Staff 9971 Posted ... Hello! We're very glad to inform you that two new 1 Gbit/s full duplex servers located in New York City are available: Haedus and Iklil. They are going to replace Dimidium and Gliese. The AirVPN client will show automatically the new servers; if you use any other OpenVPN or WireGuard client you can generate all the files to access them through our configuration/certificates/key generator (menu "Client Area"->"Config generator"). The servers accept connections on ports 53, 80, 443, 1194, 2018 UDP and TCP for OpenVPN and ports 1637 UDP for WireGuard. Haedus and Iklil support OpenVPN over SSL and OpenVPN over SSH, TLS 1.3, OpenVPN tls-crypt and WireGuard.Full IPv6 support is included as well. As usual no traffic limits, no logs, no discrimination on protocols and hardened security against various attacks with separate entry and exit-IP addresses. You can check the status as usual in our real time servers monitor:https://airvpn.org/servers/Haedus/https://airvpn.org/servers/Iklil/ Do not hesitate to contact us for any information or issue. Kind regards and datalove AirVPN Team 2 1 1 Alexei Sator, go558a83nk, flat4 and 1 other reacted to this Quote Share this post Link to post
Staff 9971 Posted ... 13 hours ago, go558a83nk said: Switching from Dedipath to more m247. 😞 Hello! Unfortunately DediPath could not serve us anymore and demanded block of specific outbound ports to block traffic coming from the usual cretins who spam or have their Windows machines infected with spamware. M247 never posed such a problem to us. Before breaking net neutrality so blatantly we will try with reliable providers and port block remains the last option to be enforced only when absolutely unavoidable (currently we only block outbound port 25). Kind regards Quote Share this post Link to post
alternity75 0 Posted ... So, I've got my pfSense connected to both Dimidium and Gliese, when exactly will those connections go dark and I'll have to reconfigure for the two new servers? I'm assuming the entry IPs are going to change after the switch, though it'd be cool if they didn't, heh. Damn I'm lazy. Quote Share this post Link to post
Staff 9971 Posted ... @alternity75 Hello! Gliese is already down while Dimidium should work up to June the 5th. IP addresses will change, it's inevitable in this case. Kind regards Quote Share this post Link to post
OpenSourcerer 1435 Posted ... 10 hours ago, Staff said: Unfortunately DediPath could not serve us anymore and demanded block of specific outbound ports to block traffic coming from the usual cretins who spam or have their Windows machines infected with spamware. M247 never posed such a problem to us. Before breaking net neutrality so blatantly we will try with reliable providers and port block remains the last option to be enforced only when absolutely unavoidable (currently we only block outbound port 25). I'd love to get to know the action plan when M247 starts asking questions… will you break down half your server fleet? 1 foDkc4UySz reacted to this Quote Hide OpenSourcerer's signature Hide all signatures NOT AN AIRVPN TEAM MEMBER. USE TICKETS FOR PROFESSIONAL SUPPORT. LZ1's New User Guide to AirVPN « Plenty of stuff for advanced users, too! Want to contact me directly? All relevant methods are on my About me page. Share this post Link to post
Staff 9971 Posted ... 1 hour ago, OpenSourcerer said: I'd love to get to know the action plan when M247 starts asking questions… will you break down half your server fleet? If you mean requirements to infringe Net Neutrality, beyond our will (which is blocking outbound port 25 and nothing else), they are unlikely because the contract we sign with them is clear under this respect (and not all providers offer clear contracts). Furthermore, in so many years, a requirement to infringe Net Neutrality has never been made by M247. More in general, providers which requested or enforced by themselves NN infringements have been very few in these 12 years of operations, maybe four, as far as we remember, including one with strange infringements like blocking ICMP altogether. M247 servers, for your information, are 30% of the total in our infrastructure, not 50%, and yes, they can be replaced in the unlikely, worst case scenario. Remember that we still have an oversized infrastructure, so we would be able to do it with no service interruption. Of course if all of our providers enforced Net Neutrality infringements together, then our mission could not be accomplished anymore integrally, or at least not easily at all in a short time, but that's another story. Kind regards Quote Share this post Link to post
OpenSourcerer 1435 Posted ... Look. I'm not the first raising suspicions about the disproportionately high share of M247 servers compared to others. This gets increasingly evident if you isolate the dataset to individual countries. The thing is that, even if it's ~30% of the fleet, M247's share is 66% in DE (10/15) and in UK we're looking at 100%, just as an example. All 15 servers are M247 there. So even if you say the infrastructure can take such a huge hit, the sobering fact is that you will lose the UK flag entirely when shit hits the fan, and DE will be on the brink of overload. Plan for the worst, hope for the best, you know? Or, you know, maybe you do plan to the best of your abilities. Maybe you do play the hand you're dealt as best as you can. Maybe there really is only one single choice you're left with in UK. I can totally understand – if it's communicated that way. But if 100% is M247 in one country, it looks like an evident Single Point of Failure right there to me. This is what I'm concerned about in the end: You're trusting a single provider, who is more or less notorious for being a safe haven for at least many, many VPN providers, with delivering a performant, reliable, perpetual service on the promises of a sheet of paper. I always wished AirVPN to prosper, and probably always will, but even I can't help but feel a slight discomfort looking at where the numbers are headed. Quote Hide OpenSourcerer's signature Hide all signatures NOT AN AIRVPN TEAM MEMBER. USE TICKETS FOR PROFESSIONAL SUPPORT. LZ1's New User Guide to AirVPN « Plenty of stuff for advanced users, too! Want to contact me directly? All relevant methods are on my About me page. Share this post Link to post
Staff 9971 Posted ... @OpenSourcerer Thank you very much for your concerns and your continued and ongoing support. You have no peculiar reasons to worry about, under this respect, for we have plans considering even the harsh UK and Germany scenario you depict. Kind regards 1 Antti Simola reacted to this Quote Share this post Link to post
3vSIMdRVv6Q1TmbFsIiP8QV8 1 Posted ... Hi! I'm not sure if this is appropriate here or if I should start a new thread, but it involves Iklil, so it seems like this is the best place.... anyway.... I've been traveling and out of my office for a month, but ever since I returned last weekend, I noticed my 'external IP' applet has been showing my server country as being in India. IPlocation.net still shows it as New York, but I've seen some odd 'geo-location' based offerings that were all in Hindi instead of English...so it must be getting read as 'India' by more than just my little applet. Also, my email client has suddenly been throwing up 'rejected credential' warnings from certain email providers. Everything is in order with them, so I'm beginning to think it is the VPN server that may be causing the issue. Anyway, I was getting ready to change to another server, but I'll wait for a response and any would take any advisement under consideration. Quote Share this post Link to post
YLwpLUbcf77U 32 Posted ... This is becoming more and more of an issue because while hosting providers like M247 may be a perfect fit for AirVPN in that it can contractually agree to Air's strict NN requirements, from an actual user experience, it may be difficult to navigate the web as more and more sites may block these higher risk IP addresses. I don't know what type of activities most Air users make use of, but if defending 'NN, privacy, and censorship' (taken from the index page) are what is most important, then Air should consider blocking ports used for tormenting for some servers at least (non-M247) because let's not kid ourselves when looking at users on the scoreboard transferring terabytes a month. It surely isn't backups of Wikipedia and Linux ISO's. As someone who has been using Air for almost a decade, but truly only for privacy purposes, I'd really love to see more lower risk IP servers being added with stricter rules. There is a market for a 'no log VPN service that caters to users who simply want a slightly restricted port-wise private pipe on relatively clean servers'. Air could offer a different product tier for this or a spin-off service to separate it from its core brand. If things don't change where eventually it's picking a server on M247, Dedipath, Digital Ocean, or gosh forbid OVH, users like myself may have to look elsewhere. 1 kutusow reacted to this Quote Share this post Link to post
Staff 9971 Posted ... 1 hour ago, YLwpLUbcf77U said: more and more sites may block these higher risk IP addresses. [...] Air should consider blocking ports used for tormenting [torrenting] for some servers at least (non-M247) because let's not kid ourselves when looking at users on the scoreboard transferring terabytes a month. It surely isn't backups of Wikipedia and Linux ISO's. If things don't change where eventually it's picking a server on M247, Dedipath, Digital Ocean, or gosh forbid OVH, users like myself may have to look elsewhere. Hello! The blocks you mention have nothing to do at all with torrenting or copyright notices. If they were, then yes, it would be trivial indeed to offer special servers with the aims you describe as exceptions to our mission. The main three factors causing black listing are spam e-mails, attacks to web servers via HTTP POST etc., and false positives (we include here the widespread blocks against entire IP ranges when only one IP address in that range is flagged). The first problem can be strongly mitigated, if not solved, by blocking outbound ports 465 and 587, the second problem can be resolved by blocking outbound ports 80 and 443, therefore making the server unusable to reach web sites and send out e-mail. It's easy to guess that this type of service wouldn't be used by anybody as without e-mail and the World Wide Web nobody would feel on the Internet for real, but we could add servers with this limitation for free to our customers, as a free and optional bonus outside the service (in order not to cause a contractual breach) just to test how many would use them and for which purposes (maybe something interesting will come out). Another form of mitigation would be deep packet inspection to discard any packet with malformed queries and potentially malicious purposes according to pre-defined algorithms, data set etc. (needless to say it would be a contractual breach even on a bonus server, so it's not realistic to think of it). Please note that, according to latest reports, about 1 out of 12 Windows machine in the world is infected, so in various (many?) cases the activity causing IP address black-listing is performed without the knowledge of the computer owner. Another approach, which is actually more realistic and followed by most providers, is monitoring the customer's traffic, identify the customer at least via IP address at each connection, block immediately the account when something suspicious goes on and report the customer's IP address to competent authorities (this last step becomes legally mandatory on most countries when a provider monitors the traffic and comes to know that a potential infringement has been committed).. Then it's all up to the competent authorities, end of the story for the provider. This type of service is surely possible (and in reality it has been followed in secret by several VPNs in the recent years, together with personal data harvesting) but (leaving aside our contractual breach this would cause) why then would you need a VPN? Since the traffic would be monitored anyway, most customers might just decide to let their ISP monitor their traffic, rather than shifting this "duty" to some VPN operating company or entity. Then there's another type of block (block enforced against anything that does not come from IP addresses assigned to residential ISPs - for example BBC follows a similar policy), but that's outside the scope of your complaint, we guess, since to bypass those blocks renting IP addresses assigned to residential ISPs become necessary. This is not impossible, but only in some specific countries, and we will be working on it. Kind regards 4 YLwpLUbcf77U, fishbasketballaries, kutusow and 1 other reacted to this Quote Share this post Link to post
ss11 15 Posted ... Unfortunately, this is a well known common problem when you are using a "shared" IP address. There is no simple solution for the simple fact that you use a resource (IP address) that is used by many others, over which you have no control. The only solution that will work is for the provider (in this case AirVPN) to add a feature to exit with your dedicated IPv4 and IPv6 and maybe make it available for a fee because of course, these resources are not free and not exactly cheap (particularly IPv4). But even then, you have two more problems: (1) you become identifiable via your dedicated exit IPv4 and exit IPv6, maybe your identity will not be known but one adversary can do "likability" attacks between your activities online; (2) you take the above disadvantage with no certain guarantee for the effect - there are blacklists companies and provides that list entire IPv4 subnets (/24) and entire IPv6 subnets (/64) in case more than N individual hosts within that subnet cause some activity that they catalog as "abuse" or "spam" or whatever. Let's say for example that AirVPN will get a /24 (254 usable IPv4 addresses) for a server and assign to users own dedicated IP addresses. You get yours and you keep it clean of any blacklist, but if 100 other users (over which you have no control) trigger abusive behavior, the entire subnet might get blacklisted. Then you paid for this feature for nothing and your provider spent time to code it for nothing. I do have the same problem while using AirVPN, but I understand this is a limitation of the privacy method used at its architecture level, its not the providers' fault and there is nothing they can do about it except keep the service running and maintain a no log / no filter policy. Same (and much worse) problems occur when you are using Tor for example. If you need a dedicated static exit point you could deploy a SSH tunnel / socks5 connection on top of the VPN, however you will face the problem described at (1). Quote Share this post Link to post