Staff

Hello! While we will let developers provide more details should they wish so, we would like to firmly clarify that: Eddie 2.18.x GUI or command line frontend does not run as root; the backend process does Eddie 2.18.x is in beta testing phase, so potential bugs and issues should be in general expected at any time Eddie 2.18.x does not run "curl" with root privileges anymore @QueenSasha Eddie 2.18.x GUI is written in C# (so it needs the Mono framework) but the backend process is written in C++, so it does NOT need Mono framework. Running only a GUI in Mono with normal user privileges shrinks down Mono related risks very considerably @inradius If you find critical Mono vulnerabilities even related to apps running with user privileges things would be different, of course root privileges are necessary to modify firewall rules (for "Network Lock"), change routing table, properly handle DNS push. Root privileges are also transmitted to OpenVPN, which needs them to modify routing table, default gateway and operate on tun network interface. That's expected, correct and ordinary behavior by any OpenVPN based software developer @inradius unless you have a special API service, as it happens in Android with VPNService API, where root privileges are not needed (and you can't set a real "Network Lock" as a consequence) if any security vulnerability is ascertained and proven we and developers will of course address it expeditiously @QueenSasha Kind regards

Hello and thank you for your choice! Can you please send us a system report generated by Eddie, the Air client software, and taken just after the problem has occurred? Please click "Logs" tab, click the LIFE BELT icon, click "Copy to clipboard" and paste into your message. Kind regards

@dedo299 Hello and thank you for your considerations! We will evaluate them carefully. Currently we just want to underline that Heze and Persei suffered too many partial and total outages for our standards and the frequent events caused quite a remarkable amount of complaints, and rightly so, by our customers. Keeping those servers in spite of the collected evidence and feedback would have been detrimental for the quality of our service as it's bad to have a well performing server when the datacenter, for various reasons that have been occurring again and again, can't ensure anymore a decent uptime. We also wish to specify that Aquila, the server you mention giving you good performance, which is from a different provider, remains in Fremont: it is not one of the soon to be dismissed servers. Kind regards

Or not: it depends on whether they are tunneled. In Linux based systems with global DNS (i.e. without on-link DNS simulation) DNS queries to any public DNS will be tunneled. In Windows there is no global DNS concept so such queries in general will not be tunneled. That's also the reason why DNS leaks don't exist in Linux, unless it's deliberately configured to emulate rickety broken DNS implementation, but they are common in Windows and patched client-side by OpenVPN based software. As a side note fir the OP: remember that DNS settings on the devices behind the router will determine the finala ddress to send queries to. Only if they query the router address in the local network, then the DNS servers set on the router will be queried. If they query any other DNS, their DNS queries will be anyway tunneled by Tomato router (and our VPN servers will then send them to the final destination, get the reply, and send the reply to you). About the original problem experience by OP: OpenVPN server pushes IPv6 routes even when the client does not explicitly require them. Together with the fact that if "ip" (or any similar command) fails with IPv4, even if it's successful with IPv4, OpenVPN quits immediately, you can understand how gross and questionable this behavior is: any client without machine IPv6 support will be unable to connect. So, we will force OpenVPN to NOT push IPv6 routes, unless IPv6 is explicitly required. The patch has been implemented and deeply tested, it is safe and compact, and will be deployed in all servers progressively but swiftly. Currently only 40 servers still pose the problem caused by the "original OpenVPN behavior". Remember that the problem affects only systems which lack IPv6 support (they don't exist anymore but someone might disable IPv6 at system level for any reason, or use very old systems, so we are working to fix the issue quickly in the whole infrastructure). To get OpenVPN IPv6 push you will need necessarily the following directives: push-peer-info setenv UV_IPV6 yes The Configuration Generator already works accordingly and adds the proper directives if you require IPv6 over IPv4. Kind regards

@dedo299 Hello! We have picked a datecenter in Los Angeles to replace two Fremont servers (quite near in terms of network distance and very near geographically). The new LA servers announcement, where we specified that they replaced servers in Fremont, is here: Kind regards

Hello! We inform you that the following servers will be dismissed on November the 26th as they do not meet anymore our quality requirements in terms of line reliability and datacenter support. Alkaid Heze Microscopium Pavonis Persei The aforementioned servers have already been replaced by other servers in the same locations, running in datacenters which are currently offering higher reliability. You can check the servers status and additional information on our servers monitor here: https://airvpn.org/status Kind regards AirVPN Staff

@Flx Hello, just a note: 10.5.0.1 is no more used since a long ago. VPN DNS server primary address matches VPN server gateway, secondary address is 10.4.0.1 (regardless of the subnet you are in). 10.4.0.1 is not reachable by ping, but only DNS queries. https://airvpn.org/specs Kind regards

We would like to do so but our resources are limited and selections and choices must be made. Kind regards

Hello! We're very glad to inform you that two new 1 Gbit/s servers located in Vancouver (Canada) are available: Nahn and Sham. The AirVPN client will show automatically the new servers; if you use the OpenVPN client you can generate all the files to access them through our configuration/certificates/key generator (menu "Client Area"->"Config generator"). Servers accept connections on ports 53, 80, 443, 1194, 2018 UDP and TCP. Just like every other "second generation" Air server, Nahn and Sham support OpenVPN over SSL and OpenVPN over SSH, TLS 1.2 and tls-crypt. Full IPv6 support is included as well. As usual no traffic limits, no logs, no discrimination on protocols and hardened security against various attacks with separate entry and exit-IP addresses. You can check servers status in our real time servers monitor: https://airvpn.org/servers/Nahn https://airvpn.org/servers/Sham Do not hesitate to contact us for any information or issue. Kind regards and datalove AirVPN Team

Hello! We're glad to inform you all that Chamaeleon https://airvpn.org/servers/Chamaeleon in Dallas now runs OpenVPN 2.5 daemons and is configured to accept connections with cipher CHACHA20-POLY1305 both on Control and Data Channel. You can connect in ChaCha20 with Eddie Android edition, OpenVPN 3.3 AirVPN alpha for Linux, or by using Eddie desktop edition with OpenVPN 2.5. To use cipher ChaCha20: with Eddie Android edition, select "Settings" > "AirVPN" > "Encryption Algorithm" > "CHACHA20-POLY1305" with OpenVPN 3.3 AirVPN please see here: with Eddie desktop edition, install OpenVPN 2.5, tell Eddie to use OpenVPN 2.5 in "Preferences" > "Advanced" , finally add the following custom directives in "Preferences" > "OVPN Directives" and make sure to connect or white list ONLY experimental ChaCha20 servers ncp-disable cipher CHACHA20-POLY1305 Servers supporting ChaCha20 are marked as "Experimental ChaCha20" in https://airvpn.org/status in a yellow warning. Kind regards

Hello! We're very glad to inform you that three new 1 Gbit/s servers located in Chicago (Illinois, USA) are available: Fang, Kruger and Sneden. Note that the aforementioned servers replace Alkaid, Microscopium and Pavonis which do not meet anymore our technical requirements in terms of uptime and line reliability and will be withdrawn at the end of November. AirVPN clients will automatically show new servers; if you use OpernVPN or some other OpenVPN frontend, you can generate all the files to access any server through our configuration/certificates/key generator (menu "Client Area" -> "Config generator"). Servers accept connections on ports 53, 80, 443, 1194, 2018 UDP and TCP. Just like all the other AirVPN servers do, Fang, Kruger and Sneden support OpenVPN over SSL and OpenVPN over SSH, TLS 1.2 and tls-crypt. Full IPv6 support is included as well. As usual no traffic limits, no logs, no discrimination on protocols, smart load balancing between OpenVPN daemons and hardened security against various attacks with separate entry and exit-IP addresses. You can check servers status as usual in our real time servers monitor: https://airvpn.org/servers/Fang https://airvpn.org/servers/Kruger https://airvpn.org/servers/Sneden Do not hesitate to contact us for any information or issue. Kind regards and datalove AirVPN Team

Hello! We're very glad to inform you that two new 1 Gbit/s servers located in Los Angeles (California, USA) are available: Groombridge and Teegarden. Note that Groombridge and Teegarden replace Heze and Persei which do not meet anymore our technical requirements in terms of uptime and line reliability and will be withdrawn at the end of November. AirVPN clients will automatically show new servers; if you use OpernVPN or some other OpenVPN frontend, you can generate all the files to access Groombridge and Teegarden through our configuration/certificates/key generator (menu "Client Area" -> "Config generator"). Servers accept connections on ports 53, 80, 443, 1194, 2018 UDP and TCP. Just like all the other AirVPN servers do, Groombridge and Teegarden support OpenVPN over SSL and OpenVPN over SSH, TLS 1.2 and tls-crypt. Full IPv6 support is included as well. As usual no traffic limits, no logs, no discrimination on protocols, smart load balancing between OpenVPN daemons and hardened security against various attacks with separate entry and exit-IP addresses. You can check servers status as usual in our real time servers monitor: https://airvpn.org/servers/Groombridge https://airvpn.org/servers/Teegarden Do not hesitate to contact us for any information or issue. Kind regards and datalove AirVPN Team

Hello! We don't, and anyway even if some service of ours listened to that port of our VPN servers exit-IP address, we would of course not forward packets to VPN nodes (!), if the customer did not require such thing. In this case that's what you did (you remotely forwarded inbound port 12103) so what you see is perfectly normal. Kind regards

Hello! Currently Netflix USA (and only USA) is accessible from our infrastructure, including UK servers, provided that you query VPN DNS. Kind regards

Hello! Stay tuned, we have planned to add one or two servers in Vancouver. Kind regards

@Gebi22 Hello! Please make sure that you have not defined specific filters that filter out all the servers. If the above is not the case, please open a ticket and include Eddie log taken just after the problem has occurred. In Eddie's "Log" view you can see a "Share" icon. After you have tapped it you can choose to send log via mail or share it in other ways. Kind regards

@Bubga Hello! Currently Netflix USA (and only USA) is accessible from our infrastructure, provided that you query VPN DNS. Kind regards

@giganerd Hello! Well, it's not uncommon that any source code is not released at alpha stage. In several environments it is common practice. It is all in all a wise decision because any part can be even rebuilt from scratch, even from alpha n to alpha n+1. However, as you noticed, the library source code is published and of course it's not alpha.  That would be great! Kind regards

@pjnsmb After you press CTRL-C resolv.conf backup is correctly deleted so the reply you get after you ordered "--recover-network" is expected. Up to this point everything sounds fine. Then you notice lack of Internet connectivity, which might or might not be expected. Please check firewall rules as well as chain policies before and after the VPN connection: if they match your lack of Internet connectivity is expected; if not something wrong is going on, please notify us including rules (first and after you have run the client) and exact distribution name and version. Kind regards

Hello! -6 is an undocumented option in OpenVPN 3 library, it has nothing to do with the frontend. OpenVPN 3 is mostly undocumented by OpenVPN developers and we are doing our best to fill the gap. In the next version we will clarify usage of -6 option to leave no doubts on the matter. You can infer that -6 pertains to IPv6 over IPv4 from the comments in the source code, which contrarily to what your misleading irony suggests has been published in GitHub a long ago. https://github.com/AirVPN/openvpn3-airvpn Anyway that part is identical to the main branch and has not been touched by us, so you can see that part both in our fork and in the main branch, it exists since years ago and has remained undocumented since years ago. At this stage we are focused on bug fixing because, for Linux, we found a dramatic situation to say the least. just consider, as a mere, shameful example, that data structures were systematically not initialized, an error that you can't expect or imagine, not even from C novice children students during their first C course. Lack of initialization in C/C++ causes apparently random crashes and/or unexpected behavior in different conditions, systems and system states, according to how "dirty" the data RAM area is or is not. Situation is now under control (while OpenVPN 3 main branch remains mainly unusable in Linux for practical purposes) but only after a very hard, time consuming work. That said, omitting -6 might not solve the issue. We suspect now that it's another OpenVPN 3 bug; as such we will investigate with the purpose to fix it. Please test anyway without -6 option and let us know the outcome at your convenience. (DONE) Kind regards

@giganerd Hello! We might be in presence of a conflict when you try an IPv6 connection and at the same time you also want IPv6 over IPv4 (which actually may appear contradictory). The error pertaining to address parsing comes from OpenVPN 3 library. Can you tell us whether the problem is resolved or not when you don't force IPv6 over IPv4 for an IPv6 connection (i.e. do not include -6 option)? Kind regards

@pjnsmb Hello! We're not yet in beta testing (EDIT: since Nov 29 we are ), thanks for the trust, but we count to release a beta version soon (for Mac too). Can you tell us your exact Linux distribution name and version and send us the client log taken just after the problem has occurred? Using the screen utility was a suggestion pertaining to a different case, or maybe are you connecting remotely via ssh or telnet to the machine that will connect to the VPN? If so using screen is absolutely not a hard work, it's piece of cake don't worry. Kind regards

Hello! AirVPN OpenVPN 3 client version 1.0 alpha 2 is now available. It addresses reported bugs and should resolve them. AirVPN OpenVPN 3 Client 1.0 alpha 2 - 7 November 2019 Changelog [ProMIND] DNS resolver has now a better management of IPv6 domains [ProMIND] DNS resolver has now a better management of multi IP domains [ProMIND] Minor bug fixes ======== Linux 64 bit build can be downloaded here: https://eddie.website/repository/eddie/airvpn-static1.0alpha/airvpn-static-linux-1.0-alpha2.tar.gz SHA512: https://eddie.website/repository/eddie/airvpn-static1.0alpha/airvpn-static-linux-1.0-alpha2.tar.gz.sha512 Linux Raspbian 32 bit build can be downloaded here: https://eddie.website/repository/eddie/airvpn-static1.0alpha/airvpn-static-raspberry-1.0-alpha2.tar.gz SHA 512: https://eddie.website/repository/eddie/airvpn-static1.0alpha/airvpn-static-raspberry-1.0-alpha2.tar.gz.sha512 Thank you for your tests! Kind regards

@WindUp Hello! Agreed. Since when we decided to cut any intermediary for cryptocurrencies payments, we need to implement crypto payment options one by one internally. Monero is the next on list anyway. Kind regards

@maxandjim Thank you, we will investigate about communications in the local network. If for some reason the remote ssh session gets broken with CTRL-C you can consider to run the client inside a screen and send a soft kill signal when you want to shut it down gracefully. Warning: if you lose ssh connection, the client will continue to run in "its screen", completely detached (even its stdin, stdout and stderr will be detached from the previous shell) so the machine will remain connected to the VPN and "network locked": make sure you can remotely force a machine reboot as an emergency rescue just in case you can't access it anymore via ssh. About fantastic screen utility: https://www.gnu.org/software/screen Kind regards