Everything posted by Staff

  1. Hello! Error 111 suggests that the packets are actively refused. Anyway, please consider that the test is performed in TCP only. Therefore, if rtorrent expects UDP packets the test will always "fail". Is rtorrent able to receive incoming connections while "torrenting"? Kind regards
  2. Hello! We ALWAYS respond to ANY inquiry by private citizens, blogs, forums, etc. This year we did not receive any question from TorrentFreak, though, otherwise we would have gladly answered as we have always done. We were aware of this article only when we saw it on TorrentFreak, after publication. Kind regards
  3. Hello! The short answer is no, because according to the document the exploit, in order to succeed in decrypting the Data Channel of the VPN users, needs old IKE (as in a basic IPsec implementation), or at least a VPN which implements a static key which is also used as the key to encrypt the Data Channel (without PFS). While these conditions can be met by several VPN services for consumers or even company VPNs around the world, that is not our case. It's even easier in the case of VoIP based on H.323, according to a comment to an article here https://www.schneier.com/blog/archives/2014/03/how_the_nsa_exp.html#comments : To say the same with different words, according to the document it seems that the attack can hope to succeed only if non-ephemeral key exchange is employed by the VPN, which is not the case for a correctly configured OpenVPN system. However we are looking forward to more analysis from security teams around the world, there are some vague steps in the document which need to be explained/interpreted. Kind regards
  4. @LBDude Thanks! At a first glance the document confirms that the attack can't succeed against OpenVPN because the foundation of the attack, at least according to the document, lies on IKE (used by IPsec and some VoIP software) packets "exfiling". Of course we will be waiting for more expert reviews and more information for a more thorough analysis. As a side note, it must be noted that approximately 11-12 years ago Schneier as well as Belani, Mookhey and many other persons reported and proved several vulnerabilities in IKE implementations, PSK etc. etc. so it's not upsetting that anyone exploits vulnerabilities when they have been well known for more than a decade. Kind regards
  5. @clown Hello! As a side note, just a quick warning: watch your language or you will be permanently banned from writing into our forums. A DNS leak is a DNS query that's sent unencrypted (outside the tunnel) against the computer owner's configuration. If your system queries a public DNS, or even your ISP DNS if it's not restricted to the ISP network, according to the owner's configuration, it is not a DNS leak when: - the query is sent inside the tunnel, OR - the query does respect the system owner's configuration. You can query any DNS server you like from inside the tunnel. Our servers will just send your query out as they do with any other packet (no discrimination against any protocol). The purpose of web sites like dnsleaktest is to show which DNS your system queries. The results can be used as hints to DNS leaks for further investigations. The only known system which "overrides" the owner's configuration with DNS queries is Windows (due to lack of a proper DNS implementation). In Windows each network card can have different DNS, simply because the concept of global DNS has been totally missing for more than 20 years. The process svchost.exe (which is responsible for many tasks, including DNS queries), under various cases tries to send out queries to all the DNS IP addresses listed in each and every card, without regard to routing or any other configuration. Therefore web sites like ipleak.net can be very useful especially for Windows users. According to your very own description there's no DNS leak from your DD-WRT system, as was to be expected, since DNS leaks do not affect non-Windows systems. Kind regards
  6. Staff

    Riseup.net

    We submitted a help ticket, according to the recommended method to talk with the riseup.net team, about a week ago. We gave them information about our mission, a link to this topic, and informed them that we want to support riseup.net's mission, with a donation and coupons for their activists. We performed the donation (1340 US $) on the same day. The day after, we received an e-mail, the only feedback we ever received: It looked like an automated reply, so we replied that we don't need any email account or any access to their services. We also entered their IRC chat and informed them that we are still waiting for a response to our ticket. No reply in a week. No further action from us is planned. Kind regards
  7. Hello! Thank you for your feedback! We think that different business models for different needs apply here. We are the only service in the world which guarantees explicitly in the Terms of Service a minimum allocated bandwidth. It is a promise of no overselling, and we publish a real-time servers monitor to show that we respect this commitment. This makes our service extremely inexpensive, but of course only if you are able to understand the value of this commitment. Competitors are there to satisfy different needs, expectations etc.! We will always try to improve our customers' satisfaction, but we will never be able to satisfy every need of every person in the world, otherwise we would have no competitors at all. Kind regards
  8. Hello! Where do you see that in the article? By the way, about your questions: 1 and 2. Offline access is impossible, we would have to travel around 3 continents every day and ask for infinite authorizations to access datacenters. Anyway it's not relevant, even if we did that the problem would just be the same, because there are methods to compromise a computer without having to actively operate on the computer itself, or simply because you have no guarantee that external wiretapping devices are not attached to the server a second after you leave the datacenter. The solution is completely different and we've been talking about it for years, please refer to https://airvpn.org/topic/54-using-airvpn-over-tor/?do=findComment&comment=1745 etc. 3. That's already performed by your OpenVPN, with double-certificate verification. During the connection, packet authentication is performed. 4. Apparently that's not relevant for us because keys are negotiated with DHE, therefore we just don't care if and who's listening to any router or any other device between your node and our node, and it's not worrying even if they catch your user.key: apart from the fact that they will be able to connect to our VPN servers with your account and therefore use our service for free, with your user.key they can't decrypt your data channel. Maybe the author of the article refers to something else (unfortunately the whole article seems to be written in too simplistic and vague terms), therefore a deeper analysis is needed. Just remember that math can't be twisted. Kind regards
  9. Hello! Exactly. According to your very own description, your ISP's DNS IP addresses are specified nowhere in the router. So your router just does not know your ISP DNS. Kind regards
  10. No problem! But what am I supposed to do now? Will that problem go away (why should it???)? Will AirVPN do something about it? Thanks for making that more clear to me! Greyzy Hello! We need to study the problem. If the web site blocks in any case multiple accesses from the same IP address it's a problem to be evaluated carefully. It's also a problem on their (n-tv) side, because nowadays NATs are used not only by us in order to provide a stronger anonymity layer, but also by thousands of ISPs due to the fact that IPv4 addresses have been exhausted for some time. Therefore, generally speaking, it's an idiotic decision to bar an IPv4 address because there are multiple accesses from the same IP address. It's a decision that harms the service itself. In the meantime, Wezen and Castor are still working, so you can connect to them. Kind regards
  11. Hello! No, you're wrong, they are NOT transmitted unencrypted. Anyway your user.key is useless to decrypt your OpenVPN communications. It can be used to connect to a VPN server of ours. Kind regards
  12. Hello! We have repeatedly replied in other threads and we tend to avoid duplicates. This is a forum used by the community and you must not expect that we always enter a debate, especially if we already answered in the past. We may do it and we may not. If you want an answer on some subject from us please open a ticket at your convenience. That said, what you suggest is not a real solution, usually these block lists include entire datacenter IP ranges. What you're suggesting is to go back to full surveillance, with logging etc. and that's not what our service is aimed at. You can't claim to protect Net Neutrality, remain a mere conduit and at the same time monitor the users of your infrastructure. Anyway that would not solve the problem. As jgalt correctly wrote, the fault here is with the end service, not ours. If an abuse is perpetrated from any node of a datacenter, the maintainers of some blacklists add the whole datacenter IP range. The administrators of the services that implement such blacklists clearly prefer to be enemies of an open Internet rather than make some effort to put in place more proper solutions. These administrators are the first persons to cry for Net Neutrality and freedom when their services are censored by third parties, but they are also acting exactly against the very same principles they invoke when they are harmed. In any case, preserving Net Neutrality is much more important than complying with the bad behavior of some badly behaving service administrators. Contrary to hypocritical administrators, we struggle to remain always coherent with our mission. Kind regards
  13. Hello! No, it doesn't. Just set 10.4.0.1 as primary DNS in your router in order to query the VPN DNS. Set a public DNS server IP address as secondary DNS to allow name resolution when the router is not connected to the VPN. OpenNIC may be a good choice, see http://opennicproject.org As a side note, what you're experiencing is not a DNS leak, which occurs only on Windows (the only OS lacking the concept of global DNS): the router is just doing what you instructed it to do, i.e. query the configured DNS. Kind regards
  14. Staff

    Riseup.net

    Hello, your suggestion looked very good and a part of the donations budget has been delivered to riseup.net. More news soon in the dedicated "Mission" page https://airvpn.org/mission Kind regards AirVPN
  15. Hello! Can you please make sure that you really followed the instructions? You should never double-click the configuration file. You need to double-click the icon of the folder that you renamed with a ".tblk" extension.
     1) create a folder (for example on the Desktop)
     2) paste inside the folder one and only one .ovpn file
     3) rename the folder with a ".tblk" extension (for example, folder "abc" becomes "abc.tblk")
     4) double click on the folder icon
     Kind regards
  16. Hello! Well, the traffic to trackers is re-routed on some servers and not on others. To ipleak.net the traffic is not re-routed by any server, so you should always see the VPN server exit IP address. We tend not to announce publicly such re-routing operations for some good reasons. The important thing, anyway, is that you never see your real IP address during the test. Kind regards
  17. Hello, yes, please see https://airvpn.org/topic/9787-the-pros-and-the-cons/?do=findComment&comment=11501 Kind regards
  18. Hello! We're very glad to inform you that we now provide a service to detect data provided by your torrent client, similar to the service provided by checkmytorrentip, through our http://ipleak.net web site (just click "Activate" under "Detected torrent address"). To detect data from your torrent client we provide a magnet link to a fake file. The magnet contains an HTTP URL of a tracker controlled by us (HTTP, not UDP) which archives the information coming from the torrent client and displays it to you. The procedure can take up to 20-30 seconds, so do not close the web page for some time after you have started the torrent client, in order to allow the test to be completed. Enjoy the service when you need it! Kind regards
  20. Hello, in order to do this: please make sure that you follow the instructions. Your description is ambiguous. Keep in mind that you have to rename the folder you have created (not the file) after you have pasted one and only one .ovpn file inside it. Kind regards
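The folder-to-bundle procedure from posts 15 and 20, carried out by a small POSIX shell function. This is an added example written for this page, not AirVPN's or Tunnelblick's own code; the function name make_tblk, the argument order and the default Desktop location are assumptions. It enforces the one-and-only-one .ovpn rule the posts insist on and refuses to overwrite an existing bundle, so a mistake in the steps fails loudly instead of producing a bundle that Tunnelblick will not import.

```shell
#!/bin/sh
# Added example (not AirVPN's or Tunnelblick's code): build a Tunnelblick
# ".tblk" bundle from exactly one .ovpn file, following the posted steps
# 1) create a folder, 2) put one .ovpn inside, 3) rename it "<name>.tblk".
# Assumption: caller supplies the .ovpn path and the bundle name.
set -eu

# make_tblk OVPN_FILE BUNDLE_NAME [PARENT_DIR]
# Creates PARENT_DIR/BUNDLE_NAME.tblk holding a copy of OVPN_FILE and prints
# the bundle path. Returns non-zero if the source is missing or is not an
# .ovpn file, if the bundle already exists, or if the finished bundle does
# not contain exactly one .ovpn file.
make_tblk() {
    ovpn="$1"
    name="$2"
    parent="${3:-$HOME/Desktop}"   # assumed default: the Desktop, as in the post

    [ -f "$ovpn" ] || { echo "make_tblk: no such file: $ovpn" >&2; return 1; }
    case "$ovpn" in
        *.ovpn) ;;
        *) echo "make_tblk: $ovpn does not end in .ovpn" >&2; return 1 ;;
    esac

    bundle="$parent/$name.tblk"
    [ ! -e "$bundle" ] || { echo "make_tblk: $bundle already exists" >&2; return 1; }

    # Steps 1-3: the folder is created directly under its final ".tblk" name,
    # which is the same as creating "abc" and renaming it to "abc.tblk".
    mkdir -p "$bundle"
    cp "$ovpn" "$bundle/"

    # Sanity check: one and only one .ovpn must be inside the bundle.
    count=$(find "$bundle" -maxdepth 1 -name '*.ovpn' | wc -l | tr -d ' ')
    if [ "$count" -ne 1 ]; then
        echo "make_tblk: expected 1 .ovpn in $bundle, found $count" >&2
        return 1
    fi
    echo "$bundle"
}
```

Step 4 of the post (double-clicking the folder icon) is a Finder action; on macOS the equivalent from a terminal is `open "$(make_tblk AirVPN_abc.ovpn abc)"`, which hands the bundle to Tunnelblick for import. The function never touches the .ovpn itself, so double-clicking the configuration file by mistake, which post 15 warns against, is not something it can do.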
  21. Incredible. Blowfish was designed in 1993 and its very creator Schneier recommended years ago NOT to use it. There's a class of weak keys that causes problems in picking an appropriate key and, from the user's point of view, we doubt that you can have the absolute security that the keys are appropriately picked. It's somehow weird that Air is compared to such services, maybe it's a comparison not focused on security. Many experts claim that Blowfish should not be used for the OpenVPN Data Channel and in general it should not be used at all. Again, Schneier himself said to switch to something else in 2007. Anyway, about the CPU processing power, if the CPU usage is so low in your box then you're right, the bottleneck does not seem to be there. Keep on experimenting and feel free to report back, because, as is reported by very many customers on different threads here and also if you have a look at the top speed users in the servers monitor table, it's normal to achieve higher than 40 Mbit/s throughput on several of our servers (including Alkaid) with a line like yours. The quality of Air datacenters' connectivity to tier 1 and tier 2 providers is surely not inferior to the datacenters we see PIA uses. Assuming that you connect in UDP (if not, please try it, performance with TCP is surely inferior), you might like to verify, first of all, whether there's packet fragmentation, by checking the OpenVPN logs after some minutes of ongoing connection and normal usage. Kind regards
  22. Hello, is the Data Channel cipher the same? On box CPUs, AES-256-CBC is computationally heavy, but our ciphers are picked with high security in mind. As far as we know PIA uses weaker encryption for the OpenVPN Control Channel. Kind regards
  23. Hello, another factor to be considered is that UDP is connectionless, therefore if a client disconnects without notification to the server (for example because the line dropped), the server has no way to know that the client is no longer there until a ping times out (60 seconds). TCP is an alternative option, but under normal circumstances TCP performance is always inferior to UDP's. Kind regards
  24. Hello, please click the button "Disconnect Now" in your "Client Area" for such purposes, it's there for that. Anyway your guess does not seem right, your account is not connected, maybe you have some other problem: feel free to open a ticket and always include the log files pertaining to the problem. The one connection per account is not a matter to be fixed, it's a feature. We are the only VPN service in the world, as far as we know, that provides a guaranteed allocated bandwidth with a real time servers monitor to show that we keep to our word. Although this feature might not be appreciated by some people who just need lower quality or "whistles and bells" services with no care for anonymity and performance, we assure you that the fact that we are considered probably the top VPN service in terms of performance (in spite of the most computationally hungry cipher suite) is related to this as well. Kind regards
  25. Hello, we will soon make an announcement about the release of Eddie, which will include leak prevention features (including prevention of leaks in case of unexpected VPN disconnection). In the meantime we remind you that if you have issues with a Windows firewall, in Windows you can prevent any leak with a single command which needs less than 10 seconds to be typed in. For example if your computer gateway IP address in your home/office network is 192.168.1.1 (just an example) open a command prompt with admin privileges and type: route delete 0.0.0.0 192.168.1.1 and that's all you need to prevent any leak. You can immediately see the gateway IP address by typing "route print". Please see here for some theory and more information: https://airvpn.org/topic/9797-blocking-non-vpn-traffic-without-firewall-using-routing-router/?do=findComment&comment=11512 Kind regards