Staff

Hello! Vulnerability affecting Eddie for Windows installing packages downloaded earlier than Tue May 15 12:51:22 UTC 2018 in already compromised systems. Any other package type for Windows and any package type for any Operating System is not and has never been affected. Eddie Windows NSIS installers have three vulnerabilities described in ​NSIS bug 1125. The most serious of these issues (#1) allows running unsolicited code and an escalation of privilege attack using DLL Search Order Hijacking (​CAPEC-471) as Eddie Windows installers are generally executed with Admin privileges. What NSIS/Windows does is actually prefer loading DLLs in the current directory, which in case of the Downloads folder is writable by the user. Thus the vulnerability is trivial to exploit, but only if the attacker has already managed to get a malicious DLL into user's Downloads folder https://sourceforge.net/p/nsis/bugs/1125/ This issue was brought to our attention by Kushal Arvind Shah of Fortinet's FortiGuard Labs on May 14, 2018 and fixed by us Tue May 15 12:51:22 UTC 2018 in any Eddie 2.13.* Windows installer releases and above. Download of older versions has been disabled. Side note: any Eddie version older than 2.13.6 for any system has now been removed from the download list. Such versions are obsolete and the removal complies to security considerations as well as compatibility considerations with the developments of the respective Operating Systems.

Just for additional (and probably useful) information, entry and exit-IP addresses in our service are different. Even nowadays, that's not true in many VPN services. Keeping different entry and exit-IP addresses prevents various correlation attacks which can even lead to the discovery of your real IP address, even when OpenVPN works perfectly (it's a method which exploits just how the Internet routing works). For the casual reader, a clearer explanation. When you connect to an Air VPN server, you connect to some IP address (we call it the "entry-IP address" of that server). However, your packets reach the Internet from a different IP address (we call it "exit-IP address" of that VPN server). The main reasons, though, for which AirVPN seems more expensive than other services in some cases are: 1) the guarantee of no overselling (unique feature as far as we know) - this is terribly expensive 2) the lack of fake IP addresses. Some big VPN services advertise something like 4000 servers but when you dig deeper you just see that each set of dozens or even hundreds IP addresses end up to the same server 3) the lack of virtual servers, we only own or rent physical, bare metal servers with certain hardware requirements That said, nothing is immutable and two year plans as well as rates review are not in principle impossible, but we must keep everything compatible with our mission, in other words we are not going to cut rates by overselling or through fake machines, obviously. Kind regards

Hello! That's not the correct way to do it, especially with Facebook! Probably you did not get the full implications of what we wrote earlier. Anyway in this usage example Facebook may correlate your proxy IP address with your VPN IP address (through one of its infinite spy plug-ins or with the aid of a third-party web site you open with another browser because you would like to appear there with your VPN IP address or in even other ways), and not with your "real" IP address. Once again your purpose is defeated. Maybe these "VPN browser extensiosn" are just bloatware giving a false sense of trust, which is dangerous. Even the definition is a blatant lie ("VPN"??? they have nothing to do with VPN). Privacy enhancing methods are not always "practical", in spite of our efforts. We can't protect you against yourself and your bad habits, but we can try to raise your awareness about the risks you are not aware of. Kind regards

Can you explain why this is important? The entry IP appears to be fixed, either 1 above or 1 below the exit IP depending on if you use the standard entry IP or the alternative. Any adversary would know the two possible entry IP's from the exit IP. Hello! It's of vital importance because it prevents specific correlation attacks aimed to cause your system to exchange data outside the VPN tunnel when you use remote port forwarding. It's trivial to successfully perform such attacks when the entry and the exit IP addresses match. Anybody can therefore discover your "real" IP address (and this is what normally happens in many VPN services which provide remote port forwarding, we would not even define them as "competitors" anyway). Additionally your assumption may be correct or not but is irrelevant. Correlations in low latency networks become more difficult when exit and entry-IP addresses do not match, regardless of their subnet. Kind regards

Hello! That's just fine. When OpenVPN is connected to Tor, and you use another application which is configured to connect to Tor, that application traffic will be tunneled over Tor only. You can see the reason by looking at the routing table and the gateways of your system. On a qualitative level, let's say that an application configured to connect to Tor proxy locally will connect to Tor proxy locally, it has no way to route the traffic on the tun interface to reach the VPN gateway which can be reached only over OpenVPN over Tor (OpenVPN connects to Tor proxy locally as well). In https://airvpn.org/tor you can see the above depicted in the first picture. If you need Tor over OpenVPN, connect OpenVPN directly to a VPN server, then use Tor. All the applications configured to connect to Tor will have their traffic tunneled over Tor over OpenVPN. Kind regards

Hello! The browser extensions you mention configure your browser to tunnel its traffic, and only its own, over some SOCKS or HTTPS proxy. Normally it has nothing to do with entering a Virtual Private Network and should not be considered a reliable method to build an anonymity layer, not even a weak one, because all the other traffic (system traffic, other applications traffic, traffic generated by plug-ins too in some cases) will not be tunneled. On top of the above some technical challenges and concerns about DNS pre-fetching and more in general about the fact that DNS queries will not be tunneled anyway in some systems (Windows) under not uncommon circumstances must be taken into account. So the whole matter seems outside AirVPN scope, as AirVPN service is meant primarily as a privacy enhancing service through an anonymity layer which aims to not let any single packet go out to the Internet with your "real" IP address AND to send to the Internet packets with an IP address that's even different than the IP address of the VPN server you connect to (a very important feature that is often overlooked and which is not offered by many VPNs, and that anyway can't be offered by a proxy). It might be a service for other purposes, but it does not seem aimed to create any anonymity layer of any kind and/or to the purpose AirVPN is meant for. Kind regards

Hello! You are capped through traffic shaping. either enforced by yourself (check any filtering tool on your router and system) or more likely by your ISP. Note how TCP is faster than UDP. This makes no sense in an agnostic network because OpenVPN is much faster in UDP, so it's a strong clue hinting to traffic shaping. Test an "OpenVPN over SSL" connection to port 443 (a good approximation of HTTPS so to say), or a tls-crypt featured connection to entry-IP 3 or 4 to see whether they can mitigate or bypass the throttling techniques. Also consider to change ISP if possibile. You can change connection mode in Eddie Preferences > Protocols. Remember to click "Save" and restart a connection each time you change setting to apply the change onto OpenVPN. Kind regards

Hello! An additional information for those who need larger buffers when using Eddie: you can enter custom directives rcvbuf and sndbuf in "Preferences" > "OVPN Directives" custom directives field. Click "Save" after you have entered them and restart a connection to apply the change onto OpenVPN. The syntax is: rcvbuf receive_buffer_size sndbf send_buffer_size where receive_buffer_size and send_buffer_size are in bytes. Example: rcvbuf 1048576 will tell OpenVPN to create a 1 MB (1048575 bytes) receive socket buffer. Kind regards

Hello! We would like to investigate, your specific case is interesting. Your node is behind DSLite stack, with only IPv6 connection (IPv4 is encapsulated in IPv6), but you appear to have only IPv4 in the tunnel. Can you post a system report taken just after the problem has occurred to check Eddie settings (in particular about how it must handle IPv6)? "Logs" > life belt icon > copy all > paste into your message. Kind regards

Hello! Confirmed and reproduced in RC1 and Oreo. We are currently testing internally a fixed version. If everything goes well you will see RC2 quite soon. Kind regards

Hello! Yes, that's the option you look for. In the option comment you should be able to read: "Pause VPN when the screen is off. When this option is enabled, no traffic will be generated by the VPN when the screen is off. This also saves battery when the screen is off." Kind regards

Hello and thank you for your report! Can you please make sure that the option "Show notification" is ON? If it's turned off, Android can put the application to sleep according to its own resources management, causing VPN disconnection (Eddie displays a warning about that anyway). Please feel free to keep us posted. Kind regards

Hello! It surely can lower you anonymity layer and even for other, somehow more serious reasons. That's why we don't log the port history and you can delete a forwarded port anytime. Also, it is very important that you keep Network Lock enabled when you remotely forward port. Really important. Not that someone needs to worry about copyright trolls and similar bums, but if you need to listen to a port for some very sensitive activity in some hostile to human rights environment, keeping Network Lock enabled and deleting the port soon after the usage may help you sleep slightly more comfortably. Note that for "deleting the port" we mean that you delete it from your account panel as well as you change it from the configuration of your listening service(s). Kind regards

Hello! Of course. Documentation and instructions will be published before the release of the stable version. Kind regards

Hello! A 100% safe traffic leak prevention outside the VPN tunnel (we guess you mean that with "kill switch", is this right?) is impossible on a machine you don't control as root (administrator) but Eddie will perform a best effort to prevent leaks just like any other OpenVPN based application on Android. Please make sure that "TUN persist" and "Pause VPN ..." options are both active for this purpose. About the event you report, can you please add some more details? When you switched from WiFi to LTE, did OpenVPN disconnect and then never re-connected until you restarted Eddie? Can you reproduce the issue and post the full OpenVPN log taken after the problem has occurred? Kind regards

Hello! We're very glad to inform you that Eddie 1.0 Release Candidate 1 has just been released. RC1 has been linked against mbedTLS (formerly known as "PolarSSL") instead of OpenSSL. This decision has been taken because, according to our tests, performance with OpenSSL and mbedTLS is identical, while mbedTLS ensures a longer battery life under intensive usage: approximately a 10% improvement. This change also makes the package lighter. We warmly invite you to test as much as you can and report any glitch and bug you should find. We would like to thank all the beta testers so far: thanks to them the development cycle has been very fast and we are so near to release a stable version. Thank you! As usual Eddie is free and open source software released under GPLv3. You can participate to the beta testing by joining the beta community in the Google Play Store here https://play.google.com/apps/testing/org.airvpn.eddie Alternatively, if you don't want to access (or you have no access to) the Google Play Store, the apk can be downloaded from our Eddie web site here: https://eddie.website/repository/eddie/android/1.0rc1/org.airvpn.eddie.apk Kind regards and datalove AirVPN Staff ChangeLog.txt ChangeLog-1.0RC1.txt

It should not be a problem to extract a string with the IP address of the default gateway of the tun (or whatever) interface, with something like: pingip=$(ip route list dev tun0 | grep link | awk -F '/' {'print $1'} | sed 's/\.0/\.1/g') ping $pingip Fix and refine it according to your needs and pfSense nomenclature, interface names... Note that the last "sed" invocation is gross because it just replaces any ".0" with a ".1" so it will not work if you have a gateway with a 0 octet that's not the last one. Kind regards

Hello, why can't you get the VPN gateway address at each connection and automatically use it for your purposes? Kind regards

Hello! As a first check, please make sure that in Preferences > Network Lock the combo box Mode is NOT set to None. Kind regards

Hello! It's a delicate matter because GPL (and other licenses) are incompatible with Apple policy. Executive summary: Apple will not approve free and open source software, and we like to release only free and open source software. Apple business model on mobile devices is heavily based on restricting customers freedom (even the most trivial operations are locked in Apple devices). It would be irrational to allow software released with a license that's a major menace to a business model which works great. Longer analysis of the aforementioned incompatibility can be found in FSF articles and others. Kind regards

Hello, now it's very clear, thank you. Notifications on the issue will be sent shortly. Kind regards

Hello! Probably we're missing something here so we will leave the discussion to the developers with an invitation to clarify in the meantime: since plink.exe has been included in Eddie package for Windows since many years ago with its MIT license, with the correct digital signature (Simon Tatham is the author https://www.chiark.greenend.org.uk/~sgtatham/) what is the change that's causing any issue? Kind regards

You can ping the VPN default gateway address as usual. Kind regards

Hello! Our Configuration Generator will generate any profile according to your preferences. It's available in your account "Client Area" in our web site. Next Eddie version will feature servers choice (similarly to the desktop edition), so that you will not even need to import profiles (Eddie will create them for you dynamically according to your preferences). Kind regards

Hello! List of Gen2 servers as of 14-July-18. Total: 87 servers. WRONG LIST - DELETED Kind regards