

Popular Content

Showing content with the highest reputation since 09/07/22 in all areas

  1. 3 points

    AirVPN is sweet!

    Just wanted to say that out of all the VPNs I've tried, this one is the one. Lots of control, extra features a lot of VPNs lack, and at prices that are nice. Those big VPNs are just bleh.
  2. 2 points

    Do you have your own DNS Servers

    You will always be tracked, neither VPN nor DNS servers will help you with that. What you can do is minimize the impact. I'm running a PiHole in the network. Upstream servers are my ISP's, Quad9 and two from OpenNIC. Some people use Google Public DNS or OpenDNS, I'd avoid those.
  3. 2 points
    Actually an interesting question. I've never seen a list of available instruction sets in Apple's Bionic chips. All I know is, they're ARM with a big/little CPU design (that is, part high-clocking CPUs for performance, part low-clocking CPUs for economy) and the newer devices have an ARMv8 CPU. I'd assume with the latter that AES is part of it, so the choice of AES makes sense. You could put this to the test yourself, I think. Connect with both OpenVPN and Wireguard, download something being connected to the same server and keep an eye on CPU usage. That's the idea, can't really help you further than that. I'd correct this to "AES is for devices with AES-supporting CPUs", which is PCs from ~2010 and embedded devices from ~2020. For instance, my phone is aarch64 supporting the AES set, too, so I prefer an AES cipher over ChaCha20. Since I very rarely use a VPN on my phone, I don't have extensive insight on which is better (and for what). But I tend to agree that ChaCha20 is better suited on older models, both security and performance-wise.
  4. 2 points
    To build on that, AES can even be found in ARM CPUs nowadays, especially those supporting aarch64. To answer Mr. Mas99's question about what the more secure cipher is, it's ChaCha20-Poly1305. For performance and, as written, with availability of AES instruction sets in CPUs, AES-256-GCM should be preferred. CBC should not be used. Compared to AES, ChaCha20 is more resilient against certain kinds of attacks. For example, AES can be attacked with a carefully built timing-based attack in software. Some cryptographically interesting characteristics of AES render it slightly more prone to collision attacks, too. ChaCha20 solves those problems at least. In the end, abusing this is still quite an ordeal, so AES is still a good choice. About CBC vs. GCM, both XOR ("randomize") the plaintext, but in different ways. CBC XORs the plaintext with the preceding cipherblock (hence the name Cipher Block Chaining) and encrypts that. An attacker would know the previous cipherblock, though, and the ciphertext depends on that data. GCM maintains something like a counter, an internal variable, and encrypts this, then XORs it with the plaintext. An attacker can't know this internal variable on which the ciphertext depends, therefore, GCM offers inherited security.
  5. 2 points


    No, your experiences are on-point. I'm stunned as to why Linux Mint is still advertised like this. "But it was historically easy on newbies" – yeah, probably; let's put some emphasis on that little "was". Fedora, Pop!_OS or EndeavourOS, whether you want RPM, APT or pacman to be your base, are currently doing a much better job at this. And still that unyielding "start with Ubuntu or Linux Mint, you can't go wrong with that"… no, I think today you seriously can.
  6. 2 points
    For your comfort and peace of mind, check with traceroute (tracert in Windows) or mtr, and/or access various end points which tell you the IP address your packets come from. Typical speed test sites and "what is my address" web services are perfect. Compare the IP address you get with the supposed exit-IP address of the VPN server you're connected to and verify they match. Finally, query the IANA database (with whois) for a final cross-check. Repeat multiple times for each server to minimize the likelihood that you end up at services which are accomplices of the attackers and therefore mask your IP address, making you believe that you have a perfectly fine IP address while in reality your packet has come out from inside the evil Russian network.

    As a welcome and smart side-effect, while the attackers could do nothing with the data in transit inside their nodes because of end-to-end encryption, a re-routing of such a kind which would add an additional exit node would turn infringement notices against us exactly to zero, and alas this is not what we observe, not at all 🙄. We have never met such kind and gentle attackers, unfortunately.

    Kind regards 😋
  7. 2 points
    Small update regarding setting up AirVPN in DSM 7.1:

    1. it runs OpenVPN 2.5.4, so no need to select OpenVPN < 2.4 in the config generator.
    2. DSM 7.1 requires that one fill in a username and password - just put some random rubbish.
  8. 2 points
    Thanks. It works with this solution:

    Please:

    - log your AirVPN account in to the web site
    - click "Client Area" from the upper menu
    - click the "Devices" button
    - click your client/key pair "Details" button
    - click "Renew"
    - from Eddie main window log your account out and then in again

    and the problem will get resolved.

    Great!
  9. 1 point

    Generate new API key... via API?

    Hello! We're very glad to inform you that the feature has been implemented. Please check your account API explorer in your API panel for information and usage. Service: devices https://airvpn.org/apisettings/ Kind regards
  10. 1 point
    I wrote to the Support Team, after analyzing my situation they suggested me to use Eddie 3.0 for Android instead of Eddie 2.5. Without any changes to termux I was able to connect over the LAN network to the phone. For others with the same kind of problem I am copy & pasting the conversation to here:

    ---

    Hello Support Team,

    Thanks for the suggestion. But it is still not working. I have looked into the sshd_config file, there were no binding options specified. When I start the sshd with debug option it prints out the bindings

        phone$ sshd -d
        ...
        debug1: Bind to port 8022 on ::.
        Server listening on :: port 8022.
        debug1: Bind to port 8022 on
        Server listening on port 8022.

    looks very general to me. Connection with AirVPN off, it connects just fine

        PC$ ssh myuser@ -p 8022

    but the same command is not working with AirVPN on. In the sshd_config file I also tried inserting ListenAddress

    What is strange for me though, when AirVPN is on and sshd is not running I get

        ssh: connect to host port 8022: Connection refused

    error and with sshd running

        ssh: connect to host port 8022: Connection timed out

    Somehow AirVPN allows to access the IP and port but sshd is not able to establish a complete connection and hangs silent until a time out. Does sshd use an additional communication channel, which AirVPN is still blocking? I feel I am so close to the solution. Any further suggestions?

    ---
  11. 1 point
    I have been using a lot the NL servers. Last weeks I noticed that when I tried to open my gmail account I landed on the Russian version of gmail. I disconnected/reconnected back to NL. Stay connected a few days, back to Russian gmail then. This doesn't look normal ... But is it ?
  12. 1 point
    This is normal for Google. Since geoIP is such a mess, they don't completely trust what geoIP databases report. Instead they use the data they get from browsers visiting from each IP and try to guess if some IP is now being used elsewhere. Since Russia is currently heavily censoring internet access, AirVPN likely has a lot of Russian users who happen to be using NL servers. Google detects a lot of users with Russian locale are using NL node IPs -> they start offering Russian site by default. Not sure if there are workarounds for this, other than logging in. But this is not a sign of compromise, so no need to be paranoid. If Russia really was listening, they wouldn't route traffic through Russia. ;)
  13. 1 point
    That's because it's always ChaCha20-Poly1305.
  14. 1 point
    Port can be selected so I'll find a HowTo for torrent clients and copy that Thank you
  15. 1 point
    Both OpenVPN and Wireguard don't reinvent the wheel here, they do use the ciphers coded somewhere else, which is exactly why OpenSSL is a dependency. So no, it's not limited to OpenVPN or Wireguard.
  16. 1 point
    CHACHA and AES are both super strong. CHACHA is more efficient on phones and so may give you better speeds and longer battery life. AES is more efficient on most computers because computers now are built with the AES-NI New Instruction set hardware extensions to support encryption. Google on how to verify your computer CPU has the AES-NI feature. The CBC alternative is also plenty strong but IIRC (my memory is always a question) differs in some details of initial negotiation that make GCM the slightly better alternative. Plenty of comparisons online if you want more.
  17. 1 point
    Hello! Please check here for a very quick solution: https://airvpn.org/forums/topic/53004-openssl-error-restart-every-3-seconds/?do=findComment&comment=187787 Kind regards
  18. 1 point
    As OPNsense and pfSense are/were pretty much the same, I am also interested in this!

    Looking at pictures of the pfSense WireGuard user interface (VPN --> WireGuard --> Tunnel Configuration) it seems that there is no field which would allow setting an MTU or MSS value for the tunnel. It looks like you only have the option to set the MTU (and MSS) value in the pfSense interface section.

    However on OPNsense there is an extra field (VPN --> WireGuard --> Local --> "Tunnelname") to set the MTU value directly in the WireGuard config but also no field for the MSS value. In the OPNsense interface section it is also of course possible to define the MTU (and MSS) value. The interface section also overwrites any setting configured in the WireGuard tunnel configuration.

    Also reading through this tutorial and the linked reddit thread it seems that it is best to just set these values in the interface section of OPNsense/pfSense and not in the tunnel configuration. I will try this out and report back here.

    Update

    It is best to declare the MTU value at the interface configuration and also in the tunnel configuration. The latter is necessary because each reload of the interface configuration and each reload of the WireGuard package will reapply the MTU value to the interface. Setting the MTU=1420 and MSS=1420 in the interface configuration of the interface assigned to the WireGuard tunnel and also MTU=1420 in the tunnel configuration resolved both the speed and SSL issues.

    Note

    I personally have to use MTU=1412 since my WAN requires the use of PPPoE, which adds another 8 bytes of overhead that need to be subtracted from the theoretical maximum MTU=1420.

    WireGuard MTU for PPPoE = 1420 - 8 = 1412

    Details see here: https://lists.zx2c4.com/pipermail/wireguard/2017-December/002201.html

    Note

    Setting the MSS value the same as the MTU value is specific to OPNsense and pfSense! Both firewalls automatically reduce the value entered in the MSS field by 40 bytes. On other systems the MSS value has to be entered 40 bytes lower than the MTU value.

    OPNsense / pfSense: MTU entered = actual MTU applied to the interface
    OPNsense / pfSense: MSS entered = MSS entered - 40 bytes = actual MSS applied to the interface
  19. 1 point
    Using Wireguard, the logs should be in the journal.

        # journalctl -k --grep wireguard
  20. 1 point
    I see we're getting especially original with how to shorten my display name. The best one yet still ought to be OS, though. Guess I look like one. OpenDNS employs a technique called Extended Client Subnet, that's how it appears to be quicker. --- PiHole offers a few built-in options. You can also add two v4 and two v6 addresses of your own, such as OpenNIC. You can mix them all to minimize resolution time to a minimum.
  21. 1 point
    Hello! From the screenshot we can see that you did not enable Network Lock. Please enable it to prevent any possible traffic leak, including leaks caused by configuration errors like yours. In general you must not bind programs to the physical network interface: since the original gateway is not deleted in order to allow connectivity after a VPN connection is closed by the user, by binding to the physical network interface a process may bypass the VPN tunnel when Network Lock is not active and incoming connections arrive. Note that wrong binding will arise even from UPnP, NAT-PMP and any other "automatic port mapping" methods so make sure to disable such options from the torrent program. Anyway Network Lock will prevent traffic leaks even in this case. Check your torrent program settings against the following guide available in the FAQ section: https://airvpn.org/faq/p2p/ Kind regards
  22. 1 point
    This one is detected as Sabsik, but this name also comes up when people compile their own software with MSVC, so I think it's definitely erroneous.
  23. 1 point


    Pop!_OS is the Ubuntu-based distribution from System76, well known in the U.S. for selling and supporting Linux systems. They are doing work so that the experience of buying a computer with Pop!_OS preinstalled is like buying one with Windows preinstalled, but without all the bad strings attached. They're not the only retailer doing that, of course (we've got Tuxedo around German-speaking countries for example), but the most visible, because they've got their own distribution and soon their own desktop just lying around, waiting to be downloaded and installed. With a bought Windows PC, you can expect to simply install Steam, download a game and play it, just to name one use case. That's the thing Pop!_OS seems to be aiming at as well: Buy the computer, install Steam via the store, download some game and play it.
  24. 1 point
    Clicking on those will lead you to the VirusTotal entries for both. You could post the links here for us to take a look. Be advised that, while one or two engines flag it as malicious, about 70 don't, so it's quite safe to assume false positives. I imagine those engines flag it because both are custom-built, some database has hashes for the "real" EXEs and a simple comparison was done. If both engines flag it due to a heuristic analysis, some additional caution must be applied interpreting the flag. In short, Eddie is not dangerous and its installation certainly doesn't warrant a wipe of your hard drive. If it is, why trust AirVPN as a whole, then? What's running on the servers is not known, and here you at least have the source code, so you know what's running on the client. It's a shame that Mr. Flx went all out and suggested that; even as a joke, you wouldn't have gotten it. It's also not "VirusTotal garbage", but a side feature of Process Explorer (which can help with identifying unknown running programs, as you did right there; you simply need to take that info with a bit of salt).
  25. 1 point


    And of course there's linux mint, which with its cinnamon window-manager option has long been the standard for linux beginners. In spite of having used fedora for a quarter of a century on my primary computers, some months ago I finally put mint/cinnamon on a late-2010 MacBook Air to revive it from the dead world of having dropped out of MacOS support. I chose mint intending to try transitioning a household Windows user to linux with it, but I've ended up just using it myself. Installation/setup was easy enough with a little help from googling (as long as I didn't insist on changing the video driver from the default), and I've been very pleased with the results. I'm typing on it now. I'm not an Eddie user so haven't tried that, but I do have both wireguard and OpenVPN running on it, the former using wg-quick per Air's instructions and the latter using Air's bluetit/goldcrest suite. Of the two it's wireguard that's by far the easier and faster to get going, though that's without the superior flexibility of OpenVPN. Perspective: generally fedora is, of the more mainstream distributions, The Thing if you want the very latest linux kernels and versions of everything, while mint is at the other end of the spectrum: oriented towards a rock-solid and predictable, zero-hassle experience by sticking with security-updated versions of otherwise slightly older kernels. It's an Ubuntu derivative, so updates can be done with apt in addition to the GUI updater.
  26. 1 point
    Really old computers may lack the AES-NI instructions that make GCM ciphers efficient. In those cases you'll likely do better in OpenVPN if you configure for the CHACHA20-POLY1305 cipher (the cipher that wireguard uses). I'm not an Eddie user so can't advise there, but if you are setting up OpenVPN using the Air configurator, check the "Advanced" box on the upper right, then scroll down to "Advanced - OpenVPN only" and under "Data Cipher" select "Mobile (prefer CHACHA)". The configuration it generates is not actually specific to phones, but where modern hardware is concerned, it's really only phones (and tablets) that are missing the AES-NI instructions, hence the labeling of this choice.
  27. 1 point
    Terry Stanford


    How useful! Thanks!
  28. 1 point


    It's dangerous to go alone! Take this.
  29. 1 point

    [ENDED] End of season sale

    Yea I second the end date information for the sale. Also the Eddie pop up clearly states save up to 74% while the page and the banner here states 70%.
  30. 1 point
    I would also appreciate another server in the Pacific Northwest, as the Vancouver B.C. servers are quite crowded as well.
  31. 1 point
    new log in client area, wireguard till now is reconnecting
  32. 1 point
    Hello! Yes, it is an intended change following several users request. Kind regards
  33. 1 point
    Hello! We're very glad to inform you that Eddie Android edition 3.0 Beta 2 is now available. The original post has been updated accordingly.

    New in Beta 2:

    - detected client's IP address not written in local log anymore
    - WireGuard error streams management rewrite (*)
    - dark theme heading color change

    (*) fixing reported bug according to internal tests, please check

    Find full description, download link and SHA256 signature in the first post of this very thread. Thank you very much for your tests and please report and describe any bug you find!

    Kind regards
  34. 1 point

    AirVPN & ipad

    Hello! Another option is WireGuard app for iOS, of course, if WireGuard is not blocked by the provider. Configuring WireGuard in iOS is easier, as our CG proposes the QR code. https://airvpn.org/ios/wireguard/appstore/ Kind regards
  35. 1 point

    Eddie Desktop Edition 2.21.6 released

    @telemus Hello! That's normal, it's a Windows exclusive option as it is the only system which needs third-party drivers for tun interfaces. You don't need this option at all in Linux or Mac. Probably "Automatic" is still checked. You need to uncheck it first. Kind regards
  36. 1 point

    Eddie Desktop Edition 2.21.6 released

    Hi Staff, Appreciate the information, so it should be per screen below: Thanks
  37. 1 point

    Infinite Capcha's

    DDoS is not the only problem the internet faces. It might just be that someone behind AirVPN is running script kiddie stuff on an automated basis. We can't know, because security companies exist so that people not knowing much about malware can buy in such expertise. In such a situation it's difficult to verify claims such a company makes. Wordfence blocked access, but on what basis? Ask. That's when they will say "we can't tell because otherwise the bad guys will know and try to go around".
  38. 1 point
    after my last test there were two SO updates, today I did a fresh reinstall of Eddie and it seems to work well, after more than an hour no disconnection in Settings I select No local network notification sound works at phone start log send edit: it disconnect again...
  39. 1 point
    It would be nice to have a Meta Blocklist. This list blocks all Meta apps, services, trackers etc. (Facebook, Messenger, Instagram, Whatsapp).

    Maintained by Lightswitch05 (https://github.com/lightswitch05/hosts)
    A hosts file to block all Facebook and Facebook related services, including Messenger, Instagram, and WhatsApp.
    License: Apache 2.0 (https://github.com/lightswitch05/hosts/blob/master/LICENSE)
    Raw URL: https://www.github.developerdan.com/hosts/lists/facebook-extended.txt
  40. 1 point
    Personally I set up a privoxy proxy on a linux server, then set that server to run through AirVPN. I then use OmegaProxy plugin with firefox to specify which websites bypass the VPN and which use it.
  41. 1 point
    The only way, is to use a residential IP from a VPN company that offers that option as an addon.
  42. 1 point
    System: Ubuntu 22.04 VM
    Eddie: 2.21.6

    Ubuntu system will not connect to a VPN host and just keeps retrying hosts. Here are the logs from the console for two attempt cycles with the client.

        I 2022.05.18 10:07:01 - Session starting.
        I 2022.05.18 10:07:01 - Checking authorization ...
        ! 2022.05.18 10:07:01 - Connecting to Edasich (Netherlands, Alblasserdam)
        . 2022.05.18 10:07:01 - Routes, add for interface "ens33".
        . 2022.05.18 10:07:02 - Routes, add for interface "ens33", already exists.
        . 2022.05.18 10:07:02 - OpenVPN > OpenVPN 2.5.5 x86_64-pc-linux-gnu [SSL (OpenSSL)] [LZO] [LZ4] [EPOLL] [PKCS11] [MH/PKTINFO] [AEAD] built on Mar 22 2022
        . 2022.05.18 10:07:02 - OpenVPN > library versions: OpenSSL 3.0.2 15 Mar 2022, LZO 2.10
        . 2022.05.18 10:07:02 - OpenVPN > OpenSSL: error:0A00018E:SSL routines::ca md too weak
        . 2022.05.18 10:07:02 - OpenVPN > Cannot load inline certificate file
        . 2022.05.18 10:07:02 - OpenVPN > Exiting due to fatal error
        ! 2022.05.18 10:07:02 - Disconnecting
        . 2022.05.18 10:07:02 - Sending soft termination signal
        . 2022.05.18 10:07:02 - Routes, delete for interface "ens33".
        . 2022.05.18 10:07:02 - Routes, delete for interface "ens33", not exists.
        . 2022.05.18 10:07:02 - Connection terminated.
        I 2022.05.18 10:07:05 - Checking authorization ...
        ! 2022.05.18 10:07:05 - Connecting to Kajam (Netherlands, Alblasserdam)
        . 2022.05.18 10:07:06 - Routes, add for interface "ens33".
        . 2022.05.18 10:07:06 - Routes, add for interface "ens33", already exists.
        . 2022.05.18 10:07:06 - OpenVPN > OpenVPN 2.5.5 x86_64-pc-linux-gnu [SSL (OpenSSL)] [LZO] [LZ4] [EPOLL] [PKCS11] [MH/PKTINFO] [AEAD] built on Mar 22 2022
        . 2022.05.18 10:07:06 - OpenVPN > library versions: OpenSSL 3.0.2 15 Mar 2022, LZO 2.10
        . 2022.05.18 10:07:06 - OpenVPN > OpenSSL: error:0A00018E:SSL routines::ca md too weak
        . 2022.05.18 10:07:06 - OpenVPN > Cannot load inline certificate file
        . 2022.05.18 10:07:06 - OpenVPN > Exiting due to fatal error
        ! 2022.05.18 10:07:06 - Disconnecting
        . 2022.05.18 10:07:06 - Sending soft termination signal
        . 2022.05.18 10:07:06 - Routes, delete for interface "ens33".
        . 2022.05.18 10:07:06 - Routes, delete for interface "ens33", not exists.
        . 2022.05.18 10:07:06 - Connection terminated.

    I have seen similar posts as this but with the windows client. Anyone have some thoughts on this?
  43. 1 point
    Right. Well, have a look at Netflix' route announcements. Let us know when you're finished adding them all, because it's assumed any of them can be used. ❤️
  44. 1 point
    Clicking the download link does not work. Nothing is downloaded.
  45. 1 point
    @prplshroud Hello! For a quick resolution, please renew your client certificate from your account "Devices" panel, available in your "Client Area" in airvpn.org web site, then log your account out and in again from Eddie's main window (or generate new configuration files if you don't use Eddie). We started signing client certificates through SHA512 since 2017, so you must have an older one: thank you, you're a long time customer! Explanation of the problem with additional details: https://airvpn.org/forums/topic/49811-urgent-cant-connect-to-vpn-anymore-on-openvpn-for-android-0725/?do=findComment&comment=169523 Kind regards
  46. 1 point
    entry 3 requires two changes:

    1. under TLS KEY USAGE MODE it's set to encryption and authentication. (normally just TLS auth)
    2. auth digest alg = SHA 512. (normally 160)

    so in bold is used if using entry point 3. otherwise use non bold

    good luck!
  47. 1 point

    Splitting tunneling by apps

    Hello! Eddie Android edition includes easy settings to put applications on black or white list. If a black list is defined, applications in the black list will have their traffic not tunneled. Any other application will have its traffic tunneled. If a white list is defined, only applications in the white list will have their traffic tunneled. Any other application will have its traffic not tunneled. Kind regards
  48. 1 point
    @Staff suggestion---->>>change from UDP to TCP protocol.
  49. 1 point

    Eddie can't find client key file

    So guys, finally found the problem: the new behaviour of Eddie to look for .ovpn conf files in /ovpn just below the data dir obviously makes it difficult for him to find the respective key- and certfiles. I did a little debugging with procmon in Windows and after I changed the relative directives in my .ovpn conf to something like that:

        ca "c:\\myvpnserver2017.crt"
        cert "c:\\myvpnserver.crt"
        key "c:\\myvpnserver.key"

    it finally works. Maybe this is a helpful note to fix this bug ...
  50. 1 point

    Perfect Forward Secrecy Info

    Hello! You need to insert the directive "reneg-sec" in your OpenVPN client configuration (see below a paste from the OpenVPN manual). Detailed instructions vary according to the client or OpenVPN wrapper you're running. With our client Eddie you can insert the directive in "AirVPN" -> "Preferences" -> "Advanced" -> "OVPN directives". Enter "reneg-sec 1800" in the left box reserved to additional directives, click "Save" and start a connection with a VPN server.

    Kind regards

    --reneg-sec n

    Renegotiate data channel key after n seconds (default=3600). When using dual-factor authentication, note that this default value may cause the end user to be challenged to reauthorize once per hour.

    Also, keep in mind that this option can be used on both the client and server, and whichever uses the lower value will be the one to trigger the renegotiation. A common mistake is to set --reneg-sec to a higher value on either the client or server, while the other side of the connection is still using the default value of 3600 seconds, meaning that the renegotiation will still occur once per 3600 seconds. The solution is to increase --reneg-sec on both the client and server, or set it to 0 on one side of the connection (to disable), and to your chosen value on the other side.