avpnhome 3 Posted ... I'm pretty baffled here, and kind of shocked. You see, the rule of thumb of using a VPN is to NOT to connect to your own country if possible, especially if you have sensitive data. I'm in Canada, and as such, I have set up my AirVPN connection to specifically use a server in France (fr.vpn.airdns.org). So, everything was find, and each time I connected, I was connecting to Furud, or another France server. However, as announced lately, AirVPN terminated their France servers contract, and as such, there is no servers in France now. That's ok, this is legitimate and I understand the why, but what not OK is that now, when I connect to fr.vpn.airdns.org, that point to Saragas, a server where? Yup, in Canada... So, I do consider this A MAJOR SECURITY/PRIVACY ISSUE. Not only did AirVPN connect me in my own country, it did so without ANY WARNING, completely silently. That is exactly the type of example of the 'what NOT to do' things, as I can no longer trust AirVPN. It's sad, as I really built some trust when seeing what their team done regarding security issues that came along the way, like when they re-issued VPN keys when vulnerabilities were found, or with their philosophy of thinking that if there is a remote possibility that something could have been compromised, then to assume that it has been (which is exactly how things HAS to be handled, security-wise)! What should have been done? Sorry, I meant what *MUST* be done, is to stop providing DNS records to fr.vpn.airdns.org. So, this mean that my router would have given an error, and I would no longer be able to connect to AirVPN, but this is exactly what I would have expected. This way, I would have investigated, and found out the issue. What happen however is probably the worst thing that could happen. So, AirVPN, please fix this NOW! Remove fr.vpn.airdns.org from DNS records if there are no servers in France. Quote Share this post Link to post
LZ1 672 Posted ... Hello! What a way to overreact. If you think that's the worst that could've happened, then I'm inclined to think you live in a very safe world indeed . I think if this is what it takes to apparently completely ruin your trust in AirVPN, then I wish you good luck in finding another service which equals it. I'm sure that had the VPN not connected and instead thrown an error or something, there would've been an equal number of people posting about how Air "broke their internet" lol. But thank you for notifying us, regardless. It would've been nice if you could also tell us what version of Eddie, if you're using it, you're using and what your OS is. We'll see if the Staff agrees with you about this being such a major security issue. 3 User of AirVPN, RidersoftheStorm and Khariz reacted to this Quote Hide LZ1's signature Hide all signatures Hi there, are you new to AirVPN? Many of your questions are already answered in this guide. You may also read the Eddie Android FAQ. Moderators do not speak on behalf of AirVPN. Only the Official Staff account does. Please also do not run Tor Exit Servers behind AirVPN, thank you. Did you make a guide or how-to for something? Then contact me to get it listed in my new user guide's Guides Section, so that the community can find it more easily. Share this post Link to post
zhang888 1066 Posted ... You misinterpret the official documentation regarding servers entry IP addresses:https://airvpn.org/topic/14378-how-can-i-get-vpn-servers-entry-ip-addresses/ The correct way to resolve strictly country IP addresses is ISO.all.vpn.airdns.org.Where "ISO" is the ISO-3166-1 format for country name prefixes, i.e.: United Kingdom: gb.all.vpn.airdns.orgGermany: de.all.vpn.airdns.org And so on. So obviously France would be fr.all.vpn.airdns.org > Which still resolves to 195.154.188.113,which is the IP of the removed server Thuban, as you noticed. What ISO.vpn.airdns.org provides is the best available server (and not strict entry by country), sosince France was removed the choice was Canada because of various reasons. Quote Hide zhang888's signature Hide all signatures Occasional moderator, sometimes BOFH. Opinions are my own, except when my wife disagrees. Share this post Link to post
avpnhome 3 Posted ... Hello Well, I'm actually connecting using pfSense router, so the configuration is pretty much 'set and forget'. I would imagine that a Windows client would probably have unlisted France as an option. Also, if connecting to 'any server', it would have not tried any France router. If that's the case, then yes, I guess I have an atypical configuration Still, it's pretty valid, and I guess that any Linux connections in general, using a .ovpn tailored specifically for fr.vpn.airdns.org, would have got the same issue. The thing is that I do not want 'any server', as not only there's the possibility I get connection from my country, but I also found out that some locations are better than other for such things as Torrents in general. Sorry if I looked jumpy, but still, I just found it bold to see that with your experience and knowledge of good security practice, this sort of things was overlooked. I did not want to bash your services, I do acknowledge all the efforts you are making, and from what I seen elsewhere, I have to say that you are still probably one of the best team for privacy concerns. You do follow-up every issues, let it be technical or security issues. And I,m sure that this issue here will be resolved promptly :-) I'm sorry if I sounded harsh, I'm more the paranoid type of guy on the Internet, and I often barks more than I bite Sure, a few people would have got issues, but probably not that much, as they would have to ask to specifically connect to that specific server to have seen an issue. And even if so, that probably would have been the right thing to do. I'm not really doing much that could be this critical as to where I do connect, but imagine the scenario if somehow, the Canadian authorities would enforce their VPN server providers to log their incoming connections, and to so without notifying the server's customer (AirVPN in this case). Then you see why it's best practice to connect in another country, as this give better isolation from a government regime. Best regards Quote Share this post Link to post
avpnhome 3 Posted ... You misinterpret the official documentation regarding servers entry IP addresses:https://airvpn.org/topic/14378-how-can-i-get-vpn-servers-entry-ip-addresses/ The correct way to resolve strictly country IP addresses is ISO.all.vpn.airdns.org.Where "ISO" is the ISO-3166-1 format for country name prefixes, i.e.: United Kingdom: gb.all.vpn.airdns.orgGermany: de.all.vpn.airdns.org And so on. So obviously France would be fr.all.vpn.airdns.org > Which still resolves to 195.154.188.113,which is the IP of the removed server Thuban, as you noticed. What ISO.vpn.airdns.org provides is the best available server (and not strict entry by country), sosince France was removed the choice was Canada because of various reasons. Well, I'm using a .ovpn I downloaded using the config generator, and I tested it just again now, and when I choose, for example, Canada, I get: # --------------------------------------------------------# Air VPN | https://airvpn.org | Sunday 27th of November 2016 04:34:17 PM# OpenVPN Client Configuration.# AirVPN_Canada_UDP-443# -------------------------------------------------------- clientdev tunproto udpremote ca.vpn.airdns.org 443... Regards :-) Quote Share this post Link to post
zhang888 1066 Posted ... That is correct, the config generator will use that prefix, but only when this country is available.If what you require is a fail-safe option, which will prevent the issue you described, the correctrecord should have been fr.all.vpn.airdns.org. This actually proves the point that the ISO.vpn.airdns.org is more of a long-term solution, whichwill not break even if some country will become unavailable. For that reason a new location willbe available on another server (same applies to pt.vpn.airdns.org). What you require is some strict way of connecting to only servers you hand pick, in which caseI am not sure why do you use DNS at all - the most fail-safe option in your case would be staticresolved IP addresses in the config files. I can't agree with your statement that this issue was overlooked. The main idea behind it is tostill provide safe connectivity, while you can switch to another location in this timeframe.A fail-open vs. fail-close is a much better approach when no obvious security risk has been determined. Quote Hide zhang888's signature Hide all signatures Occasional moderator, sometimes BOFH. Opinions are my own, except when my wife disagrees. Share this post Link to post
avpnhome 3 Posted ... You are right, though that would be what I would expect from when I generate a config using a country. There is the option to generate a config from a specific server, and higher, there is an option to generate a config by country, by continent, or by planet... So, could I expect that if I select by planet, and Terra Prime happen to be down, that the connection would be took over by Luna Prime? More seriously, this should not be the way it is. If in the first place, I select by a specific location, and that location is unavailable for any reason, then I think it would be perfectly valid to get no connection. Nowhere does it say 'preferred' connection, not even in the advanced mode. By the way, I tried fr.all.vpn.airdns.org, and I properly got what I expected, getting no connection (actually connecting and getting disconnected). Regards Quote Share this post Link to post