Staff

@monstrocity Hello! We will investigate. Can you confirm that the problem does not occur in HB 1.1.0? Please note that Bluetit 1.0.0 RC 1 does not have the ability to enforce network lock and a connection at system bootstrap. Bluetit 1.0.0 stable release will have this ability, but of course it will be optional. Can you also send us whole terminal output after you have pressed CTRL-C (or have sent a SIGTERM to HB process), as well as the content of /etc/airvpn? ls -l /etc/airvpn Kind regards

@freak Hello! Good, the infamous bottlenecks caused by the OpenVPN TAP driver should be resolved. However it's strange that CHACHA20 provides you with higher performance than AES does. A possible explanation is that your system does not support AES-NI. Your CPU does, though, so you should beat CHACHA20 performance with AES-GCM, if you can enable AES-NI. Wireguard must be faster than OpenVPN with CHACHA20, because Wireguard runs in the kernel space and CHACHA20-POLY1305 implementation should be fine,. Running in the kernel space, however, has security implications that must be considered. OpenVPN with AES, in an AES-NI supporting system, linked against latest OpenSSL which includes assembly code (at least for Linux), is faster than Wireguard according to our tests, even though OpenVPN runs in the userspace. Wireguard offer is planned, but as you know it's a wreck lacking many basic features: no DNS push, no dynamic IP address assignment, no AES or other ciphers support, no TCP support, fixed bijection of real IP addresses onto client keys/VPN address, clients real IP address storage in a file, thus posing paramount privacy as well as technical issues. Many people will be disappointed and worried when they understand the implications of all of the above. Many other people will not be able to use Wireguard at all (mobile ISPs blocking or shaping UDP, countries blocking or shaping UDP etc.). We will release software aimed at patching, when possible, those numerous problems, but we need to keep approaching and offering Wireguard with care. Kind regards

@tami Hello! Hummingbird has a tiny RAM footprint if compared to Eddie (a dozen MB against hundreds of MB), even because it does not need Mono and does not have a GUI, so if you don't need a GUI use Hummingbird. CPU usage is high when traffic encryption/decryption is necessary and that's also why you can't beat some throughput limit. Hummingbird 1.1.0 is linked against mbedTLS library. New Hummingbird 1.1.1 (you can already test it, RC 1 was out some days ago) is linked against OpenSSL, which now provides higher performance than mbedTLS, at the price of a little more needed RAM. Please test it if you can and check whether the problem remains. -N off disables "Network Lock" feature. If disabling "Network Lock" resolves the problem, why Network Lock activation prevents you from connecting remains to be seen. If the problem persists with Hummingbird 1.1.1, would you like to post the complete log? If you post it, please make sure not to delete VPN server IP address as you did. It's an important information and does not compromise your privacy. Since Raspberry CPU does not support AES-NI, you can boost performance by connecting with cipher CHACHA20-POLY1305. New Hummingbird 1.1.1 is linked against our latest OpenVPN 3 AirVPN library release, which supports data-ciphers directive and is updated to comply to OpenVPN 2.5 (which runs in our servers) specifications, so you can enforce CHACHA20 and any other supported cipher with a proper profile, or by command line option. To download Hummingbird 1.1.1 please see here: https://airvpn.org/forums/topic/48435-linux-new-software-airvpn-suite-10-beta/ Hummingbird is included in the suite (of course feel free to test Goldcrest+Bluetit too). Kind regards

@airvpnclient Hello! That's expected, as systemd does not support daemons which fork (Bluetit performs a double fork). See here: https://www.freedesktop.org/software/systemd/man/systemd.service.html Look at "Options" for "Type=": You can then see why systemd sends SIGTERM when it meets a real daemon. That's obviously obscene filthy crap, but makes Windows-ish and other miserable wannabe programmers happy, because allows them to run at system bootstrap, as "units", even processes which are not real daemons, which do not respect UNIX policy. Nothing to be surprised of with systemd anyway, you can't expect much from a repellent, non POSIX compliant crouch. For your specific use case, you can consider to run Hummingbird, as runnning Goldcrest+Blueiti in that way does not make much sense, or you can wait for Bluetit release which (it's official now) will include options to connect at bootstrap. Kind regards

@arteryshelby @ZPKZ Hello! Stay tuned, infrastructure expansion will go on. Kind regards

@hisik22091 Hello! Yes, please run Tor and use a Tor browser after you have connected to some VPN server when your threat model includes adversaries with the power of a government agency using legal or illegal tools in Europe. It's very important to not underestimate such risks, regardless of the documentation you're able to provide to substantiate any sentence and word, as even European countries have shown that they can infringe human rights with impunity: consider UK torturing a journalist (Julian Assange) for a long time and infringing other human rights, in spite of the United Nations reports, just to make an example. We use different entry and exit-IP addresses on VPN servers, but that's a weak defense against a government which can infer which exit-IP address is related to which entry-IP addresses. Unfortunately Wikipedia tends to block editing from a lot of Tor nodes,. a terrible and idiotic choice in our opinion, especially when anyone can see which IP address an edit was made from (or can obtain it through a court order). For a solution in such a case, keep reading. Note anyway that a government that performs such a correlation does not obtain a PROOF that someone wrote something, because they can't know from us which users were connected to which VPN servers at any given time, as we do not inspect and/or log traffic content and/or metadata. Also check what we wrote in 2013 about the importance of partition of trust: https://airvpn.org/forums/topic/54-using-airvpn-over-tor/?do=findComment&comment=1745 If you find editing Wikipedia articles from Tor nodes diffiicult, you can consider OpenVPN over Tor. It's not as secure because the Tor circuit is fixed (it will not change at each new TCP stream), and it's not as easy to use as Tor over OpenVPN is, but it poses a probably impossible challenge for a government to find out the identity of the author. Wikipedia sees and records the VPN server exit-IP address, but your government does not see that you connected to that VPN server address, because your traffic goes through some Tor circuit first. Only the Tor exit-node knows that the traffic ends to our VPN server entry-IP address, but the Tor exit-node does not know your real IP address, because you connect OpenVPN to the first Tor guard. The correlation you fear is therefore destroyed. OpenVPN over Tor usage is made easier by our Eddie desktop edition software. Kind regards

@Point Zero Hello! Probably it had nothing to do with Eddie itself then, but with the system. Eddie frontend runs in the Mono (.NET in Microsoft systems) framework, while the backend is written in C++. What is your Operating System exact version? To wipe out anything Eddie-related, just delete the directory it is inside, if you use a portable package, while you need to uninstall according to your system (just like you do with any app) if you had installing package., Then delete Eddie configuration file as above. Kind regards

@airvpnclient Hello! Indeed. Let's try to reproduce it. Which system do you run? Kind regards

Check also https://airvpn.org/forums/topic/48234-speedtest-comparison/ in order to verify what you can expect from AirVPN best performance. Kind regards

Hello! Momentarily, in London please connect to Arion, where the problem is resolved, thank you. Kind regards

@airvpnclient Hello! An easier way will be available soon, in the next version, which will support a specific option to have Bluetit connect during the bootstrap (you will need bluetit.rc properly configured with your AirVPN credentials). As a first attempt, can you please change your account password into one which only contains ASCII characters in [a-z} U [A-Z} U [0-9]? We ask you to do that because the only difference we can currently spot is that in one case rc.local is launched by init, while in the other one it is launched by a shell which might have a different character set. By using only ASCII characters such a problem would be solved. We are looking forward to hearing from you. Kind regards

@freak Hello! Try to use wintun (another driver for tun-like virtual network interfaces) as you might have a bottleneck caused by the TAP driver. Eddie 2.19.6 for Windows is packaged with OpenVPN 2.5 and they both support wintun, you can enable it with a click. See here to download Eddie 2.19.6: https://airvpn.org/forums/topic/46329-eddie-desktop-219beta-released/ Kind regards

Hello! Moving to "Troubleshooting and problems" because AirVPN is much faster than NordVPN with the same transit providers, we guess because NordVPN does not have our load balancing system (on the single server we mean) and NordVPN servers are congested at times. Using Wireguard by default also slows down NordVPN if your system supports AES-NI. Also consider to open a ticket if necessary. Kind regards

@govegan3 Thank you for the report! In order to let us try and reproduce the issue, can you determine more precisely and tell us the "long time" you mention? Can you also tell us your distribution name and version? Kind regards

Hello! Please open a ticket at your earliest convenience: AirVPN community can't help you with this, you need the support team.You can open a ticket from the web site or by writing and e-mail to support@airvpn.org Kind regards

@john roberts Hello! If you run Bluetit and Goldcrest, you don't need to create an exception in SELinux, because Bluetit is a daemon. Bluetit will start at boot, and you can connect your system to the VPN by running Goldcrest at the end of system runlevel, or subsequently from any user belonging to airvpn group. If you run Hummingbird and you want to start it at system bootstrap with nft based Network Lock enabled you should create an exception in SELinux, but such a solution should be discarded, as Hummingbird is not designed to be a daemon. Therefore, using Hummingbird as a systemd unit is deprecated. We would suggest that you run Bluetit and Goldcrest instead. NOTE: if you need to prevent any communication outside the VPN tunnel even during the system bootstrap by system processes, you can consider to set permanent firewall rules blocking anything except DHCP discovery (essential to connect to a router), local network and localhost, as well as some ntp server if you need time sync at boot (no battery etc.). "Network Lock" will then "unlock" communications to the VPN servers and your local network allowing you to connect to a VPN server with no time pressure at all. As long as network lock is disabled, total lock will remain in place. As soon as network lock is enabled, only comms to the VPN servers become possible. Kind regards

@RameshK Hello! Can you please make sure that you have downloaded the "pre-Catalina" notarized 2.19.6 version? If in doubt, please re-download (of course you can download the packages as many times as you wish). We are looking forward to hearing from you. Kind regards

Hello! Sure, porting our software to ARM based Mac machines is an option we are seriously considering because during 2021 (and maybe 2022) Mac Apple will abandon development of x86-64 based computers completely. Stay tuned. Kind regards

Hello! Through round trip times differences, discernment between geographically near locations of servers whose traffic is served by the same transit provider is very hard or not possible, because the deviation may remain inside the range of the experimental error. Anyway if you want to try, use mtr, gather a sufficiently vast set of experimental data and process it according to what statistics teaches. Tests with YouTube mean literally nothing for obvious reasons. M247 operates servers in co-owned datacenters and not. Server locations are correct to the best of our knowledge, according to M247 claims and consistent with technical verification. M247 servers in Phoenix operated by us are located in Phoenix, in the following Cogent datacenter: https://www.cogentco.com/en/cogent-phoenix Bootes (Phoenix) IP addresses are in 193.37.254.0/24, a block property of M247 (AS9009) and employed in Cogent above mentioned datacenter. https://ipinfo.io/AS9009/193.37.254.0/24 You can verify via mtr the last replying hops and check the different final route with M247 servers in Los Angeles (Teegarden,. Grrombridge). Normally traffic in Phoenix is served by Cogent while in Los Angeles mainly by NTT. Disclaimer: IX location where the provider has a POP may not match datacenter location, for example our servers in Alblasserdam (NL) are in Alblasserdam but have direct lines to AMS-IX, which is in Amsterdam. We report anyway Alblasserdam as it is the town where the servers and its high volume router(s) physically are. Kind regards

@pjnsmb Hello! Yes, it runs fine in Debian stable releases. Momentarily, problems occurring in unstable distributions are not addressed, but that does not mean that they won't be addressed in the future. Furthermore, it is also possible that problems get resolved in time, while unstable distribution bugs are resolved. Kind regards

@krytellan Hello! Eddie 2.12.4 is very old and is packaged with and linked against software which does not support anymore the new encryption requirements by AirVPN. Please upgrade and the problem should be resolved. NOTE: Windows 7 is an abandoned system and latest Eddie versions are no more tested in Windows 7. If you experience issues with latest Eddie release, please run Eddie 2.16.3. To download Eddie 2.16.3: browse https://airvpn.org/windows click "Other versions" click "2.16.3": you will be brought back to the download page, pointing this time to Eddie 2.16.3 select the correct system Windows 7 select the correct architecture (32 bit or 64 bit, please check) download and install as usual Kind regards

@fkeriviavcxjhvjke Hello! You have three options. 1) Run AirVPN Suite 1.0.0. It will take care properly of DNS push even when systemd-resolved is configured to work in on-link mode bypassing resolv..conf and even when it works together with network-manager. Tested successfully under new Fedora 33 default settings. The suite is free and open source software by AirVPN, based also on a robust client-daemon architecture, and offers Network Lock (for traffic leaks prevention) which works fine even in Fedora 33. See here: https://airvpn.org/forums/topic/48435-linux-new-software-airvpn-suite-10-beta/ 2) Disable systemd-resolved and re-create /etc/resolv.conf file to work with global DNS as usual, instead of the questionable and dangerous per-link basis mode. After that, you can either run AirVPN Suite 1.0.0, OpenVPN with update-resolv-conf script, or Eddie. Eddie is a free and open source software by AirVPN with a GUI running in Mono. Only when systemd-resolved is disabled or re-configured to respect /etc/resolv.conf, can Eddie be used in Fedora 33. If you choose to run OpenVPN directly, remember that OpenVPN does not handle DNS push on Linux on the client side, so use the mentioned script. Please see here: https://airvpn.org/forums/topic/9608-how-to-accept-dns-push-on-linux-systems-with-resolvconf/ 3) Not recommended. Run OpenVPN with script update-resolved-systemd. Again see https://airvpn.org/forums/topic/9608-how-to-accept-dns-push-on-linux-systems-with-resolvconf/ Kind regards

@dibble Hello! Eddie is compiled for x86-64. If you're running an ARM based Mac, you should run Eddie in Rosetta 2, can you please check? We have some reports according to which Eddie runs fine in Rosetta 2, and other reports claiming that Eddie freezes. Please send us your report as well. Kind regards

@Point Zero Hello! Try to delete the default.profile file. It's Eddie configuration file. You can find its location by reading the first Eddie log entries. Make sure that Eddie is not running, then delete the file, finally re-start Eddie and check whether the problem is resolved. Eddie will re-create a profile with default settings. Note that you will need to re-enter your AirVPN credentials and custom settings. Kind regards

@colorman Hello! That's great, thank you! Case dismissed. Kind regards