Staff

Hello! We're very glad to inform you that AirVPN Suite version 2.1.0 alpha 1 is now available for x86-64 systems. Builds for ARM architectures will be available in the near future. AirVPN Suite 2.1.0 development focuses on bug fixes, improved IPv6 management and aims at a quick release. New features are planned for the major new version (probably 3.0.0) which is planned to offer complete AmneziaWG support. Main changes: very large routing table should not cause Bluetit to crash anymore more accurate detection of default gateway several IPv6 addresses management fixes more accurate detection of network availability (in progress) Changelog for the AirVPN Suite 2.1.0 (complete file available in the downloadable package): Version 2.1.0 alpha 1 - 23 April 2026 [ProMIND] updated to OpenVPN-AirVPN 3.12 (20260206) airvpntools [ProMIND] added new method capitalizeWord() network [ProMIND] getGatewayFromRouteTable(): msgBuf is now dynamically allocated (currently to 32KiB) [ProMIND] getGatewayFromRouteTable(): socket's receive buffer set to 1MiB [ProMIND] getGatewayFromRouteTable(): revised code for a more strict and reliable scan [ProMIND] added methods isValidIPAddress(), isValidIPv4() and isValidIPv6() [ProMIND] parseIpSpecification(): fixed IPv6 specification handling wireguardclient [ProMIND] setup(): check validity for both IPv4 and IPv6 gateways [ProMIND] profileNeedsResolution(): fixed IPv6 address handling [ProMIND] setConfiguration(): fixed IPv6 address handling [ProMIND] resolveProfile(): fixed IPv6 address handling URL to download the tarball (please note that packages for ARM architectures will be available in the near future): https://eddie.website/repository/AirVPN-Suite/2.1.0-alpha1/AirVPN-Suite-x86_64-2.1.0-alpha-1.tar.gz SHA-2: https://eddie.website/repository/AirVPN-Suite/2.1.0-alpha1/AirVPN-Suite-x86_64-2.1.0-alpha-1.tar.gz.sha512 $ sha256sum AirVPN-Suite-x86_64-2.1.0-alpha-1.tar.gz fcc74f7941b6c1b4215e9820d2fc959fb17957fbbdb7d149a1a128930f05038d AirVPN-Suite-x86_64-2.1.0-alpha-1.tar.gz If you wish to test, thank you very much! Please feel free to report here any bug and malfunction you find! Kind regards & datalove AirVPN Staff

@lexsilico Hello! We have AirVPN Suite 2.1.0 alpha 1 ready (only for x86-64 systems). It aims at addressing (in this alpha 1 or imminent versions) this problem. Would you like to test it and report back? It also includes IPv6 related fixes, but remember that it's still an alpha version so don't rely on it for serious purposes. ARM builds will be available soon, stay tuned. URL to download the tarball: https://eddie.website/repository/AirVPN-Suite/2.1.0-alpha1/AirVPN-Suite-x86_64-2.1.0-alpha-1.tar.gz SHA-2: https://eddie.website/repository/AirVPN-Suite/2.1.0-alpha1/AirVPN-Suite-x86_64-2.1.0-alpha-1.tar.gz.sha512 $ sha256sum AirVPN-Suite-x86_64-2.1.0-alpha-1.tar.gz fcc74f7941b6c1b4215e9820d2fc959fb17957fbbdb7d149a1a128930f05038d AirVPN-Suite-x86_64-2.1.0-alpha-1.tar.gz If you test, keep us posted! Kind regards

@Pi77Bull Hello! We have AirVPN Suite 2.1.0 alpha 1 ready (only for x86-64 systems). Although it does not address directly the main problem you mentioned with network gateway check, it is undergoing various changes that could resolve the issue (either in this early alpha 1 version or in the next ones). Would you ike to test it and report back? It also includes IPv6 related fixes, but remember that it's still an alpha version so don't rely on it for serious purposes. URL to download the tarball: https://eddie.website/repository/AirVPN-Suite/2.1.0-alpha1/AirVPN-Suite-x86_64-2.1.0-alpha-1.tar.gz SHA-2: https://eddie.website/repository/AirVPN-Suite/2.1.0-alpha1/AirVPN-Suite-x86_64-2.1.0-alpha-1.tar.gz.sha512 $ sha256sum AirVPN-Suite-x86_64-2.1.0-alpha-1.tar.gz fcc74f7941b6c1b4215e9820d2fc959fb17957fbbdb7d149a1a128930f05038d AirVPN-Suite-x86_64-2.1.0-alpha-1.tar.gz If you test, keep us posted! NOTE. Before proceeding, make sure that the directory /etc/netns exists on your system. If it does not, create it before testing traffic splitting. Currently, it is assumed that /etc/netns is a system directory on Linux distributions, so, if it was removed, you (as superuser) and not Bluetit must re-create it to let the system (and Bluetit) store configuration files for different network namespaces in isolated directories. Kind regards

@Posh1698 Hello! We have AirVPN Suite 2.1.0 alpha 1 ready (only for x86-64 systems). It aims at addressing this problem. Would you like to test it and report back? It also includes IPv6 related fixes, but remember that it's still an alpha version so don't rely on it for serious purposes. URL to download the tarball: https://eddie.website/repository/AirVPN-Suite/2.1.0-alpha1/AirVPN-Suite-x86_64-2.1.0-alpha-1.tar.gz SHA-2: https://eddie.website/repository/AirVPN-Suite/2.1.0-alpha1/AirVPN-Suite-x86_64-2.1.0-alpha-1.tar.gz.sha512 $ sha256sum AirVPN-Suite-x86_64-2.1.0-alpha-1.tar.gz fcc74f7941b6c1b4215e9820d2fc959fb17957fbbdb7d149a1a128930f05038d AirVPN-Suite-x86_64-2.1.0-alpha-1.tar.gz If you test, keep us posted! Kind regards

Hello! A possible reason is that Eddie generates files compliant to the latest protocol specifications and you are using an older version. If that's the case, we can compare the two different profiles (remember to delete your key), i.e. the working one and the non-working one, and check the log of your software to find out the reason. Kind regards

Hello! You may get a lot of data from here: https://airvpn.org/forums/topic/65417-amneziawg-config-patcher-cps-db/ If you have an Android device or emulator, by running Eddie Android edition 4 you can generate ready to use AmneziaWG configuration files which are fully integrated with AirVPN (i.e. you can generate profiles for specific AirVPN servers, countries and so on), even relying on a large CPS QUIC database of real web sites if needed to bypass the blocks. You can then share them with your Windows machine. Important: Eddie Android edition generates files compatible with v2.0 Amnezia protocol, so you need this latest version. Kind regards

Hello! Possible causes: Streaming services (Netflix, YouTube, etc.) often rate-limit or deprioritize known VPN exit IP addresses, or IP addresses assigned to specific ASNs. Speed tests don’t trigger this, but video streams do. Try different AirVPN servers. Too large virtual network interface MTU causing excessive fragmentation, optionally with broken MTU path discovery. Streaming uses sustained flows that are more sensitive to MTU mismatches than bursty speed tests. Shrink MTU to 1280 bytes to check whether you get any improvement. If not, consider MSS clamping, just in case the PMTU discovery is broken upstream (not an uncommon case). Set MSS to 40 bytes less than MTU, for example MTU 1320 bytes, MSS 1280 bytes. On Asus routers you'll need to do this via iptables: as far as we know there's no option to do it on the Web UI. Asus Adaptive QoS or Bandwidth Limiter on the router. Check and disable such tools if they are active. If DNS is outside the VPN but traffic is inside you can hit far-away CDN nodes, causing slow streams. Make sure to enforce strict DNS settings on the router so that it will query only VPN DNS. Kind regards

@lexsilico Hello! Thank you. We now have all the data. We will update this thread when we have more definite information. In the meantime keep using the successful patch you have already applied. Kind regards

@72MqavduqVa286gd Hello! Nothing changed in Eddie's choice order about which firewall utility to run for the Network Lock rules. If both iptables-legacy and nft utilities are available Eddie picks iptables to avoid mixing up nft and iptables rules in various distributions running daemons at startup that, in turn, still run iptables (mixing up nft and iptables causes problems). You may force Eddie to use nft in "Preferences" > "Network Lock" windows, provided that the nft utility is in the command path. However this is probably irrelevant because, for Network Lock purposes, iptables and nft rules are identical. DNS leaks are not strictly related to network lock: we mean that in general there must be no DNS leak with or without Network Lock. Feel free to publish a system report generated by Eddie for further investigation. Kind regards

Hello! Thanks. Now let's see which route the kernel picks to reach WireGuard's EndPoint. Pick a specific server and verify that the connection takes place through wlan0. From your initial message we see that you may have picked a UK server, let's say Arber (entry-IP addresses 3: 141.98.100.148 and 2001:ac8:31:368:e619:164f:9446:ff2e). Connect to Arber (not to UK in general, connect to this specific server) and verify from the log that WireGuard picks wlan0. Disconnect, shut down Bluetit (sudo systemctl stop bluetit), and check the route the kernel picks on its own: ip route get 141.98.100.148 ip -6 route get 2001:ac8:31:368:e619:164f:9446:ff2e Publish the whole output. Kind regards

Hello! Please send also the output of ip a ip route show before you start Bluetit and/or WireGuard. Kind regards

Please re-read. Your question: "any plan ...?". Answer: "Yes ...". Kind regards

Hello! We're glad to know it. Consider that when OpenVPN finds two interfaces with the same default gateway it stops immediately by throwing a critical error due to the ambiguity. Can you publish the system's routing table and the various interface settings before WireGuard is launched? Kind regards

Solution. Kind regards

@lexsilico Hello! You still have the option to configure policy-based routing using ip to force WireGuard traffic to go through a specific interface, regardless of the default gateway metric. This specific configuration must be created by you as you have no options to force Bluetit to bypass WireGuard (kernel) decisions, and you have no option to tell WireGuard to do the same. You can add your command(s) on the PostUp and PostDown directives to ensure the correct interface is used during the WireGuard connection lifecycle. Note that in this case you will have to use your own profile with Hummingbird (or with Bluetit and Goldcrest), and not the AirVPN integrated Bluetit/Goldcrest connection mode. We will also consult with the Suite development team to study your case in more details and we will update this thread if necessary. We do not rule out the possibility to add in the future special options to compile PostUp and PostDown commands directly from within Bluetit run control file (possibly not via Goldcrest because WireGuard runs PostUp and PostDown specified executable files with root privileges). Kind regards

Hello! We already implemented it in 2021. Any domain which must be blocked includes all of its subdomains too. Besides, different matching methods are available for your additions and exceptions: Exact (exact FQDN), Domain (domain and its subdomains), Wildcard (with * and ? as wildcards), Contain, Start with, End with. Kind regards

Hello! Yes, AmneziaWG support on the server side. You do not need handshake and payload packet padding to circumvent blocks in Russia and China. Padding may be instrumental to make destination guessing from traffic pattern more difficult. Kind regards

Hello! The first main problem to resolve is setting a proper DNS that the container can query before the connection is established. Your system can't resolve the domain name of the end point (us3.vpn.airdns.org), so WireGuard does not even try to establish a VPN connection. Note how the service wg-quick@wg0.service exited because of that (temporary failure in name resolution). Please don't send screenshots whenever text is possible and suitable. Kind regards

Hello! We do agree and we are planning to implement on our software per app traffic splitting on Windows too. Currently you can enjoy per app traffic splitting on Linux (AirVPN Suite) and Android (Eddie Android edition). If the machine you use for Steam is based on Linux you can already have per app traffic splitting with our software. If you run Windows, in the meantime you can consider WireSock, which offers traffic splitting and reverse traffic splitting (on an application basis) and is fully compatible with our WireGuard servers. The Configuration Generator will generate the profiles you wish. Kind regards

Hello! Yes, it is definitely planned, but we can't give you a definite ETA. In the meantime, if you have an Android device or an Android emulator, you can use Eddie Android edition to generate configuration files (you can export them to any other system directly from Eddie's "Export" or "Open with" functions) or the Amnezia configuration patcher by @zimbabwe https://github.com/zimbabwe303/awg_conf_patch Eddie Android edition includes 30+ CPS pre-sets of real web sites, so this is the recommended solution currently to bypass blocks. Kind regards

@balkie31 Hello! For residential broadband (DSL / cable / FTTH), DHCP lease times are most commonly: ~12–24 hours (very common baseline) ~1–3 days (slightly less common) Occasionally up to ~7 days (less common, but happens) This aligns with general network guidance where stable networks use 1–7 day leases. Therefore, it is normal that you may need a re-connection every few days. You can consider to tell GlueTun to re-connect always to the same server, by setting the proper environment variable. You would be sure that your system would appear on the Internet always with the same IP address (the exit-IP address of the VPN server); on the other hand, if the specific VPN server goes down, GlueTun will be unable to re-connect as long as that server does not come up again. In any case, you may always need to re-start the torrent software as GlueTun will bring the virtual network interface down and up again. Kind regards

Hello! Not all programs support In CPS parameters. Eddie Android edition generates AmneziaWG profiles compliant to the latest official documentation and properly processed by the official Amnezia library latest release. Previous Amnezia 1.x specs may not support all the parameters. In the future we will offer Amnezia integration in our desktop software too. In the meantime you may try to update your software. Kind regards

Hello! If you wish that Bluetit starts but does not connect and does not touch the system in any way, setting the following directives to off on the run control file is all you need. From the manual: If you prefer to disable the daemon entirely, since Fedora is based on systemd: sudo systemctl stop bluetit sudo systemctl disable bluetit You can later re-enable it if needed with: sudo systemctl enable bluetit Yes, it can, obviously. Just reply no to the following questions: Do you want to enable bluetit.service units? [y/n] Do you want to start Bluetit service now? [y/n] Kind regards

Hello! We're very glad to announce that Eddie Android edition 4.0.0 has been released This is a major update: for the first time Eddie Android edition features AmneziaWG complete support. Eddie Android edition is a fully integrated with AirVPN, free and open source client allowing comfortable connections to AirVPN servers and generic VPN servers offering compatible protocols. Eddie 4.0.0 adds, besides the already available OpenVPN and WireGuard, a thorough and comfortable AmneziaWG support. Source code available on GitLab: https://gitlab.com/AirVPN/EddieAndroid AmneziaWG is a free and open source fork of WireGuard by Amnezia inheriting the architectural simplicity and high performance of the original implementation, but eliminating the identifiable network signatures that make WireGuard easily detectable by Deep Packet Inspection (DPI) systems. It can operate in several different ways, including a fallback, "compatibility mode" with WireGuard featuring anyway various obfuscation techniques. What's new in Eddie 4.0.0 AmneziaWG support Amnezia WireGuard API stronger anti-blocking logic: ability to log in to the service and download AirVPN infrastructure and user data while connected through a profile with a specific option on the left pane ability to read and use local user data when bootstrap servers are unreachable CPS packets database of 30+ real websites, currently allowing accurate QUIC + HTTP/3 traffic mimicry to and from real web sites through AmneziaWG CPS. Each entry is easily selectable and identified by a clear label support for wrapping both IPv4 and IPv6 traffic over an IPv6 tunnel with WireGuard and AmneziaWG (previously available only with OpenVPN) new "Open with..." option on top of the usual "Share" (now renamed "Export") option to manage and export comfortably generated profiles on any Android version with any suitable application updated AmneziaWG parameters allowed ranges support of latest AmneziaWG padding features vastly improved NetworkMonitor and Tile Service updated OpenSSL, OpenVPN3-AirVPN and WireGuard libraries full compatibility from Android 5.1 to Android 16, including Android TV bug fixes see the complete changelog here: https://gitlab.com/AirVPN/EddieAndroid/-/blob/master/ChangeLog.txt?ref_type=heads AmneziaWG overview From the official documentation: https://docs.amnezia.org/documentation/amnezia-wg AmneziaWG offers: Dynamic Headers for All Packet Types (compatibility with WireGuard: YES) During tunnel initialization, the library generates a set of random constants applied to each of the four WireGuard packet formats: Init, Response, Data, Under‑Load. These constants: As a result, no two clients have identical headers, making it impossible to write a universal DPI rule. Replace predictable WireGuard packet identifiers; Shift offsets of Version/Type fields; Modify reserved bits. Handshake Length Randomization and message padding (compatibility with WireGuard: NO) In WireGuard, the Init packet is exactly 148 bytes, and the Response packet is exactly 92 bytes. AmneziaWG adds message paddings: S1: int - padding of handshake initial message S2: int - padding of handshake response message S3: int - padding of handshake cookie message S4: int - padding of transport messages Offsets of the remaining fields are automatically adjusted, and MAC tags are recalculated accordingly. In order to keep backward compatibility with WireGuard, S1, S2, S3 and S4 must be set to 0. Obfuscation Packets I1-I5 (Signature Chain) & CPS (Custom Protocol Signature) (compatibility with WireGuard: partial, with fallback) Before initiating a "special" handshake (every 120 seconds), the client may send up to five different UDP packets fully described by the user in the CPS format. In this way AmneziaWG can mimic perfectly QUIC, DNS and other protocols adding powerful methods to circumvent blocks. QUIC is particularly interesting as HTTP/3 is built on it and currently, from Chrome and other compatible browsers, 50% of traffic to/from Google is QUIC traffic. Therefore, blocking QUIC may have major disruptions for any ISP. Note that a CPS database of 30+ real web sites is available in Eddie Android edition: you can activate CPS mimicking traffic to real web sites with a tap. Eddie will take care to compile properly Amnezia's In parameters for accurate mimicry. Junk‑train (Jc) (compatibility with WireGuard: YES) Immediately following the sequence of I-packets, a series Jc of pseudorandom packets with lengths varying between Jmin and Jmax is sent. These packets blur the timing and size profile of the session start, significantly complicating handshake detection. Under‑Load Packet (compatibility with WireGuard: YES) In WireGuard, a special keep-alive packet (“Under-Load”) is used to bypass NAT timeouts. AmneziaWG replaces its fixed header with a randomized one, the value of which can be set manually. This prevents DPI from filtering short ping packets, ensuring stable tunnel connections, especially on mobile networks. How to use Eddie with AmneziaWG To enable AmneziaWG mode, just tap the connection mode available in the main and other views. It will rotate between WireGuard, AmneziaWG and OpenVPN. Set it to AmneziaWG. In its default AmneziaWG mode, Eddie will use all the possible obfuscation, except protocol mimicking, that keeps WireGuard compatibility, thus allowing connections to AirVPN servers. The default settings choice was possible thanks to the invaluable support of persons living in countries where VPN blocks are widespread. Such settings have been tested as working and capable to bypass the current blocking methods in various countries. You may consider to modify them if they are ineffective to bypass "your" specific blocks. In Settings > Advanced, you will find, at the bottom of the page, a new "Custom Amnezia WG directives" item. By tapping it you will summon a dialog that will let you customize any possible AmneziaWG parameter. You can maintain backward compatibility with WireGuard in the dialog WireGuard section, or enable the full AmneziaWG support in the Amnezia section, which is not compatible (at the moment) with AirVPN WireGuard servers. This mode will be mostly valuable in a not distant future, when AirVPN servers will start to support AmneziaWG natively. You may also enable QUIC or DNS mimicking for additional obfuscation efficacy. In order to maintain WireGuard backward compatibility, with or without QUIC or DNS mimicking, you must set: S1 = S2 = S3 = S4 = 0 Hn ∈ {1, 2, 3, 4} H1 ≠ H2 ≠ H3 ≠ H4 Furthermore, do not exceed the valid limit of the J parameters (anyway Eddie will not let you do it). In this preview version, Eddie's formal control of the input data is based on the following document. We strongly recommend you read it if you need to modify manually parameters: https://github.com/amnezia-vpn/amneziawg-linux-kernel-module?tab=readme-ov-file#configuration Custom Protocol Signature with database included Working in AmneziaWG mode, Eddie implements QUIC and DNS mimicry and obfuscation packets for each specific "I" parameter (by using the corresponding "Generate" button). You can enable them with a tap on the proper buttons. You may mimic QUIC and DNS even to connect to WireGuard based servers. Please do not modify In parameters if you don't know exactly what you're doing. Eddie's CPS database is available at your fingertip for accurate mimicry of traffic to and from real web sites using HTTP/3 (other protocols may be added in the future), so you don't need to look for and enter specific sequences. Settings > Advanced > Custom AmneziaWG directives > Enable CPS > Presets > select the web site whose traffic must be imitated . Currently, you can find a database that contains more than 30 actual packet signatures and sequences of real web sites. Select one and Eddie will adjust all the parameters automatically and will use them in the next AmneziaWG connection. When you enable QUIC mimicking and you maintain WireGuard backward compatibility, you add a powerful tool against blocks, because the first packets will be actual QUIC packets. AmneziaWG will fall back to WireGuard compatibility very soon. However, when DPI and SPI tools, and demultiplexers in general, identify the initial QUIC flow, most of them will be unable to detect a WireGuard flow for several minutes. This has been tested thoroughly with deep packet inspection on Linux and FreeBSD based machines by AirVPN staff. Therefore, in different blocking scenarios the QUIC mimicry increases likelihood of successful block bypass. NOTE: the same does not happen with DNS mimicry. In this case DPI / SPI tools identify the stream initially as DNS, but are much quicker (just in a few dozens of packets) to identify the stream as WireGuard's, after the initial DNS identification. How to use Eddie in network where the "bootstrap" servers can not be reached Eddie downloads user and infrastructure data, essential to use the service, from special "bootstrap servers" through an encrypted flow inside HTTP. If the bootstrap servers are blocked or the underlying protocol to port 80 is filtered out, Eddie is unable to proceed. Starting from this Eddie 4 version, the ability to retrieve such data locally has been added. Whenever bootstrap servers are unreachable, Eddie can read the latest available local data to connect to a VPN server. Once connected the bootstrap servers are again reachable and the local data are immediately updated for future usage. The local data remain valid as long as you don't need to change user. On top of all of the above, Eddie can now retrieve such data through the login procedure that now can be started even when a connection to a VPN server was previously established via a profile. Therefore, when you are in a restrictive network that blocks access to bootstrap servers, you can connect through a profile generated by AirVPN web site Configuration Generator. After this first connection, log your account in to the service by selecting the specific option on the left pane, enter your AirVPN account credentials as usual and make sure that Remember me checkbox is ticked: Eddie will download all the necessary files and store them locally. This procedure is "once and for all", at least as long as you don't need to change account. After this initial connection, Eddie will be able to log your account in to the infrastructure, retrieve servers data and establish connections without profiles and without bootstrap servers, offering again full AirVPN integration even when bootstrap servers are unreachable. Only If you change account you must repeat the procedure. New: "Open with..." option added to "Export" option Different Android versions allow management of files with different restrictions. Different apps may support different intents on specific Android versions. To enlarge total compatibility, now Eddie offers two different options to export and manage files, including generated profiles. You will find the usual "Share" option (note: now renamed into "Export") coupled with a new "Open with..." option. Some apps support only one intent, other apps only specific intents on specific Android versions, and so on. By adding this option Eddie enlarges considerably the amount of apps you will be able to open and/or share files with. Download link, checksum and changelog Quick reference page: https://airvpn.org/android/eddie Eddie Android edition 4.0.0 APK direct download short URL: https://airvpn.org/tv Eddie Android edition 4.0.0 is also available on the Google Play Store. https://play.google.com/store/apps/details?id=org.airvpn.eddie Changelog is available here: https://gitlab.com/AirVPN/EddieAndroid/-/blob/master/ChangeLog.txt?ref_type=heads SHA-256 checksum if you prefer to download from our web site and side load the app: $ sha256sum EddieAndroid-4.0.0-VC38.apk 12322926f12d45f8e918173ae30f88cdef03f0fe323f30abf00cef6c033d8dae EddieAndroid-4.0.0-VC38.apk Kind regards & datalove AirVPN Staff

@zanon321 Hello! We can reach your SSH server from the Internet, so the setup of sshd on the office PC is just fine. You have a single key pair and a single port. When you connect your home PC to a VPN server, the DNS record of the domain name <your name>.airdns.org is updated to the exit IP address of the VPN server the home PC connected to, so the address of the office PC (behind the VPN server) is lost. In this case this setup could work only if the office PC is the last one to connect, so it's not a reliable scenario. You need to create a new key pair and use a unique key on each computer. Then, link DDNS and port <your port> to only one of the key pairs (in this case, the office PC key pair). Finally make sure that you connect PCs to different VPN servers. ALTERNATIVELY, just don't use DDNS but point ssh directly to the exit-IP address of the VPN server the office PC is connected to and make sure you connect each device to a different VPN server. How to manage key pairs and certificates: https://airvpn.org/forums/topic/26209-how-to-manage-client-certificatekey-pairs/ Kind regards