Jump to content
Not connected, Your IP: 34.237.124.210

Leaderboard


Popular Content

Showing content with the highest reputation since 01/25/21 in Posts

  1. 2 points
    It's more than necessary, maybe not for regular users but for those who are building networks for users to use. Whoever told you that v6 is unnecceary is probably such an user him/herself. Those leaks you mentioned are nothing but VPN configuration errors and don't appear outside the VPN context – why should they, after all. Every IP host needs a globally unique IP. When the internet was an infant, designed as a research network, 255^4 - 2 IP addresses were probably enough for a second lifetime of the earth, they said. But the core belief was still that every participant in this network needed a unique IP to be directly addressable. Nothing changed with IPv6, every participant still needs a unique IP. And thus NAT was born: The idea that multiple devices of the same network/house/company/whatever can use the internet through a machine in the middle which will forward their requests and return the answers. Pro: 100+ hosts need just one public IP. Con: You get to deal with port forwarding and other stuff. That's what AirVPN's "privacy" is all about: You use the internet as if you were the AirVPN server. It's pseudonymous, not anonymous. The IPv6 challenge for VPN providers is that IPv6 does not need NAT anymore as it was explicitly made to tackle this IPv4 address space exhaustion. There's no such thing as a v6 address exhaustion (yet), so we can again afford to assign public IPs to all hosts out there. The engineers wanted it to be as easy as possible, so they used the MAC address of the interfaces to automatically build part of that IPv6 address. The problem: This MAC address is supposed to be globally unique as well (it's not exactly, but still). Another problem is that by the time v6 started to be more or less widely adopted, the online ad train was already speeding and looking for more data points to use in the targeting algorithms. A unique IP which is not changed even after a reconnect is almost equivalent to finding the Holy Grail in targeted advertising. That's what gets people around communities like this spooked. And thus the v6 Privacy Extensions were born which are now the default on all platforms: The hosts themselves simply randomize this address, and no one really needs to know how they do it as long as the address is in fact addressable. Makes them less of a target for those ads, and in my humble opinion that should be enough, but people are still spooked by the addressing possibility by MAC so they avoid it in a privacy context. Not to mention the loudest argument of them all: "I can't memorize those long addresses!" Now, IPv6 can be configured to be NATed, just like v4. AirVPN did just that: v6 is NATed like v4 so your exit IPv6 address is that of the AirVPN server, not an address calculated by your own machine. It works and is what happens if you don't disable IPv6.
  2. 2 points
    Staff

    Linux: AirVPN Suite 1.0.0 released

    @frpergflf Hello! Allowing access to those directories to group "airvpn" is a choice of each superuser. For security reasons, by default the installer sets them belonging to root user and root or wheel group to comply to the best security practices consolidated in UNIX in the last 30 years. In general, as an optimal security solution, we want that Bluetit files can be edited only by root and sudo-ers, while Goldcrest files (but not Goldcrest binary) can be changed only by users belonging to airvpn group. The lock file removal failure after Bluetit clean stop order by systemd is unexpected. When the problem re-occurs, would you be so kind to send us Bluetit log? sudo journalctl | grep bluetit @asdfasdfasdfasdfasdf No, it is not. If you proceed to implement, don't forget that Bluetit is a daemon. @dL4l7dY6 @airvpnclient A source of Bluetit instability in OSMC and Raspbian 32 bit has been detected, and it's libcurl . The linked library explodes now and then. The problem has been resolved with specific libcurl linking. Development is now focused on a new Network Lock approach, to make the whole environment more secure especially during a system bootstrap. Once it is implemented (a matter of just a few days) we will be ready for testing and soon after a new release will follow, perfectly compatible with OSMC too. Kind regards
  3. 2 points
    @Maggie144 Hello! Since Network Lock is enforced via pf rules, which act directly on the kernel filtering table, it is not plausible that Apple services can bypass them. Leaks observed on Catalina and Big Sur with other software (not our software) take place because filtering rules are enforced via specific network API. The specific network filtering exceptions (for Apple programs) hard coded in macOS Catalina and Big Sur filtering API, which caused a lot of controversies (and rightly so), allow the horrendous behavior. Actually, lack of traffic leaks when Eddie or Hummingbird Network Lock is active on Intel Mac has been thoroughly verified by us through external network sniffers. We confirm that nothing, including Apple services and apps, is able to bypass the firewall (pf) rules. We can perform the same verification on Mac M1 in the near future. The problem in iOS is worse and can't be resolved, because in iOS devices you are not in control of the device filtering table (and you are not in control of the device in general). Anyway we do not write software for iOS, as you know. Should, in the future, "Apple Silicon" platforms evolve in iOS-like system which the user can not control, then they will be unsuitable for purposes where privacy and a layer of anonymity are a priority. We doubt anyway that Apple will expel its own customers from administrative device control like it did with iOS, but let's wait and see. Kind regards
  4. 2 points
    Auri

    Eddie Desktop 2.19.7 released

    me too, but only on my laptop. My PC works just fine with version 2.19.7. Both have Windows 10 Pro 20H2 fully updated. Both have TAP-Windows 9.24.2 installed. Both use ESET Internet Security. In Computer Settings-> Services and Applications-> Services-> Eddie Elevation Service, I'm unable to start it on my laptop. One difference: my PC runs on AMD Ryzen 7 3700X 8-Core and my laptop runs on Intel Core-i7-6700HQ CPU. PROBLEM SOLVED!! ... The Eddie Elevation Service was present even when Eddie had been de-installed, and it was not possible to start this service manually. Installing OpenVPN did not help so I de-installed it too. By this time TAP-Windows 9.24.2 had disappeared. I then deleted the following key manually in the Registry Editor: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EddieElevationService. (There are cleaner ways to remove Services.) After that, installing Eddie 2.19.7 worked perfectly. Note that before this I had been using Eddie 2.18.9 (and earlier versions) for ages without a problem.
  5. 2 points
    Staff

    New 10 Gbit/s server available (CH)

    For the readers: Ain in Stockholm has been upgraded to 10 Gbit/s line and port. https://airvpn.org/forums/topic/48885-upgrade-ain-becomes-a-10-gbits-server-se/ Kind regards
  6. 1 point
    The newest pfSense how to for 2.5 is this and works perfect https://nguvu.org/pfsense/pfsense-baseline-setup/
  7. 1 point
    @busybee911 Hello! After you have stopped and disabled systemd-resolved you should generate your own resolv.conf file before running Eddie, or restart networking and let network-manager do that (via DHCP etc.) if you wish to query the router. The new resolv.conf file will then be the file that Eddie will restore when its job is finished. Kind regards
  8. 1 point
    Hello This was already in my custom option, what's your view on removing these custom options from: client;remote-cert-tls server;persist-key;persist-tun;keysize 256;key-method 2;key-direction 1;explicit-exit-notify 5;mlock;keepalive 5 30;prng sha512 64; to... client;persist-key;persist-tun;remote-cert-tls server;prng sha256 64;mlock;auth-nocache; Thank you!
  9. 1 point
    I have a reason to believe that M247 is falsifying a few of its server locations which it sells to VPN companies such as AirVPN. Disclaimer: I am not accusing AirVPN of participating in this falsification, I believe that AirVPN staff has the integrity and honesty to only purchase servers in locations they know are correct as advertised. My hypothesis is that AirVPN was merely duped into buying thse falsified locations because M247 claimed that they were real locations and AirVPN did not have any reason to suspect anything to the contrary. I noticed recently that the M247 "Phoenix" location seems to really be located in Los Angeles, M247 "Barcelona" location seems to really be in Madrid, and the M247 "Berlin" location seems to really be in Frankfurt. Traceroute shows identical routes between each of these false locations and the real location they are in, not to mention that neither Phoenix, Barcelona, or Berlin appear on M247's list of locations on their website Disclaimer 2: All of the data below is shown as it was generated, with the only thing being edited is the redaction of my ISP's traceroute hops for protection of my privacy. Exhibit A: "Phoenix" is really Los Angeles. Traceroute and ping to Indus , allegedly in M247 Phoenix Traceroute to Indus server traceroute to indus.airservers.org (193.37.254.26), 30 hops max, 38 byte packets [Redacted my ISP's traceroute hops] 8 * * * 9 ae-5.r01.lsanca20.us.bb.gin.ntt.net (129.250.6.49) 73.593 ms 68.449 ms 69.689 ms 10 ce-0-1-0-0.r01.lsanca20.us.ce.gin.ntt.net (128.241.6.1) 66.818 ms 71.847 ms 72.087 ms 11 * irb-0.agg1.lax1.us.m247.com (77.243.185.149) 89.481 ms et-0-0-49-0.agg1.lax1.us.m247.com (77.243.185.145) 79.797 ms 12 vlan2921.as09.lax1.us.m247.com (193.9.115.167) 123.200 ms 71.520 ms vlan2909.as09.lax1.us.m247.com (193.9.115.169) 74.228 ms 13 * * * 14 * * * Traceroute from Indus to Google traceroute to google.com (172.217.5.110), 30 hops max, 60 byte packets 1 10.32.6.1 (10.32.6.1) 69.597 ms 69.603 ms 69.595 ms 2 vlan177.as09.lax1.us.m247.com (193.37.254.1) 69.687 ms 69.711 ms 69.778 ms 3 irb-0.agg1.lax1.us.m247.com (193.9.115.168) 633.031 ms 633.038 ms 633.034 ms 4 37.120.220.170 (37.120.220.170) 69.490 ms 69.452 ms 69.546 ms 5 72.14.204.180 (72.14.204.180) 69.661 ms te-4-3-0.bb1.lax1.us.m247.com (82.102.29.110) 69.769 ms 69.821 ms 6 10.252.217.158 (10.252.217.158) 69.615 ms 72.14.204.180 (72.14.204.180) 67.888 ms 10.23.211.158 (10.23.211.158) 68.754 ms 7 10.252.234.254 (10.252.234.254) 67.871 ms 142.250.228.74 (142.250.228.74) 68.216 ms 10.252.234.254 (10.252.234.254) 68.221 ms 8 108.170.247.244 (108.170.247.244) 68.254 ms 108.170.237.114 (108.170.237.114) 68.228 ms 108.170.247.244 (108.170.247.244) 68.243 ms 9 108.170.247.211 (108.170.247.211) 68.818 ms 108.170.247.148 (108.170.247.148) 68.598 ms 68.843 ms 10 108.170.230.123 (108.170.230.123) 68.806 ms 108.170.230.133 (108.170.230.133) 69.010 ms 172.253.75.217 (172.253.75.217) 76.905 ms 11 172.253.75.217 (172.253.75.217) 76.921 ms 172.253.70.153 (172.253.70.153) 80.406 ms 74.125.253.148 (74.125.253.148) 75.588 ms 12 142.250.234.59 (142.250.234.59) 81.965 ms 108.170.243.1 (108.170.243.1) 78.518 ms 80.377 ms 13 108.170.236.61 (108.170.236.61) 75.650 ms 75.356 ms 108.170.243.1 (108.170.243.1) 77.960 ms 14 sfo03s07-in-f14.1e100.net (172.217.5.110) 82.906 ms 108.170.236.63 (108.170.236.63) 77.106 ms sfo03s07-in-f110.1e100.net (172.217.5.110) 103.936 ms Ping to Indus PING 193.37.254.26 (193.37.254.26) 56(84) bytes of data. 64 bytes from 193.37.254.26: icmp_seq=1 ttl=57 time=69.5 ms 64 bytes from 193.37.254.26: icmp_seq=2 ttl=57 time=68.8 ms 64 bytes from 193.37.254.26: icmp_seq=3 ttl=57 time=69.1 ms 64 bytes from 193.37.254.26: icmp_seq=4 ttl=57 time=68.0 ms 64 bytes from 193.37.254.26: icmp_seq=5 ttl=57 time=69.3 ms 64 bytes from 193.37.254.26: icmp_seq=6 ttl=57 time=68.5 ms 64 bytes from 193.37.254.26: icmp_seq=7 ttl=57 time=70.0 ms 64 bytes from 193.37.254.26: icmp_seq=8 ttl=57 time=69.2 ms 64 bytes from 193.37.254.26: icmp_seq=9 ttl=57 time=69.7 ms 64 bytes from 193.37.254.26: icmp_seq=10 ttl=57 time=68.1 ms Hmm, I wonder why all the M247 router hops are all labelled as "LAX1" for a "Phoenix" location??? Now we will compare this to Groombridge, a server in M247 Los Angeles Traceroute to Groombridge traceroute to groombridge.airservers.org (37.120.132.82), 30 hops max, 38 byte packets [Redacted my ISP's traceroute hops] 7 * * * 8 ae-2.r25.lsanca07.us.bb.gin.ntt.net (129.250.3.189) 74.561 ms 97.764 ms * 9 ae-5.r01.lsanca20.us.bb.gin.ntt.net (129.250.6.49) 73.048 ms 70.967 ms 73.707 ms 10 ce-0-1-0-0.r01.lsanca20.us.ce.gin.ntt.net (128.241.6.1) 65.112 ms 73.968 ms 71.939 ms 11 irb-0.agg1.lax1.us.m247.com (77.243.185.149) 77.359 ms * * 12 vlan2926.as15.lax1.us.m247.com (89.44.212.37) 75.003 ms 73.769 ms 217.138.223.35 (217.138.223.35) 67.763 ms 13 * * * 14 * * * Traceroute from Groombridge to YouTube traceroute to youtube.com (216.58.195.78), 30 hops max, 60 byte packets 1 10.15.134.1 (10.15.134.1) 71.514 ms 71.502 ms 71.493 ms 2 vlan170.as15.lax1.us.m247.com (37.120.132.81) 71.810 ms 71.986 ms 72.005 ms 3 * * * 4 37.120.220.198 (37.120.220.198) 75.969 ms te-1-2-0.bb1.nyc1.us.m247.com (77.243.185.18) 76.140 ms 37.120.220.198 (37.120.220.198) 75.971 ms 5 72.14.204.180 (72.14.204.180) 76.149 ms 76.154 ms te-4-3-0.bb1.lax1.us.m247.com (82.102.29.110) 75.138 ms 6 10.252.173.62 (10.252.173.62) 78.254 ms 72.14.204.180 (72.14.204.180) 73.797 ms 73.781 ms 7 209.85.254.86 (209.85.254.86) 73.773 ms 10.252.50.62 (10.252.50.62) 73.975 ms 108.170.247.193 (108.170.247.193) 74.551 ms 8 108.170.237.114 (108.170.237.114) 73.937 ms 108.170.247.193 (108.170.247.193) 74.759 ms 108.170.247.243 (108.170.247.243) 74.214 ms 9 * 108.170.247.244 (108.170.247.244) 74.196 ms 108.170.234.124 (108.170.234.124) 74.648 ms 10 209.85.254.229 (209.85.254.229) 86.701 ms * 108.170.234.27 (108.170.234.27) 72.588 ms 11 216.239.58.214 (216.239.58.214) 80.460 ms 142.250.234.56 (142.250.234.56) 81.648 ms 172.253.70.155 (172.253.70.155) 83.700 ms 12 108.170.242.241 (108.170.242.241) 80.580 ms 66.249.94.28 (66.249.94.28) 79.787 ms 108.170.242.241 (108.170.242.241) 81.349 ms 13 72.14.239.97 (72.14.239.97) 80.326 ms 108.170.242.241 (108.170.242.241) 81.308 ms 72.14.239.43 (72.14.239.43) 84.462 ms 14 72.14.239.43 (72.14.239.43) 82.598 ms sfo07s16-in-f78.1e100.net (216.58.195.78) 80.463 ms 81.950 ms Ping to Groombridge PING groombridge.airservers.org (37.120.132.82) 56(84) bytes of data. 64 bytes from 82.132.120.37.in-addr.arpa (37.120.132.82): icmp_seq=1 ttl=57 time=68.8 ms 64 bytes from 82.132.120.37.in-addr.arpa (37.120.132.82): icmp_seq=2 ttl=57 time=68.8 ms 64 bytes from 82.132.120.37.in-addr.arpa (37.120.132.82): icmp_seq=3 ttl=57 time=68.9 ms 64 bytes from 82.132.120.37.in-addr.arpa (37.120.132.82): icmp_seq=4 ttl=57 time=68.0 ms 64 bytes from 82.132.120.37.in-addr.arpa (37.120.132.82): icmp_seq=5 ttl=57 time=70.4 ms 64 bytes from 82.132.120.37.in-addr.arpa (37.120.132.82): icmp_seq=6 ttl=57 time=69.0 ms 64 bytes from 82.132.120.37.in-addr.arpa (37.120.132.82): icmp_seq=7 ttl=57 time=70.4 ms 64 bytes from 82.132.120.37.in-addr.arpa (37.120.132.82): icmp_seq=8 ttl=57 time=67.6 ms 64 bytes from 82.132.120.37.in-addr.arpa (37.120.132.82): icmp_seq=9 ttl=57 time=68.3 ms 64 bytes from 82.132.120.37.in-addr.arpa (37.120.132.82): icmp_seq=10 ttl=57 time=68.0 ms Hmm, looks suspiciously similar to me... Routes are both the same, ping is near-equal Exhibit B: "Barcelona" is really Madrid Traceroute and ping to Eridanus, allegedly in Barcelona Traceroute to Eridanus traceroute to eridanus.airservers.org (185.183.106.2), 30 hops max, 38 byte packets [Redacted my ISP's traceroute hops] 7 * * * 8 be2332.ccr32.bio02.atlas.cogentco.com (154.54.85.246) 83.833 ms 82.655 ms 83.244 ms 9 be2325.ccr32.mad05.atlas.cogentco.com (154.54.61.134) 86.389 ms 85.839 ms 86.422 ms 10 quantum-sistemas.demarc.cogentco.com (149.6.150.130) 110.559 ms 171.268 ms 118.386 ms 11 * * * 12 * * * Traceroute from Eridanus to YouTube traceroute to youtube.com (216.58.211.46), 30 hops max, 60 byte packets 1 10.16.134.1 (10.16.134.1) 89.066 ms 89.077 ms 89.072 ms 2 * * * 3 xe-1-2-3-0.bb1.mad1.es.m247.com (212.103.51.62) 89.002 ms 88.997 ms 88.992 ms 4 mad-b1-link.telia.net (213.248.95.33) 89.157 ms 89.176 ms 89.172 ms 5 google-ic-314668-mad-b1.c.telia.net (62.115.61.14) 89.168 ms 89.324 ms 89.328 ms 6 * * * 7 142.250.239.26 (142.250.239.26) 92.637 ms 72.14.233.124 (72.14.233.124) 91.657 ms 142.250.62.202 (142.250.62.202) 91.548 ms 8 108.170.234.221 (108.170.234.221) 92.059 ms 74.125.242.178 (74.125.242.178) 91.787 ms 144.397 ms 9 108.170.253.225 (108.170.253.225) 91.930 ms muc03s14-in-f14.1e100.net (216.58.211.46) 91.631 ms 108.170.253.225 (108.170.253.225) 91.934 ms Hmm, I wonder why M247's router hops in the "Barcelona" location are all labelled as "MAD1" Ping to Eridanus PING 185.183.106.2 (185.183.106.2) 56(84) bytes of data. 64 bytes from 185.183.106.2: icmp_seq=1 ttl=56 time=89.4 ms 64 bytes from 185.183.106.2: icmp_seq=2 ttl=56 time=85.9 ms 64 bytes from 185.183.106.2: icmp_seq=3 ttl=56 time=84.9 ms 64 bytes from 185.183.106.2: icmp_seq=4 ttl=56 time=85.5 ms 64 bytes from 185.183.106.2: icmp_seq=5 ttl=56 time=86.4 ms 64 bytes from 185.183.106.2: icmp_seq=6 ttl=56 time=85.0 ms 64 bytes from 185.183.106.2: icmp_seq=7 ttl=56 time=85.3 ms 64 bytes from 185.183.106.2: icmp_seq=8 ttl=56 time=87.1 ms 64 bytes from 185.183.106.2: icmp_seq=9 ttl=56 time=85.8 ms 64 bytes from 185.183.106.2: icmp_seq=10 ttl=56 time=85.3 ms Comparing this to Mekbuda, a server in Madrid M247 Traceroute to Mekbuda [Redacted my ISP's traceroute hops] 7 * * * 8 be2332.ccr32.bio02.atlas.cogentco.com (154.54.85.246) 83.761 ms 82.333 ms 82.102 ms 9 be2325.ccr32.mad05.atlas.cogentco.com (154.54.61.134) 86.121 ms 85.032 ms 86.308 ms 10 quantum-sistemas.demarc.cogentco.com (149.6.150.130) 94.879 ms 87.337 ms 88.230 ms 11 * * * 12 * * * Route from Mekbuda to Youtube traceroute to youtube.com (216.58.215.142), 30 hops max, 60 byte packets 1 10.21.198.1 (10.21.198.1) 87.692 ms 87.693 ms 87.686 ms 2 vlan29.bb2.mad1.es.m247.com (185.93.182.161) 87.696 ms 87.690 ms 87.750 ms 3 xe-1-1-0-0.bb1.mad1.es.m247.com (82.102.29.25) 87.762 ms 87.758 ms 87.753 ms 4 mad-b1-link.telia.net (213.248.95.33) 87.956 ms 88.558 ms 87.931 ms 5 google-ic-314668-mad-b1.c.telia.net (62.115.61.14) 87.836 ms 87.992 ms 87.988 ms 6 * * * 7 mad41s04-in-f14.1e100.net (216.58.215.142) 86.846 ms 74.125.242.177 (74.125.242.177) 98.934 ms 98.992 ms Ping to Mekbuda PING mekbuda.airservers.org (185.93.182.170) 56(84) bytes of data. 64 bytes from 185.93.182.170 (185.93.182.170): icmp_seq=1 ttl=56 time=87.0 ms 64 bytes from 185.93.182.170 (185.93.182.170): icmp_seq=2 ttl=56 time=88.4 ms 64 bytes from 185.93.182.170 (185.93.182.170): icmp_seq=3 ttl=56 time=86.2 ms 64 bytes from 185.93.182.170 (185.93.182.170): icmp_seq=4 ttl=56 time=88.4 ms 64 bytes from 185.93.182.170 (185.93.182.170): icmp_seq=5 ttl=56 time=86.7 ms 64 bytes from 185.93.182.170 (185.93.182.170): icmp_seq=6 ttl=56 time=85.7 ms 64 bytes from 185.93.182.170 (185.93.182.170): icmp_seq=7 ttl=56 time=85.7 ms 64 bytes from 185.93.182.170 (185.93.182.170): icmp_seq=8 ttl=56 time=87.1 ms 64 bytes from 185.93.182.170 (185.93.182.170): icmp_seq=9 ttl=56 time=88.3 ms 64 bytes from 185.93.182.170 (185.93.182.170): icmp_seq=10 ttl=56 time=88.2 ms Once again, everything is near-identical, with only a slight difference in Youtube traceroute. Exhibit C: "Berlin" is really in Frankfurt First we will test ping and traceroute to Cujam, a Berlin M247 server Traceroute to Cujam [Redacted my ISP's traceroute hops] 6 * * * 7 ae-9.r20.londen12.uk.bb.gin.ntt.net (129.250.6.146) 73.904 ms ae-11.r20.parsfr04.fr.bb.gin.ntt.net (129.250.4.195) 78.812 ms 75.580 ms 8 ae-1.r21.londen12.uk.bb.gin.ntt.net (129.250.2.183) 79.099 ms ae-2.r21.parsfr04.fr.bb.gin.ntt.net (129.250.3.46) 85.715 ms ae-1.r21.londen12.uk.bb.gin.ntt.net (129.250.2.183) 78.384 ms 9 ae-16.r20.frnkge13.de.bb.gin.ntt.net (129.250.3.13) 91.553 ms ae-11.r21.frnkge13.de.bb.gin.ntt.net (129.250.5.26) 91.521 ms ae-16.r20.frnkge13.de.bb.gin.ntt.net (129.250.3.13) 94.728 ms 10 ae-0.a00.frnkge13.de.bb.gin.ntt.net (129.250.2.25) 92.855 ms 89.619 ms 90.740 ms 11 ae-8-501.a00.frnkge13.de.ce.gin.ntt.net (213.198.52.62) 91.869 ms 92.824 ms 93.136 ms 12 37.120.220.131 (37.120.220.131) 90.856 ms vlan2945.agg2.fra4.de.m247.com (193.27.15.241) 92.015 ms 37.120.220.116 (37.120.220.116) 89.007 ms 13 vlan2925.as03.fra4.de.m247.com (83.97.21.17) 88.304 ms vlan2901.as03.fra4.de.m247.com (82.102.29.155) 93.828 ms vlan2925.as03.fra4.de.m247.com (83.97.21.17) 89.713 ms 14 * * * 15 * * * Traceroute from Cujam to YouTube 1 10.11.102.1 (10.11.102.1) 89.968 ms 89.978 ms 89.972 ms 2 37.120.217.241 (37.120.217.241) 90.041 ms 90.036 ms 90.134 ms 3 vlan2925.agg2.fra4.de.m247.com (83.97.21.16) 89.915 ms 89.910 ms 89.905 ms 4 37.120.220.130 (37.120.220.130) 90.078 ms 193.27.15.240 (193.27.15.240) 89.956 ms 37.120.220.130 (37.120.220.130) 90.199 ms 5 vlan2906.bb1.ams1.nl.m247.com (37.120.128.248) 90.252 ms 90.009 ms 37.120.128.253 (37.120.128.253) 90.176 ms 6 37.120.128.253 (37.120.128.253) 90.171 ms no-mans-land.m247.com (185.206.226.71) 89.888 ms 37.120.128.253 (37.120.128.253) 89.597 ms 7 no-mans-land.m247.com (185.206.226.71) 89.851 ms 10.252.43.30 (10.252.43.30) 89.962 ms 10.252.45.126 (10.252.45.126) 89.649 ms 8 108.170.252.1 (108.170.252.1) 90.496 ms 108.170.235.248 (108.170.235.248) 89.578 ms 10.252.73.190 (10.252.73.190) 89.598 ms 9 108.170.252.83 (108.170.252.83) 90.067 ms 108.170.252.18 (108.170.252.18) 90.020 ms 108.170.252.65 (108.170.252.65) 90.430 ms 10 * * 209.85.252.77 (209.85.252.77) 90.872 ms 11 216.239.50.187 (216.239.50.187) 99.430 ms * 209.85.252.149 (209.85.252.149) 97.794 ms 12 108.170.230.210 (108.170.230.210) 98.329 ms 72.14.238.52 (72.14.238.52) 97.997 ms 97.910 ms 13 108.170.244.161 (108.170.244.161) 97.921 ms 108.170.235.98 (108.170.235.98) 98.316 ms 108.170.244.225 (108.170.244.225) 98.802 ms 14 108.170.232.125 (108.170.232.125) 97.839 ms 98.060 ms 98.173 ms 15 108.170.234.51 (108.170.234.51) 98.067 ms par10s27-in-f206.1e100.net (216.58.198.206) 97.811 ms 98.150 ms Ping to Cujam PING cujam.airservers.org (37.120.217.242) 56(84) bytes of data. 64 bytes from 37.120.217.242 (37.120.217.242): icmp_seq=1 ttl=53 time=90.3 ms 64 bytes from 37.120.217.242 (37.120.217.242): icmp_seq=2 ttl=53 time=91.8 ms 64 bytes from 37.120.217.242 (37.120.217.242): icmp_seq=3 ttl=53 time=91.7 ms 64 bytes from 37.120.217.242 (37.120.217.242): icmp_seq=4 ttl=53 time=92.5 ms 64 bytes from 37.120.217.242 (37.120.217.242): icmp_seq=5 ttl=53 time=91.3 ms 64 bytes from 37.120.217.242 (37.120.217.242): icmp_seq=6 ttl=53 time=92.1 ms 64 bytes from 37.120.217.242 (37.120.217.242): icmp_seq=7 ttl=53 time=90.5 ms 64 bytes from 37.120.217.242 (37.120.217.242): icmp_seq=8 ttl=53 time=91.3 ms 64 bytes from 37.120.217.242 (37.120.217.242): icmp_seq=9 ttl=53 time=90.0 ms 64 bytes from 37.120.217.242 (37.120.217.242): icmp_seq=10 ttl=53 time=92.1 ms I wonder why there's no mention of "Berlin" in the traceroute hops, instead says FRA4 for Frankfurt.... Next we will compare this to Mirfak, a M247 Frankfurt server Traceroute to Mirfak [Redacted my ISP's traceroute hops] 5 * * * 6 if-ae-66-8.tcore1.l78-london.as6453.net (80.231.130.194) 93.049 ms if-ae-66-9.tcore1.l78-london.as6453.net (80.231.130.21) 92.427 ms if-ae-66-8.tcore1.l78-london.as6453.net (80.231.130.194) 92.662 ms 7 * if-ae-3-2.tcore1.pye-paris.as6453.net (80.231.154.142) 94.296 ms * 8 * * if-ae-11-2.tcore1.pvu-paris.as6453.net (80.231.153.49) 92.280 ms 9 * if-ae-49-2.tcore2.pvu-paris.as6453.net (80.231.153.21) 91.508 ms * 10 if-ae-55-2.tcore1.fr0-frankfurt.as6453.net (80.231.245.7) 100.752 ms 91.321 ms 92.308 ms 11 if-ae-55-2.tcore1.fr0-frankfurt.as6453.net (80.231.245.7) 88.325 ms 195.219.50.23 (195.219.50.23) 96.137 ms 94.877 ms 12 vlan2946.agg1.fra4.de.m247.com (193.27.15.243) 94.155 ms 37.120.220.116 (37.120.220.116) 93.367 ms 37.120.220.118 (37.120.220.118) 91.790 ms 13 vlan2917.as11.fra4.de.m247.com (212.103.51.191) 101.641 ms vlan2945.agg2.fra4.de.m247.com (193.27.15.241) 90.441 ms vlan2917.as11.fra4.de.m247.com (212.103.51.191) 93.836 ms 14 * vlan2917.as11.fra4.de.m247.com (212.103.51.191) 94.359 ms vlan2919.as11.fra4.de.m247.com (212.103.51.151) 96.080 ms 15 * * * 16 * * * The only difference in this traceroute is that the traffic goes through TATA instead of NTT which the Cujam server goes through, but the destination for both is the same: M247 in Frankfurt Traceroute to YouTube from Mirfak traceroute to youtube.com (172.217.17.46), 30 hops max, 60 byte packets 1 10.27.230.1 (10.27.230.1) 96.778 ms 96.764 ms 96.774 ms 2 vlan27.as11.fra4.de.m247.com (141.98.102.177) 97.067 ms 97.135 ms 97.329 ms 3 vlan2917.agg1.fra4.de.m247.com (212.103.51.190) 96.705 ms 96.704 ms 96.699 ms 4 37.120.128.148 (37.120.128.148) 97.120 ms 193.27.15.242 (193.27.15.242) 97.724 ms 37.120.128.148 (37.120.128.148) 97.107 ms 5 37.120.128.253 (37.120.128.253) 96.833 ms 96.835 ms vlan2906.bb1.ams1.nl.m247.com (37.120.128.248) 96.894 ms 6 no-mans-land.m247.com (185.206.226.71) 97.037 ms 37.120.128.253 (37.120.128.253) 95.349 ms 95.494 ms 7 no-mans-land.m247.com (185.206.226.71) 95.615 ms 10.252.45.190 (10.252.45.190) 98.342 ms 10.252.45.158 (10.252.45.158) 96.818 ms 8 216.239.47.244 (216.239.47.244) 96.897 ms 108.170.252.65 (108.170.252.65) 97.534 ms 142.250.46.244 (142.250.46.244) 96.712 ms 9 108.170.252.18 (108.170.252.18) 97.041 ms 108.170.251.144 (108.170.251.144) 97.279 ms 108.170.252.18 (108.170.252.18) 96.977 ms 10 * * * 11 209.85.244.158 (209.85.244.158) 104.649 ms * * 12 216.239.42.171 (216.239.42.171) 104.672 ms 216.239.42.102 (216.239.42.102) 116.455 ms 216.239.43.37 (216.239.43.37) 104.324 ms 13 216.239.42.171 (216.239.42.171) 104.748 ms 104.733 ms 216.239.43.37 (216.239.43.37) 115.898 ms 14 108.170.236.135 (108.170.236.135) 104.245 ms 104.183 ms 108.170.236.137 (108.170.236.137) 104.074 ms 15 ams16s29-in-f46.1e100.net (172.217.17.46) 103.791 ms 103.813 ms 102.372 ms Ping to Mirfak PING mirfak.airservers.org (141.98.102.234) 56(84) bytes of data. 64 bytes from 234.102.98.141.in-addr.arpa (141.98.102.234): icmp_seq=1 ttl=53 time=89.3 ms 64 bytes from 234.102.98.141.in-addr.arpa (141.98.102.234): icmp_seq=2 ttl=53 time=89.8 ms 64 bytes from 234.102.98.141.in-addr.arpa (141.98.102.234): icmp_seq=3 ttl=53 time=89.1 ms 64 bytes from 234.102.98.141.in-addr.arpa (141.98.102.234): icmp_seq=4 ttl=53 time=90.6 ms 64 bytes from 234.102.98.141.in-addr.arpa (141.98.102.234): icmp_seq=5 ttl=53 time=89.6 ms 64 bytes from 234.102.98.141.in-addr.arpa (141.98.102.234): icmp_seq=6 ttl=53 time=89.2 ms 64 bytes from 234.102.98.141.in-addr.arpa (141.98.102.234): icmp_seq=7 ttl=53 time=90.0 ms 64 bytes from 234.102.98.141.in-addr.arpa (141.98.102.234): icmp_seq=8 ttl=53 time=90.0 ms 64 bytes from 234.102.98.141.in-addr.arpa (141.98.102.234): icmp_seq=9 ttl=53 time=87.6 ms 64 bytes from 234.102.98.141.in-addr.arpa (141.98.102.234): icmp_seq=10 ttl=53 time=88.9 ms Again, everything is near-identical, suggesting that these Berlin, Phoenix, and Barcelona locations are just falsified geolocation information and nothing more. With near-identical traceroutes, and ping values that don't differ by more than 1-2ms , it is extremely unrealistic that these servers are in the locations they claim to be. If you think my data is wrong/inaccurate, then feel free to repeat my experiment yourself, you will find the same thing. I would like to reiterate that I believe that AirVPN has no part in this falsification and that they have no ill will, I think they were duped/deceived by M247 to believe that the Phoenix, Berlin and Barcelona locations are actually real physical locations M247 has their servers located in. I think after these findings, AirVPN should have a long discussion with M247 staff about this falsification that took place.
  10. 1 point
    OpenSourcerer

    Eddie GUI and/or CLI?

    This statement is correct.
  11. 1 point
    I read a while ago that someone had their bank account locked by their bank security due to making an online card purchase while using their VPN connected to servers in say Holland for example. A little later while not on the VPN they used their card again and the account was locked due to two purchases in such a short time from two different countries. Apparently it took a while to get it sorted out. For that reason I only do banking while not being connected to the VPN.
  12. 1 point
    NaDre

    OpenVPN Config

    The order of these lines does not matter. Each can be anywhere in the config file. You can have them included in every config file at the time you generate them. In the config generator check "Advanced Mode" and then paste those lines into the " OpenVPN custom directives:" text box.
  13. 1 point
    OpenSourcerer

    Overview

    Since OMEMO is an implementation of the protocol Signal uses, yes, it's on par with Signal, barring implementation errors, that is.
  14. 1 point
    grammarye

    AirVPN Suite -- Well Done

    I'll second this. I barely know my way around the deeper details of a Linux system and getting the suite going, including automatic connection on boot, was very simple. Awesome work and I completely agree on the superb documentation; so rare to see this. I'd love to see this as a package at some point. Some greater guidance on password security might not go amiss.
  15. 1 point
    Staff

    Eddie Desktop 2.19.7 released

    Hello! We're very glad to inform you that a new stable release of Eddie is now available for Linux (various ARM based architectures included), Mac, Windows. Eddie is a free and open source (GPLv3) OpenVPN GUI and CLI by AirVPN with many additional features such as: traffic leaks prevention via packet filtering rules DNS handling optional connections over Tor or a generic proxy customizable events traffic splitting on a destination IP address or host name basis complete and swift integration with AirVPN infrastructure white and black lists of VPN servers ability to support IPv4, IPv6 and IPv6 over IPv4 What's new in Eddie 2.19.7 enhanced wintun support in Windows, resolving TAP driver adapter issues and boosting performance Hummingbird 1.1.1 support in Linux and macOS for increased performance (up to 100% boost in macOS i7 systems when compared against OpenVPN 2) portable version for macOS which does not require Mono package installation nftables support by Network Lock in Linux via nft new aarch64 support through a Raspberry OS 64 bit beta specific build improved IPv6 support many bug fixes Eddie GUI and CLI now run with normal user privileges, while only a "backend" binary, which communicates with the user interface with authentication, gains root/administrator privileges, with important security safeguards in place: stricter parsing is enforced before passing a profile to OpenVPN in order to block insecure OpenVPN directives external system binaries which need superuser privileges (examples: openvpn, iptables, hummingbird) will not be launched if they do not belong to a superuser Eddie events are no more run with superuser privileges: instead of trusting blindly user's responsibility and care when dealing with events, now the user is required to explicitly operate to run something with high privileges, if necessary Backend binary is written in C++ on all systems (Windows included), making the whole application faster. Settings, certificates and keys of your account stored on your mass storage can optionally be encrypted on all systems either with a Master Password or in a system key-chain if available. Eddie 2.19.7 can be downloaded here: https://airvpn.org/linux - Linux version https://airvpn.org/macos - Mac version https://airvpn.org/windows - Windows version Eddie is free and open source software released under GPLv3. Source code is available on GitHub: https://github.com/AirVPN/Eddie Complete changelog can be found here. Kind regards & datalove AirVPN Staff
  16. 1 point
    OpenSourcerer

    DDNS issues

    Yes.
  17. 1 point
    Personally I'm using gufw for linux, and it works very well. However, it's important to remember that gufw is just a graphical frontend for ufw, and ufw, in turn, is just a friendlier system for manipulating IPTABLES (which is again a system for manipulating netfilter directly in the running kernel). Gufw is perhaps over simplified, which is why I find it not really that great for anything else than providing an overview of your rules and turning the firewall on an off. With regards to firestarter, I have tried it once, but I didn't really have any good experience with it, since, as you guys have already posted, it seems rather poorly coded and does some odd things when manipulating IPTABLES. What I found invaluable about ufw is its ability to specify rules based on interface and its simplictity even though its quite powerful. This was my main motivation for using it over other solutions like Firestarter, and Shorewall was too complicated for my taste. My rule approach goes like this: Allow connections OUT to AirVPN servers I use the most (for connecting/reconnecting to the AirVPN service, entry IP's, marked RED on the screenshot) Allow connections OUT FROM the tun0 interface TO anywhere (when I'm connected, this is the interface used to communicate to the Internet, marked GREEN on the screenshot) Allow connections (UDP/TCP) IN TO the tun0 interface to a specific port (to enable AirVPN's port forwarding feature, marked BLUE on the screeshot) Allow connections IN FROM the 192.168.1.0/24 network TO the eth0 interface (enable home networking. Notice how it's on a different interface, YELLOW) Allow connections OUT FROM the eth0 interface TO the 192.168.1.0/24 network (enable home networking, also on the eth0 interface, YELLOW) Block ALL other traffic (by choosing DENY/DENY in gufw) When the VPN drops (and the tun0 interface is disabled), the only connections allowed OUT from the computer are to the AirVPN server IP's (to reconnect) and the local 192.168.1.0/24 network (to still function in the LAN). And the only connections allowed TO the computer are from the local network as well. No leaks. Now, the gufw GUI doesn't allow for specifying the interface (remember, it's over simplified), so to do that, it's necessary to use ufw directly. Gufw can, however, display the rules when created by ufw. For example: "sudo allow out on tun0 from any to any" - is quite straightforward, and of course creates the rule that allows for communication TO the Internet when connected to AirVPN. "sudo allow in on tun0 from any to any port xxxxx" - enables the port forwarding feature by allowing packets to the specified port on the tun0 interface to pass through. Tips: - the order of the rules is very important - mimic mine on the screenshot attached - to add rules in a specific order from the command line, use "insert x": "sudo insert 3 allow in on tun0 from any to any port xxxxx" - inserts the rule at the 3rd position and moves rules below it downward, includin the previous rule nr 3. - when adding rules via the commandline, press F5 in gufw to force a refresh and view the newly added rule - the UFW manual is well worth reading, although you may not need any more information than offered in this post - with this approach, you're blocking multicasting addresses possibly forwarded by your router. Just a thing to have in mind in case you need it; it is of couse easily remedied by creating a new rule allowing the address(es). Let me know how this works for ya
  18. 1 point
    SteiferFinger

    Unable to start (No socket)

    Hello, I installed AirVPN with the Eddit Client on my Windows10 machine. Since I retstarted my computer I get following error message when trying to open the EddiUI: Unable to obtain elevated privileges (required): Unable to start (No socket) I dont know what to do, could someone help?
  19. 1 point
    @Terry Stanford Hello! If you run Eddie GUI, you can configure Eddie to activate Network Lock at startup, check "Activate Network Lock at start" in "Preferences" windows. You can also configure Eddie to connect when it is launched. If you run Eddie CLI, in a screen or tmux session run something like "sleep n && eddie-cli <options here>" where n is in seconds. Kind regards
  20. 1 point
    O.S. Sie sind der mann. What a superb explanation. I read it carefully twice, I now understand v6 addressing. I did know the history of it was due to exhaustion of v4, but beyond that I had no clue, I didn't know MAC addresses were involved (usually anyway), and I can see why that would scare people. So it should too, as you said, it's a golden ticket for targeted advertisers. Brilliant write up, thank you so much. I will turn ipv6 back on
  21. 1 point
    I connect to AirVPN from one of my VPSes. I only wanted to route particular apps through the VPN though (so eg. SSH connections and system updates still go to the internet directly) and ended up doing that via Docker. I was already using Docker for deployment of most apps on this particular server, so it worked out well. If you're okay with using Docker, and the apps you want to route through the VPN are available as Docker containers (or you're okay learning how to create your own Docker containers), one approach is to use the openvpn-client Docker container (https://hub.docker.com/r/dperson/openvpn-client). This lets you selectively route only particular Docker containers through the VPN tunnel. If you go this route, I'd recommend using docker-compose to configure the containers.
  22. 1 point
    Staff

    Linux: AirVPN Suite 1.0.0 released

    @frpergflf Hello! SELinux correctly prevents systemd to delete the lock file. That's an illegal operation that systemd wants to perform and that tells something on how systemd is designed. Bleutit crash is caused by the fact that systemd bombards with SIGTERM Bluetit (and in general any real daemon). Under specific circumstances, i.e. when 2 or more SIGTERM signals are sent to Blueit almost simultaneously, Bluetit crashes, because the promise object has been already depleted when the 2nd or nth SIGTERM is received. Again, this incomprehensible behavior tells something about how systemd is designed, but at least it made us find a bug which might cause crashes in any other similar circumstance (imagine if you manage to send SIGTERM from two "kill" commands synced to be executed almost simultaneously). Fix will be of course implemented in the next, imminent version. Kind regards
  23. 1 point
    @GrandeGiovanni I'm pretty sure you're right, and it's fairly trivial to verify. I have a server physically located in Los Angeles, in Psychz Networks' data center. If I ping Indus from that server, I get pings as low as ~0.40ms: $ ping indus.airservers.org PING indus.airservers.org (193.37.254.26) 56(84) bytes of data. 64 bytes from 193.37.254.26 (193.37.254.26): icmp_seq=1 ttl=59 time=0.421 ms 64 bytes from 193.37.254.26 (193.37.254.26): icmp_seq=2 ttl=59 time=0.554 ms 64 bytes from 193.37.254.26 (193.37.254.26): icmp_seq=3 ttl=59 time=0.450 ms 64 bytes from 193.37.254.26 (193.37.254.26): icmp_seq=4 ttl=59 time=0.403 ms ^C --- indus.airservers.org ping statistics --- 4 packets transmitted, 4 received, 0% packet loss, time 3004ms rtt min/avg/max/mdev = 0.403/0.457/0.554/0.058 ms I don't want to post any links because I'm afraid the forum system will mark this reply as spam, but you can verify this result by searching Google for "Psychz looking glass" and going to their Los Angeles looking glass. It'll let you send pings from their LA network. I can guarantee you that you will not get <0.5ms pings to a server that's physically in another location. I can't even get pings that low from one Los Angeles data center to othrer data centers in Los Angeles (ColoCrossing and QuadraNet)! Even the best networks are limited by the speed of light. Ping times are round-trip time, so a ping of 0.4ms means it takes 0.2ms to reach the server. Even if you assume a perfect network where data can flow at the speed of light with zero delays (which in reality is not possible), 0.2ms multiplied by the speed of light is only around 60 kilometers. That's less than 1/10 of the distance from Los Angeles to Phoenix! Fremont is around the same distance from Los Angeles as Phoenix. If I ping Aquila from the same server, the results are more what you'd expect for that distance: $ ping aquila.airservers.org PING aquila.airservers.org (199.249.223.129) 56(84) bytes of data. 64 bytes from 199.249.223.129 (199.249.223.129): icmp_seq=1 ttl=57 time=10.5 ms 64 bytes from 199.249.223.129 (199.249.223.129): icmp_seq=2 ttl=57 time=10.4 ms 64 bytes from 199.249.223.129 (199.249.223.129): icmp_seq=3 ttl=57 time=9.98 ms 64 bytes from 199.249.223.129 (199.249.223.129): icmp_seq=4 ttl=57 time=9.89 ms 64 bytes from 199.249.223.129 (199.249.223.129): icmp_seq=5 ttl=57 time=10.5 ms ^C --- aquila.airservers.org ping statistics --- 5 packets transmitted, 5 received, 0% packet loss, time 4005ms rtt min/avg/max/mdev = 9.885/10.258/10.544/0.270 ms From what I've seen so far, I can pretty much guarantee you that the servers are not in that data center. I've tried traceroutes from several providers using Cogent transit. If your VPN servers were actually on Cogent's network in Phoenix, I'd expect them to reach a Cogent router in Phoenix before seeing M247 in the traceroute, as Cogent will keep the traffic in their backbone network for as long as possible. However, in every single case I've seen, the traffic is only routed to Los Angeles on Cogent's network, before moving onto M247's network. Perhaps the most telling is doing a traceroute from somewhere east of Phoenix. Here's a traceroute I did from Chicago to Indus via Cogent's looking glass: traceroute to indus.airservers.org (193.37.254.26), 30 hops max, 60 byte packets 1 gi0-0-0-15.99.agr21.ord01.atlas.cogentco.com (66.250.250.89) 0.733 ms 0.731 ms 2 be2522.ccr42.ord01.atlas.cogentco.com (154.54.81.61) 1.145 ms 1.150 ms 3 be2831.ccr21.mci01.atlas.cogentco.com (154.54.42.165) 12.541 ms be2832.ccr22.mci01.atlas.cogentco.com (154.54.44.169) 16.431 ms 4 be3036.ccr22.den01.atlas.cogentco.com (154.54.31.89) 23.957 ms be3035.ccr21.den01.atlas.cogentco.com (154.54.5.89) 23.820 ms 5 be3046.ccr21.elp01.atlas.cogentco.com (154.54.0.45) 36.725 ms be3047.ccr21.elp01.atlas.cogentco.com (154.54.1.125) 36.957 ms 6 be2930.ccr32.phx01.atlas.cogentco.com (154.54.42.77) 44.976 ms be2929.ccr31.phx01.atlas.cogentco.com (154.54.42.65) 44.659 ms 7 be2932.ccr42.lax01.atlas.cogentco.com (154.54.45.162) 56.892 ms 56.898 ms 8 be3359.ccr41.lax05.atlas.cogentco.com (154.54.3.70) 56.621 ms be3243.ccr41.lax05.atlas.cogentco.com (154.54.27.118) 56.532 ms 9 38.104.85.170 (38.104.85.170) 56.920 ms 56.904 ms 10 * * 11 vlan2909.as09.lax1.us.m247.com (193.9.115.169) 56.739 ms vlan2921.as09.lax1.us.m247.com (193.9.115.167) 56.890 ms 12 * * 13 * * 14 * * Notice how hop 7 is going from Phoenix to Los Angeles? If the server was physically in Phoenix, there would be no reason to do that. All signs point to this server being physically located in Los Angeles. There's a possibility that they terminate the network in Los Angeles and then have private backhaul (like a GRE tunnel) from LA to Phoenix, but I wouldn't bet on it, especially with the 0.4ms pings from Los Angeles.
  24. 1 point
    I still use AirVPN. The latest version of these commands is here: https://github.com/tool-maker/VPN_just_for_torrents/wiki/Maintaining-SSH-Access-Using-a-VPN-on-a-Remote-Linux-Server The scripts there are the ones I currently use. They support IPv6 too. If you use AirVPN's client, be sure you turn off "network lock".
  25. 1 point
    Staff

    ios persistent vpn

    @tomMarvoloRiddle Hello! openvpn-connect can be configured as a VPN On Demand application. "VPN-On-Demand ... allows a VPN profile to specify the conditions under which it will automatically connect." Setup is not trivial and requires some patience and time, please see here: https://openvpn.net/vpn-server-resources/faq-regarding-openvpn-connect-ios/#can-i-use-ios-6-vpn-on-demand-with-openvpn Not all OpenVPN services meets "VPN on Demand" requirements. The necessary requisites are met by AirVPN. Kind regards
  26. 1 point
    Staff

    Eddie 2.19.7 unable to run, missing c++

    @MortenM Hello! Eddie 2.19.7 for Windows 7 has just been re-packaged, please re-download and the problem should be sorted out. Kind regards
  27. 1 point
    Staff

    Linux: AirVPN Suite 1.0.0 released

    @airvpnclient Thanks! The new issue you reported in OSMC is confirmed and under investigation too. Kind regards
  28. 1 point
    Staff

    ANSWERED speedtest comparison

    @pfolk Hello! Settings to use wintun driver are correct. A specific Data Channel cipher can be defined by directive "data-ciphers". Check your Eddie log to see which Data Channel cipher is used (if in doubt please open a ticket and send a log to the support team). Eddie can accept custom directives in "Preferences" > "OVPN Directives" window. Some examples with ciphers supported by our servers (enter only ONE directive): data-ciphers AES-256-GCM data-ciphers AES-128-GCM data-ciphers CHACHA20-POLY1305 (do not use in AES-NI supporting machines, i.e. desktop computers usually, because performance will be lower). Kind regards
  29. 1 point
    Hello! We're very glad to inform you that a server located in Stockholm (SE) has been upgraded: Ain. Server is now connected to a 10 Gbit/s line and port, while the motherboard has been replaced with a more powerful CPU. IP addresses remain the same. You don't need to re-generate configuration files, even if you don't run our software. As usual the server includes load balancing between daemons to squeeze as much bandwidth as possible from the 10 Gbit/s line. The server accepts connections on ports 53, 80, 443, 1194, 2018 UDP and TCP. Just like every other Air server, Ain supports OpenVPN over SSL and OpenVPN over SSH, TLS 1.3 and tls-crypt. Full IPv6 support is included as well. As usual no traffic limits, no logs, no discrimination on protocols and hardened security against various attacks with separate entry and exit-IP addresses. You can check the server status as usual in our real time servers monitor: https://airvpn.org/servers/Ain Do not hesitate to contact us for any information or issue. Kind regards and datalove AirVPN Team
  30. 1 point
    Staff

    CHACHA20-POLY1305 on all servers

    Hello! We're very glad to announce all VPN servers progressive upgrade to Data Channel CHACHA20-POLY1305 cipher and TLS 1.3 support. UPDATE 18-Nov-2020: upgrade has been completed successfully on all AirVPN servers. The upgrade requires restarting OpenVPN daemons and some other service. Users connected to servers will be disconnected and servers during upgrade will remain unavailable for two minutes approximately. In order to prevent massive, simultaneous disconnections, we have scheduled a progressive upgrade in 15 days, starting from tomorrow 5 Nov 2020. Please see the exact schedule at the bottom of this post, in the attached PDF file. Servers marked as "OK" have been already upgraded and you can use CHACHA20-POLY1305 with them right now. When should I use CHACHA20-POLY1305 cipher on OpenVPN Data Channel? In general, you should prefer CHACHA20 over AES on those systems which do not support AES-NI (AES New Instructions). CHACHA20 is computationally less onerous, but not less secure, than AES for CPUs that can't rely on AES New Instructions. If you have an AES-NI supporting CPU and system, on the contrary you should prefer AES for higher performance. How can I use CHACHA20-POLY1305 on AirVPN? CHACHA20-POLY1035 on Data Channel is supported by OpenVPN 2.5 or higher versions and OpenVPN3-AirVPN library. In Eddie Android edition, open "Settings" > "AirVPN" > "Encryption algorithm" and select CHACHA20-POLY1305. Eddie Android edition will then filter and connect to VPN servers supporting CHACHA20-POLY1305 and will use the cipher both on Control and Data channels. In our web site Configuration Generator, after you have ticked "Advanced Mode", you can pick OpenVPN version >=2.5, and also select "Prefer CHACHA20-POLY1305 cipher if available". If you're generating a configuration file for Hummingbird, select OpenVPN3-AirVPN: the configuration file needs to be different, because some new directives of OpenVPN 2.5 are not supported in OpenVPN3, and Hummingbird is based on OpenVPN3-AirVPN. In Eddie desktop edition, upgrade to 2.19.6 version first. Then select the above mentioned option. However, most desktop computers support AES-NI, so make sure to check first, because using CHACHA20-POLY1305 on such systems will cause performance harm when you go above 300 Mbit/s (if you stay below that performance, probably you will not notice any difference). Also note that if your system does not have OpenVPN 2.5 or higher version you will not be able to use CHACHA20-POLY1305. If you wish to manually edit your OpenVPN 2.5 profile to prefer CHACHA20 on Data Channel when available: delete directive cipher add the following directive: data-ciphers CHACHA20-POLY1305:AES-256-GCM Pending Upgrade Server Schedule Kind regards and datalove AirVPN Staff
  31. 1 point
    decided to switch on my Pfsense router just now. running a ARM Cortex-A9 r4p1 processor on the latest version: 2.5.0-DEVELOPMENT (arm) built on Fri Nov 27 06:54:52 EST 2020 FreeBSD 12.2-STABLE not having ANY performance hits so far whatsoever. if anything it seems more responsive
  32. 1 point
    OpenSourcerer

    Split Tunnelling using Eddie

    No, point 1 is actually the right way. Did you add the routes before connecting? Can you please try the current beta which is 2.19.6?
  33. 1 point
    Hello, after I posted some suggestions for Eddie's CLI version in this thread and received some helpful information there, I set out to write my own little interface in bash for it to implement the suggestions. Being no programmer it turned out to be quite a project for me, and I would like to share it here in case anybody else prefers to run Eddie in the terminal rather than as a full GUI application. This script still uses Eddie itself, it's just a wrapper to make it as easy to use in the command line as it is as a desktop application. Screenshots are attached. Some features and advantages: uses less resources (top shows usually 0.3% CPU usage compared to 4-5% for the desktop version) can be exited without disconnecting interactive, sortable server list option to connect to another VPN with openconnect (since I need to do that from time to time, but it should be easy to add other connection methods as well) option to lock down the system's network traffic by default, so even without Eddie running with its own network lock there will be no leaks What to watch out for: The default network lock works with direct rules in firewalld because I'm using Fedora. It should be easy to change it to use iptables directly on other distributions since firewalld's direct rules are just a way to directly manipulate iptables. Once activated, the lock will stay in place until manually deactivated (also surviving reboots), so no internet connection will be possible unless connected to AirVPN or other whitelisted VPNs. AirVPN's network lock overwrites the default network lock, so there will be no interference. Check your /etc/resolv.conf file while not running Eddie (because Eddie's network lock replaces that file temporarily) to make sure your router is not set as a nameserver (so no 192.168... address). Some routers will push themselves on that list by DHCP whenever you connect to their network. Since communication with the router is allowed in the lock rules, DNS requests will be handled by the router and sent to whatever DNS server is configured there even when network traffic should be blocked. There are ways to prevent that file from being changed by DHCP, best configure network manager for that if you use it. To connect to other VPNs, their IPs must be whitelisted and DNS requests for their domains must be allowed in the default network lock rules. The rules for airvpn.org can be copied and adjusted. I haven't yet included an option to pass command line arguments to Eddie. So if you need to set more advanced options like black-/whitelists, use of certain protocols etc., you need to set them manually in the connect_server function. All the possible options can be found in 'man eddie-ui'. You need to insert your own API key in line 5. It can be found in your account under Client Area -> API. Without this, connections will still work, but user info and connection status in the main window will not be properly updated. I tried to only use basic system tools. The script relies mostly on dialog, awk and curl (and firewalld as described and openconnect if needed), so it should work on most systems, but I'm not sure. And, lastly, VERY IMPORTANT: As I said, I'm no programmer and new to this, so even though I tried my best to make this script secure and error free, there might very well be some bad practice, never-ever-do-this mistakes or other hiccups in there. It works well for me, but better check it yourself. Feel free to use this as you wish, I hope someone can benefit from this. I'm happy about any improvements and corrections and will update this if I find the time. UPDATE: A new version which uses Hummingbird and has been improved in many aspects (including automatic connection at boot) can be found here. #!/bin/bash # an interactive shell script to control the command line version of the AirVPN Eddie client and openconnect more comfortably PROFILE_PATH="$HOME/.airvpn/default.xml" API_KEY="<your api key>" DIALOG_OK=0 DIALOG_CANCEL=1 DIALOG_EXTRA=3 DIALOG_ESC=255 HEIGHT=0 WIDTH=0 BACKTITLE="VPN Control" FORMAT="text" URL="https://airvpn.org/api/" PID=$$ function check_sudo { # check if user has sudo privileges sudo -vn &> /dev/null # gain sudo privileges for commands that need it (better than running everything with sudo) if [ $? = "1" ] then unset EXIT_STATUS_SUDO PASS_PROMPT="Establishing VPN connections and changing network traffic rules requires root privileges. Please enter your password:" until [ "$EXIT_STATUS_SUDO" = "0" ] do dialog \ --backtitle "$BACKTITLE" \ --title "Password Needed" \ --output-fd 1 \ --insecure \ --passwordbox "$PASS_PROMPT" 11 35 | xargs printf '%s\n' | sudo -Svp '' &> /dev/null EXIT_STATUS_PIPE=( "${PIPESTATUS[@]}" ) EXIT_STATUS_DIALOG="${EXIT_STATUS_PIPE[0]}" EXIT_STATUS_SUDO="${EXIT_STATUS_PIPE[2]}" EXIT_SUDO_TEST="${EXIT_STATUS_PIPE[2]}" PASS_PROMPT="The password you entered is incorrect. Please try again:" case $EXIT_STATUS_DIALOG in $DIALOG_CANCEL|$DIALOG_ESC) return 1 ;; esac done # keep sudo permission until script exits or permissions are revoked (e.g. when computer goes to sleep) while [ "$EXIT_SUDO_TEST" = "0" ]; do sudo -vn; EXIT_SUDO_TEST=$?; sleep 60; kill -0 "$PID" || exit; done &> /dev/null & fi return 0 } function get_list { SERVICE_NAME="status" ARGS="{ \"format\":\"$FORMAT\", \"service\":\"$SERVICE_NAME\" }" timeout --signal=SIGINT 10 curl -s -d "$ARGS" -X POST "$URL" > "/tmp/.eddie_server_list.txt" } function sort_list { # pipe server status list to awk, filter out unnecessary stuff, # combine lines that relate to same server into single lines which are saved as array, # loop through array to format info, # print array and sort according to options, # add numbers to list for menu LIST=$(awk -F '[.]' \ 'BEGIN{OFS=";"} \ /^servers/ && !/ip_/ && !/country_code/ {c=$2; \ if (c in servers) servers[c]=servers[c] OFS $3; \ else servers[c]=$3; \ for (k in servers) gsub(/;bw=/, " :", servers[k]); \ for (k in servers) gsub(/;bw_max=/, "/", servers[k]); \ for (k in servers) gsub(/;currentload=/, " :", servers[k]); \ for (k in servers) gsub(/;health=/, "%:", servers[k]); \ for (k in servers) gsub(/;.*=/, ":", servers[k]); \ for (k in servers) gsub(/^.*=/, "", servers[k])} \ END{ \ for (c in servers) print servers[c]}' "/tmp/.eddie_server_list.txt" | sort -t ":" $1 | awk -F '[;]' 'BEGIN{OFS=":"} {print v++";"$1}') } function get_userinfo { SERVICE_NAME="userinfo" ARGS="{ \"format\":\"$FORMAT\", \"service\":\"$SERVICE_NAME\", \"key\":\"$API_KEY\" }" # filter specific lines, save values to variables after protecting whitespace read U_LOGIN U_EXP U_CONNECTED U_DEVICE U_SERVER_NAME U_SERVER_COUNTRY U_SERVER_LOCATION U_TIME <<< $( \ timeout --signal=SIGINT 10 curl -s -d "$ARGS" -X POST "$URL" | \ awk -F '[=]' \ 'BEGIN{ORS=";"} \ /^user.login|^user.expiration_days|^user.connected|^sessions.*device_name|^connection.server_name|^connection.server_country=|^connection.server_location|^connection.connected_since_date/ \ {print $2}' | \ sed 's/\ /\\\ /g' | sed 's/;/\ /g' \ ) if [ "$U_CONNECTED" = "1" ] then U_CONNECTED="connected" U_SERVER_FULL="$U_SERVER_NAME ($U_SERVER_LOCATION, $U_SERVER_COUNTRY)" U_TIME=$(date -d "$U_TIME UTC" +"%m/%d/%Y %H:%M:%S") else U_CONNECTED="not connected" U_SERVER_FULL="--" U_TIME="--" fi } function connect_server { if [ "$KILLED" = "true" ] then # create pipes to process status of client if [ ! -p "/tmp/.eddie_fifo1" ] then mkfifo "/tmp/.eddie_fifo1" fi if [ ! -p "/tmp/.eddie_fifo2" ] then mkfifo "/tmp/.eddie_fifo2" fi # run eddie in background and detached from current window, pipe output to named pipe (sudo eddie-ui --cli --netlock --connect --server="$1" --profile="$PROFILE_PATH" | tee "/tmp/.eddie_fifo2" &> "/tmp/.eddie_fifo1" &) cat "/tmp/.eddie_fifo2" | dialog --backtitle "$BACKTITLE" --title "Connecting to AirVPN..." --progressbox 20 80 & timeout --signal=SIGINT 60 grep -q -m 1 "Initialization Sequence Completed" "/tmp/.eddie_fifo1" INIT_EXIT=$? pkill -f cat.*eddie_fifo2 if [ $INIT_EXIT = "0" ] then get_userinfo else U_CONNECTED="error during connection attempt" U_SERVER_FULL="--" U_TIME="--" fi else U_CONNECTED="error during disconnection" U_SERVER_FULL="--" U_TIME="--" fi } function disconnect_server { # check for running instance of eddie pgrep -f mono.*eddie-ui &> /dev/null if [ $? = 0 ] then # kill process and wait for confirmation from process output if [ -p "/tmp/.eddie_fifo1" -a -p "/tmp/.eddie_fifo2" ] then sudo pkill -2 -f mono.*eddie-ui & cat "/tmp/.eddie_fifo1" | dialog --backtitle "$BACKTITLE" --title "Disconnecting AirVPN..." --progressbox 20 80 & timeout --signal=SIGINT 10 grep -q -m 1 "Shutdown complete" "/tmp/.eddie_fifo2" else # in case connection was started without this script sudo pkill -2 -f mono.*eddie-ui sleep 5 fi # give some time to completely close process, without sleep it's too early for new connection sleep 3 pgrep -f mono.*eddie-ui &> /dev/null if [ $? = 1 ] then KILLED1="true" else KILLED1="false" fi else KILLED1="true" fi # check for running instance of openconnect pgrep -f "openconnect.*--" &> /dev/null if [ $? = 0 ] then sudo pkill -2 -f "openconnect.*--" sleep 1 pgrep -f "openconnect.*--" &> /dev/null if [ $? = 1 ] then KILLED2="true" # somehow openconnect doesn't receive SIGINT and shuts down improperly, # so vpnc can't restore resolv.conf by itself sudo cp "/var/run/vpnc/resolv.conf-backup" "/etc/resolv.conf" else KILLED2="false" fi else KILLED2="true" fi if [ "$KILLED1" = "true" -a "$KILLED2" = "true" ] then KILLED="true" else KILLED="false" fi } function define_lock { if [ "$1" = "activate" ] then GAUGE_TITLE="Activating Network Lock" RULE_ACTION="add-rule" elif [ "$1" = "deactivate" ] then GAUGE_TITLE="Deactivating Network Lock" RULE_ACTION="remove-rule" else return 1 fi GAUGE_BODY="$1" IPRULES=(\ #allow loopback "sudo firewall-cmd --direct --permanent --$RULE_ACTION ipv4 filter INPUT 0 -i lo -j ACCEPT" \ "sudo firewall-cmd --direct --permanent --$RULE_ACTION ipv4 filter OUTPUT 0 -o lo -j ACCEPT" \ #allow lan (out) and broadcasting/dhcp "sudo firewall-cmd --direct --permanent --$RULE_ACTION ipv4 filter OUTPUT 0 -s 192.168.0.0/16 -d 192.168.0.0/16 -j ACCEPT" \ "sudo firewall-cmd --direct --permanent --$RULE_ACTION ipv4 filter INPUT 0 -s 255.255.255.255 -j ACCEPT" \ "sudo firewall-cmd --direct --permanent --$RULE_ACTION ipv4 filter OUTPUT 0 -d 255.255.255.255 -j ACCEPT" \ # allow tun device to communicate (so any VPN connection should be possible, also without Air, but respective DNS requests must be allowed) "sudo firewall-cmd --direct --permanent --$RULE_ACTION ipv4 filter FORWARD 0 -o tun+ -j ACCEPT" \ "sudo firewall-cmd --direct --permanent --$RULE_ACTION ipv4 filter FORWARD 0 -i tun+ -j ACCEPT" \ "sudo firewall-cmd --direct --permanent --$RULE_ACTION ipv4 filter OUTPUT 998 -o tun+ -j ACCEPT" \ # optional masquerade rule (NAT/ports) "sudo firewall-cmd --direct --permanent --$RULE_ACTION ipv4 nat POSTROUTING 0 -o tun+ -j MASQUERADE" \ # allow ipv4 only to airvpn.org for status update # allow DNS query to resolve hostname (hex string reads "06 airvpn 03 org" - numbers are counting bits), # restrict packet length to length of this specific request package (might change?) to avoid hijacking # of query (very unlikely I guess, but who cares if we're already being paranoid for the fun of it), # whitelist destination IP for TCP handshake "sudo firewall-cmd --direct --permanent --$RULE_ACTION ipv4 filter OUTPUT 1 -p udp --dport 53 -m string --hex-string '|06 61697276706e 03 6f7267|' --algo bm -m length --length 0:126 -m recent --set -j ACCEPT" \ "sudo firewall-cmd --direct --permanent --$RULE_ACTION ipv4 filter OUTPUT 1 -p tcp --dport 53 -m string --hex-string '|06 61697276706e 03 6f7267|' --algo bm -m length --length 0:126 -m recent --set -j ACCEPT" \ # add rules for other domains you wish to allow DNS requests to here (packet length can be determined with e.g. wireshark) and adjust array index # # allow SYN request to whitelisted IP to initiate handshake, remove IP from whitelist "sudo firewall-cmd --direct --permanent --$RULE_ACTION ipv4 filter OUTPUT 1 -p tcp --syn --dport 53 -m recent --remove -j ACCEPT" \ # allow outgoing connection to Air's IP "sudo firewall-cmd --direct --permanent --$RULE_ACTION ipv4 filter OUTPUT 1 -d 5.196.64.52 -j ACCEPT" \ # add rules for other IPs you wish to allow connections to here # # allow communication "sudo firewall-cmd --direct --permanent --$RULE_ACTION ipv4 filter INPUT 1 -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT" \ # drop outgoing ipv4 (if not specifically allowed by other rules) "sudo firewall-cmd --direct --permanent --$RULE_ACTION ipv4 filter OUTPUT 999 -j DROP" \ # block incoming ipv4 "sudo firewall-cmd --direct --permanent --$RULE_ACTION ipv4 filter INPUT 999 -j DROP" \ # drop all ipv6 "sudo firewall-cmd --direct --permanent --$RULE_ACTION ipv6 filter OUTPUT 0 -j DROP" \ "sudo firewall-cmd --direct --permanent --$RULE_ACTION ipv6 filter INPUT 0 -j DROP" \ # reload and restart firewalld to activate permanent rule changes "sudo firewall-cmd --reload" \ "sudo systemctl restart firewalld"\ ) toggle_lock } function toggle_lock { PERCENTAGE_STEP=$(awk -v rules="${#IPRULES[@]}" 'BEGIN {print 100/rules}') PERCENTAGE=0 COUNTER=0 # initial window dialog --backtitle "$BACKTITLE" \ --title "$GAUGE_TITLE" \ --mixedgauge "Applying iptable rules to $GAUGE_BODY the default network lock..." 35 80 "$(awk -v per="$PERCENTAGE" 'BEGIN {printf "%.0f", per}')" \ "Allow Loopback IN" "${RESULT[0]}" \ "Allow Loopback OUT" "${RESULT[1]}" \ "Allow LAN OUT" "${RESULT[2]}" \ "Allow DHCP IN" "${RESULT[3]}" \ "Allow DHCP OUT" "${RESULT[4]}" \ "Allow tun out FORWARD" "${RESULT[5]}" \ "Allow tun in FORWARD" "${RESULT[6]}" \ "Allow tun out OUT" "${RESULT[7]}" \ "tun masquerade" "${RESULT[8]}" \ "Allow DNS via UDP to airvpn.org" "${RESULT[9]}" \ "Allow DNS via TCP to airvpn.org" "${RESULT[10]}" \ "Allow connection initiation" "${RESULT[11]}" \ "Allow traffic to airvpn.org" "${RESULT[12]}" \ "Allow established connections" "${RESULT[13]}" \ "Block IPv4 OUT" "${RESULT[14]}" \ "Block IPv4 IN" "${RESULT[15]}" \ "Block IPv6 OUT" "${RESULT[16]}" \ "Block IPv6 IN" "${RESULT[17]}" \ "activate changes" "${RESULT[18]}" \ "restart firewalld" "${RESULT[19]}" for i in "${IPRULES[@]}" do RESULT["$COUNTER"]=$(eval $i) (( COUNTER++ )) PERCENTAGE=$(awk -v per="$PERCENTAGE" -v per_step="$PERCENTAGE_STEP" 'BEGIN {print per+per_step}') # progress window dialog --backtitle "$BACKTITLE" \ --title "$GAUGE_TITLE" \ --mixedgauge "Applying iptable rules to $GAUGE_BODY the default network lock..." 35 80 "$(awk -v per="$PERCENTAGE" 'BEGIN {printf "%.0f", per}')" \ "Allow Loopback IN" "${RESULT[0]}" \ "Allow Loopback OUT" "${RESULT[1]}" \ "Allow LAN OUT" "${RESULT[2]}" \ "Allow DHCP IN" "${RESULT[3]}" \ "Allow DHCP OUT" "${RESULT[4]}" \ "Allow tun out FORWARD" "${RESULT[5]}" \ "Allow tun in FORWARD" "${RESULT[6]}" \ "Allow tun out OUT" "${RESULT[7]}" \ "tun masquerade" "${RESULT[8]}" \ "Allow DNS via UDP to airvpn.org" "${RESULT[9]}" \ "Allow DNS via TCP to airvpn.org" "${RESULT[10]}" \ "Allow connection initiation" "${RESULT[11]}" \ "Allow traffic to airvpn.org" "${RESULT[12]}" \ "Allow established connections" "${RESULT[13]}" \ "Block IPv4 OUT" "${RESULT[14]}" \ "Block IPv4 IN" "${RESULT[15]}" \ "Block IPv6 OUT" "${RESULT[16]}" \ "Block IPv6 IN" "${RESULT[17]}" \ "activate changes" "${RESULT[18]}" \ "restart firewalld" "${RESULT[19]}" done # final window to show results dialog --backtitle "$BACKTITLE" \ --title "$GAUGE_TITLE" \ --mixedgauge "Applying iptable rules to $GAUGE_BODY the default network lock..." 35 80 "$(awk -v per="$PERCENTAGE" 'BEGIN {printf "%.0f", per}')" \ "Allow Loopback IN" "${RESULT[0]}" \ "Allow Loopback OUT" "${RESULT[1]}" \ "Allow LAN OUT" "${RESULT[2]}" \ "Allow DHCP IN" "${RESULT[3]}" \ "Allow DHCP OUT" "${RESULT[4]}" \ "Allow tun out FORWARD" "${RESULT[5]}" \ "Allow tun in FORWARD" "${RESULT[6]}" \ "Allow tun out OUT" "${RESULT[7]}" \ "tun masquerade" "${RESULT[8]}" \ "Allow DNS via UDP to airvpn.org" "${RESULT[9]}" \ "Allow DNS via TCP to airvpn.org" "${RESULT[10]}" \ "Allow connection initiation" "${RESULT[11]}" \ "Allow traffic to airvpn.org" "${RESULT[12]}" \ "Allow established connections" "${RESULT[13]}" \ "Block IPv4 OUT" "${RESULT[14]}" \ "Block IPv4 IN" "${RESULT[15]}" \ "Block IPv6 OUT" "${RESULT[16]}" \ "Block IPv6 IN" "${RESULT[17]}" \ "activate changes" "${RESULT[18]}" \ "restart firewalld" "${RESULT[19]}" sleep 2 unset RESULT check_lock } function check_lock { # check for success (not really though, needs improvement) LOCK_RULES=$( sudo firewall-cmd --direct --permanent --get-all-rules | wc -l ) if [ "$LOCK_RULES" -gt 16 ] then LOCK_ACTIVE="active" else LOCK_ACTIVE="inactive" fi } function yesno { dialog \ --backtitle "$BACKTITLE" \ --title "$1" \ --clear \ --yesno "$2" \ $HEIGHT $WIDTH EXIT_STATUS=$? } check_sudo if [ $? = "1" ] then clear exit fi get_userinfo # if currently connected by openconnect, set status to unknown (connection could have been established outside of this script) pgrep openconnect &> /dev/null if [ $? = 0 ] then U_CONNECTED="connected (openconnect)" U_SERVER_FULL="unknown" U_TIME="unknown" fi check_lock while true; do exec 3>&1 selection=$(dialog \ --cr-wrap \ --backtitle "$BACKTITLE" \ --title "Main Menu" \ --clear \ --cancel-label "Quit" \ --menu "This is a control script for VPN connections, primarily for Eddie, the AirVPN client.\nThis script can be exited and re-entered without affecting a running connection.\n\nUser: $U_LOGIN\nDays Until Expiration: $U_EXP\n\nDefault Network Lock: $LOCK_ACTIVE\n\nStatus: $U_CONNECTED\nServer: $U_SERVER_FULL\nConnected Since: $U_TIME\n\nPlease select one of the following options:" $HEIGHT $WIDTH 6 \ "0" "Connect to Recommended Server" \ "1" "Connect to Specific Server" \ "2" "Connect via openconnect" \ "3" "Disconnect" \ "4" "Refresh User Info" \ "5" "Toggle Default Network Lock" \ 2>&1 1>&3) EXIT_STATUS=$? exec 3>&- case $EXIT_STATUS in $DIALOG_CANCEL|$DIALOG_ESC) yesno "Quit" "Exit Script?" case $EXIT_STATUS in $DIALOG_CANCEL|$DIALOG_ESC) ;; $DIALOG_OK) break ;; esac ;; esac case $selection in 0 ) check_sudo if [ $? = "0" ] then disconnect_server connect_server "" fi ;; 1 ) while true; do exec 3>&1 SERVER_SORT=$(dialog \ --backtitle "$BACKTITLE" \ --title "Sort Server List" \ --no-collapse \ --ok-label "sort ascending" \ --extra-button \ --extra-label "sort descending" \ --menu "Please choose how you want to sort the server list." \ 14 0 7 \ "1" "Name" \ "2" "Country" \ "3" "Location" \ "4" "Continent" \ "5" "Bandwidth" \ "6" "Users" \ "7" "Load" \ 2>&1 1>&3) EXIT_STATUS=$? exec 3>&- case $EXIT_STATUS in $DIALOG_CANCEL|$DIALOG_ESC) break ;; $DIALOG_EXTRA) SERVER_SORT_OPTION="r" ;; $DIALOG_OK) SERVER_SORT_OPTION="" ;; esac if [ "$SERVER_SORT" = "5" -o "$SERVER_SORT" = "6" -o "$SERVER_SORT" = "7" ] then SERVER_NUM_OPTION="n" else SERVER_NUM_OPTION="" fi if [ ! -f "/tmp/.eddie_server_list.txt" ] then get_list fi while true do sort_list "-k$SERVER_SORT,$SERVER_SORT$SERVER_SORT_OPTION$SERVER_NUM_OPTION" IFS=$';\n' exec 3>&1 SERVER_NMBR=$(dialog \ --backtitle "$BACKTITLE" \ --title "Server List" \ --colors \ --no-collapse \ --extra-button \ --extra-label "Refresh List" \ --column-separator ":" \ --menu "Choose a server from the list to connect to it. (Press ESC to go back.)\n\n\Zb # Name Country Location Continent Bandwidth Users Load Health\ZB" \ 40 102 31 $LIST 2>&1 1>&3) EXIT_STATUS=$? exec 3>&- IFS=$' \t\n' case $EXIT_STATUS in $DIALOG_CANCEL) break 2 ;; $DIALOG_ESC) break ;; $DIALOG_EXTRA) get_list ;; $DIALOG_OK) check_sudo if [ $? = "0" ] then SELECTED_SERVER=$(printf -- '%s\n' "${LIST[@]}" | grep "^$SERVER_NMBR;" | cut -d ";" -f 2 | cut -d ":" -f 1) disconnect_server connect_server "$SELECTED_SERVER" break 2 fi ;; esac done done ;; 2 ) exec 3>&1 # adjust field lengths if necessary CONNECT_INFO=$(dialog \ --backtitle "$BACKTITLE" \ --title "VPN via openconnect" \ --insecure \ --mixedform "Please provide your login credentials to connect to a VPN via openconnect:\n(Leave unneeded fields blank and type options as in command line, separated by space.)" $HEIGHT $WIDTH 6 \ "Server:" 1 1 "" 1 21 25 0 0 \ "Group:" 2 1 "" 2 21 25 0 0 \ "User:" 3 1 "" 3 21 25 0 0 \ "Password:" 4 1 "" 4 21 25 0 1 \ "Additional Options:" 5 1 "" 5 21 25 0 0 \ 2>&1 1>&3) EXIT_STATUS=$? exec 3>&- case $EXIT_STATUS in $DIALOG_CANCEL|$DIALOG_ESC) ;; $DIALOG_OK) check_sudo if [ $? = "0" ] then disconnect_server if [ "$KILLED" = "true" ] then if [ ! -p "/tmp/.eddie_fifo1" ] then mkfifo "/tmp/.eddie_fifo1" fi ALT_SERVER=$(echo -n "$CONNECT_INFO" | cut -d$'\n' -f 1) ALT_GROUP=$(echo -n "$CONNECT_INFO" | cut -d$'\n' -f 2) ALT_USER=$(echo -n "$CONNECT_INFO" | cut -d$'\n' -f 3) ALT_PASS=$(echo -n "$CONNECT_INFO" | cut -d$'\n' -f 4) ALT_OPTS=$(echo -n "$CONNECT_INFO" | cut -d$'\n' -f 5) echo "$ALT_PASS" | (sudo openconnect $ALT_OPTS --authgroup=$ALT_GROUP --user=$ALT_USER --passwd-on-stdin $ALT_SERVER &> "/tmp/.eddie_fifo1" &) timeout --signal=SIGINT 3 cat "/tmp/.eddie_fifo1" | dialog --backtitle "$BACKTITLE" --title "Connecting via openconnect..." --timeout 5 --programbox 20 80 U_CONNECTED="connected" U_SERVER_FULL="$ALT_SERVER" U_TIME=$(date +"%m/%d/%Y %H:%M:%S") else U_CONNECTED="error during disconnection" U_SERVER_FULL="--" U_TIME="--" fi fi ;; esac ;; 3 ) check_sudo if [ $? = "0" ] then disconnect_server if [ "$KILLED" = "true" ] then get_userinfo else U_CONNECTED="error during disconnection" U_SERVER_FULL="--" U_TIME="--" fi if [ -p "/tmp/.eddie_fifo1" ] then rm "/tmp/.eddie_fifo1" fi if [ -p "/tmp/.eddie_fifo2" ] then rm "/tmp/.eddie_fifo2" fi fi ;; 4 ) get_userinfo ;; 5 ) pgrep -f mono.*eddie-ui &> /dev/null if [ $? = 0 ] then dialog --backtitle "$BACKTITLE" --title "Toggle Network Lock" --timeout 3 --msgbox "You need to be disconnected to change network traffic rules." 10 35 else if [ "$LOCK_ACTIVE" = "inactive" ] then yesno "Toggle Network Lock" "Are you sure you want to activate the default network lock and block all connections while not connected to (any) VPN?" case $EXIT_STATUS in $DIALOG_CANCEL|$DIALOG_ESC) ;; $DIALOG_OK) check_sudo if [ $? = "0" ] then define_lock "activate" fi ;; esac else yesno "Toggle Network Lock" "Are you sure you want to deactivate the default network lock and allow all connections, even when not connected to a VPN?" case $EXIT_STATUS in $DIALOG_CANCEL|$DIALOG_ESC) ;; $DIALOG_OK) check_sudo if [ $? = "0" ] then define_lock "deactivate" fi ;; esac fi fi ;; esac done clear
  34. 1 point
    freak

    AirVPN is faster than NordVPN but...

    @Staff The 'cipher AES-256-GCM' also works well. Thanks! It is difficult to see whether it is better - but it definitely also works fine.
  35. 1 point
    Staff

    Probs with Port / Eddi / hummingbird

    @tami Hello! Hummingbird has a tiny RAM footprint if compared to Eddie (a dozen MB against hundreds of MB), even because it does not need Mono and does not have a GUI, so if you don't need a GUI use Hummingbird. CPU usage is high when traffic encryption/decryption is necessary and that's also why you can't beat some throughput limit. Hummingbird 1.1.0 is linked against mbedTLS library. New Hummingbird 1.1.1 (you can already test it, RC 1 was out some days ago) is linked against OpenSSL, which now provides higher performance than mbedTLS, at the price of a little more needed RAM. Please test it if you can and check whether the problem remains. -N off disables "Network Lock" feature. If disabling "Network Lock" resolves the problem, why Network Lock activation prevents you from connecting remains to be seen. If the problem persists with Hummingbird 1.1.1, would you like to post the complete log? If you post it, please make sure not to delete VPN server IP address as you did. It's an important information and does not compromise your privacy. Since Raspberry CPU does not support AES-NI, you can boost performance by connecting with cipher CHACHA20-POLY1305. New Hummingbird 1.1.1 is linked against our latest OpenVPN 3 AirVPN library release, which supports data-ciphers directive and is updated to comply to OpenVPN 2.5 (which runs in our servers) specifications, so you can enforce CHACHA20 and any other supported cipher with a proper profile, or by command line option. To download Hummingbird 1.1.1 please see here: https://airvpn.org/forums/topic/48435-linux-new-software-airvpn-suite-10-beta/ Hummingbird is included in the suite (of course feel free to test Goldcrest+Bluetit too). Kind regards
  36. 1 point
    solved. I'm unable to replicate the issue now, as this seems like an issue only at initial setup. When eddie was first run, the 'main window' is automatically shown in order to provide login credentials. This window is NOT able to be brought to focus by using the gui/mouse. No amount of clicking on the window (even quitting the program or restarting the computer) would give the window focus. Only by going to the menu bar and selecting the option 'Show main window' will give the window focus and allow me to enter the credentials. Once this was done I was able to get logged in/connected. Now, the 'main window' does not show automatically on launch. The only way to get to the window is with the menu bar selection. FYI this is the last series of intel i5 macbook prior to the M1 release running Big Sur 11.1
  37. 1 point
    @fkeriviavcxjhvjke Hello! You have three options. 1) Run AirVPN Suite 1.0.0. It will take care properly of DNS push even when systemd-resolved is configured to work in on-link mode bypassing resolv..conf and even when it works together with network-manager. Tested successfully under new Fedora 33 default settings. The suite is free and open source software by AirVPN, based also on a robust client-daemon architecture, and offers Network Lock (for traffic leaks prevention) which works fine even in Fedora 33. See here: https://airvpn.org/forums/topic/48435-linux-new-software-airvpn-suite-10-beta/ 2) Disable systemd-resolved and re-create /etc/resolv.conf file to work with global DNS as usual, instead of the questionable and dangerous per-link basis mode. After that, you can either run AirVPN Suite 1.0.0, OpenVPN with update-resolv-conf script, or Eddie. Eddie is a free and open source software by AirVPN with a GUI running in Mono. Only when systemd-resolved is disabled or re-configured to respect /etc/resolv.conf, can Eddie be used in Fedora 33. If you choose to run OpenVPN directly, remember that OpenVPN does not handle DNS push on Linux on the client side, so use the mentioned script. Please see here: https://airvpn.org/forums/topic/9608-how-to-accept-dns-push-on-linux-systems-with-resolvconf/ 3) Not recommended. Run OpenVPN with script update-resolved-systemd. Again see https://airvpn.org/forums/topic/9608-how-to-accept-dns-push-on-linux-systems-with-resolvconf/ Kind regards
  38. 1 point
    Staff

    Wireguard plans

    @Flx The first message was approved by some moderator in the wrong thread, not a big deal. Then we moved the message on its own thread, this one. Then user "wireguard" posted more messages which were all approved by some moderator. @Brainbleach Of course. We were replying to "wireguard" who invites surreptitiously to punish AirVPN because AirVPN uses and develops actively OpenVPN: "Needless to say, investing in AirVPN means investing in OpenVPN, and that's not acceptable to me at this point," . He/she also kept claiming that "it's time to retire OpenVPN" (sic), that OpenVPN is a "truly disgusting hack" (sic) and so on,. showing his/her embarrassing ignorance and lack of good faith. Nothing to do with your messages. Funny how bogus account writers are so eager to become from time to time AirVPN software lead developers, general managers for AirVPN strategies, marketing directors and more. 😀 We wanted to prove beyond any reasonable doubt that his/her claim are unreasonable and based on wrong assumptions and terrible omissions, showing how Wireguard can not replace OpenVPN for a significant percentage of our customers and how our OpenVPN development has been beneficial for many users around the world. That said, we claimed that Wireguard needed to be developed and tested further years ago, so at the time our claim was totally reasonable. We also claimed years ago that the problem was not with CHACHA20 which to the best of nowadays knowledge is a very robust and secure cipher. Now the problems are different because Wireguard is asked to offer something which it was not designed for, i.e. providing some kind of anonymity layer. Such problems include lack of DNS push, lack of dynamic IP address assignment (with subsequent problems with client key-private address static correspondence, a very tough legal problem for us but above all for our customers), need of keeping client real IP address stored in a file. We have resolved them one by one with external software and internal work around. Once the problems are resolved in a robust way, which means testing thoroughly the adopted work-around, we can offer Wireguard, not earlier. Kind regards
  39. 1 point
    Thank you for the quick answer. I disabled the service using those commands : $ sudo systemctl stop systemd-resolved $ sudo systemctl disable systemd-resolved Now I can use the default configuration for Eddie, and it doesn't leak DNS anymore according to ipleak.net . I'll wait for an update to use systemd-resolved in the future, which seems to bring new features. Kind regards.
  40. 1 point
    Staff

    ANSWERED Eddie Checking DNS failed.

    @McLoEa Good to know, thank you for the info. We are checking how to address the issue with systemd-resolved working in that specific mode. Kind regards
  41. 1 point
    Staff

    ANSWERED Eddie Checking DNS failed.

    @McLoEa Hello! We don't know if it was you who pointed the support team to the following article in a ticket: https://lists.fedoraproject.org/archives/list/devel@lists.fedoraproject.org/thread/VPACQVWRG5HCWRPBIOTBAENRT6V6PRA4/ If not, the relevant part is: systemd-resolved has four operational modes and neither Eddie nor Hummingbird, at the moment, can handle properly the "on link" mode bypassing resolv.conf and relying on nss-resolve. In Fedora 33 systemd-resolved is configured by default in a way that Eddie and Hummingbird do not handle correctly. Disabling systemd-resolved, in such a case, should resolve any issue with Eddie, Hummingbird and OpenVPN DNS push. In a few words, the key is going back to handle DNS via resolv.conf file as usual. If you wish to disable systemd-resolved: sudo systemctl stop systemd-resolved sudo systemctl disable systemd-resolved (restart network-manager service if necessary). Kind regards
  42. 1 point
    Input file is optional, it expects stdin if no input file is presented. I was more or less just toying with the idea of piping so it would be possible to do something like "cat AirVPN.ovpn | ./airvpn_remotes.sh > AirVPN_new.ovpn". But you're right, considering some people may not care for the script's functionality of inline replacing those lines it would probably be better to handle lack of an input-file and stdin as just generating without the original config, which then the user could manually add to their config. I've made that change to the script and updated the OP (which resolves both your improvement suggestion and your remark). Other possible improvements I've considered: allowing the script to update the config's IP protocol. e.g. using IPv6 or IPv4 exclusively (I'm not well versed with OpenVPN configurations so I'd just have to compare the configs I generate from AirVPN's terminal) giving a flag for transport protocol tcp/udp to update / add that respective line more comprehensive scanning of the IPs, instead of a simple ICMP the script could also (optionally) check TCP + UDP availability on the supplied port - granted at some point this evolves from a simple availability checking script to a port scanning script which would get you flagged by your ISP, which I want to avoid. so maybe not the best idea validate the provided port against possible ports instead of requiring the user to specify the DNS query being made explicitly (should they not want the default) and requiring them to refer to AirVPN's FAQ page to figure out which FQDN they need to ping, I could instead have preset options/values. It would make it less flexible though. could add an option to query ALL vpn servers used by AirVPN (the earth.all.vpn.airdns.org record), test them, then add filtering options to either filter by maximum remotes desired (e.g. 20 by default) or by maximum ping allowed Ultimately though I made the script to accomplish my goal, and then got lost refining it to make it pretty. Most of my possible improvements provide no benefit to me and probably minimal benefit for other users, so I'll probably just keep it as is. Additionally, the script itself has the main drawback of specifically using their IPs for single servers and not their DNS records that update every 5 minutes to load balance their servers (which isn't really a drawback in a case like mine where some of their servers are completely blocked). Thanks for taking a look, the compliments, and the advice!
  43. 1 point
    you don't need to import any cert for stunnel to work. 1) install stunnel package from package manager 2) Create the stunnel tunnel here in services>stunnel. /pkg.php?xml=stunnel.xml Select client mode use 127.0.0.1 as listening IP listen on port doesn't matter but you'll just use whatever you put here in the openvpn client setup certificate is default redirect IP is found in the .ssl file that you can download for stunnel in the config generator redirect port is also found in that ssl file (in the name of the file too) save the stunnel tunnel your status_logs.php should show stunnel activity to let you know it's running 3) Create or edit an openvpn config for AirVPN keeping everything the same as usual but changing the following protocol is TCP only interface is any server address is 127.0.0.1 server port is what you setup as listening port for the stunnel tunnel in the custom options box input route <server IP address> 255.255.255.255 net_gateway; where <server IP address> is the same as in point 5 above Now in my experience it'll connect then disconnect, perhaps a few times before finally staying connected. Just be patient.
  44. 1 point
    festus8888

    Turning off sound effects

    Is there an easy way to turn off the sound effects when connecting, disconnecting, etc. ?
  45. 1 point
    Hello! Nowadays, traffic shaping is a common practice. Several ISPs have evaluated that investing in traffic shaping techniques is better than investing in infrastructure expansion. Overselling becomes easier and the devastating congestion impact gets mitigated by enforcing penalties to all protocols which are rarely used by the majority of customers or that are more onerous for the infrastructure. Protocols and traffic types are discovered in real time via SPI and DPI. A VPN impairs traffic shaping techniques because it makes both SPI and DPI impotent. Therefore, ISPs that share the above vision (wild overselling and traffic shaping) need to shape VPN themselves, unconditionally. OpenVPN has a typical fingerprint, so it's easy to identify it with DPI. However, we provide connection modes which make OpenVPN not discernible. The most effective and at the same time efficient is a connection with "tls-crypt" which encrypts the whole OpenVPN Control Channel. It is available on entry-IP addresses 3 and 4 of our VPN servers. Please test the following one (in Eddie desktop edition): - from Eddie main window select "Preferences" > "Protocols" - untick "Automatic" - select the line with entry-IP address 3, port 443, protocol TCP. The row will be highlighted in blue - click "Save" tls-crypt will circumvent specific OpenVPN shaping, while TCP will get rid of UDP shaping, which is another commonly targeted protocol. UDP might be shaped or not in your line, so it's worth that you try it too. Eddie Android edition 2.0 connects to entry-IP address 3 by default. You might anyway need to change the protocol from UDP to TCP in the "Settings" if UDP is throttled. Kind regards
  46. 1 point
    Fuck it. If you want to make a fool of yourself go right ahead. I have repeatedly told you why this thread shouldn't exist, but if you want to infer that I'm practically a book burning Nazi, then go right ahead. You can voice your opinion all you want . But you should be prepared for the rest of us to use our opinions to shit on yours.
  47. 1 point
    They explain a problem you will encounter and then (if you follow more links) ways of solving the problem. As I said in the same post, I DO this! It IS possible. If you want me to provide a customized recipe just for you here in this thread, I am going to disappoint you. UPDATE: ======= I changed my mind. Here is a recipe. I did not actually explain the problem above. The problem is that the default gateway gets changed by OpenVPN, and that breaks your current SSH connection unless you set up appropriate routes before you start OpenVPN. It is assumed here that the default gateway interface before OpenVPN is started is "eth0". This is the usual convention for Linux systems. It should ensure that when a connection to eth0 is made, even if eth0 is not the default gateway interface anymore, response packets for the connection go back on eth0 again. # set "connection" mark of connection from eth0 when first packet of connection arrives sudo iptables -t mangle -A PREROUTING -i eth0 -m conntrack --ctstate NEW -j CONNMARK --set-mark 1234 # set "firewall" mark for response packets in connection with our connection mark sudo iptables -t mangle -A OUTPUT -m connmark --mark 1234 -j MARK --set-mark 4321 # our routing table with eth0 as gateway interface sudo ip route add default dev eth0 table 3412 # route packets with our firewall mark using our routing table sudo ip rule add fwmark 4321 table 3412=== UPDATE to UPDATE: The above works fine for me on Debian Jessie. But on an older Wheezy system I have just found that I need to add "via" to the routing table entry: # our routing table with eth0 as gateway interface sudo ip route add default dev eth0 via 12.345.67.89 table 3412There "12.345.67.89" must be the original non-VPN gateway.
  48. 1 point
    I wrote a script to do this for multiple websites for use with Network Manager's dispatcher service. See https://www.mankier.com/8/NetworkManager #!/bin/bash URL_LIST=("smtp.secureserver.net" "anothersite.com" "space-delimited.net") GATEWAY="192.168.0.1" IP_LIST=() for url in $URL_LIST do ip=`dig +short $url` IP_LIST+=("$ip") done for ips in $IP_LIST do ips=(`echo $ips | tr " " "\n"`) for ip in $ips do ip route add $ip via $gateway done doneAdd in the URLs you need, save it as root in /etc/NetworkManager/dispatcher.d as whatever you want to call it and it will run after connecting to a network.
  49. 1 point
    Probably because they decided not to use women and children as suicide bombers, or fire rockets indiscriminately into civilian areas. But this isn't really the place to discuss it.
  50. 1 point
    Probably because they decided not to use women and children as suicide bombers, or fire rockets indiscriminately into civilian areas. But this isn't really the place to discuss it.
×
×
  • Create New...