Jump to content
Not connected, Your IP:


  • Content Count

  • Joined

  • Last visited

  • Days Won


Everything posted by Staff

  1. @polomintus Hello! The monitor correctly shows the amount of online sessions, not online users, connected to each VPN server (or country etc.). That said, Nash and Matar are in the same datacenter, have the same configuration and very similar hardware They are also served by the same transit providers. Therefore, so it's not easy to think of a satisfactory explanation. We could start from the fact that our servers in Alblasserdam are connected to a pool of several 10+ Gbit/s lines and more than one high volume router, but we can not see any symptom of congestion in any rack in Alblasserdam, as you indirectly noticed too. In any case, connect to the server(s) that can provide you with the best performance. Kind regards
  2. @pjnsmb Hello and thanks! Documentation remains the one you see. It will be updated when possible and anyway not later than stable version release date. At the moment it is perfectly valid for beta 2 version, you can rely on it safely. Kind regards
  3. UPDATE 27 NOVEMBER 2020 We're glad to announce that new version 1.0.0 beta 2 has been released featuring new OpenVPN 3 library supporting data-ciphers directive. The suite also fixes DNS issues with systemd-resolved when it is actively operating in "on link" mode and concurrently with network-manager in systemd based systems (it happens for example in Fedora 33). Please check the first message of the thread for a full overview and more details! Kind regards & datalove AirVPN Staff
  4. @stevewasabi69lol Hello! That's unexpected: it must be a bug in version 2.16.3 because servers have not been sending Halloween banner since weeks ago (now they send Black Friday promo banner). You can either upgrade to latest Eddie 2.19 (but you might have issues with Windows 7) or you can just delete all the files in C:\Users\parent\AppData\Local\AirVPN\ while Eddie is not running. At the next run you will need to re-enter your credentials and any custom setting. Kind regards
  5. Hello! We're very glad to inform you that the Black Friday week has just begun in AirVPN! Save up to 74% when compared to one month plan price Check all plans and discounts here: https://airvpn.org/buy If you're already our customer and you wish to jump aboard for a longer period, any additional subscription will be added on top of already existing subscriptions and you will not lose any day. AirVPN, one of the oldest and most experienced consumer VPN on the market, operating since 2010, does not inspect and/or log clients' traffic, offers five simultaneous connections per account, IPv6 full support, AES-GCM and ChaCha20 ciphers on all servers, Perfect Forward Secrecy with unique per-server 4096 bit Diffie-Hellman keys, active daemons load balancing for unmatched high performance and even more, exclusive features. AirVPN is the only VPN provider which is actively developing OpenVPN 3 library with a fork that's currently 91 commits ahead of OpenVPN master and adds key features and bug fixes for a much more comfortable and reliable experience: https://airvpn.org/forums/topic/44069-openvpn-3-development-by-airvpn/ AirVPN, in accordance with its mission, develops only free and open source software for many platforms, including Android, Linux (both x86 and ARM based systems), macOS and Windows. Kind regards & datalove AirVPN Staff
  6. @OpenSourcerer @Flx In general NSA is not able to break hard encryption so key exfiltration is mandatory to obtain encryption circumvention and not encryption "break". A more advanced stage is attacking the key exchange process (that explains why we already used 2048 bit DH keys since 2010 and shifted to 4096 bit DH keys in 2014, as well as 4096 bit RSA keys). Moreover, in the specific IPsec case, check the APEX VPN four phases according to top secret documents, for a summary on how NSA can successfully attack IPSec IKEv2 and ESP through HAMMERCHANT and HAMMERSTEIN. Unfortunately, how the decryption of ESP packets actually takes place remains unexplained. We know however that the decryption is real. "No details as to how the NSA decrypts those ESP — “Encapsulating Security Payload” — packets, although there are some clues in the form of code names in the slides." (Schneier). See also Bruce Schneier's blog and The Intercept publication of the relevant top secret document. On top of all that, in 2013 proof of the BULLRUN program emerged thanks to Snowden revelations. BULLRUN was a program aimed, among other things, at inserting vulnerabilities into commercial encryption systems. Nowadays it is strongly suspected that BULLRUN targeted IPsec too. We are talking about documents leaked in 2013 but related (even) to programs designed and developed during earlier years, so it's not unreasonable to assume that in the meantime NSA has further progressed to breaking IPsec. When we created AirVPN we decided to not adopt IPsec because already in 2010 doubts on NSA interference spread out as rumors. https://theintercept.com/document/2014/03/12/vpn-voip-exploitation-hammerchant-hammerstein/ https://www.schneier.com/blog/archives/2014/03/how_the_nsa_exp.html (check Q&A as well) Kind regards
  7. @traveller Hello! Yes, both Hummingbird and Eddie are free and open source software by AirVPN. They are available for Mac too. They both enforce "Network Lock" by using pf (pre-installed by default on macOS by Apple) so you don't have to worry about traffic leaks outside the VPN tunnel. Please see here: https://airvpn.org/macos Kind regards
  8. Hello! We inform you that the following servers located in the Netherlands: Anser Comae Elnath Jabbah Luhman Sheliak are having their IP addresses changed as a necessary datacenter restructuring. What you need to do If you run Eddie (all desktop and Android editions), data will be updated automatically. No action is required. If you have OpenVPN profiles pointing to those servers qualified domain names, everything will be updated automatically. No action is required. If you have OpenVPN profiles pointing directly to those servers IP addresses, you will necessarily have to re-generate such profiles. Kind regards AirVPN Staff
  9. Hello! More about macOS Big Sur, Eddie and Hummingbird. Eddie and Hummingbird enforce Network Lock through pf rules. The mentioned problem is that kernel extensions are deprecated, and the new API NetworkExtensions includes exceptions to filtering rules which allow 56 Apple apps and services to bypass any filtering rule enforced via the API (which is quite atrocious and says a lot about Apple's respect toward its customers, but that's how it is). However, pf is the system firewall which is autonomous from NetworkExtensions API and its exceptions. Therefore Eddie and Hummingbird Network Lock are working fine just as usual. Note that the NetworkExtensions exceptions were active even in Catalina. However, nobody noticed them because third-party firewalls bypassed them by relying on kernel extensions (kexts). Now that kexts don't work well anymore, the problem has exploded, but as usual you are safe with AirVPN Network Lock both in Eddie and Hummingbird. Kind regards
  10. Hello! Of course, the problem has nothing to do with Eddie Network Lock. Eddie and Hummingbird enforce Network Lock thorugh pf rules. The mentioned problem is that kernel extensions are deprecated, and the new API NetworkExtensions includes exceptions to filtering rules which allow 56 Apple apps and services to bypass any filtering rule enforced via the API. That's quite atrocious and says a lot about Apple's respect toward its customers, but that's how it is. However, pf is the system firewall which is autonomous from NetworkExtensions API and its exceptions. Therefore Eddie and Hummingbird Network Lock are working fine just as usual. Note that the NetworkExtensions exceptions were active even in Catalina. However, nobody noticed them because third-party firewalls bypassed them by relying on kernel extensions (kexts). Now that kexts don't work anymore, the problem has exploded, but as usual you are safe with AirVPN Network Lock both in Eddie and Hummingbird. Kind regards
  11. @X22Y55Zbc Hello and thank you!! You are free to buy any coupon quantity, but you can't provide a single coupon with multiple amounts. It's not a big deal because for your purpose you can buy two or more credit coupons and redeem them when you buy a plan in our "Buy" page. There, you will see a "Do you have a coupon code?" field in the upper section, where you can enter each coupon one by one, one after the other, and redeem all of them on a single purchase. The total amount of all coupons will be credited to the account that redeemed them. Such account can use all of its credit while checking out by clicking the proper button which appears on the checkout page. If in doubt or for any additional information please do not hesitate to open a ticket! Kind regards
  12. @183aTr78f9o Hello! it looks like a legitimate procedure to connect your machine at boot to some VPN server We can't see any peculiar problem with it. Kind regards
  13. @lostagain Hello! Eddie Android edition does not send any data to Google, so no reasons to worry about that. It also "contains" no trackers at all as you can verify here: https://reports.exodus-privacy.eu.org/en/reports/org.airvpn.eddie/latest/ Furthermore, you are not obliged to download Eddie from the Play Store, because we offer the APK through a direct download from our web sites, as you must already know. https://airvpn.org/forums/topic/29660-using-airvpn-with-eddie-client-for-android/ It's true, however, that you can't know whether some Android process by Google or the manufacturer of your device bypasses the VPN tunnel, as it happens in iOS with Apple services. However, it would be a common problem to all VPN apps and protocols, not Eddie specific. Kind regards
  14. @183aTr78f9o Thank you, we will be looking forward to hearing about your tests! Yes, thank you, we fixed it as well as an atrocious "the your computer", we apologize. 😅 Kind regards
  15. @pjnsmb Hello and thank you for your tests! It seems that Bluetit started properly at boot, but the error "IPv6 is not available in this system" may be a bug, perhaps the same bug detected by @OpenSourcerer Developers are aware of the issue and should resolve it very soon. Can you please tell us your Linux distribution name and version? As a side note, why running Goldcrest with superuser privileges? By doing so you might jeopardize a portion of the security model provided by the client-daemon architecture. You can run Goldcrest without root privileges, by any user in group airvpn Kind regards
  16. @clebretonfr Hello! We might, but it's not planned for the current version, we're sorry. Those options must be approached with care because, as you probably know, they are an attack surface remarkable enlargement for a library and a daemon, as they allow execution of external scripts and binaries. As usual external execution of anything by a daemon must be minimized. We could consider a surrogate implementation into the client (Goldcrest at the moment) so that the external binary or script runs with the privileges of the user running the client. up and down directives are comfortable for very many purposes, hands down. Kind regards
  17. Hello! We're glad to know it! Maybe you mean that you have added a specific user to group airvpn ? If so: yes, the superuser decides who can access Bluetit (via Goldcrest, in this case) by adding any user to that group. It can be done even during the installation since the script will ask you about that. Of course you can later modify your choices by adding and removing users to/from airvpn group. Therefore you, the superuser, can decide whether users authorized to access Goldcrest can also gain other privileges or not, for additional security. If that was not what you meant, please feel free to elaborate. Kind regards
  18. @Flx The first message was approved by some moderator in the wrong thread, not a big deal. Then we moved the message on its own thread, this one. Then user "wireguard" posted more messages which were all approved by some moderator. @Brainbleach Of course. We were replying to "wireguard" who invites surreptitiously to punish AirVPN because AirVPN uses and develops actively OpenVPN: "Needless to say, investing in AirVPN means investing in OpenVPN, and that's not acceptable to me at this point," . He/she also kept claiming that "it's time to retire OpenVPN" (sic), that OpenVPN is a "truly disgusting hack" (sic) and so on,. showing his/her embarrassing ignorance and lack of good faith. Nothing to do with your messages. Funny how bogus account writers are so eager to become from time to time AirVPN software lead developers, general managers for AirVPN strategies, marketing directors and more. 😀 We wanted to prove beyond any reasonable doubt that his/her claim are unreasonable and based on wrong assumptions and terrible omissions, showing how Wireguard can not replace OpenVPN for a significant percentage of our customers and how our OpenVPN development has been beneficial for many users around the world. That said, we claimed that Wireguard needed to be developed and tested further years ago, so at the time our claim was totally reasonable. We also claimed years ago that the problem was not with CHACHA20 which to the best of nowadays knowledge is a very robust and secure cipher. Now the problems are different because Wireguard is asked to offer something which it was not designed for, i.e. providing some kind of anonymity layer. Such problems include lack of DNS push, lack of dynamic IP address assignment (with subsequent problems with client key-private address static correspondence, a very tough legal problem for us but above all for our customers), need of keeping client real IP address stored in a file. We have resolved them one by one with external software and internal work around. Once the problems are resolved in a robust way, which means testing thoroughly the adopted work-around, we can offer Wireguard, not earlier. Kind regards
  19. @wireguard User "wireguard" is not an account with a valid AirVPN plan If you really wanted to show your support to AirVPN and prove that you are a customer, you would have written from an account with a valid plan. In reality, accounts like "wireguard" seem to be created with the only purpose to pump something and defame something else. From now on, write only from an account that has valid plan, to show that you are in good faith. Our plans about putting Wireguard into production in the near future have been published with a lot of details, albeit without a precise release date (and we have thoroughly explained why), so we will not write again for the nth time about them. About performance, please provide details as we do frequently. Currently we outperform Wireguard with our setup in AES-NI supporting systems, as you can see from our and our customers' tests, while Wireguard can outperform OpenVPN in CHACHA20 in non-AES-NI supporting systems. . When we put Wireguard into production, OpenVPN will stay, so investing in our own OpenVPN development is perfectly fine. Just a few reasons that make OpenVPN superior to Wireguard for many, different needs: it's faster than Wireguard in AES-NI supporting systems when it uses AES. Have a look here! it can be connected over stunnel, SSH, SOCKS5 and HTTP proxies, and Tor swiftly even for the above reason, for an ISP it's not so easy to block OpenVPN, while it's trivial to block Wireguard it supports TCP it supports dynamic IP address assignment it supports DNS push it does not hold in a file your real IP address when a connection is closed a significant part of our customers will not be able to use Wireguard effectively, simply because UDP is totally blocked in their countries or by their ISPs UDP blocking and heavy shaping are becoming more and more widespread among mobile ISPs, making Wireguard slower than OpenVPN in TCP even in mobile devices, or not working at all in mobility About Torvalds and Linux kernel, you only tell a part of the story. Wireguard was first put in some Linux kernel line when Wireguard was still in beta testing and no serious audit was performed, and not put in a kernel milestone release. A further note about battery draining you mentioned in one of your previous messages: our app Eddie Android edition and Wireguard, when used with the SAME bandwidth and the SAME cipher (CHACHA20-POLY1305), consume battery approximately in the same way, so that's yet another inessential point that does not support your arguments and show once more that our investments have been wise. Finally, let's spread a veil on your embarrassing considerations on ciphers, security, privacy and NSA. Let's underline only that CHACHA20.-POLY1305 is very strong, the cipher algorithm in itself (if implemented correctly) is not a Wireguard problem in any way. It would be a reason of deep concern if Wireguard needed OpenVPN defamation to convince us that it's a good software. Unfortunately various bogus accounts have been created with such assumption and purpose, and the hidden agenda is no more hidden. Kind regards
  20. @sooprtruffaut Hello and thank you! Watch out! Source code is not available during beta testing. As usual we will make it available with the stable release. Raspberry Pi OS 64 bit actually has old libraries and the suite will not run in it, we're sorry. When Raspberry OS 64 bit beta testing is over, we plan to support it as well. Kind regards
  21. @colorman Hello! For that you will need to wait for the client software with a Qt based GUI (Firecrest) which will interact with Bluetit as well, or the ncurses based TUI of Goldcrest will be fine for you, perhaps. Stay tuned. Kind regards
  22. @colorman Hello! Please note that Goldcrest commands are a superset of Hummingbird commands, so potentially you can use Goldcrest as it were Hummingbird, but in a more robust architecture (just remember that Golcrest must be run by a user in airvpn group, of course). Hummingbird is anyway included in the suite. In general, using Goldcrest and Bluetit is way simpler because you don't need to have pre-generated profiles (you can bypass the Configuration Generator completely) and much more secure because you don't need to run Goldcrest from a user that must be able to gain superuser privileges. Which issues did you experience exactly, if you don't mind? An uninstall script will be provided in the near future. In order to delete the programs and disable everything in a systemd based system enter the following commands (have root privileges): systemctl stop bluetit.service systemctl disable bluetit.service rm /etc/systemd/system/bluetit.service rm (/usr/local/bin|/usr/bin)/goldcrest rm /sbin/bluetit rm /etc/airvpn/* rm /etc/dbus-1/systemd/org.airvpn.* systemctl reload dbus.service Kind regards
  23. Hello! Yes, of course, it's plausible. OpenVPN runs in a single core so you will see load on one core only AES New Instructions are nowadays well implemented in all desktop CPUs and SSL libraries such as OpenSSL are built to fully use them whenever possible. We hope so! 😎 On the server side we mitigate OpenVPN multi-threading lack by running multiple daemons. Each daemon "runs in a core" and our servers balance with a round robin algorithm the incoming client connections. Therefore a server can use all the cores.. Although each client connects to a single daemon (except in special configurations such as https://nguvu.org/pfsense/pfsense-multi-vpn-wan/ ), of course, load balancing provides remarkable "distributed benefits" anyway. Kind regards
  24. Hello! We're very glad to introduce a new software suite for Linux which is ready for public beta testing. The suite includes the well known Hummingbird software, updated to the latest OpenVPN AirVPN library, and introduces for the first time a D-Bus controlled, real daemon, Bluetit, as well as a command line client, Goldcrest, to interact with Bluetit. UPDATE 11-Dec-2020: version 1.0.0 Beta 3 has been released. UPDATE 23-Dec-2020: version 1.0.0 RC 1 has been released New architecture The client-daemon architecture we introduce for the first time in our software offers a more robust security model and provides system administrators with a fine-grained, very flexible access control. Bluetit is fully integrated with AirVPN. The daemon is accessed through a D-Bus interface by providing specific methods and interface in order to give full support to OpenVPN connection and AirVPN functionality, including - but not limited to - quick automatic connection to the best AirVPN server for any specific location as well as any AirVPN server or country. New OpenVPN 3 library features Starting from version 1.0 beta 2, Hummingbird and Bluetit are linked against a new version of our OpenVPN 3 library which supports directive data-ciphers: it can be used consistently with OpenVPN 2.5 syntax in OpenVPN profiles. The directive allows OpenVPN 3 based software to negotiate a common Data Channel cipher with the OpenVPN server,, updating therefore our library to ncp-like negotiation with OpenVPN 2 branch. Hummingbird and Bluetit are already linked against the new library version, while Eddie Android edition will be updated in the near future. The new library also includes a different handling of IV_CIPHERS variable, fixing OpenVPN main branch issues causing a plethora of problems with OpenVPN 2.5. The implementation, at the same time, takes care of full backward compatibility with OpenVPN versions older than 2.5. ncp-disable directive, which to date has never been implemented in the main branch, is still supported, in order to further enhance backward compatibility with both OpenVPN profiles and servers, as well as connection flexibility with servers running older than 2.5 OpenVPN versions. Please note that if you enforce a specific Data Channel cipher by means of Bluetit configuration file, Hummingbird line option, or Goldcrest configuration file and/or line option, the enforced Data Channel cipher will override data-ciphers profile directive. Changelog 3.6.6 AirVPN by ProMIND - [ProMIND] [2020/11/02] openvpn/ssl/proto.hpp: IV_CIPHERS is set to the overridden cipher only (both from client and/or OpenVPN profile) in order to properly work with OpenVPN 2.5 IV_CIPHERS specifications. The old method of cipher overriding by means of negotiable crypto parameters is still supported in order to maintain compatibility with OpenVPN < 2.5.0 - [ProMIND] [2020/11/24] added "data-ciphers" directive to profile config .ovpn files in order to comply to OpenVPN 2.5 negotiable data cipher specifications. In case "data-ciphers" is found in the .ovpn files IV_CIPHERS is assigned to the algorithms found in "data-ciphers". In this specific case, "cipher" directive is used as a fallback cipher and, if not already specified in "data-ciphers", is appended to IV_CIPHERS Coming soon When we get out of the beta testing, we plan to document Bluetit interface to let anyone write a custom client and talk with the daemon. Furthermore, Goldcrest will evolve in the near future and will include an ncurses based TUI which will be very comfortable when you don't want to rely on command line options while a new Bluetit client, based on Qt, will be developed in the future, for those who prefer a GUI. Notes on systemd-resolved Version 1.0.0 beta 2 and subsequent versions fix a serious issue on systemd based systems running concurrently systemd-resolved and network-manager, for example Fedora 33 in its default configuration. In Fedora 33 systemd-resolved comes pre-configured to work in "on-link" mode and network-manager works together with it. This very peculiar, Windows-like setup finally kills Linux global DNS handling, adding to it those so far missing DNS leaks which made every Windows user nightmares more colorful. Any Microsoft system lacking the very concept of global DNS is now emulated, for an outstanding 30 years back time travel.. However, Hummingbird and Bluetit take care of preventing the brand new DNS leaks potentially caused by such smart setup, giving back Fedora + VPN users more peaceful nights. Also note that systemd-resolved comes pre-configured with fallback DNS (Google DNS is a systemd-resolved default fallback DNS, smart choices pile up!) which will be queried if each interface DNS server fails some resolution. In such a case, if and only if you have Network Lock enabled DNS leaks will be prevented. Supported systems The suite is currently available for Linux x86-64, i686 (32 bit distributions), arm7l (for example Raspbian and other ARM 32 bit based systems) and aarch64 (ARM 64 bit). Please note that the source code will be published with the stable release as usual. The software will be licensed under GPLv3. Overview and main features AirVPN’s free and open source OpenVPN 3 suite based on AirVPN’s OpenVPN 3 library fork Version 1.0.0 Beta 2 - Relase date 27 November 2020 Bluetit: lightweight D-Bus controlled system daemon providing full connectivity to AirVPN servers and generic OpenVPN servers Goldcrest: Bluetit client, allowing full integration with AirVPN servers, users, keys, profiles as well as generic OpenVPN servers Hummingbird: lightweight and standalone client for generic OpenVPN server connection Linux i686, x86-64, arm7l and arm64 (Raspberry) support Full integration with systemd, SysVStyle-init and chkconfig No heavy framework required, no GUI Tiny RAM footprint Lightning fast Based on OpenVPN 3 library fork by AirVPN version 3.6.6 with tons of critical bug fixes from the main branch, new cipher support and never seen before features ChaCha20-Poly1305 cipher support on both Control and Data Channel providing great performance boost on ARM, Raspberry PI and any Linux based platform not supporting AES-NI. Note: ChaCha20 support for Android had been already implemented in our free and open source Eddie Android edition Robust leaks prevention through Network Lock based either on iptables, nftables or pf through automatic detection Proper handling of DNS push by VPN servers, working with resolv.conf as well as any operational mode of systemd-resolved additional features Full documentation: README.md Download links: Linux x86-64: https://eddie.website/repository/AirVPN-Suite/1.0-RC1/AirVPN-Suite-x86_64-1.0.0-RC-1.tar.gz Linux x-86-64 sha512 check file: https://eddie.website/repository/AirVPN-Suite/1.0-RC1/AirVPN-Suite-x86_64-1.0.0-RC-1.tar.gz.sha512 Linux i686: https://eddie.website/repository/AirVPN-Suite/1.0-RC1/AirVPN-Suite-i686-1.0.0-RC-1.tar.gz Linux i686 sha512 check file: https://eddie.website/repository/AirVPN-Suite/1.0-RC1/AirVPN-Suite-i686-1.0.0-RC-1.tar.gz.sha512 Linux arm7l: https://eddie.website/repository/AirVPN-Suite/1.0-RC1/AirVPN-Suite-armv7l-1.0.0-RC-1.tar.gz Linux arm7l sha512 check file: https://eddie.website/repository/AirVPN-Suite/1.0-RC1/AirVPN-Suite-armv7l-1.0.0-RC-1.tar.gz.sha512 Linux aarch64: https://eddie.website/repository/AirVPN-Suite/1.0-RC1/AirVPN-Suite-aarch64-1.0.0-RC-1.tar.gz Linux aarch64 sha512 check file: https://eddie.website/repository/AirVPN-Suite/1.0-RC1/AirVPN-Suite-aarch64-1.0.0-RC-1.tar.gz.sha512 Please report bugs and any problem in this thread, thank you! Kind regards AirVPN Staff
  25. @Shiver Me Whiskers Hello! The previous record did not last long, apparently. If you don't mind, which connection protocol, cipher and port did you pick? Kind regards
  • Create New...