go558a83nk

If only users had a gigabit line to leverage… *cries in DSL*

Yeah, in the last few months (since other VPN providers stopped providing port forwarding) the usage of the Dallas servers has gone from negligible to huge.  They certainly could use some attention.

P.S. if you look at Dallas server usage don't trust the "bar" of bandwidth used.  Go into the server page and look at the daily usage charts.  For some reason the Dallas servers often report incorrect instantaneous usage.

New record! 1.02 Gbit/s on Haedus (2.04 Gbit/s on server's side for a single client).

Kind regards





 

been this way for years that some Air servers didn't resolve with that domain pattern but that's the one I always try to use so I forget the "proper" way.  apparently it's superba.airservers.org

No for Qat but IPsec-MB its possible, I go tested that option. Never activated before.
Finally I will be able to answer you 

Better new values of 320 Mb/s in download and 340 Mb/s in upload.

too many USA servers but the servers are busy?  sounds like there aren't enough USA servers then. ;)

Hello!

We're glad to inform you that upgrade of server Haedus in New York City is complete. The server is now connected to a 10 Gbit/s full duplex port and line. The upgrade includes a new board with a more powerful CPU. IPv4 addresses and IPv6 block remain the same.

This improvement completes the infrastructure upgrade in New York City for the summer answering to the increased bandwidth demand in the area.

Kind regards and datalove
AirVPN Staff

Thank you go558a83nk and benfitita

After setting the MTU and MSS I get values of 250 Mb/s in download and 300 Mb/s in upload.

MTU: 1420
MSS: 1420

Good for you

Hello!

We're very glad to inform you that a new 10 Gbit/s (full duplex) server located in Toronto (Canada) is available: Wurren.

The AirVPN client will show automatically the new server; if you use any other OpenVPN or WireGuard client you can generate all the files to access it through our configuration/certificates/key generator (menu "Client Area"->"Config generator"). The server accepts connections on ports 53, 80, 443, 1194, 2018 UDP and TCP for OpenVPN and ports 1637 and 47107 UDP for WireGuard.

Wurren supports OpenVPN over SSL and OpenVPN over SSH, TLS 1.3, OpenVPN tls-crypt and WireGuard.

Full IPv6 support is included as well.

As usual no traffic limits, no logs, no discrimination on protocols and hardened security against various attacks with separate entry and exit-IP addresses and 4096 bit DH key not shared with any other VPN server.

You can check the status as usual in our real time servers monitor:
https://airvpn.org/servers/Wurren

Do not hesitate to contact us for any information or issue.

Kind regards and datalove

too many USA servers but the servers are busy?  sounds like there aren't enough USA servers then. ;)

too many USA servers but the servers are busy?  sounds like there aren't enough USA servers then. ;)

difficult to say but it seemed like CPU load is less with AES than with chacha yet chacha was a little faster.  pfsense and using IPsec-MB

Maybe I'm totally wrong but I feel like the excuses for removing port forwarding (removing bad stuff from flowing through our servers) is just an excuse.  Instead I think that providers don't want to pay for the increased bandwidth usage that allowing port forwarding brings (e.g. torrenting) but they're not willing to admit that because they know their customers would riot.  I get it, costs have risen lately.  But, as the previous poster said, just increase prices for people who want port forwarding then.

it wasn't clear but my comment was in reference to AES-128-GCM being fast with DCO.  and even faster if you have a QAT machine.

@StaffCan you deploy a server in Canada or US for this test-phase?(if possible) 
Reason: Max speed qbit(~60-80MB/s) to Marsic(Mars I see). Need another server to compare speed-wise(etc).
 

This is where AirVPN's superiority becomes overwhelming. From single port randomly assigned per-session to inability to selectively link ports to devices and keys and other missing options (such as remapping), the other services are now lagging fatally behind airvpn.

Excellent job!
Testing OpenVPN + DCO with pfSense 23.05 with IPsec-MB Crypto: Yes (active), on fiber 1000/300. 
 

Did some testing from my pfsense+ box.  So far it works very well.  It's lovely to see all the openvpn work being done in kernel here and 600mbit/s from this great distance seems very respectable. 

Hello!

We're glad to inform you that we have just released:
"Road To OpenVPN 2.6" migration plan - https://airvpn.org/road_to_openvpn26/ A new version of Config Generator with options related to OpenVPN 2.6 A new Eddie Desktop beta release (2.23.0) related to the road above, feature-locked to reach stable release https://airvpn.org/forums/topic/56428-eddie-desktop-223-beta-released/ A new server (Marsic), the first running OpenVPN 2.6 powered by DCO (server-side) and ready for client-side DCO.
Kind regards & datalove
AirVPN Staff
 

@galbeedee

Thank you for your review!

We would like to point out some features of our service that you probably missed according to your review, so that you will be able to use them.
 
You can use per-session WireGuard key, to overcome the questionable design of WireGuard under this respect (WireGuard does not offer dynamic address management at all). It's not very important that your private key is held by you when WireGuard demands that, server side, each public key is linked in files to the VPN IP address and to the public IP address of the client. Therefore, thanks to our design, you are able to use a one session key if necessary. You can renew your key either through the web site or through the API in order to patch this problem. On our side, we actively remove WireGuard entries to public IP addresses when a session is over. We do not understand the link you claim between the key and your browser, feel free to clarify if you wish so.
 
File names of the generated profiles are very descriptive and they reflect community requirements. Community majority currently prefers descriptive file names and wants that the system is not tweaked to accommodate terrible WireGuard design under this respect (WireGuard wants to name the virtual interface with the file name regardless of the system limits). This is an understandable point of view and we will respect it. We will change according to community suggestions. Far from being "best practice", in our opinion, and in the current opinion of the community, that would be the practice to lower a service standard to meet the terrible design of somebody else, something reminding the old, awful but widespread, practice to develop flawed web sites to circumvent Internet Explorer bugs and accommodate its non-W3C compliant dialect. That said, we can of course add some options to make life more comfortable for anyone who should be wearied by the exhausting effort of renaming a set of files. The QR code anyway is already available for Android and iOS (in the Configuration Generator), so you don't need renaming in mobility, just shoot the code from inside wg.
 
This is a key which is necessary when you want an additional encryption layer, and this is a great WireGuard feature. Useful for example in a post-quantum world, when a decent cryptographic algorithm is found (as the wg core has ciphers hard coded by design). Read the WireGuard documentation for more details. Currently pre-shared keys are implemented because a significant part of the community insisted that we got prepared to beat powerful quantum computers, not because we strongly believe that a post-quantum world is imminent. Relevant considerations on the topic can be found here: https://airvpn.org/forums/topic/45608-quantum-computing-and-encryption/?do=findComment&comment=218988 It is anyway considered best practice by various experts to get prepared. Since you mention Mullvad as your opinion of service operating in accordance with best practices, then be informed that pre-shared keys have been recently implemented by them too.
 
We offered this option 13 years ago, well before WireGuard or many other VPN companies even existed. Then they were inspired by our CG. You can pick zip, 7zip, tarball, and compressed tarballs (tar.gz, tar.xz, tar.bz2). You can operate either through the API or web site, as you prefer, to generate and download the package(s) containing the profiles. Note that today the button which would let you select all the servers at once is disabled because of work in progress, but it will be re-enabled very soon.
 
It's a good performance in our infrastructure, but you can improve it (check the top user speed table in the server status page and open a ticket to fine tune WireGuard).

About the infrastructure, in 2009 the industry standard was between 20 and 100 Mbit/s, and we are very careful to offer an excellent balance between price and service quality. Since you mention iVPN as an example to follow, please compare AirVPN prices with theirs. Lupus in fabula, the following message by one of our fans reminds us of the consequences of an unwise investment policy. https://airvpn.org/forums/topic/56425-two-new-1-gbits-servers-available-us/?do=findComment&comment=223857 Remember that AirVPN is the only one offering a rigorous no overselling commitment shown by a transparent and verifiable server monitor, that's why most users enjoy higher throughput than with any competitor, and after all we are pleased to see that you are an unsatisfied customer but with 600 Mbit/s throughput and with some requirements for features that are already available. Criticisms help us improve our service, except when required features are already available, as in that case we can't implement them twice.

Kind regards
 

I have no opinion on the compression method. Just anything standard. tar.gz whatever...

Another thing about WireGuard that I really should not have overlooked. Config gen, gens the private and public key. This is an enormous no no. Perhaps the number one violation of best practice. Either the customer should hand a pubkey to config gen or, as many due, local script does it without the privkey ever leaving your browser.

I am also unsure what the deal with generating a preshared WireGuard key. I have never seen this done anywhere else. It seems like another divergence from best practice of never passing non-pubkeys.
 
It's not really "a small number". There are *zero* in all of North America. No 10G servers in at least the largest US subsea cable points (NY, Seattle, and LA) is just not meeting par.

Ashburn, VA (AWS East) would also be good as it's some ungodly percent of US web in one place. Also with gobs of express paths to subsea cable systems.

1/ 10G servers. What is this 2009..? Nearly all your servers should be 10G by now. I can't get more than 400-600Mbit from the least loaded severs.

2/ The WireGuard files names are *horrible*. WireGuard .conf files should conform to linux interface naming specs as best practice is to name the tunnel interface after the .conf file name.
air-{2 digit country code}-{2 or 3 digit region code}{number}.conf  example: air-us-va4.conf DONE

3/ WireGuard conf download should just give me every server config as a zip file. I can pick which one later.

These are all basic table stakes best practices that many competitors(Mullvad, iVPN, etd) have had for years. 

4/ The port forwarding setup is pretty good. Really no complaints there.

Overall I give AirVPN D+ or C- (Honestly if not for port forwarding there would be no reason at all to choose AirVPN over its competitors)
 

Hello!

DCO must enter a phase where radical changes will not be applied. After that, it must reach a stable release. We will inform you about a new deployment plan which depends on when DCO becomes stable. Check also https://github.com/OpenVPN/ovpn-dco/issues and when the important note on https://github.com/OpenVPN/ovpn-dco is lifted ** NOTE ** ovpn-dco is currently under heavy development, therefore neither its userspace API nor the code itself is considered stable and may change radically over time. Kind regards

 

From https://proton.me/blog/protesters-free-speech, I can see that Proton thinks democracy means freedom. Democracy is a form of government. Government doesn't mean freedom. Government is a form of authority.
The so-called democratic governments demanded information on an activist from proton mail. Proton gave his information to the authorities. The governments worked together to put the activist in prison.
The democratic governments work together to oppress people. A democratic authority is still an authority that oppresses people to varying degrees in different regions. There is no democracy without authority. Kingship is a form of government. Democracy is a form of government. All of them are different forms of authority.
You can choose the left wing or the right wing, but both wings belong to the same bird called authority. I don't like that particular bird.

Proton will probably yield to the demands of democratic governments without resistance again in the future? At least, mullvad resisted governments once and then gave up on port forwarding partially because mullvad chose wrong network providers that do not want port forwarding.

Linking mail with VPN is a big mistake?

If local port is different from external port, then local port is ignored and is made the same as the external port.

I verified it with wireshark. I had to redirect external port to local port on my machine's firewall.

I use wireguard on linux.