go558a83nk
Posts posted by go558a83nk
3 minutes ago, Panja said:
What size do you suggest?
I'm already using 512KB.
The problem seems to be always happening in the evening hours (CET).
Just tried 3 of the recommended (server status page) servers in NL and all give me max 30mbit.
On my laptop without AirVPN I'm hitting 250mbit without problems.
quit trying the same NL datacenter. obviously your route is poor and is especially congested during peak hours (evening).
try other datacenters. -
you don't need to import any cert for stunnel to work.
1) install stunnel package from package manager
2) Create the stunnel tunnel here in services>stunnel. /pkg.php?xml=stunnel.xml
- Select client mode
- use 127.0.0.1 as listening IP
- listen on port doesn't matter but you'll just use whatever you put here in the openvpn client setup
- certificate is default
- redirect IP is found in the .ssl file that you can download for stunnel in the config generator
- redirect port is also found in that ssl file (in the name of the file too)
- save the stunnel tunnel
- your status_logs.php should show stunnel activity to let you know it's running
- protocol is TCP only
- interface is any
- server address is 127.0.0.1
- server port is what you set up as listening port for the stunnel tunnel
-
in the custom options box input
route <server IP address> 255.255.255.255 net_gateway;
where <server IP address> is the same as in point 5 above
-
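The values used in the stunnel post above, pulled out of the downloaded file by a script. This is an added example, not part of the original post; it assumes the .ssl file is a stunnel configuration with a `connect = IP:port` line, and the address 192.0.2.10, the ports 443 and 1413, and the function names are constructed for illustration.

```shell
#!/bin/sh
# Added example, not from the original post.
# Assumption: the .ssl file is a stunnel config whose service section has a
# "connect = <IP>:<port>" line holding the redirect IP and redirect port.

# Print "<ip> <port>" from the first valid connect line; fail if none exists.
stunnel_target() {
    awk -F'=' '
        /^[ \t]*connect[ \t]*=/ {
            v = $2; gsub(/[ \t\r]/, "", v)
            n = split(v, p, ":")
            if (n == 2 && p[1] ~ /^[0-9]+\.[0-9]+\.[0-9]+\.[0-9]+$/ &&
                p[2] ~ /^[0-9]+$/ && p[2] + 0 >= 1 && p[2] + 0 <= 65535) {
                print p[1], p[2]; found = 1; exit
            }
        }
        END { if (!found) exit 1 }
    ' "$1"
}

# Directives for the OpenVPN client: talk to the local stunnel listener over
# TCP, and pin the real server to the physical gateway so the carrier
# connection is not routed into the VPN it carries.
openvpn_options() {
    ssl_file=$1
    listen_port=$2
    target=$(stunnel_target "$ssl_file") || {
        echo "no usable connect line in $ssl_file" >&2
        return 1
    }
    server_ip=${target% *}
    printf 'remote 127.0.0.1 %s\n' "$listen_port"
    printf 'proto tcp-client\n'
    printf 'route %s 255.255.255.255 net_gateway\n' "$server_ip"
}

# Constructed sample .ssl file (documentation address, not a real server).
SAMPLE_SSL=$(mktemp)
cat > "$SAMPLE_SSL" <<'EOF'
client = yes
[openvpn]
accept = 127.0.0.1:1413
connect = 192.0.2.10:443
EOF

openvpn_options "$SAMPLE_SSL" 1413
```

If the route line is left out, the stunnel connection to the server follows the VPN's own default route once the tunnel is up and the session stalls.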
router CPU can't do openvpn very fast at all.
only a few can, if they have the proper firmware and an AES-NI CPU. -
No, it's not more secure for the actual data. It's more resistant to hostile networks.
It doesn't take appreciably more power to use and performance might be a little better depending on the network used. They may not throttle it like they might other openvpn connections.
It's not the default because some old devices may not support tls-crypt? I'm not sure. -
tls-crypt means that the control channel of openvpn is encrypted from the start. all servers support this at entry IP 3 or 4.
-
you need to try different datacenters for different routes. all the NL servers are in the same datacenter I think.
Does your CPU support AES-NI? -
33 minutes ago, flat4 said:
anything going thru suddenlink is horrible, I should know that's my ISP
my ISP too -
48 per year is pretty cheap.
-
you can create gateway groups and have multiple tiers within the gateway group. the rule for the group can be such that when one tier is down it falls back to the next tier.
the only problem, last I tested, is that once the higher tier gateway is back up it won't automatically fall "up" to it. -
html5 geolocation.
it can be disabled in browser. about:config -
destination IP is your camera IP. if you used just the built in port forwarding of the router that forwards from WAN to LAN. You need to forward from TUN to LAN.
If port forwarding was working then it wasn't working through the VPN. -
if you are running the openvpn client on your router then you do need to use iptables such as the above.
Just make sure to correct the tun device number -
https://www.speedtest.net/result/c/2b63a577-e5a5-4205-98db-bb25ab01c371
There are a lot of places where slowness comes from but speed can happen. I use a pfsense box to run openvpn for the whole house. The speedtest machine is my laptop on wifi, which is an area of slowness itself. -
Horrible routing to these new servers..
4 [19108] [SUDDE] 173-219-233-235.suddenlink.net (173.219.233.235) 27.6ms
5 [19108] [SUDDE] 173-219-233-250.suddenlink.net (173.219.233.250) 26.9ms
** [neglected] no reply packets received from TTL 6
7 [6461] [ABOVENET] ae3.cs2.dfw2.us.zip.zayo.com (64.125.26.204) 33.0ms
8 [6461] [ABOVENET] ae28.er1.dfw2.us.zip.zayo.com (64.125.26.15) 28.2ms
9 [6461] [ABOVENET] zayo-comcast.dfw2.us.zip.zayo.com (64.125.13.186) 128.5ms
10 [7922] [COMCAST-16] be-12495-cr02.dallas.tx.ibone.comcast.net (68.86.85.193) 125.1ms
11 [7922] [COMCAST-16] be-12124-cr02.1601milehigh.co.ibone.comcast.net (68.86.84.229) 144.7ms
12 [7922] [COMCAST-16] be-10521-cr02.350ecermak.il.ibone.comcast.net (68.86.85.169) 160.7ms
13 [7922] [CABLE-1] be-1302-cs03.350ecermak.il.ibone.comcast.net (96.110.36.105) 163.0ms
14 [7922] [CABLE-1] be-2311-pe11.350ecermak.il.ibone.comcast.net (96.110.33.202) 163.9ms
15 [46844] [ST-CHI] comcast-100ge.3-2.19.chi.il.sharktech.net (208.98.0.37) 160.0ms
** [neglected] no reply packets received from TTLs 16 through 17
18 [11878] [TZULO] [target] static-68-235-48-107.cust.tzulo.com (68.235.48.107) 159.8ms
-
17 minutes ago, ghostp said:
Ok, that's a step forward but any idea what's going on and how to fix it?
Usually the temporary fix is to disable the route checking in settings. The real fix would be to find out why that's happening. Since you are running a beta it could be that you need to report this in the beta thread as a bug. -
UDP connects just fine but something goes wrong with checking route.
-
6 hours ago, jeuia3e9x74uxu6wk0r2u9kdos said:
I'm using this topic rather than opening another one just to keep the topic under the same umbrella.
I'm fully aware that AIRVPN has its own DNS servers and DNS addresses, that any request to them is protected because processed inside the tunnel (except for the leaks of course) and I know that the relationship between a user and his VPN provider is mainly a matter of trust (I'm not complaining about this).
Recently, it has come up that DNS queries are a possible privacy issue because Internet Service Providers can eavesdrop and manipulate them; thus Mozilla and Google have looked out for a way to mitigate the problem and the solution they found is the so-called DNS-over-HTTP (DoH). Cloudflare thought this was not enough so it also proposed to encrypt the Server Name Identification that it is still in an experimental phase.
As written here https://www.eff.org/it/deeplinks/2018/09/esni-privacy-protecting-upgrade-https "Hosting providers and CDNs (like Cloudflare) still know which sites users access when ESNI is in use" so maybe it wouldn't be a great deal to implement it on AIR but it is also written that "ESNI can also potentially work over VPNs or Tor, adding another layer of privacy protections."
Now, I know that AIRVPN does not store the DNS queries and does not eavesdrop them, but for the aforementioned reasons I wanted to ask if could it be technologically feasible to fully implement the RFC 8484 (proposed) standard and Encrypted Server Name Identification thus increasing user privacy and security by preventing "possible" eavesdropping and manipulation of DNS data? (I want to repeat it again, just to be crystal clear and not being misunderstood: I am totally happy with AIRVPN and I think the Staff is doing a great job. Period)
I'm neither asking to implement DoH and ESNI now and here nor to implement them in the future but just to talk about the topic, think on it and understand if it could be something reasonable to implement when the Staff will believe it is the right moment, something over-killing or totally useless.
Is this necessary if there are no logs kept anyway? -
UDP entry IP 3 or 4 don't work? Have you tried all the ports? Is this a restricted network you're on?
-
Well, I'd try UDP entry IP 3 or 4 first. If that doesn't work like it should then try TCP entry IP 3 or 4. If that doesn't then resort to stunnel. I'll be glad to try to help should it come to that. But it's a last resort because it's just not going to have much speed either. I'm really surprised you saw more than 200mbps with the SSL tunnel. What OS was doing the testing back then?
-
Before you go the stunnel route have you tried using tls-crypt configs?
-
6 hours ago, TDJ211 said:
Oh lookie at mister big shot over here. You sir are an absolute douchebag.
I give no fucks if it may have been common knowledge or a stupid question. At least I put in the work in figuring it out myself and not pestering the boards with my inferior intellect..
I was just simply following up with my solution in case anyone in the future stumbles upon this thread with a similar problem. There's nothing more frustrating than scouring all corners of the internet to finally find someone else with the same problem but they were too lazy and inconsiderate to update with the solution. It's like how can you expect help if you're not willing to return the favor? And in this instance, it's the entire community and anyone else who visits in the future.
That being said, my apologies, I didn't mean to interrupt you wacking off to yourself in the mirror with your countless IT certs in the background.
I'm no big shot but I don't take the time to post and reply to others without hoping that it's appreciated and that the forum search is used. That's the big no no around here - not using the forum search.
You see, here's an example of me helping another user with the same problem. Note that my post is marked as the answer. I'm not bragging. What I'm saying is that the help was already here. But, instead you acted like you'd come to a novel solution and needed to brag to the whole community with a new post of your own.
-
depends heavily on what operating system you're using. then your CPU.
-
yes, it's normal
ANSWERED pfsense / SSL Tunnel specific guide?
in General & Suggestions
Posted ...
I edited my post to confirm you create a stunnel tunnel in services>stunnel. Once that's running you can edit your openvpn config to connect to the listening stunnel daemon, which is step 3.