Staff

Major system upgrade COMPLETED

It's better to use your regular connection for personal things and use a VPN for everything else in your anonymous life. Also you can use different servers on different devices. Not really sure what the benefit of that is but 3 connections is better than 1!

 

About the only advantage I can see is that your 3 simultaneous vpn connections won't be hammering just one server. By spreading the load over 3 different servers there *may* be a slight performance benefit. Not sure if it'll really be noticeable though considering you still share any server with other users, but more options are better than none. 

 

I was just wondering if there were any other benefits to 3 simultaneous vpn connections that perhaps aren't so obvious - something technical perhaps? 

Link to post

Hello,

New user of around a week.

Thanks for the comprehensive updates on the broken internet.

I do notice that OpenVPN has now released version 2.3.3, however AirVPN is hosting the 2.3.2 quickfix

I grabbed the latest 2.3.3 I001 from openvpn.org when I read the news.

Any reason I shouldn't prefer it to the AirVPN bundled one?

 

thanks for a great service.

Link to post

 

Nice

 

What is the current DH parameter size? It is not mentioned on the website.

 

Hello!

 

2048 bit keys, currently.

 

 

And how about TLS 1.2 support? OpenSSL may not be vulnerable to attacks on TLS 1.0, but TLS 1.2 supports SHA-2.

SHA-1 is in progress of deprecation by MS: http://blogs.technet.com/b/pki/archive/2013/11/12/sha1-deprecation-policy.aspx

NIST advises against SHA-1: http://www.zdnet.com/nist-makes-a-hash-of-sha-1-ban-7000025980/

This may be less worrisome in the VPN/OpenSSL context, but it's best to stay ahead instead of becoming a cat and mouse game.

 

So what...? The Control Channel cipher is HMAC SHA1, not SHA1. SHA1 is the underlying hash verification. Deprecation has nothing to do with it. It is well known that SHA1 should never be used as a security cipher and OpenVPN does not use it. In HMAC SHA1 we don't even have to care at all about SHA1 hash collisions. In order to inject forged packets in your traffic flow, an attacker should first break every single upper layer, starting from HMAC which is extremely robust, and THEN try hash collisions.

 

Kind regards

 

Thanks, my router has an OpenVPN server, but its DH parameters are only 512 bit. It's possible to change through Telnet/SSH but it doesn't work very well and is gone after a reboot.

 

Ah good to know.

Link to post
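
The HMAC-versus-collisions point made in the post above, as an added example that is not part of the original thread or of OpenVPN's or AirVPN's code. SHA-1 truncated to 32 bits stands in for a hash whose collisions are cheap to find, and the key and messages are constructed: a collision in the bare hash does not carry over to the keyed HMAC tags.

```python
import hashlib
import hmac
import itertools

BLOCK = 64                      # SHA-1 block size in bytes
KEY = b"constructed-demo-key"   # constructed sample key, not a real tls-auth key

def h(data: bytes, n: int = 4) -> bytes:
    """SHA-1 truncated to n bytes; n=4 is a deliberately weak 32-bit toy hash."""
    return hashlib.sha1(data).digest()[:n]

def find_collision(n: int = 4):
    """Birthday search: two different messages with the same n-byte hash."""
    seen = {}
    for i in itertools.count():
        msg = b"packet-%d" % i          # constructed sample messages
        digest = h(msg, n)
        if digest in seen:
            return seen[digest], msg
        seen[digest] = msg

def hmac_over(key: bytes, msg: bytes, n: int = 4) -> bytes:
    """HMAC construction (RFC 2104) over h(); assumes len(key) <= BLOCK."""
    padded = key.ljust(BLOCK, b"\x00")
    ipad = bytes(b ^ 0x36 for b in padded)
    opad = bytes(b ^ 0x5C for b in padded)
    return h(opad + h(ipad + msg, n), n)

def tag_sha1(key: bytes, msg: bytes) -> bytes:
    """Real HMAC-SHA1 tag from the standard library."""
    return hmac.new(key, msg, hashlib.sha1).digest()

def verify(key: bytes, msg: bytes, tag: bytes) -> bool:
    """Receiver-side check: recompute the tag and compare in constant time."""
    return hmac.compare_digest(tag_sha1(key, msg), tag)

if __name__ == "__main__":
    m1, m2 = find_collision()
    print("hash collision:", m1, m2, h(m1).hex(), h(m2).hex())
    print("HMAC tags     :", hmac_over(KEY, m1).hex(), hmac_over(KEY, m2).hex())
    print("tag for m1 accepted on m2?", verify(KEY, m2, tag_sha1(KEY, m1)))
```

With `n=20` the hand-built `hmac_over` produces the same bytes as the library's HMAC-SHA1, which confirms the construction used for the toy hash is the real one.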

Thank you for the Update 


Link to post

You guys simply rock... What a dream world will be if only half of the companies around the world would take seriously the product they sell to their clients the same way you do.

Link to post

There are obvious advantages to having 3 simultaneous connections (albeit this is already possible if your router is vpn enabled), but can anyone please answer what advantages would there be in having your simultaneous connections on different servers?

Maybe just to help spread the load?

Link to post

Thanks for the heads up.  Been with Airvpn for two years now and the service has been superb.  Welcome news re the 3 connections.  Thank you.

Link to post

Thank you to all the amazing AirVPN staff for the continuing hard work and dedication to making this the best VPN service anywhere, and creating and maintaining the best forum community on the net. Kudos to you all.

I think the best mostly irrelevant comment was from ZPK Z : Never been this happy about downtime   <-- I couldn't agree more.

2nd mention goes to foxbat for the comment: I think I'm going to wet myself.....ooops too late.  .....ROFL.

Warm regards to all, meet you at the config server in a few hours ...hahaha!

Jessez

Link to post

Well, while I was cleaning out all the old AirVPN config files and keys and whatnot, I had a thought that might help a few that are worried about downloading the new info in the clear (Some info may still go in the clear between vpn servers, but it will help minimize risk). There is a plugin for Chrome (ium) called ZenMate. It's basically a browser based VPN plugin/service (and doesn't have any system-wide option). Also while it is still somewhat in testing there is no fee to use it. You can find it in the Chrome extensions gallery. They have a Zurich server as an option, so I'd recommend that to anyone wanting to try getting the new AirVPN config, keys, etc, when they are available after the upgrade is complete. I have tested the extension a few times over the last few weeks and found it to be solid, and reliable at not exposing my true IP address.

Insert usual disclaimer here, use at your own risk, and take whatever other precautions that help protect you and your data.

There are a couple of Android VPN apps that advertise no fees, but I don't know anything about them or whether their claims are true. Use with caution if you choose to go that route.

Anyway, all anyone needs is one server and the new keys, etc from AirVPN, then get hooked back into AIR and get the remainder of what you want.

Warm regards,

Jz 

Link to post

Customers running any other OpenVPN wrapper or OpenVPN will need to re-download configuration, certificates and keys files.

 

Additional information for customers running manually configured wrappers:

  • the "TLS-Cipher" or equivalent name in your configuration becomes: TLS-DHE-RSA-WITH-AES-256-CBC-SHA
  • in Tomato, DD-WRT, pfSense, Fritz!Box etc., the client certificate, the server certificate, the client key and the TLS key must be pasted again (after they have been generated and downloaded from the Configuration Generator as usual) in the appropriate fields of your configuration

Sorry for not knowing a whole lot about this.

But does this mean, that if I use tunnelblick from a mac, I have to uninstall and reinstall tunnelblick, in the same manner that I installed it in the first place?

Tunnelblick is not a manually configured wrapper, right?

 

Kind Regards.

Link to post

Will the customer be allowed to generate its own pair of RSA 4096 bit asymmetric keys, thus uploading/sharing to/with airvpn.org site his public RSA key only?

This fact would ensure the highest level of security. In fact, as long as airvpn.org knows both RSA asymmetric keys (i.e.: public and private) there's no guarantee of real privacy.

Right?

 

Edo

Link to post

Tunnelblick users need to re-generate certificates, configuration files and keys, just like users of any other OpenVPN wrapper (except the Air client) need to do.

 

Kind regards

Link to post

UPGRADE IS IN PROGRESS.

 

You can already download the new configuration files (which include new keys and certificates) if you wish so.

 

Kind regards

Link to post

Thanks a lot,

I can't see Crucis server anymore though.

why?

 

 

Hello!

 

We're glad to inform you that upgrade completed successfully!

 

Kind regards

Link to post

Well, while I was cleaning out all the old AirVPN config files and keys and whatnot, I had a thought that might help a few that are worried about downloading the new info in the clear (Some info may still go in the clear between vpn servers, but it will help minimize risk).

 

 

Hello!

 

No, wait, the download of keys and certificates is NOT in the clear. It's encrypted via HTTPS with TLS up to 1.2 and Perfect Forward Secrecy (with DHE or ECDHE key exchange). Just don't use Internet Explorer 6 or 8 otherwise you will lose FS and TLS 1.2.

 

Kind regards

Link to post

I want to verify something. I've downloaded all new keys, etc. I noticed the post stating:

 

"the "TLS-Cipher" or equivalent name in your configuration becomes: TLS-DHE-RSA-WITH-AES-256-CBC-SHA"

 

I changed the TLS Cipher in DD-WRT's OpenVPN settings to the above and get a TLS error. However, turning this off logs me in fine. Am I misunderstanding that it becomes that on your end and I need to change nothing in DD-WRT, or am I hitting a bug?

Link to post
