Staff

Hello! We're very glad to inform you that a new 1 Gbit/s server located in Vienna (AT) is available: Beemim. The AirVPN client will show automatically the new server; if you use any other OpenVPN client you can generate all the files to access it through our configuration/certificates/key generator (menu "Client Area"->"Config generator"). The server accepts connections on ports 53, 80, 443, 1194, 2018 UDP and TCP. Just like every other "second generation" Air server, Beemim supports OpenVPN over SSL and OpenVPN over SSH, TLS 1.2 and tls-crypt. Full IPv6 support is included as well. As usual no traffic limits, no logs, no discrimination on protocols and hardened security against various attacks with separate entry and exit-IP addresses. You can check the server status as usual in our real time servers monitor: https://airvpn.org/servers/Beemim/ Do not hesitate to contact us for any information or issue. Kind regards and datalove AirVPN Team

Hello! The configuration looks almost fine. Just enable "DHT" and "Peer Exchange". Kind regards

Hello! We're glad to inform you that Hummingbird 1.0.3 has just been released. Hummingbird is a free and open source software by AirVPN for: Linux x86-64 Linux ARM 32 (example: Raspbian for Raspberry Pi) Linux ARM 64 macOS (Mojave or higher version required) - please do not miss important notes on macOS below based on OpenVPN3-AirVPN 3.6.4 library supporting CHACHA20-POLY1305 cipher on OpenVPN Data Channel and Control Channel. Hummingbird is very fast and has a tiny RAM footprint. AES-CBC and AES-GCM are supported as well. Version 1.0.3 uses OpenVPN3-AirVPN 3.6.4 library which had major modifications: IPv6 compatibility has been improved override logic has been improved a critical bug related to a main branch regression for TCP connections has been fixed Important: if you build Hummingbird please make sure to align to AirVPN library 3.6.4. You can't build Hummigbird 1.0.3 with library versions older than 3.6.4. Hummingbird is not aimed to Android but you can have CHACHA20-POLY1305 on Android too: please run our software Eddie Android edition, which uses our OpenVPN3-AirVPN library. Important notes for macOS users From now on we provide both a notarized version and a non-notarized version of Hummingbird for macOS. The notarized version is available essentially for those users who required it, but it is not recommended. The notarized version will run without blocks by Apple's Gatekeeper, but will let Apple correlate your real IP address, Apple ID and other data potentially disclosing your identity to the fact that you run, and when you did it for the first time, an application by AirVPN. If that's not acceptable for you, just download the tarball package .tar.gz (it is NOT notarized and NOT signed with our Apple developer ID on purpose) and include it in the exceptions to run non-notarized programs. In the future that could be no more allowed, but at the moment it is. For a more thorough explanations on important privacy issues caused by Apple and notarization please see for example here https://lapcatsoftware.com/articles/notarization-privacy.html and here https://lapcatsoftware.com/articles/catalina-executables.html Notes for Linux users x86-64 version requires a reasonably recent distribution (at least on par with Debian 9 kernel and libraries) based on systemd. A version compatible with SysVInit is anyway planned armv7l version (32 bit) has been tested in Raspberry Pi 3 and 4 with Raspbian 10. It will not run in Raspbian 9 (libraries are too old) aarch64 version (for 64 bit ARM) has been tested in Raspberry Pi4 with Ubuntu 19 and Ubuntu 20 for ARM 64 bit TCP queue limit If you connect over TCP, Hummingbird will set by default a minimum TCP outgoing queue size of 512 packets to avoid TCP_OVERFLOW errors. If you need a larger queue in TCP, the following option is now available from command line, in addition to profile directive tcp-queue-limit: --tcp-queue-limit n where n is the amount of packets. Legal range is 1-65535. We strongly recommend you to allow at least 512 packets as queue limit (default value). Larger queues are necessary when you connect in TCP and need a lot of open connections with sustained (continuous) but not necessarily high throughput, for example if you run a BitTorrent software. In such cases you can enlarge the queue as much as you need, until you stop getting TCP_OVERFLOW. It's not uncommon from our community as well as our internal tests to set 4000 packets queue limit to prevent any TCP overflow. If you connect over UDP, you can ignore all of the above. Network Lock Network Lock prevents traffic leaks outside the VPN tunnel through firewall rules. Hummingbird 1.0.3 widens --network-lock option arguments. The following arguments are now accepted: on | off | iptables | nftables | pf (default: on). If you specify on argument, or you omit --network-lock option, Hummingbird will automatically detect and use the infrastructure available on your system. Hummingbird picks the first available infrastructure between iptables-legacy, iptables, nftables and pf. Note: command line options, when specified, override profile directives, when options and profile directives have the same purpose. Binaries download URL https://gitlab.com/AirVPN/hummingbird/-/tree/master/binary Complete instructions https://airvpn.org/hummingbird/readme/ Hummingbird source code https://gitlab.com/AirVPN/hummingbird OpenVPN3-AirVPN library source code https://github.com/AirVPN/openvpn3-airvpn OpenVPN3-AirVPN library Changelog Changelog 3.6.4 AirVPN - Release date: 23 May 2020 by ProMIND - [ProMIND] [2020/05/23] completely changed the logics controlling overrides (server, port and protocol) client/ovpncli.cpp: parse_config() Properly assigned serverOverride, portOverride and protoOverride to eval.remoteList client/ovpncli.cpp: parse_config() In case serverOverride is set, remoteList is cleared and recreated with just one item containing serverOverride client/ovpncli.cpp: parse_config() In case portOverride or protoOverride is set, all the items in remoteList are changed accordingly openvpn/client/remotelist.hpp: Added public method set_transport_protocol_override() to assign the override protocol to all items in remoteList openvpn/client/cliopt.hpp: ClientOptions() now calls remote_list->set_transport_protocol_override() instead of remote_list->handle_proto_override() Hummingbird Changelog Changelog 1.0.3 - 3 June 2020 - [ProMIND] Removed --google-dns (enable Google DNS fallback) option - [ProMIND] Improved flushing logics for pf - [ProMIND] Updated to OpenVPN3-airvpn 3.6.4 *-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-* Changelog 1.0.2 - 4 February 2020 - [ProMIND] Updated to OpenVPN3-AirVPN 3.6.3 - [ProMIND] Added --tcp-queue-limit option - [ProMIND] --network-lock option now accepts firewall type and forces hummingbird to use a specific firewall infrastructure *-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-* Changelog 1.0.1 - 24 January 2020 - [ProMIND] Updated to OpenVPN3-AirVPN 3.6.2 *-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-* Changelog 1.0 - 27 December 2019 - [ProMIND] Production release *-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-* Changelog 1.0 RC2 - 19 December 2019 - [ProMIND] Better management of Linux NetworkManager and systemd-resolved in case they are both running - [ProMIND] Log a warning in case Linux NetworkManager and/or systemd-resolved are running *-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-* Changelog 1.0 RC1 - 10 December 2019 - [ProMIND] Updated asio dependency *-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-* Changelog 1.0 beta 2 - 6 December 2019 - [ProMIND] Updated to OpenVPN 3.6.1 AirVPN - [ProMIND] macOS now uses OpenVPN's Tunnel Builder - [ProMIND] Added --ignore-dns-push option for macOS - [ProMIND] Added --recover-network option for macOS *-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-* Changelog 1.0 beta 1 - 28 November 2019 - [ProMIND] Added a better description for ipv6 option in help page - [ProMIND] --recover-network option now warns the user in case the program has properly exited in its last run - [ProMIND] NetFilter class is now aware of both iptables and iptables-legacy and gives priority to the latter *-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-* Changelog 1.0 alpha 2 - 7 November 2019 - [ProMIND] DNS resolver has now a better management of IPv6 domains - [ProMIND] DNS resolver has now a better management of multi IP domains - [ProMIND] Minor bug fixes *-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-* Changelog 1.0 alpha 1 - 1 November 2019 - [ProMIND] Initial public release Kind regards & datalove AirVPN Staff

@lex.luthor Hello! Unfortunately your system does not support a 2 years old glibc library (2.28), which for ARM architecture is the oldest library that Hummingbird supports. The version in your system (2.24) is more than 4 years old! Is any update to your system distribution available? Kind regards

@Hellegat Not reproducible, can you open a ticket for additional investigation? Kind regards

@c3p0 Do you still have the old profile? If so, would you send it to us? It is probably corrupt and we would like to see what happened, if possible. You might send it to us via a ticket. Thank you in any case. Kind regards

Hello! Please check whether Eddie starts minimized. Look for Eddie's tray icon in the system tray. It's a tiny cloud in a circle. Please make sure to click the "up" arrow to see even hidden tray icons. If you find the tray icon, double-click on it to raise Eddie's main window. In "Preferences" you can tell Eddie whether to start minimized or not. Kind regards

Hello! Just to point out that since Network Lock is a set of firewall rules, no traffic leak is possible if Eddie crashes. Kind regards

@Terry Stanford Hello! According to your description it's not a bug, the behavior is normal and expected, as Eddie needs root privileges to modify firewall rules (and therefore "enable Network Lock") etc. If you need "persistent" Network Lock you just need some firewall rules. In pf, for example: block out all pass in from 127.0.0.1 to 127.0.0.1 pass out from 127.0.0.1 to 127.0.0.1 (to ensure communications of your machine with itself via sockets etc. you should always allow localhost) When Eddie enables Network Lock, pf rules are overwritten and communications to VPN servers will be possible. When Eddie quits or Network Lock is disabled, your previous "blocking all" rules will be restored, so no comms outside the VPN are ever possible. Kind regards

@Neighbour80 Thank you! Firefox is developed mainly in C, C++, Rust and Javascript. It's not that a language is inherently "problematic from a security standpoint", the matter is more complex and, really, off-topic here, but you can enjoy 40-years old discussions that are still ongoing on the good and bad points of C++ since 1986 on BBS, and on specialized developers' forums. 🤩 Kind regards

@barrowight Hello! It sounds normal. During sleep network interface card is turned off and applications are frozen. Kind regards

Hello! Eddie 2.12.4 is more than three years old and is not fully compatible with Windows 10. Please upgrade to Eddie 2.18.9 (latest stable release) and the problem should be resolved. Remove completely Eddie 2.12.4 before upgrading, in particular make sure to delete any file in directory C:\Users\grrrb\AppData\Local\AirVPN Eddie Windows edition can be downloaded here: https://airvpn.org/windows Kind regards

@go558a83nk The main advantage over OpenVPN in terms of performance is the fact that Wireguard runs in the kernel space while OpenVPN runs in the userspace, Cipher CHACHA20 is available in OpenVPN too. It's slower than AES in AES-NI supporting systems, so it is very relevant only in those systems which do not support AES-NI, typically mobile and embedded devices based on ARM processors. So when Wireguard can't run in the kernel space (for example when you use it in Android or iOS) you lose that gain. The fact that Wireguard does not support TCP is bad for us, because it cuts out a very remarkable percentage of our users: those who have their ISP blocking or heavily shaping UDP, those who need to pass through some proxy (which supports only TCP) to get on to the Internet, and those who need to tunnel the VPN protocol over SSH or sTunnel. Kind regards

@HannaForest Hello! It's not less or more dangerous, it's just that data retention that's mandatory for residential ISPs is not a matter which affects our service, while data retention mandatory for datacenters is. Kind regards

@jx35552zza Hello! If you still have the old profile which caused the problem, could you send it to us in a ticket? From your description we think that it is corrupt and we would like to see how it got corrupted: we have some cases where the profile is corrupt and we would like to gather more information on the issue. Kind regards

@22lr Hello! We confirm that Hummingbird does not need Mono, so @eburom recommendation is good to resolve security concerns on Mono (remember anyway that Eddie's part running with root privileges is completely written in C++ and does not need Mono). We would like to add that in June we will announce a brand new software for Linux, a deep evolution of Hummingbird. Even the new software will not need Mono in any way. Kind regards

@HannaForest About countries in the EU, any mandatory data indiscriminate retention framework is illegal according to two different CJEU decisions, so any attempt to enforce it or incrimination for having failed to enforce it can be easily challenged up to the highest court. About UK, the legal framework does not seem to enforce mandatory data retention to datacenters, but as soon as UK will get out of the EU we will re-check the situation with the help of lawyers. About France, the difference is that data retention seems mandatory for "hosting providers" (sic), so datacenters might start logging metadata without our knowledge. We will study again and re-consider in the next months anyway. Kind regards

Hello! Today we're starting AirVPN tenth birthday celebrations! From a two servers service located in a single country providing a handful of Mbit/s, the baby has grown up to a wide infrastructure in 22 countries in three continents, providing now 240,000+ Mbit/s to tens of thousands of people around the world. In 2019 and 2020, software development enhancement has paid off: now AirVPN develops on its own an OpenVPN3 forked library which resolves various problems from the main branch and adds new features. The library is used in Hummingbird, a free and open source software for Linux and Mac, known for its speed and compactness, in Eddie Android edition and in a new software which will be announced in June. Hummingbird has been released even for ARM based Linux devices, and runs fine for example in Raspberry PI. Eddie Desktop edition has been extensively rewritten to improve performance, reliability and security. Now anything not related to the user interface is written in C++ and a lot of security hardening has been implemented. Total compatibility with macOS Catalina, Windows 10 and latest Linux distributions has been achieved, and specific packages for various, widespread Linux distributions are available for easier installation. Eddie can act as a GUI for Hummingbird in Linux and Mac, while in Windows, Eddie can also be easily configured to run OpenVPN 2.5 with the wintun driver to achieve remarkable OpenVPN performance boost and put Windows on par with other systems OpenVPN throughput ability. Furthermore, the wintun driver resolves various problems which affected TAP-Windows driver. Development for OpenBSD and FreeBSD has been unfortunately re-planned but we're glad to announce here that it will continue, starting from summer 2020. All AirVPN applications and libraries are free and open source software released under GPLv3. We think that it's somehow surprising that AirVPN not only survived, but even flourished for 10 years, in an increasingly competitive market and increasingly privacy hostile environment. No whistles and bells, no marketing fluff, no fake locations, no advertising on mainstream media, a transparent privacy policy, no trackers on the web site or in mobile applications, no bullshit of any kind in our infrastructure to sell your personal data to any personal data merchant, and above all a clear mission that is the very reason which AirVPN operates for https://airvpn.org/mission , are probably, all together, the factors which allowed such a small "miracle" and maybe make AirVPN unique. Thank you all, you users, customers, members of the community, moderators, developers: the small "miracle" happened because of you, because you saw something in AirVPN. Kind regards and datalove AirVPN Staff

@snrtd Please let's move on to the topic of Hummingbird latest release. Kind regards

@Point Zero Hello! On top of all those previous recommendations, also consider to test wintun driver, please see here: https://airvpn.org/forums/topic/46535-how-to-use-wintun-driver-in-windows/ Kind regards

@colorman Hello! When you get UDP send exception: send: Operation not permitted please check the firewall rules, store them and send them to us. @eburom Both cases are intended. We will check - (EDIT: bug confirmed); in general an UDP based profile is not compatible (explicit-exit-notify is incompatible with proto tcp) with protocol TCP. Maybe a better behavior might be: allow the override and let OpenVPN library throw the critical error, then exit. That's a design decision, we will check what the developer thinks about it. Kind regards

@colorman Hello! The quoted error is usually caused by a firewall rule blocking UDP, can you please check? Kind regards

@eburom Hello and thank you! We confirm the bug you found. It is being fixed and a new version will be released before the end of May. Kind regards

@eburom Last test has showed that Hummingbird behavior is correct. Of course we can discuss ad nauseam whether an error of this kind should cause Hummingbird to exit completely or not: shall we consider the superuser responsible for his/her actions and trust that he/she does not ignore error messages, or shall we consider him/her inept for his/her role? However, your previous report should be investigated if the issue re-occurs. That, indeed, shows an unexpected outcome, but as long as you can't reproduce it we can't do anything (we could not manage to reproduce it and it never came out during alpha, beta, RC testing...). Kind regards

@crypto1.0 Hello! In Raspbian 10 you don't have a module for table "security". You can safely ignore those warnings, as Network Lock rules will be set anyway, no need of that table. Kind regards