Frunobulax 0 Posted ...

I love AirVPN and have been using it for years, but more and more often I have been having trouble with random sites and services not working. I am pretty sure this is because some places are blacklisting AirVPN IP ranges from some servers. I know this is true at least *some* of the time because a few places have errors set up to tell you: "Your IP address is forbidden" or something similar. Sometimes it's just 404s or even general "I failed but I don't know why" stuff.

The reason I assume it's blacklisting is because almost every time, if I just disconnect from one server and reconnect to another and try again, it works fine. Or if I shut off AirVPN and try again over my open ISP connection it works fine. I can't think of any other reason this might be.

For example, I have several email addresses for various reasons. Most of them are at gmail, but a few are at other ISPs. When I try to get all my email, it's a tossup which ones will succeed and which ones will fail. If I'm connected to server A, then email accounts #1, 2, 4, and 6 might work and the others return errors. If I connect to server B, then some that worked before will now not work and others will start working - even different ones at gmail (maybe their mail servers keep separate blacklists?)

This is clearly sub-optimal, not to mention extremely annoying when you have to do it 3-4 times per session, and even then sometimes no server will allow me to access something. If I could find one that works every time, I would stick to it, but apparently it changes all the time as some get blocked and some get unblocked.

The most annoying thing about it is that it's clearly because too many people use AirVPN for evil - spamming, malware, botnets, DOS attacks, whatever. And this is a hard thing for me. On the one hand, I believe in the philosophy of not monitoring or forbidding certain ports or traffic. Free Speech, yay.

On the other hand, if it makes the VPN unusable for me, why bother using it at all? Personally I would be completely fine if AirVPN started blocking some ports that are really only used for evil - or blocking them all by default and then opening up a generous number of them, all of the ones corresponding to legitimate services/activity, including Tor, P2P and whatever else. The alternative would be to monitor for traffic patterns like DOS or botnets or whatever.

I really hope I can keep using AirVPN, but I can't take this for much longer. I may have to go to NordVPN or some other that still provides good protection and privacy but doesn't let EVERYONE do ANYTHING they want. I'm willing to give up a teensy bit of capability for a stable VPN. I can't imagine ever needing to use any malicious services, so I wouldn't be affected.
Staff 10014 Posted ...

9 hours ago, Frunobulax said:
I love AirVPN

Thank you!

Quote:
The most annoying thing about it is that it's clearly because too many people use AirVPN for evil - spamming, malware, botnets, DOS attacks, whatever. And this is a hard thing for me.

Sorry, no. The main problem is that people who don't have any respect for the Internet are so incompetent that they feel forced to block entire IP address ranges (even /24 or /16!) to compensate for their pathological and inexcusable inability to understand how to fix their systems. The fact that such persons end up doing a job for which they are clearly not qualified is one of the disgraces of our times.

Quote:
I really hope I can keep using AirVPN, but I can't take this for much longer. I may have to go to NordVPN or some other that still provides good protection and privacy but doesn't let EVERYONE do ANYTHING they want. I'm willing to give up a teensy bit of capability for a stable VPN. I can't imagine ever needing to use any malicious services, so I wouldn't be affected.

Translation: you beg for traffic inspection. You prefer a monitoring environment because you are a victim of the fantastic narrative (not to call it the paramount lie) enforced by some regimes according to which traffic inspection and data retention will harm only people with criminal intent (and of course "criminal" meaning varies from country to country).

You might find yourself very comfortable and happy with NordVPN, they already send out your personal data from their Android application without your explicit consent, which hints at the fact that it might really be the perfect choice for those who like being profiled or spied on without consent:
https://reports.exodus-privacy.eu.org/en/reports/search/com.nordvpn.android/

And compare it with:
https://reports.exodus-privacy.eu.org/en/reports/search/org.airvpn.eddie/

Mordant regards
Frunobulax 0 Posted ...

Hey, I'm on your side - I completely understand what you mean about incompetent people. I was a UNIX systems administrator for 30 years. I'm hardly a "victim of a narrative". I've been around the block for decades. I know how it is. And I really agree with your dedication to freedom and privacy. I picked AirVPN for very specific reasons, mostly because you "get" those concepts and I trust you to not sell my data. I do not lightly ask that small exceptions be made (nor do I think my request will change anything).

I can see why you might convince yourself that I'm just a clueless random user caught up in some kind of grand conspiracy. But I'm far from that naive. I know well how it is - there's a continuum between usability and security. The more you have of one, the less you have of the other. The only secure system is one that's turned off and in a locked room. I spent years of my life trying to explain to corporate people that you can't have a maximum-security system which also has zero hassles for the user.

But all that being said, the fact is that I need my internet to be usable all the time, not just when it feels like it. I can't spend half my day jumping from server to server to find one that hasn't been blocked by whatever site or app I'm trying to use. The fact is that if a service is so secure that it's unusable, then what's the point in having it at all?

I'm not asking for deep-packet inspection or even any kind of monitoring of content at all. But I believe it is technically possible to improve things by monitoring and throttling certain connections, like DOS attacks, for example. You could monitor outgoing connections, and if one user is making a thousand connection attempts per second to the same port on the same IP for minutes at a time, then maybe shut down that traffic to that port/IP for ten minutes or something. Or throttle it back to ten connection attempts per second or something.

It would be kind of like having cops along the highway who leave you alone unless you're driving like a maniac. And when they pull you over, they don't search your car, ask you where you're going or what you're doing, or even try to sniff for contraband. They just detain you for a while. So it's monitoring of behavior, not content. And maybe if you get enough "tickets" for bad behavior, you are disinvited from using the road at all.

My point is that traffic monitoring is not the same as content monitoring. I would never stand for any content monitoring and I applaud the fact that you don't do any. So I use your service and pay for it. But once again, if it's unusable due to people using it as a base to do shitty things, then it does not remain an attractive option. And it seems to be getting worse over time. How will you prevent all your IP address space from being blocked by everyone, eventually? Would it really be that horrendous if you just did some traffic control? Put up some stop lights along the road without searching the cars? Everyone still has their privacy. They still have their security. But they have a few very light restrictions on misbehaving and creating traffic jams for everyone else.

Regarding NordVPN, I only picked them from the air as an example. I would have to do another thorough search to find another VPN. But I do note that from the reports you linked, none of the NordVPN permissions seem very scary, though I do wonder what the "Appsflyer" tracker is. None of the permissions they ask for seem dangerous to me. And I note that, unlike NordVPN, AirVPN requires access to the files on my SD card, something the report specifically flags as "dangerous". Why do you need access to my files?

At any rate, this is long enough and I know it won't affect your decision, but I felt I should point it out anyway. I note that in your response you neither deny what's happening nor offer any solution beyond "suck it up!". It seems as if you will not take any steps to prevent this situation and the usability of AirVPN will continue to decline due to your stubbornness.
zhang888 1066 Posted ...

Outgoing DOS attacks are hardly a reason for any block, maybe in small case-by-case scenarios, like IDS detection of portscans. The more common datasets used for blocks are based on IP lists, such as: http://getipintel.net

So roughly all IPs belonging to non-residential users will have a likely chance of being blocked. Streaming services like Netflix use it quite successfully to restrict content. Other online giants (Google, FB) use similar datasets to prevent bots and spam.

I hardly believe that any public VPN will have much different results or be completely block-free, such things are technically impossible. To compare, take Tor exit IPs as the most "dirty" ones, and self-hosted VPN where you are the only user as a cleaner example, Air or public VPNs would be somewhere in the middle in terms of blocked content.

Quote:
too many people use AirVPN for evil - spamming, malware, botnets, DOS attacks, whatever.

Fortunately it's not the case, because the abuse policy of various datacenters has its limit of tolerance, and if it was the case more servers would end up being shut down more frequently because of complaints.

Occasional moderator, sometimes BOFH. Opinions are my own, except when my wife disagrees.
Staff 10014 Posted ...

5 hours ago, Frunobulax said:
Regarding NordVPN, I only picked them from the air as an example. I would have to do another thorough search to find another VPN. But I do note that from the reports you linked, none of the NordVPN permissions seem very scary, though I do wonder what the "Appsflyer" tracker is. None of the permissions they ask for seem dangerous to me. And I note that, unlike NordVPN, AirVPN requires access to the files on my SD card, something the report specifically flags as "dangerous". Why do you need access to my files?

Obvious: to read the configuration files. Eddie Android edition works even with profiles taken from any VPN provider based on OpenVPN, including AirVPN profiles. Access to files is granted to "OpenVPN for Android" and any other serious OpenVPN based application, otherwise how could the apps read the OpenVPN configuration file? You can check yourself since Eddie is free and open source software, unlike NordVPN which is closed source.

Kind regards
Staff 10014 Posted ...

5 hours ago, Frunobulax said:
You could monitor outgoing connections, and if one user is making a thousand connection attempts per second to the same port on the same IP for minutes at a time, then maybe shut down that traffic to that port/IP for ten minutes or something. Or throttle it back to ten connection attempts per second or something. My point is that traffic monitoring is not the same as content monitoring. I would never stand for any content monitoring and I applaud the fact that you don't do any. So I use your service and pay for it. But once again, if it's unusable due to people using it as a base to do shitty things, then it does not remain an attractive option. And it seems to be getting worse over time. How will you prevent all your IP address space from being blocked by everyone, eventually? Would it really be that horrendous if you just did some traffic control? Put up some stop lights along the road without searching the cars? Everyone still has their privacy. They still have their security. But they have a few very light restrictions on misbehaving and creating traffic jams for everyone else.

If you have been a UNIX admin for so many years you probably already know how irrelevant in this context is the distinction between stateful packet inspection with retention of metadata including source and destination IP addresses (which is mandatory in your scenario, otherwise no history can be made up to decide arbitrarily what is "malicious" and what is not) and deep packet inspection in this context. What you suggest is stateful packet inspection with blanket data retention, which has been declared as infringing human fundamental rights twice by two very clear decisions of the Court of Justice of the European Union. And that would not even change anything because of the reasons already explained by zhang888.

Kind regards
Frunobulax 0 Posted ...

7 hours ago, Staff said:
If you have been a UNIX admin for so many years you probably already know how irrelevant in this context is the distinction between stateful packet inspection with retention of metadata including source and destination IP addresses (which is mandatory in your scenario, otherwise no history can be made up to decide arbitrarily what is "malicious" and what is not) and deep packet inspection in this context. What you suggest is stateful packet inspection with blanket data retention, which has been declared as infringing human fundamental rights twice by two very clear decisions of the Court of Justice of the European Union. And that would not even change anything because of the reasons already explained by zhang888.

Yes, it would require very brief retention of anonymous connection data, as in, maybe 60 seconds(?), just enough to determine a pattern of events that occur in subsecond amounts of time. And it's not as if the data would be logged or retained anywhere. Keep it in fast cached RAM, never written to a file, log, or drive anywhere. Just make it a very small amount of memory where the oldest gets pushed out as new stuff comes in.

I'm not an expert in this technology, but I'd be very surprised if today's advanced routers didn't keep at least some minuscule amount of information in storage briefly while connections are established, routed, and serviced. I doubt that routers just spew data out and keep zero record of where to expect a response from, on what port, etc. There's a difference between "data retention" as in, logs kept on drives, or personal information, and anonymous connection information stored for a few moments in volatile RAM.

I know I won't convince you, but I do think you're making this sound harder and more terrifying than it is. Being a security and privacy fanatic is one thing, but taking it to such an absurd extent that the system barely works at all seems sub-optimal.
Staff 10014 Posted ...

3 hours ago, Frunobulax said:
Yes, it would require very brief retention of anonymous connection data, as in, maybe 60 seconds(?), just enough to determine a pattern of events that occur in subsecond amounts of time. And it's not as if the data would be logged or retained anywhere. Keep it in fast cached RAM, never written to a file, log, or drive anywhere. Just make it a very small amount of memory where the oldest gets pushed out as new stuff comes in. I'm not an expert in this technology, but I'd be very surprised if today's advanced routers didn't keep at least some minuscule amount of information in storage briefly while connections are established, routed, and serviced.

Of course, and that's vital. It is however different than what you suggested, to inspect traffic in order to find patterns which resemble, according to some arbitrary definition, a "malicious" behavior, and as a consequence enforce packet filtering rules to block that behavior and/or ban a user session.

Think about it: in order to find a pattern you need to monitor all the current activity, compartmentalize it on a user by user basis (to avoid at least a class of false positives when different users access the same service), and compare it with previous activity. Inevitably all of the above involves active logging which leads, amongst other unpleasant things, to a direct correlation between a user and what he/she does, no matter whether you delete such information after a second (but a second in many cases is insufficient to discern a pattern) or a month, as well as a flagrant violation of net neutrality and potential, very serious problems with the mere conduit condition.

It's not acceptable for us, it's not compatible with our mission and anyway, what would such traffic inspection be worth? It would make no difference for the purposes you mention (*), so it would become only a surveillance tool.

(*) As the ongoing dismantlement of the Internet end-to-end principle passes even through the collection and white listing of IP addresses assigned to specific ISPs, especially "residential" ISPs.

Kind regards
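Added example, not part of any post in this thread and not AirVPN's code: the throttle Frunobulax proposes, implemented with per-second counters held only in RAM, so that the state such a detector has to hold (the point Staff raises) is visible. The class and function names, the two-minute default for "minutes at a time", and the sample sessions and addresses are assumptions.

```python
from collections import defaultdict, deque

class ConnAttemptThrottle:
    """Per-session, per-destination connection-attempt throttle (hypothetical)."""

    def __init__(self, max_per_s=1000, sustain_s=120, block_s=600):
        self.max_per_s = max_per_s  # "a thousand connection attempts per second"
        self.sustain_s = sustain_s  # "for minutes at a time" (assumed: 2 minutes)
        self.block_s = block_s      # "ten minutes"
        # key -> deque of [second, count]; RAM only, at most sustain_s buckets
        self.buckets = defaultdict(deque)
        self.blocked_until = {}     # key -> time at which the block lapses

    def observe(self, session_id, dst_ip, dst_port, now):
        """Record one outgoing connection attempt; return True if it is allowed."""
        key = (session_id, dst_ip, dst_port)
        if self.blocked_until.get(key, 0) > now:
            return False
        self.blocked_until.pop(key, None)
        sec = int(now)
        q = self.buckets[key]
        if q and q[-1][0] == sec:
            q[-1][1] += 1
        else:
            q.append([sec, 1])
        while q and q[0][0] <= sec - self.sustain_s:
            q.popleft()             # oldest second falls out of the window
        # Block only when every second of the window reached the threshold.
        if len(q) == self.sustain_s and all(c >= self.max_per_s for _, c in q):
            self.blocked_until[key] = now + self.block_s
            del self.buckets[key]
            return False
        return True

    def expire(self, now):
        """Drop counters for flows idle past the window and blocks that lapsed."""
        for key in [k for k, q in self.buckets.items()
                    if not q or q[-1][0] <= int(now) - self.sustain_s]:
            del self.buckets[key]
        for key in [k for k, t in self.blocked_until.items() if t <= now]:
            del self.blocked_until[key]

    def retained_state(self):
        """Everything held in memory: (session, destination IP, port) tuples."""
        return sorted(set(self.buckets) | set(self.blocked_until))

def simulate():
    """Constructed traffic: s1 floods one destination, s2 connects once a second."""
    t = ConnAttemptThrottle(max_per_s=5, sustain_s=3, block_s=10)
    results = []
    for sec in range(3):
        for i in range(5):
            results.append(t.observe("s1", "203.0.113.10", 25, sec + i / 10))
        t.observe("s2", "203.0.113.10", 443, sec)
    return t, results
```

`retained_state()` lists what the detector keeps until `expire()` runs: one tuple per session and destination, for the well-behaved session as well as the flooding one.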
randomairnoob 0 Posted ...

I find this topic kind of hilarious because you seem to think the problem you are describing is limited to AirVPN, I'm here to give you a fact check.

Let's consider PIA, a few years ago they had serious issues with Cloudflare, that powers around 10% of the web, such that even doing a Google query, or going to a Cloudflare page with high security would trigger a recaptcha. You can use NordVPN, but as the staff suggests, their application collects analytics, and you can read their subreddit to understand just how terrible they are.

What you are describing is a fundamental truth of shared services that isn't limited to the digital world; if you're on a bus, it only takes 1 bad actor to ruin the days of all the other passengers. If this is so unacceptable, I might advise you to forget about VPNs, because let me be very very clear: you must accept the problem you describe, you must accept it can happen on any provider at any time, and you must accept the provider can't do anything to solve this.

If I wanted, I could blocklist AirVPN's IPs within 60 seconds such that no customer can connect to my website. I can buy a list of VPNs/Proxies/TOR nodes and block them all because I dislike that.

As a matter of fact, this thread concludes you're not best suited for having protection of your traffic. Please do disconnect from AirVPN and use your ISP IP and DNS, they'll not only thank you for such data, but you may find it works better. :).
LZ1 673 Posted ...

Hello! And now after an interesting exchange, it got a little too interesting, with insults. Locked. Goodbye!

Hi there, are you new to AirVPN? Many of your questions are already answered in this guide. You may also read the Eddie Android FAQ. Moderators do not speak on behalf of AirVPN. Only the Official Staff account does. Please also do not run Tor Exit Servers behind AirVPN, thank you. Did you make a guide or how-to for something? Then contact me to get it listed in my new user guide's Guides Section, so that the community can find it more easily.