Jump to content
Not connected, Your IP: 3.237.66.86
Staff

CHACHA20-POLY1305 on all servers

Recommended Posts

Hello!



We're very glad to announce all VPN servers progressive upgrade to Data Channel CHACHA20-POLY1305 cipher and TLS 1.3 support.

UPDATE 18-Nov-2020: upgrade has been completed successfully on all AirVPN servers.


The upgrade requires restarting OpenVPN daemons and some other service. Users connected to servers will be disconnected and servers during upgrade will remain unavailable for two minutes approximately. In order to prevent massive, simultaneous disconnections, we have scheduled a progressive upgrade in 15 days, starting from tomorrow 5 Nov 2020. Please see the exact schedule at the bottom of this post, in the attached PDF file. Servers marked as "OK" have been already upgraded and you can use CHACHA20-POLY1305 with them right now.
 

When should I use CHACHA20-POLY1305 cipher on OpenVPN Data Channel?
 
In general, you should prefer CHACHA20 over AES on those systems which do not support AES-NI (AES New Instructions). CHACHA20 is computationally less onerous, but not less secure, than AES for CPUs that can't rely on AES New Instructions. If you have an AES-NI supporting CPU and system, on the contrary you should prefer AES for higher performance.
 
How can I use CHACHA20-POLY1305 on AirVPN?

CHACHA20-POLY1035 on Data Channel is supported by OpenVPN 2.5 or higher versions and OpenVPN3-AirVPN library.

In Eddie Android edition, open "Settings" > "AirVPN" > "Encryption algorithm" and select CHACHA20-POLY1305. Eddie Android edition will then filter and connect to VPN servers supporting CHACHA20-POLY1305 and will use the cipher both on Control and Data channels.

In our web site Configuration Generator, after you have ticked "Advanced Mode", you can pick OpenVPN version >=2.5, and also select "Prefer CHACHA20-POLY1305 cipher if available". If you're generating a configuration file for Hummingbird, select OpenVPN3-AirVPN: the configuration file needs to be different, because some new directives of OpenVPN 2.5 are not supported in OpenVPN3, and Hummingbird is based on OpenVPN3-AirVPN.

In Eddie desktop edition, upgrade to 2.19.6 version first. Then select the above mentioned option. However, most desktop computers support AES-NI, so make sure to check first, because using CHACHA20-POLY1305 on such systems will cause performance harm when you go above 300 Mbit/s (if you stay below that performance, probably you will not notice any difference). Also note that if your system does not have OpenVPN 2.5 or higher version you will not be able to use CHACHA20-POLY1305.

If you wish to manually edit your OpenVPN 2.5 profile to prefer CHACHA20 on Data Channel when available:
  • delete directive cipher
  • add the following directive:
data-ciphers CHACHA20-POLY1305:AES-256-GCM


Pending Upgrade Server Schedule


Kind regards and datalove
AirVPN Staff


 

Share this post


Link to post

Oh wow...
. 2020.11.04 21:00:21 - OpenVPN > open_tun
. 2020.11.04 21:00:21 - OpenVPN > wintun device [Local Area Connection] opened

It worked !
First time ever on my computer.

---
Edit: Wrong thread, now I see the other ones about Eddie 2.19.5, but... well, here it is, it works ! Microsoft Windows [Version 10.0.19042.572] ( aka 20H2 ), WinTUN driver installed and connection to AirVPN was blazing fast !
Typing this message through the VPN 😉

Share this post


Link to post
Quote
If you're generating a configuration file for Hummingbird, select OpenVPN3-AirVPN: the configuration file needs to be different, because some new directives of OpenVPN 2.5 are not supported in OpenVPN3, and Hummingbird is based on OpenVPN3-AirVPN.

From where do we select OpenVPN3-AirVPN? Is this an option in Config Generator, because I'm unsure where to find it. I'm expecting to find it in the >=2.5 dropdown, but that's not the case.

Very curious to check out using chacha!

Share this post


Link to post
22 minutes ago, sooprtruffaut said:

From where do we select OpenVPN3-AirVPN? Is this an option in Config Generator, because I'm unsure where to find it. I'm expecting to find it in the >=2.5 dropdown, but that's not the case.

Very curious to check out using chacha!

Hello!

We're sorry, it's not yet implemented.

You can already test CHACHA20 from Eddie Android edition and Hummingbird, anyway, not only from OpenVPN 2.5. If you have any issue please let us know.

Kind regards
 

Share this post


Link to post
14 minutes ago, Staff said:

We're sorry, it's not yet implemented.


No problem! Looking forward to seeing chacha get rolled out across the rest of the servers. I'm hoping it will improve download speeds, which have really plummeted for me recently. I seem to find a server with good uploads and a few days later its routing seems to shift and it drops to under a Mbps.

Keep innovating and I'm always curious to see how air develops!

Share this post


Link to post
16 minutes ago, Staff said:

Thank you! In which system do you need CHACHA20 for performance improvement?


Raspberry Pi. Hopefully there'll be a performance hike on ARM CPUs.

Share this post


Link to post

Clarification needed please.

Running Eddie 2.19.5 on linux Debian Buster.  I changed opnvpn directives to prefer cha cha.  I don't see any other options in Desktop client 2.19.5 to enable cha cha.

My connection stats still only show AES in the connection channel.  Please, what am I missing here?  Also assuming opnvpn 2.5 is now in the client?

Share this post


Link to post
49 minutes ago, iwih2gk said:

Clarification needed please.

Running Eddie 2.19.5 on linux Debian Buster.  I changed opnvpn directives to prefer cha cha.  I don't see any other options in Desktop client 2.19.5 to enable cha cha.

My connection stats still only show AES in the connection channel.  Please, what am I missing here?  Also assuming opnvpn 2.5 is now in the client?


Are you running Eddie portable? Because the DEB package will use the system OpenVPN which in current stable is 2.4.7.

» I am not an AirVPN team member. All opinions are my own and are not to be considered official. Only the AirVPN Staff account should be viewed as such.

» The forums is a place where you can ask questions to the community. You are not entitled to guaranteed answer times. Answer quality may vary, too. If you need professional support, please create tickets.

» If you're new, take some time to read LZ1's New User Guide to AirVPN. On questions, use the search function first. On errors, search for the error message instead.

» If you choose to create a new thread, keep in mind that we don't know your setup. Give info about it. Never forget the OpenVPN logs or, for Eddie, the support file (Logs > lifebelt icon).

» The community kindly asks you to not set up Tor exit relays when connected to AirVPN. Their IP addresses are subject to restrictions and these are relayed to all users of the affected servers.

 

» Furthermore, I propose that your paranoia is to be destroyed. If you overdo privacy, chances are you will be unique amond the mass again.

Share this post


Link to post
1 hour ago, OpenSourcerer said:

Are you running Eddie portable? Because the DEB package will use the system OpenVPN which in current stable is 2.4.7.

No sir.  Eddie is a full install on Buster.  I was hoping maybe Eddie had "nested OPNVPN2.5" somehow.  I should have thought it through.  One thing for sure; I don't want to create a Franken-Debian, LOL!  So, on this issue then I am dead in the water until Debian moves up to 2.5 I suppose?  The client performs flawlessly but the possibility of a small speed improvement has interest for all of us.  My machine does not have AES-NI.  The Air servers are all over 100 Meg for me even on high latency tunnels.  I am on TOR usually so obviously at times speed isn't critical, LOL!

Share this post


Link to post
8 hours ago, iwih2gk said:

I was hoping maybe Eddie had "nested OPNVPN2.5" somehow.


Eddie ships with OpenVPN in portable. You could download that, then point the installed Eddie at the openvpn binary from that portable package. Optionally move it to ~/.local/bin or something.
 
8 hours ago, iwih2gk said:

One thing for sure; I don't want to create a Franken-Debian, LOL!


I looked into the packages. In case of OpenVPN you wouldn't break anything if you install it from sid on stable. The only dependency change is liblzo2-2 requiring version 2.02 or higher instead of it simply being present, but stable is already on 2.08, so I don't expect problems.
Anyway, as always, pay attention to what gets upgraded or even removed if you choose to install it. You never know; maybe you've got packages depending on OpenVPN 2.4. But I think it's one of the better examples of using something from sid in Debian stable :D
 
9 hours ago, iwih2gk said:

So, on this issue then I am dead in the water until Debian moves up to 2.5 I suppose?


If you want to play it way too cool for my taste, you can always wait for Debian 11 bullseye. Expecting a release late summer 2021. :)

» I am not an AirVPN team member. All opinions are my own and are not to be considered official. Only the AirVPN Staff account should be viewed as such.

» The forums is a place where you can ask questions to the community. You are not entitled to guaranteed answer times. Answer quality may vary, too. If you need professional support, please create tickets.

» If you're new, take some time to read LZ1's New User Guide to AirVPN. On questions, use the search function first. On errors, search for the error message instead.

» If you choose to create a new thread, keep in mind that we don't know your setup. Give info about it. Never forget the OpenVPN logs or, for Eddie, the support file (Logs > lifebelt icon).

» The community kindly asks you to not set up Tor exit relays when connected to AirVPN. Their IP addresses are subject to restrictions and these are relayed to all users of the affected servers.

 

» Furthermore, I propose that your paranoia is to be destroyed. If you overdo privacy, chances are you will be unique amond the mass again.

Share this post


Link to post

I'm trying to connect to servers with Cha cha on Android via Eddie but using this encryption the speed is extremely slow and connection is basically nonexistent. Im in a DPI country - is this the issue?

Share this post


Link to post
@buthowcome

Hello!

We can't be sure and we can't rule it out. Try to switch to TCP and check whether performance improves or not.

For the quick connection, open "Settings" > "AirVPN" > "Default protocol" and set it to "TCP". Then set "Quick connection mode" to "Use default options only".

If you don't use quick connection, in order to force TCP on the server specific connections, tap the gearbox, open "Protocol" and select "TCP".

Kind regards
 

Share this post


Link to post
Posted ... (edited)

@StaffYup - TCP and UDP working fine! Just was excited to try the new encryption but I just spent some time reading up on it and it seems like my device doesn't need it as it supports the AES encryption :) I guess for most new smartphones, tablets etc. they don't need to use this new encryption right? There's no real benefit, unless it is a device which does not suport the other encryption types?

Edited ... by buthowcome

Share this post


Link to post
On 11/6/2020 at 10:14 AM, OpenSourcerer said:

Eddie ships with OpenVPN in portable. You could download that, then point the installed Eddie at the openvpn binary from that portable package. Optionally move it to ~/.local/bin or something.
 
I looked into the packages. In case of OpenVPN you wouldn't break anything if you install it from sid on stable. The only dependency change is liblzo2-2 requiring version 2.02 or higher instead of it simply being present, but stable is already on 2.08, so I don't expect problems.
Anyway, as always, pay attention to what gets upgraded or even removed if you choose to install it. You never know; maybe you've got packages depending on OpenVPN 2.4. But I think it's one of the better examples of using something from sid in Debian stable :D
 
If you want to play it way too cool for my taste, you can always wait for Debian 11 bullseye. Expecting a release late summer 2021. :)


This exact post of yours is why folks come here to learn and get support.  You have given me/us a great deal to consider.  Thank you for that!!

I don't know what my final decision on this is yet.  I had to go through "hell" when I created a Franken-Debian in the past.  My system is highly personalized and I cannot simply use an ISO and install an out of the box system.  That won't meet my needs at all.  I likely will pull 2.5 out of SID but in a few months if it goes "Franken" on me all smiles will be lost.  I am backing up a perfect clone of this system to at least come back to "the here and now" quite easily.

Thanks again for your comments and ideas.

Share this post


Link to post
42 minutes ago, iwih2gk said:

This exact post of yours is why folks come here to learn and get support.  You have given me/us a great deal to consider.  Thank you for that!!


Thank you for your kind words, it's very much appreciated. :)
 
43 minutes ago, iwih2gk said:

I don't know what my final decision on this is yet.  I had to go through "hell" when I created a Franken-Debian in the past.  My system is highly personalized and I cannot simply use an ISO and install an out of the box system.  That won't meet my needs at all.  I likely will pull 2.5 out of SID but in a few months if it goes "Franken" on me all smiles will be lost.  I am backing up a perfect clone of this system to at least come back to "the here and now" quite easily.


There's a remedy for that: Partitions. Immensely strong on *nix in comparison to Windows. Have you considered splitting up your / into parts you don't want to redo everytime you reinstall a Linux distribution? I split my SSD into /, /boot, /home and /opt for example. This way the only partition rewritten is /. /boot will be updated when update-grub is run and /home, containing all your user settings, will remain, so that, when you boot the new installation for the first time, you will find that everything will be where you left it. Some also create an extra partition for /etc to keep software configuration as well, but I find backups of /etc slightly more dynamic for my use case. The only real thing you need to do before reinstalling is listing what software you have installed. Since I exclusively use APT for installations, I list the packages marked as manual (apt-mark showmanual) and work through it, reinstalling all I might need in the next two weeks. Everything else can be reinstalled as the need arises.
If you want to use your own packages right after installation, there's always the possibility to create your own image using simple-ccd or Debian Live.

Anyway, we're off-topic. If you want to dive deeper, please write me a message. :)

» I am not an AirVPN team member. All opinions are my own and are not to be considered official. Only the AirVPN Staff account should be viewed as such.

» The forums is a place where you can ask questions to the community. You are not entitled to guaranteed answer times. Answer quality may vary, too. If you need professional support, please create tickets.

» If you're new, take some time to read LZ1's New User Guide to AirVPN. On questions, use the search function first. On errors, search for the error message instead.

» If you choose to create a new thread, keep in mind that we don't know your setup. Give info about it. Never forget the OpenVPN logs or, for Eddie, the support file (Logs > lifebelt icon).

» The community kindly asks you to not set up Tor exit relays when connected to AirVPN. Their IP addresses are subject to restrictions and these are relayed to all users of the affected servers.

 

» Furthermore, I propose that your paranoia is to be destroyed. If you overdo privacy, chances are you will be unique amond the mass again.

Share this post


Link to post
@sooprtruffaut

Hello!

It is implemented already on all servers supporting CHACHA20-POLY1305 on Data Channel, i.e. all servers running OpenVPN 2.5. Please check the schedule in the first message.

Kind regards
 

Share this post


Link to post

Maybe a silly question, I'm running Hummingbird 1.1.0 on a Raspberry Pi and I have an ovpn profile generated a few months ago. Do I need to regenerate the file or can I simply restart hummingbird with the -C CHACHA20-POLY1305 flag?

Share this post


Link to post

When using OpenVPN for Android how do I know if ChaCha is being used?

I have advanced generated a 2.5 version openvpn config file with ChaCha selected as the cipher and imported to OpenVPN for Android.  When connected how do I know it is using ChaCha? 
 

Share this post


Link to post
On 11/12/2020 at 8:19 PM, kbps said:

When using OpenVPN for Android how do I know if ChaCha is being used?

I have advanced generated a 2.5 version openvpn config file with ChaCha selected as the cipher and imported to OpenVPN for Android.  When connected how do I know it is using ChaCha? 
 


In the log look for a line "Outgoing  Data channel: Chiper'" and "Incoming Data channel: Chiper'"
then there might be AES-256 there or Cha Cha

Share this post


Link to post

Join the conversation

You can post now and register later. If you have an account, sign in now to post with your account.
Note: Your post will require moderator approval before it will be visible.

Guest
Reply to this topic...

×   Pasted as rich text.   Paste as plain text instead

  Only 75 emoji are allowed.

×   Your link has been automatically embedded.   Display as a link instead

×   Your previous content has been restored.   Clear editor

×   You cannot paste images directly. Upload or insert images from URL.

Loading...
  • Security Check
    Play CAPTCHA Audio
    Refresh Image

×
×
  • Create New...