Staff

hi. please help. whenever i try to connect. it always ask for user and password. although it was already inserted on the account.cfg. thanks

Hello!

Did you insert login and password on the configuration file? If so, please remove them. The authentication is performed through double certificate and personal key. Please make sure that the configuration file points to the correct files (ca.crt is the server certificate, user.crt the client certificate and user.key the client key). Our configuration generator builds all the files according to your instructions (menu "Member Area"->"Access Without Our Client").

Kind regards

So programs such as Trillian and Skype do or don't need DNS resolution? Sorry, I'm a bit confused.

Hello!

You should check with their programmers. Anyway we observe that Skype is able to continue working without DNS resolution.

Nevertheless, if one wasn't downloading or torrenting and not exchanging sensitive issues over IM and VOIP protocols, couldn't the 0.0.0.0 fix be seen as a quick and easy way to *basically* half non-VPN traffic when the VPN is disconnected?

Generally speaking no, because there are very many possible leaks which do not require DNS resolution. It can't be and should not be considered a secure solution.

Kind regards

Newbie question here:

Couldn't entering "netsh interface IPv4 set dnsserver "Wireless Network Connection" static 0.0.0.0 both" into the command prompt also work in not allowing traffic out when not connecting to a VPN?

As per the DNSleaktest.com code, I enter this into my command prompt after connecting to VPN (before it's set to DHCP) and my DNS is secured. If I disconnect from AirVPN without changing 0.0.0.0 back to DCHP, the internet remains totally inaccessible.

Thoughts?

Hello!

Unfortunately not, in general that will prevent only DNS leaks, not every leak. You may have the impression that the Internet is totally inaccessible because your system can't resolve anymore domain names. However, all the programs which do need a DNS resolution (for example a torrent client) will start to exchange data, leaking the real IP address.

Kind regards

What about instant message programs such as Trillian and Skype?

Hello!

Exactly.

Sorry for the typo, the sentence " all the programs which do need a DNS resolution (for example a torrent client) will start to exchange data, leaking the real IP address" must be read "all the programs which do NOT need a DNS resolution (for example a torrent client) will start to exchange data, leaking the real IP address"

Original message edited to correct the typo.

Kind regards

Below is my log showing I was able to sudo openvpn the OVPN file for AirVPN over TOR. It got initiazed ok then the socket was closed with this error: RTNETLINK answers: Operation not permitted.

Hello!

Comparing this log with your previous logs, it's unclear why OpenVPN tries to modify the routing table with "ip route" etc. instead of "route". Do you need multiple routing tables? Assuming that your kernel supports policy routing (you run an Ubuntu distribution, right...?), please check group permissions:

http://ubuntuforums.org/showthread.php?t=1867166

See in particular post number 5 by "Jonathan L".

Kind regards

Hello!
 

Sat Sep 29 04:06:42 2012 NOTE: FlushIpNetTable failed on interface [48] {7506FB69-AE75-4114-96A2-2F74D4F60180} (status=5) : Access is denied.

OpenVPN can't access the TAP-Win32 interface and can't modify the routing table.

Please make sure that:
- you launch OpenVPN GUI with administrator privileges
- there are no other OpenVPN instances running
- the TAP-Win32 adapter is enabled

Kind regards

Newbie question here:

Couldn't entering "netsh interface IPv4 set dnsserver "Wireless Network Connection" static 0.0.0.0 both" into the command prompt also work in not allowing traffic out when not connecting to a VPN?

As per the DNSleaktest.com code, I enter this into my command prompt after connecting to VPN (before it's set to DHCP) and my DNS is secured. If I disconnect from AirVPN without changing 0.0.0.0 back to DCHP, the internet remains totally inaccessible.

Thoughts?

Hello!

Unfortunately not, in general that will prevent only DNS leaks, not every leak. You may have the impression that the Internet is totally inaccessible because your system can't resolve anymore domain names. However, all the programs which do not need a DNS resolution (for example a torrent client) will start to exchange data, leaking the real IP address.

Kind regards

Forgive my ignorance... is this used with a DD-WRT router?

Hello!

Not exactly, but you can easily adapt them to DD-WRT, changing interface names and IP addresses if necessary. However, proceed with care. We recommend that you first read here, you can see directly the iptables rules for DD-WRT and an important warning when you apply those rules:

https://airvpn.org/index.php?option=com_kunena&func=view&catid=3&id=2377&Itemid=142#2377

Kind regards

Hi,

I got bursts of 5 meg and an average of 2 on the Swiss server, and I could watch iplayer also! Are there any plans to expand this to other services, in particular sky go?

Hello!

Yes! First, we still need to solve some technical issues.

Then, we'll open a dedicated forum section for suggestions, reports and services IP ranges detection. This is a huge task, especially for services which check the IP address location even during the streaming, so we are planning to offer the option as a free, additional service to premium members (no additional payments, no different plans) hoping for a cooperation from the community. We think that only with the support and the reports of the community we can make this type of service a reality for a lot of geo-discriminatory services.

Kind regards

When I go to try a speed test, the block in the middle of the page gives me a DNS error. I am connected to the VPN and I'm using your DNS. Any help would be greatly appreciated.

Hello!

speedtest.air seems to be correctly resolved by our DNS, can you please tell us on which server(s) you detect the problem?

Kind regards

I got 5 meg speeds the other night on the NL server, but I'm wanting to access iplayer. I've not used the service to stream video for a while, but I think it was on the old UK servers that I got higher speeds. I have a new computer (also OSX), but as I was saying it was good on the NL servers.

Thanks for your quick reply.

Hello!

Should you like to test it, we're experimentally working on Aquarii (Switzerland) to allow access to BBC iPlayer from outside UK. We can't guarantee it will work (we're still on a "beta testing" phase) but it's worth a try.

Kind regards

In summary:

- Can someone shine some light on why NetworkManager works, but the openvpn command line client doesn't?

Hello!

Can you please send us the openvpn logs?

- Can someone tell me what routes to add to get the return traffic from the tunnel? Or if there is a better way to run openvpn WITHOUT having my gateway changed, tell me?

Please see here: http://kindlund.wordpress.com/2007/11/19/configuring-multiple-default-routes-in-linux/

You can work with your tun interface and your physical interface (for example tun0 and eth0) in order to achieve what you want (assuming that your kernel supports policy routing and you have iproute utilities installed to handle multiple routing tables).

Kind regards

Oh I see.. Thanks alot for your concise reply =D

I am planning to sign up for your VPN soon, but I am just worried the servers are all very far from where I reside at.. potentially causing slow speeds ? =/

Hello!

Thank you for your choice.

Potentially yes. However it's not possible to make any precise prediction. Therefore, test the VPN extensively after your subscription and if you see that performance is too low remember to ask for a full refund within 3 days.

Kind regards

so i read what you posted, i clicked on "clear" next to the Key file and re-selected the "user.key" file generated from AirVPN. after i confirm the selection and close the window, and then go back to it, the file in the box says "key.key" again. but, it seems that i do connect okay (bottom center box on AirVPN says i'm connected, Viscosity window says my IP address changed, etc.)

should i just ignore the file name?

Hello!

If you connect fine you can just ignore that glitch. Viscosity points OpenVPN to read for sure the correct key, otherwise our servers would not let you in.

Kind regards

I've been having trouble lately getting a fast speed on the UK servers. I'm on a 15 meg line, and I get about 0.6 meg when I connect to either. Looking at the stats both these servers are fast, so what am I doing wrong? I use the latest version of tunnel blick and I'm I've tried jumping between TCP, UDP, and the different ports. In the past I've had these servers running at about 2/3 my broadband speed, which was great.

Thanks for your help.

Hello!

Did you change anything in your computer or network configuration when the performance on the UK servers dropped for you? When did it happen? Do you obtain better performance with the NL servers?

Kind regards

Hello!

We have checked that your account is allowed to access all the VPN servers. Can you please enable your statitistics (in your "Member Area"->"Settings") in order to help troubleshooting? On your control panel you will also find useful information about the reasons for which your last connection attempt failed. Also, please try connections on a TCP port in order to check whether the problem is solved.

About the Air client problem, can you please send us the logs?

Kind regards

Hi, is it possible to configure a modem/router so that all VPN traffic pass through it. I mean are there routers that have the possibility to configure a VPN so i'll always connect to the VPN on the devices that are connected to the router? Thanks

Hello!

Yes. Routers where you can flash DD-WRT, OpenWRT and Tomato firmwares (in the versions including OpenVPN) will all allow you to do that. Please see also our FAQ https://airvpn.org/faq

Kind regards

I don't have any other instances of OpenVPN running when I use sudo openvpn.

The log is not ok because as you can see at the end it shows timeout sometimes and other times auth failure. Here's a copy of the timeout failure ending (this comes from the log I previously gave you):

Thu Sep 27 15:23:59 2012 recv_socks_reply: TCP port read timeout expired: Operation now in progress (errno=115)

Thu Sep 27 15:23:59 2012 TCP/UDP: Closing socket

Thu Sep 27 15:23:59 2012 SIGTERM[soft,init_instance] received, process exiting

Hello!

Please see previous message https://airvpn.org/index.php?option=com_kunena&func=view&catid=3&id=4382&limit=6&limitstart=18&Itemid=142#4429

YOU SAY USERNAME AND PASSWORD ARE NOT NEEDED WHEN USING KEY and CERTIFICATES?

Of course. Actually, they are never required by OpenVPN (hardened security setup). You just can't login with any password, you need both certificates and your own key.

Kind regards

I was able to use the TOR information on using Vidalia Settings Advanced tab to remove the check in the box for Configure Control Port Automatically, and it reset the Socks Port to a fixed 9050 (TBB Socks Network settings) and the listening Contraol port to 9051 (Vidalia settings). BUT, eventhough I did that and changed the directive in the OVPN file back to 9050, still same problem when using Network Manager.

Hello!

You managed to establish a connection over OpenVPN over TOR. Unfortunately, in that case, the connection was reset after 2 minuts (inactivity timeout), probably due to latency problems between some TOR node and the VPN server. You can safely retry with the very same settings, you should be able to have a stable connection unless some unfortunate cases.

About NetworkManager, it is probably misconfigured, can we see the settings?

Kind regards

I'll try as you suggest next. Although, is the reason for the auth failure because I don't have any means to enter username and password when using sudo ovpn on the configuration file? Recall that I got the folowing log message prior to openvpn quitting:

Thu Sep 27 14:25:37 2012 AUTH: Received AUTH_FAILED control message

Thu Sep 27 14:25:37 2012 TCP/UDP: Closing socket

Thu Sep 27 14:25:37 2012 SIGTERM[soft,auth-failure] received, process exiting

IS THERE A WAY I CAN ADD THE LOGIN CREDENTIALS TO THE OVPN FILE? THEN MAYBE IT FAIL ON AUTH?

Hello!

For security reasons our servers authenticate users through double-certificate and key. The credentials are all there, you don't need to enter any login or password. From the logs, the double certificates are fine, and also the user.key is accessible by openvpn. Just please make sure that you don't have any other openvpn instance running and connected.

Kind regards

GETTING CLOSER TO THE SOLUTION: I changed the socks-proxy listening directive in the OVPN file to match the actual socks port used by the TOR and now get the following log when using sudo ovpn )notice all seems ok except for the hash conflicts and the soft auth failure):

Hello!

Actually account "cyberninja" is currently (at the time this admin is writing) connected and exchanging data. This is the cause of the AUTH_FAILED. The first thing that comes to mind is that you have some other OpenVPN instance still running and connected (or maybe some other computer connected with the same account?). Please make sure that you stop any other openvpn connection and try again. In order to safely kill OpenVPN and restore the previous routing table, just press CTRL-C from the console you started it, or issue a kill command (a normal kill, not a kill -9 of course) to the OpenVPN PID, or even try "[sudo] killall openvpn".

Kind regards

I get two ports from the Vidalia log, one is the socks listening port 38006, the other is control listening port 57922. In the TBB network connectios settings in Preferences the Socks host is 127.0.0.1 and the Port is 38006, so it looks like the port would be 38006 that I need to connect thrugh, right?

Hello!

Right, change the port in socks-proxy directive accordingly and then re-launch OpenVPN and check the connection (please send us the logs if there are still issues).

Can you help me with this or do I need to go to the TOR website as you suggest?

You should check anyway, because if your proxy changes port at each startup you are forced to discover the port and change accordingly the configuration file each time you wish to re-connect over OpenVPN over TOR, which is very uncomfortable. Once you have set one listening port once and for all, you won't need to change configuration at each TOR startup.

Kind regards

I ran openvpn with sudo and here is the log showing a failure to connect to 127.0.0.1:9050 and a warning about local and remote hashes being in conflict (none of this shows up in the log at /var/log/messages):

Hello!

Good, now OpenVPN is using the correct configuration file and tries to connect to the proxy as you wish. The problem now is that the proxy is not responding on that port.

Assuming that the proxy is running and it is a socks proxy, it does not appear to be listening to port 9050. Perhaps you're using a TBB with an experimental feature: "TBB on OSX and Linux has an experimental feature where Tor listens on random unused ports rather than a fixed port each time. The goal is to avoid conflicting with a "system" Tor install, so you can run a system Tor and TBB at the same time".

If it's the case, please check here to solve the problem and predict/set which port the proxy will be listening to:

https://www.torproject.org/docs/faq.html.en#TBBSocksPort

If it's not the case, please make sure that the proxy is running, its type matches the type specified in the OpenVPN configuration file (socks or http) and that no firewall is blocking packets to and from 127.0.0.1.

Kind regards

I sent this before but it seems to have gotten lost in the communication, but here it is again (maybe all these issues are at my end only???):

Hello!

It's highly likely. We don't detect any problem with the forum.

As you can see, network-manager is not using the configuration you mean:

Sep 27 11:05:27 ihome nm-openvpn[9174]: TCP connection established with 178.248.30.131:443

If configured properly to connect over your proxy, OpenVPN would connect to 127.0.0.1:9050.

The fact that network-manager is misconfigured is further confirmed by:

Sep 27 11:05:26 ihome nm-openvpn[9174]: WARNING: No server certificate verification method has been enabled. See openvpn.net/howto.html#mitm for more info.

Please note that all the configuration files generated by our system have the "ns-cert-type server" directive in it (this is important for additional authentication security).

First of all, please perform a connection directly with OpenVPN and send us the logs (just copy and paste the output or simply tell OpenVPN to log where you wish).

cd to the directory where the configuration file is stored and issue the command ("[sudo] openvpn "), using the configuration file prepared for connections over OpenVPN over TOR, in order to ascertain that your proxy is running properly and listening to the correct port.

We're looking forward to hearing from you.

Kind regards

I tried all suggestions you have but none work for me. I'm not sure you are able go to the depth of problem solving I need and I am unable to attch pictures showing all config setups regarding connection setting in TOR and FireFox - so one problem with being able to load any png images (all less than 150kb) is making it impossible for you to see where the problem may be. This thread is way too long now and I'm not getting anywhere. Thank you for trying to help me.

Hello!

File attachments and image attachments work fine for every user, maybe it is just a problem on your side. Anyway, the OpenVPN logs are text files, so even if you can't manage to upload pictures, please just copy the logs and paste them here. They may be very useful for troubleshooting.

Kind regards

Does a server location always mean that it is restricted by that country's site restrictions and always gives out that country's ip address ?

Take for example, if I live in Australia. If I connect to an Australian VPN server, would the IP addresses given by the VPN server always be of Australian IPs ?

And would Australian site restrictions apply ? ( like not being able to access Hulu.com as it is an Australian ip .. )

Hello!

If the geographical restrictions are applied by the provider of the server (e.g. Hulu) then using a server outside that provider country will not let you use that service (but we're working on that, in order to allow geo-discriminatory access also to servers outside the country where the discrimination is performed).

If the restriction is applied by ISPs from a client's country, then the restriction can be bypassed even with connections to servers in that country, because datacenters are not subject to forced censorship as home ISPs are.

Kind regards