Staff

Hello! We can't, it's a not enforceable clause. Kind regards

Even if the attacking adversary would not need to catch your DNS queries they still can catch your dns traffic if they could, employees/insiders who work for the company could maliciously collect if they wanted to. That’s why having a secure dns that goes though the vpn infrastructure is an added security. Partition of trust still has a flaw that could be improved, the final vpn tunnel will still send your dns queries unencrypted. Just because a vpn company states they don’t log users data it doesn’t mean someone on the inside covertly could. Hello! Let's fix some very bad misconceptions. 1. That's false, the attacking adversary can not catch your DNS queries when tunneled into the VPN, unless he/she is inside your machine with administrator privileges, in which case of course neither DNSCrypt nor VPN nor Tor can defend you. 2. Incorrect. When you connect Tor over OpenVPN: the final VPN server sends everything encrypted to Tor entry-node VPN server can not even discern the type of traffic, because the whole payload is still encrypted by Tor, DNS queries included your ISP or network administrators will not see that you're using Tor because its traffic is still wrapped into OpenVPN TCP or UDP tunnel. DNS queries are inside Tor tunnel which is inside OpenVPN tunnel Tor can not see your real IP address Tor circuit is renewed at each new TCP stream a malicious datacenter or a rogue VPN company will see nothing of your traffic content, as it's encrypted traffic unreadable to them (that's why some rogue VPNs blocked Tor traffic, they can't mine your data) Kind regards

@pizza Hello! We agree with you, it would have been nice but not at the price to lower our standards. The reasons of our fork have been already explained here: https://airvpn.org/forums/topic/43850-openvpn-3-development/?do=findComment&comment=98527 Kind regards

Hello! Can you please test again now (restart the connection)? Kind regards

Hello! We're very glad to inform you that the Black Friday week has just begun in AirVPN! Save up to 74% when compared to one month plan price Check all plans and discounts here: https://airvpn.org/plans If you're already our customer and you wish to jump aboard for a longer period, any additional subscription will be added on top of already existing subscriptions and you will not lose any day. And that's not all: AirVPN offers five simultaneous connections per account, IPv6 full support, AES-GCM and ChaCha20 encryption ciphers and even more, exclusive features: https://airvpn.org/topic/28153-ipv6-support-and-new-smart-features/ AirVPN is the only VPN provider which is actively developing OpenVPN 3 library with key features: https://airvpn.org/forums/topic/44069-openvpn-3-development-by-airvpn/ Any doubt or question? Please check the following, awesome guide first: https://airvpn.org/forums/topic/45694-airvpn-sales-things-to-know/

Hello and thank you for your nice feedback! As far as we can see from the log, various delays sum up. During the connection a delay is caused by OpenVPN when it calls "netsh.exe" and "route.exe" the first time. After both binaries have been called for the first time, subsequent calls become faster (caching). It hints to some slow I/O (more on this later). First, try to resolve the following warning: W 2019.11.24 21:42:24 - OpenVPN > Warning: route gateway is ambiguous: 192.168.1.1 (2 matches) It is generally caused by two interfaces having the same gateway, for example if you keep Ethernet and WiFi connections to the same router both active. You can in this case turn off WiFi card, if it's not needed by some other setup in your system. As far as it pertains to Eddie, we see delays in the DNS flush (5 seconds), which is a highly recommended procedure, so nothing effective can be done about it. Another 5 seconds delay is caused by route check and DNS check, security operations which can be suppressed if you keep Network Lock enabled. You can bypass them respectively: - in "Preferences" > "Advanced", by unticking "Check if VPN tunnel works" - in "Preferences" > "DNS" by unticking "Check Air VPN DNS" Remember that if you cancel the above verifications, you should keep Network Lock enabled for safety reasons. A high delay is caused by Eddie's DNS operations: . 2019.11.24 21:42:28 - DNS leak protection with packet filtering enabled. . 2019.11.24 21:43:52 - DNS IPv4 of a network adapter forced (Ethernet 2, from automatic to 10.6.14.1) . 2019.11.24 21:43:52 - DNS IPv6 of a network adapter forced (Ethernet 2, from automatic to fde6:7a:7d20:20e::1) You can see that between "leak protection with packet filtering enabled" and forcing DNS on network adapters the remarkable amount of 24 seconds is needed, which is unexpected, as in our systems Eddie is much faster to do that. Please check whether your HDD is significantly fragmented. If it is, consider to defragment it: all operations involving I/O to/from the HDD will be faster after the procedure is complete, including I/O by OpenVPN and Eddie. Last but not least, Eddie 2.18.5 beta has been rewritten in various parts to speed up various operations. If you wish so, you might test the latest Eddie and check whether connection time decreases. If you are interested in testing, please see here: Feel free to keep us posted! Kind regards

Hello! Thank you for your public and private bug reports and for you ongoing support. About your questions: We confirm: OpenBSD and FreeBSD versions are planned. However, they will probably not be available before Christmas, we're terribly sorry. Currently, OpenVPN 3 can not be compiled in *BSD, therefore some additional work is required. Yes, pf for Network Lock will be supported in Mac, FreeBSD and OpenBSD. ipfw support is under evaluation. More on plans about a GUI will be released in the future. A study about asio and socket buffers is not yet complete. At this early stage it seems that OpenVPN 3 does not need fixed buffer sizes and asio seems capable to fine tune buffers properly, according to various speed tests and comparisons. Please keep in mind once again that the issue you raised is still in early stage investigation. Kind regards

Hello! Unfortunately not, because under the scenario you describe the attacking adversary would not need to catch your DNS queries to see your traffic destinations and origin. You can defeat the adversary anyway with "partition of trust", for example by connecting to Tor after you have connected to the VPN. Kind regards

@giganerd Things evolve and we always have replacements ready. In the USA the situation is extremely peculiar because the climate is hostile and it's hard to find datacenters which work well AND do not fear many notices on alleged copyright infringements for example. With the last replacement you mention, note that we have added a new provider. Also note that our relation with Leaseweb, after a harsh divorce, is again very good. In Germany we have many servers with Leaseweb DE, in Singapore we have three servers with Leaseweb SG. If you compare situation with that of one and a half year ago, we don't have less providers now. Kind regards

Hello! While we will let developers provide more details should they wish so, we would like to firmly clarify that: Eddie 2.18.x GUI or command line frontend does not run as root; the backend process does Eddie 2.18.x is in beta testing phase, so potential bugs and issues should be in general expected at any time Eddie 2.18.x does not run "curl" with root privileges anymore @QueenSasha Eddie 2.18.x GUI is written in C# (so it needs the Mono framework) but the backend process is written in C++, so it does NOT need Mono framework. Running only a GUI in Mono with normal user privileges shrinks down Mono related risks very considerably @inradius If you find critical Mono vulnerabilities even related to apps running with user privileges things would be different, of course root privileges are necessary to modify firewall rules (for "Network Lock"), change routing table, properly handle DNS push. Root privileges are also transmitted to OpenVPN, which needs them to modify routing table, default gateway and operate on tun network interface. That's expected, correct and ordinary behavior by any OpenVPN based software developer @inradius unless you have a special API service, as it happens in Android with VPNService API, where root privileges are not needed (and you can't set a real "Network Lock" as a consequence) if any security vulnerability is ascertained and proven we and developers will of course address it expeditiously @QueenSasha Kind regards

Hello and thank you for your choice! Can you please send us a system report generated by Eddie, the Air client software, and taken just after the problem has occurred? Please click "Logs" tab, click the LIFE BELT icon, click "Copy to clipboard" and paste into your message. Kind regards

@dedo299 Hello and thank you for your considerations! We will evaluate them carefully. Currently we just want to underline that Heze and Persei suffered too many partial and total outages for our standards and the frequent events caused quite a remarkable amount of complaints, and rightly so, by our customers. Keeping those servers in spite of the collected evidence and feedback would have been detrimental for the quality of our service as it's bad to have a well performing server when the datacenter, for various reasons that have been occurring again and again, can't ensure anymore a decent uptime. We also wish to specify that Aquila, the server you mention giving you good performance, which is from a different provider, remains in Fremont: it is not one of the soon to be dismissed servers. Kind regards

Or not: it depends on whether they are tunneled. In Linux based systems with global DNS (i.e. without on-link DNS simulation) DNS queries to any public DNS will be tunneled. In Windows there is no global DNS concept so such queries in general will not be tunneled. That's also the reason why DNS leaks don't exist in Linux, unless it's deliberately configured to emulate rickety broken DNS implementation, but they are common in Windows and patched client-side by OpenVPN based software. As a side note fir the OP: remember that DNS settings on the devices behind the router will determine the finala ddress to send queries to. Only if they query the router address in the local network, then the DNS servers set on the router will be queried. If they query any other DNS, their DNS queries will be anyway tunneled by Tomato router (and our VPN servers will then send them to the final destination, get the reply, and send the reply to you). About the original problem experience by OP: OpenVPN server pushes IPv6 routes even when the client does not explicitly require them. Together with the fact that if "ip" (or any similar command) fails with IPv4, even if it's successful with IPv4, OpenVPN quits immediately, you can understand how gross and questionable this behavior is: any client without machine IPv6 support will be unable to connect. So, we will force OpenVPN to NOT push IPv6 routes, unless IPv6 is explicitly required. The patch has been implemented and deeply tested, it is safe and compact, and will be deployed in all servers progressively but swiftly. Currently only 40 servers still pose the problem caused by the "original OpenVPN behavior". Remember that the problem affects only systems which lack IPv6 support (they don't exist anymore but someone might disable IPv6 at system level for any reason, or use very old systems, so we are working to fix the issue quickly in the whole infrastructure). To get OpenVPN IPv6 push you will need necessarily the following directives: push-peer-info setenv UV_IPV6 yes The Configuration Generator already works accordingly and adds the proper directives if you require IPv6 over IPv4. Kind regards

@dedo299 Hello! We have picked a datecenter in Los Angeles to replace two Fremont servers (quite near in terms of network distance and very near geographically). The new LA servers announcement, where we specified that they replaced servers in Fremont, is here: Kind regards

Hello! We inform you that the following servers will be dismissed on November the 26th as they do not meet anymore our quality requirements in terms of line reliability and datacenter support. Alkaid Heze Microscopium Pavonis Persei The aforementioned servers have already been replaced by other servers in the same locations, running in datacenters which are currently offering higher reliability. You can check the servers status and additional information on our servers monitor here: https://airvpn.org/status Kind regards AirVPN Staff

@Flx Hello, just a note: 10.5.0.1 is no more used since a long ago. VPN DNS server primary address matches VPN server gateway, secondary address is 10.4.0.1 (regardless of the subnet you are in). 10.4.0.1 is not reachable by ping, but only DNS queries. https://airvpn.org/specs Kind regards

We would like to do so but our resources are limited and selections and choices must be made. Kind regards

Hello! We're very glad to inform you that two new 1 Gbit/s servers located in Vancouver (Canada) are available: Nahn and Sham. The AirVPN client will show automatically the new servers; if you use the OpenVPN client you can generate all the files to access them through our configuration/certificates/key generator (menu "Client Area"->"Config generator"). Servers accept connections on ports 53, 80, 443, 1194, 2018 UDP and TCP. Just like every other "second generation" Air server, Nahn and Sham support OpenVPN over SSL and OpenVPN over SSH, TLS 1.2 and tls-crypt. Full IPv6 support is included as well. As usual no traffic limits, no logs, no discrimination on protocols and hardened security against various attacks with separate entry and exit-IP addresses. You can check servers status in our real time servers monitor: https://airvpn.org/servers/Nahn https://airvpn.org/servers/Sham Do not hesitate to contact us for any information or issue. Kind regards and datalove AirVPN Team

Hello! We're glad to inform you all that Chamaeleon https://airvpn.org/servers/Chamaeleon in Dallas now runs OpenVPN 2.5 daemons and is configured to accept connections with cipher CHACHA20-POLY1305 both on Control and Data Channel. You can connect in ChaCha20 with Eddie Android edition, OpenVPN 3.3 AirVPN alpha for Linux, or by using Eddie desktop edition with OpenVPN 2.5. To use cipher ChaCha20: with Eddie Android edition, select "Settings" > "AirVPN" > "Encryption Algorithm" > "CHACHA20-POLY1305" with OpenVPN 3.3 AirVPN please see here: with Eddie desktop edition, install OpenVPN 2.5, tell Eddie to use OpenVPN 2.5 in "Preferences" > "Advanced" , finally add the following custom directives in "Preferences" > "OVPN Directives" and make sure to connect or white list ONLY experimental ChaCha20 servers ncp-disable cipher CHACHA20-POLY1305 Servers supporting ChaCha20 are marked as "Experimental ChaCha20" in https://airvpn.org/status in a yellow warning. Kind regards

Hello! We're very glad to inform you that three new 1 Gbit/s servers located in Chicago (Illinois, USA) are available: Fang, Kruger and Sneden. Note that the aforementioned servers replace Alkaid, Microscopium and Pavonis which do not meet anymore our technical requirements in terms of uptime and line reliability and will be withdrawn at the end of November. AirVPN clients will automatically show new servers; if you use OpernVPN or some other OpenVPN frontend, you can generate all the files to access any server through our configuration/certificates/key generator (menu "Client Area" -> "Config generator"). Servers accept connections on ports 53, 80, 443, 1194, 2018 UDP and TCP. Just like all the other AirVPN servers do, Fang, Kruger and Sneden support OpenVPN over SSL and OpenVPN over SSH, TLS 1.2 and tls-crypt. Full IPv6 support is included as well. As usual no traffic limits, no logs, no discrimination on protocols, smart load balancing between OpenVPN daemons and hardened security against various attacks with separate entry and exit-IP addresses. You can check servers status as usual in our real time servers monitor: https://airvpn.org/servers/Fang https://airvpn.org/servers/Kruger https://airvpn.org/servers/Sneden Do not hesitate to contact us for any information or issue. Kind regards and datalove AirVPN Team

Hello! We're very glad to inform you that two new 1 Gbit/s servers located in Los Angeles (California, USA) are available: Groombridge and Teegarden. Note that Groombridge and Teegarden replace Heze and Persei which do not meet anymore our technical requirements in terms of uptime and line reliability and will be withdrawn at the end of November. AirVPN clients will automatically show new servers; if you use OpernVPN or some other OpenVPN frontend, you can generate all the files to access Groombridge and Teegarden through our configuration/certificates/key generator (menu "Client Area" -> "Config generator"). Servers accept connections on ports 53, 80, 443, 1194, 2018 UDP and TCP. Just like all the other AirVPN servers do, Groombridge and Teegarden support OpenVPN over SSL and OpenVPN over SSH, TLS 1.2 and tls-crypt. Full IPv6 support is included as well. As usual no traffic limits, no logs, no discrimination on protocols, smart load balancing between OpenVPN daemons and hardened security against various attacks with separate entry and exit-IP addresses. You can check servers status as usual in our real time servers monitor: https://airvpn.org/servers/Groombridge https://airvpn.org/servers/Teegarden Do not hesitate to contact us for any information or issue. Kind regards and datalove AirVPN Team

Hello! We don't, and anyway even if some service of ours listened to that port of our VPN servers exit-IP address, we would of course not forward packets to VPN nodes (!), if the customer did not require such thing. In this case that's what you did (you remotely forwarded inbound port 12103) so what you see is perfectly normal. Kind regards

Hello! Currently Netflix USA (and only USA) is accessible from our infrastructure, including UK servers, provided that you query VPN DNS. Kind regards

Hello! Stay tuned, we have planned to add one or two servers in Vancouver. Kind regards

@Gebi22 Hello! Please make sure that you have not defined specific filters that filter out all the servers. If the above is not the case, please open a ticket and include Eddie log taken just after the problem has occurred. In Eddie's "Log" view you can see a "Share" icon. After you have tapped it you can choose to send log via mail or share it in other ways. Kind regards