Staff

Hello! Warning: this document could be updated by the technical staff if necessary. Please consult it again in the near future. After a deeper analysis we would like to inform you about problems, solutions, what we did and what you need to do, in compliance with our transparency policy. The OpenSSL 1.0.1a-->f vulnerability is huge, but several factors in our infrastructure design made the menace a minor threat, without any potentially catastrophic consequence. some of our OpenVPN servers used a vulnerable OpenSSL version. They have been all updated and upgraded between 3 PM and 6 PM 08-Apr-14 CET+1. The non-updated VPN servers running branches of OpenSSL like 0.9.8 were not and are not vulnerable. Assuming that an attacker could steal your user.key on those servers or directly from your system (in case you ran a vulnerable OpenSSL version), the worst damage is that he/she will connect with your account in the future (see below for a solution to this problem). He/she will not be able to decrypt your OpenVPN Data Channel. Various factors help mitigate the problem even on those vulnerable VPN servers: the attacker could not perform an attack through the exit-IP address (he/she should have known the entry-IP) and Perfect Forward Secrecy does not allow the attacker to decrypt your datathe primary frontend (the web site you normally visit) used a vulnerable OpenSSL version which has been upgraded at 3 PM 08-Apr-14 to a non-vulnerable version. All sessions were reset. The vulnerability allowed an attacker to dump a memory portion of the server which could disclose information useful to exploit future access of those users using browsers or web clients not supporting DHE or ECDHE: Internet Explorer 6, Internet Explorer 8, YandexBot 3, or browsers manually forced NOT to use Perfect Forward Secrecy.the backend servers and other vital parts of the infrastructure were not and are not vulnerable, since they were NEVER running a vulnerable OpenSSL versionWhat we have already done: we replaced on every part of the infrastructure the vulnerable OpenSSL versions (if any) with non-vulnerable ones between 3 PM and 6 PM 08-Apr-14 CET+1we changed in advance all administrative accounts passwords (this was not strictly necessary, but it has been performed anyway)we updated the internal SSL certificateswe reset connections of clients connected to VPN servers running OpenSSL vulnerable version and rebooted the server to make sure that no old dynamically linked SSL version was still used by OpenVPNwe performed attacks against our servers, even with the help of independent attackers as peer review, to check that the vulnerability has been resolvedwe have ordered the revocation of the frontend web server previous SSL certificate (this will go into effect in 72 hours according to authority policy)UPDATE 11.15 PM 08-Apr-14 CET+1 we changed the SSL certificate and private key of our frontend serversUPDATE 12.40 AM 09-Apr-14 CET+1 we released a new package for Windows with OpenVPN using non-vulnerable OpenSSLWhat we will additionally do: we're going to add the option to generate new user.key from the client side, with no more need of our manual intervention, just in case someone wishes to use our service for free with your accountUPDATE 1.50 PM 9-Apr-14 CET+1 We are planning a major change in the system with new RSA and DH keys, new certificates and more. The operation is complex and will cause interruptions to the service. You will need to re-download configuration files, certificates and keys, re-configure DD-WRT/Tomato/pfSense etc. so we are planning it with care. A discussion about it is still ongoing and will go on probably for hours, so we can't provide more details. Please stay tuned.UPDATE 11-Apr 14 3 PM CEST IMPORTANT https://airvpn.org/topic/11319-major-system-upgrade/?do=findComment&comment=16533What YOU need to do: change your account password and your API key (if you used our API) and do it as soon as possible especially if you use Internet Explorer 6, Internet Explorer 8 or YandexBot 3 or any other browser that you specifically configured NOT to use TLS with DHE-ECDHE in any way to log in our web site. On this occasion, please consider to drop once and for all Internet Explorer 6 and 8 and prefer browsers supporting PFSchange your user.key when this option will be availableWindows users only download and install new package with OpenVPN using non-vulnerable OpenSSL https://airvpn.org/windows Allow Air client to upgrade OpenVPN version if requiredOS X Tunnelblick users only download and upgrade to new Tunnelblick with non-vulnerable OpenSSL http://code.google.com/p/tunnelblick/wiki/RlsNotesUPDATE 11-Apr 14 3 PM CEST IMPORTANT https://airvpn.org/topic/11319-major-system-upgrade/?do=findComment&comment=16533Kind regards

Hello, the RSA keys are generated with OpenSSL. The TLS keys are exchanged via Diffie-Hellman (DHE, Diffie-Hellman Merkle key Exchange in TLS ephemeral mode to provide Perfect Forward Secrecy, see http://en.wikipedia.org/wiki/Diffie-Hellman_key_exchange about previous question on MITM and how to exchange a shared secret key over an insecure channel). Additionally re-keying occurs every 60 minutes by default (in addition to each new connection of course). Kind regards

Hello! We're sorry, we have no plans to enlarge our infrastructure in Italy. Kind regards

Hello! It's correct that you can't access the Configuration Generator with account "Rottenham" because this account has no subscriptions and is not authorized to access our services (please open a ticket at your earliest convenience if you think this is a mistake and include your payment details). About the other problem, remember that you can run either OpenVPN, OpenVPN GUI or the Air client, but not them simultaneously. If you wish to run the Air client, do not start OpenVPN, not even as a service. Kind regards

Hello! We're sorry, we have no servers in Australia. The service you cite probably allows access only to Australian IP addresses. Kind regards

Hello! It will not, and in any case we will never force to use our own client to connect to our service. The service will remain accessible from any compatible OpenVPN wrapper or from OpenVPN directly. Yes, it will! Kind regards

Hello! Yes, a client for Linux is under active development. We will have some news very soon. The way to send an exit notification is the explicit-exit-notify directive (in UDP mode; in TCP it's not necessary). The only problem is not in Linux, it's in network-manager, which does not pass this directive to OpenVPN. Just run OpenVPN directly. Of course, if the connection freezes (for a line drop, for example) there is no way to send a notification, regardless of the Operating System. We have some ideas about it too to circumvent the problem, we have currently an internal discussion about it. Anyway, the wait time should not exceed 2 minutes, it's strange that you can't connect for more than 2 minutes. Kind regards

Hello, it depends on the definition. We define a "DNS leak" a DNS query sent unencrypted outside the tunnel against the correct system configuration. If a system is explicitly configured to send out an unencrypted DNS query, that's not a DNS leak: the system just does what it is ordered to do. With this definition DNS leaks are possible only in Windows, because it's the only OS that lacks a proper DNS implementation: it lacks the concept of global DNS, every network card must have its own DNS servers. This flaw may cause a chain of events which bring to real DNS leaks through svchost.exe. Kind regards

Sorry. I missed that. I have done this, also without a VM. I accessed AirVPN over a VPN that I get with my seed box. But I have never attempted to document it here. It also needs some subtle OpenVPN configuration tricks. But it may be easier than a VM for someone who has no background with VM-s, or knowledge of Linux, or the ability to install another Windows instance? === Hansito (or anyone else), Let me know if you are interested in this. It would not be simple for a newbie. And explaining it would take some effort. So I want to be sure it is wanted. The result when I did it was not very good for streaming media. Hello! Probably with a VM the whole procedure is easier, considering the "click and go" philosophy of nowadays VirtualBox etc., but your method may have a very high value under a technical and didactic point of view, not to mention its importance in old boxes for which virtualization is problematic. Kind regards

@NaDre @Hansito Apparently, Hansito wishes to tunnel ALL the VPN2 traffic over VPN1, he does not wish to have two independent tunnels. Kind regards

Hello! You must make sure that the VM (either in VirtualBox or VMWare) is attached to the host via NAT. This is vital to tunnel traffic over VPN1 over VPN2 on the VM. After that, just connect the host to a VPN, and then the guest to another one. Kind regards

Hello! We're very glad to announce that our DNS now supports specific OpenNIC and Namecoin names resolutions. You just need to use our VPN DNS 10.4.0.1 and you'll be able to resolve every name available (registered) in OpenNIC and Namecoin. Kind regards & datalove AirVPN Staff

Hello! The Air client for Windows and OpenVPN GUI are both OpenVPN wrappers. You can run the one you like most, but you can't run them both simultaneously. With OpenVPN GUI you'll need to generate configuration files with our configuration generator, accessible by clicking "Client Area" from the upper menu of our web site and then clicking "Config generator" from the left tabs. The downloaded configuration files shall be pasted inside your OpenVPN configuration directory. You don't need the Configuration Generator if you run the Air client only (it will download transparently everything you need in https according to your choices and allow you to connect immediately to any VPN server). That said, maybe you might like to start first with the simplest setup, following our instructions for Windows here https://airvpn.org/windows and of course do not hesitate to open a ticket for additional support. Kind regards

We're very glad to inform you that we added support to Tapatalk, a forum app for Android , iPhone/iPad, Windows Phone, Windows 8 and more. Tapatalk provides fast on-the-go forum access to our forums. Simply install it and search for AirVPN. Please see here: www.tapatalk.com for more information. Kind regards & datalove AirVPN Staff

Hello! We're very glad to inform you that new payment gateways have been implemented: Coinbase and Avangate. With Coinbase you have yet another, comfortable way to pay with Bitcoin, while Avangate supports many credit cards. For a list of supported cards, please see https://airvpn.org/plans Kind regards & datalove AirVPN Staff

Hello! We have tested Skype on most Europe servers, including Dorsum and several NL servers, and we could not find any problem at all. Kind regards

Hello! We're very glad to inform you that a new 1 Gbit/s server located in Ukraine is available: Zaurak. The AirVPN client will show automatically the new server, while if you use the OpenVPN client you can generate all the files to access it through our configuration/certificates/key generator (menu "Client Area"->"Config generator"). The server accepts connections on ports 53, 80, 443, 2018 UDP and TCP. Just like every other Air server, Zaurak supports OpenVPN over SSL and OpenVPN over SSH. As usual no traffic limits, no logs, no discrimination on protocols and hardened security against various attacks with separate entry and exit-IP addresses. With Zaurak we now operate the VPN in another, new country for us, therefore your feedback will be even more welcome. Do not hesitate to contact us for any information or issue. Kind regards and datalove AirVPN Team

Hello! Yes, you should be. In general, mixing identities is not recommended. It can abet correlation attacks and significantly lower your anonymity layer. Remember, a VPN protects your line between your computer and the VPN server. It does not protect you or your computer, and it does not protect against personal data voluntarily sent out, as it may happen when you "use" a real identity while connected to the VPN. Of course there are many other purposes to use a VPN for which mixing identities is just fine, but if your main concern is a strong anonymity layer, then it's a good rule to never mix identities. Kind regards

Hello! Maybe they did not notice our ticket. But it's strange that they did not notice either the PayPal transaction email or their financial balance. We hope so. But it doesn't matter in the end, see below. If this donation is a problem they can simply refuse it and we can allocate the same money to other projects. No rejections, no 'thanks' until now. However your thoughts are very interesting. Look at the pinned topic of this forum: https://airvpn.org/topic/10122-guidelines/ We have a monthly budget that is allocated to support other projects that accomplish our mission. A part of this budget is managed by us to some specific projects, like our support to TorServers.net, with monthly recurring donations. Another part of no-profit budget is available to the objective of this forum: support with spot donation (sort of monthly award) those projects that our community likes or suggests. For this reason, we delivered the donation to RiseUp only a day after this topic was opened. We don't know this RiseUp team, but it doesn't matter: some people of our community suggested that, there was no other candidate in March 2014, so it was accepted. Note also that we delivered the donation before any contact with RiseUp team, simply because we don't ask anything in exchange, not even to be listed as supporter. Yes, we list our donations in our mission page. But this is for transparency, because (as explained in the pinned topic) we hope that our community can decide how to distribute our donation budget every month. We don't hide that this initiative can also imply a return on our image and reputation and a marketing tool. But if it is the case, we soon increase our donation budget. A nice loop in support of Net Neutrality and against censorship. We are waiting for our community feedback. If necessary, we can anyway close this initiative and raise our donations to TorServers.net. Kind regards

Hello, we confirm you it's perfectly normal. When you had no warning, you were connected to a VPN server whose IP address matches that same country you live in according to Google database and IP geo-location. Every time, according to Google, you connect from a different country, you trigger the security system. It's a feature, not a problem, but anyway you can disable it. Kind regards

Hello! Probably the difference lies in the geo-location of the IP address of the VPN server. Kind regards

Hello, the point is that you claimed false and misleading information on a public forum. We repute that fixing false information is our right and duty, and not a childish act, especially if the false information are written in our own forums. If you are looking for a service that consents plainly false information to be spread without a rectification you're in the very wrong place. Kind regards

Hello, if you mean that Google warned you because you accessed your GMail (or other) services via the AirVPN server in Spain, while you usually access it from somewhere else, that's perfectly normal: Google detected a change of the IP address it sees connections coming from and warned you. Kind regards

Hello! Not at all. You were wrong, see below. You wrote: Today is Monday. Sunday is 1 day ago. Saturday is two days ago. The new service is offered to anyone, not to Air subscribers only. It is a free courtesy, not included in Air subscription price or in any other part of Air subscriptions, and can be suspended anytime without notice. The bug has been probably detected. Kind regards

Hello, we do provide a DDNS service, if you're interested. It's included in your subscription. https://airvpn.org/topic/9314-what-is-dynamic-dns/ Kind regards