Staff

Hello! a) You can find the entry-IP address of a server by generating, with the Configuration Generator, the configuration for that server and looking (with any text editor) at the line "remote" of the .ovpn file. Or just ask us. The rules are ok both for UDP and TCP. Anyway, you might like to eliminate all that logging, it may be useless and also slow down the system. b ) Probably not. The rule: "allow log UDP to 255.255.255.255" should be "allow udp from any to 255.255.255.255". Even "allow ip from any to 255.255.255.255" is ok. The rule "allow log ip from 127.0.0.1 to any" is risky. It's safer something like "allow ip from 127.0.0.0/8 to 127.0.0.0/8" Additionally, you need to communicate with your internal network devices (at least with your router) so you should also add: "allow ip from 192.168.0.0/16 to 192.168.0.0/16" or maybe (it depends on your subnet) even a more restrictive "allow ip from 192.168.1.0/24 to 192.168.1.0/24" could be fine. However this rule will allow DNS queries to your router and that could lead to a sort of DNS leak if your router re-transmits the query to your ISP. In this case, block outbound port 53 in the subnet: "deny ip from 192.168.0.0/16 to 192.168.0.0/16 53 out" c) ip is Internet Protocol and includes TCP, UDP, ICMP etc. d) 192.168.0.0/16 "covers" the range starting from 192.168.0.0 and ending to 192.168.255.255, so you're just fine. e) Impossible to say in advance, you can't determine the entry node in the TOR network by default. One of the strong points of TOR is establishing different circuits. You're ok with the already mentioned rules, because if you connect OpenVPN over TOR, you want that the final destinations (of your physical network card packets, not of the packets in the tun adapter of course) are the entry-IP addresses of Air servers. Kind regards

Hello, the reported Tunnelblick vulnerability (affecting 3.2.8 and earlier versions) was quickly addressed already in Tunnelblick 3.3experimental, and has been ultimately fixed on Tunnelblick 3.3beta22 on 12-Sep-2012, i.e. just a few weeks after the notification. http://code.google.com/p/tunnelblick/wiki/RlsNotes About Viscosity, on the very same page which you provided the link of, it is written that Jason Donenfeld reported the vulnerability to the vendor on 11-Aug-2012 and the vendor corrected it on 30-Aug-2012. You should never run obsolete program versions: vulnerabilities are discovered every day and it's important to address them expeditiously. Also keep your OS X up to date (although Apple is sometimes slow in addressing vulnerabilities): dozens of vulnerabilities are discovered every month. The work of those who discover vulnerabilities and notify the programmers about vulnerabilities is invaluable. Kind regards

Hello, this connection drops for this timeout: 12/11/2013 - 11:23 AM read TCPv4_CLIENT: Connection timed out (WSAETIMEDOUT) (code=10060) 12/11/2013 - 11:23 AM Connection reset, restarting [-1] If you're connecting via WiFi, please try to get a stronger signal. If you are connecting via cable, there's not much you can try (apart making sure that the cable is not damaged). Kind regards

Hello, Tunnelblick is an OpenVPN wrapper but it does not support every OpenVPN feature. In particular it does not support connections over a proxy. Therefore you need to run OpenVPN without this wrapper in the middle. Please see here: https://airvpn.org/topic/9325-development-of-os-x-airvpn-client/ Kind regards

Hello, we have had a momentary problem for some minutes which caused the issue (only to the Air client), we deeply apologize for any inconvenience. Kind regards

Hello! If your client disconnects without notifying the server (for example because the connection is suddenly lost) and OpenVPN is on UDP, there's no way that the server can know that the client disconnected. Therefore, the system will "release" the client only after the timeout. When you click the "Disconnect Now" button, the system executes the command even if the page does not refresh. After you issue the forced disconnection command by clicking the button, please allow 10 seconds and then re-try a connection. We see that your account is currently connected and successfully exchanging data, so we presume that the problem was solved before this reply, is it correct? Kind regards

Hello! This is pasted from caduber's ticket, to readers' comfort: Hello! In most cases this problem is caused by wrong permission/ownerships in the system folders. Please run the Disk Repair Utility and perform a "Repair Permissions" on your boot drive, it should fix the issue. P.S. Please see also here http://bit.ly/1dfrWtg

Hello! That's correct: since there's an NL Netflix version, the re-routing to Netflix USA has been canceled on the NL servers, otherwise we would have rendered Netflix NL inaccessible. Kind regards

Hello! For OS X, as long as our client/OpenVPN graphical wrapper is not ready, direct OpenVPN usage is necessary to connect OpenVPN over a proxy. Which setup to pick depends on your needs. With OpenVPN over TOR our VPN servers can't see your real IP address and the TOR nodes can't see your traffic. Your system is visible on the Internet with the VPN server exit-IP address. Your ISP sees TOR traffic. With TOR over OpenVPN our VPN servers can't see your traffic. Your system is visible on the Internet with the TOR exit-node IP address. Your ISP sees OpenVPN traffic. Both solutions imply a significant performance hit. OpenVPN over TOR offers the option for additional hopping. For example you could run TOR in a Virtual Machine to have, in the VM, traffic over TOR (circuit 1) over OpenVPN over TOR (circuit 2). This solution will result in a formidably strong anonymity layer on the Internet, at the price of a critical performance hit. Kind regards

Hello! We're sorry, Tunnelblick does not support any OpenVPN connection over SSH/SSL or proxy. Kind regards

Hello, even that would be insufficient to remain anonymous if, in the action, you use an identity that can be exploited to reveal your real identity. Kind regards

Hello, it looks correct, anyway try not to remap to a different local port: try the same port everywhere. Kind regards

Have you considered malware or hijacks from within your system? Kind regards

Hello, the rules are correct, provided that your home network is in 192.168.0.0/16 (please check). Another rule should be added to allow DHCP, if you need it (probably so), you need to allow anything in UDP to IP 255.255.255.255 (to know why, please see how DHCP discovery works). Kind regards

Hello! One of our DNS servers run there, yes, as failover DNS. It's not a privacy risk, because DNS queries come from the VPN servers. Kind regards

Hello, that was the problem we faced even before building up AirVPN. Without entering a debate about the confusion you make between security and anonymity, an adversary needs to control different networks and must have the ability to correlate traffic in order to crumble the anonymity layer. For example an adversary with the power to wiretap simultaneously your line AND the VPN server (the server, not the datacenter lines: in this case timing correlations become necessary and the task becomes overwhelming for every single client) you're connected to has this power. Mitigation is possible by picking servers outside your country and by rotating servers, but in order to defeat completely an adversary with such power (and even some higher powers) you need partition of trust: https://airvpn.org/topic/54-using-airvpn-over-tor/?do=findComment&comment=1745 Of course, if you mix identities, and one of these identities is your real identity or can anyway be exploited to reveal your real identity, no service and no technique and no partition of trust in this world can 100% protect you. Remember that a VPN protects your line, not your behavior. A very trivial example is using a VPN connection to log in Facebook with an account which is related (or has been related at least once in the past) to your real identity. Kind regards

Hello, very interesting for us and useful to Virgin customers as well as potential Virgin customers, thank you very much for your feedback. Kind regards

Hello! Assuming that the Comodo rules are correctly set, all you wrote is just right, you are protected against any leak. Kind regards

Hello, please open a ticket at your convenience. Kind regards

Hello! Very well! That's correct: the authentication to a VPN server is not based on login/password, but on certificates and key. Kind regards

Hello! In the Configuration Generator please tick "Advanced Mode", then tick "Separate certs/keys from .ovpn files". In this way you will generate split files, otherwise the CG will embed the configuration .ovpn file with certificates and key . user.crt is the client certificate; ca.crt is the CA certificate; user.key is the client key. Kind regards

Hello! In the following example, we setup an OpenVPN over SSH connection to port 22 of server Persei with Windows Vista/7/8. 1) Log in the Air web site and go to "Client Area"->"Config Generator" 2) Tick "Windows" as Operating System and select server "Persei" 3) Tick "Advanced Mode" and tick "SSH Tunnel, port 22" 4) Tick to accept the Terms of Service and click "Generate" 5) The Generator will generate four files. Download the four files "AirVPN_US-Persei_SSH.22.ovpn", "AirVPN_US-Persei_SSH-22.bat", "sshtunnel.ppk" and "plink.exe". 6) Put (copy and paste) the aforementioned four files in the SAME directory. It can be any directory you like, just create a new one for your comfort. 7) Open a PowerShell or a command prompt, cd to the aforementioned directory (*) and type: AirVPN_US-Persei_SSH-22.bat 8) Wait until ssh connection is established (it should take just 3-4 seconds), then open another Powershell WITH administrator privileges, cd to the same directory as above and type: openvpn AirVPN_US-Persei_SSH.22.ovpn (*) this means to set the current working directory with the command cd. For example, if the directory where you pasted all the files is C:\somedirectory\someotherdirectory, the command will be: "cd C:\somedirectory\someotherdirectory" Kind regards

Hello, yes, you need the iptables rules. The forwarded ports in the web interface settings should be deleted, in order to avoid to expose your system to correlation attacks. You need them only when you want to forward ports when the router OpenVPN client is not running. Assuming that you need to forward both UDP and TCP, that's correct. Kind regards

Hello! Something is blocking OpenVPN: Mon Nov 11 11:59:27 2013 TLS Error: TLS key negotiation failed to occur within 60 seconds (check your network connectivity) Since you can connect with your iPod, it should not be a block from your university. For testing purposes, can you momentarily disable your firewall and try again? Kind regards

Hello, very well. Yes, the configuration (but not necessarily the date and time) stays. You might like to have your router connect to an NTP server to sync date and time at each reboot or periodically. Kind regards