Leaderboard

Hello! We're very glad to inform you that a new Eddie Air client version has been released: 2.17beta. It is ready for public beta testing. How to test our experimental release: Go to download page of your OSClick on Other versions Click on Experimental Look at the changelog if you wishDownload and installPlease see the changelog: https://eddie.website/changelog/?software=client&format=html

Hello! We're very glad to inform you that a new 1 Gbit/s server located in São Paulo, BR, is available: Peony. Peony is our first server in South America and we are very proud to start operating there. Special thanks go to out moderator Zhang who helped us find a datacenter with particularly good connectivity The AirVPN client will show automatically the new server. If you use the OpenVPN client you can generate all the files to access it through our configuration/certificates/key generator (menu "Client Area"->"Config generator"). The server accepts connections on ports 53, 80, 443, 1194, 2018 UDP and TCP. Just like every other "second generation" Air server, Peony supports OpenVPN over SSL and OpenVPN over SSH, TLS 1.2 and tls-crypt. Full IPv6 support is included as well. As usual no traffic limits, no logs, no discrimination on protocols and hardened security against various attacks with separate entry and exit-IP addresses. You can check the server status as usual in our real time servers monitor: https://airvpn.org/servers/peony Do not hesitate to contact us for any information or issue. Kind regards and datalove AirVPN Team

After a bit of tinkering I finally get 19/20 on ipv6-test.com running Waterfox 56.2.6 on Debian. I also get 19/20 on Chromium 70 and Firefox ESR (60.4.0). Waterfox addons also indicate that the browser connects to IPv6 addresses all the time. It doesn't seem to be an issue with getaddrinfo() or its config in gai.conf at all as mine is the same as Mr. kaymio's. So, what did I do? I am not entirely sure, to be honest. I disconnected from AirVPN and went on doing experiments on my ISP line with native IPv6. I set network.http.fast-fallback-to-IPv4;false network.notify.IPv6;false and restarted the browser. Then I reenabled the notify setting and restarted again. After that, Firefox/Waterfox magically started to prefer IPv6 and ipv6-test.com gave me 17/20. This is due to my router blocking ICMP (Fritz!Box calls this "Stealth Mode" ) so it should be 19/20 if I decide to stop filtering it. I reconnected to AirVPN and voilà, still prefers IPv6, now 19/20.

Working great so far over here on MacOS 10.13.6!

I tried this on Windows 7. There were problems. Browsers had difficulties with finding web sites on internet. I was able to browse some sites, but too many of them gave errors. Could not find IP or DNS of the site.... I tried different web browsers and problem was the same with all of them. I cleared all caches and did reboot my computer, but that didn't help. I went back to version 2.16.1 and browsers are able to find those web sites again.

Minor issue on arch linux (Plasma desktop). Minimizing to tray no longer works properly: it minimize to tray but taskbar entry is not disappearing and always visible. See screenshot:

Might want to update the changelog page.

Success! And here's a complete how-to! Okay, I got it working without "rooting" the device into Developer Mode. It's a set of hoops that AirVPN can actually make simple by generating their own .onc and .p12 files. Here's the steps that I took that works for me: First, get the files you need from AirVPN.org: 1): click Client Area, then Config Generator. 2): select Linux for your OS (because ChromeOS is Linux) 3): check your preferred server - only choose one! I recommend either by continent or country because then it looks like it randomly picks one. 4): scroll all the way down and check Advanced Mode, and then check 1194 *NOT* the recommended 443 - I couldn't get that one to work right. 5): check Separate keys/certs from .ovpn file (important) 6): check the two boxes at the end and hit Generate. 7): Download the zip file and unzip it somewhere. You will get 5 files - an ovpn file (which has the name of the server which you need for later), a ca.crt, a ta.key, and a user.crt and user.key. Now, you need to convert some things. First off, you need to build a .onc file. There is a GitHub project that does just that. 1): visit https://github.com/CharlesErickT/oncgenerator 2): click the Clone or Download button, and download the zip file. 3): unzip the contents of this file somewhere. 4): double-click the index.html file to bring up the converter. 5): in the name of the connection, use the filename from the .ovpn file (ex: AirVPN_FOOBAR) 6): open the .ovpn file in Notepad or whatever and look for a line similar to this: "remote xx.vpn.airdns.org 1194". The part you want is "xx.vpn.airdns.org", but you may also have it as a dotted ip address like 1.2.3.4 - do NOT use the port (yet!) 7): copy the server name or ip to the Hostname/IP field 8): enter the port # (1194 in this case) 9): enter your username 10): open the ca.crt file in Notepad and copy the contents in the Content of your CA.crt box 11): open the ta.key file in Notepad and copy that contents into the TLS auth key box. 12): hit generate and save the .onc file The .onc file will by default use UDP; I had problems for some reason so I had to edit it. 1): Open the .onc file with Notepad and look for the "Proto": "udp" line. Change the "udp" to "tcp". Upload your .onc to your Google Drive account or copy it to a thumb drive. Upload the ca.crt file to your Google Drive account or copy it to a thumb drive. Now, the magic bit. You will need to make a p12 file from the user.crt and user.key files. For this I used OpenSSL but if you know how to use something else that's fine. 1): open a command window running in the folder where you extracted the files from the AirVPN.zip file 2): run the following command: openssl pkcs12 -export -in user.crt -inkey user.key -certfile ca.crt -name YOURUSERNAME -out user.p12 3): openssl will ask you for a password twice. This password will be needed later. 4): copy the generated user.p12 file to either your Google Drive or a thumb drive. And now finally on the chrome book! Import the certs. 1): Click your user icon on the bottom-right, and then the gear to open the control panel. Type "certificates" in the search box and select Manage Certificates. 2): on the Your Certificates tab, click Import and Bind, and select the user.p12 file from above. Type in the password you used. 3): click the Authorities tab and click Import. Select the ca.crt file from above and import it. Check "trust this for websites" and hit OK. Import the .onc file 1): from a new tab type in chrome://net-internals and hit enter 2): click on ChromeOS on the bottom, and then under Import ONC click Choose File. Select the .onc file you generated and hit ok. It will look like it did nothing. But... Now open your Network control panel and hey, a new VPN entry! Click it and it will show the name that you gave it before. Click Connect, and enter your password for your AirVPN account, and then check Save Identity and Password, then connect. You should be online! To verify, open Google.com and type in "whats my ip"in the search box and you *should* get a different ip than your ISP's number. You can also go into AirVPN.org on a different machine and select Client Area->Overview and verify that the server you are connected to on your chromebook has the same ip as what it says. Notes and caveats: This worked for me. The secrete sauce seems to be the user.p12 file generation. I don't know if you really need to import the ca.crt file or not - it shouldn't matter because it's in the .onc file but whatever. What also worked for me was using the TCP instead of UDP and port 1194 and not 443; however, on my Windows system on the same wifi network I can use Eddie in its default config (udp 443) just fine.

Can you describe what you did to achieve this. Im in the same boat, and want some connections / services to route outside vpn. Mainly my usenet nzbget client and tvheadend server for example

I had the same error in the begin but when I select direct udp during making the confige files. and imported it again. Then it will connect well. I just wonder if I have to do more steps before I can use Sonarr for example.

Hi, I have followed this guide and tried both a specific netherlands server and netherlands in general but the DSM keeps returning error (in screenshot). Can someone please help me? I am not sure where i can find more detailed logs in the synology so please assist with this if this will help getting it resolved. Thank you in advance

Outstanding idea! More = Better and besides suits perfect by the AirVPN's principles I'm personal support already Bits of freedom, a Dutch Digital rights organisation (https://www.bof.nl/home/english-bits-of-freedom/) and founders of the European Digital Rights Initiative https://edri.org/, If my information is correct, BOF is also pretty successful, of-course mostly in the Netherlands.

definitely agreed!

@LZ1 See the license. Eddie is released under GPLv3. GPL was originally written by Stallman of the FSF. Kind regards

This would be a great addition to airvpn.

Hello! We're very glad to announce a special promotion on most of our Premium plans. You can get prices as low as 2.45 €/month with a two years plan, which is a 65% discount when compared to monthly plan price of 7 €. Special deals involve three and six months plans, as well as one and two years plan. If you're already our customer and you wish to stay aboard for a longer period, any additional subscription will be added on top of already existing subscriptions and you will not lose any day. Please check the exact prices of each plan on https://airvpn.org and https://airvpn.org/plans Kind regards & datalove AirVPN Staff

I can confirm that at least the first command works. I scored 10/10 and 19/20.

@rohko The first test Here the scripts are not executed: Eddie 2.17.2, for intended security purposes, sets script-security to 1. Your custom directive: script-security 2 ensures that your "up" and "down" scripts will be executed by OpenVPN but they are not. The fact that in Eddie 2.16.3 you did not experience this issue might be related to a wrong bypass of the aforementioned directive. We will investigate with Eddie devs. The second test Here things become interesting. As you can see in the status printout, systemd-resolve acknowledges the DNS set by Eddie in resolv.conf and considers them as global DNS, according to the usual global DNS paradigm, as you correctly point out. However, you/we can see that 1.1.1.1 remains set for "ppp0" link. This implies that systemd-resolved works with "per-interface domain names".. Additionally, the Current Scopes of ppp0 are "DNS", while in tun0 they are set to "None". This cause a priority of names resolution toward the DNS specified in the ppp0 link: According to https://www.freedesktop.org/software/systemd/man/resolved.conf.html : DNS requests are sent to one of the listed DNS servers in parallel to suitable per-link DNS servers acquired from systemd-networkd.service(8) or set at runtime by external applications. For compatibility reasons, if this setting is not specified, the DNS servers listed in /etc/resolv.conf are used instead, if that file exists and any servers are configured in it. This setting defaults to the empty list. Again, you considerations are correct. This is an important "paradigm shift" from the global DNS (uniquely specified in resolv.conf) which allows to mimic the dangerous Windows DNS implementation (where there is no global DNS at all): since systemd 229, systemd-networkd has exposed an API through DBus allowing management of DNS configuration on a per-link basis. We will carefully consider this behavior with our techies. It appears (according to your last test, when OpenVPN is run directly) that the script handles correctly this case (no DNS for ppp0, from the output you pasted, and tun0 scope set to DNS) while Eddie doesn't. Thank you for the invaluable report, it will be thoroughly investigated to improve Eddie. In the meantime, can you please check the "DNS=" option in your [Resolve] section of your resolved.conf file in each of the tests (before and after each test) you performed and report back? Can you also test with DNS= option empty (remember to restart the service after you have saved the file) and check whether the problem is resolved with Eddie (leaving to Eddie the resolv.conf handling, without scripts of course)? With DNS setting left to empty, systemd will use nameservers specified in resolv.conf Kind regards

@rohko Correct, DNS leaks do not exist in Linux. This is a different issue and must be investigated anyway, but it's not related to DNS leaks. How does Eddie handle DNS (check "Preferences" > "DNS")? Since you rely on that script to handle the DNS push, Eddie must not interfere and you can focus on why your script does not work. Make sure to set "DNS Switch Mode" to "None" in "Preferences" > "DNS". Alternatively, disable your script, enable DNS push handling by Eddie itself (try with "DNS switch mode" set to "Automatic") and check whether the problem persists or not. If it does send a full system report generated by Eddie and taken just after the problem has occurred, please ("Logs" > LIIFE BELT icon > "Copy All" icon > paste into your message). Kind regards

i'm on Windows 8.1 x64 and have the same problem, i cant even really start eddie to connect to a server. :/ seems to be a curl/ipv6/.Net problem? event viewer says: Faulting application name: Eddie-UI.exe, version: 2.16.0.0, time stamp: 0x5ba6502a Faulting module name: KERNELBASE.dll, version: 6.3.9600.18938, time stamp: 0x5a7ddf0a Exception code: 0xe0434352 Fault offset: 0x0000000000008eac Faulting process id: 0xc20 Faulting application start time: 0x01d4530e1a889ab9 Faulting application path: C:\Program Files\AirVPN\Eddie-UI.exe Faulting module path: C:\Windows\system32\KERNELBASE.dll Report Id: 595a6e51-bf01-11e8-82b6-00e04c5125c8 Faulting package full name: Faulting package-relative application ID: and: Application: Eddie-UI.exe Framework Version: v4.0.30319 Description: The process was terminated due to an unhandled exception. Exception Info: System.Exception at Eddie.Core.Tools.Curl.Fetch(Eddie.Core.HttpRequest) at Eddie.Core.Jobs.Updater.OnRun() at Eddie.Core.Job.Run() at System.Threading.ExecutionContext.RunInternal(System.Threading.ExecutionContext, System.Threading.ContextCallback, System.Object, Boolean) at System.Threading.ExecutionContext.Run(System.Threading.ExecutionContext, System.Threading.ContextCallback, System.Object, Boolean) at System.Threading.ExecutionContext.Run(System.Threading.ExecutionContext, System.Threading.ContextCallback, System.Object) at System.Threading.ThreadHelper.ThreadStart()

Updated to reflect changes on 03-Aug-18 (previously, access was blocked from most servers).

Windows 7 Firefox 61.0.1 Testing on Eridanus server with ipv6-test.com gives me a score of 19/20 test-ipv6.com score of 10/10 with no warnings

At the moment I've got no native IPv6 connection at my disposal to test my hypothesis but I don't think that the problem lies at the application level. The apparent preference for IPv4 does not only seem to prevail in browsers but also in other applications like SSH. If I'm correct, SSH should prefer IPv6 over IPv4 on a native IPv6 connection, if one URL is pointing to multiple DNS entries (A + AAAA in this case). When a connection to a Gen2 server is established (via an IPv4 connection in my case), SSH always prefers IPv4 in my testing. An IPv6 connection to this specific URL can be forced with ssh -6 ... but this shouldn't be the default behavior of SSH. What determines which connection should be preferred? RFC3484 describes the ranking of competing connections. The resulting /etc/gai.conf on my Arch Linux system looks like this: # All lines have an initial identifier specifying the option followed by # up to two values. Information specified in this file replaces the # default information. Complete absence of data of one kind causes the # appropriate default information to be used. The supported commands include: # # reload <yes|no> # If set to yes, each getaddrinfo(3) call will check whether this file # changed and if necessary reload. This option should not really be # used. There are possible runtime problems. The default is no. # # label <mask> <value> # Add another rule to the RFC 3484 label table. See section 2.1 in # RFC 3484. The default is: # #label ::1/128 0 #label ::/0 1 #label 2002::/16 2 #label ::/96 3 #label ::ffff:0:0/96 4 #label fec0::/10 5 #label fc00::/7 6 #label 2001:0::/32 7 # # This default differs from the tables given in RFC 3484 by handling # (now obsolete) site-local IPv6 addresses and Unique Local Addresses. # The reason for this difference is that these addresses are never # NATed while IPv4 site-local addresses most probably are. Given # the precedence of IPv6 over IPv4 (see below) on machines having only # site-local IPv4 and IPv6 addresses a lookup for a global address would # see the IPv6 be preferred. The result is a long delay because the # site-local IPv6 addresses cannot be used while the IPv4 address is # (at least for the foreseeable future) NATed. We also treat Teredo # tunnels special. # # precedence <mask> <value> # Add another rule to the RFC 3484 precedence table. See section 2.1 # and 10.3 in RFC 3484. The default is: # #precedence ::1/128 50 #precedence ::/0 40 #precedence 2002::/16 30 #precedence ::/96 20 #precedence ::ffff:0:0/96 10 # # For sites which prefer IPv4 connections change the last line to # #precedence ::ffff:0:0/96 100 Which reflects the expected behavior described by the RFC standard. The man-page for this has been implemented in kernel 4.16 (very recently). When I apply the little knowledge I have on IPv6, the ULA each OpenVPN connections gets assigned is part of: label fc00::/7 6 and thus very low in the ranking of the competing connections. Hopefully I could point you in the right direction. If not I'm sorry. I don't understand all of it but this seems plausible to me.

Yeah I have done the 3rd point. Bot inside and outside LAN works on laptop and phone, Chromecast does not work outside LAN. Haven't tested the Chromecast inside the LAN as I do not have one. So keep this in mind when you plan to use a Chromecast ouside the LAN. I do not do it regularly, so its not a big problem. For those looking for a solution, on the Apple TV gen 4 you can install DS Video. Then you can still have an easy way of streaming to a TV outside your network.

Good idea LZ1, also people can support EFF financially, independent of Air. The whjole idea of intercepted networks just seems insupportable, but unfortunately people like open web at whatever cost. I reckon they wouldn't be so happy if the Postal Service had somebody standing outside their front door reading their letters.

Thanks a lot! Works fine!

Yes, this happens to me also, but I didn't notice it until now since I almost never reboot my NAS, and I have reconnect script which detects that VPN isn't working and restart it. I think this is Synology VPN implementation bug, it should be reported to them. Hopefully they can fix it in new updates.