
Everything posted by Staff

  1. Hello, we wish (in our setup, we mean) that stunnel accepts any connection to bypass restrictions, even when it will have certificate replacement and therefore it is subjected to MITM exploits. The integrity and data security layer is ensured by the underlying OpenVPN tunnel. stunnel is not there to add anything to security when you use OpenVPN over SSL, it is there to try to punch a hole in the filters through which OpenVPN can establish its tunnel. Kind regards
  2. @idealist You don't understand. With static IP addresses stored on the servers you map uniquely and permanently an IP address to a user. Once that IP address is discovered (no need to crack the server, as we wrote) the correlation is done because we know which user always has that IP address, even if we don't log traffic, and we would give away the information under a court order. Which is exactly what go558a83nk already explained to you. This is not possible with OpenVPN, as the dynamic IP addresses are never correlated to a user once the session is over, they are lost. So if the attacker asks "who has that IP address?" with OpenVPN in our setup we don't know, while with Wireguard in the current (at the time of writing) stage of development we would know. If now or in the future Wireguard will allow dynamic addresses assignments, so that no address must be stored permanently for any client, the problem is resolved, but at the time we wrote the article it was not. Kind regards
  3. The issue has been already explained: the keys and the internal IP addresses are all on the server, and they are on every and each server. They can be used to correlate specific targets and disclose their identities, while on our current setup that's not possible. It makes a world of difference when you consider threat models in which VPN users are specifically targeted. Maybe you don't understand the importance of this menace because you wrote: which is correct in our setup, but incorrect in Wireguard setup. The attacker CAN get the internal IP address via WebRTC for example and: 1) in our setup he/she does not correlate the internal IP address with the client key 2) in Wireguard setup he/she does Once that's done the attacker may obtain legally (via a court order) the payment data of the user because it can ask us which user is linked to a single IP address (and also the user key for subsequent forensic evidence). Since the VPN IP address is static and unique, we would be of course forced to comply. We wish to underline for the last time that the problem has been acknowledged by developers and we had been told that it would be resolved. Kind regards
  4. True, so what? It is not the point we made: having all the keys of all users on each VPN is the core privacy and security issue, while having to map statically the addresses of tens or hundreds of thousands of clients is the core operational issue in this case. Having no TCP is a different problem for different reasons (because of systematic Net Neutrality violations). According to stats voluntarily provided by users, at least 50% of VPN users complain about UDP shaping and/or blocking by their ISPs in "Western" countries, and the percentage seems higher in other countries. OpenVPN not only supports TCP for the Data Channel, but also allows tls-crypt, which is important when the VPN software fingerprint detection is used to break the connection, which is routinely enforced by many ISPs especially in mobility. By the way, as we repeatedly stated, the first problem we have addressed is being worked on according to what devs told us, while it's not ruled out that Wireguard will support TCP in the future (an external software is also available right now, but of course we prefer native TCP support). Last but not least, we are confident that obfuscation too is being studied since when we tested the software (another mandatory feature for our customers for the aforementioned reasons), as well as connections to SOCKS or HTTP proxies (yet another essential feature for all of our customers who work behind some proxy) so let's see what comes out when a stable version is released. Kind regards
  5. You can see the obvious difference. In our setup the attacker needs to wait for a connection to that server from a customer to try to wiretap the private key, while with Wireguard the attacker gets at once all the keys of all the users even when the server is offline. Furthermore we would need to map on every and each server statically tens of thousand IP addresses and keys, which is unacceptable. The fact that the IP addresses are local to the VPN is irrelevant and obvious and does not change anything about the privacy problems we mentioned. There could be a workaround to the problem, but we have been told that the problem will be resolved before Wireguard gets out of the beta phase, so it's useless to study the implementation of a workaround during the beta testing as the authors will implement a solution. That's not what we needed / asked for. If now Wireguard supports TLS pre-auth (important for us for trivial reasons) and certificate verification on a TCP control channel that's excellent but it was not available when we wrote the article. Kind regards
  6. Hello! No it doesn't. Our VPN servers do not store clients keys (and have never kept them). At the time the article was written, with Wireguard you needed to pre-map the VPN IP addresses for clients on each server. That's unacceptable. Of course a VPN is not meant to provide you with an anonymity layer so we add a series of essential features which could not be replicated with Wireguard when the post you refer to was written. We have been told that the mentioned problem will be resolved before a stable version is released. Same thing with client/server authentication, if both pre-auth (what OpenVPN calls "TLS Auth" or "TLS Crypt") and client/server certificate verification in TCP have been implemented in the meantime, we welcome them, but they were anyway NOT available at the time the article you refer to was written. Kind regards
  7. Hello! We're very glad to inform you that a new 1 Gbit/s server located in São Paulo, BR, is available: Lalande. The AirVPN client will show automatically the new server. If you use the OpenVPN client you can generate all the files to access it through our configuration/certificates/key generator (menu "Client Area"->"Config generator"). The server accepts connections on ports 53, 80, 443, 1194, 2018 UDP and TCP. Just like every other "second generation" Air server, Lalande supports OpenVPN over SSL and OpenVPN over SSH, TLS 1.2 and tls-crypt. Full IPv6 support is included as well. As usual no traffic limits, no logs, no discrimination on protocols and hardened security against various attacks with separate entry and exit-IP addresses. You can check the server status as usual in our real time servers monitor: https://airvpn.org/servers/lalande Do not hesitate to contact us for any information or issue. Kind regards and datalove AirVPN Team
  8. Hello, we might implement a filtering at VPN DNS level. It's not a trivial decision because it is an attack to Net Neutrality and a violation of our network agnosticism. Once you start selecting content, you are no more necessarily protected by liability exemptions on the behavior of your users. You also set a precedent and you can potentially be forced (legally) to implement wider filtering systems. Our purpose has always been providing our users with a network that's as neutral as possible. Kind regards
  9. Hello! We do not enforce any "cap". You can also see from the tables in the status page that 125 Mbit/s is a performance which is easily beaten. The fact that you experience a constant and exact cap with every and each VPN server, and therefore with different tier1 and tier2 transit providers, hints obviously to a cap inside your network (your very local one network, or your ISP's). https://airvpn.org/status Kind regards
  10. Hello! We're glad to inform you that we are finalizing the beta testing phase of our free and open source software Eddie for Android version 2.3.

     You can participate in testing by joining the beta community in the Google Play Store here: https://play.google.com/apps/testing/org.airvpn.eddie

     You can also download the Eddie Android 2.3 beta 2 apk directly from our repository: https://eddie.website/repository/eddie/android/2.3beta2/org.airvpn.eddie.apk

     The application is fully localized and we look for translators, especially for translations into Japanese, Korean and other languages. If you wish to translate (from English) please contact info@airvpn.org for every detail. Available languages: Chinese (simplified), Chinese (traditional), Danish, Dutch, English, French, German, Italian, Portuguese, Spanish, Russian, Turkish.

     Eddie for Android is free and open source software released under GPLv3. We invite you to check from independent 3rd parties the lack of trackers code signatures, for example here: https://reports.exodus-privacy.eu.org/en/reports/search/org.airvpn.eddie

     New in version 2.3:

       • Disabled data backup on uninstall
       • Server statistics shown in Favorite/Forbidden/Countries & Servers groups
       • Logout drops user credentials
       • Native library updated to the latest openvpn3, lz4, mbedtls and asio commits
       • Minor bug fixes
       • See changelog at the end of this post for a complete list

     Main features:

       • Free and open source OpenVPN GUI based on OpenVPN 3
       • The only Android application officially developed by AirVPN
       • Robust, best effort prevention of traffic leaks outside the VPN tunnel
       • Battery-conscious application
       • Low RAM footprint
       • Ergonomic and friendly interface
       • Ability to start and connect the application at device boot
       • Option to define which apps must have traffic inside or outside the VPN tunnel through white and black list
       • Localization in simplified and traditional Chinese, Danish, English, French, German, Italian, Portuguese, Russian, Spanish, Turkish
       • Full integration with AirVPN
       • Enhanced security thanks to locally stored encrypted data through master password
       • Quick one-tap connection and smart, fully automated server selection
       • Smart server selection with custom settings
       • Manual server selection
       • Smart attempts to bypass OpenVPN blocks featuring protocol and server fail-over
       • Full Android TV compatibility including D-Pad support. Mouse emulation is not required.
       • Enhancements aimed to increase accessibility and comfort to visually impaired persons
       • AirVPN servers sorting options
       • Customizable "Favorite" and "Forbidden" servers and countries
       • OpenVPN mimetype support to import profiles from external applications
       • Multiple OpenVPN profile support. The app now imports and manages multiple OpenVPN profiles
       • Support for custom bootstrap servers
       • Support for favorite and forbidden countries
       • AirVPN broadcast messages support
       • User's subscription expiration date is shown in login/connection information
       • The app is aware of concurrent VPN use. In case another app is granted VPN access, Eddie acts accordingly and releases VPN resources
       • Optional local networks access. In such case, local network devices are exempted from the VPN and can be accessed within the local devices
       • Localization override. User can choose the default language and localization from one of the available ones
       • Favorite and forbidden lists can be emptied with a single tap
       • VPN Lock can now be disabled or enabled from settings
       • VPN reconnection in case of unexpected OpenVPN disconnection. (It requires VPN Lock to be disabled)
       • User can generate an OpenVPN profile for any AirVPN server or country and save it in OpenVPN profile manager
       • Server scoring algorithm implementing the latest AirVPN balancing factors in order to determine the best server for quick connection
       • Network name and extra information are shown along with network type
       • Device network status management

     Kind regards & datalove
     AirVPN Staff

     Changelog 2.3 beta 2 (VC 22) - Release date: 27 June 2019 by ProMIND

     - [ProMIND] About page and webview function now point to https://airvpn.org
     - [ProMIND] Updated native library with the latest sub-project branches and releases

     AirVPNUser.java
     - [ProMIND] getOpenVPNProfile(): AES-256-GCM is now the default cipher

     MainActivity.java
     - [ProMIND] Language override is reported to the application log

     OpenVPNTunnel.java
     - [ProMIND] improved connection error handling
     - [ProMIND] removed doRun() method. Method's body moved to run()

     VPN.java
     - [ProMIND] Added CONNECTION_ERROR to Status enum

     VPNService.java
     - [ProMIND] Added method handleConnectionError()

     Changelog 2.3 beta 1 (VC 21) - Release date: 17 May 2019 by ProMIND

     AndroidManifest.xml
     - [ProMIND] set android:allowBackup and android:fullBackupOnly to false

     airvpn_server_listview_group_item.xml
     - [ProMIND] added server statistics layout

     ConnectAirVPNServerFragment.java
     - [ProMIND] AirVPNServerExpandableListAdapter.GroupListViewHolder: added server statistics items
     - [ProMIND] AirVPNServerExpandableListAdapter.getGroupView(): added server statistics items to HEADER and GROUP types
     - [ProMIND] createGroupList(): compute server statistics for HEADER and GROUP types

     AirVPNUser.java
     - [ProMIND] getUserLocation(): set connection timeout to SupportTools.HTTP_CONNECTION_TIMEOUT
     - [ProMIND] getUserLocation(): set read timeout to SupportTools.HTTP_READ_TIMEOUT
     - [ProMIND] logout(): user name, password and current profile are set to empty and forgetAirVPNCredentials() is called

     native library
     - [ProMIND] updated to the latest openvpn3, lz4, mbedtls and asio commits

     manifest.xml
     - [ProMIND] updated to the latest document
  11. Hello! To all: is anybody else experiencing blocks from AT&T and/or Wave Broadband? @DieWurst Please feel free to open a ticket at your earliest convenience, if you haven't already done so. Kind regards
  12. Hello! You can't. TLS 1.3 will be supported starting from OpenVPN 2.4.7 in the near future. Quite irrelevant for OpenVPN currently, but stay tuned. TLS 1.3 is available on all of our web servers, where it is not irrelevant at all. Kind regards
  13. Hello! The Servers view settings are specific to the servers, while the Settings view include options for the quick connect (full auto) mode. Also note that in the Settings view you have the option to bypass the protocols chosen by the full auto mode. Kind regards
  14. Hello! Please make sure to check the ticket you opened just in case you did not receive the courtesy e-mail, or simply you did not enter an existing and valid e-mail address. Trial requests are satisfied, according to availability, in 1 - 48 hours usually. Kind regards
  15. Hello! What allegations are correct? For "correct" do you mean at least pressed as charges by a prosecutor? Otherwise your claims are unsubstantiated and play as a part of the smear campaign itself. Because, and it is worth to repeat it, none of the allegations that tried to frame Jacob Appelbaum (WikiLeaks, Tor Project advocate), Trevor Fitzgibbons (Edward Snowden PR, publisher, WikiLeaks PR), Julian Assange (WikiLeaks), Nadim Kobeissi (Cryptocat) and Peter Todd (Bitcoin Core former developer) as serial rapists arrived at any court, and no prosecutor pressed charges against any of them so far. It is also worth noting that the campaigns to make Appelbaum, Kobeissi and Todd appear as rapists started from claims of the same person (Isis Agora Lovecruft), and that Peter Todd has sued Isis for defamation. According to Todd's lawyers, Isis Agora Lovecruft wanted that Todd condemned some person she was accusing of rape publicly, which is an infamous trick to re-inforce a smear campaign: have a third-party condemning the alleged acts of some person before any charges are brought against that person and before any allegation verification goes through a due process with presumption of innocence and a fair trial. When Todd refused to condemn publicly that person (probably Kobeissi), Isis Agora Lovecruft accused EVEN Todd of rape and sexual assault: https://bitcoinwarrior.net/2019/04/former-bitcoin-core-developer-peter-todd-faces-rape-allegations-refutes-with-defamation-suit/ So Isis is accusing three different persons (Appelbaum, Kobeissi and Todd) of very serious crimes and currently none of them has had charges pressed against (so they did not even need to defend in a court, so far). Anyone who forgets presumption of innocence commits a paramount mistake that weakens human rights and strengthens the intelligence tactics based on smear campaigns since a century ago. 
The readiness through which some people in the "Western countries" are eager to forget the most fundamental rights is very dangerous and must be fought relentlessly, without any tiny hesitation. Further references: https://contraspin.co.nz/freeing-julian-assange-part-one/ Kind regards
  16. Hello! It's a bug by Eddie which checks the IPv6 routes even with OpenVPN versions older than 2.4, when our servers refuse to push IPv6 to those versions. You have two available, alternative solutions: 1) Upgrade OpenVPN to version 2.4 or higher (latest stable version is 2.4.7). Recommended solution. 2) Alternatively, set the "IPv6 layer" combo box to "Block". You can find it in the "Preferences" > "Networking" window. You will renounce to IPv6 but Eddie will connect at least and you will not need to upgrade OpenVPN. Kind regards
  17. @NormG1 Hello! It's just HTML5 geo-location: https://www.w3schools.com/html/html5_geolocation.asp HTML5 exists since 2014 and ipleak.net has this feature since then, so no news here. Do not enable HTML5 geo-location, or disable it if you have already done so. All browsers come with it disabled by default as far as we know. Kind regards
  18. Hello! Well everything seems fine. Frankly we don't see any source of confusion: the web browser geo-location has a button to activate when the browser is configured to not reveal it. Kind regards
  19. @NormG1 Hello! Such a strange bug that it's capable to detect your location? Doesn't sound like a bug at all. "Geo-location detection" field in ipleak.net involves HTML5. Make sure to disable it on the browser. WebRTC has nothing to do with it. Kind regards
  20. Thanks. Anyway we have never published twice the same thing. A quick note on unsubstantiated claims about Assange or Manning published even in this thread, meaning that disinformation pollution is still widespread. For example Encrypted's nonsense about Assange's "odd loyalties towards the enemies of liberal democracy." is curious. It's a sentence that propaganda actors are trained to put down against Assange and others in an obsessive, coordinated way to trigger repetition by message recipients according to a well known psychological effect. Coordination and psychology tactics have refined since when smear campaigns were conducted against, say, Martin Luther King or Nelson Mandela. Just to make an example which is straight in front of our faces, check Tor Project and the smear campaign against Jacob Appelbaum, based on sexual assaults claims which were never proven (and not even brought to a court), similarly to smear campaign against Assange. They caused a damage to Tor Project, especially because they lost their most valuable asset, even after their "internal investigation", but the real target was someone with high profile who dared to work with WikiLeaks. A clear, intimidatory message to the whole community. By the way, when we sponsored Tor Project and OONI we were criticized exactly because we supported an organization whose a leading actor was a "potential rapist". Can you see how powerful and pervasive smear campaigns have become? They are so pervasive that even small companies like ours are noted and addressed when supporting someone or something that's defamed. Of course, the fact that the allegations against Mr. Appelbaum never became formal, legal charges of anything were not noticed by those "critics", and did not change the fact that we were pressured to not donate to Tor Project. We wonder what those persons full of shit have to say nowadays (probably nothing because they have no sense of dignity, just like those who smear Assange now). 
If you consider that such pressures are brought against small companies like ours that provide negligible donations when compared to Tor financing, you can have a more accurate picture about the pervasiveness and extent of smear campaigns and how people are willing to renounce to the principle of presumption of innocence when it pertains to the target of a smear campaign. It's important to note that those smear campaigns target even you, us and everybody using or offering easy to use encryption services, because they are all born from the identical, very same political agenda. Maybe you can remember after the Paris attacks that the CIA said that those who offer encryption services on the Internet and those who instruct how to use those services have "blood on their hands" (if you don't, check here for example https://www.latimes.com/opinion/op-ed/la-oe-1126-greenwald-snowden-paris-encryption-20151126-story.html ). It is imperative that more and more people get their heads out of their asses and look at the bigger picture, at least to slow down the progressive dismantling or co-opting of any and each service which is not compliant to the wishes of the so called "deep state". Kind regards
  21. Hello, passwords are stored encrypted in our database. As far as it pertains to your considerations on password exchange, are you trolling? If not, we will leave the task to explain why you have derailed to some person of good will, however it's difficult to explain when you lack even the basics of the matter. In the meantime rest assured that password exchange is performed according to the state of the art. Kind regards
  22. Hello! An important work is ongoing, both on Eddie AND new software, and both have high priority. Please be patient. Kind regards
  23. @zhang888 Hi! Re: Snowden On top of what you say, Snowden never forgot the people who saved his life and vigorously tries to defend them with the weight of his reputation and making the world aware of their conditions, including Julian Assange, who played an extraordinary role, and the brave family with children who sheltered him in Hong Kong while he was hunted (they are still persecuted for that). https://twitter.com/SCMPNews/status/1133498183391125504 The Courage Foundation, created by WikiLeaks and strongly wanted by Assange as well, is still funding Snowden too. Trust advisers of the Courage Foundation include John Pilger, Daniel Ellsberg, Renata Avila, the Pussy Riot, Annie Machon... https://www.couragefound.org/who-we-support/ It's hard to make a distinction on moral grounds between Snowden and Manning. As Snowden explains here: https://edwardsnowden.com/frequently-asked-questions/#why-snowden-did-not-voice-complaints-within-the-system following internal intelligence channels would have been pointless in his case. Even more so for Manning, as her denounces pertained not only to highly illegal activities as revealed by Snowden, but even on war crimes including deliberate assassinations of journalists and children and torture which was known and approved by the highest levels not only of the Intelligence, but by the leaders of a country. An important difference between Snowden and Manning and Assange on the perception by the public opinion is that the concerted smear campaign to "assassinate characters" has been more effective against Manning and Assange. In the case of Snowden, it succeeded only in insinuating the macroscopic lie according to which Snowden would not have given credit to Assange in his extraordinary and courageous journalistic role and his decisive actions to save Snowden's life https://www.youtube.com/watch?v=ooC8DOW1TBk, but this lie was quickly exposed by Snowden himself and other real journalists. 
Snowden also claimed that his decision to cooperate with Greenwald and not WikiLeaks does not mean in any way that WikiLeaks is NOT a totally legitimate model. It is also mandatory to remember, in honor of Chelsea Manning, that she resisted months of brutal torture and years of imprisonment (she is again in jail now) aimed to force her to lie and fabricate accusations against Assange. Even Assange was and is victim of various infringement of human rights, as the United Nations found with the reports from the Arbitrary Detention Working Group, and the findings of the Special Rapporteur on Torture, including arbitrary detention https://www.ohchr.org/EN/NewsEvents/Pages/DisplayNews.aspx?NewsID=17012&LangID=E , torture, vilification of human dignity through countries ganging up and denial of access to medical support. https://www.ohchr.org/EN/NewsEvents/Pages/DisplayNews.aspx?NewsID=24665&LangID=E Therefore, it's enigmatic to show respect to Snowden and not to Manning, and/or to Snowden and not to the man who saved his life. But then again, this might be just another success of the huge smear campaigns. Here we might have had a misunderstanding, our bad. We will keep in touch in private to understand whether you want the publication or not.  True. Our mission is clear https://airvpn.org/mission and of course it does not imply neutrality when we come to defend privacy, freedom of speech, freedom to access and impart information, which are all fundamental rights. Our neutrality pertains of course to keep our infrastructure protocol agnostic. We also do not intervene lightly. We must have absolute certainty and excellent documentation before we intervene. You will have noticed that since 2012 and up to April 2019 we had never taken a position about Assange. Honest, declared partiality toward defense of specific human rights and high transparency are, in our opinion, a good feature of AirVPN. 
So far, we think that AirVPN is a fairly good example of how a business can be conducted in a totally ethic way and can be successful without relying on marketing fluff. Kind regards
  24. Hello! Yes, please open a ticket. A suspension from the VPN can mean some payment trouble you might be even unaware of. Further investigations are due. Same for suspensions from the forum: permanent suspensions from the forum are caused 100% by spam (ads about pills, pharma, links of any type etc.) and often we find that the suspended person did not have any idea that a spambot was running in his/her system. Kind regards
  25. Thank you, we understand the problem you face. It can be easily solved by following exclusively the RSS feed of our "News" forum. In the "News" forum you will find what you need without side content interfering with info purely related to internal AirVPN matters. Original AirVPN founders bound AirVPN activities to a clear mission https://airvpn.org/mission It does, in ways that are not obvious, but surface when you put all the pieces together. The outcome of the coordinated efforts to limit the activities of services like ours, as well as other services aimed at enhancing privacy and/or freedom of expression, through different plans including putting an end to effective encryption for everyone, has anyway become visible in the last 12-15 months, we talked about it recently in "News". Also, we must not forget how certain technical decisions which directly and beneficially impacted our customers, for example 4096 bit DH keys and our decision to not use ECC in OpenVPN, are direct consequences of what we know even thanks to WikiLeaks, and not random decisions which turned out to be great for some incredible series of strokes of luck. We are very sorry if you got this impression. It has nothing to do with that, it's rather a normal action to comply to AirVPN mission. While it's true that in the past most actions compliant to our mission had a good marketing side effect, the purpose with which they are performed is not for business. On the other hand, it's also true that when someone accepts to support AirVPN, he/she sees that the mission statement is quite different from any other VPN service on Earth. Apple and oranges, as Snowden is a whistleblower and Assange a journalist and a publisher. It's worth noting that it's very much possible that Snowden would have disappeared, or at least tortured and imprisoned in terrible conditions, if Assange did not intervene. 
It's possible that Assange intervention saved Snowden life, according to the public documentation available. It's also worth noting that Chelsea Manning contacted both the New York Times and the Washington Post, and they were "uninterested" in her revelations, or too scared to publish them. Manning ended up to WikiLeaks only because the NYT and the WP did not have the care to go deeper into material checking and the courage Assange both had. That's very interesting. Please feel free to elaborate on how our political viewpoint could possibly be hidden as we published our mission at AirVPN birth. AirVPN mission is the very reason which AirVPN exists for. In your opinion, and here matter becomes even more interesting, why a political mission which states that the company must operate at the best of its abilities in defense of privacy, freedom of expression and against censorship should be kept hidden in Western democracies? Feel free to be explicit with threats, no need to post veiled threats. Kind regards