go558a83nk

Members
  • Content Count: 1970
  • Joined: ...
  • Last visited: ...
  • Days Won: 31

Reputation Activity

  1. Like
    go558a83nk reacted to TheHellSite in [COMPLETED] WireGuard beta testing available   ...
    As OPNsense and pfSense are/were pretty much the same, I am also interested in this!

    Looking at pictures of the pfSense WireGuard user interface (VPN --> WireGuard --> Tunnel Configuration) it seems that there is no field which would allow setting an MTU or MSS value for the tunnel.
    It looks like you only have the option to set the MTU (and MSS) value in the pfSense interface section.

    However, on OPNsense there is an extra field (VPN --> WireGuard --> Local --> "Tunnelname") to set the MTU value directly in the WireGuard config, but also no field for the MSS value.
    In the OPNsense interface section it is also of course possible to define the MTU (and MSS) value. The interface section also overwrites any setting configured in the WireGuard tunnel configuration.

    Also reading through this tutorial and the linked reddit thread it seems that it is best to just set these values in the interface section of OPNsense/pfSense and not in the tunnel configuration.
    I will try this out and report back here.
      Update
    It is best to declare the MTU value at the interface configuration and also in the tunnel configuration. The latter is necessary because each reload of the interface configuration and each reload of the WireGuard package will reapply the MTU value to the interface.
    Setting the MTU=1420 and MSS=1420 in the interface configuration of the interface assigned to the WireGuard tunnel and also MTU=1420 in the tunnel configuration resolved both the speed and SSL issues.
      Note
    I personally have to use MTU=1412 since my WAN requires the use of PPPoE, which adds another 8 bytes of overhead that need to be subtracted from the theoretical maximum MTU=1420.
    WireGuard MTU for PPPoE = 1420 - 8 = 1412
    Details see here: https://lists.zx2c4.com/pipermail/wireguard/2017-December/002201.html
      Note
    Setting the MSS value the same as the MTU value is specific to OPNsense and pfSense! Both firewalls automatically reduce the value entered in the MSS field by 40 bytes.
    On other systems the MSS value has to be entered 40 bytes lower than the MTU value.
    OPNsense / pfSense: MTU entered = actual MTU applied to the interface
    OPNsense / pfSense: MSS entered = MSS entered - 40 bytes = actual MSS applied to the interface
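As an added example (not part of TheHellSite's post, nor code from the OPNsense or pfSense projects), the arithmetic above as a small Python check: it derives the tunnel MTU from the WAN link, shows what the MSS field means on each platform, and flags a configuration that disagrees with the recipe in the post. The overhead constants are the standard WireGuard and PPPoE values; `check_config` and its argument names are made up for this example.

```python
# Added example, not from the forum post: reproduce the MTU/MSS arithmetic in
# the post above and check an OPNsense/pfSense-style configuration against it.
# Overhead constants are standard WireGuard/PPPoE values; the "MSS field minus
# 40" behaviour of OPNsense/pfSense is taken from the post itself.

WG_OVERHEAD_IPV4 = 60   # 20 IPv4 + 8 UDP + 32 WireGuard (header + Poly1305 tag)
WG_OVERHEAD_IPV6 = 80   # 40 IPv6 + 8 UDP + 32 WireGuard; this gives the 1420 default
PPPOE_OVERHEAD = 8      # PPPoE header (6) + PPP protocol field (2) on the WAN link
TCP_IPV4_HEADERS = 40   # 20 IPv4 + 20 TCP, which the MSS excludes


def wireguard_mtu(link_mtu=1500, pppoe=False, outer_ipv6=True):
    """Largest inner packet that still fits the WAN link after encapsulation."""
    usable = link_mtu - (PPPOE_OVERHEAD if pppoe else 0)
    return usable - (WG_OVERHEAD_IPV6 if outer_ipv6 else WG_OVERHEAD_IPV4)


def mss_field_value(tunnel_mtu, platform):
    """Value to type into the MSS field so that MTU-40 is what gets applied."""
    if platform.lower() in ("opnsense", "pfsense"):
        return tunnel_mtu            # these firewalls subtract 40 themselves
    return tunnel_mtu - TCP_IPV4_HEADERS


def applied_mss(mss_field, platform):
    """What actually ends up in the TCP MSS clamp for a given field value."""
    if platform.lower() in ("opnsense", "pfsense"):
        return mss_field - TCP_IPV4_HEADERS
    return mss_field


def check_config(platform, link_mtu, pppoe, iface_mtu, iface_mss, tunnel_mtu):
    """Return a list of problems; empty when the settings match the post's recipe."""
    want = wireguard_mtu(link_mtu, pppoe)
    problems = []
    if iface_mtu != want:
        problems.append(f"interface MTU {iface_mtu} != expected {want}")
    if tunnel_mtu != iface_mtu:
        # a package/interface reload reapplies the tunnel value, so they must agree
        problems.append(f"tunnel MTU {tunnel_mtu} != interface MTU {iface_mtu}")
    got = applied_mss(iface_mss, platform)
    if got != want - TCP_IPV4_HEADERS:
        problems.append(f"MSS field {iface_mss} applies {got}, "
                        f"expected {want - TCP_IPV4_HEADERS}")
    return problems


if __name__ == "__main__":
    # constructed sample: the post's PPPoE case, but with the MSS entered the
    # "generic Linux" way (MTU-40) on pfSense, which double-subtracts 40 bytes
    for p in check_config("pfsense", 1500, True, 1412, 1372, 1412):
        print("problem:", p)
```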
  2. Like
    go558a83nk reacted to khalfdan in Europe config file sends me to the US??   ...
    My hat is off to you, sir: a. it didn't occur to me that that could happen and b. I wouldn't have known how to trace it out in any event. Much obliged.
  3. Thanks
    go558a83nk got a reaction from dr_loloto in Possible to route all network traffic trough VPN?   ...
    https://www.gl-inet.com/products/gl-ax1800/   Look into that. It'll run WireGuard plenty fast.
  4. Like
    go558a83nk got a reaction from khalfdan in Europe config file sends me to the US??   ...
    Simply outdated geolocation databases cause errors like this. When I trace to the IP, I can see that it's in Brussels or nearby, although there is a PTR error at line 14 because it claims to be in Los Angeles.
     
    |------------------------------------------------------------------------------------------|
    |                                    WinMTR statistics                                     |
    |                       Host              -   %  | Sent | Recv | Best | Avrg | Wrst | Last |
    |------------------------------------------------|------|------|------|------|------|------|
    |                              10.128.0.1 -    0 |    4 |    4 |    7 |    7 |    8 |    7 |
    |                          23.103.107.254 -    0 |    4 |    4 |    8 |    8 |    8 |    8 |
    |                      Request timed out. -  100 |    1 |    0 |    0 |    0 |    0 |    0 |
    |   be2978.ccr41.dfw03.atlas.cogentco.com -    0 |    4 |    4 |    8 |    8 |    8 |    8 |
    |   be2763.ccr31.dfw01.atlas.cogentco.com -    0 |    4 |    4 |    8 |    8 |    9 |    9 |
    |   be2432.ccr21.mci01.atlas.cogentco.com -    0 |    4 |    4 |   18 |   39 |   62 |   60 |
    |   be2831.ccr41.ord01.atlas.cogentco.com -    0 |    4 |    4 |   30 |   30 |   30 |   30 |
    |   be2717.ccr21.cle04.atlas.cogentco.com -    0 |    4 |    4 |  121 |  121 |  122 |  121 |
    |   be2889.ccr41.jfk02.atlas.cogentco.com -    0 |    4 |    4 |  124 |  124 |  125 |  125 |
    |   be2317.ccr41.lon13.atlas.cogentco.com -    0 |    4 |    4 |  123 |  124 |  127 |  123 |
    |  be12194.ccr41.ams03.atlas.cogentco.com -    0 |    4 |    4 |  123 |  123 |  124 |  123 |
    |   be3676.rcr21.bru01.atlas.cogentco.com -    0 |    4 |    4 |  124 |  127 |  135 |  124 |
    |                          149.11.170.218 -    0 |    4 |    4 |  119 |  120 |  124 |  119 |
    |          vlan2909.as02.lax1.us.m247.com -    0 |    4 |    4 |  131 |  133 |  139 |  131 |
    |          vlan2911.as01.bru1.be.m247.com -    0 |    4 |    4 |  120 |  120 |  120 |  120 |
    |            155.251.187.194.in-addr.arpa -    0 |    4 |    4 |  119 |  119 |  120 |  119 |
    |________________________________________________|______|______|______|______|______|______|
    WinMTR v1.00 GPLv2 (original by Appnor MSP - Fully Managed Hosting & Cloud Provider)
  5. Like
    go558a83nk reacted to Staff in VPN companies relationship mesh   ...
    Yes, a very nice one.
     
    Apparently it is perfectly formulated, because it's 100% true and accurate, and it's not formulated here, but there.
     
    It's mentioned because Crossrider/Kape was founded by a member of Unit 8200, a cyber spy agency, and its (Crossrider's) primary business was facilitating malware and computer infections. Recently it acquired major VPNs (such as Private Internet Access, Express VPN and CyberGhost) as well as review web sites.
     
    In reality, in the FT article you mention you can read the interview with Lempert (chairman of the Unit 8200 alumni association and CEO of the MER mobile comms group), who claims that 8200 is focusing (the article is 7 years old) on huge data mining, which is exactly extensive surveillance of the Internet, and we could also mention the documents leaked by Snowden, which revealed how Unit 8200, referred to as ISNU, receives raw, unfiltered data of U.S. citizens as part of a secret agreement with the NSA.
    https://en.wikipedia.org/wiki/File:Israel_Memorandum_of_Understanding_SIGINT.pdf

    Are US citizens "bad neighbors" too?

    Anyway. It's irrelevant whether the purposes of Kape match those of Unit 8200. Kape may or may not be a puppet of 8200, you don't know and we don't know, and perhaps it's not, and still that's not the point. The relevance of a member of 8200 founding a company spreading malware and now controlling VPNs is the relationships and competence acquired by that member during his/her previous job, used against citizens unconditionally, since Kape operated essentially in browser hijacking, ad injectors and other remunerative computer infections worldwide.

    Remember for example Gericke ("strangely", he is also ExpressVPN CIO), Adams and Baier: they used the great competence acquired while they worked for US intelligence agencies to assist the UAE regime in cracking the phones and computers of journalists, activists and political opponents of the monarchy, to help the UAE suppress or control any possible dissident or uncomfortable journalist. Officially it was not in the interest of the CIA or USIC to do that (and actually all three of them have been charged by the DoJ for that "job"), but anyway they greatly succeeded in their UAE job because they were trained by, and had the knowledge of and access to certain technology from, their former employers.
    https://www.justice.gov/opa/pr/three-former-us-intelligence-community-and-military-personnel-agree-pay-more-168-million

    Kind regards
     
  6. Thanks
    go558a83nk reacted to Staff in VPN companies relationship mesh   ...
    Hello!

    Very interesting analytical and investigative work by Windscribe disclosing ties (even hidden ones) between VPN companies, publishers and review web sites. Click on node icons to read more details. Very sinister situation at a glance. Note for example how Crossrider (now Kape), a well-known malware company co-founded by a member of Israeli Defense Forces Unit 8200, nowadays controls major VPNs and review web sites:
    https://embed.kumu.io/9ced55e897e74fd807be51990b26b415#vpn-company-relationships/control-d

    Kind regards
     
  7. Thanks
    go558a83nk got a reaction from mazurka7 in AirVPN DNS setup in Asus router problem   ...
    For Asus Merlin, set WAN DNS to something other than the VPN DNS (10.4.0.1) and in the OpenVPN configuration set the DNS setting to exclusive. Then it'll switch to VPN DNS when the VPN connects.

    10.4.0.1 won't work unless you're connected to the VPN, because 10.4.0.1 is only accessible through the VPN, not from the public Internet.
  8. Thanks
    go558a83nk reacted to Staff in [RESOLVED] PayPal: delayed plan activation   ...
    EDIT: problem has been resolved around 12.00 2022-06-16 UTC
     
     
    Hello!

    We're sorry to inform you that an ongoing PayPal malfunction is causing a serious issue with purchase validations and plan activation. IPN (Instant Payment Notification) is not sent, so we must validate PayPal payments manually one by one. PayPal was notified hours ago. We apologize for the delayed activation, but the problem is out of our responsibility and control. Hopefully PayPal will resolve the problem very soon. If you have paid via PayPal and you don't see your plan activation within a few hours, feel free to open a ticket, as we are struggling to keep pace in the long run.

    If you are reading this message before you make a purchase, please consider paying via Stripe, Amazon Pay or Bitcoin for a faster and automated plan activation.

    This thread will be updated as new information comes in.

    Kind regards
     
  9. Confused
    go558a83nk reacted to Staff in Two new 1 Gbit/s servers available (US)   ...
    Hello!

    We're very glad to inform you that two new 1 Gbit/s full duplex servers located in New York City are available: Haedus and Iklil. They are going to replace Dimidium and Gliese.

    The AirVPN client will automatically show the new servers; if you use any other OpenVPN or WireGuard client you can generate all the files to access them through our configuration/certificates/key generator (menu "Client Area"->"Config generator").

    The servers accept connections on ports 53, 80, 443, 1194, 2018 UDP and TCP for OpenVPN and port 1637 UDP for WireGuard.

    Haedus and Iklil support OpenVPN over SSL and OpenVPN over SSH, TLS 1.3, OpenVPN tls-crypt and WireGuard.

    Full IPv6 support is included as well.

    As usual no traffic limits, no logs, no discrimination on protocols and hardened security against various attacks with separate entry and exit-IP addresses.

    You can check the status as usual in our real time servers monitor:
    https://airvpn.org/servers/Haedus/
    https://airvpn.org/servers/Iklil/

    Do not hesitate to contact us for any information or issue.

    Kind regards and datalove
    AirVPN Team
  10. Like
    go558a83nk reacted to Staff in [ENDED] AirVPN 12th birthday celebrations   ...
    Hello!

    Today we're starting AirVPN twelfth birthday celebrations offering special, strong discounts on longer term plans.
     
    From a two-server service located in a single country providing a handful of Mbit/s, the baby has grown up to a wide infrastructure in 23 countries on four continents, now providing 240,000+ Mbit/s to tens of thousands of people around the world.

    We still define it as a "baby", but AirVPN is now the oldest VPN in the market which never changed ownership, and it's one of the last that still puts ethics well over profit, a philosophy which has been rewarded by customers and users.

    During the last year, AirVPN added important features, also according to customers' requests:
    integrated and full WireGuard support on all VPN servers
    optional lists selection to block spam, ads, trackers and other malicious sources, featuring a unique and fine-grained customization which is exclusive on the nowadays market
    improved inbound remote port forwarding interface and implementation
    The infrastructure saw a robust power-up in Tokyo, where we now have 14000 Mbit/s available (7000 Mbit/s full duplex), with more powerful hardware, and a small addition in Ireland. The VPN servers and the back-end service ones have had some minor security improvements as well as ordinary system updates as usual. Optimized software, and also the WireGuard implementation, allowed our servers to deliver high performance more smoothly, thanks to the improved balancing between threads and of course the good WireGuard scalability.
    On the software side, all AirVPN applications and libraries are still free and open source software released under GPLv3. WireGuard has been fully integrated in the Desktop edition of Eddie, while Eddie Android edition will support it in the next version, which is imminent (a public alpha release will be ready in June). All the applications are continuously developed and updated to provide an even better experience and performance.
     
    Kind regards and datalove
    AirVPN Staff
  11. Thanks
    go558a83nk reacted to 7481217113 in No x509 Verification?   ...
    Why is this important?

    This works exactly like your browser when you access an HTTPS website. Say you visit reddit.com: when you enter the URL into your address bar, your browser connects to the Reddit servers, which send a TLS certificate over the wire for reddit.com. Your browser then checks the certificate to see if reddit.com is indeed present in the common name or SANs (subject alternative names), that it is not expired, and that it was signed by a publicly trusted certificate authority (CA). If these conditions are true the website will load. If they are not true then you will be presented with an insecure connection error.

    The OpenVPN client, by default, does NOT verify that the server you are connecting to is the server that you expect it to be (i.e. that the hostname you connect to is in the certificate's common name). The only things it verifies are:

    The certificate has been issued/signed by the Certificate Authority that is trusted inside the <ca> block in the config
    The certificate is not expired

    Unless x509 verification is in place, the client will trust ANY server that presents a certificate that was generated by the Certificate Authority as long as it’s not expired. With that in mind, a breach of a single server, regardless of the unique certificate being deployed there, gives the attacker the ability to impersonate ANY other server for that VPN provider.
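Added example, not from the thread: a Python model of the two verification policies the post contrasts, applied to a constructed certificate in the shape Python's `ssl` module returns from `getpeercert()`. The CA name, the hostnames and the `CERT_B` sample are invented; the extra name check is what a browser does and what OpenVPN's `verify-x509-name` directive enables on the client.

```python
# Added example, not from the thread: compare "CA signature + expiry only"
# (the default the post describes) with the same check plus name matching.
# Certificates are constructed dicts in the shape ssl.SSLSocket.getpeercert()
# returns; the CA name and hostnames are made up for this example.
import ssl
import time

TRUSTED_CA = "Example VPN Root CA"          # stands in for the <ca> block


def _field(cert, section, key):
    """Pull one attribute (e.g. commonName) out of a getpeercert()-style tuple tree."""
    for rdn in cert.get(section, ()):
        for k, v in rdn:
            if k == key:
                return v
    return None


def _names(cert):
    """DNS names the certificate claims: SANs first, common name as fallback."""
    sans = [v for (t, v) in cert.get("subjectAltName", ()) if t == "DNS"]
    cn = _field(cert, "subject", "commonName")
    return sans or ([cn] if cn else [])


def _matches(pattern, host):
    """RFC 6125-style match: exact, or one wildcard label at the far left only."""
    pattern, host = pattern.lower(), host.lower()
    if pattern.startswith("*."):
        return host.count(".") == pattern.count(".") and host.endswith(pattern[1:])
    return pattern == host


def default_policy(cert, now=None):
    """What the post says a stock OpenVPN client checks: trusted issuer + not expired."""
    now = time.time() if now is None else now
    issuer_ok = _field(cert, "issuer", "commonName") == TRUSTED_CA
    not_expired = ssl.cert_time_to_seconds(cert["notAfter"]) > now
    return issuer_ok and not_expired


def x509_name_policy(cert, expected_host, now=None):
    """Same checks, plus: does the cert actually name the server we meant to reach?"""
    return default_policy(cert, now) and any(_matches(n, expected_host) for n in _names(cert))


# constructed sample: a certificate legitimately issued by the CA to server B
CERT_B = {
    "subject": ((("commonName", "server-b.example.net"),),),
    "issuer": ((("commonName", TRUSTED_CA),),),
    "notAfter": "Jan  1 00:00:00 2035 GMT",
    "subjectAltName": (("DNS", "server-b.example.net"),),
}

if __name__ == "__main__":
    # a client that meant to reach server A is handed server B's valid, unexpired cert
    print("default policy accepts:", default_policy(CERT_B))
    print("name policy accepts:", x509_name_policy(CERT_B, "server-a.example.net"))
```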
  12. Like
    go558a83nk reacted to Staff in No x509 Verification?   ...
    Hello!

    WireGuard does not support authentication via certificate at all. OpenVPN does, and we have it implemented of course, but not with specific fields. If we implemented it, we would force all of our customers to change certificate every time they change server, which is not a viable solution on most router and pfSense machines. Totally unacceptable.

    You must also consider that in order to impersonate a server, not only would the attacker need to steal the secret WireGuard key or the various OpenVPN certificate/key pairs, but she would also need to cage the target and hijack the route via IP addresses, because the target cannot be actively reached (forbidden in OpenVPN settings). Also, DH keys are unique in each VPN server, so the attacker can't even try an impersonation from another server while the connection is ongoing to a real server.

    Kind regards
     
  13. Like
    go558a83nk reacted to Staff in Privacy Notice and Terms   ...
    Addendum: Piwik's main options have always remained unused by us, so why keep it when it can cast such doubts even in a long-time customer like you? Therefore it has been disabled, so anybody with doubts like yours can now have peace of mind and the usual confidence in every field handled by AirVPN.
     
    Kind regards
    AirVPN founders
  14. Thanks
    go558a83nk got a reaction from mazurka7 in AirVPN DNS setup in Asus router problem   ...
    *if* you're using an IP address in the VPN server field instead of a domain, then putting 10.4.0.1 in the WAN DNS setting might be OK. Because there's no domain to resolve, the router doesn't need to reach 10.4.0.1 prior to connection.
  15. Thanks
    go558a83nk got a reaction from mazurka7 in AirVPN DNS setup in Asus router problem   ...
    If you're using Asus Merlin and set the OpenVPN config in policy routing mode, there's an option to not allow traffic if the VPN goes down.

    I'd use policy routing mode, set the DNS option in the OpenVPN config to exclusive and not put AirDNS in the WAN settings.
  17. Like
    go558a83nk reacted to wunderbar in RT blocked from some EU servers   ...
    Hello.
    Absolutely not. Censorship of any legal free speech is totally unacceptable and must be completely rejected in all cases.
    If you prevent other people from speaking, you are no better than the ones you claim to be protecting other people from.
  18. Like
    go558a83nk reacted to Staff in Ukraine Server Future?   ...
    Hello!

    Unfortunately there's nothing we can do during these grim and tragic days. Russians are actively destroying various infrastructural resources and might enter Kyiv any time. Our deepest sorrow is caused by the uncertain fate of the Ukrainian people. Who cares about a single server, but we will keep operating it, even as a symbol, as long as the infrastructure works, and it will remain displayed in the servers status page with the Ukraine flag.

    Kind regards
     
  19. Like
    go558a83nk reacted to Staff in Server replacement (LV)   ...
    Hello!

    We inform you that the following servers in Latvia:
    Meissa
    Phact
    Schedir
    Shaula
    have suddenly become non-operational because the upstream of our provider blocked all traffic. They should come back online within a couple of days, thanks to new deals with a new transit provider. However, all IP addresses will change. We have decided that this is a good moment to switch to new lines and servers: we are replacing the previous 100 Mbit/s lines with 1 Gbit/s lines and ports, and replacing the hardware with more powerful CPUs. The four 100 Mbit/s servers will be replaced by three 1 Gbit/s servers. Location will not change: the new servers will be in Riga.

    We should be able to announce the new servers in the next days.
    EDIT 2022/02/02: replacement has been completed.

    Kind regards and datalove
    AirVPN Staff
     
  20. Like
    go558a83nk reacted to thetechdude in Logging for DNS   ...
    There are a few misconceptions here.  There is a difference between logging DNS queries temporarily and logging VPN traffic.  It's possible to enable logs on DNS for like 5 minutes and then turn it off.  Let's say I'm trying to go to a site that Easylist, or any other list, blocks.  Wouldn't it be nice to know that, so that you could then make an exclusion?  This is something that every other DNS filtering service allows; ControlD, NextDNS, AdGuard Home, etc.  So, what I'm asking for is nothing new or scandalous in any way.
  21. Like
    go558a83nk reacted to Staff in New 1 Gbit/s server available (IE)   ...
    Hello!

    We're very glad to inform you that a new 1 Gbit/s full duplex server located in Dublin, Ireland, is available: Minchir.

    The AirVPN client will automatically show the new server; if you use any other OpenVPN client you can generate all the files to access it through our configuration/certificates/key generator (menu "Client Area"->"Config generator").

    The server accepts connections on ports 53, 80, 443, 1194, 2018 UDP and TCP for OpenVPN and port 1637 UDP for WireGuard.

    Minchir supports OpenVPN over SSL and OpenVPN over SSH, TLS 1.3, OpenVPN tls-crypt and WireGuard.

    Full IPv6 support is included as well.

    As usual no traffic limits, no logs, no discrimination on protocols and hardened security against various attacks with separate entry and exit-IP addresses.

    You can check the server status as usual in our real time servers monitor:
    https://airvpn.org/servers/minchir

    Do not hesitate to contact us for any information or issue.

    Kind regards and datalove
    AirVPN Team
  22. Like
    go558a83nk got a reaction from Jacker@ in PFsense OpenVPN is no longer connecting   ...
    Looks like this is all confusion around which entry IPs are tls-crypt and which are tls-auth. tls-auth entry points use SHA1. tls-crypt entry points use SHA512 and TLS encryption+auth.

    So, keep an eye on which config you make. Details matter.
  23. Like
    go558a83nk reacted to Staff in When will AirVPN implement tls-crypt-v2?   ...
    @ciudad

    Hello!

    It's not planned at the moment, because the current single tls-crypt key is more comfortable for us. tls-crypt-v2 doesn't change anything for the client, while on the server side, in our specific case, it would be useless because we maintain tls-auth for backward compatibility. Any denial attempt would remain potentially possible via tls-auth, hence we would have a complication for nothing. However, when we drop tls-auth (we're afraid not in the near future, because of the amount of old OpenVPN versions connecting to our service), then tls-crypt-v2 will become attractive indeed.

    Kind regards
     
  24. Like
    go558a83nk got a reaction from Staff in speedtest comparison   ...
    Really thrilled with the WireGuard speed. That's me on Mensa. https://i.gyazo.com/277f20acfb21cea8c41a8db164713063.png
  25. Like
    go558a83nk reacted to Nummer1 in My review   ...
    It has been a few months since I've last used this VPN, but my experience was great. This VPN might look complicated, but it's really not, and you won't regret getting it.
    Even back a few months it was awesome, probably my favourite out of the ones I've used. Great VPN.