go558a83nk

Hello!
 
We're very glad to announce that we support the TorProject Open Observatory of Network Interference:
https://ooni.torproject.org

Our support includes, since July 2015 up to June 2016, monetary funding to aid project financial sustainability. See also https://airvpn.org/mission

Furthermore, we are sponsoring an important OONI event, Adina15 hackathon, which will be held in Rome on October the 1st and 2nd, 2015.
https://ooni.torproject.org/event/adina15
 
We'll be gladly providing all the awards and prizes to participants and winners of the Adina15 event.

Members of the AirVPN team will attend the event.
 
EDIT 27-SEP-15 - Only today it has been announced that the Adina15 hackathon event has been postponed to unknown date. https://lists.torproject.org/pipermail/ooni-dev/2015-September/000340.html
This decision is obviously outside our control (we sponsor the event, we have no role in its organization) and we regret it very much.

Kind regards and datalove
AirVPN Staff

If you don't understand things just rank the servers by stars (more stars are better) and connect to those servers.

If you don't understand things just rank the servers by stars (more stars are better) and connect to those servers.

With a fast internet connection and tools like Masscan, it only takes anywhere from a few minutes to a few hours to scan the entire internet for open ports.

This means that you can expect every port that's open to the internet to see some unexpected traffic rather sooner than later. That, in itself, is nothing to worry about unless you're running vulnerable services or weak authentication.
You might have picked a port especially interesting to some scanners, which may explain why you haven't seen such activity on your other ports (yet).

The connection attempt you saw is not related to APNIC, they are just the registry for that block of IPs.
Here's the actual whois info for your IP:

netname: UNICOM-BJ
descr: China Unicom Beijing province network

Some trivia: Besides the private bulletin board on port 443 (~ 20.000 registered users), the Linux server at IP 221.220.155.170 runs a number of other services: SSH, FTP, VNC, Telnet, and a Synology web interface. Looks like someone's personal server to me, or perhaps a server shared by a number of people. The FTP server greets you with a somewhat amusing message:
220 PLS DISCONNECT IF U HAVE NO IDEA WHERE U R AT!
 

Hello!

We're very glad to inform you that a new Eddie Air client version has been released: 2.10.

2.10 version is compatible with several Linux distributions. For very important notes about environments, please read here: https://airvpn.org/forum/35-client-software-platforms-environments
 
Integration with Windows 10 has been greatly improved as well.
 
Eddie 2.10 includes important bug fixes and changes meeting users' requests and preferences.
Please read the changelog: https://airvpn.org/services/changelog.php?software=client&format=html

Upgrade is strongly recommended.

Just like previous version 2.9, Eddie implements direct Tor support for OpenVPN over Tor connections. Eddie makes OpenVPN over Tor easily available to Linux and OS X users: no needs for Virtual Machines, middle boxes or other special configurations. Windows users will find a more friendly approach as well. This mode is not handled anymore as a generic connection to a socks proxy, but it is specifically designed for Tor and therefore solves multiple issues, especially in Linux and OS X, including the "infinite routing loop" problem (see for example http://tor.stackexchange.com/questions/1232/me-tor-vpn-how/1235#1235 )

As far as we know, Eddie is the first and currently the only OpenVPN wrapper that natively allows OpenVPN over Tor connections for multiple Operating Systems. https://airvpn.org/tor

We recommend that you upgrade Eddie as soon as possible.

Eddie 2.10 for GNU Linux can be downloaded here: https://airvpn.org/linux
Eddie 2.10 for Windows can be downloaded here: https://airvpn.org/windows
Eddie 2.10 for OS X Mavericks and Yosemite only can be downloaded here: https://airvpn.org/macosx

PLEASE NOTE: Eddie 2.10 package includes an OpenVPN version re-compiled by us from OpenVPN 2.3.8 source code with OpenSSL 1.0.2d for security reasons and to fix this bug: https://community.openvpn.net/openvpn/ticket/328

Eddie overview is available here: https://airvpn.org/software
Eddie includes a Network Lock feature: https://airvpn.org/faq/software_lock
Eddie 2.10.x is free and open source software released under GPLv3. GitHub repository https://github.com/AirVPN/airvpn-client


Kind regards & datalove
AirVPN Staff

https://github.com/RMerl/asuswrt-merlin/wiki
 
for openvpn the main improvement merlin has is policy routing.  this is what you are asking about in the previous post.

A very odd conclusion on the basis of what you have reported... On the contrary, all the leaks up to now confirm that NSA is not able to crack ciphers currently used by our service. That's exactly why they need backdoors or directly the keys. If you further read between the lines you'll also see what tremendous effort is putting NSA to bypass encryption, never to crack encryption directly, except for very special cases with very specific ciphers. They know the math very well.
 
Kind regards

I wouldn't feel too comfortable about available VPN standards in providing solid defences against anything more than low level to perhaps intermediate adversaries.
 
Why?
 
Here's Schneier's views on AES-256 for example (used in AirVPN) - probably not crackable, but it is the implementation of the protocols and so on that poses the actual risk. That is, advanced attackers don't break the crypto, they focus on weak-points, key leakages and so on:
 
​

Heard of Bullrun or Scarlet Fever? The spooks can already crack SSL/TLS traffic including VPNs for certain targets, presumably due to how it is implemented:
 
​

Other relevant attacks directed against VPNs include (by NSA codename): Gallantwave, Turmoil/Apex, Longhaul, Valiantsurf, Malibu, Poisennut, and SPIN9.

So yeah, running a VPN by itself ain't gonna do squat, if they are really interested. If you don't believe me, then read this from Der Spiegel:
 
​

Out of interest, why do we trust RSA either? See below - they have some explaining to do:
 
​

Experts also think successful attacks have been made against RC4, and that the NSA may be able to crack 1024-bit RSA keys....

 
​
​All of these factors are why I don't ever pretend that sitting behind a VPN is any good against the government minders, except to keep out script kiddies, Kali Linux wannabe hackers, and to stop some basic profiling/tracking by corporates.

Facebook has a Darknet address. So you should be able to register a new account while using Tor. I have not tried this tho.
 
https://facebookcorewwwi.onion/

This is a reliable way indeed, but it should not be up to the VPN provider to decide whether to block it or not.
I don't plan to use it on my network so I blocked it globally, but every user should decide on his own.
Those leaks sometimes bypass the entire VPN network entirely, so their work will not be enough.
 
I wonder what such providers will do in order to prevent DNS leaks. Block the entire udp/53 port on all servers?
This is not a good approach.

for this I use the extension for firefox called location guard.  I use its fixed location function and place that in the city where the VPN server is.

Perhaps a possible explanation is a VPN using a Data Channel cipher such as 128 bit BF-CBC, while Air uses AES-256-CBC. Since BF-CBC 128 requires less computational power than AES-256 (except during re-keying, that's slower with Blowfish) the resulting performance difference with consumers' routers CPUs can be significant. We have not implemented BF for some security concerns (a class of keys is particularly weak, 64 bit blocks are used - which can be a potential problem for users exchanging in a VPN big amounts of data - >32 GB in one session, not unusual with several customers of our) and Schneier himself (Blowfish creator) eight years ago recommended to not use Blowfish anymore.
 
See also http://crypto.stackexchange.com/questions/1098/is-blowfish-strong-enough-for-vpn-encryption (in particular, answer by "poncho").
 
Kind regards

Hello,
 
thank you for your question which provides us with an additional opportunity to clarify our rules and, once again, our mission.
We confirm that we do not monitor online activities of our OpenVPN clients and that we do not inspect traffic. However, it's perfectly possible to verify some infringements of our ToS without monitoring activities and without inspecting traffic.

Just two trivial examples to make it clear.

1) A customer runs a web site or an FTP server behind one of our VPN servers which infringes, or aids or abets infringement of, human rights as enshrined in the ECHR. A human rights defending organization or a jurisdictionally competent authority warns us or one of our providers about the infringement. We proceed, on the Internet (no connection to VPN servers required), to verify the claim and if we see that the claim of the infringement is correct, at our sole discretion, we start a procedure for violation of our ToS.

2) A customer runs a web site behind one of our VPN servers which surreptitiously tries to inject malware. We receive a complaint for that and we proceed as above.

It must be clear that we are configured as a mere conduit of information as providers of a service in the Information Society according to Directive 2000/31/EC (see below articles 12, 14 and 15).
 
When our service can be assimilated to "hosting" (this is possible due to remote port forwarding), an essential requisite to have exemption of liability for infringements perpetrated by users of our service, is acting "expeditiously" to put an end to an infringement when we are notified about it.
 
While a "notification" can be interpreted as an official notification by a jurisdictionally competent authority only, in cases of alleged infringements of human rights, malware injections, phishing services aimed to catch fraudulently personal data,, and services aiding or abetting infringements of human rights (including the fundamental right to privacy), we proceed to check claims even if they come from private entities, when such entities have (at our sole discretion) a good reputation and/or can provide (at our sole discretion) substantial proof. The general reasons for which we are willing to extend scope of article 14.3, even when we are not legally bound to do so:
 
a quick intervention can be essential when human rights are at stake and other critical activities are being performed a lack of intervention and/or a delayed intervention may imply a betrayal of our mission and/or cause substantial damage to human beings and/or harm safety of a human being
  Article 12
"Mere conduit"
1. Where an information society service is provided that consists of the transmission in a communication network of information provided by a recipient of the service, or the provision of access to a communication network, Member States shall ensure that the service provider is not liable for the information transmitted, on condition that the provider:
(a) does not initiate the transmission;
( does not select the receiver of the transmission; and
© does not select or modify the information contained in the transmission.
2. The acts of transmission and of provision of access referred to in paragraph 1 include the automatic, intermediate and transient storage of the information transmitted in so far as this takes place for the sole purpose of carrying out the transmission in the communication network, and provided that the information is not stored for any period longer than is reasonably necessary for the transmission.
3. This Article shall not affect the possibility for a court or administrative authority, in accordance with Member States' legal systems, of requiring the service provider to terminate or prevent an infringement.
 
Article 14
Hosting
1. Where an information society service is provided that consists of the storage of information provided by a recipient of the service, Member States shall ensure that the service provider is not liable for the information stored at the request of a recipient of the service, on condition that:
(a) the provider does not have actual knowledge of illegal activity or information and, as regards claims for damages, is not aware of facts or circumstances from which the illegal activity or information is apparent; or
( the provider, upon obtaining such knowledge or awareness, acts expeditiously to remove or to disable access to the information.
2. Paragraph 1 shall not apply when the recipient of the service is acting under the authority or the control of the provider.
3. This Article shall not affect the possibility for a court or administrative authority, in accordance with Member States' legal systems, of requiring the service provider to terminate or prevent an infringement, nor does it affect the possibility for Member States of establishing procedures governing the removal or disabling of access to information.
 
Article 15
No general obligation to monitor
1. Member States shall not impose a general obligation on providers, when providing the services covered by Articles 12, 13 and 14, to monitor the information which they transmit or store, nor a general obligation actively to seek facts or circumstances indicating illegal activity.
2. Member States may establish obligations for information society service providers promptly to inform the competent public authorities of alleged illegal activities undertaken or information provided by recipients of their service or obligations to communicate to the competent authorities, at their request, information enabling the identification of recipients of their service with whom they have storage agreements.
Kind regards
 

UPDATE 24-JUL-15: SERVER WILL BE WITHDRAWN
 
Hello!

We're very glad to inform you that a new 200 Mbit/s server located in the Republic of Korea (South Korea) is available:  Dsiban.
 
The AirVPN client will show automatically the new server, while if you use the OpenVPN client you can generate all the files to access them through our configuration/certificates/key generator (menu "Client Area"->"Config generator").

The server accepts connections on ports 53, 80, 443, 2018 UDP and TCP.

Just like every other Air server, Dsiban supports OpenVPN over SSL and OpenVPN over SSH.

As usual no traffic limits, no logs, no discrimination on protocols and hardened security against various attacks with separate entry and exit-IP addresses.
 
Do not hesitate to contact us for any information or issue.

Kind regards and datalove
AirVPN Team

https is a joke?

Of those I've been a customer of Air and PIA.  I typically use my router for VPN but when I've used apps on my windows 7 machine I've had more trouble with Air leaking DNS than with PIA's app.  PIA has a DNS leak protection switch that works perfectly every time that I've used it.
 
Edit: if you're talking about WebRTC leak then you should make another column.  DNS leaks and WebRTC protection are completely and totally different.
 
Edit2: you make negative remarks for the use of google DNS and yet you're using a google doc spreadsheet and have a gmail address.

It wasn't long ago when the only thing you got after signing up with any vpn provider was config files.
Client side security was the responsibility of the user.
 
-grr @ the push button generation.

I would encourage you to switch to the latest Merlin firmware.  However, when you do it you MUST do a factory reset of the router coming from the stock firmware.
 
http://www.snbforums.com/forums/asuswrt-merlin.42/
 
latest is 378.54_2

Hello!

We're very glad to inform you that a new 1 Gbit/s server located in Phoenix, AZ (USA) is available: Peacock.
 
The AirVPN client will show automatically the new server, while if you use the OpenVPN client you can generate all the files to access them through our configuration/certificates/key generator (menu "Client Area"->"Config generator").
 
The server accept connections on ports 53, 80, 443, 2018 UDP and TCP.
 
Just like every other Air server, Peacock supports OpenVPN over SSL and OpenVPN over SSH.

As usual no traffic limits, no logs, no discrimination on protocols and hardened security against various attacks with separate entry and exit-IP addresses.

Do not hesitate to contact us for any information or issue.

Kind regards and datalove
AirVPN Team

You guys have some serious issue with bandwidth costs
Last time I checked, the only provider with reasonable prices in AU was Exigent,
http://www.exigent.com.au/premium-dedicated-servers
 
Where you get only 1TB of b/w included with all servers, and in AU it's considered "alot".
An extra 10TB will cost additional $560, now think that Air will probably need 100TB...
 
I don't think it's going to happen anytime soon...
 
 
P.S.
Cloudflare posted a nice article about this some time ago:
https://blog.cloudflare.com/the-relative-cost-of-bandwidth-around-the-world/
 

My thoughts:
 
That **** uTorrent is leaky as hell (for example it doesn't respect proxy settings) and the devs have no ethics. Get the latest version of qBittorrent and stick to it. It's light, open source and has good privacy options. 
 
Disable UPnP and NAT-PMP in the options. 
 
Set maximum peers to 1250 global and 250 per torrent.
 
Set the download port to one you have forwarded via Air's client area. Do NOT open the port on your router.
 
If you're paranoid you can also set qBittorrent to anonymous mode which prevents incoming connections and changes the client ID. That could (but might not) limit your speeds somewhat. 
 
Set Eddie (Air's client) to automatically apply network lock, and then once you're connected to an Air server open qBittorrent. Go to advanced in the options and bind qBittorrent to the tun0 interface (might be different in Windows). That will mean only the VPN can be used by qBt. An extra safety net if you will.
 
You can keep DHT enabled provided you're behind the VPN and running qBittorrent.
 
You'll be fine after that. Air is safe.

Hello!

We're very glad to inform you that a new 1 Gbit/s server located in Philadelphia, PA (USA) is available: Metallah.
 
The AirVPN client will show automatically the new server, while if you use the OpenVPN client you can generate all the files to access them through our configuration/certificates/key generator (menu "Client Area"->"Config generator").
 
The server accept connections on ports 53, 80, 443, 2018 UDP and TCP.
 
Just like every other Air server, Metallah supports OpenVPN over SSL and OpenVPN over SSH.

As usual no traffic limits, no logs, no discrimination on protocols and hardened security against various attacks with separate entry and exit-IP addresses.

Do not hesitate to contact us for any information or issue.

Kind regards and datalove
AirVPN Team
 

There is a very popular script called PHP looking glass,
https://github.com/telephone/LookingGlass
 
Demo:
http://lg.iamtelephone.com/
 
it can be nice to have it available on every server, within the status page or just https://servername.airvpn.org
 
Lots of useful network troubleshooting can be done with it.

But maybe you are right and my text is indeed misleading. I've edited my post and added a warning.

Hello,
 
different world visions. We have enough consideration for our customers to firmly believe that they can understand that a program that's not running can not do anything, even less can it reply to incoming packets. Writing that a program that's not running can't run until it is run is somehow insulting.
 
Of course momentary lapse of reasons are always possible but just like in your case they will be spotted soon and they will be functional to inner growth.
 
Kind regards