go558a83nk

Members2
  • Content Count

    1894
  • Joined

    ...
  • Last visited

    ...
  • Days Won

    24

Reputation Activity

  1. Like
    go558a83nk reacted to zhang888 in Can AirVPN be installed on my router?   ...
    Do yourself a favor and install OpenWRT on it:
    https://openwrt.org/toh/mikrotik/mikrotik_rb750gr3
     
    Mikrotik's OpenVPN client support is still horrible in 2019 and requires too many steps.
  2. Like
    go558a83nk got a reaction from 2975863j in DNS issues when using AirVPN on Router   ...
    When you generate configs select the option on the bottom right that says resolved hosts in ovpn file.  That way you can connect without having to resolve the server name - it puts IP address in instead of name.
  3. Like
    go558a83nk reacted to Guest in So Private Internet Access are INCREASING their prices to €63 a year!   ...
    $10 (€8.84)/month (from $6.95).
    $71.88 (€63.60)/year (from $39.95).
    $83.76 (€74.10)/2 year (from $69.95).
     
    Their one year plan works at €63, which was more expensive than Air's 1 year even before they decreased the prices. What the hell are they thinking? They are obviously desperate to 'lock in' users before the increase hits.
     
    Add to the fact PIA spend more than any other provider on marketing it appears (I see ads for them on Youtube like Linus Tech Tips or sites like Torrentfreak) and you wonder how they can justify this cost. Their "3000+" servers are probably rubbish VPS cloud servers and they probably don't actually have 3000 but a system to autoscale up/down based on demand (with a script to setup more servers as required using an API).
     
    Terrible. AirVPN basically has no competition at their new price point. They have the best clients by a long mile (with the most amount of configurable options and IP's). I hope the staff (in private anyway...) are laughing at how absurdly stupid their biggest competitor is right now.
  4. Like
    go558a83nk reacted to Staff in New 1 Gbit/s server available (UK)   ...
    Hello!

    We're very glad to inform you that a new 1 Gbit/s server located in Manchester, UK, is available: Westerlund.

    The AirVPN client will show automatically the new server. If you use the OpenVPN client you can generate all the files to access it through our configuration/certificates/key generator (menu "Client Area"->"Config generator").

    The server accepts connections on ports 53, 80, 443, 1194, 2018 UDP and TCP.

    Just like every other "second generation" Air server, Westerlund supports OpenVPN over SSL and OpenVPN over SSH, TLS 1.2 and tls-crypt.

    Full IPv6 support is included as well.

    As usual no traffic limits, no logs, no discrimination on protocols and hardened security against various attacks with separate entry and exit-IP addresses.

    You can check the server status as usual in our real time servers monitor:
    https://airvpn.org/servers/westerlund

    Do not hesitate to contact us for any information or issue.

    Kind regards and datalove
    AirVPN Team
  5. Like
    go558a83nk reacted to Staff in New 1 Gbit/s server available (US)   ...
    Hello!

    We're very glad to inform you that a new 1 Gbit/s server located in New York City (NY, US) is available: Gliese.
     
    The AirVPN client will show automatically the new server, while if you use the OpenVPN client you can generate all the files to access it through our configuration/certificates/key generator (menu "Client Area"->"Config generator").

    Just like every other "second generation" Air server, Gliese supports OpenVPN over SSL and OpenVPN over SSH, TLS 1.2 and tls-crypt.
     
    Full IPv6 support is included as well.

    As usual no traffic limits, no logs, no discrimination on protocols and hardened security against various attacks with separate entry and exit-IP addresses.
     
    You can check the server status in our real time servers monitor:
    https://airvpn.org/servers/gliese
     
    Gliese will replace Miaplacidus while Rasalas will be replaced by Dimidium. Rasalas and Miaplacidus failed to meet our technical requirements since a couple of months ago.
     
    Do not hesitate to contact us for any information or issue.

    Kind regards and datalove
    AirVPN Team
  6. Like
    go558a83nk got a reaction from Mad_Max in A Newbie PfSense question   ...
    SSD isn't necessary.  What is necessary is two ethernet ports.  Yes, I'd certainly recommend pfsense on that laptop over a high end router.
     
    As far as wifi AP you just need coverage and speed that you want.  You'll want something that can run in AP mode and not router mode, so that pfsense can handle your network.
  7. Like
    go558a83nk got a reaction from pfolk in Does custom DNS Server expose real IP ?   ...
    You seem to understand things properly.
  8. Like
    go558a83nk got a reaction from giganerd in Does custom DNS Server expose real IP ?   ...
    Sure, they are recursive DNS that Air runs but the requests they make to authoritative DNS are not tied back to you.
     
    If you use another DNS like 1.1.1.1 you also still have some anonymity since you're one of dozens of people using the VPN server.
  9. Like
    go558a83nk reacted to Staff in New 1 Gbit/s server available (US)   ...
    Hello!

    We're very glad to inform you that a new 1 Gbit/s server located in New York City (NY, US) is available: Dimidium.
     
    The AirVPN client will show automatically the new server, while if you use the OpenVPN client you can generate all the files to access it through our configuration/certificates/key generator (menu "Client Area"->"Config generator").

    Just like every other "second generation" Air server, Dimidium supports OpenVPN over SSL and OpenVPN over SSH, TLS 1.2 and tls-crypt.
     
    Full IPv6 support is included as well.

    As usual no traffic limits, no logs, no discrimination on protocols and hardened security against various attacks with separate entry and exit-IP addresses.
     
    You can check the server status in our real time servers monitor:
    https://airvpn.org/servers/dimidium
     
    Do not hesitate to contact us for any information or issue.

    Kind regards and datalove
    AirVPN Team
  10. Like
    go558a83nk reacted to Staff in New 1 Gbit/s server available (JP)   ...
    Hello!

    We're very glad to inform you that a new 1 Gbit/s server located in Japan is available: Taphao.
     
    The AirVPN client will show automatically the new server, while if you use the OpenVPN client you can generate all the files to access it through our configuration/certificates/key generator (menu "Client Area"->"Config generator").

    Just like every other "second generation" Air server, Taphao supports OpenVPN over SSL and OpenVPN over SSH, TLS 1.2 and tls-crypt.
     
    Full IPv6 support is included as well.

    As usual no traffic limits, no logs, no discrimination on protocols and hardened security against various attacks with separate entry and exit-IP addresses.
     
    You can check the server status in our real time servers monitor:
    https://airvpn.org/servers/taphao
     
    Do not hesitate to contact us for any information or issue.

    Kind regards and datalove
    AirVPN Team
  11. Like
    go558a83nk reacted to Staff in Two new 1 Gbit/s servers available (UK)   ...
    Hello!

    We're very glad to inform you that new 1 Gbit/s servers located in UK are available: Arion and Orbitar, respectively in London and Manchester.

    The AirVPN client will show automatically the new servers. If you use the OpenVPN client you can generate all the files to access it through our configuration/certificates/key generator (menu "Client Area"->"Config generator").

    The servers accept connections on ports 53, 80, 443, 1194, 2018 UDP and TCP.

    Just like every other "second generation" Air server,  Arion and Orbitar support OpenVPN over SSL and OpenVPN over SSH, TLS 1.2 and tls-crypt.
     
    Full IPv6 support is included as well.

    As usual no traffic limits, no logs, no discrimination on protocols and hardened security against various attacks with separate entry and exit-IP addresses.
     
    Arion and Orbitar replace Algedi and Nunki, which will be withdrawn as they consistently failed to meet the quality of service we require.
     
    You can check the servers status as usual in our real time servers monitor:
    https://airvpn.org/servers/arion
    https://airvpn.org/servers/orbitar
     
    Do not hesitate to contact us for any information or issue.

    Kind regards and datalove
    AirVPN Team
  12. Like
    go558a83nk reacted to nwlyoc in Interactive Wrapper for Eddie's CLI version   ...
    Hello,
    after I posted some suggestions for Eddie's CLI version in this thread and received some helpful information there, I set out to write my own little interface in bash for it to implement the suggestions. Being no programmer it turned out to be quite a project for me, and I would like to share it here in case anybody else prefers to run Eddie in the terminal rather than as a full GUI application. This script still uses Eddie itself, it's just a wrapper to make it as easy to use in the command line as it is as a desktop application. Screenshots are attached.
     
    Some features and advantages:
      • uses less resources (top shows usually 0.3% CPU usage compared to 4-5% for the desktop version)
      • can be exited without disconnecting
      • interactive, sortable server list
      • option to connect to another VPN with openconnect (since I need to do that from time to time, but it should be easy to add other connection methods as well)
      • option to lock down the system's network traffic by default, so even without Eddie running with its own network lock there will be no leaks

    What to watch out for:
      • The default network lock works with direct rules in firewalld because I'm using Fedora. It should be easy to change it to use iptables directly on other distributions since firewalld's direct rules are just a way to directly manipulate iptables.
      • Once activated, the lock will stay in place until manually deactivated (also surviving reboots), so no internet connection will be possible unless connected to AirVPN or other whitelisted VPNs.
      • AirVPN's network lock overwrites the default network lock, so there will be no interference.
      • Check your /etc/resolv.conf file while not running Eddie (because Eddie's network lock replaces that file temporarily) to make sure your router is not set as a nameserver (so no 192.168... address). Some routers will push themselves on that list by DHCP whenever you connect to their network. Since communication with the router is allowed in the lock rules, DNS requests will be handled by the router and sent to whatever DNS server is configured there even when network traffic should be blocked. There are ways to prevent that file from being changed by DHCP, best configure network manager for that if you use it.
      • To connect to other VPNs, their IPs must be whitelisted and DNS requests for their domains must be allowed in the default network lock rules. The rules for airvpn.org can be copied and adjusted.
      • I haven't yet included an option to pass command line arguments to Eddie. So if you need to set more advanced options like black-/whitelists, use of certain protocols etc., you need to set them manually in the connect_server function. All the possible options can be found in 'man eddie-ui'.
      • You need to insert your own API key in line 5. It can be found in your account under Client Area -> API. Without this, connections will still work, but user info and connection status in the main window will not be properly updated.
      • I tried to only use basic system tools. The script relies mostly on dialog, awk and curl (and firewalld as described and openconnect if needed), so it should work on most systems, but I'm not sure.
      • And, lastly, VERY IMPORTANT: As I said, I'm no programmer and new to this, so even though I tried my best to make this script secure and error free, there might very well be some bad practice, never-ever-do-this mistakes or other hiccups in there. It works well for me, but better check it yourself.

    Feel free to use this as you wish, I hope someone can benefit from this. I'm happy about any improvements and corrections and will update this if I find the time.

    UPDATE: A new version which uses Hummingbird and has been improved in many aspects (including automatic connection at boot) can be found here.
     
    #!/bin/bash
    # an interactive shell script to control the command line version of the AirVPN Eddie client and openconnect more comfortably

    PROFILE_PATH="$HOME/.airvpn/default.xml"
    API_KEY="<your api key>"
    DIALOG_OK=0
    DIALOG_CANCEL=1
    DIALOG_EXTRA=3
    DIALOG_ESC=255
    HEIGHT=0
    WIDTH=0
    BACKTITLE="VPN Control"
    FORMAT="text"
    URL="https://airvpn.org/api/"
    PID=$$

    function check_sudo {
      # check if user has sudo privileges
      sudo -vn &> /dev/null
      # gain sudo privileges for commands that need it (better than running everything with sudo)
      if [ $? = "1" ]
      then
        unset EXIT_STATUS_SUDO
        PASS_PROMPT="Establishing VPN connections and changing network traffic rules requires root privileges. Please enter your password:"
        until [ "$EXIT_STATUS_SUDO" = "0" ]
        do
          dialog \
            --backtitle "$BACKTITLE" \
            --title "Password Needed" \
            --output-fd 1 \
            --insecure \
            --passwordbox "$PASS_PROMPT" 11 35 | xargs printf '%s\n' | sudo -Svp '' &> /dev/null
          EXIT_STATUS_PIPE=( "${PIPESTATUS[@]}" )
          EXIT_STATUS_DIALOG="${EXIT_STATUS_PIPE[0]}"
          EXIT_STATUS_SUDO="${EXIT_STATUS_PIPE[2]}"
          EXIT_SUDO_TEST="${EXIT_STATUS_PIPE[2]}"
          PASS_PROMPT="The password you entered is incorrect. Please try again:"
          case $EXIT_STATUS_DIALOG in
            $DIALOG_CANCEL|$DIALOG_ESC)
              return 1
              ;;
          esac
        done
        # keep sudo permission until script exits or permissions are revoked (e.g. when computer goes to sleep)
        while [ "$EXIT_SUDO_TEST" = "0" ]; do sudo -vn; EXIT_SUDO_TEST=$?; sleep 60; kill -0 "$PID" || exit; done &> /dev/null &
      fi
      return 0
    }

    function get_list {
      SERVICE_NAME="status"
      ARGS="{ \"format\":\"$FORMAT\", \"service\":\"$SERVICE_NAME\" }"
      timeout --signal=SIGINT 10 curl -s -d "$ARGS" -X POST "$URL" > "/tmp/.eddie_server_list.txt"
    }

    function sort_list {
      # pipe server status list to awk, filter out unnecessary stuff,
      # combine lines that relate to same server into single lines which are saved as array,
      # loop through array to format info,
      # print array and sort according to options,
      # add numbers to list for menu
      LIST=$(awk -F '[.]' \
        'BEGIN{OFS=";"} \
        /^servers/ && !/ip_/ && !/country_code/ {c=$2; \
        if (c in servers) servers[c]=servers[c] OFS $3; \
        else servers[c]=$3; \
        for (k in servers) gsub(/;bw=/, " :", servers[k]); \
        for (k in servers) gsub(/;bw_max=/, "/", servers[k]); \
        for (k in servers) gsub(/;currentload=/, " :", servers[k]); \
        for (k in servers) gsub(/;health=/, "%:", servers[k]); \
        for (k in servers) gsub(/;.*=/, ":", servers[k]); \
        for (k in servers) gsub(/^.*=/, "", servers[k])} \
        END{ \
        for (c in servers) print servers[c]}' "/tmp/.eddie_server_list.txt" | sort -t ":" $1 | awk -F '[;]' 'BEGIN{OFS=":"} {print v++";"$1}')
    }

    function get_userinfo {
      SERVICE_NAME="userinfo"
      ARGS="{ \"format\":\"$FORMAT\", \"service\":\"$SERVICE_NAME\", \"key\":\"$API_KEY\" }"
      # filter specific lines, save values to variables after protecting whitespace
      read U_LOGIN U_EXP U_CONNECTED U_DEVICE U_SERVER_NAME U_SERVER_COUNTRY U_SERVER_LOCATION U_TIME <<< $( \
        timeout --signal=SIGINT 10 curl -s -d "$ARGS" -X POST "$URL" | \
        awk -F '[=]' \
        'BEGIN{ORS=";"} \
        /^user.login|^user.expiration_days|^user.connected|^sessions.*device_name|^connection.server_name|^connection.server_country=|^connection.server_location|^connection.connected_since_date/ \
        {print $2}' | \
        sed 's/\ /\\\ /g' | sed 's/;/\ /g' \
        )
      if [ "$U_CONNECTED" = "1" ]
      then
        U_CONNECTED="connected"
        U_SERVER_FULL="$U_SERVER_NAME ($U_SERVER_LOCATION, $U_SERVER_COUNTRY)"
        U_TIME=$(date -d "$U_TIME UTC" +"%m/%d/%Y %H:%M:%S")
      else
        U_CONNECTED="not connected"
        U_SERVER_FULL="--"
        U_TIME="--"
      fi
    }

    function connect_server {
      if [ "$KILLED" = "true" ]
      then
        # create pipes to process status of client
        if [ ! -p "/tmp/.eddie_fifo1" ]
        then
          mkfifo "/tmp/.eddie_fifo1"
        fi
        if [ ! -p "/tmp/.eddie_fifo2" ]
        then
          mkfifo "/tmp/.eddie_fifo2"
        fi
        # run eddie in background and detached from current window, pipe output to named pipe
        (sudo eddie-ui --cli --netlock --connect --server="$1" --profile="$PROFILE_PATH" | tee "/tmp/.eddie_fifo2" &> "/tmp/.eddie_fifo1" &)
        cat "/tmp/.eddie_fifo2" | dialog --backtitle "$BACKTITLE" --title "Connecting to AirVPN..." --progressbox 20 80 &
        timeout --signal=SIGINT 60 grep -q -m 1 "Initialization Sequence Completed" "/tmp/.eddie_fifo1"
        INIT_EXIT=$?
        pkill -f cat.*eddie_fifo2
        if [ $INIT_EXIT = "0" ]
        then
          get_userinfo
        else
          U_CONNECTED="error during connection attempt"
          U_SERVER_FULL="--"
          U_TIME="--"
        fi
      else
        U_CONNECTED="error during disconnection"
        U_SERVER_FULL="--"
        U_TIME="--"
      fi
    }

    function disconnect_server {
      # check for running instance of eddie
      pgrep -f mono.*eddie-ui &> /dev/null
      if [ $? = 0 ]
      then
        # kill process and wait for confirmation from process output
        if [ -p "/tmp/.eddie_fifo1" -a -p "/tmp/.eddie_fifo2" ]
        then
          sudo pkill -2 -f mono.*eddie-ui &
          cat "/tmp/.eddie_fifo1" | dialog --backtitle "$BACKTITLE" --title "Disconnecting AirVPN..." --progressbox 20 80 &
          timeout --signal=SIGINT 10 grep -q -m 1 "Shutdown complete" "/tmp/.eddie_fifo2"
        else
          # in case connection was started without this script
          sudo pkill -2 -f mono.*eddie-ui
          sleep 5
        fi
        # give some time to completely close process, without sleep it's too early for new connection
        sleep 3
        pgrep -f mono.*eddie-ui &> /dev/null
        if [ $? = 1 ]
        then
          KILLED1="true"
        else
          KILLED1="false"
        fi
      else
        KILLED1="true"
      fi
      # check for running instance of openconnect
      pgrep -f "openconnect.*--" &> /dev/null
      if [ $? = 0 ]
      then
        sudo pkill -2 -f "openconnect.*--"
        sleep 1
        pgrep -f "openconnect.*--" &> /dev/null
        if [ $? = 1 ]
        then
          KILLED2="true"
          # somehow openconnect doesn't receive SIGINT and shuts down improperly,
          # so vpnc can't restore resolv.conf by itself
          sudo cp "/var/run/vpnc/resolv.conf-backup" "/etc/resolv.conf"
        else
          KILLED2="false"
        fi
      else
        KILLED2="true"
      fi
      if [ "$KILLED1" = "true" -a "$KILLED2" = "true" ]
      then
        KILLED="true"
      else
        KILLED="false"
      fi
    }

    function define_lock {
      if [ "$1" = "activate" ]
      then
        GAUGE_TITLE="Activating Network Lock"
        RULE_ACTION="add-rule"
      elif [ "$1" = "deactivate" ]
      then
        GAUGE_TITLE="Deactivating Network Lock"
        RULE_ACTION="remove-rule"
      else
        return 1
      fi
      GAUGE_BODY="$1"
      IPRULES=(\
        #allow loopback
        "sudo firewall-cmd --direct --permanent --$RULE_ACTION ipv4 filter INPUT 0 -i lo -j ACCEPT" \
        "sudo firewall-cmd --direct --permanent --$RULE_ACTION ipv4 filter OUTPUT 0 -o lo -j ACCEPT" \
        #allow lan (out) and broadcasting/dhcp
        "sudo firewall-cmd --direct --permanent --$RULE_ACTION ipv4 filter OUTPUT 0 -s 192.168.0.0/16 -d 192.168.0.0/16 -j ACCEPT" \
        "sudo firewall-cmd --direct --permanent --$RULE_ACTION ipv4 filter INPUT 0 -s 255.255.255.255 -j ACCEPT" \
        "sudo firewall-cmd --direct --permanent --$RULE_ACTION ipv4 filter OUTPUT 0 -d 255.255.255.255 -j ACCEPT" \
        # allow tun device to communicate (so any VPN connection should be possible, also without Air, but respective DNS requests must be allowed)
        "sudo firewall-cmd --direct --permanent --$RULE_ACTION ipv4 filter FORWARD 0 -o tun+ -j ACCEPT" \
        "sudo firewall-cmd --direct --permanent --$RULE_ACTION ipv4 filter FORWARD 0 -i tun+ -j ACCEPT" \
        "sudo firewall-cmd --direct --permanent --$RULE_ACTION ipv4 filter OUTPUT 998 -o tun+ -j ACCEPT" \
        # optional masquerade rule (NAT/ports)
        "sudo firewall-cmd --direct --permanent --$RULE_ACTION ipv4 nat POSTROUTING 0 -o tun+ -j MASQUERADE" \
        # allow ipv4 only to airvpn.org for status update
        # allow DNS query to resolve hostname (hex string reads "06 airvpn 03 org" - numbers are counting bits),
        # restrict packet length to length of this specific request package (might change?) to avoid hijacking
        # of query (very unlikely I guess, but who cares if we're already being paranoid for the fun of it),
        # whitelist destination IP for TCP handshake
        "sudo firewall-cmd --direct --permanent --$RULE_ACTION ipv4 filter OUTPUT 1 -p udp --dport 53 -m string --hex-string '|06 61697276706e 03 6f7267|' --algo bm -m length --length 0:126 -m recent --set -j ACCEPT" \
        "sudo firewall-cmd --direct --permanent --$RULE_ACTION ipv4 filter OUTPUT 1 -p tcp --dport 53 -m string --hex-string '|06 61697276706e 03 6f7267|' --algo bm -m length --length 0:126 -m recent --set -j ACCEPT" \
        # add rules for other domains you wish to allow DNS requests to here (packet length can be determined with e.g. wireshark) and adjust array index
        #
        # allow SYN request to whitelisted IP to initiate handshake, remove IP from whitelist
        "sudo firewall-cmd --direct --permanent --$RULE_ACTION ipv4 filter OUTPUT 1 -p tcp --syn --dport 53 -m recent --remove -j ACCEPT" \
        # allow outgoing connection to Air's IP
        "sudo firewall-cmd --direct --permanent --$RULE_ACTION ipv4 filter OUTPUT 1 -d 5.196.64.52 -j ACCEPT" \
        # add rules for other IPs you wish to allow connections to here
        #
        # allow communication
        "sudo firewall-cmd --direct --permanent --$RULE_ACTION ipv4 filter INPUT 1 -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT" \
        # drop outgoing ipv4 (if not specifically allowed by other rules)
        "sudo firewall-cmd --direct --permanent --$RULE_ACTION ipv4 filter OUTPUT 999 -j DROP" \
        # block incoming ipv4
        "sudo firewall-cmd --direct --permanent --$RULE_ACTION ipv4 filter INPUT 999 -j DROP" \
        # drop all ipv6
        "sudo firewall-cmd --direct --permanent --$RULE_ACTION ipv6 filter OUTPUT 0 -j DROP" \
        "sudo firewall-cmd --direct --permanent --$RULE_ACTION ipv6 filter INPUT 0 -j DROP" \
        # reload and restart firewalld to activate permanent rule changes
        "sudo firewall-cmd --reload" \
        "sudo systemctl restart firewalld"\
        )
      toggle_lock
    }

    function toggle_lock {
      PERCENTAGE_STEP=$(awk -v rules="${#IPRULES[@]}" 'BEGIN {print 100/rules}')
      PERCENTAGE=0
      COUNTER=0
      # initial window
      dialog --backtitle "$BACKTITLE" \
        --title "$GAUGE_TITLE" \
        --mixedgauge "Applying iptable rules to $GAUGE_BODY the default network lock..." 35 80 "$(awk -v per="$PERCENTAGE" 'BEGIN {printf "%.0f", per}')" \
        "Allow Loopback IN" "${RESULT[0]}" \
        "Allow Loopback OUT" "${RESULT[1]}" \
        "Allow LAN OUT" "${RESULT[2]}" \
        "Allow DHCP IN" "${RESULT[3]}" \
        "Allow DHCP OUT" "${RESULT[4]}" \
        "Allow tun out FORWARD" "${RESULT[5]}" \
        "Allow tun in FORWARD" "${RESULT[6]}" \
        "Allow tun out OUT" "${RESULT[7]}" \
        "tun masquerade" "${RESULT[8]}" \
        "Allow DNS via UDP to airvpn.org" "${RESULT[9]}" \
        "Allow DNS via TCP to airvpn.org" "${RESULT[10]}" \
        "Allow connection initiation" "${RESULT[11]}" \
        "Allow traffic to airvpn.org" "${RESULT[12]}" \
        "Allow established connections" "${RESULT[13]}" \
        "Block IPv4 OUT" "${RESULT[14]}" \
        "Block IPv4 IN" "${RESULT[15]}" \
        "Block IPv6 OUT" "${RESULT[16]}" \
        "Block IPv6 IN" "${RESULT[17]}" \
        "activate changes" "${RESULT[18]}" \
        "restart firewalld" "${RESULT[19]}"
      for i in "${IPRULES[@]}"
      do
        RESULT["$COUNTER"]=$(eval $i)
        (( COUNTER++ ))
        PERCENTAGE=$(awk -v per="$PERCENTAGE" -v per_step="$PERCENTAGE_STEP" 'BEGIN {print per+per_step}')
        # progress window
        dialog --backtitle "$BACKTITLE" \
          --title "$GAUGE_TITLE" \
          --mixedgauge "Applying iptable rules to $GAUGE_BODY the default network lock..." 35 80 "$(awk -v per="$PERCENTAGE" 'BEGIN {printf "%.0f", per}')" \
          "Allow Loopback IN" "${RESULT[0]}" \
          "Allow Loopback OUT" "${RESULT[1]}" \
          "Allow LAN OUT" "${RESULT[2]}" \
          "Allow DHCP IN" "${RESULT[3]}" \
          "Allow DHCP OUT" "${RESULT[4]}" \
          "Allow tun out FORWARD" "${RESULT[5]}" \
          "Allow tun in FORWARD" "${RESULT[6]}" \
          "Allow tun out OUT" "${RESULT[7]}" \
          "tun masquerade" "${RESULT[8]}" \
          "Allow DNS via UDP to airvpn.org" "${RESULT[9]}" \
          "Allow DNS via TCP to airvpn.org" "${RESULT[10]}" \
          "Allow connection initiation" "${RESULT[11]}" \
          "Allow traffic to airvpn.org" "${RESULT[12]}" \
          "Allow established connections" "${RESULT[13]}" \
          "Block IPv4 OUT" "${RESULT[14]}" \
          "Block IPv4 IN" "${RESULT[15]}" \
          "Block IPv6 OUT" "${RESULT[16]}" \
          "Block IPv6 IN" "${RESULT[17]}" \
          "activate changes" "${RESULT[18]}" \
          "restart firewalld" "${RESULT[19]}"
      done
      # final window to show results
      dialog --backtitle "$BACKTITLE" \
        --title "$GAUGE_TITLE" \
        --mixedgauge "Applying iptable rules to $GAUGE_BODY the default network lock..." 35 80 "$(awk -v per="$PERCENTAGE" 'BEGIN {printf "%.0f", per}')" \
        "Allow Loopback IN" "${RESULT[0]}" \
        "Allow Loopback OUT" "${RESULT[1]}" \
        "Allow LAN OUT" "${RESULT[2]}" \
        "Allow DHCP IN" "${RESULT[3]}" \
        "Allow DHCP OUT" "${RESULT[4]}" \
        "Allow tun out FORWARD" "${RESULT[5]}" \
        "Allow tun in FORWARD" "${RESULT[6]}" \
        "Allow tun out OUT" "${RESULT[7]}" \
        "tun masquerade" "${RESULT[8]}" \
        "Allow DNS via UDP to airvpn.org" "${RESULT[9]}" \
        "Allow DNS via TCP to airvpn.org" "${RESULT[10]}" \
        "Allow connection initiation" "${RESULT[11]}" \
        "Allow traffic to airvpn.org" "${RESULT[12]}" \
        "Allow established connections" "${RESULT[13]}" \
        "Block IPv4 OUT" "${RESULT[14]}" \
        "Block IPv4 IN" "${RESULT[15]}" \
        "Block IPv6 OUT" "${RESULT[16]}" \
        "Block IPv6 IN" "${RESULT[17]}" \
        "activate changes" "${RESULT[18]}" \
        "restart firewalld" "${RESULT[19]}"
      sleep 2
      unset RESULT
      check_lock
    }

    function check_lock {
      # check for success (not really though, needs improvement)
      LOCK_RULES=$( sudo firewall-cmd --direct --permanent --get-all-rules | wc -l )
      if [ "$LOCK_RULES" -gt 16 ]
      then
        LOCK_ACTIVE="active"
      else
        LOCK_ACTIVE="inactive"
      fi
    }

    function yesno {
      dialog \
        --backtitle "$BACKTITLE" \
        --title "$1" \
        --clear \
        --yesno "$2" \
        $HEIGHT $WIDTH
      EXIT_STATUS=$?
    }

    check_sudo
    if [ $? = "1" ]
    then
      clear
      exit
    fi
    get_userinfo
    # if currently connected by openconnect, set status to unknown (connection could have been established outside of this script)
    pgrep openconnect &> /dev/null
    if [ $? = 0 ]
    then
      U_CONNECTED="connected (openconnect)"
      U_SERVER_FULL="unknown"
      U_TIME="unknown"
    fi
    check_lock

    while true; do
      exec 3>&1
      selection=$(dialog \
        --cr-wrap \
        --backtitle "$BACKTITLE" \
        --title "Main Menu" \
        --clear \
        --cancel-label "Quit" \
        --menu "This is a control script for VPN connections, primarily for Eddie, the AirVPN client.\nThis script can be exited and re-entered without affecting a running connection.\n\nUser: $U_LOGIN\nDays Until Expiration: $U_EXP\n\nDefault Network Lock: $LOCK_ACTIVE\n\nStatus: $U_CONNECTED\nServer: $U_SERVER_FULL\nConnected Since: $U_TIME\n\nPlease select one of the following options:" $HEIGHT $WIDTH 6 \
        "0" "Connect to Recommended Server" \
        "1" "Connect to Specific Server" \
        "2" "Connect via openconnect" \
        "3" "Disconnect" \
        "4" "Refresh User Info" \
        "5" "Toggle Default Network Lock" \
        2>&1 1>&3)
      EXIT_STATUS=$?
      exec 3>&-
      case $EXIT_STATUS in
        $DIALOG_CANCEL|$DIALOG_ESC)
          yesno "Quit" "Exit Script?"
          case $EXIT_STATUS in
            $DIALOG_CANCEL|$DIALOG_ESC)
              ;;
            $DIALOG_OK)
              break
              ;;
          esac
          ;;
      esac
      case $selection in
        0 )
          check_sudo
          if [ $? = "0" ]
          then
            disconnect_server
            connect_server ""
          fi
          ;;
        1 )
          while true; do
            exec 3>&1
            SERVER_SORT=$(dialog \
              --backtitle "$BACKTITLE" \
              --title "Sort Server List" \
              --no-collapse \
              --ok-label "sort ascending" \
              --extra-button \
              --extra-label "sort descending" \
              --menu "Please choose how you want to sort the server list." \
              14 0 7 \
              "1" "Name" \
              "2" "Country" \
              "3" "Location" \
              "4" "Continent" \
              "5" "Bandwidth" \
              "6" "Users" \
              "7" "Load" \
              2>&1 1>&3)
            EXIT_STATUS=$?
            exec 3>&-
            case $EXIT_STATUS in
              $DIALOG_CANCEL|$DIALOG_ESC)
                break
                ;;
              $DIALOG_EXTRA)
                SERVER_SORT_OPTION="r"
                ;;
              $DIALOG_OK)
                SERVER_SORT_OPTION=""
                ;;
            esac
            if [ "$SERVER_SORT" = "5" -o "$SERVER_SORT" = "6" -o "$SERVER_SORT" = "7" ]
            then
              SERVER_NUM_OPTION="n"
            else
              SERVER_NUM_OPTION=""
            fi
            if [ ! -f "/tmp/.eddie_server_list.txt" ]
            then
              get_list
            fi
            while true
            do
              sort_list "-k$SERVER_SORT,$SERVER_SORT$SERVER_SORT_OPTION$SERVER_NUM_OPTION"
              IFS=$';\n'
              exec 3>&1
              SERVER_NMBR=$(dialog \
                --backtitle "$BACKTITLE" \
                --title "Server List" \
                --colors \
                --no-collapse \
                --extra-button \
                --extra-label "Refresh List" \
                --column-separator ":" \
                --menu "Choose a server from the list to connect to it. (Press ESC to go back.)\n\n\Zb # Name Country Location Continent Bandwidth Users Load Health\ZB" \
                40 102 31 $LIST 2>&1 1>&3)
              EXIT_STATUS=$?
              exec 3>&-
              IFS=$' \t\n'
              case $EXIT_STATUS in
                $DIALOG_CANCEL)
                  break 2
                  ;;
                $DIALOG_ESC)
                  break
                  ;;
                $DIALOG_EXTRA)
                  get_list
                  ;;
                $DIALOG_OK)
                  check_sudo
                  if [ $? = "0" ]
                  then
                    SELECTED_SERVER=$(printf -- '%s\n' "${LIST[@]}" | grep "^$SERVER_NMBR;" | cut -d ";" -f 2 | cut -d ":" -f 1)
                    disconnect_server
                    connect_server "$SELECTED_SERVER"
                    break 2
                  fi
                  ;;
              esac
            done
          done
          ;;
        2 )
          exec 3>&1
          # adjust field lengths if necessary
          CONNECT_INFO=$(dialog \
            --backtitle "$BACKTITLE" \
            --title "VPN via openconnect" \
            --insecure \
            --mixedform "Please provide your login credentials to connect to a VPN via openconnect:\n(Leave unneeded fields blank and type options as in command line, separated by space.)" $HEIGHT $WIDTH 6 \
            "Server:" 1 1 "" 1 21 25 0 0 \
            "Group:" 2 1 "" 2 21 25 0 0 \
            "User:" 3 1 "" 3 21 25 0 0 \
            "Password:" 4 1 "" 4 21 25 0 1 \
            "Additional Options:" 5 1 "" 5 21 25 0 0 \
            2>&1 1>&3)
          EXIT_STATUS=$?
          exec 3>&-
          case $EXIT_STATUS in
            $DIALOG_CANCEL|$DIALOG_ESC)
              ;;
            $DIALOG_OK)
              check_sudo
              if [ $? = "0" ]
              then
                disconnect_server
                if [ "$KILLED" = "true" ]
                then
                  if [ ! -p "/tmp/.eddie_fifo1" ]
                  then
                    mkfifo "/tmp/.eddie_fifo1"
                  fi
                  ALT_SERVER=$(echo -n "$CONNECT_INFO" | cut -d$'\n' -f 1)
                  ALT_GROUP=$(echo -n "$CONNECT_INFO" | cut -d$'\n' -f 2)
                  ALT_USER=$(echo -n "$CONNECT_INFO" | cut -d$'\n' -f 3)
                  ALT_PASS=$(echo -n "$CONNECT_INFO" | cut -d$'\n' -f 4)
                  ALT_OPTS=$(echo -n "$CONNECT_INFO" | cut -d$'\n' -f 5)
                  echo "$ALT_PASS" | (sudo openconnect $ALT_OPTS --authgroup=$ALT_GROUP --user=$ALT_USER --passwd-on-stdin $ALT_SERVER &> "/tmp/.eddie_fifo1" &)
                  timeout --signal=SIGINT 3 cat "/tmp/.eddie_fifo1" | dialog --backtitle "$BACKTITLE" --title "Connecting via openconnect..." --timeout 5 --programbox 20 80
                  U_CONNECTED="connected"
                  U_SERVER_FULL="$ALT_SERVER"
                  U_TIME=$(date +"%m/%d/%Y %H:%M:%S")
                else
                  U_CONNECTED="error during disconnection"
                  U_SERVER_FULL="--"
                  U_TIME="--"
                fi
              fi
              ;;
          esac
          ;;
        3 )
          check_sudo
          if [ $? = "0" ]
          then
            disconnect_server
            if [ "$KILLED" = "true" ]
            then
              get_userinfo
            else
              U_CONNECTED="error during disconnection"
              U_SERVER_FULL="--"
              U_TIME="--"
            fi
            if [ -p "/tmp/.eddie_fifo1" ]
            then
              rm "/tmp/.eddie_fifo1"
            fi
            if [ -p "/tmp/.eddie_fifo2" ]
            then
              rm "/tmp/.eddie_fifo2"
            fi
          fi
          ;;
        4 )
          get_userinfo
          ;;
        5 )
          pgrep -f mono.*eddie-ui &> /dev/null
          if [ $? = 0 ]
          then
            dialog --backtitle "$BACKTITLE" --title "Toggle Network Lock" --timeout 3 --msgbox "You need to be disconnected to change network traffic rules." 10 35
          else
            if [ "$LOCK_ACTIVE" = "inactive" ]
            then
              yesno "Toggle Network Lock" "Are you sure you want to activate the default network lock and block all connections while not connected to (any) VPN?"
              case $EXIT_STATUS in
                $DIALOG_CANCEL|$DIALOG_ESC)
                  ;;
                $DIALOG_OK)
                  check_sudo
                  if [ $? = "0" ]
                  then
                    define_lock "activate"
                  fi
                  ;;
              esac
            else
              yesno "Toggle Network Lock" "Are you sure you want to deactivate the default network lock and allow all connections, even when not connected to a VPN?"
              case $EXIT_STATUS in
                $DIALOG_CANCEL|$DIALOG_ESC)
                  ;;
                $DIALOG_OK)
                  check_sudo
                  if [ $? = "0" ]
                  then
                    define_lock "deactivate"
                  fi
                  ;;
              esac
            fi
          fi
          ;;
      esac
    done
    clear
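
The /etc/resolv.conf check described in the post above, as an added example that is not part of nwlyoc's script: it lists nameserver entries that fall inside the LAN range the lock's "Allow LAN OUT" rule permits (192.168.0.0/16 in the posted rules). The function names and the option to pass other CIDRs are assumptions made for this illustration, and the sample file is constructed.

```shell
#!/bin/sh
# Added example, not part of the original script.
# Lists nameserver entries of a resolv.conf-style file that fall inside the LAN
# ranges which the lock's "Allow LAN OUT" rule lets through.

# lan_nameservers FILE [CIDR...]
# Prints one matching IPv4 nameserver per line. CIDR defaults to 192.168.0.0/16,
# the range used in the posted rule; pass others if that rule was changed.
lan_nameservers() {
    _file=$1
    shift
    [ "$#" -gt 0 ] || set -- 192.168.0.0/16
    awk -v cidrs="$*" '
        # dotted quad -> integer, or -1 if the string is not a valid IPv4 address
        function ip2int(ip,    o, i) {
            if (split(ip, o, ".") != 4) return -1
            for (i = 1; i <= 4; i++)
                if (o[i] !~ /^[0-9]+$/ || o[i] + 0 > 255) return -1
            return ((o[1] * 256 + o[2]) * 256 + o[3]) * 256 + o[4]
        }
        # true if integer address a lies inside cidr ("base/bits")
        function in_cidr(a, cidr,    p, base, bits, size) {
            bits = (split(cidr, p, "/") == 2) ? p[2] + 0 : 32
            base = ip2int(p[1])
            if (base < 0 || bits < 0 || bits > 32) return 0
            size = 2 ^ (32 - bits)
            return int(a / size) == int(base / size)
        }
        BEGIN { n = split(cidrs, net, " ") }
        # resolv.conf: keyword first, address second; "#" and ";" lines are comments
        $1 == "nameserver" && NF >= 2 {
            a = ip2int($2)
            if (a < 0) next    # IPv6 or malformed; the posted lock drops all IPv6
            for (j = 1; j <= n; j++)
                if (in_cidr(a, net[j])) { print $2; break }
        }
    ' "$_file"
}

# resolv_conf_is_clean FILE [CIDR...]: exit status 0 if no LAN resolver is listed
resolv_conf_is_clean() {
    [ -z "$(lan_nameservers "$@")" ]
}

# Demonstration on a constructed sample; point it at /etc/resolv.conf in real use.
demo() {
    sample=$(mktemp) || return 1
    cat > "$sample" <<'EOF'
# constructed sample, as a router's DHCP might leave it
search lan
nameserver 192.168.1.1
#nameserver 192.168.0.254
nameserver fe80::1%eth0
nameserver 1.1.1.1
EOF
    if resolv_conf_is_clean "$sample"; then
        echo "no LAN resolver configured"
    else
        echo "LAN resolver(s) reachable through the lock:"
        lan_nameservers "$sample"
    fi
    rm -f "$sample"
}
demo
```

Run it while Eddie is not connected, as the post advises, since Eddie's own network lock temporarily replaces the file.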





  13. Like
    go558a83nk reacted to giganerd in FYI: Official NordVPN Android app transmits personal data to third parties   ...
    A German IT security blogger recently discovered that NordVPN's official Android app transmits personally identifiable information to NordVPN and a few third parties.
     
    The checked version of their app is v3.9.8 which seems a few versions behind the current branch but still fairly recent.
    The blogger discovered that a user's Google mail address along with the advertising ID and a bit of other info are sent to Iterable, AppsFlyer and Tune along with some Google services like Analytics - all seemingly without the user's consent and even without mentioning it in the app's ToS.
     
    Of course customer support has been asked as well. Their answer was not satisfactory:
     
     
    Everyone interested in some of the HTTP POSTs discovered can look at them in the article linked above. The article itself is German-language, but it doesn't contain more info than this, only a bit of the writer's opinion which I share: It's very questionable that a "no-log" or even "privacy-centered" VPN provider like NordVPN is bold enough to state "marketing reasons" as their justification to track users of their Android app. Even worse that this tracking is performed by third parties who will most likely use this data in cross-referencing...
     
    Try to avoid NordVPN. Searching for "NordVPN" in this forum alone will yield more than enough reason. One in three newly created threads is about them.
  14. Like
    go558a83nk got a reaction from giganerd in Does custom DNS Server expose real IP ?   ...
    Sure, they are recursive DNS that Air runs but the requests they make to authoritative DNS are not tied back to you.
     
    If you use another DNS like 1.1.1.1 you also still have some anonymity since you're one of dozens of people using the VPN server.
  16. Like
    go558a83nk got a reaction from lordlukan in High Performance VPN-Router   ...
    There's a guide for pfsense on this website/forum, or there are others around the web.
     
    The hardware build doesn't have to be spectacular.  Just an AES-NI CPU, small amount of RAM, small hard drive, dual network card, power supply and motherboard, of course.  I was building a pfsense box at the lowest cost and what was cheapest for me was a regular tower case sort of setup.  Putting the parts together wasn't difficult.  If you've never done it, you can certainly find help online.  Anyway, I'm talking only like $150 was spent but it'll do at least 430 Mbit/s with AirVPN.  I don't know how much higher because that's my ISP max.
     
    Some people need the box to be small and pretty and I don't know how to accomplish that except to just buy one.
  17. Like
    go558a83nk reacted to corrado in Alternative AirVPN client with provider-independent double-hop support (GNU/Linux)   ...
    Qomui 0.8.1 is out and it should fix the Airvpn auto-download feature. Here's the full changelog:
     
    - [change] option to restart qomui-service from gui if it crashes
    - [change] added exceptions for all DBus calls
    - [change] improved support for non-systemd distributions
    - [change] detecting and closing simultaneously running instances
    - [bugfix] Airvpn auto-download fixed
     
     
    Thanks a lot! I'll do that, this would really help :-)
     
    @pjnsmb: I did a fresh install of Debian Siduction in a VM and could install Qomui without any issues. Only thing to be aware of: You have to choose a release that matches your Python version. The latest Ubuntu package worked fine for me. But this wouldn't explain the dpkg error you are getting. Maybe something's wrong with your dpkg configuration.
  18. Like
    go558a83nk reacted to Staff in Christmas 2018 special deals   ...
    Hello!
     
    We're very glad to announce a special promotion on most of our Premium plans.
     
    You can get prices as low as 2.45 €/month with a two-year plan, which is a 65% discount when compared to the monthly plan price of 7 €.
     
    Special deals involve three- and six-month plans, as well as one- and two-year plans.
     
     

     
     
    If you're already our customer and you wish to stay aboard for a longer period, any additional subscription will be added on top of already existing subscriptions and you will not lose any day.
     
    Please check the exact prices of each plan on https://airvpn.org and https://airvpn.org/plans
     
    Kind regards & datalove
    AirVPN Staff
  19. Like
    go558a83nk reacted to corrado in Alternative AirVPN client with provider-independent double-hop support (GNU/Linux)   ...
    Qomui is still alive and version 0.8.0 has just been released. Among other things it adds the option to create custom connection profiles and support for custom scripts.
     
    Full changelog:
     
    - [new] connection profiles
    - [new] support for custom scripts
    - [change] configurations for Airvpn are now downloaded directly
    - [change] removed minimize option if system tray not available
    - [change] download new Mullvad config/certificates  
    - [change] added scroll areas to some tabs
    - [change] added options for profiles to tray menu
    - [change] window state now recognized correctly
    - [bugfix] improved stability and reliability of network detection
    - [bugfix] manually imported WireGuard servers don't connect
    - [bugfix] Qomui crashes when downloading Airvpn configs
    - [bugfix] fixed Mullvad & Windscribe configs
     
  20. Like
    go558a83nk reacted to Staff in Black Friday 2018 Week   ...
    Hello!
     
    "Same thing" is frankly offensive for AirVPN. It's also astonishing that someone can have the idea to compare such profoundly different services. Power of marketing fluff aimed to gullible people, we guess.
     
    Just to make a few examples, NordVPN lacks separate entry and exit IP addresses on many servers (various types of correlation attacks become possible), does not support IPv6, provides a ridiculous/non-existent servers monitor, provides fake servers locations, infringes net neutrality (does not allow any p2p protocols on a wide range of servers), does not provide dynamic remote port forwarding, does not provide DNS inside the VPN whose address matches the VPN gateway (exposing to DNS poisoning through route hijacking), is not GDPR compliant, is owned by a Lithuanian data mining company and has ties with Russian oligarchs.
     
    AirVPN prices are competitive even without a special deal, check our new two years plan and anyway stay tuned for Christmas special deals.
     
    Kind regards
  21. Like
    go558a83nk got a reaction from LZ1 in 11,000   ...
    Online Sessions: 15973 - BW: 71229 Mbit/s
     

  22. Like
    go558a83nk reacted to Moat in Wireguard + post-quantum cryptography   ...
    I'm not a tech user, but I search in trying to understand. I read, and wish I had copied the URLs, on various blogs that:
    - wireguard lists IP addresses of users on the server in the clear while connected; one of the current providers claimed to have asked Jason to code soft to counter that, apparently.
    - wireguard needs logs on the server linking IP to user credentials, permanently, for it to work. Err, how do you do no logs on that? This could be solved by client software registering credentials anew every time a connection establishes, and allowing for this to be only of a temporary nature (while the connection lasts). But that requires a client soft and adaptation to the server, so I read.
    - wireguard does not allow any random server selection, credentials are server specific.
     
    Credentials could be the same for all servers, imagine service providers like avpn assigning some 15000 IP addresses, one to each individual user, and then telling each of their servers IP X is user Y. Alternatively pre-allocate 15000 ip's each on 90 servers, do the match ... and do it dynamically between soft and server while the thing originally is not programmed to do that ...
     
    No thanks.
     
    I did try wireguard, and have to say on low level routers where openvpn gives lousy performance wireguard maxed out the connection speed and improved the connection stability, even when compared to no tunnel. That makes it very alluring, the rest is stay away from it.
  23. Like
    go558a83nk reacted to Guest in Wireguard + post-quantum cryptography   ...
    Well, now we have a list of VPNs never to trust, and I'd consider them compromised for daring to deploy software that has not had the scrutiny OpenVPN has over the last 20 years. Sure, WG is less LoC, but really, who cares? What we care about first and foremost is how secure the software is.
     
    It's a matter of who you trust: Staff have outlined a number of points about the weaknesses in the protocol and how it's basically not ready for deployment, yet certain providers do it anyway? If that's how they operate their business (deploy shiny new thing without due care) then maybe it's worth reconsidering just how seriously they take your security.
     
    I'd cancel Air if they dared deploy Wireguard for many years before it's actually ready and fully tested. The other big name provider (PIA) has also not deployed Wireguard, which is the only and correct course of action.
     
    This thread should be locked, the discussion is meaningless; Wireguard isn't touching Air for a long time to come.
  24. Like
    go558a83nk reacted to Staff in Wireguard + post-quantum cryptography   ...
    Hello!
     
    It looks like you still miss the point. Wireguard, in its current state, not only is dangerous because it lacks basic features and is an experimental software, but it also dangerously weakens the anonymity layer. Our service aims to provide some anonymity layer, therefore we can't take into consideration something that weakens it so deeply.
     
    We will gladly take Wireguard into consideration when it reaches a stable release AND offers at least the most basic options which OpenVPN has been able to offer since 15 years ago. The infrastructure can be adapted, our mission can't.
     
    We provided a list of missing features causing real, objective security flaws in Wireguard (when meant to provide specific features). We will expand them here below since it looks like you missed the huge implications of the mentioned issues.
     
     
    It's not a matter to "cover their asses" as you say.
     
    First, it's a matter of security. If you followed some basic IT security principle, you would know how wrong and dangerous a claim like the one quoted here above is. If you are really in the position to certify that "Wireguard is fine", then do it officially. If you can't do it officially, your words must be considered irrelevant, because they go against the claims of the very Wireguard developers themselves.
     
    Second, it is a matter of lacking features that are essential for any service which aims to provide a decent layer of anonymity.
     
    Wireguard, in its current state, does not meet our requirements. Here below, once again, some points which need to be considered and addressed:
     
    - Wireguard lacks dynamic IP address management. The client needs to be assigned in advance a pre-defined VPN IP address uniquely linked to its key on each VPN server. The impact on the anonymity layer is catastrophic.
    - Wireguard client does not verify the server identity (a feature so essential that it will surely be implemented when Wireguard is no longer an experimental software); the impact on security caused by this flaw is very high.
    - TCP support is missing (third party or anyway additional code is required to use TCP as the tunneling protocol, as you suggest, and that's a problematic regression when compared to OpenVPN).
    - There is no support to connect Wireguard to a VPN server over some proxy with a variety of authentication methods.
     
    Kind regards
  25. Like
    go558a83nk reacted to Staff in Two new 1 Gbit/s servers available (CA)   ...
    Hello!

    We're very glad to inform you that two new 1 Gbit/s servers located in Vancouver (Canada) are available: Telescopium and Titawin.

    The AirVPN client will show automatically the new servers; if you use the OpenVPN client you can generate all the files to access them through our configuration/certificates/key generator (menu "Client Area"->"Config generator").

    Servers accept connections on ports 53, 80, 443, 1194, 2018 UDP and TCP.

    Just like every other "second generation" Air server, Telescopium and Titawin support OpenVPN over SSL and OpenVPN over SSH, TLS 1.2 and tls-crypt.

    Full IPv6 support is included as well.

    As usual no traffic limits, no logs, no discrimination on protocols and hardened security against various attacks with separate entry and exit-IP addresses.

    You can check the server status as usual in our real time servers monitor:
    https://airvpn.org/servers/Telescopium
    https://airvpn.org/servers/Titawin

    Do not hesitate to contact us for any information or issue.

    Kind regards and datalove
    AirVPN Team