Thebrynn

AirVPN Servers blacklisted


Hope someone can point me in the right direction.

I am aware of the cat and mouse game that are blocking lists, as well as the lazy blanket bans that admins do on the IP ranges.

My set up is that my router is set up with airvpn, and the tunnel is always active (and network lock is on). I also use unbound on that router.

That said, it gets increasingly difficult to find an AirVPN server that is not blacklisted. Making surfing the internet more challenging as you constantly need to do captchas, being blocked from some more security aware sites, not to mention that my company has amped up security monitoring (as we all work from home these days). Sometimes I am being blocked as my IP is different than my known location and suddenly is part of a potentially dangerous network. I have spoken to our CISOs on a few occasions already :)

Yes I understand that I could disable my vpn, but that would defeat the purpose.

Is there a way for us to find out easily if the current active AirVPN server is on a blacklist. Then choose a server that is not on a blacklist yet, and connect to that.
Ideally a way to automate this would be even better.

Right now I am checking on sites like https://mxtoolbox.com/SuperTool.aspx and check if my current exit ip is blacklisted. Then I try out all the different servers manually until I find one that does not block everything or is on a blacklist.

Any input or feedback would be greatly appreciated.

1 hour ago, Thebrynn said:

Is there a way for us to find out easily if the current active AirVPN server is on a blacklist. Then choose a server that is not on a blacklist yet, and connect to that.
Ideally a way to automate this would be even better.


IPLeak once checked with some Tor server lists if the server one is connected to is on it, but I don't see that feature any more. Probably removed because it was "laggy", so to speak.
Thing is: Those lists are maintained by people other than those associated with AirVPN. So AirVPN cannot exhaustively know if a server is on a list or not. You could have some luck with list providers offering an API for automated checks, building a little application around it, but to my knowledge there is no such thing (it might exist, maybe even as a FLOSS project, but probably discontinued… dunno).

NOT AN AIRVPN TEAM MEMBER. USE TICKETS FOR PROFESSIONAL SUPPORT.

LZ1's New User Guide to AirVPN « Plenty of stuff for advanced users, too!

Want to contact me directly? All relevant methods are on my About me page.


I went a bit down the rabbit hole and it seems a lot of issues (blacklists for AIRVPN ip addresses) boil down to two main use cases:

  • Servers not having a valid FCRDNS (see https://spfbl.net/en/fcrdns/)
  • on the worst and repeat offender blacklist for email spam
    • Quote
      spam.dnsbl.sorbs.net is the final step in the spam blacklists. spam.dnsbl.sorbs.net contains all data from old.dnsbl.sorbs.net, which in turn contains all the data in recent.dnsbl.sorbs.net and new.dnsbl.sorbs.net. These are generally offenders that have no intention of stopping spam, and will continue to be a burden on the inboxes of email users the world over. These hosts have further not made any effort to ask for delisting of any kind from SORBS.
The following links have helped me troubleshoot a bit:
https://whatismyipaddress.com/blacklist-check

This one even offers monitoring (trial and then paid)
https://www.blacklistmaster.com/
Might check it out, but that is only a part of the puzzle. The trick is then to find of all the Airvpn addresses one that is not blacklisted in these lists at least.
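
The two checks named in this post (FCrDNS and DNSBL listing) can be scripted over a list of candidate exit IPs. This is an added example, not part of the original post and not AirVPN code; the addresses, host names and the listing entry are constructed sample data, and the `fake_*` resolvers are hypothetical stand-ins so it runs offline.

```python
import ipaddress
import socket

ERROR_NET = ipaddress.ip_network("127.255.255.0/24")   # some lists answer here for refused queries
LISTED_NET = ipaddress.ip_network("127.0.0.0/8")        # DNSBL listing codes live in 127/8

def dnsbl_name(ip, zone):
    """Query name for a DNSBL: reversed IPv4 octets (or IPv6 nibbles) + zone."""
    ptr = ipaddress.ip_address(ip).reverse_pointer      # 7.2.0.192.in-addr.arpa
    return f"{ptr.rsplit('.', 2)[0]}.{zone}"            # drop in-addr.arpa / ip6.arpa

def listed(ip, zone, resolve=socket.gethostbyname):
    """True if zone lists ip. Only NXDOMAIN counts as 'not listed'."""
    try:
        answer = ipaddress.ip_address(resolve(dnsbl_name(ip, zone)))
    except socket.gaierror as exc:
        if exc.errno == socket.EAI_NONAME:
            return False
        raise                                           # resolver failure is not a clean result
    if answer in ERROR_NET:
        raise RuntimeError(f"{zone} returned error code {answer}, not a listing")
    return answer in LISTED_NET

def fcrdns_ok(ip, reverse=socket.gethostbyaddr, forward=socket.getaddrinfo):
    """Forward-confirmed reverse DNS: the PTR name of ip must resolve back to ip."""
    try:
        host = reverse(ip)[0]
        addrs = {ipaddress.ip_address(info[4][0]) for info in forward(host, None)}
    except OSError:                                     # no PTR, or PTR name does not resolve
        return False
    return ipaddress.ip_address(ip) in addrs

def first_clean(exit_ips, zones, resolve=socket.gethostbyname,
                reverse=socket.gethostbyaddr, forward=socket.getaddrinfo):
    """First exit IP that passes FCrDNS and is on none of the given DNSBL zones."""
    for ip in exit_ips:
        if fcrdns_ok(ip, reverse, forward) and not any(listed(ip, z, resolve) for z in zones):
            return ip
    return None

# Constructed sample data: documentation address ranges, hypothetical host names.
SAMPLE_PTR = {"192.0.2.7": "exit1.vpn.example", "198.51.100.9": "exit2.vpn.example"}
SAMPLE_A = {"exit1.vpn.example": "192.0.2.7", "exit2.vpn.example": "198.51.100.9"}
SAMPLE_BL = {"7.2.0.192.spam.dnsbl.sorbs.net": "127.0.0.6"}
SAMPLE_IPS = ["203.0.113.5", "192.0.2.7", "198.51.100.9"]

def fake_reverse(ip):
    if ip not in SAMPLE_PTR:
        raise socket.herror(1, "no PTR")
    return (SAMPLE_PTR[ip], [], [ip])

def fake_forward(host, port):
    if host not in SAMPLE_A:
        raise socket.gaierror(socket.EAI_NONAME, "NXDOMAIN")
    return [(socket.AF_INET, socket.SOCK_STREAM, 6, "", (SAMPLE_A[host], 0))]

def fake_resolve(name):
    if name not in SAMPLE_BL:
        raise socket.gaierror(socket.EAI_NONAME, "NXDOMAIN")
    return SAMPLE_BL[name]

if __name__ == "__main__":
    print(first_clean(SAMPLE_IPS, ["spam.dnsbl.sorbs.net"],
                      fake_resolve, fake_reverse, fake_forward))
```

Dropping the `fake_*` arguments makes the same functions use the system resolver; the check has to be run on the exit IP that sites see, as in the manual procedure described earlier in the thread.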

This is becoming really painful over time. I've just realised that I can't access my ISP hosted websites and they are picking up the AirVPN addresses as insecure. Can AirVPN admins try to track down somehow the offenders that perpetrate bad activities using the AirVPN servers, thus making life difficult for all of us?

On 7/6/2022 at 12:29 AM, hydrotux said:

Can AirVPN admins try to track down somehow the offenders that perpetrate bad activities using the AirVPN servers, thus making life difficult for all of us?


The moment this happens is the moment half of AirVPN's users lose trust in the provider.


That is a good point but being so heavily blacklisted makes using the VPN really difficult and frustrating. The internet community should come up with a way of banning and making the life of abusers more difficult.

On another related point, I'm trying to understand why when I choose the server for the configuration file (tls-crypt, tls1.2 option), I get an IP ending 165. I check this IP on www.blacklistmaster.com and it is not listed. When I then connect with my pfSense machine using that IP, I actually end up being connected to a server with IP ending 163. It turns out that the 163 IP is banned on several servers when checking www.blacklistmaster.com.
So then I'm wondering how will I ever find an IP that is not listed if I end up being connected to IPs that I actually don't specify in my pfSense config. Is this a pfSense thing or is it an AirVPN thing that assigns users to different IPs/servers for load balancing requirements, etc. Presumably this means that there isn't just one IP for those choosing OpenVPN 2.4 + tls-crypt, tls1.2 option?
 

Edited ... by hydrotux
Don't want to add another post

On 7/11/2022 at 9:59 PM, hydrotux said:

Presumably this means that there isn't just one IP for those choosing OpenVPN 2.4 + tls-crypt, tls1.2 option?


No, there is only one. But there are tls-auth and tls-crypt, both with a primary and secondary IP address, in total 4/server. Check your pfSense settings, you might actually not connect with tls-crypt there.


This is a problem with no-log do what you want VPN providers like AirVPN and finding datacenters/hosting providers that will take their business.

It probably will be of little interest given their userbase, but I'd love if Air had "privacy-oriented" servers that were hosted with smaller hosting companies with potentially stricter rules (no file-sharing, lower b/w caps, restricted ports, etc.).

As someone who has to deal with fraud on the internet for their work, M247, Digital Ocean, and others are rated extremely high risk and usually it makes sense to block them if other risk factors are tied with the user using the IP address.

6 hours ago, YLwpLUbcf77U said:

It probably will be of little interest given their userbase, but I'd love if Air had "privacy-oriented" servers that were hosted with smaller hosting companies with potentially stricter rules (no file-sharing, lower b/w caps, restricted ports, etc.).


This directly violates AirVPN's mission statement, in which the pledge to Net Neutrality is formulated.
 
6 hours ago, YLwpLUbcf77U said:

As someone who has to deal with fraud on the internet for their work, M247, Digital Ocean, and others are rated extremely high risk and usually it makes sense to block them if other risk factors are tied with the user using the IP address.


We've been noticing this in the community for quite some time now. Especially M247 is quite a common point of complaint.


Hello!

 

The main reasons for complaints and black list presence of IP addresses are attacks via HTTP(S) and spam mails. A server with outbound ports 80 and 443 blocked would be avoided by anyone, we think, while we might consider blocking outbound ports 465 and 587 (outbound port 25 is already blocked on all servers) and renouncing our fight to defend net neutrality. This will require however a mission as well as Terms of Service modification, as noted by @OpenSourcerer, so it's not a viable solution for the current management administration and the contracts with our current users.

 

Out there you can already find tons of VPNs which violate net neutrality by inspecting your traffic and blocking (or shaping) applications, protocols and ports. Or you can just use your own ISP. The peculiarity of AirVPN is that it doesn't enforce that rubbish. If one asks for traffic inspection, ports blocking and so on and so forth to get a "cleaner" IP address, then he/she probably "deserves" a pervasive surveillance and must take into account that his/her personal information and his/her behavior will be sooner or later used against him/her, as it already happened to millions and millions of people around the world in the last years.

 

Kind regards

1 hour ago, OpenSourcerer said:

This directly violates AirVPN's mission statement, in which the pledge to Net Neutrality is formulated.
 
We've been noticing this in the community for quite some time now. Especially M247 is quite a common point of complaint.

True, but if NN = let's put everything on web hosts that are blacklisted most everywhere, then it may make sense to update the mission statement or at least make some exceptions to it.

Edit:  I just want to clarify I like AirVPN very much.  My posts here are not a complaint, but just a shower thought-level suggestion.

2 hours ago, YLwpLUbcf77U said:

True, but if NN = let's put everything on web hosts that are blacklisted most everywhere, then it may make sense to update the mission statement or at least make some exceptions to it.
 

Hello!

An exception could be attempted, as "opt-in" and not part of the main service, in order to avoid contract violation with our customers. We need legal advice first, however from a practical point of view we really don't know who would connect to a server where you can't do HTTP(S). As a second option we could run servers which only block outbound ports 22, 25, 465 and 587 (to prevent many SSH attacks, and spam mails), but again we would be subjected to black listing due to HTTP(S) based attacks (malicious forms, injections etc. etc.). Frankly it seems that the pervasive monitoring and logging required to punish those who allegedly perform attacks based on HTTP(S) would impact legit users remarkably, and it would make our service more or less the same as using directly your ISP (or worse in some circumstances), as it already happens with most VPNs out there.

Kind regards
 


The cost of spinning up a test server(s) would probably not be much. I agree that given your target userbase, it remains to be seen how popular these servers would be.


Over the past year, I have found that the AirVPN servers I use are blocked more often. Now I encounter blocking several times a day on sites that are important to my work. Typically public organisations, blogs, and businesses. A nuisance and waste of time!

While Net Neutrality is an ideal I agree with, AirVPN is becoming less useful by the day. I now regret paying three years ahead and will soon have to abandon ship, which saddens me as AirVPN has been immensely useful.

I suggest that AirVPN thinks about what to do to stay relevant to legit users or openly decide to support net abusers only.

28 minutes ago, kutusow said:

I suggest that AirVPN thinks about what to do to stay relevant to legit users or openly decide to support net abusers only.


Hello!

Please see our previous reply in this thread and also the following one, where we explain more thoroughly our point of view and some facts:
https://airvpn.org/forums/topic/50724-two-new-1-gbits-servers-available-us/?do=findComment&comment=216468

Just a brief addition: your above quoted sentence implies that protecting privacy in an agnostic network means supporting net abusers, which is an inadmissible and shameful idea that we strongly reject. This concept is one of the "moral" or "ethical" justifications to pervasive surveillance in virtually all countries controlled by human rights hostile regimes, and in a few "Western" countries too: since someone somewhere someday might commit a crime via the Internet, let's enforce blanket data retention and pervasive packet inspection for everyone, so Internet will be a "safe place" for the "law abiding, conforming" citizen. Your consideration has been and is the founding argument for power groups having the hidden agenda to expunge the right to privacy from the list of fundamental rights. Consider that one of the strictly necessary conditions for any dictatorship to survive is the effective suppression of the right to privacy.

Kind regards
 

1 hour ago, kutusow said:

Over the past year, I have found that the AirVPN servers I use are blocked more often. Now I encounter blocking several times a day on sites that are important to my work. Typically public organisations, blogs, and businesses. A nuisance and waste of time!

While Net Neutrality is an ideal I agree with, AirVPN is becoming less useful by the day. I now regret paying three years ahead and will soon have to abandon ship, which saddens me as AirVPN has been immensely useful.

I suggest that AirVPN thinks about what to do to stay relevant to legit users or openly decide to support net abusers only.


Thank you, as an AirVPN co-founder I am very proud whenever I come to know that AirVPN has been immensely useful thanks to its mission. Compliance to the mission is what made AirVPN immensely useful to so many people around the world.

What you propose is potentially a betrayal of the mission and would bring us to a slippery slope: once you start monitoring, you open a Pandora's box which may become quickly destructive. The matter must be approached carefully as your reasoning is even the rationale which is bringing the EU to an attempt to ban end-to-end encryption in chats etc. https://www.eff.org/deeplinks/2022/10/eu-lawmakers-must-reject-proposal-scan-private-chats

Consider that the alleged infringements we come to know from IP address black list compilers are a negligible percentage (something around ~ 0.1%) over the total amount of sessions and users of the service. It means that the infringers amount is not greater than the general amount of civil or criminal infringers in the society, i.e. every year in every EU country at least 1 citizen out of 1000 infringes civil or criminal laws outside the Internet (and that's only the ascertained amount of infringements).

Many blocks you experience are not even caused by infringements committed intentionally, but simply by infected computers. Several black list compilers just add IP addresses, or even IP address ranges, after a simple, unverified claim by literally anybody showing a text log. So the VPN server might have done nothing, but its address is black listed anyway because in the past, from an IP address in the same range or assigned to the same ASN, some infringement was alleged.

Then web site administrators add black lists in the dangerous illusion of adding security to their sites. It is an illusion according to stats which show that the amount of successful web site breaches has not decreased in the last 5 years, and in reality it is just a, often unaware, step to indirectly jeopardize privacy, because it will push some users to ask for more surveillance and privacy intrusions by their own provider in order to have a "clean" IP address (exactly what you have done here):

Kind regards
pj
 


Touche!

And thank you very much for your answer to me and the link to your detailed answer. I may have overstated my point, but AirVPN is in a dilemma: Your hardline Net Neutrality/no policing/no monitoring policy (apart from closing port 25) provides all of us a lot of freedom AND criminal governments and individuals using your services with an excellent avenue to abuse the net.

Yet, the alternative to perfect Net Neutrality and the total lack of policing is not for AirVPN to do pervasive surveillance and intrusive monitoring reporting all and sundry to the Iranian Revolutionary Guards. In all human affairs, there are in-between options.

There surely must be stuff that AirVPN can do to reduce the blocking of AirVPN servers. And some measures may involve making life a bit more difficult for abusers. Not all policing is inherently evil.

Given your mission and openness and our contracts, I think you can do something sensible without siding with unfreedom. You are actually defeating your purpose of promoting the freedom of users if your service is blocked still more often.

On 1/7/2023 at 11:05 AM, kutusow said:

Touche!

And thank you very much for your answer to me and the link to your detailed answer. I may have overstated my point, but AirVPN is in a dilemma: Your hardline Net Neutrality/no policing/no monitoring policy (apart from closing port 25) provides all of us a lot of freedom AND criminal governments and individuals using your services with an excellent avenue to abuse the net.

Yet, the alternative to perfect Net Neutrality and the total lack of policing is not for AirVPN to do pervasive surveillance and intrusive monitoring reporting all and sundry to the Iranian Revolutionary Guards. In all human affairs, there are in-between options.

There surely must be stuff that AirVPN can do to reduce the blocking of AirVPN servers. And some measures may involve making life a bit more difficult for abusers. Not all policing is inherently evil.

Given your mission and openness and our contracts, I think you can do something sensible without siding with unfreedom. You are actually defeating your purpose of promoting the freedom of users if your service is blocked still more often.


There is nothing that can be done, it's a simple fact and reality and one that even the founders of AirVPN - as amazing as they are - probably accept and understand their service is a "best case" offering. Not even the TOR project are immune to censorship and that's their entire purpose, connecting in certain regions can be difficult, if not impossible, depending on the competence of the authorities. I want to be absolutely clear in this, no matter what the provider, whether it's ProtonVPN, Mullvad, Nord or whomever are able to do any differently or better than what AirVPN already deliver.

This is a problem with the 'internet' as a concept, using a numbering system to route packets, where firewalls and blocks can be enacted and efforts to disguise those packets can be dealt with swiftly by simply dropping them, adding them to a firewall etc.

Many places track 24/7 TOR nodes, VPN/other privacy software IP addresses and add them to a .txt document, web admins can set all those IP addresses that match to be blocked - 403 errors or CAPTCHAs are frequent for users of these tools.

No matter what ports are blocked, someone, somewhere will find a way to trigger a system to cause a blacklist to block the IP - if that IP gets a low reputation, the block can be shared around. Consider how easylist for example blocks trackers/ads loading in your browser, AirVPN itself allows you to poison the DNS and domains on that list often make their way to other lists too, it's the same principle.

If you want privacy, there's a cost. I suspect in 10/20 years VPNs will be blocked at the network level, governments will simply not tolerate IP addresses which are "unknown", or shared, and will make services like AirVPN illegal, it's entirely possible over time the societal attitude will change to make people think VPN = someone wants to hide something.

If you want to see improvements you'll need to come up with a better way of routing data through a network, because IP addresses will always be a centralized, controllable entity and misguided web admins are subject to propaganda that users of such networks are all cyber criminals and therefore a block of any such service must be essential, hence the 403 forbidden we all see so often these days.
