Staff 9972 Posted ... Hello! We're very glad to announce all VPN servers progressive upgrade to Data Channel CHACHA20-POLY1305 cipher and TLS 1.3 support. UPDATE 18-Nov-2020: upgrade has been completed successfully on all AirVPN servers. The upgrade requires restarting OpenVPN daemons and some other service. Users connected to servers will be disconnected and servers during upgrade will remain unavailable for two minutes approximately. In order to prevent massive, simultaneous disconnections, we have scheduled a progressive upgrade in 15 days, starting from tomorrow 5 Nov 2020. Please see the exact schedule at the bottom of this post, in the attached PDF file. Servers marked as "OK" have been already upgraded and you can use CHACHA20-POLY1305 with them right now. When should I use CHACHA20-POLY1305 cipher on OpenVPN Data Channel? In general, you should prefer CHACHA20 over AES on those systems which do not support AES-NI (AES New Instructions). CHACHA20 is computationally less onerous, but not less secure, than AES for CPUs that can't rely on AES New Instructions. If you have an AES-NI supporting CPU and system, on the contrary you should prefer AES for higher performance. How can I use CHACHA20-POLY1305 on AirVPN? CHACHA20-POLY1035 on Data Channel is supported by OpenVPN 2.5 or higher versions and OpenVPN3-AirVPN library. In Eddie Android edition, open "Settings" > "AirVPN" > "Encryption algorithm" and select CHACHA20-POLY1305. Eddie Android edition will then filter and connect to VPN servers supporting CHACHA20-POLY1305 and will use the cipher both on Control and Data channels.In our web site Configuration Generator, after you have ticked "Advanced Mode", you can pick OpenVPN version >=2.5, and also select "Prefer CHACHA20-POLY1305 cipher if available". If you're generating a configuration file for Hummingbird, select OpenVPN3-AirVPN: the configuration file needs to be different, because some new directives of OpenVPN 2.5 are not supported in OpenVPN3, and Hummingbird is based on OpenVPN3-AirVPN.In Eddie desktop edition, upgrade to 2.19.6 version first. Then select the above mentioned option. However, most desktop computers support AES-NI, so make sure to check first, because using CHACHA20-POLY1305 on such systems will cause performance harm when you go above 300 Mbit/s (if you stay below that performance, probably you will not notice any difference). Also note that if your system does not have OpenVPN 2.5 or higher version you will not be able to use CHACHA20-POLY1305.If you wish to manually edit your OpenVPN 2.5 profile to prefer CHACHA20 on Data Channel when available: delete directive cipher add the following directive: data-ciphers CHACHA20-POLY1305:AES-256-GCM Pending Upgrade Server Schedule Kind regards and datalove AirVPN Staff 3 4 Shiver Me Whiskers, zsam288, spinmaster and 4 others reacted to this Quote Share this post Link to post
Shiver Me Whiskers 15 Posted ... Oh wow... . 2020.11.04 21:00:21 - OpenVPN > open_tun . 2020.11.04 21:00:21 - OpenVPN > wintun device [Local Area Connection] opened It worked ! First time ever on my computer. --- Edit: Wrong thread, now I see the other ones about Eddie 2.19.5, but... well, here it is, it works ! Microsoft Windows [Version 10.0.19042.572] ( aka 20H2 ), WinTUN driver installed and connection to AirVPN was blazing fast ! Typing this message through the VPN 😉 1 2 Flx, Staff and pklammer reacted to this Quote Share this post Link to post
Staff 9972 Posted ... @Shiver Me Whiskers Hello! Yes, today Eddie 2.19.5 with wintun support for Windows was also released. 😎 Thank you, enjoy AirVPN! Kind regards Quote Share this post Link to post
sooprtruffaut 5 Posted ... Quote If you're generating a configuration file for Hummingbird, select OpenVPN3-AirVPN: the configuration file needs to be different, because some new directives of OpenVPN 2.5 are not supported in OpenVPN3, and Hummingbird is based on OpenVPN3-AirVPN. From where do we select OpenVPN3-AirVPN? Is this an option in Config Generator, because I'm unsure where to find it. I'm expecting to find it in the >=2.5 dropdown, but that's not the case. Very curious to check out using chacha! Quote Share this post Link to post
Staff 9972 Posted ... 22 minutes ago, sooprtruffaut said: From where do we select OpenVPN3-AirVPN? Is this an option in Config Generator, because I'm unsure where to find it. I'm expecting to find it in the >=2.5 dropdown, but that's not the case. Very curious to check out using chacha! Hello! We're sorry, it's not yet implemented. You can already test CHACHA20 from Eddie Android edition and Hummingbird, anyway, not only from OpenVPN 2.5. If you have any issue please let us know. Kind regards Quote Share this post Link to post
sooprtruffaut 5 Posted ... 14 minutes ago, Staff said: We're sorry, it's not yet implemented. No problem! Looking forward to seeing chacha get rolled out across the rest of the servers. I'm hoping it will improve download speeds, which have really plummeted for me recently. I seem to find a server with good uploads and a few days later its routing seems to shift and it drops to under a Mbps. Keep innovating and I'm always curious to see how air develops! Quote Share this post Link to post
Staff 9972 Posted ... @sooprtruffaut Thank you! In which system do you need CHACHA20 for performance improvement? Kind regards Quote Share this post Link to post
sooprtruffaut 5 Posted ... 16 minutes ago, Staff said: Thank you! In which system do you need CHACHA20 for performance improvement? Raspberry Pi. Hopefully there'll be a performance hike on ARM CPUs. Quote Share this post Link to post
iwih2gk 93 Posted ... Clarification needed please. Running Eddie 2.19.5 on linux Debian Buster. I changed opnvpn directives to prefer cha cha. I don't see any other options in Desktop client 2.19.5 to enable cha cha. My connection stats still only show AES in the connection channel. Please, what am I missing here? Also assuming opnvpn 2.5 is now in the client? Quote Share this post Link to post
OpenSourcerer 1435 Posted ... 49 minutes ago, iwih2gk said: Clarification needed please. Running Eddie 2.19.5 on linux Debian Buster. I changed opnvpn directives to prefer cha cha. I don't see any other options in Desktop client 2.19.5 to enable cha cha. My connection stats still only show AES in the connection channel. Please, what am I missing here? Also assuming opnvpn 2.5 is now in the client? Are you running Eddie portable? Because the DEB package will use the system OpenVPN which in current stable is 2.4.7. Quote Hide OpenSourcerer's signature Hide all signatures NOT AN AIRVPN TEAM MEMBER. USE TICKETS FOR PROFESSIONAL SUPPORT. LZ1's New User Guide to AirVPN « Plenty of stuff for advanced users, too! Want to contact me directly? All relevant methods are on my About me page. Share this post Link to post
iwih2gk 93 Posted ... 1 hour ago, OpenSourcerer said: Are you running Eddie portable? Because the DEB package will use the system OpenVPN which in current stable is 2.4.7. No sir. Eddie is a full install on Buster. I was hoping maybe Eddie had "nested OPNVPN2.5" somehow. I should have thought it through. One thing for sure; I don't want to create a Franken-Debian, LOL! So, on this issue then I am dead in the water until Debian moves up to 2.5 I suppose? The client performs flawlessly but the possibility of a small speed improvement has interest for all of us. My machine does not have AES-NI. The Air servers are all over 100 Meg for me even on high latency tunnels. I am on TOR usually so obviously at times speed isn't critical, LOL! Quote Share this post Link to post
OpenSourcerer 1435 Posted ... 8 hours ago, iwih2gk said: I was hoping maybe Eddie had "nested OPNVPN2.5" somehow. Eddie ships with OpenVPN in portable. You could download that, then point the installed Eddie at the openvpn binary from that portable package. Optionally move it to ~/.local/bin or something. 8 hours ago, iwih2gk said: One thing for sure; I don't want to create a Franken-Debian, LOL! I looked into the packages. In case of OpenVPN you wouldn't break anything if you install it from sid on stable. The only dependency change is liblzo2-2 requiring version 2.02 or higher instead of it simply being present, but stable is already on 2.08, so I don't expect problems. Anyway, as always, pay attention to what gets upgraded or even removed if you choose to install it. You never know; maybe you've got packages depending on OpenVPN 2.4. But I think it's one of the better examples of using something from sid in Debian stable 9 hours ago, iwih2gk said: So, on this issue then I am dead in the water until Debian moves up to 2.5 I suppose? If you want to play it way too cool for my taste, you can always wait for Debian 11 bullseye. Expecting a release late summer 2021. Quote Hide OpenSourcerer's signature Hide all signatures NOT AN AIRVPN TEAM MEMBER. USE TICKETS FOR PROFESSIONAL SUPPORT. LZ1's New User Guide to AirVPN « Plenty of stuff for advanced users, too! Want to contact me directly? All relevant methods are on my About me page. Share this post Link to post
buthowcome 0 Posted ... I'm trying to connect to servers with Cha cha on Android via Eddie but using this encryption the speed is extremely slow and connection is basically nonexistent. Im in a DPI country - is this the issue? Quote Share this post Link to post
Staff 9972 Posted ... @buthowcome Hello! We can't be sure and we can't rule it out. Try to switch to TCP and check whether performance improves or not. For the quick connection, open "Settings" > "AirVPN" > "Default protocol" and set it to "TCP". Then set "Quick connection mode" to "Use default options only". If you don't use quick connection, in order to force TCP on the server specific connections, tap the gearbox, open "Protocol" and select "TCP". Kind regards Quote Share this post Link to post
buthowcome 0 Posted ... (edited) @StaffYup - TCP and UDP working fine! Just was excited to try the new encryption but I just spent some time reading up on it and it seems like my device doesn't need it as it supports the AES encryption I guess for most new smartphones, tablets etc. they don't need to use this new encryption right? There's no real benefit, unless it is a device which does not suport the other encryption types? Edited ... by buthowcome Quote Share this post Link to post
Staff 9972 Posted ... @buthowcome Hello! Yes, correct: if your CPU and system support AES-NI, you will have higher performance with AES. Kind regards Quote Share this post Link to post
iwih2gk 93 Posted ... On 11/6/2020 at 10:14 AM, OpenSourcerer said: Eddie ships with OpenVPN in portable. You could download that, then point the installed Eddie at the openvpn binary from that portable package. Optionally move it to ~/.local/bin or something. I looked into the packages. In case of OpenVPN you wouldn't break anything if you install it from sid on stable. The only dependency change is liblzo2-2 requiring version 2.02 or higher instead of it simply being present, but stable is already on 2.08, so I don't expect problems. Anyway, as always, pay attention to what gets upgraded or even removed if you choose to install it. You never know; maybe you've got packages depending on OpenVPN 2.4. But I think it's one of the better examples of using something from sid in Debian stable If you want to play it way too cool for my taste, you can always wait for Debian 11 bullseye. Expecting a release late summer 2021. This exact post of yours is why folks come here to learn and get support. You have given me/us a great deal to consider. Thank you for that!! I don't know what my final decision on this is yet. I had to go through "hell" when I created a Franken-Debian in the past. My system is highly personalized and I cannot simply use an ISO and install an out of the box system. That won't meet my needs at all. I likely will pull 2.5 out of SID but in a few months if it goes "Franken" on me all smiles will be lost. I am backing up a perfect clone of this system to at least come back to "the here and now" quite easily. Thanks again for your comments and ideas. Quote Share this post Link to post
OpenSourcerer 1435 Posted ... 42 minutes ago, iwih2gk said: This exact post of yours is why folks come here to learn and get support. You have given me/us a great deal to consider. Thank you for that!! Thank you for your kind words, it's very much appreciated. 43 minutes ago, iwih2gk said: I don't know what my final decision on this is yet. I had to go through "hell" when I created a Franken-Debian in the past. My system is highly personalized and I cannot simply use an ISO and install an out of the box system. That won't meet my needs at all. I likely will pull 2.5 out of SID but in a few months if it goes "Franken" on me all smiles will be lost. I am backing up a perfect clone of this system to at least come back to "the here and now" quite easily. There's a remedy for that: Partitions. Immensely strong on *nix in comparison to Windows. Have you considered splitting up your / into parts you don't want to redo everytime you reinstall a Linux distribution? I split my SSD into /, /boot, /home and /opt for example. This way the only partition rewritten is /. /boot will be updated when update-grub is run and /home, containing all your user settings, will remain, so that, when you boot the new installation for the first time, you will find that everything will be where you left it. Some also create an extra partition for /etc to keep software configuration as well, but I find backups of /etc slightly more dynamic for my use case. The only real thing you need to do before reinstalling is listing what software you have installed. Since I exclusively use APT for installations, I list the packages marked as manual (apt-mark showmanual) and work through it, reinstalling all I might need in the next two weeks. Everything else can be reinstalled as the need arises. If you want to use your own packages right after installation, there's always the possibility to create your own image using simple-ccd or Debian Live. Anyway, we're off-topic. If you want to dive deeper, please write me a message. Quote Hide OpenSourcerer's signature Hide all signatures NOT AN AIRVPN TEAM MEMBER. USE TICKETS FOR PROFESSIONAL SUPPORT. LZ1's New User Guide to AirVPN « Plenty of stuff for advanced users, too! Want to contact me directly? All relevant methods are on my About me page. Share this post Link to post
sooprtruffaut 5 Posted ... (edited) @Staff When will tls 1.3 be implemented? Edited ... by sooprtruffaut Quote Share this post Link to post
Staff 9972 Posted ... @sooprtruffaut Hello! It is implemented already on all servers supporting CHACHA20-POLY1305 on Data Channel, i.e. all servers running OpenVPN 2.5. Please check the schedule in the first message. Kind regards Quote Share this post Link to post
mith_y2k 6 Posted ... Maybe a silly question, I'm running Hummingbird 1.1.0 on a Raspberry Pi and I have an ovpn profile generated a few months ago. Do I need to regenerate the file or can I simply restart hummingbird with the -C CHACHA20-POLY1305 flag? Quote Share this post Link to post
Staff 9972 Posted ... @mith_y2k Hello! You can simply re-start Hummingbird with the option you mention. Enjoy CHACHA20! Kind regards 1 mith_y2k reacted to this Quote Share this post Link to post
kbps 29 Posted ... When using OpenVPN for Android how do I know if ChaCha is being used? I have advanced generated a 2.5 version openvpn config file with ChaCha selected as the cipher and imported to OpenVPN for Android. When connected how do I know it is using ChaCha? Quote Share this post Link to post
zsam288 36 Posted ... On 11/12/2020 at 8:19 PM, kbps said: When using OpenVPN for Android how do I know if ChaCha is being used? I have advanced generated a 2.5 version openvpn config file with ChaCha selected as the cipher and imported to OpenVPN for Android. When connected how do I know it is using ChaCha? In the log look for a line "Outgoing Data channel: Chiper'" and "Incoming Data channel: Chiper'" then there might be AES-256 there or Cha Cha Quote Share this post Link to post
zsam288 36 Posted ... @Staff Comae is still marked as experimental hence being ignored by Eddie Quote Share this post Link to post