Leaderboard

Hello! We're very glad to inform you that a new 10 Gbit/s full duplex server located in Frankfurt, Germany, is available: Ashlesha. The AirVPN client will show automatically the new server; if you use any other OpenVPN or WireGuard client you can generate all the files to access it through our configuration/certificates/key generator (menu "Client Area"->"Config generator"). The server accepts connections on ports 53, 80, 443, 1194, 2018 UDP and TCP for OpenVPN and ports 1637, 47107 and 51820 UDP for WireGuard. Ashlesha supports OpenVPN over SSL and OpenVPN over SSH, TLS 1.3, OpenVPN tls-crypt and WireGuard. Full IPv6 support is included as well. As usual no traffic limits, no logs, no discrimination on protocols and hardened security against various attacks with separate entry and exit-IP addresses. You can check the status as usual in our real time servers monitor . Do not hesitate to contact us for any information or issue. Kind regards & datalove AirVPN Staff

Chicago servers are consistently reaching their 1 Gbps capacity, frequently throttling connections below 10 Mbps! I think there is a need for an upgrade in the region. Chicago/Midwest region would benefit greatly from a 10 Gbps server. I see several 10 Gbps servers were added in other major cities around the US over the past year or two, but so far haven't seen any in the Midwest (US). I've been exclusively using Chicago servers on AirVPN for several years now. I’ve noticed a decline in reliability over the past six months due to increased user demand and lack of bandwidth capacity. Switching between Chicago servers often yields no improvement. I have tried the nearest 10gbit servers in Toronto, New York and Phoenix, but have had pretty poor results. Most likely due to the fact that they are so far away. Even during non peak times it's very rare there is enough available capacity on these 1gbit Chicago servers to saturate my 500mbps fiber home connection. Would love to know if there are any plans in the near future for upgrading servers in this region. I would also like to mention a post I made over a year ago, where I mentioned how I think adding Per City Load balancing functionality would greatly improve the experience in these congested areas. Even right now as I'm writing this, I am struggling to find a Chicago server running at acceptable speeds. See the below screenshots and you can see for yourself: With VPN on Praecipua server: : Without VPN:

Eddie 2.24.6 Desktop Edition released Hello! We're very glad to inform you that a new stable release of Eddie is now available for Linux (various ARM based architectures included, making it compatible with several Raspberry Pi systems), macOS, Windows. Special thanks to all the beta testers, whose invaluable contributions and suggestions in the last months have helped developers fix several bugs and improve the overall stability of the software. Eddie is a free and open source (GPLv3) OpenVPN GUI and CLI by AirVPN with many additional features such as: traffic leaks prevention via packet filtering rules DNS handling optional connections over Tor or a generic proxy customizable events traffic splitting on a destination IP address or host name basis complete and swift integration with AirVPN infrastructure with OpenVPN and WireGuard white and black lists of VPN servers ability to support IPv4, IPv6 and IPv6 over IPv4 What's new in Eddie 2.24.6 WireGuard is the new communication protocol by default, while OpenVPN remains available for any necessity CPU usage optimization update of packaged binaries and libraries new options to customize WireGuard improved management and configuration of bootstrap servers (qualified domain names are now possible too) systemd-resolved (Linux) enhanced compatibility for all working modes improved management of SIGTERM signal several bug fixes Operating and architectural notes Eddie GUI and CLI run with normal user privileges, while a "backend" binary, which communicates to the user interface with authentication, gains root/administrator privileges, with important security safeguards in place: strict parsing is enforced before passing a profile to OpenVPN in order to block insecure OpenVPN directives external system binaries which need superuser privileges (examples: openvpn, iptables, hummingbird) will not be launched if they do not belong to a superuser Eddie events are not run with superuser privileges: instead of trusting blindly user's responsibility and care when dealing with events, the user is required to explicitly operate to run something with high privileges, if strictly necessary Backend binary is written in C++ on all systems (Windows included), making the whole application faster. Settings, certificates and keys of your account stored on your mass storage can optionally be encrypted on all systems either with a Master Password or in a system key-chain if available. Download Eddie 2.24.6 Eddie 2.24.6 can be downloaded here: https://airvpn.org/linux - Linux version (several architectures and various distribution specific packages for easier installation) https://airvpn.org/macos - Mac version https://airvpn.org/windows - Windows version Eddie is free and open source software released under GPLv3. Source code is available on GitHub: https://github.com/AirVPN/Eddie Complete changelog can be found here. Kind regards & datalove AirVPN Staff

I've been a happy customer for a long time now. And I have a long time commitment to AirVPN too, with my plan not expiring for four more years. In the past few months the situation with servers load has gone from bad to worse. It's become noticeable in all applications. P2P above else, where I have a pretty firm idea of what the performance can be. This is my current performance under AirVPN. This is my current performance outside the tunnel. Before the recent influx of new users the situation was far better. Sad state of affairs and I'd like to understand if AirVPN is planning to so something to remedy the situation or if I have to look elsewhere in order to properly use my connection. Thank you. Even though the message might not sound like it, I'm a big fan of AirVPN and of their overall mission.

Hello! We're very glad to inform you that a new 1 Gbit/s full duplex server located in Auckland (NZ) is available: Theemin. The AirVPN client will show automatically the new server. If you use any other OpenVPN or WireGuard client you can generate all the files to access it through our configuration/certificates/key generator (menu "Client Area"->"Config generator"). The server accepts OpenVPN connections on ports 53, 80, 443, 1194, 2018 UDP and TCP, and WireGuard connections on ports 1637, 47107 and 51820. Just like every other Air server, Theemin supports OpenVPN over SSL and OpenVPN over SSH, TLS 1.3, tls-crypt and WireGuard. Full IPv6 support is included as well. As usual no traffic limits, no logs, no discrimination on protocols and hardened security against various attacks with separate entry and exit-IP addresses. You can check the server status as usual in our real time servers monitor: https://airvpn.org/servers/Theemin Do not hesitate to contact us for any information or issue. Kind regards and datalove AirVPN Team

I’d love to see a new 10G server in the Midwest. While it’s not a dealbreaker, it would definitely be a great addition! Edit: One thing I want to point out is that I’ve been testing Mullvad VPN to compare speeds based on server providers. I’ve noticed that certain server providers and may experience poor routing or routing bottlenecks depending on your ISP. For example, the new New York servers on Tzulo (used by both AirVPN and Mullvad) give me terrible results—decent latency but typically only around 40 Mbps symmetrical. Meanwhile, servers from Datapacket and M247 consistently provide over symmetrical gigabit speeds on WireGuard. I think Mullvad's approach of using multiple providers in some cities is a good idea, as it gives users the flexibility to choose servers with the best routing or latency. I don’t know for certain, but AirVPN may have their reasons (costs, contracts, security) for not choosing certain providers, and that’s completely fine. However, I think this is something they could consider if its in the realm of possibility.

Hello! Good news. A new server in New Zealand was ordered early on January and it has just been connected. We are going to configure it in the next business day, and if everything goes well it will be available a few days later. Kind regards

id rather them dedicate that time to finalizing/ continuing to work with openvpn DCO

Hello! It could. The current decision is that next [EDIT: now current 2.24.6] Eddie Desktop edition version will print "Taiwan, Republic of China", by breaking ISO compliance and at the same time not leaving any doubt to PRC propaganda brainwashed people. This definition should be strong enough to satisfy everyone except mainland China and supporters of standards, of course. Kind regards

Hello! A new 10 Gbit/s (full duplex) server is now available in Germany. Kind regards

@tranquivox69 Hello! We will investigate the issue you reported and we confirm that the expansion of the infrastructure proceeds exactly at the required pace as usual. We have recently completed in the USA the switch to all 10 Gbit/s dedicated lines in every strategic area and expansion in Europe has been remarkable in the last 2 years. Even Oceania and Asia have all seen remarkable expansions in the last 2 years. We do not have doubts that your experience worsened and that will be a matter of investigation of course, but please note that saying "too many clients same bandwidth" is unfair. In April 2022, we provided in Europe 175000 Mbit/s, with a real required throughput of 37000 Mbit/s. The average connected clients at any given time were 8000-8500: https://web.archive.org/web/20220317052230/https://airvpn.org/status/ Today, we provide 446000 Mbit/s to about 18000 clients connected to Europe servers at any given time: https://airvpn.org/status with a real / required throughput of 190000 Mbit/s. So, in 2022 the average real provided throughput was 4.6 Mbit/s per connection, while today it is 10.6 Mbit/s. Even the required throughput top peaks of users sky rocketed. In 2022 they were around 400 Mbit/s, today between 800 Mbit/s and 2 Gbit/s. All of the above not to say that we will be slowing the infrastructure expansion, but just to reassure you that the expansion has continued and is continuing at a fast pace according to needs. If any country is unbalanced within Europe we will of course fix the situation. Kind regards

For me, it's usually a balance of ping and speed, but general stability as well, because I play games from time to time. So, I prefer Estonian server, or Norwegian servers when they are not loaded more than 75%. These locations have the least ping and good speed delivery for my location. (Latvia has even lower ping, but I seem to lag from time to time when I'm playing a shooter, so I don't usually use them, and Swedish servers don't seem to fit my needs)

Agree! Support Taiwan on political is vital!

Baseline, without any tunnels: All tests were done with Wireguard and 1400 MTU. 10 Gb/s servers in Netherlands: Menkent, 18% load, 213 users: Piautos, 25% load, 198 users: Dalim, 20% load, 245 users: Other EU servers: Switzerland, 10 Gb/s, Alpherg - 21% load, 287 users: Norway, 1 Gb/s, Ophiuchus, 77% load, 103 users: Estonia, 1 Gb/s (or is it more?), Alruba, 82% load, 79 users: Download speeds seem to be mostly okay-ish on all servers, but something is up with the upload speed. Not sure what causes it to drop significantly. Will say that we definitely need more 10 Gb/s servers. I think you should try using servers in other EU countries as well. Server in Estonia is interesting, because it seems to always give me good download speed, even when it's loaded to 100%. Old screenshot from it:

Version 2.24.6 (Wed, 08 Jan 2025 16:23:32 +0000) [change] [all] ISO 3166 break, changing "Taiwan, Province of China" into "Taiwan, Republic of China" [change] [all] New bootstrap endpoint [bugfix] [all] Bootstrap emergency urls fix [bugfix] [macOS] WireGuard issue [bugfix] [all] Minor fixes If no other serious issues arise, this version will be released as stable within a few days. The remaining minor issues (IP Exit, Speed Chart, etc.) are under investigation and will be fixed in the next version. Thank you.

Thanks for the new server! Speeds are very good, about as much as I can get from my ISP.

When using 2.24.6 with Win7 32bit (for reasons) I get an "unable to obtain elevated privileges" and can go no further. No problems with 2.21.8. 2.24.6 working flawlessly on Win10 machines.

Hello! An unexpected problem related to IPMI is causing a delay but we're working with the datacenter to resolve it as expeditiously as possible. Kind regards

Hello! The quoted log entry shows that core problem. Debian 12 is based on nftables. Can you please check which of the following userspace utilities you have in your system: nft, iptables-legacy, iptables-nft, and any other iptables* ? Kind regards

I'm having similar issues. I was able to make Eddie usable by reducing my screen resolution, but it's still glitchy. System details: Screen recording of behavior: Screencast_from_2025-01-21_10-38-42.webm

Windows 8.1 Seems to work perfectly for now. Thanks to the team and keep going the work. AirVPN for ever 🏆

Hello, I can confirm via Eddie and Community Fibre I can connect to all of the above servers. Also just did a quick test of the some of the servers @tycoon21 couldn't connect to and had the same result. The dutch servers are working ok via pfSense which I have been running since on openVPN.

Hello. It's works without problem on Linux Mint 20.1 Ulyssa. Thanks for upgrade!

I also wanted to do as user shortfacedbear planned. I also used the wire sock instructions that were in the forums somewhere. It works temporarily, but I have encountered nothing but troubles and instability in trying to use wire sock and wire sock UI. Huge packet loss, massive latency, and a replicable issue that i cannot solve. It will often connect quickly through the wiresock tunnel, qbit will blast at 30mbps for maybe a few minutes at the very best and then speeds crater to the ground, ping climbs to the thousands, and pocket loss goes upwards of 40% and my supposedly untunneled connection gets heavily affected to basically being useless and not loading anything. I have sought out anwers from support with no reply, several other hobby forums where no one can solve the issue and frankly i am tired. I just want qbit to be the only thing going to the tunnel and this shouldnt be as difficult as it has been. Please for the love of god, what amount of money do i have to pay for you guys to add this feature already. It is quite litterally the only feature airvpn lacks to make it hands down no competition the best vpn out there. This issue i stated was replicable no matter what server i was on and what config i changed with airvpns config generator. It simply doesnt work

Yes, everything is working well. I want to have the webGUI on 8082 internally, forwarded to 27586 by airvpn. I don't plan to have this enabled all the time, but there are times when I can't access my internal network and it would be easier to flip a switch and access remotely with Transdroid. I think you've nailed it with the devices issue. On my previous server using rtorrent/rutorrent over Eddie (not running docker), I think because the device was connected all the time, it was considered "default", so it always worked. I've now given that device a specific name and used those keys in the compose file. Now that server appears as "device2" in the sessions list and the port is now showing as open. However, I'm getting an "unauthorized" message when I connect.

Hello! Yes, it is related to OpenSSL library (1.1 is now deprecated and perhaps not available anymore in Mint). Please upgrade to Eddie 2.24.6 and also upgrade your OpenVPN package in your Mint distribution: https://airvpn.org/forums/topic/57401-eddie-desktop-224-beta-released/ Kind regards

Some differences between yours and mine are: I also use Wireguard and I have "- WIREGUARD_PUBLIC_KEY=[redacted]" and you don't; I don't have any volumes set up, everything in the docker compose; You aren't specifying the latest image, consider using "qmcgaw/gluetun:latest"; I do not use CIDR notation for the "WIREGUARD_ADDRESSES" and you do, consider trying it without the "/32"; Are you sure your forwarded port is in AirVPN's pool #1? For P2P it has to be. For qBittorrent: again use the latest: "lscr.io/linuxserver/qbittorrent:latest" consider adding the following for robustness: "depends_on: gluetun: condition: service_healthy restart: true" You don't have "TORRENTING_PORT=[your pool #1 port number]"; Its usually best to have these in the same stack, not separate containers. Keep trying, it DOES work.

Okay, I've found a solution (just asked ChatGPT lol) Here's the diagnosis for anybody else that's having the same problems: NOTE: THE FIRST SOLUTION WORKED FINE FOR ME It suggested multiple solutions, and I just used the first, but I'll put em all here anyway: (I've replaced all addresses with 192.168.0.1) If none of the above work, here were the advanced diagnostic steps it suggested:

Hello! It looks like an architecture error. Can you please check whether you have installed the correct package? Please make sure you download the proper package for your OpenSUSE architecture (x86-64, aarch64 etc.). Kind regards

Hello! Area domain names records are updated every 2-5 minutes but remember that TTL is 1 hour, so you can expect that a TTL respectful DNS updates cached records on average after 30 minutes. On our authoritative servers, us3.vpn.airdns.org did not resolve to Sarin entry-IP address 3 immediately after the packet loss was detected by the monitoring system. We're investigating the problem on Sarin. Kind regards

Am I right in understanding that Eddie uses the "score" value from the Servers tab, in order to pick the server to connect to? On what basis is this score calculated? Because I see servers with over 60% load being ranked higher than servers with 20% load and lower latency. Like right now, in front of me. And it doesn't make much sense to me. Could you explain? Thanks. Edit: a search for "score" brought me to this topic: But the link provided is not working (probably too old or something). I'm also seeing some servers not having a score (all five stars are white/empty), even though they have good latency and low load. Using Eddie 2.21.8 on Linux Mint 22.

Hello! Microsoft has confirmed that the April 2024 security updates (KB5036893 in particular) for Windows 11, Windows 10 and Windows Server have introduced bugs that cause various problems related to VPN (all protocols, including the pre-installed IPsec). A reported problem is that multiple VPN interfaces appear on affected systems as they accumulate at each session. The bugs should have been fixed with the latest updates: can you please make sure that your Windows system is up to date, just in case the problem is caused by the mentioned update? Kind regards

One more tip from my experience: AmneziaWG with AirVPN worked great until about two months ago when I started noticing degradation in website responsiveness, especially for the first connect to any domain, while the download speeds remained great. About a week ago the browsing experience became so bad (TLS handshakes started to timeout), so I had to look into this problem. I quickly found out that the problem was caused by slow DNS response when it was done through AirVPN's native DNS server and only when using IPv4. I don't know where this problem comes from exactly, but the solution was to install dnsproxy (which is smaller and easier to setup than dnscrypt-proxy) and set it up to use the 3rd party DNSCrypt servers. The problem is not present with WG Tunnel for Android, I presume because it uses IPv6. I plan to try to set up IPv6 on my home PC as well but my ISP provides only IPv4, so I'll probably have to use some IPv6-to-IPv4 tunnel.

Hello I would like to give my personal recommendations to help with network censorship in Russia. I may not have time to write a authoritative, proper guide, but wanted to share this. Everything "clicked" once I read a comment how the DPI works to determine a new connection. Preface IP and subnet blocks came first. They completely blackhole all traffic to blocked IP addresses. The only thing you can try is IPv6 in place of IPv4. Some Air servers are blocked by IP. The Deep Packet Inspection (DPI) is a required installation for residential ISPs and (as of late) industrial networks like data centers. It works to dynamically block known protocol traffic, anything "forbidden" that's not yet in IP blocklists from above. This system was put in law many years ago. Nevertheless, the networks across the country are at various stages of rollout and their capabilities will differ. Real example: residential ISP did not block OpenVPN->Air, yet the mobile carrier did. Yet in 2024 the residential ISP upgraded their DPI system and started blocking OpenVPN too. Common methods of circumvention Mangle traffic locally to fool the DPI systems. It will allow you to connect to servers not blocked by IP (TLS SNI name detection). Proxy/VPN server: A prerequisite is an outside server, it must not have been blocked by IP. If it's a private server and OpenVPN or Wireguard work - you're lucky. However be prepared to still get blocked by DPI any day for using a VPN protocol. There are many proxy tools, especially developed to combat the Great Firewall of China. They don't run directly on Air, so this is something for self-hosting or other services to provide. We're talking about Air, so let's get that VPN working. Everything below requires you to find a reachable Air server (no direct IP blocks). The configuration server used by Eddie is IP blocked, so it won't work at all. I suggest you to generate all server configs in advance and see which are reachable from Russian networks. Airvpn.org seems to be reachable though. OpenVPN over SSH to Air It is possible to set this up on mobile, however the connection is reset after 10-30 seconds due to a lot of traffic being pushed. I used ConnectBot and it didn't restart the SSH connection properly, anyhow OpenVPN and ConnectBot had to be reconnected manually each time --> unusable. Since both apps are easily downloadable from app stores/F-Droid, this can be enough to generate and download configs from AirVPN's website in a dire situation. This connection type works like this: SSH connects to Air server, forwards a local port -> Air (internal_ip:internal_port) OpenVPN connects to local_ip:local_port and SSH sends the packets to Air's OpenVPN endpoint inside this tunnel Once the connection is established, it works like a regular OpenVPN on your system OpenVPN over stunnel to Air I haven't tried, desktop only? OpenVPN (TCP) over Tor to Air While connecting to Tor will be another adventure, do you really need a VPN if you get Tor working for browsing? If yes, I suppose it could work. I haven't tried. OpenVPN (TCP) to Air May start working after hours on Android, if the connection was established initially. Until then you'll see a lot of outgoing traffic but almost zero incoming traffic (NOT ZERO though!) It is unclear to me whether this is because Android keeps reconnecting after sleeping or sometimes it pushes so little traffic over the established connection that DPI forgets or clears the block for this connection only. OpenVPN (UDP) to Air Doesn't work. Wireguard to Air Doesn't work, it's always UDP and very easily detected. AmneziaWG client to connect to standard Wireguard Air servers This worked for me almost flawlessly. The trick of AmneziaWG is to send random trash packets before starting the connection sequence. This is what the new parameters are and some of them are compatible with standard Wireguard servers. The DPI only checks traffic within the initial traffic size window of the connection. If it doesn't find VPN connection signatures (and it doesn't due to random data) then it whitelists the connection. Wireguard then sends its connection packets and connects to Air. Full speed ahead, no throttling. The VPN connection works! What's the catch? The AmneziaWG packet configuration must be right. This worked for me across all networks I encountered: MTU: 1320 (safe value, higher MTU will give better bandwidth, if it works at all and doesn't begin to fragment packets) Junk Packet count (Jc): 31 Junk Packet minimum size (Jmin): 20 Junk Packet maximum size (Jmax): 40 Init packet junk size (S1): none (afaik only with AmneziaWG server; delete from config or try to set 0) Response packet junk size (S2): none (afaik only with AmneziaWG server; delete from config or try to set 0) Magic header settings changeable afaik only with AmneziaWG server: Init packet magic header (H1): 1 Response packet magic header (H2): 2 Underload packet magic header (H3): 3 Transport packet magic header (H4): 4 And how would you know what numbers to set? This single insight: This means flooding small random UDP packets at the beginning is the winning strategy. That's how I optimized someone's config from "sometimes it works, sometimes it doesn't" to "works 100% of the time, everywhere". You actually don't want to blast big packets and be blocked because of it. Smaller random packets are good for mobile traffic too. How would you setup AmneziaWG to connect to Air (Android)? Generate and download AirVPN Wireguard configs, for each individual server, try different entry IPs too. DO NOT USE THE DEFAULT (OFFICIAL) WIREGUARD PORT. We don't want long-term logging to highlight the working servers for the next round of IP blocks. Download AmneziaWG VPN client (the Android edition is actually a fork of the official Wireguard app): amnezia.org or https:// storage.googleapis .com/kldscp/amnezia.org or https://github.com/amnezia-vpn/amnezia-client/releases/ Import Air's configs in the app Apply "Junk Packet" settings from above Try to connect Try different entry IPs and servers if the connection doesn't work. See if the server IP is completely blocked either with: ping "<entry IP>" nc -zv -w 10 "<entry IP>" "<port 80 or 2018 for OpenVPN TCP>" This is GNU netcat Keep in mind: on Android the safest way to avoid any traffic leaks is to go to system settings, Connection & sharing > VPN, or search for "VPN", click on (i) for advanced settings, Enable: "Stay Connected to VPN" & "Block All Connections not Using VPN". If you ever disconnect from VPN by using Android's system notification, you'll need to re-enable these settings. If you switch between VPN apps (like Eddie -> AmneziaWG), I suggest to make sure these settings are always enabled like this: Turn off Wi-Fi (or mobile data) For previous VPN app disable: "Stay Connected to VPN" & "Block All Connections not Using VPN" For next VPN app enable: "Stay Connected to VPN" & "Block All Connections not Using VPN" Turn on Wi-Fi / connect using next VPN app Thanks for reading. Big politicians are not your friends, stay strong and propagate what you truly believe in.

Any plans for 10Gbit servers in the UK @Staff? Thanks

Hello and thank you very much! Not really substantiated arguments, only the generic fear that the support team could be overwhelmed by tickets. In reality, we are already working to migrate toward an easier and even more scalable solution with pools supporting all the protocols and not requiring anymore specific choices by the users. Exactly. The system we're working on aims at getting rid of this relevant problem by dividing users into unique pools and exit-IP addresses, so they will not have to face multiple pools (where pool 1 is "superior" to the other pools) and multiple exit-IP addresses. We see this future new system as a better solution because it will not force choices on pools and IP addresses, and it will be scalable for real: when a pool is close to exhaustion we can just add a new pool and reserve it to future new users. Stay tuned. Kind regards

I have been using AirVPN for years now and Reddit is logged in all the time. Your problem is definitely not related with vpn. The only problem is you have to be logged in to Reddit to use it. Otherwise vpn IPs are blocked and you can navigate in Reddit. So try to login with you credentials to Reddit.

My refund request was accepted, they said that within 5 days I will receive a refund of the amount in my account, 6 days have passed and I have not received anything...

In one previous thread long time ago I ended up using basic Windows Firewall to only allow internet access to VPN and block everything else. The problem with this approach was that Windows will detect attempts to restrict it and will disable or create new firewall rules to circumvent any user made restrictions. Solution to this I have found to be Windows Firewall Control by Binisoft/MalwareBytes which is like an advanced frontend to Windows Firewall. Don't try this if you don't know what you are doing. The end result is a Windows which can only connect online by a VPN. (Of course you can make exception rules or disable the whole firewall if needed :)) The main purpose of this is securing Windows with a tinfoil hat attitude and preventing leaks. I also recommend using a router to only allow access to whitelisted VPN IPs for your workstations. Use case scenario here is that your Home network is your own trusted local network and not a public Wifi or similar, as setting your network to Private profile makes the PC discoverable. Although this might be countered with settings, like disabling sharing etc, and firewall rules if needed but it's not for this guide. (I think countering this could be as easy as changing WFC Private Inbound rules from Allow to Block) The logic is to constrict access to Home/Private location so that only Eddie is allowed to connect to outer internet through Private network. Basic network and firewall settings So I've set my Home network as a Private network profile and Eddie as a Public network profile, really important step. Easiest way to see them both is Network and Sharing Center in Control Panel. Home network's profile can be changed in Windows 11 Settings -> Network & internet -> Properties. Both of them can be changed with Group policy gpedit.msc -> Computer Configuration -> Windows Settings -> Security Setting -> Network List Manager Policies -> Eddie / Network -> Properties -> Network Location There is also an option there for "User cannot change location" which I have set for both networks just in case after setting the correct locations. Other ways to change the network location are with PowerShell, Registry Editor or Local Security Policy https://www.elevenforum.com/t/change-network-location-to-private-public-or-domain-in-windows-11.955/ In Windows Defender Firewall with Advanced Security -> Windows Defender Firewall Properties I've blocked Inbound and Outbound connections that do not match a firewall rule for both Private and Public Profiles (and Domain but I don't use it). Also an important step. A less strict version would Allow Outbound in Public Profile as is the default. You would then not need separate outbound rules for each program for Public network, and the most crucial thing would still remain which is limiting the access to Private. I don't use this myself so I cannot guarantee anything, I like restricting applications' access to the internet 🤭 Windows Firewall Control Now to Windows Firewall Control. When first installing it, I believe it will offer to make a backup of your firewall rules which is recommended, it will then create it's own set of firewall rules which are needed for basic internet and these can be used to replace Windows' default rules. In WFC settings Rules I have UNCHECKED "Private" so that new firewall rules are not applied for the Private location. (You can also uncheck Domain if needed or not used). If you already made new rules with WFC before unchecking this you can either delete them or uncheck Private location from them rule by rule. In WFC settings Security I have checked "Secure Profile", which protects the firewall from external tampering (by even Windows itself I believe). And checked "Secure Rules" so that unauthorized rules are Deleted (even rules made by Windows). In the authorized group I have made "MyRules" group but it's not mandatory per se as you can also set your own rules in the already authorized "Windows Firewall Control" group. BUT BE WARNED, after this all of your old firewall rules will be deleted. So if you have really important rules go and change their group to an authorized one like "MyRules". For regular application rules this is not recommended as new secure rules will be created. Also if you have old firewall Allow rules you want to preserve it's good idea to uncheck Private location from them if they are not needed in LAN. I also have "Secure Boot" enabled and will change the profile to Medium Filtering from the tray icon on boot after Eddie has launched with network lock on. It's just a safety measure. Eddie Next step is to make rules for Eddie. You can either have one rule for "eddie-ui.exe" in which you allow it for Private and Public without any IP restrictions. Or to be more secure you can make two rules (even three rules after a recent version update!), where you limit the connection in Private only for the Airvpn Bootstrap and Server IP's (you can find the IPs in the firewall log). You can also set your local IP address, protocols, ports, interface to have more restrictions. Then make a duplicate rule for eddie-ui.exe with location Public. I have not made any IP restrictions for this as it's only for Public connections. Edit: After a recent update of Eddie, eddie-ui.exe not only connects to the Bootstrap servers via Private, like it previously did, but also makes a connection to the VPN servers on port 89 through Private (maybe some bootstrap backup as the changelog mentions some changes relating to that). So if and when making separate rules for eddie-ui.exe in location Private, also add the VPN server IPs as allowed Remote addresses. If port limitations are not in place this is all that needs to be done, otherwise additionally add port 89 to allowed Remote ports or have a completely separate rule for the server IPs on port 89 for eddie-ui.exe. The server IPs for this new connection seem to be identical to which eddie-cli-elevated.exe connects to, so they can be just copied over. And you can always check the WFC log if anything is getting blocked that should not be, as we can see updates might change things. Lastly "eddie-cli-elevated.exe" needs a similar rule, it's the process that connects to the VPN servers so you can limit it to apply only for the remote IPs of the servers you use if you want. But the location must be set to Private, there is no need for a Public rule. (If you sometimes have to use like a public wifi so that both of the networks, Wifi and Eddie, are Public profiles, you could make a duplicate of this rule and set the location to Public to not block Eddie from making connections. Of course all the leakproofing made by these firewall rules are moot in a situation like that and it's all on Eddie's Network lock then. But once you are back on your Home network the rules would still work). A strict version of rules for Eddie with port and protocol limitations. The IPs of the VPN servers of course vary based on which servers are used. The two topmost rules can be combined into one with no Remote port restrictions or with ports 80,89. But Bootstrap servers do not use port 89 and vise versa (at the time of writing). The least strict version would only have one rule for eddie-ui.exe allowing access to Private and Public without any limitations. Notes and important fine tuning These were the basic steps, the way I did it was I removed all the old and default firewall rules (but had made a backup!) and only kept the ones WFC creates at the start. Then made all new rules for my applications with WFC on Medium filtering and notifications on. All new rules will be created only for Public (and Domain if checked) locations, as per settings, so programs wont "leak" to your Private network. One important modification that needs to be done is for the default rules which WFC creates as they are too permissive in this case. They allow Windows components etc. in Private location, so Windows can still phone home. So go through the rules and uncheck Private for all that you dare. I have only left few WFC rules the access to Private and those are the ones that have "LocalSubnet" as their Remote address, and they are not allowed in Public. The rules are for File and Printer sharing and Network Discovery, picture related. And if you did preserve or import any of your old Allow rules I advise going through them the same way. The only WFC rules I have allowed to access Private. For the rest of the WFC rules Private has has been unchecked. DHCP If you have not set a manual static IP for your home network, DHCP is then needed in Private to have basic connectivity. WFC has it's own rule "WFC - Core Networking - Dynamic Host Configuration Protocol (DHCP-Out)" which can be edited, or a new rule can be created from the WFC log of Blocked connections. The rule is not needed when a static IP is in place which I always prefer. Extra settings Of course some applications have to be allowed in Private as you might have LAN or similar needs. You can always create separate rules in which you allow access for a program only to Private and limit it to Local / Remote IPs. For example a separate rule for "firefox.exe" in location Private but only "192.168.1.1" as it's Remote address and "80,443" as Remote ports to access your router's admin panel. Or to allow ping on LAN: inbound and outbound rules for "System" in Private but only on addresses "192.168.1.0/255.255.255.0" and protocol as ICMPv4. (You can duplicate the existing WFC ping rules and make the changes). Sometimes you might need an external application to create firewall rules (like with some privacy tools). You can then temporarily set the Secure Rules to "Disable unauthorized rules". Then create the rules in the external program, find the new disabled rules in WFC, set them in an authorized group, enable them and restore the Secure Rules as it was. Just be careful not to create unneeded allow rules in Private this way. In WFC Notifications settings you can block notifications for the certain programs which will repeatedly prompt you as the rules block them. For example eddie-ui.exe might prompt you every time you re/disconnect as it fails to connect online for awhile, so the exe can be added to the "Notifications exceptions list" after you have made all the necessary rules for it. But before adding anything to Notification exclusion list check in the notification prompt that the path of the exe has not changed, because for some programs the version number of the application is included in it's installation path, so they will require a new rule each time the version changes. There is no way to make a wildcard for paths in rules and you don't want to accidentally end up blocking things you didn't mean to. For example every time I use Windows Store, which I never really do, WFC will prompt for a new rule because the path is different than last time eg. "C:\program files\windowsapps\microsoft.windowsstore_22410.1401.2.0_x64__8wekyb3d8bbwe\winstore.app.exe" The exceptions can be for the full path or only for the name of the process. You can also disable the notifications for Windows Firewall so they wont bother you, as WFC has it's own notifications. qBittorrent causes these firewall prompts for me sometimes even when I've set it only use the Eddie interface. First you have to temporarily disable Secure Profile in WFC's Security settings. Then head to either Windows Settings or Control Panel to disable the notifications. After that enable Secure Profile once again in WFC. Windows Settings > Firewall & network protection > Firewall notification settings > Manage notifications > Notify me when Microsoft Defender Firewall blocks a new app > Off Control Panel\All Control Panel Items\Windows Defender Firewall > Change notification settings -> "Notify me when Microsoft Defender Firewall blocks a new app" Uncheck for all profiles As a safety measure when updating WFC, disconnect internet before running the setup. DNS One last thing you might want to do is setting your physical network adapter's DNS server to be the static IP of AirVPNs internal DNS 10.128.0.1. Doing this will make DNS requests fail when not connected to AirVPN even when the firewall is disabled, which in this user case is a good thing. It will also prevent your ISP DNS from potentially showing up. The IP must be set when Eddie is not connected and it is for the physical adapter not for the adapter Eddie. Windows 11 Settings -> Network & internet -> Ethernet (or wifi) -> Properties or Control Panel\Network and Internet\Network Connections\Ethernet (or Wifi) -> Properties -> Internet Protocol Version 4 > Properties For IPv6 the similar address is fd7d:76ee:e68f:a993::1 Circumventing the restrictions Sometimes you might have to use your real non-VPN IP on the same machine, but it would be unwise to disable the firewall or to make any unsafe changes. Circumventing the restrictions can be achieved with a virtual machine instead. Virtualbox by default will use NAT-mode for the virtual machine's network adapter in which the VM will use the same connection as the host, but changing this to Bridged Adapter mode for the VM makes the VM use the physical network adapter of the PC and get it's own LAN IP from the router. As simple as that, no need for any advanced firewall rules, everything you do in the VM will use your real IP when attached to Bridged Adapter. I usually prefer some light basic Linux distro like Xubuntu for stuff like this. If you instead need to use your real IP on the Windows host machine itself without allowing Windows system to use the IP, one way it can be done is by ssh LAN proxy. (But this is also riskier approach as it may leave traces of your real IP on Windows compared to keeping everything inside a VM). Let's say the LAN IP for the Bridged Adapter mode VM is 192.168.1.10. First install openssh if needed on the VM, then run on the Linux terminal (it can be any open port, I just typed something): ssh -N -D 192.168.1.10:3473 localhost Now there is a SOCKS5 proxy running on LAN. You could then for example have a completely separate browser (in a permanent private browsing mode) on the Windows host machine and have it use SOCKS5 proxy on 192.168.1.10:3473 in it's settings, the browser would then use your real naked IP from the VM for everything. Or use an add-on like FoxyProxy for Firefox which lets you make site-based rules for proxies. So you could have a rule for "BankingSiteWhichBlocksVPNs.com" to use the proxy for only that specific website. In these cases there would have to be a firewall rule in WFC because the browser is now accessing Private network. It would be an outbound rule for firefox.exe in location Private with 192.168.1.10 as the remote address and 3473 as the remote port.

AirVPN has always been as more customizable and advanced in features than other providers. AirVPN seams to target normal / average users that require simplicity (Eddie) as well as power users that want to generate and tune their own configuration files. Of coruse Wireguard is faster and eats less resources but OpenVPN has some features, for them I hope and think AirVPN will not drop support: - OpenVPN can run in TCP mode and can be used with http/https proxies, socks4/socks5 proxies (these support UDP too) - OpenVPN can emulate HTTP(s) traffic and thus run behind corporate office firewalls or more restrictive firewalls. Other than this Wireguard is faster, easier to deploy and set-up but is UDP only. Aslo, there are set-ups that work on OpenVPN (even without its TCP functionality) that will take a lot of time to migrate to wireguard. And OpenVPN is actively and well maintained, I don't see a direct awesome reason to drop support for it. just my regular user humble opinion.

Are there any plans to implement proper IP-based load balancing on a per city/data-center basis? Gives a single point of contact on a per-location basis in a way that automatically factors out down servers For physically large countries like US, Canada, DNS-based load balancing by country is far from ideal Better supports home-router connections for whole-home connections to the closest location (and which can't easily fail over if one location's server is down) Supports advanced configurations like policy-based-routing (which need IP addresses) seamlessly Almost any data center will support IP load balancing at the router level, letting you have as many servers as you want behind a single input IP.

Thanks for the fast reply! I will look into it. EDIT: For future readers: the link above was exactly my problem. I fixed by delaying the health check to 2 minutes. Apparently this is used for OpenVPN only anyway. Since I use Wireguard it doesn't matter. I added the following line to the environment in the gluetun docker-compose. 12 hours it's still running perfectly. HEALTH_VPN_DURATION_INITIAL=120s

From northern Europe the performance is so similar to SG servers, not bad. Wouldn't that be caving in to PRC's narrative? REPUBLIC OF CHINA is written on Taiwan's citizen's passports and on the official government website https://www.taiwan.gov.tw/ . It is the official name freely chosen by Taiwan citizens and democratically elected government. Though I'm afraid that the ambiguity mentioned by Wikipedia is nowadays instrumental to PRC and its omnipresent propaganda. BTW kudos to AirVPN for operating a server in Taiwan and for including Taiwan as a country in the server list, every small action counts. How strange that a self proclaimed PRC critic shares PRC propaganda and doesn't admit ROC existence, while acting as an indignant Taiwan defender. Unless you're an undercover Beijing tramp?

Hello! It's ISO 3166 used by Eddie. Kind regards

Disappointed this is called "province of China" in Eddie, hope this is an oversight.

I guess I should document the process for those who don't know how to do it. I run a DE so I want to launch the eddie gui on startup for my user rather than cli. 1. As the wanted user, create a file ~/.config/systemd/user/eddie-ui.service 2.Configure as needed but I did [Unit] Description=eddie-ui user service [Service] ExecStart=eddie-ui Restart=always RestartSec=10s TimeoutStopSec=10 [Install] WantedBy=default.target As is there's a bug where when sigterm is sent it will timeout after the default 90 seconds and the process gets sent sigkill to kill it so you might want to reconfigure that so you don't have to wait as I did. I'm not sure the best way to work around that but I found that waiting 10 seconds is enough for eddie to close connections and past that it sits there doing nothing before getting killed by sigkill so I expedited it. You have to let it send sigterm first, if you switch it to sigkill, openvpn gets stuck open. 3. systemctl --user enable eddie-ui.service 4. systemctl --user start eddie-ui.service If you want to configure the service for all users, use the --global option. so systemctl --user --global then enable disable start stop etc. Also, your DE probably has an easy way to autostart applications or run commands for you but I switch DEs and WMs constantly and remove and install new ones so this is easier for me to set once and never again.

wow ok thanks for confirming my fears. how the hell did we get here... this bill needs to die.

Let's talk code. public int Score() { lock (Warnings) { if (HasWarningsErrors()) return 99998; else if (Warnings.Count > 0) return 99997; else if (Ping == -1) return 99995; else { string scoreType = Engine.Instance.Options.GetLower("servers.scoretype"); double x = Users; double x2 = UsersPerc(); double PenalityB = Penality * Convert.ToDouble(Provider.GetKeyValue("penality_factor", "1000")); double PingB = Ping * Convert.ToDouble(Provider.GetKeyValue("ping_factor", "1")); double LoadB = LoadPerc() * Convert.ToDouble(Provider.GetKeyValue("load_factor", "1")); double UsersB = UsersPerc() * Convert.ToDouble(Provider.GetKeyValue("users_factor", "1")); double ScoreB = ScoreBase; if (scoreType == "speed") { ScoreB = ScoreB / Convert.ToDouble(Provider.GetKeyValue("speed_factor", "1")); LoadB = LoadB / Convert.ToDouble(Provider.GetKeyValue("speed_load_factor", "1")); // 2.18.7 UsersB = UsersB / Convert.ToDouble(Provider.GetKeyValue("speed_users_factor", "1")); // 2.18.7 } else if (scoreType == "latency") { ScoreB = ScoreB / Convert.ToDouble(Provider.GetKeyValue("latency_factor", "500")); LoadB = LoadB / Convert.ToDouble(Provider.GetKeyValue("latency_load_factor", "10")); // 2.18.7 UsersB = UsersB / Convert.ToDouble(Provider.GetKeyValue("latency_users_factor", "10")); // 2.18.7 } return Conversions.ToInt32(PenalityB + PingB + LoadB + ScoreB + UsersB); } } } The score is the sum of multiple values multiplied by different factors: "Penality" (penalty?), ping, load percentage, users percentage and a "ScoreBase". The factors are 1000, 1, 1, 1 and 1 initially. It makes sense that for each server the raw values are taken from some other location in the code base: Ping from the results of ping, Load and Users from the current server status values. "Penality" is a little unclear to me. If there is a note on a server like "Line problems" or "High packet loss", the value is set to an astronomically high value, here 99998 for errors, 99997 for warnings and 99995 if ping didn't return usable results, so the score will be 0 stars. Let's calculate both on the basis of two servers: A: latency 50, load 20%, 50 clients. B: latency 10, load 50%, 80 clients. For the Speed metric values are divided by preset factors, the results added: Penality (not sure about the values here, let's say, it's all roses now) / 1000 = 0.0 Ping: 50 / 1 = 50 LoadPerc: 20 / 1 = 20 ScoreBase (initially 0, unsure where set) / 1 = 0 UsersPerc: 50 / 1 = 50 0+50+20+0+50 = 120 Server B: Penality: 0 / 1000 = 0 Ping: 10 / 1 = 10 LoadPerc: 50 / 1 = 50 ScoreBase: 0 / 1 = 0 UsersPerc: 80 / 1 = 80 0+10+50+0+80=140. Server A is better, despite much higher latency. For the latency metric, server A: Penality: 0 / 1000 = 0 Ping: 50 / 1 = 50 LoadPerc: 20 / 10 = 2 ScoreBase: 0 / 500 = 0 UsersPerc: 50 / 10 = 5 Server A: 0 + 50 + 2 + 0 + 5 = 57 Server B: 0 + 10 + 5 + 0 + 8 = 23 Server B is better, despite much higher activity. All factors are decreased in importance in the Latency metric, so the ping value can be used as is in the formula. But all factors from Speed are still used. That's what I take away from reading that bit of code. Hope that helps you a little.

Hello, last year I had written a wrapper for Eddie's CLI version (in bash) to be able to use it more easily and extensively in the linux command line like the GUI, but with less resources. I have used it since then every day without problems, but now I have finally gotten to overhaul it and adjust it to Hummingbird because it is just so much faster! I also tried to make it more easy to configure (by having a separate configuration file) and added some new functionality like support (and automatic recognition) of iptables and nftables to lock down the system even without being connected to AirVPN and automatic connection at boot with a systemd unit. Again, feel free to use this as you wish, I hope someone can benefit from this. I'm happy about any improvements and corrections and will update this if I find the time. Features graphical interface in the command line to connect to AirVPN with Hummingbird (no Eddie involved) runs in background, the interface can be closed/opened anytime without affecting the running connection possibility to connect to any server with just one ovpn configuration file easily connect to a random server, to a recommended server, to the recommended server of a specific country or to a specific server sortable list of all servers including info like used bandwidth, load and number of users possibility to connect to other VPNs with openconnect lock down system by default (permanently if you want), so even without AirVPN/Hummingbird running there won't be any unwanted network traffic automatically establish connection at boot (which can later be controlled via the interface) logging of Hummingbird's output (number of days to keep logs for can be adjusted) system notifications to let you know what happens in the background Some general notes The default network lock determines, like Hummingbird itself, if iptables, iptables-legacy or nftables is available on your system and will use the first one found in that list. You can overwrite that by specifying which one to use in the configuration file. Once activated, the lock will stay in place until manually deactivated, so no internet connection will be possible unless connected to AirVPN or other whitelisted VPNs. You can make the lock permanent (or rather activate at boot) by enabling that option in the configuration file. AirVPN's network lock overwrites the default network lock, so there will be no interference. IMPORTANT: If you have any frontend firewall for iptables/nftables running, you might to disable that or read up on how it might interfere with rule changes you make directly via iptables/nft. The same thing applies if you use just Hummingbird itself. If you enable the default permanent network lock, it will write the lock rules at boot, most likely overwriting rules by firewalld or the like, but other enabled firewalls might interfere later. Also important: If you have SELinux and you want to use nftables for Hummingbird starting at boot, you have to create a SELinux exception for nft bcause otherwise it will be denied and Hummingbird starts without setting up its own lock, thus leaving you unprotected (AirVPN staff is aware of this issue). You can do that with audit2allow. Follow for example this guide to troubleshoot the problem and fix it with the solution given by sealert. Check your /etc/resolv.conf file while not running Hummingbird (because Hummingbird's network lock replaces that file temporarily) to make sure your router is not set as a nameserver (so no 192.168... address). Some routers will push themselves on that list by DHCP whenever you connect to their network. Since communication with the router is allowed in the lock rules, DNS requests will be handled by the router and sent to whatever DNS server is configured there even when network traffic should be blocked. There are ways to prevent that file from being changed by DHCP, best configure network manager for that if you use it. To connect to other VPNs, their IPs must be whitelisted and DNS requests for their domains must be allowed in the default network lock rules (netfilter_ipbatles.rulesipv4/ipv6 and/or netfilter_nftables.rules). Only edit those files with the default network lock deactivated. The rules for airvpn.org can be copied and adjusted. You can set custom options for Hummingbird in the interface or the configuration file. All the possible options can be found in the Hummingbird manual or with sudo hummingbird --help Apart from dialog I tried to only use basic system tools. The scripts will check if everything needed is present, if not they will exit. At least bash 4 is needed. The scripts rely mostly on dialog, awk and curl (and iptables/nft as described and openconnect if needed), so it should work on most systems. I wrote and tested this on Fedora 32 with Hummingbird 1.0.3. It should be possible to use any ovpn config file generated by the AirVPN's config generator. Even with the file for one specific server it should be possible to connect to any other server because the server override function is used here. I haven't tested that extensively though and just use the config file for earth. AirVPN's API seems to be a little unreliable sometimes as in not correctly reporting the connection status. Sometimes the API reports me not being connected although I am connected to an AirVPN server. This is no big deal, it just means that the connection status sometimes may be shown falsely as disconnected. If you have the default network lock activated, no traffic would be possible if you were actually disconnected. And, lastly, VERY IMPORTANT: I am still no programmer and do this only on this on the side, so even though I tried my best to make these scripts secure and error free, there might very well be some bad practice, never-ever-do-this mistakes or other hiccups in there. It works very well for me (and has for quite a while by now), but better check it yourself. UPDATE As of 2020/08/29 this project including updates, changelog and further instructions is publicly available on GitLab. There it can be more easily examined, downloaded and updated. Thus I have removed the scripts, installation instructions and the archive with all the files from this post. Check out the GitLab project for the newest version.

How is anyone going to understand that guide? It's not made for normal users at all, it's for superusers. I paid for this VPN just like everyone else, now why does it have to be so hard to follow the official guides, just because I'm not into computers? I am getting minimum speeds with AirVPN connected and really fast without it connected.