Staff

@m1ster Hello! Something goes terribly wrong when the tun interface is accessed: does "OpenVPN for Android" work on the very same box? What brand and model is it? Kind regards

@livovo Hello! Just use Tor after you have connected to some VPN server. Tor renews circuit for different streams and at the same time your ISP (and any other entity wiretapping your line or acting with your ISP complicity) will not see that you're using Tor. Only limitation is that Tor does not support UDP. Kind regards

Important update pertaining to Amnesty International: Position of Amnesty International changed on late February 2020: https://www.amnesty.org/en/get-involved/take-action/julian-assange-usa-justice/ when Amnesty asked: thus recognizing that Assange is a political prisoner, as he is charged for his publishing activities. Kind regards and datalove AirVPN

Hello! We're very glad to inform you that a new 1 Gbit/s server located in Tallinn (EE) is available: Alruba. The AirVPN client will show automatically the new server; if you use any other OpenVPN client you can generate all the files to access it through our configuration/certificates/key generator (menu "Client Area"->"Config generator"). The server accepts connections on ports 53, 80, 443, 1194, 2018 UDP and TCP. Just like every other "second generation" Air server, Alruba supports OpenVPN over SSL and OpenVPN over SSH, TLS 1.2 and tls-crypt. Full IPv6 support is included as well. As usual no traffic limits, no logs, no discrimination on protocols and hardened security against various attacks with separate entry and exit-IP addresses. You can check the server status as usual in our real time servers monitor: https://airvpn.org/servers/alruba Do not hesitate to contact us for any information or issue. Kind regards and datalove AirVPN Team

@airdev Android app must be extensively rewritten to meet new Google requirements for Android 9 and 10. No reason to hurry as the app does everything we and our customers need. It's not written anywhere that an app that works perfectly must be "frequently updated". About Eddie the development is slow, you are correct, but Mac and Linux users can now count on a totally different stable application which is also evolving in something more (i.e. a real daemon with frontend applications). Once completed with a GUI, even Windows development will become faster, as Eddie for Windows can be prioritized over Linux and Mac. We have invested a lot of time to fix critical bugs on OpenVPN3 library (which could not even work properly in Linux) and implement new key features. It's an investment in development time that may make the naive observer think that Air development is slow, but such investment will be repaid with high interests rate in the very near future. Last but not least the development of OpenVPN 3-AirVPN by AirVPN has shaken OpenVPN community and symptoms that the community is waking up have appeared. If OpenVPN3 community wakes up even our fork will require less development time, obviously. Kind regards

@Access everywhere Please pick freely according to your preferences. Hummingbird is much faster, has a tiny RAM footprint (less than 10 MB), it's based on OpenVPN3-AirVPN library, and does not require Mono, but it lacks a GUI (it will evolve with a daemon and GUI only in the near future) and many features of OpenVPN 2 and Eddie. Eddie is remarkably features richer (full integration with AirVPN infrastructure, customized routes, customized events, OpenVPN over Tor are just a few of several significant features that Hummingbird totally misses), offers a complete GUI, but it is much slower and has a huge RAM footprint (exceeding 1 GB in Linux for example). Please note that you can run Hummingbird through Eddie (Eddie 2.18.7 or higher version required) simply by ticking "Use Hummingbird if available" in "Preferences" > "Advanced" window and copying the Hummingbird binary anywhere in your commands path. In this way Eddie will run Hummingbird instead of OpenVPN 2 and you will have the hardened security of Hummingbird vs. OpenVPN 2, as well as a significant performance boost in various phases (during connection and disconnection Hummingbird is up to 300 times faster than OpenVPN 2). Kind regards

@Lee47 Wireguard only supports CHACHA20 in UDP. OpenVPN supports it too. Can you check OpenVPN with CHACHA20? It can be an interesting comparison. Of course the reason might be different: for example, if you run Windows, you might have used different drivers, or simply some other problem on your side, Also, Wireguard is still largely unnoticed because it is not used a lot (and rightly so as it is in beta testing), so ISPs are not yet interested to identify its fingerprint (which is a trivial task because Wireguard does not support any obfuscation technique and can not connect over proxy as it does not support TPC) and disrupt it. The maximum throughput achieved with OpenVPN and Virgin in AirVPN has been 500 Mbit/s by a user in this thread, which is also near the physical limit of our servers (500 Mbit/s on the client side are 1 Gbit/s on the server side). We would bet that you can't beat that performance with Wireguard, especially with AES-NI supporting systems, where the high throughput becomes more and more relevant and put CHACHA20 at a disadvantage (the only boost here is running in kernel space - but not in Android and many clients - which might not compensate AES New Instructions power), so the discrepancy must be found elsewhere. Kind regards

@giganerd That's correct, it's important to know that nftables is currently not supported by Eddie. Kind regards

Hello! You're right, Eddie 2.16 can not run in your environment. Can you please test Eddie 2.18.7 beta? Now the GUI runs with ordinary user privileges (no more GUI running with root privileges) and is run by the account of the DE you use. Other changes have been implemented and compatibility with Wayland should now be 100% - last but not least Eddie backend, running with root privileges, does not need anymore Mono framework (it is written in C++) To test Eddie 2.18.7 beta please see here: https://airvpn.org/forums/topic/45326-eddie-desktop-218beta-released/ Kind regards

@CRC89 Hello! Alternatively, you can wait for a real daemon for Linux. We currently do not offer it but the gap will be filled very soon: a daemon based on Hummingbird is in advanced stage of development and we will release a public alpha version with a CLI client to drive it in the very near future. Kind regards

@Androidlinux Hello! Currently not, we're sorry (you need to send a kill signal to Hummingbird and restart it with a new profile, which is not exactly what you ask for), but this feature will be available in the frontend+daemon solution. Hummingbird will be maintained as a stand alone binary and will also evolve in to a new software. The daemon is already in advanced development stage and initially we will release it together with a CLI frontend. Immediately after that, development of a GUI for the daemon, based on Qt, will begin. Kind regards

Hello! You can't, as you don't have iptables currently. Use nftables instead. Proceed only if you exactly know what you're doing, as Network Lock on the fly changes might cause unintended leaks. Kind regards

Hello! In Linux you can run Hummingbird. It uses our OpenVPN3-AirVPN library which supports CHACHA20 on the Data Channel. Please see here, you will also find instructions on how to configure Hummingbird to use CHACHA20-POLY1305: https://airvpn.org/hummingbird/readme/ Remember to use a profile generated only for the servers which support CHACHA20-POLY1305. They are marked yellow with the phrase "Experimental CHACHA20" in the Configuration Generator or in our web site servers monitor: https://airvpn.org/status NOTE: if your Linux system supports AES-NI then AES cipher may have higher performance than CHACHA20 cipher. Kind regards

@83jd0whx38ns Hello! What is your exact distribution? We have found the problem for example in Debian unstable, and it's a problem of the distribution with the implementation of iptables legacy with nftables. If that's your case too, force Hummingbird to use nftables for Network Lock and the problem should get resolved. https://airvpn.org/hummingbird/readme/ Check the instructions and remember to run Hummingbird with the additional option: --network-lock nftables Remember that Hummingbird (for a good reason aimed to prevent conflicts) by default prefers iptables-legacy over nftables if both are found in a system. However, if iptables legacy exists but does not provide table 'security' then Network Lock can't work because iptables legacy itself does not work properly. We are looking forward to hearing from you. Kind regards AirVPN Support Team

@newairvpnuser Hello! Mobile ISPs routinely shape at least UDP traffic. From tests with 6 major mobile ISPs in Italy, Germany, UK and Spain, we have found that 100% of them enforce traffic shaping, of various types. Traffic shaping against UDP is less common, but not infrequent, with landline ISPs. A new extreme shaping which is terrible is shaping against anything that can not be identified as HTTP/HTTPS/privileged services; it is also getting not infrequent. Try to switch to TCP and make sure to test various servers in various locations. Your device processor is, in theory, capable to encrypt/decrypt at least 50 Mbit/s of an AES-256-GCM flow, and much more with CHACHA20 (more than 70 Mbit/s), so traffic shaping enforced by your ISP is an option to consider according to your report. Consider to connect in TCP, and also test CHACHA20-POLY1305 cipher, which is supported by Eddie Android edition. Air VPN servers which support CHACHA20 are highlighted in yellow with the phrase "Experimental ChaCha20" in the servers monitor https://airvpn.org/status Anyway, once you tell Eddie to use CHACHA20, it will show and connect to only those Air VPN server which support CHACHA20. Select Eddie's "Settings" view, expand "AirVPN", tap "Encryption algorithm", select "CHACHA20-POLY1305" and tap "OK". Also tap "Default protocol", tap "TCP" and tap "OK". Tap "Quick connection mode", select "Use default options only" and tap "OK". Then test a quick connection and verify whether you get better performance or not. IMPORTANT: if you select manually servers in the "VPN servers" view, you need to specifically set "TCP" in the "AIRVPN SERVER" settings menu, because this setting is distinct from the quick connection mode configured protocol, while "Encryption algorithm" is kept always global. Kind regards

@monstrocity OVPN files have no restrictions in any way. Generate the proper file with the Configuration Generator (tick "Advanced Mode" to see all the available connection modes) or just edit your current profile with any text editor and replace the port you have in the remote directive with 41185. Kind regards

@monstrocity Thank you for your report. Interesting outcome. To kill Hummingbird gracefully send it a kill signal 15 (SIGTERM): sudo kill `pidof hummingbird` If Hummingbird is not detached from a terminal emulator you can also press CTRL-C on that to stop Hummingbird gracefully. Please see also: https://airvpn.org/hummingbird/readme/ Kind regards

Hello! That may happen, unfortunately, even with owned servers housed in any datacenter. Our servers do not keep any account data but they might be monitored in real time with external "black" boxes which can not be detected by the server itself (in practice they sniff traffic just outside the server without interfering with the server itself). However, if someone tries to tamper a server in any other way, the server will not start, because each restart will cause a lock out by our system. That VPN server must be validated manually by AirVPN management to be accepted again in the infrastructure, so if anything weird happens it will remain locked out. To defeat an adversary that monitors incoming and outgoing packets of a VPN server, and tries to correlate them, please see here: https://airvpn.org/forums/topic/54-using-airvpn-over-tor/?do=findComment&comment=1745 Kind regards

@monstrocity Yes, correct! Kind regards

@monstrocity Please add it in the first block of directives of the ovpn file "AirVPN_Japan_TCP-443.ovpn" Open the file with a text editor, add the following line, FOR EXAMPLE just under the line beginning with "remote": reneg-sec 300 (press ENTER after it, it must be a stand alone line) and save the file. Then re-run Hummingbird like you already did, but without the --reneg-sec option. Note whether the re-keying error occurs as usual or not. Thanks in advance! Kind regards

@monstrocity Thanks. Can you add now reneg-sec 300 directive, run Hummingbird alone, and check whether anything changes? See also: Kind regards

@monstrocity Please upgrade to Hummingbird 1.0.2, use it alone (without Eddie) and check whether the same problems occur. Also compare with Eddie + OpenVPN 2.4: do you see the same errors or not? Kind regards

@adams.j Hello! Can you please test a connection over TCP (you can set it in the "Settings" view or in the single servers view) and check whether the problem persists or not? Just in case your ISP messes with UDP (not uncommon situation with mobile ISPs). Kind regards

@misam Default value is 3600 seconds (1 hour). And actually you can see that you always get the error you mentioned exactly n hours after your initial connection, with n a positive integer, an additional confirmation that the problem specifically occurs just before or during a re-keying. The first block of directives is placed on the top of the text file. We mean, do not insert the directives somewhere in the middle of certificates, keys or <> blocks. Kind regards

@arteryshelby Hello! We're afraid no solution is possible, as they have not the ability or the will to check whether a notice is bogus or not. We are looking for alternatives in Lithuania and in other countries in the Baltic region, including Estonia and Finland. Kind regards