Jump to content
Not connected, Your IP: 13.58.18.135
avpnhome

AirVPN silently connect me exactly where I did NOT want...

Recommended Posts

I'm pretty baffled here, and kind of shocked.

 

You see, the rule of thumb of using a VPN is to NOT to connect to your own country if possible, especially if you have sensitive data.

 

I'm in Canada, and as such, I have set up my AirVPN connection to specifically use a server in France (fr.vpn.airdns.org).  So, everything was find, and each time I connected, I was connecting to Furud, or another France server.

 

However, as announced lately, AirVPN terminated their France servers contract, and as such, there is no servers in France now.  That's ok, this is legitimate and I understand the why, but what not OK is that now, when I connect to fr.vpn.airdns.org, that point to Saragas, a server where?  Yup, in Canada...

 

So, I do consider this A MAJOR SECURITY/PRIVACY ISSUE.  Not only did AirVPN connect me in my own country, it did so without ANY WARNING, completely silently.

 

That is exactly the type of example of the 'what NOT to do' things, as I can no longer trust AirVPN.

 

It's sad, as I really built some trust when seeing what their team done regarding security issues that came along the way, like when they re-issued VPN keys when vulnerabilities were found, or with their philosophy of thinking that if there is a remote possibility that something could have been compromised, then to assume that it has been (which is exactly how things HAS to be handled, security-wise)!

 

What should have been done?  Sorry, I meant what *MUST* be done, is to stop providing DNS records to fr.vpn.airdns.org.  So, this mean that my router would have given an error, and I would no longer be able to connect to AirVPN, but this is exactly what I would have expected.  This way, I would have investigated, and found out the issue.  What happen however is probably the worst thing that could happen.

 

So, AirVPN, please fix this NOW!  Remove fr.vpn.airdns.org from DNS records if there are no servers in France.

Share this post


Link to post

Hello!

 

What a way to overreact. If you think that's the worst that could've happened, then I'm inclined to think you live in a very safe world indeed . I think if this is what it takes to apparently completely ruin your trust in AirVPN, then I wish you good luck in finding another service which equals it. I'm sure that had the VPN not connected and instead thrown an error or something, there would've been an equal number of people posting about how Air "broke their internet" lol.

 

But thank you for notifying us, regardless. It would've been nice if you could also tell us what version of Eddie, if you're using it, you're using and what your OS is.

 

We'll see if the Staff agrees with you about this being such a major security issue.


Moderators do not speak on behalf of AirVPN. Only the Official Staff account does. Please also do not run Tor Exit Servers behind AirVPN, thank you.
Did you make a guide or how-to for something? Then contact me to get it listed in my new user guide's Guides Section, so that the community can find it more easily.

Share this post


Link to post

You misinterpret the official documentation regarding servers entry IP addresses:

https://airvpn.org/topic/14378-how-can-i-get-vpn-servers-entry-ip-addresses/

 

The correct way to resolve strictly country IP addresses is ISO.all.vpn.airdns.org.

Where "ISO" is the ISO-3166-1 format for country name prefixes, i.e.:

 

United Kingdom: gb.all.vpn.airdns.org

Germany: de.all.vpn.airdns.org

 

And so on.

 

So obviously France would be fr.all.vpn.airdns.org > Which still resolves to 195.154.188.113,

which is the IP of the removed server Thuban, as you noticed.

 

What ISO.vpn.airdns.org provides is the best available server (and not strict entry by country), so

since France was removed the choice was Canada because of various reasons.


Occasional moderator, sometimes BOFH. Opinions are my own, except when my wife disagrees.

Share this post


Link to post

Hello

 

Well, I'm actually connecting using pfSense router, so the configuration is pretty much 'set and forget'.  I would imagine that a Windows client would probably have unlisted France as an option.  Also, if connecting to 'any server', it would have not tried any France router.  If that's the case, then yes, I guess I have an atypical configuration   Still, it's pretty valid, and I guess that any Linux connections in general, using a .ovpn tailored specifically for fr.vpn.airdns.org, would have got the same issue.

 

The thing is that I do not want 'any server', as not only there's the possibility I get connection from my country, but I also found out that some locations are better than other for such things as Torrents in general.

 

Sorry if I looked jumpy, but still, I just found it bold to see that with your experience and knowledge of good security practice, this sort of things was overlooked.  I did not want to bash your services, I do acknowledge all the efforts you are making, and from what I seen elsewhere, I have to say that you are still probably one of the best team for privacy concerns.  You do follow-up every issues, let it be technical or security issues.  And I,m sure that this issue here will be resolved promptly :-)  I'm sorry if I sounded harsh, I'm more the paranoid type of guy on the Internet, and I often barks more than I bite

 

Sure, a few people would have got issues, but probably not that much, as they would have to ask to specifically connect to that specific server to have seen an issue.  And even if so, that probably would have been the right thing to do.

 

I'm not really doing much that could be this critical as to where I do connect, but imagine the scenario if somehow, the Canadian authorities would enforce their VPN server providers to log their incoming connections, and to so without notifying the server's customer (AirVPN in this case).  Then you see why it's best practice to connect in another country, as this give better isolation from a government regime.

 

Best regards

 

Share this post


Link to post

You misinterpret the official documentation regarding servers entry IP addresses:

https://airvpn.org/topic/14378-how-can-i-get-vpn-servers-entry-ip-addresses/

 

The correct way to resolve strictly country IP addresses is ISO.all.vpn.airdns.org.

Where "ISO" is the ISO-3166-1 format for country name prefixes, i.e.:

 

United Kingdom: gb.all.vpn.airdns.org

Germany: de.all.vpn.airdns.org

 

And so on.

 

So obviously France would be fr.all.vpn.airdns.org > Which still resolves to 195.154.188.113,

which is the IP of the removed server Thuban, as you noticed.

 

What ISO.vpn.airdns.org provides is the best available server (and not strict entry by country), so

since France was removed the choice was Canada because of various reasons.

 

 

Well, I'm using a .ovpn I downloaded using the config generator, and I tested it just again now, and when I choose, for example, Canada, I get:

 

# --------------------------------------------------------

# Air VPN | https://airvpn.org | Sunday 27th of November 2016 04:34:17 PM

# OpenVPN Client Configuration.

# AirVPN_Canada_UDP-443

# --------------------------------------------------------

 

client

dev tun

proto udp

remote ca.vpn.airdns.org 443

...

 

Regards :-)

Share this post


Link to post

That is correct, the config generator will use that prefix, but only when this country is available.

If what you require is a fail-safe option, which will prevent the issue you described, the correct

record should have been fr.all.vpn.airdns.org.

 

This actually proves the point that the ISO.vpn.airdns.org is more of a long-term solution, which

will not break even if some country will become unavailable. For that reason a new location will

be available on another server (same applies to pt.vpn.airdns.org).

 

What you require is some strict way of connecting to only servers you hand pick, in which case

I am not sure why do you use DNS at all - the most fail-safe option in your case would be static

resolved IP addresses in the config files.

 

I can't agree with your statement that this issue was overlooked. The main idea behind it is to

still provide safe connectivity, while you can switch to another location in this timeframe.

A fail-open vs. fail-close is a much better approach when no obvious security risk has been determined.


Occasional moderator, sometimes BOFH. Opinions are my own, except when my wife disagrees.

Share this post


Link to post

You are right, though that would be what I would expect from when I generate a config using a country.  There is the option to generate a config from a specific server, and higher, there is an option to generate a config by country, by continent, or by planet...

 

So, could I expect that if I select by planet, and Terra Prime happen to be down, that the connection would be took over by Luna Prime?

 

More seriously, this should not be the way it is.  If in the first place, I select by a specific location, and that location is unavailable for any reason, then I think it would be perfectly valid to get no connection.

 

Nowhere does it say 'preferred' connection, not even in the advanced mode.

 

By the way, I tried fr.all.vpn.airdns.org, and I properly got what I expected, getting no connection (actually connecting and getting disconnected).

 

Regards

Share this post


Link to post

Join the conversation

You can post now and register later. If you have an account, sign in now to post with your account.
Note: Your post will require moderator approval before it will be visible.

Guest
Reply to this topic...

×   Pasted as rich text.   Paste as plain text instead

  Only 75 emoji are allowed.

×   Your link has been automatically embedded.   Display as a link instead

×   Your previous content has been restored.   Clear editor

×   You cannot paste images directly. Upload or insert images from URL.

Loading...
  • Security Check
    Play CAPTCHA Audio
    Refresh Image

×
×
  • Create New...