Staff

Hello! Here the problem looks different, please see here to resolve this issue and test again: https://airvpn.org/forums/topic/58289-openvpn-certificate-has-expired/?do=findComment&comment=231319 Kind regards

@spacewarper Hello! Currently you have no forwarded ports in your port panel so we can't perform any preliminary test. When you have forwarded a port please update the thread, or feel free to open a ticket. Kind regards

What exactly is this feature? I couldn't find it anywhere in AirVPN server tab. Tapping any server will connect to said server.  Hello! In the previous 3.0 version you had to confirm the connection each time (after you tapped a server or selected "Connect" for some specific area following a long tap) on a dialog box. In 3.1, by default you don't have to confirm anymore. It is a community driven change. You can re-enable the confirmation dialog from the Settings. Kind regards

Hello! Some customers have contacted the support team asking for a comment on the port shadow attack described in CVE-2021-3773 and brought into the spotlight for the umpteenth time during the Privacy Enhancing Technologies Symposium 2024: https://citizenlab.ca/2024/07/vulnerabilities-in-vpns-paper-presented-at-the-privacy-enhancing-technologies-symposium-2024/ To explain why, unlike many other VPN services, AirVPN is not vulnerable to various attacks under the generic port shadow umbrella, please download the new paper and read below while watching table 2 on page 121: in our infrastructure public entry-IP addresses and public exit-IP addresses are not the same (M6). This is an absolute protection against ATIP, connection inference, and port forwarding overwrite and also makes port scan impossible (another reason for which port scan is impossible is given by additional isolation, see the end of the message) per-host connection limit is enforced (M3) making eviction re-route extremely difficult if not impossible static private IP address is implemented (M2) with WireGuard (it can be changed by explicit key renewal user's action) and highly likely with OpenVPN as long as the user connects to the same server with the same key, another (redundant) protection against port scan In our infrastructure additional protections are in place. We prefer not to disclose them all at the moment, we will just mention the block of any communication between nodes in the same virtual network either through private or public addresses. That's why, unlike any corporate VPN with shared resources, you can't contact any service inside the VPN (except the DNS), not even your own, from a machine connected to the same VPN in our infrastructure. Decapsulation as described on the paper is doomed to fail for this isolation/compartmentalization and this is also another reason for which port scans are not possible. TL;DR AirVPN infrastructure, according to the current state of the art in remediation and mitigation by security researchers as well as paper authors, is not vulnerable to the attacks described under the port shadow umbrella in this new paper. Kind regards & datalove AirVPN Staff

EDIT: Eddie 3.1.0 stable version has been released! Please move to this topic for any comment: https://airvpn.org/forums/topic/62769-eddie-android-edition-310-available/ Hello! Eddie Android edition is a fully integrated with AirVPN, free and open source WireGuard and OpenVPN GUI client. It is based on official WireGuard library and latest OpenVPN3-AirVPN library (free and open source software library by AirVPN), allowing comfortable connections to both OpenVPN and WireGuard servers. All Android versions from 5.1 to 14 are supported. We're very glad to inform you that Eddie Android edition 3.1 beta is now available, featuring a complete update of all libraries, enhanced TV support, a new quick setting panel tile, revamped VPN profile generation, connection control buttons on notification, specific Android 14 support, GPS spoofing (default: off) and much more. Special notes on the new GPS spoofing feature: if enabled, the location of the device will be set to a fake GPS position upon a successful VPN connection. When connecting to an AirVPN server, the location will be set to the country where the VPN server is located, through predefined coordinates. If the device connects to a non-AirVPN server, random country coordinates will be selected. To test and use this new feature, please set Eddie as the "mock location app" for your device in the developer settings page (only one app at a time can be the mock provider). Once enabled, you can also set the GPS spoofing refresh interval between 10, 5, 3, 1, 0.5 and 0.25 seconds (default: 1 second). The options are available in the Settings > System view. To those who will decide testing: thank you so much! Remember to uninstall any previous Eddie version before side loading the new Eddie 3.1 beta version. Please report at your convenience any bug and problem in this thread. If possible generate a report from the app: by tapping the paper plane icon on the Log view bar rightmost side you will generate a full system report which will include both log and logcat and have it sent to our servers. Then you just need to send us the link the app shows you (open a ticket if you prefer to do it in private). Please remember that Android TV has been stripped of the Always On VPN feature to prevent users from connecting to a VPN during an Android TV based system bootstrap. Therefore Eddie start & connection at bootstrap, as well as system built in leaks prevention, are not possible on Android TV 10 and higher versions. For leaks prevention you can rely on Eddie's "VPN Lock" feature. Android TV 9 and older versions can still start Eddie during the bootstrap and have it connected when you activate Always on VPN and configure Eddie accordingly. Eddie 3.1 new features list Eddie Android 3.1.0 beta 1 (VC 31) Added support to Android 14 Updated to OpenVPN3 3.11 AirVPN (20240719) Updated to OpenSSL 3.3.1 Updated to WireGuard 2e0774f Updated to the latest AirVPN Suite specifications and functions Added quick setting panel tile for quick connection and disconnection Improved VPN profiles generation Auto AirVPN user login at startup Server score sort in AirVPN Server tab Show and log connection statistics at disconnection Added permission checking at startup according to user's settings Added optional "quick tap" connection to AirVPN server tab WireGuard handshaking timeout manager can be enabled or disabled by user Added connection control buttons to notification Improved Android TV D-Pad navigation, notably left and right arrow for opening and closing the menu drawer Bug fixes and improvements Eddie Android 3.1.0 beta 2 (VC 31) Updated to the latest OpenVPN3-AirVPN library fork Added Manifest's [AirVPN document served by bootstrap servers to provide clients with several pieces of information] preset connection modes. Select them in the Preferences > AirVPN view. Optional GPS Spoofing (requires system's developer options to be enabled) Revised connection dialog management Beta 1 bugs/inconsistencies fix Download link https://eddie.website/repository/Android/3.1.0-Beta2/EddieAndroid-3.1.0-Beta2.apk SHA-256 checksum 42244e6cbedb402f3dde8b60bbd2c2f4d617463e32638ab1fc4743364b4458d7 *EddieAndroid-3.1.0-Beta2.apk How to sideload Eddie Android edition on Android TV and FireOS devices https://airvpn.org/android/eddie/apk/tv Kind regards & datalove AirVPN Staff

@Innovathorr Hello! Something is blocking access to bootstrap servers (servers which are essential to download VPN server information as well as your client certificates and keys). Please follow the instructions you have received and/or publish a system report, see here: https://airvpn.org/forums/topic/50663-youve-been-asked-for-a-support-filesystem-report-–-heres-what-to-do/ The system report may show the reason of the failed access to the bootstrap servers. Kind regards

@hcReJhTCzLS5c5U Hello! When Firefox starts, it usually generates a lot of traffic. It contacts Mozilla Servers to check for updates, download new features, add-on servers to download and install new extensions, themes, and plugins, DNS servers on its own, SSL/TLS certificate authorities, gelocation services to determine the user’s location and provide location-based services and crash reporting services. If the Firefox traffic goes outside the VPN tunnel for any reason (check Firefox Internet connection configuration) it will be blocked by Network Lock and Firefox main window pop-up will be delayed severely. Furthermore, a potential new issue is ongoing, which is typical in Fedora and many other distributions "transitioning to" nftables by maintaining iptables syntax backward compatibility with translations and all that jazz (yet another evidence of lack of adequate design skills and vision typical in some Linux environments). libvirt adds rules via iptables-nft with xtables commands and nft can't process correctly anymore the ruleset. Eddie uses nft whenever it finds it, by default, so if you use libvirt for any purpose (from QEMU to VirtualBox and more), a big rule set mess can arise whenever a program runs nft. The issue has been at the moment tackled and resolved in the AirVPN Suite 2.0.0 beta 1 which goes back to launch iptables-nftables when available (even when nft is available) to avoid the mess. On Eddie, please modify the "Preferences" > "Network Lock" > "Mode" combo box into iptables-legacy and the problem should be resolved. This problem could be resoved by Eddie 2.24 beta, please test it: https://airvpn.org/forums/topic/57401-eddie-desktop-224-beta-released/ Kind regards

@roranicus Hello! Is it stuck indefinitely? If so try this: delete any file in ~/.config/eddie/ while Eddie is NOT running (from a terminal enter the command "rm ~/.config/eddie/*" without quotes) uninstall Eddie 2.21.8 upgrade to Eddie 2.24 beta version: https://airvpn.org/forums/topic/57401-eddie-desktop-224-beta-released/ test again Kind regards

@Zoloft Hello! A likely explanation is that the torrent software binds to all interfaces AND Network Lock (a feature available in all AirVPN software which prevents any traffic leak outside the VPN tunnel) is disabled. By enabling Network Lock the problem must be resolved. By binding the torrent software (if a bind option is available) to the VPN interface you add another layer of security which may come useful if you don't run AirVPN software. Kind regards

Hello! Quite the contrary, previous problems seem resolved. Please note that you have a different problem now. Now you're using a DCO adapter and driver with an OpenVPN version not supporting DCO. Same solution as before, tell Eddie to use its own interface in "Preferences" > "Networking" or switch to WireGuard in "Preferences" > "Protocols" window. Kind regards

Hello! Yes, correct. Against any momentary lapse of reason you can also consider to check "Preferences" > "General" > "Activate Network Lock at startup". With that option enabled, Network Lock will be enforced as soon as Eddie is started, and will be lifted only when you shut down Eddie or explicitly disable Network Lock. Kind regards

Hello! For Eddie, now the default system DNS setting is 10.128.0.1 (which in reality is the VPN DNS), probably due to some previous error. So when Eddie is shut down it restores 10.128.0.1 on all interfaces and resolv.conf. While Eddie is NOT running, you may consider to delete Eddie's backup files or even the configuration file if the problem persists. They are stored in ~/.config/eddie (~ is the home directory of the user running Eddie). Kind regards

Hello! A certificate has expired. Likely solution described here: https://airvpn.org/forums/topic/58289-openvpn-certificate-has-expired/?tab=comments#comment-231319 Kind regards

Hello! Unsure whether it can help, but anyway: you don't bind a program to Eddie for networking purposes. You bind a program to a network interface. Specifically you can bind qBittorrent to the network interface brought up by OpenVPN or WireGuard (some utun) and therefore you must make sure that you start qBittorrent after the VPN connection has been successfully established, then you find the correct interface name, and finally you bind qBittorrent to that interface (then re-start qBittorrent if necessary). If in doubt just don't bind to a specific interface, and activate Network Lock in Eddie, so you're protected against traffic leaks outside the VPN tunnel. Also make sure that qBittorrent does not bind to some network interface specific IP address because it can change from connection to connection. Kind regards

@TobyWan Hello! Two problems to solve: The Express VPN interface can cause a critical error, please see here for a quick resolution: https://airvpn.org/forums/topic/56643-stuck-in-a-broken-route-never-connects/?do=findComment&comment=225323 The failed authorization is most probably caused by your recent key replacements. Try to log your account out and in again from Eddie's main window please. Kind regards

@2mD Hello! UDP seems blocked: You need to search for any possible filter against UDP or more generic filter. Assuming that the ISP is the same, the block could be self-inflicted. As you changed only the router, first check the various Speedport Pro filters. This router offers a very wide variety of filters, including filters on protocols and destination ports. Kind regards

Hello! The previous problem is resolved. When the connection attempt fails your network is unreachable according to OpenVPN: . 2024.07.01 15:57:48 - OpenVPN > write UDP: Network is unreachable (code=51) . 2024.07.01 15:57:48 - OpenVPN > Network unreachable, restarting The error message hints at various options: your network is down your physical interface is down the network is up but UDP is blocked directly in the machine (check firewall etc.) Please test a connection over WireGuard to see whether WireGuard can't reach the network too. Switch to WireGuard in Preferences > Protocols window (uncheck Automatic, select any WireGuard line and click Save). Kind regards

Hello! Most servers, but not all, in the Toronto datacenter suffer of a 20-30% persistent packet loss on IPv6, therefore the system sets them in "yellow" status with the "Low packet loss" message. If you don't need IPv6 you can anyway force a connection to them as IPv4 works just fine. We are being assisted by the datacenter technicians to understand the cause of the problem. Kind regards

@gamuza Hello! You have forced Eddie to connect using IPv6, but either your network, router or ISP doesn't support IPv6. Please switch back to IPv4: in the Preferences > Networking window, change the Internet Protocol used for connection combo box to "IPv4, IPv6" (the default setting), click Save and test connections again. If your system supports IPv6, our VPN servers will allow you to use IPv6 over IPv4 even if your router and/or ISP do not support IPv6. Kind regards

Hello! We're sorry to inform you that Altais (Kiev, Ukraine) has been canceled by the service provider due to our refusal to provide 100% warranty that non-permitted activities will ever take place on the server, which is of course an impossible commitment not only for VPN but for any ISP providing private citizens with any online service in general. We're also sorry to inform you that we have no plans at the moment to rent new servers in Kiev or anywhere else in Ukraine because of various factors, among which the behavior of local police (remember in the past the request for bribes masked as fines to unlock servers) and the unreliability of local datacenter managers, which seem to be used to cancel services without notification and without refunds. Over the past decade, the behavior of Ukrainian datacenters and local authorities has brought nothing but inconvenience to our customers, so it is time to (at least temporarily) suspend operations there. Kind regards AirVPN Staff

Hello! Can you please send us a system report generated by Eddie after a connection attempt has failed? Please see here: https://airvpn.org/forums/topic/50663-youve-been-asked-for-a-support-filesystem-report-–-heres-what-to-do/ Kind regards

@Shotmaker Hello! The route check must necessarily take place after the connection has been already established successfully, because it is a check to make sure that the traffic goes through the VPN tunnel. Your traffic did not leak and you have no reason to worry. You are protected against traffic leaks both by Network Lock and by the network interface binding you describe. No leaks can occur. You have the impression that torrents did not stop immediately after a VPN disconnection just because the counters have a progressive modification in qBittorrent (as well as in many other torrent clients). Kind regards

Hello! We're sorry, AirVPN DDNS does not support SRV records. You may find SRV supported in third party DDNS, such as no-ip with the Pro DNS plan. Kind regards

@gamuza Hello! Can you tell us your Operating System name and version as well as the name and version of the program you run to connect to AirVPN servers? Kind regards

@gxxxx Hello! Please test WireGuard (in place of OpenVPN) and also compare your torrent software settings with the following guide: https://airvpn.org/faq/p2p You can find the instructions to run and configure WireGuard on compatible systems here: https://airvpn.org/download or you can run one of our native programs supporting WIreGuard, if available for your system. Kind regards