Staff

@OpenSourcerer Hello! There is some confusion on a few Linux concepts and architectural design in your last message which would require some longer explanation or a course-like series of articles. We're afraid that this thread could go off rails and on a long question/answer/question/answer "ping pong" which might be detrimental to the original purpose: community testing and bug reporting. Please feel free to ask your questions on some other forum, for example in "Off Topic" community forum and we'll do our best to explain, or maybe someone from the community will explain even better. We want to leave this thread (remember we're in "News and announcement") aimed at AirVPN Suite 2 preview version(s) community testing and bug reporting, thank you in advance for your understanding. 😉 Kind regards

Hello! That output is correct, and it does not imply what you assume, but only that the program you have just launched runs in an ambient which does not have the specified vector raised. For your verification see our previous command, or just verify for each user the capability. Example (as root): capsh --user=<username> --has-p=CAP_SYS_ADMIN ; echo $? It will exit with status 1 if the ambient vector has not that capability, it will exit with status 0 if it has. Please note that the whole new Suite would work anyway, in all the distributions we tested, if the installer doesn't edit /etc/security/capability.conf but we deem that this is a nice feature anyway, as it might be useful in some obscure distribution, and it adds clarity. We can't: nsenter links the process you run to some existing PID, making it a child of some already existing process in the namespace, so nsenter has different usage for quite different purposes. Yes, that obsolete paper anyway confirms how good this implementation is. Our use case is exactly one of the few perfectly proper, correct and needed "usages" of CAP_SYS_ADMIN without doubts. Additionally, all the worries of the original writer have been properly addressed, as explained (we paste here to readers' comfort again): addressing the issues raised by Eklektix and Kerrisk and others. To clarify: verify with ps. Kind regards

Hello and thank you for your tests! Can you please make sure that you have the following directive in /etc/airvpn/bluetit.rc allowtrafficsplitting on If this is missing you will get that error message. We will make that error message more explicative during the alpha stage. Please let us know whether the problem is caused by the missing directive or not. Kind regards

Hello! The critical error is caused by the Express VPN interface. You can fix the problem very quickly. Please see here, this solution applies identically to you: https://airvpn.org/forums/topic/56643-stuck-in-a-broken-route-never-connects/?do=findComment&comment=225323 Kind regards

Hello! Any user in any Linux distribution can run a process with CAP_SYS_ADMIN capability. The installation script makes sure that "airvpn" has that ability too, just in case some distribution erroneously has not set the ability to airvpn. You can check for example with: sudo capsh --print --user=<any existing user> As you might have read, traffic splitting in this implementation relies on namespaces, so CAP_SYS_ADMIN is strictly necessary for setns() - immediately after, setuid is disabled. On top of that cuckoo drops all setuid privileges and sets those of the user running it. Verify this trivially as a cross/double-check during the tests. We can't understand your point in this case. Anyway, we would be reluctant too but for a very different reason, i.e. is it appropriate to prepare an AUR package with "beta" in its name for a software which is not beta but alpha? Kind regards

Hello! Please see here for an explanation and a quick solution: https://airvpn.org/forums/topic/56657-cant-connect-to-anything/?do=findComment&comment=225418 Kind regards

Hello! You have forced a connection in IPv6 only. Maybe your ISP does not support it, or blocks UDPv6. As a first attempt please go back to IPv4 and try again. In "Preferences" > "Networking" change the "Protocol used for connection" combo box back to "IPv4, IPv6" (the original setting). You will have anyway IPv6 over IPv4 so you'll not lose IPv6. Kind regards

Hello! Strange but reproducible. We confirm it, we just tested. A matter for qBittorrent developers, probably. Kind regards

Hello! It looks like your listening program listens to IPv6 addresses only, can you please check? Example: in qBittorrent, "Preferences" > "Advanced" window, verify the "Optional IP addresses to bind to" box and test with "IPv4 addresses only" as well as "All IP addresses" (which should be the default setting and might cause the observed behavior). Kind regards

Hello! We're very glad to inform you that AirVPN Suite version 2.0.0 alpha 1 is now available. UPDATE 2023-11-24: version 2.0.0 alpha 2 is now available. UPDATE 2024-05-14: version 2.0.0 beta 1 is now available. UPDATE 2024-12-16: version 2.0.0 beta 2 is now available. UPDATE 2025-02-13: version 2.0.0 beta 3 is now available. UPDATE 2025-02-14: version 2.0.0 beta 4 is now available. UPDATE 2025-04-04: version 2.0.0 beta 5 is now available. UPDATE 2025-04-16: version 2.0.0 Release Candidate 1 is now available UPDATE 2025-06-10: version 2.0.0 Release Candidate 2 is now available PLEASE NOTE THAT FROM NOW ON COMPATIBILITY WITH DEBIAN 10 AND ITS DERIVATIVES IS LOST, MAINLY BECAUSE THE SUITE IS NOW C++20 COMPLIANT. x86_64 LEGACY VERSION IS SUITABLE FOR DEBIAN 11 AirVPN Suite 2.0.0 introduces AirVPN's exclusive per app traffic splitting system, bug fixes, revised code in order to pave the way towards the final and stable release, WireGuard support, and the latest OpenVPN3-AirVPN 3.12 library. Please see the respective changelogs for a complete list of changes for each component of the suite. The 2.0.0 Release Candidate 1 Suite includes: Bluetit: lightweight, ultra-fast D-Bus controlled system daemon providing full connectivity and integration to AirVPN servers, or generic OpenVPN and WireGuard servers. Bluetit can also enforce Network Lock and/or connect the system to AirVPN during the bootstrap Goldcrest: Bluetit client, allowing full integration with AirVPN servers, users, keys, profiles as well as generic OpenVPN and WireGuard servers Hummingbird: lightweight and standalone binary for generic OpenVPN and WireGuard server connections Cuckoo: traffic split manager, granting full access and functionality to AirVPN's traffic split infrastructure airsu: a "run and forget" tool to automatically set and enable the user environment for the X.Org or Wayland based ecosystem without any user input WireGuard support WireGuard support is now available in Bluetit and Hummingbird. OpenVPN or WireGuard selection is controlled by Bluetit run control file option airvpntype or by Goldcrest option -f (short for --air-vpn-type). Possible values: openvpn, wireguard. New 2.0.0 default: wireguard. Bluetit run control file (/etc/airvpn/bluetit.rc) option: airvpntype: (string) VPN type to be used for AirVPN connections. Possible values: wireguard, openvpn. Default: wireguard Goldcrest option: --air-vpn-type, -f : VPN type for AirVPN connection <wireguard|openvpn> Suspend and resume services for systemd based systems For your comfort, the installation script can create suspend and resume services in systemd based systems, according to your preferences. allowing a more proper management of VPN connections when the system is suspended and resumed. The network connection detection code has also been rewritten to provide more appropriate behavior. Asynchronous mode A new asynchronous mode (off by default) is supported by Bluetit and Goldcrest, allowing asynchronous connections. Network Lock can be used accordingly in asynchronous connections. Please consult the readme.md file included in every tarball for more information and details. Word completion on bash and zsh Auto completion is now available by pressing the TAB key when entering any Goldcrest or Hummingbird option and filename on a bash or zsh interpreter. Auto completion files are installed automatically by the installation script. AirVPN's VPN traffic splitting AirVPN Suite version 2.0.0 introduces traffic splitting by using a dedicated network namespace. The VPN traffic is carried out in the default (main) namespace, ensuring all system data and traffic to be encrypted into the VPN tunnel by default. No clear and unencrypted data are allowed to pass through the default namespace. Any non-tunneled network traffic must be explicitly requested by an authorized user with the right to run cuckoo, the AirVPN traffic split manager tool. AirVPN's traffic splitting is managed by Bluetit and configured through run control directives. The system has been created in order to minimize any tedious or extensive configuration, even to the minimal point of telling Bluetit to enable traffic splitting with no other setting. In order to enable and control AirVPN's traffic splitting, the below new run control directives for /etc/airvpn/bluetit.rc have been implemented: allowtrafficsplitting: (on/off) enable or disable traffic splitting. Default: off trafficsplitnamespace: (string) name of Linux network namespace dedicated to traffic splitting. Default: aircuckoo trafficsplitinterface: (string) name of the physical network interface to be used for traffic splitting. All the unencrypted and out of the tunnel data will pass through the specified network device/interface. In case this directive is not used and unspecified, Bluetit will automatically use the main network interface of the system and connected to the default gateway. Default: unspecified trafficsplitnamespaceinterface: (string) name of the virtual network interface to be associated to the Linux network namespace dedicated to traffic splitting. Default: ckveth0 trafficsplitipv4: (IPv4 address|auto) IPv4 address of the virtual network interface used for traffic splitting. In case it is set to 'auto', Bluetit will try to automatically assign an unused IPv4 address belonging to the system's host sub-network (/24) Default: auto trafficsplitipv6: (IPv6 address|auto) IPv6 address of the virtual network interface used for traffic splitting. In case it is set to 'auto', Bluetit will try to automatically assign an unused IPv6 address belonging to the system's host sub-network (/64) Default: auto trafficsplitfirewall: (on/off) enable or disable the firewall in Linux network namespace dedicated to traffic splitting. The firewall is set up with a minimal rule set for a very basic security model. Default: off AirVPN's traffic splitting is designed in order to minimize any further configuration from the system administrator. To actually enable traffic splitting, it is just needed to set "allowtrafficsplitting" directive to "on" and Bluetit will configure the traffic split namespace with the default options as explained above. When needed, the system administrator can finely tune the traffic splitting service by using the above directives. Power and limitations The adopted solution offers a remarkable security bonus in terms of isolation. For example, it gets rid of the dangerous DNS "leaks in" typical of cgroups based traffic splitting solutions. However, the dedicated namespace needs an exclusive IP address. If the system is behind a NAT (connected to a home router for example) this is not a problem, but if the system is not behind any NAT, i.e. it is assigned directly a public IP address, you will need another public IP address for the network namespace dedicated to traffic splitting. You will need to manually set the other public IP address on the trafficsplitipv4 or trafficsplitipv6 directive as the guessing abilities of Bluetit may work only within a private subnet. Please keep this limitation in mind especially if you want to run the Suite with per app traffic splitting on a dedicated or virtual server in some datacenter, as they are most of the times NOT behind any NAT. Introducing Cuckoo, the AirVPN traffic splitting manager tool To generate out of the tunnel traffic, any application software must be run inside the "traffic split" namespace by using the dedicated traffic split tool cuckoo which can be run by users belonging to the airvpn group only. It cannot be used by the superuser. The usage is documented in the manual and on the inline help. The traffic split namespace uses its own routing, network channels and system DNS. It will not interfere or communicate in any way with the default namespace using its own encrypted tunnel. Programs started with cuckoo are regular Linux processes and, as such, can be managed (stopped, interrupted, paused, terminated and killed) by using the usual process control tools. The programs started by cuckoo are assigned to the user who started cuckoo. As a final note, in order to work properly, the following permissions must be granted to cuckoo and they are always checked at each run. Owner: root Group: airvpn Permissions: -rwsr-xr-x (owner can read, write, execute and setuid; group can read and execute, others can read and execute) Special note for snap packages users Snap is a controversial, locking-in package management system developed by Canonical and praised by Microsoft. It packages applications as snaps, which are self-contained units that include all necessary dependencies and run in a sandboxed environment in its default namespace. Therefore, "snap" applications will bypass the order by the system via Cuckoo to have an application running in one specific namespace created for reverse traffic splitting. As a result, snap applications will jettison the Suite's reverse traffic splitting feature. Currently, you must avoid snap packages of those applications whose traffic must flow outside the VPN tunnel. The issue is particularly relevant ever since Ubuntu migrated certain packages exclusively to Snap, such as Chromium and Firefox. At the moment it is still possible to eradicate snap from various distributions, including Ubuntu, quickly. Special note for firewalld users Please read here, it's very important: https://airvpn.org/forums/topic/70164-linux-network-lock-and-firewalld/ AirVPN Switch User Tool Airsu Running an application in a graphical environment requires a user having a local environment properly set, in particular variables and access to specific sockets or cookies. They are usually set at the moment of graphical login, while they may not be properly set in case a user logged in by using the system tool su. In this specific case the user will not probably be allowed to access the graphical environment, so any GUI application will not start. AirVPN’s airsu is used for this specific purpose and configures the user environment to the current X.Org (X11) or Wayland based manager, thus allowing access to GUI applications when run through cuckoo. Note on GUI software and Web Browsers The previous limitations on browsers have been completely resolved. Furthermore, complete compatibility with Wayland based environment has been implemented. Because of the specific Linux architecture and namespaces, some applications may need to specify the graphical environment in order to start and use the currently selected window manager on an X.Org (X11) or Wayland based habitat. Cuckoo can automatically do this by “injecting” predefined options to some preset applications, in particular those based on the chromium engines, most of them being web browsers. To see the list of predefined applications, please start cuckoo with --list-preset-apps option. When running an application with cuckoo, the user should make sure to actually start a new instance. This is usually granted by starting an application from the command line (such as running it with cuckoo). By starting an application from the desktop environment this may not happen. Download AirVPN Suite 2.0.0 Release Candidate 2 ARM 64 bit: https://eddie.website/repository/AirVPN-Suite/2.0-RC2/AirVPN-Suite-aarch64-2.0.0-RC-2.tar.gz https://eddie.website/repository/AirVPN-Suite/2.0-RC2/AirVPN-Suite-aarch64-2.0.0-RC-2.tar.gz.sha512 ARM 64 bit legacy: https://eddie.website/repository/AirVPN-Suite/2.0-RC2/AirVPN-Suite-aarch64-legacy-2.0.0-RC-2.tar.gz https://eddie.website/repository/AirVPN-Suite/2.0-RC2/AirVPN-Suite-aarch64-legacy-2.0.0-RC-2.tar.gz.sha512 ARM 32 bit: https://eddie.website/repository/AirVPN-Suite/2.0-RC2/AirVPN-Suite-armv7l-2.0.0-RC-2.tar.gz https://eddie.website/repository/AirVPN-Suite/2.0-RC2/AirVPN-Suite-armv7l-2.0.0-RC-2.tar.gz.sha512 ARM 32 bit legacy: https://eddie.website/repository/AirVPN-Suite/2.0-RC2/AirVPN-Suite-armv7l-legacy-2.0.0-RC-2.tar.gz https://eddie.website/repository/AirVPN-Suite/2.0-RC2/AirVPN-Suite-armv7l-legacy-2.0.0-RC-2.tar.gz.sha512 x86-64: https://eddie.website/repository/AirVPN-Suite/2.0-RC2/AirVPN-Suite-x86_64-2.0.0-RC-2.tar.gz https://eddie.website/repository/AirVPN-Suite/2.0-RC2/AirVPN-Suite-x86_64-2.0.0-RC-2.tar.gz.sha512 x86-64 legacy: https://eddie.website/repository/AirVPN-Suite/2.0-RC2/AirVPN-Suite-x86_64-legacy-2.0.0-RC-2.tar.gz https://eddie.website/repository/AirVPN-Suite/2.0-RC2/AirVPN-Suite-x86_64-legacy-2.0.0-RC-2.tar.gz.sha512 Changelogs Changelogs are available inside each package. Kind regards & Datalove AirVPN Staff

Hello! We're very glad to announce a special promotion on our long term Premium plans for the end of Summer or Winter, according to the hemisphere you live in. You can get prices as low as 2.06 €/month with a three years plan, which is a 70% discount when compared to monthly plan price of 7 €. If you're already our customer and you wish to stay aboard for a longer period, any additional subscription will be added on top of already existing subscriptions and you will not lose any day. Please check plans special prices on https://airvpn.org and https://airvpn.org/buy All reported discounts are computed against the 7 EUR/month plan. Kind regards & datalove AirVPN Staff

Hello! It might be relevant to know (just in case) that currently connections from Russia, China, Egypt, UAE may work only with OpenVPN in TCP, to port 53 or 443, in tls-crypt (entry-IP address THREE). OpenVPN over SSH is working too. Connections from Iran do not work, no matter the connection mode you try. To Iranian citizens we recommend Tor obfuscated and private bridges. You will need to update your bridge frequently. Kind regards

Hello! Currently it is not in our interest to accept it, we are sorry. Kind regards

@Shitsko @wnorcus and @pdannolfo resolved their respective problems which had different causes on the client side and not strictly related to route check. Nothing useful for the readers on this thread unfortunately, we're going to lock the thread and we recommend to follow the suggestion by @OpenSourcerer here above. Kind regards

Hello! Please send us a system report generated by Eddie. Please see here to do so: https://airvpn.org/forums/topic/50663-youve-been-asked-for-a-support-filesystem-report-–-heres-what-to-do/ Kind regards

Hello! Please send the system report as required by the support team. Please see here to do so: https://airvpn.org/forums/topic/50663-youve-been-asked-for-a-support-filesystem-report-–-heres-what-to-do/ Also, please test a connection with OpenVPN, in TCP and UDP, port 443 and port 53 (all the 4 combinations), to entry-IP address THREE and report whether the problem persists or not. You can change connection mode in Eddie's "Preferences" > "Protocols" window (uncheck "Automatic" to pick a specific connection mode). Kind regards

Hello! With "same issue" do you all mean that by switching to WireGuard the problem gets resolved, like it happens to the original two posters in July, while it persists with OpenVPN? If so, can you tell us whether the problem persists if you change OpenVPN port (for example from 443 to 53)? Also, it's very important that you attach a system report generated by Eddie. Kind regards

Hello! We're very sorry, at the moment we support automatic payments only via PayPal and not via Stripe. You may consider, during the next month, to use your credit card via PayPal (no PayPal account needed) and pick "PayPal subscription" payment option. Kind regards

Hello! Your tickets have been received and a reply was added in 8 hours, which is perfectly normal on Sunday. We see that the reply resolved the ticket by accepting your request. You can check your tickets in your "Client Area". Courtesy e-mails are also available if you have linked a valid e-mail address to your account and you don't disable notifications via mail. Kind regards

Understood. In this case we're terribly sorry but it looks like Amazon can not provide any solution. Kind regards

Hello! The VPN server names have changed into <server name>.airservers.org. The old <server name>.airvpn.org has been preserved for the old servers which had it, for backward compatibility and smoother transition. New servers added after the change have only <server name>.airservers.org. As usual, only entry-IP address 1. Kind regards

Hello! Is it not possible to redeem the gift card and credit it to your Amazon account and then use this account to pay on EU Amazon? Kind regards

Hello! We have been informed about an imminent relocation of our VPN servers in London. They will be migrated to a different datacenter. IP addresses will remain the same. Migration will start on Thursday, 14 Sept 2023, 22:00 UTC +1 and will end on Friday, 15 Sept 2023, 06:00 UTC +1 (London Time) Expected Duration: the migration is anticipated to take 8 hours, during which there will be a full interruption of services. We recommend that you connect to different VPN servers (in UK or elsewhere), not located in London, during the mentioned time frame. Kind regards AirVPN Staff

Hello! Apparently not, we're sorry. With our Amazon Seller account, customers are always re-directed to the EU main Amazon sites to process payments, no matter how we interface with it. You will anyway get the language you prefer, of course. Does it cause to you any inconvenience? Kind regards

Just a quick digression on this matter: no, it would not make any difference. Alleged usage of p2p protocols or even usage of p2p to share copyrighted content never causes an IP address to be included in a black list according to our 14 years approaching experience. By blocking torrenting we would also block VoIP, distribution of free and open source software, update systems of various software houses based on p2p and more without touching the problem you mention at all. We would betray our mission for no good side effect at all. Nowadays the main reasons of blocks against VPN IP addresses are a different kind of abuse and, even more importantly, an a priori refusal of connections coming from any privacy enhancing system which hurts personal data harvesting and reselling. We are in the presence of the thorny issue of services that grant access only if the user is willing to give up his or her privacy, be it for personal data harvesting or for definite geo-location for any intellectual monopoly related issue. That said, we also work daily to remove our IP addresses from the most important black lists around the world and we also make an important exception (since AirVPN birth, so it was decided in cold blood and deemed ex ante as the only acceptable violation of Net Neutrality) to the mission by blocking outbound port 25. Only time will tell whether you're right or not: in the last 13 years the amount of ISPs willing to take VPNs on their datacenters has increased significantly. AUP which forbade consumer VPN activity just 7-8 years ago have been rewritten to allow it (the discrimination remains against Tor in some cases, though). In any case our mission comes first, so it's not a matter to tweak the service and accept disgraceful compromises for us, but it's a matter to either providing the service according to the mission or not providing it at all. The customers and users only will reward or punish our commitments. Kind regards