Jump to content
Not connected, Your IP:


  • Content Count

  • Joined

  • Last visited

  • Days Won


Posts posted by go558a83nk

  1. Merlin firmware modifies the stock asus firmware.  So, benefit to that is that you're getting a firmware that's made specifically for your hardware.  I'm not sure but I think the NAT acceleration capability is only available with asus or merlin asus firmware.  You'll also get other asus firmware things like the trendmicro protections.  The late versions of merlin firmware have policy routing mode for the openvpn client so you can control which LAN clients go through the VPN tunnel.

  2. I'm thinking you're second router is hijacking any dns requests and forcing them.


    Sent from my LG-D850 using Tapatalk


    need to wait to hear back from him/her after the router switch.  it does sound like a router was being used for VPN.  in that case there are some questions re how DNS resolution was implemented.  I've seen some policy routing setups where LAN clients were routed through the VPN tunnel created by the openvpn client on the router but DNS queries were sent to the router which was in turn querying DNS outside the tunnel.  It's better to push to LAN clients via DHCP the actual DNS to use.  That way you can be sure their DNS queries are going through the tunnel.

  3. valuable tool there.  I use the addon for firefox called SSleuth.  https://github.com/sibiantony/ssleuth/


    I am wondering how SSL Labs is getting their data for gmail.  When I visit gmail site SSleuth reports


    Cipher suite
        Key exchange: Elliptic curve Diffie-Hellman.
        Authentication: ECDSA.
        Bulk cipher: AES GCM 128 bits.
        HMAC: SHA-256.
    Perfect Forward Secrecy: Yes
    SSL/TLS Version: TLSv1.2
    Connection status: Secure
        Extended validation: No
        Signature: SHA-256/RSA
        Key: 256 bits ECDSA
        Common name: mail.google.com
        Issued to: Google Inc
        Issued by: Google Inc
        Validity: 5/6/2015 12:05:46 PM -- 8/4/2015 0:00:00 AM
        Fingerprint: 57:53:78:A6:01:EF:98:DF:6A:56: 35:4F:94:9E:C9:77:FA: :E0:1B


    which seems to contradict.  I wonder why the discrepancy? 


    Posteo.de info from SSleuth for comparison

    Cipher suite
    Key exchange: Elliptic curve Diffie-Hellman.
    Authentication: RSA.
    Bulk cipher: AES GCM 128 bits.
    HMAC: SHA-256.
    Perfect Forward Secrecy: Yes
    SSL/TLS Version: TLSv1.2
    Connection status: Secure
    Extended validation: Yes
    Signature: SHA-256/RSA
    Key: 2048 bits RSA
    Common name: www.posteo.de
    Issued to: Posteo e.K.
    Issued by: StartCom Ltd. StartCom Certification Authority
    Validity: 4/16/2014 13:03:06 PM -- 4/16/2016 16:23:04 PM
    Fingerprint: 3A:89:D8:AD:DC:A7:23:5C:8F:44: E9:DD:2E:85:6A:31:D2:D3:C9:70

  4. Somehow in my case this test is showing only Out-Tunnel speeds, while it shows "0 - error -" for both In-Tunnel Up and Down speeds:


    Down: 12.958 Mbit/s Out, 0.000 Mbit/s In (0%), 20MB - Up: 44.215 Mbit/s Out, 0.000 Mbit/s In (0%), 20MB - Date: Fri, 05 Jun 2015 23:53:44 GMT - Buffers: 20MB/20MB - Laps: 3, Time: 30.77 secs


    ...I tried several times.


    At the same time speedtest.net shows: 47,68 Mbits down, and 47,54 Mbits up.


    P.S> these are the results I got in Linux with Eddie 2.8


    are you using the browser extension noscript?

  5. Hm, did you actually read my answer? Where do I write that you need to open a port on the router/ firewall in order to get port forwarding working through AirVPN? In fact what I explain in my text is the difference between port forwarding on AirVPN and port forwarding on a router


    OK, maybe I misunderstood what you were trying to say. 

  6. My suggestion is that in the route checking page there be an option to actually see the route trace from a server we select to the IP address we've asked to be tested. 


    Sometimes I have problems where latency is low but the actual route used is through routers that are not optimal.  However, I don't see what route is used until I connect to the VPN server then trace the route back to my IP.


    I know many will say I can trace the route to the server from my computer.  The problem is that routes are often NOT symmetric.  Since download speed would be affected by the route from server to me, I'd like to see that route easier.



  7. if running a client on


    Well I think as much as I had to laugh about your answer it does not really hit the nail on it's head. According to my understanding soup123 and TACD fell for something different. On routers and with software firewalls it works like this:


    1. You need to open a port

    2. You need to forward that port to a certain IP/ MAC address


    Only after that the corresponding pc will be reachable over the internet. What's more if you run a port scan that port is always open, it does not matter if an application is actually listening on that port or not. There is only open or closed.


    With AirVPN on the other hand it works differently. Correct me if I'm wrong but the way I understand it a port is not always open and forwarded, even if you forward it correctly. It stays closed/ not forwarded unless an application listening on that port triggers it. That would also be the reason why port scanners recognize ports as closed even if they are actually forwarded.


    One last word on ports and forwarding them. I know that with some routers opening ports and forwarding them unfortunately is the same (best and most common example are the FritzBoxes). But that's incomplete or you could even say it's simply wrong. Actually opening the port is nothing more than telling the firewall to allow incoming traffic on that port (which otherwise would be blocked). But that alone does not help since even if the port is open you cannot reach any pc behind the router since you don't know it's network internal IP. In order to being able to reach a certain pc (web server for example) behind a router you need to forward the corresponding port to that pc. By doing this you tell the router to direct any incoming traffic on port x to pc y. Only then you will be able to reach the server.


    NO.  If you're running *any openvpn client* on a machine in your LAN do NOT open ports on your router.  All the router sees is a tunnel (whatever port and protocol you chose for the tunnel) and cannot at all affect any changes on that tunnel as it's encrypted.  Trying to open ports within that tunnel would be impossible.  With this kind of setup if you do open ports you're opening them to "clear" internet and that's not what you want.


    If running VPN on the router then you have to create some DNAT iptables to forward from the TUN device to the IP of the machine on your LAN.


    Soup123 was not detailed enough in his/her post for us to say much.  TACD simply didn't have the daemon listening when testing if the port was open.

  8. The following tests on Asus AC68 with Merlin firmware 378.54alpha4.  This version uses openvpn 2.3.6 with openssl 1.0.2a.  Connected to Singapore server.  My line speed is 35mbit/s.  All speed tests done from same server in Singapore and with UDP 443 tunnel.


    Note that the system seems to have a narrow range of possible buffers - it won't go low or high, ignoring the custom options I input.  Also, there may be something interesting with using 0 (zero), though it's not as fast as the larger buffer.


    no buffer options input
    send/receive as shown in log 131072
    speed 19.34/5.26 mbit/s

    buffers set to "0"
    send/receive as shown in log 122880
    speed 23.49/5.28 mbit/s

    buffers set to 65536
    actual buffer used as shown in log 131072
    no tested because duplicate

    buffers set to 262144
    actual used as shown in log 245760
    speed 27.85/5.25 mbit/s

    buffers set to 524288
    actual used as shown in log 245760
    not tested because duplicate

    edited to add more info up top.


    Are you sure you put the right link in? Clearly you can hide it from anyone who reads it, and Google too. Not one single IP you speak of here is in that link. (Yes, I checked thoroughly.) The link seems to be an IRC log of a discussion of coding. Nothing at all about networking unless I missed something.


    And what makes you say "PIA Staff are closely monitoring this thread"? I use PIA, but I am certainly not staff. I am just a loudmouth on the Internet.



    *** egrep <egrep!~egrepnix@gateway/vpn/privateinternetaccess/egrepnix> has quit IRC (Ping timeout: 256 seconds) 04:01 *** egrepnix <egrepnix!~egrepnix@> has joined #sailfishos-porters 04:02 *** egrepnix is now known as egrep 04:02

    *** egrep <egrep!~egrepnix@> has quit IRC (Quit: Brb... switching to wired interwebs.)


  - Vultr, the VPS provider from my above.


    If you want to trust a provider that relies on managed infrastructure of other small companies, this is totally your choice.


    That IP is in the range the description of which is Choopa, LLC, not vultr http://bgp.he.net/AS20473#_prefixes

  10. One point about the client area showing the client's real IP that must be made is in relation to tor.  If the user wants to make sure that Air does NOT see his/her real IP it's VERY nice to have that client area page so that the user can confirm that Air sees a tor IP.


    Related to that, if a user connects with SSH or SSL tunnel (which PIA does not have) there is no IP address shown on the client area page.  I assume this is because the VPN server sees the connection coming from another Air IP but staff will have to correct me if I'm wrong.

  11. the test is coming from that server, but outside the tunnel.  the point is to prove that the tunnel isn't degrading your speed (much) more than what encryption overhead necessitates.


    the path to you can be vastly different server to server.  so, no, you should not expect out tunnel speed to be the same for every server.

  12. @zhang888,


    check out http://bgp.he.net/AS20473#_prefixes and look for london trust media.  those are PIA servers in choopa London.  vultr is indeed in the description for other IP ranges.


    http://bgp.he.net/AS60485#_prefixes and http://bgp.he.net/AS57858#_prefixes Seems there are different AS for some of the IPs to which sweden resolves.  185.3.135.x are still shown in AS57858 in Estonia, description netroute.  Could that be an error?  The range does say virtual in description


    To propose that PIA moved in 1 day their servers to Leaseweb's datacenter in Germany just because of this thread is silly.

  13. Who, what, when, where are all lost once the VPN session is over if there is indeed no logging.  However, real-time monitoring occurs in every VPN network, no doubt.  No reputable VPN company wants their IPs to be involved in heinous things such as child porn.

  14. The air client already uses iptables if the option is chosen. It also rewrites or rename/replaces the resolv.conf - dns option depending.


    There's a rule set posted here that's similar.


    Its not stateful but by simply adding the if not '!' eth+ ! -d it really doesn't need to be. -Unless someone try's to spoof the ip.


    right, iptable usage to block whatever is certainly not novel.  but, looks like zorro is trying to make it easier for people to manage automatically with their script.

  • Create New...