Posts posted by Staff


  1. @Sister123

    Hello!

    To verify whether it's some block against UDP or not, could you please test a connection over WireGuard and check whether it goes through successfully? To switch to WireGuard:
    • from Eddie's main window please select "Preferences" > "Protocols"
    • uncheck "Automatic"
    • select any line with WireGuard, for example WireGuard port 51820. The line will be highlighted
    • click "Save" and test connections to various servers again

    Kind regards
     

  2. @JackParsons

    Hello!

    Eddie 2.13.6 should run on your system. To download it, on the Linux download page please select "Other versions", click "2.13.6" and the download page will point to that version. Before installing Eddie 2.13.6 please make sure to delete the configuration file (default.xml in older Eddie versions, default.profile in newer versions) to avoid incompatibilities of the configuration file due to a downgrade.

    If even Eddie 2.13.6 can't run on your system, then you could prepare a configuration file compatible with your OpenVPN 2.3.2:
    • in the Configuration Generator turn the "Advanced" switch on
    • set the "OpenVPN profile" combo box to "2.4"
    • select a connection with OpenVPN to entry-IP address ONE (this is essential to avoid tls-crypt, unsupported by 2.3)
    • download and use the configuration file as usual
    Please consider upgrading your system anyway for security reasons.

    Kind regards

     

  3. 4 minutes ago, John2 said:

    The issue I'm still unclear with is, why is the 2014 ca.crt still a problem? Using the OpenVPN Utility, I 'Remove all downloaded VPN provider files' and 'Delete user key, password and cert files'. I then create new config files (using your Generator), then run the OpenVPN 'wizard'. Is the 2014 ca.crt not deleted and OpenVPN re-uses it? Or is it embedded in the Config Generator ovpn files?


    Hello!

    The Configuration Generator is (and was) able to generate either separate files or configuration files embedded with certificates and keys, according to your selection. Therefore it is possible that you have a configuration file embedded with the certificate causing the problem. However, from your previous message, it is also visible that you had an expired ca.crt in ~/Downloads/AirVPN.

    Kind regards
     

  4. 2 hours ago, John2 said:

    1. OpenVPN wants a ta.key (presumably to go with the ca.crt?) at service.vpn.manager/Downloads/AirVPN
    But 'Advanced' Config Generator doesn't seem to generate that file, instead it generates tls-crypt.key (not sure here??)


    Hello!

    Please enable "Advanced" mode in the Configuration Generator, pick a connection mode with entry-IP address 1 (one) and check "Split certs/keys from ovpn file". When you generate the configuration you will obtain a ta.key.
     
    The reason is that the obsolete TLS Auth mode and the new TLS Crypt mode are mutually incompatible. In order to keep compatibility with old OpenVPN versions we need to differentiate OpenVPN daemons working on TLS Crypt from those working on TLS Auth. In general, OpenVPN responding on VPN servers' entry-IP addresses 1 and 2 supports TLS Auth, while OpenVPN on entry-IP addresses 3 and 4 supports TLS Crypt.

    More details on the technical specifications page https://airvpn.org/specs
     
    2 hours ago, John2 said:

    2. Switching to WireGuard looks to be a better solution long term, but (unless anyone can point to easy install on Raspberry Pi OSMC??) that also looks like a rabbit hole!


    OSMC is a Linux distribution based on Debian and Kodi so installing WireGuard should be a matter of seconds, if it is available in the repos. Since OSMC moved to Bullseye in 2022, you could have WireGuard ready. Try to install it and check.
    sudo apt install wireguard-tools
    sudo apt install openresolv
    If the installation is successful you can follow the instructions for Linux to set up WireGuard in a minute or so. Let us know.

     
    2 hours ago, John2 said:

    While v much respecting AirVPN staff, the problem looks to be that regular Config Gen is including a now out-of-date ca.crt fil


    Of course not! ca.crt was renewed in 2021 with expiration date 2121. Your ca.crt, emitted in 2014 with expiration date 2024, was downloaded before the 2021 renewal. The Configuration Generator has never served an expired certificate.

    Kind regards
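
The entry-IP rule from the reply above (1 and 2 answer TLS Auth, 3 and 4 answer TLS Crypt) and the embedded-versus-split certificate question from the preceding reply can be checked on a profile before connecting. The Python code below is an added example, not part of the original posts and not AirVPN or Eddie code; `audit_profile`, the sample profiles and the 192.0.2.x addresses are constructed for illustration, and the caller supplies the entry-IP number because it cannot be derived from the address alone.

```python
import re

# Rule from the post: entry-IP 1 and 2 answer TLS Auth, 3 and 4 TLS Crypt.
EXPECTED_MODE = {1: "tls-auth", 2: "tls-auth", 3: "tls-crypt", 4: "tls-crypt"}
INLINE_BLOCK = re.compile(r"^<([\w-]+)>\s*$(.*?)^</\1>\s*$", re.M | re.S)

# Constructed sample profiles; certificate and key bodies are placeholders.
SPLIT_PROFILE = """client
remote 192.0.2.10 443
ca ca.crt
tls-auth ta.key 1
"""
EMBEDDED_PROFILE = """client
remote 192.0.2.30 443
<ca>
(placeholder certificate)
</ca>
<tls-crypt>
(placeholder key)
</tls-crypt>
"""


def audit_profile(text, entry_ip):
    """Return (summary, problems); entry_ip (1-4) is supplied by the caller."""
    inline = {m.group(1) for m in INLINE_BLOCK.finditer(text)}
    directives = {}
    for line in INLINE_BLOCK.sub("", text).splitlines():
        line = line.strip()
        if line and line[0] not in "#;":          # skip blanks and comments
            name, _, arg = line.partition(" ")
            directives.setdefault(name, arg.strip())

    def source(key):
        # Embedded in the profile, referenced as a separate file, or absent.
        if key in inline:
            return "inline"
        arg = directives.get(key)
        return None if arg is None else "file:" + arg.partition(" ")[0]

    modes = [m for m in ("tls-auth", "tls-crypt") if source(m)]
    summary = {"ca": source("ca"), "control_channel": modes}
    problems = []
    if len(modes) > 1:
        problems.append("tls-auth and tls-crypt are mutually incompatible")
    want = EXPECTED_MODE[entry_ip]
    if modes != [want]:
        problems.append(f"entry-IP {entry_ip} expects {want}, found {modes or 'none'}")
    return summary, problems
```

A `ca` value of `inline` means replacing ca.crt on disk will not change the certificate that profile uses; a `file:` value names the file to inspect for an old certificate.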
     

  5. @alanm

    Hello!

    The problem seems related to TLS Crypt authentication (you connect to an entry-IP address three). You should re-check that you have the correct TLS Crypt key and configuration:
    • TLS Configuration = Use a TLS Key (checked)
    • Automatically generate a TLS Key (unchecked)
    • TLS Key = Paste contents of the tls-crypt.key downloaded here
    • TLS Key Usage Mode = TLS Encryption and Authentication
    • TLS keydir = use default direction
    or you can go back to TLS Auth, with the ta.key and entry-IP address 1.

    More generally, you're running an indeed obsolete OpenVPN version; please consider upgrading, or even switching to WireGuard if you like.

    @juniormaxx
    Quote

    are there any updated instructions on how to set up pfsense with airvpn?


    This great guide is very good for pfSense versions running OpenVPN 2.5 and OpenVPN 2.6 with DCO disabled. https://nguvu.org/pfsense/pfsense-baseline-setup/

    Kind regards
     

  6. 1 hour ago, John2 said:

    Does that mean that you are providing an out of date cert?


    Hello!

    No. ca.crt emitted in 2021 expires in 2121. You have installed a ca.crt downloaded before 2021: up to the renewal in 2021, ca.crt emitted in 2014 expired in 2024, as you have seen.
     
    1 hour ago, John2 said:

    Can provide more data as needed - thought the problem looks obvious now?? But how to rectify??


    Two options:
    1. Please generate a new configuration file in the Configuration Generator with the "Advanced" mode enabled and the "Split certs/keys from ovpn files" checked. Download the generated ca.crt certificate and replace, with it, the old one.
    2. Alternatively, switch to WireGuard.
    Kind regards
     

  7. Hello!

    We're not 100% sure, but the "Compression" combo box set to "LZO" could create a problem with "comp-lzo no" directive. Which options do you have available in the "Compression" combo box? If available, please try with "Adaptive" and do not touch "comp-lzo no".
    Also check "Verify server certificate".

    198.54.134.254 is an entry-IP address #3 where OpenVPN accepts TLS Crypt only. Please double-check that you have (in the proper static key field) pasted the TLS Crypt key (tls-crypt.key). Last but not least, which options do you have in "TLS Control channel security" combo box?

    Kind regards

     


  8. Hello!

    No maintenance is ongoing on the CZ servers but the anomalous throughput you noticed is real. Sudden bandwidth choking has been recorded since 1 PM UTC (Apr 10 2024). No flood and no packet loss is ongoing. If the problem does not get solved within 6 hours we will contact the datacenter technicians for support. Please connect to servers outside CZ in the meantime, when you need maximum performance.

    Kind regards
     


  9. 50 minutes ago, John2 said:

    user.key and user.crt at service.vpn.manager/AirVPN are new files (i.e. re date/time).


    Hello!

    Please check ca.crt. From the couple of log lines you sent us we may speculate that you still have an old ca.crt. It's strange because in February 2022 ca.crt was already the new one with expiration in 2121, so we might be missing something here. Is everything fine with Eddie (do not run OpenVPN at all)? Can we see the complete OpenVPN log and can you tell us your exact Operating System name and version?

    Kind regards


     

  10. 26 minutes ago, eltznth said:
    4 hours ago, sdjh4dfgez7 said:

    Hello,
    thanks. Now it works again.

    But the How-to post "Using AirVPN with Tomato" does not work anymore with the settings shown there. Can you please update it?
    Thanks and br

    Would you mind sharing your config? It seems we have the same or similar problem. Also useful for the How-to post.

    You can see it in the initial post. The corrections required are listed in our reply (the message set as "best answer" by the OP). If you still experience problems please post your configuration, similarly to what OP did.

    Kind regards
     

  11. 1 hour ago, clevoir said:

    I found that no NTP server had been set up in DD-WRT, once this had been set I was able to gain access OK


    Hello!

    Excellent, we're glad to know that the cause of the problem was found and that the problem is solved.
     
    1 hour ago, clevoir said:

    For the bug where the client is showing connected / disconnected, would you recommend updating DD-WRT to the latest version?


    In the past, that bug was not critical. Anyway, your OpenVPN version is becoming obsolete, therefore an upgrade in the near future, with no time pressure now that everything works, is recommended. Newest versions also support WireGuard, which could give you a remarkable performance boost.

    The DD-WRT settings you posted in another message could be improved to slightly enhance performance with this router that does not support AES-NI. Try to change the "Encryption cipher" and the first "Data cipher" to CHACHA20-POLY1305 (if available) and check whether performance increases or not.

    Kind regards
     

  12. @sdjh4dfgez7

    Hello!

    We see at least one critical error at the moment: the "Compression" combo box must be set to "Adaptive", otherwise your "comp-lzo no" directive (which is correct and must not be deleted) will cause a fatal conflict with the "Disabled" setting. Let us know what happens when "Compression" is set to "Adaptive". Note: if "Adaptive" is not available, set it to "Enabled" (then comp-lzo no will disable it during the negotiation).

    Also, please check "Verify certificate" and change data-ciphers to AES-256-GCM or CHACHA20-POLY1305.

    Kind regards
     

  13. @clevoir

    Hello!

    We see a date/time problem: when OpenVPN starts, the date of the router is still 1970 and it could cause a fatal TLS failure. When the initial packet is received the date seems to be set correctly, but it's unclear whether the previous past date may have already caused a problem, because:
     
    Quote

    19700101 00:00:32 W WARNING: Your certificate is not yet valid!


    Assuming that the problem is not related to date and time, UDP seems blocked, or maybe it's a block against OpenVPN. You're using TLS Auth (correctly to entry-IP address 1) with OpenVPN 2.5. You may change to TLS Crypt and test again (remember to switch to entry-IP address 3 as well). Also switch to TCP if the block persists.

    In the last part of the log a notorious bug is visible (the cycle between disconnections and connections according to management). Usually this is not relevant but if you have the option to upgrade please do it. As you can see, the date and time are again reset to UNIX 0 after the Client management disconnect/connect cycle, and this could be critical. In any case, the fact that the date is suddenly reset makes a firmware upgrade recommended.

    Before upgrading, anyway, please test again but this time make sure to start the connection when the date and time are already set correctly. Please also send a screenshot of all the various settings of the OpenVPN DD-WRT panel.

    Kind regards
     

  14. 23 hours ago, korgen said:

    Laws banning illegal content are NOT censorship


    According to this definition there is no censorship at all anywhere enforced by governments, not in North Korea, not in France, not in China...

    Please note that your definition is pure fantasy, if not insulting. Censorship is exactly suppression of speech, public communication, or other information subversive of the "common good", or against a given narrative, by law or other means of enforcement. The fact that censorship is enforced by law or by a government body does not make it less censorship. Furthermore, historically censorship was an exclusive matter of some central authority (the first well documented case is maybe the censorship rules to preserve the Athenian youth, infringed by Socrates, for which he was put to death, although the etymology comes from the Roman Office of Censor which had the duty to regulate on citizens' moral practices) and today censorship by governments is predominant. Even in modern times censorship through laws has been and is predominant and pervasive according to Britannica and much academic research.

    Then you can discuss ad nauseam whether censorship by law is "right" or "wrong", whether France's censorship is "better" than China's censorship, but you can't change the definition of censorship, otherwise this discussion will become delirious.

    Kind regards
     

  15. @alanm

    Hello!

    The router tries to connect to entry-IP address three, so you'll need tls-crypt.key (if you use ta.key, i.e. the TLS Auth key, the server on entry-IP address three will not respond at all, it will immediately drop the connection). Please verify that you're using the correct key. If it is correct, then you can't reach the server at all. It might be a block against OpenVPN or UDP but please try different servers first.

    Kind regards
     