
go558a83nk

Members2
  • Content Count

    2093
  • Joined

    ...
  • Last visited

    ...
  • Days Won

    37

Reputation Activity

  1. Like
    go558a83nk reacted to Staff in [ENDED] AirVPN 12th birthday celebrations   ...
    Hello!

    Today we're starting AirVPN twelfth birthday celebrations offering special, strong discounts on longer term plans.
     
    From a two servers service located in a single country providing a handful of Mbit/s, the baby has grown up to a wide infrastructure in 23 countries in four continents, providing now 240,000+ Mbit/s to tens of thousands of people around the world.

    We still define it as a "baby", but AirVPN is now the oldest VPN in the market which never changed ownership, and it's one of the last that still puts ethics well over profit, a philosophy which has been rewarded by customers and users.

    During the last year, AirVPN added important features, even according to customers requests:
      • integrated and full WireGuard support on all VPN servers
      • optional lists selection to block spam, ads, trackers and other malicious sources, featuring a unique and fine grained customization which is exclusive on the nowadays market
      • improved inbound remote port forwarding interface and implementation
    The infrastructure saw a robust power up in Tokyo, where we have now 14000 Mbit/s available (7000 Mbit/s full duplex), with more powerful hardware, and a small addition in Ireland. The VPN servers and the back service ones have had some minor security improvements as well as ordinary system updates as usual. Optimized software, and also WireGuard implementation, allowed our server to deliver high performance more smoothly, thanks to the improved balancing between threads and of course the good WireGuard scalability.
    On the software side, all AirVPN applications and libraries are still free and open source software released under GPLv3. WireGuard has been fully integrated in the Desktop edition of Eddie, while Eddie Android edition will support it in the next version which is imminent (a public alpha release will be ready in June). All the applications are continuously developed and updated to provide an even better experience and performance.
     
    Kind regards and datalove
    AirVPN Staff 
  2. Thanks
    go558a83nk reacted to 7481217113 in No x509 Verification?   ...
    Why is this important?

    This works exactly like your browser when you access a HTTPS website. Say you visit reddit.com, when you enter the URL into your address bar, your browser connects to the Reddit servers which sends a TLS certificate over the wire for reddit.com. Your browser then checks the certificate to see if reddit.com is indeed present in the common name or SANs (subject alternative names), that it is not expired, and that it was signed by a publicly trusted certificate authority (CA). If these conditions are true the website will load. If they are not true then you will be presented with an insecure connection error.

    The OpenVPN client, by default, does NOT verify that the server you are connecting to is the server that you expect it to be (i.e. the hostname you connect to is in the certificate’s common name). The only things it does verify are:

      • The certificate has been issued/signed by the Certificate Authority that is trusted inside the <ca> block in the config
      • The certificate is not expired

    Unless x509 verification is in place, the client will trust ANY server that presents a certificate that was generated by the Certificate Authority as long as it’s not expired. With that in mind, a breach of a single server, regardless of the unique certificate being deployed there, gives the attacker the ability to impersonate ANY other server for that VPN provider.
  3. Like
    go558a83nk reacted to Staff in No x509 Verification?   ...
    Hello!

    WireGuard does not support authentication via certificate at all. OpenVPN does, and we have it implemented of course, but not with specific fields. If we implemented it we would force all of our customers to change certificate every time they change server, which is not a viable solution in most routers and pfSense machines. Totally unacceptable.

    You must also consider that in order to impersonate a server, not only would the attacker need to steal the secret WireGuard key or the various OpenVPN certificate/key pairs, but she would also need to cage the target and hijack route via IP addresses, because the target can not be actively reached (forbidden in OpenVPN settings). Also, DH keys are unique in each VPN server, so the attacker can't even try an impersonation from another server while the connection is ongoing to a real server.

    Kind regards
     
  4. Like
    go558a83nk reacted to Staff in Privacy Notice and Terms   ...
    Addendum: Piwik main options have always remained unused by us, so why keep it when it can cast such doubts even in a long time customer like you? Therefore it has been disabled, so anybody with doubts like yours can now have peace of mind and usual confidence in every field handled by AirVPN.
     
    Kind regards
    AirVPN founders
  5. Thanks
    go558a83nk got a reaction from mazurka7 in AirVPN DNS setup in Asus router problem   ...
    *if* you're using IP address in the VPN server field instead of a domain then putting 10.4.0.1 in the WAN DNS setting might be OK.  Because there's no domain to resolve the router doesn't need to reach 10.4.0.1 prior to connection.
  6. Thanks
    go558a83nk got a reaction from mazurka7 in AirVPN DNS setup in Asus router problem   ...
    If you're using merlin asus and set the openvpn config in policy routing mode there's an option to not allow traffic if the VPN goes down.

    I'd use policy routing mode, set the DNS option in the openvpn config to exclusive and not put AirDNS in the WAN settings.
  7. Thanks
    go558a83nk got a reaction from mazurka7 in AirVPN DNS setup in Asus router problem   ...
    for Asus merlin set WAN DNS to something other than the VPN DNS (10.4.0.1) and in the openvpn configuration set the DNS setting to exclusive.  Then it'll switch to VPN DNS when the VPN connects.

    10.4.0.1 won't work unless you're connected to VPN because 10.4.0.1 is only accessible through the VPN not from public.
  8. Like
    go558a83nk reacted to wunderbar in RT blocked from some EU servers   ...
    Hello.
    Absolutely not. Censorship of any legal free speech is totally unacceptable and must be completely rejected in all cases.
    If you prevent other people from speaking, you are no better than the ones you claim to be protecting other people from.
  9. Like
    go558a83nk reacted to Staff in Ukraine Server Future?   ...
    Hello!

    Unfortunately there's nothing we can do during these grim and tragic days. Russians are actively destroying various infrastructural resources and might enter Kyiv any time. Our deepest sorrow is caused by the uncertain fate of the Ukrainian people. Who cares about a single server, but we will keep operating it, even as a symbol, as long as the infrastructure works, and it will remain displayed in the servers status page with the Ukraine flag.

    Kind regards
     
  10. Like
    go558a83nk reacted to Staff in Server replacement (LV)   ...
    Hello!

    We inform you that the following servers in Latvia:
      • Meissa
      • Phact
      • Schedir
      • Shaula
    have become suddenly nonoperational because the upstream of our provider blocked all traffic. They should come back online within a couple of days, due to new deals with a new transit provider. However, all IP addresses will change. We have decided that this is a good moment to switch to new lines and servers: we are changing the previous 100 Mbit/s lines with 1 Gbit/s lines and ports, and replacing the hardware with more powerful CPU. The four 100 Mbit/s servers will be replaced by three 1 Gbit/s servers. Location will not change, the new servers will be in Riga.

    We should be able to announce the new servers in the next days.
    EDIT 2022/02/02: replacement has been completed.

    Kind regards and datalove
    AirVPN Staff
     
  11. Like
    go558a83nk reacted to thetechdude in Logging for DNS   ...
    There are a few misconceptions here.  There is a difference between logging DNS queries temporarily and logging VPN traffic.  It's possible to enable logs on DNS for like 5 minutes and then turn it off.  Let's say I'm trying to go to a site that Easylist, or any other list, blocks.  Wouldn't it be nice to know that, so that you could then make an exclusion?  This is something that every other DNS filtering service allows; ControlD, NextDNS, AdGuard Home, etc.  So, what I'm asking for is nothing new or scandalous in any way.
  12. Like
    go558a83nk reacted to Staff in New 1 Gbit/s server available (IE)   ...
    Hello!

    We're very glad to inform you that a new 1 Gbit/s full duplex server located in Dublin, Ireland, is available: Minchir.

    The AirVPN client will show automatically the new server; if you use any other OpenVPN client you can generate all the files to access it through our configuration/certificates/key generator (menu "Client Area"->"Config generator").

    The server accepts connections on ports 53, 80, 443, 1194, 2018 UDP and TCP for OpenVPN and ports 1637 UDP for WireGuard.

    Minchir supports OpenVPN over SSL and OpenVPN over SSH, TLS 1.3, OpenVPN tls-crypt and WireGuard.

    Full IPv6 support is included as well.

    As usual no traffic limits, no logs, no discrimination on protocols and hardened security against various attacks with separate entry and exit-IP addresses.

    You can check the server status as usual in our real time servers monitor:
    https://airvpn.org/servers/minchir

    Do not hesitate to contact us for any information or issue.

    Kind regards and datalove
    AirVPN Team
  13. Like
    go558a83nk got a reaction from Jacker@ in PFsense OpenVPN is no longer connecting   ...
    looks like this is all confusion around which entry IP are tls-crypt and which are tls-auth.  tls-auth entry points use sha1.  tls-crypt entry points use sha512 and tls encryption+auth.

    so, keep an eye on which config you make.  details matter.
  14. Like
    go558a83nk reacted to Staff in When will AirVPN implement tls-crypt-v2?   ...
    @ciudad

    Hello!

    It's not planned at the moment because the current single tls-crypt key is more comfortable for us. tls-crypt 2 doesn't change anything for the client, while on the server side, in our specific case, it would be useless because we maintain tls-auth for backward compatibility. Any denial attempt would remain potentially possible via tls-auth, hence we would have a complication for nothing. However, when we drop tls-auth (we're afraid not in the near future because of the amount of old OpenVPN versions connecting to our service) then tls-crypt-2 will become attractive indeed.

    Kind regards
     
  15. Like
    go558a83nk got a reaction from Staff in speedtest comparison   ...
    Really thrilled with the wireguard speed.  That's me on Mensa.  https://i.gyazo.com/277f20acfb21cea8c41a8db164713063.png
  16. Like
    go558a83nk reacted to Nummer1 in My review   ...
    It has been a few months since I've last used this VPN, but my experience was great. This VPN might look complicated but it's really not and you won't regret getting it.
    Even back a few months it was awesome, probably my favourite out of the ones I've used, great VPN.
  17. Like
    go558a83nk got a reaction from Oblivion 2013 in [COMPLETED] WireGuard beta testing available   ...
    don't open a port on your router for eddie.  it's not needed for anything if everything's going through the VPN tunnel.
  18. Like
    go558a83nk got a reaction from Air4141841 in My ISP upgraded me from 100 to 1000mbps, need help optimizing cable speeds   ...
    you might want to just use wireguard on pfsense.   No doubt it'll be faster for you.  This is the video I used to help me setup wireguard. 

    https://www.youtube.com/watch?v=wYe7FzZ_0X8
  19. Thanks
    go558a83nk got a reaction from Jacker@ in [COMPLETED] WireGuard beta testing available   ...
    You need to create another "device" which will allow you to generate configs with a different tunnel IP address. https://airvpn.org/devices/

    As far as changing the /10 to /32 I do that in the interface settings of the wireguard tunnel. First I setup tunnel and peer for wireguard handshake, then setup interface and gateway for that wireguard tunnel.
  20. Like
    go558a83nk reacted to Strathe in Astounding Speed Improvement with WireGuard Beta   ...
    I just enrolled in the WireGuard Beta and decided to run benchmarks to check if there was any performance difference compared with OpenVPN.

    Specs:
    Ubuntu 20.04 LTS with OpenVPN 2.5.1, WireGuard. CPU has AES-NI but weak single-core performance. 1 Gbps line.

    Methodology:
    1. Find a server with low load.
    2. Connect to it via OpenVPN 2.51 with cipher AES-256-CBC and additional directives --fragment 0 --mssfix 0 --rcvbuf 0 --sndbuf 0.
    3. Load 10 well-seeded Linux torrents (Ubuntu, Fedora, Arch Linux, etc.)
    4. Observe average and top speeds.
    5. Repeat immediately afterwards using WireGuard with the same AirVPN server and torrents.

    Results:
    OpenVPN: 350 Mbps average, 410 Mbps peak
    WireGuard: 800 Mbps average, 1064 Mbps peak

    I cannot believe how much faster WireGuard is. Literally a 2.5 times improvement in speed free of charge, and my 1 Gbps line is now the bottleneck.
  21. Like
    go558a83nk reacted to Staff in New feature: DNS block lists   ...
    Hello!

    We're glad to introduce a new feature in AirVPN infrastructure: DNS block lists.

    By default, AirVPN DNS remains neutral in accordance with our mission. However, from now on you have the option to enforce block lists which poison our DNS, in order, for example, to block known sources of ads, spam, malware and so on.

    You can manage your preferences in your account Client Area ⇨ DNS panel https://airvpn.org/dns/.

    We offer only lists released with licenses which grant re-distribution for business purposes too.

    The system is very flexible and offers some exclusive features never seen before in other VPN services:
      • You can activate or de-activate, anytime, any combination of lists.
      • You can add customized exceptions and/or additional blocks.
      • Any specified domain which must be blocked includes all of its subdomains too.
      • Lists which can return custom A, AAAA, CNAME, TXT records are supported.
      • You can define any combination of block lists and/or exceptions and/or additions for your whole account or only for specific certificate/key pairs of your account (Client Area ⇨ Devices ⇨ Details ⇨ DNS)
      • Different matching methods are available for your additions and exceptions: Exact (exact FQDN), Domain (domain and its subdomains), Wildcard (with * and ? as wildcards), Contain, Start with, End with.
      • An API to fetch every and each list in different formats (see Client Area ⇨ API ⇨ dns_lists service) is active
      • Any change in your selected list(s), any added exception and any added block is enforced very quickly, within few tens of seconds. You don't need to disconnect and re-connect your account.
      • You can define your own lists and discuss lists and anything related in the community forum here
    Essential requisite to enjoy the service is, of course, querying AirVPN DNS while your system is connected to some VPN server, which is by the way a default setup if you run any of our software.

    Kind regards & datalove
    AirVPN Staff
  22. Thanks
    go558a83nk got a reaction from Staff in [COMPLETED] WireGuard beta testing available   ...
    I got this on my pfsense box just now. Very nice. May have even been a little limited by my traffic shaper

    https://www.speedtest.net/result/12249912075.png
  23. Like
    go558a83nk got a reaction from bbqsquirrel in 1000 mbit to 30 mbit on Synology DSM 7   ...
    That CPU does have AES-NI which is important for good speeds with openvpn.  But running it in a VM may keep AES-NI from getting used?  I don't know.

    You could try to use the chacha20 data cipher option that AirVPN supports if your client supports it.  It's usually faster on weaker devices.
  24. Like
    go558a83nk got a reaction from bbqsquirrel in 1000 mbit to 30 mbit on Synology DSM 7   ...
    It's probably a bottleneck on your CPU but without knowing what the CPU is in the device I can't say for sure.
  25. Thanks
    go558a83nk reacted to Staff in [COMPLETED] Dallas datacenter maintenance   ...
    Hello!

    Please be aware that the core router serving our servers in Dallas (TX, USA) will be replaced on Saturday October the 9th at 18.00 UTC (20.00 CEST). Expected downtime of all of our servers is approximately 1 hour.

    Kind regards
     