CHACHA20-POLY1305 on all servers

[Staff 9972]

Hello!



We're very glad to announce all VPN servers progressive upgrade to Data Channel CHACHA20-POLY1305 cipher and TLS 1.3 support.

UPDATE 18-Nov-2020: upgrade has been completed successfully on all AirVPN servers.

The upgrade requires restarting OpenVPN daemons and some other service. Users connected to servers will be disconnected and servers during upgrade will remain unavailable for two minutes approximately. In order to prevent massive, simultaneous disconnections, we have scheduled a progressive upgrade in 15 days, starting from tomorrow 5 Nov 2020. Please see the exact schedule at the bottom of this post, in the attached PDF file. Servers marked as "OK" have been already upgraded and you can use CHACHA20-POLY1305 with them right now.
 

When should I use CHACHA20-POLY1305 cipher on OpenVPN Data Channel?

 

In general, you should prefer CHACHA20 over AES on those systems which do not support AES-NI (AES New Instructions). CHACHA20 is computationally less onerous, but not less secure, than AES for CPUs that can't rely on AES New Instructions. If you have an AES-NI supporting CPU and system, on the contrary you should prefer AES for higher performance.
 

How can I use CHACHA20-POLY1305 on AirVPN?

CHACHA20-POLY1035 on Data Channel is supported by OpenVPN 2.5 or higher versions and OpenVPN3-AirVPN library.

In Eddie Android edition, open "Settings" > "AirVPN" > "Encryption algorithm" and select CHACHA20-POLY1305. Eddie Android edition will then filter and connect to VPN servers supporting CHACHA20-POLY1305 and will use the cipher both on Control and Data channels.

In our web site Configuration Generator, after you have ticked "Advanced Mode", you can pick OpenVPN version >=2.5, and also select "Prefer CHACHA20-POLY1305 cipher if available". If you're generating a configuration file for Hummingbird, select OpenVPN3-AirVPN: the configuration file needs to be different, because some new directives of OpenVPN 2.5 are not supported in OpenVPN3, and Hummingbird is based on OpenVPN3-AirVPN.

In Eddie desktop edition, upgrade to 2.19.6 version first. Then select the above mentioned option. However, most desktop computers support AES-NI, so make sure to check first, because using CHACHA20-POLY1305 on such systems will cause performance harm when you go above 300 Mbit/s (if you stay below that performance, probably you will not notice any difference). Also note that if your system does not have OpenVPN 2.5 or higher version you will not be able to use CHACHA20-POLY1305.

If you wish to manually edit your OpenVPN 2.5 profile to prefer CHACHA20 on Data Channel when available:

• delete directive cipher
• add the following directive:

data-ciphers CHACHA20-POLY1305:AES-256-GCM

Pending Upgrade Server Schedule


Kind regards and datalove
AirVPN Staff


 

[Shiver Me Whiskers 15]

Oh wow...
. 2020.11.04 21:00:21 - OpenVPN > open_tun
. 2020.11.04 21:00:21 - OpenVPN > wintun device [Local Area Connection] opened

It worked !
First time ever on my computer.

---
Edit: Wrong thread, now I see the other ones about Eddie 2.19.5, but... well, here it is, it works ! Microsoft Windows [Version 10.0.19042.572] ( aka 20H2 ), WinTUN driver installed and connection to AirVPN was blazing fast !
Typing this message through the VPN 😉

[Staff 9972]

@Shiver Me Whiskers

Hello!

Yes, today Eddie 2.19.5 with wintun support for Windows was also released. 😎

Thank you, enjoy AirVPN!

Kind regards

[sooprtruffaut 5]

Quote

If you're generating a configuration file for Hummingbird, select OpenVPN3-AirVPN: the configuration file needs to be different, because some new directives of OpenVPN 2.5 are not supported in OpenVPN3, and Hummingbird is based on OpenVPN3-AirVPN.

From where do we select OpenVPN3-AirVPN? Is this an option in Config Generator, because I'm unsure where to find it. I'm expecting to find it in the >=2.5 dropdown, but that's not the case.

Very curious to check out using chacha!

[Staff 9972]

22 minutes ago, sooprtruffaut said:

From where do we select OpenVPN3-AirVPN? Is this an option in Config Generator, because I'm unsure where to find it. I'm expecting to find it in the >=2.5 dropdown, but that's not the case.

Very curious to check out using chacha!

Hello!

We're sorry, it's not yet implemented.

You can already test CHACHA20 from Eddie Android edition and Hummingbird, anyway, not only from OpenVPN 2.5. If you have any issue please let us know.

Kind regards
 

[sooprtruffaut 5]

14 minutes ago, Staff said:

We're sorry, it's not yet implemented.

No problem! Looking forward to seeing chacha get rolled out across the rest of the servers. I'm hoping it will improve download speeds, which have really plummeted for me recently. I seem to find a server with good uploads and a few days later its routing seems to shift and it drops to under a Mbps.

Keep innovating and I'm always curious to see how air develops!

[Staff 9972]

@sooprtruffaut

Thank you! In which system do you need CHACHA20 for performance improvement?

Kind regards
 

[sooprtruffaut 5]

16 minutes ago, Staff said:

Thank you! In which system do you need CHACHA20 for performance improvement?

Raspberry Pi. Hopefully there'll be a performance hike on ARM CPUs.

[iwih2gk 93]

Clarification needed please.

Running Eddie 2.19.5 on linux Debian Buster.  I changed opnvpn directives to prefer cha cha.  I don't see any other options in Desktop client 2.19.5 to enable cha cha.

My connection stats still only show AES in the connection channel.  Please, what am I missing here?  Also assuming opnvpn 2.5 is now in the client?

[OpenSourcerer 1435]

49 minutes ago, iwih2gk said:

Clarification needed please.

Running Eddie 2.19.5 on linux Debian Buster.  I changed opnvpn directives to prefer cha cha.  I don't see any other options in Desktop client 2.19.5 to enable cha cha.

My connection stats still only show AES in the connection channel.  Please, what am I missing here?  Also assuming opnvpn 2.5 is now in the client?

Are you running Eddie portable? Because the DEB package will use the system OpenVPN which in current stable is 2.4.7.

[iwih2gk 93]

1 hour ago, OpenSourcerer said:

Are you running Eddie portable? Because the DEB package will use the system OpenVPN which in current stable is 2.4.7.

No sir.  Eddie is a full install on Buster.  I was hoping maybe Eddie had "nested OPNVPN2.5" somehow.  I should have thought it through.  One thing for sure; I don't want to create a Franken-Debian, LOL!  So, on this issue then I am dead in the water until Debian moves up to 2.5 I suppose?  The client performs flawlessly but the possibility of a small speed improvement has interest for all of us.  My machine does not have AES-NI.  The Air servers are all over 100 Meg for me even on high latency tunnels.  I am on TOR usually so obviously at times speed isn't critical, LOL!

[OpenSourcerer 1435]

8 hours ago, iwih2gk said:

I was hoping maybe Eddie had "nested OPNVPN2.5" somehow.

Eddie ships with OpenVPN in portable. You could download that, then point the installed Eddie at the openvpn binary from that portable package. Optionally move it to ~/.local/bin or something.
 

8 hours ago, iwih2gk said:

One thing for sure; I don't want to create a Franken-Debian, LOL!

I looked into the packages. In case of OpenVPN you wouldn't break anything if you install it from sid on stable. The only dependency change is liblzo2-2 requiring version 2.02 or higher instead of it simply being present, but stable is already on 2.08, so I don't expect problems.
Anyway, as always, pay attention to what gets upgraded or even removed if you choose to install it. You never know; maybe you've got packages depending on OpenVPN 2.4. But I think it's one of the better examples of using something from sid in Debian stable
 

9 hours ago, iwih2gk said:

So, on this issue then I am dead in the water until Debian moves up to 2.5 I suppose?

If you want to play it way too cool for my taste, you can always wait for Debian 11 bullseye. Expecting a release late summer 2021.

[buthowcome 0]

I'm trying to connect to servers with Cha cha on Android via Eddie but using this encryption the speed is extremely slow and connection is basically nonexistent. Im in a DPI country - is this the issue?

[Staff 9972]

@buthowcome

Hello!

We can't be sure and we can't rule it out. Try to switch to TCP and check whether performance improves or not.

For the quick connection, open "Settings" > "AirVPN" > "Default protocol" and set it to "TCP". Then set "Quick connection mode" to "Use default options only".

If you don't use quick connection, in order to force TCP on the server specific connections, tap the gearbox, open "Protocol" and select "TCP".

Kind regards
 

[buthowcome 0]

@StaffYup - TCP and UDP working fine! Just was excited to try the new encryption but I just spent some time reading up on it and it seems like my device doesn't need it as it supports the AES encryption  I guess for most new smartphones, tablets etc. they don't need to use this new encryption right? There's no real benefit, unless it is a device which does not suport the other encryption types?

Edited ... by buthowcome

[Staff 9972]

@buthowcome

Hello!

Yes, correct: if your CPU and system support AES-NI, you will have higher performance with AES.

Kind regards
 

[iwih2gk 93]

On 11/6/2020 at 10:14 AM, OpenSourcerer said:

Eddie ships with OpenVPN in portable. You could download that, then point the installed Eddie at the openvpn binary from that portable package. Optionally move it to ~/.local/bin or something.
 
I looked into the packages. In case of OpenVPN you wouldn't break anything if you install it from sid on stable. The only dependency change is liblzo2-2 requiring version 2.02 or higher instead of it simply being present, but stable is already on 2.08, so I don't expect problems.
Anyway, as always, pay attention to what gets upgraded or even removed if you choose to install it. You never know; maybe you've got packages depending on OpenVPN 2.4. But I think it's one of the better examples of using something from sid in Debian stable
 
If you want to play it way too cool for my taste, you can always wait for Debian 11 bullseye. Expecting a release late summer 2021.

This exact post of yours is why folks come here to learn and get support.  You have given me/us a great deal to consider.  Thank you for that!!

I don't know what my final decision on this is yet.  I had to go through "hell" when I created a Franken-Debian in the past.  My system is highly personalized and I cannot simply use an ISO and install an out of the box system.  That won't meet my needs at all.  I likely will pull 2.5 out of SID but in a few months if it goes "Franken" on me all smiles will be lost.  I am backing up a perfect clone of this system to at least come back to "the here and now" quite easily.

Thanks again for your comments and ideas.

[OpenSourcerer 1435]

42 minutes ago, iwih2gk said:

This exact post of yours is why folks come here to learn and get support.  You have given me/us a great deal to consider.  Thank you for that!!

Thank you for your kind words, it's very much appreciated.
 

43 minutes ago, iwih2gk said:

I don't know what my final decision on this is yet.  I had to go through "hell" when I created a Franken-Debian in the past.  My system is highly personalized and I cannot simply use an ISO and install an out of the box system.  That won't meet my needs at all.  I likely will pull 2.5 out of SID but in a few months if it goes "Franken" on me all smiles will be lost.  I am backing up a perfect clone of this system to at least come back to "the here and now" quite easily.

There's a remedy for that: Partitions. Immensely strong on *nix in comparison to Windows. Have you considered splitting up your / into parts you don't want to redo everytime you reinstall a Linux distribution? I split my SSD into /, /boot, /home and /opt for example. This way the only partition rewritten is /. /boot will be updated when update-grub is run and /home, containing all your user settings, will remain, so that, when you boot the new installation for the first time, you will find that everything will be where you left it. Some also create an extra partition for /etc to keep software configuration as well, but I find backups of /etc slightly more dynamic for my use case. The only real thing you need to do before reinstalling is listing what software you have installed. Since I exclusively use APT for installations, I list the packages marked as manual (apt-mark showmanual) and work through it, reinstalling all I might need in the next two weeks. Everything else can be reinstalled as the need arises.
If you want to use your own packages right after installation, there's always the possibility to create your own image using simple-ccd or Debian Live.

Anyway, we're off-topic. If you want to dive deeper, please write me a message.

[sooprtruffaut 5]

@Staff

When will tls 1.3 be implemented? Edited ... by sooprtruffaut

[Staff 9972]

@sooprtruffaut

Hello!

It is implemented already on all servers supporting CHACHA20-POLY1305 on Data Channel, i.e. all servers running OpenVPN 2.5. Please check the schedule in the first message.

Kind regards
 

[mith_y2k 6]

Maybe a silly question, I'm running Hummingbird 1.1.0 on a Raspberry Pi and I have an ovpn profile generated a few months ago. Do I need to regenerate the file or can I simply restart hummingbird with the -C CHACHA20-POLY1305 flag?

[Staff 9972]

@mith_y2k

Hello!

You can simply re-start Hummingbird with the option you mention. Enjoy CHACHA20!

Kind regards
 

[kbps 29]

When using OpenVPN for Android how do I know if ChaCha is being used?

I have advanced generated a 2.5 version openvpn config file with ChaCha selected as the cipher and imported to OpenVPN for Android.  When connected how do I know it is using ChaCha? 
 

[zsam288 36]

On 11/12/2020 at 8:19 PM, kbps said:

When using OpenVPN for Android how do I know if ChaCha is being used?

I have advanced generated a 2.5 version openvpn config file with ChaCha selected as the cipher and imported to OpenVPN for Android.  When connected how do I know it is using ChaCha? 
 

In the log look for a line "Outgoing  Data channel: Chiper'" and "Incoming Data channel: Chiper'"
then there might be AES-256 there or Cha Cha

[zsam288 36]

@Staff Comae  is still marked as experimental hence being ignored by Eddie