
Posts posted by go558a83nk


  1. The following tests on Asus AC68 with Merlin firmware 378.54alpha4.  This version uses openvpn 2.3.6 with openssl 1.0.2a.  Connected to Singapore server.  My line speed is 35mbit/s.  All speed tests done from same server in Singapore and with UDP 443 tunnel.

     

    Note that the system seems to have a narrow range of possible buffers - it won't go low or high, ignoring the custom options I input.  Also, there may be something interesting with using 0 (zero), though it's not as fast as the larger buffer.

     

    no buffer options input
    send/receive as shown in log 131072
    speed 19.34/5.26 mbit/s

    buffers set to "0"
    send/receive as shown in log 122880
    speed 23.49/5.28 mbit/s

    buffers set to 65536
    actual buffer used as shown in log 131072
    not tested because duplicate

    buffers set to 262144
    actual used as shown in log 245760
    speed 27.85/5.25 mbit/s

    buffers set to 524288
    actual used as shown in log 245760
    not tested because duplicate
     

    edited to add more info up top.


  2.  

    Are you sure you put the right link in? Clearly you can hide it from anyone who reads it, and Google too. Not one single IP you speak of here is in that link. (Yes, I checked thoroughly.) The link seems to be an IRC log of a discussion of coding. Nothing at all about networking unless I missed something.

     

    And what makes you say "PIA Staff are closely monitoring this thread"? I use PIA, but I am certainly not staff. I am just a loudmouth on the Internet.

     

     

    *** egrep <egrep!~egrepnix@gateway/vpn/privateinternetaccess/egrepnix> has quit IRC (Ping timeout: 256 seconds) 04:01

    *** egrepnix <egrepnix!~egrepnix@108.61.68.155> has joined #sailfishos-porters 04:02

    *** egrepnix is now known as egrep 04:02

    *** egrep <egrep!~egrepnix@108.61.68.155> has quit IRC (Quit: Brb... switching to wired interwebs.)

     

     

    108.61.68.155 - Vultr, the VPS provider from my above.

     

    If you want to trust a provider that relies on managed infrastructure of other small companies, this is totally your choice.

     

    That IP is in the range 108.61.64.0/19 the description of which is Choopa, LLC, not vultr http://bgp.he.net/AS20473#_prefixes


  3. One point about the client area showing the client's real IP that must be made is in relation to tor.  If the user wants to make sure that Air does NOT see his/her real IP it's VERY nice to have that client area page so that the user can confirm that Air sees a tor IP.

     

    Related to that, if a user connects with SSH or SSL tunnel (which PIA does not have) there is no IP address shown on the client area page.  I assume this is because the VPN server sees the connection coming from another Air IP but staff will have to correct me if I'm wrong.


  4. the test is coming from that server, but outside the tunnel.  the point is to prove that the tunnel isn't degrading your speed (much) more than what encryption overhead necessitates.

     

    the path to you can be vastly different server to server.  so, no, you should not expect out tunnel speed to be the same for every server.


  5. @zhang888,

     

    check out http://bgp.he.net/AS20473#_prefixes and look for london trust media.  those are PIA servers in choopa London.  vultr is indeed in the description for other IP ranges.

     

    http://bgp.he.net/AS60485#_prefixes and http://bgp.he.net/AS57858#_prefixes Seems there are different AS for some of the IPs to which sweden resolves.  185.3.135.x are still shown in AS57858 in Estonia, description netroute.  Could that be an error?  The 5.157.38.0/24 range does say virtual in description

     

    To propose that PIA moved in 1 day their servers to Leaseweb's datacenter in Germany just because of this thread is silly.


  6. Who, what, when, where are all lost once the VPN session is over if there is indeed no logging.  However, real-time monitoring occurs in every VPN network, no doubt.  No reputable VPN company wants their IPs to be involved in heinous things such as child porn.


  7. The air client already uses iptables if the option is chosen. It also rewrites or renames/replaces the resolv.conf, depending on the DNS option.

     

    There's a rule set posted here that's similar.

    https://airvpn.org/topic/9139-prevent-leaks-with-linux-iptables/

    It's not stateful, but by simply adding the if not '!' eth+ ! -d it really doesn't need to be, unless someone tries to spoof the IP.

     

    right, iptable usage to block whatever is certainly not novel.  but, looks like zorro is trying to make it easier for people to manage automatically with their script.


  8. The only linux I've used for VPN is that on my router and it has its own coding to manage policy routing and block clients if the VPN tunnel is down...

     

    I don't know if the following is a real problem, especially for those who use the Eddie client.  However, I thought I'd share.

     

    https://zorrovpn.com/articles/linux-iptables-vpn-only

     

    which leads into the manpage for the script they've made

     

    The script is free to share and edit under GNU GPL.

     

    There is a section dealing with allowing access (of course) to VPN server IP.  By default that section is geared towards zorrovpn since they are the maker.  However, I'm sure it can be edited by somebody who knows what they are doing to work for Air.


  9. freedom and liberty do not mean anarchy, yet people these days tend to think they do.

     

    freedom can only go so far until it infringes on the rights of others.  here, for example, think of the personal drone of today.  more and more we hear of people flying their drones in ways that infringe on the rights of others.  a story out of the USA talks about a woman living in high-rise building seeing a drone outside her window.  this is too far.

     

    no, freedom and liberty only work for the good of everybody if people are civil and ethical, if they do unto others what they would have done unto them.

     

    that said, lack of freedom and liberty, because of an overbearing government, is no better.  the government are no doubt strongly lacking civility and ethics and think of the common man as nothing more than bugs to be squashed or votes to be bought.


  10.  

     

    Please re-read my post.  I'm using stunnel on my router.

     

    edit: anyway, I got it.  I just added a line to the ssl file "ciphers = DHE-RSA-AES128-SHA256" and it works.  noticeably less CPU usage and still a TLS1.2 cipher.

     

    Ok, great! What is your firmware? Did you compile stunnel by yourself for your router or is it an already available version?

     

    Kind regards

     

    merlin asus 378.51 on AC68 with entware-arm installed.  stunnel is available in the entware-arm repository.


  11. Hello!

     

    Since our servers will accept a variety of ciphers for SSL this is possible by configuring stunnel. However, configuring parameters for stunnel is currently not implemented in Eddie. Please see for example:

    https://www.stunnel.org/pipermail/stunnel-users/2013-February/004112.html

     

    Anyway, you probably don't need to bother about that. Nowadays computer CPUs are so powerful that they are not loaded at capacity by the current stunnel and OpenVPN ciphers you're using (well, it also depends on how much load they have from other tasks...).

     

    Kind regards

     

    Please re-read my post.  I'm using stunnel on my router.

     

    edit: anyway, I got it.  I just added a line to the ssl file "ciphers = DHE-RSA-AES128-SHA256" and it works.  noticeably less CPU usage and still a TLS1.2 cipher.


  12. I'm running stunnel 5.14 with openssl 1.0.2a on my router.  It seems the cipher that's negotiated is probably a little stronger than it needs to be (ECDHE-RSA-AES256-GCM-SHA384).  The config, AirVPN*.ssl, only has a NO_SSLv2 option which is fine, of course.  But, are there any other options I can input that will get stunnel to negotiate a cipher suite that's less CPU intensive?

     

    thanks for the help


  13. I'm also interested because this happens to me with every VPN service using OpenVPN UDP. It recovers after a few seconds but log doesn't show any interruption

     

    one VPN service I've used has some servers that drop out like this with UDP connections.  But others of their servers work just fine.  It happens to me just using downthemall! extension for firefox with several segments enabled.

     

    really weird.  Other VPN providers (including Air) along very similar routing have no problems at all.
