Posts posted by Staff


  1. When I go to try a speed test, the block in the middle of the page gives me a DNS error. I am connected to the VPN and I'm using your DNS. Any help would be greatly appreciated.

    Hello!

    speedtest.air seems to be correctly resolved by our DNS, can you please tell us on which server(s) you detect the problem?

    Kind regards


  2. I got 5 meg speeds the other night on the NL server, but I'm wanting to access iplayer. I've not used the service to stream video for a while, but I think it was on the old UK servers that I got higher speeds. I have a new computer (also OSX), but as I was saying it was good on the NL servers.

    Thanks for your quick reply.

    Hello!

    Should you like to test it, we're experimentally working on Aquarii (Switzerland) to allow access to BBC iPlayer from outside UK. We can't guarantee it will work (we're still on a "beta testing" phase) but it's worth a try.

    Kind regards


  3. In summary:

    - Can someone shine some light on why NetworkManager works, but the openvpn command line client doesn't?

    Hello!

    Can you please send us the openvpn logs?

    - Can someone tell me what routes to add to get the return traffic from the tunnel? Or if there is a better way to run openvpn WITHOUT having my gateway changed, tell me? :)

    Please see here: http://kindlund.wordpress.com/2007/11/19/configuring-multiple-default-routes-in-linux/

    You can work with your tun interface and your physical interface (for example tun0 and eth0) in order to achieve what you want (assuming that your kernel supports policy routing and you have iproute utilities installed to handle multiple routing tables).

    Kind regards


  4. Oh I see.. Thanks a lot for your concise reply =D

    I am planning to sign up for your VPN soon, but I am just worried the servers are all very far from where I reside at.. potentially causing slow speeds ? =/

    Hello!

    Thank you for your choice.

    Potentially yes. However it's not possible to make any precise prediction. Therefore, test the VPN extensively after your subscription and if you see that performance is too low remember to ask for a full refund within 3 days.

    Kind regards


  5. so i read what you posted, i clicked on "clear" next to the Key file and re-selected the "user.key" file generated from AirVPN. after i confirm the selection and close the window, and then go back to it, the file in the box says "key.key" again. but, it seems that i do connect okay (bottom center box on AirVPN says i'm connected, Viscosity window says my IP address changed, etc.)

    should i just ignore the file name?

    Hello!

    If you connect fine you can just ignore that glitch. Viscosity points OpenVPN to read for sure the correct key, otherwise our servers would not let you in.

    Kind regards


  6. I've been having trouble lately getting a fast speed on the UK servers. I'm on a 15 meg line, and I get about 0.6 meg when I connect to either. Looking at the stats both these servers are fast, so what am I doing wrong? I use the latest version of Tunnelblick and I've tried jumping between TCP, UDP, and the different ports. In the past I've had these servers running at about 2/3 my broadband speed, which was great.

    Thanks for your help.

    Hello!

    Did you change anything in your computer or network configuration when the performance on the UK servers dropped for you? When did it happen? Do you obtain better performance with the NL servers?

    Kind regards


  7. Hello!

    We have checked that your account is allowed to access all the VPN servers. Can you please enable your statistics (in your "Member Area"->"Settings") in order to help troubleshooting? On your control panel you will also find useful information about the reasons for which your last connection attempt failed. Also, please try connections on a TCP port in order to check whether the problem is solved.

    About the Air client problem, can you please send us the logs?

    Kind regards


  8. Hi, is it possible to configure a modem/router so that all VPN traffic pass through it. I mean are there routers that have the possibility to configure a VPN so i'll always connect to the VPN on the devices that are connected to the router? Thanks

    Hello!

    Yes. Routers where you can flash DD-WRT, OpenWRT and Tomato firmwares (in the versions including OpenVPN) will all allow you to do that. Please see also our FAQ https://airvpn.org/faq

    Kind regards


  9. I don't have any other instances of OpenVPN running when I use sudo openvpn.

    The log is not ok because as you can see at the end it shows timeout sometimes and other times auth failure. Here's a copy of the timeout failure ending (this comes from the log I previously gave you):

    Thu Sep 27 15:23:59 2012 recv_socks_reply: TCP port read timeout expired: Operation now in progress (errno=115)

    Thu Sep 27 15:23:59 2012 TCP/UDP: Closing socket

    Thu Sep 27 15:23:59 2012 SIGTERM[soft,init_instance] received, process exiting

    Hello!

    Please see previous message https://airvpn.org/index.php?option=com_kunena&func=view&catid=3&id=4382&limit=6&limitstart=18&Itemid=142#4429

    YOU SAY USERNAME AND PASSWORD ARE NOT NEEDED WHEN USING KEY and CERTIFICATES?

    Of course. Actually, they are never required by OpenVPN (hardened security setup). You just can't login with any password, you need both certificates and your own key.

    Kind regards


  10. I was able to use the TOR information on using Vidalia Settings Advanced tab to remove the check in the box for Configure Control Port Automatically, and it reset the Socks Port to a fixed 9050 (TBB Socks Network settings) and the listening Control port to 9051 (Vidalia settings). BUT, even though I did that and changed the directive in the OVPN file back to 9050, still same problem when using Network Manager.

    Hello!

    You managed to establish a connection over OpenVPN over TOR. Unfortunately, in that case, the connection was reset after 2 minutes (inactivity timeout), probably due to latency problems between some TOR node and the VPN server. You can safely retry with the very same settings, you should be able to have a stable connection unless some unfortunate cases.

    About NetworkManager, it is probably misconfigured, can we see the settings?

    Kind regards


  11. I'll try as you suggest next. Although, is the reason for the auth failure because I don't have any means to enter username and password when using sudo ovpn on the configuration file? Recall that I got the following log message prior to openvpn quitting:

    Thu Sep 27 14:25:37 2012 AUTH: Received AUTH_FAILED control message

    Thu Sep 27 14:25:37 2012 TCP/UDP: Closing socket

    Thu Sep 27 14:25:37 2012 SIGTERM[soft,auth-failure] received, process exiting

    IS THERE A WAY I CAN ADD THE LOGIN CREDENTIALS TO THE OVPN FILE? THEN MAYBE IT FAIL ON AUTH?

    Hello!

    For security reasons our servers authenticate users through double-certificate and key. The credentials are all there, you don't need to enter any login or password. From the logs, the double certificates are fine, and also the user.key is accessible by openvpn. Just please make sure that you don't have any other openvpn instance running and connected.

    Kind regards


  12. GETTING CLOSER TO THE SOLUTION: I changed the socks-proxy listening directive in the OVPN file to match the actual socks port used by the TOR and now get the following log when using sudo ovpn (notice all seems ok except for the hash conflicts and the soft auth failure):

    Hello!

    Actually account "cyberninja" is currently (at the time this admin is writing) connected and exchanging data. This is the cause of the AUTH_FAILED. The first thing that comes to mind is that you have some other OpenVPN instance still running and connected (or maybe some other computer connected with the same account?). Please make sure that you stop any other openvpn connection and try again. In order to safely kill OpenVPN and restore the previous routing table, just press CTRL-C from the console you started it, or issue a kill command (a normal kill, not a kill -9 of course) to the OpenVPN PID, or even try "[sudo] killall openvpn".

    Kind regards


  13. I get two ports from the Vidalia log, one is the socks listening port 38006, the other is control listening port 57922. In the TBB network connections settings in Preferences the Socks host is 127.0.0.1 and the Port is 38006, so it looks like the port would be 38006 that I need to connect through, right?

    Hello!

    Right, change the port in socks-proxy directive accordingly and then re-launch OpenVPN and check the connection (please send us the logs if there are still issues).

    Can you help me with this or do I need to go to the TOR website as you suggest?

    You should check anyway, because if your proxy changes port at each startup you are forced to discover the port and change accordingly the configuration file each time you wish to re-connect over OpenVPN over TOR, which is very uncomfortable. Once you have set one listening port once and for all, you won't need to change configuration at each TOR startup.

    Kind regards


  14. I ran openvpn with sudo and here is the log showing a failure to connect to 127.0.0.1:9050 and a warning about local and remote hashes being in conflict (none of this shows up in the log at /var/log/messages):

    Hello!

    Good, now OpenVPN is using the correct configuration file and tries to connect to the proxy as you wish. The problem now is that the proxy is not responding on that port.

    Assuming that the proxy is running and it is a socks proxy, it does not appear to be listening to port 9050. Perhaps you're using a TBB with an experimental feature: "TBB on OSX and Linux has an experimental feature where Tor listens on random unused ports rather than a fixed port each time. The goal is to avoid conflicting with a "system" Tor install, so you can run a system Tor and TBB at the same time".

    If it's the case, please check here to solve the problem and predict/set which port the proxy will be listening to:

    https://www.torproject.org/docs/faq.html.en#TBBSocksPort

    If it's not the case, please make sure that the proxy is running, its type matches the type specified in the OpenVPN configuration file (socks or http) and that no firewall is blocking packets to and from 127.0.0.1.

    Kind regards


  15. I sent this before but it seems to have gotten lost in the communication, but here it is again (maybe all these issues are at my end only???):

    Hello!

    It's highly likely. We don't detect any problem with the forum.

    As you can see, network-manager is not using the configuration you mean:

    Sep 27 11:05:27 ihome nm-openvpn[9174]: TCP connection established with 178.248.30.131:443

    If configured properly to connect over your proxy, OpenVPN would connect to 127.0.0.1:9050.

    The fact that network-manager is misconfigured is further confirmed by:

    Sep 27 11:05:26 ihome nm-openvpn[9174]: WARNING: No server certificate verification method has been enabled. See openvpn.net/howto.html#mitm for more info.

    Please note that all the configuration files generated by our system have the "ns-cert-type server" directive in it (this is important for additional authentication security).

    First of all, please perform a connection directly with OpenVPN and send us the logs (just copy and paste the output or simply tell OpenVPN to log where you wish).

    cd to the directory where the configuration file is stored and issue the command ("[sudo] openvpn "), using the configuration file prepared for connections over OpenVPN over TOR, in order to ascertain that your proxy is running properly and listening to the correct port.

    We're looking forward to hearing from you.

    Kind regards
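The two checks described in the reply above (does the configuration route through the proxy and verify the server certificate, and do the logs agree), as an added example that is not part of the original post. The function names and the two sample configurations are constructed for illustration; the two log lines are the ones quoted in the post, and `remote-cert-tls` is included as the newer OpenVPN equivalent of `ns-cert-type`.

```python
import re

# Directives that turn on server certificate checks: "ns-cert-type" is the one
# the post names, "remote-cert-tls" is its newer OpenVPN equivalent.
VERIFY_DIRECTIVES = {"ns-cert-type", "remote-cert-tls"}
CONNECT_RE = re.compile(r"TCP connection established with (?:\[AF_INET\])?([\d.]+):(\d+)")
NO_VERIFY = "No server certificate verification method has been enabled"

def parse_config(text):
    """Map each directive in an OpenVPN config to its argument list."""
    cfg = {}
    for raw in text.splitlines():
        line = raw.strip()
        if line and line[0] not in "#;":   # '#' and ';' start comment lines
            name, *args = line.split()
            cfg[name] = args
    return cfg

def audit_config(text, proxy=("127.0.0.1", "9050")):
    """Return findings for a config that should tunnel over a local SOCKS proxy."""
    cfg, findings = parse_config(text), []
    sp = cfg.get("socks-proxy")
    if sp is None:
        findings.append("no socks-proxy directive: OpenVPN will connect directly")
    elif tuple(sp[:2]) != proxy:
        findings.append("socks-proxy targets %s, expected %s"
                        % (":".join(sp[:2]), ":".join(proxy)))
    if not VERIFY_DIRECTIVES.intersection(cfg):
        findings.append("no server certificate verification directive")
    return findings

def audit_log(lines, proxy=("127.0.0.1", "9050")):
    """Flag log lines showing a direct connection or disabled verification."""
    findings = []
    for line in lines:
        m = CONNECT_RE.search(line)
        if m and m.groups() != proxy:
            findings.append("direct connection to %s:%s, not via the proxy" % m.groups())
        if NO_VERIFY in line:
            findings.append("server certificate verification disabled")
    return findings

# Log lines quoted in the post above.
PAGE_LOG = [
    "Sep 27 11:05:26 ihome nm-openvpn[9174]: WARNING: No server certificate verification method has been enabled. See openvpn.net/howto.html#mitm for more info.",
    "Sep 27 11:05:27 ihome nm-openvpn[9174]: TCP connection established with 178.248.30.131:443",
]
# Constructed sample configs; 192.0.2.10 is a documentation address.
GOOD_CONFIG = "client\nproto tcp\nremote 192.0.2.10 443\nsocks-proxy 127.0.0.1 9050\nns-cert-type server\n"
BAD_CONFIG = "client\nproto tcp\nremote 192.0.2.10 443\n# socks-proxy 127.0.0.1 9050\n"

if __name__ == "__main__":
    for finding in audit_config(BAD_CONFIG) + audit_log(PAGE_LOG):
        print("FINDING:", finding)
```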


  16. I tried all suggestions you have but none work for me. I'm not sure you are able to go to the depth of problem solving I need and I am unable to attach pictures showing all config setups regarding connection setting in TOR and FireFox - so one problem with being able to load any png images (all less than 150kb) is making it impossible for you to see where the problem may be. This thread is way too long now and I'm not getting anywhere. Thank you for trying to help me.

    Hello!

    File attachments and image attachments work fine for every user, maybe it is just a problem on your side. Anyway, the OpenVPN logs are text files, so even if you can't manage to upload pictures, please just copy the logs and paste them here. They may be very useful for troubleshooting.

    Kind regards


  17. Does a server location always mean that it is restricted by that country's site restrictions and always gives out that country's ip address ?

    Take for example, if I live in Australia. If I connect to an Australian VPN server, would the IP addresses given by the VPN server always be of Australian IPs ?

    And would Australian site restrictions apply ? ( like not being able to access Hulu.com as it is an Australian ip .. )

    Hello!

    If the geographical restrictions are applied by the provider of the server (e.g. Hulu) then using a server outside that provider country will not let you use that service (but we're working on that, in order to allow geo-discriminatory access also to servers outside the country where the discrimination is performed).

    If the restriction is applied by ISPs from a client's country, then the restriction can be bypassed even with connections to servers in that country, because datacenters are not subject to forced censorship as home ISPs are.

    Kind regards


  18. You responded with "You need to instruct OpenVPN to connect over a proxy. Our configuration generator will generate the appropriate OpenVPN configuration file according to your instructions. For detailed instructions, please see:

    airvpn.org/tor"

    I followed the instructions on airvpn.org/tor, used the configuration generator and downloaded the OpenVPN configuration file (I provided a copy of it in a previous post). But, it doesn't work for me. OpenVPN acts as though that socks-proxy line doesn't exist in the configuration file. The line is "socks-proxy 127.0.0.1 9050" as instructed by the airvpn.org/tor. Am I doing something wrong?

    Hello!

    The configuration file is fine. Chances are that OpenVPN is reading a different configuration file. Please make sure to launch OpenVPN with the configuration file which has the line "socks-proxy". You can consider to bypass entirely the network-manager and establish a connection by invoking directly openvpn with the correct configuration file.

    Kind regards


  19. Hello!

    From the logs it seems that Viscosity has some problems in handling this configuration and/or there are communication problems between a TOR exit-node and the Air server. First of all, please make sure that the proxy type (http or socks) you picked matches the proxy type you're using for TOR.

    After that, you might try to:

    - change Air server

    - change TOR node (this will happen by itself with subsequent attempts)

    If the problem persists, you might try to replace Viscosity with Tunnelblick.

    Particularly puzzling and potentially worrying from your log is:

    NOTE: setsockopt TCP_NODELAY=1 failed (No kernel support)

    which was a FreeBSD problem in 8.0-8.3 versions with OpenVPN 2.2.2 and which seems to be present in your Mac OS X system.

    Kind regards


  20. When you say "Please make sure that you have enabled the "proxy" type in your client configuration.", I use Network Manager applet in GNOME desktop and I don't see where that can be enabled. What do you mean by enabling this type in my client configuration. I use OpenVPN plugin within Network Manager.

    Hello!

    You need to instruct OpenVPN to connect over a proxy. Our configuration generator will generate the appropriate OpenVPN configuration file according to your instructions. For detailed instructions, please see:

    https://airvpn.org/tor

    Kind regards


  21. Could you please give me step by step instructions for this? I have tried doing it and there is still a DNS leak. All the change did was move the area on the leak test to a different state but I still see my ISP.

    Hello!

    You can put a definitive end to DNS leak by configuring properly your firewall. Please see the instructions permanently linked to the announcements section of the forum, according to your system ("Prevent leaks...").

    Kind regards


  22. Hi!

    Thank you for your reply.

    Actually I wasn't expecting a solution to this because of the nature of the UDP connection (i.e. no error correction).

    What I should have said is that the problem refers to all servers I actually use, which is only 1GB/s servers in Ger, Uk, and NL!

    Hello!

    Therefore you experience the same problem with 4 different datacenters (2 in Germany, 1 in Holland and 1 in UK) and 5 different networks (2 in Germany, 2 in Holland and 1 in UK) on 9 different servers. This strongly suggests that it's not a server/datacenter side problem.

    The "Window-replay backtrack occurred" is indeed a common error for me when using UDP which seems to highly correlate with the connection loss, though I'm not absolutely certain if it gets displayed in every instance.

    So there's indeed packet loss.

    The confusing thing is that when I'm not connected to the VPN I never get any kind of interruption like this and my connection has no packet loss or at least I don't notice it like this.

    This may be normal, especially if you have for most of your activities TCP connections.

    Also, why is only the upload affected? The upload literally drops drastically, while downloads continue for a few seconds. The connection to the server isn't at any point severed either.

    There may be an explanation for that. OpenVPN implements a packet-resending even with UDP. In order to do that, the client must verify the packets, tell the server of problems (if any), wait for lost packets to be resent and finally re-order the received packets in the appropriate order (according to the maximum allowed replay frame). During the process the client could be unable to send out new packets because it is still waiting for lost packets to be resent. So you would notice same download bw but poor ul bandwidth.

    Would asking my ISP to measure my line for any kind of packet loss be a good idea?

    Thank you :)

    A very useful tool is mtr ("My TraceRoute"), available for all Linux systems (probably it's available on BSD systems too). Try to generate consistent reports by mtr toward all the entry-IP addresses of our servers. Then you'll have some useful material that may help you pick the server which gives you the minimum packet loss. Compare also the results with hosts you frequently connect to with and without VPN.

    Kind regards


  23. Hello!

    Your question is not stupid at all, on the contrary it underlines one of the OpenVPN excellent security features.

    In SSL/TLS mode, an SSL session is established with bidirectional authentication (i.e. each side of the connection must present its own certificate). If the SSL/TLS authentication succeeds, encryption/decryption and HMAC key source material is then randomly generated by OpenSSL's RAND_bytes function and exchanged over the SSL/TLS connection. Both sides of the connection contribute random source material. This mode never uses any key bidirectionally, so each peer has a distinct send HMAC, receive HMAC, packet encrypt, and packet decrypt key. If --key-method 2 is used, the actual keys are generated from the random source material using the TLS PRF function. If --key-method 1 is used, the keys are generated directly from the OpenSSL RAND_bytes function. --key-method 2 was introduced with OpenVPN 1.5.0 and will be made the default in OpenVPN 2.0.

    During SSL/TLS rekeying, there is a transition-window parameter that permits overlap between old and new key usage, so there is no time pressure or latency bottleneck during SSL/TLS renegotiations.

    http://openvpn.net/index.php/open-source/documentation/security-overview.html

    Kind regards
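A sketch of the key derivation described in the reply above, as an added example that is not part of the original post and not OpenVPN's own code: both peers contribute random material, a TLS 1.0 PRF expands it, and the output is cut into four keys so that no key is used in both directions. The label strings, the 64-byte slot size and the omission of session IDs are simplifying assumptions for illustration, not a byte-exact reimplementation.

```python
import hashlib
import hmac
import os

def p_hash(algo, secret, seed, n):
    """TLS 1.0 P_hash: chained HMAC expansion of (secret, seed) to n bytes."""
    out, a = b"", seed
    while len(out) < n:
        a = hmac.new(secret, a, algo).digest()
        out += hmac.new(secret, a + seed, algo).digest()
    return out[:n]

def tls1_prf(secret, label, seed, n):
    """TLS 1.0 PRF: P_MD5 over the first half of the secret XOR P_SHA1 over the second."""
    half = (len(secret) + 1) // 2
    s1, s2 = secret[:half], secret[len(secret) - half:]
    md5 = p_hash(hashlib.md5, s1, label + seed, n)
    sha = p_hash(hashlib.sha1, s2, label + seed, n)
    return bytes(x ^ y for x, y in zip(md5, sha))

def derive_keys(pre_master, c_r1, s_r1, c_r2, s_r2):
    """Expand material from both peers into four direction-specific keys."""
    # Assumed labels and layout, for illustration only.
    master = tls1_prf(pre_master, b"OpenVPN master secret", c_r1 + s_r1, 48)
    block = tls1_prf(master, b"OpenVPN key expansion", c_r2 + s_r2, 256)
    names = ("c2s_cipher", "c2s_hmac", "s2c_cipher", "s2c_hmac")
    return {n: block[i * 64:(i + 1) * 64] for i, n in enumerate(names)}

def peer_view(keys, role):
    """Select which derived key a peer uses for each of its four operations."""
    send, recv = ("c2s", "s2c") if role == "client" else ("s2c", "c2s")
    return {
        "encrypt": keys[send + "_cipher"],
        "hmac_send": keys[send + "_hmac"],
        "decrypt": keys[recv + "_cipher"],
        "hmac_recv": keys[recv + "_hmac"],
    }

if __name__ == "__main__":
    # Constructed random material standing in for what each side would send
    # over the authenticated TLS channel.
    material = [os.urandom(48)] + [os.urandom(32) for _ in range(4)]
    keys = derive_keys(*material)
    client, server = peer_view(keys, "client"), peer_view(keys, "server")
    print("client encrypt == server decrypt:", client["encrypt"] == server["decrypt"])
    print("client encrypt != client decrypt:", client["encrypt"] != client["decrypt"])
```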
