Jump to content
Not connected, Your IP: 44.197.230.180
Thebrynn

AirVPN Servers blacklisted

Recommended Posts

Hope someone can point me in the right direction.

I am aware of the cat and mouse game that are blockinglists, as well as the lazy blanket bans that admins do on the ip ranges.

My set up is that my router is set up with airvpn, and the tunnel is always active (and network lock is on). I also use unbound on that router.

That said, It gets increasingly difficult to find an Airvpn server that is not blacklisted. Making surfing the internet more challenging as you constantly need to do captchas, being blocked from some more security aware site, not to mention that I my company has amped up security monitoring (as we all work from home these days). Sometimes I am being blocked as my ip is different than my known location and suddenly is part of a potentially dangerous network.  I have spoken to our CISO's on a few occasions already :)

Yes I understand that I could disable my vpn, but that would defeat the purpose.

Is there a way for us to find out easily if the current active airvpn server is on a blacklist. Then chose a server that is not on a blacklist yet, and connect to that.
Ideally a way to automate this would be even better.

Right now I am checking on sites like https://mxtoolbox.com/SuperTool.aspx and check if my current exit ip is blacklisted. Then I try out all the different servers manually until I find one that does not block everything or is on a blacklist.

Any input or feedback would be greatly appreciated.

Share this post


Link to post
1 hour ago, Thebrynn said:

Is there a way for us to find out easily if the current active airvpn server is on a blacklist. Then chose a server that is not on a blacklist yet, and connect to that.
Ideally a way to automate this would be even better.


IPLeak once checked with some Tor server lists if the server one is connected to is on it, but I don't see that feature any more. Probably removed because it was "laggy", so to speak.
Thing is: Those lists are maintained by people other than those associated with AirVPN. So AirVPN cannot exhaustively know if a server is on a list or not. You could have some luck with list providers offering an API for automated checks, building a little application around it, but to my knowledge there is no such thing (it might exist, maybe even as a FLOSS project, but probably discontinued… dunno).

NOT AN AIRVPN TEAM MEMBER. USE TICKETS FOR PROFESSIONAL SUPPORT.

LZ1's New User Guide to AirVPN « Plenty of stuff for advanced users, too!

Unofficial Eddie for Android F-Droid repository: repo.opensourcery.eu

Want to contact me directly? All relevant methods are on my About me page.

Share this post


Link to post

I went a bit down the rabbit hole and it seems a lot of issues (blacklists for AIRVPN ip addresses) boil down to two main use cases:

  • Servers not having a valid FCRDNS (see https://spfbl.net/en/fcrdns/)
  • on the worst and repeat offender blacklist for email spam
    • Quote
      spam.dnsbl.sorbs.net is the final step in the spam blacklists. spam.dnsbl.sorbs.net contains all data from old.dnsbl.sorbs.net, which in turn contains all the data in recent.dnsbl.sorbs.net and new.dnsbl.sorbs.net. These are generally offenders that have no intention of stopping spam, and will continue to be a burden on the inboxes of email users the world over. These hosts have further not made any effort to ask for delisting of any kind from SORBS.
The following links have helped me troubleshoot a bit:
https://whatismyipaddress.com/blacklist-check

This one even offers monitoring (trial and then paid)
https://www.blacklistmaster.com/
Might check it out, but that is only a part of the puzzle. The trick is then to find of all the Airvpn addresses one that is not blacklisted in these lists at least.


 

Share this post


Link to post

This is becoming really painful over time. I've just reliased that I can't access my ISP hosted websites and they are picking up the AirVPNs addressed as insecure. Can AirVPN admins try to track down somehow the offenders that perpertrate bad activities using the AIrVPN servers, thus making life difficult for all of us?

Share this post


Link to post
On 7/6/2022 at 12:29 AM, hydrotux said:

Can AirVPN admins try to track down somehow the offenders that perpertrate bad activities using the AIrVPN servers, thus making life difficult for all of us?


The moment this happens is the moment half of AirVPN's users lose trust in the provider.

NOT AN AIRVPN TEAM MEMBER. USE TICKETS FOR PROFESSIONAL SUPPORT.

LZ1's New User Guide to AirVPN « Plenty of stuff for advanced users, too!

Unofficial Eddie for Android F-Droid repository: repo.opensourcery.eu

Want to contact me directly? All relevant methods are on my About me page.

Share this post


Link to post
Posted ... (edited)

That is a good point but being so heavily blacklisted makes using the VPN really difficult and frustrating. The internet community should come up with a way of banning and making the life of abusers more difficult.

On another related point, I'm trying to understand why when I choose the server for the configuration file (tls-crypt, tls1.2 option), I get an IP ending 165. I check this IP on www.blacklistmaster.com and it is not listed. When I then connect with my pfSense machine using that IP, i actually end up being connected to a server with IP ending 163. I turns out that the 163 IP is banned on several servers when checking www.blacklistmaster.com.
So then I
'm wondering how will I ever find an IP that is not listed if I end up being connected to IPs that I actually don't specify in my pfSense config. Is this a pfSense thing or is it a AirVPN thing that assigns users to different IPs/servers for load balancing requirements, etc. Presumably this means that there isn't just one IP for those choosing OpenVPN 2.4 + tls-crypt, tls1.2 option?
 

Edited ... by hydrotux
Don't want to add another post

Share this post


Link to post
On 7/11/2022 at 9:59 PM, hydrotux said:

Presumably this means that there isn't just one IP for those choosing OpenVPN 2.4 + tls-crypt, tls1.2 option?


No, there is only one. But there are tls-auth and tls-crypt, both with a primary and secondary IP address, in total 4/server. Check your pfSense settings, you might acually not connect with tls-crypt there.

NOT AN AIRVPN TEAM MEMBER. USE TICKETS FOR PROFESSIONAL SUPPORT.

LZ1's New User Guide to AirVPN « Plenty of stuff for advanced users, too!

Unofficial Eddie for Android F-Droid repository: repo.opensourcery.eu

Want to contact me directly? All relevant methods are on my About me page.

Share this post


Link to post

This is a problem with no-log do what you want VPN providers like AirVPN and finding datacenters/hosting providers that will take their business.

It probably will be of little internet given their userbase, but I'd love if Air had "privacy-oriented" servers that were hosted with smaller hosting companies with potentially stricter rules (no file-sharing, lower b/w caps, restricted ports, etc.).

As someone who has to deal with fraud on the internet for their work, M247, Digital Ocean, and others are rated extremely high risk and usually it makes sense to block them if other risk factors are tied with the user using the IP address.

Share this post


Link to post
6 hours ago, YLwpLUbcf77U said:

It probably will be of little internet given their userbase, but I'd love if Air had "privacy-oriented" servers that were hosted with smaller hosting companies with potentially stricter rules (no file-sharing, lower b/w caps, restricted ports, etc.).


This directly violates AirVPN's mission statement, in which the pledge to Net Neutrality is formulated.
 
6 hours ago, YLwpLUbcf77U said:

As someone who has to deal with fraud on the internet for their work, M247, Digital Ocean, and others are rated extremely high risk and usually it makes sense to block them if other risk factors are tied with the user using the IP address.


We've been noticing this in the community for quite some time now. Especially M247 is quite a common point of complaint.

NOT AN AIRVPN TEAM MEMBER. USE TICKETS FOR PROFESSIONAL SUPPORT.

LZ1's New User Guide to AirVPN « Plenty of stuff for advanced users, too!

Unofficial Eddie for Android F-Droid repository: repo.opensourcery.eu

Want to contact me directly? All relevant methods are on my About me page.

Share this post


Link to post

Hello!

 

The main reason of complaints and black list presence of IP addresses are attacks via HTTP(S) and spam mails. A server with blocked outbound ports 80 and 443 blocked would be avoided by anyone, we think, while we might consider to block outbound ports 465 and 587 (outbound port 25 is already blocked on all servers) and renounce to our fight to defend net neutrality. This will require however a mission as well as Terms of Service modification, as noted by @OpenSourcerer , so it's not a viable solution for the current management administration and the contracts with our current users.

 

Out there you can already find tons of VPNs which violate net neutrality by inspecting your traffic and blocking (or shaping) applications, protocols and ports. Or you can just use your own ISP. The peculiarity of AirVPN is that it doesn't enforce that rubbish.. If one asks for traffic inspection, ports blocking and so on and so forth to get a "cleaner" IP address, then he/she probably "deserves" a pervasive surveillance and must take into account that his/her personal information and his/her behavior will be sooner or later used against him/her, as it already happened to millions and millions of people around the world in the last years.

 

Kind regards

Share this post


Link to post
1 hour ago, OpenSourcerer said:

This directly violates AirVPN's mission statement, in which the pledge to Net Neutrality is formulated.
 
We've been noticing this in the community for quite some time now. Especially M247 is quite a common point of complaint.

True, but if NN = let's put everything on web hosts that are blacklisted most everywhere, then it may make sense to update the mission statement or at least make some exceptions to it.

Edit:  I just want to clarify I like AirVPN very much.  My posts here are not a complaint, but just a shower thought-level suggestion.

Share this post


Link to post
2 hours ago, YLwpLUbcf77U said:

True, but if NN = let's put everything on web hosts that are blacklisted most everywhere, then it may make sense to update the mission statement or at least make some exceptions to it.
 

Hello!

An exception could be attempted, as "opt-in" and not part of the main service, in order to avoid contract violation with our customers. We need a legal advice first, however under a practical point of view we really don't know who would connect to a server where you can't do HTTP(S). As a second option we could run servers which only block outbound ports 22, 25, 465 and 587 (to prevent many SSH attacks, and spam mails), but again we would be subjected to black listing due to HTTP(S) based attacks (malicious forms, injections etc. etc.). Frankly it seems that the pervasive monitoring and logging required to punish those who allegedly perform attacks based on HTTP(S) would impact legit users remarkably, and it would make our service more or less the same as using directly your ISP (or worse in some circumstances), as it already happens with most VPNs out there.

Kind regards
 

Share this post


Link to post

The cost of spinning up a test server(s) would probably not be much.  I agree that given your target userbase, it remains seen how popular these servers would be. 

Share this post


Link to post

Join the conversation

You can post now and register later. If you have an account, sign in now to post with your account.
Note: Your post will require moderator approval before it will be visible.

Guest
Reply to this topic...

×   Pasted as rich text.   Paste as plain text instead

  Only 75 emoji are allowed.

×   Your link has been automatically embedded.   Display as a link instead

×   Your previous content has been restored.   Clear editor

×   You cannot paste images directly. Upload or insert images from URL.

Loading...
  • Security Check
    Play CAPTCHA Audio
    Refresh Image

×
×
  • Create New...