Staff

Hello amir4g, please contact us in private to bypass the web site block. Write to support(at)airvpn(dot)org Kind regards

NOTE: if you run Eddie or Hummingbird you don't need this guide, but you might need to get rid of update-systemd-resolved which, in one of its various working modes, can interfere fatally with DNS handling. This post describes how to accept OpenVPN servers DNS push on Linux, OpenBSD, FreeBSD and some other POSIX-compliant OS when: resolvconf package OR openresolv package is installed OpenVPN is run directly (i.e. NOT through any OpenVPN GUI/wrapper such as network-manager) OpenVPN version is 2.1 or higher Warning: the specified "update-resolv-conf" script path refers to many Linux distributions and OpenVPN package installation, but NOT to all of them. Please check the correct path of the mentioned file before proceeding (for example: it could be /usr/share/openvpn instead of /etc/openvpn). If the script is not on your system, you'll need to create it. See the typical script here: https://wiki.archlinux.org/index.php/OpenVPN#DNS Important: in the same above linked page, note that if you have a system based on systemd you might need some important modifications: Add to your OpenVPN configuration file(s), either in field "Custom Directives" of the Configuration Generator or by editing the configuration directly, the following lines: script-security 2 up /etc/openvpn/update-resolv-conf down /etc/openvpn/update-resolv-conf In this way update-resolv-conf will record the DNS push and through resolvconf or openresolv will modify the nameserver accordingly. When OpenVPN quits, update-resolv-conf restores the previous nameserver line(s). Kind regards

Hello, all those IP addresses are airvpn.org public frontend servers. They are all on-sync, in real time. Kind regards

Thank you. In case you have VISA, MasterCard or JCB credit cards and you have issues with PayPal, you can just use your credit card, no PayPal need at all. Kind regards

Hello, you can, that's not a problem at all. PayPal will perform automatic currency conversion. You can also pay via credit card (VISA - MasterCard - JCB). Credit card issuer company will perform automatic currency conversion. Kind regards

Hello, no, sorry, but PayPal will perform automatic currency conversion. Kind regards

Hello jaypathora, you're connecting your system over OpenVPN over TOR. Kind regards

Hello, Tunnelblick does not support connections over SSL or over a proxy (Tunnelblick is not a wrapper that supports all the OpenVPN features). Please follow this guide: https://airvpn.org/ssl Do not hesitate to contact us for any issue or information. Kind regards

Hello! Not with the current client, because TLS 1.2 is supported only since .NET framework 4.5. However, with regards to BEAST, CRIME, Lucky Thirteen and various BEAST-dubbed attacks & exploits, this does not appear relevant, because such attacks rely on cookies and javascript (one of the key of the attack is decrypting a session cookie with a relatively low number of attempts; the number of attempts is still quite high for a single session, so the attack is dubbed for example with javascript, to open many multiple sessions), which are not used by the client. The most-successful known attacks against TLS 1.0 require at least 2-3 minutes to be completed, and the client not only will not open a myriad of sessions, but it will also timeout well in advance. The next client release for Windows, Linux and OS X will be under GPL so you will be able to examine the source code. About OpenVPN, the original message by James Yonan stands: Yonan went straight to the roots, without even having the need to consider all the browsers features, side-support web sites, injection etc. required to BEAST and CRIME to have a hope to succeed, to which OpenVPN is not "vulnerable". Feel free anyway to add your considerations, and remember that we do not and we will never force to use our proprietary clients to connect to Air VPN servers. Kind regards

Hello, TLS 1.1 and TLS 1.2 are now available also on the primary frontend server airvpn.org (95.211.138.143). All ciphers are supported, AES-256 included. Kind regards

A good re-collection of the leaks so far. It partially answers to our initial questions. http://www.forbes.com/sites/andygreenberg/2013/06/25/take-a-break-from-the-snowden-drama-for-a-reminder-of-what-hes-revealed-so-far/ Kind regards

Hello, far from defending our competitors, but everything you report points to severe problems on your end. Connections stability with OpenVPN and best datacenters is nowadays "an industry standard". It's mathematically impossible that you experience instability with every and each of Air and Air's competitors servers if it was not a problem on your end (or on your ISP, hopefully not). Just look at the servers monitor top connection times from clients to have an idea about OpenVPN and our servers stability. We have clients continually connected since weeks! Think about it: how could it be possible that 38 servers in more than a dozen completely separated and different datacenters connected to tier1 providers are ALL so unstable? Please do not hesitate to open a ticket, we will do our best to try to detect the problem. Kind regards

Hello, you should disable the DNS re-bind attacks filter, it's clearly a false positive probably due to the fact that speedtest.air is resolved into an address within the private network, an address which is also the VPN DNS IP address (when you connect to 443 UDP). Kind regards

Hello, please follow the guide https://airvpn.org/ios (click "iPhone", iPad screenshots are slightly different). About Safari, just make sure that it runs in full-mode, not in mobile-mode. If you wish to transfer files from PC to iPhone, you'll need iTunes, or you can e-mail to yourself the files (and open those e-mails on the iPhone). Anyway, using Safari in full-mode will allow you to download the configuration files directly with and into your iPhone, as described in the instructions. Kind regards

Hello, in this very moment your account is connected and exchanging data, can you please check what you see on your "Client Area" and on the central bottom box (important: browsing from a machine connected to the router and logging in with the same Air account you use to connect from the router)? Kind regards

Hello, with Comodo firewall it's easy and quick to check that, look at the "View Active Connections" window. Traffic to/from your VPN IP (10...) is tunneled. Traffic to/from your computer physical network card IP address (for example 192.168...) must be only to/from the server entry-IP you're connected to (normally only openvpn.exe will have such established connection). See also here about how Comodo can help you prevent any possible leak, even when system processes running with high privileges try to bypass the tunnel (see svchost.exe for DNS leaks) or even when the VPN disconnects unexpectedly: https://airvpn.org/topic/3405-windows-comodo-prevent-leaks/ Kind regards

Hello, TLS 1.1 and 1.2 are available on 212.117.180.25. If you wish to use them right now you should resolve airvpn.org to that IP address and force the browser to TLS 1.1 or 1.2. AES-256 is available as well. TLS 1.1 and 1.2 on the other two public frontend servers are planned to be implemented within the next 24 hours. Please note that TLS 1.0 and SSL 3.0 will remain available at the moment, in order not to cut out of the system Firefox, Chromium, Chrome, Iceweasel and many other browsers versions that do not support TLS 1.1 and 1.2 (perhaps more than 3/4 of our users) or that support them but require explicit user configuration to enable them. Kind regards

Hello, yes, that's correct, because if you run a browser configured to connect over the SAME TOR proxy to which OpenVPN is connected as well, that browser will tunnel its traffic over TOR only, not over OpenVPN over TOR. If you wish OpenVPN over TOR use a browser NOT configured to connect over TOR. If you wish TOR over OpenVPN, first connect OpenVPN then launch TOR and use a browser configured to connect over the TOR proxy. If you wish to connect over TOR, while connected over OpenVPN over TOR, connect a host over OpenVPN over TOR, then launch a VM (attached to the host via NAT, not bridged) and use TOR on the VM (so that on the VM you'll have connections over TOR-variable circuit over OpenVPN over TOR-another fixed circuit). Kind regards

Thanks! We'll investigate on Cassiopeia. Kind regards

Hello, please input ALL those commands (in that order, starting from ipconfig /flushdns) and send us the output at your convenience. Kind regards

Hello, if DropBox was hogging all your bandwidth, it could have caused a timeout in the TLS "handshake"... just speculation anyway. Kind regards

Hello, your account is now successfully connected, is it alright now? Kind regards

Hello! Your account is still successfully connected to some Air server. Stopping the VPN service will cause the connection to drop... if there's something wrong (for example Tomato does not really stop the service for some reason), go to your "Client Area" while logged in with the same account you use for VPN connection, and click "Disconnect Now" button. Your account will be forcefully disconnected in a few seconds. Kind regards

Hello! With reference to this: https://airvpn.org/faq/locations can you tell us if you need a French server to access some French services only (if any, which ones?) or you need a French server in general? We ask because we have privacy problems with some datacenters we have contacted in France, they seriously fail comply to some of our non-negotiable privacy requirements; on the other hand, such compliance is not necessary for routing servers. Kind regards

Hello, as already quoted, "During SSL/TLS rekeying, there is a transition-window parameter that permits overlap between old and new key usage, so there is no time pressure or latency bottleneck during SSL/TLS renegotiations." By the way, you can use the reneg-sec directive (default is 3600 seconds) to disable it (not recommended). https://community.openvpn.net/openvpn/wiki/Openvpn23ManPage --reneg-sec n Renegotiate data channel key after n seconds (default=3600). When using dual-factor authentication, note that this default value may cause the end user to be challenged to reauthorize once per hour. Also, keep in mind that this option can be used on both the client and server, and whichever uses the lower value will be the one to trigger the renegotiation. A common mistake is to set --reneg-sec to a higher value on either the client or server, while the other side of the connection is still using the default value of 3600 seconds, meaning that the renegotiation will still occur once per 3600 seconds. The solution is to increase --reneg-sec on both the client and server, or set it to 0 on one side of the connection (to disable), and to your chosen value on the other side.