Everything posted by Staff
-
Hello! Which DNS server did you query? We do not detect any problem at all with all major public DNS, and our authoritative DNS servers are working properly. Kind regards
-
Hello! After the upgrade there was a bug in the SSL server. We apologize for the inconvenience. It has been fixed, can you please try again now? Kind regards
-
Three simultaneous connections per account allowed
Staff replied to Staff's topic in News and Announcement
Hello! No, that's not required. You are totally free to connect from three different addresses. For example, if you travel you can leave your home computer connected and stay connected during the travel with two more devices (smart phone and tablet, laptop and smart phone...). Kind regards
Hello! Can you please re-check all the certificates and keys and make sure that you pasted properly (just in case you committed a "paste mismatch")? Also, can you please make a test with "TLS Cipher" set to "None"? Finally, we disabled LZO compression, please set it to "None" or "No". Kind regards

Hello, I confirm that changing TLS Cipher to none solved the problem. My DD-WRT is v24-sp2 (02/04/14) std - build 23503, so it's not an old one. Just one more question: does disabling TLS Cipher imply risks? Thanks

Hello! Absolutely no risks at all. The additional TLS authentication through the ta.key is clearly performed anyway (not that it adds any relevant security on your end, it's just an additional protection for our servers) because otherwise our servers would not accept your connection. It seems a bug of the OpenVPN client DD-WRT configuration page, but it is totally harmless. Kind regards
-
LMDE connection attempts time out after the upgrade.
Staff replied to rogue's topic in Troubleshooting and Problems
Hello! You need to re-generate the files with our Configuration Generator. Configuration, certificates and keys have changed. We're sorry you were not aware of the upgrade, we spread the information well in advance via PM, personal e-mail, forum, Twitter and Facebook, we could not do anything more. Kind regards
Hello! We don't know for sure how it's possible since the Data Channel is AES-256-CBC. Speculating, we could assume that the TLS Cipher is overridden, in the part pertaining to the Data Channel cipher, by the appropriate field in case of conflicts, and the TLS Cipher, in this case only, is used in the part TLS-DHE-RSA... keep in mind, this is just speculation. Kind regards
-
Hello! Can you please re-check all the certificates and keys and make sure that you pasted properly (just in case you committed a "paste mismatch")? Also, can you please make a test with "TLS Cipher" set to "None"? Finally, we disabled LZO compression, please set it to "None" or "No". Kind regards
-
Hello! Maybe you're using one of the older builds in which it is necessary to set TLS Cipher to "None" (every other setting will cause a connection failure). On some old builds, setting TLS Cipher to "None" is the only solution: pasting the ta.key will cause the DD-WRT OpenVPN implementation to consider anyway the additional TLS Auth configuration, fixing the apparent bug. Kind regards
-
Three simultaneous connections per account allowed
Staff replied to Staff's topic in News and Announcement
Hello! The most common usage is establishing up to 3 connections to up to 3 different servers from up to three different (either real or virtual) machines. Kind regards
Three simultaneous connections per account allowed
Staff replied to Staff's topic in News and Announcement
@zhang888 You entered a logical flaw. In order to maintain a high privacy environment and a strong anonymity layer it is mandatory that we agree that logging is not a marketing term, but it means to keep a file to record past events so that they can be rebuilt in ANY arbitrary moment in the future.

If you extend the meaning of logging as you are doing, then the RAM image itself would mean "logging", or more generally any state at any given moment of any kind of a limited Turing machine would be a log. According to your definition every type of limited Turing machine logs and every state is a log (even if that state is destroyed in time) and the concepts of "anonymity layer" and "privacy" do not exist anymore as soon as any limited Turing machine or a computer is used, while in the real world the difference is clear (given the flow of time as we perceive it) between keeping information that can be used in any arbitrary moment in the future and NOT keeping it.

Amongst other things, what here is relevant is that keeping temporary information (for example, 1 byte) about whether a "connection" is established or not (which is mandatory to make the Internet work) is not only totally irrelevant for privacy, but also and above all completely equivalent regardless of the value of that byte, from which the absurdity of your conclusion derives: there is no difference according to your definition in allowing n connections from one account, for each possible value of n, including n=1 and n=3.

Such philosophical discussion is completely irrelevant for our mission and for the purposes of our customers, for whom the concepts of "anonymity" and "privacy" are preserved when no information can be rebuilt in an arbitrary future moment even if it is known that they were using a VPN service, but it can imply a real nice philosophical discussion that you are free to open in "Off Topic", but please not in this topic, thanks in advance. Kind regards
Three simultaneous connections per account allowed
Staff replied to Staff's topic in News and Announcement
Hello! Thank you for your feedback.

1) Client, DDNS handling and port checks need an update. We are already working on it and a solution will come out very soon (a matter probably of days).

2) We don't use any RADIUS or other kind of software for authentication purposes. There is no change about privacy and no additional monitoring.

Internal details:
- Each AirVPN server runs simply OpenVPN daemons
- When a new connection is received, after the cryptographic validations, the VPN server contacts indirectly a backend server to notify the connection. This updates a centralized 'active sessions' table in our db, data queried by our website pages for real time stats.

Previously, if our backend server already had a session from a user, it replied to OpenVPN server to reject the connection.
Now, if our backend server already sees 3 sessions from the same user, it tells OpenVPN server to reject the connection.

Technically, there isn't any architectural change. It is a 'political' change. Kind regards
Hello! No, wait, the download of keys and certificates is NOT in the clear. It's encrypted via HTTPS with TLS up to 1.2 and Perfect Forward Secrecy (with DHE or ECDHE key exchange). Just don't use Internet Explorer 6 or 8 otherwise you will lose FS and TLS 1.2. Kind regards
-
Hello! We're glad to inform you that from now on: every account can establish 3 simultaneous connections to DIFFERENT AirVPN servers

EDIT 29-Nov-17. This thread is obsolete, now limit of concurrent connections is FIVE. Please see https://airvpn.org/topic/24167-five-simultaneous-connections-per-account/

No impact on quality of service will occur: the guaranteed allocated bandwidth pertains to accounts, regardless of the number of established connections. If you establish 2 or 3 connections with the same account, we guarantee the SAME allocated bandwidth as before, NOT the double or the triple of it.

No price increase has been planned for this new feature.

As specified above, you can NOT connect the same account twice or thrice to the same AirVPN server. Each connection must go to a different AirVPN server.

We're confident that allowing 3 connections per account at the same price will meet fully the requirements expressed by several customers. Please do not hesitate to contact us for any further information.

Kind regards & datalove
AirVPN Staff
-
Hello! Crucis is under maintenance and we'll make an announcement soon about it. Kind regards
-
Hello! We're glad to inform you that in a short time we'll release an Air client version supporting connections of OpenVPN over SSL/SSH. Kind regards
-
Hello! We're glad to inform you that upgrade completed successfully! Kind regards
-
UPGRADE IS IN PROGRESS. You can already download the new configuration files (which include new keys and certificates) if you wish so. Kind regards
-
Tunnelblick users need to re-generate certificates, configuration files and keys, just like users of any other OpenVPN wrapper (except the Air client) need to do. Kind regards
-
ANSWERED Geoblocking from Spain despite VPN?
Staff replied to CultureVulture's topic in Troubleshooting and Problems
Hello! Because the service could use different methods than your IP address to detect which country you're in. For example the service can (in HTML5) just ask your browser which country you're in and your browser (if authorized) will tell it. Kind regards
Hello! 2048 bit keys, currently. So what...? The Control Channel cipher is HMAC SHA1, not SHA1. SHA1 is the underlying hash verification. Deprecation has nothing to do with it. It is well known that SHA1 should never be used as a security cipher and OpenVPN does not use it. In HMAC SHA1 we don't even have to care at all about SHA1 hash collisions. In order to inject forged packets in your traffic flow, an attacker should first break every single upper layer, starting from HMAC which is extremely robust, and THEN try hash collisions. Kind regards
-
Hello! Yes, that's correct. Only AFTER the end of the upgrade. Kind regards
-
UPGRADE COMPLETED SUCCESSFULLY

Hello! We're glad to inform you that a major system upgrade will take place during Sunday, 13 April 2014, 21:00:00 - Sunday, 13 April 2014, 22:00:00 UTC

This upgrade has a triple, important purpose: close any possible exploitation chance, regardless of how unlikely it could be, deriving from past "Heartbleed" vulnerability, bring AirVPN in an even higher security environment and open the road for an important new feature of the service: 3 simultaneous connections per account on different servers (details will be provided soon after the major upgrade which takes precedence).

The upgrade in details
- switch to 4096 bit size RSA and DH keys
- implementation of additional OpenVPN TLS-Auth layer
- re-generation of certificates and keys
- general optimization

During the upgrade all the VPN clients will be forcefully disconnected and will not be able to reconnect. The upgrade will take approximately 30 minutes. Disconnections will occur on all servers from-to:

Sunday, 13 April 2014, 21:00:00 - Sunday, 13 April 2014, 22:00:00 UTC

that is:

Sunday, 13 April 2014, 14:00:00 - Sunday, 13 April 2014, 15:00:00 PDT
Sunday, 13 April 2014, 16:00:00 - Sunday, 13 April 2014, 17:00:00 CDT
Sunday, 13 April 2014, 17:00:00 - Sunday, 13 April 2014, 18:00:00 EDT
Sunday, 13 April 2014, 23:00:00 - Monday, 14 April 2014, 00:00:00 CEST
Monday, 14 April 2014, 06:00:00 - Monday, 14 April 2014, 07:00:00 JST

Click here to find your town: http://www.timeanddate.com/worldclock/fixedtime.html?msg=Switch+to+4096+bit+size+keys&iso=20140413T23&p1=215&ah=1

Mandatory actions

After the upgrade, customers running the Air client for Windows will need to shut down and restart the Air client. It is assumed that customers have already downloaded the new package for Windows which includes OpenVPN with non-vulnerable OpenSSL, available here https://airvpn.org/windows and installed the new OpenVPN version.

Customers running any other OpenVPN wrapper or OpenVPN will need to re-download configuration, certificates and keys files.

Additional information for customers running manually configured wrappers:
- the "TLS-Cipher" or equivalent name in your configuration becomes: TLS-DHE-RSA-WITH-AES-256-CBC-SHA
- in Tomato, DD-WRT, pfSense, Fritz!Box etc., the client certificate, the server certificate, the client key and the TLS key must be pasted again (after they have been generated and downloaded from the Configuration Generator as usual) in the appropriate fields of your configuration

Please do not hesitate to contact us for any further information.

Kind regards
AirVPN Staff
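
A check for the manually configured settings listed in the announcement above, as an added example that is not part of the original post and not AirVPN's own tooling: it parses an OpenVPN client configuration and reports directives that do not match the post-upgrade values named on this page (TLS-Auth key present, the new TLS cipher or none, AES-256-CBC data channel, LZO off). The sample configurations, file names and the old `tls-cipher` value are constructed for illustration.

```python
import re

# Values stated in the announcement and replies on this page.
TLS_CIPHER = "TLS-DHE-RSA-WITH-AES-256-CBC-SHA"
DATA_CIPHER = "AES-256-CBC"

def parse_ovpn(text):
    """Split an OpenVPN config into {directive: args} and inline <block> names."""
    directives, blocks, inside = {}, set(), None
    for line in (raw.strip() for raw in text.splitlines()):
        if inside:                      # skip key/cert material until </tag>
            if line == f"</{inside}>":
                inside = None
            continue
        if not line or line[0] in "#;":
            continue
        tag = re.fullmatch(r"<([a-z-]+)>", line)
        if tag:
            inside = tag.group(1)
            blocks.add(inside)
            continue
        name, *args = line.split()
        directives[name] = args
    return directives, blocks

def audit(text):
    """Return (directive, problem) pairs for settings that predate the upgrade."""
    d, blocks = parse_ovpn(text)
    findings = []
    for item in ("ca", "cert", "key", "tls-auth"):
        if item not in d and item not in blocks:
            findings.append((item, "missing; regenerate and paste it again"))
    if "tls-cipher" in d and d["tls-cipher"] != [TLS_CIPHER]:
        findings.append(("tls-cipher", f"expected {TLS_CIPHER} or unset"))
    if d.get("cipher") != [DATA_CIPHER]:
        findings.append(("cipher", f"data channel should be {DATA_CIPHER}"))
    if "comp-lzo" in d and d["comp-lzo"] != ["no"]:   # bare comp-lzo enables it
        findings.append(("comp-lzo", "LZO is disabled server-side; set to no"))
    return findings

# Constructed sample configs; file names and the old cipher are placeholders.
OLD = ("client\nca ca.crt\ncert user.crt\nkey user.key\n"
       "cipher AES-256-CBC\ntls-cipher DHE-RSA-AES256-SHA\ncomp-lzo yes\n")
NEW = ("client\nca ca.crt\ncert user.crt\nkey user.key\ntls-auth ta.key 1\n"
       f"cipher AES-256-CBC\ntls-cipher {TLS_CIPHER}\ncomp-lzo no\n")

if __name__ == "__main__":
    for directive, problem in audit(OLD):
        print(f"{directive}: {problem}")
```

An absent `tls-cipher` line passes the check, matching the replies on this page that setting TLS Cipher to "None" is harmless on DD-WRT.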
-
OpenSSL Heartbleed Bug - TLS/SSL Vulnerability
Staff replied to Samad's topic in General & Suggestions
Hello! Of course. It appears that you have not followed https://airvpn.org/topic/11298-openssl-heartbleed-bug-tlsssl-vulnerability/?do=findComment&comment=16461 in the last three days but we strongly recommend that you do that. Of course. Please follow our recommendation. It is premature to allow generation of new private keys as long as the old certificate is not revoked (revocation ordered on 8-Apr, so it should go into effect real soon now) and anyway client private key leak is not such a big deal. Stay tuned, an important announcement is due in a few hours. EDIT: announcement published https://airvpn.org/topic/11319-major-system-upgrade/ Kind regards
