Posts posted by go558a83nk


  1. 1 hour ago, Flx said:
    From the article/link Yes I read that BTW:
    "Some features are not compatible with DCO or are not relevant with DCO."
    Now which one is it "compatible or relevant"?
    And this is the part that confused the most:
    "Per-peer data usage is not tracked properly"

     

    yeah so usually your openvpn peers will show a total upload/download when looking at openvpn status.  but DCO clients currently do not.

  2. Maybe I'm totally wrong but I feel like the excuse for removing port forwarding (removing bad stuff from flowing through our servers) is just an excuse.  Instead I think that providers don't want to pay for the increased bandwidth usage that allowing port forwarding brings (e.g. torrenting) but they're not willing to admit that because they know their customers would riot.  I get it, costs have risen lately.  But, as the previous poster said, just increase prices for people who want port forwarding then.


  3. 3 hours ago, Peterom said:
    Thanks for your reply.
    Sadly I'm running the stock firmware, and I just checked: Asus Merlin WRT is not even available for my router device (yet).
    So if I can't directly modify the ip-tables with the current stock firmware, I guess that leaves me no option to have the vpn running on the router then 😥

    isn't ssh available even on stock firmware?

  4. 12 hours ago, Antonio Quartulli said:

    Hi, DCO does not support compression. It is already considered insecure and not recommended, therefore it didn't make sense to have support for it in DCO.
    This said, OpenVPN should log an error when trying to use compression with DCO. However, if the option is pushed by the server, something may sneak in. A log may help understanding what is going on.

    However, if you want DCO to work, you should definitely disable compression.
    4 hours ago, OpenSourcerer said:

    I add: You must absolutely explicitly disable it, and just as explicitly prevent your client from pulling compression options.

    comp-lzo no # <- you must remove this from the config, setting it to no is not enough
    allow-compression no
    pull-filter ignore comp-lzo
    pull-filter ignore compress # <- don't need this with AirVPN

    yes, I know that it doesn't support compression.  neither of my VPN providers uses compression and the only way I got AirVPN to connect was to have it ignore the comp-lzo push as opensourcerer wrote first elsewhere in this forum ;)
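The compression advice quoted in this post, turned into a check that can be run over a client config before enabling DCO. This is an added example, not code from the forum posts or from OpenVPN; the function name, sample configs and hostname are constructed, and it assumes OpenVPN's documented `allow-compression` values (`asym`, `no`, `yes`) and that `pull-filter` matches by prefix.

```python
import shlex

COMPRESSION = ("comp-lzo", "compress")  # directives DCO cannot carry

def dco_compression_findings(text):
    """Return [(line_no, message)]; line_no 0 means 'missing from config'."""
    findings, filters, allow, in_block = [], [], None, False
    for n, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if line.startswith("</"):          # end of an inline <ca>/<key> block
            in_block = False
            continue
        if line.startswith("<"):           # start of an inline block
            in_block = True
            continue
        if in_block or not line or line[0] in "#;":
            continue
        toks = shlex.split(line, comments=True)  # drops a trailing '# ...'
        if not toks:
            continue
        name, args = toks[0].lstrip("-"), toks[1:]
        if name in COMPRESSION:
            # Per the quoted advice, "comp-lzo no" is not enough: remove it.
            findings.append((n, f"remove '{name}'"))
        elif name == "allow-compression":
            allow = args[0] if args else None
        elif name == "pull-filter" and len(args) >= 2 and args[0] == "ignore":
            filters.append(args[1])
    if allow != "no":
        findings.append((0, "add 'allow-compression no'"))
    for d in COMPRESSION:
        # A filter applies when its text is a prefix of the pushed option.
        if not any(d.startswith(f) for f in filters):
            findings.append((0, f"add 'pull-filter ignore {d}'"))
    return findings

# Constructed sample configs (hostname is a placeholder).
WEAK = """client
dev tun
remote vpn.example.net 443
comp-lzo no   # still present
"""
FIXED = """client
dev tun
remote vpn.example.net 443
allow-compression no
pull-filter ignore comp-lzo
pull-filter ignore compress
"""
```

The check is deliberately stricter than the AirVPN-specific note in the quote: it asks for both `pull-filter` lines so the same config also survives a server that pushes `compress`.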

  5. 19 minutes ago, oassQ9w4cbl4AySZhhth%p36x said:
    1 hour ago, go558a83nk said:

    I'm using wireguard with great speed now but will be in a nation where VPN access is known to be restricted soon so I was hoping for DCO.  The weird thing is I'm able to connect to my other VPN provider using DCO on my (client) end and it works fine as documentation said it would (that there will be benefit if even just the client has DCO enabled).  But when I do the same for AirVPN no traffic flows but logs say the connection initiated fine.  I doubt that other VPN provider has an updated openvpn version so I'm guessing it's some other little quirk with the VPN tunnel options.
    hmm interesting, only thing i can think of is maybe tls-crypt being enabled on your airvpn one and not on the other or vice versa? compare and contrast the logs with some higher level logging and openvpn should tell you why

    nope, I tried with a tls-auth config for Air and it still didn't work.  It may have to do with compression settings.  I had to use some advanced directives regarding compression to get it to even connect to Air.  I didn't have to do such for the other provider but neither use compression.  So, I'm betting there's a sweet spot in compression settings that'll get it to work for Air.  I just haven't played with it much.

  6. 6 hours ago, oassQ9w4cbl4AySZhhth%p36x said:
    On 6/11/2023 at 11:59 AM, go558a83nk said:

    How imminent is this deployment?  :)  We're nearing 3 months since this post and I'm eager to test.
    imminent is probably like a year or more away. if you are concerned about speeds (struggling to get over 300 mbps without openvpn going insane on latency), then consider migrating to wireguard. I've done that recently and can push 800 mbps through a single gateway.

    I'm using wireguard with great speed now but will be in a nation where VPN access is known to be restricted soon so I was hoping for DCO.  The weird thing is I'm able to connect to my other VPN provider using DCO on my (client) end and it works fine as documentation said it would (that there will be benefit if even just the client has DCO enabled).  But when I do the same for AirVPN no traffic flows but logs say the connection initiated fine.  I doubt that other VPN provider has an updated openvpn version so I'm guessing it's some other little quirk with the VPN tunnel options.

  7. I'd guess that server port is how to access it for control, like a web gui?

    It looks like you need to just open 47854 47855 (obfuscated port) but you should not open/forward any ports on your tplink router unless your router *is* your VPN client.

    edit: and disable nat-pmp


  8. I was able to get DCO to connect with pfsense+ 23.05 (thanks to opensourcerer's notes about compression above) but no data actually transfers and after a bit I get a ping restart.  The client area session info also indicates no traffic moving.  Would something need to change on AirVPN's end?  My understanding is that even if only the client is running DCO some improvement in throughput could be had so I figured it would just work without Air changing anything on their end.


  9. I just realized that Pfsense+ software (which is still free for home users) has DCO capability while the pfsense CE software does not.  So I'm migrating to it today in preparation for testing DCO.  I believe I'll have need for openvpn (again) in the future and would love an openvpn that is faster on my pfsense box with one of those new N100 CPUs.  Wireguard is blazing fast, BTW, and the power usage is tiny.

    So, can't wait for a DCO test to begin here!


  10. 17 hours ago, Useranon99 said:

    I noticed when I generate a router config file directly instead of using Eddie, at no point am I required to authenticate with my username and password. I assume because I am already logged into airvpn.org prior to generating the router config that my authentication is embedded in the private key that is generated? 

    Otherwise, it seems odd that there is no username or way to authenticate as you'd need with a software VPN client. Obviously, I know little about security or would not be asking this question. 🙂


    correct, you're logged into your account on the web site so it knows what certs/keys to put in the config file (takes the place of username/password) based on what "device" you selected in the config generator. 

  11. 42 minutes ago, OpenSourcerer said:

    That's some interesting results for my ISP line. I get a whole ton of dubious positives there, sourced from resolving just five domains, with SERVFAILs on AAAA queries. Google is always mentioned, despite me knowing for a fact it's not configured anywhere. Presumably this will be reduced to only one result when using SurfShark. :D

    I get no leak from that surfshark test site.  It shows only the one DNS server that I have indeed configured.

  12. 6 minutes ago, Air4141841 said:

    I use 10.4.0.1

    With pfsense and opnsense 

    where did you find that was a dns server?


    I'm saying that the setting in the openvpn config will force your system to obey the pushed DNS server that it receives from the VPN server when connecting.  And if you're using policy routing it'll do that for only the rules routed through that VPN client.  The setting name is "accept DNS configuration"