go558a83nk

The air client already uses iptables if the option is chosen. It also rewrites or rename/replaces the resolv.conf - dns option depending.

 

There's a rule set posted here that's similar.

https://airvpn.org/topic/9139-prevent-leaks-with-linux-iptables/

Its not stateful but by simply adding the if not '!' eth+ ! -d it really doesn't need to be. -Unless someone try's to spoof the ip.

right, iptable usage to block whatever is certainly not novel.  but, looks like zorro is trying to make it easier for people to manage automatically with their script.

The only linux I've used for VPN is that on my router and it has its own coding to manage policy routing and block clients if the VPN tunnel is down...

I don't know if the following is a real problem, especially for those who use the Eddie client.  However, I thought I'd share.

https://zorrovpn.com/articles/linux-iptables-vpn-only

which leads into the manpage for the script they've made

The script is free to share and edit under GNU GPL.

There is a section dealing with allowing access (of course) to VPN server IP.  By default that section is geared towards zorrovpn since they are the maker.  However, I'm sure it can be edited by somebody who knows what they are doing to work for Air.

This new server is in AS60118 if the information I see is correct.

http://bgp.he.net/AS60118

I'm a little concerned about the connectivity of this new server.

They have basically 1 connection, voxility.  Are you not at all concerned about this?

hmmm..Maintenance taking longer than expected? 

freedom and liberty do not mean anarchy, yet people these days tend to think they do.

freedom can only go so far until it infringes on the rights of others.  here, for example, think of the personal drone of today.  more and more we hear of people flying their drones in ways that infringe on the rights of others.  a story out of the USA talks about a woman living in high-rise building seeing a drone outside her window.  this is too far.

no, freedom and liberty only work for the good of everybody if people are civil and ethical, if they do unto others what they would have done unto them.

that said, lack of freedom and liberty, because of an overbearing government, is no better.  the government are no doubt strongly lacking civlity and ethics and think of the common man as nothing more than bugs to be squashed or votes to be bought.

 

 

Please re-read my post.  I'm using stunnel on my router.

 

edit: anyway, I got it.  I just added a line to the ssl file "ciphers = DHE-RSA-AES128-SHA256" and it works.  noticibly less CPU usage and still a TLS1.2 cipher.

 

Ok, great! What is your firmware? Did you compile stunnel by yourself for your router or is it an already available version?

 

Kind regards

merlin asus 378.51 on AC68 with entware-arm installed.  stunnel is available in the entware-arm repository.

Hello!

 

Since our servers will accept a variety of ciphers for SSL this is possible by configuring stunnel. However, configuring parameters for stunnel is currently not implemented in Eddie. Please see for example:

https://www.stunnel.org/pipermail/stunnel-users/2013-February/004112.html

 

Anyway, you probably don't need to bother about that. Nowadays computer CPUs are so powerful that they are not loaded at capacity by the current stunnel and OpenVPN ciphers you're using (well, it also depends on how much load they have from other tasks...).

 

Kind regards

Please re-read my post.  I'm using stunnel on my router.

edit: anyway, I got it.  I just added a line to the ssl file "ciphers = DHE-RSA-AES128-SHA256" and it works.  noticibly less CPU usage and still a TLS1.2 cipher.

Thanks. I'd love to hear from staff an answer to my actual question.   I can pull 50mbit/s with my setup but just trying to get every bit I can.

I'm running stunnel 5.14 with openssl 1.0.2a on my router.  It seems the cipher that's negotiated is probably a little stronger than it needs to be (ECDHE-RSA-AES256-GCM-SHA384).  The config, AirVPN*.ssl, only has a NO_SSLv2 option which is fine, of course.  But, are there any other options I can input that will get stunnel to negotiate a cipher suite that's less CPU intensive?

thanks for the help

just enable DHT and peer exchage and go.  you don't need the public trackers.

that said, get a grip man.  port forwarding and public trackers access are no where near related. 

I'm also interested because this happens to me with every VPN service using OpenVPN UDP. It recovers after a few seconds but log doesn't show any interruption

one VPN service I've used has some servers that drop out like this with UDP connections.  But others of their servers work just fine.  It happens to me just using downthemall! extension for firefox with several segments enabled.

really weird.  Other VPN providers (including Air) along very similar routing have no problems at all.

I just tested it on my iOS8 iphone.  openvpn connect with TCP 443 profile.  connected right up, no problem, on both home internet (wifi) and cellular data.

I also tried same profile in guizmovpn and it worked as well.

we need to see the log

I'm not sure how much this issue can be pushed onto Air staff.  They can't control what routing a datacenter has but they can set standards for what datacenters they use so that routing is most likely good for everybody.

Examples of datacenters that VPN companies use in Singapore

Leaseweb Singapore  - http://bgp.he.net/AS59253#_peers

Softlayer Singapore - http://bgp.he.net/AS36351#_peers

Digital Ocean Singapore - http://bgp.he.net/AS133165#_peers

8 to Infinity Singapore - http://bgp.he.net/AS45470#_peers

(only two real peers, but iptransit and Telin are enough)

Buy AFAIK you should import user.cer certificate and select it on that window together with user and pass.

There is also a HMA videotutorial that explains how to set OpenVPN on mikrotik

If user and password are used isn't ca.crt the certificate that's needed?  Is that type of connection even possible with Air?

will there be another Dallas server eventually?  Your post in the USA servers cancellation thread said "a couple" Dallas servers were on the way.

I agree we need more asian servers. Very slow at the moment and 2 isn't enough.

I just checked out Antares (Singapore) and Hadar (HK) 5 minute average charts for today.  Earlier today Antares reached a peak of about 240mbit/s inbound and outbound (480mbit/s total) while Hadar is barely used.  They are 1000mbit/s servers.  I don't know if that's 1000mbit/s total or in each direction.  Staff will have to answer that.  If total, then that would mean that the 240mbit/s peak on Antares was still only half capacity (240 inbound + 240 outbound).  If 1000 each way then it's only 1/4 capacity.  So, I don't think any slowness can be blamed on Air.

two more in Sweden??

nice!

those are just basic iptables.  if those don't work in the latest tomato then the whole router shouldn't work

 

I get 150Mbps down on NL servers using the same ISP, so it shouldn't be hard for you to resolve. Are you connecting using Eddie (Air's software)? What version? What's your OS? How is your network set up? Are you using a superhub, superhub 2 or superhub 2 AC? Are you wired or wireless? How are you testing the speeds you quoted?

 

As a test try turning connecting to the superhub via ethernet (wire) if you aren't already, put the SH into modem only mode and restart the PC. Then connect to an NL server using port 443 UDP. Then download an Ubuntu torrent or download the Ubuntu ISO from Ubuntu.com and see what speeds you get.

 

Im on windows 7 

Virgin Media SuperHub (100Mb Connection) 

Connected using the Airvpn Eddie 2.8.8 

Connected Via Wireless as i never use the Ethernet wire. 

SSH Tunnel Port 22 using Eddie 2.88 

 

 

Any help guys? 

is your superhub in modem only mode as suggested to try?

 admit that my ISP routing to leaseweb singapore is off and on.  just in the last couple days I'm back to going through NTT router direct to Antares.  However, I went several months with routing going through USA before this.

I'm still not convinced it's the fault of anybody but my ISP.  Leaseweb probably feels they are covered by the peerage they have.  The peerage of Pacnet and NTT is impressive.

You could also try forcing the kernel (not openvpn) to adjust the packet size by disabling mssfix with "mssfix 0" in case the other options don't work.

what operating system does the OP use?

the quote is wrong.  I didn't say that.

but anyway, routing to a server is a complicated matter.  there is a very good chance your ISP is who's really at fault for bad routing.

The current SG server is slow through Leasweb, the previous ones were very fast and they were Softlayer servers.

 

The HK is even worse it's got the third worst latency for Asia.

 

I'm thinking about cancelling with Air we can't use the net as this slow speed and what is the point of using USA servers.

can you show an MTR to Antares and Hadar?