Everything posted by Staff

  1. @colorman Hello! Please note that Goldcrest commands are a superset of Hummingbird commands, so potentially you can use Goldcrest as if it were Hummingbird, but in a more robust architecture (just remember that Goldcrest must be run by a user in airvpn group, of course). Hummingbird is anyway included in the suite. In general, using Goldcrest and Bluetit is way simpler because you don't need to have pre-generated profiles (you can bypass the Configuration Generator completely) and much more secure because you don't need to run Goldcrest from a user that must be able to gain superuser privileges. Which issues did you experience exactly, if you don't mind? An uninstall script will be provided in the near future. In order to delete the programs and disable everything in a systemd based system enter the following commands (have root privileges):

         systemctl stop bluetit.service
         systemctl disable bluetit.service
         rm /etc/systemd/system/bluetit.service
         # goldcrest is in one of these two locations, depending on the installation
         rm -f /usr/local/bin/goldcrest /usr/bin/goldcrest
         rm /sbin/bluetit
         rm /etc/airvpn/*
         rm /etc/dbus-1/systemd/org.airvpn.*
         systemctl reload dbus.service

     Kind regards
  2. Hello! Yes, of course, it's plausible. OpenVPN runs in a single core so you will see load on one core only. AES New Instructions are nowadays well implemented in all desktop CPUs and SSL libraries such as OpenSSL are built to fully use them whenever possible. We hope so! 😎 On the server side we mitigate OpenVPN multi-threading lack by running multiple daemons. Each daemon "runs in a core" and our servers balance with a round robin algorithm the incoming client connections. Therefore a server can use all the cores. Although each client connects to a single daemon (except in special configurations such as https://nguvu.org/pfsense/pfsense-multi-vpn-wan/ ), of course, load balancing provides remarkable "distributed benefits" anyway. Kind regards
  3. Hello! We're very glad to introduce a new software suite for Linux which is ready for public beta testing. The suite includes the well known Hummingbird software, updated to the latest OpenVPN AirVPN library, and introduces for the first time a D-Bus controlled, real daemon, Bluetit, as well as a command line client, Goldcrest, to interact with Bluetit.

     UPDATE 11-Dec-2020: version 1.0.0 Beta 3 has been released.
     UPDATE 23-Dec-2020: version 1.0.0 RC 1 has been released.

     New architecture

     The client-daemon architecture we introduce for the first time in our software offers a more robust security model and provides system administrators with a fine-grained, very flexible access control. Bluetit is fully integrated with AirVPN. The daemon is accessed through a D-Bus interface by providing specific methods and interface in order to give full support to OpenVPN connection and AirVPN functionality, including - but not limited to - quick automatic connection to the best AirVPN server for any specific location as well as any AirVPN server or country.

     New OpenVPN 3 library features

     Starting from version 1.0 beta 2, Hummingbird and Bluetit are linked against a new version of our OpenVPN 3 library which supports directive data-ciphers: it can be used consistently with OpenVPN 2.5 syntax in OpenVPN profiles. The directive allows OpenVPN 3 based software to negotiate a common Data Channel cipher with the OpenVPN server, updating therefore our library to ncp-like negotiation with OpenVPN 2 branch. Hummingbird and Bluetit are already linked against the new library version, while Eddie Android edition will be updated in the near future.

     The new library also includes a different handling of IV_CIPHERS variable, fixing OpenVPN main branch issues causing a plethora of problems with OpenVPN 2.5. The implementation, at the same time, takes care of full backward compatibility with OpenVPN versions older than 2.5.

     ncp-disable directive, which to date has never been implemented in the main branch, is still supported, in order to further enhance backward compatibility with both OpenVPN profiles and servers, as well as connection flexibility with servers running older than 2.5 OpenVPN versions.

     Please note that if you enforce a specific Data Channel cipher by means of Bluetit configuration file, Hummingbird line option, or Goldcrest configuration file and/or line option, the enforced Data Channel cipher will override data-ciphers profile directive.

     Changelog 3.6.6 AirVPN by ProMIND

     - [ProMIND] [2020/11/02] openvpn/ssl/proto.hpp: IV_CIPHERS is set to the overridden cipher only (both from client and/or OpenVPN profile) in order to properly work with OpenVPN 2.5 IV_CIPHERS specifications. The old method of cipher overriding by means of negotiable crypto parameters is still supported in order to maintain compatibility with OpenVPN < 2.5.0
     - [ProMIND] [2020/11/24] added "data-ciphers" directive to profile config .ovpn files in order to comply to OpenVPN 2.5 negotiable data cipher specifications. In case "data-ciphers" is found in the .ovpn files IV_CIPHERS is assigned to the algorithms found in "data-ciphers". In this specific case, "cipher" directive is used as a fallback cipher and, if not already specified in "data-ciphers", is appended to IV_CIPHERS

     Coming soon

     When we get out of the beta testing, we plan to document Bluetit interface to let anyone write a custom client and talk with the daemon. Furthermore, Goldcrest will evolve in the near future and will include an ncurses based TUI which will be very comfortable when you don't want to rely on command line options while a new Bluetit client, based on Qt, will be developed in the future, for those who prefer a GUI.

     Notes on systemd-resolved

     Version 1.0.0 beta 2 and subsequent versions fix a serious issue on systemd based systems running concurrently systemd-resolved and network-manager, for example Fedora 33 in its default configuration. In Fedora 33 systemd-resolved comes pre-configured to work in "on-link" mode and network-manager works together with it. This very peculiar, Windows-like setup finally kills Linux global DNS handling, adding to it those so far missing DNS leaks which made every Windows user's nightmares more colorful. Any Microsoft system lacking the very concept of global DNS is now emulated, for an outstanding 30 years back time travel. However, Hummingbird and Bluetit take care of preventing the brand new DNS leaks potentially caused by such smart setup, giving back Fedora + VPN users more peaceful nights.

     Also note that systemd-resolved comes pre-configured with fallback DNS (Google DNS is a systemd-resolved default fallback DNS, smart choices pile up!) which will be queried if each interface DNS server fails some resolution. In such a case, if and only if you have Network Lock enabled DNS leaks will be prevented.

     Supported systems

     The suite is currently available for Linux x86-64, i686 (32 bit distributions), arm7l (for example Raspbian and other ARM 32 bit based systems) and aarch64 (ARM 64 bit). Please note that the source code will be published with the stable release as usual. The software will be licensed under GPLv3.

     Overview and main features

     AirVPN’s free and open source OpenVPN 3 suite based on AirVPN’s OpenVPN 3 library fork
     Version 1.0.0 Beta 2 - Release date 27 November 2020

     • Bluetit: lightweight D-Bus controlled system daemon providing full connectivity to AirVPN servers and generic OpenVPN servers
     • Goldcrest: Bluetit client, allowing full integration with AirVPN servers, users, keys, profiles as well as generic OpenVPN servers
     • Hummingbird: lightweight and standalone client for generic OpenVPN server connection
     • Linux i686, x86-64, arm7l and arm64 (Raspberry) support
     • Full integration with systemd, SysVStyle-init and chkconfig
     • No heavy framework required, no GUI
     • Tiny RAM footprint
     • Lightning fast
     • Based on OpenVPN 3 library fork by AirVPN version 3.6.6 with tons of critical bug fixes from the main branch, new cipher support and never seen before features
     • ChaCha20-Poly1305 cipher support on both Control and Data Channel providing great performance boost on ARM, Raspberry PI and any Linux based platform not supporting AES-NI. Note: ChaCha20 support for Android had been already implemented in our free and open source Eddie Android edition
     • Robust leaks prevention through Network Lock based either on iptables, nftables or pf through automatic detection
     • Proper handling of DNS push by VPN servers, working with resolv.conf as well as any operational mode of systemd-resolved additional features

     Full documentation: README.md

     Download links:

     • Linux x86-64: https://eddie.website/repository/AirVPN-Suite/1.0-RC1/AirVPN-Suite-x86_64-1.0.0-RC-1.tar.gz
     • Linux x86-64 sha512 check file: https://eddie.website/repository/AirVPN-Suite/1.0-RC1/AirVPN-Suite-x86_64-1.0.0-RC-1.tar.gz.sha512
     • Linux i686: https://eddie.website/repository/AirVPN-Suite/1.0-RC1/AirVPN-Suite-i686-1.0.0-RC-1.tar.gz
     • Linux i686 sha512 check file: https://eddie.website/repository/AirVPN-Suite/1.0-RC1/AirVPN-Suite-i686-1.0.0-RC-1.tar.gz.sha512
     • Linux arm7l: https://eddie.website/repository/AirVPN-Suite/1.0-RC1/AirVPN-Suite-armv7l-1.0.0-RC-1.tar.gz
     • Linux arm7l sha512 check file: https://eddie.website/repository/AirVPN-Suite/1.0-RC1/AirVPN-Suite-armv7l-1.0.0-RC-1.tar.gz.sha512
     • Linux aarch64: https://eddie.website/repository/AirVPN-Suite/1.0-RC1/AirVPN-Suite-aarch64-1.0.0-RC-1.tar.gz
     • Linux aarch64 sha512 check file: https://eddie.website/repository/AirVPN-Suite/1.0-RC1/AirVPN-Suite-aarch64-1.0.0-RC-1.tar.gz.sha512

     Please report bugs and any problem in this thread, thank you!

     Kind regards
     AirVPN Staff
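
The cipher-list rules stated in the 3.6.6 changelog of the post above, modelled as an added example; this is not code from the post or from the OpenVPN3-AirVPN library. The function names and the sample profile are hypothetical, and the case of a profile with no data-ciphers and no enforced cipher returns None because the post does not describe it.

```python
# Added example: models the IV_CIPHERS rules described in the changelog.
# Names are hypothetical; the sample profile is constructed.

SAMPLE_PROFILE = """\
# constructed sample profile (no keys or certificates)
client
dev tun
proto udp
cipher AES-256-CBC
data-ciphers CHACHA20-POLY1305:AES-256-GCM
"""


def parse_directives(profile_text):
    """Return (data_ciphers list, cipher or None) read from .ovpn text."""
    data_ciphers, cipher = [], None
    for raw in profile_text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":  # blank line or OpenVPN comment
            continue
        parts = line.split()
        if parts[0] == "data-ciphers" and len(parts) > 1:
            data_ciphers = [c.upper() for c in parts[1].split(":") if c]
        elif parts[0] == "cipher" and len(parts) > 1:
            cipher = parts[1].upper()
    return data_ciphers, cipher


def iv_ciphers(profile_text, enforced=None):
    """Colon-separated cipher list the client would offer, per the post.

    enforced: a cipher forced by client option or configuration file.
    """
    data_ciphers, cipher = parse_directives(profile_text)
    if enforced:
        # An enforced cipher overrides data-ciphers: only that cipher is offered.
        return enforced.upper()
    if data_ciphers:
        offered = list(data_ciphers)
        # "cipher" is the fallback, appended only if not already listed.
        if cipher and cipher not in offered:
            offered.append(cipher)
        return ":".join(offered)
    return None  # behaviour without data-ciphers is not described in the post


if __name__ == "__main__":
    print(iv_ciphers(SAMPLE_PROFILE))
    print(iv_ciphers(SAMPLE_PROFILE, enforced="AES-128-GCM"))
```
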
  4. @Shiver Me Whiskers Hello! The previous record did not last long, apparently. If you don't mind, which connection protocol, cipher and port did you pick? Kind regards
  5. @jeuia3e9x74uxu6wk0r2u9kdos @korsko @Overkill Hello! Both AirVPN software for macOS, Eddie and Hummingbird, enforce Network Lock via pf rules, therefore nothing changes and leaks prevention stays as effective as usual even in macOS Big Sur. Kind regards
  6. @zsam288 Thanks, fixed. Kind regards
  7. Version 2.19.6 (Thu, 12 Nov 2020 13:01:54 +0000)

     [change] Windows 7/8: OpenVPN 2.5.0 in bundle
     [change] Absence of SSH or SSL log level from Warning to Info
     [bugfix] Fixed an elevation issue with sudo in CLI mode
     [bugfix] Windows: Error VCRUNTIME140_1.dll in some environment.
  8. @mith_y2k Hello! You can simply re-start Hummingbird with the option you mention. Enjoy CHACHA20! Kind regards
  9. @sooprtruffaut Hello! It is implemented already on all servers supporting CHACHA20-POLY1305 on Data Channel, i.e. all servers running OpenVPN 2.5. Please check the schedule in the first message. Kind regards
  10. @mazeman23 Hello! OpenVPN 2.5_git you're running seems to not support data-ciphers, or the directive argument(s) is/are missing or illegal. Changing basic options on the run between beta, RC and stable versions seems not infrequent in OpenVPN development. Can you please re-check the OpenVPN version you're running? If it's really OpenVPN 2.5 stable, check the configuration file that Eddie generates (in "Stats" window double click the item pertaining to the generated OpenVPN profile), and examine the "data-ciphers" line (send the config to us as well if in doubt, cut certificates and keys). @harold.lewis "SSL not available" is what Eddie prints when it can't find stunnel (yes, it's a weird way to say it). Kind regards
  11. @dragoworld235 Hello! Yes, please open an issue in our git. Do you want to open an issue for OpenVPN3 main branch too because you see the very same problem with latest "OpenVPN for Android" when it is configured to work with OpenVPN3? Kind regards
  12. @buthowcome Hello! Yes, correct: if your CPU and system support AES-NI, you will have higher performance with AES. Kind regards
  13. @buthowcome Hello! We can't be sure and we can't rule it out. Try to switch to TCP and check whether performance improves or not. For the quick connection, open "Settings" > "AirVPN" > "Default protocol" and set it to "TCP". Then set "Quick connection mode" to "Use default options only". If you don't use quick connection, in order to force TCP on the server specific connections, tap the gearbox, open "Protocol" and select "TCP". Kind regards
  14. @Bilru Hello! A month ago a long time customer of ours from Egypt told us that protocol TCP to port 443 of entry-IP address three is the quickest way he found to bypass Egypt ISP blocks. Worth a try, probably that connection mode is still effective. It would save you the overhead caused by an additional tunnel. Kind regards
  15. @dragoworld235 Hello! Changing Eddie to make it run OpenVPN 2 is a problematic matter, because OpenVPN 2 is not a library, while OpenVPN3 is. By avoiding to run an external binary Eddie Android edition complies to security best practices as well as Google requirements in latest API. Anyway OpenVPN3-AirVPN library is not OpenVPN3. It's a fork which is 90 commits ahead of OpenVPN:master and had many important bugs fixed. An updated Eddie Android edition using our latest library version might be a Christmas present to you all, while you will see very soon an updated Hummingbird (which also calls OpenVPN3-AirVPN library) for Linux and macOS. Kind regards
  16. @samaw80 Hello! We apologize for the inconvenience, which has been caused by Apple notarization. You can quickly resolve the issue by downloading and running Eddie 2.19.5. To do that, in Mac download page https://airvpn.org/macos click the button "Click here" just under the sentence: If you run older than macOS Catalina systems, please download latest Eddie 2.19 beta version You will be brought back to the download page, pointing to Eddie 2.19.5 and its specific notarization for systems older than Catalina. Kind regards
  17. @sooprtruffaut Thank you! In which system do you need CHACHA20 for performance improvement? Kind regards
  18. Hello! We're sorry, it's not yet implemented. You can already test CHACHA20 from Eddie Android edition and Hummingbird, anyway, not only from OpenVPN 2.5. If you have any issue please let us know. Kind regards
  19. @Shiver Me Whiskers Hello! Yes, today Eddie 2.19.5 with wintun support for Windows was also released. 😎 Thank you, enjoy AirVPN! Kind regards
  20. Version 2.19.5 (Wed, 04 Nov 2020 11:22:24 +0000)

      [bugfix] Minor bugfixes
      [bugfix] Occasionally wrong order in DNS restoring
      [change] OpenVPN 2.5.0 - Hummingbird 1.1.0
      [change] Minor changes

      The primary objective of this version is OpenVPN 2.5.0. Other issues are still under investigation, thx. AUR (Arch repository) will be updated ASAP.
  21. Hello! Thank you! No, "Line issue" may hint to other problems as well. We will try to be more precise in the future by editing by hand the status. Now all the servers in Maidenhead are fully operational. Kind regards
  22. Hello! We're very glad to announce all VPN servers progressive upgrade to Data Channel CHACHA20-POLY1305 cipher and TLS 1.3 support.

      UPDATE 18-Nov-2020: upgrade has been completed successfully on all AirVPN servers.

      The upgrade requires restarting OpenVPN daemons and some other service. Users connected to servers will be disconnected and servers during upgrade will remain unavailable for two minutes approximately. In order to prevent massive, simultaneous disconnections, we have scheduled a progressive upgrade in 15 days, starting from tomorrow 5 Nov 2020. Please see the exact schedule at the bottom of this post, in the attached PDF file. Servers marked as "OK" have been already upgraded and you can use CHACHA20-POLY1305 with them right now.

      When should I use CHACHA20-POLY1305 cipher on OpenVPN Data Channel?

      In general, you should prefer CHACHA20 over AES on those systems which do not support AES-NI (AES New Instructions). CHACHA20 is computationally less onerous, but not less secure, than AES for CPUs that can't rely on AES New Instructions. If you have an AES-NI supporting CPU and system, on the contrary you should prefer AES for higher performance.

      How can I use CHACHA20-POLY1305 on AirVPN?

      CHACHA20-POLY1305 on Data Channel is supported by OpenVPN 2.5 or higher versions and OpenVPN3-AirVPN library.

      In Eddie Android edition, open "Settings" > "AirVPN" > "Encryption algorithm" and select CHACHA20-POLY1305. Eddie Android edition will then filter and connect to VPN servers supporting CHACHA20-POLY1305 and will use the cipher both on Control and Data channels.

      In our web site Configuration Generator, after you have ticked "Advanced Mode", you can pick OpenVPN version >=2.5, and also select "Prefer CHACHA20-POLY1305 cipher if available". If you're generating a configuration file for Hummingbird, select OpenVPN3-AirVPN: the configuration file needs to be different, because some new directives of OpenVPN 2.5 are not supported in OpenVPN3, and Hummingbird is based on OpenVPN3-AirVPN.

      In Eddie desktop edition, upgrade to 2.19.6 version first. Then select the above mentioned option. However, most desktop computers support AES-NI, so make sure to check first, because using CHACHA20-POLY1305 on such systems will cause performance harm when you go above 300 Mbit/s (if you stay below that performance, probably you will not notice any difference). Also note that if your system does not have OpenVPN 2.5 or higher version you will not be able to use CHACHA20-POLY1305.

      If you wish to manually edit your OpenVPN 2.5 profile to prefer CHACHA20 on Data Channel when available:

      • delete directive cipher
      • add the following directive: data-ciphers CHACHA20-POLY1305:AES-256-GCM

      Pending Upgrade Server Schedule

      Kind regards and datalove
      AirVPN Staff
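
The manual profile edit from the post above, combined with its "check for AES-NI first" advice, as an added example that is not part of the original post or of any AirVPN tool. The helper names and sample inputs are hypothetical and constructed; treating the `aes` entry of an ARM `Features` line like the x86 `aes` flag, and replacing an already present data-ciphers line, are assumptions.

```python
# Added example: hypothetical helper names; all sample inputs are constructed.
# On Linux the real CPU text can be read from /proc/cpuinfo.

SAMPLE_PROFILE = """\
client
dev tun
proto udp
cipher AES-256-GCM
verb 3
"""
CPUINFO_WITH_AES = "processor\t: 0\nflags\t\t: fpu sse2 ssse3 aes avx\n"
CPUINFO_WITHOUT_AES = "processor\t: 0\nFeatures\t: half thumb vfp edsp neon\n"

# The directive given in the post for OpenVPN 2.5 profiles.
PREFERRED = "data-ciphers CHACHA20-POLY1305:AES-256-GCM"


def cpu_has_aes(cpuinfo_text):
    """True if a flags/Features line lists hardware AES support."""
    for line in cpuinfo_text.splitlines():
        key, _, value = line.partition(":")
        if key.strip().lower() in ("flags", "features") and "aes" in value.split():
            return True
    return False


def prefer_chacha20(profile_text, cpuinfo_text):
    """Return the profile text, edited only when the CPU lacks hardware AES."""
    if cpu_has_aes(cpuinfo_text):
        return profile_text  # AES is the faster choice here; leave as is
    out, placed = [], False
    for line in profile_text.splitlines():
        words = line.split()
        if words and words[0] in ("cipher", "data-ciphers"):
            # Drop the old directive; put the new one where the first one stood.
            if not placed:
                out.append(PREFERRED)
                placed = True
            continue
        out.append(line)
    if not placed:
        out.append(PREFERRED)
    return "\n".join(out) + "\n"


if __name__ == "__main__":
    print(prefer_chacha20(SAMPLE_PROFILE, CPUINFO_WITHOUT_AES))
```
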
  23. Hello! They are not down, they are in "yellow state" for aggressive DDoS. The anti-DDoS filter works, but sometimes filters out even proper connections, so we prefer to recommend different servers. It's up to you, the servers are not closed and accept connections in all modes. If you experience issues, it's the anti-DDoS filter. The datacenter will lift the filter when the attack ceases (the only alternative is null-routing the servers IP addresses, in such a case the servers will be of course completely closed). Kind regards
  24. Hello! It's the Data Channel key re-negotiation over the Control Channel via Diffie-Hellman Exchange. See also Perfect Forward Secrecy: https://en.wikipedia.org/wiki/Forward_secrecy You can lower the re-negotiation time on your client side with directive reneg-sec n, where n is in seconds, but you can't increase it and you can't disable forward secrecy (anyway you don't want to disable it). OpenVPN re-negotiates Data Channel key by using overlapping time windows. During the negotiation, the previous key is used for any packet flow, so you will not notice any communication breakdown. When the message "killed expiring key" appears, it means that the negotiation completed successfully and the previous key is not used anymore. AirVPN uses unique DH keys. Each VPN server has a different and unique key. DH key size is 4096 bit. Kind regards
  25. Hello! Not by itself, but you can connect Hummingbird locally after you have established a tunnel by stunnel to our servers. In order to do so please see here: https://airvpn.org/ssl/ Please test connections in TLS Crypt and TCP first. TLS Crypt, combined with TCP, has mainly made OpenVPN over stunnel obsolete: it has the same block circumvention abilities and provides higher performance. Only if TLS Crypt fails test OpenVPN over stunnel (if it fails too, test OpenVPN over SSH). https://airvpn.org/ssh Note: if you are not in a restrictive network do not add a second tunnel, which decreases performance, and work in UDP, which is more efficient for OpenVPN. Kind regards