go558a83nk

Does anybody know if Egypt is like some other countries that have stifled VPN usage in that VPN seems to work on some ISPs but on others they don't?

yeah so usually your openvpn peers will show a total upload/download when looking at openvpn status. but DCO clients currently do not.

BTW, I think the really speedy stuff with DCO is coming from machines that have QAT available not from AES-NI.

are you sure buffer does anything with DCO? The pfsense+ folks say it and some other things are not compatible with DCO but maybe that's just their implementation at this time? https://docs.netgate.com/pfsense/en/latest/vpn/openvpn/dco.html#limitations

Or, if you're using Air's DNS based ad/malware blocking, could something be blocked with that that's "required"?

Maybe require users to select which server the port will be reserved on? And if they want to switch servers for the port forward rule they can try but if it's already reserved by another user they'll have to choose a different port.

Maybe I'm totally wrong but I feel like the excuses for removing port forwarding (removing bad stuff from flowing through our servers) is just an excuse. Instead I think that providers don't want to pay for the increased bandwidth usage that allowing port forwarding brings (e.g. torrenting) but they're not willing to admit that because they know their customers would riot. I get it, costs have risen lately. But, as the previous poster said, just increase prices for people who want port forwarding then.

isn't ssh available even on stock firmware?

Did some testing from my pfsense+ box. So far it works very well. It's lovely to see all the openvpn work being done in kernel here and 600mbit/s from this great distance seems very respectable.

yes, I know that it doesn't support compression. neither of my VPN providers uses compression and the only way I got AirVPN to connect was to have it ignore the comp-lzo push as opensourcerer wrote first elsewhere in this forum

hmm interesting, only thing i can think of is maybe tls-crypt being enabled on your airvpn one and not on the other or vice versa? compare and contrast the logs with some higher level logging and openvpn should tell you why nope, I tried with a tls-auth config for Air and it still didn't work. It may have to do with compression settings. I had to use some advanced directives regarding compression to get it to even connect to Air. I didn't have to do such for the other provider but neither use compression. So, I'm betting there's a sweet spot in compression settings that'll get it to work for Air. I just haven't played with it much.

imminent is probably like a year or more away. if you are concerned about speeds (struggling to get over 300 mbps without openvpn going insane on latency, then consider migrating to wireguard. I've done that recently and can push 800 mbps through a single gateway. I'm using wireguard with great speed now but will be in a nation where VPN access is known to be restricted soon so I was hoping for DCO. The weird thing is I'm able to connect to my other VPN provider using DCO on my (client) end and it works fine as documentation said it would (that there will be benefit if even just the client has DCO enabled). But when I do the same for AirVPN no traffic flows but logs say the connection initiated fine. I doubt that other VPN provider has an updated openvpn version so I'm guessing it's some other little quirk with the VPN tunnel options.

How wireguard is setup there I don't know for sure but on pfsense the gateway is the same as the interface address which is 10.144.77.131 for you in the screenshot.

I'd guess that server port is how to access it for control, like a web gui? It looks like you need to just open 47854 47855 (obfuscated port) but you should not open/forward any ports on your tplink router unless your router *is* your VPN client. edit: and disable nat-pmp

How imminent is this deployment? We're nearing 3 months since this post and I'm eager to test.

I was able to get DCO to connect with pfsense+ 23.05 (thanks to opensourcerer's notes about compression above) but no data actually transfers and after a bit I get a ping restart. The client area session info also indicates no traffic moving. Would something need to change on AirVPN's end? My understanding that even if only the client is running DCO some improvement in throughput could be had so I figured it would just work without Air changing anything on their end.

good point but I don't think this little box supports it. I'll find out.

I just realized that Pfsense+ software (which is still free for home users) has DCO capability while the pfsense CE software does not. So I'm migrating to it today in preparation for testing DCO. I believe I'll have need for openvpn (again) in the future and would love an openvpn that is faster on my pfsense box with one of those new N100 CPUs. Wireguard is blazing fast, BTW, and the power usage is tiny. So, can't wait for a DCO test to begin here!

well, I actually need more time. only 81 days left. I should have bought during the last sale.

did you mean to buy that much? ;)

correct, you're logged into your account on the web site so it knows what certs/keys to put in the config file (takes the place of username/password) based on what "device" you selected in the config generator.

I get no leak from that surfshark test site. It shows only the one DNS server that I have indeed configured.

It sounds like you have some policy routing going on, or maybe your web browser is using it's own "secure DNS".

I'm saying that the setting in the openvpn config will force your system to obey the pushed DNS server that it receives from the VPN server when connecting. And if you're using policy routing it'll do that for only the rules routed through that VPN client. The setting name is "accept DNS configuration"

In merlin you're able to set the DNS configuration in the openvpn client setup. I suggest "exclusive".