Leaderboard

Hello! We're very glad to inform you that three new 10 Gbit/s full duplex servers located in Toronto (Ontario), Canada, are available: Castula, Chamukuy and Elgafar. The AirVPN client will show automatically the new servers; if you use any other OpenVPN or WireGuard client you can generate all the files to access them through our configuration/certificates/key generator (menu "Client Area"->"Config generator"). The servers accept connections on ports 53, 80, 443, 1194, 2018 UDP and TCP for OpenVPN and ports 1637, 47107 and 51820 UDP for WireGuard. They support OpenVPN over SSL and OpenVPN over SSH, TLS 1.3, OpenVPN tls-crypt and WireGuard. Full IPv6 support is included as well. As usual no traffic limits, no logs, no discrimination on protocols and hardened security against various attacks with separate entry and exit-IP addresses. You can check the status as usual in our real time servers monitor : https://airvpn.org/servers/Castula https://airvpn.org/servers/Chamukuy https://airvpn.org/servers/Elgafar/ Do not hesitate to contact us for any information or issue. Kind regards & datalove AirVPN Staff

Congratulations on the launch. This is great news for CA which has had most of its 2 Gbit/s servers pretty saturated during peak hours. Hopefully the ghost of Wurren does not come back to haunt us.

Hello! We're very glad to inform you that a new 10 Gbit/s full duplex server located in Los Angeles, California, is available: Revati. The AirVPN client will show automatically the new server; if you use any other OpenVPN or WireGuard client you can generate all the files to access it through our configuration/certificates/key generator (menu "Client Area"->"Config generator"). The server accepts connections on ports 53, 80, 443, 1194, 2018 UDP and TCP for OpenVPN and ports 1637, 47107 and 51820 UDP for WireGuard. Revati supports OpenVPN over SSL and OpenVPN over SSH, TLS 1.3, OpenVPN tls-crypt and WireGuard. Full IPv6 support is included as well. As usual no traffic limits, no logs, no discrimination on protocols and hardened security against various attacks with separate entry and exit-IP addresses. You can check the status as usual in our real time servers monitor , by clicking the server name. Direct link: https://airvpn.org/servers/Revati Do not hesitate to contact us for any information or issue. Kind regards & datalove AirVPN Staff

Hello! We had a similar project that is now temporarily frozen for good reasons: in real life the ability of the "AI"s to guess successfully the real destination from analysis of the VPN tunnel traffic is poor (the excellent success rates you see are achieved only in a controlled environment where the victim visits only destinations pre-determined from a tiny list) AmneziaWG is quickly becoming (*) a more universal approach that may be effective and that does not require our own proprietary solution, provided that constant rate tunnel, deterministic batching and traffic morphing are not required -- safe assumptions as DAITA doesn't aim at obtaining them (*) While early AmneziaWG releases could "only" add junk packets during handshakes, making it not suitable to replace DAITA, AmneziaWG latest release is also capable to perform padding of transport messages and modification of their header range. It can do all of the above, optionally, over a faithful imitation of a different protocol (any protocol that can be built on UDP), including specific HTTP/3 web sites initial flow mimicry. While these options efficacy in fighting AI guided traffic analysis must be verified in a controlled environment when AI abilities will improve, and in spite of the fact that AmneziaWG currently lacks the important active distortion feature that DAITA offers, together with reason 1 they are sufficient to let us prioritize AmneziaWG support in the infrastructure and our software, and freeze proprietary solutions research. Once AmneziaWG is operating in the whole infrastructure, it may be considered whether adding active distortion to match this DAITA feature, or anyway building additional features to outperform DAITA (on top of the many already available in Amnezia and not from scratch), is worth the effort or not. Kind regards

Hello! We're very glad to announce that Eddie Android edition 4.0.0 beta 2 is now available. New: how to use Eddie in network where the "bootstrap" servers can not be reached Eddie downloads user and infrastructure data, essential to use the service, from special "bootstrap servers" through an encrypted flow inside HTTP. If the bootstrap servers are blocked or the underlying protocol to port 80 is filtered out, Eddie is unable to proceed. Starting from Eddie 4 beta 2 version, the ability to retrieve such data locally has been added. Whenever bootstrap servers are unreachable, Eddie can read the latest available local data to connect to a VPN server. Once connected the bootstrap servers are again reachable and the local data are immediately updated for future usage. The local data remain valid as long as you don't need to change user. On top of all of the above, Eddie can now retrieve such data through the login procedure that now can be started even when a connection to a VPN server was previously established via a profile. Therefore, when you are in a restrictive network that blocks access to bootstrap servers, you can connect through a profile generated by AirVPN web site Configuration Generator. After this first connection, log your account in to the service by selecting the specific option on the left pane, enter your AirVPN account credentials as usual and make sure that Remember me checkbox is ticked: Eddie will download all the necessary files and store them locally. This procedure is "once and for all", at least as long as you don't need to change account. After this initial connection, Eddie will be able to log your account in to the infrastructure, retrieve servers data and establish connections without profiles and without bootstrap servers, offering again full AirVPN integration even when bootstrap servers are unreachable. Only If you change account you must repeat the procedure. New: "Open with..." option added to "Share" option Different Android versions allow management of files with different restrictions. Different apps may support different intents on specific Android versions. To enlarge total compatibility, now Eddie offers two different options to export and manage files, including generated profiles. You will find the usual "Share" option coupled with a new "Open with..." option. Some apps support only one intent, other apps only specific intents on specific Android versions, and so on. By adding this option Eddie enlarges considerably the amount of apps you will be able to open and/or share files with. New: AmneziaWG parameters range validity AmneziaWG parameter range validity has been documented in three different ways (official web site, GitHub documentation files, and developers comment) and the web site documentation that it's still official is in reality not aligned with the source code. The new parameters range validation adopted by Eddie 4.0.0 beta 2 is based now on GitHub latest documentation integrated by source code analysis. The original message of this thread has been updated accordingly. You will find on it the new download link and checksum, as well as detailed Amnezia description. If you decide to test, please report at your convenience any bug and problem in this thread. If possible generate a report from the app in a matter of seconds: by tapping the paper plane icon on the Log view bar rightmost side you will generate a full system report which will include both log and logcat and have it sent to our servers. Then you just need to send us the link the app shows you (open a ticket if you prefer to do it in private). Kind regards & datalove AirVPN Staff

How can the load percentage be conveyed even clearer in your opinion? Those are highly subjective things depending on your setup, and I don't want to see them as data points in a server overview showing factual data valid for everyone the same way. Load (= bandwidth usage), number of clients and RTT between the servers are factual data valid for everyone, whereas your own latency and "connection quality metrics" are the result of your client's configuration, connection type and its config, ISP, routes, etcetc. I mean, what is even the definition of "connection quality" in your own words? Preferably something that is valid for you, me and the random reader of this thread at the same time.

Kornephoros is airvpns better 10gb server in canada. it almost gives me full speeds on my home server(connected via wifi) funny enough their now decommissioned wurren was a pretty crappy in my experience. i was never able to get more than 80mbit on wurren even though it was also supposedly a 10gbit server... even regular 1gbit server outperformed wurren

Maximum of 7.3 Gb/s on Terebellum. I think most users are probably not using that much bandwidth to push the 10 Gb/s servers to their max.

May I request the addition of 10Gbps Tokyo and Singapore servers? Thank you.

Yes, works for me too.

Every time a VPN connection is started, there is a chance Eddie will crash, most often by the third connection attempt. Here, I just tapped on the same server (but it could be any server) three times, then Eddie quit and the VPN disconnected. This doesn't happen with Eddie 3.3.0. https://eddie.website/report/46708ecc/

Hello! We're very glad to announce that Eddie Android edition 4.0.0 Beta 1 is now available. UPDATE 2026-01-14: Eddie Android edition 4.0.0 Beta 2 is now available This is a major update: for the first time Eddie Android edition features AmneziaWG complete support. Eddie Android edition is a fully integrated with AirVPN, free and open source client allowing comfortable connections to AirVPN servers and generic VPN servers offering compatible protocols. Eddie 4.0.0 aims primarily at adding, besides the already available OpenVPN and WireGuard, a thorough and comfortable AmneziaWG support. AmneziaWG is a free and open source fork of WireGuard by Amnezia inheriting the architectural simplicity and high performance of the original implementation, but eliminating the identifiable network signatures that make WireGuard easily detectable by Deep Packet Inspection (DPI) systems. It can operate in several different ways, including a fallback, "compatibility mode" with WireGuard featuring anyway various obfuscation techniques. What's new in Eddie 4.0.0 AmneziaWG support Amnezia WireGuard API stronger anti-blocking logic: ability to log in to the service and download AirVPN infrastructure and user data while connected through a profile with a specific option on the left pane ability to read and use local user data when bootstrap servers are unreachable new "Open with..." option on top of the usual "Share" option to manage and export comfortably generated profiles on any Android version with any suitable application updated AmneziaWG parameters allowed ranges updated OpenSSL, OpenVPN3-AirVPN and WireGuard libraries bug fixes see the complete changelog below AmneziaWG overview From the official documentation: https://docs.amnezia.org/documentation/amnezia-wg AmneziaWG offers: Dynamic Headers for All Packet Types (compatibility with WireGuard: YES) During tunnel initialization, the library generates a set of random constants applied to each of the four WireGuard packet formats: Init, Response, Data, Under‑Load. These constants: Replace predictable WireGuard packet identifiers; Shift offsets of Version/Type fields; Modify reserved bits. As a result, no two clients have identical headers, making it impossible to write a universal DPI rule. Handshake Length Randomization (compatibility with WireGuard: NO) In WireGuard, the Init packet is exactly 148 bytes, and the Response packet is exactly 92 bytes. AmneziaWG adds pseudorandom prefixes S1 and S2 (0-64 bytes by default): len(init) = 148 + S1 len(resp) = 92 + S2 Offsets of the remaining fields are automatically adjusted, and MAC tags are recalculated accordingly. In order to keep backward compatibility with WireGuard, S1 and S2 must be set to 0. Obfuscation Packets I1-I5 (Signature Chain) & CPS (Custom Protocol Signature) (compatibility with WireGuard: partial, with fallback) Before initiating a "special" handshake (every 120 seconds), the client may send up to five different UDP packets fully described by the user in the CPS format. In this way AmneziaWG can mimic perfectly QUIC, DNS and other protocols adding powerful methods to circumvent blocks. QUIC is particularly interesting as HTTP/3 is built on it and currently, from Chrome and other compatible browsers, 50% of traffic to/from Google is QUIC traffic. Therefore, blocking QUIC may have major disruptions for any ISP. Junk‑train (Jc) (compatibility with WireGuard: YES) Immediately following the sequence of I-packets, a series Jc of pseudorandom packets with lengths varying between Jmin and Jmax is sent. These packets blur the timing and size profile of the session start, significantly complicating handshake detection. Under‑Load Packet (compatibility with WireGuard: YES) In WireGuard, a special keep-alive packet (“Under-Load”) is used to bypass NAT timeouts. AmneziaWG replaces its fixed header with a randomized one, the value of which can be set manually. This prevents DPI from filtering short ping packets, ensuring stable tunnel connections, especially on mobile networks. How to use Eddie with AmneziaWG To enable AmneziaWG mode, just tap the connection mode available in the main and other views. It will rotate between WireGuard, AmneziaWG and OpenVPN. Set it to AmneziaWG. In its default AmneziaWG mode, Eddie will use all the possible obfuscation, except protocol mimicking, that keeps WireGuard compatibility, thus allowing connections to AirVPN servers. The default settings choice was possible thanks to the invaluable support of persons living in countries where VPN blocks are widespread. Such settings have been tested as working and capable to bypass the current blocking methods in various countries. You may consider to modify them if they are ineffective to bypass "your" specific blocks. In Settings > Advanced, you will find, at the bottom of the page, a new "Custom Amnezia WG directives" item. By tapping it you will summon a dialog that will let you customize any possible AmneziaWG parameter. You can maintain backward compatibility with WireGuard in the dialog WireGuard section, or enable the full AmneziaWG support in the Amnezia section, which is not compatible (at the moment) with AirVPN WireGuard servers. This mode will be mostly valuable in a not distant future, when AirVPN servers will start to support AmneziaWG natively. You may also enable QUIC or DNS mimicking for additional obfuscation efficacy. In order to maintain WireGuard backward compatibility, with or without QUIC or DNS mimicking, you must set: S1 = S2 = 0 Hn ∈ {1, 2, 3, 4} H1 ≠ H2 ≠ H3 ≠ H4 Furthermore, do not exceed the valid limit of the J parameters (anyway Eddie will not let you do it). In this preview version, Eddie's formal control of the input data is based on the following document. We strongly recommend you read it if you need to modify manually parameters: https://github.com/amnezia-vpn/amneziawg-linux-kernel-module?tab=readme-ov-file#configuration Please do not modify In parameters if you don't know exactly what you're doing. Eddie implements QUIC and DNS mimicking and random obfuscation packets for each specific "I" parameter (by using the corresponding "Generate" button). You can enable them with a tap on the proper buttons. You may mimic QUIC and DNS even to connect to WireGuard based servers. When you enable QUIC mimicking and you maintain WireGuard backward compatibility, you add a powerful tool against blocks, because the first packets will be actual QUIC packets. AmneziaWG will fall back to WireGuard compatibility very soon. However, when DPI and SPI tools, and demultiplexers in general, identify the initial QUIC flow, most of them will be unable to detect a WireGuard flow for several minutes. This has been tested thoroughly with deep packet inspection on Linux and FreeBSD based machines by AirVPN staff. Therefore, in different blocking scenarios the QUIC mimicking increases likelihood of successful block bypass. NOTE: the same does not happen with DNS mimicking. In this case DPI / SPI tools identify the stream initially as DNS, but are much quicker (just in a few dozens of packets) to identify the stream as WireGuard's, after the initial DNS identification. How to use Eddie in network where the "bootstrap" servers can not be reached Eddie downloads user and infrastructure data, essential to use the service, from special "bootstrap servers" through an encrypted flow inside HTTP. If the bootstrap servers are blocked or the underlying protocol to port 80 is filtered out, Eddie is unable to proceed. Starting from this Eddie 4 version, the ability to retrieve such data locally has been added. Whenever bootstrap servers are unreachable, Eddie can read the latest available local data to connect to a VPN server. Once connected the bootstrap servers are again reachable and the local data are immediately updated for future usage. The local data remain valid as long as you don't need to change user. On top of all of the above, Eddie can now retrieve such data through the login procedure that now can be started even when a connection to a VPN server was previously established via a profile. Therefore, when you are in a restrictive network that blocks access to bootstrap servers, you can connect through a profile generated by AirVPN web site Configuration Generator. After this first connection, log your account in to the service by selecting the specific option on the left pane, enter your AirVPN account credentials as usual and make sure that Remember me checkbox is ticked: Eddie will download all the necessary files and store them locally. This procedure is "once and for all", at least as long as you don't need to change account. After this initial connection, Eddie will be able to log your account in to the infrastructure, retrieve servers data and establish connections without profiles and without bootstrap servers, offering again full AirVPN integration even when bootstrap servers are unreachable. Only If you change account you must repeat the procedure. Download link, checksum and changelog https://eddie.website/repository/Android/4.0.0-Beta2/EddieAndroid-4.0.0-Beta-2.apk This is a build debug package and side load is mandatory. If you decide to test, please report at your convenience any bug and problem in this thread. If possible generate a report from the app in a matter of seconds: by tapping the paper plane icon on the Log view bar rightmost side you will generate a full system report which will include both log and logcat and have it sent to our servers. Then you just need to send us the link the app shows you (open a ticket if you prefer to do it in private). $ sha256sum EddieAndroid-4.0.0-Beta-2.apk 20d4aee7a0544eec2ad379b8ab8126c2f276e4762a0a32109cb808701d2c0bb3 EddieAndroid-4.0.0-Beta-2.apk Changelog 4.0.0 (VC 37) - Release date: 26 November 2025 by ProMIND Beta 2 LogActivity.java [ProMIND] added View log button (open with...) MainActivity.java [ProMIND] method startAirVPNManifestRefresh() renamed to startAirVPNDocumentRefresh() [ProMIND] method stopAirVPNManifestRefresh() renamed to stopAirVPNDocumentRefresh() [ProMIND] member timerAirVPNManifestRefresh renamed to timerAirVPNDocumentRefresh [ProMIND] onCreate(): do exported files cleanup [ProMIND] onDestroy(): do exported files cleanup [ProMIND] drawer: added login item [ProMIND] drawer: changed login and logout icons [ProMIND] navigationViewItemSelected(): added code for AirVPN login [ProMIND] onResume(): show proper drawer's login/logout item QuickConnectFragment.java [ProMIND] onCreate(): removed AirVPN autologin (superseeded by extended "remember me" local login) [ProMIND] onCreate(): in case "remember me" is set, do local login by using locally stored user instance SettingsActivity.java [ProMIND] ameziaSettingsDialog(): fixed formal check for jc [ProMIND] removed AirVPN Autologin option (superseeded by extended "remember me" local login) SettingsManager.java [ProMIND] removed added SYSTEM_AIRVPN_AUTOLOGIN and SYSTEM_AIRVPN_AUTOLOGIN_DEFAULT (superseeded by extended "remember me" local login) [ProMIND] removed methods isAirVPNAutologinEnabled() and setAirVPNAutologin() SupportTools.java [ProMIND] added enum ShareMode [ProMIND] sharePlainText(): added argument share mode [ProMIND] sharePlainText(): the code is now compliant to all supported Android versions [ProMIND] sharePlainText(): exclude "myself" from helper apps [ProMIND] removeShareFile() renamed to removeShareFiles() [ProMIND] sharePlainText(): share/view files are now removed on app exit Beta 1 Native Library [ProMIND] updated to version 4.0.0, API 10 [ProMIND] added Amnezia WireGuard API [ProMIND] updated to OpenVPN-AirVPN 3.12 (20251126) AirVPNUser.java [ProMIND] getWireGuardProfile(): added Amnezia support ConnectAirVPNServerFragment.java [ProMIND] showConnectionInfo(): added AmneziaWG logo display [ProMIND] onCreateContextMenu(): added AmneziaWG items [ProMIND] onContextItemSelected(): added AmneziaWG items [ProMIND] added method loadVPNProfile() ConnectVpnProfileFragment.java [ProMIND] added Amnezia support EddieLibraryResult.java [ProMIND] added Amnezia WireGuard API QuickConnectFragment.java [ProMIND] onCreateView(): added AmneziaWG logo display [ProMIND] updateStatusBox(): added AmneziaWG logo display SettingsActivity.java [ProMIND] added "Custom AmneziaWG directives" setting SettingsManager.java [ProMIND] added Amnezia specific settings and methods SupportTools.java [ProMIND] removed method getVPNProfile() VPN.java [ProMIND] added methods enableAmneziaWireGuard() and isWireGuardAmneziaEnabled() VPNManager.java [ProMIND] added method isWireGuardAmneziaEnabled() VPNProfileDatabase.java [ProMIND] added AMNEZIA type WebViewerActivity.java [ProMIND] EddieWebViewClient.shouldOverrideUrlLoading(): it now properly opens android asset files WireGuardClient.java [ProMIND] added WireGuard tunnel node to constructor [ProMIND] added methods for generating Amnezia's junk settings WireGuardTunnel.java [ProMIND] added support for Amnezia WireGuard [ProMIND] added Mode enum [ProMIND] added tunnel node to constructor EddieLibrary.java [ProMIND] added Amnezia WireGuard API Kind regards & datalove AirVPN Staff

Hello! We think that the problem is on your side. Castula is absolutely perfect just like other servers you experience this problem on. We have no complaints whatsoever about any of the servers you mention. Note that Castula, Chamukuy, and Elgafar are all connected to the same upstream in the same small subnet. Your tests have been instrumental to make us aware of the problem (SYN flood and similar events) frequently occurring on specific Canadian servers, so thank you! A good thing you can do on your side is black listing the servers that don't work well for you. You have anyway a vast range to pick from. Keep us informed if the problem suddenly appears on one or more of the servers that are perfectly fine for you now. Kind regards

I checked the list of AirVPN updates and saw that there has been no update to the Windows application for a year. What's happening?

Did everyone notice? The Kornephoros server achieved astonishing speeds today. As a 10Gbps server, it loaded over 5Gbps of bandwidth. I've never seen such speeds on any 10Gbps server before. What makes this server different from other 10Gbps servers? Is it the unprecedentedly powerful hardware, the data center's network environment, or AirVPN's optimization of the server's kernel? Staff can take a look and use this information to optimize other 10Gbps servers. Kornephoros is truly unexpected.

Hello! Eddie Android edition 4.0.0 beta 2 is now available featuring improved AmneziaWG support and strengthened logic against AirVPN bootstrap server blocks: https://airvpn.org/forums/topic/77633-eddie-android-edition-400-preview-available/ Kind regards

Hello! On Eddie 2.22 and higher versions you can "fix" the interface name by setting it on Eddie's "Preferences" > "Networking" window (make sure you pick an interface name that's valid in your system). Kind regards

@3x3x3 Hello! Assuming that the notices are genuine, we need to remind you that VPN usage must be compliant to the relevant legal framework of the country the VPN server is in. With all of the above said, you must make sure you do not suffer traffic leaks outside the VPN tunnel. If you run AirVPN software, this is easily achieved by activating Network Lock which is also active by default during connections (opt out). You also must make sure that you don't start the torrent software before you have connected to some VPN server if you don't run AirVPN software. Network Lock is a set of firewall rules that remain in place even in case of software crash and protect you from leaks even when the torrent software is configured in a way that permits it to bypass the VPN tunnel (typical example: UPnP enabled). Please read AirVPN FAQ and starting guide, you will get plenty of useful information and avoid unpleasant consequences by improper usage. All the important links are included in the welcome message and you can start from here: https://airvpn.org/forums/topic/18339-guide-to-getting-started-links-for-advanced-users FAQ: https://airvpn.org/faq Binding a software to the VPN network interface is another excellent layer of defense. It is highly valuable in case of a "momentary lapse of reason", for example if you completely forget to fire up AirVPN software (or your favorite software) and you start the torrent program with already active torrents. Interface binding is a simple setting if supported by your torrent program. Procedure varies according to the program you run, please read your software documentation. Kind regards

Hello! Hold on @Tech Jedi Alex, you hit the mark. You were just misled by this: 0777 is for a directory, but for data files the default is 0666, here's why the user ends up with 644: For the reader, if the umask is 022, the newly created file by root will get 644 (rw-r--r--) (the complement of 666 with 022 in octal) which causes the first problem. So that's why /sbin/bluetit doesn't have x even though it does in the extracted package. It doesn't matter that the original bluetit file has 755, the umask starts from 666. cp in the original script lacks the -p option so this problem should get resolved by your change with install (it should be solved even by adding "-p" to the cp command, or an additional chmod of course). It looks like a long time installation script issue that went strangely unnoticed. Noted down for a fix in the next release or a package hot fix, we'll see. Apparently there is another problem too but maybe it's not related to Suite's installation, we'll keep following the thread. Kind regards

Should be Elgafar, right? Was briefly confused that eldafar had no IP.

Your best bet might be to request a reroute over the DE rerouting server. Kindly open a support request and give a few URLs to blocked content.

I'm running Linux Mint with a VM of Windows 7. Both have Eddie and going through the same physical Ethernet cable over Cable Internet. The latency on Linux start in the 40s whereas on the VM of Windows 7 running in that Linux start in the low 20s which. Included is the Linux on left and windows 7 VM on the right. Linux is a new install with Eddie 2.24.6 whereas the Win7 is running on Eddie 2.18.9.

Thanks a lot for your time and giving all these insights 👍 Learning a lot there.

Thanks @pit61. I've asked the staff to create a new How-To document based on this info. The old Tomato How-To is very dated and these settings worked very nicely.

Thank you very much. For the readers: the key information here and other threads where the problem could be resolved swiftly is that it does not matter how you configure it: Plex will always listen to port 32400 of the VPN interface. Therefore, AirVPN's port "re-mapping" function comes handy. Once you choose a random port for your Plex server on your AirVPN account port panel, fill the "Local" field with "32400". Reach the Plex server from the Internet on the port remotely forwarded and the VPN server will take care to forward the packets to port 32400 of your local VPN interface. Kind regards

Hello! We're very glad to inform you a new 10 Gbit/s full duplex server located in Miami, Florida (USA), is available: Dziban. The AirVPN client will show automatically the new server; if you use any other OpenVPN or WireGuard client you can generate all the files to access them through our configuration/certificates/key generator. The server accepts connections on ports 53, 80, 443, 1194, 2018 UDP and TCP for OpenVPN and ports 1637, 47107 and 51820 UDP for WireGuard. It supports OpenVPN over SSL and OpenVPN over SSH, TLS 1.3, OpenVPN tls-crypt and WireGuard. Full IPv6 support is included as well. As usual no traffic limits, no logs, no discrimination on protocols and hardened security against various attacks with separate entry and exit-IP addresses. You can check the status as usual in our real time servers monitor : https://airvpn.org/servers/Dziban Do not hesitate to contact us for any information or issue. Kind regards & datalove AirVPN Staff

That's incredible! It seems the server hardware wasn't that bad; perhaps it was just maintained two days ago? Or maybe the hardware was replaced? I see that this server only has 280+ users. Could it be a user issue? More users using the Wireguard protocol can indeed bring higher bandwidth usage. If the AmneziaWG protocol becomes widespread, it would be incredible if even 10G servers could be fully utilized.😄😄😄

@Stalinium Yes, the packets you obtain yourself are better suited to your network environment. If you find that troublesome, you can also try other people's parameters. Here are my parameters. Jc = 8 Jmin = 86 Jmax = 892 S1 = 0 S2 = 0 H1 = 2 H2 = 3 H3 = 4 H4 = 1 I1 = ... I2 = ... I3 = ... I4 = ... I5 = ... CPS I1-I5(bing.com-initial QUIC).txt

This wouldn't really interact with the existing port forwarding system at all. The point is to not have to forward any ports at all, all traffic to your public IP would automatically be forwarded to you, circumventing the entire port forwarding mechanism. The advantage is that you don't have a limitation on the number of forwarded ports anymore or restrictions on which exact ports are available. You'd have access to the entire range of 65535 ports. This is useful for several scenarios, for example if you have multiple clients that need port forwarding you run out very fast. It's also useful for punching through restricted networks or heavily NATed/CG-NATed networks and get a publicly addressable IP. Useful if I want to e.g. share a file with someone on IRC but we're both behind CG-NAT, or if I want to spin up a http server to show off a demo but the cafe I'm at blocks incoming port 80. As for the server infrastructure, stateless address translation is less resource intensive than stateful NAT, so the more popular of a feature this is the less the routing overhead on the servers will be. There's plenty of ways for spammers and other evildoers to do that for free already, they wouln't need an AirVPN subscribtion to get trillions of ipv6 addresses. Which is why with ipv6 nobody blocks on a per-address level, but prefixes.

Jc = 10 Jmin = 53 Jmax = 488 S1 = 0 S2 = 0 H1 = 2 H2 = 4 H3 = 1 H4 = 3 I1 = <b 0xc800000001142041eb35d428321d4c7b5a54f4a25b2eb42b1473144d6f82c2a7fb72748e0ec1cb05dbee502b24ad1f008000047c54b2c6fd1b8d38cc5b2898ffb4ab45a98e34500df11f17d7a00e6feee8b1689e65d3de8267c53ab147353c33bb36072efc65b807af56031e5531651e06f604b15a2cffe4ac57a2611c5b4ed0de39c051de95ad48ca096859db12be3164a2b4c4780c20889a6d9f592cb30b7c0de1636492f9c708ba5ef94c62ff52355782fdc80a7cb7c271004b31164f17ae1164b2a6879182d4e43c06cc29803ee6817da5f08a2c43757cc0f1748ef45fd8b69559b96ecc22828bf5eb9c5796db363da6cd1e675808ff1fa60ed2f226ea9347b6aead0a77419dbea8c03053c6c78e98652faa8b3d7c266d508586f2bc642b55adadbfbeae7d36bf1555e5769b8bf21f81908da3418882937d394e73284fa254926373aeb3d9093f837281c533688e29dacf3d798a36e32ae5d06683b4fba6031652f3abd817d4e585dc8682d2fc661d58242f9148cf051ecd0bfc4d3d1ebbd5db752567389710d3f39d963e01d39240e79a83e5043455609733b00cf2abec95270125882327c93bb2702d2beb03fcf8e5df1234e10f28768d76458f5380a256c27d6623774deabcd327c845e1398006bf288fd3732ea36d13a661ee551d024403283bfde1213ff4e767fefac1db3a2555ae0ffc5ab72251c269bc5115cf4bb65280ffa35c62468801e191131d35ad081659abb97a8fbe26049556ffe87f4d7f592a6f4423133e79661a26928511288cf98e54e34a4e8ecdd4d8c6e1af469ded38a159d625e45e549b3a711ef293f7930040c72b7cd975045ed7e629b60104cced6cb5afb75712eefd60bd705c040bf2143de63d2f637f825c69e53034e183aadb94858d63f2506d42d4faed810ba98172d2340b9d2eb63a4665a5480124f6ce5369cccf2bf18d512fc1b52c0ae7f64ca4380a17d19882b69bcda00277f73b8e02160cddfd913b807149e8519cfbdcb216b80a377a735ad31b87b41c7fb966ebcaae7213e6d4915beb845f926f6e29a284ea11a4f3a63ed22a61d0110cd33b1c31a8a0538b312e9266b773621cdeb9aa862db0d99e04b3cfa1e9ab03ff35cf6a6d3b72be1a6e039104547f9041e007d02c3769510d507f07ea3ebf38a326a9d82977a1cd32b25af02ccf1ddac08389dfb0a30932161f20b53b7a19b6fa8850d86f67b4420eb65f5ed45ba282ad1b82bf341cb9ad3b36437a1f007ad98ce2058fef118a650c908ac9c8cfaffc6eb37f203946a05b1d1698a0e325fc25594d41df81e5984486209aaf3ec854bea023663a7b8c63d31aea21921dcfca5d828b10fca0dd0855ffcaf4e9f0ae83372ff1674f2229954b7dd5dedff81a34aea41537f4536a86a746fa1e28c06985bc029e76df04d383fa7559679d67aa53e153663653ea75cc29a400e20f7ec5c55d13669d08eb9a5615b6871f51c08fde02ddb3bdaa0cc28ef207c6ff51f52bbd3cd49fab6708db0ccda23c7cfd6bd7aae5143b4a88aedf4d232ef39645ddb5bfe794b3e7175cb0b355c4f44df07b53bc48c11e80c3b62319f6a26f8a9b300306c2077b3c0a06028ed9cc2ffabb9984500cd98420b58a6649be2ac1969c3cc2b2fe62dae03c4e48b080ae812c7e105f45fc4ad3544e46d38e25662177644d6ea87e99a892> It is highly preferred that you get your own QUIC packet for I1. You could do that with Wireshark and "curl --http3-only (possibly any Russian website that is whitelisted)" . Select first QUIC Initial packet, right click "QUIC IETF" below -> Copy -> Copy as a Hex Stream. (Mozilla Firefox QUIC packets did not work for 16 kbyte blocked subnets for me)

🙄

I'm also confused. Perhaps the hardware isn't powerful enough? A 1Gbps server can handle 100+ users with 80% bandwidth utilization. This means a 10Gbps server would need 1000+ users to achieve the same 80% bandwidth utilization. However, in reality, a 10Gbps server experiences a significant speed drop when handling 300+ users, seemingly unable to keep up. It would be better to label it as a 3Gbps or 5Gbps server, as the actual speed difference from the advertised 10Gbps is substantial. If that's the case, it would be better to replace one 10Gbps server with ten 1Gbps servers. Maybe that's the case? I think AirVPN may have leased a 10Gbps network in the data center, but the servers can't handle that 10Gbps network. Isn't that a waste of resources? I think AirVPN can increase the number of 1Gbps servers as much as possible to make full use of network bandwidth, which would also save on server costs for AirVPN, wouldn't it?

less than 100GB

Use 'Policy table' not Object networking. Then create a NAT rule. I would prefer that they catch up with the competition on the basics (Like supporting IPv6 in VPNs), rather than reinventing yet another way to manage firewall rules 😕

Here is my working Open VPN config on a Netgear R7000 with Fresh Tomato:

I currently run a linux firewall without eddie and just use openvpn client. here is what i did to protect against dns leaks and maintain privacy. i don't use windows because of privacy concerns so i don't know how well this translates. assuming you have a layer 3/4 firewall, you can try this. the network: set the interface to start disabled on bootup. this is not necessary, but will work if you're firewall is not default. then you can set your firewall before the interface is open. nothing can leak during boot because the interface did not come up. in the firewall: set policy to block on input (inbound), output, and forward (or whatever windows equivalent is). this should be the default action in case there are no specific rules to catch particular traffic. setting this means nothing passes the firewall unless you explicitly allow it. set all rules with tracking (ct state), such that no inbound traffic is allowed unless it is a response from a request you sent out. only exception is icmp and other network diagnostic protocols like traceroute, which in my opinion should be open. icmpv6 should be selectively open since it also does network setup. log all blocked traffic on the physical interface: open source and destination port 67/68, udp, inbound and outbound so your ISP can give you an IP. configure your client to not accept the dns it will give you. open destination upd port 53 or 853 only for specific IPs, typically a public DNS that advertises no logs. this is your fall back in case vpn drops or if you connect to vpn using a domain name. your ISP will see this traffic, but it will not be destined to your ISP DNS. it will pass through and go to the server you specify. i am not yet convinced encrypted dns actually hides your dns, but i would consult with a network admin. open destination tcp/udp port 1194 (or whatever port you are using for VPN). Do not use port 443 for VPN as that is the same port for https website traffic. Note: broadly speaking, destination port 53 and 853 will not be open, blocking dns leaks. this is permanent i used to have to open port 80 for AirVPN IPs to make the initial connection, but I don't see this in my firewall anymore, so it may not be necessary. if you see this in your firewall logs when attempting a vpn connection, apply this rule in the same format as above, but make sure it is limited to only just the AirVPN IPs as this would otherwise allow normal website traffic. on the tunnel interface: open source and destination port 67/68, udp, inbound and outbound so Airvpn can give you an IP. you can use AirVPN dns, or create a rule to use the public dns of your choice like on the physical interface. open destination port 53 outbound on the 10/8 IP range, or if you have a way to limit it to just the DNS that you get with VPN, that'll work. (AirVPN will give you an IP starting with 10.) open destination port ntp outbound on the 10/8 IP range (to keep the time accurate on your devices) open destination tcp port 80,443 outbound, for website traffic. 8443 for websockets if you use things like chat/voice on a website app like discord. Ongoing: open any other ports you may be using, such as Steam IPs. Check your firewall logs any time something doesn't work, and add those ports. exhibit discernment about whether to open a port, as you may see crap trying to leak out of your network, not just dns. this is expected and is keeping your stuff private. speedtest sites like to use port 8080, so open destination port 8080 (ct state new) if you want to test your speed, and on inbound, open source port 8080 (ct state established) Note: broadly speaking, destination port 53 and 853 will not be open, blocking dns leaks. this is permanent Extra Notes: starting or stopping your vpn will not change any firewall rules. you will not have access to websites unless vpn is up. this will not work if you're using port 443 for your tunnel. the tunnel port and website port needs to be different. in some countries, this may not be possible. for every outbound destination port (ct state new) opened, there should be a corresponding inbound source port (ct state established) opened as well. traffic is 2 way, outgoing request, incoming response this may not be comprehensive. my firewall has a lot more rules and i may have missed something. view your firewall logs to see what is being blocked, and see whether you need to open it. This should absolve the need for a network lock, and maintain privacy during bootup and anytime eddie is not running. check your firewall logs for traffic on port 53 over the wan interface. these will be dns leaks you prevented. A quick note about windows: Microsoft overrides the hosts files and looks for various microsoft domains it uses for telemetry gathering. it will ignore these rules. this means the standards government hosts files are no longer being followed. this is a violation of long standing networking standards and causes people to reduce trust in the rest of the windows network setup. because of this, you should no longer trust that your firewall will not be overridden by Windows and allow dns traffic through even if you explicitly blocked it. Microsoft has admitted to running a keylogger since Windows 10. i mean ... my god. linux has come a long way in usability. you no longer have to be a hacker to run it well. i would make an attempt to convert to linux. it has been 30 years since computers were around. it is no longer acceptable to be computer-illiterate. old world literacy means you know how to use a feather quill pen. modern literacy means you know how to work your way around a computer. know the tool you use to communicate. linux is a different paradigm, but it is still just a computer. It would be great if somewhere on this site is pinned exact instructions for windows. it will help those concerned and those who don't yet know they should be. for anyone knowledgeable enough, please feel free to correct any of this if it is incorrect. share the knowledge! i don't frequent this site. admins have permission to edit this. -s

Completely disconnects in the middle of watching something wherein it will then reconnect. Slower than a dog shitting molasses in winter on sites not owned by majority shareholders of the internet. Ookla numbers do not mean fuck for this - pings the same tzulo servers as AirVPN 1 star out of 5 instead of 0 because of GUI split tunneling.

Hey there, Taiwan is a provincial administrative region of China, an inalienable part of China’s territory. But when I checked my IP on ipleak.net, I saw Taiwan was shown with those outdated flags, which is totally wrong. These flags don’t reflect the fact that Taiwan belongs to China. Using them misrepresents Taiwan’s status and goes against the One - China principle. It’s really important to fix this mistake. Please correct the display and stop using such wrong flags. Let’s make sure the info about Taiwan is right, in line with the One - China principle. Thanks for handling this!

Hello! We're very glad to inform you that a new 10 Gbit/s full duplex server located in Toronto (Ontario, Canada), is available: Kornephoros. The AirVPN client will show automatically the new server; if you use any other OpenVPN or WireGuard client you can generate all the files to access it through our configuration/certificates/key generator (menu "Client Area"->"Config generator"). The server accepts connections on ports 53, 80, 443, 1194, 2018 UDP and TCP for OpenVPN and ports 1637, 47107 and 51820 UDP for WireGuard. Kornephoros supports OpenVPN over SSL and OpenVPN over SSH, TLS 1.3, OpenVPN tls-crypt and WireGuard. Full IPv6 support is included as well. As usual no traffic limits, no logs, no discrimination on protocols and hardened security against various attacks with separate entry and exit-IP addresses. You can check the status as usual in our real time servers monitor . Do not hesitate to contact us for any information or issue. Kind regards & datalove AirVPN Staff

Hello! Thank you for the feedback! That's our contribution to cover the expenses. Just check the price for each 10 Gbit/s full duplex unmetered dedicated line for 1 year to get an idea of expenses for the network traffic, then also consider the depreciation of 20 servers and their maintenance (hardware replacements, manpower maintenance hours...) over the years. It's not like managing a VPS with a few TB per month and a few Mbit/s shared line, and we're talking about exit nodes. Kind regards

Hello! Starting from version 2.3, firewalld by default owns exclusively nftables tables generated by itself, thus preventing Eddie, Bluetit and Hummingbird Network Lock related operations. If you want to have Network Lock enabled and firewalld running at the same time, then you must configure firewalld by setting the following option: NftablesTableOwner=no in firewalld's configuration file, usually /etc/firewalld/firewalld.conf . After you have edited the configuration file with any text editor with root privileges, reload firewalld configuration or restart firewalld, and only then (re)start Bluetit, Hummingbird or Eddie. Additional insights: https://discussion.fedoraproject.org/t/firewalld-add-flags-owner-persist-in-fedora-42/148835 https://forums.rockylinux.org/t/rocky-9-5-breaks-netfilter/16551 Kind regards

109.202.110.35 s9.rapidgator.net last time

If you notice that the connection speed drops down again increase the Jc parameter (I recommend values 10-80) and rearrange the H1, H2, H3, H4 values (they should be the numbers from 1 to 4 but their order can be any). ТСПУ is able to detect and throttle AmneziaWG and I personally had this situation twice, and twice I had to pump up the Jc parameter. Don't set it too high though: too much junk is also abnormal and potentially can become a fingerprint. According to the recent news Roskomnadzor has set a budget of 60 billion rubles (655 000 000 USD) to significantly upgrade their wonderboxes in the next 5 years. So I guess even more fun is coming. I've already bought a cheap VPS and installed Xray (VLESS-TCP-XTLS-Vision-REALITY), sing-box (Shadowsocks with 2022-blake3-aes-128-gcm) and Cloak but don't use it much to keep the IP from prematurely getting into the black lists (if they even currently exist in Russia, but in Iran they already do). May be it's all over the top but who knows the future? For now my main method of accessing the larger data world is still the good old AirVPN.

Hello! I am a bit new to the Torrenting world, and I have set up my VPN(airvpn) and I have Qbitorrent. I have set up a port and put that port into my port for incoming connections, and I have my torrent running through Eddie(Airvpn). For some reason every time I click "Test open" under my port it says "Connection timed put(101)" Can anyone tell me what I am doing wrong?

@itsmeprivately Hello! Please try the following settings (usually they are strictly necessary to bypass China blocks): switch to OpenVPN (if you haven't already done so) by tapping the icon "VPN Type" on the main view. Each tap switches between WireGuard and OpenVPN. force connection over TCP to port 443 in the following way: open "Settings" and expand "AirVPN" by tapping on it tap "Default OpenVPN protocol", select "TCP" and tap "OK" tap "Default OpenVPN port", select "443" and tap "OK" tap "Quick connection mode", select "Use default options only" and tap "OK" Finally test again connections to various servers in various locations. Kind regards

FYI, links for Eddie for Android are broken ;)

Let me just add the observation that only a few percent of domains you might be looking up in a DNS system are going to be DNSSEC signed anyway. While it's nice to have DNSSEC functioning as a sort of future proofing and for the rare cases when it matters now, becoming alarmed at its absence in a DNS system at this stage is seriously inappropriate. Example: in the US the only major financial institution that I can find that signs its DNS entries with DNSSEC is the Internal Revenue Service! Yes, irs.gov is signed, as are some other US-gov't agency sites. But the big banks do not use DNSSEC, and neither do the well-known large brokerage houses. (Every site foo.bank is a DNSSEC-signed bank site, but see https://www.register.bank/dotBANKers/# to see which banks have bothered. They're all small.) In the VPN world, AirVPN.org is signed, mullvad.net is signed, and privateinternetaccess.com is signed. Every other well-known VPN service that I've tried depends on unsigned DNS entries. So basically at present, DNSSEC from the consumer point of view is little more than a cute toy.

You're on fiber, right? Because if so, you are not the first with this, and you won't be the last. I can't wrap my head around it myself because I don't know anyone who is on fiber to test anything (I'm in Germany, after all), but all the people before you suggest that OpenVPN is problematic with fiber connections.

Hello, could you please make a tutorial? I tried this but Im doing something wrong, because the client cant connect to the AIR servers after I set the firewall rules ... A permanent network locker is for other vpn providers normal, but here? Why you dont just make a option in the Eddie client? Anyway a tutorial would be great

hello people, i have a question because of the network lock in airvpn, i activated it but 1 problem: its only working when the AIRVPN client is started, i chose airvpn auto windows start but the problem is that still with ssd its taking maybe 5 seconds to start (it starts with loading beam). the question is how can if fix that? example: the airvpn client eddie crashes (latest version ofc) -> my internet IS UNPROTECTED! thanks for any help regards