go558a83nk

Reputation Activity

  1. Like
    go558a83nk reacted to neverfox in Port forwarding not working anymore   ...
    False alarm. The daemon that was connecting on that port had apparently died (and since the port check only succeeds if your configured application is using the port, the check failed).
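The point above, that a remote port check only succeeds while some process is actually accepting on the forwarded port, can be reproduced locally. What follows is an added example, not code from the thread or from AirVPN: a stand-in listener on 127.0.0.1 (a real daemon would bind to the VPN interface address) and a checker that tells "open" apart from "refused" (host reachable, nothing listening, the case in the post) and "filtered" (no answer before the timeout, so something in the path drops the SYN). Host, port and timeout values are assumptions.

```python
import socket
import threading


class FakeDaemon:
    """Stand-in for the application that should be accepting on the forwarded port.

    Binds to an ephemeral localhost port (port=0) so the example needs no real
    forwarded port; a real daemon would bind to the VPN interface address.
    """

    def __init__(self, host="127.0.0.1", port=0):
        self.sock = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
        self.sock.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
        self.sock.bind((host, port))
        self.sock.listen(5)
        self.sock.settimeout(0.2)          # lets the accept loop notice stop()
        self.host, self.port = self.sock.getsockname()[:2]
        self._stop = threading.Event()
        self._thread = threading.Thread(target=self._serve, daemon=True)
        self._thread.start()

    def _serve(self):
        while not self._stop.is_set():
            try:
                conn, _ = self.sock.accept()
                conn.close()                # accept and drop, like a quick probe
            except socket.timeout:
                continue
            except OSError:
                break
        self.sock.close()

    def stop(self):
        """Simulate the daemon dying: stop accepting and release the port."""
        self._stop.set()
        self._thread.join()


def check_forward(host, port, timeout=1.0):
    """Probe host:port the way an external port checker does.

    Returns "open" if a TCP handshake completes, "refused" if the host answers
    with RST (reachable, but nothing is listening), "filtered" if nothing comes
    back before the timeout (firewall/NAT dropping the SYN), or "error".
    """
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return "open"
    except ConnectionRefusedError:
        return "refused"
    except socket.timeout:
        return "filtered"
    except OSError:
        return "error"


if __name__ == "__main__":
    daemon = FakeDaemon()
    print("daemon running:", check_forward(daemon.host, daemon.port))   # open
    daemon.stop()
    print("daemon dead:   ", check_forward(daemon.host, daemon.port))   # refused
```

A "refused" result from the VPN exit address means the server-side forward and your firewall are passing the packet and the application itself is not listening; "filtered" points at the path (network lock, router, or a forward not actually configured) instead.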
  2. Like
    go558a83nk reacted to zqwvyx in Bypass VPN for specific domain names (Netflix, Hulu) via custom configuration in OpenVPN (Tomato, DD-WRT,router)   ...
    I wrote a quick Lua script that parses the address ranges from ipinfo.io and converts them to OpenVPN routes. Here's a link to the code: http://bit.ly/2Gu8Q2Y
    Here's a list of routes that covers all the current Netflix ranges: https://pastebin.com/raw/zRyv6KDj
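The same conversion can be done without Lua. The following is an added example, not the linked script and not the Netflix list: it pulls IPv4 CIDR blocks out of free-form text, merges overlapping or adjacent blocks, and emits OpenVPN route lines that send those destinations to net_gateway, OpenVPN's keyword for the default gateway the machine had before the tunnel came up. The sample ranges are constructed documentation prefixes, not real Netflix addresses.

```python
import ipaddress
import re

# Constructed sample, not Netflix's real ranges: two overlapping blocks, two
# adjacent blocks, an IPv6 block (skipped) and a malformed token (skipped).
SAMPLE_RANGES = """
198.51.100.0/24
198.51.100.128/25
203.0.113.0/25
203.0.113.128/25
2001:db8::/32
999.1.1.1/24
"""

_CIDR_RE = re.compile(r"\b(\d{1,3}(?:\.\d{1,3}){3}/\d{1,2})\b")


def extract_ipv4_networks(text):
    """Pull valid IPv4 CIDR blocks out of free-form text, ignoring anything else."""
    nets = []
    for token in _CIDR_RE.findall(text):
        try:
            nets.append(ipaddress.IPv4Network(token, strict=False))  # normalise host bits
        except ValueError:
            continue  # e.g. an octet above 255 or a prefix above /32
    return nets


def build_bypass_routes(text, gateway="net_gateway"):
    """Return OpenVPN 'route' lines that exclude the given blocks from the tunnel.

    Overlapping and adjacent blocks are collapsed first so the client installs
    the minimum number of routes.
    """
    collapsed = ipaddress.collapse_addresses(extract_ipv4_networks(text))
    return [f"route {n.network_address} {n.netmask} {gateway}" for n in collapsed]


if __name__ == "__main__":
    for line in build_bypass_routes(SAMPLE_RANGES):
        print(line)
```

Append the generated lines to the client .ovpn (or the router's custom configuration box). Because net_gateway is resolved when the tunnel comes up, the lines coexist with redirect-gateway def1; keep in mind that traffic to those destinations then leaves with your ISP address, which is the whole point here but is a leak for anything else.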
  3. Like
    go558a83nk reacted to Staff in Rebuttal of article "Don't use VPN services."   ...
    Hello!
     
    DISCLAIMER: this post has been written by an AirVPN co-founder (Paolo) and merges the information and the points of view elaborated by the Air founders in more than seven years. Other Air VPN staff members might add additional comments in the future.
     
    We have been asked via Twitter to reply to the following post:
    https://gist.github.com/joepie91/5a9909939e6ce7d09e29
     
    We see that the issues raised by the aforementioned article may be of general interest, so we have decided to post a detailed rebuttal here, meant to fix the remarkable amount of technical misunderstandings and errors which have led the writer to astonishingly wrong conclusions and worrying generalizations.
     
    The rebuttal is based on AirVPN only; we cannot and we do not want to write in the name of any other service, since most of the considerations you will read here may or may not (and sometimes we know that they will not) apply to other "VPN services". Anyway, it is our right to reply as if the writer were talking about us too, because he/she repeatedly claims that ALL VPN services act in the same way.

     
     
     
    A "VPN in this sense" is NOT a proxy. Our service encrypts and tunnels all of the client system's TCP and UDP traffic to and from the VPN server. Moreover, our service, when used with our free and open source software, also takes additional steps to prevent traffic leaks outside the VPN tunnel.
     
    A proxy tunnels (and not necessarily encrypts) only TCP traffic (proxies cannot support UDP), and only the traffic of those applications which are configured to connect to a proxy. UDP traffic, system traffic and traffic of applications which may be started by the system and that you failed to configure (or that you can't even configure in Windows, in some cases) are not necessarily tunneled to the proxy. Not even your system DNS queries are necessarily tunneled over the proxy.

     
     
    If we were really interested in logging our clients' traffic, we would not allow connections to and from Tor, proxies and other VPNs. We have always made very clear how to bypass the problem of "trust us" when you can't really afford to do that, and our answer has always been "partition of trust". Please see for example our post dated March 2012 (!) about it:
    https://airvpn.org/topic/54-using-airvpn-over-tor/?do=findComment&comment=1745

     
    There's more. We work under a legal framework where the safe harbors for the mere conduits are very rigidly and clearly defined (specifically, by the 2000/31/EC, the E-Commerce Directive, articles 12, 13, 14 and 15).
    https://eur-lex.europa.eu/legal-content/en/ALL/?uri=CELEX:32000L0031
     
    The liability exemption for the mere conduit status would not exist if we were not mere conduits. If we inspected traffic and/or modified traffic (e.g. through content injection) and/or selected source and destination of the communications, we would not be mere conduits and we would lose the legal protection on liability exemptions.

    We have also two decisions of the Court of Justice of the European Union which clearly define indiscriminate data retention as infringing the fundamental rights of the citizens of the EU:
    https://curia.europa.eu/jcms/upload/docs/application/pdf/2014-04/cp140054en.pdf
    https://curia.europa.eu/jcms/upload/docs/application/pdf/2016-12/cp160145en.pdf
     
    Therefore:
    - under a legal point of view, logging and/or monitoring and/or inspecting and/or modifying the content of our customers' traffic without the customers' explicit and written consent would be a criminal infringement, also subject to civil prosecution by the customers themselves
    - under a business point of view, that would be simply suicidal (more on this later)
     
    It is enigmatic how the writer can make such claims.
     
    We charge less than 10 USD per month for our services and we can pay a whole legal firm, 250 servers (physical, bare metal servers), the whole staff, including a tiny team of programmers. We also regularly donate money to organizations and projects whose activities are compatible with AirVPN mission.
    https://airvpn.org/mission
    https://airvpn.org/status
     
    We're not here only for the money, but if the writer wants to talk about money, so be it. He/she may rest assured that we have planned seriously a business model which remains robust if not rock solid.
     
    It is obvious that we must keep our business model solid, because our infrastructure has become large and we have duties toward the people working with us and toward our customers. At the same time we never forget that our customers have transformed into reality the dream to build a rather big project based on and aimed at privacy protection in a time when the whole world was going in the opposite direction. Changing direction now and pointing to a business based on privacy infringements and personal data commerce would not only betray our beliefs, mission and customers, but we would become a goldfish in an ocean of sharks; we could not even think to compete.
     
    After 7 years, we have the right and knowledge to claim that a privacy protection mission is not incompatible with the price the writer mentions and with a strictly agnostic network where no traffic inspection or monitoring is enforced.
     
    We can also claim confidently that any business plan based on data protection and privacy infringements not declared in the terms of service would crash dramatically in the short-term in the EU: remember the legal framework we live in and feel free to do your own research on real cases and incidents in the recent past.
     
    Last but not least, please do your own math and compute the costs to store and "hand a customer traffic data over": they imply the costs of losing the mere conduit status, added to the costs of civil lawsuits from that and potentially tens of thousands of other customers. Then compare them to the "costs" (in reality benefits) of no monitoring at all, added to the peace of mind of strictly acting in a legal/lawful way.
     
    Given all of the above, you can easily discern that the quoted assumption is false for AirVPN. The logical, unavoidable conclusion is that AirVPN's best interest, even under a purely cynical, business point of view, is to NOT log (in the most extensive sense of the term) customers' traffic and not to trade their data.
     
     
    This is partially, only partially, true. HideMyAss was really at risk of going out of the serious privacy protection business soon after the incident occurred: check the massive uproar caused by the event. The AVG acquisition, with the disruptive marketing power of AVG, has probably covered the issue, but the old HideMyAss management hurried to sell the whole Privax company. Who knows, maybe just in time, maybe before the value could be hit too seriously by the incident. We can't know for sure, and the writer can't either. Anyway, if the writer wants to claim that marketing is powerful, we agree (what a discovery!).
     
    The logical jump from HMA incident to the assumption that every service does what HMA did is long. Do not forget that what HMA did would pose a huge amount of legal problems to us, as explained.
     
    HideMyAss targeted the same persons who are happily using the new Facebook VPN. We respect the intelligence of our customers and we don't have the arrogance to think that we can change people's minds and competence all over the world in a few years (or ever), and we don't even think that we can oppose the marketing power. More importantly, that's a problem pertaining to HideMyAss. It is not only unfair, but even defamatory to surreptitiously imply that the behavior (good or bad) of certain services is the same behavior of any other service, in the same field or not.
     
    We have been providing AirVPN services since 2011, when we offered the service as a beta version totally free. Now we challenge the writer of the article to provide any single proof that any single user identity has been compromised by us through a betrayal of our terms of service and our mission and/or through traffic logging or inspection and/or by any infringement of the EU legal framework on privacy and personal data protection. 
     
     
    False. We provide our users with any tool to never make their "real" IP address appear to our servers. We have also integrated AirVPN over HTTP proxy, AirVPN over SOCKS proxy, and AirVPN over Tor usage in our free and open source software. We don't even block connections from competitor VPN servers. Finally, we accept not only Bitcoin, but Monero and ZCash as well, which are designed to provide a robust anonymity layer on the transactions.
     
    If you really don't trust us, you can easily make your IP address never visible to our servers.
     
    This is particularly important even if you trust us, but you can't afford (for the sensitivity of the data you need to transmit, for example) to assume that our servers are not monitored by hostile entities, an event that can happen with ANY service, not only VPN services. The fact that we have made every human effort to provide effective and easily usable protections against such occurrences is a proof of our interest in the protection of our customers' privacy.

     
     
    This is ambiguous, because we would need the writer to define security scope and context exactly. Is he/she referring to integrity and security of data between your node and our servers? Or security of your system? Surely, our service is not meant as a security tool to protect against viruses and spyware, and this is clearly stated at the very beginning of our Terms of Service. AirVPN can't do anything if your system is compromised.
     
    However, the above does not imply in any way that our service is a glorified proxy. See the reasons we mentioned above and verify how a loose security mention does not change anything. Additionally, while OpenVPN is the core of our service, it is complemented by an important series of features aimed to protect privacy and data in all of those cases which OpenVPN alone has not been designed for.
     
    Even if you don't run our free and open source software, we and our community have made every effort to provide guides and insights on how to get the most from our service to integrate it in a comprehensive environment aimed to protect your data and identity. We are very grateful to our community for the invaluable contributions throughout the years.
     
    If we were a "malicious VPN provider", does the writer really think that we would have allowed our forums to become a golden source of information for privacy, identity and data protection? Do you really think that we would have provided monetary support to TorProject, OpenBSD, European Digital Rights, Tor infrastructure, etc. etc.?

     
     
    A part of this has been widely rebutted in our previous reply. Here it will be sufficient to add that even if you don't use end-to-end encryption, even if you don't use Tor on top of an AirVPN connection, a MITM who sniffs the packets in any point between the VPN server and the final destination (including the final destination itself of course) will see those packets coming from the VPN server exit-IP address, NOT from your real IP address and NOT from the entry-IP address of the VPN server you connect to. This is a paramount point which is incompetently (intentionally?) ignored by the writer. It is so important that in some extreme cases it makes the difference between imprisonment and freedom, or even between life and death.
     
    Imagine the case of a whistleblower giving out relevant information via VoIP or other applications relying on UDP to a self-proclaimed journalist who then betrays the confidentiality of the source, or even to a serious journalist who is unaware of the fact that his/her computer is compromised, or that his/her line is wiretapped. The whistleblower can't use a proxy reliably. The journalist, or the wiretapping entity, can trace the source IP address and the identity of the whistleblower can be disclosed (just to make a trivial example which does not require any wiretapping or compromised system, think of the Skype exploit, for which any party could discover the IP address of the other party). In most of these cases, end-to-end encryption would have been irrelevant for the whistleblower.
     
    Whenever the source can't trust the destination integrity, whether the recipient is in good faith or not, our service makes a vital difference.

     
     
    True. We have never said or written the contrary. In addition to changing IP address, which is anyway important in spite of the writer's claims, further steps are strictly necessary to prevent profiling, from "separation of identities" to script blocking, from browser fingerprint changes to system settings obfuscation. Our community has widely covered this issue and provided precious suggestions.
     
    Here the writer makes a totally irrational shift: first he/she wants to make you think that our service is just a "glorified proxy", then he/she wants to insinuate that our service is useless because it is not some sort of supernatural system capable of protecting users from their own behavior and from every possible tracking system which exploits the user system, not the service.


     
     
    The first case is true, and it is very important.
     
    However, it is totally false that you can safely rely on a proxy for the second case purpose. Many applications, including torrent software, can:
    - bind to the physical network interface, or do some dangerous UPnP
    - use UDP (not supported by a proxy)
    - send DNS queries out of the proxy
    - include the assigned "real" IP address inside their layer of communications, example: https://blog.torproject.org/bittorrent-over-tor-isnt-good-idea
    In the aforementioned cases, correct usage of our service will fulfill the purpose to never disclose your real IP address and/or the UDP traffic and/or the DNS queries. A proxy will not, and you can potentially be tracked back, either by copyright trolls or any hostile entity.
     
    Additionally, our service has many more use cases:
    - tunneling UDP traffic (not available with a proxy or Tor)
    - circumventing censorship based on IP address blocks
    - circumventing censorship based on DNS poisoning
    - preventing injection of forged packets (not necessarily available with a proxy even in TCP, and surely not when you need UDP flow integrity)
    - using Tor anyway when Tor usage is blocked or triggers the interest of your ISP or any hostile entity about you
    - protecting your identity when the final recipient of your communications is compromised (not available with end-to-end encryption alone, and not available with Tor when you need UDP; imagine if you need to stream a video in real time which requires source identity protection)
    - making your services (web sites, torrent clients, FTP servers for example) reachable from the Internet when your ISP does not allow port forwarding (not available with a proxy), without exposing your IP address
    - having a static exit-IP address
    - bypassing various types of traffic shaping
    - tunneling simultaneously the traffic of all the devices in your local network, even with remote port forwarding, and even those which can't run OpenVPN, provided that you have a device acting as a gateway to the VPN (typical examples: a pfSense box or a DD-WRT / AsusWRT / Merlin / Tomato etc. router, or any computer configured to work as a router)
    and maybe you can see more use cases which we have missed here.
     
    The fact that the writer omitted all of the above says a lot about his/her competence and/or good faith.

     
     
    This is hilarious, and not only because the whole point of the writer's post ends up into advertising LowEndBox.
     
    We will not insult our readers' intelligence with an explanation of why that is a terrible idea when you seek more privacy and some anonymity layer in your interactions with the Internet.
     
    Draw your own conclusions.
     
    Kind regards and datalove
    Paolo
    AirVPN co-founder
  4. Like
    go558a83nk reacted to Staff in Bitcoin accepted directly   ...
    Hello!
     
    We're very glad and proud to announce that from now on we are able to accept Bitcoin directly. Any intermediary acting as a payment processor is no more required.
     
    We feel that  this is an important step, since some payment processors have taken or are taking steps which are not totally privacy friendly. Moreover, cutting out any intermediary is very coherent with Bitcoin spirit and unleashes the potential of the cryptocurrency.
     
    Kind regards and datalove
    AirVPN Staff
  5. Like
    go558a83nk reacted to securvark in How To Set Up pfSense 2.3 for AirVPN   ...
    If you read this, can you please let us know whether you're still using AirVPN?
    I'd use your referral when I need to resub, but only if you're still using it.
     
    Thanks!
  6. Like
    go558a83nk reacted to gabariala in Does AirVPN use 'Perfect Forward Secrecy' in Manual OpenVPN configurations?   ...
    I just wish to reiterate for the second time, I had asked 3 different staff members whether the aforementioned company used PFS outside their app, all of them said no. I just asked another giant VPN provider (censored), not ExpressVPN, a very mountain-like VPN, if they used perfect forward secrecy on Reddit, they replied "No. You need to download the root.der certificate, install that CA and then setup an IKEV2 VPN connection in the OS. Strongswan on Linux or through network manager in windows. OpenVPN and the app use normal VPN standards, 256 bit encryption and RSA2048."
  7. Like
    go558a83nk reacted to NL99 in My impression after a few months   ...
    A few months ago I realized that torrenting with your ISP IP is not a very good idea, so I read some stuff about VPNs. Compared VPN providers and started a trial with one of the big well known providers. Easy to set up, good price, decent speeds and good support... I thought. Lots of positive reviews, must be good. So I tried it for a week. Many many servers in every part of the world... but only a few usable for P2P. Hmm, well, who cares, as long as they are fast. But it turned out that around 40 megabit was the maximum and there are no alternative ports to choose from besides the standard port. So I asked them for support, tips and tricks to get higher speeds. I was told that I should reinstall the client, and otherwise it would be my ISP that is capping some ports. I stopped the trial and started looking for another provider. Someone at a tech forum told me I should try a 3 day Air trial for a euro. Well, why not?
     
    So I installed the client, was happily surprised that I could choose the port and protocol I want to use, did some speed testing, tried some torrents and bam! >225 megabit. So it was possible. Time to get a low-energy consuming torrent PC. Connected both the torrent PC and the desktop to a router that I configured for OpenVPN. Hmm, 10 megabit, something must be going wrong. I read some forums and learned that VPN speed is all about CPU power and you need some decent single core performance, so it's better to turn a PC into a router/firewall and connect your LAN through that tunnel.
    So I bought some new fanless mini-ITX hardware and an Intel dual NIC and installed pfSense, read lots of guides and how-tos, encountered lots of problems, got some help on the AirVPN forum and after a few days - connected! I'm a total noob with networking stuff, so if I can get it working with some help and reading, I'm sure everyone can. My pfSense computer is even behind a non-bridged ISP modem/router but that seems no real problem. I can forward ports for torrents in pfSense and it works. Also have a gigabit wireless router behind the pfSense box so my phone etc. is now behind the VPN as well.
     
    Hardware:
    Intel® Celeron® CPU J3355 @ 2.00GHz
    Current: 2000 MHz, Max: 2001 MHz
    2 CPUs: 1 package(s) x 2 core(s)
    AES-CBC,AES-XTS,AES-GCM,AES-ICM
    Memory usage 5% of 3715 MiB
     
    Speed:
    ISP: max 250 Mbit
    Most speedtests give 200+ while connected through VPN
    Real life test: see screenshot below. Normally somewhere between 20 and 29 megabyte/s if some well-seeded torrents are running. CPU on the pfSense box does 60~65% then.
     
    Thanks AIR


  8. Like
    go558a83nk reacted to NL99 in Recommendations for OpenVPN Router   ...
    I tried pfSense a few weeks ago, and I'm a total noob with networking and firewall stuff. Bought some hardware for a mini-ITX system, an Intel dual NIC card and it took many days of reading and trying to get it working. But now it works like I wanted (that's almost 30 MB/s through VPN for the whole LAN), without fans or moving parts so it's totally silent, small and low-energy consuming.
  9. Like
    go558a83nk reacted to Staff in Alternative for China 2018 (a second VPN)   ...
    Hello!
     
    OpenVPN over SSL works just fine and you don't need anything else.
     
    However, we're also interested in trying to bypass some blocks in UDP, where UDP is not blocked globally, or in TCP without the aid of an additional TLS tunnel.
     
    For such purpose tls-crypt might help. It is now available in Chara and Castor, and will be deployed onto most or all servers in a month or so. We would be glad to receive feedback (not here, only in private tickets) from China or Iran. Please run Eddie 2.14 to support the new feature or properly re-generate the configuration files to test. UPDATE: tls-crypt is now available on all servers, please see next messages in this thread.
     
    Kind regards
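What the switch above looks like in a client profile, as an added example (not AirVPN's generated configuration; ta.key is a placeholder for whatever static key the config generator embeds):

```conf
# Control-channel hardening in an OpenVPN 2.4+ client profile.

# Older: tls-auth authenticates control packets with the static key, but the
# TLS handshake itself stays readable, so DPI can recognise OpenVPN from it.
# The trailing "1" is the client key direction.
# tls-auth ta.key 1

# Newer: tls-crypt encrypts AND authenticates the whole control channel with
# the static key, so no plaintext TLS handshake is visible on the wire and the
# flow is harder to fingerprint. No key-direction argument; tls-auth and
# tls-crypt are mutually exclusive, so only one of the two lines may be present.
tls-crypt ta.key
```

Both peers must use the same directive; a profile generated for tls-auth will not connect to a server expecting tls-crypt, which is why the post asks for regenerated configuration files or Eddie 2.14.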
  10. Like
    go558a83nk got a reaction from atelier23 in New 1 Gbit/s server available (US)   ...
    You must be new to VPNs.  Errors within the several geolocation databases companies like speedtest use are so common.  And it takes time for a change to propagate. 
     
    the server really is in Chicago no matter where speedtest says it is.
  11. Like
    go558a83nk got a reaction from LZ1 in Ports no longer forwarded   ...
    Some people run an openvpn client on their router, etc.  In that case, ports do need to be opened on the router.  But, not using the usual port forward which goes from WAN to LAN but with iptables so you can specify TUN to LAN.
     
    When running Eddie on a PC the encrypted tunnel goes from your PC to the VPN server.  Your router only sees the 1 connection your PC and the VPN server communicate on.  Everything happens inside that 1 encrypted connection.  Thus it's called "tunnel".  So, please understand that your router isn't even capable of selectively allowing connections to be established from "outside" through that VPN tunnel because it doesn't even see all the connections happening inside that tunnel.
     
    Anyway, port forwarding is working for thousands of people as I write this.  If it were not so we'd see a LOT more posts about it.
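For the router case described in the post above, the rules look like this. This is an added example, not from the post or from AirVPN's guides, and it assumes a Linux router with iptables, tunnel interface tun0, LAN bridge br0, a torrent client at 192.168.1.50 and forwarded port 51413 (all hypothetical; the real port is the one assigned in the AirVPN client area). The DNAT matches packets arriving on tun0 rather than on the WAN interface, which is exactly what the usual port-forward page of a router UI cannot express.

```sh
#!/bin/sh
# Added example: forward a port that arrives on the VPN tunnel interface of a
# Linux router to a LAN host. Set IPTABLES=echo to print the rules instead of
# applying them (handy for review before touching a live router).

# 1..65535 only
valid_port() {
    case "$1" in ''|*[!0-9]*) return 1 ;; esac
    [ "$1" -ge 1 ] && [ "$1" -le 65535 ]
}

# dotted quad, each octet 0..255 (subshell body so the IFS change cannot leak)
valid_ipv4() (
    case "$1" in ''|*[!0-9.]*|.*|*.|*..*) return 1 ;; esac
    IFS=.
    set -- $1
    [ $# -eq 4 ] || return 1
    for octet in "$@"; do [ "$octet" -le 255 ] || return 1; done
)

# usage: tun_forward TUN_IF LAN_IF LAN_IP PORT [tcp|udp]
tun_forward() {
    tun_if=$1; lan_if=$2; lan_ip=$3; port=$4; proto=${5:-tcp}
    ipt=${IPTABLES:-iptables}

    valid_port "$port" || { echo "bad port: $port" >&2; return 1; }
    valid_ipv4 "$lan_ip" || { echo "bad LAN address: $lan_ip" >&2; return 1; }
    case "$proto" in tcp|udp) ;; *) echo "bad protocol: $proto" >&2; return 1 ;; esac

    # Rewrite the destination of packets that arrive through the tunnel.
    "$ipt" -t nat -A PREROUTING -i "$tun_if" -p "$proto" --dport "$port" \
        -j DNAT --to-destination "$lan_ip:$port"
    # Let the rewritten packets cross from the tunnel to the LAN ...
    "$ipt" -A FORWARD -i "$tun_if" -o "$lan_if" -p "$proto" -d "$lan_ip" --dport "$port" \
        -m conntrack --ctstate NEW,ESTABLISHED,RELATED -j ACCEPT
    # ... and the replies back into the tunnel.
    "$ipt" -A FORWARD -i "$lan_if" -o "$tun_if" \
        -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
}

# A torrent client needs the same port for both protocols.
setup_torrent_forward() {
    tun_forward "$1" "$2" "$3" "$4" tcp && tun_forward "$1" "$2" "$3" "$4" udp
}

# Example invocation with the hypothetical values from the lead-in:
# IPTABLES=echo setup_torrent_forward tun0 br0 192.168.1.50 51413
```

The rules are appended, so they must sit before any generic DROP in FORWARD, and the router's own WAN port-forward page stays empty: nothing on the ISP side should ever see the port.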
  12. Like
    go558a83nk got a reaction from LZ1 in Ports no longer forwarded   ...
    Does any traffic flow to/from utorrent even if port forwarding isn't working?  Or is it completely not working?  You didn't happen to mess with proxy settings or something?
     
    It's probably time to switch to qbittorrent anyway, considering the fact that utorrent is in big trouble for a security vulnerability.
     
    Qbittorrent can be bound to the TAP adapter which is another level of security as you don't have to worry about it trying to make connections outside the VPN tunnel.
  13. Like
    go558a83nk got a reaction from LZ1 in Ports no longer forwarded   ...
    All proper guides on this site say you DO NOT forward ports on your router if you are using AirVPN Eddie on your PC.
  14. Like
    go558a83nk reacted to Staff in Why so many servers in Texas   ...
    On top of all the good arguments already brought on, we would like to add that in Dallas we have a better protection against © trolls and other entities. Any VPN service operating servers in the United States must take into account the cowardliness of datacenter owners who prefer to just shut lines and services than analyzing claims from copyright industry and other entities.
     
    Actually, check our competitors: you will see that even giants like Private Internet Access do not have the guts to allow (just to make an example) p2p protocols in the United States (they re-route outside the USA).
     
    Or think of NordVPN which does not allow p2p at all in servers in the USA, in spite of their promises of Net Neutrality, no traffic discrimination, no traffic monitoring etc.
     
    They do monitor and discriminate traffic to re-route your p2p traffic outside the USA, or to block it altogether. They re-route or ban an entire class of protocols because through a couple of them copyright infringements might be easier.
     
    At the end of the day, please evaluate all the services we provide and all the promises we keep. You will get an explanation about why we focus on carefully picked locations to host our servers instead of basing our business on marketing fluff aimed to gullible people.
     
    Kind regards
  15. Like
    go558a83nk reacted to Shiver Me Whiskers in false advertising   ...
    I'm getting speeds of over 160-180mbps right now.
    I got up to 350mbps on occasion, which is near the max of what my internet line is ( 400mbps )
     
    (Server name censored for privacy reasons)

  16. Like
    go558a83nk got a reaction from Blade Runner in false advertising   ...
    I guess all those people getting great speeds as seen on the status page don't matter.  You're the proof that AirVPN is slow.
  17. Like
    go558a83nk reacted to Fly AirVPN in Why so many servers in Texas   ...
    This might help. It explains the reason Texas is a major data center state in the USA. Texas enacted House Bills to provide data centers with major tax exemptions. PDF is attached for convenience.
     
    Frisco Texas site: friscoedc.com
     
    Site PDF: http://friscoedc.com/sites/default/files/files/SelectUSA-Investors/snapshots_datacenters.pdf
     
  18. Like
    go558a83nk got a reaction from LZ1 in Asus RT-AC86U won't resolve europe.vpn.airdns.org   ...
    1) It's just best to pick a server that works well for you and stick to it, using IP address, not a name.
     
    2) What you're using for DNS servers are not DNS servers.  That's why your name resolution isn't working.
     
    3) If you're not using merlin asus (https://asuswrt.lostrealm.ca/) already I strongly recommend that you do.  You'll have much more control over your openvpn client on the router, including the ability to do policy routing.  It also gives you a choice on how to handle DNS - you can force the use of AirVPN DNS resolver when the tunnel is up or you can disable DNS switching and continue to use the DNS resolver of your choice when the tunnel is up.  The best mix of security, privacy, and ease is to just force the use of AirVPN DNS resolver.
  19. Like
    go558a83nk reacted to litesp33d in Comparisons   ...
    U mad bro? Express and Nord: for f*'s sake, they do not have port forward, give you closed source software and don't care about security, check their config and see.
     
    Express even supports pptp, holy s*
  20. Like
    go558a83nk got a reaction from hawkflights in Multi key support and management available   ...
    Interesting.  The new keys are SHA512, not SHA1.
  21. Like
    go558a83nk got a reaction from zhang888 in IPv6 support - Experimental phase   ...
    Where's everybody who's been begging for IPv6?  Not testing or just not posting here? 
  22. Like
    go558a83nk reacted to Staff in Well ...   ...
    Hello!
     
    Understood. You need to consider the slow adoption of DNSSEC. A remarkable amount of registrars do not offer DNSSEC option, and those who do, do not offer any support for creating and signing DNSSEC keys. See https://www.statdns.com/
     
    This is an executive summary (with the omission of inessential details for the readers) of a brief report elaborated last time we had to assign a priority to DNSSEC support. It was an overview not entering the technical, operational challenges in detail. Such challenges were postponed to when the general benefit-cost ratio were deemed as acceptable when compared to all the other priorities (keep in mind that not only do we not outsource customer support, but obviously we never outsource any management or configuration of our machines).
     
    Pros:
    - obvious: increased reliability of names resolution with the authoritative DNS supporting DNSSEC
    - preventing tampering of resolutions between our DNS server and the authoritative DNS of those names [which are signed] (...) unfortunately a low percentage, as you can see in the charts (...)
    - the increased traffic flow of queries and replies will be 2-4% (...) negligible.
    Challenges:
    - frequent outages of DNSSEC worldwide (see report) will impact user experience. (...) What to do: Google DNS fails with SERVFAIL but: "However, if the impact is significant (e.g. a very popular domain is failing validation), we may temporarily disable validation on the zone until the problem is fixed." (sic, official from Google). How can our resolvers decide properly which domain is "very popular"? How should we disable DNSSEC for an entire zone without making DNSSEC a cause for a false sense of security? (...) Manual intervention will be overwhelming (...) not viable. Carefully configured negative trust anchors, provided they are sufficiently reliable to rule out malicious activity, should be mandatory as long as the outages remain frequent.
    - enlargement of the attack surface (see enclosed Akamai security bulletin), specifically (...) DNS amplification DDoS (...) requires configuration attention and even higher than current analysis of DNS resolver vulnerabilities. "Careful with that axe, Eugene!"
    - re-consider micro-routing in order to preserve it
    Cons:
    - misconfiguration of a significant percentage of DNSSEC (...) can often lead to names resolution failures, impacting user experience: what to do when DNSSEC is active, but not RFC compliant, causing issues to the resolver? A solution should be found for (...)
    - a significant percentage of customers will not be able to understand or discern the fact that we should not be deemed "guilty" for third-party misconfigurations when [users] can't resolve names that they could normally resolve before. A reaction to seriously consider is that DNSSEC could be seen as a degradation of our service quality (...)
    - we should not rely on the hope that suddenly [so many] misconfigured [systems] will all be efficiently fixed.
    Dubious:
    - re-consider anti-ICANN/ICE censorship circumvention with illegally seized domain names etc. in order to not affect the system
    - consider the report from RIPE (...) higher CPU load for names resolutions. While the percentage of DNSSEC-compliant names is little, an impact assessment is probably necessary anyway given the fact that we are already pushing CPUs to provide 1 Gbit/s AES-256 throughput etc. to multiple ovpn clients. (...) Impact on throughput, which is essential to most of our users and a founding basis of a comfortable experience, should maintain the current, high priority. RIPE provides some data (...) about 5% higher CPU load for resolutions. If confirmed, impact on our servers is acceptable if not negligible.
    More data on outages:
    https://ianix.com/pub/dnssec-outages.html
     
    Fringe view (not in the original report):
    https://sockpuppet.org/blog/2015/01/15/against-dnssec/
    https://sockpuppet.org/stuff/dnssec-qa.html
     
     
    and so on. At that time, the DNSSEC issue was given a priority lower than IPv6 deployment, improvement of Eddie, patch of OpenVPN bugs, and many more features you have seen implemented during 2017, because the benefit-cost ratio appeared not as good as other matters which were objectively more urgent.
     
    Please note that the report was elaborated a year ago, so we will re-discuss the matter, of course, because some of the problems might have been mitigated after a year (maybe misconfigurations have been fixed, maybe outages have become rare) AND because after IPv6 deployment we will switch to a (in our opinion) better DNS resolver. We will probably re-schedule the whole matter after IPv6 and DNS resolver deployment.
     
    As a side note, we have received a private question from one of our users which shows a potential confusion, so we underline that the whole DNSSEC issue has nothing to do with the reliability of the DNS queries and replies to and from our DNS servers. Each VPN server runs its own DNS server and all the queries and replies to/from your node are encrypted (tunneled in the VPN), so nobody in the middle (not even your ISP), i.e. between your node and our server, can tamper with them.
     
    Kind regards
  23. Like
    go558a83nk reacted to zhang888 in Make SSH tunneling obfuscated?   ...
    The idea of SSH is not to hide the evidence of its existence, quite the opposite: its idea is to make OpenVPN look like SSH.
    So any modification to SSH behavior will do more bad than good.
  24. Like
    go558a83nk reacted to iwih2gk in Ubuntu Network Lock Deactivated when Eddie Closed   ...
    I would just like to mention that users can proactively protect themselves by closing down via UFW accordingly: I set UFW (frontend for iptables) to permanently deny all outgoing and incoming and disable routed and logging. Now when I initiate Eddie and use network lock, the client handles the new tables temporarily, leaving only tun0 access to the internet. When I reboot the next day I have no internet access UNTIL Eddie, because again UFW has everything blocked. This would handle any circumstance where a non-Eddie connection is attempted. Works without fail on my family machines. I don't use Eddie's network lock on my other machines because I want to manually control any and all connections. Part of why I like this configuration is that "family" cannot connect to the internet without going through Air. Slick and surefire!
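    The baseline described in the post above, written out as an added example (this script is not from the post's author and not AirVPN's code). It assumes ufw is installed, that the tunnel interface is tun0 and that Eddie's network lock layers its own rules on top of this baseline when it connects; none of that is stated on the page beyond what the post says. It also adds a check that reads `ufw status verbose` output so you can confirm the three default policies really are "deny" after a reboot, which is the failure the post relies on never happening.

```shell
#!/bin/sh
# Added example, not code from the original post: set the "deny everything,
# let only the VPN tunnel through" ufw baseline described above, plus a check
# that parses `ufw status verbose` output.
# Assumptions (not stated on the page): ufw is installed, the tunnel interface
# is tun0, and the VPN client adds its own tunnel rules on top of this baseline.
# Run it from a local console: the baseline blocks SSH and every other remote
# session until a tunnel rule is added.

# Execute a command, or just print it when UFW_DRY_RUN=1 (review the rule set
# before touching the firewall).
run() {
    if [ "${UFW_DRY_RUN:-0}" = "1" ]; then
        printf '%s\n' "$*"
    else
        "$@"
    fi
}

# Baseline from the post: deny incoming, outgoing and routed traffic, logging
# off. Nothing leaves the machine until a tunnel rule is added.
ufw_lockdown_baseline() {
    run ufw --force reset
    run ufw default deny incoming
    run ufw default deny outgoing
    run ufw default deny routed
    run ufw logging off
    run ufw --force enable
}

# Allow traffic on the tunnel interface only (what the network lock does on
# connect; handy for testing the baseline without the client). Interface name
# is an argument so the same function serves other tunnel types.
ufw_allow_tunnel() {
    iface="${1:-tun0}"
    run ufw allow out on "$iface" from any to any
    run ufw allow in on "$iface" from any to any
}

# Verify the defaults from `ufw status verbose` text read on stdin.
# Returns 0 only when all three policies are deny, so Ubuntu's stock
# "allow (outgoing)" left over from an earlier setup is caught.
ufw_is_locked_down() {
    grep -q '^Default: deny (incoming), deny (outgoing), deny (routed)$'
}

# Apply for real (as root):  UFW_APPLY=1 sh lockdown.sh
# Preview only:              UFW_APPLY=1 UFW_DRY_RUN=1 sh lockdown.sh
if [ "${UFW_APPLY:-0}" = "1" ]; then
    ufw_lockdown_baseline
    if [ "${UFW_DRY_RUN:-0}" != "1" ]; then
        ufw status verbose | ufw_is_locked_down && echo "lockdown baseline active"
    fi
fi
```

    The `--force reset` step wipes any rules a previous tool left behind, which is the point: a leftover "allow outgoing" default would silently defeat the whole scheme. The check function is the thing to run after every reboot before trusting the machine.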
  25. Like
    go558a83nk reacted to Staff in Multi key support and management available   ...
    Hello!
     
    We're very glad to announce that a new option has been added in your account "Client Area". You will find a menu item labeled "Devices / Keys".
     
    The "Devices / Keys" tab provides you with access to a new panel to administer your client certificate/key pairs. The panel lets you use the new multi-key support from AirVPN, a comfortable and convenient feature. From now on, you will be able to have multiple keys, renew them and issue completely new keys. From each device of yours you will be free to use any key you like.
     
    Therefore you can keep all of your keys under control, administer them and also connect multiple devices to the same server and port by using a different key on each device. Eddie 2.13.6 (current stable release) already implements in the Overview window a menu which will let you choose a key before you start a connection. It will appear automagically when you create a new key from your account control panel.
     
    The Configuration Generator has been modified as well, to let you generate configuration files with the certificate/key pair you wish.
     
    Let's see in detail how to use the "Devices/Keys" options.
    Device Name and Description: this is a free name or description that you can associate with any key for your comfort.
    Columns Type, Creation date, Last renew date and Last VPN connection are informative.
    Renew: this is an action button. When you click it, the corresponding certificate/key pair will be revoked and a new one will be issued.
    Delete: this action button will revoke the corresponding certificate without issuing a new one.
    Add a new key: this action button will create a totally new certificate/key pair, which will be added without revoking or renewing any pre-existing key.
    View history will toggle with View Active to provide you with any relevant information on the history of your actions about keys and the current active list.
    Some caution when using these new features:
    if you revoke or renew a certificate/key which is being used by some connected device, that device will soon be disconnected. In Eddie, you will need to log your account out and then in again to force Eddie to pick a different key (new or old).
    Kind regards and datalove
    AirVPN Staff