n8chavez 1 Posted ...

There's a feature I've inquired about for years. Using a socks5 that connects to a vpn is a way of adding a software safety net for people that are not using eddie; thus cannot restrict or bind to an adapter and do not have access to eddie's network lock. Why AirVPN has been extremely resistant to adding such a feature is beyond me. There's no additional software required for the user. It's not like this is an ssh tunnel, where the connection is not as secure as a vpn itself. It's simply a means of telling applications to connect to the vpn, and only the vpn. That's a game-changer for people like me who use AirVPN on a router and have no software killswitches.

I know a lot of people who won't use AirVPN because it lacks this feature. I understand that. It means we have no killswitch, or means of ensuring that data is only sent through the vpn. This would solve that.
Staff 9968 Posted ...

Hello!

> 21 hours ago, n8chavez said: I know a lot of people who won't use AirVPN because it lacks this feature. I understand that. It means we have no killswitch, or means of ensuring that data is only sent through the vpn. This would solve that.

Effective "Kill switches" are available in Merlin WRT (set Block routed clients if tunnel goes down option to Yes), Tomato and DD-WRT (check Killswitch box). On older OpenWRT versions and other routers supporting OpenVPN or WireGuard you can implement a "kill switch" via specific rules once and for all.

The additional SOCKS proxy connection you mention based on SOCKS proxy available inside the VPN does not solve the leaks hazard. It may prevent leaks only for those applications which are explicitly and manually configured to connect to the proxy inside the VPN. Any other application and especially any system process will not have such protection. It is advisable that you enable a proper method of preventing leaks, which will take just a few seconds and is explicitly implemented in any modern router firmware, instead of this somehow flimsy and partial "solution" which is not and should not be advertised as a general traffic leaks prevention method and which provides a false and therefore dangerous sense of security, as your own message hints to.

Furthermore, Mullvad introduced this complication in order to be able to guarantee that you always appear on the Internet with the same IP address when you connect to the same VPN server and when an app will "proxy" the traffic. That's not necessary in AirVPN where you already and always have the same public IP address when you connect to the same VPN server.

Kind regards
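
Added example, not part of the thread and not taken from any router firmware: a sketch of the kind of "specific rules" a router kill switch consists of, with a small first-match checker that shows a LAN-to-WAN packet is refused under those rules and accepted under a permissive ruleset. The interface names `br-lan`, `eth0` and `tun0`, the function names and the permissive sample ruleset are assumptions made for the illustration.

```shell
# Added example; br-lan / eth0 / tun0 are assumed interface names.
# Print (not apply) FORWARD rules in `iptables -S` syntax: LAN clients may leave
# only via the tunnel. OUTPUT is untouched, so the router can still reach the VPN server.
killswitch_rules() {  # usage: killswitch_rules LAN_IF WAN_IF TUN_IF
    cat <<EOF
-P FORWARD DROP
-A FORWARD -i $3 -o $1 -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A FORWARD -i $1 -o $3 -j ACCEPT
-A FORWARD -i $1 -o $2 -j REJECT
EOF
}

# Constructed sample: a permissive ruleset with no kill switch.
leaky_rules() {
    cat <<EOF
-P FORWARD DROP
-A FORWARD -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A FORWARD -i br-lan -j ACCEPT
EOF
}

# First-match verdict for a NEW packet forwarded from IN_IF to OUT_IF (rules on stdin).
forward_verdict() {  # usage: forward_verdict IN_IF OUT_IF < rules
    in_if="$1"; out_if="$2"; policy=ACCEPT
    while read -r line; do
        set -- $line
        case "$1" in
            -P) policy="$3"; continue ;;
            -A) shift 2 ;;
            *)  continue ;;
        esac
        r_in=""; r_out=""; target=""; state=""
        while [ $# -gt 0 ]; do
            case "$1" in
                -i) r_in="$2"; shift ;;
                -o) r_out="$2"; shift ;;
                -j) target="$2"; shift ;;
                --ctstate) state="$2"; shift ;;
            esac
            shift
        done
        case "$state" in ""|*NEW*) ;; *) continue ;; esac   # NEW packets only
        if [ -n "$r_in" ] && [ "$r_in" != "$in_if" ]; then continue; fi
        if [ -n "$r_out" ] && [ "$r_out" != "$out_if" ]; then continue; fi
        case "$target" in ACCEPT|DROP|REJECT) echo "$target"; return 0 ;; esac
    done
    echo "$policy"
}
```

Each printed line is a valid argument list for `iptables`, and the same checker can be fed the output of `iptables -S FORWARD` from a live router to confirm that no rule lets LAN traffic out of the WAN interface.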
xmartymcflyx 5 Posted ... (edited)

Hello, I just joined with this account to reply that Mullvad's SOCKS5 proxy has an extra feature than the one which was explained here (this is not advertisement, it's just to add some extra information which might be useful).

When you use Mullvad's SOCKS5 proxy, your first connection is to the VPN server of your choice (e.g. a server from Australia) through WireGuard (which means your connection is encrypted), and then your traffic is re-routed through the SOCKS5 proxy. The good thing here, besides the one mentioned of having a static exit IP and the killswitch (if your only concern is one specific app not leaking), is that through WireGuard (doesn't work the same for OpenVPN) you can use it as a multihop to another WireGuard server, since all WireGuard servers are connected in a mesh-like network.

Example: You are using an Australian server through WireGuard, and then you can configure your browser (Brave, for example) to use the socks5 proxy of a Japanese server. That way, your entire connection goes encrypted as usual to Australia, and then only your browser's traffic is re-routed to Japan's SOCKS5 proxy, so your web traffic exits through a Japanese server. If you use a browser like Firefox, there's an extension called Multi-Account container (made by Mozilla), where you can configure each container to use a different socks5 proxy, so you can use the same browser and use multiple containers/tabs which will be using multiple exit nodes from different countries.

This would be a nice to have feature for AirVPN too, which would come with the added pseudo-killswitch-protection mentioned in the first post, because nowadays if we want to see web content from another country we have to change the entire device connection in Eddie.

Sometimes Eddie crashed for me and I have no way to know if my web traffic leaked or not, but if we had the socks5 proxy we (or at least some people) can make sure that web browsers and email clients like Thunderbird will always and only work if we are inside the vpn tunnel.

Kind regards.
Staff 9968 Posted ...

> 1 hour ago, xmartymcflyx said: Sometimes Eddie crashed for me and I have no way to know if my web traffic leaked or not,

Hello!

You can always know for sure that your web traffic and any other traffic did not leak, provided that you enable "Network Lock" option in Eddie. This feature is a set of firewall rules, so even if Eddie crashes you know that no leaks can occur (unless you reset the firewall rules with root privileges, of course).

> Example: You are using an Australian server through WireGuard, and then you can configure your browser (Brave, for example) to use the socks5 proxy of a Japanese server. That way, your entire connection goes encrypted as usual to Australia, and then only your browser's traffic is re-routed to Japan's SOCKS5 proxy, so your web traffic exits through a Japanese server. If you use a browser like Firefox, there's an extension called Multi-Account container (made by Mozilla), where you can configure each container to use a different socks5 proxy, so you can use the same browser and use multiple containers/tabs which will be using multiple exit nodes from different countries.

Yes, it seems comfortable. Actually, you don't even need double hop and a SOCKS proxy to exit on different countries with different containers. You may connect directly each container to a different country server without double-hop and therefore you will have remarkably higher performance on each tunnel and for the whole container, so you are not limited to a single program, and you are not limited to TCP (and not even limited to WireGuard, just in case you need OpenVPN for some blocking or other reason). The limit is 5 concurrent connection slots, which should be anyway enforced to prevent "infinite account sharing" of course. On the other hand, switching proxy directly from inside Firefox is faster if you need only Firefox and the useless double hop performance hit may appear as a fair price to pay.

Currently you can do it in AirVPN but with external proxies, since we have no plans to operate directly SOCKS5 proxies at the moment. The proxy will anyway see only the VPN server exit-IP address and together with end to end encryption you would be fine.

Kind regards
Quallian 26 Posted ...

> 1 hour ago, Staff said: Currently you can do it in AirVPN but with external proxies, since we have no plans to operate directly SOCKS5 proxies at the moment. The proxy will anyway see only the VPN server exit-IP address and together with end to end encryption you would be fine.

I'd do this with the Tor browser, by changing the torrc country code for the exit Tor node. Slightly slower than the solution suggested by @xmartymcflyx but stacking the big bonus to rely on Tor circuits and not on socks proxies around that often stop working. Yeah, anonymity can be weakened when you force Tor exit node countries, yet it's not the point here so why not...