Leaderboard


Popular Content

Showing content with the highest reputation on 10/07/25 in all areas

  1. 1 point
    Thank you, I am sorry if it looks like I am blaming AirVPN, that was not my intention and you are completely right, I turned the server off for the weekend and went hiking. Let's see what I can do with a clear head and thank you for tips and posting your stack.
  2. 1 point
    wXX8VoMK6V

    ANSWERED Slow Connexion

    Your mentioning of the buffers led down a rabbit hole. So buffer adjustment led to a slight increase in performance (like 5mb/s). The real culprit for me was faulty hardware, the overaged SSD had super slow read/write speeds, which then caused the slowdown. I guess the kernel doesn't like waiting for reads and writes while having huge amounts of packets coming in. Replacing the SSD fixed it.
  3. 1 point
    sumimura

    ANSWERED Slow Connexion

    I managed to increase the speed by increasing the TCP buffers and reducing the MTU. (in DEBIAN)

    For the MTU: (in docker run or docker compose)

        environment:
          - WIREGUARD_MTU=1320
        or
          - VPN_MTU=1320

    For TCP buffers: (not in container, in the host vm)

        sudo sysctl -w net.core.rmem_max=25000000
        sudo sysctl -w net.core.wmem_max=25000000
        sudo sysctl -w net.ipv4.tcp_rmem="4096 87380 16777216"
        sudo sysctl -w net.ipv4.tcp_wmem="4096 65536 16777216"

    For permanent buffers after reboot:
    - modify /etc/sysctl.conf
    - sudo sysctl -p

    I managed to increase the speed from 30 Mbps to 300 Mbps with these 2 modifications.
  4. 1 point
    Staff

    How can I have a 100% foolproof killswitch

    Hello!

    This is by design to avoid permanent lock out on remotely accessed machines while allowing non-VPN traffic when wished. Please also note that the article is wrong in telling that there's a leak during a system reboot even when network lock is enabled: the leak may occur only if the Network Lock has not been engaged, for example if you have not started the AirVPN software.

    On Linux systems you also have the option of setting a persistent network lock with Bluetit daemon, a component of the AirVPN Suite. As soon as the daemon starts it enforces the network lock, no matter whether a connection is started or not. If you have a systemd based Linux distribution, please note that the asinine systemd init startup is not deterministic and this is of course not our responsibility. Therefore you can't be sure when Bluetit will be started, regardless of the priority you wish.

    If you need permanent blocking firewall rules surviving reboots even when the VPN software is not running the solution is straightforward: set permanent firewall rules as explained in various articles (a recent one is here https://airvpn.org/forums/topic/69097-permanent-kill-switch-for-eddie-client) or follow the suggestion included in the very same article you linked. Be aware that this setup is problematic on remotely accessed machines.

    Kind regards
  5. 1 point
    Staff

    Permanent Kill Switch for Eddie Client

    I am also interested in this, but I didn't get it working. Could you please provide more details on how to set it up? A few snippets for the PowerShell would be very helpful. Allowing DHCP traffic out seems to be a default rule with Windows 10.

    Hello!

    Something like this will do the trick, starting from a clean status and Windows Firewall enabled. Make sure you operate from a PowerShell with administrator privileges. The rules will survive at reboot. You must adjust your local network address/netmask (change 192.168.0.0/16 and fe80::/10 if necessary). Do not proceed if you don't understand exactly every single command; instead, get documented first.

        netsh advfirewall firewall add rule name="Allow DHCPv4" protocol=UDP dir=out localport=67,68 action=allow
        netsh advfirewall firewall add rule name="Allow DHCPv6" protocol=UDP dir=out localport=546,547 action=allow
        netsh advfirewall firewall add rule name="Allow Local IPv4 Network" protocol=TCP dir=out remoteip=192.168.0.0/16 action=allow
        netsh advfirewall firewall add rule name="Allow Local IPv6 Network" protocol=TCP dir=out remoteip=fe80::/10 action=allow
        netsh advfirewall firewall add rule name="Allow Localhost Outbound" dir=out action=allow remoteip=127.0.0.1
        netsh advfirewall firewall add rule name="Block All Other Outbound Traffic" dir=out action=block protocol=any

    You may also consider to backup the rules and enable them only when needed, instead of keeping them permanent. Check your system manual to do this.

    Kind regards
  6. 1 point
    Viaica

    Permanent Kill Switch for Eddie Client

    There lies a "danger" in only using Secure Boot without creating the types of rules I explain in the thread. Secure Boot is set on shutdown, so if the PC crashes for example, the next boot will be with your regular filtering profile. But that doesn't matter if the firewall rules are set to block all but AirVPN IPs.