Staff

A report dated September 2015 shows that it is not possible to use OpenVPN in UDP mode. Possible interference/disruption. Solution: connect in TCP.

Hello! We're very glad to inform you that a new 100 Mbit/s server located in Ukraine is available: Procyon. The AirVPN client will show automatically the new server, while if you use the OpenVPN client you can generate all the files to access it through our configuration/certificates/key generator (menu "Client Area"->"Config generator"). The server accepts connections on ports 53, 80, 443, 2018 UDP and TCP. Just like every other Air server, Procyon supports OpenVPN over SSL and OpenVPN over SSH. As usual no traffic limits, no logs, no discrimination on protocols and hardened security against various attacks with separate entry and exit-IP addresses. Do not hesitate to contact us for any information or issue. Kind regards and datalove AirVPN Team

Hello, just an idea: please check the OpenVPN socket buffers sizes in the router (you can see how they are set for example in the OpenVPN logs). When you run the client, it tells OpenVPN to set buffers of 128 kB. Buffers smaller than 64 kB may slow down performance significantly when required throughput exceeds 20 Mbit/s. The directives for OpenVPN are (respectively for the send and the receive buffer): sndbuf n rcvbuf n where n is in bytes (so set them to 131072 to have 128 kB buffers). Kind regards

Hello, the performance looks bad even without VPN. By the way do not trust our speed test (or any other speed test) and make sure to test different servers in different countries. How are the OpenVPN socket buffers sizes set? Kind regards

Hello, not reproducible on any testing machine. Never reported by thousands of customers using Eddie with Windows every day. It must be something extremely peculiar and specific to your system. Can you provide complete details of your system setup (including any antivirus, firewall and packet filtering/inspection tool installed) and exact steps to reproduce the issue? Kind regards

Hello, BBC geoblock our UK server "Carinae". We have inserted Carinae to Geolocation routing and now don't redirect to bbc.com. Kind regards

@bobber6 We do not comment on laws that our lawyers have not read in their entirety and we won't comment on draft laws because they can be modified hundreds of times or dropped. We know of similar laws that are already enforced in various Western countries, for example France and USA, where intelligence personnel can wiretap a private citizen without a mandate from a magistrate or judicial overview, or where mass surveillance is routinely performed by competent agencies (think about NSA). We usually find EDRi comments and articles enlightening so we re-direct you there for analysis of such laws. This is a page you should be interested in: https://edri.org/theme/security-surveillance We already wrote years ago about how to defeat a particularly powerful adversary under specific conditions (for example that your system is not compromised) so we will not comment again on that. It's bad that you spend time to write here without having searched our forums. Here it is, for your comfort: https://airvpn.org/topic/54-using-airvpn-over-tor/?p=1745 About other parts of the laws we cited, we remind you once again that it's not our competence and it's not the purpose of our service to protect your system against malware, including spyware installed surreptitiously by intelligence or other entities. When a system is compromised by such spyware, usage of a VPN, Tor etc. is totally irrelevant. Kind regards

Hello! We're very glad to inform you that a new 1 Gbit/s server located in Paris (FR) is available: Marfic. The AirVPN client will show automatically the new server, while if you use the OpenVPN client you can generate all the files to access them through our configuration/certificates/key generator (menu "Client Area"->"Config generator"). The server accept connections on ports 53, 80, 443, 2018 UDP and TCP. Just like every other Air server, Marfic supports OpenVPN over SSL and OpenVPN over SSH. As usual no traffic limits, no logs, no discrimination on protocols and hardened security against various attacks with separate entry and exit-IP addresses. Do not hesitate to contact us for any information or issue. Kind regards and datalove AirVPN Team

Hello! We're very glad to inform you that a new 1 Gbit/s server located in Munich (DE) is available: Mesarthim. The AirVPN client will show automatically the new server, while if you use the OpenVPN client you can generate all the files to access them through our configuration/certificates/key generator (menu "Client Area"->"Config generator"). The server accept connections on ports 53, 80, 443, 2018 UDP and TCP. Just like every other Air server, Mesarthim supports OpenVPN over SSL and OpenVPN over SSH. As usual no traffic limits, no logs, no discrimination on protocols and hardened security against various attacks with separate entry and exit-IP addresses. Do not hesitate to contact us for any information or issue. Kind regards and datalove AirVPN Team

Hello, you're right, except of course for the packets from/to your node to/from the VPN server. Kind regards

Hello, where did you get this idea? It is designed specifically NOT to do it, for important reasons (think about headless servers remotely administered). Leaving your system isolated from the Internet while the Air client is not running is your sole responsibility and can be achieved very easily in a few seconds (see how Netwok Lock works to understand how). It would be an enormous design flaw to allow the Air client to do that. The client RAM footprint is minimal and can be loaded in a fraction of seconds. If the client needs two minutes to run, it is certainly some problem in your system. If you mean that it's OpenVPN that needs two minutes to connect, then it's again a problem in your system. Note that the Air client is an OpenVPN wrapper. That's not "corruption" of your network and restoring to a prior savepoint is not necessary. It's an obvious consequence of killing the client without grace, because in such a case you prevent the client to restore your previous firewall and DNS settings. That's a blatant absurdity, see above. Implementing Network Lock through plug-ins which use firewalls is intentional. The good part of it is that it is modular and allows any third-party to support their firewall (Eddie, including the Network Lock plug-ins, is free and open source). The excellent part of it is that it defers packet filtering to already established, peer-reviewed tools developed in decades, instead of starting from scratch with subsequent security problems. For these reasons, writing an own firewall would be a terrible mistake and your recommendations are not only not acceptable, but even a list of "awful things to avoid at all costs in software design". You seem to follow the perverted vision of monolithic applications which try to do anything by themselves, which is a vision that, when implemented (it had some crazy followers some years ago, actually, and someone is still convinced of the goodness in it), has brought to catastrophic consequences. Or perhaps your post has been influenced by major problems in your system, so feel free to open a ticket to try to investigate on them. Kind regards

The problem arises in very rare cases, when no NAT device is present, for example when you connect an ethernet port from your cable modem to your LAN adapter directly, and your ISP assings you public IPs by defailt. In this case, your reported WebRTC IP would be not internal, but external, potentially exposing your original IP address. But this setup is very rare these days, most people have Wi-Fi's, which automatically implies usage of a router with NAT mechanism. Nissemus is right, the external, public IP address is immediately found even if you're behind a NAT. The application binds to the physical interface which sends packets outside the tunnel to the router which routes them in the usual ISP route. The receiver that asked for STUN service will receive packets coming from the customer real IP address. Network Lock will of course prevent this, as you know, just like it drops any other packet out of the tunnel coming (for example) from processes binding to the physical interface. As a side note, see also how STUN is able to traverse NAT: https://webrtchacks.com/stun-helps-webrtc-traverse-nats/ Kind regards

Hello! Can you please upgrade to Eddie 2.10.3? There are some issues between Eddie 2.9.2 and Yosemite. Although these issues seem unrelated to your problem, it's worth to upgrade and perform a test anyway. Changelog available here: https://airvpn.org/services/changelog.php?software=client&format=html Kind regards

Hello! Possible explanation (without logs, only speculation is possible): if DNS in OS X are set manually, Tunnelblick does not accept the DNS push from the VPN server. As a result, you might still be using your ISP DNS, which are poisoned according to your description. Our free and open source client Eddie has a much more advanced DNS handling, can you please test it and report back at your convenience? Eddie for OS X is available in the usual OS X page https://airvpn.org/macosx The fact that you see in the central bottom box "Not connected" when you browse to airvpn.org, though, is a symptom of a much deeper problem: the traffic might be not tunneled at all. Again, our client Eddie performs various checks to warn you if there are problems with tunneling, and also features a "Network Lock" option which will prevent any leak. Kind regards

That's not a problem with the Privacy Notice... that article deliberately reported false data for reasons that are not worth the time to be investigated, and not only about us (you can easily cross-check other false claims in that table). Note also how the table is a picture, to avoid indexing by search engines. Kind regards

Hello, www.national-lottery.co.uk for now it's works from "Dabih" UK Server. Kind regards

Hello, which IP address does your system resolve "airvpn.org" into? Both in and out of the VPN. You also say that the same happens in the VPN while the system uses the VPN DNS. This makes us suspect that your hosts file (which takes precedence over DNS, in names resolution) might include a wrong resolution for airvpn.org Can you also publish the client logs? Kind regards

Hello, we have inserted www.national-lottery.co.uk in our micro-routing system. Can you try again and confirm that it works now ? Kind regards

Hello, we have identified the problem. Can you try again and confirm that it works now from Canadian servers ? Kind regards

That's not what we reproduce. Is IPv6 disabled? Kind regards

Please enable Network Lock and test again. Kind regards

Hello! We're very glad to announce that we support the TorProject Open Observatory of Network Interference: https://ooni.torproject.org Our support includes, since July 2015 up to June 2016, monetary funding to aid project financial sustainability. See also https://airvpn.org/mission Furthermore, we are sponsoring an important OONI event, Adina15 hackathon, which will be held in Rome on October the 1st and 2nd, 2015. https://ooni.torproject.org/event/adina15 We'll be gladly providing all the awards and prizes to participants and winners of the Adina15 event. Members of the AirVPN team will attend the event. EDIT 27-SEP-15 - Only today it has been announced that the Adina15 hackathon event has been postponed to unknown date. https://lists.torproject.org/pipermail/ooni-dev/2015-September/000340.html This decision is obviously outside our control (we sponsor the event, we have no role in its organization) and we regret it very much. Kind regards and datalove AirVPN Staff

That's very risky. You have two programs with the same privileges competing to modify the kernel or OS packets filtering tables at the same time. In general you must never run two firewalls simultaneously (that's true for any system, not only Windows). Kind regards

A refreshed guide is available here: Prerequisite Install DD-WRT on router go to https://www.dd-wrt.com/ Select "router database", then enter you router model number. Follow the instructions as described and install the DD-WRT *vpn*.bin. Steps Create configuration files from our Config Generator. Select the server location and port you want to connect to, tick "Advanced Mode", tick "Separate certs/keys from .ovpn file", then generate and download the configuration files. Under the router "setup tab" locate your router's local IP address. Go to Specs page of AirVPN website and locate Air VPN DNS for the server you want to connect to, and enter it under Static DNS 1. Navigate to the "Services" tab then select the "VPN" tab. Select "Enable" under OpenVPN Client. Set the Server IP/Name and Port to the Air VPN server you selected (see here to determine VPN server entry-IP address: https://airvpn.org/topic/14378-how-can-i-get-vpn-servers-entry-ip-addresses ). Set Tunnel Device to "TUN" Set Tunnel Protocol to either "UDP" or "TCP" according to the Air VPN server you selected Set Encryption Cipher to " AES-256" Set Hash Algorithm to "SHA1" Put a check mark beside "nsCertType verification" Select "Enable" Advanced Options Select "Enable" LZO Compression Select "Enable" NAT Set Local IP Address to the router's local IP address found earlier. Set TLS Cipher to "TLS-DHE-RSA-WITH-AES-256-GCM-SHA384" or "None" Unzip the AirVPN configuration file you downloaded. Using your favorite text editor - Open up "ca.crt" and copy all of the contents into the CA Cert window. - Open up "user.crt" and copy only and including "----- BEGIN CERTIFICATE----- to the end of ----- END CERTIFICATE----- " into Public Client Cert. - Open up "user.key" and copy all of the contents into Private Client Key. - Open up "ta.key" and copy all of the contents into TLS Auth Key Select "Save" at the bottom of the page then "Apply Setting" Select "Save" at the bottom of the page then "Apply Setting" DD-WRT firewall rules Go to "Administration" tab then select the "Commands" tab. Copy the following firewall rules into the command window (IMPORTANT: check your tun interface name and set it accordingly - some firmware builds will have tun1 and not tun0) iptables -I FORWARD -i br0 -o tun0 -j ACCEPT iptables -I FORWARD -i tun0 -o br0 -j ACCEPT iptables -I INPUT -i tun0 -j REJECT iptables -t nat -A POSTROUTING -o tun0 -j MASQUERADE Click on "Save Firewall" Verification of VPN setup Go to https://airvpn.org and at the bottom of the screen it should show you are connected. Trouble Shooting If you're not shown as connected wait a minute then refresh the web (it could take a minute to make a connection with the VPN and log in). Go to DD-WRT configuration and navigate to the "Services" tab, then "VPN" tab. Once there go to the bottom of the page and click on "Apply Settings". Once completed wait a minute and verify your connection again. If you're still not connected verify the server status you're trying to connect to. Go to Air VPN website and log in, then navigate to "Support" and select "Server Status". If server is down reconfigure DD-WRT to connect to another server. If you are still have difficulties connecting, view the OpenVPN log file in DD-WRT. You can find the log by going to DD-WRT configuration and navigating to the "Status" tab and selecting "OpenVpn". Hopefully the log will give you some indication of why you can not connect. Still having issues Contact Air VPN support, they are quick at responding back to you and very knowledgeable. Another option is to ask on the Air VPN forums.

About Tomato Firmware Tomato is a small, lean and simple replacement firmware for Linksys' WRT54G/GL/GS, Buffalo WHR-G54S/WHR-HP-G54 and other Broadcom-based routers. Official website: http://www.polarcloud.com/tomato. PrerequisiteMake sure you triple-check that your version of Tomato supports OpenVPN or you'll be sorry. I strongly recommend Toastman's build of Tomato because of its widespread feature support and stability. StepsUnder Basic->Network, configure your 3 static DNS servers. If you wish to use the AirVPN DNS set 10.4.0.1 as first DNS IP address. The Air DNS will enable you to access internal Air services, geo-routing services and bypass ICE/ICANN USA censorship (more information here). About the others, I recommend picking ones from the OpenNIC Project because many of the servers don't keep any logs, which is consistent with the Air service, plus they would allow your internet service to continue functioning in the event of a government-ordered root DNS server shutdown- https://servers.opennic.org/Under Basic->Time, make sure that the correct time zone and server is configured.Download the OpenVPN (.ovpn) file of your choosing under "Client Area -> Config Generator" after you log in the AirVPN site. In the Configuration Generator make sure to tick "Advanced Mode" and "Separate certs/keys from .ovpn files". In order to determine the IP address of the server you wish to connect to, please resolve "servername.airservers.org". For example, for Acrux resolve "acrux.airservers.org". Find the server names by looking at Status page.For the actual configuration, please see the following two screenshots of the Basic and Advanced OpenVPN Client Configuration: Under Basic, sub in your own correct protocol, IP and port in place of what I have in my own config. In the Advanced Custom Configuration text box, the options are as follows: resolv-retry infinite remote-cert-tls server comp-lzo verb 3 Under Keys, you'll need to again text edit your user.key, user.crt, ca.crt and ta.key files, copy the matching keys and certificates and paste them into the text boxes in your router config. - ta.key is the Static Key - ca.crt is the Certificate Authority certificate (in some older builds, "Server certificate") - user.crt is the Client Certificate - user.key is the Client KeyAbout certificates files (user.crt and ca.crt) content, just copy and paste from "-----BEGIN CERTIFICATE-----" (included) up to "-----END CERTIFICATE-----" (included).Save all settings.Under Status, click Start Now and count for 30 seconds. Go to https://airvpn.org and at the bottom of the screen it should show you are connected or visit https://ipleak.net for check. Tested withToastman's build of Tomato [v1.28.7500 MIPSR2Toastman-RT K26 VPN] on Asus RT-N16 router.Tomato-ND-1.28.7633-Toastman-IPT-ND-SmallVPN on Buffalo WHR-G54S Feedback For any comment or feedback, you can find the discussion here. Thanks to Baraka for this article.