLv3: https://gitlab.com/AirVPN/AirVPN-Suite

Main features

    Lightweight and stand alone binary client supporting both OpenVPN and WireGuard
    No heavy framework required, no GUI
    Small RAM footprint
    Lightning fast
    Based on OpenVPN 3 library fork by AirVPN and WireGuard
    Robust leaks prevention through Network Lock based on pf
    Proper handling of DNS push by VPN servers
    New, more flexible Network Lock

What's new

    linked against OpenVPN3-AirVPN 3.12 library
    all libraries and dependencies have been updated
    added complete WireGuard support by means of the official WireGuard tools provided by its developers. Installation of wg and wireguard-go binaries is currently required, as WireGuard library is not available on macOS. Please check the user's manual (README.md file included in the packages) WireGuard support section for comfortable, step by step instructions.
    new Network Lock related options offering more flexibility. Now you can accept or deny incoming, outgoing or both ICMP-echo packets, and independently you can permit or forbid IPv6 NDP, which is based on ICMPv6. The new options supported by Hummingbird (please check the readme file for additional details) are:
        --allow-ping
        --allow-ipv6ndp
    Apple ARM based systems version is now C++20 compliant (required by Sequoia)

Important note for high speed line users

Because of some architectural specifications and implementation in macOS Hummingbird may warn the user about shortage of buffer space, specifically when connected with the UDP. This condition is signaled by Hummingbird with the below messages in the log:

    UDP send exception: send: No buffer space available
    ERROR: NETWORK_SEND_ERROR

The error is caused by the maximum network sockets size set in macOS, a value usually small and unsuited for modern high speed networks. The solution consists in increasing the maximum allowed size for socket buffers and, in case the problem persists, the number of mbuf clusters. The procedure is simple, please find out all the details in the manual. Open the README.md file with any viewer and consult the "Note on macOS and UDP" section.

Download the software here: https://airvpn.org/macos/hummingbird/

Kind regards & datalove
AirVPN Staff
 - 
	Hello! We're very glad to announce that AirVPN Suite 2.0.0 Release is available. Special thanks to the outstanding community beta testers whose continued support in over a year and a half has been invaluable and decisive to find out and address several, insidious bugs. AirVPN Suite 2.0.0 introduces AirVPN's exclusive per app traffic splitting system, bug fixes, revised code, WireGuard support, and the latest OpenVPN3-AirVPN 3.12 library. Please see the respective changelogs for a complete list of changes for each component of the suite.

The 2.0.0 Suite includes:

    Bluetit: lightweight, ultra-fast D-Bus controlled system daemon providing full connectivity and integration to AirVPN servers, or generic OpenVPN and WireGuard servers. Bluetit can also enforce Network Lock and/or connect the system to AirVPN during the bootstrap
    Goldcrest: Bluetit client, allowing full integration with AirVPN servers, users, keys, profiles as well as generic OpenVPN and WireGuard servers
    Hummingbird: lightweight and standalone binary for generic OpenVPN and WireGuard server connections
    Cuckoo: traffic split manager, granting full access and functionality to AirVPN's traffic split infrastructure
    airsu: a "run and forget" tool to automatically set and enable the user environment for the X.Org or Wayland based ecosystem without any user input

WireGuard support

WireGuard support is now available in Bluetit and Hummingbird. OpenVPN or WireGuard selection is controlled by Bluetit run control file option airvpntype or by Goldcrest option -f (short for --air-vpn-type). Possible values: openvpn, wireguard. New 2.0.0 default: wireguard.

Bluetit run control file (/etc/airvpn/bluetit.rc) option:

    airvpntype: (string) VPN type to be used for AirVPN connections. Possible values: wireguard, openvpn. Default: wireguard

Goldcrest option:

    --air-vpn-type, -f : VPN type for AirVPN connection <wireguard|openvpn>

Suspend and resume services for systemd based systems

For your comfort, the installation script can create suspend and resume services in systemd based systems, according to your preferences, allowing a more proper management of VPN connections when the system is suspended and resumed. The network connection detection code has also been rewritten to provide more appropriate behavior.

Asynchronous mode

A new asynchronous mode (off by default) is supported by Bluetit and Goldcrest, allowing asynchronous connections. Network Lock can be used accordingly in asynchronous connections. Please consult the readme.md file included in every tarball for more information and details.

Word completion on bash and zsh

Auto completion is now available by pressing the TAB key when entering any Goldcrest or Hummingbird option and filename on a bash or zsh interpreter. Auto completion files are installed automatically by the installation script.

AirVPN's VPN traffic splitting

AirVPN Suite version 2.0.0 introduces traffic splitting by using a dedicated network namespace. The VPN traffic is carried out in the default (main) namespace, ensuring all system data and traffic to be encrypted into the VPN tunnel by default. No clear and unencrypted data are allowed to pass through the default namespace. Any non-tunneled network traffic must be explicitly requested by an authorized user with the right to run cuckoo, the AirVPN traffic split manager tool.

AirVPN's traffic splitting is managed by Bluetit and configured through run control directives. The system has been created in order to minimize any tedious or extensive configuration, even to the minimal point of telling Bluetit to enable traffic splitting with no other setting.

In order to enable and control AirVPN's traffic splitting, the below new run control directives for /etc/airvpn/bluetit.rc have been implemented:

    allowtrafficsplitting: (on/off) enable or disable traffic splitting. Default: off
    trafficsplitnamespace: (string) name of Linux network namespace dedicated to traffic splitting. Default: aircuckoo
    trafficsplitinterface: (string) name of the physical network interface to be used for traffic splitting. All the unencrypted and out of the tunnel data will pass through the specified network device/interface. In case this directive is not used and unspecified, Bluetit will automatically use the main network interface of the system and connected to the default gateway. Default: unspecified
    trafficsplitnamespaceinterface: (string) name of the virtual network interface to be associated to the Linux network namespace dedicated to traffic splitting. Default: ckveth0
    trafficsplitipv4: (IPv4 address|auto) IPv4 address of the virtual network interface used for traffic splitting. In case it is set to 'auto', Bluetit will try to automatically assign an unused IPv4 address belonging to the system's host sub-network (/24) Default: auto
    trafficsplitipv6: (IPv6 address|auto) IPv6 address of the virtual network interface used for traffic splitting. In case it is set to 'auto', Bluetit will try to automatically assign an unused IPv6 address belonging to the system's host sub-network (/64) Default: auto
    trafficsplitfirewall: (on/off) enable or disable the firewall in Linux network namespace dedicated to traffic splitting. The firewall is set up with a minimal rule set for a very basic security model. Default: off

AirVPN's traffic splitting is designed in order to minimize any further configuration from the system administrator. To actually enable traffic splitting, it is just needed to set "allowtrafficsplitting" directive to "on" and Bluetit will configure the traffic split namespace with the default options as explained above. When needed, the system administrator can finely tune the traffic splitting service by using the above directives.

Power and limitations

The adopted solution offers a remarkable security bonus in terms of isolation. For example, it gets rid of the dangerous DNS "leaks in" typical of cgroups based traffic splitting solutions. However, the dedicated namespace needs an exclusive IP address. If the system is behind a NAT (connected to a home router for example) this is not a problem, but if the system is not behind any NAT, i.e. it is assigned directly a public IP address, you will need another public IP address for the network namespace dedicated to traffic splitting. You will need to manually set the other public IP address on the trafficsplitipv4 or trafficsplitipv6 directive as the guessing abilities of Bluetit may work only within a private subnet. Please keep this limitation in mind especially if you want to run the Suite with per app traffic splitting on a dedicated or virtual server in some datacenter, as they are most of the times NOT behind any NAT.

Introducing Cuckoo, the AirVPN traffic splitting manager tool

To generate out of the tunnel traffic, any application software must be run inside the "traffic split" namespace by using the dedicated traffic split tool cuckoo which can be run by users belonging to the airvpn group only. It cannot be used by the superuser. The usage is documented in the manual and on the inline help.

The traffic split namespace uses its own routing, network channels and system DNS. It will not interfere or communicate in any way with the default namespace using its own encrypted tunnel.

Programs started with cuckoo are regular Linux processes and, as such, can be managed (stopped, interrupted, paused, terminated and killed) by using the usual process control tools. The programs started by cuckoo are assigned to the user who started cuckoo.

As a final note, in order to work properly, the following permissions must be granted to cuckoo and they are always checked at each run.

    Owner: root
    Group: airvpn
    Permissions: -rwsr-xr-x (owner can read, write, execute and setuid; group can read and execute, others can read and execute)

Special note for snap packages users

Snap is a controversial, locking-in package management system developed by Canonical and praised by Microsoft. It packages applications as snaps, which are self-contained units that include all necessary dependencies and run in a sandboxed environment in its default namespace. Therefore, "snap" applications will bypass the order by the system via Cuckoo to have an application running in one specific namespace created for reverse traffic splitting. As a result, snap applications will jettison the Suite's reverse traffic splitting feature. Currently, you must avoid snap packages of those applications whose traffic must flow outside the VPN tunnel. The issue is particularly relevant ever since Ubuntu migrated certain packages exclusively to Snap, such as Chromium and Firefox. At the moment it is still possible to eradicate snap from various distributions, including Ubuntu, quickly.

Special note for firewalld users

Please read here, it's very important: https://airvpn.org/forums/topic/70164-linux-network-lock-and-firewalld/

AirVPN Switch User Tool Airsu

Running an application in a graphical environment requires a user having a local environment properly set, in particular variables and access to specific sockets or cookies. They are usually set at the moment of graphical login, while they may not be properly set in case a user logged in by using the system tool su. In this specific case the user will not probably be allowed to access the graphical environment, so any GUI application will not start.

AirVPN’s airsu is used for this specific purpose and configures the user environment to the current X.Org (X11) or Wayland based manager, thus allowing access to GUI applications when run through cuckoo.

Note on GUI software and Web Browsers

Complete compatibility with both X11 and Wayland based environments has been implemented. Because of the specific Linux architecture and namespaces, some applications may need to specify the graphical environment in order to start and use the currently selected window manager on an X.Org (X11) or Wayland based habitat. Cuckoo can automatically do this by “injecting” predefined options to some preset applications, in particular those based on the chromium engines, most of them being web browsers. To see the list of predefined applications, please start cuckoo with --list-preset-apps option.

When running an application with cuckoo, the user should make sure to actually start a new instance. This is usually granted by starting an application from the command line (such as running it with cuckoo). By starting an application from the desktop environment this may not happen.

Download AirVPN Suite 2.0.0

The Suite is available in various flavors: ARM 64 bit, ARM 64 bit legacy, ARM 32 bit, ARM 32 bit legacy, x86-64 and x86-64 legacy. Download page: https://airvpn.org/linux/suite/

Changelog and source code

Changelog for each component is available inside each package and on GitLab. Source code is available on GitLab: https://gitlab.com/AirVPN/AirVPN-Suite

Kind regards and datalove
AirVPN Staff
 - 
	No, they are strictly forbidden, as you might already know from the ToS. Instead of opening an account to complain on community forums, which is useless if we miss the message, please contact abuse@airvpn.org and provide evidence and any information relevant to enable the department to end the abuse. Do not forget to include the targeted IP address or addresses. Kind regards
 - 
	Hello! You'll be able to avoid any problem by fixing your unit files according to our previous directions. An updated recap after extensive tests and gdb debugging which shows no problems and no crashes (again, provided that the modifications have been implemented).

1. Change permissions of /etc/airvpn.org into 755 (default is 660) to avoid systemd errors (you must have already done this, or you have used proper directives in the unit file, otherwise Bluetit wouldn't start at all but we repeat it for reader's comfort)

    chmod 755 /etc/airvpn

2. Add the following directives in Bluetit unit file:

    KillSignal=SIGTERM
    SendSIGKILL=no

to prevent systemd from sending an expected SIGKILL to Bluetit

3. Consider defining the dependency and sequence criteria (systemd correctly warns you that you have not defined them, so it does not know when to start the unit). Example (taken from the default Bluetit unit file):

    After=network-online.target firewalld.service ufw.service dbus-daemon.service dbus.socket
    Wants=network-online.target firewalld.service ufw.service dbus-daemon.service dbus.socket

4. Just in case you will decide to use WireGuard and/or Network Lock, you must allow Bluetit to load kernel modules (WireGuard, iptables, nft, xtables...), so this directive:

    ProtectKernelModules=true

must be deleted or set to false to prevent a critical error.

5. Just in case you will decide to use per app traffic splitting, the following directive must be deleted or set to false

    RestrictNamespaces=true

because per app traffic splitting is based on namespace construction.

Kind regards
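Added example, not from the staff post and not AirVPN code: a shell audit that checks a unit file and the configuration directory against the five points of the recap above. The function names, finding labels and the sample unit are constructed for illustration; for real use pass the actual unit file and the directory named in the post's chmod command.

```shell
#!/bin/sh
# Added example, not AirVPN code. Function names and finding labels are
# hypothetical; the checks mirror points 1-5 of the recap above.

# Print the last value assigned to KEY ($2) in unit file $1, skipping comments.
unit_value() {
    awk -v key="$2" '
        /^[ \t]*[#;]/ { next }
        {
            eq = index($0, "="); if (eq == 0) next
            k = substr($0, 1, eq - 1); v = substr($0, eq + 1)
            gsub(/^[ \t]+|[ \t]+$/, "", k); gsub(/^[ \t]+|[ \t]+$/, "", v)
            if (k == key) val = v
        }
        END { if (val != "") print val }' "$1"
}

# systemd boolean spellings: 1/yes/true/on and 0/no/false/off.
is_true() {
    case $(printf '%s' "$1" | tr '[:upper:]' '[:lower:]') in
        1|yes|true|on) return 0 ;;
    esac
    return 1
}
is_false() {
    case $(printf '%s' "$1" | tr '[:upper:]' '[:lower:]') in
        0|no|false|off) return 0 ;;
    esac
    return 1
}

report() { printf '%s\n' "$1"; found=1; }

# audit_bluetit_unit UNIT_FILE CONFIG_DIR
# Prints one finding per line and returns 1 if there is any finding.
audit_bluetit_unit() {
    unit=$1; dir=$2; found=0
    # 1. Directory mode 755, read from the ls mode string for portability.
    mode=$(ls -ld "$dir" | cut -c1-10)
    [ "$mode" = "drwxr-xr-x" ] || report "dir-mode: $dir is $mode, expected 755"
    # 2. Stop with SIGTERM and do not follow up with SIGKILL.
    [ "$(unit_value "$unit" KillSignal)" = "SIGTERM" ] || report "KillSignal: not SIGTERM"
    is_false "$(unit_value "$unit" SendSIGKILL)" || report "SendSIGKILL: not set to no"
    # 3. Ordering and dependencies must be declared.
    for key in After Wants; do
        [ -n "$(unit_value "$unit" "$key")" ] || report "$key: not defined"
    done
    # 4. Module loading is needed for WireGuard and Network Lock.
    if is_true "$(unit_value "$unit" ProtectKernelModules)"; then
        report "ProtectKernelModules: enabled, blocks kernel module loading"
    fi
    # 5. Namespace creation is needed for per app traffic splitting.
    #    Only the boolean form is checked; namespace-type lists are not evaluated.
    if is_true "$(unit_value "$unit" RestrictNamespaces)"; then
        report "RestrictNamespaces: enabled, blocks traffic splitting"
    fi
    return "$found"
}

# Run the audit on a constructed sample unit (not the shipped Bluetit unit).
demo_findings() {
    tmp=$(mktemp -d) || return 2
    chmod 755 "$tmp"
    cat > "$tmp/sample.service" <<'EOF'
[Unit]
Description=Constructed sample for the audit
[Service]
KillSignal=SIGTERM
ProtectKernelModules=true
RestrictNamespaces=yes
EOF
    rc=0
    audit_bluetit_unit "$tmp/sample.service" "$tmp" || rc=$?
    rm -rf "$tmp"
    return "$rc"
}

demo_findings || true
```
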
 - 
	Hello! Thank you, most probably you are right but please do not cut the log anyway, we want to see it integrally. Kind regards
 - 
	Hello! No, by design: it is intentional. If you need a permanent (surviving reboots) set of rules blocking all traffic (so that by running Eddie and enabling Network Lock you can unblock traffic to the AirVPN servers only) then you must enter the rules yourself, according to the firewall you run on your machine. Kind regards
 - 
	Hello! Can you also send us the complete Bluetit log from the journal? Kind regards
 - 
	Hello! We're sorry to inform you that due to sloppy support by the datacenter provider (Racklot) we have decommissioned the server Metallah. Metallah went down on June the 18th, 2025, because IP addresses were null-routed. After more than a month, in spite of various contacts and solicitations, Racklot still fails to restore the routing. Our patience is over and we're acting accordingly. This was the last server still not supporting IPv6 (again for the laziness and the sloppy behavior of Racklot), so we finally have IPv6 support on every and each server. Kind regards
 - 
	Hello! You have two 10 Gbit/s servers in San Jose (3 Gbit/s full duplex each guaranteed) which usually do not exceed 2+2 Gbit/s on peak times, so according to our stats there's still plenty of bandwidth available there. We will check manually anyway. Kind regards
 - 
	Hello! Does it happen in the same environment described here? https://airvpn.org/forums/topic/66706-linux-airvpn-suite-200-preview-available/?do=findComment&comment=251565 Kind regards
 - 
	Good to know, but it's outside our scope to force users to be rigorous. We offer the option and the proper tools to act rigorously and we try to educate through articles. We can't do much more. That was a very good suggestion but it still remains in a limbo, we will prioritize it when possible. Kind regards
 - 
	It's implemented since 2012 and currently defeats any AI or not AI attempt to disclose users' identity via traffic analysis. Only the global adversary is potentially able to do it, if it exists, but by definition the global adversary can not be defeated in any case, you can only make to it the content of your communications inaccessible, not your real origin and destinations of communications. Difficult to take offense by one who does not even know (or pretends he/she doesn't know) features implemented 13 years ago. Now locking the thread for a few days to avoid trolling anyway. Kind regards
 - 
	@Donwo1995 Hello! There are a couple of wrong assumptions in your scenario: We do not log origin IP addresses according to the ToS and the current legal framework, therefore we can not provide information we do not have. Not really, as ports can be deleted/changed for account inactivity, pool shifts and other actions not involving the user. This problem can be resolved with specific payment methods without intermediaries. On a different, higher priority layer we must make clear that you can't come here, declare publicly an intent of illegal usage of the service by writing from an account that does not even have a valid subscription and then expect that AirVPN aids and abets this illegal usage through additional ad hoc options. If one really claims a criminal intent and comes here to declare it publicly, he/she should not expect help from AirVPN, in fact quite the contrary. Kind regards
 
