Leaderboard

I'm glad that we now have a 10-gigabit server in New York. However, I'm curious about the possibility of future upgrades extending to other major metropolitan hubs like Los Angeles, CA, Chicago, IL, and Dallas, TX. For me, I have the best latency to Chicago, so that's an area I would like to see upgraded. On a related note, I'm also curious as to why we don't see the decommissioning of other lower bandwidth servers when a new 10 Gigabit server is introduced to the same area. I know that the benefits of redundancy/failover, maintenance, load balancing, and resource allocation are some of the reasons why you would have multiple servers in the same area, but I don't see how it is beneficial in terms of cost.

Hello! Paper of Tunnelcrack attack: https://www.usenix.org/system/files/usenixsecurity23-xue.pdf First quick reply, we might add information in the future. The Tunnelcrack can be finalized with two different attacks: LocalNet and ServerIP, provided that: the victim connects to a network fully controlled by the attacker (for Localnet attack) the victim DNS queries are poisoned and the attacker has all the features of an "on path" attacker (for ServerIP attack) LocalNet attack If you are in a WiFi unencrypted or not trusted (even if encrypted) network, or you are in an untrusted network in general (including Ethernet) prevent LocalNet attack by not allowing communications within the local network. Please make sure that Allow LAN is not checked in Preferences > Network Lock settings window. The AirVPN Suite for Linux allows this traffic by default so do not use it in untrusted network until we implement the option to block local network (EDIT: option implemented in AirVPN Suite 2.0.0). Eddie Android edition forbids local traffic by default but you can enable this option in the Settings. Make sure you do NOT enable it when the device is connected to an untrusted network. ServerIP attack ServerIP attack requires DNS poisoning/spoofing, so Eddie Desktop Edition and Bluetit/Goldcrest are immune. It's mainly up to the local system to use reliable DNS (consider DNS over TLS or DNS over HTTPS) and protect the queries, but for additional safety use profiles with only IP addresses, and not host names, if you run directly OpenVPN, WireGuard, Hummingbird, or any other software needing profiles. Our CG will generate profiles with country domain names, so avoid country selection but prefer single server selection, or secure your DNS queries. When you select specific servers, the CG will insert IP addresses for the servers and not names. Eddie Android edition and the AirVPN Suite resolve domain names if you order a connection to a country, so avoid this type of connection. It is planned that next release will no more use country domain names. Once inside the VPN, ServerIP attack variation with "route hijack" (described in an old paper) fails in AirVPN (even if you query the VPN DNS) because the DNS server address matches the VPN gateway address. TL;DR The Tunnelcrack attack can be easily defeated by not allowing communications with the local network when you are in an untrusted network and by using secure DNS or direct IP addresses to point to VPN servers when you start the VPN connection. All of the above can be easily obtained with our service or it is already implemented by default. Kind regards

Yeah I agree it would be nice to see 10gbit servers at these locations. I know there were two 10gbit servers added in the NA region recently (Toronto and New York) which is awesome to see. They seem to be making good progress so far so hopefully it won't be long before we see more 10gbit US locations. Would really like to see Per City load balancing at some point as well that would help a lot with congestion in some areas.

ill happily upvote this post/ suggestion

Hello! Currently it is not in our interest to accept it, we are sorry. Kind regards

Hello! Yes, what you write is substantially true, although a server reboot is not needed. The matter has become a FAQ and we added an answer to this FAQ here: https://airvpn.org/faq/wireguard/ In the answer you can see how we patch a specific problem, how you can act through our tools to improve your privacy when you run WireGuard, and all by not breaking original WireGuard compatibility. However OpenVPN under this respect remains widely superior, so consider it according to your threat model and the amount of annoyance you would get to generate new keys after each WireGuard session. Kind regards

I tested it myself and OpenVPN for Android is more comprehensive than this. You can do more things with it. They don't only recommend it because of it's open source status (although they write it).. AirVPN is trying to deliver a great service and their recommendations support this aim.

If only users had a gigabit line to leverage… *cries in DSL*