Staff

Hello! We're very glad to announce that Eddie Android edition 4.0.0 has been released This is a major update: for the first time Eddie Android edition features AmneziaWG complete support. Eddie Android edition is a fully integrated with AirVPN, free and open source client allowing comfortable connections to AirVPN servers and generic VPN servers offering compatible protocols. Eddie 4.0.0 aims primarily at adding, besides the already available OpenVPN and WireGuard, a thorough and comfortable AmneziaWG support. Source code available on GitLab: AmneziaWG is a free and open source fork of WireGuard by Amnezia inheriting the architectural simplicity and high performance of the original implementation, but eliminating the identifiable network signatures that make WireGuard easily detectable by Deep Packet Inspection (DPI) systems. It can operate in several different ways, including a fallback, "compatibility mode" with WireGuard featuring anyway various obfuscation techniques. What's new in Eddie 4.0.0 AmneziaWG support Amnezia WireGuard API stronger anti-blocking logic: ability to log in to the service and download AirVPN infrastructure and user data while connected through a profile with a specific option on the left pane ability to read and use local user data when bootstrap servers are unreachable CPS packets database of 30+ real websites, currently allowing accurate QUIC + HTTP/3 traffic mimicry to and from real web sites through AmneziaWG CPS. Each entry is easily selectable and identified by a clear label support for wrapping both IPv4 and IPv6 traffic over an IPv6 tunnel with WireGuard and AmneziaWG (previously available only with OpenVPN) new "Open with..." option on top of the usual "Share" (now renamed "Export") option to manage and export comfortably generated profiles on any Android version with any suitable application updated AmneziaWG parameters allowed ranges support of latest AmneziaWG padding features vastly improved NetworkMonitor and Tile Service updated OpenSSL, OpenVPN3-AirVPN and WireGuard libraries full compatibility from Android 5.1 to Android 16, including Android TV bug fixes see the complete changelog here: https://gitlab.com/AirVPN/EddieAndroid/-/blob/master/ChangeLog.txt?ref_type=heads AmneziaWG overview From the official documentation: https://docs.amnezia.org/documentation/amnezia-wg AmneziaWG offers: Dynamic Headers for All Packet Types (compatibility with WireGuard: YES) During tunnel initialization, the library generates a set of random constants applied to each of the four WireGuard packet formats: Init, Response, Data, Under‑Load. These constants: As a result, no two clients have identical headers, making it impossible to write a universal DPI rule. Replace predictable WireGuard packet identifiers; Shift offsets of Version/Type fields; Modify reserved bits. Handshake Length Randomization and message padding (compatibility with WireGuard: NO) In WireGuard, the Init packet is exactly 148 bytes, and the Response packet is exactly 92 bytes. AmneziaWG adds message paddings: S1: int - padding of handshake initial message S2: int - padding of handshake response message S3: int - padding of handshake cookie message S4: int - padding of transport messages Offsets of the remaining fields are automatically adjusted, and MAC tags are recalculated accordingly. In order to keep backward compatibility with WireGuard, S1, S2, S3 and S4 must be set to 0. Obfuscation Packets I1-I5 (Signature Chain) & CPS (Custom Protocol Signature) (compatibility with WireGuard: partial, with fallback) Before initiating a "special" handshake (every 120 seconds), the client may send up to five different UDP packets fully described by the user in the CPS format. In this way AmneziaWG can mimic perfectly QUIC, DNS and other protocols adding powerful methods to circumvent blocks. QUIC is particularly interesting as HTTP/3 is built on it and currently, from Chrome and other compatible browsers, 50% of traffic to/from Google is QUIC traffic. Therefore, blocking QUIC may have major disruptions for any ISP. Note that a CPS database of 30+ real web sites is available in Eddie Android edition: you can activate CPS mimicking traffic to real web sites with a tap. Eddie will take care to compile properly Amnezia's In parameters for accurate mimicry. Junk‑train (Jc) (compatibility with WireGuard: YES) Immediately following the sequence of I-packets, a series Jc of pseudorandom packets with lengths varying between Jmin and Jmax is sent. These packets blur the timing and size profile of the session start, significantly complicating handshake detection. Under‑Load Packet (compatibility with WireGuard: YES) In WireGuard, a special keep-alive packet (“Under-Load”) is used to bypass NAT timeouts. AmneziaWG replaces its fixed header with a randomized one, the value of which can be set manually. This prevents DPI from filtering short ping packets, ensuring stable tunnel connections, especially on mobile networks. How to use Eddie with AmneziaWG To enable AmneziaWG mode, just tap the connection mode available in the main and other views. It will rotate between WireGuard, AmneziaWG and OpenVPN. Set it to AmneziaWG. In its default AmneziaWG mode, Eddie will use all the possible obfuscation, except protocol mimicking, that keeps WireGuard compatibility, thus allowing connections to AirVPN servers. The default settings choice was possible thanks to the invaluable support of persons living in countries where VPN blocks are widespread. Such settings have been tested as working and capable to bypass the current blocking methods in various countries. You may consider to modify them if they are ineffective to bypass "your" specific blocks. In Settings > Advanced, you will find, at the bottom of the page, a new "Custom Amnezia WG directives" item. By tapping it you will summon a dialog that will let you customize any possible AmneziaWG parameter. You can maintain backward compatibility with WireGuard in the dialog WireGuard section, or enable the full AmneziaWG support in the Amnezia section, which is not compatible (at the moment) with AirVPN WireGuard servers. This mode will be mostly valuable in a not distant future, when AirVPN servers will start to support AmneziaWG natively. You may also enable QUIC or DNS mimicking for additional obfuscation efficacy. In order to maintain WireGuard backward compatibility, with or without QUIC or DNS mimicking, you must set: S1 = S2 = S3 = S4 = 0 Hn ∈ {1, 2, 3, 4} H1 ≠ H2 ≠ H3 ≠ H4 Furthermore, do not exceed the valid limit of the J parameters (anyway Eddie will not let you do it). In this preview version, Eddie's formal control of the input data is based on the following document. We strongly recommend you read it if you need to modify manually parameters: https://github.com/amnezia-vpn/amneziawg-linux-kernel-module?tab=readme-ov-file#configuration Custom Protocol Signature with database included Working in AmneziaWG mode, Eddie implements QUIC and DNS mimicry and obfuscation packets for each specific "I" parameter (by using the corresponding "Generate" button). You can enable them with a tap on the proper buttons. You may mimic QUIC and DNS even to connect to WireGuard based servers. Please do not modify In parameters if you don't know exactly what you're doing. Eddie's CPS database is available at your fingertip for accurate mimicry of traffic to and from real web sites using HTTP/3 (other protocols may be added in the future), so you don't need to look for and enter specific sequences. Settings > Advanced > Custom AmneziaWG directives > Enable CPS > Presets > select the web site whose traffic must be imitated . Currently, you can find a database that contains more than 30 actual packet signatures and sequences of real web sites. Select one and Eddie will adjust all the parameters automatically and will use them in the next AmneziaWG connection. When you enable QUIC mimicking and you maintain WireGuard backward compatibility, you add a powerful tool against blocks, because the first packets will be actual QUIC packets. AmneziaWG will fall back to WireGuard compatibility very soon. However, when DPI and SPI tools, and demultiplexers in general, identify the initial QUIC flow, most of them will be unable to detect a WireGuard flow for several minutes. This has been tested thoroughly with deep packet inspection on Linux and FreeBSD based machines by AirVPN staff. Therefore, in different blocking scenarios the QUIC mimicry increases likelihood of successful block bypass. NOTE: the same does not happen with DNS mimicry. In this case DPI / SPI tools identify the stream initially as DNS, but are much quicker (just in a few dozens of packets) to identify the stream as WireGuard's, after the initial DNS identification. How to use Eddie in network where the "bootstrap" servers can not be reached Eddie downloads user and infrastructure data, essential to use the service, from special "bootstrap servers" through an encrypted flow inside HTTP. If the bootstrap servers are blocked or the underlying protocol to port 80 is filtered out, Eddie is unable to proceed. Starting from this Eddie 4 version, the ability to retrieve such data locally has been added. Whenever bootstrap servers are unreachable, Eddie can read the latest available local data to connect to a VPN server. Once connected the bootstrap servers are again reachable and the local data are immediately updated for future usage. The local data remain valid as long as you don't need to change user. On top of all of the above, Eddie can now retrieve such data through the login procedure that now can be started even when a connection to a VPN server was previously established via a profile. Therefore, when you are in a restrictive network that blocks access to bootstrap servers, you can connect through a profile generated by AirVPN web site Configuration Generator. After this first connection, log your account in to the service by selecting the specific option on the left pane, enter your AirVPN account credentials as usual and make sure that Remember me checkbox is ticked: Eddie will download all the necessary files and store them locally. This procedure is "once and for all", at least as long as you don't need to change account. After this initial connection, Eddie will be able to log your account in to the infrastructure, retrieve servers data and establish connections without profiles and without bootstrap servers, offering again full AirVPN integration even when bootstrap servers are unreachable. Only If you change account you must repeat the procedure. New: "Open with..." option added to "Export" option Different Android versions allow management of files with different restrictions. Different apps may support different intents on specific Android versions. To enlarge total compatibility, now Eddie offers two different options to export and manage files, including generated profiles. You will find the usual "Share" option (note: now renamed into "Export") coupled with a new "Open with..." option. Some apps support only one intent, other apps only specific intents on specific Android versions, and so on. By adding this option Eddie enlarges considerably the amount of apps you will be able to open and/or share files with. Download link, checksum and changelog Eddie Android edition 4.0.0 APK direct download quick link: https://airvpn.org/tv Eddie Android edition 4.0.0 is also available on the Google Play Store. https://play.google.com/store/apps/details?id=org.airvpn.eddie Changelog is available here: https://gitlab.com/AirVPN/EddieAndroid/-/blob/master/ChangeLog.txt?ref_type=heads SHA-256 checksum if you prefer to download from our web site and side load the app: $ sha256sum EddieAndroid-4.0.0-VC38.apk 12322926f12d45f8e918173ae30f88cdef03f0fe323f30abf00cef6c033d8dae EddieAndroid-4.0.0-VC38.apk Kind regards & datalove AirVPN Staff

@zanon321 Hello! We can reach your SSH server from the Internet, so the setup of sshd on the office PC is just fine. You have a single key pair and a single port. When you connect your home PC to a VPN server, the DNS record of the domain name <your name>.airdns.org is updated to the exit IP address of the VPN server the home PC connected to, so the address of the office PC (behind the VPN server) is lost. In this case this setup could work only if the office PC is the last one to connect, so it's not a reliable scenario. You need to create a new key pair and use a unique key on each computer. Then, link DDNS and port <your port> to only one of the key pairs (in this case, the office PC key pair). Finally make sure that you connect PCs to different VPN servers. ALTERNATIVELY, just don't use DDNS but point ssh directly to the exit-IP address of the VPN server the office PC is connected to and make sure you connect each device to a different VPN server. How to manage key pairs and certificates: https://airvpn.org/forums/topic/26209-how-to-manage-client-certificatekey-pairs/ Kind regards

Hello! Can you publish the whole terminal output when you try to run the installation script? Just copy and paste everything. Kind regards

Hello! Or that any "Network Lock" mode is disabled by setting "Network Lock" box to "None" in "Preferences" > "Network Lock" window (default: "Automatic"), as it is indeed the case according to the system report (important option not at default: netlock.connection false) and considering that the user's system does have nft and iptables-* installed. Splitting the different cases with different messages and logging them will be suggested to devs. Kind regards

Hello! Please check Network Lock "Mode" combo box in "Preferences" > "Network Lock" window and make sure that it is set to "Automatic". If it's set to "None" or other values, re-set it to "Automatic", click "Save" and verify whether the problem gets resolved or not. Kind regards

@0bacon Hello! Bluetit is correctly forbidding connections to servers of the country you are in. Resolve it by setting forbidquickhomecountry off in /etc/airvpn/bluetit.rc (or build a white list of servers outside your home country). From the manual: From your tests we see that the traffic doesn't flow in the WireGuard tunnel - it could be a block enforced your ISP, but make sure that you disable firewalld first just in case and test again: sudo systemctl stop firewalld If the problem persists let's check with OpenVPN. Try OpenVPN over UDP and over TCP. Kind regards

Hello! So, the AirVPN Suite works fine as expected. The problem causing the traffic not flowing in the tunnel must lie elsewhere. First, let's determine whether the traffic is completely blocked is it is only apparently blocked. Try to resolve names and ping destinations without names resolution and let's examine the outcome. Examples: ping -c 4 8.8.8.8 dig google.com Also, can you please test a connection over OpenVPN? Please set airvpntype openvpn on /etc/airvpn/bluetit.rc file, re-start Bluetit and test again a connection. If it fails too, switch to TCP by setting airproto tcp, re-start Bluetit and test again connections. Kind regards

Hello! Welcome aboard. 1. Yes, correct. 2. Yes, correct. 3. With a port linked to "All devices" this is not possible, because you create an unsupported case in forwarding rules, i.e. the same packet to a specific VPN server public IP address port should be forwarded to the port of multiple VPN IP addresses. This is not implemented and also poses a technical challenge in our infrastructure that's not trivial. To overcome this situation you must use unique key pair for each device and take care to link each port to a single device. Alternatively, a simpler solution is just connecting each device to a different VPN server (your 2nd scenario). Kind regards

Hello! In this case there's something wrong in setup. The configuration file is correct: AllowedIPs = 0.0.0.0/0, ::/0 This line tells WireGuard to tunnel the entire IPv4 and IPv6 address space. Any leak is caused by wrong binding or bad routing table together with absence of "network lock" leaks prevention. Use the AirVPN Suite to get rid of these problems, but it would be interesting to investigate further, if you don't mind. We could start by examining the routing table, the network interface settings and the firewall rule set during a connection, while the problem is occurring. Tracing IPv6 routes can provide valuable clues too. This is what I do, and while it does hide my ISP-provided IPv4 perfectly, the situation is different for IPv6, where my ISP-provided IPv6 is leaked to the tracker and my peers. This is a symptom hinting at a serious mis-configuration (or some previously un-detected qBittorrent bug, but it's unlikely as something so important would have been immediately noticed). Network Lock would prevent this situation but your case is very interesting and in our opinion deserves further investigation. In this case your setup is plausibly the source of the problem. Traffic splitting on an application basis requires some care to avoid those very leaks that you are experiencing. Consider running the AirVPN Suite for a safe traffic splitting on an application basis. AirVPN Suite resources: https://airvpn.org/forums/topic/79336-airvpn-suite-resources/ Kind regards

Hello! Note the discrepancy. Goldcrest may read both ~/goldcrest.rc and ~/.config/goldcrest.rc, no problems, but be aware that you might have two different files. Very well, this is essential to allow network lock to work properly. That's fine, it means that Network Lock blocks the traffic to your system DNS. In this case it's not really true because the system DNS has the same gateway IP address, whose traffic will be allowed in any case (you can verify by pinging 192.168.1.1 for example). About the log, we would like a clarification, we see that, multiple times, soon after a connection you order a disconnection, for example:  9:11:45 AM bluetit: Requested method "bluetit_status -> Bluetit is connected to VPN (WireGuard)"  9:11:45 AM bluetit: Requested method "stop_connection"  9:11:45 AM bluetit: Stopping WireGuard synchronous connection Why do you order the disconnection immediately (or just a few seconds) after the connection was established? Note (just in case) that you're running goldcrest in synchronous mode, so if you destroy the window of goldcrest terminal emulator parent, it will receive a SIGTERM and in turn will require Bluetit to disconnect. So, is the disconnection ordered by you voluntarily? If so, is it because you see that no traffic flows? As a side note, you have defined a white list of only one server. If this is intentional it's fine, but please test more, different servers, just in case there is a problem that's specific between you and Fang. You can define a white list of servers through a list of comma separated server names in the air-white-server-list option in your goldcrest.rc file. Kind regards

Hello! We're very glad to announce that Eddie Android edition 4.0.0 Release Candidate 1 is now available. New CPS QUIC database: now Eddie features a CPS database of more than 30 real web sites allowing accurate QUIC + HTTP/3 mimicry of real services through AmneziaWG. Each database entry is identified by a clear label for immediate selection in the app's settings. Eddie will take care to compile AmneziaWG In parameters accordingly: no need for manual input, which anyway remains an available option. This addition significantly bolsters Eddie's arsenal against blocks. New: IPv4 and IPv6 traffic can now be wrapped over an IPv6 tunnel with WireGuard and AmneziaWG too. Minor bug fixes The original message of this thread has been updated accordingly. You will find on it the new download link and checksum, as well as detailed Amnezia description. If you decide to test, please report at your convenience any bug and problem in this thread. If possible generate a report from the app in a matter of seconds: by tapping the paper plane icon on the Log view bar rightmost side you will generate a full system report which will include both log and logcat and have it sent to our servers. Then you just need to send us the link the app shows you (open a ticket if you prefer to do it in private). Kind regards & datalove AirVPN Staff

Hello! The idea is correct, but you must omit --interface option for the previously explained reasons. However this is a necessary but not sufficient condition to prevent traffic leaks. Binding qBittorrent to the VPN interface is a perfect solution. Our software Network Lock feature is another one. You may apply both settings for additional safety. Please note that some qBittorrent versions could handle only IPv6 or only IPv4 traffic, but we think that qBittorrent devs resolved this limitation recently. Kind regards

Hello! Well, the problem seems different though... the OP should be able to enjoy IPv6 over an IPv4 tunnel with the published configuration file. @nicoco First of all, there is an error in how you use curl. You must not specify the VPN interface: the interface must manage an IPv4 tunnel. IPv6 must be wrapped over it. If you bind curl to the VPN interface, you bypass the routing table and you prevent the system from picking the correct source IPv6 address. You don't see this problem with curl -4 --interface <VPN interface> probably because there is no ambiguity in selecting IPv4 source address when curl binds to the VPN interface, in spite of the routing table bypass (i.e. lucky case). Just omit this option and you should be fine (alternative: follow @Tech Jedi Alex solution, you will have an IPv6 tunnel over which you can tunnel IPv4 too and the problem could be "specular" with v4 when you use curl). Side note: the option --interface is not supported in Windows. If the problem persists: are you sure that your curl -6 tests are directed toward an IPv6 HTTP supporting service? Try https://ipv6.google.com for a cross-check, and ping6 too. If the problem still persists, please make sure that IPv6 support is enabled on your system and your network interfaces. Kind regards

Hello! Well, not totally true thanks to SIMD, especially AVX and AVX-512. AVX is commonly available on CPUs since 2011, while AVX-512 came out around 2016. By the way: WireGuard already saturates our servers (2.6 Gbit/s per client on the server, recently...) so the physical limit of our lines is reached before kernel performance becomes a problem. We would also like to see how the new DCO beats properly configured WireGuard on real life usage, not from a paper written by the same DCO developer. But anyway DCO changed incarnations and compatibilities many times. Having followed each iteration at the beginning, we wasted a significant amount of time and this situation had to be ended. No more, thank you... we are inclined to use the NEW DCO only when we have our infrastructure running on a mainline kernel that includes the module (in other words, starting from Debian 14, which is due to be released in 2027). On the other hand we also acknowledge the decision of important competitors to drop OpenVPN completely in the recent past. It's a delicate matter that we must take into consideration. Additionally, OpenVPN keeps a relevant superiority over WireGuard with some important features: DHCP enabled, ability to connect over SSH and TLS additional tunnels, and over socks and http proxies. But we do not need DCO for such strategic options (which by themselves hit performance heavily) so its adoption is not compelling. Our customers' choice is clear: OpenVPN usage dropped from 80% to 23% in just a year and a half. Note that just two weeks ago we had 24%, now it's 23%, the decline is fast. So what? DCO is not a replacement for blocks circumvention and does not feature AmneziaWG abilities, including CPS, handshake and payload packets padding, junk packets. We see DCO as a WireGuard competitor, but not at all as an AmneziaWG alternative, which in turn is aimed at lower performance for better blocks circumvention. Kind regards

Hello! We're not ignoring it, did you read the update on the first message of this thread? Kind regards

Hello! Note: we asked for the Bluetit log and you never sent it. In this case it's no more necessary because there is no problem at all, but in the future you should reply to requests, otherwise you prevent us from supporting you properly. This is expected and correct. air-server option requires a server name, not a list. If you want to define a list of servers you need air-server-white-list option, which expects a list of server names separated by a comma. When you define a white list of server, leave air-server commented out and do not specify it in the command line. The software will pick the "best" server among the white listed ones. As a peculiar case, when you invoke Goldcrest you can still specify --air-server <server name> just in case you want a connection to a specific server included in the white list. However, you can not force a server that's not in the white list. Nothing in /etc/airvpn/bluetit.rc must contradict goldcrest.rc as Bluetit directives and policy, that can be enforced only by root, take precedence. Kind regards

RTFM

Hello! Thanks, now it's clear. It's a typical LLM hallucination. We strongly recommend you do not trust them: the free model for the casual consumer hallucinates so often in this regard that we have already documented disasters much more serious than the small incident you had. We also have to fix frequently threads and the support team claims that they have every day bizarre reports clearly caused by wrong assumptions based on LLM hallucinations. Please read the manual instead. There are typically two ways, one of them compliant to Unix and Linux conventions (sending a signal). Everything is documented on the manual. Stopping Goldcrest requires a second, either in synchronous or asynchronous mode. Note that stopping Goldcrest (the client) does not imply stopping Bluetit (the daemon), so if you stop Goldcrest and you have persistent network lock by Bluetit, you will not disable network lock (and rightly so!). Apparently all of your problems were born from an LLM hallucination. Just read the manual, it was written with care. When you can see what the Suite can do you may change your mind. You're wrong in the sense that by default Bluetit keeps traffic splitting disabled: it is opt-in. Read the manual and you'll see. Here we're talking about per-app reverse traffic splitting based on dedicated namespace, which is a safe way to split traffic on an app basis. In a desktop environment, both X.Org and Wayland are supported. This is not true, and anyway it's not buggy. Probably you have not understood the "issue" so far, never mind. If you read the manual you'll get the whole picture and you might even re-consider the software suite. If you don't, never mind and just keep going on: as usual AirVPN can be used normally without our software and we will never force proprietary software usage. Of course not, for the same reasons. Kind regards

Hello! Where exactly? We would like to fix it but no search engine can find it as far as we see. Can you give us a link? Please determine whether the problem is connectivity or only names resolution and report back at your convenience. Also answer to our previous questions to let us help you properly. Not a big deal. As you can read on the manual your case can be resolved immediately. It can be triggered by a "kill -9" command or analogous situations. How to recover network settings is described here. https://gitlab.com/AirVPN/AirVPN-Suite/-/blob/master/README.md?ref_type=heads#recover-your-network-settings If you purged Bluetit, however, you may have destroyed the whole /etc/airvpn directory so you deleted the resolv.conf backup copy too that is kept protected there. Again, not a big deal. In this case just rebuild your resolv.conf file manually or via your DNS management tool (for example network-manager, systemd-resolved...). Kind regards

Hello! Yes, but you are using it improperly according to your first message. Note how you are exposed between the connection and the manual execution of the script (not to mention in case a failure occurs etc.). A good mitigation of the main problem would be integrating leaks prevention in WireGuard PostUp / PostDown events or just coding a whole script of your own that executes and checks for errors everything. In order to pick the "best" server in New Zealand, you can rely on nz3.vpn.airdns.org domain name. The Configuration Generator will also take care to put it in the profile end point line if you select "New Zealand" country or "Oceania" continent during the selection. NOTE: we did not examine the script, so we are not implying that it works or doesn't work. Kind regards

@zedik Hello! sudo bluetit stop is not a valid command to stop Bluetit. Can you tell us where you found this "fanciful" information? Please read the user's manual here to know how to stop Bluetit: https://gitlab.com/AirVPN/AirVPN-Suite/-/blob/master/README.md?ref_type=heads#controlling-bluetit-daemon If the problem persists after you have stopped Bluetit for real and after you have READ THE MANUAL please feel free to state your Linux distribution name and version and publish Bluetit's log to let us investigate. Kind regards

Hello! Sorry for the typo. Oceania continent code for Bluetit is OCE, not OC. Bluetit follows IOC continent code convention used by the International Olympic, since there is no ISO code for them. Or you could just specify the whole name, Oceania. NZ is recognized correctly though, so your report is incorrect in this regard. Just keep in mind that you don't have many features, such as integration or namespace management for safe traffic splitting, and above all be aware that you don't have a leaks prevention feature (network lock). If you deem it necessary take care to reproduce it. If you don't, please do not complain about traffic leaks. Kind regards

@mcducktits Hello! All the URLs you mention don't exist, where did you find them? Use the web site to find the correct ones, or start from here: https://airvpn.org/windows Also, where did you get the idea of this "ports tab"? There's no such thing in Eddie. Remote inbound port forwarding is managed through the web site and is also client-independent. Kind regards

Hello! We're glad to know that you managed to resolve the problem. For this new purpose tell Goldcrest to connect generically to Oceania (or New Zealand, since in OC we have servers only in NZ because of the infamous "anti-encryption" legal framework in Australia). Example: goldcrest --air-connect --air-country OC Note that "air-country" accepts continent codes too. Kind regards

Hello! This a wrong assumption. Soulseek clients (like Nicotine+) do not randomly change ports on their own if properly configured. Of course you need to re-start the software if you change listening ports. After the re-start, no new ports are assigned. If this happens something wrong is going on, for example the configuration was not saved, or you forgot to disable some random port selection option (from picking random ports to negotiating via UPnP etc.). As a side note, please remember to configure GlueTun environment variables properly, in particular environment: - FIREWALL_VPN_INPUT_PORTS=PORT1,PORT2 That's the environment variable telling the containers firewall to allow incoming packets on listed ports of the VPN adapter. Kind regards