go558a83nk reacted to Staff in CHACHA20-POLY1305 on all servers ...
We're very glad to announce all VPN servers progressive upgrade to Data Channel CHACHA20-POLY1305 cipher and TLS 1.3 support.
UPDATE 18-Nov-2020: upgrade has been completed successfully on all AirVPN servers.
The upgrade requires restarting OpenVPN daemons and some other service. Users connected to servers will be disconnected and servers during upgrade will remain unavailable for two minutes approximately. In order to prevent massive, simultaneous disconnections, we have scheduled a progressive upgrade in 15 days, starting from tomorrow 5 Nov 2020. Please see the exact schedule at the bottom of this post, in the attached PDF file. Servers marked as "OK" have been already upgraded and you can use CHACHA20-POLY1305 with them right now.
When should I use CHACHA20-POLY1305 cipher on OpenVPN Data Channel? In general, you should prefer CHACHA20 over AES on those systems which do not support AES-NI (AES New Instructions). CHACHA20 is computationally less onerous, but not less secure, than AES for CPUs that can't rely on AES New Instructions. If you have an AES-NI supporting CPU and system, on the contrary you should prefer AES for higher performance.
How can I use CHACHA20-POLY1305 on AirVPN?
CHACHA20-POLY1305 on Data Channel is supported by OpenVPN 2.5 or higher versions and OpenVPN3-AirVPN library.
In Eddie Android edition, open "Settings" > "AirVPN" > "Encryption algorithm" and select CHACHA20-POLY1305. Eddie Android edition will then filter and connect to VPN servers supporting CHACHA20-POLY1305 and will use the cipher both on Control and Data channels.
In our web site Configuration Generator, after you have ticked "Advanced Mode", you can pick OpenVPN version >=2.5, and also select "Prefer CHACHA20-POLY1305 cipher if available". If you're generating a configuration file for Hummingbird, select OpenVPN3-AirVPN: the configuration file needs to be different, because some new directives of OpenVPN 2.5 are not supported in OpenVPN3, and Hummingbird is based on OpenVPN3-AirVPN.
In Eddie desktop edition, upgrade to 2.19.6 version first. Then select the above mentioned option. However, most desktop computers support AES-NI, so make sure to check first, because using CHACHA20-POLY1305 on such systems will cause performance harm when you go above 300 Mbit/s (if you stay below that performance, probably you will not notice any difference). Also note that if your system does not have OpenVPN 2.5 or higher version you will not be able to use CHACHA20-POLY1305.
If you wish to manually edit your OpenVPN 2.5 profile to prefer CHACHA20 on Data Channel when available:
delete directive cipher
add the following directive:
data-ciphers CHACHA20-POLY1305:AES-256-GCM
Pending Upgrade Server Schedule
Kind regards and datalove
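The manual profile edit and the AES-NI rule of thumb from the post above, as an added example (not AirVPN's or Eddie's code). The function names are hypothetical, the sample profile is constructed, and the AES-NI check assumes a Linux x86 /proc/cpuinfo:

```shell
#!/bin/sh
# Added example: prefer CHACHA20-POLY1305 on the Data Channel of an
# OpenVPN 2.5 profile only when the CPU lacks AES-NI.

WANT='data-ciphers CHACHA20-POLY1305:AES-256-GCM'

# Return 0 when the "flags" line of cpuinfo lists the aes feature.
# $1 is an optional cpuinfo file (default /proc/cpuinfo, Linux x86 assumed).
has_aesni() {
    grep -E '^flags[[:space:]]*:' "${1:-/proc/cpuinfo}" 2>/dev/null | grep -qw aes
}

# Read a profile on stdin, write the edited profile on stdout:
# the "cipher" directive (and any older data-ciphers line) is dropped and
# the new data-ciphers directive takes its place, or is appended if absent.
# tls-cipher, data-ciphers-fallback and inline <ca>/<key> blocks are untouched.
prefer_chacha() {
    awk -v want="$WANT" '
        $1 == "cipher" || $1 == "data-ciphers" {
            if (!done) { print want; done = 1 }
            next
        }
        { print }
        END { if (!done) print want }
    '
}

# Leave the profile alone on AES-NI systems, rewrite it otherwise.
tune_profile() {
    if has_aesni "$1"; then cat; else prefer_chacha; fi
}

# Constructed sample profile (host name is a placeholder).
sample_profile() {
    printf '%s\n' 'client' 'dev tun' 'proto udp' \
        'remote vpn.example.invalid 443' 'cipher AES-256-CBC' 'auth SHA512'
}

sample_profile | tune_profile
```

On a machine with AES-NI the demo prints the sample unchanged; elsewhere the `cipher` line is replaced by the `data-ciphers` directive.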
go558a83nk reacted to Clodo in Wireguard response from Mullvad ...
It is not mandatory to wait for next Debian version: we are already testing up to date WireGuard version.
When we'll make WireGuard available to customers, it will be on all servers.
Exactly, it's unavoidable.
With OpenVPN that's currently correct.
However, with WireGuard we need to keep it, because it's written in .conf file generated via Config Generator and stored by users. See below for users' option to change or invalidate it.
Some of our competitors do this.
Some accept only their official client software because of the issue. That's neither good nor acceptable for us, as we don't want to lock user into our software.
Therefore the change you mention might be an Eddie's additional feature but we will try to make Wireguard main branch as secure as Eddie's, whenever possible.
Yes, we still use ifconfig-pool-persist in OpenVPN. It's very different than Wireguard's addresses binary mapping, especially under a legal point of view.
When a client is connected, OpenVPN daemon necessarily needs to link clients' public and VPN IP addresses. As soon as the client disconnects the link is lost.
One of WireGuard controversies is that client's real IP address remains visible with 'wg show' even after client's disconnection. The issue is resolved by removing and re-adding the peer after a disconnection (disconnection in WireGuard is basically a handshake timeout).
Some current testing implementation features are:
Unique WireGuard IPv4 and IPv6 subnets across servers which don't conflict with OpenVPN subnets
Assigning a non-conflicting, pseudo-random, local IP address for each customer's device (for AllowedIPs), similar to remotely forwarded port assignments
Users can renew a local IP address for a device anytime. WireGuard .conf manually used in official client would become invalid. Eddie will automatically update. The same happens when a user regenerates OpenVPN client certificate and key pair: the action invalidates any previously stored OpenVPN profile.
We will offer an API to automate the above, letting users write a script that performs HTTPS calls to change local IP address, download updated .conf, and then wg-quick.
An API to obtain a .conf file (Config Generator without UI) is already in production for OpenVPN and it will be of course available for WireGuard too.
When a device's WireGuard local IP address changes, up to a 10 seconds wait is required. It's the time required to propagate device key onto all VPN servers, in order to update the AllowedIPs peer node.
No other solution allowing us to let our customers use the official WireGuard client with a simple .conf file and, at the same time, preserve their privacy currently exists.
Please keep the above information as a proposal: we are currently studying pros and cons and something may change before WireGuard public beta support in our VPN servers is available.
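The "remove and re-add the peer after a handshake timeout" step described in the post above, as an added example (not AirVPN's implementation). It reads `wg show <interface> dump` output and prints the `wg set` commands instead of running them; the function names, the 180-second threshold, the interface name wg0 and the sample peers are assumptions constructed for illustration:

```shell
#!/bin/sh
# Added example: list the commands that clear a disconnected peer's stored
# endpoint (its real IP address) by removing and re-adding the peer.
#
# usage: wg show wg0 dump | stale_peer_resets wg0 "$(date +%s)" [TIMEOUT]
# Peer lines of "wg show IFACE dump" carry 8 tab-separated fields:
#   public-key preshared-key endpoint allowed-ips latest-handshake rx tx keepalive
# Assumptions: every peer has AllowedIPs, and peers use no preshared key
# (a preshared key cannot be restored from the dump alone, so such peers
# are reported on stderr and left untouched).
stale_peer_resets() {
    awk -F '\t' -v ifc="$1" -v now="$2" -v timeout="${3:-180}" '
        NF != 8            { next }   # the interface line has only 4 fields
        $3 == "(none)"     { next }   # no endpoint stored: nothing to clear
        now - $5 <= timeout { next }  # recent handshake: peer is still connected
        $2 != "(none)" {
            print "skipped (preshared key): " $1 > "/dev/stderr"
            next
        }
        {
            printf "wg set %s peer %s remove\n", ifc, $1
            cmd = sprintf("wg set %s peer %s allowed-ips %s", ifc, $1, $4)
            if ($8 != "off") cmd = cmd " persistent-keepalive " $8
            print cmd
        }
    '
}

# Constructed dump: keys are placeholders, addresses are documentation ranges.
sample_dump() {
    printf 'PRIVKEY_constructed=\tPUBKEY_constructed=\t51820\toff\n'
    printf 'KEY_A_constructed=\t(none)\t203.0.113.7:40000\t10.128.0.2/32\t1000\t1\t1\toff\n'
    printf 'KEY_B_constructed=\t(none)\t198.51.100.9:40001\t10.128.0.3/32,fd7d::3/128\t1990\t1\t1\t25\n'
    printf 'KEY_C_constructed=\t(none)\t(none)\t10.128.0.4/32\t0\t0\t0\toff\n'
}

# With the clock at 2000, only peer A (last handshake at 1000) has timed out.
sample_dump | stale_peer_resets wg0 2000
```

After the re-add, `wg show` lists the peer with its key and AllowedIPs but no endpoint until the next handshake.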
go558a83nk reacted to SumRndmDude in pfSense/OpenVPN ...
Nothing is more frustrating or satisfying simultaneously than answering your own questions. Apologies for another thread clogging up the forums unnecessarily, but I had been at this for a while and saw no mention of the issue. Turns out that pfSense's OpenVPN wizard for creating a server puts the allow inbound traffic firewall rule on the main OpenVPN tab, rather than the actual newly created server's LAN. So it was hijacking all traffic on any interface or LAN using OpenVPN, including my Air connections. As many times as I had plugged away at this issue, I only just now realized it did that. Moving it over to the actual server's LAN resolved it.
FWIW, I appreciate the reply to at least say you had read my question.
go558a83nk reacted to Hoox in How To Set Up pfSense 2.3 for AirVPN ...
I did a new install in pfSense 2.4.5 following this guide. Everything looks good, but I can't seem to get an IP from the DHCP server on VLAN20 (VPN).
This is from the log:
Jul 4 14:22:09 dhcpd DHCPOFFER on 10.0.20.100 to 94:de:80:f8:59:d4 (VPN-PC) via igb2.20
Jul 4 14:22:09 dhcpd DHCPDISCOVER from 94:de:80:f8:59:d4 (VPN-PC) via igb2.20
So it seems like the DHCP server sees the client and offers an IP in the correct subnet, but there is no DHCPACK from the client afterwards. I tried with different machines also.
Other VLANs work fine. Clients get IPs.
Something I forgot for VLAN20? Some firewall rule?
go558a83nk reacted to MrFricken in Guide - Configure pfSense VLAN with IPv6 ...
I just added in IPv6 support on my pfSense box, using AirVPN and a VLAN. Note that I already had the VPN VLAN setup and working correctly with IPv4, so this guide is only about what needed to be changed to add in IPv6 support.
Recently, AirVPN has implemented IPv6 across their servers. Provided you are running a recent version of OpenVPN (>= 2.4), and you adjust your client configuration properly, you will be assigned an IPv6 address along with the typical IPv4 address.
In my setup, I’m using pfSense as my firewall / router, and have several VLANs configured for various purposes. One of these VLANs is specifically for VPN usage.
So the question becomes, how to take the single IPv6 address assigned from AirVPN and make it usable on a VLAN, for multiple hosts. This setup is severely sub-optimal, as IPv6 was designed to avoid NAT (there are what, 3.4x10^38 available addresses?). Given that the design of the protocol and AirVPN’s implementation are at odds, there are some problems that you will encounter. The most annoying being that browsers don’t want to use your IPv6 address, and you will continue to use IPv4, despite having everything setup “correctly.” It may be possible to overcome this with some per-host modifications (on Linux, look to /etc/gai.conf), but that is perhaps not maintainable in the long run.
This problem stems from the fact that the address Air is providing is a Unique Local Address (ULA), which, by definition, is not globally routable. This address gets translated at Air’s servers into a normal, globally routable, address. But what the software on your machine sees is a ULA, and since that isn’t a globally routable IP address, the software will prefer the IPv4 address, where it is understood that NAT will probably be used.
Given this implementation, I am not convinced it is worth it to setup IPv6 in this type of configuration.
Having said all that, here is how I configured things to get IPv6 “working” with AirVPN on a pfSense VLAN:
1: Get an IPv6 address from AirVPN
Assuming you are running a recent release of pfSense, you should have the necessary OpenVPN version for this to work (I’m on pfSense 2.4.4, which is using OpenVPN 2.4.6).
Go into your OpenVPN client configuration and
set “Protocol” to “UDP IPv4 and IPv6 on all interfaces (multihome)”
scroll down to “Custom options” and make sure you have these 2 lines:
setenv UV_IPV6 yes;
Save, and possibly restart the service. You should now have both IPv4 and IPv6 addresses assigned to your VPN connection
2: Create a new Gateway
I can’t remember if the gateway was automatically created at this point. If not, Add a new gateway. If one was auto created, edit it. Then
Make sure Interface is set to the VPN
Address family is IPv6
Give it a name (VPN1_WAN_IPv6 in my case)
I’ve left everything else at default settings, then set a description, and
Save and reload
3: Modify your VPN VLAN
From the “Interfaces” menu, select your VPN VLAN entry, then
Set “IPv6 Configuration Type” to “Static IPv6”
Scroll down to the “Static IPv6 Configuration” section and set an address and prefix.
I chose a “random” ULA (FDxx:xxxx:xxxx:10::1). Obviously, choose hex characters in place of the “x”s and the “10” matches my vlan number. Set the prefix to /64
Leave the “use IPv4 connectivity” unchecked and the gateway set to “None”
Save and reload
4: Configure Router Advertisements and/or DHCPv6
From the “Services” menu, select “DHCPv6 Server & RA” - then choose your VLAN. In my setup, I’m not bothering with DHCP, just using SLAAC, so I go directly to the “Router Advertisements” tab.
Set Router Mode to unmanaged
Priority to Normal
You may choose to put your IPv6 DNS server into the DNS configuration section (I believe Air’s server is fde6:7a:7d20:4::1)
Leave everything else as is (blank)
Save and reload
5: Set NAT Rules
From the “Firewall” menu, select “NAT”, then go to the “Outbound” tab
Click the second “Add” button
Set “Interface” to your VPN gateway
“Address Family” is “IPv6”
Source type is “network”
Source network is the ULA you setup earlier (“Fdxx:xxxx:xxxx:10::/64”) I did this using an alias.
Note that the subnet drop down doesn’t list anything above a /32 (it’s meant for IPv4), so I left it at /32. Seems to work anyway.
The Translation Address should be set to “Interface Address”
Add in a description, if you wish, and
Save and reload
6: Set Firewall Rules
From the “Firewall” menu, select “Rules” and then the appropriate VLAN tab
Click the second “Add” button
“Action” is “Pass”
“Interface” is your VLAN
“Address Family” is “IPv6”
Set the rules appropriately for your situation. In my case, just to get things working, I set
“Protocol” to “Any”
“Source” to “[VLAN] net”
Click the “Display Advanced” button
Scroll down to “Gateway” and select your previously configured VPN IPv6 gateway
Save and reload
NOTE: Be sure to move the rule you just created into the correct spot in your rules list! Remember, the rules are checked in order, so if you have a deny rule above your new pass rule in the list, it won’t work.
At this point I rebooted pfSense and my VPN client machine. I now have an IPv6 address, assigned from the ULA block I setup. Visiting https://ipleak.net shows I have both IPv4 and IPv6 connectivity. Going to https://test-ipv6.com gives me a 10/10, but with the note that the browser is avoiding using the IPv6 address. See the note from AirVPN Staff about this: https://airvpn.org/topic/25140-the-issue-your-browser-is-avoiding-ipv6/
Hopefully this is helpful to someone out there.
go558a83nk reacted to Thrace in AsusWRT - OpenVPN Port Forwarding ...
Thanks for your time.
I have added iptables rules and all is good now.
I had entware on my stock Asus router system for deluge torrent.
I guess I can run a script at router boot with entware to add those iptables rules.
Edit: I managed to add those iptables rules automatically after boot on stock AsusWRT.
So now my router forwards my AirVPN opened ports to my PC.
I had a 2 day trial to test it out.
And a few mins ago I purchased for 3 years.
go558a83nk reacted to NoiselessOwl in Wireguard response from Mullvad ...
This is, again, subjective. WireGuard doesn't have TCP protocol support, it only uses the UDP protocol to transmit (according to WireGuard's website). The problem with it is that UDP tends to be blocked more often than TCP. K-12 and Higher Education Institutions usually have their networks block UDP and some ISPs put a block on UDP as well. It is worthless to use WireGuard if the network has UDP blocked. WireGuard will not be a new king on platforms if it doesn't support a plethora of protocols. On the other hand, OpenVPN has a range of protocols it can use to transmit, which makes it versatile to use.
go558a83nk reacted to Staff in AirVPN 10th birthday celebrations ...
Today we're starting AirVPN tenth birthday celebrations!
From a two servers service located in a single country providing a handful of Mbit/s, the baby has grown up to a wide infrastructure in 22 countries in three continents, providing now 240,000+ Mbit/s to tens of thousands of people around the world.
In 2019 and 2020, software development enhancement has paid off: now AirVPN develops on its own an OpenVPN3 forked library which resolves various problems from the main branch and adds new features. The library is used in Hummingbird, a free and open source software for Linux and Mac, known for its speed and compactness, in Eddie Android edition and in a new software which will be announced in June. Hummingbird has been released even for ARM based Linux devices, and runs fine for example in Raspberry PI.
Eddie Desktop edition has been extensively rewritten to improve performance, reliability and security. Now anything not related to the user interface is written in C++ and a lot of security hardening has been implemented. Total compatibility with macOS Catalina, Windows 10 and latest Linux distributions has been achieved, and specific packages for various, widespread Linux distributions are available for easier installation.
Eddie can act as a GUI for Hummingbird in Linux and Mac, while in Windows, Eddie can also be easily configured to run OpenVPN 2.5 with the wintun driver to achieve remarkable OpenVPN performance boost and put Windows on par with other systems OpenVPN throughput ability. Furthermore, the wintun driver resolves various problems which affected TAP-Windows driver.
Development for OpenBSD and FreeBSD has been unfortunately re-planned but we're glad to announce here that it will continue, starting from summer 2020.
All AirVPN applications and libraries are free and open source software released under GPLv3.
We think that it's somehow surprising that AirVPN not only survived, but even flourished for 10 years, in an increasingly competitive market and increasingly privacy hostile environment.
Thank you all, you users, customers, members of the community, moderators, developers: the small "miracle" happened because of you, because you saw something in AirVPN.
Kind regards and datalove
go558a83nk got a reaction from Lee47 in pfsense 2.4.5 on qotom Q375G4 with AirVPN and Virgin Media ...
those are old settings. AES-256-GCM is faster. and SHA512 is for tls-crypt configs.
go558a83nk reacted to sudoopenvpn in Wireguard response from Mullvad ...
Quite perplexed by the use of the wg protocol, to be honest. I can say that I saw good speeds with a debian iso but that was something out of the ordinary. IVPN, a provider praised for their speeds, has been nothing but a bummer for me. Torrents are around 7MB/s and with another I am at 20 MB/s. On IVPN I used wg and on the other it was ovpn.
But I cannot say that I don't understand the hype that wg goes through. But for me it is ovpn all the way. If you look at all the security issues and how providers are supposedly "fixing" them, I can only walk around with a huge question mark over my head. Why's wg needed anyway? What can it do that ovpn cannot do for us privacy minded folks? Why "fix" it when ovpn is still working as intended and always has? Surely, you wouldn't try to apply the use-case of a Volkswagen to an F1 car. With that said, I always liked AirVPN's approach to wg and that AirVPN kept prioritizing ovpn over wg.
Anyway, everybody can do as he likes, I for one will stick to ovpn in the meantime.
go558a83nk got a reaction from deguito18090 in IPLeak show only one DNS ...
not at all. what that's showing, and it's normal when using openvpn GUI on windows, is that when you use openvpn GUI instead of Eddie you have a DNS leak which is ruining some of the privacy you gain by using a VPN.
you want just the one (or two with ipv6) airvpn servers showing up as DNS servers.
go558a83nk reacted to Clodo in WINTUN replacement for Windows TAP driver ...
Hi to all, the latest Eddie 2.18.8 experimental released today, works with wintun, please test if interested.
Go to https://openvpn.net/community-downloads/, at bottom "OpenVPN 2.5_git wintun technology preview", click the "here" link and install.
If you already have the right "openvpn.exe", use it directly: Eddie will install the wintun driver when needed, and also create the adapter.
Eddie -> Settings -> Advanced -> OpenVPN Custom Path -> choose your "openvpn.exe" from 2.5, if already installed probably it is "C:\Program Files\OpenVPN\bin\openvpn.exe".
At this point, Eddie will use OpenVPN 2.5 (but still with standard TUN driver).
Eddie -> Settings -> OVPN directives -> Custom directives, add "windows-driver wintun".
At this point, Eddie will use the OpenVPN 2.5 with the newest Wintun driver.
go558a83nk reacted to arteryshelby in SARS-CoV-2: precautionary measures taken by AirVPN ...
Please stay healthy everyone!
go558a83nk reacted to Staff in SARS-CoV-2: precautionary measures taken by AirVPN ...
We would like to inform you that we have made every effort to ensure AirVPN full and efficient operation during the pandemic caused by SARS-CoV-2.
In order to reduce hazard and safeguard health, AirVPN staff and personnel work exclusively from home and worked from home well before the current situation appeared clearly as a pandemic
Each member has a landline and one or more mobile lines, when possible in different infrastructures, to maximize likelihood to stay connected to the Internet 24/7
AirVPN system is more efficiently automated and basic functioning requires no manual interventions, even for several months (if kernel upgrades hadn't been necessary, we would have had servers uptime of 4 years or more)
AirVPN inner staff members have now overlapping competences. Therefore if a key member, including a founder, is forced to stop working, the other ones can carry out his/her functions
Emergency funds already secured in the past in different facilities as well as banks remain unaltered and ensure AirVPN financial health for a very long time even in very harsh scenarios. However, we would like to assure you that they are not needed at all currently, quite the contrary. In the last 10 days we have experienced a substantial increase in the growth of our customer base
We have been informed by our most important partners and providers of housing and hosting in Europe, America and Asia that they are, and expect to, remain fully operational
go558a83nk got a reaction from Stan464 in Which is better for Pfsense setup? ...
Yes, even the i3 should be plenty. Just be sure to enable cryptographic hardware here /system_advanced_misc.php and then select that hardware in your openvpn config you create. Then AES-NI plus whatever else is on the CPU is in use.
go558a83nk reacted to Staff in New country: Estonia - New 1 Gbit/s server available ...
We're very glad to inform you that a new 1 Gbit/s server located in Tallinn (EE) is available: Alruba.
The AirVPN client will show automatically the new server; if you use any other OpenVPN client you can generate all the files to access it through our configuration/certificates/key generator (menu "Client Area"->"Config generator").
The server accepts connections on ports 53, 80, 443, 1194, 2018 UDP and TCP.
Just like every other "second generation" Air server, Alruba supports OpenVPN over SSL and OpenVPN over SSH, TLS 1.2 and tls-crypt.
Full IPv6 support is included as well.
As usual no traffic limits, no logs, no discrimination on protocols and hardened security against various attacks with separate entry and exit-IP addresses.
You can check the server status as usual in our real time servers monitor:
Do not hesitate to contact us for any information or issue.
Kind regards and datalove
go558a83nk got a reaction from encrypted in Please Fix this Website ...
At least once a day I get the "our tubes are clogged" message. No other website I visit is as unreliable as this one. When it is down I can't get to my client area to configure my VPN. So, it is important that the website is working.
What's more, no other web site I frequent is as slow to respond as this one as I browse through the forum. I can literally check on other forums in the time I'm waiting for this site to respond.
All this is while using AirVPN VPN servers.
Thanks for your attention.
go558a83nk reacted to LevS in WINTUN replacement for Windows TAP driver ...
Please be aware that wintun support functionality has been reviewed and merged into openvpn master. You can get latest snapshots from https://build.openvpn.net/downloads/snapshots/.
For example, this is the current latest build.