Jump to content
Not connected, Your IP: 18.97.14.91
galbeedee

my review after 1 hour

Recommended Posts

Posted ... (edited)

1/ 10G servers. What is this 2009..? Nearly all your servers should be 10G by now. I can't get more than 400-600Mbit from the least loaded severs.

2/ The WireGuard files names are *horrible*. WireGuard .conf files should conform to linux interface naming specs as best practice is to name the tunnel interface after the .conf file name.
air-{2 digit country code}-{2 or 3 digit region code}{number}.conf  example: air-us-va4.conf DONE

3/ WireGuard conf download should just give me every server config as a zip file. I can pick which one later.

These are all basic table stakes best practices that many competitors(Mullvad, iVPN, etd) have had for years. 

4/ The port forwarding setup is pretty good. Really no complaints there.

Overall I give AirVPN D+ or C- (Honestly if not for port forwarding there would be no reason at all to choose AirVPN over its competitors)
 

Edited ... by galbeedee

Share this post


Link to post

I agree, port forwarding is great and works well. Looking at average internet speeds, not so many people have gigabit class connections and hardware to handle that so I don’t personally see the small number of 10gbps servers as an issue. I appreciate staff is making efforts to improve this. I have a feeling it isn’t any kind of bad will but rather their desire to find proper data centers and tuning for these things. 

True, WireGuard config filenames could be simplified. Manual renaming is sometimes annoying. I know it’s just one step but if life can be made easier a bit then why not. 

Interesting idea with “download all”. Could be useful instead of hunting through that long list of everything in config generator. I might take a stab at this myself. APIs are already there.

I’d kill the compression method choice as that’s also pointless because usually people just grab text config files. They are tiny and compress well with any method. 

Share this post


Link to post
22 hours ago, benfitita said:

I’d kill the compression method choice as that’s also pointless because usually people just grab text config files. They are tiny and compress well with any method. 


I have no opinion on the compression method. Just anything standard. tar.gz whatever...

Another thing about WireGuard that I really should not have overlooked. Config gen, gens the private and public key. This is an enormous no no. Perhaps the number one violation of best practice. Either the customer should hand a pubkey to config gen or, as many due, local script does it without the privkey ever leaving your browser.

I am also unsure what the deal with generating a preshared WireGuard key. I have never seen this done anywhere else. It seems like another divergence from best practice of never passing non-pubkeys.
 
22 hours ago, benfitita said:

I agree, port forwarding is great and works well. Looking at average internet speeds, not so many people have gigabit class connections and hardware to handle that so I don’t personally see the small number of 10gbps servers as an issue. I appreciate staff is making efforts to improve this. I have a feeling it isn’t any kind of bad will but rather their desire to find proper data centers and tuning for these things.


It's not really "a small number". There are *zero* in all of North America. No 10G servers in at least the largest US subsea cable points (NY, Seattle, and LA) is just not meeting par.

Ashburn, VA (AWS East) would also be good as it's some ungodly percent of US web in one place. Also with gobs of express paths to subsea cable systems.

Share this post


Link to post

Please mind your tone. Calls for improvement should be spelled out in a way that compels the responsible party to look at it objectively, prompting an increase in motivation to implement changes. What you just spit out was downright offensive complaining, pushing the responsible dev into a defensive role. I can say for absolutely sure that none of your points will be implemented in some time; and since you make them out as pretty big points (for you, given the rating), AirVPN might not be the best suit for you at this point, simple as that.
 

On 6/22/2023 at 7:17 PM, galbeedee said:

2/ The WireGuard files names are *horrible*. WireGuard .conf files should conform to linux interface naming specs as best practice is to name the tunnel interface after the .conf file name.


I think the motivation was to keep the naming scheme consistent in the config generator with how OpenVPN configs are named, since those don't care about the file name. In any case, for now you can simply rename the files with Bulk Rename Utility on Windows, or mmv or some shell magic on Linux. :)
 
On 6/22/2023 at 7:17 PM, galbeedee said:

3/ WireGuard conf download should just give me every server config as a zip file. I can pick which one later.


That's quite superfluous, seeing as you are choosing the servers in the step before that. If you want them all, tick Advanced, then Reverse selection in the continent, country or servers sections, generate and download all files as an archive of your choice.
 
On 6/22/2023 at 7:17 PM, galbeedee said:

1/ 10G servers. What is this 2009..? Nearly all your servers should be 10G by now. I can't get more than 400-600Mbit from the least loaded severs.


I'll link to some threads talking about max throughput. 400-600 Mbit is quite a good result with OpenVPN. It can be optimized a bit more, but that task falls to you and your environment..

NOT AN AIRVPN TEAM MEMBER. USE TICKETS FOR PROFESSIONAL SUPPORT.

LZ1's New User Guide to AirVPN « Plenty of stuff for advanced users, too!

Want to contact me directly? All relevant methods are on my About me page.

Share this post


Link to post
@galbeedee

Thank you for your review!

We would like to point out some features of our service that you probably missed according to your review, so that you will be able to use them.
 
Quote

Config gen, gens the private and public key. This is an enormous no no. Perhaps the number one violation of best practice. Either the customer should hand a pubkey to config gen or, as many due, local script does it without the privkey ever leaving your browser.


You can use per-session WireGuard key, to overcome the questionable design of WireGuard under this respect (WireGuard does not offer dynamic address management at all). It's not very important that your private key is held by you when WireGuard demands that, server side, each public key is linked in files to the VPN IP address and to the public IP address of the client. Therefore, thanks to our design, you are able to use a one session key if necessary. You can renew your key either through the web site or through the API in order to patch this problem. On our side, we actively remove WireGuard entries to public IP addresses when a session is over. We do not understand the link you claim between the key and your browser, feel free to clarify if you wish so.
 
Quote

2/ The WireGuard files names are *horrible*. WireGuard .conf files should conform to linux interface naming specs as best practice is to name the tunnel interface after the .conf file name.
air-{2 digit country code}-{2 or 3 digit region code}{number}.conf  example: air-us-va4.conf DONE


File names of the generated profiles are very descriptive and they reflect community requirements. Community majority currently prefers descriptive file names and wants that the system is not tweaked to accommodate terrible WireGuard design under this respect (WireGuard wants to name the virtual interface with the file name regardless of the system limits). This is an understandable point of view and we will respect it. We will change according to community suggestions. Far from being "best practice", in our opinion, and in the current opinion of the community, that would be the practice to lower a service standard to meet the terrible design of somebody else, something reminding the old, awful but widespread, practice to develop flawed web sites to circumvent Internet Explorer bugs and accommodate its non-W3C compliant dialect. That said, we can of course add some options to make life more comfortable for anyone who should be wearied by the exhausting effort of renaming a set of files. The QR code anyway is already available for Android and iOS (in the Configuration Generator), so you don't need renaming in mobility, just shoot the code from inside wg.
 
Quote

I am also unsure what the deal with generating a preshared WireGuard key. I have never seen this done anywhere else. It seems like another divergence from best practice


This is a key which is necessary when you want an additional encryption layer, and this is a great WireGuard feature. Useful for example in a post-quantum world, when a decent cryptographic algorithm is found (as the wg core has ciphers hard coded by design). Read the WireGuard documentation for more details. Currently pre-shared keys are implemented because a significant part of the community insisted that we got prepared to beat powerful quantum computers, not because we strongly believe that a post-quantum world is imminent. Relevant considerations on the topic can be found here: https://airvpn.org/forums/topic/45608-quantum-computing-and-encryption/?do=findComment&comment=218988 It is anyway considered best practice by various experts to get prepared. Since you mention Mullvad as your opinion of service operating in accordance with best practices, then be informed that pre-shared keys have been recently implemented by them too.
 
Quote

3/ WireGuard conf download should just give me every server config as a zip file. I can pick which one later.
basic table stakes best practices that many competitorshave had for years.


We offered this option 13 years ago, well before WireGuard or many other VPN companies even existed. Then they were inspired by our CG. You can pick zip, 7zip, tarball, and compressed tarballs (tar.gz, tar.xz, tar.bz2). You can operate either through the API or web site, as you prefer, to generate and download the package(s) containing the profiles. Note that today the button which would let you select all the servers at once is disabled because of work in progress, but it will be re-enabled very soon.
 
Quote


1/ 10G servers. What is this 2009..? Nearly all your servers should be 10G by now. I can't get more than 400-600Mbit from the least loaded severs.


It's a good performance in our infrastructure, but you can improve it (check the top user speed table in the server status page and open a ticket to fine tune WireGuard).

About the infrastructure, in 2009 the industry standard was between 20 and 100 Mbit/s, and we are very careful to offer an excellent balance between price and service quality. Since you mention iVPN as an example to follow, please compare AirVPN prices with theirs. Lupus in fabula, the following message by one of our fans reminds us of the consequences of an unwise investment policy. https://airvpn.org/forums/topic/56425-two-new-1-gbits-servers-available-us/?do=findComment&comment=223857 Remember that AirVPN is the only one offering a rigorous no overselling commitment shown by a transparent and verifiable server monitor, that's why most users enjoy higher throughput than with any competitor, and after all we are pleased to see that you are an unsatisfied customer but with 600 Mbit/s throughput and with some requirements for features that are already available. Criticisms help us improve our service, except when required features are already available, as in that case we can't implement them twice. :D

Kind regards
 

Share this post


Link to post

I believe they refer to a following solution:
1. Before connecting use API to renew your device keys.
2. Fetch appropriate config with API for that device.
3. Connect using the new config.
AFAIK there’s nothing off the shelf to do this. A custom script would be needed. 

Share this post


Link to post
10 hours ago, SurprisedItWorks said:
Quote

You can use per-session WireGuard key

How?  Or is this specific to Eddie (which I do not use)?  I find nothing on the website about this.

EDIT: posted unknowingly together with @benfitita - we confirm that the described procedure is fine.

Hi,

you need to renew the key when you end the current session or you start a new one (but in this latter case you need the consider the caveat below). You can automate the procedure via API, but also remember to update the key or the whole profile for the next session.

You can automate this procedure too. With a caveat: key renewal order through the API is not executed in real-time, it may take several seconds (you can check the status via API, or you can simply renew the key at the end of the session and take care to allow enough time for the next key/profile download and session).

Kind regards
 

Share this post


Link to post
Quote
servers should be 10G by now. I can't get more than 400-600Mbit from the least loaded severs.
... example: air-us-va4.conf DONE
Sorry for inserting my 2 cents into this slot machine, but I really believe you shouldn't be connecting to US servers with your pipe for reasons other than the size and throughput of said pipe. One solution is to clearly separate ISP and VPN traffic based on applications used.

Share this post


Link to post

Join the conversation

You can post now and register later. If you have an account, sign in now to post with your account.
Note: Your post will require moderator approval before it will be visible.

Guest
Reply to this topic...

×   Pasted as rich text.   Paste as plain text instead

  Only 75 emoji are allowed.

×   Your link has been automatically embedded.   Display as a link instead

×   Your previous content has been restored.   Clear editor

×   You cannot paste images directly. Upload or insert images from URL.

Loading...
  • Security Check
    Play CAPTCHA Audio
    Refresh Image

×
×
  • Create New...