Jump to content
Not connected, Your IP: 35.170.54.171
Guest

ANONYMOUS VPN PROVIDERS? 2016 EDITION (TF)

Recommended Posts

Guest

https://torrentfreak.com/vpn-anonymous-review-160220/

 

1. Do you keep ANY logs which would allow you to match an IP-address and a time stamp to a user of your service? If so, what information and for how long?

 

2. What is the registered name of the company and under what jurisdiction(s) does it operate?

 

3. Do you use any external visitor tracking, email providers or support tools that hold information of your users / visitors?

 

4. In the event you receive a takedown notice (DMCA or other), how are these handled?

 

5. What steps are taken when a valid court order or subpoena requires your company to identify an active user of your service? Has this ever happened?

 

6. Is BitTorrent and other file-sharing traffic allowed on all servers? If not, why?

 

7. Which payment systems do you use and how are these linked to individual user accounts?

 

8. What is the most secure VPN connection and encryption algorithm you would recommend to your users? Do you provide DNS leak protection and tools such as “kill switches” if a connection drops?

 

9. Do you offer a custom VPN application to your users? If so, for which platforms?

 

10. Do you use your own DNS servers?

 

11. Do you have physical control over your VPN servers and network or are they hosted by/accessible to a third party?

 

12. What countries are your servers located in?

 

AIR:

 

1. No, we don’t keep such logs.

 

2. The company is registered in Italy with name “Air”.

 

3. No, we don’t.

 

4. They are ignored, except when they refer to web sites running behind our VPN servers. Due to our service features, it is perfectly possible to run web sites from behind our servers: we also provide DDNS for free to our customers. For these specific cases, we can act similarly to a hosting provider and we verify that the web site is compliant to our Terms of Service. We have had web sites spreading viruses and other malware (verified without any doubt) and we intervened to quickly stop them when we were warned about the issue.

 

5. Since we can’t provide information that we don’t have, an “ex-post” investigation is the only solution, if and when applicable. So far we have had no court orders of this kind.

 

6. Yes, it’s allowed on every and each server. We do not discriminate against any protocol or application and we do not monitor traffic or traffic type.

 

7. We accept Bitcoin, a wide range of cryptocoins, PayPal and major credit cards. About PayPal and credit cards, the usual information pertaining to the transaction and account/credit card holder are retained by the financial institutions, and it is possible to correlate a payment to a user (which is good for refund purposes when required). When this is unacceptable for security reasons, then Bitcoin or some other cryptocoin should be used. Bitcoin can also be provided with a strong anonymity layer simply by running the Bitcoin client behind Tor.

 

8. We would recommend our setup which includes Perfect Forward Secrecy, 4096 bit RSA keys, 4096 bit Diffie-Hellman keys and authentication on both sides not based on username/password. Our free and open source client Eddie (under GPLv3) for GNU/Linux, Windows and OS X, implements features which prevent the typical DNS leaks in Windows and any other leak (for example in case of unexpected VPN disconnection). Leaks prevention, called “Network Lock”, is not a trivial kill-switch, but it prevents various leaks that a classical kill switch can’t block: leaks caused by WebRTC, by programs binding to all interfaces on a misconfigured system and by malevolent software which tries to determine the “real” IP address.

We provide guides, based on firewalls and not, to prevent leaks on various systems for all those persons who can’t or don’t wish to use our client Eddie. Our service setup, based on OpenVPN, is the following:

DATA CHANNEL CIPHERS
AES-256-CBC with HMAC-SHA1 for authentication
CONTROL CHANNEL CIPHERS
AES-256-GCM with HMAC-SHA384 for authentication
AES-256-CBC with HMAC-SHA1 for authentication
4096 bit RSA keys size
4096 bit Diffie-Hellman keys size
TLS Ciphers (IANA names): TLS-DHE-RSA-WITH-AES-256-CBC-SHA, TLS-DHE-RSA-WITH-AES-256-GCM-SHA384
TLS additional authorization layer key: 2048 bit
Perfect Forward Secrecy through Diffie-Hellman key exchange DHE. After the initial key negotiation, re-keying is performed every 60 minutes (this value can be lowered unilaterally by the client)

 

9.Yes, we provide a free and open source application, “Eddie”, released under GPLv3 for GNU/Linux, Windows and OS X. Source code is published on GitHub. This application does not retain connection logs, unless the customer explicitly configures it (for diagnostic purposes for example) to store logs in files.

 

10. Yes, we use our own DNS servers, thanks to which we provide additional services, such as ICE/ICANN censorship bypass as well as OpenNIC and NameCoin integrated names resolution. Unless a customer explicitly picks third-party DNS servers, the client queries never need to get out of the virtual network, with significant privacy enhancement and performance improvement in names resolutions.

 

11. Our servers are housed in datacenters which we have physical access to, provided that the access is arranged in advance for security reasons. Datacenters must comply with some technical and privacy requirements. With rare exceptions, a datacenter must have a PoP to at least one tier1 provider. Without exceptions, datacenter must be network neutral, must provide bandwidth redundancy, minimum uptime of 99.8% and our servers must have a dedicated port and a guaranteed bandwidth.

 

12. We have servers located in Canada, Czech Republic, France, Germany, Hong Kong, Latvia, Lithuania, Netherlands, Portugal, Romania, Singapore, Spain, Sweden, Switzerland, United Kingdom, USA. We only rent lines with guaranteed bandwidth and we have dedicated servers only. They are connected to ports which are adequate to the line bandwidth.

Share this post


Link to post

Nice to read. But these are the same questions as every year. And mostly the same answers. The only interesting thing are the new providers and their answers to the questions.

Share this post


Link to post

Someone has to crowdfund a yearly account campaign on those providers, and then run a few tests with

actual results. The tests should include, at minimum:

 

1) Be able to achieve at least 50% of your ISP bandwidth on a tested node, for a month

2) Seeding most 100 Top downloaded torrents in a specific month

3) Making "unobtrusive" mapping of the internet, such as setting up masscan in HTTP banner mode,

GET / HTTP/1.0 on 0.0.0.0/0, again for 1 month (that is a very slow scan and shouldn't stress the network).

To those who are not into networks, it means scanning all the internet address space (1.0.0.0-255.255.255.255)

and getting a simple response for a simple HTTP request. This may get some automatic abuse letters, but it's a

great test to see if a provider logs your activity. Since this is a very unobtrusive test, the provider does not have to

explain the reason for such traffic  to any 3d party that supplied an automatic email about a single HTTP request.

4) Checking real DNS/WebRTC/IPv6 leaks with the client officially recommended by the provider.

 

There are many more activities you can do in order to test the words mentioned in this article, but these

tests should be totally accepted under any providers ToS I came across so far.

 

The real "winners" list should include the providers that didn't terminate your account after at least one month of

doing steps 1-4 simultaneously.

 

Any volunteers?


Occasional moderator, sometimes BOFH. Opinions are my own, except when my wife disagrees.

Share this post


Link to post

@zhang888

Point number one is particularly difficult since it can fail without the VPN provider having any problems whatsoever. Your ISP can manage to mess that up without any notice or any way to determine the cause.

 

In my case, where I live has exactly one single ISP available. Charter Cable. And I get a whopping 2MB down per second and 320 KB per second up from them, so it would be difficult for even a garbage VPN to fail that. (And yes, those are Mebibyte and Kibibyte numbers, not megabit and kilobit numbers.)

 

Your point number one would make perfect sense if the VPN in question was owned and operated by the ISP itself. But I have never heard of such a case.


Debugging is at least twice as hard as writing the program in the first place.

So if you write your code as clever as you can possibly make it, then by definition you are not smart enough to debug it.

Share this post


Link to post
Guest

I might use that list at some point to replace my current provider who decided to forcibly set ipv6 on their servers and refusing to make it optional so, I like them tho cuz I can use primary in my own country then cascade to another on that list I saw at least 3 or so with locations here not counting PIA don't trust them after I saw the IP changed to Ukraine, but didn't see any with multi-hop/cascading I may have overlooked it tho since I was skimming through it.

Share this post


Link to post

I might use that list at some point to replace my current provider who decided to forcibly set ipv6 on their servers and refusing to make it optional so, I like them tho cuz I can use primary in my own country then cascade to another on that list I saw at least 3 or so with locations here not counting PIA don't trust them after I saw the IP changed to Ukraine, but didn't see any with multi-hop/cascading I may have overlooked it tho since I was skimming through it.

 

This does not make any sense, sorry.

If your ISP or VPN provider forcefully push you IPv6 routes, you can either:

 

1) Ignore these routes by setting a manual IPv6 in your network interface, if you wish so

2) Disalbe all IPv6 traffic with any software firewall provided by your OS, either Windows

Firewall, ip6tables (Linux), or PF (BSD/OSX)

3) Completely disable your IPv6 network adapter

 

 

I don't believe that IPv6 is a big "loss" in 2016. I could find zero useful websites or services who

provide content on IPv6 only, most of them have a fallback to IPv4 and they run dual-stack.

This means that even without IPv6, you can still enjoy the majority of the meaningful part of the

internet, without any connectivity issues. I believe Air shares the same view as mine.

I am not against IPv6, this is indeed the future, however not the near future because of the

large complexity of things. The internet is managed by administrators like us, it is still much

easier to remember 12.34.56.78 other than 2001:db8:dead:dead:dead:dead:beef:1.

No admin will admit it openly, but this is the real issue why IPv6 is still not widely used

We need better memory for this sort of thing, I hope this will be delayed until after I retire.


Occasional moderator, sometimes BOFH. Opinions are my own, except when my wife disagrees.

Share this post


Link to post
Guest

 

I might use that list at some point to replace my current provider who decided to forcibly set ipv6 on their servers and refusing to make it optional so, I like them tho cuz I can use primary in my own country then cascade to another on that list I saw at least 3 or so with locations here not counting PIA don't trust them after I saw the IP changed to Ukraine, but didn't see any with multi-hop/cascading I may have overlooked it tho since I was skimming through it.

 

This does not make any sense, sorry.

If your ISP or VPN provider forcefully push you IPv6 routes, you can either:

 

1) Ignore these routes by setting a manual IPv6 in your network interface, if you wish so

2) Disalbe all IPv6 traffic with any software firewall provided by your OS, either Windows

Firewall, ip6tables (Linux), or PF (BSD/OSX)

3) Completely disable your IPv6 network adapter

 

 

I don't believe that IPv6 is a big "loss" in 2016. I could find zero useful websites or services who

provide content on IPv6 only, most of them have a fallback to IPv4 and they run dual-stack.

This means that even without IPv6, you can still enjoy the majority of the meaningful part of the

internet, without any connectivity issues. I believe Air shares the same view as mine.

I am not against IPv6, this is indeed the future, however not the near future because of the

large complexity of things. The internet is managed by administrators like us, it is still much

easier to remember 12.34.56.78 other than 2001:db8:dead:dead:dead:dead:beef:1.

No admin will admit it openly, but this is the real issue why IPv6 is still not widely used

We need better memory for this sort of thing, I hope this will be delayed until after I retire.

 

I'm sorry if what I said was confusing, no my ISP does not force IPv6 my VPN provider does, and it's not a loss, but what I like about Air they give a choice my other provider litterally forces it because after their last update IPv6 was forced without it you couldn't connect to their servers and yes I had IPv6 disabled I had to enable it. I'm a gamer so I need to either make my IP public(definitely not an option lol) or have a server here to play since games are region locked.

Share this post


Link to post

Hello!

 

AirVPN is the most badass when it comes to technical answers, haha.I love that about AirVPN.

I love the professionalism of the staff too. They always seem cool, composed, professional and highly knowledgeable about technology; yet at the same time helpful.

On bestvpn.com AirVPN wrote in to correct a reviewer in regards to SHA1 vs SHA1 HMAC, haha. It was quite epic.


Moderators do not speak on behalf of AirVPN. Only the Official Staff account does. Please also do not run Tor Exit Servers behind AirVPN, thank you.
Did you make a guide or how-to for something? Then contact me to get it listed in my new user guide's Guides Section, so that the community can find it more easily.

Share this post


Link to post

Join the conversation

You can post now and register later. If you have an account, sign in now to post with your account.
Note: Your post will require moderator approval before it will be visible.

Guest
Reply to this topic...

×   Pasted as rich text.   Paste as plain text instead

  Only 75 emoji are allowed.

×   Your link has been automatically embedded.   Display as a link instead

×   Your previous content has been restored.   Clear editor

×   You cannot paste images directly. Upload or insert images from URL.

Loading...
  • Security Check
    Play CAPTCHA Audio
    Refresh Image

×
×
  • Create New...