Jump to content
Not connected, Your IP: 52.205.167.104
Staff

WireGuard beta testing available

Recommended Posts

Quote
Interoperability between open-source applications and our service is still a main objective for us.
This is important to me. Thank you. I'm looking forward to trying wg with AirVPN.

Share this post


Link to post
6 hours ago, qitorin said:

Fatal error occured, please contact Eddie support: Exception: nft issue: exit:1; out:^                       ~~; err:Error: syntax error, options must be specified before commands


Known and hotfixed, not a Wireguard error:Clear the cache, then redownload the package:

# apt-get clean && apt-get install --reinstall eddie-ui

.

» I am not an AirVPN team member. All opinions are my own and are not official. Refer to Staff postings for the official word.

» These are the community forums, not the support portal. You're writing with other users here.

» New here? LZ1's New User Guide to AirVPN. Use the search function, Luke!

» Tor exits behind a VPN connection are discouraged. Using Tor on the other hand is not.

 

» Privacy is like alcohol: Drink a little and it can help you stay unnoticed. Drink a lot and everyone will notice you.

» I cannot give you the solution to all your issues. But I can guide you to it. The rest is up to you.

Share this post


Link to post

when creating a config file from the config generator
and improting it to android, the android wireguard app cannot import the config "invalid name"
not using any custom names

QR works fine

Share this post


Link to post
8 hours ago, zsam288 said:

not using any custom names


Rename before importing. Keep it very simple (e.g. airvpn0).

» I am not an AirVPN team member. All opinions are my own and are not official. Refer to Staff postings for the official word.

» These are the community forums, not the support portal. You're writing with other users here.

» New here? LZ1's New User Guide to AirVPN. Use the search function, Luke!

» Tor exits behind a VPN connection are discouraged. Using Tor on the other hand is not.

 

» Privacy is like alcohol: Drink a little and it can help you stay unnoticed. Drink a lot and everyone will notice you.

» I cannot give you the solution to all your issues. But I can guide you to it. The rest is up to you.

Share this post


Link to post
On 10/29/2021 at 6:30 PM, mith_y2k said:

Hi, I want to make sure I understand correctly your answer linked here: are you saying that AirVPN servers will remove the client ip every 10 minutes from memory but that the wireguard client will preserve it or are you saying the Wireguard team will have the client ips indefinitely?
I too am confused as to where and why the user's IP address is stored permantly.  I understand that while connected to Air servers, the user IP address will be known.  Why is this not purged from the Air after disconnect or server change?

Share this post


Link to post
19 minutes ago, kbps said:
On 10/29/2021 at 7:30 PM, mith_y2k said:

Hi, I want to make sure I understand correctly your answer linked here: are you saying that AirVPN servers will remove the client ip every 10 minutes from memory but that the wireguard client will preserve it or are you saying the Wireguard team will have the client ips indefinitely?
I too am confused as to where and why the user's IP address is stored permantly.  I understand that while connected to Air servers, the user IP address will be known.  Why is this not purged from the Air after disconnect or server change?

Hello!

Keeping permanently the client IP address is a WireGuard feature, see also https://airvpn.org/faq/wireguard

That's why we force a purge of the real IP address. "In AirVPN servers, if no handshake has occurred within 180 seconds, the peer is removed and reapplied. Doing so removes the real IP address from server memory.". Note that 180 seconds are not 10 minutes. If that's not acceptable you must not use WireGuard, keep using OpenVPN, which will get rid of the client IP address by itself (no need of active deletion).

About the VPN IP address, which is another privacy problem, we invite to read the above linked FAQ answer.

Kind regards
 

Share this post


Link to post
"I too am confused as to where and why the user's IP address is stored permantly.  I understand that while connected to Air servers, the user IP address will be known.  Why is this not purged from the Air after disconnect or server change?"

Re why: The wireguard protocol itself has no notion of a "disconnect," and the server is always open to seeing more packets from a given peer (client in this case). Keeping the last known IP from which each peer communicates with the server radically speeds up incoming packet authentication, because if a packet arrives from a sender in the "last known" list, it's pretty obvious which public key to try first to test whether it's authentic. 

Air has worked around the issue nicely by deleting the last known IP after (currently) 3m during which the usual handshake packets have not arrived. The next packet that does arrive then has to be tested for authenticity against a large number of peer (users here) public keys.  That carries a computational cost that Air kindly absorbs for the sake of our privacy in the comically unlikely case of some serious evildoer breaking into a datacenter and somehow siphoning off the contents of a running server's memory (IIRC they are diskless) for subsequent analysis.

Summary: Air has made the saved public IP a nonissue in practical terms. 

Share this post


Link to post
4 hours ago, SurprisedItWorks said:

he wireguard protocol itself has no notion of a "disconnect," and the server is always open to seeing more packets from a given peer (client in this case). Keeping the last known IP from which each peer communicates with the server radically speeds up incoming packet authentication, because if a packet arrives from a sender in the "last known" list, it's pretty obvious which public key to try first to test whether it's authentic. 


I see, thanks for the explanation.
So basically,
OpenVPN sends a disconnect packet to the VPN server, server forgets the connected IP address.
Wireguard does not send a disconnect packet to the VPN server, server keeps the connected IP address stored in-case it sees that IP again so that it does not have to re-authenticate. To maintain privacy Air has decided to delete IP's after 3 minutes.  Thanks Air.  Have I understood this correctly?

Out of interest how are other VPN providers dealing with this issue.  Are they doing something similar?
 

Share this post


Link to post

Some other providers are also tweaking things to try and deal with the storage of the public IP (what we discussed above) and the internal-network IP (the 10.X.Y.Z address you can change by renewing your device key).

Air's is the cleanest approach I've seen so far, because it doesn't hurt compatibility with third-party client software. You should be able to set up a dd-wrt or other router to use an Air wireguard server without difficulty, and I've done it in iOS using the official WireGuard app (easy set up & works great), etc. The other approaches I've seen limit you to the VPN provider's client apps.
 

Share this post


Link to post

I want to add a second wireguard tunnel/peer setup on my pfsense box, using a different device as setup in my AirVPN account.  The different device gives me a different, unique interface address for wireguard configs.  However, it still overlaps in network address space with the other address for my other "device" so pfsense doesn't allow me to add it. (The /10 address is a very large address range!)

Is there any solution to this so that I can have multiple wireguard tunnels running?

Share this post


Link to post

re my above post.  I changed the tunnel addresses from /10 to /32 and it works.

however, I was pulling my hair out trying to figure out why my second tunnel wasn't working even after the tunnel addresses didn't overlap.  server was Chameleon.

turns out when I tried to use Leo instead it works.  So perhaps something is wrong with Chameleon wireguard?

Share this post


Link to post
Posted ... (edited)

Hi,

@go558a83nk

Can you explain how/what you changed address and CIDR?

I want to run multiple WG servers in pfsense, but cannot, all server configs have the same Address = 10.153.187.114/10

Thanks in advance 😁

 

Edited ... by Jacker@

Share this post


Link to post

Help, I can't find the WireGuard option in the Eddie protocol section anymore.
I'm on Eddie 2.21.2 (Win10) and "access to beta features" is activated.
At first I was able to switch to WireGuard in Eddie, but after switching back to UDP (due to the negligible WG performance-boost on my old machine) and restarting the system, the WG-option has vanished (only UDP, TCP and SSL>TCP are available)
Can anybody help me, activating WireGuard in Eddie again?
 

Share this post


Link to post
20 hours ago, Jacker@ said:

Hi,

@go558a83nk

Can you explain how/what you changed address and CIDR?

I want to run multiple WG servers in pfsense, but cannot, all server configs have the same Address = 10.153.187.114/10

Thanks in advance 😁

 


You need to create another "device" which will allow you to generate configs with a different tunnel IP address.  https://airvpn.org/devices/ 

As far as changing the /10 to /32 I do that in the interface settings of the wireguard tunnel.  First I setup tunnel and peer for wireguard handshake, then setup interface and gateway for that wireguard tunnel.

Share this post


Link to post
9 minutes ago, go558a83nk said:

You need to create another "device" which will allow you to generate configs with a different tunnel IP address.  https://airvpn.org/devices/ 

As far as changing the /10 to /32 I do that in the interface settings of the wireguard tunnel.  First I setup tunnel and peer for wireguard handshake, then setup interface and gateway for that wireguard tunnel.

Thanks man 😎

Share this post


Link to post
1 minute ago, go558a83nk said:

you're welcome.  did you get it working?

Tested and worked perfectly thank you. I run two together in a failover gateway for IOT's. I have also been using Mullvad purely because of their wireguard support, so this is ideal for me now to migrate back, 👍

Share this post


Link to post

Thanks Staff for the great work. My Synology NAS with a weak CPU (Celeron J3455) managed maybe 30MB/s through OpenVPN UDP with either AES or ChaCha20, with Wireguard I just reached 80MB/s (~640 Mbit/s). I was hoping for a slight improvement, but this is much beyond my expectation!

Share this post


Link to post

Hello!

Testing this it works well, although I can't test it too much yet due to external factors, I wanted to make a suggestion to perhaps further aid privacy and renew my call for a "key management" API.

I want to designate certain keys as WireGuard keys (perhaps a prefix, WGKey_ in the key name) which I want to be able to renew programmatically. It seems renewing the keys does have a minor privacy benefit and is something I'd like to do routinely. At the moment managing keys is only possible via your website and is one of the biggest feature suggestions I'd like to see added to the API (then I can rotate keys freely).

Thanks for being cautious and critical in the design, although not ideal (and not as considered as OpenVPN in its privacy choices) it is certainly feasible if the threat model allows. Will test at the router level at some point and will hopefully see a speedup (even without AESNI I am hoping to see improvements).

Share this post


Link to post

Thanks to lovely AirVPN for launching this protocol ...
I'm getting "bringing up tunnel" error when try to connect ... 
Tried a few solutions around the web, but no luck. 😡

Share this post


Link to post

Anyone managed to get port forwarding to work with wireguard? I am getting connection refused errors. It works fine on openVPN.

Share this post


Link to post
5 hours ago, autone said:

Anyone managed to get port forwarding to work with wireguard? I am getting connection refused errors. It works fine on openVPN.

I opened UDP port 1637 on the router that's behind a W10 machine, and WG worked fine through Eddie.  I'm not sure if that port needs to be open or not on your end - worth a shot if nothing else works.

Share this post


Link to post
5 hours ago, autone said:

Anyone managed to get port forwarding to work with wireguard? I am getting connection refused errors. It works fine on openVPN.

Works fine for me with no additional configuration, just the config from the config generator. You don't need to port-forward anything in the router since Airvpn's port-forwarding is only dependent on the client and server, and gets tunneled through the VPN tunnel. Is the service you are trying to forward listening on the Wireguard tunnel interface?

Share this post


Link to post
2 hours ago, monstrocity said:
8 hours ago, autone said:

Anyone managed to get port forwarding to work with wireguard? I am getting connection refused errors. It works fine on openVPN.

I opened UDP port 1637 on the router that's behind a W10 machine, and WG worked fine through Eddie.  I'm not sure if that port needs to be open or not on your end - worth a shot if nothing else works.
I can connect to wireguard fine. It's port fowarding i'm having an issue with.

https://airvpn.org/ports/

 

Share this post


Link to post

Join the conversation

You can post now and register later. If you have an account, sign in now to post with your account.
Note: Your post will require moderator approval before it will be visible.

Guest
Reply to this topic...

×   Pasted as rich text.   Paste as plain text instead

  Only 75 emoji are allowed.

×   Your link has been automatically embedded.   Display as a link instead

×   Your previous content has been restored.   Clear editor

×   You cannot paste images directly. Upload or insert images from URL.

Loading...
  • Security Check
    Play CAPTCHA Audio
    Refresh Image

×
×
  • Create New...