Jump to content
Not connected, Your IP: 3.144.31.86
Staff

Eddie Android Edition 2.4 released - ChaCha20 support

Recommended Posts

On 7/31/2019 at 3:57 PM, Staff said:

Hello!

On the server side we run OpenVPN 2.5 to offer ChaCha20-Poly1305 on the Data Channel. OpenVPN 2.5 is still in beta testing, although some key functions are performed by OpenSSL or mbedTLS which are stable, so we mark servers running OpenVPN 2.5 as "Experimental" (you will see them listed with the yellow warning color). OpenVPN 2.4.7 does not support ChaCha20 on the Data Channel so it's a no go (note that OpenVPN 3 is a library with client only, and not server, features).

When OpenVPN 2.5 stable version is released, then ALL of our servers will support ChaCha20 on the Data Channel. Estimated release date is November 2019 according to OpenVPN community. In the meantime please feel free to use ChaCha20 on the experimental servers, of course.

We can expand the network of experimental servers if we receive requests. Currently the servers in Canada and the Netherlands seem enough to support the traffic of clients using ChaCha20, but please let us have your feedback!

Kind regards
 

This is great, and the performance improvements (connection, timeout reductions, battery improvement), are definitely visible.

However, two questions:

When will this be available in the desktop (Mac, Windows), clients?
Are there any plans for wireguard to really squeeze out battery life on mobile phones?

Thanks

Share this post


Link to post
@laowai

 
Quote

This is great, and the performance improvements (connection, timeout reductions, battery improvement), are definitely visible.


Hello!

We're very glad you can confirm the outcome of our tests as well as reports by AirVPN users, also published in this thread. Great!
 
Quote

When will this be available in the desktop (Mac, Windows), clients?


Our roadmap includes availability of OpenVPN 3.3 AirVPN binary, with some client side nice additions to make the experience more comfortable. in the following systems:
  • Linux (binaries for both x86 and ARM processors) during August 2019
  • FreeBSD
  • OpenBSD
in the above order.

Desktop systems with AES-NI full support decrease performance with ChaCha20 encryption/decryption when compared to AES-GCM, so ChaCha20 will not be a favorite choice by those users who already enjoy AES-NI.

Therefore: our priority is releasing binaries which will be particularly useful in ARM based devices, which typically run on Linux or *BSD. ChaCha20 might perhaps provide higher performance (than AES-GCM with AES-NI), with coming (in the near future) CPUs featuring AVX512, it will be interesting to test.

Additionally, in desktop systems you can already run OpenVPN 2.5 beta which supports ChaCha20 on the Data Channel, while on some embedded devices building OpenVPN 2.5 may be out of the ability of the average user. You can even integrate OpenVPN 2.5 beta in Eddie desktop editions, as Eddie can be configured to use any OpenVPN binary file in "Preferences" > "Advanced" > "OpenVPN Custom Path". You then need to add the following custom directives:
ncp-disable
cipher CHACHA20-POLY1305
in "Preferences" > "OVPN directives", and finally connect to one of our experimental servers.
 
Quote


Are there any plans for wireguard to really squeeze out battery life on mobile phones?


By using Wireguard on Android devices, you already have roughly the same battery life you experience with Eddie Android edition which uses OpenVPN 3.3 AirVPN linked against mbedTLS, on equal terms (same bandwidth, traffic, etc.). Please feel free to report back if you experience some discrepancy, i.e. if you see longer battery life with Wireguard.

Anyway we are following Wireguard closely. Currently we need a couple of new, key features, which will probably be implemented before a stable version is released, as developers told us. Without them, implementation in our systems is too problematic. For example, linking static IP addresses to client keys is a heavy threat to privacy, for the reasons we explained in another thread; and lack of TCP support would cut out a remarkable amount of our customers, whose ISPs disrupt UDP.

Kind regards
 

Share this post


Link to post

I have an Android 9.0 TV box with Eddie 2.4 and ChaCha20.  The box is not that powerful, and I was wondering if using a lower level of encryption would achieve higher speeds.
There is no critical information being sent, just IPTV.  Any input is appreciated.

Share this post


Link to post
19 hours ago, ErrHead said:

I have an Android 9.0 TV box with Eddie 2.4 and ChaCha20.  The box is not that powerful, and I was wondering if using a lower level of encryption would achieve higher speeds.
There is no critical information being sent, just IPTV.  Any input is appreciated.


Hello!

Can you please compare ChaCha20 with AES performance and report back? ChaCha20 is strong but even less onerous than AES-128-GCM for non-AES NI supporting machines, as you might have seen in this thread. Difficult to find a cipher that performs better. Your very specific case probably requires no encryption at all from/to the VPN servers, but we do not offer such a solution, we're sorry.

Kind regards
 

Share this post


Link to post

It looks like some of the requests for experimental servers were declined (UK, Switzerland) but I'll go ahead and request a Dallas server just to see.

Could we have a Dallas experimental server for chacha20?  Thanks.

Share this post


Link to post

I'd say, show some patience. Eventually all servers will support it. For now, resent to testing it on the servers which are there to see if there are issues. The faster we know all is well, the faster it gets widespread implementation.


NOT AN AIRVPN TEAM MEMBER. USE TICKETS FOR PROFESSIONAL SUPPORT.

LZ1's New User Guide to AirVPN « Plenty of stuff for advanced users, too!

Want to contact me directly? All relevant methods are on my About me page.

Share this post


Link to post
Posted ... (edited)
4 hours ago, giganerd said:

I'd say, show some patience. Eventually all servers will support it. For now, resent to testing it on the servers which are there to see if there are issues. The faster we know all is well, the faster it gets widespread implementation.


There's no impatience and people are more likely to test if the servers is more useful to them. Edited ... by giganerd
Removed insults. Stay objective, please.

Share this post


Link to post
On 7/19/2019 at 9:33 PM, Staff said:

Hello!

That's correct. You can start Eddie and have it connected to an experimental server with ChaCha20 during your device bootstrap by using a profile. Remember that you can generate a profile from inside the app, you don't necessarily have to rely on the Configuration Generator.
  • Go to "Settings" > "AirVPN" and make sure that you have selected "ChaCha20-Poly1305" as "Encryption algorithm"
  • Open "AirVPN Server" view
  • Locate your favorite experimental server
  • Long-tap on it and select "Add to OpenVPN profile", then confirm
  • Go to "OpenVPN Profile" view, tap the generated profile and confirm
  • When the connection is established,  reboot your device. Eddie will start and connect to that experimental server during your device bootstrap

Kind regards

 
Works perfect!! Thanks!.

OpenVPN has really been sucking the life out of my battery. Can't wait to see how much better this works!

Share this post


Link to post
3 hours ago, Glockdoc said:
Works perfect!! Thanks!.

OpenVPN has really been sucking the life out of my battery. Can't wait to see how much better this works!

Please let us know especially when you use exclusively ChaCha20 cipher.

Kind regards
 

Share this post


Link to post
On 8/27/2019 at 4:35 PM, Staff said:

Please let us know especially when you use exclusively ChaCha20 cipher.

Kind regards
 
After a couple of weeks it seems my battery is lasting about 30% longer....however......I am constantly getting "A VPN error has occured. VPN has been locked and will not be resumed until you start a new connection.". Of course this doesn't happen until after I have been trying to do something online for 30se to a minute.

not sure the extra battery life is worth the aggravation as this didn't happen using Open VPN.

Share this post


Link to post
On 9/5/2019 at 10:49 AM, Glockdoc said:
After a couple of weeks it seems my battery is lasting about 30% longer....however......I am constantly getting "A VPN error has occured. VPN has been locked and will not be resumed until you start a new connection.". Of course this doesn't happen until after I have been trying to do something online for 30se to a minute.

not sure the extra battery life is worth the aggravation as this didn't happen using Open VPN.

I too get this issue.  I think it happens when I have lost cellular reception for a while.  I think Eddie times out trying to reconnect.  It has never happened while I am actually using the phone but when the screen is locked.  When it happens data is locked on the device so i get no email notifations etc..

Share this post


Link to post
Guest

^^^^^
Exactly the same here although I can report this happens on home wifi, one main router & one repeater, whether it's the cross over between the two I'm unable to figure out. Worse still when the connection drops I'm still able to access the internet. When I eventually spot the disconnection from air servers I reconnect, maybe somewhere I've missed a setting which prevents this, shall go back for a look. If anyone can give a pointer as to which setting I may need to change that would be great. Thanks

Share this post


Link to post

Hello!
@Glockdoc
@kbps

You have reported the effect of "VPN Lock" option which is the only safe method to prevent leaks in Android 5-6-7 in case of unrecoverable disconnection. Every time you see a lock, Eddie has saved you from traffic leaks outside the VPN tunnel. You can disable "VPN Lock" in "Settings" > "VPN" view.

When VPN lock is disabled Eddie will re-connect as soon as possible. Note that traffic leaks become possible, just like it happens in any other OpenVPN based application for Android.

If you run Android 8 or 9 you can set proper system options to minimize the likelihood of traffic leaks outside the tunnel, making VPN lock no more necessary. Please check here: https://airvpn.org/forums/topic/44623-eddie-for-android-network-lock/

Kind regards
 

Share this post


Link to post
On 9/7/2019 at 11:00 AM, Staff said:

Hello!
@Glockdoc
@kbps

You have reported the effect of "VPN Lock" option which is the only safe method to prevent leaks in Android 5-6-7 in case of unrecoverable disconnection. Every time you see a lock, Eddie has saved you from traffic leaks outside the VPN tunnel. You can disable "VPN Lock" in "Settings" > "VPN" view.

When VPN lock is disabled Eddie will re-connect as soon as possible. Note that traffic leaks become possible, just like it happens in any other OpenVPN based application for Android.

If you run Android 8 or 9 you can set proper system options to minimize the likelihood of traffic leaks outside the tunnel, making VPN lock no more necessary. Please check here: https://airvpn.org/forums/topic/44623-eddie-for-android-network-lock/

Kind regards
 


So why then does encrypted traffic not resume when I have cellular data again.   The network remains locked and I have to disconnect Eddie and reconnect.  This causes any apps that waiting to send/receive data to do so over the unencrypted connection while Eddie reconnects.

Share this post


Link to post
43 minutes ago, kbps said:

So why then does encrypted traffic not resume when I have cellular data again.   The network remains locked and I have to disconnect Eddie and reconnect.  This causes any apps that waiting to send/receive data to do so over the unencrypted connection while Eddie reconnects.

Hello!

That must be seen and evaluated. While Eddie reconnects traffic leaks are of course expected, unless you have activated the proper options in Android 8 or 9 (or you enable VPN Lock in Eddie). Can you open a ticket and send us a complete log?

Kind regards
 

Share this post


Link to post

A few suggestions for Staff:

1) Enable Android fingerprint login. For example: HSBC UK app allows this on all Android One devices, as well as a selection of phones. If you can follow the same process (API), then this will enable AirVPN Eddie to be logged in to much quicker, than typing yet another random password that needs to be remembered

2) Provide a link to the system VPN settings directly, so that "Always-on VPN" and "Block connections without VPN" can be changed more easily

3) Consider changing the headers for the VPN overall. I've noticed in my last company, the Fortinet firewalls would inspect the traffic and see the tunnel, which would then specifically show my username (eg. my whole email address), which identifies me personally. Really not ideal.

Thanks

Share this post


Link to post
52 minutes ago, laowai said:

A few suggestions for Staff:

1) Enable Android fingerprint login. For example: HSBC UK app allows this on all Android One devices, as well as a selection of phones. If you can follow the same process (API), then this will enable AirVPN Eddie to be logged in to much quicker, than typing yet another random password that needs to be remembered

2) Provide a link to the system VPN settings directly, so that "Always-on VPN" and "Block connections without VPN" can be changed more easily

3) Consider changing the headers for the VPN overall. I've noticed in my last company, the Fortinet firewalls would inspect the traffic and see the tunnel, which would then specifically show my username (eg. my whole email address), which identifies me personally. Really not ideal.

Thanks


Hello!

Thank you for your suggestions. First and second ones are clear. We would like to clarify the third one.

Your username, e-mail or password are never exposed, during any interaction with our "auth" or "bootstrap" servers, while with the VPN servers they are not even sent out (they are not necessary to connect to our VPN servers).

Also, you can prevent Fortinet to understand that an OpenVPN tunnel has been built by using "tls-crypt", which is anyway the default Eddie setting. tls-crypt mode encrypts the whole OpenVPN Control Channel, so it is actually a pure TLS connection. It is available to entry-IP addresses 3 and 4 of our VPN servers.

Please feel free to clarify what you mean with "changing headers for the VPN" at your convenience, we're afraid we don't understand.

Kind regards
 

Share this post


Link to post
1 hour ago, Staff said:

Hello!

Thank you for your suggestions. First and second ones are clear. We would like to clarify the third one.

Your username, e-mail or password are never exposed, during any interaction with our "auth" or "bootstrap" servers, while with the VPN servers they are not even sent out (they are not necessary to connect to our VPN servers).

Also, you can prevent Fortinet to understand that an OpenVPN tunnel has been built by using "tls-crypt", which is anyway the default Eddie setting. tls-crypt mode encrypts the whole OpenVPN Control Channel, so it is actually a pure TLS connection. It is available to entry-IP addresses 3 and 4 of our VPN servers.

Please feel free to clarify what you mean with "changing headers for the VPN" at your convenience, we're afraid we don't understand.

Kind regards
 
I wish I'd taken a screenshot as I no longer work there, but in effect the fortinet was able to determine my airvpn username. I'm making assumptions about headers in packets as I have no idea how, but in the IPS or IDS section, it literally had my tunnel listed and my email address username shown. Hence I've been assuming that when the VPN authentication happens, there's something that allows username to be parsed.
Hope that makes more sense

Share this post


Link to post
55 minutes ago, laowai said:
I wish I'd taken a screenshot as I no longer work there, but in effect the fortinet was able to determine my airvpn username. I'm making assumptions about headers in packets as I have no idea how, but in the IPS or IDS section, it literally had my tunnel listed and my email address username shown. Hence I've been assuming that when the VPN authentication happens, there's something that allows username to be parsed.
Hope that makes more sense

Hello!

On Eddie Android Edition it is impossible. We need evidence as username/password pair is encrypted BEFORE leaving the system (check yourself on the source code and through deep packet inspection tools) so at the moment we must rule out what you say, in Eddie Android edition.

Kind regards
 

Share this post


Link to post

Ok that's fine on Android - I wasn't sure if the process was the same between clients. But I saw this on the latest version for Windows. I was running it on Windows 10.

So what's the deal there, is there a way of obfuscating username?

Share this post


Link to post
6 hours ago, laowai said:

Ok that's fine on Android - I wasn't sure if the process was the same between clients. But I saw this on the latest version for Windows. I was running it on Windows 10.

So what's the deal there, is there a way of obfuscating username?


Hello!

Username and password are encrypted, and not simply obfuscated, before they leave your system in Eddie desktop editions as well. However this thread is reserved to Eddie Android edition: please report your evidence on the threads dedicated to Eddie desktop edition at your convenience for thorough investigations.

Kind regards
 

Share this post


Link to post
On 9/7/2019 at 10:00 AM, Staff said:

Hello!
@Glockdoc
@kbps

You have reported the effect of "VPN Lock" option which is the only safe method to prevent leaks in Android 5-6-7 in case of unrecoverable disconnection. Every time you see a lock, Eddie has saved you from traffic leaks outside the VPN tunnel. You can disable "VPN Lock" in "Settings" > "VPN" view.

When VPN lock is disabled Eddie will re-connect as soon as possible. Note that traffic leaks become possible, just like it happens in any other OpenVPN based application for Android.

If you run Android 8 or 9 you can set proper system options to minimize the likelihood of traffic leaks outside the tunnel, making VPN lock no more necessary. Please check here: https://airvpn.org/forums/topic/44623-eddie-for-android-network-lock/

Kind regards
 


I appreciate the attention and replies, however, I decided using Eddie was just too much of a pain in the butt.  Went back to the open VPN app, checked "seamless tunnel" and "endless retry".  Battery life improvement was retained and Open reconnects wayyyyy faster.  On a side note I added the OxyTweaker module for Magisk, which disables a lot of google background stuff,  about the same time and my battery  has gone from  great to amazing!

I have tried 10 or so VPNs since I moved to Thailand. I have been with Air longer than any of the others. I abandoned Vypr and Nord after continuous dns leaks.  Not once have I had a leak with Air.  The Phoenix server seems to provide the least amount of data as to who, what, where when I check at dnsleaktest.com and doileak.com. Thanks for a great product.

Share this post


Link to post
3 hours ago, Glockdoc said:

I appreciate the attention and replies, however, I decided using Eddie was just too much of a pain in the butt.  Went back to the open VPN app, checked "seamless tunnel" and "endless retry". 

Hello!

You should have the identical behavior if you disable "VPN Lock" in Eddie (you can do that in the "Settings" view).

Note that in such a case you will have traffic leaks outside the tunnel just like you have with any other OpenVPN based app (VPN lock is an exclusive Eddie feature).

Android 8 and 9 implement new systems settings which will make "VPN Lock" superfluous. If you run Android 8 or 9 you can consider to prevent leaks with system settings and keep VPN lock disabled.

Kind regards
 

Share this post


Link to post

Join the conversation

You can post now and register later. If you have an account, sign in now to post with your account.
Note: Your post will require moderator approval before it will be visible.

Guest
Reply to this topic...

×   Pasted as rich text.   Paste as plain text instead

  Only 75 emoji are allowed.

×   Your link has been automatically embedded.   Display as a link instead

×   Your previous content has been restored.   Clear editor

×   You cannot paste images directly. Upload or insert images from URL.

Loading...
  • Security Check
    Play CAPTCHA Audio
    Refresh Image

×
×
  • Create New...