Everything posted by pfSense_fan

  1. To each their own, I found it easier having just one file haha. Keep in mind I downloaded the Windows file. The OVPN files for Linux etc. look different and have different options we don't need. I don't know the issue here though. You still enter everything between the placeholders noted, even though the certs look different now. I just have not got around to editing the guide, probably won't have the time for a month yet. @anonym, make sure there are no blank lines/spaces etc. before/above the cert or at the end of the cert you paste.
  2. Why not just add the networking capability to an existing PC? Is there a defined list of reasons why it's better to use a stand alone unit?
     There are countless reasons why it's better. One that hit home for me was last year when the TOR browser was compromised. If you were behind OpenVPN on pfSense, even if it exposed your "IP address" it sent home the 10.4.0.X IP address assigned by the VPN and not your ISP. If you used a consumer router... exposed. TOR + OpenVPN on Windows? Would have been exposed. That's just one reason. There are many security reasons, as it isn't compromised by other software on the system. There are performance reasons, if you care about that too. That's not even mentioning that it is a REAL firewall, not the false sense of security consumer routers are. It really comes down to whether one cares about taking all precautions in security and privacy. If you intend to take it seriously there is no question, you are leaps and bounds better off with a dedicated appliance. But if one is going to go that route, it needs to be taken seriously. You need good equipment to use it properly. Fast memory, good (Intel) NICs, and a 2+ GHz processor with AES, and in that order of importance. I don't care what you read elsewhere, I can take screenshots of how much resources it actually takes to utilize the features you need to be secure and private. I'm using 9 gigs of memory using Snort and pfBlocker. If I set up Snort for another VPN connection I might be up to 13 gigs of memory. Now if you have an old PC around and all parts required to get started, sure, why not use it and learn. I just will never recommend buying second hand unless it is current generation equipment at a deal. Just my 2 cents.
  3. As far as I know, 2.2 alpha has not been patched for Heartbleed. You may want to look into that. I have 2.2 installed on another hard drive... quite buggy still. You have been warned haha. I've never bothered with wifi on the box, I just use a wireless router in AP mode. That being said, you should just set it up as any other interface. Your Intel NICs will show up as em0 and em1, the wifi card will have a different name, that's all. It will be dead with my method, but pfSense will remain connected so you can at least investigate why. Any VPN connected interface simply gets cut off. The firewall should have clear net access. There are reasons for this... a number of reasons. Functional and security reasons. But if you still prefer it to all together disconnect, it can be done. I don't recommend it. If Air were to go down for an extended period you would be forced to change settings, and having to change settings is not good policy; this is how mistakes end up happening. Just my opinion! You also can't use any URL based Air entry addresses such as country or continent entry addresses. IP based only. Absolutely.
  4. Thank you! The feedback is much appreciated. I'm glad it helped. I noticed this recently too. I downloaded my certs after the 4096 bit upgrade and they still had that chain of data. I then downloaded a new server the other day and it looked different. Checked more and they all looked different. I don't know why, have not asked staff yet, but I will have to just edit that part. It is still everything in between the place setters noted though. Nice setup! I found it very useful to set the VOIP on its own subnet; I have very strict firewall rules on that interface that only allow connections to IP addresses used by the service provider. Very useful as there are malicious attempts to connect through the same ports as used by VOIP. If you use Snort even better, it isolates those specific attempts. You probably need more memory to use Snort though. Same with my gaming subnet. Easy to maintain specific firewall rules. Welcome to the big leagues! It's nice to have equipment that does what you expect of it, is it not? Be sure to have a proper burial for your old equipment after you take years of frustration out on it! Again you are most welcome! It was my hope in writing this that it would empower others to understand their hardware and software so as a community we can all learn together and share what we learn as we all go along! There are additions to the guide coming soon, and for you with such a powerful machine there are many tweaks to do! First thing you should do is disable hyperthreading in your BIOS! There are a few reasons for this on a firewall, security the first, latency the second. For the rest stay tuned and keep us informed of your adventures in pfSense!
  5. Correct, just input the appropriate ports and IP for that device. As soon as I get a little free time I plan to add this section to the guide. I need to clarify a few things first.
  6. As per the other guide, I couldn't have said, I never looked at it. Was this for bittorrent? If so did you use the tool to check your bittorrent address?
  7. You should not have to do anything to the outbound NAT for a port forward. Our outbound settings were taken care of in the guide. No further mods are necessary unless you are doing some other sorts of selective routing to a different gateway. I whipped together a port forward guide, but have not had anyone test it yet. You can try it if you like. If you don't see the redirect target IP, you may be in the wrong section. As far as the "router" IP address, those settings are "drop down" menus. Pick the one listed in my guide, EXACTLY. Aside from your redirect to your internal computer, tick for tick exactly as stated.

     VPN Port Forwarding
     The following is a basic guide on how to port forward on your AirVPN connection to a service running on your network. This will work for those of you using bittorrent, as I know how much you all like to download and share your favorite Linux and BSD distributions...
     1.) The first thing we need to do is log into airvpn.org and forward our port or ports.
     2.) Next we need to navigate to Firewall > NAT > Port Forward
         Go To: http://192.168.1.1/firewall_nat.php -or- https://192.168.1.1/firewall_nat.php
     3.) Set as follows:
         Disabled = [_] (unchecked)
         No RDR (NOT) = [_] (unchecked)
         Interface = [ AirVPN_WAN ▼]
         Protocol = [ TCP/UDP ▼] (TCP, UDP or TCP/UDP depending on your uses)
         Source = [_] not (unchecked)
           Type: [ any ▼]
           Address: [______]/[ 31 ▼] (Blank/Greyed out)
         Source port Range = from: [ Any ▼] to: [ Any ▼]
         Destination = [_] Not (UNCHECKED)
           Type: [ AirVPN_WAN address ▼]
           Address: [______]/[ 31 ▼] (Blank/Greyed out)
         Destination port Range = from: [ (other) ▼] [ NOTE *1 ] to: [ (other) ▼] [ NOTE *2 ]
           *1: Port, first port of a range or Alias of ports you forwarded at AirVPN.org
           *2: Same port as above or ending port of a range you forwarded at AirVPN.org
         Redirect target IP = [ NOTE *3 ]
           *3: IP of your target PC/device. This is best if you have your device assigned to a static IP
         Redirect target port = [ (other) ▼] [ NOTE *4 ]
           *4: Same port as "Destination port Range = from:" as entered above (Note 1)
         Description = [✎ WHATEVER NAME YOU CHOOSE ]
         No XMLRPC Sync = [_] (unchecked)
         NAT reflection = [ Use system default ▼]
         Filter rule association = [ Create new associated rule ▼]
     4.) Click [ Save ]
     5.) Click [ Apply Changes ]
     MORE INFO AT PFSENSE DOCS
     EDIT: Also, after setting the port forward, go over to your AirVPN_WAN firewall rules and make sure the associated rule is above/on top of any other rules you may have, if any.
     EDIT 2: Also consider that you need to have the ports you forwarded on pfSense also opened on the firewall of the PC you have, if it has a firewall.
     Edit 3: You also need to set the external AirVPN IP address (as shown on the overview page when you log into the client area on airvpn.org) in your bittorrent, FTP program etc. or else it does not broadcast the proper return address.
  8. You at the very least want to run it on both your WAN_DHCP and AirVPN_WAN gateways. I don't know where you read that, but it's not true. I run it just fine like that; Snort sees it inside pfSense before/after encryption/decryption. Unfortunately I have no advice further than that, Snort is far too involved for me to get into teaching others. The only thing I will say is that the AC-NQ setting, from what I have read, is the only setting that actually stops bad connections BEFORE they enter your system. Good luck! Also, thank you, it's good to know that step has proved useful!
  9. http://www.supermicro.com/wheretobuy/europe.cfm?rgn=132
     http://www.supermicro.com/products/motherboard/ATOM/
     It is harder to find the 2558 based boards, you have to look at places that sell servers etc. The standard consumer circles don't carry these. You certainly could use those cards provided you have PCI slots for them, however they do not support the same offloading features as the i354 NICs onboard those Atoms. If you have a 150Mb connection, it might be a consideration seeing you will be using a VPN.
     OK from what I've found so far it's going to cost in the region of five times more for the Rangeley setup than it would for Kabini/Jaguar re-using my existing Intel Pro NICs. Unfortunately I'm going to have to rule out Rangeley at least for now. Although I appreciate the improved quality and flexibility, C2558 boards would cost me about $450 to $500 equivalent whereas the same in Kabini/Jaguar would be $75 to $80 at most. Looks like I'm going to have to 'make do'.
     Our prices must differ greatly being across the pond. Can you link me to some of these AMD boards you speak of? I've been piecing info together for my guide as far as hardware and I can find no such hardware as you speak of. The motherboards I find for AMD are ~$100+ (for one worth its salt for running 24 hours a day), the processors ~$150, they don't have compatible NICs (I know you have some spare) and they all are half the MHz and take double the electricity of the Rangeley. Meanwhile, I can find a Rangeley 2558 for ~$220.
  10. Before I came here to comment I went and verified a port forward was working on my end and it was. I'm not sure what has changed from your previous settings. Selective routing as in a split subnet or specific URLs? You can still do that but you would have to set different rules for outbound NAT and the firewall than my guide. You would also need to create an alias for your URLs. My guide is only one way to set it up, and it has in mind completely separating VPN and clear-net connected devices from each other. At the time of writing I felt this type of setup (selective routing) would cause too much confusion amongst beginners, which this guide is aimed at. Although I use "route-nopull;" it is for different reasons. All of the settings the server tries to push - the gateway, DNS and route - are set manually by us, and according to my logs those push settings are never successful and cause errors. I have been testing "route-nopull;" for some time now and have considered adding it to the settings I list in the guide for this reason. That is to say; nothing goes through the VPN without the appropriate rules anyway. That's just how it is set up on pfSense. For your port forward... do you have: Interface = AirVPN_WAN, Filter rule association = Create new associated filter rule? Do you have the redirect targeted to a static IP for your device?
  11. pfSense 2.1.3 RELEASE Now Available!!! Various other fixes. Of note: Which could very well fix the issue many were having with interface looping (which appears in the OpenVPN logs as "write UDPv4: No buffer space available (code=55)"). It remains to be seen if it does indeed fix it, however it seems promising. Back up your settings and update ASAP!!!
  12. I will be testing this config option for the next few days to see if it fixes this issue.
  14. My apologies. I hadn't slept a whole day/night/day when I replied and completely missed that. I appreciate you taking time to reply and confirming I'm OK to buy AMD. I run IPFire myself, rather than pfSense, but I'm considering moving over as although IPFire is decent it's a little glitchy recently. I'm wanting to build a Jaguar (AM1 SoC) router to replace my old IPFire box, and now I know it supports AES also, my mind is made up. Thanks again for the reply.
      If you are going to be starting from scratch buying a new board, I don't recommend AMD. Not because the processor is bad, but because most motherboards don't have network cards compatible with pfSense. The current ideal platform is the C2558 or C2758 based Supermicro Intel Atom boards (Rangeley). They have quad Intel server class network interfaces. For AMD you would need to purchase a separate network card, and the ones you need can be expensive. You'll find the price difference for an AMD build to be similar, but you will be getting much higher end equipment for the same price with a Rangeley board. Just my thoughts!
  15. First, you clicked on the wrong [+]. I know this because it would have automatically deleted the AirVPN_WAN_VPN4. If you want to not see the IPv6 one you have to disable IPv6 entirely out of your system. I don't have the time at this moment to explain that. Again, you clicked on the wrong [+] and it therefore automatically deleted your WAN. You will likely have to start over with a re-install. Pay close attention to exactly which [+] I specify. Mouse over them to see what they are titled. They are different. You are the second person to do this, I will have to clarify this section. Subnet and net are the same. I wrote this when the current version was 2.1; for whatever reason they changed this for 2.1.2. Leave the anti lockout rule alone. It is gray for a reason. Back in 2.1 it did not allow you to modify this, now they linked it to where you can. I also need to clarify this. I suggest you re-install and pay PRECISE attention to everything you click considering what I told you here.
  16. A number of users of pfSense have all shared a single error in our logs ever since the 4096 bit config upgrade.
      write UDPv4: No buffer space available (code=55)
      We have been searching, testing and tweaking trying to figure it out since then. Although we made our systems run better, we never quite got rid of the error. Finally I came across an answer at the pfSense forums and also the same conclusion at a Tunnelblick forum.
      This is affecting many pfSense users. Staff, is there any option we can add to our configs to prevent this?
      https://forum.pfsense.org/index.php?topic=40405.msg208614#msg208614
      https://code.google.com/p/tunnelblick/issues/detail?id=44#c16

      Apr 29 17:15:36 openvpn[.....]: write UDPv4: No buffer space available (code=55)
      Apr 29 17:15:36 openvpn[.....]: write UDPv4: No buffer space available (code=55)
      Apr 29 17:15:36 openvpn[.....]: write UDPv4: No buffer space available (code=55)
      Apr 29 17:15:36 openvpn[.....]: write UDPv4: No buffer space available (code=55)
      Apr 29 17:15:36 openvpn[.....]: write UDPv4: No buffer space available (code=55)
      Apr 29 17:15:36 openvpn[.....]: write UDPv4: No buffer space available (code=55)
      Apr 29 17:15:36 openvpn[.....]: write UDPv4: No buffer space available (code=55)
      Apr 29 17:15:36 openvpn[.....]: write UDPv4: No buffer space available (code=55)
      Apr 29 17:15:36 openvpn[.....]: write UDPv4: No buffer space available (code=55)
      Apr 29 17:15:28 openvpn[.....]: write UDPv4: No buffer space available (code=55)
      Apr 29 17:15:28 openvpn[.....]: write UDPv4: No buffer space available (code=55)
      Apr 29 17:15:28 openvpn[.....]: write UDPv4: No buffer space available (code=55)
      Apr 29 17:15:28 openvpn[.....]: write UDPv4: No buffer space available (code=55)
      Apr 29 17:15:28 openvpn[.....]: write UDPv4: No buffer space available (code=55)
      Apr 29 17:15:28 openvpn[.....]: write UDPv4: No buffer space available (code=55)
      Apr 29 17:15:28 openvpn[.....]: write UDPv4: No buffer space available (code=55)
      Apr 29 17:15:28 openvpn[.....]: write UDPv4: No buffer space available (code=55)
      Apr 29 17:15:28 openvpn[.....]: write UDPv4: No buffer space available (code=55)
      Apr 29 17:15:28 openvpn[.....]: write UDPv4: No buffer space available (code=55)
      Apr 29 17:15:28 openvpn[.....]: write UDPv4: No buffer space available (code=55)
      Apr 29 16:57:34 openvpn[.....]: write UDPv4: No buffer space available (code=55)
      Apr 29 16:57:34 openvpn[.....]: write UDPv4: No buffer space available (code=55)
      Apr 29 16:57:34 openvpn[.....]: write UDPv4: No buffer space available (code=55)
      Apr 29 16:57:34 openvpn[.....]: write UDPv4: No buffer space available (code=55)
      Apr 29 16:57:34 openvpn[.....]: write UDPv4: No buffer space available (code=55)
      Apr 29 16:34:14 openvpn[.....]: Initialization Sequence Completed
      Apr 29 16:34:14 openvpn[.....]: /sbin/route add -net 10.30.0.1 10.30.x.x 255.255.255.255
      Apr 29 16:34:14 openvpn[.....]: NOTE: unable to redirect default gateway -- Cannot read current default gateway from system
      Apr 29 16:34:14 openvpn[.....]: /usr/local/sbin/ovpn-linkup ovpnc2 1500 1558 10.30.x.x 10.30.x.x init
      Apr 29 16:34:14 openvpn[.....]: /sbin/ifconfig ovpnc2 10.30.x.x 10.30.x.x mtu 1500 netmask 255.255.255.255 up
      Apr 29 16:34:14 openvpn[.....]: do_ifconfig, tt->ipv6=1, tt->did_ifconfig_ipv6_setup=0
      Apr 29 16:34:14 openvpn[.....]: TUN/TAP device /dev/tun2 opened
      Apr 29 16:34:14 openvpn[.....]: TUN/TAP device ovpnc2 exists previously, keep at program end
      Apr 29 16:34:14 openvpn[.....]: ROUTE: default_gateway=UNDEF
      Apr 29 16:34:14 openvpn[.....]: Could not retrieve default gateway from route socket:: No such process (errno=3)
      Apr 29 16:34:14 openvpn[.....]: OPTIONS IMPORT: --ip-win32 and/or --dhcp-option options modified
      Apr 29 16:34:14 openvpn[.....]: OPTIONS IMPORT: route options modified
      Apr 29 16:34:14 openvpn[.....]: OPTIONS IMPORT: --ifconfig/up options modified
      Apr 29 16:34:14 openvpn[.....]: OPTIONS IMPORT: LZO parms modified
      Apr 29 16:34:14 openvpn[.....]: OPTIONS IMPORT: timers and/or timeouts modified
      Apr 29 16:34:14 openvpn[.....]: PUSH: Received control message: 'PUSH_REPLY,redirect-gateway def1,dhcp-option DNS 10.30.0.1,comp-lzo no,route 10.30.0.1,topology net30,ping 10,ping-restart 60,ifconfig 10.30.x.x 10.30.x.x'
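As an added example (not code from this post, from pfSense or from OpenVPN), a small Python parser for OpenVPN log lines in the syslog shape quoted above. It counts the code=55 write error per second and flags bursts, since a sustained run rather than a lone line is what the thread later associates with a saturated tunnel. The sample log and its PID are constructed here.

```python
import re
from collections import Counter

# Constructed sample, modelled on the format of the lines quoted in the post
# (timestamp, "openvpn[pid]:", message). The PID 4242 is made up.
_ENOBUFS = "write UDPv4: No buffer space available (code=55)"
SAMPLE_LOG = "\n".join(
    ["Apr 29 16:34:14 openvpn[4242]: Initialization Sequence Completed"]
    + [f"Apr 29 16:57:34 openvpn[4242]: {_ENOBUFS}"] * 2
    + [f"Apr 29 17:15:28 openvpn[4242]: {_ENOBUFS}"] * 3
    + [f"Apr 29 17:15:36 openvpn[4242]: {_ENOBUFS}"] * 6
)

# "Apr 29 16:34:14 openvpn[.....]: <message>"; the pid field may be anything,
# including the "....." placeholder used in the post.
LINE_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2} {1,2}\d{1,2} \d{2}:\d{2}:\d{2}) "
    r"openvpn\[[^\]]*\]: (?P<msg>.*)$"
)
ENOBUFS_RE = re.compile(r"No buffer space available \(code=55\)")


def parse_lines(log_text):
    """Return (timestamp, message) for every line in the OpenVPN syslog shape."""
    out = []
    for raw in log_text.splitlines():
        m = LINE_RE.match(raw.strip())
        if m:
            out.append((m.group("ts"), m.group("msg")))
    return out


def enobufs_per_second(log_text):
    """Count code=55 write errors per timestamp (this format has 1 s resolution)."""
    counts = Counter()
    for ts, msg in parse_lines(log_text):
        if ENOBUFS_RE.search(msg):
            counts[ts] += 1
    return counts


def bursts(log_text, threshold=5):
    """Seconds in which the error repeated at least `threshold` times."""
    return {ts: n for ts, n in enobufs_per_second(log_text).items() if n >= threshold}


def summarize(log_text, threshold=5):
    """Totals, burst seconds and every 'Initialization Sequence Completed' seen,
    so a burst can be related to the last (re)connect of the tunnel."""
    per_sec = enobufs_per_second(log_text)
    inits = [ts for ts, msg in parse_lines(log_text)
             if msg == "Initialization Sequence Completed"]
    return {
        "total_enobufs": sum(per_sec.values()),
        "burst_seconds": bursts(log_text, threshold),
        "init_timestamps": inits,
    }


if __name__ == "__main__":
    print(summarize(SAMPLE_LOG))
```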
  17. Considering the nature of how and why people use a VPN, myself and others consider such a simple step a necessity. This guide is meant for those who do not know what they are doing, and that is something they should know. It is simply a matter of perspective. Perhaps you see it as arbitrary, but I simply have not had time to update the entire guide. That rule will be added to the non VPN side too, but is not a priority. I explain in the preface that this is not a "leak" as is so often talked about on these forums. I always have. In time this guide will encompass writing the image to a USB, how to install, thoughts and considerations on hardware selection and a much more in depth look at other settings to set on the operating system as well as other OpenVPN options. We disagree on the necessity of that rule. People who would make such decisions will not need my guide. The same rule is in place on the Comodo guide for Windows, and I would posit it should be used by anyone using any method. The addition of that layer, as well as the "Block All" rule, was a choice I made to add to the guide because I believe security is part of a guide covering how to use a VPN. I wouldn't set this up for a friend or neighbor without such rules, and I would not teach a newb anything else. The point of a system such as pfSense is to strictly not allow ANY traffic we do not explicitly allow. Just teaching someone how to connect and not teaching them the basics of securing that connection is irresponsible in my opinion. I don't. I just hope it does not cause confusion amongst those who don't know the first thing about security. Those who become more acclimated, like yourself, certainly can choose for themselves later on how to secure their system best. For beginners though, jumping to pfSense from consumer software and equipment can be a daunting jump. There is little documentation out there on how to set up the basics, let alone how to set up a VPN. What info I did find never explained why to set things the way they did. I choose to take an educational approach to my guide. I put a disclaimer in the preface that each individual should do their own research and decide if this is for them or not.
  18. I have a 152Mbps connection and find this interesting. Can anyone please confirm whether the instruction 'AES' in AMD CPUs is the same (or at least, has the same function) as the AES-NI in Intel chips? In other words, can I buy an AMD chip to do this job or is it Intel only? Many thanks in advance.
      Wikipedia - Supporting CPUs
      Also, if it has "AES" instructions, it is the same thing. EDIT: ...and then I saw that the post you quoted had the same link I provided. Nonetheless, using an AES enabled chip helps tremendously. This has been discussed in depth amongst those of us using pfSense to connect. For you to get the most of your connection you will want to use an AES chip.
  19. Fixed, thank you for that. Yesterday was a long day. Sorry I missed that important detail.
  20. You are correct that if a request goes out, it is still going out through the VPN tunnel and is therefore "anonymized". However.... and it is a big "however". It does not stop a malicious attack from hijacking your browser. Imagine for a moment an adversary wants to expose VPN users. They can see that a very popular destination for VPN users is a message board for animated cat gifs. So this adversary posts some pictures at lolcatgifs-com, but with his link he inserts some malicious javascript which directs your browser to his server's DNS. He now serves you up a false version of lolcatgifs-com, and subsequently now has control of what DNS you use. This attacker watches your web browsing and sees you visit AirVPN's web page. He now serves you up a false front page where you enter and submit your username and pass, possibly multiple times trying to get it to work. But for a time period it doesn't allow you to log in. In the coming days you log into your email as well as your bank and credit card to pay your bills. Same thing, it doesn't work for a short period. Then one day you can't come online because all of your identity has been stolen. Or if you are a whistle-blower, a high level adversary has targeted your home. These scenarios may be far fetched in the eyes of some, but they are possible. EDIT: Had you blocked all other avenues for DNS other than the one you intended, it would block the attempt. You would receive errors and pages wouldn't load, and when you investigate your logs you would see why. Read up on DNS Hijacking and DNS Rebinding attacks. Not just at Wikipedia... search it out. In the end of all things, if you decide to trust another DNS that is on you, but you should still use the firewall rule, just with your DNS of choice. Most will want to use AirDNS for the anti geo-blocking. You can make an alias if you need to enter more than one address.
  21. PLEASE NOTE: MAIN GUIDE HAS BEEN AMENDED!!!
      NO MAJOR UPDATES TO FUNCTIONALITY WERE MADE
      SOME STEPS CLARIFIED, SOME STEPS HAVE BEEN CONSOLIDATED
      STEP TO INTERNALLY CHECK FOR DNS LEAKS/HIJACKING ADDED (STEP 8)
      PLEASE REVIEW:
      PREFACE - ON THE SUBJECT OF DNS LEAKS
      STEP 6 - DNS FORWARDER
      STEP 8 - AirVPN_LAN (CONSOLIDATED FIREWALL RULES)
      STEP 8 - AirVPN_LAN (ADDED STEP TO TEST DNS LEAKS)

      Functionally everything is the same. I was able to create one less firewall rule on the AirVPN_LAN interface and achieve the exact same function by using the "NOT" inverse feature. There are now three firewall rules instead of four. I also added a small section for novices on how to verify the DNS resolver is working at the end of the DNS Forwarder section. I have not had time to make the same updates to the dual (2) NIC addition, but will soon. I also added a proof of concept and How-To on internally testing for DNS LEAKS / HIJACKING. Some forum members could not see the point of the firewall rules I listed in my guide for "BLOCKING DNS LEAKS" and went on to poo-poo the idea of using them. The point always was that malware or an adversary could hijack your DNS request and potentially expose a VPN user without such rules in place. So for those of you that indeed want to be as secure as possible, you will want to continue using them or start using them if you are not. I no longer consider this a redundancy. Test for yourself and decide for yourself.

      Verifying Our BLOCK_DNS Rule is Functioning (Optional - For Windows and WINE Users)
      For this step we will need to download a program called "DNSBench". This step is meant as a proof of concept to show that without the BLOCK_DNS firewall rules, a malicious program could indeed hijack your DNS requests. This program is a safe program, and one that I otherwise find very useful in finding low latency DNS servers. We will not however be using it as it is intended, but it is the best program I have found to simulate a program sending out DNS requests not received from the DHCP settings.
      Go to: https://www.grc.com/dns/benchmark.htm (click on the picture of the program to download it.)
      1.) When you open it, it will say: • • • Verifying Internet Access • • •
      2.) Then, if up to this point it is working, it will say: Internet DNS Access Trouble
      3.) Find and click the button toward the top that says [ Ignore Test Failure ]
      4.) Then it will show: DNS Benchmark Domain Name System Benchmark Utility
      5.) Find and click the "Nameservers" tab toward the top.
      If the DNS Blocking rules are enabled, entered correctly and functioning you should see this: Only the 10.4.0.1 entry should be green (signifying it can be contacted). All other entries should be red. If you view your firewall logs on pfSense now, it should have quite a few blocks triggered by destination port 53 on the AirVPN_LAN interface. If any other DNS servers are contacted and show up as green, review the firewall settings and correct any discrepancies you find. If you find none and otherwise cannot correct the leak, feel free to ask for help by posting to this thread. For those of you that wish to verify the proof of concept, feel free to temporarily disable the BLOCK_DNS rule and verify this yourself (you have to close and re-open DNSBench; don't worry, testing this is quite safe). You will see that had this been a malicious program it could indeed hijack your browser. Be sure to re-enable the firewall rule after!
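The three-rule AirVPN_LAN layout and the DNSBench check described in the post above, as an added example that is not the guide's own configuration or code: a Python model of pfSense first-match interface rules with the destination "not" inverse, run over constructed packets and a constructed resolver list. The exact composition and names of the three rules and the gateway name are assumptions; 10.4.0.1 is the Air resolver the post names.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Optional, Tuple


@dataclass(frozen=True)
class Packet:
    dst_ip: str
    dst_port: int
    proto: str  # "tcp", "udp", "icmp", ...


@dataclass(frozen=True)
class Rule:
    name: str
    action: str                                # "pass" or "block"
    dst_net: Optional[str] = None              # None = any destination
    dst_not: bool = False                      # pfSense "Destination: [x] not"
    dst_port: Optional[int] = None             # None = any port
    protos: Optional[Tuple[str, ...]] = None   # None = any protocol
    gateway: Optional[str] = None              # policy-routing gateway on a pass rule
    log: bool = False                          # blocks with log=True show in the firewall log

    def matches(self, p: Packet) -> bool:
        if self.protos is not None and p.proto not in self.protos:
            return False
        if self.dst_port is not None and p.dst_port != self.dst_port:
            return False
        if self.dst_net is None:
            return True
        in_net = ip_address(p.dst_ip) in ip_network(self.dst_net)
        return in_net != self.dst_not  # ticking "not" inverts the destination match


# Assumed composition of the consolidated three rules on AirVPN_LAN: DNS only to the
# Air resolver, DNS to anything else blocked via the inverse, all else out via the VPN.
AIR_DNS = "10.4.0.1/32"
AIRVPN_LAN_RULES = [
    Rule("PASS_DNS_AIR", "pass", AIR_DNS, dst_port=53, protos=("tcp", "udp"),
         gateway="AirVPN_WAN_VPN4"),
    Rule("BLOCK_DNS", "block", AIR_DNS, dst_not=True, dst_port=53,
         protos=("tcp", "udp"), log=True),
    Rule("PASS_ALL_VIA_VPN", "pass", gateway="AirVPN_WAN_VPN4"),
]
DEFAULT_DENY = Rule("DEFAULT_DENY", "block", log=True)  # pfSense's implicit deny


def evaluate(p: Packet, rules) -> Rule:
    """First matching rule wins, as for pfSense interface rules."""
    for r in rules:
        if r.matches(p):
            return r
    return DEFAULT_DENY


def leak_test(resolvers, rules, disabled=()):
    """Mimic the DNSBench sweep: which resolvers could be reached on UDP/53?
    `disabled` repeats the post's proof of concept with BLOCK_DNS switched off."""
    active = [r for r in rules if r.name not in disabled]
    return {ip: evaluate(Packet(ip, 53, "udp"), active).action == "pass"
            for ip in resolvers}


if __name__ == "__main__":
    probes = ["10.4.0.1", "8.8.8.8", "1.1.1.1"]  # constructed probe list
    print("BLOCK_DNS on :", leak_test(probes, AIRVPN_LAN_RULES))
    print("BLOCK_DNS off:", leak_test(probes, AIRVPN_LAN_RULES, disabled={"BLOCK_DNS"}))
```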
  22. I agree with those two gentlemen. And no, I don't like the people at LibreSSL. Would you change your girlfriend just because she accidentally sprained your leg? Your leg will be okay somewhen, and you can't know your new girlfriend's secrets. Sure it's important to have a choice and maybe they are doing the right thing with "cleaning OpenSSL's code" (their own words). But let's just sit down, make a camp fire, sing a song and relax. Let's just find out the destiny of LibreSSL. If security researchers and the time likewise explicitly say "yes, we recommend everyone preferring LibreSSL over OpenSSL" then we can think about funding it. To me it's a newborn and doesn't deserve much attention for now; at least that's what I say.

      I figured many would think my suggestion was premature. Part of me does as well.... however... To play along with your analogy: Imagine you are a fitness and health guru and you met a lovely young lady that shared your passion for fitness. This girl is everything you have been looking for. Attractive, intelligent and the time you spend together is magic. You share your every bit of being. She's the only one for you. Now imagine that once she got you hooked, knowing you loved her every bit of being, she no longer had to try. She's "the only show in town" and she knows it. She stops going to the gym with you. She stops jogging with you. She stops the healthy eating lifestyle you once shared. She lets herself go and is no longer the fitness queen you wanted to share your life with. She becomes "bloated". To top it off, now she ignores you, and starts to pay attention to other men. Do you continue to hope she will get back to the woman you fell in love with? Do you look for alternatives? It's hard because we become invested in our relationships, and want/hope for the best concerning those we care about. But you have to do what is best for you. That is what dating is supposed to be about, finding out who is right for us. Sometimes, after dating the beauty queen who didn't appreciate you, you will give more attention to the nerdy girl who appreciates you back...

      Privacy and security is our fitness and health passion, and OpenSSL is that girl that seemed to be everything you were looking for. They were not keeping up with you, and they were taking on code for government compatibility programs and code for systems that 99.9999% of the internet don't use and could potentially open vulnerabilities for you. Whether or not OpenSSL gets fixed, I do not believe we can continue to trust to put all of our eggs in one basket. A little competition, if anything, will be good to drive change at this time. It will encourage them to keep "fit" knowing they could lose their partners. Whether one "likes" them or not is irrelevant, the code that the OpenBSD Foundation puts out has time and time again stood out as some of the best and most secure out there. Most people use code regularly that the OpenBSD Foundation created; it even appears in some Windows firewall software. PF is regarded as the most secure firewall, and many people rely on OpenSSH. Yet they almost had to shut down a year ago until a billionaire donated a decent sum. They still only brought in about $60,000 to use on hosting fees and fund developers. It would be a huge loss to the well being and security of ALL OF US and the internet as a whole if they had to "close shop". My suggestion was not just for LibreSSL, it was for the OpenBSD Foundation in general. I hope you all will take a moment to think about that, and the opportunity that security and privacy minded individuals that we all are have to drive change, rather than sit around and be taken for a ride by the same pretty girl who keeps hurting us.

      That all being said, my vote won't count (I don't disagree with it either) if option 2 is a requirement, and I don't expect an exception to be made for me. I am most definitely a premium member, but I do not and would not post to the forums from any account I actually connected to the VPN with - I consider it a layer of "plausible deniability". Call me paranoid, but I doubt I am the only one who thinks that way considering how many lurkers there are each day. So just some food for thought.
  23. From some research done by myself and another user, this error: write UDPv4: No buffer space available (code=55) is caused by maxing out the speed capability of a tunnel. That being said, we found this to be caused by the specific server we were connected to. In my case, my ISP was throttling on the server I was connected to. Try a different server or protocol if it persists. The Control and Data channel messages are normal operation.
  24. SSL Certificate checking with Perspectives Project
      https://addons.mozilla.org/en-US/firefox/addon/perspectives/
      http://perspectives-project.org/
      https://en.wikipedia.org/wiki/Perspectives_project
      Personally, I would like to see a Perspectives notary added to each AirVPN server. Would add a "trusted" notary for Air users.
      Its evolution, Convergence (by Moxie Marlinspike, based on Perspectives Project), seems to have even more promise, but doesn't seem to be continually supported.
      http://convergence.io/
      https://en.wikipedia.org/wiki/Convergence_(SSL)
      https://www.youtube.com/watch?v=i9e4g7SV244 (Moxie Marlinspike Speaks Part 1)
      https://www.youtube.com/watch?v=EYv3bTTNF1w (Moxie Marlinspike Speaks Part 2)
      There is someone trying to update Convergence though, not many users at this point.
      https://addons.mozilla.org/en-us/firefox/addon/convergence-extra/
  25. Ask this question in my tutorial thread. Then, as I answer this question, it is there for anyone asking the same in the future. I will get back to you in the coming days. There has been some other discussion on this topic that you can search for in the main thread; it ended up in PMs though. I will share what info was researched in that thread as I have time in the coming days.