Everything posted by Staff

  1. Hello! We're very glad to inform you that we have just released Hummingbird 1.1.1 for macOS (High Sierra or higher version required).

     UPDATE: Apple M1 native version is available too.

     Main features

       • Lightweight and stand alone binary
       • No heavy framework required, no GUI
       • Small RAM footprint
       • Lightning fast
       • Up to 100% higher throughput than OpenVPN 2.5
       • Based on OpenVPN 3 library fork by AirVPN
       • Robust leaks prevention through Network Lock based on pf - working perfectly on Big Sur too
       • Proper handling of DNS push by VPN servers

     What's new

     Remarkably higher performance

     Hummingbird 1.1.1 is based on the latest OpenVPN AirVPN library version 3.6.6 linked against OpenSSL, and not mbedTLS anymore. OpenSSL latest versions in macOS have reached higher performance than mbedTLS both in encryption and decryption based on AES and CHACHA20-POLY1305 ciphers. By relying on OpenSSL and thanks to highly optimized compilation as usual, Hummingbird on macOS is now able to beat OpenVPN 2 performance as well as previous Hummingbird 1.1.0 performance.

     According to our tests performed on macOS Catalina and Mojave, and keeping AES-256-GCM as Data Channel cipher, throughput increases up to 100%. Comparisons have been performed against Eddie 2.19.6 + OpenVPN 2.5, Tunnelblick + OpenVPN 2.4.9 and Hummingbird 1.1.0. All the tests consistently show a great performance boost, starting from +30% and peaking to +100%.

     Therefore, we strongly recommend that you test Hummingbird 1.1.1 even if you run Eddie. Remember that you can run Hummingbird through Eddie comfortably and quickly by setting the proper option.

     New OpenVPN 3 library features

     Starting from version 1.1.1, Hummingbird is linked against a new version of our OpenVPN 3 library which supports directive data-ciphers: it can be used consistently with OpenVPN 2.5 syntax in OpenVPN profiles.

     The directive allows OpenVPN 3 based software to negotiate a common Data Channel cipher with the OpenVPN server, updating therefore our library to ncp-like negotiation with OpenVPN 2 branch.

     The new library also includes a different handling of IV_CIPHERS variable, fixing OpenVPN main branch issues causing a plethora of problems with OpenVPN 2.5. The implementation, at the same time, takes care of full backward compatibility with OpenVPN versions older than 2.5.

     ncp-disable directive, which to date has never been implemented in the main branch, is still supported, in order to further enhance backward compatibility with both OpenVPN profiles and servers, as well as connection flexibility with servers running older than 2.5 OpenVPN versions.

     Please note that if you enforce a specific Data Channel cipher by means of Hummingbird line option, the enforced Data Channel cipher will override data-ciphers profile directive.

     Changelog 3.6.6 AirVPN by ProMIND

       - [ProMIND] [2020/11/02] openvpn/ssl/proto.hpp: IV_CIPHERS is set to the overridden cipher only (both from client and/or OpenVPN profile) in order to properly work with OpenVPN 2.5 IV_CIPHERS specifications. The old method of cipher overriding by means of negotiable crypto parameters is still supported in order to maintain compatibility with OpenVPN < 2.5.0
       - [ProMIND] [2020/11/24] added "data-ciphers" directive to profile config .ovpn files in order to comply to OpenVPN 2.5 negotiable data cipher specifications. In case "data-ciphers" is found in the .ovpn files IV_CIPHERS is assigned to the algorithms found in "data-ciphers". In this specific case, "cipher" directive is used as a fallback cipher and, if not already specified in "data-ciphers", is appended to IV_CIPHERS

     Download

     Hummingbird for macOS is distributed in notarized and plain versions, both for Intel and M1 processors: Check the download page: https://airvpn.org/macos/hummingbird/

     The difference is about how the package is seen by macOS security and it is therefore up to the user to pick the distribution file suiting his or her needs best. The notarized version is compliant to macOS software security scheme and runs "out-of-the-box", whereas the plain version needs to be explicitly granted permission to run by the user in macOS security & privacy settings. Please note that both versions ensure the same functionality in connecting a VPN server, it is however up to the user to decide whether using the signed and notarized version or not.

     Jump to the manual: https://airvpn.org/hummingbird/readme

     Kind regards & datalove
     AirVPN Staff
  2. Hello! We're very glad to introduce a new software suite for Linux. The suite includes the well known Hummingbird software, updated to the latest OpenVPN AirVPN library, and introduces for the first time a D-Bus controlled, real daemon, Bluetit, as well as a command line client, Goldcrest, to interact with Bluetit.

     New architecture

     The client-daemon architecture we introduce for the first time in our software offers a more robust security model and provides system administrators with a fine-grained, very flexible access control.

     Bluetit is fully integrated with AirVPN. The daemon is accessed through a D-Bus interface by providing specific methods and interface in order to give full support to OpenVPN connection and AirVPN functionality, including - but not limited to - quick automatic connection to the best AirVPN server for any specific location as well as any AirVPN server or country. Connection during system bootstrap is fully supported as well.

     New OpenVPN 3 library features

     Hummingbird and Bluetit are linked against a new version of our OpenVPN 3 library which supports directive data-ciphers: it can be used consistently with OpenVPN 2.5 syntax in OpenVPN profiles.

     The directive allows OpenVPN 3 based software to negotiate a common Data Channel cipher with the OpenVPN server, updating therefore our library to ncp-like negotiation with OpenVPN 2 branch. Hummingbird and Bluetit are already linked against the new library version, while Eddie Android edition will be updated in the near future.

     The new library also includes a different handling of IV_CIPHERS variable, fixing OpenVPN main branch issues which caused a plethora of problems with OpenVPN 2.5. The implementation, at the same time, takes care of full backward compatibility with OpenVPN versions older than 2.5.

     ncp-disable directive, which to date has never been implemented in the main branch, is still supported, in order to further enhance backward compatibility with both OpenVPN profiles and servers, as well as connection flexibility with servers running older than 2.5 OpenVPN versions.

     Please note that if you enforce a specific Data Channel cipher by means of Bluetit configuration file, Hummingbird line option, or Goldcrest configuration file and/or line option, the enforced Data Channel cipher will override data-ciphers profile directive.

     Changelog 3.6.6 AirVPN by ProMIND

       - [ProMIND] [2020/11/02] openvpn/ssl/proto.hpp: IV_CIPHERS is set to the overridden cipher only (both from client and/or OpenVPN profile) in order to properly work with OpenVPN 2.5 IV_CIPHERS specifications. The old method of cipher overriding by means of negotiable crypto parameters is still supported in order to maintain compatibility with OpenVPN < 2.5.0
       - [ProMIND] [2020/11/24] added "data-ciphers" directive to profile config .ovpn files in order to comply to OpenVPN 2.5 negotiable data cipher specifications. In case "data-ciphers" is found in the .ovpn files IV_CIPHERS is assigned to the algorithms found in "data-ciphers". In this specific case, "cipher" directive is used as a fallback cipher and, if not already specified in "data-ciphers", is appended to IV_CIPHERS

     Notes on systemd-resolved

     In Fedora 33 systemd-resolved comes pre-configured to work in "on-link" mode and network-manager works together with it. This very peculiar, Windows-like setup kills Linux global DNS handling, causing those DNS leaks which previously occurred only on Windows. Hummingbird and Bluetit take care of preventing the brand new DNS leaks caused by such a setup.

     Also note that systemd-resolved comes pre-configured with fallback DNS (Google DNS is a systemd-resolved default fallback DNS, smart choices pile up!) which will be queried if each interface DNS server fails some resolution. In such a case, if and only if you have Network Lock enabled will DNS leaks be prevented.

     Supported systems

     The suite is currently available for Linux x86-64, i686 (32 bit distributions), arm7l (for example Raspbian and other ARM 32 bit based systems) and aarch64 (ARM 64 bit). AirVPN Suite is free and open source software licensed under GPLv3.

     Overview and main features

     AirVPN’s free and open source OpenVPN 3 suite based on AirVPN’s OpenVPN 3 library fork
     Version 1.0.0 - Release date 7 January 2021

       • Bluetit: lightweight D-Bus controlled system daemon providing full connectivity to AirVPN servers and generic OpenVPN servers. Ability to connect the system to AirVPN during the bootstrap.
       • Goldcrest: Bluetit client, allowing full integration with AirVPN servers, users, keys, profiles as well as generic OpenVPN servers
       • Hummingbird: lightweight and standalone client for generic OpenVPN server connection
       • Linux i686, x86-64, arm7l and arm64 (Raspberry) support
       • Full integration with systemd, SysVStyle-init and chkconfig
       • No heavy framework required, no GUI
       • Tiny RAM footprint
       • Lightning fast
       • Based on OpenVPN 3 library fork by AirVPN version 3.6.6 with tons of critical bug fixes from the main branch, new cipher support and never seen before features
       • ChaCha20-Poly1305 cipher support on both Control and Data Channel providing great performance boost on ARM, Raspberry PI and any Linux based platform not supporting AES-NI. Note: ChaCha20 support for Android had been already implemented in our free and open source Eddie Android edition
       • Robust leaks prevention through Network Lock based either on iptables, nftables or pf through automatic detection
       • Proper handling of DNS push by VPN servers, working with resolv.conf as well as any operational mode of systemd-resolved additional features

     User documentation (*) and source code: https://gitlab.com/AirVPN/AirVPN-Suite

     (*) Developer documentation to create custom software clients for Bluetit will be published in the near future.

     Download links:

       • Linux x86-64: https://eddie.website/repository/AirVPN-Suite/1.0/AirVPN-Suite-x86_64-1.0.0.tar.gz
       • Linux x86-64 sha512 check file: https://eddie.website/repository/AirVPN-Suite/1.0/AirVPN-Suite-aarch64-1.0.0.tar.gz.sha512
       • Linux i686: https://eddie.website/repository/AirVPN-Suite/1.0/AirVPN-Suite-i686-1.0.0.tar.gz
       • Linux i686 sha512 check file: https://eddie.website/repository/AirVPN-Suite/1.0/AirVPN-Suite-i686-1.0.0.tar.gz.sha512
       • Linux arm7l: https://eddie.website/repository/AirVPN-Suite/1.0/AirVPN-Suite-armv7l-1.0.0.tar.gz
       • Linux arm7l sha512 check file: https://eddie.website/repository/AirVPN-Suite/1.0/AirVPN-Suite-armv7l-1.0.0.tar.gz.sha512
       • Linux aarch64: https://eddie.website/repository/AirVPN-Suite/1.0/AirVPN-Suite-aarch64-1.0.0.tar.gz
       • Linux aarch64 sha512 check file: https://eddie.website/repository/AirVPN-Suite/1.0/AirVPN-Suite-aarch64-1.0.0.tar.gz.sha512

     Kind regards
     AirVPN Staff
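The IV_CIPHERS rules from the 3.6.6 changelog quoted in the two release announcements above, worked through as a profile audit. This is an added example, not AirVPN's code: the function names, the allowlist, the sample profile and the handling of a profile with `cipher` but no `data-ciphers` are assumptions made for illustration.

```python
"""Derive the IV_CIPHERS list a profile would advertise, per the quoted changelog."""

# Assumption: a local policy of acceptable data-channel ciphers (not from the page).
AEAD_ALLOWLIST = {"AES-256-GCM", "AES-128-GCM", "CHACHA20-POLY1305"}

# Constructed sample profile: a legacy "cipher" line left next to "data-ciphers".
SAMPLE_PROFILE = """\
client
dev tun
remote vpn.example.net 443
# legacy line kept from an old profile
cipher BF-CBC
data-ciphers AES-256-GCM:CHACHA20-POLY1305
<ca>
-----BEGIN CERTIFICATE-----
(constructed placeholder)
-----END CERTIFICATE-----
</ca>
"""


def parse_profile(text):
    """Collect the cipher-related directives of an .ovpn profile."""
    found = {"cipher": None, "data-ciphers": None, "ncp-disable": False}
    inline_block = None  # name of the <tag> block we are inside, if any
    for raw in text.splitlines():
        line = raw.strip()
        if inline_block:  # skip embedded certificates and keys
            if line == f"</{inline_block}>":
                inline_block = None
            continue
        if not line or line[0] in "#;":  # blank lines and comments
            continue
        if line.startswith("<") and line.endswith(">") and not line.startswith("</"):
            inline_block = line[1:-1]
            continue
        name, *args = line.split()
        name = name.lower()
        if name == "cipher" and args:
            found["cipher"] = args[0].upper()
        elif name == "data-ciphers" and args:
            # OpenVPN 2.5 syntax: colon-separated cipher names
            found["data-ciphers"] = [c.upper() for c in args[0].split(":") if c]
        elif name == "ncp-disable":
            found["ncp-disable"] = True
    return found


def iv_ciphers(profile, enforced=None):
    """Apply the changelog rules; `enforced` models a client-side cipher option."""
    if enforced:  # an enforced cipher overrides data-ciphers: only it is advertised
        return [enforced.upper()]
    listed, fallback = profile["data-ciphers"], profile["cipher"]
    if listed:
        result = list(dict.fromkeys(listed))  # de-duplicate, keep order
        if fallback and fallback not in result:
            result.append(fallback)  # "cipher" is appended as the fallback
        return result
    # Assumption: with no data-ciphers, a profile "cipher" acts as the override.
    return [fallback] if fallback else []


def audit(text, enforced=None):
    """Report what would be advertised and which entries fall outside local policy."""
    profile = parse_profile(text)
    advertised = iv_ciphers(profile, enforced)
    return {
        "iv_ciphers": advertised,
        "outside_allowlist": [c for c in advertised if c not in AEAD_ALLOWLIST],
        "ncp_disable": profile["ncp-disable"],
    }


if __name__ == "__main__":
    print(audit(SAMPLE_PROFILE))
    print(audit(SAMPLE_PROFILE, enforced="chacha20-poly1305"))
```

On the sample profile the leftover `cipher BF-CBC` line ends up in the advertised list as the fallback, which is the case worth checking for when old profiles are reused with the new `data-ciphers` directive.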
  3. @Dadadadadaa Yes, that's correct. Kind regards
  4. @Dadadadadaa Hello! No doubts, it will be even more useful against flood. Anyway nothing changes for the customers under a security point of view, obviously, as the key is needed as TLS pre-auth (so OpenVPN can shut down immediately, before checking client certificate, and mitigate flood) and for TLS mode (so PFS etc. become possible), nothing else. Kind regards
  5. @moejoe Hello! As far as we know Enigma2 is available for MIPS based machines (Dreambox): if that's your case, we're sorry, but both Eddie and AirVPN Suite are built for i686, x86-64, ARM (32 and 64 bit), but not MIPS. You need to re-compile them. Eddie needs Mono framework and OpenVPN, if they are not available in your system or anyway Eddie is too heavy for a top box (you will need at least 300 MB RAM free before running it, plus some MB to run OpenVPN and other external binaries), you might try Hummingbird (it will take just 10 MB or less in total), but consider that it does not have a GUI. If you run a Linux based top box with Enigma 2 on top with some ARM CPU, then you might even try Hummingbird directly. https://airvpn.org/hummingbird/readme/ Kind regards
  6. Hello! A few router web servers, by default settings, only accept connections from IP addresses in the LAN for security reasons. That would explain why you get error 111 (connection refused) and the other SSL related issue only when the connection comes from the outside. Checking the router web server configuration is worthwhile. Kind regards
  7. @paladinair A couple of ideas coming to mind: 1) You run some curl version linked to a library that does not support the underlying cipher that your server proposes 2) You run some curl version linked to a library that does not support the TLS protocol required by your server (example: your server requires TLS 1.x and curl does not support it) Kind regards
  8. @monstrocity Hello! We will investigate. Can you confirm that the problem does not occur in HB 1.1.0? Please note that Bluetit 1.0.0 RC 1 does not have the ability to enforce network lock and a connection at system bootstrap. Bluetit 1.0.0 stable release will have this ability, but of course it will be optional. Can you also send us whole terminal output after you have pressed CTRL-C (or have sent a SIGTERM to HB process), as well as the content of /etc/airvpn? ls -l /etc/airvpn Kind regards
  9. @freak Hello! Good, the infamous bottlenecks caused by the OpenVPN TAP driver should be resolved. However it's strange that CHACHA20 provides you with higher performance than AES does. A possible explanation is that your system does not support AES-NI. Your CPU does, though, so you should beat CHACHA20 performance with AES-GCM, if you can enable AES-NI. Wireguard must be faster than OpenVPN with CHACHA20, because Wireguard runs in the kernel space and CHACHA20-POLY1305 implementation should be fine. Running in the kernel space, however, has security implications that must be considered. OpenVPN with AES, in an AES-NI supporting system, linked against latest OpenSSL which includes assembly code (at least for Linux), is faster than Wireguard according to our tests, even though OpenVPN runs in the userspace. Wireguard offer is planned, but as you know it's a wreck lacking many basic features: no DNS push, no dynamic IP address assignment, no AES or other ciphers support, no TCP support, fixed bijection of real IP addresses onto client keys/VPN address, clients real IP address storage in a file, thus posing paramount privacy as well as technical issues. Many people will be disappointed and worried when they understand the implications of all of the above. Many other people will not be able to use Wireguard at all (mobile ISPs blocking or shaping UDP, countries blocking or shaping UDP etc.). We will release software aimed at patching, when possible, those numerous problems, but we need to keep approaching and offering Wireguard with care. Kind regards
  10. @tami Hello! Hummingbird has a tiny RAM footprint if compared to Eddie (a dozen MB against hundreds of MB), even because it does not need Mono and does not have a GUI, so if you don't need a GUI use Hummingbird. CPU usage is high when traffic encryption/decryption is necessary and that's also why you can't beat some throughput limit. Hummingbird 1.1.0 is linked against mbedTLS library. New Hummingbird 1.1.1 (you can already test it, RC 1 was out some days ago) is linked against OpenSSL, which now provides higher performance than mbedTLS, at the price of a little more needed RAM. Please test it if you can and check whether the problem remains. -N off disables "Network Lock" feature. If disabling "Network Lock" resolves the problem, why Network Lock activation prevents you from connecting remains to be seen. If the problem persists with Hummingbird 1.1.1, would you like to post the complete log? If you post it, please make sure not to delete VPN server IP address as you did. It's important information and does not compromise your privacy. Since Raspberry CPU does not support AES-NI, you can boost performance by connecting with cipher CHACHA20-POLY1305. New Hummingbird 1.1.1 is linked against our latest OpenVPN 3 AirVPN library release, which supports data-ciphers directive and is updated to comply to OpenVPN 2.5 (which runs in our servers) specifications, so you can enforce CHACHA20 and any other supported cipher with a proper profile, or by command line option. To download Hummingbird 1.1.1 please see here: https://airvpn.org/forums/topic/48435-linux-new-software-airvpn-suite-10-beta/ Hummingbird is included in the suite (of course feel free to test Goldcrest+Bluetit too). Kind regards
  11. @airvpnclient Hello! That's expected, as systemd does not support daemons which fork (Bluetit performs a double fork). See here: https://www.freedesktop.org/software/systemd/man/systemd.service.html Look at "Options" for "Type=": You can then see why systemd sends SIGTERM when it meets a real daemon. That's obviously obscene filthy crap, but makes Windows-ish and other miserable wannabe programmers happy, because it allows them to run at system bootstrap, as "units", even processes which are not real daemons, which do not respect UNIX policy. Nothing to be surprised of with systemd anyway, you can't expect much from a repellent, non POSIX compliant crouch. For your specific use case, you can consider to run Hummingbird, as running Goldcrest+Bluetit in that way does not make much sense, or you can wait for Bluetit release which (it's official now) will include options to connect at bootstrap. Kind regards
  12. @arteryshelby @ZPKZ Hello! Stay tuned, infrastructure expansion will go on. Kind regards
  13. @hisik22091 Hello! Yes, please run Tor and use a Tor browser after you have connected to some VPN server when your threat model includes adversaries with the power of a government agency using legal or illegal tools in Europe. It's very important to not underestimate such risks, regardless of the documentation you're able to provide to substantiate any sentence and word, as even European countries have shown that they can infringe human rights with impunity: consider UK torturing a journalist (Julian Assange) for a long time and infringing other human rights, in spite of the United Nations reports, just to make an example. We use different entry and exit-IP addresses on VPN servers, but that's a weak defense against a government which can infer which exit-IP address is related to which entry-IP addresses. Unfortunately Wikipedia tends to block editing from a lot of Tor nodes, a terrible and idiotic choice in our opinion, especially when anyone can see which IP address an edit was made from (or can obtain it through a court order). For a solution in such a case, keep reading. Note anyway that a government that performs such a correlation does not obtain a PROOF that someone wrote something, because they can't know from us which users were connected to which VPN servers at any given time, as we do not inspect and/or log traffic content and/or metadata. Also check what we wrote in 2013 about the importance of partition of trust: https://airvpn.org/forums/topic/54-using-airvpn-over-tor/?do=findComment&comment=1745 If you find editing Wikipedia articles from Tor nodes difficult, you can consider OpenVPN over Tor. It's not as secure because the Tor circuit is fixed (it will not change at each new TCP stream), and it's not as easy to use as Tor over OpenVPN is, but it poses a probably impossible challenge for a government to find out the identity of the author. 
Wikipedia sees and records the VPN server exit-IP address, but your government does not see that you connected to that VPN server address, because your traffic goes through some Tor circuit first. Only the Tor exit-node knows that the traffic ends to our VPN server entry-IP address, but the Tor exit-node does not know your real IP address, because you connect OpenVPN to the first Tor guard. The correlation you fear is therefore destroyed. OpenVPN over Tor usage is made easier by our Eddie desktop edition software. Kind regards
  14. @Point Zero Hello! Probably it had nothing to do with Eddie itself then, but with the system. Eddie frontend runs in the Mono (.NET in Microsoft systems) framework, while the backend is written in C++. What is your Operating System exact version? To wipe out anything Eddie-related, just delete the directory it is inside, if you use a portable package, while you need to uninstall according to your system (just like you do with any app) if you had installing package. Then delete Eddie configuration file as above. Kind regards
  15. @airvpnclient Hello! Indeed. Let's try to reproduce it. Which system do you run? Kind regards
  16. Check also https://airvpn.org/forums/topic/48234-speedtest-comparison/ in order to verify what you can expect from AirVPN best performance. Kind regards
  17. Hello! Momentarily, in London please connect to Arion, where the problem is resolved, thank you. Kind regards
  18. @airvpnclient Hello! An easier way will be available soon, in the next version, which will support a specific option to have Bluetit connect during the bootstrap (you will need bluetit.rc properly configured with your AirVPN credentials). As a first attempt, can you please change your account password into one which only contains ASCII characters in [a-z] U [A-Z] U [0-9]? We ask you to do that because the only difference we can currently spot is that in one case rc.local is launched by init, while in the other one it is launched by a shell which might have a different character set. By using only ASCII characters such a problem would be solved. We are looking forward to hearing from you. Kind regards
  19. @freak Hello! Try to use wintun (another driver for tun-like virtual network interfaces) as you might have a bottleneck caused by the TAP driver. Eddie 2.19.6 for Windows is packaged with OpenVPN 2.5 and they both support wintun, you can enable it with a click. See here to download Eddie 2.19.6: https://airvpn.org/forums/topic/46329-eddie-desktop-219beta-released/ Kind regards
  20. Hello! Moving to "Troubleshooting and problems" because AirVPN is much faster than NordVPN with the same transit providers, we guess because NordVPN does not have our load balancing system (on the single server we mean) and NordVPN servers are congested at times. Using Wireguard by default also slows down NordVPN if your system supports AES-NI. Also consider to open a ticket if necessary. Kind regards
  21. @govegan3 Thank you for the report! In order to let us try and reproduce the issue, can you determine more precisely and tell us the "long time" you mention? Can you also tell us your distribution name and version? Kind regards
  22. Hello! Please open a ticket at your earliest convenience: AirVPN community can't help you with this, you need the support team. You can open a ticket from the web site or by writing an e-mail to support@airvpn.org Kind regards
  23. @john roberts Hello! If you run Bluetit and Goldcrest, you don't need to create an exception in SELinux, because Bluetit is a daemon. Bluetit will start at boot, and you can connect your system to the VPN by running Goldcrest at the end of system runlevel, or subsequently from any user belonging to airvpn group. If you run Hummingbird and you want to start it at system bootstrap with nft based Network Lock enabled you should create an exception in SELinux, but such a solution should be discarded, as Hummingbird is not designed to be a daemon. Therefore, using Hummingbird as a systemd unit is deprecated. We would suggest that you run Bluetit and Goldcrest instead. NOTE: if you need to prevent any communication outside the VPN tunnel even during the system bootstrap by system processes, you can consider to set permanent firewall rules blocking anything except DHCP discovery (essential to connect to a router), local network and localhost, as well as some ntp server if you need time sync at boot (no battery etc.). "Network Lock" will then "unlock" communications to the VPN servers and your local network allowing you to connect to a VPN server with no time pressure at all. As long as network lock is disabled, total lock will remain in place. As soon as network lock is enabled, only comms to the VPN servers become possible. Kind regards
  24. @RameshK Hello! Can you please make sure that you have downloaded the "pre-Catalina" notarized 2.19.6 version? If in doubt, please re-download (of course you can download the packages as many times as you wish). We are looking forward to hearing from you. Kind regards
  25. Hello! Sure, porting our software to ARM based Mac machines is an option we are seriously considering because during 2021 (and maybe 2022) Mac Apple will abandon development of x86-64 based computers completely. Stay tuned. Kind regards