Leaderboard

Hello! We're very glad to inform you that three new 10 Gbit/s full duplex servers located in Toronto (Ontario), Canada, are available: Castula, Chamukuy and Elgafar. The AirVPN client will show automatically the new servers; if you use any other OpenVPN or WireGuard client you can generate all the files to access them through our configuration/certificates/key generator (menu "Client Area"->"Config generator"). The servers accept connections on ports 53, 80, 443, 1194, 2018 UDP and TCP for OpenVPN and ports 1637, 47107 and 51820 UDP for WireGuard. They support OpenVPN over SSL and OpenVPN over SSH, TLS 1.3, OpenVPN tls-crypt and WireGuard. Full IPv6 support is included as well. As usual no traffic limits, no logs, no discrimination on protocols and hardened security against various attacks with separate entry and exit-IP addresses. You can check the status as usual in our real time servers monitor : https://airvpn.org/servers/Castula https://airvpn.org/servers/Chamukuy https://airvpn.org/servers/Elgafar/ Do not hesitate to contact us for any information or issue. Kind regards & datalove AirVPN Staff

Congratulations on the launch. This is great news for CA which has had most of its 2 Gbit/s servers pretty saturated during peak hours. Hopefully the ghost of Wurren does not come back to haunt us.

Hello! We're very glad to inform you that a new 10 Gbit/s full duplex server located in Los Angeles, California, is available: Revati. The AirVPN client will show automatically the new server; if you use any other OpenVPN or WireGuard client you can generate all the files to access it through our configuration/certificates/key generator (menu "Client Area"->"Config generator"). The server accepts connections on ports 53, 80, 443, 1194, 2018 UDP and TCP for OpenVPN and ports 1637, 47107 and 51820 UDP for WireGuard. Revati supports OpenVPN over SSL and OpenVPN over SSH, TLS 1.3, OpenVPN tls-crypt and WireGuard. Full IPv6 support is included as well. As usual no traffic limits, no logs, no discrimination on protocols and hardened security against various attacks with separate entry and exit-IP addresses. You can check the status as usual in our real time servers monitor , by clicking the server name. Direct link: https://airvpn.org/servers/Revati Do not hesitate to contact us for any information or issue. Kind regards & datalove AirVPN Staff

Hello! We're very glad to announce that Eddie Android edition 4.0.0 Beta 1 is now available. This is a major update: for the first time Eddie Android edition features AmneziaWG complete support. Eddie Android edition is a fully integrated with AirVPN, free and open source client allowing comfortable connections to AirVPN servers and generic VPN servers offering compatible protocols. Eddie 4.0.0 aims primarily at adding, besides the already available OpenVPN and WireGuard, a thorough and comfortable AmneziaWG support. AmneziaWG is a free and open source fork of WireGuard by Amnezia inheriting the architectural simplicity and high performance of the original implementation, but eliminating the identifiable network signatures that make WireGuard easily detectable by Deep Packet Inspection (DPI) systems. It can operate in several different ways, including a fallback, "compatibility mode" with WireGuard featuring anyway various obfuscation techniques. What's new in Eddie 4.0.0 AmneziaWG support Amnezia WireGuard API updated OpenSSL, OpenVPN3-AirVPN and WireGuard libraries see the complete changelog below AmneziaWG overview From the official documentation: https://docs.amnezia.org/documentation/amnezia-wg AmneziaWG offers: Dynamic Headers for All Packet Types (compatibility with WireGuard: YES) During tunnel initialization, the library generates a set of random constants applied to each of the four WireGuard packet formats: Init, Response, Data, Under‑Load. These constants: Replace predictable WireGuard packet identifiers; Shift offsets of Version/Type fields; Modify reserved bits. As a result, no two clients have identical headers, making it impossible to write a universal DPI rule. Handshake Length Randomization (compatibility with WireGuard: NO) In WireGuard, the Init packet is exactly 148 bytes, and the Response packet is exactly 92 bytes. AmneziaWG adds pseudorandom prefixes S1 and S2 (0-64 bytes by default): len(init) = 148 + S1 len(resp) = 92 + S2 Offsets of the remaining fields are automatically adjusted, and MAC tags are recalculated accordingly. In order to keep backward compatibility with WireGuard, S1 and S2 must be set to 0. Obfuscation Packets I1-I5 (Signature Chain) & CPS (Custom Protocol Signature) (compatibility with WireGuard: partial, with fallback) Before initiating a "special" handshake (every 120 seconds), the client may send up to five different UDP packets fully described by the user in the CPS format. In this way AmneziaWG can mimic perfectly QUIC, DNS and other protocols adding powerful methods to circumvent blocks. QUIC is particularly interesting as HTTP/3 is built on it and currently, from Chrome and other compatible browsers, 50% of traffic to/from Google is QUIC traffic. Therefore, blocking QUIC may have major disruptions for any ISP. Junk‑train (Jc) (compatibility with WireGuard: YES) Immediately following the sequence of I-packets, a series Jc of pseudorandom packets with lengths varying between Jmin and Jmax is sent. These packets blur the timing and size profile of the session start, significantly complicating handshake detection. Under‑Load Packet (compatibility with WireGuard: YES) In WireGuard, a special keep-alive packet (“Under-Load”) is used to bypass NAT timeouts. AmneziaWG replaces its fixed header with a randomized one, the value of which can be set manually. This prevents DPI from filtering short ping packets, ensuring stable tunnel connections, especially on mobile networks. How to use Eddie with AmneziaWG To enable AmneziaWG mode, just tap the connection mode available in the main and other views. It will rotate between WireGuard, AmneziaWG and OpenVPN. Set it to AmneziaWG. In its default AmneziaWG mode, Eddie will use all the possible obfuscation, except protocol mimicking, that keeps WireGuard compatibility, thus allowing connections to AirVPN servers. The default settings choice was possible thanks to the invaluable support of persons living in countries where VPN blocks are widespread. Such settings have been tested as working and capable to bypass the current blocking methods in various countries. You may consider to modify them if they are ineffective to bypass "your" specific blocks. In Settings > Advanced, you will find, at the bottom of the page, a new "Custom Amnezia WG directives" item. By tapping it you will summon a dialog that will let you customize any possible AmneziaWG parameter. You can maintain backward compatibility with WireGuard in the dialog WireGuard section, or enable the full AmneziaWG support in the Amnezia section, which is not compatible (at the moment) with AirVPN WireGuard servers. This mode will be mostly valuable in a not distant future, when AirVPN servers will start to support AmneziaWG natively. You may also enable QUIC or DNS mimicking for additional obfuscation efficacy. In order to maintain WireGuard backward compatibility, with or without QUIC or DNS mimicking, you must set: S1 = S2 = 0 Hn ∈ {1, 2, 3, 4} H1 ≠ H2 ≠ H3 ≠ H4 Furthermore, do not exceed the valid limit of the J parameters (anyway Eddie will not let you do it). In this preview version, Eddie's formal control of the input data is based on the following document. We strongly recommend you read it if you need to modify manually parameters: https://github.com/amnezia-vpn/amneziawg-linux-kernel-module?tab=readme-ov-file#configuration Please do not modify In parameters if you don't know exactly what you're doing. Eddie implements QUIC and DNS mimicking and random obfuscation packets for each specific "I" parameter (by using the corresponding "Generate" button). You can enable them with a tap on the proper buttons. You may mimic QUIC and DNS even to connect to WireGuard based servers. When you enable QUIC mimicking and you maintain WireGuard backward compatibility, you add a powerful tool against blocks, because the first packets will be actual QUIC packets. AmneziaWG will fall back to WireGuard compatibility very soon. However, when DPI and SPI tools, and demultiplexers in general, identify the initial QUIC flow, most of them will be unable to detect a WireGuard flow for several minutes. This has been tested thoroughly with deep packet inspection on Linux and FreeBSD based machines by AirVPN staff. Therefore, in different blocking scenarios the QUIC mimicking increases likelihood of successful block bypass. NOTE: the same does not happen with DNS mimicking. In this case DPI / SPI tools identify the stream initially as DNS, but are much quicker (just in a few dozens of packets) to identify the stream as WireGuard's, after the initial DNS identification. If you decide to test, please report at your convenience any bug and problem in this thread. If possible generate a report from the app in a matter of seconds: by tapping the paper plane icon on the Log view bar rightmost side you will generate a full system report which will include both log and logcat and have it sent to our servers. Then you just need to send us the link the app shows you (open a ticket if you prefer to do it in private). Download link, checksum and changelog https://eddie.website/repository/Android/4.0.0-Beta1/EddieAndroid-4.0.0-Beta-1.apk This is a build debug package and side load is mandatory. $ sha256sum EddieAndroid-4.0.0-Beta-1.apk 617269290a0406237646cc0885e5b10f3916252f89fe82ba9ccb947354980fcb EddieAndroid-4.0.0-Beta-1.apk Changelog 4.0.0 (VC 37) - Release date: 26 November 2025 by ProMIND Native Library [ProMIND] updated to version 4.0.0, API 10 [ProMIND] added Amnezia WireGuard API [ProMIND] updated to OpenVPN-AirVPN 3.12 (20251126) AirVPNUser.java [ProMIND] getWireGuardProfile(): added Amnezia support ConnectAirVPNServerFragment.java [ProMIND] showConnectionInfo(): added AmneziaWG logo display [ProMIND] onCreateContextMenu(): added AmneziaWG items [ProMIND] onContextItemSelected(): added AmneziaWG items [ProMIND] added method loadVPNProfile() ConnectVpnProfileFragment.java [ProMIND] added Amnezia support EddieLibraryResult.java [ProMIND] added Amnezia WireGuard API QuickConnectFragment.java [ProMIND] onCreateView(): added AmneziaWG logo display [ProMIND] updateStatusBox(): added AmneziaWG logo display SettingsActivity.java [ProMIND] added "Custom AmneziaWG directives" setting SettingsManager.java [ProMIND] added Amnezia specific settings and methods SupportTools.java [ProMIND] removed method getVPNProfile() VPN.java [ProMIND] added methods enableAmneziaWireGuard() and isWireGuardAmneziaEnabled() VPNManager.java [ProMIND] added method isWireGuardAmneziaEnabled() VPNProfileDatabase.java [ProMIND] added AMNEZIA type WebViewerActivity.java [ProMIND] EddieWebViewClient.shouldOverrideUrlLoading(): it now properly opens android asset files WireGuardClient.java [ProMIND] added WireGuard tunnel node to constructor [ProMIND] added methods for generating Amnezia's junk settings WireGuardTunnel.java [ProMIND] added support for Amnezia WireGuard [ProMIND] added Mode enum [ProMIND] added tunnel node to constructor EddieLibrary.java [ProMIND] added Amnezia WireGuard API Kind regards & datalove AirVPN Staff

Hello! Please follow this message to quickly resolve the issue: https://airvpn.org/forums/topic/26548-linux-ip-6-addr-add-failed/?do=findComment&comment=72069 The OP problem might be different so your case should not be discussed here. Kind regards

I mean, the guarantee is actually in mbps. I wish they guaranteed 4gbps!

May I request the addition of 10Gbps Tokyo and Singapore servers? Thank you.

Hello! This is interesting. We are gradually activating IPv6 on every server, but you have IPv6 disabled at OS level, and this causes a fatal error. For the moment, you can: - Reactivate IPv6 No good reason is known to disable IPv6 at OS level. If you are scared about IPv6 leak when connecting to servers without IPv6 support, a cleaner solution is simply blocking IPv6 traffic with ip6tables. OR - Append the following directives in your .ovpn files: pull-filter ignore "route-ipv6" pull-filter ignore "redirect-gateway ipv6" pull-filter ignore "dhcp-option DNS6" pull-filter ignore "tun-ipv6" pull-filter ignore "ifconfig-ipv6" redirect-gateway def1 bypass-dhcp This will skip IPv6 configuration of tunnel and avoid your error. We are considering related options to Config Generator. Kind regards

Hello! The AirVPN integration is kindly maintained by GlueTun developer. In brief, servers information is retrieved from the servers,json file which is updated several times a year. When starting up, Gluetun merges the hardcoded list and the contents of servers.json, preferring newer data and including any custom entries marked to be kept. For more details and a more accurate description please see here: https://deepwiki.com/qdm12/gluetun/6-server-management At this moment, while we're writing this message, the servers in Amsterdam have not yet been added. You can wait for the next update, or you may add them manually, by abiding to the json format. Alternatively you can point directly, through the proper environment variable, to the correct entry-IP address of the server you wish to connect to. In such cases you find all the information you need on the server status page https://airvpn.org/status and by generating a configuration file with the Configuration Generator. Here's an example for Vindemiatrix, only for WireGuard connections. This sub-block must be inserted in the correct position inside the airvpn block: study the file structure to quickly understand. Make sure to edit the file while no container is running. { "vpn": "wireguard", "country": "Netherlands", "region": "Europe", "city": "Amsterdam", "server_name": "Vindemiatrix", "hostname": "nl3.vpn.airdns.org", "wgpubkey": "PyLCXAQT8KkM4T+dUsOQfn+Ub3pGxfGlxkIApuig+hk=", "keep": true, "ips": [ "94.228.209.212" ] }, You then need to restart the container(s) in order to merge the current list with the edited one. The "Keep": true line/flag (inside the server definition) ensures that the server will not be wiped out if you rebuild the server list. Kind regards

Hello! Hold on @Tech Jedi Alex, you hit the mark. You were just misled by this: 0777 is for a directory, but for data files the default is 0666, here's why the user ends up with 644: For the reader, if the umask is 022, the newly created file by root will get 644 (rw-r--r--) (the complement of 666 with 022 in octal) which causes the first problem. So that's why /sbin/bluetit doesn't have x even though it does in the extracted package. It doesn't matter that the original bluetit file has 755, the umask starts from 666. cp in the original script lacks the -p option so this problem should get resolved by your change with install (it should be solved even by adding "-p" to the cp command, or an additional chmod of course). It looks like a long time installation script issue that went strangely unnoticed. Noted down for a fix in the next release or a package hot fix, we'll see. Apparently there is another problem too but maybe it's not related to Suite's installation, we'll keep following the thread. Kind regards

Your best bet might be to request a reroute over the DE rerouting server. Kindly open a support request and give a few URLs to blocked content.

I'm running Linux Mint with a VM of Windows 7. Both have Eddie and going through the same physical Ethernet cable over Cable Internet. The latency on Linux start in the 40s whereas on the VM of Windows 7 running in that Linux start in the low 20s which. Included is the Linux on left and windows 7 VM on the right. Linux is a new install with Eddie 2.24.6 whereas the Win7 is running on Eddie 2.18.9.

Thanks a lot for your time and giving all these insights 👍 Learning a lot there.

Thanks @pit61. I've asked the staff to create a new How-To document based on this info. The old Tomato How-To is very dated and these settings worked very nicely.

Maximum of 7.3 Gb/s on Terebellum. I think most users are probably not using that much bandwidth to push the 10 Gb/s servers to their max.

I think so. My VPN functions the same as before, and I'm able to connect to blocked websites.

Hello! Great news! I captured the first QUIC packet accessing bing.com using Wireshark and used that packet to create a complete CPS, with I1-I5 parameters in the following file. Using this CPS, I successfully connected to a US server and achieved good speed and stability. In my network environment, this was more effective than random CPS packets. Everyone can test this set of parameters (it needs to be accessible without a VPN to bing.com). I welcome any better optimization suggestions from everyone. Jc = 8 Jmin = 86 Jmax = 892 S1 = 0 S2 = 0 H1 = 2 H2 = 3 H3 = 4 H4 = 1 I1 = ... I2 = ... I3 = ... I4 = ... I5 = ... CPS I1-I5(bing.com-initial QUIC).txt

With IPv6 allowing practically infinite IPs it should be possible to assign a dedicated IPv6 address to each connection, allowing incoming connections to any port to be forwarded. This would be a great way to circumvent the port forwarding restrictions on IPv4 that exist because multiple clients have to share the same exit IP, and I think would make for a nice optional feature.

Hello! Many thanks for all these information and insight. Indeed I completely agree with what you state. Meanwhile, I identified the culprit of plasmashell crashing: a system resource plasmoid I use on the Plasma desktop background. If I remove it, no crashes happen anymore. So the safe solution is to report it to its owner/author. Despite this I was unable to crash and end Eddie GUI gracefully, so I might have misidentified this happening. That said I will keep an eye and report again if I find a reproducible way. And I understand this is beyond your control and thank you very much for the feedback. Kind regards!

I’m with @CentralPivot on this Topic. Would be lovely for FileSharing etc. and I don’t see any Downsides @Tech Jedi Alex suggests applying. Using a shared IPv6 obviously needs to be the Default. But @CentralPivot seems to suggest for it to work in a similar Way as Port Forwarding does now: Activate it and get a completely forwarded v6 for In&Out instead of a Port on a v4. (Having a (semi) fixed v6 helps with getting a positive Rating in BitTorrent Swarms.) Maybe a fresh IPv6 on Reconnects as an Option? For my Use Cases Peers without v6 are completely irrelevant to be honest, but v4 Port Forwarding doesn’t need to stop working for that Feature to exist? In the other Direction there are quite a few ISPs in the World that only do v4 via Gateways for their Users, because getting IPv4-Addresses for their Customers is impossible. IPv6 has been a "Draft" since 1998 and a Standard since late 2017…

Looking in Eddie, I can deduce a possible reason. If the scoring rule is set to Speed, which is the default, only four servers actually get a non-zero score, putting only those four into consideration of the Connect to best server function. The client count reflects that. I quick-tested a connection to Sweden on Android, and Copernicus was chosen to be the best server.. huh. Also interesting: The first three are hosted by Altushost, Segin is Netrouting, rest seems to be Kustbandet. ISP might play a role here, too.

Hi all, I've always been trying to maximize my seeding speeds when using qBittorrent, and a lot of information I found online was not very helpful. My setup is qBittorrent 4.3.9 from hotio with Gluetun on TrueNAS Fangtooth. My best speeds have been obtained on the servers Taiyangshou and Vindemiatrix with WireGuard. I am in North America, but I don't think latency matters as much as I originally thought for P2P use cases. These two servers in the Netherlands have been very nice and I definitely recommend trying out different servers. In my use case, I have hundreds of larger torrents, maybe half are 50 GB+. I have found that since I am using hard drives, the random reads will quickly overwhelm them even with ARC and L2ARC, thus setting the "Global maximum number of upload slots" is very useful (this is the only one I have turned on in the "Connection" tab). This limits the total number of peers you can upload to globally, and the idea is that you limit the total amount of random reads this way. The magic number that works the best for me is 50, and I recommend trying around this range by increments of 5 might work nice. Additionally, I could keep increasing the "Global maximum number of upload slots" without much rise in iowait, but total throughput would decrease. Therefore, when optimizing this setting it is a balance between enough slots to saturate your bandwidth, but not too much where it spreads the bandwidth too thin and negatively impacts total throughput. I have also attached the advanced settings that I changed which seemed to make the greatest impact. Send buffer watermark: 6144 KiB Send buffer low watermark: 3072 KiB Send buffer watermark factor: 200 % Socket backlog size: 4096 I hope this is helpful! Best, Hypertext1071 Edit: For further tuning this might be helpful: https://github.com/felikcat/seedbox-tutorial. Edit 2: Using the settings from here: https://github.com/felikcat/seedbox-tutorial, including the sysctl configuration completely saturate my line speed. I was trying to search for qBittorrent in particular, and thus wasn't able to find results that were generally helpful, such as network tuning.

Yeah. You could say it's been defaced. Use the 😈 goddamn 👺 emojis "<evil grin>" this is so cringe lmao

Hello and welcome! Another interesting use case is when you live in a country where trying to access the Tor network raises a red flag on you but the HTTP/3 (QUIC) traffic does not. So you first circumvent the blocks via some adequate VPN related protocol that looks like QUIC and only then you fire up Tor, so the regime can't trivially infer that you're trying to use Tor. Sometimes it is more practical and safer than struggling to find Tor bridges: a risk assessment is due, on a case by case basis. Kind regards

Hello! An update: https://www.eff.org/deeplinks/2025/12/after-years-controversy-eus-chat-control-nears-its-final-hurdle-what-know Kind regards

Hello! Be aware that 4 Mbit + 4 Mbit/s of guaranteed allocation is great for the pricing of AirVPN. Our competitors offer 0.0 (best effort, no minimum allocation guaranteed). Please consider that if residential ISPs in Europe had all of their customers connected simultaneously and requiring full bandwidth at the same time, the allocation by most of such ISPs (if performed equally for each customer) would be between 0.1 and 10 Mbit/s. The biggest ISPs in Europe (example: TIM in Italy) have an average per residential customer consumption (fixed lines: in mobility much less) of 190 GB/month, which on average means 0.58 Mbit/s throughout the month. Residential networks are normally designed and sized on the basis of these values with congestion control (traffic shaping) during peak hours or any unexpected event. Guaranteeing no overselling beyond 4 + 4 Mbit/s was and is even nowadays a significant effort by AirVPN. In practice, as you can see on the "Top User Speed" chart, users can easily beat 500 Mbit/s, there is no congestion. But if all customers connected at the same time (assuming a fair distribution on all servers) then everyone would anyway have 4 Mbit/s (4 + 4 server side). Kind regards

You are making absolutely zero sense with that comparison. It's 98% of people who don't bother changing profile settings. Which also means, 98% of profiles will be hidden, as the default visibility setting of the profile is Hide for all. Now, you could, of course, change that setting for you yourself, open up to the community, and provide that info, especially to explicitly provide your gender as to foster correct referrals to your person. I sincerely believe, that's what this is all about: Reducing the risk of hurting someone in a conversation. But, let's explore this situation a little. Suppose someone wants to find out how to refer to some other poster around here. First hurdle: 98% of profiles are hidden. Means, one in fifty is open. So the profile is clicked to find out "so, do I say him, do I say them?" and, oh darn, hidden profile. Then that person answers another person, clicks the profile, oh darn, hidden again. And a third, hidden. And a fourth, hidden. That person quickly learns: "Why bother, all the profiles are hidden, anyway", and defaults to "he", "he/she" or "them". Or even "per". So even if you sincerely wanted to do so, correctly referring to another person without the chance of having the necessary info left of every post gets tedious and downright impossible to do with all the profiles being hidden. Hence why the gender info might provide the choices for many genders, but what's the point if no one can look at it? Even if one of those profiles was opened, it doesn't mean all the fields were filled. The probability of finding a correct pronoun for referral gets even lower. As I wrote, we are here for discussions around AirVPN and VPN technology in general (actually, tech support for AirVPN), with some related topics around it. It would be a first for me to find out that gender is important in discussions about VPN tech. You are right that, in the past, I mostly defaulted to the masculine form when referring to any one poster (I prepended a Mr. to every username when referring to that user) but am shifting to @ mentions instead, those are neutral and even cause notifications. That's probably the most scandalous thing in regard to genders one can accuse me of. Homophobia… just really isn't. And, please, do not start the race thing. There is a good, tangible reason to publish pronouns. There is absolutely no reason to publish race, so it's incomparable. A little bit of warning: I will move this discussion to off-topic as, while it refers to the forums software of AirVPN, it does not relate to AirVPN tech directly. Don't think anything bad about the move, it is not an attempt to silence you. Simple moderator chore: Every post to the correct subforum. I am futhermore happy to continue discussing this matter with you (and everyone may join, I might add). But, should your tone of discussion not shift to be more constructive, with less baseless slander against any one person here, I'm putting a warning point on the table. This will come with being put on moderator queue which will see all your posts being screened before publication (as is actually the case right now as you're a new poster). Thank your for your understanding in this matter, and to a good, fruitful discussion. 🍷

Thank you!

I must commend the AI here – I wouldn't have thought of asking you whether you installed Eddie from scratch or copied over the profile. Most of the times those AIs catch mentions of one or two words in contexts of other words and hallucinate about the rest of the meaning, but this one was a good answer.

Are you sure you don't have an option somewhere in the gateway settings to prevent opnsense making static routes for monitor IP? I have that in pfsense. I usually trace the route through the VPN interface to anything (e.g. 9.9.9.9) and then use the first or second hop as the monitor address for that gateway. In past experience I've had times where gateway monitoring said everything was fine but reaching the internet wasn't happening. That's why I've taken to pinging something on the other side of the VPN gateway.

Do you intend to add it to PC's client at some point as well?

@zimbabwe @AG999 @Upre1943 @Stalinium @Nonsense @H12345h12345 Hello! Eddie Android edition 4.0.0 preview implements full AmneziaWG support: https://airvpn.org/forums/topic/77633-eddie-android-edition-400-preview-available/ Feel free to test and report back (bug, glitches...)! Kind regards & datalove AirVPN Staff

That's because the AirVPN team didn't write a forums software from scratch, they picked an existing software and adapted it to the special needs of their infrastructure. A gender field in users' profiles is not a special need, given that 98% of people around here don't bother changing profile settings, let alone edit their profile. IP.Board is a "generic" forums software which can be used in many environments. In some of them contact info, birthdays and genders make sense. In some of them, including airvpn.org, they don't.

Here is my working Open VPN config on a Netgear R7000 with Fresh Tomato:

I currently run a linux firewall without eddie and just use openvpn client. here is what i did to protect against dns leaks and maintain privacy. i don't use windows because of privacy concerns so i don't know how well this translates. assuming you have a layer 3/4 firewall, you can try this. the network: set the interface to start disabled on bootup. this is not necessary, but will work if you're firewall is not default. then you can set your firewall before the interface is open. nothing can leak during boot because the interface did not come up. in the firewall: set policy to block on input (inbound), output, and forward (or whatever windows equivalent is). this should be the default action in case there are no specific rules to catch particular traffic. setting this means nothing passes the firewall unless you explicitly allow it. set all rules with tracking (ct state), such that no inbound traffic is allowed unless it is a response from a request you sent out. only exception is icmp and other network diagnostic protocols like traceroute, which in my opinion should be open. icmpv6 should be selectively open since it also does network setup. log all blocked traffic on the physical interface: open source and destination port 67/68, udp, inbound and outbound so your ISP can give you an IP. configure your client to not accept the dns it will give you. open destination upd port 53 or 853 only for specific IPs, typically a public DNS that advertises no logs. this is your fall back in case vpn drops or if you connect to vpn using a domain name. your ISP will see this traffic, but it will not be destined to your ISP DNS. it will pass through and go to the server you specify. i am not yet convinced encrypted dns actually hides your dns, but i would consult with a network admin. open destination tcp/udp port 1194 (or whatever port you are using for VPN). Do not use port 443 for VPN as that is the same port for https website traffic. Note: broadly speaking, destination port 53 and 853 will not be open, blocking dns leaks. this is permanent i used to have to open port 80 for AirVPN IPs to make the initial connection, but I don't see this in my firewall anymore, so it may not be necessary. if you see this in your firewall logs when attempting a vpn connection, apply this rule in the same format as above, but make sure it is limited to only just the AirVPN IPs as this would otherwise allow normal website traffic. on the tunnel interface: open source and destination port 67/68, udp, inbound and outbound so Airvpn can give you an IP. you can use AirVPN dns, or create a rule to use the public dns of your choice like on the physical interface. open destination port 53 outbound on the 10/8 IP range, or if you have a way to limit it to just the DNS that you get with VPN, that'll work. (AirVPN will give you an IP starting with 10.) open destination port ntp outbound on the 10/8 IP range (to keep the time accurate on your devices) open destination tcp port 80,443 outbound, for website traffic. 8443 for websockets if you use things like chat/voice on a website app like discord. Ongoing: open any other ports you may be using, such as Steam IPs. Check your firewall logs any time something doesn't work, and add those ports. exhibit discernment about whether to open a port, as you may see crap trying to leak out of your network, not just dns. this is expected and is keeping your stuff private. speedtest sites like to use port 8080, so open destination port 8080 (ct state new) if you want to test your speed, and on inbound, open source port 8080 (ct state established) Note: broadly speaking, destination port 53 and 853 will not be open, blocking dns leaks. this is permanent Extra Notes: starting or stopping your vpn will not change any firewall rules. you will not have access to websites unless vpn is up. this will not work if you're using port 443 for your tunnel. the tunnel port and website port needs to be different. in some countries, this may not be possible. for every outbound destination port (ct state new) opened, there should be a corresponding inbound source port (ct state established) opened as well. traffic is 2 way, outgoing request, incoming response this may not be comprehensive. my firewall has a lot more rules and i may have missed something. view your firewall logs to see what is being blocked, and see whether you need to open it. This should absolve the need for a network lock, and maintain privacy during bootup and anytime eddie is not running. check your firewall logs for traffic on port 53 over the wan interface. these will be dns leaks you prevented. A quick note about windows: Microsoft overrides the hosts files and looks for various microsoft domains it uses for telemetry gathering. it will ignore these rules. this means the standards government hosts files are no longer being followed. this is a violation of long standing networking standards and causes people to reduce trust in the rest of the windows network setup. because of this, you should no longer trust that your firewall will not be overridden by Windows and allow dns traffic through even if you explicitly blocked it. Microsoft has admitted to running a keylogger since Windows 10. i mean ... my god. linux has come a long way in usability. you no longer have to be a hacker to run it well. i would make an attempt to convert to linux. it has been 30 years since computers were around. it is no longer acceptable to be computer-illiterate. old world literacy means you know how to use a feather quill pen. modern literacy means you know how to work your way around a computer. know the tool you use to communicate. linux is a different paradigm, but it is still just a computer. It would be great if somewhere on this site is pinned exact instructions for windows. it will help those concerned and those who don't yet know they should be. for anyone knowledgeable enough, please feel free to correct any of this if it is incorrect. share the knowledge! i don't frequent this site. admins have permission to edit this. -s

Completely disconnects in the middle of watching something wherein it will then reconnect. Slower than a dog shitting molasses in winter on sites not owned by majority shareholders of the internet. Ookla numbers do not mean fuck for this - pings the same tzulo servers as AirVPN 1 star out of 5 instead of 0 because of GUI split tunneling.

We have kept the OP message to show the pervasiveness of the PRC's propaganda lackeys. We consider Taiwan (Republic of China) to be independent and autonomous from the PRC (People's Republic of China), as it is in fact. ipleak uses MaxMind and IANA databases to display results, and we are pleased that these are aligned with an anti-imperialist and democratic vision that is clearly unpalatable to the dictatorial regime of the PRC, which sees it as an obstacle to its expansionist ambitions.

Hey there, Taiwan is a provincial administrative region of China, an inalienable part of China’s territory. But when I checked my IP on ipleak.net, I saw Taiwan was shown with those outdated flags, which is totally wrong. These flags don’t reflect the fact that Taiwan belongs to China. Using them misrepresents Taiwan’s status and goes against the One - China principle. It’s really important to fix this mistake. Please correct the display and stop using such wrong flags. Let’s make sure the info about Taiwan is right, in line with the One - China principle. Thanks for handling this!

Hello! We're very glad to inform you a new 10 Gbit/s full duplex server located in Miami, Florida (USA), is available: Dziban. The AirVPN client will show automatically the new server; if you use any other OpenVPN or WireGuard client you can generate all the files to access them through our configuration/certificates/key generator. The server accepts connections on ports 53, 80, 443, 1194, 2018 UDP and TCP for OpenVPN and ports 1637, 47107 and 51820 UDP for WireGuard. It supports OpenVPN over SSL and OpenVPN over SSH, TLS 1.3, OpenVPN tls-crypt and WireGuard. Full IPv6 support is included as well. As usual no traffic limits, no logs, no discrimination on protocols and hardened security against various attacks with separate entry and exit-IP addresses. You can check the status as usual in our real time servers monitor : https://airvpn.org/servers/Dziban Do not hesitate to contact us for any information or issue. Kind regards & datalove AirVPN Staff

109.202.110.35 s9.rapidgator.net last time

Ok, so i got chown working, the "Terminal" app did not have permission to modify system files and i missed the notification advising this. After fixing that i had to change wireguard-go and wg to be owned by root to allow Eddie to work, but it is now connecting.

If you notice that the connection speed drops down again increase the Jc parameter (I recommend values 10-80) and rearrange the H1, H2, H3, H4 values (they should be the numbers from 1 to 4 but their order can be any). ТСПУ is able to detect and throttle AmneziaWG and I personally had this situation twice, and twice I had to pump up the Jc parameter. Don't set it too high though: too much junk is also abnormal and potentially can become a fingerprint. According to the recent news Roskomnadzor has set a budget of 60 billion rubles (655 000 000 USD) to significantly upgrade their wonderboxes in the next 5 years. So I guess even more fun is coming. I've already bought a cheap VPS and installed Xray (VLESS-TCP-XTLS-Vision-REALITY), sing-box (Shadowsocks with 2022-blake3-aes-128-gcm) and Cloak but don't use it much to keep the IP from prematurely getting into the black lists (if they even currently exist in Russia, but in Iran they already do). May be it's all over the top but who knows the future? For now my main method of accessing the larger data world is still the good old AirVPN.

Anyway I understand your position, no problem. Like Russians say "Сытый голодного не разумеет" ("the well-fed does never understand the hungry").

Hello! I am a bit new to the Torrenting world, and I have set up my VPN(airvpn) and I have Qbitorrent. I have set up a port and put that port into my port for incoming connections, and I have my torrent running through Eddie(Airvpn). For some reason every time I click "Test open" under my port it says "Connection timed put(101)" Can anyone tell me what I am doing wrong?

I will share my setup which I think is close to what you want to achieve: 1. I have created two devices in the Client Area -> VPN Devices: 2. I forwarded ports and assigned them to devices: 3.a In Eddie a drop-down menu appeared (you may need to re-login in the app) and I selected the device: 3.b For the other device I used config generator (in the Client Area) and I selected the other device in the menu. With this setup I can connect to the same VPN server on both PC and Laptop and the port forwarding works because system knows which ports to open for each connection/device. Of course there is no need to do all this if both devices connect to different servers. The default behavior if I recall is that the newest connection to that VPN server will override the port forwarding rules for older connection(s). Result: PS. Kudos to AirVPN for having the most flexible port forwarding system on the market 😉

@itsmeprivately Hello! Please try the following settings (usually they are strictly necessary to bypass China blocks): switch to OpenVPN (if you haven't already done so) by tapping the icon "VPN Type" on the main view. Each tap switches between WireGuard and OpenVPN. force connection over TCP to port 443 in the following way: open "Settings" and expand "AirVPN" by tapping on it tap "Default OpenVPN protocol", select "TCP" and tap "OK" tap "Default OpenVPN port", select "443" and tap "OK" tap "Quick connection mode", select "Use default options only" and tap "OK" Finally test again connections to various servers in various locations. Kind regards

FYI, links for Eddie for Android are broken ;)

By using Tor behind an AirVPN node, you are blacklisting dozens of websites for no reason. IRC servers such as Freenode have been blocked, and now even imgur is blocked from uploading because it thinks its Tor. Heze is a good server and its one of only two on the West Coast, so please stop running Tor behind AirVPN nodes.

The United States is an enemy of the Internet. More and more our technology and communications are captured illegaly and stored for many years and then used against us in court. The government seems to sincerely believe that it owns the Internet and regulary hacks into foreign servers to retrieve data, seizes domain names, etc. and any citizen who can be considered a hacker under broad laws will be thrown in prison. My warning as a US citizen is to watch out, encrypt, keep everything secure, keep data offshore, and avoid any US-influenced entities such as ICANN. Thank you AirVPN for the great continued service. I've been using multiple VPN connections almost constantly for the past year everywhere and as far as I can see that will continue

Yes, it's annoying. I know your thinking, unknown TOR exit runners, you want to help the TOR network by providing one more exit node, because kind of I am afraid of possible legal consequences running a TOR exit node over my ISP line but now I'm behind a VPN and I want to help; it's okay so far. But it's not okay to not take into consideration that some of us use services and websites which constantly try to prevent TOR exit IPs from viewing them (not limited to TOR, some try to block all anonymizer services). A TOR server will be listed on a TOR exit servers list even after you shut it down and as long as it's there we suffer from blocks. Blocks we are trying to circumvent; that's what a proxy service is good for, right? In addition, AirVPN run two exits themselves. Given the bandwidth of these servers (100 MBit/s) I don't think your contribution is a great gain in overall TOR performance as your internet connection is most probably not that fast and not that stable (I assume you use your internet to watch Netflix, play games online and the like, creating traffic which lowers performance of the node). Third, you expose AirVPN and yourself to attacks from the internet by those who want to literally destroy TOR. Attacks on AirVPN's servers will cause line problems, line problems harm the user's experience. You as a TOR exit runner (although behind a VPN) expose yourself to attacks, too: It's not the AirVPN server who gets infected because a vulnerability in the TOR software is being abused; it's your computer. Your computer gets infected, and it's most probably your personal computer with your personal information on it. Your antivirus software is just a bunch of algorithms, too, it's not supposed to detect 100% of vulnerabilites in software and prevent their abuse. And: It's you who will be marked an extremist. If you think it's easy these days to help TOR you are mistaken. Maybe installation and setup is easy, to preserve your own security by running this piece of software sadly is not. So, before you start that TOR software again, think twice. Thank you.