Leaderboard

Hello! Today we're starting AirVPN ninth birthday celebrations! From a two servers service located in a single country providing a handful of Mbit/s, the baby has grown up to a wide infrastructure in 22 countries in three continents, providing now 230,000+ Mbit/s to tens of thousands of people around the world. Software related development has also been powered up. Eddie Android edition is now a fully mature application which features an exclusive best effort method to prevent traffic leaks and a complete integration with AirVPN. In 2019 AirVPN has also started operating in South America, on top of Asia, Europe and North America, and the infrastructure has grown significantly, counting now on more than 260 bare metal servers, whose traffic is mainly powered by tier1 and tier2 transit providers. AirVPN has also become recently an EFF "Super Major Donor" member. Furthermore, and we're very glad to announce it here publicly for the first time, development for OpenBSD and FreeBSD has started. We are also integrating OpenVPN 3 on new software which will couple Eddie on UNIX-like systems, including Linux, during the second half of 2019. GDPR compliance was already a de facto standard for AirVPN way before the Regulation entered into force, mainly because we don't collect personal data, period. By the way the compliance is now fully formalized (check details in our Privacy Notice and Terms https://airvpn.org/privacy ). AirVPN provides probably the strongest protection to your data, not only personal data but all data, you can find on any service. If you are an AirVPN customer or user, you are probably aware that our service is radically different than any other VPN service you might have met anywhere. No whistles and bells, no marketing fluff, no fake locations, no advertising on mainstream media, a transparent privacy policy, no trackers on the web site or in mobile applications, no bullshit of any kind in our infrastructure to sell your personal data to any personal data merchant, and above all a clear mission which is the very reason which AirVPN operates for. https://airvpn.org/mission Many of you know that when you buy AirVPN service, you not only support yourself and improve your ability to exercise your fundamental rights, but you also support AirVPN mission. However, while AirVPN in itself has flourished, AirVPN mission aims and values related to fundamental rights have experienced, in 2018 and 2019, a grim time. Australia "encryption-busting" monstrous law is fully in force; the European Union has definitively approved the bad Copyright Directive, mandating automated filters, which will unavoidably limit freedom of expression on big boards, and making the first step to undermine the liability exemptions of mere conduits and web publishers alike; new threats to citizens' privacy are becoming real through plans of wide face recognition deployment, indiscriminate DNA databases proposals, more pervasive and efficient profiling (possibly even through AI), and strict cooperation between Internet tech giants and intelligence agencies; the persecution of journalists, publishers and whistleblowers all around the world has reached unprecedented levels, revealing a widespread plan to suppress freedom of the press and freedom of expression even in so called "Western democracies". One of the greatest journalists and publishers of all times, Julian Assange, nominated seven times for the Nobel Peace prize and winner of many journalistic prizes and awards, has been and is prosecuted and persecuted for having merely published the truth about war crimes, corruption, torture and more, with a 100% accuracy, and for having protected his sources as any good investigative journalist does. He has been detained arbitrarily and illegally, as widely ascertained and recognized by the UN. He has been victim of an abominable smear campaign based on ignominious lies and defamation, a campaign aimed to turn the public opinion against him and distract from WikiLeaks publications content exposing war criminals in governments key positions, warmongers, torture maniacs, systematic illegal surveillance, endemic privacy violations and plots to limit and reduce fundamental rights. He is currently detained in solitary confinement 23 hours a day, with no access to books, maximum two visits per month, forbidden in practice to coordinate a defense with his lawyers, in a tiny cell of a maximum security UK prison which has been designed for dangerous murderers and terrorists, while UK will decide whether to extradite him to the USA to face a potential 175 years imprisonment. Whistleblowers like Chelsea Manning, who should be regarded as a hero, as Noam Chomsky, John Pilger, Daniel Ellsberg and other titans of our times pointed out, have been tortured and are still persecuted by the very same criminals whose crimes were exposed. Privacy activists and software developers, like Ola Bini in Ecuador, are imprisoned without charges, simply for having showed friendship to Assange or WikiLeaks, or for having developed software aimed to protect privacy through encryption. And the list can go on and on and on. But make no mistake: the dark times we are living in, the environment of fear and intimidation that various governments are building against the exercise of those fundamental rights which our mission forces us to protect to the best of our abilities, the mounting attacks against "encryption for everyone" and the awareness that enemies of human rights nestle inside government agencies, have not undermined our determination. Quite the opposite: they have convinced us that our service is even more necessary now and we are resolute to do even more. Our mission has been and will be empowered by the ongoing support to projects and NGOs which aim to the protection of privacy, personal data and freedom of expression, now more than ever. We have confirmed our support to Tor and we will progressively add support to champions of freedom of expression and privacy in any way our capacities and abilities will allow us. If you're curious to know something about a series of fortunate events which gave birth to AirVPN, have a look here: https://airvpn.org/aboutus To worthily celebrate AirVPN ninth birthday, we're glad to inform you that starting from now we will offer a 20% discount on all long term plans. Hurry up, this special offer will end on June the 11th, 23:59:59 UTC! Check the new prices here. Kind regards and datalove AirVPN Staff

DNS is unencrypted. If you use a DNS other than AirDNS, the query is unencrypted after the AirVPN server and visible to the outside. If you use AirDNS, it stays in the tunnel which is encrypted, therefore, the DNS query is as well. So yes, Vegas stays in Vegas kind of a thing.

All Air is doing is putting a target on their back and making their political viewpoints known. At this time it's only comfortable to place a year's service at a time (over 3 years) since with their recent statements I can't see where there are no reprocussions for their actions. Users should be weary of what may come as a result - some really really dislike Chelsea Manning and Air is controdicting that viewpoint. It'd be like air donating to a 'end Scientology' movement. I never expected Air to push their "agenda" in this way and have little confidence that there will be no reprocussions, I wonder if Air are willing to deal with them (and hope that their opsec is absolutely faultless). Only time will tell, but not an advisable move.

Happy Birthday AirVPN 🎂 & here's to many more. Been a member here for 5 years now, the time has flown by. Nice work on the discount 😀

Happy Birthday! Nice work!

Hello! I note the change: So everything below the 1 year plans, do not get the discount anymore. It's still weird to me, that the birthday celebrations still aren't the ones with the biggest and widest discounts. Seems more worthy to me . Happy birthday.

It's also interesting that the developer evozi.com is looking for Bayesian modelers and "Knowledge Engineering Supervisors"... SSH account on the AirVPN server, or am I not getting something? Strange thing to ask, though. Likely answer is a no.

su -l root [enter password] eddie-ui

Please look into your Netflix situation. I just attempted to watch a video but the speed that could be sustained was so slow the video was unwatchable. Playback on other video streaming services that worked through the VPN were quite speedy. Vudu, for example, burst to 300mbit/s to buffer. Curiousity Stream buffered at 100mbit/s. Your netflix setup could only manage 5mbit/s. Not near enough for a 4k stream. Thanks.

When you use Tor over VPN it doesn't matter how many other "cover traffic" side connections you make. The ISP will only see a single connection from your device to the VPN server, and not connections inside (on top of) it. In case of UDP tunnel the ISP won't even see a full connection since it's a stateless protocol. Also without VPN, when you use obfs4 or meek-azure, the connection to the guard is not done directly so ISPs that actively censor Tor fail to detect it.

i will try to be concise and to the point. I want to hide the fact that i use Tor from my ISP. Hence i use Tor over VPN whenever i want to use Tor, which is maybe once a week or so to catch up on the best doujinshi updates. I keep my VPN on pretty much whenever i am online, and i sign in to personal and social media only from my Iphone, not this laptop. And i like to download and seed torrents. A lot. So, it turns out, whenever i want to load Tor, i am already connected to my OpenVPN app, and i am already pretty much seeding torrents. I am still interested in avoiding being detected by my ISP that i use Tor because there is tremendous misinformation about Tor in my country's mainstream media. Here is my question: If at the same time i am downloading my cbr updates on Tor, if i am downloading and seeding multiple torrents, and if i have a different gateway and exit ip on the VPN, what are the chances of traffic correlation/netflow determining i am a Tor user? Mind you, i am connecting to a server outside my country which happens to be in the 14 eyes. The OpenVPN tunnel server endpoint is in a country outside the 14 eyes, specifically where torrent laws are lax. Will the utorrent traffic hurt me, or help me? From not just my ISP but maybe foreign govt where the Tor exit ip or Tor guard node is? Once again, i am not asking about the benefits or cons of running Tor over VPN, because as i have indicated, i want to avoid the stigma from my ISP/Government that i am using Tor. Also, i like to surf with the VPN browser extension also turned on, connected to a different country than the OpenVPN tunnel. So, normal https website traffic, tor traffic, and utorrent traffic all will be coming into my machine at any given instance.

Your connection client to the AirVPN server just drops and tries to do a reconnect....in Eddie? Just make sure that VPN/TAP adapter is in DHCP mode.(See above)

Hi! Thanks for all the info you provided here NaDre. I currently use a Windows 10 x64 machine, I don't see 10 referenced in the guide but I assume that, having the Advanced Firewall Configuration panel, it should be ok. My main question is this: I'm already set up with AirVPN and I connect with no problem. I have firewall rules to block torrent clients in case the VPN is down. What I would like to achieve is having: - All torrent clients (Deluge, qBittorrent and Tixati) + Firefox go through VPN - Everything else go through regular IP (DNS included) Is this achievable by just following Part 2 of the guide? Edit: I would actually be ok with having to launch all four programs (Deluge, qBittorrent, Tixati and Firefox) through ForceBindIP if that would make things easier. Basically a configuration where the VPN is active, the three torrent clients are blocked by the firewall, but if I launch them through ForceBindIP they go through the VPN. Would that be easier/possible?

Updated: Noted release of 2.11.15 version of EddieAdded instructions from Khariz and ~Daniel~ on Torrenting with Tixati.Added info on free trials, which I assume to be correct: "Trials have unlimited data and full speed. But you can only get a refund if you have used less than 5GB".Added info on Glasnost tests for testing traffic shaping. Thanks to giganerd.Not so much in this update, as I just wanted to make some quick edits due to 2.11.15 being released.

Tried that few years ago. I think that problem what that I couldn't have same external and internal port, and in some programs I couldn't change port.

What version did you upgrade to? I know in 133/134 if coming from something older, a complete NVRAM wipe is required as a LOT of internal variables changes. I think it's in the release notes for 133.

Isn't there a way to export those settings so we can just import them?

Happy Birthday!!! Keep up the good work You guys are doing an amazing job

Check this project, from one of the community members: https://github.com/corrad1nho/qomui Add config files: qomui-cli -a $provider Connect to a server: qomui-cli -c $server Activate options (e.g. firewall): qomui-cli -e firewall List and filter available servers: qomui-cli -l Airvpn "United States" It's also possible with Eddie cli but python will be probably more easier to start with.

Don't know if it helps... but I'm using this .bat on my connection with lot of disconnects and client/TAP adapters hangs with great success Replace VPN with the name of your TAP inteface This is the script that runs on VPN down @echo off netsh interface set interface VPN admin=disable timeout /t 2 /nobreak netsh interface set interface VPN admin=enable timeout /t 2 /nobreak taskkill /IM AirVpn.exe /F taskkill /IM openvpn.exe /F timeout /t 5 /nobreak start "" "C:\Program Files\AirVPN\AirVPN.exe" & exit

Sorry. I was lazy before. You did use process explorer. Are you certain that the outbound block is on the same physical executable as is show in the "image" tab in process explorer? I believe that I did try this stuff with Windows 10, and it still worked. So unless a Windows update has broken Windows Firewall, if you block the correct executable, it should work. Failing that, try using ForceBindIP to prevent uTorrent from reverting to the native interface. Now that I think of it, I corresponded with someone in a forum at a private tracker who had a similar issue, and found that ForceBindIP helped. Hi mate, Unfortunately i tried with ForceBindIP and got the same issue, when vpn goes down, connections start going through the 192.168.1.X interface. Besides, when connecting again but to a different server, it continue going through the 192.168.1.X, so it seems that ForceBindIP doesn't make utorrent respect the network GUID. This is how I lunch ForceBindIP ForceBindIP.exe {C464A1E4-E52A-2201-CFA4-464AB1768AB3} utorrent.exe Where {C464A1E4-E52A-2201-CFA4-464DC0768AE4} is the GUID of the network adapter attached to airvpn. I also tried the -i switch with ForceBindIP without luck. Do you have another tip or recommendation to follow that you can remember? Thanks in advance,

So you want traffic on port 5000 use your ISP connection and not the VPN, but all other traffic to use the VPN? I'm not sure it's possible with just the GUI, and besides I think that would cause a leak as your real IP could be revealed.

I installed ufw & gufw & had a bit of a go tonight. I had to modify the procedure some, as Manjaro (Arch) uses systemd. Even so, I have all sorts of errors going on. My problem I know. It looks like perhaps ufw won't tolerate IPv6 being disabled, by the look of this anyway: # ufw status WARN: / is world writable! WARN: / is group writable! Traceback (most recent call last): File "/usr/bin/ufw", line 95, in <module> ui = ufw.frontend.UFWFrontend(pr.dryrun) File "/usr/lib/python2.7/site-packages/ufw/frontend.py", line 153, in __init__ self.backend = UFWBackendIptables(dryrun) File "/usr/lib/python2.7/site-packages/ufw/backend_iptables.py", line 45, in __init__ ufw.backend.UFWBackend.__init__(self, "iptables", dryrun, files) File "/usr/lib/python2.7/site-packages/ufw/backend.py", line 88, in __init__ nf_caps = ufw.util.get_netfilter_capabilities(self.ip6tables) File "/usr/lib/python2.7/site-packages/ufw/util.py", line 734, in get_netfilter_capabilities raise OSError(errno.ENOENT, out) OSError: [Errno 2] ip6tables v1.4.20: can't initialize ip6tables table `filter': Address family not supported by protocol Perhaps ip6tables or your kernel needs to be upgraded. I'm running kernel: x86_64 Linux 3.12.5-1-MANJARO edit: I'm now running IPTables so the above is now unimportant to me.

Some of the newer features of UFW haven't arrived with the version you are using. And although the GUI version of UFW is nice the command-line version is much more advanced. In the following quick tutorial I will try to give you some guidance to get a simple setup (hopefully) working. This is only for general guidance. Adjust addresses, port numbers and protocols as needed. E.g. If your router is on a different IP-address then adjust the rule to fit to your needs. Also if you want to connect to a different VPN-server use the IP-address of the server you wish to use. The IP numbers used here are only as an example. Keep in mind that rule ordering is important and the first match wins! The rule which is entered first will end up higher in the list. At the end I will explain more about this (see point 8). 1. Open an terminal window and enter the following commands and adjust them to your needs. Use su to log in as root if you haven't or place sudo before every command. the $ represents the prompt in the terminal. 2. Enable UFW. $ ufw enable This will enable the firewall and now you can add rules. 3. Set the default behavior to deny all incoming and out going traffic. $ ufw default deny out $ ufw default deny in Now all in- and outgoing traffic will be blocked. 4. Add a rule to allow traffic to your router (only if this is needed). $ ufw allow out to 192.168.178.0/24 This will allow traffic to the router/internal network which in this case is located on 192.168.178.0/24. If your computer has multiple network interfaces you can add the interface which you want to use. E.g. $ ufw allow out on eth0 to 192.168.178.0/24 This will allow only connections to the internal network/router on eth0. If eth0 is not connected and you use for example the wlan0 connection UFW will block the traffic and you will not be able to connect to the router/internal network, because only traffic from eth0 is allowed to connect to 192.168.178.0/24. 5. Add a rule to allow traffic to 46.19.137.114 on port 443 with UDP traffic. This is the AirVPN_CH-Virginis_UDP-443 server. $ ufw allow out to 46.19.137.144 port 443 proto udp This will allow UDP traffic on port 443 to the Virginis server (=46.19.137.144). This is needed to connect to the VPN-server. You can add more than one VPN-server by repeating the above rule and adjust the IP-address to the server which you want to add. It is also possible to specify different port numbers. Just change the port number to the port number which is needed to connect to the VPN server. If the proto udp part is omitted then tcp and udp traffic is allowed and if it's changed to proto tcp then only tcp traffic is allowed. 6. Add a rule to allow in- and outgoing traffic over tun0. This is the traffic from and to the VPN-server. $ ufw allow out on tun0 Now it's possible for an application like the browser to connect to different sites on the web. All the traffic will go through the vpn server. 7. In the case that you use a bit-torrent client, you will also need to allow incoming traffic from the port which is specified by you in the bittorrent client (this is the port which is needed to allow peers/seeders to connect to the bit-torrent client (NAT). $ ufw allow in on tun0 from any to any port 54321 This will enable incoming traffic which is coming from different IP-addresses (the peers/seeders which want to connect to your client) to connect through the VPN-server connection (which is tun0 here). In this case port number 54321 is used, adjust it the correct port number! 8. If you now enter. $ ufw status verbose You will get a numbered list which something like: Status: active Logging: off Default: deny (incoming), deny (outgoing) New profiles: skip To Action From -- ------ ---- 54321 on tun0 ALLOW IN Anywhere 192.168.178.0/24 ALLOW OUT Anywhere 46.19.137.114 443 ALLOW OUT Anywhere Anywhere ALLOW OUT Anywhere on tun0 This shows you which rules are applied and what the status of the firewall is. When you enter: $ ufw status numbered You will get a numbered list. It will look something like this: Status: active To Action From -- ------ ---- [ 1] 192.168.178.0/24 ALLOW OUT Anywhere (out) [ 2] 46.19.137.114 443 ALLOW OUT Anywhere (out) [ 3] Anywhere ALLOW OUT Anywhere on tun0 (out) [ 4] 54321 on tun0 ALLOW IN Anywhere This is a numbered list. It is important to know that the order of the rules is important. If you allow something with rule number 1 which allows for example all incoming and outgoing traffic, all the other rules which are specified after that will have no effect! And as a final notice I will also point to the possibility to delete and insert rules. If you enter: $ ufw delete 1 # and confirm of course Rule number 1 will be deleted and all the other rules which followed rule 1 will shift up in this example the list will look something like this (after $ ufw status numbered): Status: active To Action From -- ------ ---- [ 1] 46.19.137.114 443 ALLOW OUT Anywhere (out) [ 2] Anywhere ALLOW OUT Anywhere on tun0 (out) [ 3] 54321 on tun0 ALLOW IN Anywhere And if you want to add a rule on a specific spot it is possible by using the insert command. E.g. we want to add a second VPN-server so we can choose a different one in the case one is down (could happen you know :-)) or if we want options. The command would look like this; $ ufw insert 2 allow out to 119.81.1.122 port 443 proto tcp # this will add the SG-Sagittarii server Now on spot number 2 there is a new rule inserted. The other rules will shift down. We can generate a new list: $ ufw status numbered And the list will look like: Status: active To Action From -- ------ ---- [ 1] 46.19.137.114 443 ALLOW OUT Anywhere (out) [ 2] 119.81.1.122 443/tcp ALLOW OUT Anywhere (out) [ 3] Anywhere ALLOW OUT Anywhere on tun0 (out) [ 4] 54321 on tun0 ALLOW IN Anywhere This concludes the tutorial. Use it to you benefit and I hope some things get a little bit clearer. Make the appropriate changes for you setup and expand on it. And again the GUI version is nice, but the command-line version is beter, it only takes a little bit of time to get used to it.

This guide shows how to set rules to prevent leaks in case of unexpected VPN disconnection and provides you with clear scripts ready to be used with basic modifications on Red Hat Enterprise Linux and RHEL rebuilds such as Oracle Linux, Scientific Linux, X/OS, CentOS etc. THANKS TO JESSEZ - ORIGINAL POST BY JESSEZ (minor editing & clean-up by Air staff) This method requires the ipset package: sudo yum install ipsetRHEL 6 and rebuilds (Oracle Linux, Scientific Linux and CentOS) do not have a kmod-ipset that I could find. The ip_set module has to be loaded manually as neither netfilter, iptables nor conntrack call the module themselves. As far as I know some Linux distros do have a kmod for ip_set so that would make usage of sysconfig/ipset.conf not necessary and also could cause a boot-time error (fatal nor not). The ip_set module has to be loaded and a script run to load the ip_set script (creates and contains the AirVPN server IP addresses) so that there is a table to be read by the time iptables_restore runs (otherwise iptables_restore throws the error that no ipset "airvpn" exists). So there are 3 files. The first and the second file can be found attached to this message. The last one is a system file that needs a modification. 1 /etc/sysconfig/ipset.conf This script tests whether the ip_set module is already loaded. If not it loads it into the kernel (modprobe). ipset.conf.txt 2 /etc/sysconfig/ipset-airvpn.sh This file creates and fills the ip_set table of AirVPN server addresses. I haven't listed the servers, so that no-one can just open the file and get the server IPs. Add the ones you want where the a.b.c.d 's are. Add or subtract lines as necessary. I think I added enough buffers so that all the servers should be able to go into the table (which lives in RAM while the system is up and is lost at shutdown/re-start). After running the script use: sudo ipset -L airvpn -to make sure all the servers you added to the script are there (It's easiest just to count the lines if you know how many servers you added in the first place), if not, change the part: hashsize 65536 to the next larger: hashsize 131072 (doing this obviously eats up RAM, so don't change it unless you need to) and note that the hashsize can start at 1024 and can only be a power of 2 (1024, 2048, 4096, ..., 131072...) If you're only using one or two servers and you need to save RAM, just change it down, re-run the script and issue the command sudo ipset -L airvpn again to check that all the desired servers are listed. Keep doubling the hashsize until they are. If anyone is wondering about the -exist option, it's there so that in case of accidental duplication of an IP address the script won't fail. iptables-airvpn_2013-01-19.txt 3 /etc/init.d/iptables This is the system file, so be careful; add 2 new lines that become line 55 and line 56: # Load /etc/sysconfig/ipset-airvpn.sh to make the airvpn table sh /etc/sysconfig/ipset-airvpn.sh Ok, that should be it, iptables and the "airvpn" ipset table should now survive a reboot with no errors. Test by rebooting, and trying Internet access of any and /or several kind(s) before starting a VPN connection when the desktop is up. If it's working you will have no Internet before starting a VPN connection, and you will be able to connect to any of the servers you added to ipset-airvpn.sh without OpenVPN throwing an error (probably: write UDPv4 []: Operation not permitted (code=1)). Note: rename the attached files according to the names given above. Put the files in the appropriate folders as listed above. Regards, jz

I am not sure how to do that with the Firestarter firewall. Firestarter simplifies iptables. I tried doing something similar with iptables, but could not get it to work. I would say that is your best way to do what you are asking, but you would definitely have to do quite a bit of reading on iptables. You can try to do that with Firestarter too, I would have to look into doing that kind of setup with it, although I am very satisfied with this setup here now. Here is the website for Firestarter. They have a tutorial on there.-------> http://www.fs-security.com/ BTW, the last picture on the manual I posted above, the port should be 1194 and not 1149.